package de.governikus.autent.eudiwallet.keycloak.endpoints.credentialendpoints;

import de.governikus.autent.eudiwallet.keycloak.constants.Constants;
import de.governikus.autent.eudiwallet.keycloak.constants.StaticContext;
import de.governikus.autent.eudiwallet.keycloak.constants.UtilityMethods;
import de.governikus.autent.eudiwallet.keycloak.database.RetryCounterEntity;
import de.governikus.autent.eudiwallet.keycloak.database.RetryCounterRepository;
import de.governikus.autent.eudiwallet.keycloak.endpoints.credentialendpoints.AbstractCredentialEndpoint;
import de.governikus.autent.eudiwallet.keycloak.models.CredentialRequest;
import de.governikus.autent.eudiwallet.keycloak.models.Proof;
import de.governikus.autent.eudiwallet.keycloak.models.ProofOfPossessionDetails;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oid4vc.model.CredentialResponse;
import org.keycloak.services.managers.AuthenticationManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/eudiwallet/keycloak/endpoints/credentialendpoints/CredentialIssuanceEndpoint.class */
public class CredentialIssuanceEndpoint extends AbstractCredentialEndpoint {
    private static final Logger log = LoggerFactory.getLogger(CredentialIssuanceEndpoint.class);

    public CredentialIssuanceEndpoint(KeycloakSession keycloakSession, AuthenticationManager.AuthResult authResult) {
        super(keycloakSession, authResult);
    }

    @Override // de.governikus.autent.eudiwallet.keycloak.endpoints.credentialendpoints.CredentialEndpoint
    public void validateCredentialRequest(CredentialRequest credentialRequest) {
        doWorkaroundForIssuanceRequest(credentialRequest);
        try {
            validateProofOfPossessions(credentialRequest);
        } catch (VerificationException e) {
            throw getInvalidRequestException(e.getMessage());
        }
    }

    private void validateProofOfPossessions(CredentialRequest credentialRequest) throws VerificationException {
        Proof proof = credentialRequest.getProof();
        if (proof == null) {
            throw getInvalidRequestException("Missing required parameter 'proof'");
        }
        String proofType = proof.getProofType();
        if (!StringUtils.equals("jwt", proofType)) {
            throw getInvalidRequestException(String.format("Unsupported proof type '%s'", proofType));
        }
        String str = (String) this.authResult.getToken().getOtherClaims().get(Constants.ProtocolAttributes.C_NONCE);
        if (StringUtils.isBlank(str)) {
            throw getUnauthorizedException("Invalid AccessToken. Token cannot be used for credential issuance. Missing object '%s'\n".stripIndent().strip().formatted(Constants.ProtocolAttributes.C_NONCE));
        }
        String issuer = StaticContext.getIssuer(this.keycloakSession);
        ProofOfPossessionDetails parseAndVerify = ProofOfPossessionDetails.parseAndVerify(this.keycloakSession, credentialRequest.getPinDerivedEphPubProofOfPossession(), getTokenVerifiers(issuer, str, Constants.ProtocolAttributes.DEVICE_KEY_PUB));
        parseAndVerify.extractBodyKey(Constants.ProtocolAttributes.DEVICE_KEY_PUB);
        String str2 = (String) credentialRequest.getProof().getProofObject();
        if (StringUtils.isBlank(str2)) {
            throw getInvalidRequestException(String.format("Missing required parameter 'proof.%s'", proofType));
        }
        ProofOfPossessionDetails parseAndVerify2 = ProofOfPossessionDetails.parseAndVerify(this.keycloakSession, str2, getTokenVerifiers(issuer, str, Constants.ProtocolAttributes.PIN_DERIVED_EPH_PUB));
        parseAndVerify2.extractBodyKey(Constants.ProtocolAttributes.PIN_DERIVED_EPH_PUB);
        if (!parseAndVerify.isCrossProofOfPossessionKeyRefEquals(parseAndVerify2)) {
            throw getInvalidRequestException("Found invalid key in '%s'. Key does not match cross proof of possession in field 'proof'\n".stripIndent().strip().formatted("pin_derived_eph_key_pop"));
        }
        if (!parseAndVerify2.isCrossProofOfPossessionKeyRefEquals(parseAndVerify)) {
            throw getInvalidRequestException("Found invalid key in 'proof'. Key does not match cross proof of possession in field '%s'\n".stripIndent().strip().formatted("pin_derived_eph_key_pop"));
        }
        this.keycloakSession.setAttribute("pin_derived_eph_key_pop", parseAndVerify);
        this.keycloakSession.setAttribute(Constants.ProtocolAttributes.DEV_KEY_POP, parseAndVerify2);
    }

    private TokenVerifier.Predicate[] getTokenVerifiers(String str, String str2, String str3) {
        return new TokenVerifier.Predicate[]{new TokenVerifier.AudienceCheck(str), new AbstractCredentialEndpoint.ProofOfPossessionLifetimeVerifier(), new AbstractCredentialEndpoint.ProofOfPossessionComparisonVerifier(Constants.ProtocolAttributes.C_NONCE, str2), new AbstractCredentialEndpoint.ProofOfPossessionBodyKeyPresentVerifier(str3)};
    }

    @Override // de.governikus.autent.eudiwallet.keycloak.endpoints.credentialendpoints.CredentialEndpoint
    public CredentialResponse handleCredentialRequest(CredentialRequest credentialRequest) {
        String parseFormat = parseFormat(credentialRequest.getFormat());
        String verifiableCredentialType = credentialRequest.getVerifiableCredentialType();
        CredentialResponseRecord buildCredential = buildCredential(getClientScope((String) Optional.ofNullable(verifiableCredentialType).orElse(credentialRequest.getMdocDocumentType()), parseFormat), parseFormat);
        createRetryCounter(buildCredential.signedCredential());
        return buildCredential.credentialResponse();
    }

    private void createRetryCounter(String str) {
        String encodeHashToOIDC = HashUtils.encodeHashToOIDC(HashUtils.hash(Constants.RETRY_COUNTER_MESSAGE_DIGEST_ALGORITHM, str.getBytes(StandardCharsets.UTF_8)), true);
        String encodeHashToOIDC2 = HashUtils.encodeHashToOIDC(HashUtils.hash(Constants.RETRY_COUNTER_MESSAGE_DIGEST_ALGORITHM, UtilityMethods.getPublicKeyFromJwk(((ProofOfPossessionDetails) this.keycloakSession.getAttribute("pin_derived_eph_key_pop")).getHeaderKey()).getEncoded()), true);
        RetryCounterRepository.saveRetryCounter(this.keycloakSession, RetryCounterEntity.builder().credentialDigest(encodeHashToOIDC).pinDerivedEphPublicDigest(encodeHashToOIDC2).devicePublicDigest(HashUtils.encodeHashToOIDC(HashUtils.hash(Constants.RETRY_COUNTER_MESSAGE_DIGEST_ALGORITHM, ((ProofOfPossessionDetails) this.keycloakSession.getAttribute(Constants.ProtocolAttributes.DEV_KEY_POP)).getHeaderKey().toString().getBytes(StandardCharsets.UTF_8)), true)).build());
    }

    private void doWorkaroundForIssuanceRequest(CredentialRequest credentialRequest) {
        if (StringUtils.equals("seed_credential", credentialRequest.getFormat())) {
            credentialRequest.setVerifiableCredentialType(Constants.SEED_CREDENTIAL_IDENTIFIER);
            credentialRequest.setFormat("jwt_vc_json");
        }
    }
}
