package de.governikus.autent.eudiwallet.keycloak.provider.signingservices;

import de.governikus.autent.eudiwallet.ecdh.KeyService;
import de.governikus.autent.eudiwallet.keycloak.constants.Constants;
import de.governikus.autent.eudiwallet.keycloak.constants.StaticContext;
import de.governikus.autent.eudiwallet.keycloak.constants.UtilityMethods;
import de.governikus.autent.eudiwallet.keycloak.models.Confirmation;
import de.governikus.autent.eudiwallet.keycloak.models.CredentialRequest;
import de.governikus.autent.eudiwallet.keycloak.models.SdJwtBodyDetails;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.time.Instant;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.crypto.spec.SecretKeySpec;
import org.keycloak.common.util.CertificateUtils;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.util.JWKSUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/eudiwallet/keycloak/provider/signingservices/SdJwtSigningProvider.class */
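/**
 * Issues an SD-JWT credential whose issuer-signed JWT is protected with an HMAC (HS512)
 * key rather than an asymmetric signature.
 *
 * <p>The HMAC key is derived (via {@link KeyService#deriveKeyFrom}) from a freshly generated
 * PID-provider ephemeral key pair and the relying party's ephemeral public key carried in the
 * current {@link CredentialRequest}. The JWS {@code x5c} header carries a certificate for the
 * ephemeral public key, issued under the PID provider signing key, followed by the PID provider
 * certificate itself, so a verifier can tie the ephemeral key back to the provider.
 *
 * <p>The returned credential uses the SD-JWT combined format:
 * {@code <issuer-signed JWT>~<disclosure 1>~...~<disclosure n>~} (trailing {@code ~} always present).
 *
 * <p>This class holds only a {@link KeycloakSession} reference; all request-scoped data is read
 * from session attributes on each call.
 */
public class SdJwtSigningProvider implements OpenId4VciSigningProvider<SdJwtBodyDetails> {
    private static final Logger log = LoggerFactory.getLogger(SdJwtSigningProvider.class);

    /** JWS {@code typ} header value for SD-JWT verifiable credentials. */
    private static final String SD_JWT_TYPE = "vc+sd-jwt";

    /** Separator between the issuer-signed JWT and each disclosure in SD-JWT combined format. */
    private static final String DISCLOSURE_SEPARATOR = "~";

    /** JCA algorithm name of the derived MAC key. */
    private static final String HMAC_ALGORITHM = "HmacSHA512";

    /** JWS {@code alg} used to protect the issuer-signed JWT. */
    private static final String JWS_ALGORITHM = "HS512";

    private final KeycloakSession keycloakSession;

    /**
     * Creates a provider bound to the given session.
     *
     * @param keycloakSession session from which issuer, request attributes and providers are read
     */
    public SdJwtSigningProvider(KeycloakSession keycloakSession) {
        this.keycloakSession = keycloakSession;
    }

    /**
     * Builds and signs the SD-JWT credential for the given scope.
     *
     * <p>The payload contains {@code iss}, {@code iat} (now), every claim from
     * {@code sdJwtBodyDetails}, {@code vct} set to the client scope name and a {@code cnf}
     * claim holding the key-binding public key stored under
     * {@link Constants.ProtocolAttributes#KB_EPH_PUB}.
     *
     * @param clientScopeModel scope being issued; its name becomes the {@code vct} claim and it
     *                         selects the PID provider signing key
     * @param sdJwtBodyDetails claims and selectively disclosable values to include
     * @return the credential in SD-JWT combined format with a trailing {@code ~}
     * @throws NullPointerException if the credential request, its relying party ephemeral public
     *                              key or the key-binding public key is missing from the session
     */
    @Override
    public String signCredential(ClientScopeModel clientScopeModel, SdJwtBodyDetails sdJwtBodyDetails) {
        // Fail early with a descriptive message instead of an anonymous NPE deep in key derivation.
        CredentialRequest credentialRequest = Objects.requireNonNull(
                this.keycloakSession.getAttribute(Constants.ProtocolAttributes.CREDENTIAL_REQUEST, CredentialRequest.class),
                "credential request missing from session");
        JWK relyingPartyEphemeralKey = Objects.requireNonNull(
                credentialRequest.getRelyingPartyEphemeralPublicKey(),
                "relying party ephemeral public key missing from credential request");
        JWK keyBindingKey = Objects.requireNonNull(
                this.keycloakSession.getAttribute(Constants.ProtocolAttributes.KB_EPH_PUB, JWK.class),
                "key binding public key missing from session");

        JsonWebToken payload = new JsonWebToken()
                .issuer(StaticContext.getIssuer(this.keycloakSession))
                .iat(Instant.now().getEpochSecond());
        payload.getOtherClaims().putAll(sdJwtBodyDetails.getClaims());
        payload.getOtherClaims().put(Constants.ProtocolAttributes.VCT, clientScopeModel.getName());
        payload.setOtherClaims("cnf", Confirmation.builder().jwk(keyBindingKey).build());

        KeyWrapper signingKey = getSigningKey(clientScopeModel, relyingPartyEphemeralKey);
        SignatureProvider provider = this.keycloakSession.getProvider(SignatureProvider.class, signingKey.getAlgorithm());
        String issuerSignedJwt = new JWSBuilder()
                .type(SD_JWT_TYPE)
                .x5c(signingKey.getCertificateChain())
                .jsonContent(payload)
                .sign(provider.signer(signingKey));

        String disclosures = sdJwtBodyDetails.getDisclosures().stream()
                .map(disclosure -> disclosure.getDisclosure())
                .collect(Collectors.joining(DISCLOSURE_SEPARATOR));
        // Combined format: the JWT, each disclosure and a terminating separator.
        return issuerSignedJwt + DISCLOSURE_SEPARATOR + disclosures + DISCLOSURE_SEPARATOR;
    }

    /**
     * Derives the per-request HMAC signing key and attaches the certificate chain that
     * binds the PID-provider ephemeral public key to the provider's signing certificate.
     *
     * @param clientScopeModel scope whose realm and PID provider key are used for certification
     * @param relyingPartyEphemeralKey relying party ephemeral public key (ECDH peer key)
     * @return a {@code KeyWrapper} carrying the derived secret key, the ephemeral key pair and
     *         a two-element chain: ephemeral key certificate, then the PID provider certificate
     */
    private KeyWrapper getSigningKey(ClientScopeModel clientScopeModel, JWK relyingPartyEphemeralKey) {
        // generatePpEphKeyPair() is not defined in this class; presumably inherited from
        // OpenId4VciSigningProvider — a fresh key pair is expected on every call.
        KeyPair ephemeralKeyPair = generatePpEphKeyPair();
        PublicKey relyingPartyPublicKey = (PublicKey) JWKSUtils.getKeyWrapper(relyingPartyEphemeralKey).getPublicKey();

        KeyWrapper signingKey = deriveHmacKey(ephemeralKeyPair, relyingPartyPublicKey);
        signingKey.setPublicKey(ephemeralKeyPair.getPublic());
        signingKey.setPrivateKey(ephemeralKeyPair.getPrivate());

        KeyWrapper pidProviderSigningKey = UtilityMethods.getPidProviderSigningKey(this.keycloakSession, clientScopeModel);
        // Defined outside this class; ensures the provider key has a certificate before it is used below.
        doMissingCertificateWorkaround(clientScopeModel.getRealm(), pidProviderSigningKey);
        signingKey.setCertificateChain(List.of(
                CertificateUtils.generateV3Certificate(
                        ephemeralKeyPair,
                        (PrivateKey) pidProviderSigningKey.getPrivateKey(),
                        pidProviderSigningKey.getCertificate(),
                        StaticContext.getIssuer(this.keycloakSession)),
                pidProviderSigningKey.getCertificate()));
        return signingKey;
    }

    /**
     * Derives an HS512 {@link KeyWrapper} from an ECDH agreement between the local ephemeral
     * private key and the peer's public key.
     *
     * <p>HMAC is symmetric: any party able to compute the same shared secret (i.e. the holder of
     * the peer's ephemeral private key) can also produce this MAC. Origin is therefore established
     * by the certificate chain attached in {@link #getSigningKey}, not by the MAC alone.
     *
     * @param keyPair local ephemeral key pair; only its private key enters the agreement
     * @param publicKey peer public key
     * @return wrapper of type {@code OCT} with algorithm {@code HS512} holding the derived secret
     */
    protected KeyWrapper deriveHmacKey(KeyPair keyPair, PublicKey publicKey) {
        byte[] sharedSecret = KeyService.deriveKeyFrom(keyPair.getPrivate(), publicKey);
        SecretKeySpec secretKeySpec;
        try {
            secretKeySpec = new SecretKeySpec(sharedSecret, HMAC_ALGORITHM);
        } finally {
            // SecretKeySpec copies the bytes, so the local buffer can be wiped to shorten the
            // secret's lifetime in heap. Assumes deriveKeyFrom returns a fresh array — confirm.
            Arrays.fill(sharedSecret, (byte) 0);
        }
        KeyWrapper keyWrapper = new KeyWrapper();
        keyWrapper.setAlgorithm(JWS_ALGORITHM);
        keyWrapper.setSecretKey(secretKeySpec);
        keyWrapper.setType("OCT");
        return keyWrapper;
    }

    /**
     * Returns the session this provider was created with.
     *
     * @return the bound {@link KeycloakSession}
     */
    @Override
    public KeycloakSession getKeycloakSession() {
        return this.keycloakSession;
    }
}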
