package de.governikus.autent.eudiwallet.mdl.verifier;

import com.authlete.cbor.CBORByteArray;
import com.authlete.cbor.CBORItem;
import com.authlete.cbor.CBORItemList;
import com.authlete.cbor.CBORPair;
import com.authlete.cbor.CBORParser;
import com.authlete.cose.COSEKey;
import com.authlete.cose.COSEMac0;
import com.authlete.cose.COSESign1;
import com.authlete.cose.COSEUnprotectedHeader;
import com.authlete.cose.COSEVerifier;
import de.governikus.autent.eudiwallet.mdl.MdocConstants;
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.time.Instant;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.thymeleaf.engine.XMLDeclaration;

/* loaded from: input_file:BOOT-INF/lib/eudi-wallet-mdl-utils-0.2.0.jar:de/governikus/autent/eudiwallet/mdl/verifier/MdocResponseParser.class */
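/**
 * Parses a base64url-encoded mdoc response into a {@code ParsedMdocResponse} and checks its
 * cryptographic bindings (IssuerAuth signature, DeviceSigned MAC).
 *
 * <p>Parsing is best-effort: each section (document, issuerSigned, deviceSigned) is parsed in its
 * own try/catch so that a failure in one part is logged and the remaining parts are still
 * filled. {@link #isMdocValid} therefore relies on {@code ParsedMdocResponse.isComplete()} to
 * reject partially parsed responses before any verification is attempted.
 */
public class MdocResponseParser {
    private static final Logger log = LoggerFactory.getLogger(MdocResponseParser.class);

    // MSO "version" field and the only value this parser accepts. The decompiled source carried
    // these two strings as org.thymeleaf.engine.XMLDeclaration constants ("version" / "1.0"),
    // which is a constant-inlining artifact, not a real dependency on Thymeleaf.
    private static final String MSO_VERSION_KEY = "version";
    private static final String MSO_SUPPORTED_VERSION = "1.0";

    /**
     * Checks the IssuerAuth signature and the DeviceSigned MAC of a parsed mdoc response.
     *
     * @param parsedMdocResponse result of {@link #parseMdoc(String)}; {@code null} or an
     *     incomplete response yields {@code false}
     * @param eCPrivateKey the verifier's private key, handed to {@code MacValidator.setVerifierPrivateKey}
     * @param str first session-transcript component, forwarded unchanged to {@code MacValidator.setSessionTranscript}
     * @param str2 second session-transcript component
     * @param str3 third session-transcript component
     * @param str4 fourth session-transcript component
     * @return {@code true} only if the response is complete and both checks pass; every
     *     failure (including unexpected exceptions) is logged at WARN and yields {@code false}
     */
    public static boolean isMdocValid(ParsedMdocResponse parsedMdocResponse, ECPrivateKey eCPrivateKey, String str, String str2, String str3, String str4) {
        if (parsedMdocResponse == null || !parsedMdocResponse.isComplete()) {
            return false;
        }
        try {
            validateIssuerAuth(parsedMdocResponse.getIssuerAuth(), parsedMdocResponse.getX5chain());
            validateMac(parsedMdocResponse, eCPrivateKey, str, str2, str3, str4);
            return true;
        } catch (Exception e) {
            // Deliberately broad: any failure in verification means "not valid", never an exception
            // to the caller. The cause is kept in the log for diagnostics.
            log.warn("Validation of mdoc document failed", e);
            return false;
        }
    }

    /**
     * Verifies the COSE_Sign1 signature of IssuerAuth with the public key of the last certificate
     * in the x5chain.
     *
     * @param issuerAuth the IssuerAuth structure
     * @param x5chain certificates extracted from the IssuerAuth unprotected header
     * @throws MdocValidationException if the chain is empty or the signature does not verify
     */
    private static void validateIssuerAuth(COSESign1 issuerAuth, List<X509Certificate> x5chain) {
        if (x5chain == null || x5chain.isEmpty()) {
            throw new MdocValidationException("No certificate available in x5chain to verify IssuerAuth");
        }
        // NOTE(review): only the signature is checked here, with a key taken from the document's
        // own unprotected header. No path validation against a configured trust anchor is
        // performed in this class — confirm that it happens elsewhere before relying on the result.
        // RFC 9360 orders x5chain end-entity first, so getLast() assumes either a single-certificate
        // chain or a leaf-last ordering — confirm against the issuer's chain layout.
        X509Certificate signerCertificate = x5chain.getLast();
        if (!new COSEVerifier(signerCertificate.getPublicKey()).verify(issuerAuth)) {
            throw new MdocValidationException("Signature on IssuerAuth could not be verified");
        }
    }

    /**
     * Recomputes the DeviceSigned MAC via {@code MacValidator} and compares it with the MAC
     * carried in the response.
     *
     * @throws MdocValidationException if the MAC does not verify
     */
    private static void validateMac(ParsedMdocResponse parsedMdocResponse, ECPrivateKey eCPrivateKey, String str, String str2, String str3, String str4) {
        MacValidator macValidator = new MacValidator();
        macValidator.setVerifierPrivateKey(eCPrivateKey);
        macValidator.setSessionTranscript(str, str2, str3, str4);
        macValidator.setExternalMac(parsedMdocResponse.getMac());
        // The setter is named "issuer" public key but receives the device key from the MSO;
        // presumably a naming mismatch in MacValidator — verify against its implementation.
        macValidator.setIssuerPublicKey(parsedMdocResponse.getDevicePublicKey());
        macValidator.setDeviceNameSpaceBytes(parsedMdocResponse.getNameSpaceBytes());
        if (!macValidator.isExternalMacValid()) {
            throw new MdocValidationException("MAC value in DeviceSigned could not be verified");
        }
    }

    /**
     * Parses a base64url-encoded CBOR mdoc document.
     *
     * <p>Never throws: if the document itself cannot be decoded an empty response is returned;
     * if only the issuerSigned or deviceSigned part fails, that part is logged and left unset.
     * Callers must check {@code ParsedMdocResponse.isComplete()}.
     *
     * @param str base64url-encoded CBOR document
     * @return a possibly partially filled response, never {@code null}
     */
    public static ParsedMdocResponse parseMdoc(String str) {
        ParsedMdocResponse response = new ParsedMdocResponse();
        Map<String, Object> document;
        try {
            document = parseDocument(str);
        } catch (Exception e) {
            log.error("Failed to parse mdoc document", e);
            return response;
        }
        try {
            populateIssuerSigned(response, document.get("issuerSigned"));
        } catch (Exception e) {
            log.error("Failed to parse issuer auth", e);
        }
        try {
            populateDeviceSigned(response, asMap(document.get("deviceSigned")));
        } catch (Exception e) {
            log.error("Failed to parse device signed", e);
        }
        log.debug("successfully parsed mdoc response");
        return response;
    }

    /** Fills IssuerAuth, x5chain and the device public key (from the MSO) into the response. */
    private static void populateIssuerSigned(ParsedMdocResponse response, Object issuerSigned) {
        COSESign1 issuerAuth = parseIssuerAuthIntoCoseSign1(issuerSigned);
        response.setIssuerAuth(issuerAuth);
        response.setX5chain(extractX5Chain(issuerAuth.getUnprotectedHeader()));
        Map<String, Object> mso = parseMobileSecurityObject(issuerAuth);
        validateMobileSecurityObject(mso);
        response.setDevicePublicKey(extractDeviceKey(mso));
    }

    /** Fills nameSpaces bytes, the decoded data for the EUDI doc type and the MAC into the response. */
    private static void populateDeviceSigned(ParsedMdocResponse response, Map<String, Object> deviceSigned) {
        byte[] nameSpaceBytes = (byte[]) deviceSigned.get("nameSpaces");
        if (nameSpaceBytes == null) {
            throw new MdocValidationException("deviceSigned does not contain nameSpaces");
        }
        response.setNameSpaceBytes(nameSpaceBytes);
        Map<String, Object> nameSpaces = asMap(new CBORParser(nameSpaceBytes).next());
        if (log.isDebugEnabled()) {
            log.debug("There is data for the following nameSpace keys: {}", String.join(",", nameSpaces.keySet()));
        }
        response.setData(asMap(nameSpaces.get(MdocConstants.EUDI_DOC_TYPE)));
        response.setMac(extractMacValue(deviceSigned));
    }

    /**
     * Decodes the outer CBOR document and checks its docType.
     *
     * @throws MdocValidationException if the docType is not {@code MdocConstants.EUDI_DOC_TYPE}
     */
    private static Map<String, Object> parseDocument(String str) {
        Map<String, Object> document = asMap(new CBORParser(Base64.getUrlDecoder().decode(str)).next());
        if (MdocConstants.EUDI_DOC_TYPE.equals(document.get("docType"))) {
            return document;
        }
        throw new MdocValidationException("mdoc document is not of doctype eu.europa.ec.eudi.pid.1");
    }

    /** Builds the COSE_Sign1 from the {@code issuerAuth} entry of the issuerSigned map. */
    @SuppressWarnings("unchecked")
    private static COSESign1 parseIssuerAuthIntoCoseSign1(Object issuerSigned) {
        return COSESign1.build((List<Object>) asMap(issuerSigned).get("issuerAuth"));
    }

    /**
     * Decodes the IssuerAuth payload (a byte string wrapping the CBOR-encoded MSO) into a map.
     *
     * @throws MdocValidationException if the payload is not a byte string
     */
    private static Map<String, Object> parseMobileSecurityObject(COSESign1 issuerAuth) {
        Object payload = issuerAuth.getPayload();
        if (!(payload instanceof CBORByteArray payloadBytes)) {
            throw new MdocValidationException("IssuerAuth payload is not a byte string");
        }
        return asMap(new CBORParser(payloadBytes.getValue()).next());
    }

    /** Currently unused; kept for callers that verify against an explicit key. */
    private static boolean isSignatureOnIssuerAuthValid(COSESign1 cOSESign1, ECPublicKey eCPublicKey) {
        return new COSEVerifier(eCPublicKey).verify(cOSESign1);
    }

    /**
     * Extracts the x5chain certificates from the IssuerAuth unprotected header.
     *
     * <p>The header must contain exactly one parameter; its value is either a single byte string
     * (one certificate) or an array of byte strings (a chain). Entries that cannot be parsed are
     * skipped. Anything else yields an empty list.
     */
    private static List<X509Certificate> extractX5Chain(COSEUnprotectedHeader header) {
        List<? extends CBORPair> pairs = header.getPairs();
        if (pairs.size() != 1) {
            // NOTE(review): the parameter is picked by position, not by its COSE label (x5chain is
            // label 33 per RFC 9360); a header carrying any additional parameter is rejected as a whole.
            log.warn("issuer auth header does not contain exactly one parameter ({}). x5chain can not be extracted", pairs.size());
            return List.of();
        }
        Object value = pairs.get(0).getValue();
        if (value instanceof CBORByteArray single) {
            X509Certificate certificate = parseCborByteArrayToX509Certificate(single);
            return certificate == null ? List.of() : List.of(certificate);
        }
        if (value instanceof CBORItemList chain) {
            return chain.getItems().stream()
                .filter(CBORByteArray.class::isInstance)
                .map(CBORByteArray.class::cast)
                .map(MdocResponseParser::parseCborByteArrayToX509Certificate)
                .filter(Objects::nonNull)
                .toList();
        }
        return List.of();
    }

    /**
     * Parses a DER-encoded certificate carried in a CBOR byte string.
     *
     * @return the certificate, or {@code null} if the bytes are not a valid X.509 certificate
     */
    public static X509Certificate parseCborByteArrayToX509Certificate(CBORByteArray cBORByteArray) {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(cBORByteArray.getValue()));
        } catch (CertificateException e) {
            log.warn("x5chain entry could not be parsed as X.509 certificate", e);
            return null;
        }
    }

    /**
     * Checks docType, version and validity window of the mobile security object.
     *
     * @throws MdocValidationException on wrong docType or version, missing validityInfo,
     *     a {@code validFrom} in the future or a {@code validUntil} in the past
     */
    private static void validateMobileSecurityObject(Map<String, Object> mso) {
        if (!MdocConstants.EUDI_DOC_TYPE.equals(mso.get("docType"))) {
            throw new MdocValidationException("mobile security object is not of doctype eu.europa.ec.eudi.pid.1");
        }
        if (!MSO_SUPPORTED_VERSION.equals(mso.get(MSO_VERSION_KEY))) {
            throw new MdocValidationException("mobile security object is not of version 1.0");
        }
        Map<String, Object> validityInfo = asMap(mso.get("validityInfo"));
        if (validityInfo == null) {
            throw new MdocValidationException("mobile security object does not contain validityInfo");
        }
        Instant now = Instant.now();
        Instant validFrom = parseInstant(validityInfo.get("validFrom"));
        if (validFrom != null && now.isBefore(validFrom)) {
            throw new MdocValidationException("validity of issuer auth has not started yet");
        }
        // NOTE(review): a missing validUntil is tolerated (as before), i.e. an MSO without an
        // expiry is never rejected on time grounds — confirm this is intended.
        Instant validUntil = parseInstant(validityInfo.get("validUntil"));
        if (validUntil != null && now.isAfter(validUntil)) {
            throw new MdocValidationException("validity of issuer auth has expired");
        }
    }

    /** Parses an ISO-8601 instant held as a String; {@code null} stays {@code null}. */
    private static Instant parseInstant(Object value) {
        // assumes the CBOR decoder yields the tdate as a String — TODO confirm with CBORParser
        return value == null ? null : Instant.parse((String) value);
    }

    /** Builds the device public key from {@code deviceKeyInfo.deviceKey} of the MSO. */
    @SuppressWarnings("unchecked")
    private static ECPublicKey extractDeviceKey(Map<String, Object> mso) {
        Map<String, Object> deviceKeyInfo = asMap(mso.get("deviceKeyInfo"));
        return (ECPublicKey) COSEKey.build((Map<Object, Object>) deviceKeyInfo.get("deviceKey")).createPublicKey();
    }

    /** Returns the raw tag bytes of the COSE_Mac0 in {@code deviceAuth.deviceMac}. */
    @SuppressWarnings("unchecked")
    private static byte[] extractMacValue(Map<String, Object> deviceSigned) {
        Map<String, Object> deviceAuth = asMap(deviceSigned.get("deviceAuth"));
        return COSEMac0.build((List<Object>) deviceAuth.get("deviceMac")).getTag().getValue();
    }

    /**
     * Unchecked view of a decoded CBOR map. Passes {@code null} through unchanged so callers keep
     * the original "missing entry" behaviour; a non-map value fails with ClassCastException.
     */
    @SuppressWarnings("unchecked")
    private static <K, V> Map<K, V> asMap(Object value) {
        return (Map<K, V>) value;
    }
}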
