package de.governikus.autent.eudiwallet.relyingparty.helper;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.util.Base64URL;
import de.governikus.autent.eudiwallet.relyingparty.constants.CredentialFormat;
import de.governikus.autent.eudiwallet.relyingparty.constants.CredentialFormatValueMapper;
import de.governikus.autent.eudiwallet.relyingparty.constants.LevelOfAssurance;
import de.governikus.autent.eudiwallet.relyingparty.controller.TestClientController;
import de.governikus.autent.eudiwallet.relyingparty.helper.PresentationDefinition;
import de.governikus.autent.eudiwallet.relyingparty.model.WorkflowSessionModel;
import jakarta.annotation.PostConstruct;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.time.Instant;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import java.util.stream.Stream;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.ResourceLoader;
import org.springframework.stereotype.Component;
import org.springframework.web.util.UriComponentsBuilder;

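/**
 * Assembles what this relying party hands to the EUDI wallet: the signed Rich Authorization
 * Request (RAR) JWT, the metadata document and the JWKS exposing the client certificate.
 *
 * <p>The EC signing key and the client certificate are loaded once from the configured key store
 * in {@link #init()}. After {@code init()} has run the key material fields are only read.
 */
@Component
public class RelyingPartyHelper {

    /** {@code typ} header value of the request object (the {@code oauth-authz-req+jwt} media type). */
    private static final String RAR_TYP_VAL = "oauth-authz-req+jwt";

    /** {@code aud} claim of the request object; also repeated in the metadata document. */
    public static final String AUD_VAL = "openid4vci://127.0.0.1:24727/wallet";

    private static final String PURPOSE_VAL = "Identity check for registration";

    public static final String CLIENT_ID_VAL = "eudiTestClient";

    /** Claims every presentation request asks for, regardless of configuration. */
    private static final List<String> MANDATORY_REQUESTED_CLAIMS = List.of(
            "family_name", "given_name", "birth_date", "age_over_18",
            "issuance_date", "expiry_date", "issuing_authority", "issuing_country");

    /** Optional claims requested when {@code rp.requested.optional.claim.list} is not configured. */
    private static final List<String> DEFAULT_OPTIONAL_REQUESTED_CLAIMS = List.of(
            "resident_address", "birth_place", "family_name_birth", "given_name_birth",
            "gender", "nationality");

    /** JWS algorithms the relying party accepts on the presented credential. */
    private static final List<String> ACCEPTED_CREDENTIAL_ALGS = List.of(
            JWSAlgorithm.ES256.getName(),
            JWSAlgorithm.RS256.getName(),
            JWSAlgorithm.RS384.getName(),
            JWSAlgorithm.RS512.getName());

    public static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();

    @Value("${rp.input.descriptor.id:seed_credential}")
    private String inputDescriptorId;

    @Value("${rp.key-store}")
    private String rpKeyStoreFileRef;

    @Value("${rp.key-store-type}")
    private String rpKeyStoreType;

    @Value("${rp.key-store-password}")
    private String rpKeyStorePassword;

    @Value("${rp.key-alias}")
    private String rpKeyAlias;

    @Value("${rp.key-password}")
    private String rpKeyPassword;

    /** Extra claims to request; an empty list falls back to {@link #DEFAULT_OPTIONAL_REQUESTED_CLAIMS}. */
    @Value("${rp.requested.optional.claim.list:}")
    private List<String> optionalRequestedClaims;

    private final ResourceLoader resourceLoader;
    private final CredentialFormatValueMapper credentialFormatValueMapper;

    // Populated by init(); used to sign the RAR JWT.
    private ECPrivateKey rpPrivateKey;
    // Populated by init(); published via the JWS header and the JWKS.
    private X509Certificate clientCert;
    // Populated by init(); the x5t#S256 header value of the RAR JWT.
    private Base64URL clientX509CertSHA256Thumbprint;

    /**
     * Creates the helper.
     *
     * @param resourceLoader used to open the key store referenced by {@code rp.key-store}
     * @param credentialFormatValueMapper maps the requested {@link CredentialFormat} to its wire value
     */
    public RelyingPartyHelper(ResourceLoader resourceLoader, CredentialFormatValueMapper credentialFormatValueMapper) {
        this.resourceLoader = Objects.requireNonNull(resourceLoader, "resourceLoader");
        this.credentialFormatValueMapper = Objects.requireNonNull(credentialFormatValueMapper, "credentialFormatValueMapper");
    }

    /**
     * Loads the relying party's EC private key and client certificate from the configured key store
     * and caches the certificate's SHA-256 thumbprint for the JWS header.
     *
     * @throws IllegalStateException if the key store cannot be opened or read, or the configured
     *     alias does not yield an EC private key and an X.509 certificate; the underlying exception
     *     is preserved as the cause
     */
    @PostConstruct
    void init() {
        KeyStore keyStore = loadKeyStore();
        this.rpPrivateKey = loadEcPrivateKey(keyStore);
        this.clientCert = loadClientCertificate(keyStore);
        // NOTE(review): ECKey.parse declares a checked JOSEException that is neither caught nor
        // declared here (nor in createRarJws/getJwks) — confirm how the build handles it.
        this.clientX509CertSHA256Thumbprint = ECKey.parse(this.clientCert).getX509CertSHA256Thumbprint();
    }

    /** Opens the configured key store resource and loads it; the stream is always closed. */
    private KeyStore loadKeyStore() {
        try (InputStream inputStream = this.resourceLoader.getResource(this.rpKeyStoreFileRef).getInputStream()) {
            KeyStore keyStore = KeyStore.getInstance(this.rpKeyStoreType);
            keyStore.load(inputStream, this.rpKeyStorePassword.toCharArray());
            return keyStore;
        } catch (GeneralSecurityException | IOException e) {
            // Only the resource reference is reported; never the passwords.
            throw new IllegalStateException("Failed to load relying party key store '" + this.rpKeyStoreFileRef + "'", e);
        }
    }

    /** Returns the EC private key stored under {@code rp.key-alias}, failing loudly on any other key type. */
    private ECPrivateKey loadEcPrivateKey(KeyStore keyStore) {
        try {
            if (keyStore.getKey(this.rpKeyAlias, this.rpKeyPassword.toCharArray()) instanceof ECPrivateKey ecPrivateKey) {
                return ecPrivateKey;
            }
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Failed to read key '" + this.rpKeyAlias + "' from key store", e);
        }
        throw new IllegalStateException("Key '" + this.rpKeyAlias + "' is missing or is not an EC private key");
    }

    /** Returns the X.509 certificate stored under {@code rp.key-alias}. */
    private X509Certificate loadClientCertificate(KeyStore keyStore) {
        try {
            if (keyStore.getCertificate(this.rpKeyAlias) instanceof X509Certificate certificate) {
                return certificate;
            }
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Failed to read certificate '" + this.rpKeyAlias + "' from key store", e);
        }
        throw new IllegalStateException("Certificate '" + this.rpKeyAlias + "' is missing or is not an X.509 certificate");
    }

    /**
     * Builds and signs the RAR request object for one wallet session.
     *
     * <p>The header carries {@code ES256}, the {@code oauth-authz-req+jwt} type, the client
     * certificate's SHA-256 thumbprint and the public JWK parsed from that certificate, so the
     * wallet can identify the signing key.
     *
     * @param uriComponentsBuilder base of the relying party's own URLs (response and metadata endpoints)
     * @param levelOfAssurance requested level of assurance, emitted as {@code acr_values}
     * @param workflowSessionModel per-session state, nonce and ephemeral public key
     * @return the signed JWS
     */
    public JWSObject createRarJws(UriComponentsBuilder uriComponentsBuilder,
                                  LevelOfAssurance levelOfAssurance,
                                  WorkflowSessionModel workflowSessionModel) {
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.ES256)
                .x509CertSHA256Thumbprint(this.clientX509CertSHA256Thumbprint)
                .type(new JOSEObjectType(RAR_TYP_VAL))
                .jwk(JWK.parse(this.clientCert))
                .build();
        Payload payload = new Payload(getRarPayload(uriComponentsBuilder, levelOfAssurance, workflowSessionModel));
        JWSObject jwsObject = new JWSObject(header, payload);
        jwsObject.sign(new ECDSASigner(this.rpPrivateKey));
        return jwsObject;
    }

    /** Serialises the RAR claims set for the given session as a JSON string. */
    private String getRarPayload(UriComponentsBuilder uriComponentsBuilder,
                                 LevelOfAssurance levelOfAssurance,
                                 WorkflowSessionModel workflowSessionModel) {
        ObjectNode claims = OBJECT_MAPPER.createObjectNode();
        claims.put("aud", AUD_VAL);
        // NOTE(review): RFC 7519 defines iat as a NumericDate in *seconds*; this emits
        // milliseconds. Confirm what the wallet expects before changing, as it affects interop.
        claims.put("iat", Instant.now().toEpochMilli());
        ECKey rpEphemeralKey = new ECKey.Builder(Curve.P_256, workflowSessionModel.getRpEphPub()).build();
        claims.set("rp_eph_pub", OBJECT_MAPPER.valueToTree(rpEphemeralKey.toJSONObject()));
        claims.put("acr_values", levelOfAssurance.toString());
        claims.set("presentation_definition", getPresentationDefinition(workflowSessionModel.getRequestedCredentialFormat()));
        claims.put("purpose", PURPOSE_VAL);
        claims.put(TestClientController.STATE_NAME, workflowSessionModel.getState());
        claims.put("nonce", workflowSessionModel.getNonce());
        claims.put("response_uri", buildUriPath(uriComponentsBuilder, TestClientController.AUTH_RESPONSE));
        claims.put("metadata_url", buildUriPath(uriComponentsBuilder, TestClientController.METADATA));
        return claims.toString();
    }

    /**
     * Builds the relying party metadata document: audience, authorization response URL and JWKS URL.
     *
     * @param uriComponentsBuilder base of the relying party's own URLs
     * @return the metadata as a JSON string
     */
    public String getMetadata(UriComponentsBuilder uriComponentsBuilder) {
        ObjectNode metadata = OBJECT_MAPPER.createObjectNode();
        metadata.put("aud", AUD_VAL);
        metadata.put("auth_response_url", buildUriPath(uriComponentsBuilder, TestClientController.AUTH_RESPONSE));
        metadata.put("jwks_uri", buildUriPath(uriComponentsBuilder, TestClientController.JWKS));
        return metadata.toString();
    }

    /**
     * Returns the JWK set published by this relying party: a single entry holding the public JWK
     * parsed from the client certificate.
     *
     * @return the JWKS as a JSON array string
     */
    public String getJwks() {
        ArrayNode keys = OBJECT_MAPPER.createArrayNode();
        keys.add(OBJECT_MAPPER.valueToTree(JWK.parse(this.clientCert).toJSONObject()));
        return keys.toString();
    }

    /**
     * Builds the presentation definition with a single input descriptor for the given credential format.
     *
     * @param credentialFormat the credential format the wallet is asked to present
     * @return the presentation definition as a JSON object node
     */
    private ObjectNode getPresentationDefinition(CredentialFormat credentialFormat) {
        PresentationDefinition.InputDescriptor.InputDescriptorBuilder inputDescriptorBuilder =
                PresentationDefinition.InputDescriptor.builder()
                        .id(this.inputDescriptorId)
                        .name("Default descriptors for relying party")
                        .purpose("Test case of the relying party")
                        .format(this.credentialFormatValueMapper.getFormatValue(credentialFormat))
                        .alg(ACCEPTED_CREDENTIAL_ALGS)
                        .requestedAttributes(requestedClaims());
        PresentationDefinition.PresentationDefinitionBuilder builder = PresentationDefinition.builder();
        // A fresh id per request keeps definitions distinguishable across sessions.
        builder.id(UUID.randomUUID().toString());
        builder.inputDescriptor(inputDescriptorBuilder.build());
        return builder.build().getAsJson();
    }

    /** Mandatory claims followed by the configured (or default) optional claims. */
    private List<String> requestedClaims() {
        List<String> optional = (this.optionalRequestedClaims == null || this.optionalRequestedClaims.isEmpty())
                ? DEFAULT_OPTIONAL_REQUESTED_CLAIMS
                : this.optionalRequestedClaims;
        return Stream.concat(MANDATORY_REQUESTED_CLAIMS.stream(), optional.stream()).toList();
    }

    /**
     * Appends {@code path} to a copy of the builder and renders the full URL.
     *
     * @param uriComponentsBuilder base URL builder; left unmodified (a clone is used)
     * @param path path segment to append
     * @return the resulting URL string
     */
    public String buildUriPath(UriComponentsBuilder uriComponentsBuilder, String path) {
        return uriComponentsBuilder.cloneBuilder().path(path).build().toString();
    }
}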
