package de.governikus.identification.report.jwt;

import com.nimbusds.jose.Header;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Objects;
import java.util.Optional;

/* loaded from: input_file:de/governikus/identification/report/jwt/JwtHandler.class */
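public class JwtHandler {
    // NOTE(review): this listing is decompiled output. Several calls below
    // (SignedJWT.parse, JWSVerifier.verify, JWSSigner.sign,
    // DefaultJWSSignerFactory.createJWSSigner, MessageDigest.getInstance,
    // X509Certificate.getEncoded) throw checked exceptions that are not
    // declared on these methods; the original presumably used Lombok's
    // @SneakyThrows. Propagation is left unchanged so callers keep seeing the
    // same exception types.

    /**
     * Signing key. May be {@code null} for a verify-only handler; {@link #createJws(String)}
     * then fails inside Nimbus because the JWK carries no private part.
     */
    private final PrivateKey privateKey;

    /**
     * Certificate whose public key is the only key ever used to verify a JWS and whose
     * DER encoding feeds the {@code x5t#S256} header of JWS we create. Every operation
     * dereferences it, so it must be non-null in practice.
     */
    private final X509Certificate certificate;

    /** Builder for {@link JwtHandler} (originally Lombok-generated). */
    public static class JwtHandlerBuilder {
        private PrivateKey privateKey;
        private X509Certificate certificate;

        JwtHandlerBuilder() {
        }

        /** Sets the signing key; optional for a verify-only handler. */
        public JwtHandlerBuilder privateKey(PrivateKey privateKey) {
            this.privateKey = privateKey;
            return this;
        }

        /** Sets the certificate used for verification and for the x5t#S256 header. */
        public JwtHandlerBuilder certificate(X509Certificate x509Certificate) {
            this.certificate = x509Certificate;
            return this;
        }

        public JwtHandler build() {
            return new JwtHandler(this.privateKey, this.certificate);
        }

        /**
         * Diagnostic representation. The private key is deliberately redacted: the
         * original concatenated the {@link PrivateKey} object, and some JCA
         * implementations (the JDK's SunRsaSign RSA private key, for one) include the
         * private exponent in {@code toString()}, so a logged builder could leak the
         * signing key.
         */
        @Override
        public String toString() {
            String keyDescription = this.privateKey == null
                    ? "null"
                    : "[REDACTED " + this.privateKey.getAlgorithm() + "]";
            return "JwtHandler.JwtHandlerBuilder(privateKey=" + keyDescription + ", certificate=" + this.certificate + ")";
        }
    }

    /**
     * Which cryptographic operation produced a {@link PlainJwtData}. Only
     * {@link #SIGNATURE_VERIFIED} is ever produced by this handler; {@link #DECRYPTED}
     * is declared but {@link #handleJwt(String)} rejects JWE input.
     */
    public enum OperationExecuted {
        SIGNATURE_VERIFIED,
        DECRYPTED
    }

    /** Header and payload of a JWS whose signature has been verified. */
    public static class PlainJwtData {
        private final OperationExecuted operationExecuted;
        private final Header header;
        private final Payload body;

        /** Builder for {@link PlainJwtData} (originally Lombok-generated). */
        public static class PlainJwtDataBuilder {
            private OperationExecuted operationExecuted;
            private Header header;
            private Payload body;

            PlainJwtDataBuilder() {
            }

            public PlainJwtDataBuilder operationExecuted(OperationExecuted operationExecuted) {
                this.operationExecuted = operationExecuted;
                return this;
            }

            public PlainJwtDataBuilder header(Header header) {
                this.header = header;
                return this;
            }

            public PlainJwtDataBuilder body(Payload payload) {
                this.body = payload;
                return this;
            }

            public PlainJwtData build() {
                return new PlainJwtData(this.operationExecuted, this.header, this.body);
            }

            @Override
            public String toString() {
                return "JwtHandler.PlainJwtData.PlainJwtDataBuilder(operationExecuted=" + this.operationExecuted + ", header=" + this.header + ", body=" + this.body + ")";
            }
        }

        PlainJwtData(OperationExecuted operationExecuted, Header header, Payload payload) {
            this.operationExecuted = operationExecuted;
            this.header = header;
            this.body = payload;
        }

        public static PlainJwtDataBuilder builder() {
            return new PlainJwtDataBuilder();
        }

        public OperationExecuted getOperationExecuted() {
            return this.operationExecuted;
        }

        /** The parsed JWS header. Its key-related fields were NOT used to select the verification key. */
        public Header getHeader() {
            return this.header;
        }

        /**
         * The raw, signature-verified payload. No claims (exp, nbf, aud, iss, ...) have
         * been validated by this handler; the caller must do that.
         */
        public Payload getBody() {
            return this.body;
        }
    }

    /**
     * @param privateKey     signing key, may be {@code null} for a verify-only handler
     * @param x509Certificate certificate used as the pinned verification key and for x5t#S256
     */
    public JwtHandler(PrivateKey privateKey, X509Certificate x509Certificate) {
        this.privateKey = privateKey;
        this.certificate = x509Certificate;
    }

    /**
     * Signs an arbitrary string as a compact JWS. The algorithm is derived from the
     * certificate's key type (see {@link #selectSignatureAlgorithm()}) and the header
     * carries the certificate's SHA-256 thumbprint ({@code x5t#S256}).
     *
     * @param str payload, used verbatim (not necessarily a JSON claims set)
     * @return the compact serialization {@code header.payload.signature}
     * @throws IllegalArgumentException for unsupported key types or EC key sizes
     */
    public String createJws(String str) {
        JWSAlgorithm algorithm = selectSignatureAlgorithm();
        return createSignedJwt(buildJwsHeader(algorithm), str);
    }

    /**
     * Verifies a compact JWS against the configured certificate and returns its
     * header and payload.
     *
     * <p>Security notes: only three-part compact JWS are accepted (JWE is rejected);
     * the verification key is always {@code certificate.getPublicKey()} — the header's
     * {@code jwk}, {@code jku}, {@code x5c}, {@code x5u} and {@code kid} fields are
     * never used to resolve a key; and no claims validation happens here.
     *
     * @param str compact JWS
     * @throws IllegalStateException    if the input is not a three-part JWS, or the signature is invalid
     * @throws IllegalArgumentException if the header's {@code alg} is not an RSA/EC family
     *                                  algorithm matching the certificate's key type
     */
    public PlainJwtData handleJwt(String str) {
        Objects.requireNonNull(str, "jwt");
        // String.split drops trailing empty parts, so "a.b." yields 2 parts and is
        // rejected here; SignedJWT.parse re-validates the structure anyway.
        if (str.split("\\.").length != 3) {
            throw new IllegalStateException("Unsupported JWT. Only compact JWS structures are supported for signature verification.");
        }
        return verifySignature(str);
    }

    /** Header with {@code alg} and the certificate's {@code x5t#S256} thumbprint. */
    private JWSHeader buildJwsHeader(JWSAlgorithm jWSAlgorithm) {
        return new JWSHeader.Builder(jWSAlgorithm)
                .x509CertSHA256Thumbprint(getSha256Thumbprint())
                .build();
    }

    /**
     * Maps the certificate's key type to a JWS algorithm: RSA → RS512; EC → ES256/ES384/ES512
     * by order bit length (256/384/521).
     *
     * <p>NOTE(review): no minimum RSA modulus size is enforced — a weak RSA certificate
     * would still be used with RS512; consider rejecting keys below 2048 bits. For EC,
     * the mapping is by size only; a 256-bit key on a non-P-256 curve would be labelled
     * ES256 here and (presumably) rejected later by the Nimbus signer's curve check.
     */
    private JWSAlgorithm selectSignatureAlgorithm() {
        PublicKey publicKey = this.certificate.getPublicKey();
        String keyType = publicKey.getAlgorithm();
        switch (keyType) {
            case "RSA":
                return JWSAlgorithm.RS512;
            case "EC": {
                Integer keyLength = getKeyLength();
                switch (keyLength.intValue()) {
                    case 256:
                        return JWSAlgorithm.ES256;
                    case 384:
                        return JWSAlgorithm.ES384;
                    case 521:
                        return JWSAlgorithm.ES512;
                    default:
                        throw new IllegalArgumentException(String.format("Unsupported key length for EC key type: %s-bit", keyLength));
                }
            }
            default:
                throw new IllegalArgumentException(String.format("Unsupported key type '%s'", keyType));
        }
    }

    /** SHA-256 over the certificate's DER encoding, i.e. the {@code x5t#S256} value (RFC 7515 §4.1.8). */
    private Base64URL getSha256Thumbprint() {
        byte[] der = this.certificate.getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        return Base64URL.encode(digest);
    }

    /**
     * Parses and verifies a compact JWS with the pinned certificate key.
     *
     * @throws IllegalStateException if the signature does not verify
     */
    private PlainJwtData verifySignature(String str) {
        SignedJWT signedJwt = SignedJWT.parse(str);
        // The verifier is built from the certificate only; the (untrusted) header merely
        // selects the RSA or EC family, so "none" and HMAC algorithms can never verify.
        JWSVerifier verifier = getVerifier(signedJwt.getHeader());
        if (!signedJwt.verify(verifier)) {
            throw new IllegalStateException("Signature validation has failed with signature key");
        }
        return PlainJwtData.builder()
                .operationExecuted(OperationExecuted.SIGNATURE_VERIFIED)
                .header(signedJwt.getHeader())
                .body(signedJwt.getPayload())
                .build();
    }

    /**
     * Builds the JWS signing input (RFC 7515 §5.1), signs it and serializes the result.
     * The same base64url payload is used for signing and for the serialized token.
     */
    private String createSignedJwt(JWSHeader jWSHeader, String str) {
        Base64URL encodedHeader = jWSHeader.toBase64URL();
        Base64URL encodedPayload = new Payload(str).toBase64URL();
        byte[] signingInput = (encodedHeader.toString() + "." + encodedPayload.toString())
                .getBytes(StandardCharsets.UTF_8);
        Base64URL signature = new DefaultJWSSignerFactory()
                .createJWSSigner(toJwk(), jWSHeader.getAlgorithm())
                .sign(jWSHeader, signingInput);
        return new SignedJWT(encodedHeader, encodedPayload, signature).serialize();
    }

    /**
     * Converts the certificate key (plus the private key, if present) to a JWK for the
     * Nimbus signer factory.
     *
     * @throws IllegalArgumentException for key types other than RSA/EC (the original
     *                                  returned {@code null} here, which would surface as
     *                                  an NPE inside the signer factory)
     */
    private JWK toJwk() {
        String keyType = this.certificate.getPublicKey().getAlgorithm();
        switch (keyType) {
            case "RSA":
                return toRsaJwk();
            case "EC":
                return toEcJwk();
            default:
                throw new IllegalArgumentException(String.format("Unsupported key type '%s'", keyType));
        }
    }

    /** EC JWK; Nimbus rejects the build if the curve is not one it knows. */
    private ECKey toEcJwk() {
        ECPublicKey ecPublicKey = (ECPublicKey) this.certificate.getPublicKey();
        Curve curve = Curve.forECParameterSpec(ecPublicKey.getParams());
        ECKey.Builder builder = new ECKey.Builder(curve, ecPublicKey);
        if (this.privateKey != null) {
            builder.privateKey(this.privateKey);
        }
        return builder.build();
    }

    /** RSA JWK, with the private part attached when a private key is configured. */
    private RSAKey toRsaJwk() {
        RSAKey.Builder builder = new RSAKey.Builder((RSAPublicKey) this.certificate.getPublicKey());
        if (this.privateKey != null) {
            builder.privateKey(this.privateKey);
        }
        return builder.build();
    }

    /**
     * Chooses a verifier for the header's {@code alg}, always keyed with the
     * certificate's public key. The algorithm family must match the key type; a
     * mismatch is reported as {@link IllegalArgumentException} rather than surfacing as
     * a {@link ClassCastException} from the key cast.
     *
     * <p>NOTE(review): the header alg is only restricted to the family of the pinned key,
     * not pinned to the exact algorithm {@link #selectSignatureAlgorithm()} would pick
     * (e.g. RS256 is accepted for an RSA certificate). Tightening that is a policy
     * decision that could break peers — left unchanged.
     */
    private JWSVerifier getVerifier(JWSHeader jWSHeader) {
        JWSAlgorithm algorithm = jWSHeader.getAlgorithm();
        PublicKey publicKey = this.certificate.getPublicKey();
        if (JWSAlgorithm.Family.RSA.contains(algorithm)) {
            if (!(publicKey instanceof RSAPublicKey)) {
                throw new IllegalArgumentException(String.format("Algorithm '%s' does not match the %s verification key", algorithm, publicKey.getAlgorithm()));
            }
            return new RSASSAVerifier((RSAPublicKey) publicKey);
        }
        if (JWSAlgorithm.Family.EC.contains(algorithm)) {
            if (!(publicKey instanceof ECPublicKey)) {
                throw new IllegalArgumentException(String.format("Algorithm '%s' does not match the %s verification key", algorithm, publicKey.getAlgorithm()));
            }
            return new ECDSAVerifier((ECPublicKey) publicKey);
        }
        // Covers "none", HMAC and anything else: never verifiable with a certificate key.
        throw new IllegalArgumentException(String.format("Unsupported algorithm found '%s'", algorithm));
    }

    /**
     * Key size of the certificate key: RSA modulus bit length, or the EC group order bit
     * length (256/384/521 for the NIST curves).
     */
    private Integer getKeyLength() {
        PublicKey publicKey = this.certificate.getPublicKey();
        String keyType = publicKey.getAlgorithm();
        switch (keyType) {
            case "RSA":
                return Integer.valueOf(((RSAPublicKey) publicKey).getModulus().bitLength());
            case "EC":
                return Integer.valueOf(((ECPublicKey) publicKey).getParams().getOrder().bitLength());
            default:
                throw new IllegalStateException(String.format("Not supporting keys of type '%s'", keyType));
        }
    }

    public static JwtHandlerBuilder builder() {
        return new JwtHandlerBuilder();
    }
}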
