package io.mosip.authentication.common.service.util;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import io.mosip.authentication.core.constant.IdAuthenticationErrorConstants;
import io.mosip.authentication.core.exception.IdAuthenticationBusinessException;
import io.mosip.authentication.core.logger.IdaLogger;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.core.util.DateUtils;
import io.mosip.kernel.keymanagerservice.util.KeymanagerUtil;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.util.Date;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.apache.commons.codec.binary.Hex;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

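@Component
/**
 * Verifies a key-binded "WLA" token (a JWS) presented during authentication against the
 * certificates previously bound to the individual.
 *
 * Trust boundary: nothing in the token is trusted until {@link #verifyWLAAsJWT} has verified
 * the RS256 signature. Before that point the header's {@code x5t#S256} thumbprint is used only
 * to pick which of the individual's bound certificates to verify against, and the {@code iat}
 * claim is used only as a cheap freshness pre-check.
 *
 * After signature verification the claims are checked as follows: {@code sub} must equal the
 * request's individualId, {@code aud} must equal the configured audience, {@code exp}/{@code nbf}
 * are enforced by Nimbus' DefaultJWTClaimsVerifier (with its default clock-skew tolerance), and
 * {@code iss}/{@code iat} are only required to be present — the issuer value is NOT checked here.
 *
 * NOTE(review): this class keeps no record of seen tokens (no {@code jti} handling), so replay
 * of a valid token within the iat window is not prevented at this layer — confirm it is handled
 * elsewhere if that matters for the deployment.
 */
public class KeyBindedTokenMatcherUtil {
    /** JWS header carrying the base64url SHA-256 thumbprint of the signing certificate. */
    private static final String X5t_HEADER = "x5t#S256";
    private static final String TOKEN = "token";
    private static final String FORMAT = "format";
    private static final String TYPE = "type";
    private static final String INDIVIDUAL_ID = "individualId";
    private static final String JWT_CONST = "jwt";

    @Autowired
    private KeymanagerUtil keymanagerUtil;

    /** Exact value the token's {@code aud} claim must carry. */
    @Value("${mosip.ida.key.binding.token.audience-id:ida-binding}")
    private String audienceId;

    /**
     * Maximum age, in seconds, of the token's {@code iat} claim. Tokens whose iat lies in the
     * future are rejected outright (no tolerance for client clock drift).
     */
    @Value("${mosip.ida.key.binding.token.iat.adjustment.seconds:30}")
    private int iatAdjSeconds;

    private static final Logger mosipLogger = IdaLogger.getLogger(KeyBindedTokenMatcherUtil.class);

    /** Claims that must be present; of these only "sub" and "aud" are also value-checked. */
    private static final Set<String> REQUIRED_WLA_CLAIMS = new HashSet<>();

    static {
        REQUIRED_WLA_CLAIMS.add("sub");
        REQUIRED_WLA_CLAIMS.add("aud");
        REQUIRED_WLA_CLAIMS.add("exp");
        REQUIRED_WLA_CLAIMS.add("iss");
        REQUIRED_WLA_CLAIMS.add("iat");
    }

    /**
     * Scores a key-binded token: 100 when it verifies, 0 otherwise.
     *
     * @param map  request values: "token" (the compact JWS), "format" (only "jwt" is supported),
     *             "type" (key-binding type used in the certificate lookup key) and "individualId"
     *             (expected {@code sub})
     * @param map2 the individual's bound certificates, keyed by
     *             {@code <UPPER-CASE HEX SHA-256 thumbprint>-<TYPE>} (key upper-cased as a whole),
     *             with values in the form accepted by {@code KeymanagerUtil.convertToCertificate}
     * @param map3 unused
     * @return 100.0 when the token is valid for this individual, else 0.0
     * @throws IdAuthenticationBusinessException when the token or its {@code x5t#S256} header is
     *         missing, the iat is outside the allowed window, or no bound certificate matches
     */
    public double match(Map<String, String> map, Map<String, String> map2, Map<String, Object> map3)
            throws IdAuthenticationBusinessException {
        return validateBindedToken(map, map2) ? 100.0d : 0.0d;
    }

    /**
     * Runs the pre-signature checks (token present, thumbprint header present, iat fresh,
     * bound certificate found) and then delegates to the format-specific verifier.
     *
     * @return true only when the token's signature and claims verify; false for an unparseable
     *         token or an unsupported format
     * @throws IdAuthenticationBusinessException for a missing token, a missing x5t#S256 header,
     *         a stale/future iat, or an unknown thumbprint/type combination
     */
    private boolean validateBindedToken(Map<String, String> reqValues, Map<String, String> bindedCerts)
            throws IdAuthenticationBusinessException {
        String token = reqValues.get(TOKEN);
        String format = reqValues.get(FORMAT);
        String type = reqValues.get(TYPE);
        String individualId = reqValues.get(INDIVIDUAL_ID);

        // A missing token used to surface as a NullPointerException out of the JWT parser;
        // report it as a missing input like the other pre-checks do.
        if (Objects.isNull(token) || token.trim().isEmpty()) {
            mosipLogger.error("sessionId", getClass().getSimpleName(), "",
                    String.format(IdAuthenticationErrorConstants.MISSING_INPUT_PARAMETER.getErrorMessage(), TOKEN));
            throw new IdAuthenticationBusinessException(
                    IdAuthenticationErrorConstants.MISSING_INPUT_PARAMETER.getErrorCode(),
                    String.format(IdAuthenticationErrorConstants.MISSING_INPUT_PARAMETER.getErrorMessage(), TOKEN));
        }

        try {
            // SignedJWT.parse rejects unsigned (alg=none) and encrypted tokens with a
            // ParseException, so they land in the catch below instead of failing with a
            // ClassCastException from a generic JWTParser.parse result.
            SignedJWT signedJwt = SignedJWT.parse(token);
            JWSHeader header = signedJwt.getHeader();

            // The header is still unverified here: the thumbprint only selects which bound
            // certificate the signature will later be checked against.
            if (Objects.isNull(header.getX509CertSHA256Thumbprint())) {
                // NOTE: the logged text uses MISSING_INPUT_PARAMETER while the thrown code is
                // INVALID_INPUT_PARAMETER; kept as-is because callers may match on the code.
                mosipLogger.error("sessionId", getClass().getSimpleName(), "",
                        String.format(IdAuthenticationErrorConstants.MISSING_INPUT_PARAMETER.getErrorMessage(), X5t_HEADER));
                throw new IdAuthenticationBusinessException(
                        IdAuthenticationErrorConstants.INVALID_INPUT_PARAMETER.getErrorCode(),
                        String.format(IdAuthenticationErrorConstants.INVALID_INPUT_PARAMETER.getErrorMessage(), X5t_HEADER));
            }

            // Freshness pre-check on the (still unverified) iat; a missing iat is treated as
            // expired rather than dereferencing null.
            if (!isIatWithinAllowedTime(signedJwt.getJWTClaimsSet().getIssueTime())) {
                mosipLogger.error("sessionId", getClass().getSimpleName(), "",
                        IdAuthenticationErrorConstants.BINDED_TOKEN_EXPIRED.getErrorMessage());
                throw new IdAuthenticationBusinessException(
                        IdAuthenticationErrorConstants.BINDED_TOKEN_EXPIRED.getErrorCode(),
                        IdAuthenticationErrorConstants.BINDED_TOKEN_EXPIRED.getErrorMessage());
            }

            // Lookup key must match however the binding side stored it: upper-case hex thumbprint,
            // "-", type, the whole thing upper-cased.
            String thumbprintHex = Hex.encodeHexString(header.getX509CertSHA256Thumbprint().decode()).toUpperCase();
            String certificate = bindedCerts.get((thumbprintHex + "-" + type).toUpperCase());
            if (Objects.isNull(certificate)) {
                mosipLogger.error("sessionId", getClass().getSimpleName(), "",
                        String.format(IdAuthenticationErrorConstants.BINDED_KEY_NOT_FOUND.getErrorMessage(), thumbprintHex, type));
                throw new IdAuthenticationBusinessException(
                        IdAuthenticationErrorConstants.BINDED_KEY_NOT_FOUND.getErrorCode(),
                        String.format(IdAuthenticationErrorConstants.BINDED_KEY_NOT_FOUND.getErrorMessage(), thumbprintHex, type));
            }

            // Null-safe comparison: an absent format is "not a JWT", not an NPE.
            if (JWT_CONST.equalsIgnoreCase(format)) {
                return verifyWLAAsJWT(individualId, signedJwt, certificate);
            }
            return false;
        } catch (ParseException e) {
            mosipLogger.error("sessionId", new Object[]{getClass().getSimpleName(), "", "Failed to verify WLA token", e});
            return false;
        }
    }

    /**
     * Verifies the RS256 signature against the bound certificate's public key and then the claims.
     *
     * Only {@code RS256} is accepted, so a header {@code alg} of anything else (including
     * {@code none}) cannot select a verification key. Claims: {@code sub} must equal
     * {@code individualId}, {@code aud} must equal the configured audience (as an exact-match
     * claim, so it is compared as a whole), {@code exp}/{@code nbf} are enforced by the default
     * claims verifier, and {@code iss}/{@code iat} only have to be present.
     *
     * @param individualId expected {@code sub}
     * @param jwt          the parsed signed token
     * @param certificate  the bound certificate selected by thumbprint
     * @return true when signature and claims verify; false (after logging) otherwise
     */
    private boolean verifyWLAAsJWT(String individualId, JWT jwt, String certificate)
            throws IdAuthenticationBusinessException {
        try {
            X509Certificate x509 = (X509Certificate) this.keymanagerUtil.convertToCertificate(certificate);
            JWKSet jwkSet = new JWKSet(RSAKey.parse(x509));
            JWSVerificationKeySelector<SecurityContext> keySelector =
                    new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, new ImmutableJWKSet<>(jwkSet));

            DefaultJWTClaimsVerifier<SecurityContext> claimsVerifier = new DefaultJWTClaimsVerifier<>(
                    new JWTClaimsSet.Builder().audience(this.audienceId).subject(individualId).build(),
                    REQUIRED_WLA_CLAIMS);

            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(keySelector);
            processor.setJWTClaimsSetVerifier(claimsVerifier);
            // Signature is verified before the claims verifier runs.
            processor.process(jwt, null);
            return true;
        } catch (BadJOSEException | JOSEException e) {
            mosipLogger.error("sessionId", new Object[]{getClass().getSimpleName(), "", "Failed to verify WLA token" + e.getMessage(), e});
            return false;
        }
    }

    /**
     * Accepts an {@code iat} that lies within the last {@code iatAdjSeconds} seconds, inclusive.
     *
     * @param issuedAt the token's iat, or null when the claim is absent
     * @return false for a null iat, an iat in the future, or one older than the window
     */
    private boolean isIatWithinAllowedTime(Date issuedAt) {
        // Check for null before touching the value; the original dereferenced it first.
        if (Objects.isNull(issuedAt)) {
            return false;
        }
        // Compare instants directly so the result does not depend on the JVM default time zone.
        long ageSeconds = ChronoUnit.SECONDS.between(issuedAt.toInstant(), Instant.now());
        return ageSeconds >= 0 && ageSeconds <= this.iatAdjSeconds;
    }
}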
