package org.eclipse.edc.identityhub.verifier.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import java.text.ParseException;
import java.util.Set;
import org.eclipse.edc.iam.did.spi.key.PublicKeyWrapper;
import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver;
import org.eclipse.edc.spi.monitor.Monitor;
import org.eclipse.edc.spi.result.Result;

/* loaded from: input_file:org/eclipse/edc/identityhub/verifier/jwt/DidJwtCredentialsVerifier.class */
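/**
 * Verifies JWT credentials against the public key resolved from the issuer's DID.
 *
 * <p>Scope of the checks, as implemented here:
 * <ul>
 *   <li>{@link #isSignedByIssuer(SignedJWT)} proves that the token was signed with the key the
 *       <em>claimed</em> issuer's DID resolves to. It does not decide whether that issuer is
 *       trusted; the caller has to make that decision separately.</li>
 *   <li>{@link #verifyClaims(SignedJWT, String)} requires an {@code iss} claim and an exact
 *       {@code sub} match. No accepted audience is configured, and {@code exp} is not in the
 *       required set, so a token without an expiry is not rejected by this class.</li>
 * </ul>
 */
class DidJwtCredentialsVerifier implements JwtCredentialsVerifier {
    private static final String ISSUER_CLAIM = "iss";
    private final DidPublicKeyResolver didPublicKeyResolver;
    private final Monitor monitor;

    /**
     * Creates a verifier.
     *
     * @param didPublicKeyResolver resolves an issuer DID to the public key used for signature checks
     * @param monitor              sink for warning and debug messages
     */
    public DidJwtCredentialsVerifier(DidPublicKeyResolver didPublicKeyResolver, Monitor monitor) {
        this.didPublicKeyResolver = didPublicKeyResolver;
        this.monitor = monitor;
    }

    /**
     * Checks that the JWT signature validates against the public key of the issuer named in the
     * token's {@code iss} claim.
     *
     * <p>The issuer is read from the token before the signature is checked, so it is untrusted
     * input at the point it is handed to the resolver and written to the log.
     *
     * @param signedJWT the token to check
     * @return success when the signature verifies; otherwise a failure describing whether the
     *         claims could not be parsed, the issuer was missing, the key could not be resolved,
     *         or the signature was invalid
     */
    @Override
    public Result<Void> isSignedByIssuer(SignedJWT signedJWT) {
        String issuer;
        try {
            issuer = signedJWT.getJWTClaimsSet().getIssuer();
        } catch (ParseException e) {
            String message = "Error parsing issuer from JWT";
            monitor.warning(message, e);
            return Result.failure(String.format("%s: %s", message, e.getMessage()));
        }

        // A token without "iss" yields a null issuer. Fail closed here rather than passing null
        // to the resolver, whose behaviour for a null DID is not defined by this class.
        if (issuer == null || issuer.trim().isEmpty()) {
            String message = "JWT does not contain an issuer (iss) claim";
            monitor.warning(message);
            return Result.failure(message);
        }

        Result<PublicKeyWrapper> publicKey = didPublicKeyResolver.resolvePublicKey(issuer);
        if (publicKey.failed()) {
            // NOTE(review): issuer is token-supplied text; confirm the Monitor implementation
            // encodes control characters before writing to line-oriented logs.
            String message = String.format("Failed finding publicKey of issuer: %s", issuer);
            monitor.warning(message);
            return Result.failure(message);
        }
        return verifySignature(signedJWT, publicKey.getContent());
    }

    /**
     * Verifies the token's claims: {@code iss} must be present and {@code sub} must equal
     * {@code str}. Any further checks are those applied by {@link DefaultJWTClaimsVerifier}.
     *
     * <p>This method does not verify the signature; call {@link #isSignedByIssuer(SignedJWT)} as
     * well before relying on any claim.
     *
     * @param signedJWT the token whose claims are checked
     * @param str       the expected subject; NOTE(review): the effect of a {@code null} value
     *                  depends on the claims-verifier library, so callers should always pass a
     *                  non-null subject
     * @return success when the claims are accepted, otherwise a failure carrying the reason
     */
    @Override
    public Result<Void> verifyClaims(SignedJWT signedJWT, String str) {
        JWTClaimsSet claims;
        try {
            claims = signedJWT.getJWTClaimsSet();
        } catch (ParseException e) {
            // The text mentions the issuer although the whole claims set failed to parse; it is
            // kept unchanged because callers may match on it.
            String message = "Error parsing issuer from JWT";
            monitor.warning(message, e);
            return Result.failure(String.format("%s: %s", message, e.getMessage()));
        }

        JWTClaimsSet exactMatchClaims = new JWTClaimsSet.Builder().subject(str).build();
        Set<String> requiredClaims = Set.of(ISSUER_CLAIM);
        try {
            new DefaultJWTClaimsVerifier<>(exactMatchClaims, requiredClaims).verify(claims, null);
        } catch (BadJWTException e) {
            String message = "Failure verifying JWT token";
            monitor.warning(message, e);
            return Result.failure(String.format("%s: %s", message, e.getMessage()));
        }

        monitor.debug(() -> "JWT claims verification successful");
        return Result.success();
    }

    /**
     * Verifies the token signature with the verifier supplied by the resolved public key.
     *
     * @param signedJWT        the token to check
     * @param publicKeyWrapper the issuer key obtained from DID resolution
     * @return success when the signature is valid, otherwise a failure
     */
    private Result<Void> verifySignature(SignedJWT signedJWT, PublicKeyWrapper publicKeyWrapper) {
        try {
            if (!signedJWT.verify(publicKeyWrapper.verifier())) {
                // Logged like every other rejection path so that forged or tampered tokens are
                // visible to whoever monitors this service.
                String message = "Invalid JWT signature";
                monitor.warning(message);
                return Result.failure(message);
            }
        } catch (JOSEException e) {
            String message = "Unable to verify JWT token";
            monitor.warning(message, e);
            return Result.failure(String.format("%s: %s", message, e.getMessage()));
        }

        monitor.debug(() -> "JWT signature verification successful");
        return Result.success();
    }
}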
