package org.eclipse.edc.iam.did.crypto;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import java.text.ParseException;
import java.time.Clock;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Comparator;
import java.util.Date;
import java.util.Set;
import java.util.UUID;
import org.eclipse.edc.iam.did.spi.key.PrivateKeyWrapper;
import org.eclipse.edc.iam.did.spi.key.PublicKeyWrapper;
import org.eclipse.edc.spi.result.Result;

/* loaded from: input_file:org/eclipse/edc/iam/did/crypto/JwtUtils.class */
/**
 * Static helpers for creating and verifying signed JWTs.
 *
 * <p>Security notes for callers, based on what this class does and does not check:
 * <ul>
 *   <li>{@link #verify} compares only the {@code aud} claim against an expected value. {@code iss},
 *       {@code sub} and {@code exp} are only required to be present; this class never compares
 *       {@code iss} or {@code sub} with anything. A caller that resolved the public key from an
 *       identity presumably has to check that {@code iss} names that same identity.</li>
 *   <li>The {@code jti} claim written by {@link #create} is never read back here, so replay
 *       detection, if needed, has to live elsewhere.</li>
 *   <li>Failure results carry the library's exception message verbatim; treat that detail as
 *       diagnostic text when deciding what to return to a remote party.</li>
 * </ul>
 */
public class JwtUtils {
    /** Lifetime, in minutes, of every token minted by {@link #create}. */
    private static final long EXPIRATION_MINUTES = 10L;

    /**
     * Builds a JWT with {@code iss}, {@code sub}, {@code aud}, {@code exp} and {@code jti} claims and
     * signs it with the signer obtained from the given private key.
     *
     * <p>{@code exp} is the clock's current instant plus ten minutes, truncated to whole seconds.
     * {@code jti} is a random UUID. No {@code iat} or {@code nbf} claim is set.
     *
     * @param privateKeyWrapper source of the {@link JWSSigner} used to sign the token
     * @param str value of the {@code iss} (issuer) claim
     * @param str2 value of the {@code sub} (subject) claim
     * @param str3 value of the {@code aud} (audience) claim
     * @param clock clock from which the expiration time is derived
     * @return the signed token
     * @throws CryptoException if the signer offers no algorithm to choose from, or if signing fails
     */
    public static SignedJWT create(PrivateKeyWrapper privateKeyWrapper, String str, String str2, String str3, Clock clock) {
        JWTClaimsSet.Builder claimsBuilder = new JWTClaimsSet.Builder()
                .issuer(str)
                .subject(str2)
                .audience(str3);
        Date expiresAt = Date.from(
                clock.instant()
                        .plus(EXPIRATION_MINUTES, ChronoUnit.MINUTES)
                        .truncatedTo(ChronoUnit.SECONDS));
        JWTClaimsSet claims = claimsBuilder
                .expirationTime(expiresAt)
                .jwtID(UUID.randomUUID().toString())
                .build();

        JWSSigner signer = privateKeyWrapper.signer();
        SignedJWT token = new SignedJWT(new JWSHeader(selectAlgorithm(signer)), claims);
        try {
            token.sign(signer);
        } catch (JOSEException e) {
            throw new CryptoException(e);
        }
        return token;
    }

    /**
     * Verifies the token's signature with the given public key and then checks its claims.
     *
     * <p>The claim check requires {@code aud} to match the expected audience and requires
     * {@code iss}, {@code sub} and {@code exp} to be present. How {@code exp} is evaluated (time
     * source, tolerated clock skew) is decided inside {@link DefaultJWTClaimsVerifier}, not here;
     * NOTE(review): confirm against the Nimbus version in use. No {@link Clock} is passed in, so
     * the injected clock used by {@link #create} plays no part in verification.
     *
     * @param signedJWT token to verify
     * @param publicKeyWrapper source of the verifier used for the signature check
     * @param str expected value of the {@code aud} claim
     * @return a successful result if signature and claims are accepted, otherwise a failure whose
     *     detail names the step that rejected the token
     */
    public static Result<Void> verify(SignedJWT signedJWT, PublicKeyWrapper publicKeyWrapper, String str) {
        // Step 1: signature. Claims are not looked at until the signature has been accepted.
        boolean signatureValid;
        try {
            signatureValid = signedJWT.verify(publicKeyWrapper.verifier());
        } catch (JOSEException e) {
            return Result.failure("Unable to verify JWT token. " + e.getMessage());
        }
        if (!signatureValid) {
            return Result.failure("Invalid signature");
        }

        // Step 2: claims. Only "aud" is compared with an expected value; the other three names are
        // presence requirements.
        JWTClaimsSet expectedClaims = new JWTClaimsSet.Builder().audience(str).build();
        DefaultJWTClaimsVerifier<?> claimsVerifier =
                new DefaultJWTClaimsVerifier<>(expectedClaims, Set.of("iss", "sub", "exp"));
        try {
            claimsVerifier.verify(signedJWT.getJWTClaimsSet(), null);
        } catch (BadJWTException e) {
            return Result.failure("Claim verification failed. " + e.getMessage());
        } catch (ParseException e) {
            return Result.failure("Error verifying JWT token. The payload must represent a valid JSON object and a JWT claims set. " + e.getMessage());
        }
        return Result.success();
    }

    /**
     * Picks the JWS algorithm for the token header: ES256 when the signer supports it, otherwise the
     * supported algorithm that sorts first by its requirement level.
     */
    private static JWSAlgorithm selectAlgorithm(JWSSigner signer) {
        if (signer.supportedJWSAlgorithms().contains(JWSAlgorithm.ES256)) {
            return JWSAlgorithm.ES256;
        }
        return signer.supportedJWSAlgorithms().stream()
                .min(Comparator.comparing(JWSAlgorithm::getRequirement))
                .orElseThrow(() -> new CryptoException("No recommended JWS Algorithms for Private Key Signer " + signer.getClass()));
    }
}
