package org.eclipse.edc.verifiablecredentials.linkeddata;

import com.apicatalog.jsonld.InvalidJsonLdValue;
import com.apicatalog.jsonld.JsonLdReader;
import com.apicatalog.jsonld.json.JsonUtils;
import com.apicatalog.jsonld.loader.DocumentLoader;
import com.apicatalog.jsonld.loader.SchemeRouter;
import com.apicatalog.ld.DocumentError;
import com.apicatalog.ld.schema.LdObject;
import com.apicatalog.ld.schema.LdProperty;
import com.apicatalog.ld.schema.LdTerm;
import com.apicatalog.ld.signature.LinkedDataSignature;
import com.apicatalog.ld.signature.SignatureSuite;
import com.apicatalog.ld.signature.SignatureSuiteMapper;
import com.apicatalog.ld.signature.SignatureSuiteProvider;
import com.apicatalog.ld.signature.VerificationError;
import com.apicatalog.ld.signature.key.VerificationKey;
import com.apicatalog.ld.signature.method.DidUrlMethodResolver;
import com.apicatalog.ld.signature.method.HttpMethodResolver;
import com.apicatalog.ld.signature.method.MethodResolver;
import com.apicatalog.ld.signature.method.VerificationMethod;
import com.apicatalog.ld.signature.proof.EmbeddedProof;
import com.apicatalog.vc.VcTag;
import com.apicatalog.vc.VcVocab;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.json.Json;
import jakarta.json.JsonArray;
import jakarta.json.JsonObject;
import jakarta.json.JsonValue;
import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.eclipse.edc.identitytrust.verification.CredentialVerifier;
import org.eclipse.edc.identitytrust.verification.SignatureSuiteRegistry;
import org.eclipse.edc.identitytrust.verification.VerifierContext;
import org.eclipse.edc.jsonld.spi.JsonLd;
import org.eclipse.edc.spi.result.Result;

/* loaded from: input_file:org/eclipse/edc/verifiablecredentials/linkeddata/LdpVerifier.class */
public class LdpVerifier implements CredentialVerifier {
    private JsonLd jsonLd;
    private ObjectMapper jsonLdMapper;
    private SignatureSuiteProvider suiteProvider;
    private Map<String, Object> params;
    private Collection<MethodResolver> methodResolvers = new ArrayList(List.of(new DidUrlMethodResolver(), new HttpMethodResolver()));
    private DocumentLoader loader;
    private URI base;

    /* loaded from: input_file:org/eclipse/edc/verifiablecredentials/linkeddata/LdpVerifier$Builder.class */
    public static class Builder {
        private final LdpVerifier verifier = new LdpVerifier();

        private Builder() {
        }

        public static Builder newInstance() {
            return new Builder();
        }

        public Builder signatureSuite(SignatureSuite signatureSuite) {
            this.verifier.suiteProvider = new SignatureSuiteMapper().add(signatureSuite);
            return this;
        }

        public Builder signatureSuites(SignatureSuiteProvider signatureSuiteProvider) {
            this.verifier.suiteProvider = signatureSuiteProvider;
            return this;
        }

        public Builder signatureSuites(SignatureSuiteRegistry signatureSuiteRegistry) {
            SignatureSuiteMapper signatureSuiteMapper = new SignatureSuiteMapper();
            Collection allSuites = signatureSuiteRegistry.getAllSuites();
            Objects.requireNonNull(signatureSuiteMapper);
            allSuites.forEach(signatureSuiteMapper::add);
            this.verifier.suiteProvider = signatureSuiteMapper;
            return this;
        }

        public Builder params(Map<String, Object> map) {
            this.verifier.params = map;
            return this;
        }

        public Builder param(String str, Object obj) {
            this.verifier.params.put(str, obj);
            return this;
        }

        public Builder methodResolvers(Collection<MethodResolver> collection) {
            this.verifier.methodResolvers = collection;
            return this;
        }

        public Builder methodResolver(MethodResolver methodResolver) {
            this.verifier.methodResolvers.add(methodResolver);
            return this;
        }

        public Builder objectMapper(ObjectMapper objectMapper) {
            this.verifier.jsonLdMapper = objectMapper;
            return this;
        }

        public Builder jsonLd(JsonLd jsonLd) {
            this.verifier.jsonLd = jsonLd;
            return this;
        }

        public Builder base(URI uri) {
            this.verifier.base = uri;
            return this;
        }

        public Builder loader(DocumentLoader documentLoader) {
            this.verifier.loader = documentLoader;
            return this;
        }

        public LdpVerifier build() {
            Objects.requireNonNull(this.verifier.jsonLd, "Must have a JsonLD service!");
            Objects.requireNonNull(this.verifier.jsonLdMapper, "Must have an ObjectMapper!");
            Objects.requireNonNull(this.verifier.suiteProvider, "Must have a SignatureSuite!");
            return this.verifier;
        }
    }

    private LdpVerifier() {
    }

    public boolean canHandle(String str) {
        try {
            JsonParser createParser = this.jsonLdMapper.createParser(str);
            try {
                createParser.nextToken();
                if (createParser != null) {
                    createParser.close();
                }
                return true;
            } finally {
            }
        } catch (IOException e) {
            return false;
        }
    }

    public Result<Void> verify(String str, VerifierContext verifierContext) {
        try {
            Result expand = this.jsonLd.expand((JsonObject) this.jsonLdMapper.readValue(str, JsonObject.class));
            if (this.loader == null) {
                this.loader = SchemeRouter.defaultInstance();
            }
            return expand.compose(jsonObject -> {
                try {
                    return verifyExpanded(jsonObject, verifierContext);
                } catch (DocumentError e) {
                    return Result.failure("Could not verify VP-LDP: message: %s, code: %s".formatted(e.getMessage(), e.getCode()));
                } catch (VerificationError e2) {
                    return Result.failure("Could not verify VP-LDP: %s | message: %s".formatted(e2.getCode(), e2.getMessage()));
                }
            });
        } catch (JsonProcessingException e) {
            return Result.failure("Failed to parse JSON: %s".formatted(e.toString()));
        }
    }

    public URI getBase() {
        return this.base;
    }

    private Result<Void> validateCredentialIssuer(JsonObject jsonObject, VerificationMethod verificationMethod) {
        try {
            Optional id = JsonLdReader.getId(jsonObject, VcVocab.ISSUER.uri());
            return id.isEmpty() ? Result.failure("Document must contain an 'issuer' property.") : !((URI) id.get()).equals(verificationMethod.id()) ? Result.failure("Issuer and proof.verificationMethod mismatch: %s <> %s".formatted(id.get(), verificationMethod.id())) : Result.success();
        } catch (InvalidJsonLdValue e) {
            return Result.failure("Error getting issuer: %s".formatted(e.getMessage()));
        }
    }

    private JsonValue extractGraph(JsonValue jsonValue) {
        return (jsonValue.getValueType() != JsonValue.ValueType.OBJECT || jsonValue.asJsonObject().get("@graph") == null) ? jsonValue : (JsonValue) jsonValue.asJsonObject().getJsonArray("@graph").get(0);
    }

    private Result<Void> verifyExpanded(JsonObject jsonObject, VerifierContext verifierContext) throws VerificationError, DocumentError {
        if (isCredential(jsonObject)) {
            return verifyProofs(jsonObject);
        }
        if (!isPresentation(jsonObject)) {
            return Result.failure("%s: %s".formatted(DocumentError.ErrorType.Unknown, LdTerm.TYPE));
        }
        verifyProofs(jsonObject);
        ArrayList arrayList = new ArrayList();
        for (JsonValue jsonValue : JsonLdReader.getObjects(jsonObject, VcVocab.VERIFIABLE_CREDENTIALS.uri())) {
            if (JsonUtils.isNotObject(jsonValue)) {
                return Result.failure("Presentation contained an invalid 'verifiableCredential' object!");
            }
            arrayList.add(jsonValue.asJsonObject());
        }
        return (Result) arrayList.stream().map((v1) -> {
            return extractGraph(v1);
        }).map(jsonValue2 -> {
            return verifierContext.verify(jsonValue2.toString());
        }).reduce((v0, v1) -> {
            return v0.merge(v1);
        }).orElse(Result.success());
    }

    private Result<Void> verifyProofs(JsonObject jsonObject) throws VerificationError, DocumentError {
        Collection<JsonValue> assertProof = EmbeddedProof.assertProof(jsonObject);
        JsonObject removeProof = EmbeddedProof.removeProof(jsonObject);
        for (JsonValue jsonValue : assertProof) {
            if (JsonUtils.isNotObject(jsonValue)) {
                return Result.failure("%s: %s".formatted(DocumentError.ErrorType.Invalid, VcVocab.PROOF));
            }
            JsonObject asJsonObject = jsonValue.asJsonObject();
            Collection type = JsonLdReader.getType(asJsonObject);
            if (type == null || type.isEmpty()) {
                return Result.failure("%s: %s, %s".formatted(DocumentError.ErrorType.Missing, VcVocab.PROOF, LdTerm.TYPE));
            }
            Stream stream = type.stream();
            SignatureSuiteProvider signatureSuiteProvider = this.suiteProvider;
            Objects.requireNonNull(signatureSuiteProvider);
            Optional findFirst = stream.filter(signatureSuiteProvider::isSupported).findFirst();
            SignatureSuiteProvider signatureSuiteProvider2 = this.suiteProvider;
            Objects.requireNonNull(signatureSuiteProvider2);
            SignatureSuite signatureSuite = (SignatureSuite) findFirst.map(signatureSuiteProvider2::find).orElseThrow(() -> {
                return new VerificationError(VerificationError.Code.UnsupportedCryptoSuite);
            });
            if (signatureSuite.getSchema() == null) {
                return Result.failure("The suite [" + signatureSuite.getId() + "] does not provide proof schema.");
            }
            LdProperty tagged = signatureSuite.getSchema().tagged(VcTag.ProofValue.name());
            if (tagged == null) {
                return Result.failure("The proof schema does not define the proof value.");
            }
            LdObject read = signatureSuite.getSchema().read(asJsonObject);
            signatureSuite.getSchema().validate(read, this.params);
            if (!read.contains(tagged.term())) {
                return Result.failure("%s: %s".formatted(DocumentError.ErrorType.Missing, tagged.term()));
            }
            byte[] bArr = (byte[]) read.value(tagged.term());
            if (bArr == null || bArr.length == 0) {
                return Result.failure("%s: %s".formatted(DocumentError.ErrorType.Missing, tagged.term()));
            }
            LdProperty<VerificationMethod> tagged2 = signatureSuite.getSchema().tagged(VcTag.VerificationMethod.name());
            if (tagged2 == null) {
                return Result.failure("The proof schema does not define a verification method.");
            }
            VerificationKey verificationKey = (VerificationMethod) getMethod(tagged2, asJsonObject, signatureSuite).orElseThrow(() -> {
                return new DocumentError(DocumentError.ErrorType.Missing, new LdTerm[]{tagged2.term()});
            });
            if (!(verificationKey instanceof VerificationKey)) {
                return Result.failure("%s: %s".formatted(DocumentError.ErrorType.Unknown, tagged2.term()));
            }
            if (isCredential(jsonObject)) {
                Result<Void> validateCredentialIssuer = validateCredentialIssuer(jsonObject, verificationKey);
                if (validateCredentialIssuer.failed()) {
                    return validateCredentialIssuer;
                }
            }
            new LinkedDataSignature(signatureSuite.getCryptoSuite()).verify(removeProof, Json.createObjectBuilder(asJsonObject).remove(tagged.term().uri()).build(), verificationKey, bArr);
        }
        return Result.success();
    }

    private Optional<VerificationMethod> getMethod(LdProperty<VerificationMethod> ldProperty, JsonObject jsonObject, SignatureSuite signatureSuite) throws DocumentError {
        JsonArray jsonArray = jsonObject.getJsonArray(ldProperty.term().uri());
        if (JsonUtils.isNull(jsonArray) || jsonArray.isEmpty()) {
            return Optional.empty();
        }
        Iterator it = jsonArray.iterator();
        if (!it.hasNext()) {
            return Optional.empty();
        }
        JsonValue jsonValue = (JsonValue) it.next();
        if (JsonUtils.isNotObject(jsonValue)) {
            throw new IllegalStateException();
        }
        JsonObject asJsonObject = jsonValue.asJsonObject();
        Collection type = JsonLdReader.getType(asJsonObject);
        if (type == null || type.isEmpty()) {
            return resolve(asJsonObject, signatureSuite, ldProperty);
        }
        VerificationKey verificationKey = (VerificationMethod) ldProperty.read(asJsonObject);
        return (!(verificationKey instanceof VerificationKey) || verificationKey.publicKey() == null) ? resolve(verificationKey.id(), signatureSuite, ldProperty) : Optional.of(verificationKey);
    }

    private Optional<VerificationMethod> resolve(JsonObject jsonObject, SignatureSuite signatureSuite, LdProperty<VerificationMethod> ldProperty) throws DocumentError {
        try {
            return resolve((URI) JsonLdReader.getId(jsonObject).orElseThrow(() -> {
                return new DocumentError(DocumentError.ErrorType.Missing, new LdTerm[]{ldProperty.term()});
            }), signatureSuite, ldProperty);
        } catch (InvalidJsonLdValue e) {
            throw new DocumentError(e, DocumentError.ErrorType.Invalid, new LdTerm[]{ldProperty.term()});
        }
    }

    private Optional<VerificationMethod> resolve(URI uri, SignatureSuite signatureSuite, LdProperty<VerificationMethod> ldProperty) throws DocumentError {
        if (uri == null) {
            throw new DocumentError(DocumentError.ErrorType.Invalid, new LdTerm[]{ldProperty.term()});
        }
        Optional<MethodResolver> findFirst = this.methodResolvers.stream().filter(methodResolver -> {
            return methodResolver.isAccepted(uri);
        }).findFirst();
        if (findFirst.isPresent()) {
            return Optional.ofNullable(findFirst.get().resolve(uri, this.loader, signatureSuite));
        }
        throw new DocumentError(DocumentError.ErrorType.Unknown, new LdTerm[]{ldProperty.term()});
    }

    private boolean isCredential(JsonObject jsonObject) {
        return JsonLdReader.isTypeOf(VcVocab.CREDENTIAL_TYPE.uri(), jsonObject);
    }

    private boolean isPresentation(JsonObject jsonObject) {
        return JsonLdReader.isTypeOf(VcVocab.PRESENTATION_TYPE.uri(), jsonObject);
    }
}
