package be.atbash.ee.security.octopus.nimbus.jose.crypto;

import be.atbash.ee.security.octopus.jwt.JWTValidationConstant;
import be.atbash.ee.security.octopus.keys.AtbashKey;
import be.atbash.ee.security.octopus.keys.selector.AsymmetricPart;
import be.atbash.ee.security.octopus.nimbus.jose.JOSEException;
import be.atbash.ee.security.octopus.nimbus.jose.KeyTypeException;
import be.atbash.ee.security.octopus.nimbus.jose.crypto.impl.CriticalHeaderParamsDeferral;
import be.atbash.ee.security.octopus.nimbus.jose.crypto.impl.EdDSAProvider;
import be.atbash.ee.security.octopus.nimbus.jwk.Curve;
import be.atbash.ee.security.octopus.nimbus.jwk.KeyType;
import be.atbash.ee.security.octopus.nimbus.jwt.jws.JWSAlgorithm;
import be.atbash.ee.security.octopus.nimbus.jwt.jws.JWSHeader;
import be.atbash.ee.security.octopus.nimbus.jwt.jws.JWSVerifier;
import be.atbash.ee.security.octopus.nimbus.util.Base64URLValue;
import be.atbash.util.exception.AtbashUnexpectedException;
import java.io.IOException;
import java.security.interfaces.ECPrivateKey;
import java.util.Set;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters;
import org.bouncycastle.jcajce.provider.asymmetric.edec.BCEdDSAPublicKey;
import org.slf4j.MDC;

/* loaded from: input_file:be/atbash/ee/security/octopus/nimbus/jose/crypto/Ed25519Verifier.class */
public class Ed25519Verifier extends EdDSAProvider implements JWSVerifier {
    private final CriticalHeaderParamsDeferral critPolicy;
    private final BCEdDSAPublicKey publicKey;
    private final org.bouncycastle.crypto.signers.Ed25519Signer verifier;

    public Ed25519Verifier(BCEdDSAPublicKey bCEdDSAPublicKey) {
        this(bCEdDSAPublicKey, null);
    }

    public Ed25519Verifier(AtbashKey atbashKey) {
        this(getPublicKey(atbashKey));
    }

    private static BCEdDSAPublicKey getPublicKey(AtbashKey atbashKey) {
        if (atbashKey.getSecretKeyType().getKeyType() != KeyType.OKP) {
            throw new KeyTypeException(ECPrivateKey.class);
        }
        if (atbashKey.getSecretKeyType().getAsymmetricPart() != AsymmetricPart.PUBLIC) {
            throw new KeyTypeException(ECPrivateKey.class);
        }
        return atbashKey.getKey();
    }

    public Ed25519Verifier(BCEdDSAPublicKey bCEdDSAPublicKey, Set<String> set) {
        this.critPolicy = new CriticalHeaderParamsDeferral();
        if (!Curve.Ed25519.getName().equals(bCEdDSAPublicKey.getAlgorithm())) {
            throw new JOSEException("Ed25519Verifier only supports OctetKeyPairs with crv=Ed25519");
        }
        this.publicKey = bCEdDSAPublicKey;
        this.verifier = new org.bouncycastle.crypto.signers.Ed25519Signer();
        this.verifier.init(false, new Ed25519PublicKeyParameters(getDecodedX(), 0));
        this.critPolicy.setDeferredCriticalHeaderParams(set);
    }

    private byte[] getDecodedX() {
        try {
            ASN1InputStream aSN1InputStream = new ASN1InputStream(this.publicKey.getEncoded());
            try {
                try {
                    DLSequence readObject = aSN1InputStream.readObject();
                    aSN1InputStream.close();
                    return readObject.getObjectAt(1).getOctets();
                } catch (IOException e) {
                    throw new AtbashUnexpectedException(e);
                }
            } finally {
            }
        } catch (IOException e2) {
            throw new AtbashUnexpectedException(e2);
        }
    }

    @Override // be.atbash.ee.security.octopus.nimbus.jwt.jws.JWSVerifier
    public boolean verify(JWSHeader jWSHeader, byte[] bArr, Base64URLValue base64URLValue) {
        if (!JWSAlgorithm.EdDSA.equals(jWSHeader.getAlgorithm())) {
            throw new JOSEException("Ed25519Verifier requires alg=EdDSA in JWSHeader");
        }
        if (!this.critPolicy.headerPasses(jWSHeader)) {
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, "Verification failed due to 'crit' header parameter deferral policy");
            return false;
        }
        byte[] decode = base64URLValue.decode();
        this.verifier.update(bArr, 0, bArr.length);
        boolean verifySignature = this.verifier.verifySignature(decode);
        this.verifier.reset();
        return verifySignature;
    }
}
