package net.visma.autopay.http.signature;

import java.time.Instant;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import net.visma.autopay.http.signature.SignatureException;
import net.visma.autopay.http.structured.StructuredDictionary;
import net.visma.autopay.http.structured.StructuredInnerList;
import net.visma.autopay.http.structured.StructuredString;

/* loaded from: input_file:net/visma/autopay/http/signature/SignatureVerifier.class */
final class SignatureVerifier {
    private final VerificationSpec verificationSpec;
    private StructuredInnerList signatureInput;
    private SignatureParameters signatureParameters;
    private SignatureContext signatureContext;

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void verify(VerificationSpec verificationSpec) throws SignatureException {
        new SignatureVerifier(verificationSpec).verify();
    }

    private SignatureVerifier(VerificationSpec verificationSpec) {
        this.verificationSpec = verificationSpec;
    }

    private void verify() throws SignatureException {
        this.signatureContext = this.verificationSpec.getSignatureContext();
        this.signatureInput = getSignatureInput();
        this.signatureParameters = getSignatureParameters();
        verifyUniqueness();
        verifyRequired();
        verifyForbidden();
        verifyExpiration();
        byte[] signature = getSignature();
        String signatureBase = SignatureSigner.getSignatureBase(getComponents(), this.signatureContext, this.signatureInput);
        PublicKeyInfo publicKeyInfo = getPublicKeyInfo();
        SignatureAlgorithm algorithm = getAlgorithm(publicKeyInfo);
        if (!DataVerifier.verify(signatureBase, signature, publicKeyInfo.getPublicKey(algorithm.getKeyAlgorithm()), algorithm)) {
            throw new SignatureException(SignatureException.ErrorCode.INCORRECT_SIGNATURE, "Provided signature different from computed one.\nUsed algorithm: " + algorithm.getIdentifier() + "\nSignature base:\n" + signatureBase);
        }
    }

    private SignatureAlgorithm getAlgorithm(PublicKeyInfo publicKeyInfo) throws SignatureException {
        SignatureAlgorithm algorithm = this.signatureParameters.getAlgorithm();
        SignatureAlgorithm algorithm2 = publicKeyInfo.getAlgorithm();
        SignatureAlgorithm signatureAlgorithm = algorithm2 != null ? algorithm2 : algorithm;
        if (signatureAlgorithm == null) {
            throw new SignatureException(SignatureException.ErrorCode.MISSING_ALGORITHM, "Signature algorithm not provided");
        }
        return signatureAlgorithm;
    }

    private PublicKeyInfo getPublicKeyInfo() throws SignatureException {
        try {
            return this.verificationSpec.getPublicKeyGetter().apply(this.signatureParameters.getKeyId());
        } catch (SignatureException e) {
            throw e;
        } catch (Exception e2) {
            throw new SignatureException(SignatureException.ErrorCode.INVALID_KEY, "Exception when fetching public key", e2);
        }
    }

    private StructuredInnerList getSignatureInput() throws SignatureException {
        List<String> list = this.signatureContext.getHeaders().get(SignatureHeaders.SIGNATURE_INPUT.toLowerCase());
        if (list == null) {
            throw new SignatureException(SignatureException.ErrorCode.MISSING_HEADER, "Missing Signature-Input header");
        }
        try {
            Optional item = StructuredDictionary.parse(list).getItem(this.verificationSpec.getSignatureLabel(), StructuredInnerList.class);
            if (item.isEmpty()) {
                throw new SignatureException(SignatureException.ErrorCode.MISSING_DICTIONARY_KEY, "Missing " + this.verificationSpec.getSignatureLabel() + " in Signature-Input");
            }
            return (StructuredInnerList) item.get();
        } catch (Exception e) {
            throw new SignatureException(SignatureException.ErrorCode.INVALID_STRUCTURED_HEADER, "Unable to parse Signature-Input header", e);
        }
    }

    private byte[] getSignature() throws SignatureException {
        List<String> list = this.signatureContext.getHeaders().get(SignatureHeaders.SIGNATURE.toLowerCase());
        if (list == null) {
            throw new SignatureException(SignatureException.ErrorCode.MISSING_HEADER, "Missing Signature header");
        }
        try {
            Optional<byte[]> bytes = StructuredDictionary.parse(list).getBytes(this.verificationSpec.getSignatureLabel());
            if (bytes.isEmpty()) {
                throw new SignatureException(SignatureException.ErrorCode.MISSING_DICTIONARY_KEY, "Missing " + this.verificationSpec.getSignatureLabel() + " in Signature");
            }
            return bytes.get();
        } catch (Exception e) {
            throw new SignatureException(SignatureException.ErrorCode.INVALID_STRUCTURED_HEADER, "Unable to parse Signature header", e);
        }
    }

    private SignatureParameters getSignatureParameters() {
        return SignatureParameters.builder().created((Instant) this.signatureInput.longParam(SignatureParameterType.CREATED.getIdentifier()).map((v0) -> {
            return Instant.ofEpochSecond(v0);
        }).orElse(null)).expires((Instant) this.signatureInput.longParam(SignatureParameterType.EXPIRES.getIdentifier()).map((v0) -> {
            return Instant.ofEpochSecond(v0);
        }).orElse(null)).nonce(this.signatureInput.stringParam(SignatureParameterType.NONCE.getIdentifier()).orElse(null)).algorithm((SignatureAlgorithm) this.signatureInput.stringParam(SignatureParameterType.ALGORITHM.getIdentifier()).map(SignatureAlgorithm::fromIdentifier).orElse(null)).keyId(this.signatureInput.stringParam(SignatureParameterType.KEY_ID.getIdentifier()).orElse(null)).build();
    }

    private void verifyRequired() throws SignatureException {
        Set<String> keySet = this.signatureInput.parameters().keySet();
        for (SignatureParameterType signatureParameterType : this.verificationSpec.getRequiredParameters()) {
            if (!keySet.contains(signatureParameterType.getIdentifier())) {
                throw new SignatureException(SignatureException.ErrorCode.MISSING_REQUIRED, "Missing required parameter " + signatureParameterType.getIdentifier());
            }
        }
        HashSet hashSet = new HashSet(this.signatureInput.itemList(StructuredString.class));
        for (Component component : this.verificationSpec.getRequiredComponents().getComponents()) {
            if (!hashSet.contains(component.getName())) {
                throw new SignatureException(SignatureException.ErrorCode.MISSING_REQUIRED, "Missing required component " + component);
            }
        }
        for (Component component2 : this.verificationSpec.getRequiredIfPresentComponents().getComponents()) {
            if (!hashSet.contains(component2.getName()) && component2.isValuePresent(this.signatureContext)) {
                throw new SignatureException(SignatureException.ErrorCode.MISSING_REQUIRED, "Missing required optionally present component " + component2);
            }
        }
    }

    private void verifyForbidden() throws SignatureException {
        Set<String> keySet = this.signatureInput.parameters().keySet();
        for (SignatureParameterType signatureParameterType : this.verificationSpec.getForbiddenParameters()) {
            if (keySet.contains(signatureParameterType.getIdentifier())) {
                throw new SignatureException(SignatureException.ErrorCode.FORBIDDEN_PRESENT, "Forbidden parameter " + signatureParameterType.getIdentifier() + " present");
            }
        }
    }

    private void verifyExpiration() throws SignatureException {
        Instant created = this.signatureParameters.getCreated();
        Instant expires = this.signatureParameters.getExpires();
        Integer maximumAgeSeconds = this.verificationSpec.getMaximumAgeSeconds();
        Integer maximumSkewSeconds = this.verificationSpec.getMaximumSkewSeconds();
        Instant now = Instant.now();
        if (created != null) {
            if (expires != null && expires.isBefore(now)) {
                throw new SignatureException(SignatureException.ErrorCode.SIGNATURE_EXPIRED, "Expiration " + expires + " exceeded");
            }
            if (maximumAgeSeconds != null && created.plusSeconds(maximumAgeSeconds.intValue()).isBefore(now)) {
                throw new SignatureException(SignatureException.ErrorCode.SIGNATURE_EXPIRED, "Maximum age " + maximumAgeSeconds + " seconds exceeded");
            }
            if (maximumSkewSeconds != null && created.isAfter(now.plusSeconds(maximumSkewSeconds.intValue()))) {
                throw new SignatureException(SignatureException.ErrorCode.SIGNATURE_EXPIRED, "Created in the future. Maximum skew " + maximumSkewSeconds + " seconds exceeded");
            }
        }
    }

    private void verifyUniqueness() throws SignatureException {
        if (this.signatureInput.itemList().size() > new HashSet(this.signatureInput.itemList()).size()) {
            throw new SignatureException(SignatureException.ErrorCode.INVALID_STRUCTURED_HEADER, "Duplicate items in Signature-Input: " + this.signatureInput);
        }
    }

    private List<Component> getComponents() throws SignatureException {
        try {
            return (List) this.signatureInput.itemList(StructuredString.class).stream().map(ComponentFactory::create).collect(Collectors.toList());
        } catch (Exception e) {
            throw new SignatureException(SignatureException.ErrorCode.INVALID_STRUCTURED_HEADER, "Unable to parse Signature-Input header", e);
        }
    }
}
