package com.pingidentity.did.sdk.claim;

import com.pingidentity.did.sdk.base64.Base64Util;
import com.pingidentity.did.sdk.exception.ClaimExpirationSignatureMismatchException;
import com.pingidentity.did.sdk.exception.ClaimRegistrationExpiredException;
import com.pingidentity.did.sdk.exception.ClaimRegistrationSignatureMismatchException;
import com.pingidentity.did.sdk.exception.ClaimSignatureMismatchException;
import com.pingidentity.did.sdk.exception.ClaimVerificationException;
import com.pingidentity.did.sdk.exception.DidException;
import com.pingidentity.did.sdk.jose.JwsConsumer;
import com.pingidentity.did.sdk.types.Claim;
import com.pingidentity.did.sdk.types.ClaimReference;
import com.pingidentity.did.sdk.types.ClaimRegistration;
import com.pingidentity.did.sdk.types.ExpirationSignature;
import com.pingidentity.did.sdk.types.SaltedData;
import com.squareup.moshi.Moshi;
import com.squareup.moshi.Types;
import java.io.IOException;
import java.time.Clock;
import java.time.Instant;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.BiConsumer;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.lang.JoseException;

/* loaded from: classes4.dex */
public class ClaimVerifier {
    private final JwsConsumer jwsConsumer = new JwsConsumer();
    private final Hasher hasher = Hashers.sha256();
    private final Moshi moshi = new Moshi.Builder().build();
    private final Clock clock = Clock.systemUTC();

    /* JADX INFO: Access modifiers changed from: private */
    @FunctionalInterface
    /* loaded from: classes4.dex */
    public interface ThrowingRunnable {
        void run() throws Exception;
    }

    private void checkMetadataMatch(String str, String str2, Map<String, String> map) {
        String str3 = map.get(str);
        if (!str2.equals(str3)) {
            throw new ClaimVerificationException(String.format("Claim %s does not match. Expected: '%s', Actual: '%s'", str, str3, str2));
        }
    }

    private Map<String, String> getCertifiedData(String str) throws IOException {
        return (Map) this.moshi.adapter(Types.newParameterizedType(Map.class, String.class, String.class)).fromJson(str);
    }

    private Optional<String> getEncodedSignature(byte[] bArr, Map<String, String> map) {
        String encodeToString = Base64Util.encodeToString(bArr);
        return map.containsKey(encodeToString) ? Optional.of(map.get(encodeToString)) : Optional.empty();
    }

    private int getVersion(Map<String, String> map) {
        String str = map.get("version");
        if (str == null) {
            return 0;
        }
        try {
            return Integer.parseInt(str);
        } catch (NumberFormatException unused) {
            throw new ClaimVerificationException(String.format("Unexpected value for 'version' field: '%s'", str));
        }
    }

    private boolean isAssociated(Claim claim, ClaimRegistration claimRegistration) {
        return claim.getId().equals(claimRegistration.getTransactionId()) && claim.getDataHash().equals(claimRegistration.getHash());
    }

    private boolean isExpired(ClaimRegistration claimRegistration, JsonWebKeySet jsonWebKeySet) throws JoseException {
        if (claimRegistration.getIdExpiries() == null) {
            return false;
        }
        for (ExpirationSignature expirationSignature : claimRegistration.getIdExpiries()) {
            verifyExpirationSignature(expirationSignature, jsonWebKeySet);
            if (Instant.ofEpochSecond(Long.parseLong(expirationSignature.getExpiryTimestamp())).isBefore(this.clock.instant())) {
                return true;
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public /* synthetic */ void lambda$verify$0(Claim claim, JsonWebKeySet jsonWebKeySet) throws Exception {
        Map<String, String> verifyClaimData = verifyClaimData(claim.getClaimData(), lambda$verify$1(claim, jsonWebKeySet), jsonWebKeySet);
        if (getVersion(verifyClaimData) >= 1) {
            checkMetadataMatch("issuer", claim.getIssuer().getData(), verifyClaimData);
            checkMetadataMatch("holder", claim.getHolder().getData(), verifyClaimData);
            checkMetadataMatch("subject", claim.getSubject().getData(), verifyClaimData);
            checkMetadataMatch("version", Integer.toString(claim.getVersion()), verifyClaimData);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static /* synthetic */ ClaimVerificationException lambda$verifyClaimData$2(SaltedData saltedData) {
        return new ClaimVerificationException(saltedData.getData() + " not found in Claim.dataJson");
    }

    /* JADX INFO: Access modifiers changed from: private */
    public /* synthetic */ void lambda$verifyClaimData$3(Map map, String str, JsonWebKeySet jsonWebKeySet, final SaltedData saltedData, SaltedData saltedData2) {
        this.jwsConsumer.verify(str, saltedData2.toBytes(), getEncodedSignature(this.hasher.hash(saltedData.toBytes()), map).orElseThrow(new Supplier() { // from class: com.pingidentity.did.sdk.claim.f
            @Override // java.util.function.Supplier
            public final Object get() {
                ClaimVerificationException lambda$verifyClaimData$2;
                lambda$verifyClaimData$2 = ClaimVerifier.lambda$verifyClaimData$2(SaltedData.this);
                return lambda$verifyClaimData$2;
            }
        }), jsonWebKeySet);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static /* synthetic */ String lambda$verifyDataPresentInClaim$4(Map.Entry entry) {
        return ((SaltedData) entry.getKey()).getData();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static /* synthetic */ String lambda$verifyDataPresentInClaim$5(Map.Entry entry) {
        return ((SaltedData) entry.getValue()).getData();
    }

    private void translateException(ThrowingRunnable throwingRunnable) {
        try {
            throwingRunnable.run();
        } catch (DidException e8) {
            throw e8;
        } catch (Exception e9) {
            throw new ClaimVerificationException(e9);
        }
    }

    private Map<String, String> verifyClaimData(Map<SaltedData, SaltedData> map, JsonWebSignature jsonWebSignature, final JsonWebKeySet jsonWebKeySet) throws JoseException, IOException {
        final String encodedHeader = jsonWebSignature.getHeaders().getEncodedHeader();
        final Map<String, String> certifiedData = getCertifiedData(jsonWebSignature.getPayload());
        map.forEach(new BiConsumer() { // from class: com.pingidentity.did.sdk.claim.h
            @Override // java.util.function.BiConsumer
            public final void accept(Object obj, Object obj2) {
                ClaimVerifier.this.lambda$verifyClaimData$3(certifiedData, encodedHeader, jsonWebKeySet, (SaltedData) obj, (SaltedData) obj2);
            }
        });
        return certifiedData;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* renamed from: verifyClaimReference, reason: merged with bridge method [inline-methods] */
    public JsonWebSignature lambda$verify$1(ClaimReference claimReference, JsonWebKeySet jsonWebKeySet) {
        String dataJson = claimReference.getDataJson();
        Objects.requireNonNull(dataJson, "Claim data JSON is null");
        JsonWebSignature readJwsString = this.jwsConsumer.readJwsString(dataJson, jsonWebKeySet);
        if (readJwsString.getEncodedSignature().equals(claimReference.getDataSignature())) {
            return readJwsString;
        }
        throw new ClaimSignatureMismatchException();
    }

    private void verifyDataPresentInClaim(Map<String, String> map, Claim claim) {
        Map map2 = (Map) claim.getClaimData().entrySet().stream().collect(Collectors.toMap(new Function() { // from class: com.pingidentity.did.sdk.claim.i
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                String lambda$verifyDataPresentInClaim$4;
                lambda$verifyDataPresentInClaim$4 = ClaimVerifier.lambda$verifyDataPresentInClaim$4((Map.Entry) obj);
                return lambda$verifyDataPresentInClaim$4;
            }
        }, new Function() { // from class: com.pingidentity.did.sdk.claim.j
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                String lambda$verifyDataPresentInClaim$5;
                lambda$verifyDataPresentInClaim$5 = ClaimVerifier.lambda$verifyDataPresentInClaim$5((Map.Entry) obj);
                return lambda$verifyDataPresentInClaim$5;
            }
        }));
        for (Map.Entry<String, String> entry : map.entrySet()) {
            if (!map2.containsKey(entry.getKey())) {
                throw new ClaimVerificationException(entry.getKey() + " not found in claim");
            }
            if (!entry.getValue().equals(map2.get(entry.getKey()))) {
                throw new ClaimVerificationException(entry.getKey() + " does not match value in claim");
            }
        }
    }

    private void verifyExpirationSignature(ExpirationSignature expirationSignature, JsonWebKeySet jsonWebKeySet) throws JoseException {
        if (!this.jwsConsumer.readJwsString(expirationSignature.getExpirySignature(), jsonWebKeySet).getPayload().equals(expirationSignature.getHash() + expirationSignature.getExpiryTimestamp())) {
            throw new ClaimExpirationSignatureMismatchException();
        }
    }

    public void verify(Claim claim, ClaimRegistration claimRegistration, JsonWebKeySet jsonWebKeySet) {
        if (!isAssociated(claim, claimRegistration)) {
            throw new ClaimVerificationException("Claim and registered claim do not match");
        }
        verify(claim, jsonWebKeySet);
        verify(claimRegistration, jsonWebKeySet);
        claim.setIdExpiries(claimRegistration.getIdExpiries());
    }

    public void verify(final Claim claim, final JsonWebKeySet jsonWebKeySet) {
        translateException(new ThrowingRunnable() { // from class: com.pingidentity.did.sdk.claim.e
            @Override // com.pingidentity.did.sdk.claim.ClaimVerifier.ThrowingRunnable
            public final void run() {
                ClaimVerifier.this.lambda$verify$0(claim, jsonWebKeySet);
            }
        });
    }

    public void verify(final ClaimReference claimReference, final JsonWebKeySet jsonWebKeySet) {
        translateException(new ThrowingRunnable() { // from class: com.pingidentity.did.sdk.claim.g
            @Override // com.pingidentity.did.sdk.claim.ClaimVerifier.ThrowingRunnable
            public final void run() {
                ClaimVerifier.this.lambda$verify$1(claimReference, jsonWebKeySet);
            }
        });
    }

    public void verify(ClaimRegistration claimRegistration, JsonWebKeySet jsonWebKeySet) {
        try {
            if (isExpired(claimRegistration, jsonWebKeySet)) {
                throw new ClaimRegistrationExpiredException();
            }
            if (!this.jwsConsumer.readJwsString(claimRegistration.getHashSignature(), jsonWebKeySet).getPayload().equals(claimRegistration.getHash() + claimRegistration.getHashTimestamp())) {
                throw new ClaimRegistrationSignatureMismatchException();
            }
        } catch (JoseException e8) {
            throw new ClaimVerificationException(e8);
        }
    }

    public void verify(Map<String, String> map, Claim claim, ClaimRegistration claimRegistration, JsonWebKeySet jsonWebKeySet) {
        verify(claim, claimRegistration, jsonWebKeySet);
        verifyDataPresentInClaim(map, claim);
    }
}
