package com.azure.security.attestation.implementation.models;

import com.azure.core.util.BinaryData;
import com.azure.core.util.logging.ClientLogger;
import com.azure.core.util.serializer.JacksonAdapter;
import com.azure.core.util.serializer.SerializerAdapter;
import com.azure.core.util.serializer.SerializerEncoding;
import com.azure.security.attestation.models.AttestationSigner;
import com.azure.security.attestation.models.AttestationSigningKey;
import com.azure.security.attestation.models.AttestationToken;
import com.azure.security.attestation.models.AttestationTokenValidationOptions;
import com.nimbusds.jose.Header;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSSignerOption;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.PlainObject;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.opts.AllowWeakRSAKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jwt.JWTClaimsSet;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateEncodingException;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;

/* loaded from: input_file:com/azure/security/attestation/implementation/models/AttestationTokenImpl.class */
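/**
 * {@link AttestationToken} backed by a compact-serialized JOSE object.
 *
 * <p>The raw token string is parsed once in the constructor; header fields and claims are read from
 * the parsed object on demand. Parsing alone establishes no trust: a token is only as trustworthy
 * as the checks performed by {@link #validate(List, AttestationTokenValidationOptions)}.
 *
 * <p>This listing is decompiler output. The body of {@code validateTokenSignature} was not
 * recovered and throws {@link UnsupportedOperationException}, so signature validation cannot
 * succeed as listed here.
 */
public class AttestationTokenImpl implements AttestationToken {
    private static final SerializerAdapter SERIALIZER_ADAPTER = JacksonAdapter.createDefaultSerializerAdapter();

    /** Unsecured JOSE object: header {@code {"alg":"none"}}, empty payload, empty signature. */
    static final String EMPTY_TOKEN = "eyJhbGciOiJub25lIn0..";

    private final String rawToken;
    private final Header header;
    // Null for unsecured ("alg":"none") tokens; every header accessor must tolerate that.
    private final JWSHeader jwsHeader;
    private final Payload payload;

    // Lazily populated caches for claims parsed out of the payload.
    final AtomicReference<String> issuer = new AtomicReference<>();
    final AtomicReference<OffsetDateTime> issuedAt = new AtomicReference<>();
    final AtomicReference<OffsetDateTime> expiresOn = new AtomicReference<>();
    final AtomicReference<OffsetDateTime> notBeforeTime = new AtomicReference<>();
    private final ClientLogger logger = new ClientLogger(AttestationTokenImpl.class);

    /**
     * Parses a compact-serialized token.
     *
     * @param str the serialized token
     * @throws RuntimeException if the string is not a parseable JOSE object
     */
    public AttestationTokenImpl(String str) {
        this.rawToken = str;
        try {
            JOSEObject parsed = JOSEObject.parse(str);
            this.header = parsed.getHeader();
            // The decompiler dropped the narrowing cast that this assignment needs to compile.
            // A secured object whose header is not a JWS header fails here with ClassCastException.
            this.jwsHeader = "none".equals(this.header.getAlgorithm().getName()) ? null : (JWSHeader) this.header;
            this.payload = parsed.getPayload();
        } catch (ParseException e) {
            throw this.logger.logExceptionAsError(new RuntimeException(e.toString(), e));
        }
    }

    /**
     * Deserializes the token body as JSON into the requested type.
     *
     * <p>The body is attacker-controlled until the token has been validated; callers should not
     * act on it before {@link #validate(List, AttestationTokenValidationOptions)} has succeeded.
     *
     * @param cls target type
     * @param <T> target type
     * @return the deserialized body, or {@code null} when the payload is empty
     * @throws RuntimeException if the payload cannot be deserialized
     */
    @Override
    public <T> T getBody(Class<T> cls) {
        String body = this.payload.toString();
        if (body.isEmpty()) {
            return null;
        }
        try {
            return SERIALIZER_ADAPTER.deserialize(body, cls, SerializerEncoding.JSON);
        } catch (IOException e) {
            throw this.logger.logExceptionAsError(new RuntimeException(e.getMessage(), e));
        }
    }

    /** Returns the token exactly as it was supplied to the constructor. */
    @Override
    public String serialize() {
        return this.rawToken;
    }

    /** Returns the {@code alg} header value; {@code "none"} marks an unsecured token. */
    @Override
    public String getAlgorithm() {
        return this.header.getAlgorithm().getName();
    }

    /** Returns the {@code kid} header, or {@code null} for an unsecured token. */
    @Override
    public String getKeyId() {
        return this.jwsHeader == null ? null : this.jwsHeader.getKeyID();
    }

    /**
     * Returns the signer described by the {@code x5c} header, or {@code null} for an unsecured token.
     *
     * <p>The chain comes from the token itself and is therefore self-asserted.
     */
    @Override
    public AttestationSigner getCertificateChain() {
        if (this.jwsHeader == null) {
            return null;
        }
        // NOTE(review): getX509CertChain() is passed through unchecked; how fromCertificateChain
        // treats a token without an x5c header is not visible here. Confirm it handles null.
        return AttestationSignerImpl.fromCertificateChain(this.jwsHeader.getX509CertChain());
    }

    /** Returns the {@code jku} header as a string, or {@code null} when absent or unsecured. */
    @Override
    public String getJsonWebKeyUrl() {
        if (this.jwsHeader == null || this.jwsHeader.getJWKURL() == null) {
            return null;
        }
        return this.jwsHeader.getJWKURL().toString();
    }

    /**
     * Returns the signer described by the {@code jwk} header, or {@code null} when absent or unsecured.
     *
     * <p>The key comes from the token itself and is therefore self-asserted.
     */
    @Override
    public AttestationSigner getJsonWebKey() {
        if (this.jwsHeader == null) {
            return null;
        }
        JWK embeddedKey = this.jwsHeader.getJWK();
        return embeddedKey == null ? null : AttestationSignerImpl.fromJWK(embeddedKey);
    }

    /** Returns the decoded {@code x5t#S256} header, or {@code null} when absent or unsecured. */
    @Override
    public BinaryData getSha256Thumbprint() {
        if (this.jwsHeader == null || this.jwsHeader.getX509CertSHA256Thumbprint() == null) {
            return null;
        }
        return BinaryData.fromBytes(this.jwsHeader.getX509CertSHA256Thumbprint().decode());
    }

    /** Returns the decoded {@code x5t} header, or {@code null} when absent or unsecured. */
    @Override
    public BinaryData getThumbprint() {
        if (this.jwsHeader == null || this.jwsHeader.getX509CertThumbprint() == null) {
            return null;
        }
        return BinaryData.fromBytes(this.jwsHeader.getX509CertThumbprint().decode());
    }

    /** Returns the {@code x5u} header as a string, or {@code null} when absent or unsecured. */
    @Override
    public String getX509Url() {
        if (this.jwsHeader == null || this.jwsHeader.getX509CertURL() == null) {
            return null;
        }
        return this.jwsHeader.getX509CertURL().toString();
    }

    /** Returns the {@code crit} header values, or {@code null} when absent or unsecured. */
    @Override
    public String[] getCritical() {
        // Unsecured tokens have no JWS header; return null like the other header accessors
        // instead of failing with a NullPointerException.
        if (this.jwsHeader == null || this.jwsHeader.getCriticalParams() == null) {
            return null;
        }
        return this.jwsHeader.getCriticalParams().toArray(new String[0]);
    }

    /** Returns the {@code typ} header, or {@code null} when absent or unsecured. */
    @Override
    public String getType() {
        if (this.jwsHeader == null || this.jwsHeader.getType() == null) {
            return null;
        }
        return this.jwsHeader.getType().getType();
    }

    /** Returns the {@code cty} header, or {@code null} when absent or unsecured. */
    @Override
    public String getContentType() {
        return this.jwsHeader == null ? null : this.jwsHeader.getContentType();
    }

    /**
     * Returns the {@code iss} claim, parsing and caching it on first use.
     *
     * @return the issuer, or {@code null} when the payload is not a JSON object or has no issuer
     * @throws RuntimeException if the payload cannot be parsed as a JWT claims set
     */
    @Override
    public String getIssuer() {
        if (this.issuer.get() == null) {
            Map<String, Object> claims = this.payload.toJSONObject();
            if (claims != null) {
                try {
                    this.issuer.set(JWTClaimsSet.parse(claims).getIssuer());
                } catch (ParseException e) {
                    throw this.logger.logExceptionAsError(new RuntimeException(e.getMessage(), e));
                }
            }
        }
        return this.issuer.get();
    }

    /** Returns the {@code iat} claim as a UTC time, or {@code null} when absent. */
    @Override
    public OffsetDateTime getIssuedAt() {
        return readEpochSecondsClaim(this.issuedAt, "iat", "IssuedAt");
    }

    /** Returns the {@code exp} claim as a UTC time, or {@code null} when absent. */
    @Override
    public OffsetDateTime getExpiresOn() {
        return readEpochSecondsClaim(this.expiresOn, "exp", "ExpiresOn");
    }

    /** Returns the {@code nbf} claim as a UTC time, or {@code null} when absent. */
    @Override
    public OffsetDateTime getNotBefore() {
        return readEpochSecondsClaim(this.notBeforeTime, "nbf", "NotBefore");
    }

    /**
     * Reads a seconds-since-epoch claim from the payload and caches it as a UTC time.
     *
     * @param cache per-claim cache; left untouched when the claim is absent
     * @param claimName JSON member name of the claim
     * @param displayName claim name used in the error message
     * @return the cached time, or {@code null} when the claim is absent
     * @throws RuntimeException if the claim is present but is not a {@code Long}
     */
    private OffsetDateTime readEpochSecondsClaim(AtomicReference<OffsetDateTime> cache, String claimName, String displayName) {
        if (cache.get() == null) {
            Map<String, Object> claims = this.payload.toJSONObject();
            Object rawValue = claims == null ? null : claims.get(claimName);
            if (rawValue != null) {
                if (!(rawValue instanceof Long)) {
                    // Report the type of the offending claim value (the original ExpiresOn branch
                    // reported the type of the cache field instead).
                    throw this.logger.logExceptionAsError(new RuntimeException(
                        String.format("Invalid type for %s: %s", displayName, rawValue.getClass().getName())));
                }
                cache.set(OffsetDateTime.ofInstant(Instant.ofEpochSecond((Long) rawValue), ZoneOffset.UTC));
            }
        }
        return cache.get();
    }

    /**
     * Validates the token: signature first, then time claims, then issuer, then the caller's callback.
     *
     * <p>When {@code isValidateToken()} is {@code false} nothing is checked at all, including the
     * signature and the callback, so the token must be treated as untrusted input in that mode.
     *
     * @param list signers the caller trusts; may be {@code null} or empty
     * @param attestationTokenValidationOptions which checks to run and their parameters
     * @throws RuntimeException if any enabled check fails
     */
    public void validate(List<AttestationSigner> list, AttestationTokenValidationOptions attestationTokenValidationOptions) {
        if (!attestationTokenValidationOptions.isValidateToken()) {
            return;
        }
        AttestationSigner verifiedSigner = validateTokenSignature(list);
        validateTokenTimeProperties(attestationTokenValidationOptions);
        validateTokenIssuer(attestationTokenValidationOptions);
        if (attestationTokenValidationOptions.getValidationCallback() != null) {
            attestationTokenValidationOptions.getValidationCallback().accept(this, verifiedSigner);
        }
    }

    /**
     * Checks the {@code iss} claim against the expected issuer, when one is configured.
     *
     * <p>Fails closed: a token without an issuer is rejected whenever an expected issuer is set.
     * Accepting it would let a token bypass the issuer check simply by omitting the claim.
     *
     * @throws RuntimeException if an expected issuer is configured and the token's issuer is missing or different
     */
    private void validateTokenIssuer(AttestationTokenValidationOptions attestationTokenValidationOptions) {
        String expectedIssuer = attestationTokenValidationOptions.getExpectedIssuer();
        if (expectedIssuer == null) {
            return;
        }
        String actualIssuer = getIssuer();
        if (!expectedIssuer.equals(actualIssuer)) {
            throw this.logger.logExceptionAsError(new RuntimeException(String.format(
                "Token Validation Failed due to mismatched issuer. Expected issuer %s, but found %s",
                expectedIssuer, actualIssuer)));
        }
    }

    /**
     * Checks {@code exp} and {@code nbf} against the current time, allowing the configured slack.
     *
     * <p>A claim that is absent from the token is not treated as a failure; only claims that are
     * present and whose check is enabled are enforced.
     *
     * @throws RuntimeException if the token is expired or not yet valid beyond the allowed slack
     */
    private void validateTokenTimeProperties(AttestationTokenValidationOptions attestationTokenValidationOptions) {
        // The decompiler emitted an undefined register (r0) here; it is read as the value of now(),
        // i.e. the current time truncated to whole seconds to match the claims' resolution.
        OffsetDateTime now = OffsetDateTime.now();
        OffsetDateTime currentTime = now.minusNanos(now.getNano());

        OffsetDateTime expiration = getExpiresOn();
        if (expiration != null && attestationTokenValidationOptions.isValidateExpiresOn()) {
            if (currentTime.isAfter(expiration)
                && Duration.between(currentTime, expiration).abs().compareTo(attestationTokenValidationOptions.getValidationSlack()) > 0) {
                throw this.logger.logExceptionAsError(new RuntimeException(String.format(
                    "Token Validation Failed due to expiration time. Current time: %tc Expiration time: %tc",
                    currentTime, expiration)));
            }
        }

        OffsetDateTime notBefore = getNotBefore();
        if (notBefore == null || !attestationTokenValidationOptions.isValidateNotBefore()) {
            return;
        }
        if (currentTime.isBefore(notBefore)
            && Duration.between(currentTime, notBefore).abs().compareTo(attestationTokenValidationOptions.getValidationSlack()) > 0) {
            throw this.logger.logExceptionAsError(new RuntimeException(String.format(
                "Token Validation Failed due to NotBefore time. Current time: %tc Token becomes valid at: %tc",
                currentTime, notBefore)));
        }
    }

    /**
     * Verifies the token signature against the candidate signers.
     *
     * <p>NOT RECOVERED: the decompiler failed on this method (266 instructions skipped), so the
     * real verification logic is not available in this listing and the stub below always throws.
     * Nothing about the actual signature check can be reviewed from this page; consult the original
     * class file or the library source before drawing conclusions about it.
     */
    private AttestationSigner validateTokenSignature(List<AttestationSigner> signers) {
        throw new UnsupportedOperationException("Method not decompiled: com.azure.security.attestation.implementation.models.AttestationTokenImpl.validateTokenSignature(java.util.List):com.azure.security.attestation.models.AttestationSigner");
    }

    /**
     * Selects the signers that may have produced this token.
     *
     * <p>Selection order: caller-supplied signers whose key id equals the token's {@code kid};
     * failing that, all caller-supplied signers; and only when the caller supplied none, the
     * signers embedded in the token's own header ({@code x5c}, then {@code jwk}).
     *
     * <p>Security caveat: in the last case the candidates are chosen by whoever created the token.
     * A signature that verifies against such a key shows the token is internally consistent, not
     * that it came from a trusted party; trust must then be established separately, for example
     * in the validation callback.
     *
     * @param list signers the caller trusts; may be {@code null} or empty
     * @return the candidate signers, possibly empty
     */
    private List<AttestationSigner> getCandidateSigners(List<AttestationSigner> list) {
        List<AttestationSigner> candidates = new ArrayList<>();
        String keyId = getKeyId();
        if (keyId != null && list != null) {
            for (AttestationSigner signer : list) {
                if (keyId.equals(signer.getKeyId())) {
                    candidates.add(signer);
                }
            }
        }
        if (!candidates.isEmpty()) {
            return candidates;
        }
        if (list != null && !list.isEmpty()) {
            // No key-id match: fall back to trying every signer the caller trusts.
            candidates.addAll(list);
            return candidates;
        }
        AttestationSigner embeddedChain = getCertificateChain();
        if (embeddedChain != null) {
            candidates.add(embeddedChain);
        }
        AttestationSigner embeddedKey = getJsonWebKey();
        if (embeddedKey != null) {
            candidates.add(embeddedKey);
        }
        return candidates;
    }

    /** Creates an unsecured ({@code "alg":"none"}) token with an empty body. */
    public static AttestationToken createUnsecuredToken() {
        return new AttestationTokenImpl(EMPTY_TOKEN);
    }

    /**
     * Creates an unsecured ({@code "alg":"none"}) token carrying the given body.
     *
     * @param str the token body
     */
    public static AttestationToken createUnsecuredToken(String str) {
        return new AttestationTokenImpl(new PlainObject(new Payload(str)).serialize());
    }

    /**
     * Creates a signed token with an empty body.
     *
     * @param attestationSigningKey key and certificate to sign with; verified before use
     * @return the signed token
     * @throws RuntimeException if the signing key fails verification, the certificate cannot be
     *     encoded, the key type is unsupported, or signing fails
     */
    public static AttestationToken createSecuredToken(AttestationSigningKey attestationSigningKey) {
        ClientLogger clientLogger = new ClientLogger(AttestationTokenImpl.class);
        try {
            attestationSigningKey.verify();
            JWSHeader signingHeader = buildSigningHeader(attestationSigningKey);
            JWSSigner signer = createSigner(attestationSigningKey);
            // Signing input for an empty payload is "<header>." and the token is "<header>..<signature>".
            String signingInput = signingHeader.toBase64URL() + ".";
            String signature;
            try {
                signature = signer.sign(signingHeader, signingInput.getBytes(StandardCharsets.UTF_8)).toString();
            } catch (JOSEException e) {
                throw new RuntimeException(e.toString(), e);
            }
            return new AttestationTokenImpl(signingInput + "." + signature);
        } catch (Exception e) {
            // Single boundary: every failure surfaces as a logged RuntimeException with its cause attached.
            throw clientLogger.logExceptionAsError(new RuntimeException(e.getMessage(), e));
        }
    }

    /**
     * Creates a signed token carrying the given body.
     *
     * @param str the token body
     * @param attestationSigningKey key and certificate to sign with; verified before use
     * @return the signed token
     * @throws RuntimeException if the signing key fails verification, the certificate cannot be
     *     encoded, the key type is unsupported, or signing fails
     */
    public static AttestationToken createSecuredToken(String str, AttestationSigningKey attestationSigningKey) {
        ClientLogger clientLogger = new ClientLogger(AttestationTokenImpl.class);
        try {
            attestationSigningKey.verify();
            Payload body = new Payload(str);
            JWSHeader signingHeader = buildSigningHeader(attestationSigningKey);
            JWSSigner signer = createSigner(attestationSigningKey);
            JWSObject signedObject = new JWSObject(signingHeader, body);
            try {
                signedObject.sign(signer);
            } catch (JOSEException e) {
                throw new RuntimeException(e.toString(), e);
            }
            return new AttestationTokenImpl(signedObject.serialize());
        } catch (Exception e) {
            // Single boundary: every failure surfaces as a logged RuntimeException with its cause attached.
            throw clientLogger.logExceptionAsError(new RuntimeException(e.getMessage(), e));
        }
    }

    /** Builds the JWS header carrying the signing certificate in {@code x5c}. */
    private static JWSHeader buildSigningHeader(AttestationSigningKey signingKey) throws CertificateEncodingException {
        List<Base64> certificateChain = new ArrayList<>();
        certificateChain.add(Base64.encode(signingKey.getCertificate().getEncoded()));
        // NOTE(review): the algorithm is fixed to RS256 regardless of key type, so an EC key is
        // paired with an RSA algorithm identifier. Confirm whether EC signing is meant to be
        // supported; if so the algorithm has to be derived from the key.
        return new JWSHeader.Builder(JWSAlgorithm.RS256).x509CertChain(certificateChain).build();
    }

    /**
     * Creates the signer matching the private key's type.
     *
     * @throws RuntimeException if the key is neither RSA nor EC, so an unsupported key is rejected
     *     explicitly instead of reaching the signing call as a null signer
     */
    private static JWSSigner createSigner(AttestationSigningKey signingKey) throws JOSEException {
        if (signingKey.getPrivateKey() instanceof RSAPrivateKey) {
            Set<JWSSignerOption> signerOptions = new HashSet<>();
            if (signingKey.isWeakKeyAllowed()) {
                // Opt-in that relaxes the signer's RSA key-strength check; tokens signed this way
                // inherit the weakness of the key, so keep it off outside of tests.
                signerOptions.add(AllowWeakRSAKey.getInstance());
            }
            return new RSASSASigner(signingKey.getPrivateKey(), signerOptions);
        }
        if (signingKey.getPrivateKey() instanceof ECPrivateKey) {
            return new ECDSASigner((ECPrivateKey) signingKey.getPrivateKey());
        }
        throw new RuntimeException("Assertion failure: Cannot have signer that is not either RSA or EC");
    }
}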
