package eu.europa.ec.eudi.openid4vp.internal.response;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEEncrypter;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.id.Issuer;
import eu.europa.ec.eudi.openid4vp.ConfigKt;
import eu.europa.ec.eudi.openid4vp.JarmConfiguration;
import eu.europa.ec.eudi.openid4vp.JarmRequirement;
import eu.europa.ec.eudi.openid4vp.SiopOpenId4VPConfig;
import eu.europa.ec.eudi.openid4vp.VerifiablePresentation;
import eu.europa.ec.eudi.openid4vp.VpToken;
import eu.europa.ec.eudi.openid4vp.internal.response.AuthorizationResponsePayload;
import java.time.Instant;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import kotlin.Metadata;
import kotlin.NoWhenBranchMatchedException;
import kotlin.Pair;
import kotlin.TuplesKt;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import kotlinx.serialization.json.JsonArrayBuilder;
import kotlinx.serialization.json.JsonElement;
import kotlinx.serialization.json.JsonElementKt;

/* compiled from: JarmJwt.kt */
@Metadata(d1 = {"\u0000p\n\u0000\n\u0002\u0018\u0002\n\u0002\u0010\u000e\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\u001a%\u0010\u0000\u001a\u00060\u0002j\u0002`\u0001*\u00020\u00032\u0006\u0010\u0004\u001a\u00020\u00052\u0006\u0010\u0006\u001a\u00020\u0007H\u0000¢\u0006\u0002\u0010\b\u001a\u001c\u0010\t\u001a\u00020\n*\u00020\u00032\u0006\u0010\u000b\u001a\u00020\f2\u0006\u0010\u0006\u001a\u00020\u0007H\u0002\u001a\u001c\u0010\r\u001a\u00020\u000e*\u00020\u00032\u0006\u0010\u000b\u001a\u00020\u000f2\u0006\u0010\u0006\u001a\u00020\u0007H\u0002\u001a(\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u0014\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u00172\u0006\u0010\u0006\u001a\u00020\u0007H\u0002\u001a\u001c\u0010\u0018\u001a\u00020\u0019*\u00020\u00032\u0006\u0010\u000b\u001a\u00020\u001a2\u0006\u0010\u0006\u001a\u00020\u0007H\u0002\u001a$\u0010\u001b\u001a\u000e\u0012\u0004\u0012\u00020\u0017\u0012\u0004\u0012\u00020\u001d0\u001c2\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u001e\u001a\u00020\u001fH\u0002\u001a\f\u0010 \u001a\u00020!*\u00020\"H\u0000¨\u0006#"}, d2 = {"jarmJwt", "Leu/europa/ec/eudi/openid4vp/Jwt;", "", "Leu/europa/ec/eudi/openid4vp/SiopOpenId4VPConfig;", "jarmRequirement", "Leu/europa/ec/eudi/openid4vp/JarmRequirement;", "data", "Leu/europa/ec/eudi/openid4vp/internal/response/AuthorizationResponsePayload;", 
"(Leu/europa/ec/eudi/openid4vp/SiopOpenId4VPConfig;Leu/europa/ec/eudi/openid4vp/JarmRequirement;Leu/europa/ec/eudi/openid4vp/internal/response/AuthorizationResponsePayload;)Ljava/lang/String;", "sign", "Lcom/nimbusds/jwt/SignedJWT;", "requirement", "Leu/europa/ec/eudi/openid4vp/JarmRequirement$Signed;", "encrypt", "Lcom/nimbusds/jwt/EncryptedJWT;", "Leu/europa/ec/eudi/openid4vp/JarmRequirement$Encrypted;", "jweHeader", "Lcom/nimbusds/jose/JWEHeader;", "jweAlgorithm", "Lcom/nimbusds/jose/JWEAlgorithm;", "encryptionMethod", "Lcom/nimbusds/jose/EncryptionMethod;", "jweKey", "Lcom/nimbusds/jose/jwk/JWK;", "signAndEncrypt", "Lcom/nimbusds/jose/JWEObject;", "Leu/europa/ec/eudi/openid4vp/JarmRequirement$SignedAndEncrypted;", "keyAndEncryptor", "Lkotlin/Pair;", "Lcom/nimbusds/jose/JWEEncrypter;", "jwkSet", "Lcom/nimbusds/jose/jwk/JWKSet;", "toJson", "Lkotlinx/serialization/json/JsonElement;", "Leu/europa/ec/eudi/openid4vp/VpToken;", "siop-openid4vp"}, k = 2, mv = {2, 0, 0}, xi = 48)
/* loaded from: classes6.dex */
/*
 * Builds the JWT that carries an authorization response (the error messages below call it "JARM").
 * Depending on the JarmRequirement variant, the response is signed, encrypted, or signed and then
 * encrypted, and returned in serialized form.
 *
 * NOTE(review): nothing in this class compares the requested signing/encryption algorithms with
 * the wallet's own supported lists; it only checks that a signing and/or encryption configuration
 * exists. Presumably the algorithms are validated where the JarmRequirement is created - confirm.
 */
public final class JarmJwtKt {
    /**
     * Produces an encrypted (unsigned) JWT for the given payload.
     *
     * <p>The recipient key is picked from the key set carried by the requirement.
     * NOTE(review): this method does not itself establish trust in that key set; verify that the
     * caller only passes key sets taken from a validated request.
     *
     * @throws IllegalStateException if the wallet has no encryption configuration, or no usable key is found
     */
    private static final EncryptedJWT encrypt(SiopOpenId4VPConfig siopOpenId4VPConfig, JarmRequirement.Encrypted encrypted, AuthorizationResponsePayload authorizationResponsePayload) {
        boolean encryptionSupported = ConfigKt.encryptionConfig(siopOpenId4VPConfig.getJarmConfiguration()) != null;
        if (!encryptionSupported) {
            throw new IllegalStateException("Wallet doesn't support encrypted JARM");
        }
        JWEAlgorithm alg = encrypted.getResponseEncryptionAlg();
        EncryptionMethod enc = encrypted.getResponseEncryptionEnc();
        Pair<JWK, JWEEncrypter> selection = keyAndEncryptor(alg, encrypted.getEncryptionKeySet());
        JWK recipientKey = selection.component1();
        JWEEncrypter encrypter = selection.component2();
        JWEHeader header = jweHeader(alg, enc, recipientKey, authorizationResponsePayload);
        EncryptedJWT jwe = new EncryptedJWT(header, JwtPayloadFactory.INSTANCE.encryptedJwtClaimSet(authorizationResponsePayload));
        jwe.encrypt(encrypter);
        return jwe;
    }

    /**
     * Entry point: builds the response JWT demanded by {@code jarmRequirement} and serializes it.
     *
     * @param siopOpenId4VPConfig wallet configuration (the Kotlin extension receiver)
     * @param jarmRequirement whether the response must be signed, encrypted, or both
     * @param data the authorization response payload to protect
     * @return the serialized JWT
     * @throws IllegalStateException if the wallet configuration cannot satisfy the requirement
     * @throws JOSEException declared for the underlying signing/encryption operations
     */
    public static final String jarmJwt(SiopOpenId4VPConfig siopOpenId4VPConfig, JarmRequirement jarmRequirement, AuthorizationResponsePayload data) throws IllegalStateException, JOSEException {
        Intrinsics.checkNotNullParameter(siopOpenId4VPConfig, "<this>");
        Intrinsics.checkNotNullParameter(jarmRequirement, "jarmRequirement");
        Intrinsics.checkNotNullParameter(data, "data");
        final String compact;
        if (jarmRequirement instanceof JarmRequirement.Signed) {
            compact = sign(siopOpenId4VPConfig, (JarmRequirement.Signed) jarmRequirement, data).serialize();
        } else if (jarmRequirement instanceof JarmRequirement.Encrypted) {
            compact = encrypt(siopOpenId4VPConfig, (JarmRequirement.Encrypted) jarmRequirement, data).serialize();
        } else if (jarmRequirement instanceof JarmRequirement.SignedAndEncrypted) {
            compact = signAndEncrypt(siopOpenId4VPConfig, (JarmRequirement.SignedAndEncrypted) jarmRequirement, data).serialize();
        } else {
            // Exhaustive Kotlin `when`: no other requirement variant is handled.
            throw new NoWhenBranchMatchedException();
        }
        Intrinsics.checkNotNullExpressionValue(compact, "serialize(...)");
        return compact;
    }

    /**
     * Builds the JWE header for the given algorithm, method and recipient key.
     *
     * <p>When the payload's VP token carries an {@code apu} value, the header gets that value as
     * agreement PartyUInfo and the Base64URL-encoded payload nonce as agreement PartyVInfo. When
     * there is no {@code apu}, neither field is set. The key ID of the public part of {@code jwk}
     * is added when present.
     */
    private static final JWEHeader jweHeader(JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod, JWK jwk, AuthorizationResponsePayload authorizationResponsePayload) {
        Base64URL partyU = null;
        if (authorizationResponsePayload instanceof AuthorizationResponsePayload.OpenId4VPAuthorization) {
            partyU = ((AuthorizationResponsePayload.OpenId4VPAuthorization) authorizationResponsePayload).getVpToken().getApu();
        } else if (authorizationResponsePayload instanceof AuthorizationResponsePayload.SiopOpenId4VPAuthentication) {
            partyU = ((AuthorizationResponsePayload.SiopOpenId4VPAuthentication) authorizationResponsePayload).getVpToken().getApu();
        }
        // The nonce is only read (and bound into the header) when an apu value exists.
        Base64URL partyV = partyU != null ? Base64URL.encode(authorizationResponsePayload.getNonce()) : null;

        JWEHeader.Builder headerBuilder = new JWEHeader.Builder(jWEAlgorithm, encryptionMethod);
        if (partyV != null) {
            headerBuilder.agreementPartyVInfo(partyV);
        }
        if (partyU != null) {
            headerBuilder.agreementPartyUInfo(partyU);
        }
        String kid = jwk.toPublicJWK().getKeyID();
        if (kid != null) {
            headerBuilder.keyID(kid);
        }
        JWEHeader header = headerBuilder.build();
        Intrinsics.checkNotNullExpressionValue(header, "build(...)");
        return header;
    }

    /**
     * Returns the first (key, encrypter) entry that {@code EncrypterFactory.findEncrypters}
     * yields for the algorithm and key set.
     *
     * <p>NOTE(review): which key counts as "first" depends on the iteration order of the map the
     * factory returns, which is not visible here - confirm that the selection is deterministic if
     * the key set can hold several suitable keys.
     *
     * @throws IllegalStateException if the factory yields no entry
     */
    private static final Pair<JWK, JWEEncrypter> keyAndEncryptor(JWEAlgorithm jWEAlgorithm, JWKSet jWKSet) {
        for (Map.Entry<JWK, JWEEncrypter> candidate : EncrypterFactory.INSTANCE.findEncrypters(jWEAlgorithm, jWKSet).entrySet()) {
            Pair<JWK, JWEEncrypter> chosen = TuplesKt.to(candidate.getKey(), candidate.getValue());
            if (chosen != null) {
                return chosen;
            }
        }
        throw new IllegalStateException("Cannot find appropriate encryption key for " + jWEAlgorithm.getName());
    }

    /**
     * Produces a signed JWT for the payload using the wallet's configured signer.
     *
     * <p>The JWS header carries the requested signing algorithm and the signer's key ID. The claim
     * set is built by {@code JwtPayloadFactory} from the payload, the configured issuer, the
     * current instant and the configured TTL.
     *
     * @throws IllegalStateException if the wallet has no signing configuration
     */
    private static final SignedJWT sign(SiopOpenId4VPConfig siopOpenId4VPConfig, JarmRequirement.Signed signed, AuthorizationResponsePayload authorizationResponsePayload) {
        JarmConfiguration.Signing signing = ConfigKt.signingConfig(siopOpenId4VPConfig.getJarmConfiguration());
        if (signing == null) {
            throw new IllegalStateException("Wallet doesn't support signing JARM");
        }
        JWSHeader.Builder headerBuilder = new JWSHeader.Builder(signed.getResponseSigningAlg());
        JWSHeader header = headerBuilder.keyID(signing.getSigner().getKeyId()).build();
        JwtPayloadFactory claimsFactory = JwtPayloadFactory.INSTANCE;
        Issuer iss = siopOpenId4VPConfig.getIssuer();
        Instant issuedAt = Instant.now();
        Intrinsics.checkNotNullExpressionValue(issuedAt, "now(...)");
        SignedJWT jws = new SignedJWT(header, claimsFactory.signedJwtClaimSet(authorizationResponsePayload, iss, issuedAt, signing.getTtl()));
        jws.sign(signing.getSigner());
        return jws;
    }

    /**
     * Signs the payload and then encrypts the signed JWT (a nested JWT).
     *
     * <p>NOTE(review): the JWE header built by {@code jweHeader} does not set a content type.
     * RFC 7519 section 5.2 expects {@code cty} = "JWT" on the outer header of a nested JWT -
     * confirm whether verifiers in this ecosystem rely on it.
     *
     * @throws IllegalStateException if the wallet is not configured for signing and encryption,
     *     or no usable encryption key is found
     */
    private static final JWEObject signAndEncrypt(SiopOpenId4VPConfig siopOpenId4VPConfig, JarmRequirement.SignedAndEncrypted signedAndEncrypted, AuthorizationResponsePayload authorizationResponsePayload) {
        boolean supportsBoth = siopOpenId4VPConfig.getJarmConfiguration() instanceof JarmConfiguration.SigningAndEncryption;
        if (!supportsBoth) {
            throw new IllegalStateException("Wallet doesn't support signing & encrypting JARM");
        }
        // Inner layer: the signed JWT.
        SignedJWT inner = sign(siopOpenId4VPConfig, signedAndEncrypted.getSigned(), authorizationResponsePayload);
        // Outer layer: encrypt the signed JWT for the selected recipient key.
        JarmRequirement.Encrypted encryption = signedAndEncrypted.getEncryptResponse();
        JWEAlgorithm alg = encryption.getResponseEncryptionAlg();
        EncryptionMethod enc = encryption.getResponseEncryptionEnc();
        Pair<JWK, JWEEncrypter> selection = keyAndEncryptor(alg, encryption.getEncryptionKeySet());
        JWK recipientKey = selection.component1();
        JWEEncrypter encrypter = selection.component2();
        JWEHeader header = jweHeader(alg, enc, recipientKey, authorizationResponsePayload);
        JWEObject outer = new JWEObject(header, new Payload(inner));
        outer.encrypt(encrypter);
        return outer;
    }

    /**
     * Converts a VP token to JSON: a single presentation becomes that presentation's JSON value,
     * several presentations become a JSON array.
     *
     * @throws IllegalStateException if the token holds no presentations
     */
    public static final JsonElement toJson(VpToken vpToken) {
        Intrinsics.checkNotNullParameter(vpToken, "<this>");
        int count = vpToken.getVerifiablePresentations().size();
        switch (count) {
            case 0:
                throw new IllegalStateException("Not expected");
            case 1:
                return toJson$asJson((VerifiablePresentation) CollectionsKt.first((List) vpToken.getVerifiablePresentations()));
            default:
                JsonArrayBuilder array = new JsonArrayBuilder();
                for (VerifiablePresentation presentation : vpToken.getVerifiablePresentations()) {
                    array.add(toJson$asJson(presentation));
                }
                return array.build();
        }
    }

    /**
     * Maps one presentation to JSON: Generic and MsoMdoc values are wrapped as JSON primitives,
     * a JsonObj value is returned as is.
     */
    private static final JsonElement toJson$asJson(VerifiablePresentation verifiablePresentation) {
        final JsonElement json;
        if (verifiablePresentation instanceof VerifiablePresentation.Generic) {
            json = JsonElementKt.JsonPrimitive(((VerifiablePresentation.Generic) verifiablePresentation).m8345unboximpl());
        } else if (verifiablePresentation instanceof VerifiablePresentation.JsonObj) {
            json = ((VerifiablePresentation.JsonObj) verifiablePresentation).m8352unboximpl();
        } else if (verifiablePresentation instanceof VerifiablePresentation.MsoMdoc) {
            json = JsonElementKt.JsonPrimitive(((VerifiablePresentation.MsoMdoc) verifiablePresentation).m8359unboximpl());
        } else {
            // Exhaustive Kotlin `when`: no other presentation variant is handled.
            throw new NoWhenBranchMatchedException();
        }
        return json;
    }
}
