package se.arkalix.internal.security.access;

import java.security.PrivateKey;
import java.security.PublicKey;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.lang.JoseException;
import se.arkalix.descriptor.InterfaceDescriptor;
import se.arkalix.security.access.AccessTokenException;

/* loaded from: input_file:se/arkalix/internal/security/access/AccessToken.class */
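/**
 * Claims carried by an access token: a compact JWE whose plaintext is a
 * compact JWS whose payload is a JSON claims set.
 *
 * <p>Instances are immutable and are created only by
 * {@link #read(String, PrivateKey, PublicKey)}, which decrypts the token,
 * verifies its signature, checks its time claims and requires the "cid",
 * "iid" and "sid" claims to be present.
 */
public final class AccessToken {
    /** Allowed difference, in milliseconds, between the issuer's clock and this one. */
    private static final long CLOCK_SKEW_TOLERANCE_IN_MS = 60000;

    private final String cid;
    private final InterfaceDescriptor iid;
    private final String sid;

    private AccessToken(String cid, InterfaceDescriptor iid, String sid) {
        this.cid = cid;
        this.iid = iid;
        this.sid = sid;
    }

    /** @return the value of the token's "cid" claim */
    public String cid() {
        return this.cid;
    }

    /** @return the token's "iid" claim, parsed as an interface descriptor */
    public InterfaceDescriptor iid() {
        return this.iid;
    }

    /** @return the value of the token's "sid" claim */
    public String sid() {
        return this.sid;
    }

    /**
     * Decrypts, authenticates and validates an access token.
     *
     * @param str        compact JWE serialization of the token
     * @param privateKey key used to decrypt the JWE
     * @param publicKey  key used to verify the signature of the inner JWS
     * @return the token's "cid", "iid" and "sid" claims
     * @throws AccessTokenException if the token cannot be decrypted, its
     *         signature does not verify, it is outside its validity window,
     *         or a required claim is missing or malformed
     */
    public static AccessToken read(String str, PrivateKey privateKey, PublicKey publicKey) throws AccessTokenException {
        // Claims are only inspected after decryption AND signature verification
        // have both succeeded, so everything read below is authenticated.
        JwtClaims claims = verifyAndGetClaims(verifySignatureAndGetPayload(decrypt(str, privateKey), publicKey));

        String cid = claims.getClaimValueAsString("cid");
        if (cid == null) {
            throw new AccessTokenException("Expected \"cid\" claim");
        }
        String rawIid = claims.getClaimValueAsString("iid");
        if (rawIid == null) {
            throw new AccessTokenException("Expected \"iid\" claim");
        }
        InterfaceDescriptor iid;
        try {
            iid = InterfaceDescriptor.valueOf(rawIid);
        } catch (IllegalArgumentException e) {
            // Keep the cause so the parse failure is not lost from the trace.
            throw new AccessTokenException("Malformed \"iid\"; expected <protocol>-<security>-<encoding>, got \"" + rawIid + "\"", e);
        }
        String sid = claims.getClaimValueAsString("sid");
        if (sid == null) {
            throw new AccessTokenException("Expected \"sid\" claim");
        }
        return new AccessToken(cid, iid, sid);
    }

    /**
     * Decrypts a compact JWE and returns its plaintext.
     *
     * @throws AccessTokenException if the input is not a well-formed JWE or
     *         cannot be decrypted with the given key
     */
    private static String decrypt(String token, PrivateKey privateKey) throws AccessTokenException {
        // NOTE(review): no algorithm constraints are configured here, so the
        // accepted key-management and content-encryption algorithms are the
        // library defaults. Consider pinning the algorithms the deployment
        // actually uses (jose4j's setAlgorithmConstraints).
        JsonWebEncryption jwe = new JsonWebEncryption();
        try {
            jwe.setCompactSerialization(token);
        } catch (JoseException e) {
            throw new AccessTokenException("Malformed JWE", e);
        }
        jwe.setKey(privateKey);
        try {
            return jwe.getPlaintextString();
        } catch (JoseException e) {
            throw new AccessTokenException("Could not decrypt token", e);
        }
    }

    /**
     * Verifies the signature of a compact JWS and returns its payload.
     *
     * @param str       compact JWS serialization
     * @param publicKey key the signature must verify against
     * @return the JWS payload, returned only after the signature has verified
     * @throws AccessTokenException if the input is not a well-formed JWS or
     *         its signature does not verify
     */
    public static String verifySignatureAndGetPayload(String str, PublicKey publicKey) throws AccessTokenException {
        // NOTE(review): the signature algorithm is not pinned; acceptance
        // relies on the library's default constraints. Consider restricting
        // it to the algorithm the token issuer is known to use.
        JsonWebSignature jws = new JsonWebSignature();
        try {
            jws.setCompactSerialization(str);
        } catch (JoseException e) {
            throw new AccessTokenException("Malformed JWS", e);
        }
        jws.setKey(publicKey);

        // Fail closed: an error raised while verifying is treated exactly
        // like an invalid signature, with the error kept as the cause.
        boolean isVerified;
        Throwable cause = null;
        try {
            isVerified = jws.verifySignature();
        } catch (JoseException e) {
            cause = e;
            isVerified = false;
        }
        if (!isVerified) {
            throw new AccessTokenException("Token signature verification failed", cause);
        }
        try {
            return jws.getPayload();
        } catch (JoseException e) {
            throw new AccessTokenException("Malformed JWS payload", e);
        }
    }

    /**
     * Parses a JSON claims set and checks its "exp" and "iat" claims against
     * the current time, allowing {@link #CLOCK_SKEW_TOLERANCE_IN_MS} of skew
     * in the token's favour.
     *
     * @throws AccessTokenException if the claims cannot be parsed, the token
     *         has expired, or it claims to have been issued in the future
     */
    private static JwtClaims verifyAndGetClaims(String payload) throws AccessTokenException {
        try {
            JwtClaims claims = JwtClaims.parse(payload);
            long nowMillis = System.currentTimeMillis();

            // Expired means the expiration time lies in the PAST by more than
            // the tolerance. The comparison was previously inverted, which
            // accepted expired tokens and rejected ones that were still valid.
            // The tolerance is subtracted from "now" so that a very large
            // "exp" value cannot overflow the comparison.
            // NOTE(review): a token without an "exp" claim never expires
            // here; confirm that this is intended.
            NumericDate expirationTime = claims.getExpirationTime();
            if (expirationTime != null
                    && expirationTime.getValueInMillis() < nowMillis - CLOCK_SKEW_TOLERANCE_IN_MS) {
                throw new AccessTokenException("JWT expired");
            }

            NumericDate issuedAt = claims.getIssuedAt();
            if (issuedAt != null
                    && issuedAt.getValueInMillis() > nowMillis + CLOCK_SKEW_TOLERANCE_IN_MS) {
                throw new AccessTokenException("JWT not yet issued");
            }
            return claims;
        } catch (MalformedClaimException e) {
            throw new AccessTokenException("Malformed JWT claim", e);
        } catch (InvalidJwtException e) {
            throw new AccessTokenException("Malformed JWT claims", e);
        }
    }
}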
