package dev.fitko.fitconnect.jwkvalidator.parameter;

import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.KeyOperation;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import dev.fitko.fitconnect.jwkvalidator.exceptions.JWKInvalidPurposeException;
import dev.fitko.fitconnect.jwkvalidator.exceptions.JWKValidationException;
import dev.fitko.fitconnect.jwkvalidator.exceptions.LogLevel;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/fitko/fitconnect/jwkvalidator/parameter/JWKParameterValidator.class */
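/**
 * Checks the parameters of an RSA JWK against a fixed profile before the key is used.
 *
 * <p>The profile enforced by the code below is:
 * <ul>
 *   <li>a non-blank key id of at least {@value #MIN_KEY_ID_LENGTH} characters,</li>
 *   <li>exactly one entry in {@code key_ops} and a non-null {@code alg},</li>
 *   <li>{@code PS512} for a {@code verify} key and {@code RSA-OAEP-256} for a {@code wrapKey} key,</li>
 *   <li>a modulus of at least {@value #MIN_MODULUS_BITS} bits,</li>
 *   <li>a {@code use} value, when present, that agrees with {@code key_ops}.</li>
 * </ul>
 *
 * <p>Only the JWK's own parameters are inspected. Nothing in this class establishes where the
 * key came from or whether it is trusted; callers that need that must check it separately.
 */
public class JWKParameterValidator {
    private static final Logger log = LoggerFactory.getLogger(JWKParameterValidator.class);

    /** Shortest key id accepted by {@link #hasValidKid(RSAKey)}. */
    private static final int MIN_KEY_ID_LENGTH = 3;

    /** Smallest RSA modulus size, in bits, accepted by {@link #hasValidKeyLength(RSAKey)}. */
    private static final int MIN_MODULUS_BITS = 4096;

    /** Handed unchanged to the exception builders together with {@link #log}. */
    private final LogLevel logLevel;

    /**
     * Creates a validator.
     *
     * @param logLevel level passed to the exception builders for every validation failure
     */
    public JWKParameterValidator(LogLevel logLevel) {
        this.logLevel = logLevel;
    }

    /**
     * Validates the key's parameters and additionally requires that it carries the given
     * key operation.
     *
     * @param rSAKey the key to check
     * @param keyOperation the operation the caller intends to perform with the key
     * @throws IllegalArgumentException if {@code rSAKey} or {@code keyOperation} is null
     * @throws JWKValidationException if the key violates the profile or lacks the purpose
     */
    public void validateForPurpose(RSAKey rSAKey, KeyOperation keyOperation) throws IllegalArgumentException, JWKValidationException {
        if (rSAKey == null) {
            throw new IllegalArgumentException("Cannot validate JWK - JWK is null");
        }
        // The key id is checked before the purpose so the message below can name the key.
        hasValidKid(rSAKey);
        if (keyOperation == null) {
            throw new IllegalArgumentException("Cannot validate JWK with id " + rSAKey.getKeyID() + " - specified purpose is null");
        }
        hasValidPurpose(rSAKey, keyOperation);
        hasValidParameters(rSAKey);
    }

    /**
     * Validates the key's parameters without tying it to a specific purpose.
     *
     * @param rSAKey the key to check
     * @throws IllegalArgumentException if {@code rSAKey} is null
     * @throws JWKValidationException if the key violates the profile
     */
    public void validate(RSAKey rSAKey) throws IllegalArgumentException, JWKValidationException {
        if (rSAKey == null) {
            throw new IllegalArgumentException("Cannot validate JWK - JWK is null");
        }
        hasValidKid(rSAKey);
        hasValidParameters(rSAKey);
    }

    /**
     * Runs the algorithm, key-length and key-use checks.
     *
     * <p>The order matters: {@link #hasValidUse(RSAKey)} dereferences {@code key_ops} and relies
     * on {@link #hasValidAlgForKeyOps(RSAKey)} having rejected a null set first.
     */
    private void hasValidParameters(RSAKey key) throws JWKValidationException {
        hasValidAlgForKeyOps(key);
        hasValidKeyLength(key);
        hasValidUse(key);
    }

    /** Rejects a key whose id is missing, blank or shorter than {@link #MIN_KEY_ID_LENGTH}. */
    private void hasValidKid(RSAKey key) throws JWKValidationException {
        String keyId = key.getKeyID();
        if (keyId == null || keyId.isBlank()) {
            throw JWKValidationException.build(key, log, this.logLevel, "JWK does not contain any key id");
        }
        if (keyId.length() < MIN_KEY_ID_LENGTH) {
            // The message has a {} placeholder; the original call supplied no argument for it.
            throw JWKValidationException.build(key, log, this.logLevel, "JWK with id {} has a key id with invalid length", keyId);
        }
    }

    /** Rejects a key that has no {@code key_ops} or does not list the requested operation. */
    private void hasValidPurpose(RSAKey key, KeyOperation keyOperation) throws JWKValidationException {
        if (key.getKeyOperations() == null) {
            throw JWKValidationException.build(key, log, this.logLevel, "JWK with id {} does not contain any purpose.", key.getKeyID());
        }
        if (!key.getKeyOperations().contains(keyOperation)) {
            throw JWKInvalidPurposeException.build((JWK) key, log, this.logLevel, "JWK with id {} does not have intended purpose {}", key.getKeyID(), keyOperation);
        }
    }

    /**
     * Requires exactly one key operation and an algorithm that matches it.
     *
     * <p>An empty {@code key_ops} set is rejected as well: with no operation listed, neither
     * algorithm comparison below would apply and any {@code alg} would pass {@link #validate}.
     */
    private void hasValidAlgForKeyOps(RSAKey key) throws JWKValidationException {
        if (key.getKeyOperations() == null || key.getAlgorithm() == null || key.getKeyOperations().size() != 1) {
            throw JWKValidationException.build(key, log, this.logLevel, "JWK with id {} does not have right amount of KeyOps and/or no Alg", key.getKeyID());
        }
        boolean isVerifyKey = key.getKeyOperations().contains(KeyOperation.VERIFY);
        if (isVerifyKey && !key.getAlgorithm().equals(JWSAlgorithm.PS512)) {
            throw JWKValidationException.build(key, log, this.logLevel, "JWK with id {} is of type {} but has wrong Alg", key.getKeyID(), KeyOperation.VERIFY);
        }
        boolean isWrapKey = key.getKeyOperations().contains(KeyOperation.WRAP_KEY);
        if (isWrapKey && !key.getAlgorithm().equals(JWEAlgorithm.RSA_OAEP_256)) {
            throw JWKValidationException.build(key, log, this.logLevel, "JWK with id {} is of type {} but has wrong Alg", key.getKeyID(), KeyOperation.WRAP_KEY);
        }
        // NOTE(review): a key whose single operation is neither VERIFY nor WRAP_KEY reaches this
        // point with its alg unconstrained. Confirm whether such keys are meant to be accepted.
    }

    /**
     * Rejects a key whose RSA modulus is shorter than {@link #MIN_MODULUS_BITS}.
     *
     * <p>The size is the bit length of the modulus as an unsigned integer, not the byte count of
     * its encoding, so leading zero bytes or bits in the encoded value do not count towards it.
     */
    private void hasValidKeyLength(RSAKey key) throws JWKValidationException {
        int modulusBits = key.getModulus().decodeToBigInteger().bitLength();
        if (modulusBits < MIN_MODULUS_BITS) {
            throw JWKValidationException.build(key, log, this.logLevel, "JWK with id {} has wrong key length. Is {} but should be 4096 at least.", key.getKeyID(), modulusBits);
        }
    }

    /**
     * Checks that an optional {@code use} value agrees with {@code key_ops}: {@code sig} needs
     * {@code verify}, {@code enc} needs {@code wrapKey}, and any other value is rejected.
     *
     * <p>Must run after {@link #hasValidAlgForKeyOps(RSAKey)}, which guarantees that
     * {@code key_ops} is not null.
     */
    private void hasValidUse(RSAKey key) throws JWKValidationException {
        KeyUse keyUse = key.getKeyUse();
        if (keyUse == null) {
            // "use" is optional in this profile; key_ops alone then describes the key.
            return;
        }
        final KeyOperation requiredOperation;
        if (KeyUse.SIGNATURE.equals(keyUse)) {
            requiredOperation = KeyOperation.VERIFY;
        } else if (KeyUse.ENCRYPTION.equals(keyUse)) {
            requiredOperation = KeyOperation.WRAP_KEY;
        } else {
            throw JWKValidationException.build(key, log, this.logLevel, "Invalid key use in JWK with id {}", key.getKeyID());
        }
        if (!key.getKeyOperations().contains(requiredOperation)) {
            throw JWKValidationException.build(key, log, this.logLevel, "JWK with id {} has invalid KeyOps {} for use {}", key.getKeyID(), key.getKeyOperations(), key.getKeyUse());
        }
    }
}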
