package tbdex.sdk.httpclient;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.UUID;
import kotlin.Metadata;
import kotlin.NoWhenBranchMatchedException;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import kotlin.text.StringsKt;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import web5.sdk.common.Convert;
import web5.sdk.common.EncodingFormat;
import web5.sdk.crypto.KeyManager;
import web5.sdk.dids.Did;
import web5.sdk.dids.DidResolvers;
import web5.sdk.dids.ResolveDidOptions;
import web5.sdk.dids.didcore.DIDDocument;
import web5.sdk.dids.didcore.VerificationMethod;

/* compiled from: RequestToken.kt */
@Metadata(mv = {1, 9, 0}, k = 1, xi = 48, d1 = {"�� \n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0002\n\u0002\u0010 \n\u0002\u0010\u000e\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0005\bÆ\u0002\u0018��2\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J\"\u0010\b\u001a\u00020\u00052\u0006\u0010\t\u001a\u00020\n2\u0006\u0010\u000b\u001a\u00020\u00052\n\b\u0002\u0010\f\u001a\u0004\u0018\u00010\u0005J\u0016\u0010\r\u001a\u00020\u00052\u0006\u0010\u000e\u001a\u00020\u00052\u0006\u0010\u000b\u001a\u00020\u0005R\u0017\u0010\u0003\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004¢\u0006\b\n��\u001a\u0004\b\u0006\u0010\u0007¨\u0006\u000f"}, d2 = {"Ltbdex/sdk/httpclient/RequestToken;", "", "()V", "requiredClaimKeys", "", "", "getRequiredClaimKeys", "()Ljava/util/List;", "generate", "did", "Lweb5/sdk/dids/Did;", "pfiDid", "assertionMethodId", "verify", "token", "httpclient"})
@SourceDebugExtension({"SMAP\nRequestToken.kt\nKotlin\n*S Kotlin\n*F\n+ 1 RequestToken.kt\ntbdex/sdk/httpclient/RequestToken\n+ 2 fake.kt\nkotlin/jvm/internal/FakeKt\n+ 3 _Collections.kt\nkotlin/collections/CollectionsKt___CollectionsKt\n*L\n1#1,129:1\n1#2:130\n1855#3,2:131\n*S KotlinDebug\n*F\n+ 1 RequestToken.kt\ntbdex/sdk/httpclient/RequestToken\n*L\n109#1:131,2\n*E\n"})
/* loaded from: input_file:tbdex/sdk/httpclient/RequestToken.class */
public final class RequestToken {

    @NotNull
    public static final RequestToken INSTANCE = new RequestToken();

    @NotNull
    private static final List<String> requiredClaimKeys = CollectionsKt.listOf(new String[]{"aud", "iss", "exp", "jti", "iat"});

    private RequestToken() {
    }

    @NotNull
    public final List<String> getRequiredClaimKeys() {
        return requiredClaimKeys;
    }

    @NotNull
    public final String generate(@NotNull Did did, @NotNull String str, @Nullable String str2) {
        VerificationMethod findAssertionMethodById;
        String id;
        Intrinsics.checkNotNullParameter(did, "did");
        Intrinsics.checkNotNullParameter(str, "pfiDid");
        DIDDocument didDocument = DidResolvers.resolve$default(DidResolvers.INSTANCE, did.getUri(), (ResolveDidOptions) null, 2, (Object) null).getDidDocument();
        if (didDocument == null || (findAssertionMethodById = didDocument.findAssertionMethodById(str2)) == null) {
            throw new RequestTokenCreateException("Assertion method not found");
        }
        JWK publicKeyJwk = findAssertionMethodById.getPublicKeyJwk();
        if (!(publicKeyJwk != null)) {
            throw new IllegalStateException("publicKeyJwk is null".toString());
        }
        String deterministicAlias = did.getKeyManager().getDeterministicAlias(publicKeyJwk);
        JWSAlgorithm parse = JWSAlgorithm.parse(publicKeyJwk.getAlgorithm().toString());
        boolean startsWith$default = StringsKt.startsWith$default(findAssertionMethodById.getId(), "#", false, 2, (Object) null);
        if (startsWith$default) {
            id = did.getUri() + findAssertionMethodById.getId();
        } else {
            if (startsWith$default) {
                throw new NoWhenBranchMatchedException();
            }
            id = findAssertionMethodById.getId();
        }
        JWSHeader build = new JWSHeader.Builder(parse).type(JOSEObjectType.JWT).keyID(id).build();
        Instant now = Instant.now();
        JWTClaimsSet build2 = new JWTClaimsSet.Builder().audience(str).issuer(did.getUri()).expirationTime(Date.from(now.plusSeconds(60L))).issueTime(Date.from(now)).jwtID(UUID.randomUUID().toString()).build();
        byte[] signingInput = new SignedJWT(build, build2).getSigningInput();
        KeyManager keyManager = did.getKeyManager();
        Intrinsics.checkNotNull(signingInput);
        return build.toBase64URL() + "." + build2.toPayload().toBase64URL() + "." + new Base64URL(new Convert(keyManager.sign(deterministicAlias, signingInput), (EncodingFormat) null, 2, (DefaultConstructorMarker) null).toBase64Url(false));
    }

    public static /* synthetic */ String generate$default(RequestToken requestToken, Did did, String str, String str2, int i, Object obj) {
        if ((i & 4) != 0) {
            str2 = null;
        }
        return requestToken.generate(did, str, str2);
    }

    @NotNull
    public final String verify(@NotNull String str, @NotNull String str2) {
        Intrinsics.checkNotNullParameter(str, "token");
        Intrinsics.checkNotNullParameter(str2, "pfiDid");
        try {
            JWTClaimsSet jWTClaimsSet = SignedJWT.parse(str).getJWTClaimsSet();
            Intrinsics.checkNotNullExpressionValue(jWTClaimsSet, "getJWTClaimsSet(...)");
            String issuer = jWTClaimsSet.getIssuer();
            List audience = jWTClaimsSet.getAudience();
            Date expirationTime = jWTClaimsSet.getExpirationTime();
            for (String str3 : requiredClaimKeys) {
                if (!jWTClaimsSet.getClaims().containsKey(str3)) {
                    throw new RequestTokenMissingClaimsException("Missing required claim for key " + str3);
                }
            }
            if (!Instant.now().isBefore(expirationTime.toInstant())) {
                throw new RequestTokenExpiredException("Request Token is expired.");
            }
            if (!audience.contains(str2)) {
                throw new RequestTokenAudMismatchException("Request token contains invalid audience. Expected aud property to be PFI DID.");
            }
            Intrinsics.checkNotNull(issuer);
            return issuer;
        } catch (Exception e) {
            throw new RequestTokenVerificationException(e, "Failed to parse request token");
        }
    }
}
