package dev.paseto.jpaseto.impl;

import dev.paseto.jpaseto.ExpiredPasetoException;
import dev.paseto.jpaseto.FooterClaims;
import dev.paseto.jpaseto.IncorrectClaimException;
import dev.paseto.jpaseto.KeyResolver;
import dev.paseto.jpaseto.MissingClaimException;
import dev.paseto.jpaseto.Paseto;
import dev.paseto.jpaseto.PasetoParser;
import dev.paseto.jpaseto.PasetoSignatureException;
import dev.paseto.jpaseto.PrematurePasetoException;
import dev.paseto.jpaseto.Purpose;
import dev.paseto.jpaseto.UnsupportedPasetoException;
import dev.paseto.jpaseto.Version;
import dev.paseto.jpaseto.io.Deserializer;
import dev.paseto.jpaseto.lang.Assert;
import dev.paseto.jpaseto.lang.DateFormats;
import dev.paseto.jpaseto.lang.DescribedPredicate;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.function.Predicate;
import javax.crypto.SecretKey;

/* loaded from: input_file:dev/paseto/jpaseto/impl/DefaultPasetoParser.class */
class DefaultPasetoParser implements PasetoParser {
    private final KeyResolver keyResolver;
    private final Deserializer<Map<String, Object>> deserializer;
    private final Clock clock;
    private final Duration allowedClockSkew;
    private final Map<String, Predicate<Object>> userExpectedClaimsMap;
    private final Map<String, Predicate<Object>> userExpectedFooterClaimsMap;

    /* JADX INFO: Access modifiers changed from: package-private */
    public DefaultPasetoParser(KeyResolver keyResolver, Deserializer<Map<String, Object>> deserializer, Clock clock, Duration duration, Map<String, Predicate<Object>> map, Map<String, Predicate<Object>> map2) {
        this.keyResolver = keyResolver;
        this.deserializer = deserializer;
        this.clock = clock;
        this.allowedClockSkew = duration;
        this.userExpectedClaimsMap = Collections.unmodifiableMap(map);
        this.userExpectedFooterClaimsMap = Collections.unmodifiableMap(map2);
    }

    public Paseto parse(String str) {
        Paseto v1Public;
        Assert.hasText(str, "Paseto token cannot be null or empty");
        String[] split = str.split("\\.");
        Assert.isTrue(split.length == 3 || split.length == 4, "Paseto token expected to have 3 or 4 parts.");
        Version from = Version.from(split[0]);
        Purpose from2 = Purpose.from(split[1]);
        byte[] decode = Base64.getUrlDecoder().decode(split[2].getBytes(StandardCharsets.UTF_8));
        byte[] decode2 = split.length == 4 ? Base64.getUrlDecoder().decode(split[3].getBytes(StandardCharsets.UTF_8)) : new byte[0];
        if (from == Version.V2 && from2 == Purpose.LOCAL) {
            v1Public = v2Local(decode, decode2);
        } else if (from == Version.V2 && from2 == Purpose.PUBLIC) {
            v1Public = v2Public(decode, decode2);
        } else if (from == Version.V1 && from2 == Purpose.LOCAL) {
            v1Public = v1Local(decode, decode2);
        } else {
            if (from != Version.V1 || from2 != Purpose.PUBLIC) {
                throw new UnsupportedPasetoException("Paseto token with header: '" + from.toString() + "." + from2.toString() + ".' is not supported.");
            }
            v1Public = v1Public(decode, decode2);
        }
        verifyExpiration(v1Public);
        verifyNotBefore(v1Public);
        validateExpectedClaims(v1Public);
        validateExpectedFooterClaims(v1Public);
        return v1Public;
    }

    private Paseto v2Local(byte[] bArr, byte[] bArr2) {
        FooterClaims footer = toFooter(bArr2);
        SecretKey resolveSharedKey = this.keyResolver.resolveSharedKey(Version.V2, Purpose.LOCAL, footer);
        Assert.notNull(resolveSharedKey, "A shared secret could not be resolved.  A shared secret must be configured in 'Pasetos.parserBuilder().setSharedSecret(...)' or Pasetos.parserBuilder().setKeyResolver(...)");
        return new DefaultPaseto(Version.V2, Purpose.LOCAL, new DefaultClaims((Map) this.deserializer.deserialize(CryptoProviders.v2LocalCryptoProvider().decrypt(bArr, bArr2, resolveSharedKey))), footer);
    }

    private Paseto v1Public(byte[] bArr, byte[] bArr2) {
        FooterClaims footer = toFooter(bArr2);
        byte[] copyOf = Arrays.copyOf(bArr, bArr.length - 256);
        byte[] copyOfRange = Arrays.copyOfRange(bArr, bArr.length - 256, bArr.length);
        PublicKey resolvePublicKey = this.keyResolver.resolvePublicKey(Version.V1, Purpose.PUBLIC, footer);
        Assert.notNull(resolvePublicKey, "A public key could not be resolved.  A public key must be configured in 'Pasetos.parserBuilder().setPublicKey(...)' or Pasetos.parserBuilder().setKeyResolver(...)");
        if (!CryptoProviders.v1PublicCryptoProvider().verify(copyOf, bArr2, copyOfRange, resolvePublicKey)) {
            throw new PasetoSignatureException("Signature could not be validated in paseto token.");
        }
        return new DefaultPaseto(Version.V1, Purpose.PUBLIC, new DefaultClaims((Map) this.deserializer.deserialize(copyOf)), footer);
    }

    private Paseto v1Local(byte[] bArr, byte[] bArr2) {
        FooterClaims footer = toFooter(bArr2);
        SecretKey resolveSharedKey = this.keyResolver.resolveSharedKey(Version.V1, Purpose.LOCAL, footer);
        Assert.notNull(resolveSharedKey, "A shared secret could not be resolved.  A shared secret must be configured in 'Pasetos.parserBuilder().setSharedSecret(...)' or Pasetos.parserBuilder().setKeyResolver(...)");
        return new DefaultPaseto(Version.V1, Purpose.LOCAL, new DefaultClaims((Map) this.deserializer.deserialize(CryptoProviders.v1LocalCryptoProvider().decrypt(bArr, bArr2, Arrays.copyOf(bArr, 32), resolveSharedKey))), footer);
    }

    private Paseto v2Public(byte[] bArr, byte[] bArr2) {
        FooterClaims footer = toFooter(bArr2);
        byte[] copyOf = Arrays.copyOf(bArr, bArr.length - 64);
        byte[] copyOfRange = Arrays.copyOfRange(bArr, bArr.length - 64, bArr.length);
        PublicKey resolvePublicKey = this.keyResolver.resolvePublicKey(Version.V2, Purpose.PUBLIC, footer);
        Assert.notNull(resolvePublicKey, "A public key could not be resolved.  A public key must be configured in 'Pasetos.parserBuilder().setPublicKey(...)' or Pasetos.parserBuilder().setKeyResolver(...)");
        if (!CryptoProviders.v2PublicCryptoProvider().verify(copyOf, bArr2, copyOfRange, resolvePublicKey)) {
            throw new PasetoSignatureException("Signature could not be validated in paseto token.");
        }
        return new DefaultPaseto(Version.V2, Purpose.PUBLIC, new DefaultClaims((Map) this.deserializer.deserialize(copyOf)), footer);
    }

    private FooterClaims toFooter(byte[] bArr) {
        return bArr.length != 0 ? (bArr[0] == 123 && bArr[bArr.length - 1] == 125) ? new DefaultFooterClaims((Map<String, Object>) this.deserializer.deserialize(bArr)) : new DefaultFooterClaims(new String(bArr, StandardCharsets.UTF_8)) : new DefaultFooterClaims("");
    }

    private void verifyNotBefore(Paseto paseto) {
        Instant instant = this.clock.instant();
        Instant notBefore = paseto.getClaims().getNotBefore();
        if (notBefore != null) {
            Instant plus = instant.plus((TemporalAmount) this.allowedClockSkew);
            if (plus.isBefore(notBefore)) {
                throw new PrematurePasetoException(paseto, "JWT must not be accepted before " + DateFormats.formatIso8601(notBefore) + ". Current time: " + DateFormats.formatIso8601(instant) + ", a difference of " + Duration.between(notBefore, plus) + ".  Allowed clock skew: " + this.allowedClockSkew + ".");
            }
        }
    }

    private void verifyExpiration(Paseto paseto) {
        Instant instant = this.clock.instant();
        Instant expiration = paseto.getClaims().getExpiration();
        if (expiration != null) {
            Instant minus = instant.minus((TemporalAmount) this.allowedClockSkew);
            if (minus.isAfter(expiration)) {
                throw new ExpiredPasetoException(paseto, "Paseto expired at " + DateFormats.formatIso8601(expiration) + ". Current time: " + DateFormats.formatIso8601(instant) + ", a difference of " + Duration.between(minus, expiration) + ".  Allowed clock skew: " + this.allowedClockSkew + ".");
            }
        }
    }

    private void validateExpectedClaims(Paseto paseto) {
        validateExpected(paseto, paseto.getClaims(), this.userExpectedClaimsMap);
    }

    private void validateExpectedFooterClaims(Paseto paseto) {
        validateExpected(paseto, paseto.getFooter(), this.userExpectedFooterClaimsMap);
    }

    private void validateExpected(Paseto paseto, Map<String, Object> map, Map<String, Predicate<Object>> map2) {
        map2.forEach((str, predicate) -> {
            Object normalize = normalize(map.get(str));
            MissingClaimException missingClaimException = null;
            String description = predicate instanceof DescribedPredicate ? ((DescribedPredicate) predicate).getDescription() : "<unnamed predicate>";
            if (normalize == null) {
                missingClaimException = new MissingClaimException(paseto, str, description, String.format("Expected '%s' claim to be %s, but was not present in the paseto claims.", str, description));
            } else if (!predicate.test(normalize)) {
                missingClaimException = new IncorrectClaimException(paseto, str, description, String.format("Expected '%s' claim to be %s, but was: '%s'.", str, description, normalize));
            }
            if (missingClaimException != null) {
                throw missingClaimException;
            }
        });
    }

    private static Object normalize(Object obj) {
        if (obj instanceof Integer) {
            obj = Long.valueOf(((Integer) obj).longValue());
        }
        return obj;
    }
}
