package de.lhns.jwt;

import cats.Monad;
import cats.Monad$;
import cats.NotNull$;
import cats.syntax.EitherObjectOps$;
import cats.syntax.EitherOps$;
import cats.syntax.EitherSyntax$CatchOnlyPartiallyApplied$;
import cats.syntax.package$all$;
import de.lhns.jwt.Jwt;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import scala.Function1;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Some;
import scala.reflect.ClassTag$;
import scala.runtime.BoxedUnit;
import scala.util.Either;
import scala.util.Left;
import scala.util.Right;

/* compiled from: JwtCertPath.scala */
/* loaded from: input_file:de/lhns/jwt/JwtCertPath$.class */
/**
 * Decompiled singleton (see {@link #MODULE$}) with helpers that tie JWT signing and
 * verification to an X.509 certification path carried in the token header.
 *
 * <p>Security summary of what this class does and does not check:
 * <ul>
 *   <li>The certification path is read from the token's own header, so it is untrusted input
 *       until PKIX validation against the supplied {@link KeyStore} succeeds.</li>
 *   <li>The default parameter customizer disables revocation checking.</li>
 *   <li>No subject, issuer or key-usage constraint is applied in this class; anything of that
 *       kind has to come from the {@code PKIXParameters} customizer or from the contents of
 *       the key store passed in by the caller.</li>
 * </ul>
 */
public final class JwtCertPath$ {
    public static final JwtCertPath$ MODULE$ = new JwtCertPath$();
    // Default PKIXParameters customizer. It turns revocation checking OFF, whereas a freshly
    // constructed PKIXParameters has it enabled. With this default, a certificate that its
    // issuer has revoked still passes path validation. Callers that need revocation must pass
    // their own customizer and configure a CRL/OCSP source.
    private static final Function1<PKIXParameters, BoxedUnit> defaultPkixParameters = pKIXParameters -> {
        pKIXParameters.setRevocationEnabled(false);
        return BoxedUnit.UNIT;
    };

    /**
     * Builds a verifier that validates the certification path found in the token header and
     * then delegates signature verification to a verifier created from the validated key.
     *
     * <p>Outcomes, as visible in the body:
     * <ul>
     *   <li>path present and valid: {@code function1} is applied to the public key returned by
     *       the PKIX result, and the resulting verifier verifies the token;</li>
     *   <li>path present but invalid: the {@link CertPathValidatorException} is returned as a
     *       {@code Left} lifted into {@code F};</li>
     *   <li>no path in the header: an {@link IllegalArgumentException} is returned as a
     *       {@code Left} lifted into {@code F}.</li>
     * </ul>
     *
     * <p>NOTE(review): any certificate that chains to an entry of {@code keyStore} is accepted
     * here. Nothing in this method binds the certificate to an expected subject or issuer, so
     * the key store should contain only the CAs meant to vouch for token signers, or
     * {@code function12} should add constraints.
     *
     * @param keyStore   source of PKIX trust anchors, passed to {@code new PKIXParameters(keyStore)}
     * @param function1  creates the signature verifier from the validated certificate's public key
     * @param function12 customizer applied to the {@link PKIXParameters} before validation
     * @param monad      {@code Monad} instance for {@code F}, used to lift the error results
     * @return a verifier that requires a valid certification path in the token header
     */
    public <F> JwtVerifier<F> verifier(KeyStore keyStore, Function1<PublicKey, JwtVerifier<F>> function1, Function1<PKIXParameters, BoxedUnit> function12, Monad<F> monad) {
        return JwtVerifier$.MODULE$.apply(signedJwt -> {
            // z / some look like decompiler artifacts of a Scala pattern match on `map`.
            boolean z = false;
            Some some = null;
            // The chain comes from the token header, i.e. it is supplied by whoever produced
            // the token. It is only trusted after validateCertPath returns a Right.
            Option map = signedJwt.header().x509CertificateChain().map(certPath -> {
                return MODULE$.validateCertPath(certPath, keyStore, function12);
            });
            if (map instanceof Some) {
                z = true;
                some = (Some) map;
                Right right = (Either) some.value();
                if (right instanceof Right) {
                    // Validation succeeded: verify the token with the key taken from the
                    // PKIX result, never with a key chosen independently of the chain.
                    return ((JwtVerifier) function1.apply(((PKIXCertPathValidatorResult) right.value()).getPublicKey())).verify(signedJwt);
                }
            }
            if (z) {
                Left left = (Either) some.value();
                if (left instanceof Left) {
                    // Validation failed: surface the validator's exception, do not verify.
                    return Monad$.MODULE$.apply(monad).pure(new Left((CertPathValidatorException) left.value()));
                }
            }
            if (None$.MODULE$.equals(map)) {
                // Fail closed when the header carries no chain. (x5c is a JOSE header
                // parameter; the message text calls it a claim.)
                return Monad$.MODULE$.apply(monad).pure(new Left(new IllegalArgumentException("x5c claim required for cert validation")));
            }
            // Reached only if `map` is neither Some(Right), Some(Left) nor None.
            throw new MatchError(map);
        }, monad);
    }

    /**
     * Default value for the third parameter of {@code verifier}; the {@code $default$3} name
     * follows Scala's encoding of default arguments.
     *
     * @return the default customizer, which disables revocation checking
     */
    public <F> Function1<PKIXParameters, BoxedUnit> verifier$default$3() {
        return defaultPkixParameters();
    }

    /**
     * Wraps a signer so that every token it signs carries {@code certPath} in its header.
     *
     * <p>NOTE(review): nothing visible here checks that the key used by {@code jwtSigner}
     * corresponds to the end-entity certificate of {@code certPath}; that pairing is the
     * caller's responsibility.
     *
     * @param certPath  certification path to place in the header's X.509 certificate chain
     * @param jwtSigner signer that receives the token with the modified header
     * @return a signer that sets the certificate chain and then delegates to {@code jwtSigner}
     */
    public <F> JwtSigner<F> signer(CertPath certPath, JwtSigner<F> jwtSigner) {
        return JwtSigner$.MODULE$.apply(jwt -> {
            return jwtSigner.sign(jwt.modifyHeader(jwtHeader -> {
                return (Jwt.JwtHeader) jwtHeader.withX509CertificateChain(new Some(certPath));
            }));
        });
    }

    /**
     * Returns the default {@link PKIXParameters} customizer.
     *
     * @return a function that calls {@code setRevocationEnabled(false)} on its argument
     */
    public Function1<PKIXParameters, BoxedUnit> defaultPkixParameters() {
        return defaultPkixParameters;
    }

    /**
     * Runs PKIX validation of {@code certPath} against the trust anchors in {@code keyStore}.
     *
     * <p>Only two exception types are converted into a {@code Left}:
     * {@link InvalidAlgorithmParameterException} from the {@code PKIXParameters} constructor,
     * wrapped in a {@link CertPathValidatorException}, and {@link CertPathValidatorException}
     * from {@code validate}. Any other exception, including one thrown by
     * {@code CertPathValidator.getInstance}, by the constructor, or by {@code function1},
     * is not caught in this method.
     *
     * @param certPath  path to validate
     * @param keyStore  key store whose trusted certificate entries serve as trust anchors
     * @param function1 customizer applied to the parameters before validation; it can weaken
     *                  as well as strengthen the checks
     * @return {@code Right} with the validator result, or {@code Left} with the failure
     */
    /* JADX INFO: Access modifiers changed from: private */
    public Either<CertPathValidatorException, PKIXCertPathValidatorResult> validateCertPath(CertPath certPath, KeyStore keyStore, Function1<PKIXParameters, BoxedUnit> function1) {
        CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
        // Step 1: build the parameters. The JDK constructor rejects a key store without any
        // trusted certificate entry, so an empty trust store yields a Left, not "accept all".
        return EitherOps$.MODULE$.leftMap$extension(package$all$.MODULE$.catsSyntaxEither(EitherSyntax$CatchOnlyPartiallyApplied$.MODULE$.apply$extension(EitherObjectOps$.MODULE$.catchOnly$extension(package$all$.MODULE$.catsSyntaxEitherObject(scala.package$.MODULE$.Either())), () -> {
            return new PKIXParameters(keyStore);
        }, ClassTag$.MODULE$.apply(InvalidAlgorithmParameterException.class), NotNull$.MODULE$.catsNotNullForA())), invalidAlgorithmParameterException -> {
            return new CertPathValidatorException(invalidAlgorithmParameterException);
        }).flatMap(pKIXParameters -> {
            // Step 2: let the caller-supplied customizer adjust the parameters (the default
            // one disables revocation checking), then validate the path.
            function1.apply(pKIXParameters);
            return EitherSyntax$CatchOnlyPartiallyApplied$.MODULE$.apply$extension(EitherObjectOps$.MODULE$.catchOnly$extension(package$all$.MODULE$.catsSyntaxEitherObject(scala.package$.MODULE$.Either())), () -> {
                return (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, pKIXParameters);
            }, ClassTag$.MODULE$.apply(CertPathValidatorException.class), NotNull$.MODULE$.catsNotNullForA());
        });
    }

    /**
     * Default value for the third parameter of {@code validateCertPath}.
     *
     * @return the default customizer, which disables revocation checking
     */
    private Function1<PKIXParameters, BoxedUnit> validateCertPath$default$3() {
        return defaultPkixParameters();
    }

    // Private constructor: the only instance is MODULE$.
    private JwtCertPath$() {
    }
}
