package org.hl7.fhir.r5.elementmodel;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.util.JSONObjectUtils;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.zip.DataFormatException;
import java.util.zip.Inflater;
import org.hl7.fhir.exceptions.DefinitionException;
import org.hl7.fhir.exceptions.FHIRException;
import org.hl7.fhir.exceptions.FHIRFormatError;
import org.hl7.fhir.r5.context.IWorkerContext;
import org.hl7.fhir.r5.formats.IParser;
import org.hl7.fhir.r5.model.Subscription;
import org.hl7.fhir.utilities.FileUtilities;
import org.hl7.fhir.utilities.MarkedToMoveToAdjunctPackage;
import org.hl7.fhir.utilities.Utilities;
import org.hl7.fhir.utilities.VersionUtilities;
import org.hl7.fhir.utilities.json.model.JsonElement;
import org.hl7.fhir.utilities.json.model.JsonElementType;
import org.hl7.fhir.utilities.json.model.JsonObject;
import org.hl7.fhir.utilities.json.model.JsonPrimitive;
import org.hl7.fhir.utilities.json.model.JsonProperty;
import org.hl7.fhir.utilities.validation.ValidationMessage;

@MarkedToMoveToAdjunctPackage
/* loaded from: input_file:org/hl7/fhir/r5/elementmodel/SHCParser.class */
public class SHCParser extends ParserBase {
    private JsonParser jsonParser;
    private List<String> types;
    private static final int BUFFER_SIZE = 1024;
    public static final String CURRENT_PACKAGE = "hl7.fhir.uv.shc-vaccination#0.6.2";
    private static final int MAX_ALLOWED_SHC_LENGTH = 1195;

    /* loaded from: input_file:org/hl7/fhir/r5/elementmodel/SHCParser$JWT.class */
    public static class JWT {
        private JsonObject header;
        private JsonObject payload;
        private byte[] headerSrc;
        private byte[] payloadSrc;

        public JsonObject getHeader() {
            return this.header;
        }

        public void setHeader(JsonObject jsonObject) {
            this.header = jsonObject;
        }

        public JsonObject getPayload() {
            return this.payload;
        }

        public void setPayload(JsonObject jsonObject) {
            this.payload = jsonObject;
        }

        public byte[] getHeaderSrc() {
            return this.headerSrc;
        }

        public void setHeaderSrc(byte[] bArr) {
            this.headerSrc = bArr;
        }

        public byte[] getPayloadSrc() {
            return this.payloadSrc;
        }

        public void setPayloadSrc(byte[] bArr) {
            this.payloadSrc = bArr;
        }
    }

    /* loaded from: input_file:org/hl7/fhir/r5/elementmodel/SHCParser$SHCSignedJWT.class */
    public class SHCSignedJWT extends SignedJWT {
        private static final long serialVersionUID = 1;
        private JWTClaimsSet claimsSet;

        public SHCSignedJWT(SignedJWT signedJWT, String str) throws ParseException {
            super(signedJWT.getParsedParts()[0], signedJWT.getParsedParts()[1], signedJWT.getParsedParts()[2]);
            this.claimsSet = JWTClaimsSet.parse(JSONObjectUtils.parse(str));
        }

        public JWTClaimsSet getJWTClaimsSet() {
            return this.claimsSet;
        }
    }

    public SHCParser(IWorkerContext iWorkerContext) {
        super(iWorkerContext);
        this.types = new ArrayList();
        this.jsonParser = new JsonParser(iWorkerContext);
    }

    @Override // org.hl7.fhir.r5.elementmodel.ParserBase
    public List<ValidatedFragment> parse(InputStream inputStream) throws IOException, FHIRFormatError, DefinitionException, FHIRException {
        byte[] streamToBytes = FileUtilities.streamToBytes(inputStream);
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(streamToBytes);
        ArrayList arrayList = new ArrayList();
        ValidatedFragment validatedFragment = new ValidatedFragment("shc", "txt", streamToBytes, false);
        arrayList.add(validatedFragment);
        String trim = FileUtilities.streamToString(byteArrayInputStream).trim();
        ArrayList<String> arrayList2 = new ArrayList();
        Object obj = null;
        if (trim.startsWith("{")) {
            JsonObject parseObject = org.hl7.fhir.utilities.json.parser.JsonParser.parseObject(trim);
            if (!checkProperty(validatedFragment.getErrors(), parseObject, "$", "verifiableCredential", true, "Array")) {
                return arrayList;
            }
            obj = "verifiableCredential";
            int i = 0;
            Iterator it = parseObject.getJsonArray("verifiableCredential").iterator();
            while (it.hasNext()) {
                JsonElement jsonElement = (JsonElement) it.next();
                if (jsonElement instanceof JsonPrimitive) {
                    arrayList2.add(jsonElement.asString());
                } else {
                    logError(validatedFragment.getErrors(), ValidationMessage.NO_RULE_DATE, line(jsonElement), col(jsonElement), "$.verifiableCredential[" + i + "]", ValidationMessage.IssueType.STRUCTURE, "Wrong Property verifiableCredential in JSON Payload. Expected : String but found " + jsonElement.type().toName(), ValidationMessage.IssueSeverity.ERROR);
                }
                i++;
            }
        } else {
            arrayList2.add(trim);
        }
        int i2 = 0;
        for (String str : arrayList2) {
            String str2 = obj == null ? "" : obj + "[" + Integer.toString(i2) + "].";
            i2++;
            try {
                JWT decodeJWT = decodeJWT(validatedFragment.getErrors(), str);
                ValidatedFragment validatedFragment2 = new ValidatedFragment(Subscription.SP_PAYLOAD, "json", decodeJWT.payloadSrc, true);
                arrayList.add(validatedFragment2);
                checkNamedProperties(validatedFragment.getErrors(), decodeJWT.getPayload(), str2 + "payload", "iss", "nbf", "vc");
                checkProperty(validatedFragment.getErrors(), decodeJWT.getPayload(), str2 + "payload", "iss", true, "String");
                checkProperty(validatedFragment.getErrors(), decodeJWT.getPayload(), str2 + "payload", "nbf", true, "Number");
                JsonObject jsonObject = decodeJWT.getPayload().getJsonObject("vc");
                if (jsonObject == null) {
                    logError(validatedFragment.getErrors(), ValidationMessage.NO_RULE_DATE, 1, 1, "JWT", ValidationMessage.IssueType.STRUCTURE, "Unable to find property 'vc' in the payload", ValidationMessage.IssueSeverity.ERROR);
                    return arrayList;
                }
                String str3 = str2 + "payload.vc";
                checkNamedProperties(validatedFragment.getErrors(), jsonObject, str3, "type", "credentialSubject");
                if (!checkProperty(validatedFragment.getErrors(), jsonObject, str3, "type", true, "Array")) {
                    return arrayList;
                }
                int i3 = 0;
                Iterator it2 = jsonObject.getJsonArray("type").iterator();
                while (it2.hasNext()) {
                    JsonElement jsonElement2 = (JsonElement) it2.next();
                    if (jsonElement2.type() != JsonElementType.STRING) {
                        logError(validatedFragment.getErrors(), ValidationMessage.NO_RULE_DATE, line(jsonElement2), col(jsonElement2), str3 + ".type[" + i3 + "]", ValidationMessage.IssueType.STRUCTURE, "Wrong Property Type in JSON Payload. Expected : String but found " + jsonElement2.type().toName(), ValidationMessage.IssueSeverity.ERROR);
                    } else {
                        this.types.add(jsonElement2.asString());
                    }
                    i3++;
                }
                if (!this.types.contains("https://smarthealth.cards#health-card")) {
                    logError(validatedFragment.getErrors(), ValidationMessage.NO_RULE_DATE, line(jsonObject), col(jsonObject), str3, ValidationMessage.IssueType.STRUCTURE, "Card does not claim to be of type https://smarthealth.cards#health-card, cannot validate", ValidationMessage.IssueSeverity.ERROR);
                    return arrayList;
                }
                if (!checkProperty(validatedFragment.getErrors(), jsonObject, str3, "credentialSubject", true, "Object")) {
                    return arrayList;
                }
                JsonObject jsonObject2 = jsonObject.getJsonObject("credentialSubject");
                String str4 = str3 + ".credentialSubject";
                if (!checkProperty(validatedFragment.getErrors(), jsonObject2, str4, "fhirVersion", true, "String")) {
                    return arrayList;
                }
                JsonElement jsonElement3 = jsonObject2.get("fhirVersion");
                if (!VersionUtilities.versionsCompatible(this.context.getVersion(), jsonElement3.asString())) {
                    logError(validatedFragment.getErrors(), ValidationMessage.NO_RULE_DATE, line(jsonElement3), col(jsonElement3), str4 + ".fhirVersion", ValidationMessage.IssueType.STRUCTURE, "Card claims to be of version " + jsonElement3.asString() + ", cannot be validated against version " + this.context.getVersion(), ValidationMessage.IssueSeverity.ERROR);
                    return arrayList;
                }
                if (!checkProperty(validatedFragment.getErrors(), jsonObject2, str4, "fhirBundle", true, "Object")) {
                    return arrayList;
                }
                validatedFragment2.setElement(this.jsonParser.parse(validatedFragment2.getErrors(), jsonObject2.getJsonObject("fhirBundle"), str4));
                validatedFragment2.setElementPath(str4);
            } catch (Exception e) {
                logError(validatedFragment.getErrors(), ValidationMessage.NO_RULE_DATE, 1, 1, str2 + "JWT", ValidationMessage.IssueType.INVALID, "Unable to decode JWT token", ValidationMessage.IssueSeverity.ERROR);
                return arrayList;
            }
        }
        return arrayList;
    }

    @Override // org.hl7.fhir.r5.elementmodel.ParserBase
    public String getImpliedProfile() {
        if (this.types.contains("https://smarthealth.cards#covid19") && this.types.contains("https://smarthealth.cards#immunization")) {
            return "http://hl7.org/fhir/uv/shc-vaccination/StructureDefinition/shc-vaccination-bundle-dm";
        }
        if (this.types.contains("https://smarthealth.cards#covid19") && this.types.contains("https://smarthealth.cards#laboratory")) {
            return "http://hl7.org/fhir/uv/shc-vaccination/StructureDefinition/shc-covid19-laboratory-bundle-dm";
        }
        if (this.types.contains("https://smarthealth.cards#laboratory")) {
            return "http://hl7.org/fhir/uv/shc-vaccination/StructureDefinition/shc-infectious-disease-laboratory-bundle-dm";
        }
        return null;
    }

    private boolean checkProperty(List<ValidationMessage> list, JsonObject jsonObject, String str, String str2, boolean z, String str3) {
        JsonElement jsonElement = jsonObject.get(str2);
        if (jsonElement == null) {
            if (!z) {
                return true;
            }
            logError(list, ValidationMessage.NO_RULE_DATE, line(jsonObject), col(jsonObject), str, ValidationMessage.IssueType.STRUCTURE, "Missing Property in JSON Payload: " + str2, ValidationMessage.IssueSeverity.ERROR);
            return false;
        }
        String name = jsonElement.type().toName();
        if (str3.equals(name)) {
            return true;
        }
        logError(list, ValidationMessage.NO_RULE_DATE, line(jsonElement), col(jsonElement), str + "." + str2, ValidationMessage.IssueType.STRUCTURE, "Wrong Property Type in JSON Payload. Expected : " + str3 + " but found " + name, ValidationMessage.IssueSeverity.ERROR);
        return false;
    }

    private void checkNamedProperties(List<ValidationMessage> list, JsonObject jsonObject, String str, String... strArr) {
        for (JsonProperty jsonProperty : jsonObject.getProperties()) {
            if (!Utilities.existsInList(jsonProperty.getName(), strArr)) {
                logError(list, ValidationMessage.NO_RULE_DATE, line(jsonProperty.getValue()), col(jsonProperty.getValue()), str + "." + jsonProperty.getName(), ValidationMessage.IssueType.STRUCTURE, "Unknown Property in JSON Payload", ValidationMessage.IssueSeverity.WARNING);
            }
        }
    }

    private int line(JsonElement jsonElement) {
        return jsonElement.getStart().getLine();
    }

    private int col(JsonElement jsonElement) {
        return jsonElement.getStart().getCol();
    }

    @Override // org.hl7.fhir.r5.elementmodel.ParserBase
    public void compose(Element element, OutputStream outputStream, IParser.OutputStyle outputStyle, String str) throws FHIRException, IOException {
        throw new FHIRFormatError("Writing resources is not supported for the SHC format");
    }

    public static String decodeQRCode(String str) {
        StringBuilder sb = new StringBuilder();
        if (!str.startsWith("shc:/")) {
            throw new FHIRException("Unable to process smart health card (didn't start with shc:/)");
        }
        int i = 5;
        while (true) {
            int i2 = i;
            if (i2 >= str.length()) {
                return sb.toString();
            }
            sb.append((char) (45 + Byte.parseByte(str.substring(i2, i2 + 2))));
            i = i2 + 2;
        }
    }

    public JWT decodeJWT(List<ValidationMessage> list, String str) throws IOException, DataFormatException {
        if (str.startsWith("shc:/")) {
            str = decodeQRCode(str);
        }
        if (str.length() > MAX_ALLOWED_SHC_LENGTH) {
            logError(list, ValidationMessage.NO_RULE_DATE, -1, -1, "jwt", ValidationMessage.IssueType.TOOLONG, "JWT Payload limit length is 1195 bytes for a single image - this has " + str.length() + " bytes", ValidationMessage.IssueSeverity.ERROR);
        }
        String[] splitToken = splitToken(str);
        try {
            byte[] decode = Base64.getUrlDecoder().decode(splitToken[0]);
            byte[] decode2 = Base64.getUrlDecoder().decode(splitToken[1]);
            JWT jwt = new JWT();
            jwt.setHeaderSrc(decode);
            jwt.header = org.hl7.fhir.utilities.json.parser.JsonParser.parseObject(decode);
            if ("DEF".equals(jwt.header.asString("zip"))) {
                decode2 = inflate(decode2);
            }
            jwt.setPayloadSrc(decode2);
            jwt.payload = org.hl7.fhir.utilities.json.parser.JsonParser.parseObject(FileUtilities.bytesToString(decode2), true);
            checkSignature(str, jwt, list, "jwt", org.hl7.fhir.utilities.json.parser.JsonParser.compose(jwt.payload));
            return jwt;
        } catch (IllegalArgumentException e) {
            throw new FHIRException("The input is not a valid base 64 encoded string.", e);
        } catch (NullPointerException e2) {
            throw new FHIRException("The UTF-8 Charset isn't initialized.", e2);
        }
    }

    private void checkSignature(String str, JWT jwt, List<ValidationMessage> list, String str2, String str3) {
        String asString = jwt.payload.asString("iss");
        if (asString != null) {
            if (!asString.startsWith("https://")) {
                logError(list, "2023-09-08", 1, 1, str2, ValidationMessage.IssueType.NOTFOUND, "JWT iss '" + asString + "' must start with https://", ValidationMessage.IssueSeverity.ERROR);
            }
            if (asString.endsWith("/")) {
                logError(list, "2023-09-08", 1, 1, str2, ValidationMessage.IssueType.NOTFOUND, "JWT iss '" + asString + "' must not have trailing /", ValidationMessage.IssueSeverity.ERROR);
                asString = asString.substring(0, asString.length() - 1);
            }
            String pathURL = Utilities.pathURL(new String[]{asString, "/.well-known/jwks.json"});
            JsonObject jsonObject = null;
            try {
                jsonObject = this.signatureServices != null ? this.signatureServices.fetchJWKS(pathURL) : org.hl7.fhir.utilities.json.parser.JsonParser.parseObjectFromUrl(pathURL);
            } catch (Exception e) {
                logError(list, "2023-09-08", 1, 1, str2, ValidationMessage.IssueType.NOTFOUND, "Unable to verify the signature, because unable to retrieve JWKS from " + pathURL + ": " + e.getMessage().replace("Connection refused (Connection refused)", "Connection refused"), ValidationMessage.IssueSeverity.ERROR);
            }
            if (jsonObject != null) {
                verifySignature(str, list, str2, asString, pathURL, org.hl7.fhir.utilities.json.parser.JsonParser.compose(jsonObject));
            }
        }
    }

    private void verifySignature(String str, List<ValidationMessage> list, String str2, String str3, String str4, String str5) {
        try {
            JWSObject parse = JWSObject.parse(str);
            JWSHeader header = parse.getHeader();
            validateHeader(header);
            String asString = org.hl7.fhir.utilities.json.parser.JsonParser.parseObject(decompress(parse.getPayload().toBytes())).asString("iss");
            if (parse.verify(new ECDSAVerifier(JWKSet.parse(str5).getKeyByKeyId(header.getKeyID())))) {
                String vCIIssuer = getVCIIssuer(list, asString);
                if (vCIIssuer == null) {
                    logError(list, "2023-09-08", 1, 1, str2, ValidationMessage.IssueType.BUSINESSRULE, "The signature is valid, but the issuer " + asString + " is not a trusted issuer", ValidationMessage.IssueSeverity.WARNING);
                } else {
                    logError(list, "2023-09-08", 1, 1, str2, ValidationMessage.IssueType.INFORMATIONAL, "The signature is valid, signed by the trusted issuer '" + vCIIssuer + "' (" + asString + ")", ValidationMessage.IssueSeverity.INFORMATION);
                }
            } else {
                logError(list, "2023-09-08", 1, 1, str2, ValidationMessage.IssueType.BUSINESSRULE, "The signature is not valid", ValidationMessage.IssueSeverity.ERROR);
            }
        } catch (Exception e) {
            logError(list, "2023-09-08", 1, 1, str2, ValidationMessage.IssueType.NOTFOUND, "Error validating signature: " + e.getMessage(), ValidationMessage.IssueSeverity.ERROR);
        }
    }

    private static void validateHeader(JWSHeader jWSHeader) {
        if (!"ES256".equals(jWSHeader.getAlgorithm().getName())) {
            throw new IllegalArgumentException("Invalid alg in JWS header. Expected ES256.");
        }
        if (!jWSHeader.getCustomParam("zip").equals("DEF")) {
            throw new IllegalArgumentException("Invalid zip in JWS header. Expected DEF.");
        }
    }

    private static String decompress(byte[] bArr) throws Exception {
        Inflater inflater = new Inflater(true);
        inflater.setInput(bArr);
        byte[] bArr2 = new byte[BUFFER_SIZE];
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(bArr.length);
        while (!inflater.finished()) {
            try {
                byteArrayOutputStream.write(bArr2, 0, inflater.inflate(bArr2));
            } catch (Throwable th) {
                try {
                    byteArrayOutputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }
        String byteArrayOutputStream2 = byteArrayOutputStream.toString(StandardCharsets.UTF_8.name());
        byteArrayOutputStream.close();
        return byteArrayOutputStream2;
    }

    private String getVCIIssuer(List<ValidationMessage> list, String str) {
        try {
            for (JsonObject jsonObject : org.hl7.fhir.utilities.json.parser.JsonParser.parseObjectFromUrl("https://raw.githubusercontent.com/the-commons-project/vci-directory/main/vci-issuers.json").getJsonObjects("participating_issuers")) {
                if (str.equals(jsonObject.asString("iss"))) {
                    return jsonObject.asString("name");
                }
            }
            return null;
        } catch (Exception e) {
            logError(list, "2023-09-08", 1, 1, "vci", ValidationMessage.IssueType.NOTFOUND, "Unable to retrieve/read VCI Trusted Issuer list: " + e.getMessage(), ValidationMessage.IssueSeverity.WARNING);
            return null;
        }
    }

    static String[] splitToken(String str) {
        String[] split = str.split("\\.");
        if (split.length == 2 && str.endsWith(".")) {
            split = new String[]{split[0], split[1], ""};
        }
        if (split.length != 3) {
            throw new FHIRException(String.format("The token was expected to have 3 parts, but got %s.", Integer.valueOf(split.length)));
        }
        return split;
    }

    public static final byte[] inflate(byte[] bArr) throws IOException, DataFormatException {
        Inflater inflater = new Inflater(true);
        inflater.setInput(bArr);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(bArr.length);
        try {
            byte[] bArr2 = new byte[BUFFER_SIZE];
            while (!inflater.finished()) {
                byteArrayOutputStream.write(bArr2, 0, inflater.inflate(bArr2));
            }
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            byteArrayOutputStream.close();
            return byteArray;
        } catch (Throwable th) {
            try {
                byteArrayOutputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }
}
