package io.nixer.nixerplugin.stigma.token.read;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import io.nixer.nixerplugin.stigma.crypto.DecrypterFactory;
import io.nixer.nixerplugin.stigma.token.read.DecryptedToken;
import javax.annotation.Nonnull;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:io/nixer/nixerplugin/stigma/token/read/TokenDecrypter.class */
public class TokenDecrypter {

    @Nonnull
    private final DecrypterFactory decrypterFactory;

    public TokenDecrypter(@Nonnull DecrypterFactory decrypterFactory) {
        Assert.notNull(decrypterFactory, "decrypterFactory must not be null");
        this.decrypterFactory = decrypterFactory;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Nonnull
    public DecryptedToken decrypt(@Nonnull JWT jwt) {
        Assert.notNull(jwt, "JWT must not be null");
        if (!(jwt instanceof EncryptedJWT)) {
            return DecryptedToken.invalid(DecryptedToken.DecryptionStatus.NOT_ENCRYPTED, String.format("Expected EncryptedJWT, but got [%s]", jwt.getClass()));
        }
        EncryptedJWT encryptedJWT = (EncryptedJWT) jwt;
        JWEHeader header = encryptedJWT.getHeader();
        if (!this.decrypterFactory.getAlgorithm().equals(header.getAlgorithm())) {
            return DecryptedToken.invalid(DecryptedToken.DecryptionStatus.WRONG_ALG, String.format("Invalid encryption algorithm. Expected [%s] but got [%s]", this.decrypterFactory.getAlgorithm(), header.getAlgorithm()));
        }
        if (!this.decrypterFactory.getEncryptionMethod().equals(header.getEncryptionMethod())) {
            return DecryptedToken.invalid(DecryptedToken.DecryptionStatus.WRONG_ENC, String.format("Invalid encryption method. Expected [%s] but got [%s]", this.decrypterFactory.getEncryptionMethod(), header.getEncryptionMethod()));
        }
        if (!StringUtils.hasText(header.getKeyID())) {
            return DecryptedToken.invalid(DecryptedToken.DecryptionStatus.MISSING_KEY_ID, "Missing key ID (kid).");
        }
        try {
            encryptedJWT.decrypt(this.decrypterFactory.decrypter(header));
            return DecryptedToken.valid(encryptedJWT);
        } catch (JOSEException e) {
            return DecryptedToken.invalid(DecryptedToken.DecryptionStatus.DECRYPTION_ERROR, String.format("Decryption error: [%s]", e.getMessage()));
        }
    }
}
