package net.shibboleth.idp.plugin.oidc.op.token.support;

import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.claims.ACR;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import java.net.URI;
import java.text.ParseException;
import java.time.Instant;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.oidc.op.token.support.TokenClaimsSet;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.security.DataSealer;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/token/support/AccessTokenClaimsSet.class */
public final class AccessTokenClaimsSet extends TokenClaimsSet {

    @NotEmpty
    @Nonnull
    protected static final String VALUE_TYPE_AT = "at";

    /* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/token/support/AccessTokenClaimsSet$Builder.class */
    public static final class Builder extends TokenClaimsSet.Builder<AccessTokenClaimsSet> {
        public Builder() {
        }

        @Deprecated(since = "3.1.0", forRemoval = true)
        public Builder(@Nonnull IdentifierGenerationStrategy identifierGenerationStrategy, @Nonnull ClientID clientID, @Nonnull String str, @Nonnull String str2, @Nonnull String str3, @Nonnull Instant instant, @Nonnull Instant instant2, @Nonnull Instant instant3, @Nonnull URI uri, @Nonnull Scope scope) {
            setJWTID(identifierGenerationStrategy);
            setClientID(clientID);
            setIssuer(str);
            setPrincipal(str2);
            setSubject(str3);
            setIssuedAt(instant);
            setExpiresAt(instant2);
            setAuthenticationTime(instant3);
            setScope(scope);
        }

        public Builder(@Nonnull TokenClaimsSet tokenClaimsSet, @Nonnull Scope scope, @Nullable ClaimsSet claimsSet, @Nullable ClaimsSet claimsSet2, @Nonnull Instant instant, @Nonnull Instant instant2) {
            this(tokenClaimsSet);
            setScope(scope);
            setDlClaims(claimsSet);
            setDlClaimsUI(claimsSet2);
            setIssuedAt(instant);
            setExpiresAt(instant2);
        }

        private Builder(@Nonnull TokenClaimsSet tokenClaimsSet) {
            setJWTID(tokenClaimsSet.getID());
            setClientID(tokenClaimsSet.getClientID());
            setIssuer(tokenClaimsSet.getClaimsSet().getIssuer());
            setPrincipal(tokenClaimsSet.getPrincipal());
            setSubject(tokenClaimsSet.getClaimsSet().getSubject());
            setACR(tokenClaimsSet.getACR() == null ? null : new ACR(tokenClaimsSet.getACR()));
            setNonce(tokenClaimsSet.getNonce());
            setNotBefore(tokenClaimsSet.getNotBefore());
            setAuthenticationTime(tokenClaimsSet.getAuthenticationTime());
            setAudience(tokenClaimsSet.getAudience());
            setClaimsRequest(tokenClaimsSet.getClaimsRequest());
            setConsentedClaims(tokenClaimsSet.getConsentedClaims());
            setConsentEnabled(Boolean.valueOf(tokenClaimsSet.isConsentEnabled()));
            setRootTokenIdentifier(tokenClaimsSet.getRootTokenIdentifier());
            setSessionIdentifier(tokenClaimsSet.getSessionIdentifier());
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // net.shibboleth.idp.plugin.oidc.op.token.support.TokenClaimsSet.Builder
        public AccessTokenClaimsSet build() {
            return new AccessTokenClaimsSet(buildJWTClaimsSet(AccessTokenClaimsSet.VALUE_TYPE_AT));
        }
    }

    @Deprecated(since = "3.1.0", forRemoval = true)
    public AccessTokenClaimsSet(@Nonnull TokenClaimsSet tokenClaimsSet, @Nonnull Scope scope, @Nullable ClaimsSet claimsSet, @Nullable ClaimsSet claimsSet2, @Nonnull Instant instant, @Nonnull Instant instant2) {
        setClaimsSet(new Builder(tokenClaimsSet, scope, claimsSet, claimsSet2, instant, instant2).buildJWTClaimsSet(VALUE_TYPE_AT));
    }

    protected AccessTokenClaimsSet(@Nonnull JWTClaimsSet jWTClaimsSet) {
        super(jWTClaimsSet);
    }

    @Nonnull
    public static AccessTokenClaimsSet parse(@NotEmpty @Nonnull String str) throws ParseException {
        JWTClaimsSet parse = JWTClaimsSet.parse(str);
        verifyParsedClaims(VALUE_TYPE_AT, parse);
        return new AccessTokenClaimsSet(parse);
    }

    @Nonnull
    public static AccessTokenClaimsSet parse(@NotEmpty @Nonnull String str, @Nonnull DataSealer dataSealer) throws ParseException, DataSealerException {
        return parse(dataSealer.unwrap(str));
    }

    @Nonnull
    public static AccessTokenClaimsSet parse(@NotEmpty @Nonnull JWT jwt, @Nonnull DataSealer dataSealer) throws ParseException, DataSealerException {
        JWTClaimsSet jWTClaimsSet = jwt.getJWTClaimsSet();
        if (jWTClaimsSet.getClaim(TokenClaimsSet.KEY_SEALED_FOR_OP) == null) {
            verifyParsedClaims(VALUE_TYPE_AT, jWTClaimsSet);
            return new AccessTokenClaimsSet(jWTClaimsSet);
        }
        Map jSONObject = jWTClaimsSet.toJSONObject();
        JWTClaimsSet parse = JWTClaimsSet.parse(dataSealer.unwrap(jWTClaimsSet.getStringClaim(TokenClaimsSet.KEY_SEALED_FOR_OP)));
        jSONObject.remove(TokenClaimsSet.KEY_SEALED_FOR_OP);
        for (Map.Entry entry : parse.getClaims().entrySet()) {
            jSONObject.put((String) entry.getKey(), entry.getValue());
        }
        JWTClaimsSet parse2 = JWTClaimsSet.parse(jSONObject);
        verifyParsedClaims(VALUE_TYPE_AT, parse2);
        return new AccessTokenClaimsSet(parse2);
    }
}
