package com.nimbusds.oauth2.sdk.jarm;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWEDecryptionKeySelector;
import com.nimbusds.jose.proc.JWEKeySelector;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.ClockSkewAware;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.client.ClientInformation;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.validators.AbstractJWTValidator;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import net.jcip.annotations.ThreadSafe;

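/**
 * Validator of JWT Secured Authorization Response Mode (JARM) authorization
 * response JWTs.
 *
 * <p>A response JWT is verified with the configured JWS key selector (and
 * decrypted first with the JWE key selector, when one is configured) by a
 * {@link DefaultJWTProcessor}, and its claims are then checked by a
 * {@link JARMClaimsVerifier} against the expected issuer, the client ID and
 * the maximum accepted clock skew. Plain (unsecured) JWTs are always
 * rejected, and an encrypted JWT can only be validated when a JWS key
 * selector is configured as well.
 *
 * <p>Thread-safe.
 */
@ThreadSafe
/* loaded from: input_file:WEB-INF/lib/oauth2-oidc-sdk-9.4.jar:com/nimbusds/oauth2/sdk/jarm/JARMValidator.class */
public class JARMValidator extends AbstractJWTValidator implements ClockSkewAware {

    /**
     * Creates a validator for signed authorization responses, selecting
     * verification keys from a local JWK set.
     *
     * @param issuer       The expected issuer of the responses.
     * @param clientID     The client ID the responses must be addressed to.
     * @param jWSAlgorithm The expected JWS algorithm.
     * @param jWKSet       The JWK set to select verification keys from.
     */
    public JARMValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, JWKSet jWKSet) {
        // No JWE key selector: encrypted responses are not accepted
        this(issuer, clientID, new JWSVerificationKeySelector(jWSAlgorithm, new ImmutableJWKSet(jWKSet)), null);
    }

    /**
     * Creates a validator for signed authorization responses, selecting
     * verification keys from a remote JWK set fetched with the default
     * resource retriever.
     *
     * @param issuer       The expected issuer of the responses.
     * @param clientID     The client ID the responses must be addressed to.
     * @param jWSAlgorithm The expected JWS algorithm.
     * @param url          The URL of the remote JWK set.
     */
    public JARMValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, URL url) {
        this(issuer, clientID, jWSAlgorithm, url, null);
    }

    /**
     * Creates a validator for signed authorization responses, selecting
     * verification keys from a remote JWK set.
     *
     * @param issuer            The expected issuer of the responses.
     * @param clientID          The client ID the responses must be addressed to.
     * @param jWSAlgorithm      The expected JWS algorithm.
     * @param url               The URL of the remote JWK set.
     * @param resourceRetriever The retriever used to fetch the JWK set,
     *                          {@code null} for the default one.
     */
    public JARMValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, URL url, ResourceRetriever resourceRetriever) {
        this(issuer, clientID, new JWSVerificationKeySelector(jWSAlgorithm, new RemoteJWKSet(url, resourceRetriever)), null);
    }

    /**
     * Creates a validator for HMAC-protected authorization responses, using
     * the client secret as the verification key.
     *
     * @param issuer       The expected issuer of the responses.
     * @param clientID     The client ID the responses must be addressed to.
     * @param jWSAlgorithm The expected (HMAC) JWS algorithm.
     * @param secret       The client secret whose bytes serve as the key.
     */
    public JARMValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, Secret secret) {
        this(issuer, clientID, new JWSVerificationKeySelector(jWSAlgorithm, new ImmutableSecret(secret.getValueBytes())), null);
    }

    /**
     * Creates a validator with explicit key selectors.
     *
     * @param issuer         The expected issuer of the responses.
     * @param clientID       The client ID the responses must be addressed to.
     * @param jWSKeySelector The selector of JWS verification keys, {@code null}
     *                       if signed responses are not to be accepted.
     * @param jWEKeySelector The selector of JWE decryption keys, {@code null}
     *                       if encrypted responses are not to be accepted.
     */
    public JARMValidator(Issuer issuer, ClientID clientID, JWSKeySelector jWSKeySelector, JWEKeySelector jWEKeySelector) {
        super(issuer, clientID, jWSKeySelector, jWEKeySelector);
    }

    /**
     * Parses and validates an authorization response JWT.
     *
     * @param str The serialised JWT.
     * @return The verified claims set.
     * @throws BadJOSEException If the string is not a well-formed JWT, or the
     *                          JWT fails validation.
     * @throws JOSEException    On an internal processing error.
     */
    public JWTClaimsSet validate(String str) throws BadJOSEException, JOSEException {
        JWT parsed;
        try {
            parsed = JWTParser.parse(str);
        } catch (ParseException e) {
            // Surface malformed input as a validation failure, keeping the cause
            throw new BadJOSEException("Invalid JWT: " + e.getMessage(), e);
        }
        return validate(parsed);
    }

    /**
     * Validates a parsed authorization response JWT. Signed JWTs are
     * verified, encrypted JWTs are decrypted and verified, plain (unsecured)
     * JWTs are rejected.
     *
     * @param jwt The JWT to validate.
     * @return The verified claims set.
     * @throws BadJOSEException If the JWT is plain, of an unexpected type, or
     *                          fails validation.
     * @throws JOSEException    On an internal processing error.
     */
    public JWTClaimsSet validate(JWT jwt) throws BadJOSEException, JOSEException {
        if (jwt instanceof SignedJWT) {
            return validate((SignedJWT) jwt);
        }
        if (jwt instanceof EncryptedJWT) {
            return validate((EncryptedJWT) jwt);
        }
        if (jwt instanceof PlainJWT) {
            // Unsecured JWTs carry no integrity protection and are never accepted
            throw new BadJWTException("The JWT must not be plain (unsecured)");
        }
        throw new BadJOSEException("Unexpected JWT type: " + jwt.getClass());
    }

    /**
     * Builds a JWT processor wired with the configured key selectors and a
     * {@link JARMClaimsVerifier} for the expected issuer, client ID and
     * maximum clock skew. Callers check that the selectors they need are
     * configured before invoking this.
     */
    private DefaultJWTProcessor newJWTProcessor() {
        DefaultJWTProcessor processor = new DefaultJWTProcessor();
        processor.setJWSKeySelector(getJWSKeySelector());
        // A null JWE selector leaves the processor without decryption support
        processor.setJWEKeySelector(getJWEKeySelector());
        processor.setJWTClaimsSetVerifier(new JARMClaimsVerifier(getExpectedIssuer(), getClientID(), getMaxClockSkew()));
        return processor;
    }

    /**
     * Verifies a signed JWT and checks its claims.
     *
     * @throws BadJWTException If no JWS key selector is configured.
     */
    private JWTClaimsSet validate(SignedJWT signedJWT) throws BadJOSEException, JOSEException {
        if (getJWSKeySelector() == null) {
            throw new BadJWTException("Verification of signed JWTs not configured");
        }
        return newJWTProcessor().process(signedJWT, null);
    }

    /**
     * Decrypts an encrypted JWT, verifies the signed JWT it contains and
     * checks its claims. Both the JWE and the JWS key selector must be
     * configured.
     *
     * @throws BadJWTException If either key selector is missing.
     */
    private JWTClaimsSet validate(EncryptedJWT encryptedJWT) throws BadJOSEException, JOSEException {
        if (getJWEKeySelector() == null) {
            throw new BadJWTException("Decryption of JWTs not configured");
        }
        if (getJWSKeySelector() == null) {
            throw new BadJWTException("Verification of signed JWTs not configured");
        }
        return newJWTProcessor().process(encryptedJWT, null);
    }

    /**
     * Creates the JWS key selector for a client from its registered
     * authorization response JWS algorithm and the Authorization Server
     * metadata.
     *
     * @param authorizationServerMetadata The AS metadata.
     * @param clientInformation           The client information.
     * @return The key selector, or {@code null} if the client's algorithm is
     *         {@code none}, in which case signed responses cannot be
     *         validated by this class.
     * @throws GeneralException If the AS does not advertise or support the
     *                          algorithm, the client algorithm is missing,
     *                          the AS JWK set URI is missing or invalid, the
     *                          algorithm family is unsupported, or an HMAC
     *                          algorithm is configured without a client secret.
     */
    protected static JWSKeySelector createJWSKeySelector(AuthorizationServerMetadata authorizationServerMetadata, ClientInformation clientInformation) throws GeneralException {
        JWSAlgorithm expectedJWSAlg = clientInformation.getMetadata().getAuthorizationJWSAlg();
        if (authorizationServerMetadata.getAuthorizationJWSAlgs() == null) {
            throw new GeneralException("Missing Authorization Server authorization_signing_alg_values_supported parameter");
        }
        if (expectedJWSAlg == null) {
            // Report the missing client setting instead of "doesn't support null"
            throw new GeneralException("Missing client authorization_signed_response_alg parameter");
        }
        if (!authorizationServerMetadata.getAuthorizationJWSAlgs().contains(expectedJWSAlg)) {
            throw new GeneralException("The Authorization Server doesn't support " + expectedJWSAlg + " authorization responses");
        }
        if (Algorithm.NONE.equals(expectedJWSAlg)) {
            // No verification keys for "none"; the validator then rejects both
            // signed (no selector) and plain JWTs
            return null;
        }
        if (JWSAlgorithm.Family.RSA.contains(expectedJWSAlg) || JWSAlgorithm.Family.EC.contains(expectedJWSAlg)) {
            if (authorizationServerMetadata.getJWKSetURI() == null) {
                // Asymmetric verification needs the AS public keys
                throw new GeneralException("Missing Authorization Server jwks_uri parameter");
            }
            try {
                return new JWSVerificationKeySelector(expectedJWSAlg, new RemoteJWKSet(authorizationServerMetadata.getJWKSetURI().toURL()));
            } catch (MalformedURLException e) {
                throw new GeneralException("Invalid jwk set URI: " + e.getMessage(), e);
            }
        }
        if (!JWSAlgorithm.Family.HMAC_SHA.contains(expectedJWSAlg)) {
            throw new GeneralException("Unsupported JWS algorithm: " + expectedJWSAlg);
        }
        Secret secret = clientInformation.getSecret();
        if (secret == null) {
            throw new GeneralException("Missing client secret");
        }
        return new JWSVerificationKeySelector(expectedJWSAlg, new ImmutableSecret(secret.getValueBytes()));
    }

    /**
     * Creates the JWE key selector for a client from its registered
     * authorization response JWE algorithm and encryption method and the
     * Authorization Server metadata.
     *
     * @param authorizationServerMetadata The AS metadata.
     * @param clientInformation           The client information.
     * @param jWKSource                   The source of the client's decryption keys.
     * @return The key selector, or {@code null} if the client has no
     *         authorization response JWE algorithm registered.
     * @throws GeneralException If the encryption method is missing, the AS
     *                          does not support the algorithm or method, or
     *                          no JWK source is given.
     */
    protected static JWEKeySelector createJWEKeySelector(AuthorizationServerMetadata authorizationServerMetadata, ClientInformation clientInformation, JWKSource jWKSource) throws GeneralException {
        JWEAlgorithm expectedJWEAlg = clientInformation.getMetadata().getAuthorizationJWEAlg();
        EncryptionMethod expectedJWEEnc = clientInformation.getMetadata().getAuthorizationJWEEnc();
        if (expectedJWEAlg == null) {
            // Encrypted responses not requested by the client
            return null;
        }
        if (expectedJWEEnc == null) {
            throw new GeneralException("Missing required authorization response JWE encryption method for " + expectedJWEAlg);
        }
        if (authorizationServerMetadata.getAuthorizationJWEAlgs() == null || !authorizationServerMetadata.getAuthorizationJWEAlgs().contains(expectedJWEAlg)) {
            throw new GeneralException("The Authorization Server doesn't support " + expectedJWEAlg + " authorization responses");
        }
        if (authorizationServerMetadata.getAuthorizationJWEEncs() == null || !authorizationServerMetadata.getAuthorizationJWEEncs().contains(expectedJWEEnc)) {
            throw new GeneralException("The Authorization Server doesn't support " + expectedJWEAlg + " / " + expectedJWEEnc + " authorization responses");
        }
        if (jWKSource == null) {
            // Fail early with a descriptive error instead of deferring to the selector
            throw new GeneralException("Missing JWK source for decrypting " + expectedJWEAlg + " authorization responses");
        }
        return new JWEDecryptionKeySelector(expectedJWEAlg, expectedJWEEnc, jWKSource);
    }

    /**
     * Creates a validator from Authorization Server metadata and client
     * information.
     *
     * @param authorizationServerMetadata The AS metadata.
     * @param clientInformation           The client information.
     * @param jWKSource                   The source of the client's decryption
     *                                    keys, required only if encrypted
     *                                    responses are registered.
     * @return The validator.
     * @throws GeneralException If the key selectors cannot be created.
     */
    public static JARMValidator create(AuthorizationServerMetadata authorizationServerMetadata, ClientInformation clientInformation, JWKSource jWKSource) throws GeneralException {
        JWSKeySelector jwsKeySelector = createJWSKeySelector(authorizationServerMetadata, clientInformation);
        JWEKeySelector jweKeySelector = createJWEKeySelector(authorizationServerMetadata, clientInformation, jWKSource);
        return new JARMValidator(authorizationServerMetadata.getIssuer(), clientInformation.getID(), jwsKeySelector, jweKeySelector);
    }

    /**
     * Creates a validator for signed-only responses from Authorization Server
     * metadata and client information (no decryption key source).
     *
     * @param authorizationServerMetadata The AS metadata.
     * @param clientInformation           The client information.
     * @return The validator.
     * @throws GeneralException If the key selectors cannot be created.
     */
    public static JARMValidator create(AuthorizationServerMetadata authorizationServerMetadata, ClientInformation clientInformation) throws GeneralException {
        return create(authorizationServerMetadata, clientInformation, null);
    }

    /**
     * Creates a validator by resolving the Authorization Server metadata for
     * an issuer, without a decryption key source and with zero connect / read
     * timeouts passed to the resolver.
     *
     * @param issuer            The issuer whose metadata is resolved.
     * @param clientInformation The client information.
     * @return The validator.
     * @throws GeneralException If the metadata cannot be resolved or the key
     *                          selectors cannot be created.
     * @throws IOException      On a network error while resolving.
     */
    public static JARMValidator create(Issuer issuer, ClientInformation clientInformation) throws GeneralException, IOException {
        return create(issuer, clientInformation, null, 0, 0);
    }

    /**
     * Creates a validator by resolving the Authorization Server metadata for
     * an issuer. OpenID Provider metadata is tried first; if that fails for
     * any reason, plain Authorization Server metadata is resolved instead.
     *
     * @param issuer            The issuer whose metadata is resolved.
     * @param clientInformation The client information.
     * @param jWKSource         The source of the client's decryption keys,
     *                          {@code null} if encrypted responses are not
     *                          registered.
     * @param connectTimeout    The HTTP connect timeout passed to the resolver.
     * @param readTimeout       The HTTP read timeout passed to the resolver.
     * @return The validator.
     * @throws GeneralException If the metadata cannot be resolved or the key
     *                          selectors cannot be created.
     * @throws IOException      On a network error while resolving.
     */
    public static JARMValidator create(Issuer issuer, ClientInformation clientInformation, JWKSource jWKSource, int connectTimeout, int readTimeout) throws GeneralException, IOException {
        AuthorizationServerMetadata asMetadata;
        try {
            asMetadata = OIDCProviderMetadata.resolve(issuer, connectTimeout, readTimeout);
        } catch (Exception oidcFailure) {
            // Best-effort fallback to generic AS metadata
            try {
                asMetadata = AuthorizationServerMetadata.resolve(issuer, connectTimeout, readTimeout);
            } catch (Exception asFailure) {
                // Keep the OIDC failure for diagnostics instead of discarding it
                asFailure.addSuppressed(oidcFailure);
                throw asFailure;
            }
        }
        return create(asMetadata, clientInformation, jWKSource);
    }
}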
