package com.nimbusds.openid.connect.sdk.validators;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWEDecryptionKeySelector;
import com.nimbusds.jose.proc.JWEKeySelector;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.ClockSkewAware;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import net.jcip.annotations.ThreadSafe;

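/**
 * Validates OpenID Connect ID tokens against an expected issuer and client ID.
 *
 * <p>{@link #validate(JWT, Nonce)} dispatches on the concrete JWT type. The
 * key selectors supplied at construction decide which types are accepted:
 * <ul>
 *   <li>plain (unsecured) JWT: accepted only when no JWS key selector is
 *       configured;</li>
 *   <li>signed JWT: requires a JWS key selector;</li>
 *   <li>encrypted JWT: requires both a JWE and a JWS key selector.</li>
 * </ul>
 *
 * <p>Security note: a validator without a JWS key selector checks claims only
 * and verifies no signature. OpenID Connect Core 1.0 (section 2) permits
 * {@code alg=none} ID tokens only when the token is not returned from the
 * authorization endpoint (e.g. the code flow, where it arrives from the token
 * endpoint over TLS) and the client explicitly registered {@code none}.
 * Callers should not use that configuration for any other flow.
 *
 * <p>Raw key selector / processor types are kept as found in this decompiled
 * listing.
 */
@ThreadSafe
/* loaded from: input_file:BOOT-INF/lib/oauth2-oidc-sdk-7.1.1.jar:com/nimbusds/openid/connect/sdk/validators/IDTokenValidator.class */
public class IDTokenValidator extends AbstractJWTValidator implements ClockSkewAware {
    /**
     * Creates a validator with neither a JWS nor a JWE key selector. Such a
     * validator accepts unsecured (plain) ID tokens only; signed and encrypted
     * tokens are rejected by {@link #validate(JWT, Nonce)}.
     *
     * @param issuer   the expected ID token issuer
     * @param clientID the client ID passed to the claims verifier
     */
    public IDTokenValidator(Issuer issuer, ClientID clientID) {
        // The casts only pick the (JWSKeySelector, JWEKeySelector) overload.
        this(issuer, clientID, (JWSKeySelector) null, (JWEKeySelector) null);
    }

    /**
     * Creates a validator for signed ID tokens verified with keys from a fixed,
     * locally held JWK set.
     *
     * @param issuer       the expected ID token issuer
     * @param clientID     the client ID passed to the claims verifier
     * @param jWSAlgorithm the expected JWS algorithm
     * @param jWKSet       the JWK set holding the verification keys
     */
    public IDTokenValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, JWKSet jWKSet) {
        this(issuer, clientID, new JWSVerificationKeySelector(jWSAlgorithm, new ImmutableJWKSet(jWKSet)), (JWEKeySelector) null);
    }

    /**
     * Creates a validator for signed ID tokens verified with keys fetched from
     * a remote JWK set URL, using no explicit resource retriever.
     *
     * @param issuer       the expected ID token issuer
     * @param clientID     the client ID passed to the claims verifier
     * @param jWSAlgorithm the expected JWS algorithm
     * @param url          the JWK set URL
     */
    public IDTokenValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, URL url) {
        this(issuer, clientID, jWSAlgorithm, url, null);
    }

    /**
     * Creates a validator for signed ID tokens verified with keys fetched from
     * a remote JWK set URL.
     *
     * <p>NOTE(review): the URL scheme is not checked here. The verification
     * keys are only as trustworthy as the channel they are fetched over, so the
     * caller should pass an {@code https} URL.
     *
     * @param issuer            the expected ID token issuer
     * @param clientID          the client ID passed to the claims verifier
     * @param jWSAlgorithm      the expected JWS algorithm
     * @param url               the JWK set URL
     * @param resourceRetriever the retriever handed to {@code RemoteJWKSet};
     *                          may be {@code null} (the four-argument URL
     *                          constructor passes {@code null})
     */
    public IDTokenValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, URL url, ResourceRetriever resourceRetriever) {
        this(issuer, clientID, new JWSVerificationKeySelector(jWSAlgorithm, new RemoteJWKSet(url, resourceRetriever)), (JWEKeySelector) null);
    }

    /**
     * Creates a validator for ID tokens protected with a key derived from the
     * client secret bytes.
     *
     * <p>With a shared-secret algorithm the token's integrity depends on the
     * secrecy and strength of the client secret.
     *
     * @param issuer       the expected ID token issuer
     * @param clientID     the client ID passed to the claims verifier
     * @param jWSAlgorithm the expected JWS algorithm
     * @param secret       the client secret; must not be {@code null}
     */
    public IDTokenValidator(Issuer issuer, ClientID clientID, JWSAlgorithm jWSAlgorithm, Secret secret) {
        this(issuer, clientID, new JWSVerificationKeySelector(jWSAlgorithm, new ImmutableSecret(secret.getValueBytes())), (JWEKeySelector) null);
    }

    /**
     * Creates a validator with explicit key selectors.
     *
     * @param issuer         the expected ID token issuer
     * @param clientID       the client ID passed to the claims verifier
     * @param jWSKeySelector the JWS key selector, or {@code null} to accept
     *                       unsecured (plain) ID tokens only
     * @param jWEKeySelector the JWE key selector, or {@code null} if encrypted
     *                       ID tokens are not expected
     */
    public IDTokenValidator(Issuer issuer, ClientID clientID, JWSKeySelector jWSKeySelector, JWEKeySelector jWEKeySelector) {
        super(issuer, clientID, jWSKeySelector, jWEKeySelector);
    }

    /**
     * Validates an ID token of any supported JWT type.
     *
     * @param jwt   the ID token; a {@code null} value fails with a
     *              {@link NullPointerException}
     * @param nonce the nonce handed to the claims verifier
     * @return the claims set of the validated ID token
     * @throws BadJOSEException if the token is rejected, including when its
     *                          type does not match the configured key selectors
     * @throws JOSEException    if the JWT type is not plain, signed or
     *                          encrypted, or the claims cannot be converted
     */
    public IDTokenClaimsSet validate(JWT jwt, Nonce nonce) throws BadJOSEException, JOSEException {
        if (jwt instanceof PlainJWT) {
            return validate((PlainJWT) jwt, nonce);
        }
        if (jwt instanceof SignedJWT) {
            return validate((SignedJWT) jwt, nonce);
        }
        if (jwt instanceof EncryptedJWT) {
            return validate((EncryptedJWT) jwt, nonce);
        }
        throw new JOSEException("Unexpected JWT type: " + jwt.getClass());
    }

    /**
     * Validates an unsecured (plain) ID token: claims are verified, no
     * signature is checked.
     */
    private IDTokenClaimsSet validate(PlainJWT plainJWT, Nonce nonce) throws BadJOSEException, JOSEException {
        // Fail closed: once signature verification is configured, an
        // unsecured token must never be accepted in place of a signed one.
        if (getJWSKeySelector() != null) {
            throw new BadJWTException("Signed ID token expected");
        }
        try {
            JWTClaimsSet jWTClaimsSet = plainJWT.getJWTClaimsSet();
            newClaimsVerifier(nonce).verify(jWTClaimsSet, null);
            return toIDTokenClaimsSet(jWTClaimsSet);
        } catch (ParseException e) {
            throw new BadJWTException(e.getMessage(), e);
        }
    }

    /** Validates a signed ID token; requires a configured JWS key selector. */
    private IDTokenClaimsSet validate(SignedJWT signedJWT, Nonce nonce) throws BadJOSEException, JOSEException {
        if (getJWSKeySelector() == null) {
            throw new BadJWTException("Verification of signed JWTs not configured");
        }
        DefaultJWTProcessor defaultJWTProcessor = new DefaultJWTProcessor();
        defaultJWTProcessor.setJWSKeySelector(getJWSKeySelector());
        defaultJWTProcessor.setJWTClaimsSetVerifier(newClaimsVerifier(nonce));
        // The second argument is the optional processing context; none is used.
        // (The decompiler had emitted it as "(SignedJWT) null".)
        return toIDTokenClaimsSet(defaultJWTProcessor.process(signedJWT, null));
    }

    /**
     * Validates an encrypted ID token; requires both a JWE and a JWS key
     * selector to be configured.
     */
    private IDTokenClaimsSet validate(EncryptedJWT encryptedJWT, Nonce nonce) throws BadJOSEException, JOSEException {
        if (getJWEKeySelector() == null) {
            throw new BadJWTException("Decryption of JWTs not configured");
        }
        // Encryption alone is not accepted here: a JWS key selector must also
        // be present before an encrypted token is processed.
        if (getJWSKeySelector() == null) {
            throw new BadJWTException("Verification of signed JWTs not configured");
        }
        DefaultJWTProcessor defaultJWTProcessor = new DefaultJWTProcessor();
        defaultJWTProcessor.setJWSKeySelector(getJWSKeySelector());
        defaultJWTProcessor.setJWEKeySelector(getJWEKeySelector());
        defaultJWTProcessor.setJWTClaimsSetVerifier(newClaimsVerifier(nonce));
        // The second argument is the optional processing context; none is used.
        // (The decompiler had emitted it as "(EncryptedJWT) null".)
        return toIDTokenClaimsSet(defaultJWTProcessor.process(encryptedJWT, null));
    }

    /**
     * Builds the claims verifier shared by all three validation paths from the
     * expected issuer, the client ID, the given nonce and the maximum clock
     * skew.
     */
    private IDTokenClaimsVerifier newClaimsVerifier(Nonce nonce) {
        return new IDTokenClaimsVerifier(getExpectedIssuer(), getClientID(), nonce, getMaxClockSkew());
    }

    /**
     * Wraps verified JWT claims as an ID token claims set, converting the SDK
     * parse exception into a {@link JOSEException}.
     */
    private static IDTokenClaimsSet toIDTokenClaimsSet(JWTClaimsSet jWTClaimsSet) throws JOSEException {
        try {
            return new IDTokenClaimsSet(jWTClaimsSet);
        } catch (com.nimbusds.oauth2.sdk.ParseException e) {
            throw new JOSEException(e.getMessage(), e);
        }
    }

    /**
     * Creates the JWS key selector matching the ID token JWS algorithm
     * registered for the client.
     *
     * <ul>
     *   <li>{@code none}: returns {@code null}, which makes the resulting
     *       validator accept unsecured ID tokens only (see the class note);</li>
     *   <li>RSA and EC families: keys are fetched from the provider's JWK set
     *       URI;</li>
     *   <li>HMAC family: the key is the client secret.</li>
     * </ul>
     *
     * <p>NOTE(review): the scheme of the JWK set URI is not checked here;
     * the provider metadata is assumed to come from a trusted source.
     *
     * @param oIDCProviderMetadata  the OpenID Provider metadata
     * @param oIDCClientInformation the client registration
     * @return the JWS key selector, or {@code null} for algorithm {@code none}
     * @throws GeneralException if the provider does not list the registered
     *                          algorithm, the JWK set URI is missing or
     *                          invalid, the algorithm is unsupported, or the
     *                          client secret is missing for an HMAC algorithm
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static JWSKeySelector createJWSKeySelector(OIDCProviderMetadata oIDCProviderMetadata, OIDCClientInformation oIDCClientInformation) throws GeneralException {
        JWSAlgorithm iDTokenJWSAlg = oIDCClientInformation.getOIDCMetadata().getIDTokenJWSAlg();
        if (oIDCProviderMetadata.getIDTokenJWSAlgs() == null) {
            throw new GeneralException("Missing OpenID Provider id_token_signing_alg_values_supported parameter");
        }
        if (!oIDCProviderMetadata.getIDTokenJWSAlgs().contains(iDTokenJWSAlg)) {
            throw new GeneralException("The OpenID Provider doesn't support " + iDTokenJWSAlg + " ID tokens");
        }
        if (Algorithm.NONE.equals(iDTokenJWSAlg)) {
            return null;
        }
        if (JWSAlgorithm.Family.RSA.contains(iDTokenJWSAlg) || JWSAlgorithm.Family.EC.contains(iDTokenJWSAlg)) {
            // Report a missing jwks_uri as a configuration error instead of
            // letting it surface as a NullPointerException.
            java.net.URI jwkSetUri = oIDCProviderMetadata.getJWKSetURI();
            if (jwkSetUri == null) {
                throw new GeneralException("Missing OpenID Provider jwks_uri parameter");
            }
            URL jwkSetUrl;
            try {
                jwkSetUrl = jwkSetUri.toURL();
            } catch (MalformedURLException | IllegalArgumentException e) {
                // URI.toURL() throws IllegalArgumentException for a
                // non-absolute URI.
                throw new GeneralException("Invalid jwk set URI: " + e.getMessage(), e);
            }
            return new JWSVerificationKeySelector(iDTokenJWSAlg, new RemoteJWKSet(jwkSetUrl));
        }
        if (!JWSAlgorithm.Family.HMAC_SHA.contains(iDTokenJWSAlg)) {
            throw new GeneralException("Unsupported JWS algorithm: " + iDTokenJWSAlg);
        }
        Secret secret = oIDCClientInformation.getSecret();
        if (secret == null) {
            throw new GeneralException("Missing client secret");
        }
        return new JWSVerificationKeySelector(iDTokenJWSAlg, new ImmutableSecret(secret.getValueBytes()));
    }

    /**
     * Creates the JWE key selector matching the ID token JWE algorithm and
     * encryption method registered for the client.
     *
     * @param oIDCProviderMetadata  the OpenID Provider metadata
     * @param oIDCClientInformation the client registration
     * @param jWKSource             the source of the client's decryption keys,
     *                              passed through to the selector
     * @return the JWE key selector, or {@code null} if the client has no ID
     *         token JWE algorithm registered
     * @throws GeneralException if the encryption method is missing, or the
     *                          provider does not list the registered JWE
     *                          algorithm or encryption method
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static JWEKeySelector createJWEKeySelector(OIDCProviderMetadata oIDCProviderMetadata, OIDCClientInformation oIDCClientInformation, JWKSource jWKSource) throws GeneralException {
        JWEAlgorithm iDTokenJWEAlg = oIDCClientInformation.getOIDCMetadata().getIDTokenJWEAlg();
        EncryptionMethod iDTokenJWEEnc = oIDCClientInformation.getOIDCMetadata().getIDTokenJWEEnc();
        if (iDTokenJWEAlg == null) {
            // No encryption registered for ID tokens.
            return null;
        }
        if (iDTokenJWEEnc == null) {
            throw new GeneralException("Missing required ID token JWE encryption method for " + iDTokenJWEAlg);
        }
        if (oIDCProviderMetadata.getIDTokenJWEAlgs() == null || !oIDCProviderMetadata.getIDTokenJWEAlgs().contains(iDTokenJWEAlg)) {
            throw new GeneralException("The OpenID Provider doesn't support " + iDTokenJWEAlg + " ID tokens");
        }
        if (oIDCProviderMetadata.getIDTokenJWEEncs() == null || !oIDCProviderMetadata.getIDTokenJWEEncs().contains(iDTokenJWEEnc)) {
            throw new GeneralException("The OpenID Provider doesn't support " + iDTokenJWEAlg + " / " + iDTokenJWEEnc + " ID tokens");
        }
        return new JWEDecryptionKeySelector(iDTokenJWEAlg, iDTokenJWEEnc, jWKSource);
    }

    /**
     * Creates a validator from provider metadata and the client registration.
     *
     * @param oIDCProviderMetadata  the OpenID Provider metadata
     * @param oIDCClientInformation the client registration
     * @param jWKSource             the source of the client's decryption keys;
     *                              may be {@code null} (the two-argument
     *                              overload passes {@code null})
     * @return the configured validator
     * @throws GeneralException if a key selector cannot be created
     */
    public static IDTokenValidator create(OIDCProviderMetadata oIDCProviderMetadata, OIDCClientInformation oIDCClientInformation, JWKSource jWKSource) throws GeneralException {
        JWSKeySelector jwsKeySelector = createJWSKeySelector(oIDCProviderMetadata, oIDCClientInformation);
        JWEKeySelector jweKeySelector = createJWEKeySelector(oIDCProviderMetadata, oIDCClientInformation, jWKSource);
        return new IDTokenValidator(oIDCProviderMetadata.getIssuer(), oIDCClientInformation.getID(), jwsKeySelector, jweKeySelector);
    }

    /**
     * Creates a validator from provider metadata and the client registration,
     * with no JWK source for decryption keys.
     *
     * @param oIDCProviderMetadata  the OpenID Provider metadata
     * @param oIDCClientInformation the client registration
     * @return the configured validator
     * @throws GeneralException if a key selector cannot be created
     */
    public static IDTokenValidator create(OIDCProviderMetadata oIDCProviderMetadata, OIDCClientInformation oIDCClientInformation) throws GeneralException {
        return create(oIDCProviderMetadata, oIDCClientInformation, null);
    }

    /**
     * Creates a validator by resolving the provider metadata for the issuer,
     * with no JWK source and both resolve arguments set to zero.
     *
     * <p>NOTE(review): zero presumably means "no timeout" for the metadata
     * request; confirm against {@code OIDCProviderMetadata.resolve}. If so,
     * prefer the five-argument overload with explicit timeouts so that an
     * unresponsive discovery endpoint cannot block the caller indefinitely.
     *
     * @param issuer                the issuer whose metadata is resolved
     * @param oIDCClientInformation the client registration
     * @return the configured validator
     * @throws GeneralException if metadata resolution or key selector creation
     *                          fails
     * @throws IOException      declared for the metadata resolution step
     */
    public static IDTokenValidator create(Issuer issuer, OIDCClientInformation oIDCClientInformation) throws GeneralException, IOException {
        return create(issuer, oIDCClientInformation, null, 0, 0);
    }

    /**
     * Creates a validator by resolving the provider metadata for the issuer.
     *
     * @param issuer                the issuer whose metadata is resolved
     * @param oIDCClientInformation the client registration
     * @param jWKSource             the source of the client's decryption keys;
     *                              may be {@code null}
     * @param i                     second argument of
     *                              {@code OIDCProviderMetadata.resolve};
     *                              presumably the HTTP connect timeout
     *                              (confirm)
     * @param i2                    third argument of
     *                              {@code OIDCProviderMetadata.resolve};
     *                              presumably the HTTP read timeout (confirm)
     * @return the configured validator
     * @throws GeneralException if metadata resolution or key selector creation
     *                          fails
     * @throws IOException      declared for the metadata resolution step
     */
    public static IDTokenValidator create(Issuer issuer, OIDCClientInformation oIDCClientInformation, JWKSource jWKSource, int i, int i2) throws GeneralException, IOException {
        return create(OIDCProviderMetadata.resolve(issuer, i, i2), oIDCClientInformation, jWKSource);
    }
}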
