package com.nimbusds.openid.connect.sdk.federation.utils;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.jwk.AsymmetricJWK;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.OctetKeyPair;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
import com.nimbusds.oauth2.sdk.ParseException;
import java.util.List;

/* loaded from: classes2.dex */
public class JWTUtils {
    private JWTUtils() {
    }

    public static JWTClaimsSet parseSignedJWTClaimsSet(SignedJWT signedJWT) {
        if (JWSObject.State.UNSIGNED.equals(signedJWT.getState())) {
            throw new ParseException("The JWT is not signed");
        }
        try {
            return signedJWT.getJWTClaimsSet();
        } catch (java.text.ParseException e5) {
            throw new ParseException(e5.getMessage(), e5);
        }
    }

    public static JWSAlgorithm resolveSigningAlgorithm(JWK jwk) {
        KeyType keyType = jwk.getKeyType();
        if (KeyType.RSA.equals(keyType)) {
            return jwk.getAlgorithm() != null ? new JWSAlgorithm(jwk.getAlgorithm().getName()) : JWSAlgorithm.RS256;
        }
        if (!KeyType.EC.equals(keyType)) {
            if (!KeyType.OKP.equals(keyType)) {
                throw new JOSEException("Unsupported JWK type: " + keyType);
            }
            OctetKeyPair octetKeyPair = jwk.toOctetKeyPair();
            if (Curve.Ed25519.equals(octetKeyPair.getCurve())) {
                return JWSAlgorithm.EdDSA;
            }
            throw new JOSEException("Unsupported EdDSA curve: " + octetKeyPair.getCurve());
        }
        ECKey eCKey = jwk.toECKey();
        if (jwk.getAlgorithm() != null) {
            return new JWSAlgorithm(eCKey.getAlgorithm().getName());
        }
        if (Curve.P_256.equals(eCKey.getCurve())) {
            return JWSAlgorithm.ES256;
        }
        if (Curve.P_384.equals(eCKey.getCurve())) {
            return JWSAlgorithm.ES384;
        }
        if (Curve.P_521.equals(eCKey.getCurve())) {
            return JWSAlgorithm.ES512;
        }
        if (Curve.SECP256K1.equals(eCKey.getCurve())) {
            return JWSAlgorithm.ES256K;
        }
        throw new JOSEException("Unsupported ECDSA curve: " + eCKey.getCurve());
    }

    public static SignedJWT sign(JWK jwk, JWSAlgorithm jWSAlgorithm, JOSEObjectType jOSEObjectType, JWTClaimsSet jWTClaimsSet) {
        JWSSigner createJWSSigner = new DefaultJWSSignerFactory().createJWSSigner(jwk, jWSAlgorithm);
        SignedJWT signedJWT = new SignedJWT(new JWSHeader.Builder(jWSAlgorithm).type(jOSEObjectType).keyID(jwk.getKeyID()).build(), jWTClaimsSet);
        signedJWT.sign(createJWSSigner);
        return signedJWT;
    }

    /* JADX WARN: Multi-variable type inference failed */
    public static Base64URL verifySignature(SignedJWT signedJWT, JOSEObjectType jOSEObjectType, JWTClaimsSetVerifier<?> jWTClaimsSetVerifier, JWKSet jWKSet) {
        if (!jOSEObjectType.equals(signedJWT.getHeader().getType())) {
            throw new BadJOSEException("JWT rejected: Invalid or missing JWT typ (type) header");
        }
        try {
            jWTClaimsSetVerifier.verify(signedJWT.getJWTClaimsSet(), null);
            List<JWK> select = new JWKSelector(JWKMatcher.forJWSHeader(signedJWT.getHeader())).select(jWKSet);
            if (select.isEmpty()) {
                throw new BadJOSEException("JWT rejected: Another JOSE algorithm expected, or no matching key(s) found");
            }
            DefaultJWSVerifierFactory defaultJWSVerifierFactory = new DefaultJWSVerifierFactory();
            for (JWK jwk : select) {
                if (jwk instanceof AsymmetricJWK) {
                    if (signedJWT.verify(defaultJWSVerifierFactory.createJWSVerifier(signedJWT.getHeader(), ((AsymmetricJWK) jwk).toPublicKey()))) {
                        return jwk.computeThumbprint();
                    }
                }
            }
            throw new BadJOSEException("JWT rejected: Invalid signature");
        } catch (java.text.ParseException e5) {
            throw new BadJOSEException(e5.getMessage(), e5);
        }
    }
}
