package com.nimbusds.jose.pkcs11;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.X509CertUtils;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/nimbusds/jose/pkcs11/SigningJWKFeeder.class */
public class SigningJWKFeeder<T extends JWK> {
    private final HashMap<X509Certificate, T> x509Keys = new LinkedHashMap();
    private final List<T> plainKeys = new LinkedList();
    private static final Logger MAIN_LOG = LogManager.getLogger("MAIN");

    public SigningJWKFeeder(List<T> list) {
        if (list.isEmpty()) {
            throw new IllegalArgumentException("The JWK list must not be empty");
        }
        for (T t : list) {
            if (!KeyUse.SIGNATURE.equals(t.getKeyUse())) {
                throw new IllegalArgumentException("The use of JWK with ID " + t.getKeyID() + " must be signature");
            }
            if (t.getX509CertChain() == null || t.getX509CertChain().size() <= 0) {
                this.plainKeys.add(t);
            } else {
                Base64 base64 = (Base64) t.getX509CertChain().get(0);
                if (base64 == null) {
                    throw new IllegalArgumentException("Couldn't parse x.509 certificate from JWK with ID " + t.getKeyID() + ": Empty certificate");
                }
                X509Certificate parse = X509CertUtils.parse(base64.decode());
                if (parse == null) {
                    throw new IllegalArgumentException("Couldn't parse X.509 certificate from JWK with ID " + t.getKeyID());
                }
                if (parse.getNotBefore() == null) {
                    throw new IllegalArgumentException("Missing not-before attribute for X.509 certificate for JWK with ID " + t.getKeyID());
                }
                if (parse.getNotAfter() == null) {
                    throw new IllegalArgumentException("Missing not-after attribute for X.509 certificate for JWK with ID " + t.getKeyID());
                }
                this.x509Keys.put(parse, t);
            }
        }
    }

    public T getJWK() {
        if (this.x509Keys.isEmpty()) {
            return this.plainKeys.get(0);
        }
        Date date = new Date();
        for (Map.Entry<X509Certificate, T> entry : this.x509Keys.entrySet()) {
            X509Certificate key = entry.getKey();
            if (!date.before(key.getNotBefore()) && date.before(key.getNotAfter())) {
                return entry.getValue();
            }
        }
        MAIN_LOG.error("[SE2000] Couldn't find signing PKCS#11 key with a X.509 certificate that is valid at this time instant, using first available key. Consider adding new key(s) to the PKCS#11 store!");
        return this.x509Keys.values().iterator().next();
    }

    public int size() {
        return this.x509Keys.size() + this.plainKeys.size();
    }
}
