package com.nimbusds.openid.connect.provider.spi.grants.handlers.web.tokenexchange;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTProcessor;
import com.nimbusds.oauth2.sdk.token.Token;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import net.jcip.annotations.ThreadSafe;

@ThreadSafe
/* loaded from: input_file:com/nimbusds/openid/connect/provider/spi/grants/handlers/web/tokenexchange/JWTVerifier.class */
public class JWTVerifier {
    public static final Set<JWSAlgorithm> SUPPORTED_JWS_ALGS;
    public static final Set<JOSEObjectType> ALLOWED_TYPES;
    protected final Map<String, JWTProcessor<?>> jwtProcessors = new HashMap();
    static final /* synthetic */ boolean $assertionsDisabled;

    @SafeVarargs
    private static Set<JWSAlgorithm> merge(Set<JWSAlgorithm>... setArr) {
        HashSet hashSet = new HashSet();
        for (Set<JWSAlgorithm> set : setArr) {
            hashSet.addAll(set);
        }
        return Collections.unmodifiableSet(hashSet);
    }

    public JWTVerifier(Map<String, JWTVerificationConfiguration> map) {
        for (Map.Entry<String, JWTVerificationConfiguration> entry : map.entrySet()) {
            JWTProcessor<?> defaultJWTProcessor = new DefaultJWTProcessor<>();
            defaultJWTProcessor.setJWSKeySelector(new JWSVerificationKeySelector(SUPPORTED_JWS_ALGS, new RemoteJWKSet(entry.getValue().jwkSetURI, new DefaultResourceRetriever(entry.getValue().connectTimeout, entry.getValue().readTimeout))));
            defaultJWTProcessor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier(ALLOWED_TYPES));
            this.jwtProcessors.put(entry.getKey(), defaultJWTProcessor);
        }
    }

    public boolean isConfigured() {
        return !this.jwtProcessors.isEmpty();
    }

    public JWTVerification verify(Token token) throws ParseException, BadJOSEException, JOSEException {
        if (!isConfigured()) {
            throw new IllegalStateException("Not configured");
        }
        SignedJWT parse = SignedJWT.parse(token.getValue());
        BadJOSEException badJOSEException = null;
        Iterator<JWTProcessor<?>> it = this.jwtProcessors.values().iterator();
        while (it.hasNext()) {
            try {
                return new JWTVerification(parse.getHeader(), it.next().process(parse, (SecurityContext) null));
            } catch (BadJOSEException e) {
                badJOSEException = e;
            }
        }
        if ($assertionsDisabled || badJOSEException != null) {
            throw badJOSEException;
        }
        throw new AssertionError();
    }

    static {
        $assertionsDisabled = !JWTVerifier.class.desiredAssertionStatus();
        SUPPORTED_JWS_ALGS = merge(JWSAlgorithm.Family.RSA, JWSAlgorithm.Family.EC);
        ALLOWED_TYPES = new HashSet(Arrays.asList(JOSEObjectType.JWT, new JOSEObjectType("at+JWT"), null));
    }
}
