package pl.edu.icm.unity.rest.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import eu.emi.security.authn.x509.X509Credential;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

/* loaded from: input_file:pl/edu/icm/unity/rest/jwt/JWTUtils.class */
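/**
 * Static helpers for issuing and checking RS256-signed JWTs with an X.509 credential.
 *
 * <p>Tokens are signed with the credential's RSA private key and verified against the
 * public key of the credential's certificate.
 */
public class JWTUtils {
    /**
     * Names of the claims every accepted token must carry.
     *
     * <p>Exposed as an unmodifiable view: this set drives {@link #parseAndValidate}, so a
     * caller that could clear or edit it would silently weaken validation for the whole JVM.
     */
    public static final Set<String> REQUIRED_CLAIMS;

    static {
        Set<String> required = new HashSet<>();
        Collections.addAll(required, "iss", "sub", "aud", "exp", "iat", "jti");
        REQUIRED_CLAIMS = Collections.unmodifiableSet(required);
    }

    /**
     * Builds a claims set from the given values and returns it as a signed, serialized JWT.
     *
     * <p>The issue time ({@code iat}) is set to the current time.
     *
     * @param x509Credential credential whose private key signs the token; must hold an RSA key
     * @param str value of the {@code sub} claim
     * @param str2 value of the {@code iss} claim
     * @param str3 value of the {@code aud} claim
     * @param date value of the {@code exp} claim
     * @param str4 value of the {@code jti} claim
     * @return the compact serialization of the signed token
     * @throws IllegalArgumentException if the credential's key is not an RSA private key
     * @throws JOSEException if signing fails
     */
    public static String generate(X509Credential x509Credential, String str, String str2, String str3, Date date, String str4) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(str)
                .issueTime(new Date())
                .issuer(str2)
                .audience(str3)
                .expirationTime(date)
                .jwtID(str4)
                .build();
        return generate(x509Credential, claims);
    }

    /**
     * Signs the given claims set with RS256 and returns the serialized JWT.
     *
     * <p>The claims are signed as passed in; this method does not check that they contain
     * {@link #REQUIRED_CLAIMS}.
     *
     * @param x509Credential credential whose private key signs the token; must hold an RSA key
     * @param jWTClaimsSet claims to embed in the token
     * @return the compact serialization of the signed token
     * @throws IllegalArgumentException if the credential's key is not an RSA private key
     * @throws JOSEException if signing fails
     */
    public static String generate(X509Credential x509Credential, JWTClaimsSet jWTClaimsSet) throws JOSEException {
        if (!(x509Credential.getKey() instanceof RSAPrivateKey)) {
            throw new IllegalArgumentException("The credential for signing JWT must be of RSA type.");
        }
        RSASSASigner signer = new RSASSASigner((RSAPrivateKey) x509Credential.getKey());
        SignedJWT token = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), jWTClaimsSet);
        token.sign(signer);
        return token.serialize();
    }

    /**
     * Parses a serialized JWT, verifies its signature and checks that it is complete and
     * not expired.
     *
     * <p>Checks performed here: signature against the credential's certificate key, presence
     * of every claim in {@link #REQUIRED_CLAIMS}, and {@code exp} not being in the past.
     * The values of {@code iss} and {@code aud} are not compared with anything in this
     * method, so callers must check that the token was issued by, and intended for, the
     * parties they expect.
     *
     * @param str the serialized token
     * @param x509Credential credential whose certificate holds the RSA public key to verify with
     * @return the claims of the verified token
     * @throws IllegalArgumentException if the certificate's key is not an RSA public key
     * @throws ParseException if the token cannot be parsed or lacks a required claim
     * @throws JOSEException if the signature is invalid or the token is expired
     */
    public static JWTClaimsSet parseAndValidate(String str, X509Credential x509Credential) throws ParseException, JOSEException {
        SignedJWT token = SignedJWT.parse(str);

        // Mirror the key-type check done when signing instead of failing with a ClassCastException.
        java.security.PublicKey publicKey = x509Credential.getCertificate().getPublicKey();
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new IllegalArgumentException("The credential for verifying JWT must be of RSA type.");
        }

        // NOTE(review): the header's alg is not pinned to RS256 here; which RSA signature
        // algorithms are accepted is left to the verifier. Confirm that is intended.
        if (!token.verify(new RSASSAVerifier((RSAPublicKey) publicKey))) {
            throw new JOSEException("JWT signature is invalid");
        }

        JWTClaimsSet claims = token.getJWTClaimsSet();

        // Completeness is checked before expiry: a token without "exp" must be rejected as
        // incomplete rather than reach Date.after(null) and fail with a NullPointerException.
        validateClaimsSet(claims);

        Date expiration = claims.getExpirationTime();
        if (expiration == null) {
            throw new ParseException("The claims in the JWT are incomplete", 0);
        }
        if (new Date().after(expiration)) {
            throw new JOSEException("JWT is expired");
        }
        return claims;
    }

    /**
     * Rejects a claims set that is missing any of {@link #REQUIRED_CLAIMS}.
     *
     * @param jWTClaimsSet claims to check
     * @throws ParseException if at least one required claim is absent
     */
    private static void validateClaimsSet(JWTClaimsSet jWTClaimsSet) throws ParseException {
        if (!jWTClaimsSet.getClaims().keySet().containsAll(REQUIRED_CLAIMS)) {
            throw new ParseException("The claims in the JWT are incomplete", 0);
        }
    }
}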
