package net.shibboleth.oidc.security.impl;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collection;
import java.util.Iterator;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.credential.JWKCredential;
import org.opensaml.security.credential.Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/JWTSignatureValidationUtil.class */
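/**
 * Static helpers for verifying the signature of a {@link SignedJWT} against a set of candidate
 * credentials.
 *
 * <p>Security notes for maintainers and callers:
 * <ul>
 *   <li>The algorithm used to pick a verifier is read from the JWT header, which is untrusted
 *       input. A credential that is not a {@link JWKCredential}, or that carries no algorithm, is
 *       tried with whatever algorithm the header names; the only constraint applied here is that
 *       the credential's key type matches the algorithm family (see
 *       {@link #initializeVerifier(Algorithm, Credential)}). Any allow-list of acceptable
 *       algorithms is not enforced in this class - presumably it is applied by the caller;
 *       verify.</li>
 *   <li>Success is signalled by a {@code null} return value, so a caller that passes {@code null}
 *       as the error identifier cannot tell failure from success.</li>
 * </ul>
 */
public final class JWTSignatureValidationUtil {

    /** Class logger. */
    @Nonnull
    private static final Logger log = LoggerFactory.getLogger(JWTSignatureValidationUtil.class);

    /** Utility class, not instantiable. */
    private JWTSignatureValidationUtil() {
    }

    /**
     * Tries each credential in turn until one verifies the signature of the given JWT.
     *
     * <p>A {@link JWKCredential} that declares an algorithm different from the JWT header's
     * algorithm is skipped. Credentials for which no verifier can be built, whose verification
     * fails, or whose verification throws, are logged and the next credential is tried.
     *
     * @param collection candidate credentials, tried in iteration order
     * @param signedJWT the JWT whose signature is to be verified
     * @param str value returned when no credential verifies the signature; pass a non-null
     *     value, because {@code null} is also the success result
     * @return {@code null} if some credential verified the signature, otherwise {@code str}
     */
    public static String validateSignatureEx(@Nonnull Collection<? extends Credential> collection, @Nonnull SignedJWT signedJWT, @Nullable String str) {
        // Header-declared algorithm: attacker-influenced until the signature has been verified.
        final JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
        for (final Credential credential : collection) {
            final JWKCredential jwkCredential =
                    credential instanceof JWKCredential ? (JWKCredential) credential : null;

            // A credential pinned to a specific algorithm must not be used with any other one.
            if (jwkCredential != null && jwkCredential.getAlgorithm() != null
                    && !algorithm.equals(jwkCredential.getAlgorithm())) {
                log.debug("Credential alg {} not matching jwt header alg {}", jwkCredential.getAlgorithm().getName(), algorithm.getName());
                continue;
            }

            try {
                final JWSVerifier verifier = initializeVerifier(algorithm, credential);
                if (verifier == null) {
                    log.debug("No verifier for given JWT and Credential pair for alg {}", algorithm.getName());
                    continue;
                }
                if (!signedJWT.verify(verifier)) {
                    log.debug("Unable to validate given JWT with credential");
                    continue;
                }
                if (log.isDebugEnabled()) {
                    final String kid = keyIdOf(credential);
                    // NOTE(review): this writes the complete serialized JWT, signature included,
                    // to the debug log. Treat debug logs from this class as containing
                    // credentials, or consider logging a non-replayable identifier instead.
                    log.debug("JWT {} verified using algorithm {}{}", signedJWT.serialize(), algorithm.getName(), kid != null ? " and key " + kid : "");
                }
                return null;
            } catch (JOSEException | IllegalStateException e) {
                // A failure with one credential must not abort the search; fall through to the next.
                final String kid = keyIdOf(credential);
                log.warn("Exception caught when validating given JWT{}", kid != null ? " with credential " + kid : "", e);
            }
        }
        log.warn("Unable to validate given JWT with any of the credentials");
        return str;
    }

    /**
     * Returns the key identifier of a credential for log messages.
     *
     * @param credential the credential being tried
     * @return the {@code kid} when the credential is a {@link JWKCredential}, otherwise {@code null}
     */
    private static String keyIdOf(Credential credential) {
        return credential instanceof JWKCredential ? ((JWKCredential) credential).getKid() : null;
    }

    /**
     * Builds a verifier for the given algorithm, but only when the credential holds a key of the
     * kind that algorithm family requires: a secret key for HMAC, an RSA public key for RSA, an
     * EC public key for EC. This key-type check is what prevents a public-key credential from
     * being used as an HMAC secret when the header names an HMAC algorithm.
     *
     * @param algorithm the algorithm named in the JWT header
     * @param credential the credential to verify with
     * @return a verifier, or {@code null} when the algorithm family and key type do not match
     * @throws JOSEException if the verifier cannot be constructed from the key
     */
    private static JWSVerifier initializeVerifier(Algorithm algorithm, Credential credential) throws JOSEException {
        if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm) && credential.getSecretKey() != null) {
            return new MACVerifier(credential.getSecretKey());
        }
        if (JWSAlgorithm.Family.RSA.contains(algorithm) && (credential.getPublicKey() instanceof RSAPublicKey)) {
            return new RSASSAVerifier((RSAPublicKey) credential.getPublicKey());
        }
        if (JWSAlgorithm.Family.EC.contains(algorithm) && (credential.getPublicKey() instanceof ECPublicKey)) {
            return new ECDSAVerifier((ECPublicKey) credential.getPublicKey());
        }
        return null;
    }
}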
