package com.nimbusds.openid.connect.sdk.federation.entities;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.jwk.AsymmetricJWK;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.OctetKeyPair;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import java.text.ParseException;
import java.util.List;
import net.jcip.annotations.Immutable;

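/**
 * Federation entity statement: a signed JWT held together with its parsed
 * claims set.
 *
 * <p>Instances are obtained from {@link #sign} (locally issued) or
 * {@link #parse} (received). Parsing only checks that the JWT is not in the
 * unsigned state and that its claims can be read; it performs no signature
 * check. A parsed statement must therefore be treated as unverified until
 * {@link #verifySignature(JWKSet)} has returned successfully for a JWK set
 * the caller trusts.
 */
@Immutable
/* loaded from: input_file:applicationinsights-agent-3.4.11.jar:inst/com/nimbusds/openid/connect/sdk/federation/entities/EntityStatement.classdata */
public final class EntityStatement {
    /** The signed JWT carrying the statement. */
    private final SignedJWT statementJWT;

    /** The claims set that corresponds to {@link #statementJWT}. */
    private final EntityStatementClaimsSet statementClaimsSet;

    /**
     * Creates a new entity statement.
     *
     * @param signedJWT                the signed JWT, must not be {@code null}
     *                                 or in the unsigned state
     * @param entityStatementClaimsSet the matching claims set, must not be
     *                                 {@code null}
     * @throws IllegalArgumentException if an argument is {@code null} or the
     *                                  JWT is unsigned
     */
    private EntityStatement(SignedJWT signedJWT, EntityStatementClaimsSet entityStatementClaimsSet) {
        if (signedJWT == null) {
            throw new IllegalArgumentException("The entity statement must not be null");
        }
        if (JWSObject.State.UNSIGNED.equals(signedJWT.getState())) {
            throw new IllegalArgumentException("The statement is not signed");
        }
        this.statementJWT = signedJWT;
        if (entityStatementClaimsSet == null) {
            throw new IllegalArgumentException("The entity statement claims set must not be null");
        }
        this.statementClaimsSet = entityStatementClaimsSet;
    }

    /**
     * Returns the subject entity ID from the claims set.
     *
     * @return the subject entity ID
     */
    public EntityID getEntityID() {
        return getClaimsSet().getSubjectEntityID();
    }

    /**
     * Returns the signed JWT of this statement.
     *
     * @return the signed JWT
     */
    public SignedJWT getSignedStatement() {
        return this.statementJWT;
    }

    /**
     * Returns the claims set of this statement.
     *
     * @return the claims set
     */
    public EntityStatementClaimsSet getClaimsSet() {
        return this.statementClaimsSet;
    }

    /**
     * Reports whether the claims have the shape of a trust anchor statement:
     * a self-statement with no authority hints.
     *
     * <p>The result is derived from the statement's own claims only. It does
     * not check the signature and does not say whether the caller has
     * configured this entity as a trusted anchor, so it must not be used on
     * its own as a trust decision.
     *
     * @return {@code true} for a self-statement without authority hints
     */
    public boolean isTrustAnchor() {
        return getClaimsSet().isSelfStatement() && CollectionUtils.isEmpty(getClaimsSet().getAuthorityHints());
    }

    /**
     * Verifies the signature of a self-statement with the JWK set carried in
     * the statement's own claims.
     *
     * <p>Success shows that the statement was signed with a key it publishes
     * itself. The keys come from the statement under test, so this check
     * alone does not establish that they are trusted.
     *
     * @return the thumbprint of the key that verified the signature
     * @throws BadJOSEException if the statement is not self-issued, or is
     *                          rejected by {@link #verifySignature(JWKSet)}
     * @throws JOSEException    if verification fails for an internal reason
     */
    public Base64URL verifySignatureOfSelfStatement() throws BadJOSEException, JOSEException {
        if (getClaimsSet().isSelfStatement()) {
            return verifySignature(getClaimsSet().getJWKSet());
        }
        throw new BadJOSEException("Entity statement not self-issued");
    }

    /**
     * Verifies the signature of this statement against the given JWK set and
     * then runs the claims verifier on the JWT claims.
     *
     * <p>Candidate keys are selected from the JWS header. Only asymmetric
     * JWKs are tried, and only their public part is used; any other selected
     * key is skipped. If more than one candidate verifies the signature, the
     * last one in selection order supplies the returned thumbprint.
     *
     * @param jWKSet the JWK set to verify against
     * @return the thumbprint of the key that verified the signature
     * @throws BadJOSEException if no key matches the header, the header
     *                          algorithm yields no key matcher, the signature
     *                          is invalid, or the claims are rejected
     * @throws JOSEException    if verification fails for an internal reason
     */
    public Base64URL verifySignature(JWKSet jWKSet) throws BadJOSEException, JOSEException {
        // The header comes from the received JWT. A missing matcher (header
        // algorithm not handled by the matcher) is reported as a rejection
        // rather than passed on to the selector, so untrusted input ends in
        // the declared checked exception. The header value is not echoed.
        JWKMatcher matcher = JWKMatcher.forJWSHeader(this.statementJWT.getHeader());
        if (matcher == null) {
            throw new BadJOSEException("Entity statement rejected: Another JOSE algorithm expected, or no matching key(s) found");
        }
        List<JWK> candidates = new JWKSelector(matcher).select(jWKSet);
        if (candidates.isEmpty()) {
            throw new BadJOSEException("Entity statement rejected: Another JOSE algorithm expected, or no matching key(s) found");
        }
        DefaultJWSVerifierFactory verifierFactory = new DefaultJWSVerifierFactory();
        JWK verifyingKey = null;
        for (JWK candidate : candidates) {
            // Skip anything that is not an asymmetric key: verification is
            // done with a public key only.
            if (!(candidate instanceof AsymmetricJWK)) {
                continue;
            }
            if (this.statementJWT.verify(verifierFactory.createJWSVerifier(this.statementJWT.getHeader(), ((AsymmetricJWK) candidate).toPublicKey()))) {
                verifyingKey = candidate;
            }
        }
        if (verifyingKey == null) {
            throw new BadJOSEException("Entity statement rejected: Invalid signature");
        }
        try {
            // NOTE(review): the verifier is built and called with null
            // arguments; which claims it enforces is not visible in this
            // class. Confirm against EntityStatementClaimsVerifier.
            new EntityStatementClaimsVerifier(null).verify(this.statementJWT.getJWTClaimsSet(), null);
            return verifyingKey.computeThumbprint();
        } catch (ParseException e) {
            throw new BadJOSEException(e.getMessage(), e);
        }
    }

    /**
     * Signs the claims set with the given key, choosing the JWS algorithm
     * from the key's type, its {@code alg} parameter and its curve.
     *
     * @param entityStatementClaimsSet the claims set to sign
     * @param jwk                      the signing key
     * @return the signed entity statement
     * @throws JOSEException if no algorithm can be resolved for the key or
     *                       signing fails
     */
    public static EntityStatement sign(EntityStatementClaimsSet entityStatementClaimsSet, JWK jwk) throws JOSEException {
        return sign(entityStatementClaimsSet, jwk, resolveSigningAlgorithm(jwk));
    }

    /**
     * Signs the claims set with the given key and JWS algorithm. The JWS
     * header carries the algorithm and the key ID of the signing key.
     *
     * @param entityStatementClaimsSet the claims set to sign
     * @param jwk                      the signing key
     * @param jWSAlgorithm             the JWS algorithm to use
     * @return the signed entity statement
     * @throws JOSEException if the claims are a self-statement whose JWK set
     *                       does not contain the signing key, or signing
     *                       fails
     */
    public static EntityStatement sign(EntityStatementClaimsSet entityStatementClaimsSet, JWK jwk, JWSAlgorithm jWSAlgorithm) throws JOSEException {
        // A self-statement is later verified with the keys it publishes, so
        // the signing key has to be among them.
        if (entityStatementClaimsSet.isSelfStatement() && !entityStatementClaimsSet.getJWKSet().containsJWK(jwk)) {
            throw new JOSEException("Signing JWK not found in JWK set of self-statement");
        }
        JWSSigner signer = new DefaultJWSSignerFactory().createJWSSigner(jwk, jWSAlgorithm);
        try {
            JWSHeader header = new JWSHeader.Builder(jWSAlgorithm).keyID(jwk.getKeyID()).build();
            SignedJWT signedJWT = new SignedJWT(header, entityStatementClaimsSet.toJWTClaimsSet());
            signedJWT.sign(signer);
            return new EntityStatement(signedJWT, entityStatementClaimsSet);
        } catch (com.nimbusds.oauth2.sdk.ParseException e) {
            throw new JOSEException(e.getMessage(), e);
        }
    }

    /**
     * Resolves the JWS algorithm for a signing key.
     *
     * <p>RSA keys use the key's {@code alg} if set, else RS256. EC keys use
     * the key's {@code alg} if set, else ES256, ES384 or ES512 for the
     * P-256, P-384 and P-521 curves. OKP keys are accepted for Ed25519 only
     * and map to EdDSA.
     *
     * @param jwk the signing key
     * @return the resolved JWS algorithm
     * @throws JOSEException if the key type or curve is not supported
     */
    private static JWSAlgorithm resolveSigningAlgorithm(JWK jwk) throws JOSEException {
        KeyType keyType = jwk.getKeyType();
        if (KeyType.RSA.equals(keyType)) {
            return jwk.getAlgorithm() != null ? new JWSAlgorithm(jwk.getAlgorithm().getName()) : JWSAlgorithm.RS256;
        }
        if (KeyType.EC.equals(keyType)) {
            ECKey ecKey = jwk.toECKey();
            if (jwk.getAlgorithm() != null) {
                return new JWSAlgorithm(ecKey.getAlgorithm().getName());
            }
            if (Curve.P_256.equals(ecKey.getCurve())) {
                return JWSAlgorithm.ES256;
            }
            if (Curve.P_384.equals(ecKey.getCurve())) {
                return JWSAlgorithm.ES384;
            }
            if (Curve.P_521.equals(ecKey.getCurve())) {
                return JWSAlgorithm.ES512;
            }
            throw new JOSEException("Unsupported ECDSA curve: " + ecKey.getCurve());
        }
        if (KeyType.OKP.equals(keyType)) {
            OctetKeyPair octetKeyPair = jwk.toOctetKeyPair();
            if (Curve.Ed25519.equals(octetKeyPair.getCurve())) {
                return JWSAlgorithm.EdDSA;
            }
            throw new JOSEException("Unsupported EdDSA curve: " + octetKeyPair.getCurve());
        }
        throw new JOSEException("Unsupported JWK type: " + keyType);
    }

    /**
     * Parses an entity statement from a signed JWT.
     *
     * <p>No signature check is performed here; the returned statement is
     * unverified until {@link #verifySignature(JWKSet)} succeeds.
     *
     * @param signedJWT the signed JWT
     * @return the entity statement
     * @throws com.nimbusds.oauth2.sdk.ParseException if the JWT is in the
     *         unsigned state or its claims cannot be parsed
     */
    public static EntityStatement parse(SignedJWT signedJWT) throws com.nimbusds.oauth2.sdk.ParseException {
        if (JWSObject.State.UNSIGNED.equals(signedJWT.getState())) {
            throw new com.nimbusds.oauth2.sdk.ParseException("The statement is not signed");
        }
        try {
            return new EntityStatement(signedJWT, new EntityStatementClaimsSet(signedJWT.getJWTClaimsSet()));
        } catch (ParseException e) {
            throw new com.nimbusds.oauth2.sdk.ParseException(e.getMessage(), e);
        }
    }

    /**
     * Parses an entity statement from the string form of a signed JWT.
     *
     * <p>No signature check is performed here; the returned statement is
     * unverified until {@link #verifySignature(JWKSet)} succeeds.
     *
     * @param str the signed JWT string
     * @return the entity statement
     * @throws com.nimbusds.oauth2.sdk.ParseException if the string is not a
     *         valid signed JWT or its claims cannot be parsed
     */
    public static EntityStatement parse(String str) throws com.nimbusds.oauth2.sdk.ParseException {
        try {
            return parse(SignedJWT.parse(str));
        } catch (ParseException e) {
            throw new com.nimbusds.oauth2.sdk.ParseException("Invalid entity statement: " + e.getMessage(), e);
        }
    }
}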
