package com.nimbusds.openid.connect.sdk.federation.trust;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.oauth2.sdk.util.MapUtils;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityID;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityStatement;
import com.nimbusds.openid.connect.sdk.federation.trust.constraints.TrustChainConstraints;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:applicationinsights-agent-3.5.4.jar:inst/com/nimbusds/openid/connect/sdk/federation/trust/TrustChainResolver.classdata */
public class TrustChainResolver {
    private final Map<EntityID, JWKSet> trustAnchors;
    private final EntityStatementRetriever statementRetriever;
    private final TrustChainConstraints constraints;

    public TrustChainResolver(EntityID entityID) {
        this(entityID, null);
    }

    public TrustChainResolver(EntityID entityID, JWKSet jWKSet) {
        this((Map<EntityID, JWKSet>) Collections.singletonMap(entityID, jWKSet), TrustChainConstraints.NO_CONSTRAINTS, new DefaultEntityStatementRetriever());
    }

    public TrustChainResolver(Map<EntityID, JWKSet> map, int i, int i2) {
        this(map, TrustChainConstraints.NO_CONSTRAINTS, new DefaultEntityStatementRetriever(i, i2));
    }

    public TrustChainResolver(Map<EntityID, JWKSet> map, TrustChainConstraints trustChainConstraints, EntityStatementRetriever entityStatementRetriever) {
        if (MapUtils.isEmpty(map)) {
            throw new IllegalArgumentException("The trust anchors map must not be empty or null");
        }
        this.trustAnchors = map;
        if (trustChainConstraints == null) {
            throw new IllegalArgumentException("The trust chain constraints must not be null");
        }
        this.constraints = trustChainConstraints;
        if (entityStatementRetriever == null) {
            throw new IllegalArgumentException("The entity statement retriever must not be null");
        }
        this.statementRetriever = entityStatementRetriever;
    }

    public Map<EntityID, JWKSet> getTrustAnchors() {
        return Collections.unmodifiableMap(this.trustAnchors);
    }

    public EntityStatementRetriever getEntityStatementRetriever() {
        return this.statementRetriever;
    }

    public TrustChainConstraints getConstraints() {
        return this.constraints;
    }

    public TrustChainSet resolveTrustChains(EntityID entityID) throws ResolveException {
        try {
            return resolveTrustChains(entityID, null);
        } catch (InvalidEntityMetadataException e) {
            throw new IllegalStateException("Unexpected exception: " + e.getMessage(), e);
        }
    }

    public TrustChainSet resolveTrustChains(EntityID entityID, EntityMetadataValidator entityMetadataValidator) throws ResolveException, InvalidEntityMetadataException {
        if (this.trustAnchors.get(entityID) != null) {
            throw new ResolveException("Target is trust anchor");
        }
        DefaultTrustChainRetriever defaultTrustChainRetriever = new DefaultTrustChainRetriever(this.statementRetriever, this.constraints);
        return verifyTrustChains(defaultTrustChainRetriever.retrieve(entityID, entityMetadataValidator, this.trustAnchors.keySet()), defaultTrustChainRetriever.getAccumulatedTrustAnchorJWKSets(), defaultTrustChainRetriever.getAccumulatedExceptions());
    }

    public TrustChainSet resolveTrustChains(EntityStatement entityStatement) throws ResolveException {
        if (this.trustAnchors.get(entityStatement.getEntityID()) != null) {
            throw new ResolveException("Target is trust anchor");
        }
        DefaultTrustChainRetriever defaultTrustChainRetriever = new DefaultTrustChainRetriever(this.statementRetriever, this.constraints);
        return verifyTrustChains(defaultTrustChainRetriever.retrieve(entityStatement, this.trustAnchors.keySet()), defaultTrustChainRetriever.getAccumulatedTrustAnchorJWKSets(), defaultTrustChainRetriever.getAccumulatedExceptions());
    }

    private TrustChainSet verifyTrustChains(Set<TrustChain> set, Map<EntityID, JWKSet> map, List<Throwable> list) throws ResolveException {
        if (set.isEmpty()) {
            if (list.isEmpty()) {
                throw new ResolveException("No trust chain leading up to a trust anchor");
            }
            if (list.size() != 1) {
                throw new ResolveException("Couldn't resolve trust chain due to multiple causes", list);
            }
            Throwable th = list.get(0);
            throw new ResolveException("Couldn't resolve trust chain: " + th.getMessage(), th);
        }
        LinkedList linkedList = new LinkedList();
        TrustChainSet trustChainSet = new TrustChainSet();
        for (TrustChain trustChain : set) {
            EntityID trustAnchorEntityID = trustChain.getTrustAnchorEntityID();
            JWKSet jWKSet = this.trustAnchors.get(trustAnchorEntityID);
            if (jWKSet == null) {
                jWKSet = map.get(trustAnchorEntityID);
            }
            try {
                trustChain.verifySignatures(jWKSet);
                trustChainSet.add(trustChain);
            } catch (JOSEException | BadJOSEException e) {
                linkedList.add(e);
            }
        }
        if (!trustChainSet.isEmpty()) {
            return trustChainSet;
        }
        LinkedList linkedList2 = new LinkedList(list);
        linkedList2.addAll(linkedList);
        if (linkedList.size() != 1) {
            throw new ResolveException("Couldn't resolve trust chain due to multiple causes", linkedList2);
        }
        throw new ResolveException("Couldn't resolve trust chain: " + ((Throwable) linkedList.get(0)).getMessage(), linkedList2);
    }
}
