package com.nimbusds.openid.connect.provider.jwkset.validator;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.openid.connect.provider.jwkset.JWKSetSpec;

/* loaded from: input_file:com/nimbusds/openid/connect/provider/jwkset/validator/JWKSetValidator.class */
public final class JWKSetValidator {
    public static void validateMinimumRequired(JWKSet jWKSet) throws JOSEException {
        JWKMatcher createKeyMatcher = JWKSetSpec.RotatedRSASigning.createKeyMatcher(JWSAlgorithm.RS256);
        if (new JWKSelector(createKeyMatcher).select(jWKSet).isEmpty()) {
            throw new JOSEException("The JWK set must contain at least one signing RSA key pair with properties: " + createKeyMatcher);
        }
        if (new JWKSelector(JWKSetSpec.HMAC.KEY_MATCHER).select(jWKSet).isEmpty()) {
            throw new JOSEException("The JWK set must contain one HMAC secret key with properties: " + JWKSetSpec.HMAC.KEY_MATCHER);
        }
        if (new JWKSelector(JWKSetSpec.SubjectEncryption.KEY_MATCHER).select(jWKSet).isEmpty()) {
            throw new JOSEException("The JWK set must contain one subject encryption AES key with properties: " + JWKSetSpec.SubjectEncryption.KEY_MATCHER);
        }
        if (new JWKSelector(JWKSetSpec.RefreshTokenEncryption.KEY_MATCHER).select(jWKSet).isEmpty()) {
            throw new JOSEException("The JWK set must contain one refresh token encryption AES key with properties: " + JWKSetSpec.RefreshTokenEncryption.KEY_MATCHER);
        }
    }
}
