package org.apache.cxf.rs.security.oauth2.provider;

import java.security.cert.X509Certificate;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rt.security.crypto.CryptoUtils;

/* loaded from: input_file:lib/cxf-rt-rs-security-oauth2-3.3.1.jar:org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtConsumer.class */
public class OAuthServerJoseJwtConsumer extends OAuthJoseJwtConsumer {
    private boolean verifyWithClientCertificates;

    public JwtToken getJwtToken(String str, Client client) {
        return getJwtToken(str, getInitializedDecryptionProvider(client), getInitializedSignatureVerifier(client));
    }

    protected JweDecryptionProvider getInitializedDecryptionProvider(Client client) {
        if (client == null) {
            return null;
        }
        return super.getInitializedDecryptionProvider(client.getClientSecret());
    }

    protected JwsSignatureVerifier getInitializedSignatureVerifier(Client client) {
        JwsSignatureVerifier jwsSignatureVerifier = null;
        if (this.verifyWithClientCertificates && client != null && !client.getApplicationCertificates().isEmpty()) {
            jwsSignatureVerifier = JwsUtils.getPublicKeySignatureVerifier(((X509Certificate) CryptoUtils.decodeCertificate(client.getApplicationCertificates().get(0))).getPublicKey(), SignatureAlgorithm.RS256);
        }
        if (jwsSignatureVerifier == null && client != null && client.getClientSecret() != null) {
            jwsSignatureVerifier = super.getInitializedSignatureVerifier(client.getClientSecret());
        }
        return jwsSignatureVerifier;
    }

    public void setVerifyWithClientCertificates(boolean z) {
        if (isVerifyWithClientSecret()) {
            throw new SecurityException();
        }
        this.verifyWithClientCertificates = z;
    }
}
