package com.atlassian.asap.nimbus.parser;

import com.atlassian.asap.api.AlgorithmType;
import com.atlassian.asap.api.JwsHeader;
import com.atlassian.asap.api.Jwt;
import com.atlassian.asap.api.JwtBuilder;
import com.atlassian.asap.api.JwtClaims;
import com.atlassian.asap.api.SigningAlgorithm;
import com.atlassian.asap.core.exception.SignatureMismatchException;
import com.atlassian.asap.core.exception.UnsupportedAlgorithmException;
import com.atlassian.asap.core.parser.VerifiableJwt;
import com.google.common.base.Predicates;
import com.google.common.collect.Maps;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import java.security.Provider;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import net.minidev.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/asap/nimbus/parser/NimbusVerifiableJwt.class */
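/**
 * A parsed JWT whose signature has not necessarily been checked yet, backed by a Nimbus
 * {@link JWSObject}.
 *
 * <p>{@link #getHeader()} and {@link #getClaims()} return the values parsed from the token whether
 * or not {@link #verifySignature(PublicKey)} has been called, and this class keeps no record of a
 * successful verification. Callers must therefore treat the header and claims as untrusted input
 * until {@code verifySignature} has returned normally for the key they resolved.
 */
public class NimbusVerifiableJwt implements VerifiableJwt {
    private static final Logger logger = LoggerFactory.getLogger(NimbusVerifiableJwt.class);

    // Claim names Nimbus reports as registered; every other claim is exposed as a custom claim.
    private static final Set<String> REGISTERED_CLAIM_NAMES = JWTClaimsSet.getRegisteredNames();

    // Header and claims as parsed from the token; not authenticated by construction.
    private final Jwt unverifiedJwt;
    // The serialized JWS the signature check is performed against.
    private final JWSObject jwsObject;
    // JCA provider handed to the Nimbus verifiers.
    private final Provider provider;

    /**
     * Wraps an already parsed token together with the JWS object it was parsed from.
     *
     * @param jwt the parsed, unverified header and claims
     * @param jWSObject the JWS object used for signature verification
     * @param provider the JCA provider to use when verifying
     */
    public NimbusVerifiableJwt(Jwt jwt, JWSObject jWSObject, Provider provider) {
        this.unverifiedJwt = jwt;
        this.jwsObject = jWSObject;
        this.provider = provider;
    }

    /**
     * Translates a Nimbus JWS object and claims set into a {@link VerifiableJwt}.
     *
     * <p>{@code exp} and {@code iat} are dereferenced unconditionally, so a claims set in which
     * either accessor returns {@code null} fails here with a {@link NullPointerException};
     * {@code sub} and {@code nbf} are treated as optional.
     * NOTE(review): presumably the calling parser rejects tokens without {@code exp}/{@code iat}
     * before reaching this method; confirm, since the token content is sender-controlled.
     *
     * @param jWSObject the parsed JWS object; its header supplies the algorithm and key id
     * @param jWTClaimsSet the parsed claims
     * @param provider the JCA provider to use when the signature is later verified
     * @return a token whose signature still has to be verified
     * @throws UnsupportedAlgorithmException if the header algorithm is not a {@link SigningAlgorithm}
     */
    public static VerifiableJwt buildVerifiableJwt(JWSObject jWSObject, JWTClaimsSet jWTClaimsSet, Provider provider) throws UnsupportedAlgorithmException {
        // The chain is kept in its original evaluation order so that the same failure surfaces
        // first when several fields of a malformed token are unusable.
        Jwt parsed = JwtBuilder.newJwt()
                .algorithm(getSigningAlgorithm(jWSObject.getHeader().getAlgorithm().getName()))
                .keyId(jWSObject.getHeader().getKeyID())
                .issuer(jWTClaimsSet.getIssuer())
                .jwtId(jWTClaimsSet.getJWTID())
                .subject(Optional.ofNullable(jWTClaimsSet.getSubject()))
                .audience(jWTClaimsSet.getAudience())
                .expirationTime(jWTClaimsSet.getExpirationTime().toInstant())
                .issuedAt(jWTClaimsSet.getIssueTime().toInstant())
                .notBefore(Optional.ofNullable(jWTClaimsSet.getNotBeforeTime()).map(notBefore -> notBefore.toInstant()))
                // Registered claims are already mapped above; only the remainder is passed on.
                .customClaims(NimbusJsr353Translator.nimbusToJsr353(new JSONObject(
                        Maps.filterKeys(jWTClaimsSet.getClaims(), Predicates.not(Predicates.in(REGISTERED_CLAIM_NAMES))))))
                .build();
        return new NimbusVerifiableJwt(parsed, jWSObject, provider);
    }

    /**
     * Verifies the token's signature with the given public key.
     *
     * <p>The algorithm used to pick the verifier is read from the token's own header, so it is
     * chosen by whoever produced the token. {@code verifierFor} only builds a verifier when that
     * algorithm's family matches the type of {@code publicKey}; any other combination is rejected.
     *
     * @param publicKey the key the caller resolved for this token
     * @throws SignatureMismatchException if the signature does not verify, or Nimbus fails while
     *     verifying
     * @throws UnsupportedAlgorithmException if the header algorithm and the key type do not match
     */
    @Override // com.atlassian.asap.core.parser.VerifiableJwt
    public void verifySignature(PublicKey publicKey) throws SignatureMismatchException, UnsupportedAlgorithmException {
        try {
            JWSVerifier verifier = verifierFor(this.unverifiedJwt.getHeader().getAlgorithm(), publicKey, this.provider);
            if (!this.jwsObject.verify(verifier)) {
                logger.debug("Invalid JWT signature");
                throw new SignatureMismatchException("Invalid JWT signature");
            }
        } catch (JOSEException e) {
            // Fail closed: a verifier error is reported as a mismatch. The cause is only logged;
            // it is not attached to the thrown exception.
            logger.error("Unexpected error when verifying a JWT signature", e);
            throw new SignatureMismatchException("Unexpected error when verifying JWT signature");
        }
    }

    /**
     * Builds the Nimbus verifier for an algorithm/key pair, refusing mismatched combinations.
     *
     * <p>An RSA public key is accepted for both the {@code RSA} and {@code RSASSA_PSS} families, and
     * an EC public key only for {@code ECDSA}. A {@code null} key, or any other pairing, is
     * rejected with {@link UnsupportedAlgorithmException}.
     * NOTE(review): for an RSA key the token header selects between the two RSA families; if a key
     * is meant for one scheme only, that has to be enforced by the caller. Confirm.
     *
     * @param signingAlgorithm the algorithm named in the token header
     * @param publicKey the key to verify with; may be {@code null}, which is rejected
     * @param provider the JCA provider installed on the verifier
     * @return a verifier bound to {@code publicKey} and {@code provider}
     * @throws UnsupportedAlgorithmException if the pairing is not supported or Nimbus rejects the key
     */
    private static JWSVerifier verifierFor(SigningAlgorithm signingAlgorithm, PublicKey publicKey, Provider provider) throws UnsupportedAlgorithmException {
        AlgorithmType family = signingAlgorithm.type();
        boolean rsaFamily = family == AlgorithmType.RSA || family == AlgorithmType.RSASSA_PSS;
        if (rsaFamily && publicKey instanceof RSAPublicKey) {
            RSASSAVerifier rsaVerifier = new RSASSAVerifier((RSAPublicKey) publicKey);
            rsaVerifier.getJCAContext().setProvider(provider);
            return rsaVerifier;
        }
        if (family == AlgorithmType.ECDSA && publicKey instanceof ECPublicKey) {
            try {
                ECDSAVerifier ecVerifier = new ECDSAVerifier((ECPublicKey) publicKey);
                ecVerifier.getJCAContext().setProvider(provider);
                return ecVerifier;
            } catch (JOSEException e) {
                logger.debug("Unsupported signing algorithm {} or public key algorithm {}", signingAlgorithm, keyAlgorithmOf(publicKey));
                throw new UnsupportedAlgorithmException(signingAlgorithm.name(), e);
            }
        }
        // A null key lands here as well. The key algorithm is read null-safely so that the
        // rejection is the declared exception rather than a NullPointerException from logging.
        logger.debug("Unsupported signing algorithm {} or public key algorithm {}", signingAlgorithm, keyAlgorithmOf(publicKey));
        throw new UnsupportedAlgorithmException(signingAlgorithm.name());
    }

    /** Returns the key's JCA algorithm name for logging, or {@code null} when no key was given. */
    private static String keyAlgorithmOf(PublicKey publicKey) {
        return publicKey == null ? null : publicKey.getAlgorithm();
    }

    /**
     * Maps a JWS {@code alg} header value onto a {@link SigningAlgorithm} constant.
     *
     * <p>The name is upper-cased before the lookup, so the match is case-insensitive; any name that
     * is not a {@code SigningAlgorithm} constant is rejected.
     * NOTE(review): RFC 7515 defines {@code alg} values as case-sensitive; confirm that accepting
     * other casings here is intended.
     *
     * @param str the algorithm name from the token header
     * @return the matching signing algorithm
     * @throws UnsupportedAlgorithmException if no constant has that name
     */
    private static SigningAlgorithm getSigningAlgorithm(String str) throws UnsupportedAlgorithmException {
        String constantName = str.toUpperCase(Locale.ROOT);
        try {
            return SigningAlgorithm.valueOf(constantName);
        } catch (IllegalArgumentException e) {
            throw new UnsupportedAlgorithmException(str + " is not a supported asymmetric JWS algorithm");
        }
    }

    /**
     * Returns the header as parsed from the token.
     *
     * @return the header; untrusted unless {@link #verifySignature(PublicKey)} has succeeded
     */
    @Override // com.atlassian.asap.api.Jwt
    public JwsHeader getHeader() {
        return this.unverifiedJwt.getHeader();
    }

    /**
     * Returns the claims as parsed from the token.
     *
     * @return the claims; untrusted unless {@link #verifySignature(PublicKey)} has succeeded
     */
    @Override // com.atlassian.asap.api.Jwt
    public JwtClaims getClaims() {
        return this.unverifiedJwt.getClaims();
    }
}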
