package io.micronaut.security.token.jwt.nimbus;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.SignedJWT;
import io.micronaut.core.annotation.Internal;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.security.token.jwt.encryption.EncryptionConfiguration;
import io.micronaut.security.token.jwt.validator.JsonWebTokenEncryption;
import jakarta.inject.Singleton;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
@Internal
/* loaded from: input_file:io/micronaut/security/token/jwt/nimbus/NimbusJsonWebTokenEncryption.class */
class NimbusJsonWebTokenEncryption implements JsonWebTokenEncryption<EncryptedJWT, SignedJWT> {
    private static final Logger LOG = LoggerFactory.getLogger(NimbusJsonWebTokenEncryption.class);
    private final List<EncryptionConfiguration> encryptionConfigurationList;

    /* JADX INFO: Access modifiers changed from: package-private */
    public NimbusJsonWebTokenEncryption(List<EncryptionConfiguration> list) {
        this.encryptionConfigurationList = list;
    }

    @Override // io.micronaut.security.token.jwt.validator.JsonWebTokenEncryption
    @NonNull
    public Optional<SignedJWT> decrypt(@NonNull EncryptedJWT encryptedJWT) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Validating encrypted JWT");
        }
        if (LOG.isDebugEnabled() && this.encryptionConfigurationList.isEmpty()) {
            LOG.debug("JWT is encrypted and no encryption configurations -> not verified");
            return Optional.empty();
        }
        JWEHeader header = encryptedJWT.getHeader();
        ArrayList arrayList = new ArrayList(this.encryptionConfigurationList);
        arrayList.sort(comparator(header));
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            Optional<SignedJWT> decrypt = decrypt(encryptedJWT, (EncryptionConfiguration) it.next());
            if (decrypt.isPresent()) {
                return decrypt;
            }
        }
        return Optional.empty();
    }

    @NonNull
    private Optional<SignedJWT> decrypt(@NonNull EncryptedJWT encryptedJWT, @NonNull EncryptionConfiguration encryptionConfiguration) {
        if (LOG.isTraceEnabled()) {
            LOG.trace("Using encryption configuration: {}", encryptionConfiguration);
        }
        try {
            encryptionConfiguration.decrypt(encryptedJWT);
            SignedJWT signedJWT = encryptedJWT.getPayload().toSignedJWT();
            if (signedJWT != null) {
                return Optional.of(signedJWT);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Encrypted JWT couldn't be converted to a signed JWT.");
            }
            return Optional.empty();
        } catch (JOSEException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Decryption fails with encryption configuration: {}, passing to the next one", encryptionConfiguration);
            }
            return Optional.empty();
        }
    }

    private static Comparator<EncryptionConfiguration> comparator(JWEHeader jWEHeader) {
        JWEAlgorithm algorithm = jWEHeader.getAlgorithm();
        EncryptionMethod encryptionMethod = jWEHeader.getEncryptionMethod();
        return (encryptionConfiguration, encryptionConfiguration2) -> {
            boolean supports = encryptionConfiguration.supports(algorithm, encryptionMethod);
            if (supports == encryptionConfiguration2.supports(algorithm, encryptionMethod)) {
                return 0;
            }
            return supports ? -1 : 1;
        };
    }
}
