package com.nimbusds.oauth2.sdk.auth.verifier;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.proc.JWSVerifierFactory;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientSecretJWT;
import com.nimbusds.oauth2.sdk.auth.PKITLSClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.PlainClientSecret;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.auth.SelfSignedTLSClientAuthentication;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import com.nimbusds.oauth2.sdk.util.ListUtils;
import com.nimbusds.oauth2.sdk.util.X509CertificateUtils;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import net.jcip.annotations.ThreadSafe;

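/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/oauth2-client-plugin-3.0.6.jar:com/nimbusds/oauth2/sdk/auth/verifier/ClientAuthenticationVerifier.class */
/**
 * Verifies a {@link ClientAuthentication} against the credentials registered
 * for the claimed client ID, as supplied by a {@link ClientCredentialsSelector}.
 *
 * <p>Supported authentication types and how each one is checked:
 * <ul>
 *   <li>{@link PlainClientSecret}: the presented secret is compared with every
 *       registered (non-null) secret.</li>
 *   <li>{@link ClientSecretJWT}: the assertion claims are verified first, then
 *       the HMAC is checked with every registered secret that still has a
 *       value (erased secrets are skipped).</li>
 *   <li>{@link PrivateKeyJWT}: the assertion claims are verified first, then the
 *       signature is checked against the selected public keys; if none matches
 *       and the caller passed {@link Hint#CLIENT_HAS_REMOTE_JWK_SET}, the keys
 *       are selected a second time with the selector's boolean flag set
 *       (presumably a forced refresh of a remote JWK set) before giving up.</li>
 *   <li>{@link SelfSignedTLSClientAuthentication}: the public key of the client
 *       certificate must match one of the selected public keys, with the same
 *       optional second selection.</li>
 *   <li>{@link PKITLSClientAuthentication}: delegated to the configured
 *       certificate binding verifier.</li>
 * </ul>
 *
 * <p>Every authentication failure surfaces as an {@link InvalidClientException};
 * failures inside JOSE processing (e.g. building a verifier for a candidate
 * key) surface as {@link JOSEException}.
 *
 * <p>This class holds only final references, so its thread-safety is that of
 * the injected selector and binding verifiers.
 *
 * @param <T> the type of the optional {@link Context} handed to the selector
 *            and to the certificate binding verifiers
 */
@ThreadSafe
public class ClientAuthenticationVerifier<T> {

    /** Supplies the secrets and public keys registered for a claimed client ID; never {@code null}. */
    private final ClientCredentialsSelector<T> clientCredentialsSelector;

    /**
     * Legacy subject-DN based binding verifier for {@code tls_client_auth}; only
     * consulted when no {@link #pkiCertBindingVerifier} is configured. May be
     * {@code null}.
     */
    @Deprecated
    private final ClientX509CertificateBindingVerifier<T> certBindingVerifier;

    /** Certificate based binding verifier for {@code tls_client_auth}; may be {@code null}. */
    private final PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier;

    /** Checks the claims set of client assertion JWTs, including the expected audience. */
    private final JWTAuthenticationClaimsSetVerifier claimsSetVerifier;

    /** Builds a signature verifier from an assertion header and a candidate public key. */
    private final JWSVerifierFactory jwsVerifierFactory = new DefaultJWSVerifierFactory();

    /**
     * Shared initialiser for the public constructors.
     *
     * @param clientCredentialsSelector the credentials selector, must not be {@code null}
     * @param certBindingVerifier       the legacy binding verifier, may be {@code null}
     * @param pkiCertBindingVerifier    the PKI binding verifier, may be {@code null}
     * @param expectedAudience          the audience expected in client assertion JWTs
     * @throws IllegalArgumentException if the selector is {@code null}
     */
    private ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector,
                                         ClientX509CertificateBindingVerifier<T> certBindingVerifier,
                                         PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier,
                                         Set<Audience> expectedAudience) {
        if (clientCredentialsSelector == null) {
            throw new IllegalArgumentException("The client credentials selector must not be null");
        }
        this.clientCredentialsSelector = clientCredentialsSelector;
        this.certBindingVerifier = certBindingVerifier;
        this.pkiCertBindingVerifier = pkiCertBindingVerifier;
        this.claimsSetVerifier = new JWTAuthenticationClaimsSetVerifier(expectedAudience);
    }

    /**
     * Creates a verifier using the legacy subject-DN based binding verifier.
     *
     * @param clientCredentialsSelector          the credentials selector, must not be {@code null}
     * @param clientX509CertificateBindingVerifier the legacy binding verifier, may be {@code null}
     * @param set                                the audience expected in client assertion JWTs
     * @throws IllegalArgumentException if the selector is {@code null}
     * @deprecated use {@link #ClientAuthenticationVerifier(ClientCredentialsSelector, PKIClientX509CertificateBindingVerifier, Set)}
     */
    @Deprecated
    public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, ClientX509CertificateBindingVerifier<T> clientX509CertificateBindingVerifier, Set<Audience> set) {
        this(clientCredentialsSelector, clientX509CertificateBindingVerifier, null, set);
    }

    /**
     * Creates a verifier without any {@code tls_client_auth} support.
     *
     * @param clientCredentialsSelector the credentials selector, must not be {@code null}
     * @param set                       the audience expected in client assertion JWTs
     * @throws IllegalArgumentException if the selector is {@code null}
     */
    public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> set) {
        this(clientCredentialsSelector, null, null, set);
    }

    /**
     * Creates a verifier using a PKI certificate binding verifier for {@code tls_client_auth}.
     *
     * @param clientCredentialsSelector                the credentials selector, must not be {@code null}
     * @param pKIClientX509CertificateBindingVerifier  the PKI binding verifier, may be {@code null}
     * @param set                                      the audience expected in client assertion JWTs
     * @throws IllegalArgumentException if the selector is {@code null}
     */
    public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pKIClientX509CertificateBindingVerifier, Set<Audience> set) {
        this(clientCredentialsSelector, null, pKIClientX509CertificateBindingVerifier, set);
    }

    /** @return the configured credentials selector, never {@code null} */
    public ClientCredentialsSelector<T> getClientCredentialsSelector() {
        return this.clientCredentialsSelector;
    }

    /**
     * @return the legacy binding verifier, {@code null} if none was configured
     * @deprecated use {@link #getPKIClientX509CertificateBindingVerifier()}
     */
    @Deprecated
    public ClientX509CertificateBindingVerifier<T> getClientX509CertificateBindingVerifier() {
        return this.certBindingVerifier;
    }

    /** @return the PKI binding verifier, {@code null} if none was configured */
    public PKIClientX509CertificateBindingVerifier<T> getPKIClientX509CertificateBindingVerifier() {
        return this.pkiCertBindingVerifier;
    }

    /** @return the audience expected in client assertion JWTs */
    public Set<Audience> getExpectedAudience() {
        return this.claimsSetVerifier.getExpectedAudience();
    }

    /**
     * Drops {@code null} entries and erased secrets (those whose value or value
     * bytes are {@code null}) from a list of registered secrets.
     *
     * @param secrets the registered secrets, may be {@code null}
     * @return the usable secrets in a new list, or {@code null} if the input was {@code null}
     */
    private static List<Secret> removeNullOrErased(List<Secret> secrets) {
        List<Secret> nonNull = ListUtils.removeNullItems(secrets);
        if (nonNull == null) {
            return null;
        }
        // Iterate the null-filtered copy, not the input: the input may still
        // hold null entries, which would NPE on getValue() below.
        List<Secret> usable = new LinkedList<Secret>();
        for (Secret secret : nonNull) {
            if (secret.getValue() != null && secret.getValueBytes() != null) {
                usable.add(secret);
            }
        }
        return usable;
    }

    /**
     * Whether the caller indicated that the client's keys live in a remote JWK
     * set, which enables a second key selection after a failed first attempt.
     *
     * @param hints the verification hints, may be {@code null}
     * @return {@code true} if {@link Hint#CLIENT_HAS_REMOTE_JWK_SET} is present
     */
    private static boolean hasRemoteJWKSetHint(Set<Hint> hints) {
        return hints != null && hints.contains(Hint.CLIENT_HAS_REMOTE_JWK_SET);
    }

    /**
     * Verifies the client authentication.
     *
     * @param clientAuthentication the authentication to verify, must not be {@code null}
     * @param set                  optional verification hints, may be {@code null}
     * @param context              optional context passed to the selector and binding verifiers
     * @throws InvalidClientException if the client could not be authenticated
     * @throws JOSEException          on a JOSE processing error (e.g. an unusable candidate key)
     * @throws RuntimeException       if the authentication type is not one handled here
     */
    public void verify(ClientAuthentication clientAuthentication, Set<Hint> set, Context<T> context) throws InvalidClientException, JOSEException {
        if (clientAuthentication instanceof PlainClientSecret) {
            verifyPlainClientSecret((PlainClientSecret) clientAuthentication, context);
        } else if (clientAuthentication instanceof ClientSecretJWT) {
            verifyClientSecretJWT((ClientSecretJWT) clientAuthentication, context);
        } else if (clientAuthentication instanceof PrivateKeyJWT) {
            verifyPrivateKeyJWT((PrivateKeyJWT) clientAuthentication, set, context);
        } else if (clientAuthentication instanceof SelfSignedTLSClientAuthentication) {
            verifySelfSignedTLSClientAuthentication((SelfSignedTLSClientAuthentication) clientAuthentication, set, context);
        } else if (clientAuthentication instanceof PKITLSClientAuthentication) {
            verifyPKITLSClientAuthentication((PKITLSClientAuthentication) clientAuthentication, context);
        } else {
            throw new RuntimeException("Unexpected client authentication: " + clientAuthentication.getMethod());
        }
    }

    /**
     * Compares the presented plain secret with every registered secret.
     *
     * @throws InvalidClientException {@code NO_REGISTERED_SECRET} if no secret is
     *         registered, {@code BAD_SECRET} if none matches
     */
    private void verifyPlainClientSecret(PlainClientSecret auth, Context<T> context) throws InvalidClientException {
        List<Secret> registered = ListUtils.removeNullItems(
                this.clientCredentialsSelector.selectClientSecrets(auth.getClientID(), auth.getMethod(), context));
        if (CollectionUtils.isEmpty(registered)) {
            throw InvalidClientException.NO_REGISTERED_SECRET;
        }
        Secret presented = auth.getClientSecret();
        for (Secret candidate : registered) {
            // NOTE(review): the comparison is whatever Secret.equals does;
            // confirm it is constant-time in the SDK version bundled here.
            if (candidate.equals(presented)) {
                return;
            }
        }
        throw InvalidClientException.BAD_SECRET;
    }

    /**
     * Verifies a client_secret_jwt style assertion: claims first, then the HMAC
     * against every registered secret that still has a value.
     *
     * @throws InvalidClientException on bad / expired claims, {@code NO_REGISTERED_SECRET}
     *         if no usable secret is registered, {@code BAD_JWT_HMAC} if none verifies
     * @throws JOSEException if a MAC verifier cannot be built or applied
     */
    private void verifyClientSecretJWT(ClientSecretJWT auth, Context<T> context) throws InvalidClientException, JOSEException {
        try {
            this.claimsSetVerifier.verify(auth.getJWTAuthenticationClaimsSet().toJWTClaimsSet(), null);
        } catch (BadJWTException e) {
            throw new InvalidClientException("Bad / expired JWT claims: " + e.getMessage());
        }
        List<Secret> usable = removeNullOrErased(
                this.clientCredentialsSelector.selectClientSecrets(auth.getClientID(), auth.getMethod(), context));
        if (CollectionUtils.isEmpty(usable)) {
            throw InvalidClientException.NO_REGISTERED_SECRET;
        }
        SignedJWT assertion = auth.getClientAssertion();
        for (Secret candidate : usable) {
            if (assertion.verify(new MACVerifier(candidate.getValueBytes()))) {
                return;
            }
        }
        throw InvalidClientException.BAD_JWT_HMAC;
    }

    /**
     * Verifies a private_key_jwt style assertion: claims first, then the
     * signature against the selected public keys, with one more selection when
     * the remote JWK set hint is present.
     *
     * @throws InvalidClientException on bad / expired claims, {@code NO_MATCHING_JWK}
     *         if a selection yields no key, {@code BAD_JWT_SIGNATURE} if no key verifies
     * @throws JOSEException if a signature verifier cannot be built or applied for a candidate key
     */
    private void verifyPrivateKeyJWT(PrivateKeyJWT auth, Set<Hint> hints, Context<T> context) throws InvalidClientException, JOSEException {
        try {
            this.claimsSetVerifier.verify(auth.getJWTAuthenticationClaimsSet().toJWTClaimsSet(), null);
        } catch (BadJWTException e) {
            throw new InvalidClientException("Bad / expired JWT claims: " + e.getMessage());
        }
        SignedJWT assertion = auth.getClientAssertion();
        if (signatureVerifiesWithAny(assertion, selectPublicKeysOrThrow(auth, assertion, false, context))) {
            return;
        }
        if (hasRemoteJWKSetHint(hints)
                && signatureVerifiesWithAny(assertion, selectPublicKeysOrThrow(auth, assertion, true, context))) {
            return;
        }
        throw InvalidClientException.BAD_JWT_SIGNATURE;
    }

    /**
     * Checks that the client certificate's public key matches one of the
     * selected public keys, with one more selection when the remote JWK set
     * hint is present.
     *
     * @throws InvalidClientException if the certificate is missing, {@code NO_MATCHING_JWK}
     *         if a selection yields no key, {@code BAD_SELF_SIGNED_CLIENT_CERTIFICATE} if none matches
     */
    private void verifySelfSignedTLSClientAuthentication(SelfSignedTLSClientAuthentication auth, Set<Hint> hints, Context<T> context) throws InvalidClientException {
        X509Certificate clientCert = auth.getClientX509Certificate();
        if (clientCert == null) {
            throw new InvalidClientException("Missing client X.509 certificate");
        }
        if (certificateMatchesAny(clientCert, selectPublicKeysOrThrow(auth, null, false, context))) {
            return;
        }
        if (hasRemoteJWKSetHint(hints)
                && certificateMatchesAny(clientCert, selectPublicKeysOrThrow(auth, null, true, context))) {
            return;
        }
        throw InvalidClientException.BAD_SELF_SIGNED_CLIENT_CERTIFICATE;
    }

    /**
     * Delegates {@code tls_client_auth} to the PKI binding verifier, falling
     * back to the legacy subject-DN verifier.
     *
     * @throws InvalidClientException if neither verifier is configured, or if the
     *         configured verifier rejects the binding
     */
    private void verifyPKITLSClientAuthentication(PKITLSClientAuthentication auth, Context<T> context) throws InvalidClientException {
        if (this.pkiCertBindingVerifier != null) {
            this.pkiCertBindingVerifier.verifyCertificateBinding(auth.getClientID(), auth.getClientX509Certificate(), context);
        } else if (this.certBindingVerifier != null) {
            this.certBindingVerifier.verifyCertificateBinding(auth.getClientID(), auth.getClientX509CertificateSubjectDN(), context);
        } else {
            throw new InvalidClientException("Mutual TLS client Authentication (tls_client_auth) not supported");
        }
    }

    /**
     * Selects the public keys for the client and drops {@code null} entries.
     *
     * @param auth         the authentication whose client ID and method are used for selection
     * @param assertion    the client assertion whose header is passed to the selector, or
     *                     {@code null} when there is none (TLS based authentication)
     * @param forceRefresh the selector's boolean flag (set on the second attempt after a
     *                     remote JWK set hint)
     * @param context      optional context passed to the selector
     * @return the non-null candidate keys, never empty
     * @throws InvalidClientException {@code NO_MATCHING_JWK} if no key remains
     */
    private List<? extends PublicKey> selectPublicKeysOrThrow(ClientAuthentication auth, SignedJWT assertion, boolean forceRefresh, Context<T> context) throws InvalidClientException {
        List<? extends PublicKey> candidates = ListUtils.removeNullItems(
                this.clientCredentialsSelector.selectPublicKeys(
                        auth.getClientID(),
                        auth.getMethod(),
                        assertion != null ? assertion.getHeader() : null,
                        forceRefresh,
                        context));
        if (CollectionUtils.isEmpty(candidates)) {
            throw InvalidClientException.NO_MATCHING_JWK;
        }
        return candidates;
    }

    /**
     * Whether the assertion's signature verifies with at least one candidate key.
     * A candidate for which no verifier can be built aborts the loop with the
     * resulting {@link JOSEException}, as in the original implementation.
     */
    private boolean signatureVerifiesWithAny(SignedJWT assertion, List<? extends PublicKey> candidates) throws JOSEException {
        for (PublicKey candidate : candidates) {
            if (assertion.verify(this.jwsVerifierFactory.createJWSVerifier(assertion.getHeader(), candidate))) {
                return true;
            }
        }
        return false;
    }

    /** Whether the certificate's public key matches at least one candidate key. */
    private static boolean certificateMatchesAny(X509Certificate clientCert, List<? extends PublicKey> candidates) {
        for (PublicKey candidate : candidates) {
            if (X509CertificateUtils.publicKeyMatches(clientCert, candidate)) {
                return true;
            }
        }
        return false;
    }
}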
