package com.floragunn.dlic.auth.http.jwt.keybyoidc;

import com.google.common.base.Strings;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;

/* loaded from: input_file:com/floragunn/dlic/auth/http/jwt/keybyoidc/JwtVerifier.class */
public class JwtVerifier extends JoseJwtConsumer {
    private final KeyProvider keyProvider;

    public JwtVerifier(KeyProvider keyProvider) {
        this.keyProvider = keyProvider;
    }

    protected final JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwtToken) {
        return getInitializedSignatureVerifier(jwtToken.getJwsHeaders());
    }

    protected JwsSignatureVerifier getInitializedSignatureVerifier(JwsHeaders jwsHeaders) {
        String keyId = jwsHeaders.getKeyId();
        if (Strings.isNullOrEmpty(keyId)) {
            throw new JwtException("JWT did not contain kid (Headers: " + jwsHeaders + ")");
        }
        JsonWebKey keyByKid = this.keyProvider.getKeyByKid(keyId);
        if (keyByKid != null) {
            return JwsUtils.getSignatureVerifier(keyByKid);
        }
        throw new JwtException("Unknown kid " + keyId + " (Headers: " + jwsHeaders + ")");
    }

    protected JweDecryptionProvider getInitializedDecryptionProvider(JweHeaders jweHeaders) {
        return null;
    }

    public boolean isJwsRequired() {
        return true;
    }

    protected void validateToken(JwtToken jwtToken) {
        super.validateToken(jwtToken);
        JwtClaims claims = jwtToken.getClaims();
        if (claims != null) {
            JwtUtils.validateJwtExpiry(claims, getClockOffset(), false);
            JwtUtils.validateJwtNotBefore(claims, getClockOffset(), false);
        }
    }
}
