package com.nimbusds.openid.connect.provider.jwkset;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.bc.BouncyCastleProviderSingleton;
import com.nimbusds.jose.crypto.impl.RSASSAProvider;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.OctetKeyPair;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jose.jwk.gen.OctetKeyPairGenerator;
import com.nimbusds.jose.jwk.gen.OctetSequenceKeyGenerator;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.util.DateUtils;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.crypto.SecretKey;
import org.bouncycastle.pqc.crypto.crystals.kyber.KyberEngine;

/* loaded from: input_file:com/nimbusds/openid/connect/provider/jwkset/JWKSetSpec.class */
public final class JWKSetSpec {
    // RSA modulus sizes, in bits, accepted by the RSA key matchers built in this class
    // (RotatedRSAEncryption.KEY_MATCHER and RotatedRSASigning.createKeyMatcher).
    // NOTE(review): 1024 is on the list, so a 1024-bit private RSA key present in the JWK set
    // is still selectable for encryption or signing. That is below the 2048-bit minimum of
    // current guidance (e.g. NIST SP 800-131A). Presumably kept so legacy keys keep loading;
    // confirm, and consider alerting on such keys when the set is loaded.
    // NOTE(review): the array is public and its elements are writable. createKeyMatcher in
    // RotatedRSASigning reads it on every call, so a write to an element changes which key
    // sizes are accepted from then on.
    public static final int[] RSA_KEY_BIT_SIZES = {1024, 2048, 3072, 4096};

    /* loaded from: input_file:com/nimbusds/openid/connect/provider/jwkset/JWKSetSpec$HMAC.class */
    /**
     * Specification of the secret key used to apply HMAC to objects.
     *
     * <p>The key is an octet sequence JWK with key ID "hmac", use {@code sig} and a length of
     * 256 bits.
     */
    public static class HMAC {
        /** Required key length, in bits. */
        public static final int KEY_BIT_SIZE = 256;

        /** Required key ID. */
        public static final String KEY_ID = "hmac";

        /** Selects private {@code oct} keys with the required size, use and key ID. */
        public static final JWKMatcher KEY_MATCHER =
            new JWKMatcher.Builder()
                .keyType(KeyType.OCT)
                .keySize(KEY_BIT_SIZE)
                .privateOnly(true)
                .keyUse(KeyUse.SIGNATURE)
                .keyID(KEY_ID)
                .build();

        private HMAC() {
            // Holder of constants and static helpers; never instantiated.
        }

        /**
         * Generates a fresh HMAC key that satisfies {@link #KEY_MATCHER}, with its issue time set
         * to the current time (seconds precision).
         *
         * @return the generated octet sequence key
         * @throws JOSEException if key generation fails
         */
        public static OctetSequenceKey generateKey() throws JOSEException {
            OctetSequenceKeyGenerator generator = new OctetSequenceKeyGenerator(KEY_BIT_SIZE);
            return generator
                .keyUse(KeyUse.SIGNATURE)
                .keyID(KEY_ID)
                .issueTime(DateUtils.nowWithSecondsPrecision())
                .generate();
        }

        /**
         * Loads the HMAC key from the given JWK set.
         *
         * @param jWKSet the JWK set to search; must be non-null and non-empty
         * @return the first matching key as a {@code SecretKey} for "HmacSha256"
         * @throws JOSEException if the set is missing or empty, or holds no matching key
         */
        public static SecretKey loadKey(JWKSet jWKSet) throws JOSEException {
            JWKSetSpec.ensureNotEmpty(jWKSet);
            List<JWK> candidates = new JWKSelector(KEY_MATCHER).select(jWKSet);
            if (!candidates.isEmpty()) {
                // NOTE(review): unlike the loaders for the refresh token and subject encryption
                // keys in this file, more than one match is not rejected here; the first is used.
                OctetSequenceKey hmacKey = (OctetSequenceKey) candidates.get(0);
                return hmacKey.toSecretKey("HmacSha256");
            }
            throw new JOSEException("Couldn't find eligible secret JSON Web Key (JWK) for applying HMAC to objects: Required key ID \"hmac\", required key use \"sig\", required key size 256 bits");
        }
    }

    /* loaded from: input_file:com/nimbusds/openid/connect/provider/jwkset/JWKSetSpec$RefreshTokenEncryption.class */
    /**
     * Specification of the single secret key used to encrypt refresh tokens.
     *
     * <p>The key is an octet sequence JWK with key ID "refresh-token-encrypt", use {@code enc}
     * and a length of 256 bits.
     */
    public static class RefreshTokenEncryption {
        /** Required key length, in bits. */
        public static final int KEY_BIT_SIZE = 256;

        /** Required key ID. */
        public static final String KEY_ID = "refresh-token-encrypt";

        /** Selects private {@code oct} keys with the required size, use and key ID. */
        public static final JWKMatcher KEY_MATCHER =
            new JWKMatcher.Builder()
                .keyType(KeyType.OCT)
                .keySize(KEY_BIT_SIZE)
                .privateOnly(true)
                .keyUse(KeyUse.ENCRYPTION)
                .keyID(KEY_ID)
                .build();

        private RefreshTokenEncryption() {
            // Holder of constants and static helpers; never instantiated.
        }

        /**
         * Generates a fresh refresh token encryption key that satisfies {@link #KEY_MATCHER},
         * with its issue time set to the current time (seconds precision).
         *
         * @return the generated octet sequence key
         * @throws JOSEException if key generation fails
         */
        public static OctetSequenceKey generateKey() throws JOSEException {
            OctetSequenceKeyGenerator generator = new OctetSequenceKeyGenerator(KEY_BIT_SIZE);
            return generator
                .keyUse(KeyUse.ENCRYPTION)
                .keyID(KEY_ID)
                .issueTime(DateUtils.nowWithSecondsPrecision())
                .generate();
        }

        /**
         * Loads the refresh token encryption key from the given JWK set.
         *
         * @param jWKSet the JWK set to search; must be non-null and non-empty
         * @return the matching key as a {@code SecretKey} for "AES"
         * @throws JOSEException if the set is missing or empty, holds no matching key, or holds
         *                       more than one matching key
         */
        public static SecretKey loadKey(JWKSet jWKSet) throws JOSEException {
            JWKSetSpec.ensureNotEmpty(jWKSet);
            List<JWK> candidates = new JWKSelector(KEY_MATCHER).select(jWKSet);
            int found = candidates.size();
            if (found == 0) {
                throw new JOSEException("Couldn't find eligible secret JSON Web Key (JWK) for refresh token encryption: Required key ID \"refresh-token-encrypt\", required key use \"enc\", required key size 256 bits");
            }
            // Exactly one key may carry this ID; an ambiguous set is refused rather than guessed at.
            if (found > 1) {
                throw new JOSEException("Too many refresh token encryption keys, must be one");
            }
            OctetSequenceKey encryptionKey = (OctetSequenceKey) candidates.get(0);
            return encryptionKey.toSecretKey("AES");
        }
    }

    /* loaded from: input_file:com/nimbusds/openid/connect/provider/jwkset/JWKSetSpec$RotatedAccessTokenDirectEncryption.class */
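    /**
     * Specification of the rotated secret keys used for direct ({@code dir}) encryption of
     * access tokens.
     */
    public static class RotatedAccessTokenDirectEncryption {
        /**
         * Accepted key lengths, in bits. Element 0 is the default used by
         * {@link #generateKey(String)}.
         *
         * <p>The fourth entry is the plain value 384. The decompiled listing rendered it as
         * {@code KyberEngine.KyberPolyBytes}, an unrelated BouncyCastle constant with the same
         * value, which wrongly suggested a dependency on a post-quantum primitive.
         */
        public static final int[] KEY_BIT_SIZES = {128, 192, 256, 384, 512};

        /**
         * Selects private {@code oct} keys of any size in {@link #KEY_BIT_SIZES}, with use
         * {@code enc}, a key ID, and algorithm {@code dir} (the {@code null} entry presumably
         * lets keys without an {@code alg} parameter match too; confirm against JWKMatcher).
         *
         * @deprecated use {@link #createKeyMatcher(EncryptionMethod)}, which pins the key size
         *             to the encryption method
         */
        @Deprecated
        public static final JWKMatcher KEY_MATCHER = new JWKMatcher.Builder()
            .keyType(KeyType.OCT)
            .keySizes(KEY_BIT_SIZES)
            .privateOnly(true)
            .algorithms(JWEAlgorithm.DIR, null)
            .keyUses(KeyUse.ENCRYPTION)
            .hasKeyID(true)
            .build();

        /**
         * Builds a matcher for keys usable with the given encryption method: same criteria as
         * {@link #KEY_MATCHER}, but the key size must equal the method's CEK bit length.
         *
         * @param encryptionMethod the content encryption method; must not be null
         * @return the key matcher
         */
        public static JWKMatcher createKeyMatcher(EncryptionMethod encryptionMethod) {
            return new JWKMatcher.Builder()
                .keyType(KeyType.OCT)
                .keySize(encryptionMethod.cekBitLength())
                .privateOnly(true)
                .algorithms(JWEAlgorithm.DIR, null)
                .keyUses(KeyUse.ENCRYPTION)
                .hasKeyID(true)
                .build();
        }

        /**
         * Generates a key of the default size ({@code KEY_BIT_SIZES[0]}) with the given key ID.
         *
         * @param str the key ID
         * @return the generated octet sequence key
         * @throws JOSEException if key generation fails
         */
        public static OctetSequenceKey generateKey(String str) throws JOSEException {
            return generateKey(str, KEY_BIT_SIZES[0]);
        }

        /**
         * Generates a key of the given size with use {@code enc}, the given key ID and the
         * issue time set to the current time (seconds precision).
         *
         * <p>NOTE(review): the size is not checked against {@link #KEY_BIT_SIZES} here, so a
         * key generated with another size would not be selected by the matchers above.
         *
         * @param str the key ID
         * @param i   the key length, in bits
         * @return the generated octet sequence key
         * @throws JOSEException if key generation fails
         */
        public static OctetSequenceKey generateKey(String str, int i) throws JOSEException {
            return new OctetSequenceKeyGenerator(i)
                .keyUse(KeyUse.ENCRYPTION)
                .keyID(str)
                .issueTime(DateUtils.nowWithSecondsPrecision())
                .generate();
        }

        /**
         * Loads every key in the set that satisfies {@link #KEY_MATCHER}.
         *
         * @param jWKSet the JWK set to search
         * @return the matching keys, in selection order; empty if none match
         * @deprecated use {@link #loadKeys(JWKSet, EncryptionMethod)}
         */
        @Deprecated
        public static List<OctetSequenceKey> loadKeys(JWKSet jWKSet) {
            return toOctetSequenceKeys(new JWKSelector(KEY_MATCHER).select(jWKSet));
        }

        /**
         * Loads every key in the set that is usable with the given encryption method.
         *
         * @param jWKSet           the JWK set to search
         * @param encryptionMethod the content encryption method; must not be null
         * @return the matching keys, in selection order; empty if none match
         */
        public static List<OctetSequenceKey> loadKeys(JWKSet jWKSet, EncryptionMethod encryptionMethod) {
            return toOctetSequenceKeys(new JWKSelector(createKeyMatcher(encryptionMethod)).select(jWKSet));
        }

        /** Converts the selected JWKs into a typed, mutable list of octet sequence keys. */
        private static List<OctetSequenceKey> toOctetSequenceKeys(List<JWK> selected) {
            // Typed list instead of the raw LinkedList the original built.
            List<OctetSequenceKey> keys = new LinkedList<>();
            for (JWK jwk : selected) {
                keys.add(jwk.toOctetSequenceKey());
            }
            return keys;
        }

        private RotatedAccessTokenDirectEncryption() {
        }
    }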

    /* loaded from: input_file:com/nimbusds/openid/connect/provider/jwkset/JWKSetSpec$RotatedECDHEncryption.class */
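    /**
     * Specification of the rotated EC keys used for ECDH encryption.
     */
    public static class RotatedECDHEncryption {
        /** Curves listed as supported for these keys, in declaration order. */
        public static final Set<Curve> SUPPORTED_CURVES =
            // Diamond instead of the raw LinkedHashSet, so the element type is checked.
            Collections.unmodifiableSet(new LinkedHashSet<>(Arrays.asList(Curve.P_256, Curve.P_384, Curve.P_521)));

        /**
         * Selects private EC keys with use {@code enc} and a key ID.
         *
         * <p>NOTE(review): the matcher does not restrict the curve to
         * {@link #SUPPORTED_CURVES}, so an EC key on any other curve is selected as well.
         * Confirm that the caller filters by curve.
         */
        public static final JWKMatcher KEY_MATCHER = new JWKMatcher.Builder()
            .keyType(KeyType.EC)
            .privateOnly(true)
            .keyUse(KeyUse.ENCRYPTION)
            .hasKeyID(true)
            .build();

        /**
         * Generates an EC key on the given curve with use {@code enc}, the given key ID and the
         * issue time set to the current time (seconds precision).
         *
         * <p>NOTE(review): the curve is not checked against {@link #SUPPORTED_CURVES} here.
         *
         * @param curve the curve to generate the key on
         * @param str   the key ID
         * @return the generated EC key
         * @throws JOSEException if key generation fails
         */
        public static ECKey generateKey(Curve curve, String str) throws JOSEException {
            return new ECKeyGenerator(curve)
                .keyUse(KeyUse.ENCRYPTION)
                .keyID(str)
                .issueTime(DateUtils.nowWithSecondsPrecision())
                .generate();
        }

        private RotatedECDHEncryption() {
        }
    }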

    /* loaded from: input_file:com/nimbusds/openid/connect/provider/jwkset/JWKSetSpec$RotatedECSigning.class */
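    /**
     * Specification of the rotated EC keys used for signing.
     */
    public static class RotatedECSigning {
        /** Curves listed as supported for these keys, in declaration order. */
        public static final Set<Curve> SUPPORTED_CURVES =
            // Diamond instead of the raw LinkedHashSet, so the element type is checked.
            Collections.unmodifiableSet(
                new LinkedHashSet<>(Arrays.asList(Curve.P_256, Curve.P_384, Curve.P_521, Curve.SECP256K1)));

        /**
         * Builds a matcher for private EC signing keys usable with the given algorithm: the
         * curve must be one of those {@code Curve.forJWSAlgorithm} returns for it, the key must
         * have use {@code sig} and a key ID, and its algorithm must be the given one (the
         * {@code null} entry presumably lets keys without an {@code alg} parameter match too).
         *
         * @param jWSAlgorithm the JWS algorithm
         * @return the key matcher
         * @throws IllegalArgumentException if no curve is defined for the algorithm
         */
        public static JWKMatcher createKeyMatcher(JWSAlgorithm jWSAlgorithm) {
            Set<Curve> curves = Curve.forJWSAlgorithm(jWSAlgorithm);
            if (curves == null) {
                throw new IllegalArgumentException("Invalid / unsupported EC DSA algorithm: " + jWSAlgorithm);
            }
            return new JWKMatcher.Builder()
                .keyType(KeyType.EC)
                .curves(curves)
                .privateOnly(true)
                .algorithms(jWSAlgorithm, null)
                .keyUses(KeyUse.SIGNATURE)
                .hasKeyID(true)
                .build();
        }

        /**
         * Generates an EC key on the given curve with use {@code sig}, the given key ID and the
         * issue time set to the current time (seconds precision), using the BouncyCastle
         * provider singleton.
         *
         * <p>NOTE(review): the curve is not checked against {@link #SUPPORTED_CURVES} here.
         *
         * @param curve the curve to generate the key on
         * @param str   the key ID
         * @return the generated EC key
         * @throws JOSEException if key generation fails
         */
        public static ECKey generateKey(Curve curve, String str) throws JOSEException {
            return new ECKeyGenerator(curve)
                .keyUse(KeyUse.SIGNATURE)
                .keyID(str)
                .issueTime(DateUtils.nowWithSecondsPrecision())
                .provider(BouncyCastleProviderSingleton.getInstance())
                .generate();
        }

        /**
         * Loads every key in the set that is usable for signing with the given algorithm.
         *
         * @param jWKSet       the JWK set to search
         * @param jWSAlgorithm the JWS algorithm
         * @return the matching keys, in selection order; empty if none match
         * @throws JOSEException if the algorithm is not a supported EC signature algorithm
         */
        public static List<ECKey> loadKeys(JWKSet jWKSet, JWSAlgorithm jWSAlgorithm) throws JOSEException {
            try {
                List<JWK> selected = new JWKSelector(createKeyMatcher(jWSAlgorithm)).select(jWKSet);
                // Typed list instead of the raw LinkedList the original built.
                List<ECKey> keys = new LinkedList<>();
                for (JWK jwk : selected) {
                    keys.add(jwk.toECKey());
                }
                return keys;
            } catch (IllegalArgumentException e) {
                // Keep the original exception as the cause so the stack trace is not lost.
                throw new JOSEException(e.getMessage(), e);
            }
        }

        private RotatedECSigning() {
        }
    }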

    /* loaded from: input_file:com/nimbusds/openid/connect/provider/jwkset/JWKSetSpec$RotatedEdDSASigning.class */
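    /**
     * Specification of the rotated Ed25519 keys used for EdDSA signing.
     */
    public static class RotatedEdDSASigning {
        /**
         * Selects private {@code OKP} keys on curve Ed25519 with use {@code sig}, a key ID and
         * algorithm EdDSA (the {@code null} entry presumably lets keys without an {@code alg}
         * parameter match too; confirm against JWKMatcher).
         */
        public static final JWKMatcher KEY_MATCHER = new JWKMatcher.Builder()
            .keyType(KeyType.OKP)
            .curve(Curve.Ed25519)
            .privateOnly(true)
            .algorithms(JWSAlgorithm.EdDSA, null)
            .keyUses(KeyUse.SIGNATURE)
            .hasKeyID(true)
            .build();

        /**
         * Generates an Ed25519 key pair with use {@code sig}, the given key ID and the issue
         * time set to the current time (seconds precision).
         *
         * @param str the key ID
         * @return the generated octet key pair
         * @throws JOSEException if key generation fails
         */
        public static OctetKeyPair generateKey(String str) throws JOSEException {
            return new OctetKeyPairGenerator(Curve.Ed25519)
                .keyUse(KeyUse.SIGNATURE)
                .keyID(str)
                .issueTime(DateUtils.nowWithSecondsPrecision())
                .generate();
        }

        /**
         * Loads every key in the set that satisfies {@link #KEY_MATCHER}.
         *
         * @param jWKSet the JWK set to search
         * @return the matching keys, in selection order; empty if none match
         */
        public static List<OctetKeyPair> loadKeys(JWKSet jWKSet) {
            List<JWK> selected = new JWKSelector(KEY_MATCHER).select(jWKSet);
            // Typed list instead of the raw LinkedList the original built.
            List<OctetKeyPair> keys = new LinkedList<>();
            for (JWK jwk : selected) {
                keys.add(jwk.toOctetKeyPair());
            }
            return keys;
        }

        private RotatedEdDSASigning() {
        }
    }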

    /* loaded from: input_file:com/nimbusds/openid/connect/provider/jwkset/JWKSetSpec$RotatedRSAEncryption.class */
    /**
     * Specification of the rotated RSA keys used for encryption.
     */
    public static class RotatedRSAEncryption {
        /** Modulus length, in bits, of keys produced by {@link #generateKey(String)}. */
        public static final int KEY_BIT_SIZE = 2048;

        /**
         * Selects private RSA keys with use {@code enc}, a key ID and a size listed in
         * {@link JWKSetSpec#RSA_KEY_BIT_SIZES}.
         *
         * <p>NOTE(review): that list contains 1024, so a 1024-bit key in the set is selected
         * even though new keys are generated at 2048 bits.
         */
        public static final JWKMatcher KEY_MATCHER =
            new JWKMatcher.Builder()
                .keyType(KeyType.RSA)
                .privateOnly(true)
                .keyUse(KeyUse.ENCRYPTION)
                .hasKeyID(true)
                .keySizes(JWKSetSpec.RSA_KEY_BIT_SIZES)
                .build();

        private RotatedRSAEncryption() {
            // Holder of constants and static helpers; never instantiated.
        }

        /**
         * Generates a 2048-bit RSA key with use {@code enc}, the given key ID and the issue
         * time set to the current time (seconds precision).
         *
         * @param str the key ID
         * @return the generated RSA key
         * @throws JOSEException if key generation fails
         */
        public static RSAKey generateKey(String str) throws JOSEException {
            RSAKeyGenerator generator = new RSAKeyGenerator(KEY_BIT_SIZE);
            return generator
                .keyUse(KeyUse.ENCRYPTION)
                .keyID(str)
                .issueTime(DateUtils.nowWithSecondsPrecision())
                .generate();
        }
    }

    /* loaded from: input_file:com/nimbusds/openid/connect/provider/jwkset/JWKSetSpec$RotatedRSASigning.class */
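    /**
     * Specification of the rotated RSA keys used for signing.
     */
    public static class RotatedRSASigning {
        /** Default modulus length, in bits, used by {@link #generateKey(String)}. */
        public static final int KEY_BIT_SIZE = 2048;

        /**
         * Builds a matcher for private RSA signing keys usable with the given algorithm: use
         * {@code sig}, a key ID, a size listed in {@link JWKSetSpec#RSA_KEY_BIT_SIZES}, and the
         * given algorithm (the {@code null} entry presumably lets keys without an {@code alg}
         * parameter match too; confirm against JWKMatcher).
         *
         * <p>NOTE(review): the size list contains 1024, so a 1024-bit signing key in the set
         * is selected. The list is read on every call.
         *
         * @param jWSAlgorithm the JWS algorithm
         * @return the key matcher
         */
        public static JWKMatcher createKeyMatcher(JWSAlgorithm jWSAlgorithm) {
            return new JWKMatcher.Builder()
                .keyType(KeyType.RSA)
                .privateOnly(true)
                .algorithms(jWSAlgorithm, null)
                .keyUses(KeyUse.SIGNATURE)
                .keySizes(JWKSetSpec.RSA_KEY_BIT_SIZES)
                .hasKeyID(true)
                .build();
        }

        /**
         * Generates an RSA signing key of the default size ({@link #KEY_BIT_SIZE}).
         *
         * @param str the key ID
         * @return the generated RSA key
         * @throws JOSEException if key generation fails
         */
        public static RSAKey generateKey(String str) throws JOSEException {
            return generateKey(str, KEY_BIT_SIZE);
        }

        /**
         * Generates an RSA key of the given size with use {@code sig}, the given key ID and the
         * issue time set to the current time (seconds precision).
         *
         * <p>NOTE(review): the size is not checked here; any validation is left to
         * {@code RSAKeyGenerator}.
         *
         * @param str the key ID
         * @param i   the modulus length, in bits
         * @return the generated RSA key
         * @throws JOSEException if key generation fails
         */
        public static RSAKey generateKey(String str, int i) throws JOSEException {
            return new RSAKeyGenerator(i)
                .keyUse(KeyUse.SIGNATURE)
                .keyID(str)
                .issueTime(DateUtils.nowWithSecondsPrecision())
                .generate();
        }

        /**
         * Loads every key in the set that is usable for signing with the given algorithm.
         *
         * @param jWKSet       the JWK set to search
         * @param jWSAlgorithm the JWS algorithm; must be in
         *                     {@code RSASSAProvider.SUPPORTED_ALGORITHMS}
         * @return the matching keys, in selection order; empty if none match
         * @throws JOSEException if the algorithm is not a supported RSA signature algorithm
         */
        public static List<RSAKey> loadKeys(JWKSet jWKSet, JWSAlgorithm jWSAlgorithm) throws JOSEException {
            // Refuse anything outside the RSA signature allow-list before touching the key set.
            if (!RSASSAProvider.SUPPORTED_ALGORITHMS.contains(jWSAlgorithm)) {
                throw new JOSEException("Invalid / unsupported RSA signature algorithm: " + jWSAlgorithm);
            }
            List<JWK> selected = new JWKSelector(createKeyMatcher(jWSAlgorithm)).select(jWKSet);
            // Typed list instead of the raw LinkedList the original built.
            List<RSAKey> keys = new LinkedList<>();
            for (JWK jwk : selected) {
                keys.add(jwk.toRSAKey());
            }
            return keys;
        }

        private RotatedRSASigning() {
        }
    }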

    /* loaded from: input_file:com/nimbusds/openid/connect/provider/jwkset/JWKSetSpec$SubjectEncryption.class */
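    /**
     * Specification of the single secret key used to encrypt pairwise subject identifiers.
     *
     * <p>The key is an octet sequence JWK with key ID "subject-encrypt", use {@code enc} and a
     * length listed in {@link #KEY_BIT_SIZES}.
     */
    public static class SubjectEncryption {
        /**
         * Accepted key lengths, in bits. Element 0 is the size used by {@link #generateKey()}.
         *
         * <p>The second entry is the plain value 384. The decompiled listing rendered it as
         * {@code KyberEngine.KyberPolyBytes}, an unrelated BouncyCastle constant with the same
         * value, which wrongly suggested a dependency on a post-quantum primitive.
         */
        public static final int[] KEY_BIT_SIZES = {256, 384, 512};

        /** Required key ID. */
        public static final String KEY_ID = "subject-encrypt";

        /** Selects private {@code oct} keys with an accepted size, use {@code enc} and the key ID. */
        public static final JWKMatcher KEY_MATCHER = new JWKMatcher.Builder()
            .keyType(KeyType.OCT)
            .keySizes(KEY_BIT_SIZES)
            .privateOnly(true)
            .keyUse(KeyUse.ENCRYPTION)
            .keyID(KEY_ID)
            .build();

        /**
         * Generates a fresh subject encryption key of size {@code KEY_BIT_SIZES[0]}, with its
         * issue time set to the current time (seconds precision).
         *
         * @return the generated octet sequence key
         * @throws JOSEException if key generation fails
         */
        public static OctetSequenceKey generateKey() throws JOSEException {
            return new OctetSequenceKeyGenerator(KEY_BIT_SIZES[0])
                .keyUse(KeyUse.ENCRYPTION)
                .keyID(KEY_ID)
                .issueTime(DateUtils.nowWithSecondsPrecision())
                .generate();
        }

        /**
         * Loads the subject encryption key from the given JWK set.
         *
         * @param jWKSet the JWK set to search; must be non-null and non-empty
         * @return the matching key as a {@code SecretKey} for "AES"
         * @throws JOSEException if the set is missing or empty, holds no matching key, or holds
         *                       more than one matching key
         */
        public static SecretKey loadKey(JWKSet jWKSet) throws JOSEException {
            JWKSetSpec.ensureNotEmpty(jWKSet);
            List<JWK> candidates = new JWKSelector(KEY_MATCHER).select(jWKSet);
            if (candidates.isEmpty()) {
                throw new JOSEException("Couldn't find eligible secret JSON Web Key (JWK) for pairwise subject encryption: Required key ID \"subject-encrypt\", required key use \"enc\", required key sizes " + Arrays.toString(KEY_BIT_SIZES) + " bits");
            }
            // Exactly one key may carry this ID; an ambiguous set is refused rather than guessed at.
            if (candidates.size() > 1) {
                throw new JOSEException("Too many pairwise subject encryption keys, must be one");
            }
            return ((OctetSequenceKey) candidates.get(0)).toSecretKey("AES");
        }

        private SubjectEncryption() {
        }
    }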

    /**
     * Rejects a JWK set that is {@code null} or contains no keys.
     *
     * @param jWKSet the JWK set to check
     * @throws JOSEException if the set is {@code null} or empty
     */
    private static void ensureNotEmpty(JWKSet jWKSet) throws JOSEException {
        boolean hasKeys = jWKSet != null && !jWKSet.getKeys().isEmpty();
        if (hasKeys) {
            return;
        }
        throw new JOSEException("Missing or empty JSON Web Key (JWK) set");
    }
}
