package com.nimbusds.jose.jwk.loader;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.X509CertUtils;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;

/* loaded from: input_file:com/nimbusds/jose/jwk/loader/SigningJWKFeeder.class */
public class SigningJWKFeeder<T extends JWK> {
    protected final HashMap<X509Certificate, T> sortedX509Keys = new LinkedHashMap();
    protected final List<T> plainKeys = new LinkedList();

    private static X509Certificate getCertificate(JWK jwk) {
        if (jwk.getX509CertChain() == null || jwk.getX509CertChain().size() == 0) {
            return null;
        }
        Base64 base64 = (Base64) jwk.getX509CertChain().get(0);
        if (base64 == null) {
            throw new IllegalArgumentException("Couldn't parse x.509 certificate from JWK with ID " + jwk.getKeyID() + ": Empty certificate");
        }
        X509Certificate parse = X509CertUtils.parse(base64.decode());
        if (parse == null) {
            throw new IllegalArgumentException("Couldn't parse X.509 certificate from JWK with ID " + jwk.getKeyID());
        }
        if (parse.getNotBefore() == null) {
            throw new IllegalArgumentException("Missing not-before attribute for X.509 certificate for JWK with ID " + jwk.getKeyID());
        }
        if (parse.getNotAfter() == null) {
            throw new IllegalArgumentException("Missing not-after attribute for X.509 certificate for JWK with ID " + jwk.getKeyID());
        }
        return parse;
    }

    public SigningJWKFeeder(List<T> list) {
        if (list.isEmpty()) {
            throw new IllegalArgumentException("The JWK list must not be empty");
        }
        LinkedList<JWK> linkedList = new LinkedList();
        for (T t : list) {
            if (!KeyUse.SIGNATURE.equals(t.getKeyUse())) {
                throw new IllegalArgumentException("The use of JWK with ID " + t.getKeyID() + " must be signature");
            }
            if (getCertificate(t) != null) {
                linkedList.add(t);
            } else {
                this.plainKeys.add(t);
            }
        }
        linkedList.sort(Collections.reverseOrder(new X509CertExpirationComparator()));
        for (JWK jwk : linkedList) {
            this.sortedX509Keys.put(getCertificate(jwk), jwk);
        }
    }

    public T getJWK() {
        if (this.sortedX509Keys.isEmpty()) {
            return this.plainKeys.get(0);
        }
        Date date = new Date();
        KeyType keyType = null;
        for (Map.Entry<X509Certificate, T> entry : this.sortedX509Keys.entrySet()) {
            X509Certificate key = entry.getKey();
            if (!date.before(key.getNotBefore())) {
                if (date.before(key.getNotAfter())) {
                    return entry.getValue();
                }
                keyType = entry.getValue().getKeyType();
            }
        }
        Loggers.MAIN_LOG.error("[SE2000] No signing {} key with active (nbf < now < exp) X.509 certificate, using the first available. Add new key(s)!", keyType);
        return this.sortedX509Keys.values().iterator().next();
    }

    public int size() {
        return this.sortedX509Keys.size() + this.plainKeys.size();
    }
}
