package org.soulwing.jwt.extension.service;

import java.util.Objects;
import java.util.Optional;
import org.soulwing.jwt.api.Assertions;
import org.soulwing.jwt.api.JWE;
import org.soulwing.jwt.api.JWS;
import org.soulwing.jwt.api.JWTProvider;
import org.soulwing.jwt.api.JWTValidator;
import org.soulwing.jwt.api.exceptions.JWTAssertionFailedException;
import org.soulwing.jwt.api.exceptions.JWTConfigurationException;
import org.soulwing.jwt.api.locator.JcaPublicKeyLocator;
import org.soulwing.jwt.api.locator.JcaX509CertificateValidator;

/* loaded from: input_file:org/soulwing/jwt/extension/service/JWTValidatorFactory.class */
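/**
 * Assembles a {@link JWTValidator} from a {@link Configuration}: claims assertions, a signature
 * operator factory and, when encryption is configured, an encryption operator factory.
 *
 * <p>The signature and encryption factories are invoked per token with that token's header, so
 * any value read from the header here is attacker-influenced until the signature has been
 * verified. The algorithm helpers below are where configured values are compared with header
 * values.
 */
class JWTValidatorFactory {
    private static final JWTValidatorFactory INSTANCE = new JWTValidatorFactory();

    JWTValidatorFactory() {
    }

    /**
     * Returns the shared factory instance.
     *
     * <p>The decompiler reports that this method was package-private in the class file.
     *
     * @return the singleton factory
     */
    public static JWTValidatorFactory getInstance() {
        return INSTANCE;
    }

    /**
     * Builds a validator for the given configuration.
     *
     * <p>The decompiler reports that this method was package-private in the class file.
     *
     * @param configuration source of the provider, assertions, signature and encryption settings
     * @return a validator that always checks signatures and claims, and additionally decrypts
     *     when an encryption configuration is present
     * @throws JWTConfigurationException declared by the original signature
     */
    public JWTValidator newValidator(Configuration configuration) throws JWTConfigurationException {
        JWTProvider provider = configuration.getProvider();
        JWTValidator.Builder validatorBuilder = provider.validator()
                .claimsAssertions(newAssertions(configuration))
                .signatureOperatorFactory(
                        newSignatureOperator(configuration.getSignatureConfiguration(), provider));
        // Encryption is optional: without an encryption configuration no JWE factory is registered.
        if (configuration.getEncryptionConfiguration() != null) {
            validatorBuilder.encryptionOperatorFactory(
                    newEncryptionOperator(configuration.getEncryptionConfiguration(), provider));
        }
        return validatorBuilder.build();
    }

    /**
     * Creates the factory that builds a signature operator for each token header.
     *
     * @param signatureConfiguration algorithm, key material and certificate-check settings
     * @param jWTProvider provider used to obtain the operator builder
     * @return a factory that configures verification from the configuration and the header
     */
    private JWS.Factory newSignatureOperator(SignatureConfiguration signatureConfiguration, JWTProvider jWTProvider) {
        return header -> {
            JWS.Builder signatureOperator = jWTProvider.signatureOperator();
            signatureOperator.algorithm(signatureAlgorithm(signatureConfiguration.getAlgorithm(), header));
            // Secret keys and a trust store are independent settings; either, both or neither
            // may be applied. NOTE(review): with neither configured the operator is built
            // without key material, and with both configured plus an unpinned algorithm the
            // header decides which key material applies. Confirm the provider rejects both cases.
            if (signatureConfiguration.getSecretKeys() != null) {
                signatureOperator.keyProvider(new ListSecretKeyProvider(signatureConfiguration.getSecretKeys()));
            }
            if (signatureConfiguration.getTrustStore() != null) {
                // Expiration, revocation and subject-only checks are all configuration-driven;
                // switching any of them off weakens certificate chain validation.
                signatureOperator.publicKeyLocator(JcaPublicKeyLocator.builder()
                        .chainLoader(new CertificateChainLoader(signatureConfiguration.getIssuerUrl()))
                        .certificateValidator(JcaX509CertificateValidator.builder()
                                .trustStore(signatureConfiguration.getTrustStore())
                                .checkExpiration(signatureConfiguration.isCheckCertificateExpiration())
                                .checkRevocation(signatureConfiguration.isCheckCertificateRevocation())
                                .checkSubjectOnly(signatureConfiguration.isCheckSubjectCertificateOnly())
                                .build())
                        .build());
            }
            return signatureOperator.build();
        };
    }

    /**
     * Resolves the signature algorithm to use for a token.
     *
     * @param algorithm the configured algorithm, or {@code null} when none is pinned
     * @param header the token's JWS header
     * @return the header's algorithm, or {@code null} when the header names none and no
     *     algorithm is configured
     * @throws JWTConfigurationException if an algorithm is configured and the header differs
     */
    private JWS.Algorithm signatureAlgorithm(JWS.Algorithm algorithm, JWS.Header header) throws JWTConfigurationException {
        JWS.Algorithm requested = Optional.ofNullable(header.getAlgorithm())
                .map(JWS.Algorithm::of)
                .orElse(null);
        // NOTE(review): when no algorithm is configured, the value returned is whatever the
        // token's own header declares, so the token chooses how its signature is verified.
        // Pinning the algorithm in SignatureConfiguration removes that choice; whether the
        // provider rejects unsecured or key-mismatched algorithms on its own is not visible here.
        if (algorithm == null || algorithm.equals(requested)) {
            return requested;
        }
        throw new JWTConfigurationException("required algorithm is `" + algorithm.toToken() + "`");
    }

    /**
     * Creates the factory that builds an encryption operator for each token header.
     *
     * @param encryptionConfiguration algorithms and key material used for decryption
     * @param jWTProvider provider used to obtain the operator builder
     * @return a factory that configures decryption from the configuration and the header
     */
    private JWE.Factory newEncryptionOperator(EncryptionConfiguration encryptionConfiguration, JWTProvider jWTProvider) {
        return header -> {
            JWE.Builder encryptionOperator = jWTProvider.encryptionOperator();
            encryptionOperator.keyManagementAlgorithm(
                    keyManagementAlgorithm(encryptionConfiguration.getKeyManagementAlgorithm(), header));
            encryptionOperator.contentEncryptionAlgorithm(
                    contentEncryptionAlgorithm(encryptionConfiguration.getContentEncryptionAlgorithm(), header));
            encryptionOperator.compressionAlgorithm(
                    compressionAlgorithm(encryptionConfiguration.getCompressionAlgorithm(), header));
            // Key pair storage takes precedence; secret keys are used only when it is absent.
            // With neither configured no key provider is set on the builder.
            if (encryptionConfiguration.getKeyPairStorage() != null) {
                encryptionOperator.keyProvider(new KeyPairStorageKeyProvider(encryptionConfiguration.getKeyPairStorage()));
            } else if (encryptionConfiguration.getSecretKeys() != null) {
                encryptionOperator.keyProvider(new ListSecretKeyProvider(encryptionConfiguration.getSecretKeys()));
            }
            encryptionOperator.contentType("JWT");
            return encryptionOperator.build();
        };
    }

    /**
     * Resolves the key management algorithm to use for a token.
     *
     * @param keyManagementAlgorithm the configured algorithm, or {@code null} when none is pinned
     * @param header the token's JWE header
     * @return the header's algorithm, or {@code null} when the header names none and no
     *     algorithm is configured
     * @throws JWTConfigurationException if an algorithm is configured and the header differs
     */
    private JWE.KeyManagementAlgorithm keyManagementAlgorithm(JWE.KeyManagementAlgorithm keyManagementAlgorithm, JWE.Header header) throws JWTConfigurationException {
        JWE.KeyManagementAlgorithm requested = Optional.ofNullable(header.getKeyManagementAlgorithm())
                .map(JWE.KeyManagementAlgorithm::of)
                .orElse(null);
        // With nothing configured the header value is accepted as-is (see signatureAlgorithm).
        if (keyManagementAlgorithm == null || keyManagementAlgorithm.equals(requested)) {
            return requested;
        }
        throw new JWTConfigurationException(
                "required key management algorithm is `" + keyManagementAlgorithm.toToken() + "`");
    }

    /**
     * Resolves the content encryption algorithm to use for a token.
     *
     * @param contentEncryptionAlgorithm the configured algorithm, or {@code null} when none is
     *     pinned
     * @param header the token's JWE header
     * @return the header's algorithm, or {@code null} when the header names none and no
     *     algorithm is configured
     * @throws JWTConfigurationException if an algorithm is configured and the header differs
     */
    private JWE.ContentEncryptionAlgorithm contentEncryptionAlgorithm(JWE.ContentEncryptionAlgorithm contentEncryptionAlgorithm, JWE.Header header) throws JWTConfigurationException {
        JWE.ContentEncryptionAlgorithm requested = Optional.ofNullable(header.getContentEncryptionAlgorithm())
                .map(JWE.ContentEncryptionAlgorithm::of)
                .orElse(null);
        // With nothing configured the header value is accepted as-is (see signatureAlgorithm).
        if (contentEncryptionAlgorithm == null || contentEncryptionAlgorithm.equals(requested)) {
            return requested;
        }
        throw new JWTConfigurationException(
                "required content encryption algorithm is `" + contentEncryptionAlgorithm.toToken() + "`");
    }

    /**
     * Resolves the compression algorithm to use for a token.
     *
     * @param compressionAlgorithm the configured algorithm, or {@code null} when none is pinned
     * @param header the token's JWE header
     * @return the header's algorithm, or {@code null} when the header names none and no
     *     algorithm is configured
     * @throws JWTConfigurationException if an algorithm is configured and the header differs
     */
    private JWE.CompressionAlgorithm compressionAlgorithm(JWE.CompressionAlgorithm compressionAlgorithm, JWE.Header header) throws JWTConfigurationException {
        JWE.CompressionAlgorithm requested = Optional.ofNullable(header.getCompressionAlgorithm())
                .map(JWE.CompressionAlgorithm::of)
                .orElse(null);
        // With nothing configured the header value is accepted as-is (see signatureAlgorithm).
        if (compressionAlgorithm == null || compressionAlgorithm.equals(requested)) {
            return requested;
        }
        // The message previously ended at the opening backtick and never named the required
        // algorithm; the configured value is appended via its string form.
        throw new JWTConfigurationException(
                "required compression algorithm is `" + compressionAlgorithm + "`");
    }

    /**
     * Builds the claims assertions applied to every validated token.
     *
     * <p>Always required: the configured issuer, non-expiry within the configured tolerance and
     * a non-null {@code sub} claim. Certificate subject and audience checks are added only when
     * the corresponding configuration is present, followed by any custom assertions.
     *
     * @param configuration source of issuer, tolerance, audience and custom assertions
     * @return the assembled assertions
     */
    private Assertions newAssertions(Configuration configuration) {
        Assertions.Builder assertions = configuration.getProvider().assertions();
        assertions.requireIssuer(configuration.getIssuer(), new String[0]);
        assertions.requireNotExpired(configuration.getExpirationTolerance());
        assertions.requireSubjectSatisfies(
                Objects::nonNull,
                str -> new JWTAssertionFailedException("`sub` claim is required"));
        if (configuration.getSignatureConfiguration().getTrustStore() != null) {
            // Bind the signing certificate to an identity: the configured subject name when
            // given, otherwise the token's issuer.
            String certificateSubjectName = configuration.getSignatureConfiguration().getCertificateSubjectName();
            if (certificateSubjectName != null) {
                assertions.requireCertificateSubjectMatches(certificateSubjectName);
            } else {
                assertions.requireCertificateSubjectMatchesIssuer();
            }
        }
        // NOTE(review): the audience is checked only when one is configured, so an
        // unconfigured audience means tokens issued for other recipients pass this step.
        if (configuration.getAudience() != null) {
            assertions.requireAudience(configuration.getAudience(), new String[0]);
        }
        configuration.getAssertions().forEach(assertionConfiguration ->
                assertions.requireSatisfies(
                        assertionConfiguration.getPredicate(),
                        assertionConfiguration.getErrorSupplier()));
        return assertions.build();
    }
}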
