package com.nimbusds.oauth2.sdk.auth.verifier;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.proc.JWSVerifierFactory;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientSecretJWT;
import com.nimbusds.oauth2.sdk.auth.PlainClientSecret;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.auth.PublicKeyTLSClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.util.X509CertificateUtils;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import net.jcip.annotations.ThreadSafe;
import org.apache.commons.collections4.CollectionUtils;

/**
 * Verifies a client authentication presented to the authorisation server against the
 * credentials registered for that client.
 *
 * <p>Supported {@link ClientAuthentication} types and how each is checked:
 * <ul>
 *   <li>{@link PlainClientSecret} - the presented secret is compared against every
 *       registered secret with {@link Secret#equalsSHA256Based}.</li>
 *   <li>{@link ClientSecretJWT} - the assertion claims are verified first, then the JWS
 *       HMAC is tried with each registered secret.</li>
 *   <li>{@link PrivateKeyJWT} - the assertion claims are verified first, then the JWS
 *       signature is tried with each registered public key; a second key selection with the
 *       "remote JWK set" flag set is attempted only when {@link Hint#CLIENT_HAS_REMOTE_JWK_SET}
 *       is present.</li>
 *   <li>{@link PublicKeyTLSClientAuthentication} - the client X.509 certificate must carry a
 *       valid signature by one of the registered public keys (same two-round selection).</li>
 *   <li>{@link TLSClientAuthentication} - delegated to the configured
 *       {@link ClientX509CertificateBindingVerifier}; rejected when none is configured.</li>
 * </ul>
 *
 * <p>For the JWT based methods the claims set is checked before any credential lookup or
 * cryptographic verification takes place, and {@code null} entries in a selected key list
 * are skipped rather than passed to a verifier.
 *
 * <p>All fields are final and assigned in the constructor; the class is stateless otherwise.
 *
 * @param <T> type of the caller supplied {@link Context} passed through to the selectors.
 */
@ThreadSafe
/* loaded from: input_file:BOOT-INF/lib/oauth2-oidc-sdk-5.38.jar:com/nimbusds/oauth2/sdk/auth/verifier/ClientAuthenticationVerifier.class */
public class ClientAuthenticationVerifier<T> {

    /** Supplies the secrets / public keys registered for a client ID; never {@code null}. */
    private final ClientCredentialsSelector<T> clientCredentialsSelector;

    /** Checks the certificate binding for tls_client_auth; {@code null} disables that method. */
    private final ClientX509CertificateBindingVerifier<T> certBindingVerifier;

    /** Verifies the claims of client_secret_jwt / private_key_jwt assertions against the expected audience. */
    private final JWTAuthenticationClaimsSetVerifier claimsSetVerifier;

    /** Builds a JWS verifier from the assertion header and a candidate public key. */
    private final JWSVerifierFactory jwsVerifierFactory = new DefaultJWSVerifierFactory();

    /**
     * Creates a new verifier.
     *
     * @param clientCredentialsSelector         Selector for the registered client credentials.
     *                                          Must not be {@code null}.
     * @param clientX509CertificateBindingVerifier Verifier for tls_client_auth certificate
     *                                          bindings, {@code null} if that method is not
     *                                          supported.
     * @param set                               The expected audience of JWT client assertions.
     *
     * @throws IllegalArgumentException If the credentials selector is {@code null}.
     */
    public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector,
                                        ClientX509CertificateBindingVerifier<T> clientX509CertificateBindingVerifier,
                                        Set<Audience> set) {
        // The claims-set verifier is built before the selector is validated, as in the original.
        this.claimsSetVerifier = new JWTAuthenticationClaimsSetVerifier(set);
        if (clientCredentialsSelector == null) {
            throw new IllegalArgumentException("The client credentials selector must not be null");
        }
        this.clientCredentialsSelector = clientCredentialsSelector;
        this.certBindingVerifier = clientX509CertificateBindingVerifier;
    }

    /**
     * Returns the selector for the registered client credentials.
     *
     * @return The client credentials selector, never {@code null}.
     */
    public ClientCredentialsSelector<T> getClientCredentialsSelector() {
        return this.clientCredentialsSelector;
    }

    /**
     * Returns the tls_client_auth certificate binding verifier.
     *
     * @return The binding verifier, {@code null} if tls_client_auth is not supported.
     */
    public ClientX509CertificateBindingVerifier<T> getClientX509CertificateBindingVerifier() {
        return this.certBindingVerifier;
    }

    /**
     * Returns the expected audience of JWT client assertions.
     *
     * @return The expected audience, as held by the claims-set verifier.
     */
    public Set<Audience> getExpectedAudience() {
        return this.claimsSetVerifier.getExpectedAudience();
    }

    /**
     * Verifies a client authentication. Returns normally on success.
     *
     * @param clientAuthentication The client authentication to verify.
     * @param set                  Optional hints, e.g. {@link Hint#CLIENT_HAS_REMOTE_JWK_SET};
     *                             may be {@code null}.
     * @param context              Caller supplied context passed to the selectors.
     *
     * @throws InvalidClientException If the authentication is rejected (no registered
     *                                credential, bad secret / HMAC / signature, bad or expired
     *                                JWT claims, missing certificate, unsupported
     *                                tls_client_auth).
     * @throws JOSEException          On an internal JOSE error while verifying a JWT.
     * @throws RuntimeException       If the authentication type is not one of the supported
     *                                classes (a programming error, not a client failure).
     */
    public void verify(ClientAuthentication clientAuthentication, Set<Hint> set, Context<T> context)
        throws InvalidClientException, JOSEException {

        // PublicKeyTLSClientAuthentication is tested before the more general
        // TLSClientAuthentication, so the order of this chain matters.
        if (clientAuthentication instanceof PlainClientSecret) {
            verifyPlainSecret((PlainClientSecret) clientAuthentication, context);
        } else if (clientAuthentication instanceof ClientSecretJWT) {
            verifyClientSecretJWT((ClientSecretJWT) clientAuthentication, context);
        } else if (clientAuthentication instanceof PrivateKeyJWT) {
            verifyPrivateKeyJWT((PrivateKeyJWT) clientAuthentication, set, context);
        } else if (clientAuthentication instanceof PublicKeyTLSClientAuthentication) {
            verifySelfSignedTLSClientAuth((PublicKeyTLSClientAuthentication) clientAuthentication, set, context);
        } else if (clientAuthentication instanceof TLSClientAuthentication) {
            verifyTLSClientAuth((TLSClientAuthentication) clientAuthentication, context);
        } else {
            throw new RuntimeException("Unexpected client authentication: " + clientAuthentication.getMethod());
        }
    }

    /** True when the caller signalled that the client publishes a remote JWK set. */
    private static boolean remoteJWKSetAvailable(Set<Hint> hints) {
        return hints != null && hints.contains(Hint.CLIENT_HAS_REMOTE_JWK_SET);
    }

    /**
     * client_secret_basic / client_secret_post: the presented secret must match one of the
     * registered secrets (digest based comparison, see {@link Secret#equalsSHA256Based}).
     */
    private void verifyPlainSecret(PlainClientSecret auth, Context<T> context)
        throws InvalidClientException, JOSEException {

        List<Secret> registered = this.clientCredentialsSelector.selectClientSecrets(auth.getClientID(), auth.getMethod(), context);
        if (CollectionUtils.isEmpty(registered)) {
            throw InvalidClientException.NO_REGISTERED_SECRET;
        }
        Secret presented = auth.getClientSecret();
        for (Secret candidate : registered) {
            if (presented.equalsSHA256Based(candidate)) {
                return;
            }
        }
        throw InvalidClientException.BAD_SECRET;
    }

    /**
     * client_secret_jwt: claims first, then the HMAC is tried with every registered secret.
     * A bad / expired claims set is reported as an {@link InvalidClientException}.
     */
    private void verifyClientSecretJWT(ClientSecretJWT auth, Context<T> context)
        throws InvalidClientException, JOSEException {

        try {
            // Claims (audience etc.) are checked before any secret is looked up or any MAC computed.
            this.claimsSetVerifier.verify(auth.getJWTAuthenticationClaimsSet().toJWTClaimsSet());

            List<Secret> registered = this.clientCredentialsSelector.selectClientSecrets(auth.getClientID(), auth.getMethod(), context);
            if (CollectionUtils.isEmpty(registered)) {
                throw InvalidClientException.NO_REGISTERED_SECRET;
            }
            SignedJWT assertion = auth.getClientAssertion();
            for (Secret candidate : registered) {
                // MACVerifier may reject a secret that does not meet its key requirements; that
                // surfaces as a JOSEException rather than a BAD_JWT_HMAC.
                if (assertion.verify(new MACVerifier(candidate.getValueBytes()))) {
                    return;
                }
            }
            throw InvalidClientException.BAD_JWT_HMAC;
        } catch (BadJWTException e) {
            throw new InvalidClientException("Bad / expired JWT claims: " + e.getMessage());
        }
    }

    /**
     * private_key_jwt: claims first, then the signature is tried with the registered public
     * keys; a second selection with the remote-JWK flag is made only on a matching hint.
     */
    private void verifyPrivateKeyJWT(PrivateKeyJWT auth, Set<Hint> hints, Context<T> context)
        throws InvalidClientException, JOSEException {

        try {
            this.claimsSetVerifier.verify(auth.getJWTAuthenticationClaimsSet().toJWTClaimsSet());

            SignedJWT assertion = auth.getClientAssertion();
            List<? extends PublicKey> localKeys = this.clientCredentialsSelector.selectPublicKeys(
                auth.getClientID(), auth.getMethod(), assertion.getHeader(), false, context);
            if (assertionSignedByAny(assertion, localKeys)) {
                return;
            }
            if (remoteJWKSetAvailable(hints)) {
                List<? extends PublicKey> remoteKeys = this.clientCredentialsSelector.selectPublicKeys(
                    auth.getClientID(), auth.getMethod(), assertion.getHeader(), true, context);
                if (assertionSignedByAny(assertion, remoteKeys)) {
                    return;
                }
            }
            throw InvalidClientException.BAD_JWT_SIGNATURE;
        } catch (BadJWTException e) {
            throw new InvalidClientException("Bad / expired JWT claims: " + e.getMessage());
        }
    }

    /**
     * Tries the assertion signature against each candidate key. The verifier is built by the
     * factory from the assertion header and the key, so the header algorithm and the key type
     * have to agree (that check is the factory's, not this class's).
     *
     * @throws InvalidClientException {@link InvalidClientException#NO_MATCHING_JWK} if the
     *                                candidate list is {@code null} or empty.
     */
    private boolean assertionSignedByAny(SignedJWT assertion, List<? extends PublicKey> candidates)
        throws InvalidClientException, JOSEException {

        if (CollectionUtils.isEmpty(candidates)) {
            throw InvalidClientException.NO_MATCHING_JWK;
        }
        for (PublicKey key : candidates) {
            if (key == null) {
                continue; // never hand a null key to the verifier factory
            }
            if (assertion.verify(this.jwsVerifierFactory.createJWSVerifier(assertion.getHeader(), key))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Self-signed certificate TLS client authentication: the client certificate must carry a
     * valid signature by one of the registered public keys.
     */
    private void verifySelfSignedTLSClientAuth(PublicKeyTLSClientAuthentication auth, Set<Hint> hints, Context<T> context)
        throws InvalidClientException, JOSEException {

        X509Certificate clientCert = auth.getClientX509Certificate();
        if (clientCert == null) {
            throw new InvalidClientException("Missing client X.509 certificate");
        }
        // No JWS header is available for a certificate, hence the null header argument.
        List<? extends PublicKey> localKeys = this.clientCredentialsSelector.selectPublicKeys(
            auth.getClientID(), auth.getMethod(), null, false, context);
        if (certificateSignedByAny(clientCert, localKeys)) {
            return;
        }
        if (remoteJWKSetAvailable(hints)) {
            List<? extends PublicKey> remoteKeys = this.clientCredentialsSelector.selectPublicKeys(
                auth.getClientID(), auth.getMethod(), null, true, context);
            if (certificateSignedByAny(clientCert, remoteKeys)) {
                return;
            }
        }
        throw InvalidClientException.BAD_SELF_SIGNED_CLIENT_CERTIFICATE;
    }

    /**
     * Checks the certificate signature against each candidate key, skipping {@code null} entries.
     *
     * @throws InvalidClientException {@link InvalidClientException#NO_MATCHING_JWK} if the
     *                                candidate list is {@code null} or empty.
     */
    private static boolean certificateSignedByAny(X509Certificate clientCert, List<? extends PublicKey> candidates)
        throws InvalidClientException, JOSEException {

        if (CollectionUtils.isEmpty(candidates)) {
            throw InvalidClientException.NO_MATCHING_JWK;
        }
        for (PublicKey key : candidates) {
            if (key != null && X509CertificateUtils.hasValidSignature(clientCert, key)) {
                return true;
            }
        }
        return false;
    }

    /**
     * tls_client_auth: delegates the subject / root DN binding check to the configured
     * verifier; rejected outright when no verifier was configured.
     */
    private void verifyTLSClientAuth(TLSClientAuthentication auth, Context<T> context)
        throws InvalidClientException, JOSEException {

        if (this.certBindingVerifier == null) {
            throw new InvalidClientException("Mutual TLS client Authentication (tls_client_auth) not supported");
        }
        this.certBindingVerifier.verifyCertificateBinding(
            auth.getClientID(),
            auth.getClientX509CertificateSubjectDN(),
            auth.getClientX509CertificateRootDN(),
            context);
    }
}
