package com.nimbusds.oauth2.sdk.auth;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.http.CommonContentTypes;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.util.URLUtils;
import java.net.URI;
import java.security.Provider;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import net.jcip.annotations.Immutable;

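/**
 * Client authentication with a private-key-signed JWT assertion
 * ({@link ClientAuthenticationMethod#PRIVATE_KEY_JWT}). The assertion is
 * signed with the client's RSA or EC private key.
 *
 * <p>Security note for code that <em>receives</em> such an assertion: nothing
 * in this class verifies the signature or the claims. The only check made on
 * a parsed assertion is that the {@code alg} value in its header belongs to
 * {@link #getSupportedJWAs()}, and that header is supplied by the sender. A
 * server therefore still has to
 * <ul>
 *   <li>verify the signature with the public key registered for the client,
 *       choosing the key and the expected algorithm from the registration
 *       rather than from the JWT header;</li>
 *   <li>check the audience, the expiration time and, to prevent replay, the
 *       JWT ID of the assertion.</li>
 * </ul>
 * NOTE(review): the inherited {@code JWTAuthentication} helpers are not visible
 * here; confirm that they do not already perform any of these checks.
 */
@Immutable
public final class PrivateKeyJWT extends JWTAuthentication {

    /**
     * The JWS algorithms accepted for the assertion, built once. The set is
     * unmodifiable and its elements are constants, so sharing it is safe.
     */
    private static final Set<JWSAlgorithm> SUPPORTED_JWAS;

    static {
        // Typed set: the raw HashSet used before compiled with unchecked warnings.
        Set<JWSAlgorithm> algs = new HashSet<JWSAlgorithm>();
        algs.add(JWSAlgorithm.RS256);
        algs.add(JWSAlgorithm.RS384);
        algs.add(JWSAlgorithm.RS512);
        algs.add(JWSAlgorithm.PS256);
        algs.add(JWSAlgorithm.PS384);
        algs.add(JWSAlgorithm.PS512);
        algs.add(JWSAlgorithm.ES256);
        algs.add(JWSAlgorithm.ES384);
        algs.add(JWSAlgorithm.ES512);
        SUPPORTED_JWAS = Collections.unmodifiableSet(algs);
    }

    /**
     * Returns the JWS algorithms a private key JWT assertion may use: the
     * RSA (RS*, PS*) and ECDSA (ES*) families. HMAC algorithms are not in the
     * set, so an assertion whose header names one is rejected by the
     * {@link #PrivateKeyJWT(SignedJWT)} constructor.
     *
     * @return the supported algorithms, as an unmodifiable set
     */
    public static Set<JWSAlgorithm> getSupportedJWAs() {
        return SUPPORTED_JWAS;
    }

    /**
     * Creates and signs a client assertion with an RSA private key.
     *
     * @param jWTAuthenticationClaimsSet the claims to put in the assertion
     * @param jWSAlgorithm               the JWS algorithm for the header
     * @param rSAPrivateKey              the signing key
     * @param provider                   the JCA provider to sign with, or
     *                                   {@code null} to leave the signer's
     *                                   JCA context unchanged
     * @return the signed assertion
     * @throws JOSEException if signing fails
     */
    public static SignedJWT createClientAssertion(JWTAuthenticationClaimsSet jWTAuthenticationClaimsSet, JWSAlgorithm jWSAlgorithm, RSAPrivateKey rSAPrivateKey, Provider provider) throws JOSEException {
        // NOTE(review): an algorithm that does not fit an RSA key is presumably
        // rejected by the signer with a JOSEException - confirm.
        JWSHeader header = new JWSHeader(jWSAlgorithm);
        SignedJWT assertion = new SignedJWT(header, jWTAuthenticationClaimsSet.toJWTClaimsSet());
        RSASSASigner signer = new RSASSASigner(rSAPrivateKey);
        if (provider != null) {
            signer.getJCAContext().setProvider(provider);
        }
        assertion.sign(signer);
        return assertion;
    }

    /**
     * Creates and signs a client assertion with an EC private key.
     *
     * @param jWTAuthenticationClaimsSet the claims to put in the assertion
     * @param jWSAlgorithm               the JWS algorithm for the header
     * @param eCPrivateKey               the signing key
     * @param provider                   the JCA provider to sign with, or
     *                                   {@code null} to leave the signer's
     *                                   JCA context unchanged
     * @return the signed assertion
     * @throws JOSEException if signing fails
     */
    public static SignedJWT createClientAssertion(JWTAuthenticationClaimsSet jWTAuthenticationClaimsSet, JWSAlgorithm jWSAlgorithm, ECPrivateKey eCPrivateKey, Provider provider) throws JOSEException {
        // NOTE(review): an algorithm that does not fit the key's curve is
        // presumably rejected by the signer with a JOSEException - confirm.
        JWSHeader header = new JWSHeader(jWSAlgorithm);
        SignedJWT assertion = new SignedJWT(header, jWTAuthenticationClaimsSet.toJWTClaimsSet());
        ECDSASigner signer = new ECDSASigner(eCPrivateKey);
        if (provider != null) {
            signer.getJCAContext().setProvider(provider);
        }
        assertion.sign(signer);
        return assertion;
    }

    /**
     * Creates an RSA-signed private key JWT authentication whose claims set is
     * built from the client identifier and a single audience, the string form
     * of {@code uri}.
     *
     * @param clientID      the client identifier
     * @param uri           the endpoint the assertion is addressed to, used as
     *                      the audience
     * @param jWSAlgorithm  the JWS algorithm for the header
     * @param rSAPrivateKey the signing key
     * @param provider      the JCA provider, or {@code null}
     * @throws JOSEException if signing fails
     */
    public PrivateKeyJWT(ClientID clientID, URI uri, JWSAlgorithm jWSAlgorithm, RSAPrivateKey rSAPrivateKey, Provider provider) throws JOSEException {
        this(new JWTAuthenticationClaimsSet(clientID, new Audience(uri.toString())), jWSAlgorithm, rSAPrivateKey, provider);
    }

    /**
     * Creates an RSA-signed private key JWT authentication from a prepared
     * claims set.
     *
     * @param jWTAuthenticationClaimsSet the claims to put in the assertion
     * @param jWSAlgorithm               the JWS algorithm for the header
     * @param rSAPrivateKey              the signing key
     * @param provider                   the JCA provider, or {@code null}
     * @throws JOSEException if signing fails
     */
    public PrivateKeyJWT(JWTAuthenticationClaimsSet jWTAuthenticationClaimsSet, JWSAlgorithm jWSAlgorithm, RSAPrivateKey rSAPrivateKey, Provider provider) throws JOSEException {
        this(createClientAssertion(jWTAuthenticationClaimsSet, jWSAlgorithm, rSAPrivateKey, provider));
    }

    /**
     * Creates an ECDSA-signed private key JWT authentication whose claims set
     * is built from the client identifier and a single audience, the string
     * form of {@code uri}.
     *
     * @param clientID     the client identifier
     * @param uri          the endpoint the assertion is addressed to, used as
     *                     the audience
     * @param jWSAlgorithm the JWS algorithm for the header
     * @param eCPrivateKey the signing key
     * @param provider     the JCA provider, or {@code null}
     * @throws JOSEException if signing fails
     */
    public PrivateKeyJWT(ClientID clientID, URI uri, JWSAlgorithm jWSAlgorithm, ECPrivateKey eCPrivateKey, Provider provider) throws JOSEException {
        this(new JWTAuthenticationClaimsSet(clientID, new Audience(uri.toString())), jWSAlgorithm, eCPrivateKey, provider);
    }

    /**
     * Creates an ECDSA-signed private key JWT authentication from a prepared
     * claims set.
     *
     * @param jWTAuthenticationClaimsSet the claims to put in the assertion
     * @param jWSAlgorithm               the JWS algorithm for the header
     * @param eCPrivateKey               the signing key
     * @param provider                   the JCA provider, or {@code null}
     * @throws JOSEException if signing fails
     */
    public PrivateKeyJWT(JWTAuthenticationClaimsSet jWTAuthenticationClaimsSet, JWSAlgorithm jWSAlgorithm, ECPrivateKey eCPrivateKey, Provider provider) throws JOSEException {
        this(createClientAssertion(jWTAuthenticationClaimsSet, jWSAlgorithm, eCPrivateKey, provider));
    }

    /**
     * Wraps an existing signed assertion.
     *
     * <p>The algorithm check below reads the JWT header only; it does not
     * verify the signature. It rejects an assertion whose header names an
     * algorithm outside {@link #getSupportedJWAs()}, but an accepted header
     * value is still whatever the sender wrote, so the verifier must compare
     * it with the algorithm registered for the client.
     *
     * @param signedJWT the client assertion
     * @throws IllegalArgumentException if the header algorithm is not one of
     *                                  the supported RSA or ECDSA algorithms
     */
    public PrivateKeyJWT(SignedJWT signedJWT) {
        super(ClientAuthenticationMethod.PRIVATE_KEY_JWT, signedJWT);
        JWSAlgorithm headerAlg = signedJWT.getHeader().getAlgorithm();
        if (!getSupportedJWAs().contains(headerAlg)) {
            throw new IllegalArgumentException("The client assertion JWT must be RSA or ECDSA-signed (RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384 or ES512)");
        }
    }

    /**
     * Parses a private key JWT authentication from request parameters.
     *
     * <p>If the parameters carry a client identifier it must equal the one
     * taken from the assertion; if they carry none, the identity comes from
     * the assertion alone. Either way the assertion is unverified at this
     * point: the result identifies which client is <em>claimed</em>, and must
     * not be treated as authenticated until the signature and claims have
     * been validated.
     *
     * @param map the request parameters
     * @return the parsed authentication
     * @throws ParseException if the parameters do not hold a valid private key
     *                        JWT authentication, or the client identifier does
     *                        not match the assertion
     */
    public static PrivateKeyJWT parse(Map<String, String> map) throws ParseException {
        JWTAuthentication.ensureClientAssertionType(map);
        try {
            PrivateKeyJWT auth = new PrivateKeyJWT(JWTAuthentication.parseClientAssertion(map));
            ClientID declaredID = JWTAuthentication.parseClientID(map);
            if (declaredID != null && !declaredID.equals(auth.getClientID())) {
                throw new ParseException("The client identifier doesn't match the client assertion subject / issuer");
            }
            return auth;
        } catch (IllegalArgumentException e) {
            // Raised by the constructor for an unsupported header algorithm;
            // reported to the caller as a parse failure with the cause kept.
            throw new ParseException(e.getMessage(), e);
        }
    }

    /**
     * Parses a private key JWT authentication from a URL-encoded parameter
     * string. See {@link #parse(Map)} for what is and is not checked.
     *
     * @param str the URL-encoded parameters
     * @return the parsed authentication
     * @throws ParseException if parsing fails
     */
    public static PrivateKeyJWT parse(String str) throws ParseException {
        return parse(URLUtils.parseParameters(str));
    }

    /**
     * Parses a private key JWT authentication from an HTTP request, which must
     * be a POST with the URL-encoded form content type. See
     * {@link #parse(Map)} for what is and is not checked.
     *
     * @param hTTPRequest the HTTP request
     * @return the parsed authentication
     * @throws ParseException if the method or content type is not the expected
     *                        one, or parsing fails
     */
    public static PrivateKeyJWT parse(HTTPRequest hTTPRequest) throws ParseException {
        hTTPRequest.ensureMethod(HTTPRequest.Method.POST);
        hTTPRequest.ensureContentType(CommonContentTypes.APPLICATION_URLENCODED);
        // NOTE(review): presumably getQueryParameters() yields the form
        // parameters of the POST body here - confirm against HTTPRequest.
        return parse(hTTPRequest.getQueryParameters());
    }
}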
