package be.atbash.ee.security.octopus.nimbus.jose.crypto;

import be.atbash.ee.security.octopus.jwt.JWTValidationConstant;
import be.atbash.ee.security.octopus.keys.AtbashKey;
import be.atbash.ee.security.octopus.keys.selector.AsymmetricPart;
import be.atbash.ee.security.octopus.nimbus.jose.JOSEException;
import be.atbash.ee.security.octopus.nimbus.jose.KeyTypeException;
import be.atbash.ee.security.octopus.nimbus.jose.crypto.impl.AlgorithmSupportMessage;
import be.atbash.ee.security.octopus.nimbus.jose.crypto.impl.CriticalHeaderParamsDeferral;
import be.atbash.ee.security.octopus.nimbus.jose.crypto.impl.RSASSA;
import be.atbash.ee.security.octopus.nimbus.jose.crypto.impl.RSASSAProvider;
import be.atbash.ee.security.octopus.nimbus.jwk.KeyType;
import be.atbash.ee.security.octopus.nimbus.jwt.jws.JWSAlgorithm;
import be.atbash.ee.security.octopus.nimbus.jwt.jws.JWSHeader;
import be.atbash.ee.security.octopus.nimbus.jwt.jws.JWSVerifier;
import be.atbash.ee.security.octopus.nimbus.util.Base64URLValue;
import java.security.InvalidKeyException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Set;
import org.slf4j.MDC;

/* loaded from: input_file:be/atbash/ee/security/octopus/nimbus/jose/crypto/RSASSAVerifier.class */
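/**
 * JWS verifier that checks RSA signatures against a single, fixed RSA public key.
 *
 * <p>The algorithm named in the JWS header is only used after it has been found in
 * {@code supportedJWSAlgorithms()}, so a token cannot steer this verifier to an
 * algorithm outside that set. Every path that reports a failed verification
 * records a human-readable reason in the SLF4J {@link MDC} under
 * {@link JWTValidationConstant#JWT_VERIFICATION_FAIL_REASON}.
 *
 * <p>NOTE(review): no minimum RSA modulus length is enforced in this class;
 * confirm that key strength is checked where the key is loaded.
 */
public class RSASSAVerifier extends RSASSAProvider implements JWSVerifier {
    /** Policy applied to the {@code crit} header parameter before any signature work. */
    private final CriticalHeaderParamsDeferral critPolicy;

    /** The RSA public key every signature is checked against; never {@code null}. */
    private final RSAPublicKey publicKey;

    /**
     * Creates a verifier for the given key with no deferred critical header parameters.
     *
     * @param rSAPublicKey the RSA public key, must not be {@code null}
     * @throws IllegalArgumentException if the key is {@code null}
     */
    public RSASSAVerifier(RSAPublicKey rSAPublicKey) {
        this(rSAPublicKey, (Set<String>) null);
    }

    /**
     * Creates a verifier from an {@link AtbashKey} with no deferred critical header parameters.
     *
     * @param atbashKey a key whose type is RSA and whose asymmetric part is PUBLIC
     * @throws KeyTypeException if the key is not an RSA public key
     */
    public RSASSAVerifier(AtbashKey atbashKey) {
        this(getPublicKey(atbashKey));
    }

    /**
     * Creates a verifier from an {@link AtbashKey}.
     *
     * @param atbashKey a key whose type is RSA and whose asymmetric part is PUBLIC
     * @param set names of critical header parameters handed to the deferral policy, may be {@code null}
     * @throws KeyTypeException if the key is not an RSA public key
     */
    public RSASSAVerifier(AtbashKey atbashKey, Set<String> set) {
        this(getPublicKey(atbashKey), set);
    }

    /**
     * Extracts the RSA public key from an {@link AtbashKey}, refusing anything else.
     *
     * <p>Both the key type and the asymmetric part are checked before the cast, so a
     * private key or a non-RSA key is rejected with a {@link KeyTypeException}
     * instead of reaching the verifier.
     */
    private static RSAPublicKey getPublicKey(AtbashKey atbashKey) {
        boolean isRsa = atbashKey.getSecretKeyType().getKeyType() == KeyType.RSA;
        boolean isPublic = atbashKey.getSecretKeyType().getAsymmetricPart() == AsymmetricPart.PUBLIC;
        if (!isRsa || !isPublic) {
            // The expected class is RSAPublicKey; naming ECPrivateKey here pointed
            // whoever diagnoses a rejected key at the wrong key type.
            throw new KeyTypeException(RSAPublicKey.class);
        }
        return (RSAPublicKey) atbashKey.getKey();
    }

    /**
     * Creates a verifier for the given key.
     *
     * @param rSAPublicKey the RSA public key, must not be {@code null}
     * @param set names of critical header parameters handed to the deferral policy, may be {@code null}
     * @throws IllegalArgumentException if the key is {@code null}
     */
    public RSASSAVerifier(RSAPublicKey rSAPublicKey, Set<String> set) {
        this.critPolicy = new CriticalHeaderParamsDeferral();
        if (rSAPublicKey == null) {
            throw new IllegalArgumentException("The public RSA key must not be null");
        }
        this.publicKey = rSAPublicKey;
        this.critPolicy.setDeferredCriticalHeaderParams(set);
    }

    /**
     * Verifies the signature of a JWS object with the configured RSA public key.
     *
     * @param jWSHeader the JWS header; its algorithm selects the signature scheme
     * @param bArr the signed content the signature was computed over
     * @param base64URLValue the Base64URL-encoded signature
     * @return {@code true} if the signature is valid; {@code false} if the header fails
     *     the {@code crit} policy, the signature is malformed, or it does not match
     * @throws JOSEException if the header algorithm is not supported or the public key
     *     is rejected by the signature implementation
     */
    @Override // be.atbash.ee.security.octopus.nimbus.jwt.jws.JWSVerifier
    public boolean verify(JWSHeader jWSHeader, byte[] bArr, Base64URLValue base64URLValue) {
        JWSAlgorithm algorithm = jWSHeader.getAlgorithm();

        // Reject the token-supplied algorithm before any cryptographic work is done.
        if (!supportedJWSAlgorithms().contains(algorithm)) {
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, String.format("Signature algorithm specified in Header %s is not supported.", algorithm.getName()));
            throw new JOSEException(AlgorithmSupportMessage.unsupportedJWSAlgorithm(algorithm, supportedJWSAlgorithms()));
        }

        // A header that does not pass the 'crit' policy is treated as a failed verification.
        if (!this.critPolicy.headerPasses(jWSHeader)) {
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, "Verification failed due to 'crit' header parameter deferral policy");
            return false;
        }

        Signature verifier = RSASSA.getSignerAndVerifier(algorithm);
        try {
            verifier.initVerify(this.publicKey);
            verifier.update(bArr);
            boolean valid = verifier.verify(base64URLValue.decode());
            if (!valid) {
                // A well-formed signature that does not match returns false without an
                // exception; record the reason here as well so this failure is not
                // left without one (or with a stale one) in the MDC.
                MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, "Signature verification failed with provided Public RSA key");
            }
            return valid;
        } catch (SignatureException e) {
            // Malformed signature bytes: reported as a failed verification, not an error.
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, "Signature verification failed with provided Public RSA key");
            return false;
        } catch (InvalidKeyException e2) {
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, "Selected Public RSA key is not valid");
            throw new JOSEException("Invalid public RSA key: " + e2.getMessage(), e2);
        }
    }
}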
