package com.nimbusds.jose.aws.kms.crypto;

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.DependencyTimeoutException;
import com.amazonaws.services.kms.model.DisabledException;
import com.amazonaws.services.kms.model.InvalidGrantTokenException;
import com.amazonaws.services.kms.model.InvalidKeyUsageException;
import com.amazonaws.services.kms.model.KMSInternalException;
import com.amazonaws.services.kms.model.KMSInvalidSignatureException;
import com.amazonaws.services.kms.model.KMSInvalidStateException;
import com.amazonaws.services.kms.model.KeyUnavailableException;
import com.amazonaws.services.kms.model.MessageType;
import com.amazonaws.services.kms.model.NotFoundException;
import com.amazonaws.services.kms.model.VerifyRequest;
import com.nimbusds.jose.CriticalHeaderParamsAware;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.RemoteKeySourceException;
import com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricRSASSAProvider;
import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException;
import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral;
import com.nimbusds.jose.util.Base64URL;
import java.nio.ByteBuffer;
import java.util.Objects;
import java.util.Set;
import javax.annotation.concurrent.ThreadSafe;
import lombok.NonNull;

@ThreadSafe
/* loaded from: input_file:com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRSASSAVerifier.class */
public class KmsAsymmetricRSASSAVerifier extends KmsAsymmetricRSASSAProvider implements JWSVerifier, CriticalHeaderParamsAware {
    private final CriticalHeaderParamsDeferral critPolicy;

    public KmsAsymmetricRSASSAVerifier(@NonNull AWSKMS awskms, @NonNull String str, @NonNull MessageType messageType) {
        super(awskms, str, messageType);
        this.critPolicy = new CriticalHeaderParamsDeferral();
        Objects.requireNonNull(awskms, "kms is marked non-null but is null");
        Objects.requireNonNull(str, "privateKeyId is marked non-null but is null");
        Objects.requireNonNull(messageType, "messageType is marked non-null but is null");
    }

    public KmsAsymmetricRSASSAVerifier(@NonNull AWSKMS awskms, @NonNull String str, @NonNull MessageType messageType, @NonNull Set<String> set) {
        super(awskms, str, messageType);
        this.critPolicy = new CriticalHeaderParamsDeferral();
        Objects.requireNonNull(awskms, "kms is marked non-null but is null");
        Objects.requireNonNull(str, "privateKeyId is marked non-null but is null");
        Objects.requireNonNull(messageType, "messageType is marked non-null but is null");
        Objects.requireNonNull(set, "defCritHeaders is marked non-null but is null");
        this.critPolicy.setDeferredCriticalHeaderParams(set);
    }

    public Set<String> getProcessedCriticalHeaderParams() {
        return this.critPolicy.getProcessedCriticalHeaderParams();
    }

    public Set<String> getDeferredCriticalHeaderParams() {
        return this.critPolicy.getDeferredCriticalHeaderParams();
    }

    public boolean verify(@NonNull JWSHeader jWSHeader, @NonNull byte[] bArr, @NonNull Base64URL base64URL) throws JOSEException {
        Objects.requireNonNull(jWSHeader, "header is marked non-null but is null");
        Objects.requireNonNull(bArr, "signedContent is marked non-null but is null");
        Objects.requireNonNull(base64URL, "signature is marked non-null but is null");
        if (!this.critPolicy.headerPasses(jWSHeader)) {
            return false;
        }
        try {
            return getKms().verify(new VerifyRequest().withKeyId(getPrivateKeyId()).withSigningAlgorithm(jWSHeader.getAlgorithm().toString()).withMessageType(getMessageType()).withMessage(getMessage(jWSHeader, bArr)).withSignature(ByteBuffer.wrap(base64URL.decode()))).isSignatureValid().booleanValue();
        } catch (KMSInvalidSignatureException e) {
            return false;
        } catch (NotFoundException | DisabledException | KeyUnavailableException | InvalidKeyUsageException | KMSInvalidStateException e2) {
            throw new RemoteKeySourceException("An exception was thrown from KMS due to invalid key.", e2);
        } catch (DependencyTimeoutException | InvalidGrantTokenException | KMSInternalException e3) {
            throw new TemporaryJOSEException("A temporary exception was thrown from KMS.", e3);
        }
    }
}
