package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.SignedJWT;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtValidateUtil.class */
/**
 * Static helpers for checking the signature of a signed JWT against a list of candidate JWKs.
 *
 * <p>Every path through {@link #validateSignature(SignedJWT, List)} that does not end in a
 * successful signature check throws, so a normal return is the only "valid" outcome.
 */
public class JwtValidateUtil {
    private static final Logger LOGGER = LogManager.getLogger(JwtValidateUtil.class);

    /**
     * Verifies the signature of {@code signedJWT} with the first candidate JWK that accepts it.
     *
     * <p>The candidates are narrowed in three steps before any cryptographic check is attempted:
     * <ol>
     *   <li>kid: a JWK is kept when the JWT has no kid, the JWK has no kid, or the two are equal;</li>
     *   <li>alg: a JWK is kept when it declares no algorithm or declares the JWT's algorithm;</li>
     *   <li>{@code JwkValidateUtil.isMatch(jwk, algName)} must return true.</li>
     * </ol>
     *
     * <p>The kid and alg used for filtering are read from the header of the token being validated,
     * i.e. before its signature has been checked. A JWK that declares neither kid nor alg passes
     * the first two steps for any token, so for such a key step 3 is the only filter applied here.
     * NOTE(review): {@code isMatch} lives in JwkValidateUtil, outside this file; it presumably
     * checks that the key type/size suits the algorithm name. Confirm this, because
     * {@link #createJwsVerifier(JWK)} picks the verifier from the key's Java class alone.
     *
     * <p>Only key metadata (kty, alg, kid, use, ops) is passed to the logger; no key material
     * accessor is called in this method.
     *
     * @param signedJWT the token whose signature is checked
     * @param list candidate keys; must be non-null (enforced only by an {@code assert}) and non-empty
     * @throws ElasticsearchException if {@code list} is empty, if every JWK is filtered out, or if
     *     no remaining JWK verifies the signature
     * @throws Exception anything raised by {@link #createJwsVerifier(JWK)} or by
     *     {@code signedJWT.verify}; there is no catch in the loop, so such an exception ends the
     *     attempt without trying the remaining candidates
     */
    public static void validateSignature(SignedJWT signedJWT, List<JWK> list) throws Exception {
        // With assertions disabled a null list surfaces as a NullPointerException on the next line.
        assert list != null : "Verify requires a non-null JWK list";
        if (list.isEmpty()) {
            throw new ElasticsearchException("Verify requires a non-empty JWK list");
        }

        // Both values come from the not-yet-verified token header.
        final String jwtKid = signedJWT.getHeader().getKeyID();
        final JWSAlgorithm jwtAlg = signedJWT.getHeader().getAlgorithm();
        LOGGER.trace("JWKs [{}], JWT KID [{}], and JWT Algorithm [{}] before filters.", list.size(), jwtKid, jwtAlg.getName());

        // Step 1: a missing kid on either side acts as a wildcard.
        final List<JWK> kidCandidates = list.stream()
            .filter(jwk -> jwtKid == null || jwk.getKeyID() == null || jwtKid.equals(jwk.getKeyID()))
            .toList();
        LOGGER.trace("JWKs [{}] after KID [{}](|null) filter.", kidCandidates.size(), jwtKid);

        // Step 2: a JWK without a declared algorithm is kept for any JWT algorithm.
        final List<JWK> algCandidates = kidCandidates.stream()
            .filter(jwk -> jwk.getAlgorithm() == null || jwtAlg.equals(jwk.getAlgorithm()))
            .toList();
        LOGGER.trace("JWKs [{}] after Algorithm [{}](|null) filter.", algCandidates.size(), jwtAlg.getName());

        // Step 3: delegate the key-versus-algorithm compatibility decision to JwkValidateUtil.
        final List<JWK> usable = algCandidates.stream()
            .filter(jwk -> JwkValidateUtil.isMatch(jwk, jwtAlg.getName()))
            .toList();
        LOGGER.debug("JWKs [{}] after Algorithm [{}] match filter.", usable.size(), jwtAlg);

        if (usable.isEmpty()) {
            throw new ElasticsearchException("Verify failed because all " + list.size() + " provided JWKs were filtered.");
        }

        for (final JWK candidate : usable) {
            if (!signedJWT.verify(createJwsVerifier(candidate))) {
                LOGGER.trace(
                    "JWT signature validation failed with JWK kty=[{}], jwtAlg=[{}], jwtKid=[{}], use=[{}], ops={}",
                    candidate.getKeyType(),
                    candidate.getAlgorithm(),
                    candidate.getKeyID(),
                    candidate.getKeyUse(),
                    candidate.getKeyOperations() == null ? "[null]" : candidate.getKeyOperations()
                );
                continue;
            }
            LOGGER.trace(
                "JWT signature validation succeeded with JWK kty=[{}], jwtAlg=[{}], jwtKid=[{}], use=[{}], ops=[{}]",
                candidate.getKeyType(),
                candidate.getAlgorithm(),
                candidate.getKeyID(),
                candidate.getKeyUse(),
                candidate.getKeyOperations()
            );
            return;
        }

        // No candidate verified the signature: fail closed.
        throw new ElasticsearchException("Verify failed using " + usable.size() + " of " + list.size() + " provided JWKs.");
    }

    /**
     * Builds the signature verifier that corresponds to the concrete class of {@code jwk}:
     * {@link RSAKey} gives an {@link RSASSAVerifier}, {@link ECKey} an {@link ECDSAVerifier},
     * and {@link OctetSequenceKey} a {@link MACVerifier}.
     *
     * <p>The choice depends only on the key's class; the JWT header algorithm is not consulted
     * here, so callers that need key type and algorithm to agree must filter the keys first.
     *
     * @param jwk the key to verify with; {@code null} is reported as an unsupported class
     * @return a verifier backed by {@code jwk}
     * @throws JOSEException if {@code jwk} is null or of any other class; exceptions raised by the
     *     verifier constructors are not caught here
     */
    public static JWSVerifier createJwsVerifier(JWK jwk) throws JOSEException {
        if (jwk instanceof RSAKey rsaKey) {
            return new RSASSAVerifier(rsaKey);
        } else if (jwk instanceof ECKey ecKey) {
            return new ECDSAVerifier(ecKey);
        } else if (jwk instanceof OctetSequenceKey secretKey) {
            return new MACVerifier(secretKey);
        }

        final String actualClass = jwk == null ? "null" : jwk.getClass().getCanonicalName();
        final String supportedClasses = RSAKey.class.getCanonicalName()
            + ", "
            + ECKey.class.getCanonicalName()
            + ", "
            + OctetSequenceKey.class.getCanonicalName();
        throw new JOSEException("Unsupported JWK class [" + actualClass + "]. Supported classes are [" + supportedClasses + "].");
    }
}
