package com.nimbusds.jose.crypto;

import com.nimbusds.jose.CriticalHeaderParamsAware;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEDecrypter;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObjectJSON;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.crypto.impl.AAD;
import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral;
import com.nimbusds.jose.crypto.impl.JWEHeaderValidation;
import com.nimbusds.jose.crypto.impl.MultiCryptoProvider;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.shaded.jcip.ThreadSafe;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jose.util.JSONObjectUtils;
import java.net.URI;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

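/**
 * JWE decrypter that selects the recipient entry addressed to a single private JWK and hands
 * the actual decryption to the key-type specific decrypter (RSA, ECDH, AES key wrap, direct,
 * X25519).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Every value used for recipient matching ({@code kid}, {@code jwk}, {@code x5u},
 *       {@code x5t}, {@code x5t#S256}, {@code x5c}) is read from the JWE header and is therefore
 *       sender-controlled. A match only selects which encrypted key to try; it does not
 *       authenticate the sender. Decryption always uses the locally configured private JWK.</li>
 *   <li>The header {@code x5u} is compared as a URI only and is never dereferenced by this
 *       class.</li>
 *   <li>The delegate is chosen from the configured key's type <em>and</em> the header algorithm,
 *       so a header cannot make a key be used with an algorithm family of another key type.</li>
 * </ul>
 */
@ThreadSafe
/* loaded from: input_file:web-author-ai-positron-enterprise-plugin-4.0.0-SNAPSHOT/lib/nimbus-jose-jwt-9.40.jar:com/nimbusds/jose/crypto/MultiDecrypter.class */
public class MultiDecrypter extends MultiCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware {
    // Private key material and the identifiers derived from it, captured once at construction.
    private final JWK jwk;
    private final String kid;
    private final URI x5u;
    private final Base64URL x5t;
    private final Base64URL x5t256;
    private final List<Base64> x5c;
    private final Base64URL thumbprint;
    private final CriticalHeaderParamsDeferral critPolicy;

    /**
     * Creates a decrypter for the given private key with no deferred critical header parameters.
     *
     * @param jwk the private key; must not be {@code null}
     * @throws JOSEException if the key thumbprint cannot be computed
     * @throws KeyLengthException declared for compatibility with the two-argument constructor
     */
    public MultiDecrypter(JWK jwk) throws JOSEException, KeyLengthException {
        this(jwk, null);
    }

    /**
     * Creates a decrypter for the given private key.
     *
     * @param jwk the private key; must not be {@code null}
     * @param set names of critical header parameters whose processing is deferred to the
     *     application; passed unchanged to the critical-header policy, may be {@code null}
     * @throws IllegalArgumentException if {@code jwk} is {@code null}
     * @throws JOSEException if the key thumbprint cannot be computed
     * @throws KeyLengthException declared by the original signature
     */
    public MultiDecrypter(JWK jwk, Set<String> set) throws JOSEException, KeyLengthException {
        // NOTE(review): the meaning of the null argument is defined by MultiCryptoProvider,
        // which is not visible here.
        super(null);
        this.critPolicy = new CriticalHeaderParamsDeferral();
        if (jwk == null) {
            throw new IllegalArgumentException("The private key (JWK) must not be null");
        }
        this.jwk = jwk;
        this.kid = jwk.getKeyID();
        this.x5c = jwk.getX509CertChain();
        this.x5u = jwk.getX509CertURL();
        this.x5t = jwk.getX509CertThumbprint();
        this.x5t256 = jwk.getX509CertSHA256Thumbprint();
        this.thumbprint = jwk.computeThumbprint();
        this.critPolicy.setDeferredCriticalHeaderParams(set);
    }

    /**
     * Returns the critical header parameters the policy reports as processed.
     *
     * @return the processed critical header parameter names
     */
    @Override // com.nimbusds.jose.CriticalHeaderParamsAware
    public Set<String> getProcessedCriticalHeaderParams() {
        return this.critPolicy.getProcessedCriticalHeaderParams();
    }

    /**
     * Returns the critical header parameters whose handling is deferred to the application.
     *
     * @return the deferred critical header parameter names
     */
    @Override // com.nimbusds.jose.CriticalHeaderParamsAware
    public Set<String> getDeferredCriticalHeaderParams() {
        // Fix: this previously returned the *processed* set, so callers auditing which "crit"
        // parameters they are responsible for were given the wrong list.
        return this.critPolicy.getDeferredCriticalHeaderParams();
    }

    /**
     * Tells whether the (joined) recipient header refers to the configured key.
     *
     * <p>Checks, in order: header {@code kid} equal to the key thumbprint, thumbprint of a
     * header-embedded JWK, {@code x5u}, {@code x5t}, {@code x5t#S256}, {@code x5c} (same elements
     * in any order), and finally header {@code kid} equal to the key's own {@code kid}.
     * All header values are untrusted selection hints only.
     *
     * @param jWEHeader the header to test
     * @return {@code true} if any identifier matches
     * @throws JOSEException if the thumbprint of a header-embedded JWK cannot be computed
     */
    private boolean jwkMatched(JWEHeader jWEHeader) throws JOSEException {
        if (this.thumbprint.toString().equals(jWEHeader.getKeyID())) {
            return true;
        }
        // The embedded JWK is attacker-supplied; it is only hashed for comparison, never used
        // as key material.
        JWK headerJwk = jWEHeader.getJWK();
        if (headerJwk != null && this.thumbprint.equals(headerJwk.computeThumbprint())) {
            return true;
        }
        // Compared as a value only; the URL is not fetched.
        if (this.x5u != null && this.x5u.equals(jWEHeader.getX509CertURL())) {
            return true;
        }
        if (this.x5t != null && this.x5t.equals(jWEHeader.getX509CertThumbprint())) {
            return true;
        }
        if (this.x5t256 != null && this.x5t256.equals(jWEHeader.getX509CertSHA256Thumbprint())) {
            return true;
        }
        List<Base64> headerChain = jWEHeader.getX509CertChain();
        if (this.x5c != null
                && headerChain != null
                && this.x5c.containsAll(headerChain)
                && headerChain.containsAll(this.x5c)) {
            return true;
        }
        return this.kid != null && this.kid.equals(jWEHeader.getKeyID());
    }

    /**
     * Decrypts using additional authenticated data computed from the header.
     *
     * @param header the JWE header
     * @param encryptedKey the encrypted key, or the serialized recipients structure
     * @param iv the initialization vector
     * @param cipherText the cipher text
     * @param authTag the authentication tag
     * @return the clear text
     * @throws JOSEException if decryption fails
     * @deprecated use the overload that takes the AAD explicitly
     */
    @Deprecated
    public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag) throws JOSEException {
        return decrypt(header, encryptedKey, iv, cipherText, authTag, AAD.compute(header));
    }

    /**
     * Selects the recipient addressed to the configured key and decrypts with the delegate
     * matching the key type and header algorithm.
     *
     * @param header the JWE header (joined with each recipient's unprotected header for matching)
     * @param encryptedKey either a JSON document with a {@code recipients} array, or the
     *     encrypted key of a single-recipient JWE
     * @param iv the initialization vector; must not be {@code null}
     * @param cipherText the cipher text, passed to the delegate unchanged
     * @param authTag the authentication tag; must not be {@code null}
     * @param aad the additional authenticated data; must not be {@code null}
     * @return the clear text
     * @throws JOSEException if a required part is missing, no recipient matches, a critical
     *     header check fails, the key type / algorithm pair is unsupported, or the delegate fails
     */
    @Override // com.nimbusds.jose.JWEDecrypter
    public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad) throws JOSEException {
        if (iv == null) {
            // Fix: the message used to say "Unexpected present ..." although the IV is absent.
            throw new JOSEException("Missing JWE initialization vector (IV)");
        }
        if (authTag == null) {
            throw new JOSEException("Missing JWE authentication tag");
        }
        if (aad == null) {
            throw new JOSEException("Missing JWE additional authenticated data (AAD)");
        }
        KeyType keyType = this.jwk.getKeyType();
        Set<String> deferredCriticalHeaderParams = this.critPolicy.getDeferredCriticalHeaderParams();
        JWEObjectJSON.Recipient recipient = null;
        JWEHeader recipientHeader = null;
        try {
            for (Object entry : JSONObjectUtils.getJSONArray(JSONObjectUtils.parse(encryptedKey.decodeToString()), "recipients")) {
                @SuppressWarnings("unchecked") // a non-map entry fails the cast and takes the fallback below
                Map<String, Object> recipientJson = (Map<String, Object>) entry;
                recipient = JWEObjectJSON.Recipient.parse(recipientJson);
                recipientHeader = (JWEHeader) header.join(recipient.getUnprotectedHeader());
                if (jwkMatched(recipientHeader)) {
                    break;
                }
                recipientHeader = null;
            }
        } catch (Exception fallback) {
            // Deliberate best effort, same as before: ANY failure above (null encrypted key,
            // input that is not a JSON recipients structure, a malformed recipient entry, a
            // thumbprint error) switches to the single-recipient path.
            // NOTE(review): on this path jwkMatched() is not consulted; a wrong key is only
            // detected when the delegate fails to decrypt.
            recipientHeader = header;
            recipient = new JWEObjectJSON.Recipient(null, encryptedKey);
        }
        if (recipientHeader == null) {
            throw new JOSEException("No recipient found");
        }
        JWEAlgorithm alg = JWEHeaderValidation.getAlgorithmAndEnsureNotNull(recipientHeader);
        // Enforce the "crit" policy before any key material is touched.
        this.critPolicy.ensureHeaderPasses(recipientHeader);

        // The key type is checked together with the algorithm, so the header alone cannot pick
        // a delegate that does not fit the configured key.
        final JWEDecrypter delegate;
        if (KeyType.RSA.equals(keyType) && RSADecrypter.SUPPORTED_ALGORITHMS.contains(alg)) {
            delegate = new RSADecrypter(this.jwk.toRSAKey().toRSAPrivateKey(), deferredCriticalHeaderParams);
        } else if (KeyType.EC.equals(keyType) && ECDHDecrypter.SUPPORTED_ALGORITHMS.contains(alg)) {
            delegate = new ECDHDecrypter(this.jwk.toECKey().toECPrivateKey(), deferredCriticalHeaderParams);
        } else if (KeyType.OCT.equals(keyType) && AESDecrypter.SUPPORTED_ALGORITHMS.contains(alg)) {
            delegate = new AESDecrypter(this.jwk.toOctetSequenceKey().toSecretKey("AES"), deferredCriticalHeaderParams);
        } else if (KeyType.OCT.equals(keyType) && DirectDecrypter.SUPPORTED_ALGORITHMS.contains(alg)) {
            delegate = new DirectDecrypter(this.jwk.toOctetSequenceKey().toSecretKey("AES"), deferredCriticalHeaderParams);
        } else if (KeyType.OKP.equals(keyType) && X25519Decrypter.SUPPORTED_ALGORITHMS.contains(alg)) {
            delegate = new X25519Decrypter(this.jwk.toOctetKeyPair(), deferredCriticalHeaderParams);
        } else {
            throw new JOSEException("Unsupported algorithm");
        }
        return delegate.decrypt(recipientHeader, recipient.getEncryptedKey(), iv, cipherText, authTag, aad);
    }
}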
