package com.nimbusds.oauth2.sdk.dpop.verifiers;

import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.util.URIUtils;
import com.nimbusds.oauth2.sdk.util.singleuse.AlreadyUsedException;
import com.nimbusds.oauth2.sdk.util.singleuse.SingleUseChecker;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import java.net.URI;
import java.text.ParseException;
import java.util.AbstractMap;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import net.jcip.annotations.ThreadSafe;

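/**
 * Claims verifier for DPoP proof JWTs.
 *
 * <p>On top of the checks done by {@link DefaultJWTClaimsVerifier} (exact
 * match of {@code htm}, {@code htu} and optionally {@code nonce}; presence of
 * {@code jti}, {@code iat} and optionally {@code ath}), {@link #verify}
 * enforces an {@code iat} freshness window, optional {@code jti} single-use
 * (replay) detection, and copies the {@code ath} value into the context.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Replay detection only runs when a {@link SingleUseChecker} is
 *       supplied; with {@code null} a captured proof stays acceptable for the
 *       whole {@code iat} window.</li>
 *   <li>The {@code ath} value is only stored on the context here. Nothing in
 *       this class compares it with the hash of the presented access token;
 *       presumably a caller does that. TODO confirm.</li>
 * </ul>
 *
 * <p>This listing is decompiled output (shaded inside an agent jar), so
 * parameter names are synthetic; they are kept as-is and documented below.
 */
@ThreadSafe
class DPoPProofClaimsSetVerifier extends DefaultJWTClaimsVerifier<DPoPProofContext> {
    /** Tolerated distance, in seconds, between {@code iat} and the local clock (both directions). */
    private final long maxClockSkewSeconds;

    /** Replay detector keyed by (issuer, jti); {@code null} disables replay detection. */
    private final SingleUseChecker<Map.Entry<DPoPIssuer, JWTID>> singleUseChecker;

    /**
     * Creates a new verifier.
     *
     * @param uri              the URI the proof must be bound to; its base form
     *                         (as produced by {@code URIUtils.getBaseURI}) is the
     *                         expected {@code htu}
     * @param str              the expected {@code htm} (HTTP method) value
     * @param nonce            the expected {@code nonce}; when {@code null} the
     *                         {@code nonce} claim is prohibited instead
     * @param j                the maximum clock skew in seconds for the
     *                         {@code iat} check
     * @param z                {@code true} to additionally require the
     *                         {@code ath} claim
     * @param singleUseChecker the {@code jti} replay detector, or {@code null}
     *                         to skip replay detection
     */
    public DPoPProofClaimsSetVerifier(URI uri, String str, Nonce nonce, long j, boolean z, SingleUseChecker<Map.Entry<DPoPIssuer, JWTID>> singleUseChecker) {
        super(null, composeExpectedJWTClaimsSet(uri, str, nonce), composeRequiredClaims(z), composeProhibitedClaims(nonce));
        this.maxClockSkewSeconds = j;
        this.singleUseChecker = singleUseChecker;
    }

    /** Builds the claims that must match exactly: {@code htm}, {@code htu} and, if given, {@code nonce}. */
    private static JWTClaimsSet composeExpectedJWTClaimsSet(URI uri, String str, Nonce nonce) {
        JWTClaimsSet.Builder expected = new JWTClaimsSet.Builder()
                .claim("htm", str)
                .claim("htu", URIUtils.getBaseURI(uri).toString());
        if (nonce != null) {
            expected.claim(IDTokenClaimsSet.NONCE_CLAIM_NAME, nonce.getValue());
        }
        return expected.build();
    }

    /** Builds the set of claims that must be present; {@code ath} is added only when requested. */
    private static Set<String> composeRequiredClaims(boolean requireAth) {
        // Explicit type argument instead of the raw HashSet emitted by the decompiler.
        return new HashSet<String>(requireAth ? Arrays.asList("jti", "iat", "ath") : Arrays.asList("jti", "iat"));
    }

    /**
     * Builds the set of claims that must be absent.
     *
     * @return a singleton with the nonce claim name when no nonce is expected,
     *         so an unsolicited nonce is rejected; otherwise {@code null}, which
     *         is passed straight to the superclass constructor (kept as
     *         {@code null} to preserve the original behaviour)
     */
    private static Set<String> composeProhibitedClaims(Nonce nonce) {
        if (nonce == null) {
            return Collections.singleton(IDTokenClaimsSet.NONCE_CLAIM_NAME);
        }
        return null;
    }

    /**
     * Verifies the claims of a DPoP proof.
     *
     * <p>Order of checks: superclass checks, {@code iat} window, {@code jti}
     * single use, then {@code ath} extraction. Note that the {@code jti} is
     * marked as used before {@code ath} is parsed, so a proof rejected for a
     * malformed {@code ath} has still consumed its {@code jti}.
     *
     * @param jWTClaimsSet     the claims of the proof JWT
     * @param dPoPProofContext the context; supplies the issuer for the replay
     *                         key and receives the parsed {@code ath}
     * @throws BadJWTException if any check fails
     */
    @Override // com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier, com.nimbusds.jwt.proc.JWTClaimsSetVerifier
    public void verify(JWTClaimsSet jWTClaimsSet, DPoPProofContext dPoPProofContext) throws BadJWTException {
        // The decompiler emitted a bogus (JWTClaimsSet) cast on the context argument; it is removed.
        super.verify(jWTClaimsSet, dPoPProofContext);

        Date issueTime = jWTClaimsSet.getIssueTime();
        if (issueTime == null) {
            // "iat" is a required claim, so it is present here, but presence does not
            // guarantee a date value. Reject with BadJWTException instead of letting a
            // NullPointerException escape from attacker-supplied input.
            throw new BadJWTException("The JWT iat claim is not a valid date");
        }

        long nowMillis = new Date().getTime();
        long skewMillis = this.maxClockSkewSeconds * 1000;
        Date earliest = new Date(nowMillis - skewMillis);
        Date latest = new Date(nowMillis + skewMillis);
        if (issueTime.before(earliest)) {
            throw new BadJWTException("The JWT iat claim is behind the current time by more than " + this.maxClockSkewSeconds + " seconds");
        }
        if (issueTime.after(latest)) {
            throw new BadJWTException("The JWT iat claim is ahead of the current time by more than " + this.maxClockSkewSeconds + " seconds");
        }

        if (this.singleUseChecker != null) {
            JWTID jwtid = new JWTID(jWTClaimsSet.getJWTID());
            // Replay key is (issuer, jti), so equal jti values from different issuers do not collide.
            Map.Entry<DPoPIssuer, JWTID> replayKey =
                    new AbstractMap.SimpleImmutableEntry<>(dPoPProofContext.getIssuer(), jwtid);
            try {
                this.singleUseChecker.markAsUsed(replayKey);
            } catch (AlreadyUsedException e) {
                // Keep the cause for diagnostics. The message embeds the client-supplied
                // jti, so anything that logs it should treat the value as untrusted.
                throw new BadJWTException("The jti was used before: " + jwtid, e);
            }
        }

        if (getRequiredClaims().contains("ath")) {
            try {
                // Only recorded on the context; comparison with the access token hash is not done here.
                dPoPProofContext.setAccessTokenHash(new Base64URL(jWTClaimsSet.getStringClaim("ath")));
            } catch (ParseException e2) {
                throw new BadJWTException("Invalid ath claim: " + e2.getMessage(), e2);
            }
        }
    }
}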
