package org.forgerock.jaspi.modules.openid.resolvers;

import java.security.Key;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import javax.crypto.SecretKey;
import org.forgerock.jaspi.modules.openid.exceptions.InvalidIssException;
import org.forgerock.jaspi.modules.openid.exceptions.JwtExpiredException;
import org.forgerock.jaspi.modules.openid.exceptions.OpenIdConnectVerificationException;
import org.forgerock.json.jose.jws.SignedJwt;
import org.forgerock.json.jose.jws.SigningManager;
import org.forgerock.json.jose.jws.handlers.SigningHandler;

/* loaded from: input_file:org/forgerock/jaspi/modules/openid/resolvers/BaseOpenIdResolver.class */
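/**
 * Base class for OpenID Connect resolvers that holds the expected issuer and
 * performs the issuer and expiry checks on a signed JWT.
 *
 * <p>Security note: {@link #validateIdentity(SignedJwt)} as written here checks only the
 * {@code iss} and {@code exp} claims. It does not verify the signature, the audience or a
 * not-before time. Subclasses presumably verify the signature themselves (see
 * {@link #createSigningHandlerForKey(SigningManager, Key)}) - confirm against each subclass.
 */
public abstract class BaseOpenIdResolver implements OpenIdResolver {
    /** Issuer value every accepted token must carry in its {@code iss} claim. */
    private final String issuer;

    /**
     * Creates a resolver bound to a single expected issuer.
     *
     * @param str the expected issuer; if {@code null}, every token is rejected by
     *            {@link #verifyIssuer(String)}
     */
    public BaseOpenIdResolver(String str) {
        this.issuer = str;
    }

    /**
     * Checks that the token's issuer is exactly the configured issuer.
     *
     * @param str the {@code iss} value taken from the token, possibly {@code null}
     * @throws InvalidIssException if the values differ or either one is {@code null}
     */
    void verifyIssuer(String str) throws InvalidIssException {
        // Fail closed: an unconfigured issuer must reject the token with the declared
        // verification exception, never match and never escape as a NullPointerException.
        if (this.issuer == null || !this.issuer.equals(str)) {
            throw new InvalidIssException("Invalid issuer");
        }
    }

    /**
     * Checks that the token has not expired, using the local system clock with no
     * clock-skew allowance.
     *
     * @param date the {@code exp} value taken from the token, possibly {@code null}
     * @throws JwtExpiredException if {@code date} is {@code null} or the current time is
     *                             not strictly before it
     */
    void verifyExpiration(Date date) throws JwtExpiredException {
        // A token without an expiry is rejected explicitly; the previous code threw an
        // unchecked NullPointerException from Date.after(null) instead.
        if (date == null) {
            throw new JwtExpiredException("Token has no expiration time");
        }
        // RFC 7519 requires the current time to be before exp, so the instant equal to
        // exp is treated as expired too.
        if (!new Date().before(date)) {
            throw new JwtExpiredException("Token expired");
        }
    }

    /**
     * Validates the issuer and expiry claims of the supplied token.
     *
     * <p>No signature, audience or not-before check happens in this method.
     *
     * @param signedJwt the token to validate
     * @throws OpenIdConnectVerificationException if {@code signedJwt} is {@code null}, the
     *         issuer does not match, or the token has expired or carries no expiry
     */
    @Override // org.forgerock.jaspi.modules.openid.resolvers.OpenIdResolver
    public void validateIdentity(SignedJwt signedJwt) throws OpenIdConnectVerificationException {
        if (signedJwt == null) {
            throw new OpenIdConnectVerificationException("A valid SignedJWT must be supplied to the resolver");
        }
        verifyIssuer(signedJwt.getClaimsSet().getIssuer());
        verifyExpiration(signedJwt.getClaimsSet().getExpirationTime());
    }

    /**
     * Picks a signing handler from the Java type of the supplied key.
     *
     * <p>The choice depends only on {@code key}; nothing from a token is consulted here.
     * The key should therefore come from trusted resolver configuration, so that a token
     * cannot influence which algorithm family is used to verify it.
     *
     * @param signingManager factory for the handlers
     * @param key an {@link ECPublicKey}, {@link RSAPublicKey} or {@link SecretKey}
     * @return the handler matching the key type
     * @throws IllegalArgumentException if {@code key} is {@code null} or of another type
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public SigningHandler createSigningHandlerForKey(SigningManager signingManager, Key key) {
        if (key instanceof ECPublicKey) {
            return signingManager.newEcdsaVerificationHandler((ECPublicKey) key);
        }
        if (key instanceof RSAPublicKey) {
            return signingManager.newRsaSigningHandler(key);
        }
        if (key instanceof SecretKey) {
            // NOTE(review): getEncoded() returns null for keys that do not expose their
            // encoding (e.g. some hardware-backed keys) - confirm the handler copes with that.
            return signingManager.newHmacSigningHandler(key.getEncoded());
        }
        throw new IllegalArgumentException("Unable to determine signing algorithm");
    }

    /**
     * Returns the issuer this resolver accepts.
     *
     * @return the configured issuer, as passed to the constructor
     */
    @Override // org.forgerock.jaspi.modules.openid.resolvers.OpenIdResolver
    public String getIssuer() {
        return this.issuer;
    }
}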
