package io.gravitee.policy.jwt.jwk.selector;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;

/* loaded from: input_file:io/gravitee/policy/jwt/jwk/selector/NoKidJWSVerificationKeySelector.class */
public class NoKidJWSVerificationKeySelector<C extends SecurityContext> extends JWSVerificationKeySelector<C> {
    public NoKidJWSVerificationKeySelector(JWSAlgorithm jWSAlgorithm, JWKSource<C> jWKSource) {
        super(jWSAlgorithm, jWKSource);
    }

    protected JWKMatcher createJWKMatcher(JWSHeader jWSHeader) {
        if (!isAllowed(jWSHeader.getAlgorithm())) {
            return null;
        }
        Algorithm algorithm = jWSHeader.getAlgorithm();
        if (JWSAlgorithm.Family.RSA.contains(algorithm) || JWSAlgorithm.Family.EC.contains(algorithm)) {
            return new JWKMatcher.Builder().keyType(KeyType.forAlgorithm(algorithm)).keyUses(new KeyUse[]{KeyUse.SIGNATURE, null}).algorithms(new Algorithm[]{algorithm, null}).x509CertSHA256Thumbprint(jWSHeader.getX509CertSHA256Thumbprint()).build();
        }
        if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)) {
            return new JWKMatcher.Builder().keyType(KeyType.forAlgorithm(algorithm)).privateOnly(true).algorithms(new Algorithm[]{algorithm, null}).build();
        }
        if (JWSAlgorithm.Family.ED.contains(algorithm)) {
            return new JWKMatcher.Builder().keyType(KeyType.forAlgorithm(algorithm)).keyUses(new KeyUse[]{KeyUse.SIGNATURE, null}).algorithms(new Algorithm[]{algorithm, null}).curves(Curve.forJWSAlgorithm(algorithm)).build();
        }
        return null;
    }
}
