package net.shibboleth.idp.plugin.oidc.op.security.impl;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.Iterator;
import java.util.List;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import net.shibboleth.idp.plugin.oidc.op.criterion.ClientInformationCriterion;
import net.shibboleth.oidc.security.credential.BasicJWKCredential;
import net.shibboleth.oidc.security.impl.OIDCDecryptionParameters;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.EncryptionConfiguration;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.criterion.EncryptionOptionalCriterion;
import org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/security/impl/OIDCClientInformationEncryptionParametersResolver.class */
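/**
 * An {@link EncryptionParameters} resolver that honours the JWE algorithms a relying party registered in its
 * OIDC client metadata.
 *
 * <p>Depending on the configured {@link ParameterType} the resolver reads the client's
 * {@code request_object_encryption_alg/enc}, {@code id_token_encryption_alg/enc} or
 * {@code userinfo_encryption_alg/enc} pair. A requested algorithm is only honoured when it also appears in the
 * deployer's effective algorithm lists (after the include/exclude predicate), so client metadata can never
 * enable an algorithm the deployment has disabled. Whenever the client information cannot be used, resolution
 * falls back to the superclass behaviour, which is driven purely by the {@link EncryptionConfiguration}s in the
 * criteria.
 *
 * <p>Key material: for symmetric ({@code A*KW} / {@code A*GCMKW}) algorithms the wrapping key is derived from the
 * client secret; for RSA and ECDH-ES the public key is taken from the client's JWK set (encryption) or the private
 * key from the configured key-transport credentials (request-object decryption).
 *
 * <p>{@link #setParameterType(ParameterType)} is expected to be called once at configuration time; the field it
 * sets is not synchronised.
 */
public class OIDCClientInformationEncryptionParametersResolver extends BasicEncryptionParametersResolver {

    /** Content-encryption method assumed when the client registered an {@code alg} but no {@code enc}. */
    @Nonnull private static final EncryptionMethod DEFAULT_ENCRYPTION_METHOD = EncryptionMethod.A128CBC_HS256;

    /** Digest used to derive a symmetric wrapping key from the client secret. */
    @Nonnull private static final String KEY_DERIVATION_DIGEST = "SHA-256";

    /** Class logger. */
    @Nonnull private final Logger log =
            LoggerFactory.getLogger(OIDCClientInformationEncryptionParametersResolver.class);

    /** Which of the client's registered JWE algorithm pairs drives resolution. */
    @Nonnull private ParameterType target = ParameterType.IDTOKEN_ENCRYPTION;

    /** The client-metadata algorithm pair a resolver instance consults. */
    public enum ParameterType {
        /** Decrypt request objects ({@code request_object_encryption_*}) with the deployer's private keys. */
        REQUEST_OBJECT_DECRYPTION,
        /** Encrypt ID Tokens ({@code id_token_encryption_*}) for the client's JWK set. */
        IDTOKEN_ENCRYPTION,
        /** Encrypt UserInfo responses ({@code userinfo_encryption_*}) for the client's JWK set. */
        USERINFO_ENCRYPTION
    }

    /**
     * Sets which client-metadata algorithm pair this resolver consults.
     *
     * @param parameterType the parameter type, never null
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if null is passed
     */
    public void setParameterType(@Nonnull final ParameterType parameterType) {
        // Fail here rather than with an NPE inside the switch on target during resolution.
        target = Constraint.isNotNull(parameterType, "ParameterType cannot be null");
    }

    /**
     * Resolves a single set of encryption parameters for the supplied criteria.
     *
     * <p>For {@link ParameterType#REQUEST_OBJECT_DECRYPTION} the result is an {@link OIDCDecryptionParameters}
     * instance so that every candidate decryption credential can be carried alongside the primary one.
     *
     * @param criteriaSet the criteria; must contain an {@link EncryptionConfigurationCriterion}
     * @return the resolved parameters, or null if they do not pass {@code validate}
     * @throws ResolverException if resolution fails
     */
    @Override
    @Nullable
    public EncryptionParameters resolveSingle(@Nonnull final CriteriaSet criteriaSet) throws ResolverException {
        Constraint.isNotNull(criteriaSet, "CriteriaSet was null");
        Constraint.isNotNull(criteriaSet.get(EncryptionConfigurationCriterion.class),
                "Resolver requires an instance of EncryptionConfigurationCriterion");

        final Predicate<String> includeExcludePredicate = getIncludeExcludePredicate(criteriaSet);
        final EncryptionParameters params = target == ParameterType.REQUEST_OBJECT_DECRYPTION
                ? new OIDCDecryptionParameters()
                : new EncryptionParameters();
        resolveAndPopulateCredentialsAndAlgorithms(params, criteriaSet, includeExcludePredicate);

        final EncryptionOptionalCriterion optionalCriterion = criteriaSet.get(EncryptionOptionalCriterion.class);
        final boolean encryptionOptional = optionalCriterion != null && optionalCriterion.isEncryptionOptional();
        if (!validate(params, encryptionOptional)) {
            return null;
        }
        logResult(params);
        return params;
    }

    /**
     * Populates the parameters from the client's registered algorithms and key material, falling back to the
     * superclass (configuration-only) resolution whenever the client information is absent, asks for an algorithm
     * the deployment does not allow, or supplies no usable key.
     *
     * @param params the parameters to populate
     * @param criteriaSet the criteria; client data is read from a {@link ClientInformationCriterion}
     * @param includeExcludePredicate the deployer's algorithm include/exclude predicate
     */
    @Override
    protected void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull final EncryptionParameters params,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> includeExcludePredicate) {
        if (!criteriaSet.contains(ClientInformationCriterion.class)) {
            log.debug("No client criterion, nothing to do");
            resolveWithoutClientInformation(params, criteriaSet, includeExcludePredicate);
            return;
        }
        final OIDCClientInformation clientInformation =
                criteriaSet.get(ClientInformationCriterion.class).getOidcClientInformation();
        if (clientInformation == null) {
            log.debug("No client information, nothing to do");
            resolveWithoutClientInformation(params, criteriaSet, includeExcludePredicate);
            return;
        }
        if (!criteriaSet.contains(EncryptionConfigurationCriterion.class)) {
            log.debug("No encryption configuration criterion, nothing to do");
            resolveWithoutClientInformation(params, criteriaSet, includeExcludePredicate);
            return;
        }
        final List<EncryptionConfiguration> configurations =
                criteriaSet.get(EncryptionConfigurationCriterion.class).getConfigurations();
        if (configurations == null || configurations.isEmpty()) {
            log.debug("No encrypt configuration nothing to do");
            resolveWithoutClientInformation(params, criteriaSet, includeExcludePredicate);
            return;
        }

        final JWEAlgorithm alg = registeredKeyTransportAlgorithm(clientInformation);
        if (alg == null) {
            log.debug("No algorithm information in client information, nothing to do");
            // A client that registered no alg has not asked for encryption, so let validation accept an
            // unencrypted result. CriteriaSet is class-indexed, so only add the criterion when absent: a
            // criterion the caller supplied keeps its value.
            if (!criteriaSet.contains(EncryptionOptionalCriterion.class)) {
                criteriaSet.add(new EncryptionOptionalCriterion(true));
            }
            resolveWithoutClientInformation(params, criteriaSet, includeExcludePredicate);
            return;
        }
        final EncryptionMethod registeredEnc = registeredEncryptionMethod(clientInformation);
        final EncryptionMethod enc = registeredEnc != null ? registeredEnc : DEFAULT_ENCRYPTION_METHOD;

        // Deployer policy wins over client metadata: an alg/enc outside the effective lists is refused.
        final List<String> keyTransportAlgorithms =
                getEffectiveKeyTransportAlgorithms(criteriaSet, includeExcludePredicate);
        log.trace("Resolved effective key transport algorithms: {}", keyTransportAlgorithms);
        if (!keyTransportAlgorithms.contains(alg.getName())) {
            log.warn("Client requests key transport algorithm {} that is not available", alg.getName());
            resolveWithoutClientInformation(params, criteriaSet, includeExcludePredicate);
            return;
        }
        final List<String> dataEncryptionAlgorithms =
                getEffectiveDataEncryptionAlgorithms(criteriaSet, includeExcludePredicate);
        log.trace("Resolved effective data encryption algorithms: {}", dataEncryptionAlgorithms);
        if (!dataEncryptionAlgorithms.contains(enc.getName())) {
            log.warn("Client requests encryption algorithm {} that is not available", enc.getName());
            resolveWithoutClientInformation(params, criteriaSet, includeExcludePredicate);
            return;
        }

        final boolean populated;
        if (JWEAlgorithm.Family.SYMMETRIC.contains(alg)) {
            populated = populateSymmetricCredential(params, clientInformation, alg, enc);
        } else if (target == ParameterType.REQUEST_OBJECT_DECRYPTION) {
            populated = populateFromConfiguredCredentials(params, configurations, alg, enc);
        } else {
            populated = populateFromClientKeySet(params, clientInformation, alg, enc);
        }
        if (!populated) {
            log.debug("Not able to resolve credentials based on provided client information");
            resolveWithoutClientInformation(params, criteriaSet, includeExcludePredicate);
        }
    }

    /**
     * Delegates to the superclass resolution, which ignores client information entirely.
     *
     * @param params the parameters to populate
     * @param criteriaSet the criteria
     * @param includeExcludePredicate the algorithm include/exclude predicate
     */
    private void resolveWithoutClientInformation(@Nonnull final EncryptionParameters params,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> includeExcludePredicate) {
        super.resolveAndPopulateCredentialsAndAlgorithms(params, criteriaSet, includeExcludePredicate);
    }

    /**
     * Reads the key-transport ({@code alg}) value the client registered for the configured parameter type.
     *
     * @param clientInformation the client information
     * @return the registered algorithm, or null if the client registered none
     */
    @Nullable
    private JWEAlgorithm registeredKeyTransportAlgorithm(@Nonnull final OIDCClientInformation clientInformation) {
        switch (target) {
            case REQUEST_OBJECT_DECRYPTION:
                return clientInformation.getOIDCMetadata().getRequestObjectJWEAlg();
            case USERINFO_ENCRYPTION:
                return clientInformation.getOIDCMetadata().getUserInfoJWEAlg();
            default:
                return clientInformation.getOIDCMetadata().getIDTokenJWEAlg();
        }
    }

    /**
     * Reads the content-encryption ({@code enc}) value the client registered for the configured parameter type.
     *
     * @param clientInformation the client information
     * @return the registered encryption method, or null if the client registered none
     */
    @Nullable
    private EncryptionMethod registeredEncryptionMethod(@Nonnull final OIDCClientInformation clientInformation) {
        switch (target) {
            case REQUEST_OBJECT_DECRYPTION:
                return clientInformation.getOIDCMetadata().getRequestObjectJWEEnc();
            case USERINFO_ENCRYPTION:
                return clientInformation.getOIDCMetadata().getUserInfoJWEEnc();
            default:
                return clientInformation.getOIDCMetadata().getIDTokenJWEEnc();
        }
    }

    /**
     * Builds a symmetric key-wrapping credential from the client secret.
     *
     * @param params the parameters to populate
     * @param clientInformation the client information supplying the secret
     * @param alg the symmetric JWE algorithm
     * @param enc the content-encryption method
     * @return true if the parameters were populated, false if the caller should fall back
     */
    private boolean populateSymmetricCredential(@Nonnull final EncryptionParameters params,
            @Nonnull final OIDCClientInformation clientInformation, @Nonnull final JWEAlgorithm alg,
            @Nonnull final EncryptionMethod enc) {
        final Secret secret = clientInformation.getSecret();
        if (secret == null) {
            log.warn("No client secret available");
            return false;
        }
        final BasicJWKCredential credential = new BasicJWKCredential();
        credential.setAlgorithm(alg);
        try {
            credential.setSecretKey(generateSymmetricKey(secret.getValueBytes(), alg));
        } catch (final NoSuchAlgorithmException e) {
            log.warn("Unable to generate secret key: {}", e.getMessage());
            return false;
        }
        if (params instanceof OIDCDecryptionParameters) {
            ((OIDCDecryptionParameters) params).getKeyTransportDecryptionCredentials().add(credential);
        }
        applySelection(params, credential, alg, enc);
        return true;
    }

    /**
     * Selects the first key in the client's JWK set that fits the requested asymmetric algorithm and wraps its
     * public key as the key-transport credential.
     *
     * @param params the parameters to populate
     * @param clientInformation the client information supplying the JWK set
     * @param alg the RSA or ECDH-ES JWE algorithm
     * @param enc the content-encryption method
     * @return true if the parameters were populated, false if the caller should fall back
     */
    private boolean populateFromClientKeySet(@Nonnull final EncryptionParameters params,
            @Nonnull final OIDCClientInformation clientInformation, @Nonnull final JWEAlgorithm alg,
            @Nonnull final EncryptionMethod enc) {
        final JWKSet keySet = clientInformation.getOIDCMetadata().getJWKSet();
        if (keySet == null) {
            log.warn("No keyset available");
            return false;
        }
        for (final JWK jwk : keySet.getKeys()) {
            if (!isUsableForKeyTransport(jwk, alg)) {
                continue;
            }
            final BasicJWKCredential credential = new BasicJWKCredential();
            credential.setAlgorithm(alg);
            credential.setKid(jwk.getKeyID());
            try {
                if (KeyType.RSA.equals(jwk.getKeyType())) {
                    credential.setPublicKey(((RSAKey) jwk).toPublicKey());
                } else {
                    credential.setPublicKey(((ECKey) jwk).toPublicKey());
                }
            } catch (final JOSEException e) {
                // The first eligible key is unusable; fall back rather than trying the next one.
                log.warn("Unable to parse keyset: {}", e.getMessage());
                return false;
            }
            log.debug("Selected key {} for alg {} and enc {}", jwk.getKeyID(), alg.getName(), enc.getName());
            applySelection(params, credential, alg, enc);
            return true;
        }
        return false;
    }

    /**
     * Selects the deployer's configured private keys that fit the requested asymmetric algorithm. For
     * {@link OIDCDecryptionParameters} every matching key is collected as a decryption candidate and the last
     * one also becomes the key-transport credential; for plain parameters the first match is used.
     *
     * @param params the parameters to populate
     * @param configurations the encryption configurations supplying key-transport credentials
     * @param alg the RSA or ECDH-ES JWE algorithm
     * @param enc the content-encryption method
     * @return true if at least one credential was selected, false if the caller should fall back
     */
    private boolean populateFromConfiguredCredentials(@Nonnull final EncryptionParameters params,
            @Nonnull final List<EncryptionConfiguration> configurations, @Nonnull final JWEAlgorithm alg,
            @Nonnull final EncryptionMethod enc) {
        boolean found = false;
        for (final EncryptionConfiguration configuration : configurations) {
            for (final Credential credential : configuration.getKeyTransportEncryptionCredentials()) {
                if (!hasMatchingPrivateKey(credential, alg)) {
                    continue;
                }
                log.debug("Picked key for alg {} and enc {}", alg.getName(), enc.getName());
                applySelection(params, credential, alg, enc);
                if (!(params instanceof OIDCDecryptionParameters)) {
                    return true;
                }
                ((OIDCDecryptionParameters) params).getKeyTransportDecryptionCredentials().add(credential);
                found = true;
            }
        }
        return found;
    }

    /**
     * Records the chosen credential and algorithm names on the parameters.
     *
     * @param params the parameters to populate
     * @param credential the key-transport credential
     * @param alg the key-transport algorithm
     * @param enc the content-encryption method
     */
    private static void applySelection(@Nonnull final EncryptionParameters params,
            @Nonnull final Credential credential, @Nonnull final JWEAlgorithm alg,
            @Nonnull final EncryptionMethod enc) {
        params.setKeyTransportEncryptionCredential(credential);
        params.setKeyTransportEncryptionAlgorithm(alg.getName());
        params.setDataEncryptionAlgorithm(enc.getName());
    }

    /**
     * Whether a client JWK may be used for key transport with the given algorithm: keys marked for signature
     * only are never used, and the key type must match the algorithm family.
     *
     * @param jwk the candidate key
     * @param alg the key-transport algorithm
     * @return true if the key is eligible
     */
    private static boolean isUsableForKeyTransport(@Nonnull final JWK jwk, @Nonnull final JWEAlgorithm alg) {
        if (KeyUse.SIGNATURE.equals(jwk.getKeyUse())) {
            return false;
        }
        final KeyType keyType = jwk.getKeyType();
        return (JWEAlgorithm.Family.RSA.contains(alg) && KeyType.RSA.equals(keyType))
                || (JWEAlgorithm.Family.ECDH_ES.contains(alg) && KeyType.EC.equals(keyType));
    }

    /**
     * Whether a configured credential carries a private key of the type the algorithm family needs.
     *
     * @param credential the candidate credential
     * @param alg the key-transport algorithm
     * @return true if the credential's private key fits the algorithm
     */
    private static boolean hasMatchingPrivateKey(@Nonnull final Credential credential,
            @Nonnull final JWEAlgorithm alg) {
        return (JWEAlgorithm.Family.RSA.contains(alg) && credential.getPrivateKey() instanceof RSAPrivateKey)
                || (JWEAlgorithm.Family.ECDH_ES.contains(alg)
                        && credential.getPrivateKey() instanceof ECPrivateKey);
    }

    /**
     * Derives the AES key-wrapping key from the client secret as the left-most bytes of SHA-256(secret), the
     * client_secret-based derivation specified by OpenID Connect Core. The key is consequently no stronger than
     * the client secret it is derived from.
     *
     * @param secret the raw client secret bytes
     * @param alg the symmetric JWE algorithm that determines the key length
     * @return an AES key of 16, 24 or 32 bytes
     * @throws NoSuchAlgorithmException if the algorithm is not one of the supported AES KW / GCMKW variants, or
     *         the SHA-256 digest is unavailable
     */
    @Nonnull
    private static SecretKey generateSymmetricKey(@Nonnull final byte[] secret, @Nonnull final JWEAlgorithm alg)
            throws NoSuchAlgorithmException {
        final int keyLength;
        switch (alg.getName()) {
            case "A128KW":
            case "A128GCMKW":
                keyLength = 16;
                break;
            case "A192KW":
            case "A192GCMKW":
                keyLength = 24;
                break;
            case "A256KW":
            case "A256GCMKW":
                keyLength = 32;
                break;
            default:
                throw new NoSuchAlgorithmException(
                        "Implementation does not support generating key for " + alg.getName());
        }
        final byte[] digest = MessageDigest.getInstance(KEY_DERIVATION_DIGEST).digest(secret);
        return new SecretKeySpec(digest, 0, keyLength, "AES");
    }
}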
