package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.ECPrivateKey;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.credential.JWKCredential;
import net.shibboleth.oidc.security.impl.CredentialConversionUtil;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.security.credential.Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/AbstractSignJWTAction.class */
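/**
 * Base action that signs a JWT claims set supplied by the subclass and hands the signed JWT back to it.
 *
 * <p>The signing credential and the signature algorithm both come from the signature signing parameters
 * exposed by the parent class. The signer implementation (EC, RSA or HMAC) is selected from the algorithm
 * family, so the key material in the credential has to match that family.</p>
 */
public abstract class AbstractSignJWTAction extends AbstractOIDCSigningResponseAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AbstractSignJWTAction.class);

    /** Signing credential captured in {@link #doPreExecute(ProfileRequestContext)}; null until then. */
    @Nullable
    private Credential credential;

    /**
     * Runs the parent's pre-execute step and, if it succeeds, caches the signing credential.
     *
     * @param profileRequestContext current profile request context
     * @return {@code false} if the parent's pre-execute step failed, {@code true} otherwise
     */
    @Override
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        this.credential = getSignatureSigningParameters().getSigningCredential();
        return true;
    }

    /**
     * Builds the signer matching the family of the given algorithm.
     *
     * <p>Missing or mismatched key material is reported as a {@link JOSEException} so that
     * {@link #doExecute(ProfileRequestContext)} turns it into an {@code UnableToSign} event instead of
     * letting a {@link ClassCastException} or {@link NullPointerException} escape the action. Exception
     * messages name the algorithm only, never key material.</p>
     *
     * @param algorithm algorithm the JWT is going to be signed with
     * @return signer for the algorithm family
     * @throws JOSEException if there is no credential, the credential lacks a suitable key, the signer
     *             cannot be constructed, or the algorithm family is not EC, RSA or HMAC
     */
    private JWSSigner getSigner(Algorithm algorithm) throws JOSEException {
        final Credential signingCredential = this.credential;
        if (signingCredential == null) {
            throw new JOSEException("No signing credential available");
        }
        if (JWSAlgorithm.Family.EC.contains(algorithm)) {
            // Check the key type before casting: an EC algorithm configured against a non-EC (or absent)
            // private key must fail as a signing error, not as an unchecked ClassCastException.
            if (!(signingCredential.getPrivateKey() instanceof ECPrivateKey)) {
                throw new JOSEException(
                        "Signing credential does not hold an EC private key for algorithm " + algorithm.getName());
            }
            return new ECDSASigner((ECPrivateKey) signingCredential.getPrivateKey());
        }
        if (JWSAlgorithm.Family.RSA.contains(algorithm)) {
            if (signingCredential.getPrivateKey() == null) {
                throw new JOSEException(
                        "Signing credential does not hold a private key for algorithm " + algorithm.getName());
            }
            return new RSASSASigner(signingCredential.getPrivateKey());
        }
        if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)) {
            if (signingCredential.getSecretKey() == null) {
                throw new JOSEException(
                        "Signing credential does not hold a secret key for algorithm " + algorithm.getName());
            }
            return new MACSigner(signingCredential.getSecretKey());
        }
        throw new JOSEException("Unsupported algorithm " + algorithm.getName());
    }

    /**
     * Resolves the JWS algorithm from the signature signing parameters.
     *
     * <p>If the credential is a {@link JWKCredential} whose own algorithm differs from the configured
     * one, the difference is only logged at debug level; the configured algorithm is still returned
     * and used for signing.</p>
     *
     * <p>NOTE(review): a null signature algorithm in the signing parameters is not handled here;
     * confirm that the parent's pre-execute step guarantees one is set.</p>
     *
     * @return algorithm named by the signature signing parameters
     */
    protected JWSAlgorithm resolveAlgorithm() {
        final JWSAlgorithm algorithm = new JWSAlgorithm(getSignatureSigningParameters().getSignatureAlgorithm());
        if (this.credential instanceof JWKCredential) {
            // getAlgorithm() is declared on JWKCredential, not on Credential, so the cast is required.
            final Algorithm jwkAlgorithm = ((JWKCredential) this.credential).getAlgorithm();
            if (!algorithm.equals(jwkAlgorithm)) {
                this.log.debug("{} Signature signing algorithm {} differs from JWK algorithm {}", getLogPrefix(),
                        algorithm.getName(), jwkAlgorithm);
            }
        }
        this.log.debug("{} Algorithm resolved {}", getLogPrefix(), algorithm.getName());
        return algorithm;
    }

    /**
     * Receives the signed JWT produced by {@link #doExecute(ProfileRequestContext)}.
     *
     * @param signedJWT the signed JWT
     */
    protected abstract void setSignedJWT(@Nullable SignedJWT signedJWT);

    /**
     * Supplies the claims set to sign.
     *
     * @return claims set to sign
     */
    @Nonnull
    protected abstract JWTClaimsSet getClaimsSetToSign();

    /**
     * Signs the claims set and passes the result to {@link #setSignedJWT(SignedJWT)}.
     *
     * <p>On any {@link JOSEException} the error is logged and an {@code UnableToSign} event is built;
     * {@link #setSignedJWT(SignedJWT)} is not called in that case.</p>
     *
     * @param profileRequestContext current profile request context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        final JWTClaimsSet claimsSetToSign = getClaimsSetToSign();
        if (claimsSetToSign == null) {
            this.log.debug("Claim set is null, nothing to do");
            return;
        }
        try {
            final JWSAlgorithm algorithm = resolveAlgorithm();
            // Build the signer first so that a missing or unsuitable key fails before the header is built.
            final JWSSigner signer = getSigner(algorithm);
            final JWSHeader header = new JWSHeader.Builder(algorithm)
                    .keyID(CredentialConversionUtil.resolveKid(this.credential))
                    .build();
            final SignedJWT signedJWT = new SignedJWT(header, claimsSetToSign);
            signedJWT.sign(signer);
            setSignedJWT(signedJWT);
        } catch (JOSEException e) {
            // Trailing throwable keeps the stack trace in the log alongside the formatted message.
            this.log.error("{} Error signing claim set: {}", getLogPrefix(), e.getMessage(), e);
            ActionSupport.buildEvent(profileRequestContext, "UnableToSign");
        }
    }
}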
