package net.shibboleth.oidc.security.impl;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.credential.JWKCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/JWTSignatureValidationUtil.class */
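public final class JWTSignatureValidationUtil {

    /** Result returned when the signature cannot be checked at all because the validation setup is unusable. */
    @Nonnull
    private static final String INVALID_SECURITY_CONFIGURATION = "InvalidSecurityConfiguration";

    /** Class logger. */
    @Nonnull
    private static final Logger log = LoggerFactory.getLogger(JWTSignatureValidationUtil.class);

    /** Utility class; not instantiable. */
    private JWTSignatureValidationUtil() {
    }

    /**
     * Validates the signature of a JWT using the validation credentials carried by a security parameters context.
     *
     * <p>The context must hold signature signing parameters of type {@link OIDCSignatureValidationParameters} with a
     * non-empty credential list; anything else is reported as a configuration problem rather than as a bad token.</p>
     *
     * @param securityParametersContext context carrying the validation credentials, may be null
     * @param signedJWT the JWT whose signature is checked
     * @param str the result to return when no credential verifies the signature (typically an error event id)
     * @return {@code null} if a credential verified the signature; {@code "InvalidSecurityConfiguration"} if the
     *         context, its parameters or its credential list is unusable; otherwise {@code str}
     */
    @Nullable
    public static String validateSignature(@Nullable final SecurityParametersContext securityParametersContext,
            @Nonnull final SignedJWT signedJWT, @Nullable final String str) {
        if (securityParametersContext == null) {
            log.error("No security parameters context is available");
            return INVALID_SECURITY_CONFIGURATION;
        }
        // instanceof is false for null, so one check covers both an absent and a wrongly-typed parameters object.
        final Object signingParameters = securityParametersContext.getSignatureSigningParameters();
        if (!(signingParameters instanceof OIDCSignatureValidationParameters)) {
            log.error("No signature validation credentials available");
            return INVALID_SECURITY_CONFIGURATION;
        }
        final List<JWKCredential> credentials =
                ((OIDCSignatureValidationParameters) signingParameters).getValidationCredentials();
        // A null list is treated like an empty one instead of failing with an NPE.
        if (credentials == null || credentials.isEmpty()) {
            log.error("Unable to find any keys to validate given JWT signature");
            return INVALID_SECURITY_CONFIGURATION;
        }
        return validateSignature(credentials, signedJWT, str);
    }

    /**
     * Validates the signature of a JWT against a list of credentials, trying them in order until one verifies.
     *
     * <p>A credential is only tried when its declared algorithm equals the {@code alg} of the JWT header; the header
     * value is never used on its own to pick a verifier for an arbitrary key, which is what keeps a token from
     * steering verification onto a key of a different type (algorithm confusion). Credentials without a declared
     * algorithm are skipped.</p>
     *
     * @param list credentials to try, in order
     * @param signedJWT the JWT whose signature is checked
     * @param str the result to return when no credential verifies the signature
     * @return {@code null} if a credential verified the signature; {@code "InvalidSecurityConfiguration"} if no
     *         verifier could be built for a credential whose algorithm matched the header; otherwise {@code str}
     */
    @Nullable
    public static String validateSignature(@Nonnull final List<JWKCredential> list, @Nonnull final SignedJWT signedJWT,
            @Nullable final String str) {
        final JWSAlgorithm headerAlgorithm = signedJWT.getHeader().getAlgorithm();
        for (final JWKCredential credential : list) {
            if (!headerAlgorithm.equals(credential.getAlgorithm())) {
                // The credential's algorithm may be absent; log it as null rather than dereferencing it.
                log.debug("Credential alg {} not matching jwt header alg {}",
                        credential.getAlgorithm() != null ? credential.getAlgorithm().getName() : null,
                        headerAlgorithm.getName());
                continue;
            }
            try {
                final JWSVerifier verifier = initializeVerifier(headerAlgorithm, credential);
                if (verifier == null) {
                    log.error("No verifier for given JWT for alg {}", headerAlgorithm.getName());
                    return INVALID_SECURITY_CONFIGURATION;
                }
                if (signedJWT.verify(verifier)) {
                    // The complete token is written at debug level; keep that in mind where token contents are sensitive.
                    log.debug("JWT {} verified using algorithm {} {}", signedJWT.serialize(), headerAlgorithm.getName(),
                            credential.getKid() != null ? "and key " + credential.getKid() : "");
                    return null;
                }
                log.debug("Unable to validate given JWT with credential, picking next key");
            } catch (final JOSEException | IllegalStateException e) {
                // A failure with one key is not fatal; the remaining credentials are still tried.
                log.warn("Exception caught when validating given JWT {}",
                        credential.getKid() != null ? "with credential " + credential.getKid() : "", e);
            }
        }
        log.error("Unable to validate given JWT with any of the credentials");
        return str;
    }

    /**
     * Builds the verifier matching an algorithm family from the key material held by a credential.
     *
     * <p>The key is checked against the family before it is used: an HMAC family algorithm needs a secret key, the
     * RSA and EC families need a public key of the corresponding type. A mismatch yields {@code null} instead of a
     * {@link ClassCastException} or {@link NullPointerException}, so the caller reports a configuration error.</p>
     *
     * @param algorithm the JWS algorithm the verifier must support
     * @param credential the credential supplying the key
     * @return a verifier, or {@code null} if the algorithm family is unsupported or the credential holds no key
     *         of the type that family requires
     * @throws JOSEException if the underlying verifier rejects the key
     */
    @Nullable
    private static JWSVerifier initializeVerifier(@Nonnull final Algorithm algorithm,
            @Nonnull final Credential credential) throws JOSEException {
        if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)) {
            if (credential.getSecretKey() == null) {
                log.debug("Credential for alg {} carries no secret key", algorithm.getName());
                return null;
            }
            return new MACVerifier(credential.getSecretKey());
        }
        if (JWSAlgorithm.Family.RSA.contains(algorithm)) {
            // instanceof is false for a null public key as well as for a key of another type.
            if (!(credential.getPublicKey() instanceof RSAPublicKey)) {
                log.debug("Credential for alg {} carries no RSA public key", algorithm.getName());
                return null;
            }
            return new RSASSAVerifier((RSAPublicKey) credential.getPublicKey());
        }
        if (JWSAlgorithm.Family.EC.contains(algorithm)) {
            if (!(credential.getPublicKey() instanceof ECPublicKey)) {
                log.debug("Credential for alg {} carries no EC public key", algorithm.getName());
                return null;
            }
            return new ECDSAVerifier((ECPublicKey) credential.getPublicKey());
        }
        return null;
    }
}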
