package net.shibboleth.oidc.security.credential.impl;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.Header;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObject;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.jwk.AsymmetricJWK;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.RSAKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.CredentialConversionUtil;
import net.shibboleth.oidc.security.credential.BasicJWKCredential;
import net.shibboleth.oidc.security.credential.ClientSecretCredential;
import net.shibboleth.oidc.security.credential.JOSEObjectCredentialResolver;
import net.shibboleth.oidc.security.credential.JWKCredential;
import net.shibboleth.oidc.security.jose.criterion.JOSEObjectCriterion;
import net.shibboleth.oidc.security.jose.criterion.KeyIdCriterion;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver;
import org.opensaml.security.criteria.UsageCriterion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/oidc/security/credential/impl/BasicJOSEObjectCredentialResolver.class */
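/**
 * Credential resolver that derives credentials from the header of the JOSE object supplied through a
 * {@link JOSEObjectCriterion}.
 *
 * <p>For both JWS and JWE headers only the embedded {@code jwk} header parameter is consulted, and a
 * credential is built from it when the key is an RSA or EC key. Subclasses may override
 * {@link #postProcess(CriteriaSet, JOSEObject, List)} to add further credentials (for example from a
 * key set) or to filter the list before it is returned.</p>
 *
 * <p>A key carried in the header was chosen by whoever produced the JOSE object. A credential resolved
 * from it therefore establishes no trust by itself; callers are expected to apply their own trust
 * evaluation to whatever this resolver returns.</p>
 */
public class BasicJOSEObjectCredentialResolver extends AbstractCriteriaFilteringCredentialResolver
        implements JOSEObjectCredentialResolver {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(BasicJOSEObjectCredentialResolver.class);

    /**
     * Resolves credentials from the header of the JOSE object carried in the criteria.
     *
     * @param criteriaSet criteria that must contain a {@link JOSEObjectCriterion} wrapping a JOSE object
     * @return the credentials built from the header after {@link #postProcess} has run, possibly empty
     * @throws ResolverException if no {@link JOSEObjectCriterion} or no JOSE object is present, or if the
     *         header is neither a {@link JWSHeader} nor a {@link JWEHeader}
     */
    @NonnullElements
    @Nonnull
    protected Iterable<Credential> resolveFromSource(@Nullable final CriteriaSet criteriaSet)
            throws ResolverException {
        final JOSEObjectCriterion criterion =
                criteriaSet == null ? null : criteriaSet.get(JOSEObjectCriterion.class);
        if (criterion == null) {
            log.error("No JOSEObject criteria supplied, resolver could not process");
            throw new ResolverException(
                    "Credential criteria set did not contain an instance of JOSEObjectCriterion");
        }

        final JOSEObject joseObject = criterion.getJOSEObject();
        if (joseObject == null) {
            throw new ResolverException("JOSEObjectCriterion did not contain an instance of JOSEObject");
        }

        final Header header = joseObject.getHeader();
        final List<Credential> credentials;
        if (header instanceof JWSHeader) {
            credentials = processJWSHeader((JWSHeader) header);
        } else if (header instanceof JWEHeader) {
            credentials = processJWEHeader((JWEHeader) header);
        } else {
            // A null header lands here too, so describe it without dereferencing it. The previous
            // message applied the null check to the concatenated string instead of the header.
            final String headerType = header == null ? "null" : header.getClass().getName();
            throw new ResolverException("Saw unknown JOSEObject header type: " + headerType);
        }

        postProcess(criteriaSet, joseObject, credentials);
        log.debug("A total of {} credentials were resolved from the JOSE headers", credentials.size());
        return credentials;
    }

    /**
     * Hook invoked after the header has been processed and before the credentials are returned.
     *
     * <p>The default implementation does nothing. Subclasses may add to, remove from or inspect
     * {@code list}.</p>
     *
     * @param criteriaSet the criteria passed to {@link #resolveFromSource(CriteriaSet)}
     * @param jOSEObject the JOSE object whose header was processed
     * @param list the mutable list of credentials resolved so far
     * @throws ResolverException if a subclass decides resolution cannot proceed
     */
    protected void postProcess(@Nullable final CriteriaSet criteriaSet, @Nonnull final JOSEObject jOSEObject,
            @Nonnull final List<Credential> list) throws ResolverException {
    }

    /**
     * Builds credentials from a JWS header.
     *
     * @param jWSHeader the header to inspect
     * @return a mutable list holding at most one credential, built from the {@code jwk} header parameter
     */
    @NonnullElements
    @Nonnull
    protected List<Credential> processJWSHeader(@Nonnull final JWSHeader jWSHeader) {
        return credentialsFromEmbeddedKey(jWSHeader.getJWK(), jWSHeader.getKeyID());
    }

    /**
     * Builds credentials from a JWE header.
     *
     * @param jWEHeader the header to inspect
     * @return a mutable list holding at most one credential, built from the {@code jwk} header parameter
     */
    @NonnullElements
    @Nonnull
    protected List<Credential> processJWEHeader(@Nonnull final JWEHeader jWEHeader) {
        return credentialsFromEmbeddedKey(jWEHeader.getJWK(), jWEHeader.getKeyID());
    }

    /**
     * Shared body of the two header processors: wraps the embedded key, if any, in a one-element list.
     *
     * @param embeddedKey the {@code jwk} header parameter, or null when absent
     * @param headerKeyId the {@code kid} header parameter, or null when absent
     * @return a new mutable list that is empty or holds the single credential built from the key
     */
    @Nonnull
    private List<Credential> credentialsFromEmbeddedKey(@Nullable final JWK embeddedKey,
            @Nullable final String headerKeyId) {
        final List<Credential> credentials = new ArrayList<>();
        if (embeddedKey != null) {
            final BasicJWKCredential credential = buildJWKCredential(embeddedKey, headerKeyId);
            if (credential != null) {
                credentials.add(credential);
            }
        }
        return credentials;
    }

    /**
     * Builds a public-key credential from a JWK.
     *
     * <p>Only EC and RSA keys are accepted. When a header {@code kid} is supplied it must equal the
     * key's own {@code kid}; a JWK without a {@code kid} cannot satisfy a header that has one.</p>
     *
     * @param jwk the key to convert
     * @param str the {@code kid} from the JOSE header, or null if the header carried none
     * @return the credential, or null if the key type is unsupported, the public key cannot be extracted,
     *         or the header {@code kid} does not match the key's {@code kid}
     */
    @Nullable
    protected BasicJWKCredential buildJWKCredential(@Nonnull final JWK jwk, @Nullable final String str) {
        final KeyType keyType = jwk.getKeyType();
        if (keyType != KeyType.EC && keyType != KeyType.RSA) {
            log.warn("Unsupported key type {} found from JWK", keyType);
            return null;
        }

        final BasicJWKCredential credential = new BasicJWKCredential();
        try {
            credential.setPublicKey(((AsymmetricJWK) jwk).toPublicKey());

            final String jwkKeyId = jwk.getKeyID();
            if (jwkKeyId != null) {
                credential.getKeyNames().add(jwkKeyId);
                credential.setKid(jwkKeyId);
            }
            if (jwk.getAlgorithm() != null) {
                credential.setAlgorithm(jwk.getAlgorithm());
            }
            // Reject a header whose 'kid' disagrees with the embedded key rather than silently
            // resolving a key the header did not actually name.
            if (str != null && !str.equals(credential.getKid())) {
                log.warn("Key ID in JOSE header does not match 'kid' in JWK");
                return null;
            }
            if (jwk.getKeyUse() != null) {
                credential.setUsageType(CredentialConversionUtil.getUsageType(jwk));
            }
            return credential;
        } catch (final JOSEException e) {
            log.warn("Could not parse public key from JWK", e);
            return null;
        }
    }

    /**
     * Extracts a key identifier from the criteria.
     *
     * <p>An {@link EvaluableKeyIDCredentialCriterion} takes precedence over a {@link KeyIdCriterion};
     * when the former is present its value is returned even if that value is null.</p>
     *
     * @param criteriaSet the criteria to inspect
     * @return the key identifier, or null if neither criterion is present or the chosen one has none
     */
    @Nullable
    public String extractKeyIdFromCriteria(@Nonnull final CriteriaSet criteriaSet) {
        final EvaluableKeyIDCredentialCriterion evaluable =
                criteriaSet.get(EvaluableKeyIDCredentialCriterion.class);
        if (evaluable != null) {
            return evaluable.getKeyId();
        }
        final KeyIdCriterion keyIdCriterion = criteriaSet.get(KeyIdCriterion.class);
        return keyIdCriterion != null ? keyIdCriterion.getKeyId() : null;
    }

    /**
     * Converts every RSA and EC key in a key set into a credential and adds it to {@code collection}.
     *
     * <p>Keys of other types are skipped silently; keys that fail conversion are skipped with a trace
     * log entry.</p>
     *
     * @param jWKSet the key set to read
     * @param collection the collection the credentials are added to
     */
    public void populateCredentialsFromKeySet(@Nonnull final JWKSet jWKSet,
            @Nonnull final Collection<Credential> collection) {
        for (final JWK jwk : jWKSet.getKeys()) {
            if (!(jwk instanceof RSAKey) && !(jwk instanceof ECKey)) {
                continue;
            }
            try {
                final Credential credential = CredentialConversionUtil.keyToCredential(jwk);
                if (credential == null) {
                    continue;
                }
                if (log.isTraceEnabled()) {
                    final String algSuffix =
                            jwk.getAlgorithm() != null ? ", and alg: " + jwk.getAlgorithm() : "";
                    log.trace("Found key '{}' of type '{}' with usage '{}' {}", jwk.getKeyID(),
                            jwk.getKeyType(), jwk.getKeyUse(), algSuffix);
                }
                collection.add(credential);
            } catch (final JOSEException e) {
                log.trace("Unable to convert key '{}' to credential", jwk.getKeyID(), e);
            }
        }
    }

    /**
     * Derives a symmetric credential from a client secret according to the requested usage.
     *
     * <p>For {@link UsageType#SIGNING} the secret's signing credential is returned. For
     * {@link UsageType#ENCRYPTION} the {@code alg} and {@code enc} criteria are required, and a
     * credential is only derived when {@code alg} is in {@link JWEAlgorithm.Family#SYMMETRIC}.</p>
     *
     * @param clientSecretCredential the client secret
     * @param criteriaSet criteria holding a {@link UsageCriterion} and, for encryption, a
     *        {@link KeyManagmentAlgorithmCriterion} and a {@link DataEncryptionAlgorithmCriterion}
     * @return the derived credential, or null if no usage criterion is present or an asymmetric
     *         key-management algorithm was requested
     * @throws ResolverException if the usage is neither signing nor encryption, a required encryption
     *         criterion is missing, or the secret cannot be turned into an encryption key
     */
    @Nullable
    public Credential deriveClientSecretCredential(@Nonnull final ClientSecretCredential clientSecretCredential,
            @Nonnull final CriteriaSet criteriaSet) throws ResolverException {
        final UsageCriterion usageCriterion = criteriaSet.get(UsageCriterion.class);
        if (usageCriterion == null) {
            log.trace("No usage type criterion supplied, unable to derive client_secret credential");
            return null;
        }

        final UsageType usage = usageCriterion.getUsage();
        if (usage == UsageType.SIGNING) {
            final JWKCredential signingCredential = clientSecretCredential.toSigningCredential();
            log.debug("Derived signing credential '{}'", signingCredential.getKeyNames());
            return signingCredential;
        }
        if (usage != UsageType.ENCRYPTION) {
            log.trace("Client secret could not be derived, unknown usage type '{}'", usage);
            throw new ResolverException("Unable to create key from client_secret, incompatible usage type");
        }

        final KeyManagmentAlgorithmCriterion algCriterion =
                criteriaSet.get(KeyManagmentAlgorithmCriterion.class);
        if (algCriterion == null) {
            throw new ResolverException(
                    "Credential criteria set did not contain an instance of KeyManagmentAlgorithmCriterion");
        }
        final DataEncryptionAlgorithmCriterion encCriterion =
                criteriaSet.get(DataEncryptionAlgorithmCriterion.class);
        if (encCriterion == null) {
            throw new ResolverException(
                    "Credential criteria set did not contain an instance of DataEncryptionAlgorithmCriterion");
        }

        final String alg = algCriterion.getAlgorithm();
        final String enc = encCriterion.getEncAlgorithm();
        // Parse once; the same value is used for the family check and for the derivation.
        final JWEAlgorithm keyManagementAlgorithm = JWEAlgorithm.parse(alg);
        if (!JWEAlgorithm.Family.SYMMETRIC.contains(keyManagementAlgorithm)) {
            log.trace("Asymmetric key requested, client_secret not appropriate");
            return null;
        }

        try {
            final JWKCredential encryptionCredential = clientSecretCredential.toEncryptionCredential(
                    keyManagementAlgorithm, EncryptionMethod.parse(enc));
            log.debug("Derived encryption credential '{}' from 'alg={}' and 'enc={}'",
                    encryptionCredential.getKeyNames(), alg, enc);
            return encryptionCredential;
        } catch (final JOSEException e) {
            // Keep the cause so the failure is diagnosable; the algorithm names carry no secret material.
            log.warn("Unable to derive symmetric encryption key from client_secret using 'alg={}' and 'enc={}'",
                    alg, enc, e);
            throw new ResolverException("Unable to create encryption key from client_secret", e);
        }
    }
}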
