package net.shibboleth.oidc.security.impl;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Objects;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.CredentialConversionUtil;
import net.shibboleth.oidc.security.credential.JOSEObjectCredentialResolver;
import net.shibboleth.oidc.security.credential.JWKCredential;
import net.shibboleth.oidc.security.jose.criterion.JOSEObjectCriterion;
import net.shibboleth.oidc.security.jose.criterion.SignatureValidationParametersCriterion;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/BaseSignedJWTTrustEngine.class */
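/**
 * Base trust engine for {@link SignedJWT} tokens.
 *
 * <p>Evaluation has two stages. Candidate credentials are first derived from the token itself
 * through the configured {@link JOSEObjectCredentialResolver}; each candidate that verifies the
 * signature is then handed to {@link #evaluateTrust} so the subclass can decide whether that
 * credential is actually trusted. A credential that verifies the signature but is not trusted
 * does <em>not</em> make the token valid.</p>
 *
 * <p>Decompiler note: the constructor, {@link #validate(SignedJWT, Object)} and
 * {@link #verifySignature} are reported as originally {@code protected}; they are left
 * {@code public} here so that no existing caller breaks.</p>
 *
 * @param <TrustBasisType> type of the trust basis handed to {@link #evaluateTrust}
 */
public abstract class BaseSignedJWTTrustEngine<TrustBasisType> implements TrustEngine<SignedJWT> {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(BaseSignedJWTTrustEngine.class);

    /** Resolver producing candidate credentials from the token (queried with a {@link JOSEObjectCriterion}). */
    private final JOSEObjectCredentialResolver joseObjectCredentialResolver;

    /**
     * Constructor.
     *
     * @param jOSEObjectCredentialResolver resolver used to derive credentials from the token; may not be null
     */
    public BaseSignedJWTTrustEngine(@Nonnull final JOSEObjectCredentialResolver jOSEObjectCredentialResolver) {
        joseObjectCredentialResolver = Constraint.isNotNull(jOSEObjectCredentialResolver,
                "JOSEObject credential resolver cannot be null");
    }

    /**
     * {@inheritDoc}
     *
     * <p>When the criteria contain a {@link SignatureValidationParametersCriterion}, the token's
     * {@code alg} header is checked against that criterion's included/excluded algorithm lists and a
     * token whose algorithm fails the policy is rejected before any signature verification is
     * attempted. When no such criterion is present, no algorithm policy is enforced at this level and
     * the decision is delegated to {@link #doValidate} as-is.</p>
     *
     * @throws SecurityException if an argument is null, the criteria set is empty, or the subclass
     *         validation raises an error
     */
    @Override
    public boolean validate(@Nonnull final SignedJWT signedJWT, @Nonnull final CriteriaSet criteriaSet)
            throws SecurityException {
        checkParams(signedJWT, criteriaSet);

        final SignatureValidationParametersCriterion paramsCriterion =
                criteriaSet.get(SignatureValidationParametersCriterion.class);
        if (paramsCriterion != null) {
            log.debug("Performing signature algorithm include/exclude validation using params from CriteriaSet");
            final JWSAlgorithm alg = signedJWT.getHeader().getAlgorithm();
            // The JOSE algorithm name is used directly as the "URI" for the OpenSAML include/exclude check.
            if (!AlgorithmSupport.validateAlgorithmURI(alg.getName(),
                    paramsCriterion.getSignatureValidationParameters().getIncludedAlgorithms(),
                    paramsCriterion.getSignatureValidationParameters().getExcludedAlgorithms())) {
                log.warn("Algorithm failed include/exclude validation: {}", alg.getName());
                return false;
            }
        }
        return doValidate(signedJWT, criteriaSet);
    }

    /**
     * Subclass-specific validation, invoked after parameter checks and the optional algorithm policy
     * check have passed.
     *
     * @param signedJWT token to validate
     * @param criteriaSet criteria describing the trust basis
     * @return true iff the token's signature verifies and the verifying credential is trusted
     * @throws SecurityException if validation cannot be completed
     */
    protected abstract boolean doValidate(@Nonnull final SignedJWT signedJWT, @Nonnull final CriteriaSet criteriaSet)
            throws SecurityException;

    /**
     * Verifies the signature with token-derived credentials and establishes trust in the credential
     * that verified it.
     *
     * <p>Candidates are tried in resolver order; the first one that both verifies the signature and is
     * accepted by {@link #evaluateTrust} yields {@code true}. A candidate that verifies the signature but
     * is not trusted is skipped and the remaining candidates are still tried.</p>
     *
     * @param signedJWT token to validate
     * @param trustbasistype trust basis passed through to {@link #evaluateTrust}; may be null
     * @return true iff some token-derived credential verifies the signature and is trusted
     * @throws SecurityException if credential resolution or trust evaluation fails with an error
     */
    public boolean validate(@Nonnull final SignedJWT signedJWT, @Nullable final TrustBasisType trustbasistype)
            throws SecurityException {
        log.debug("Attempting to verify signature and establish trust using token-derived credentials");

        final Collection<Credential> candidates = resolveTokenCredentials(signedJWT);
        if (candidates.isEmpty()) {
            log.debug("SignedJWT contained no resolveable credentials, nothing to evaluate");
        } else {
            log.debug("Resolved {} token-derived credentials", candidates.size());
            for (final Credential candidate : candidates) {
                if (!verifySignature(signedJWT, candidate)) {
                    continue;
                }
                log.debug("Successfully verified signature using token-derived credential");
                log.debug("Attempting to establish trust of token-derived credential");
                if (evaluateTrust(candidate, trustbasistype)) {
                    log.debug("Successfully established trust of token-derived credential");
                    return true;
                }
                log.debug("Failed to establish trust of token-derived credential");
            }
        }

        log.debug("Failed to verify signature and/or establish trust using any token-derived credentials");
        return false;
    }

    /**
     * Verifies the token's signature with a single candidate credential.
     *
     * <p>A verifier is only built when the credential's key material matches the token's algorithm
     * family (see {@link #initializeVerifier}); otherwise the credential is rejected without any
     * cryptographic operation. Failures inside the JOSE library are logged at WARN and reported as
     * {@code false} rather than propagated.</p>
     *
     * @param signedJWT token whose signature is checked
     * @param credential candidate credential
     * @return true iff the signature verifies with this credential
     * @throws SecurityException declared for subclass overrides; not thrown by this implementation
     */
    public boolean verifySignature(@Nonnull final SignedJWT signedJWT, @Nonnull final Credential credential)
            throws SecurityException {
        try {
            final JWSAlgorithm alg = signedJWT.getHeader().getAlgorithm();
            final JWSVerifier verifier = initializeVerifier(alg, credential);
            if (verifier == null) {
                log.debug("No verifier for given JWT and Credential pair for alg {}", alg.getName());
                return false;
            }
            if (!signedJWT.verify(verifier)) {
                log.debug("Unable to validate given JWT with credential '{}'",
                        CredentialConversionUtil.resolveKid(credential));
                return false;
            }
            if (log.isDebugEnabled()) {
                final String kid = kidOf(credential);
                // NOTE: this writes the complete serialized token (header, claims and signature) to the
                // log at DEBUG; keep DEBUG disabled for this class wherever tokens must not reach log files.
                log.debug("Verified JWT using algorithm {}{}: {} ", alg.getName(),
                        kid != null ? " and key " + kid : "", signedJWT.serialize());
            }
            log.debug("Signature validation using candidate credential was successful");
            return true;
        } catch (final JOSEException | IllegalStateException e) {
            final String kid = kidOf(credential);
            log.warn("Exception caught when validating given JWT{}", kid != null ? " with credential " + kid : "", e);
            return false;
        }
    }

    /**
     * Returns the key ID of a {@link JWKCredential}, or null for any other credential type.
     *
     * @param credential credential to inspect
     * @return the kid, or null
     */
    @Nullable
    private static String kidOf(@Nonnull final Credential credential) {
        return credential instanceof JWKCredential ? ((JWKCredential) credential).getKid() : null;
    }

    /**
     * Builds a verifier for the token's algorithm if, and only if, the credential holds key material
     * of the matching kind.
     *
     * <p>The pairing is deliberately strict: an HMAC algorithm is only honoured when the credential
     * carries a secret key, and RSA or EC algorithms only when it carries a public key of that exact
     * type. A token whose {@code alg} header names an HMAC algorithm therefore cannot be verified
     * against a credential that only holds an RSA or EC public key, since this method returns null for
     * that combination instead of feeding the public key into a MAC.</p>
     *
     * @param algorithm algorithm from the token header
     * @param credential candidate credential
     * @return a verifier, or null when the algorithm family and the credential's key material do not match
     * @throws JOSEException if the JOSE library cannot construct a verifier from the key
     */
    @Nullable
    private static JWSVerifier initializeVerifier(@Nonnull final Algorithm algorithm,
            @Nonnull final Credential credential) throws JOSEException {
        if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm) && credential.getSecretKey() != null) {
            return new MACVerifier(credential.getSecretKey());
        }
        if (JWSAlgorithm.Family.RSA.contains(algorithm) && credential.getPublicKey() instanceof RSAPublicKey) {
            return new RSASSAVerifier((RSAPublicKey) credential.getPublicKey());
        }
        if (JWSAlgorithm.Family.EC.contains(algorithm) && credential.getPublicKey() instanceof ECPublicKey) {
            return new ECDSAVerifier((ECPublicKey) credential.getPublicKey());
        }
        return null;
    }

    /**
     * Decides whether a credential that verified the token's signature is trusted.
     *
     * @param credential credential that verified the signature
     * @param trustbasistype trust basis; may be null
     * @return true iff the credential is trusted
     * @throws SecurityException if trust cannot be evaluated
     */
    protected abstract boolean evaluateTrust(@Nonnull final Credential credential,
            @Nullable final TrustBasisType trustbasistype) throws SecurityException;

    /**
     * Rejects null arguments and an empty criteria set.
     *
     * @param signedJWT token to validate
     * @param criteriaSet criteria describing the trust basis
     * @throws SecurityException if either argument is null or the criteria set is empty
     */
    protected void checkParams(@Nonnull final SignedJWT signedJWT, @Nonnull final CriteriaSet criteriaSet)
            throws SecurityException {
        if (signedJWT == null) {
            throw new SecurityException("SignedJWT cannot be null");
        }
        if (criteriaSet == null) {
            throw new SecurityException("Trust basis criteria set cannot be null");
        }
        if (criteriaSet.isEmpty()) {
            throw new SecurityException("Trust basis criteria set cannot be empty");
        }
    }

    /**
     * Resolves candidate credentials from the token via the configured resolver.
     *
     * @param signedJWT token to derive credentials from
     * @return the resolved credentials, possibly empty, never null
     * @throws SecurityException wrapping any {@link ResolverException}
     */
    @Nonnull
    protected Collection<Credential> resolveTokenCredentials(@Nonnull final SignedJWT signedJWT)
            throws SecurityException {
        final Collection<Credential> credentials = new ArrayList<>();
        try {
            final CriteriaSet criteria = new CriteriaSet(new JOSEObjectCriterion(signedJWT));
            joseObjectCredentialResolver.resolve(criteria).forEach(credentials::add);
        } catch (final ResolverException e) {
            throw new SecurityException("Error resolving credentials from JOSEObject", e);
        }
        return credentials;
    }
}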
