package net.shibboleth.oidc.security.impl;

import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.credential.JOSEObjectCredentialResolver;
import net.shibboleth.oidc.security.jose.criterion.ClientInformationCriterion;
import net.shibboleth.shared.annotation.ParameterName;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.StringSupport;
import net.shibboleth.shared.resolver.CriteriaSet;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.CredentialResolver;
import org.opensaml.security.trust.TrustedCredentialTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/ClientInformationJWTTrustEngine.class */
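/**
 * Trust engine for signed JWTs that adds a signature-algorithm policy check on top of the
 * validation performed by {@link ExplicitKeySignedJWTTrustEngine}.
 *
 * <p>After the superclass has accepted the token, the {@code alg} value from the JWT header is
 * compared with the algorithm expected for the client. The expected value comes from the
 * {@link OIDCClientInformation} carried in a {@link ClientInformationCriterion} (via the configured
 * lookup strategy) and falls back to the configured default.</p>
 *
 * <p><b>Security note:</b> when neither the client information nor the default yields an expected
 * algorithm, the algorithm check is skipped and whatever algorithm the token declares is accepted.
 * Deployments that rely on this engine to pin the signing algorithm need a non-null default.</p>
 */
public class ClientInformationJWTTrustEngine extends ExplicitKeySignedJWTTrustEngine implements TrustedCredentialTrustEngine<SignedJWT> {
    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(ClientInformationJWTTrustEngine.class);

    /** Strategy that extracts the expected signature algorithm name from the client information. */
    @Nonnull
    private final Function<OIDCClientInformation, String> signatureAlgorithmLookupStrategy;

    /** Expected algorithm used when the client information supplies none; {@code null} disables the fallback. */
    @Nullable
    private final String defaultAlgorithmValue;

    /**
     * Constructor.
     *
     * @param credentialResolver resolver handed to the superclass
     * @param jOSEObjectCredentialResolver JOSE object credential resolver handed to the superclass
     * @param function lookup strategy for the expected signature algorithm; must not be {@code null}
     * @param str default expected algorithm; trimmed, and treated as absent when {@code null} or blank
     */
    public ClientInformationJWTTrustEngine(
            @ParameterName(name = "resolver") @Nonnull CredentialResolver credentialResolver,
            @ParameterName(name = "JOSEObjectResolver") @Nonnull JOSEObjectCredentialResolver jOSEObjectCredentialResolver,
            @ParameterName(name = "signatureAlgorithmLookupStrategy") @Nonnull Function<OIDCClientInformation, String> function,
            @ParameterName(name = "defaultAlgorithmValue") @Nullable String str) {
        super(credentialResolver, jOSEObjectCredentialResolver);
        // Constraint.isNotNull returns its argument, so no raw (Function) cast is needed.
        this.signatureAlgorithmLookupStrategy = Constraint.isNotNull(function, "Signature algorithm lookup cannot be null");
        this.defaultAlgorithmValue = StringSupport.trimOrNull(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates the token with the superclass and then enforces the expected signature algorithm.
     *
     * @param signedJWT the token to validate
     * @param criteriaSet criteria for the validation; a {@link ClientInformationCriterion}, when
     *        present, supplies the client information used to look up the expected algorithm
     * @return {@code false} if the superclass rejects the token or the header algorithm differs from
     *         the expected one; {@code true} if they match or if no expected algorithm is defined
     * @throws SecurityException if the superclass validation raises it
     */
    @Override // net.shibboleth.oidc.security.impl.ExplicitKeySignedJWTTrustEngine, net.shibboleth.oidc.security.impl.BaseSignedJWTTrustEngine
    public boolean doValidate(@Nonnull SignedJWT signedJWT, @Nonnull CriteriaSet criteriaSet) throws SecurityException {
        // The algorithm policy is only consulted for tokens the superclass has already accepted.
        if (!super.doValidate(signedJWT, criteriaSet)) {
            return false;
        }

        final String tokenAlgorithm = signedJWT.getHeader().getAlgorithm().getName();

        final String expectedAlgorithm;
        if (criteriaSet.contains(ClientInformationCriterion.class)) {
            expectedAlgorithm = getExpectedAlgorithm((ClientInformationCriterion) criteriaSet.get(ClientInformationCriterion.class));
        } else {
            this.log.debug("No client information given, using default value {}", this.defaultAlgorithmValue);
            expectedAlgorithm = this.defaultAlgorithmValue;
        }

        if (expectedAlgorithm == null) {
            // Fail-open branch: with no expected value the token's own alg header is trusted as-is.
            this.log.debug("No expected algorithm defined, accepting {} from the token", tokenAlgorithm);
            return true;
        }

        // Exact, case-sensitive comparison of algorithm names.
        if (!tokenAlgorithm.equals(expectedAlgorithm)) {
            this.log.warn("The algorithnm specified in the token {} was not expected {}", tokenAlgorithm, expectedAlgorithm);
            return false;
        }
        this.log.debug("The algorithnm specified in the token was expected {}", tokenAlgorithm);
        return true;
    }

    /**
     * Resolves the signature algorithm expected for the client described by the criterion.
     *
     * @param clientInformationCriterion criterion carrying the client information
     * @return the trimmed algorithm name found via the lookup strategy, or the default value
     *         (possibly {@code null}) when the criterion holds no client information or the lookup
     *         yields {@code null} or a blank string
     */
    @Nullable
    protected String getExpectedAlgorithm(@Nonnull ClientInformationCriterion clientInformationCriterion) {
        final OIDCClientInformation oidcClientInformation = clientInformationCriterion.getOidcClientInformation();
        if (oidcClientInformation == null) {
            this.log.debug("No client information given, using default value {}", this.defaultAlgorithmValue);
            return this.defaultAlgorithmValue;
        }

        // Return the trimmed value, not the raw lookup result: the caller compares it with the
        // header algorithm using equals(), so a whitespace-padded metadata value would otherwise
        // never match and every token from that client would be rejected.
        final String metadataAlgorithm = StringSupport.trimOrNull(this.signatureAlgorithmLookupStrategy.apply(oidcClientInformation));
        if (metadataAlgorithm == null) {
            this.log.debug("No algorithm value specified in metadata, using default value {}", this.defaultAlgorithmValue);
            return this.defaultAlgorithmValue;
        }
        this.log.debug("Found the expected algorithm from metadata: {}", metadataAlgorithm);
        return metadataAlgorithm;
    }
}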
