package net.shibboleth.oidc.security.credential.impl;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.AESDecrypter;
import com.nimbusds.jose.crypto.AESEncrypter;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.jose.SecretKeyDerivation;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import javax.annotation.Nonnull;
import javax.crypto.SecretKey;
import net.shibboleth.oidc.security.credential.DefaultClientSecretCredential;
import net.shibboleth.oidc.security.jose.criterion.ClientSecretCredentialCriterion;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/oidc/security/credential/impl/ClientSecretCriterionCredentialResolverTest.class */
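/**
 * Tests for {@code ClientSecretCriterionCredentialResolver}.
 *
 * <p>Each test builds a {@link CriteriaSet} around the same client secret and checks the symmetric key the
 * resolver returns for the requested usage and JOSE algorithms: its reported JCA algorithm, its length in
 * bytes and the usage type attached to the credential. Requests that do not carry enough information to
 * select a key are expected to fail with {@link ResolverException}.</p>
 */
public class ClientSecretCriterionCredentialResolverTest {

    /**
     * Test-only client secret fixture: 32 ASCII characters (256 bits), which is long enough for the HS256
     * {@link MACSigner} used in {@link #createdSignedJWT()}.
     */
    @Nonnull
    private static final String CLIENT_SECRET = "aPdSgVkXp2s5v8y/B?E(H+MbQeThWmZq";

    /** A signing request yields a 32-byte key reported with algorithm {@code "NONE"}. */
    @Test
    public void testResolveSigningKey() throws ResolverException {
        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        criteriaSet.add(new ClientSecretCredentialCriterion(new DefaultClientSecretCredential(CLIENT_SECRET)));

        final Credential credential = resolveFirstCredential(criteriaSet);
        // 32 bytes matches the length of the fixture secret itself.
        assertSecretKey(credential, "NONE", 32, UsageType.SIGNING);
    }

    /** An {@code UNSPECIFIED} usage is rejected even when both algorithm criteria are present. */
    @Test(expectedExceptions = {ResolverException.class})
    public void testResolveIncompatibleUsageType() throws ResolverException {
        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.UNSPECIFIED));
        criteriaSet.add(new ClientSecretCredentialCriterion(new DefaultClientSecretCredential(CLIENT_SECRET)));
        criteriaSet.add(new KeyManagmentAlgorithmCriterion(JWEAlgorithm.A128KW.getName()));
        criteriaSet.add(new DataEncryptionAlgorithmCriterion(EncryptionMethod.A128CBC_HS256.getName()));

        new ClientSecretCriterionCredentialResolver().resolve(criteriaSet);
    }

    /** An encryption request without a key-management algorithm fails instead of picking a default. */
    @Test(expectedExceptions = {ResolverException.class})
    public void testResolveNoKeyAlogrithmCriterion() throws ResolverException {
        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
        criteriaSet.add(new ClientSecretCredentialCriterion(new DefaultClientSecretCredential(CLIENT_SECRET)));
        criteriaSet.add(new DataEncryptionAlgorithmCriterion(EncryptionMethod.A128CBC_HS256.getName()));

        new ClientSecretCriterionCredentialResolver().resolve(criteriaSet);
    }

    /** An encryption request without a content-encryption method fails instead of picking a default. */
    @Test(expectedExceptions = {ResolverException.class})
    public void testResolveNoDataEncryptionAlogrithmCriterion() throws ResolverException {
        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
        criteriaSet.add(new ClientSecretCredentialCriterion(new DefaultClientSecretCredential(CLIENT_SECRET)));
        criteriaSet.add(new KeyManagmentAlgorithmCriterion(JWEAlgorithm.A128KW.getName()));

        new ClientSecretCriterionCredentialResolver().resolve(criteriaSet);
    }

    /** A128KW key wrapping yields a 16-byte AES key, independent of the content-encryption method's size. */
    @Test
    public void testResolveKeyWrappingKey() throws ResolverException {
        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
        criteriaSet.add(new ClientSecretCredentialCriterion(new DefaultClientSecretCredential(CLIENT_SECRET)));
        criteriaSet.add(new KeyManagmentAlgorithmCriterion(JWEAlgorithm.A128KW.getName()));
        criteriaSet.add(new DataEncryptionAlgorithmCriterion(EncryptionMethod.A128CBC_HS256.getName()));

        final Credential credential = resolveFirstCredential(criteriaSet);
        assertSecretKey(credential, "AES", 16, UsageType.ENCRYPTION);
    }

    /**
     * Round trip: a JWE encrypted with the resolver's A128KW key is decrypted with a key derived separately
     * by Nimbus {@link SecretKeyDerivation} from the same secret, so success shows both derivations agree.
     *
     * <p>The nested signed JWT is only read back (subject claim); its signature is not verified here.</p>
     */
    @Test
    public void testResolveKeyWrappingKey_Decrypts() throws Exception {
        final JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.A128KW, EncryptionMethod.A128GCM)
                .contentType("JWT")
                .keyID("mock-key")
                .build();
        final JWEObject jweObject = new JWEObject(header, new Payload(createdSignedJWT()));

        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
        criteriaSet.add(new ClientSecretCredentialCriterion(new DefaultClientSecretCredential(CLIENT_SECRET)));
        criteriaSet.add(new KeyManagmentAlgorithmCriterion(JWEAlgorithm.A128KW.getName()));
        criteriaSet.add(new DataEncryptionAlgorithmCriterion(EncryptionMethod.A128GCM.getName()));

        final Credential credential = resolveFirstCredential(criteriaSet);
        assertSecretKey(credential, "AES", 16, UsageType.ENCRYPTION);

        // Encrypt with the key under test ...
        jweObject.encrypt(new AESEncrypter(credential.getSecretKey()));
        final EncryptedJWT parsed = EncryptedJWT.parse(jweObject.serialize());

        // ... and decrypt with the reference derivation from the same client secret.
        final SecretKey referenceKey = SecretKeyDerivation.deriveSecretKey(
                new Secret(CLIENT_SECRET), JWEAlgorithm.A128KW, EncryptionMethod.A128GCM);
        parsed.decrypt(new AESDecrypter(referenceKey));

        // assertEquals reports the actual state on failure, unlike assertTrue(a == b).
        Assert.assertEquals(parsed.getState(), JWEObject.State.DECRYPTED);
        Assert.assertEquals(parsed.getPayload().toSignedJWT().getJWTClaimsSet().getSubject(), "jdoe");
    }

    /**
     * Builds the nested JWT used as JWE payload, signed with HS256 using the client secret as the MAC key.
     *
     * @return the signed JWT
     * @throws KeyLengthException if the secret is too short for the signer
     * @throws JOSEException if signing fails
     */
    private SignedJWT createdSignedJWT() throws KeyLengthException, JOSEException {
        final JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256)
                .type(JOSEObjectType.JWT)
                .keyID("mock-key")
                .build();
        final SignedJWT signedJWT = new SignedJWT(header, createClaims());
        signedJWT.sign(new MACSigner(CLIENT_SECRET));
        return signedJWT;
    }

    /**
     * Builds the fixed claim set for the nested JWT; it expires 120 seconds after creation.
     *
     * @return the claims
     */
    private JWTClaimsSet createClaims() {
        return new JWTClaimsSet.Builder()
                .issuer("https://localhost:9918")
                .audience(List.of("test-client"))
                .subject("jdoe")
                .claim("nonce", "abadnonce")
                .claim("azp", "test-client")
                .claim("name", "jdoe")
                .expirationTime(Date.from(Instant.now().plusSeconds(120L)))
                .build();
    }

    /** Direct encryption ({@code dir}) with A128CBC-HS256 yields a 32-byte AES key. */
    @Test
    public void testResolveDirectEncryptionKey() throws ResolverException {
        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new ClientSecretCredentialCriterion(new DefaultClientSecretCredential(CLIENT_SECRET)));
        criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
        criteriaSet.add(new KeyManagmentAlgorithmCriterion(JWEAlgorithm.DIR.getName()));
        criteriaSet.add(new DataEncryptionAlgorithmCriterion(EncryptionMethod.A128CBC_HS256.getName()));

        final Credential credential = resolveFirstCredential(criteriaSet);
        assertSecretKey(credential, "AES", 32, UsageType.ENCRYPTION);
    }

    /**
     * An asymmetric key-management algorithm (RSA-OAEP-256) cannot be served from a client secret; the
     * resolver is expected to return an empty, non-null result rather than a key or an exception.
     */
    @Test
    public void testIncompatibleAlg() throws ResolverException {
        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
        criteriaSet.add(new ClientSecretCredentialCriterion(new DefaultClientSecretCredential(CLIENT_SECRET)));
        criteriaSet.add(new KeyManagmentAlgorithmCriterion(JWEAlgorithm.RSA_OAEP_256.getName()));
        criteriaSet.add(new DataEncryptionAlgorithmCriterion(EncryptionMethod.A128CBC_HS256.getName()));

        final Iterable<?> resolved = new ClientSecretCriterionCredentialResolver().resolve(criteriaSet);
        Assert.assertNotNull(resolved);
        Assert.assertFalse(resolved.iterator().hasNext());
    }

    /**
     * Resolves with a fresh resolver and returns the first credential, asserting that one exists.
     *
     * @param criteriaSet criteria to resolve against
     * @return the first resolved credential, never {@code null}
     * @throws ResolverException if the resolver rejects the criteria
     */
    private static Credential resolveFirstCredential(final CriteriaSet criteriaSet) throws ResolverException {
        // A new resolver per call keeps tests independent of each other (no shared mutable field).
        final Iterable<?> resolved = new ClientSecretCriterionCredentialResolver().resolve(criteriaSet);
        Assert.assertNotNull(resolved);
        Assert.assertTrue(resolved.iterator().hasNext());
        final Credential credential = (Credential) resolved.iterator().next();
        Assert.assertNotNull(credential);
        return credential;
    }

    /**
     * Asserts the properties of the credential's secret key and its usage type.
     *
     * @param credential credential under test
     * @param expectedAlgorithm expected {@link SecretKey#getAlgorithm()} value
     * @param expectedLengthBytes expected length of {@link SecretKey#getEncoded()} in bytes
     * @param expectedUsage expected usage type of the credential
     */
    private static void assertSecretKey(final Credential credential, final String expectedAlgorithm,
            final int expectedLengthBytes, final UsageType expectedUsage) {
        final SecretKey secretKey = credential.getSecretKey();
        // Checked through TestNG so a missing key fails the test even when JVM assertions are disabled.
        Assert.assertNotNull(secretKey);
        Assert.assertEquals(secretKey.getAlgorithm(), expectedAlgorithm);
        Assert.assertEquals(secretKey.getEncoded().length, expectedLengthBytes);
        Assert.assertEquals(credential.getUsageType(), expectedUsage);
    }
}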
