package net.shibboleth.oidc.security.impl;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.text.ParseException;
import java.util.Date;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.profile.core.OIDCAuthenticationRequest;
import net.shibboleth.oidc.security.impl.support.TestCredentialHelper;
import net.shibboleth.oidc.security.jose.SignatureSigningParameters;
import net.shibboleth.oidc.security.jose.context.SecurityParametersContext;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/SignJWTHandlerTest.class */
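/**
 * Unit tests for {@link SignJWTHandler}.
 *
 * <p>Each test installs a {@link SignatureSigningParameters} instance on the outbound message
 * context, runs the handler, and checks that the unsecured request object created in
 * {@link #setup()} has been replaced by a signed one.</p>
 *
 * <p>The success tests pin the <em>exact</em> {@code alg} header value rather than only the
 * algorithm family. RS256 and PS256 both belong to {@link JWSAlgorithm.Family#RSA}, so a
 * family-only check cannot tell whether the handler honoured the configured algorithm.</p>
 */
public class SignJWTHandlerTest extends AbstractHandlerTest {

    /**
     * Fixed client secret used as HMAC key material. Test fixture only; never reuse it outside
     * tests. It is 32 ASCII characters long, which presumably yields the 256 bits of key material
     * HS256 needs. The actual key encoding is decided by {@link TestCredentialHelper}.
     */
    @Nonnull
    private static final String CLIENT_SECRET = "Xp2s5v8y/B?E(H+MbQeThWmYq3t6w9z$";

    /** Issuer placed in the request object claims by {@link #setup()}. */
    private static final String TEST_ISSUER = "test-client";

    /** Audience placed in the request object claims by {@link #setup()}. */
    private static final String TEST_AUDIENCE = "test-op";

    /** Handler under test, recreated before every test method. */
    private SignJWTHandler signer;

    /** Outbound authentication request whose request object the handler is expected to sign. */
    private OIDCAuthenticationRequest request;

    /**
     * Builds a fresh handler and an outbound request carrying an unsecured ({@link PlainJWT})
     * request object.
     *
     * @throws Exception if the parent setup fails
     */
    @Override // net.shibboleth.oidc.security.impl.AbstractHandlerTest
    @BeforeMethod
    public void setup() throws Exception {
        super.setup();
        this.signer = new SignJWTHandler();
        this.signer.setLogName("Mock Token");
        // The claims to sign are taken from the request object already attached to the message.
        this.signer.setClaimsToSignLookupStrategy(messageContext -> {
            final OIDCAuthenticationRequest message = (OIDCAuthenticationRequest) messageContext.getMessage();
            try {
                assert message != null;
                final JWT requestObject = message.getRequestObject();
                assert requestObject != null;
                return requestObject.getJWTClaimsSet();
            } catch (final ParseException e) {
                // Keep the cause so a malformed fixture is diagnosable from the test report.
                Assert.fail("Unable to parse the claims of the request object", e);
                return null;
            }
        });
        // The signed JWT produced by the handler replaces the request object on the message.
        this.signer.setJwtUpdateConsumer((jwt, messageContext) -> {
            final OIDCAuthenticationRequest message = (OIDCAuthenticationRequest) messageContext.getMessage();
            assert message != null;
            message.setRequestObject(jwt);
        });
        this.request = new OIDCAuthenticationRequest(new ClientID(TEST_ISSUER));
        this.request.setRequestObject(new PlainJWT(new JWTClaimsSet.Builder()
                .issuer(TEST_ISSUER)
                .audience(TEST_AUDIENCE)
                .issueTime(new Date())
                .build()));
        this.prc.ensureOutboundMessageContext().setMessage(this.request);
    }

    /**
     * Signing with a client-secret credential and HS256 must yield an HS256 signed JWT.
     *
     * @throws Exception if the handler fails unexpectedly
     */
    @Test
    public void testSignHMAC_Success() throws Exception {
        final SignatureSigningParameters params = new SignatureSigningParameters();
        params.setSigningCredential(TestCredentialHelper.createClientSecretCredential(CLIENT_SECRET).toSigningCredential());
        params.setSignatureAlgorithm("HS256");
        invokeSigner(params);
        assertSignedWith(JWSAlgorithm.HS256);
    }

    /**
     * An asymmetric algorithm configured together with a symmetric (client secret) credential is a
     * key-type/algorithm mismatch and must be rejected by the handler instead of producing a JWT.
     *
     * @throws Exception the expected {@link MessageHandlerException}
     */
    @Test(expectedExceptions = {MessageHandlerException.class})
    public void testSignRS256_WrongCredentialType() throws Exception {
        final SignatureSigningParameters params = new SignatureSigningParameters();
        params.setSigningCredential(TestCredentialHelper.createClientSecretCredential(CLIENT_SECRET).toSigningCredential());
        params.setSignatureAlgorithm("RS256");
        invokeSigner(params);
    }

    /**
     * Signing with a freshly generated 2048-bit RSA key and RS256 must yield an RS256 signed JWT.
     *
     * @throws Exception if key generation or the handler fails unexpectedly
     */
    @Test
    public void testSignRS256_Success() throws Exception {
        final SignatureSigningParameters params = new SignatureSigningParameters();
        params.setSigningCredential(TestCredentialHelper.createAsymmetricSigningCredential(
                new RSAKeyGenerator(2048).keyID("1").keyUse(KeyUse.SIGNATURE).generate()));
        params.setSignatureAlgorithm("RS256");
        invokeSigner(params);
        assertSignedWith(JWSAlgorithm.RS256);
    }

    /**
     * Signing with a freshly generated P-256 key and ES256 must yield an ES256 signed JWT.
     *
     * @throws Exception if key generation or the handler fails unexpectedly
     */
    @Test
    public void testSignES256_Success() throws Exception {
        final SignatureSigningParameters params = new SignatureSigningParameters();
        params.setSigningCredential(TestCredentialHelper.createAsymmetricSigningCredential(
                new ECKeyGenerator(Curve.P_256).keyID("1").keyUse(KeyUse.SIGNATURE).generate()));
        params.setSignatureAlgorithm("ES256");
        invokeSigner(params);
        assertSignedWith(JWSAlgorithm.ES256);
    }

    /**
     * Signing with a freshly generated 2048-bit RSA key and PS256 must yield a PS256 signed JWT,
     * not merely some RSA-family signature.
     *
     * @throws Exception if key generation or the handler fails unexpectedly
     */
    @Test
    public void testSignPS256_Success() throws Exception {
        final SignatureSigningParameters params = new SignatureSigningParameters();
        params.setSigningCredential(TestCredentialHelper.createAsymmetricSigningCredential(
                new RSAKeyGenerator(2048).keyID("1").keyUse(KeyUse.SIGNATURE).generate()));
        params.setSignatureAlgorithm("PS256");
        invokeSigner(params);
        assertSignedWith(JWSAlgorithm.PS256);
    }

    /**
     * Attaches the signing parameters to the outbound message context, then initializes and
     * invokes the handler under test.
     *
     * @param params signing credential and algorithm the handler should use
     * @throws Exception if initialization or invocation fails; propagated so that
     *         {@code expectedExceptions} tests can observe it
     */
    private void invokeSigner(final SignatureSigningParameters params) throws Exception {
        final SecurityParametersContext securityParametersContext = new SecurityParametersContext();
        securityParametersContext.setSignatureSigningParameters(params);
        this.prc.ensureOutboundMessageContext().addSubcontext(securityParametersContext);
        this.signer.initialize();
        this.signer.invoke(this.prc.ensureOutboundMessageContext());
    }

    /**
     * Asserts that the request object is now a signed JWT carrying the expected algorithm, a
     * signature part, and the claims that were present before signing.
     *
     * @param expected the exact JWS algorithm the header must declare
     * @throws ParseException if the signed JWT payload cannot be parsed as a claims set
     */
    private void assertSignedWith(final JWSAlgorithm expected) throws ParseException {
        final JWT requestObject = this.request.getRequestObject();
        Assert.assertTrue(requestObject instanceof SignedJWT, "Request object was not replaced by a signed JWT");
        final SignedJWT signedJWT = (SignedJWT) requestObject;
        Assert.assertEquals(signedJWT.getHeader().getAlgorithm(), expected);
        Assert.assertNotNull(signedJWT.getSignature(), "Signed JWT carries no signature part");
        // Signing must not drop or replace the claims taken from the original request object.
        final JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
        Assert.assertEquals(claims.getIssuer(), TEST_ISSUER);
        Assert.assertTrue(claims.getAudience().contains(TEST_AUDIENCE));
    }
}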
