package net.shibboleth.oidc.security.impl;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyException;
import java.text.ParseException;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.credential.BasicJWKCredential;
import net.shibboleth.oidc.security.credential.JOSEObjectCredentialResolver;
import net.shibboleth.oidc.security.credential.impl.BasicJOSEObjectCredentialResolver;
import net.shibboleth.oidc.security.impl.support.TestCredentialHelper;
import net.shibboleth.oidc.security.jose.SignatureValidationParameters;
import net.shibboleth.oidc.security.jose.criterion.SignatureValidationParametersCriterion;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.crypto.KeySupport;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/ExplicitKeySignedJWTTrustEngineTest.class */
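/**
 * Tests for {@link ExplicitKeySignedJWTTrustEngine}: a signed JWT must be accepted only when its
 * signature verifies under a credential obtained from the configured credential resolver, never
 * under key material the token itself supplies.
 *
 * <p>The negative cases cover the classic JWT trust failures: algorithm confusion where an RSA public
 * key is reused as an HMAC secret (CVE-2016-10555), trusting a key carried in the token's own
 * {@code jwk} header (CVE-2018-0114), a symmetric JWK embedded in the header, an unknown {@code kid},
 * and a signature that does not match the inline key.</p>
 */
public class ExplicitKeySignedJWTTrustEngineTest {

    /** Issuer placed in every token built by the helpers below. */
    private static final String ISSUER = "https://op.example.com/";

    /** Audience placed in every token built by the helpers below. */
    private static final String AUDIENCE = "https://rp.example.com";

    /**
     * Base64 DER SubjectPublicKeyInfo of an RSA public key. In the CVE-2016-10555 scenario an attacker
     * who knows the verifier's public key MACs a token with that key's bytes and labels it HS256,
     * hoping the verifier uses the public key as the HMAC secret.
     */
    @Nonnull
    private static final String CVE_2016_10555_SIGNING_CERT_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJSHqzkdHPY62Mvn80Wc\nvriYxHhh6N/x6mK0hd+J/awNqZm8se6LG0Pv35Xx1aftefLGnlgPho49Jf82NMT/\nMczlsHQesAFwotPr1rbqyvmNrbQTqxrAzoN2b5Cpu9ZPcFznOdtUWv+g+M/Xoqdp\nv8ZPXn1SMgfZJiGw+Mhdxyfv6TEAM8TUeqfYzVpuTmg/ns08ZsHmjxJIDlMrOt8o\n7cKDUK/kt0bfDDYZf5kjdFFF6qzZg0uo30L0qxLpJDr/OpLi904MP4H94rnWPXKE\nKu8Yx+aYhYITnq5yyPiJpyHfgDj6MVlA1vUWqB9MwlvKOywLNCFfDZj6+TCjzCJF\nXQIDAQAB";

    /**
     * HS256 token with header {@code {"kid":"mock-key","typ":"JWT","alg":"HS256"}} used by the
     * CVE-2016-10555 test. Presumably MAC'ed with the bytes of the public key above — the test only
     * relies on the engine rejecting it.
     */
    @Nonnull
    private static final String CVE_2016_10555_JWT = "eyJraWQiOiJtb2NrLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IkhTMjU2In0.eyJpc3MiOiJodHRwczovL29wLmV4YW1wbGUuY29tLyIsIm5hbWUiOiJKIERvZSIsImF1ZCI6Imh0dHBzOi8vcnAuZXhhbXBsZS5jb20iLCJzdWIiOiJqZG9lIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamRvZSJ9._7dbXz7UPiY0Hrfz7SffjjKp849-s696mAvlT-ihWB4";

    /** HS256 token whose header embeds an {@code "kty":"oct"} JWK, i.e. ships its own shared secret. */
    @Nonnull
    private static final String JWT_WITH_INLINE_SHARED_SECRET_JWK = "eyJraWQiOiIxMjMiLCJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp3ayI6eyJrdHkiOiJvY3QiLCJraWQiOiIxMjMiLCJrIjoiV0hBeWN6VjJPSGt2UWo5RktFZ3JUV0pSWlZSb1YyMVpjVE4wTm5jNWVpUSIsImFsZyI6IkhTMjU2In19.eyJpc3MiOiJodHRwczpcL1wvb3AuZXhhbXBsZS5jb21cLyIsIm5hbWUiOiJKIERvZSIsImF1ZCI6Imh0dHBzOlwvXC9ycC5leGFtcGxlLmNvbSIsInN1YiI6Impkb2UiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJqZG9lIn0.q0XGQTDjL2RPVY1DUswmBh7Q8D-vkJw0KruoUJbSU9c";

    /** 32-character client secret used for the HS256 cases. */
    private static final String CLIENT_SECRET = "Xp2s5v8y/B?E(H+MbQeThWmYq3t6w9z$";

    /** 64-character client secret used to mint the HS512 token in the key-size case. */
    private static final String CLIENT_SECRET_512 = "$B&E)H@McQfTjWnZr4u7w!z%C*F-JaNdRgUkXp2s5v8y/A?D(G+KbPeShVmYq3t6";

    /** Engine under test; rebuilt by tests that need a different credential resolver. */
    private ExplicitKeySignedJWTTrustEngine engine;

    /** Trusted P-256 key with kid "123", regenerated before every test. */
    private ECKey key;

    /** Source of trusted credentials handed to the engine. */
    private MockFunctionalCredentialResolver credResolver;

    /** Resolver that extracts key material from the JOSE object itself (inline jwk etc.). */
    private JOSEObjectCredentialResolver joseObjectCredResolver;

    /** Validation parameters (algorithm include/exclude lists, trust engine) carried in the criteria. */
    private SignatureValidationParameters params;

    /** Criteria passed to every {@code validate} call. */
    private CriteriaSet criteria;

    /**
     * Builds a fresh trusted EC key, a resolver that hands out its public half, and an engine wired to it.
     * The engine is created before it is registered on the parameters, so the parameters never carry a
     * null or stale engine from a previous test (the instance is reused across TestNG methods).
     */
    @BeforeMethod
    public void setup() throws JOSEException {
        this.key = new ECKeyGenerator(Curve.P_256).keyID("123").generate();
        this.credResolver = criteriaSet -> trustedECCredential();
        this.joseObjectCredResolver = new BasicJOSEObjectCredentialResolver();
        this.params = new SignatureValidationParameters();
        this.criteria = new CriteriaSet();
        this.criteria.add(new UsageCriterion(UsageType.SIGNING));
        this.criteria.add(new SignatureValidationParametersCriterion(this.params));
        useEngine(new ExplicitKeySignedJWTTrustEngine(this.credResolver, this.joseObjectCredResolver));
    }

    /**
     * Installs {@code newEngine} as the engine under test and keeps the validation parameters (which
     * travel inside {@link #criteria}) pointing at it.
     *
     * @param newEngine the engine to use for subsequent assertions
     */
    private void useEngine(@Nonnull final ExplicitKeySignedJWTTrustEngine newEngine) {
        this.engine = newEngine;
        this.params.setSignatureTrustEngine(newEngine);
    }

    /**
     * Wraps the public half of {@link #key} as a trusted signing credential.
     *
     * @return credential carrying the trusted EC public key and its kid
     */
    private Credential trustedECCredential() {
        final BasicJWKCredential trusted = new BasicJWKCredential();
        trusted.setAlgorithm(this.key.getAlgorithm());
        trusted.setKid(this.key.getKeyID());
        try {
            trusted.setPublicKey(this.key.toPublicKey());
        } catch (final JOSEException e) {
            Assert.fail("Could not extract public key from the test EC key: " + e.getMessage());
        }
        return trusted;
    }

    /**
     * Builds a symmetric signing credential from a client secret.
     *
     * @param secret the shared secret
     * @return the signing credential, or (after a failed assertion) null
     */
    private static Credential clientSecretCredential(@Nonnull final String secret) {
        try {
            return TestCredentialHelper.createClientSecretCredential(secret).toSigningCredential();
        } catch (final KeyException e) {
            Assert.fail("Could not build client secret credential: " + e.getMessage());
            return null;
        }
    }

    /**
     * Resolver that goes through the filtering base class and yields exactly one credential built from
     * {@link #CLIENT_SECRET}. The {@code resolveFromSource} override uses the test's own criteria so
     * the parameters registered in {@link #setup()} are applied during filtering.
     *
     * @return a filtering resolver for the HS256 client secret
     */
    private MockAbstractFunctionalCredentialResolver filteredClientSecretResolver() {
        return new MockAbstractFunctionalCredentialResolver() {
            @Override
            @Nullable
            public Credential resolveSingle(@Nullable final CriteriaSet criteriaSet) throws ResolverException {
                return clientSecretCredential(CLIENT_SECRET);
            }

            @Nonnull
            protected Iterable<Credential> resolveFromSource(@Nullable final CriteriaSet criteriaSet) throws ResolverException {
                final Credential single = resolveSingle(ExplicitKeySignedJWTTrustEngineTest.this.criteria);
                return single != null ? CollectionSupport.singletonList(single) : CollectionSupport.emptyList();
            }
        };
    }

    /** An ES256 token signed by the trusted key, with a matching kid, is accepted. */
    @Test
    public void testValid_WithTrustedCredential() throws JOSEException, SecurityException {
        final SignedJWT jwt = createECSignedJWT(this.key, this.key.getKeyID(), JWSAlgorithm.ES256, ISSUER, AUDIENCE);
        Assert.assertTrue(this.engine.validate(jwt, this.criteria));
    }

    /** An HS256 token MAC'ed with the resolved client secret is accepted. */
    @Test
    public void testValid_WithSymmetricKeyCredential() throws JOSEException, SecurityException {
        this.credResolver = criteriaSet -> clientSecretCredential(CLIENT_SECRET);
        useEngine(new ExplicitKeySignedJWTTrustEngine(this.credResolver, this.joseObjectCredResolver));
        final SignedJWT jwt = createMACSignedJWT(CLIENT_SECRET, this.key.getKeyID(), JWSAlgorithm.HS256, ISSUER, AUDIENCE);
        Assert.assertTrue(this.engine.validate(jwt, this.criteria));
    }

    /** Same as above, but through the filtering resolver and with no kid in the header. */
    @Test
    public void testValid_WithSymmetricKeyCredential_Filtered() throws JOSEException, SecurityException {
        this.credResolver = filteredClientSecretResolver();
        useEngine(new ExplicitKeySignedJWTTrustEngine(this.credResolver, this.joseObjectCredResolver));
        final SignedJWT jwt = createMACSignedJWT(CLIENT_SECRET, null, JWSAlgorithm.HS256, ISSUER, AUDIENCE);
        Assert.assertTrue(this.engine.validate(jwt, this.criteria));
    }

    /**
     * Negative case: an HS512 token over a 64-byte secret is rejected when the only trusted credential is
     * the 32-byte {@link #CLIENT_SECRET}.
     *
     * <p>NOTE(review): because the two secrets differ, the MAC would fail even without any key-size
     * filtering, so this test cannot tell "filtered out for size" from "wrong key". Presumably the
     * 32-byte secret is too short to mint an HS512 token with the Nimbus signer, which is why a separate
     * secret is used — confirm what the filtered resolver is meant to enforce here.</p>
     */
    @Test
    public void testValid_WithSymmetricKeyCredential_Filtered_WrongKeySize() throws JOSEException, SecurityException {
        this.credResolver = filteredClientSecretResolver();
        useEngine(new ExplicitKeySignedJWTTrustEngine(this.credResolver, this.joseObjectCredResolver));
        final SignedJWT jwt = createMACSignedJWT(CLIENT_SECRET_512, null, JWSAlgorithm.HS512, ISSUER, AUDIENCE);
        Assert.assertFalse(this.engine.validate(jwt, this.criteria));
    }

    /** Negative case: a token that would otherwise verify is rejected once its algorithm is excluded. */
    @Test
    public void testValid_WithSymmetricKeyCredential_JWSAlgorithm_Excluded() throws JOSEException, SecurityException {
        this.credResolver = criteriaSet -> clientSecretCredential(CLIENT_SECRET);
        useEngine(new ExplicitKeySignedJWTTrustEngine(this.credResolver, this.joseObjectCredResolver));
        this.params.setExcludedAlgorithms(List.of("HS256"));
        final SignedJWT jwt = createMACSignedJWT(CLIENT_SECRET, this.key.getKeyID(), JWSAlgorithm.HS256, ISSUER, AUDIENCE);
        Assert.assertFalse(this.engine.validate(jwt, this.criteria));
    }

    /**
     * Negative case: a token whose algorithm is not on the include list is rejected.
     *
     * <p>The resolver deliberately returns the correct secret, so the include list is the only reason
     * for the rejection. (Returning no credential at all would make the assertion pass vacuously and
     * prove nothing about the include list.)</p>
     */
    @Test
    public void testValid_WithSymmetricKeyCredential_JWSAlgorithm_NotIncluded() throws JOSEException, SecurityException {
        this.credResolver = criteriaSet -> clientSecretCredential(CLIENT_SECRET);
        useEngine(new ExplicitKeySignedJWTTrustEngine(this.credResolver, this.joseObjectCredResolver));
        this.params.setIncludedAlgorithms(List.of("HS512"));
        final SignedJWT jwt = createMACSignedJWT(CLIENT_SECRET, this.key.getKeyID(), JWSAlgorithm.HS256, ISSUER, AUDIENCE);
        Assert.assertFalse(this.engine.validate(jwt, this.criteria));
    }

    /**
     * CVE-2016-10555 (algorithm confusion): the trusted credential is an RSA public key, the token
     * claims HS256. A verifier that feeds the public key bytes into HMAC would accept it; the engine
     * must not. The credential's kid is set to the token's kid ("mock-key") so that a rejection cannot
     * be explained by a kid mismatch alone.
     */
    @Test
    public void testInvalid_CVE_2016_10555() throws Exception {
        this.credResolver = criteriaSet -> {
            final BasicJWKCredential rsaCredential = new BasicJWKCredential();
            rsaCredential.setAlgorithm(this.key.getAlgorithm());
            rsaCredential.setKid("mock-key");
            try {
                rsaCredential.setPublicKey(KeySupport.buildJavaRSAPublicKey(CVE_2016_10555_SIGNING_CERT_PUBLIC_KEY));
            } catch (final Exception e) {
                Assert.fail("Could not build RSA public key: " + e.getMessage());
            }
            return rsaCredential;
        };
        useEngine(new ExplicitKeySignedJWTTrustEngine(this.credResolver, this.joseObjectCredResolver));
        Assert.assertFalse(this.engine.validate(SignedJWT.parse(CVE_2016_10555_JWT), this.criteria));
    }

    /** An inline jwk that matches the resolver's trusted key is accepted. */
    @Test
    public void testValid_WithInlineJWK() throws JOSEException, SecurityException {
        final SignedJWT jwt = createECSignedJWTWithInlineJWK(this.key, this.key.getKeyID(), JWSAlgorithm.ES256, ISSUER, AUDIENCE);
        Assert.assertTrue(this.engine.validate(jwt, this.criteria));
    }

    /**
     * A header embedding an {@code oct} JWK carries the shared secret itself. The JOSE library refuses
     * to parse such a header, so the token never reaches the trust engine.
     */
    @Test(expectedExceptions = {ParseException.class})
    public void testInvalid_WithInlineSharedSecretJWK() throws Exception {
        SignedJWT.parse(JWT_WITH_INLINE_SHARED_SECRET_JWK);
    }

    /**
     * CVE-2018-0114: the token is validly signed by a key it embeds in its own header, with the same kid
     * as the trusted key. The embedded key is attacker-controlled and must not be trusted.
     */
    @Test
    public void testInvalid_WithUntrustedInlineJWK_CVE_2018_0114() throws JOSEException, SecurityException {
        final ECKey attackerKey = new ECKeyGenerator(Curve.P_256).keyID("123").generate();
        final SignedJWT jwt = createECSignedJWTWithInlineJWK(attackerKey, attackerKey.getKeyID(), JWSAlgorithm.ES256, ISSUER, AUDIENCE);
        Assert.assertFalse(this.engine.validate(jwt, this.criteria));
    }

    /**
     * Disabled. As written this would assert that a token with no matching trusted credential is
     * accepted on the strength of its own {@code jku} header, i.e. that the engine fetches keys from a
     * URL the token supplies. That is the same untrusted-key-source pattern rejected by
     * {@link #testInvalid_WithUntrustedInlineJWK_CVE_2018_0114}; re-enable only with a fixture that
     * shows the jku URL is constrained to a trusted source, and without live network access.
     */
    @Test(enabled = false)
    public void testValid_WithInlineJKU() throws JOSEException, SecurityException, URISyntaxException {
        this.credResolver = criteriaSet -> null;
        useEngine(new ExplicitKeySignedJWTTrustEngine(this.credResolver, this.joseObjectCredResolver));
        final SignedJWT jwt = createECSignedJWTWithJKU(this.key, this.key.getKeyID(), new URI("https://op.example.com/keys"), JWSAlgorithm.ES256, ISSUER, AUDIENCE);
        Assert.assertTrue(this.engine.validate(jwt, this.criteria));
    }

    /** With no trusted credentials at all, an inline jwk under an unknown kid is rejected. */
    @Test
    public void testInvalid_InlineJWKWrongKid() throws JOSEException, SecurityException {
        useEngine(new ExplicitKeySignedJWTTrustEngine(new MockEmptyListCredentialResolver(), this.joseObjectCredResolver));
        final SignedJWT jwt = createECSignedJWTWithInlineJWK(this.key, "WRONG-KID", JWSAlgorithm.ES256, ISSUER, AUDIENCE);
        Assert.assertFalse(this.engine.validate(jwt, this.criteria));
    }

    /** The header advertises the trusted key but the signature was made with a different one. */
    @Test
    public void testInvalid_InlineJWKInvalidSignature() throws JOSEException, SecurityException {
        final ECKey otherKey = new ECKeyGenerator(Curve.P_256).keyID("new").generate();
        final SignedJWT jwt = createECSignedJWTWithDifferentInlineJWK(this.key, this.key.getKeyID(), JWSAlgorithm.ES256, otherKey, ISSUER, AUDIENCE);
        Assert.assertFalse(this.engine.validate(jwt, this.criteria));
    }

    /**
     * Builds the fixed claim set shared by all test tokens.
     *
     * @param issuer value of the {@code iss} claim
     * @param audience value of the {@code aud} claim
     * @return claims with subject, preferred_username and name set to fixed test values
     */
    protected static JWTClaimsSet buildStandardClaims(final String issuer, final String audience) {
        return new JWTClaimsSet.Builder()
                .issuer(issuer)
                .audience(audience)
                .subject("jdoe")
                .claim("preferred_username", "jdoe")
                .claim("name", "J Doe")
                .build();
    }

    /**
     * Signs a token with the given EC key; the header carries only {@code typ}, {@code alg} and {@code kid}.
     *
     * @param signingKey EC key whose private half signs the token
     * @param kid value of the {@code kid} header
     * @param algorithm JWS algorithm to advertise and use
     * @param issuer value of the {@code iss} claim
     * @param audience value of the {@code aud} claim
     * @return the signed token
     * @throws JOSEException if signing fails
     */
    public static SignedJWT createECSignedJWT(final ECKey signingKey, final String kid, final JWSAlgorithm algorithm,
            final String issuer, final String audience) throws JOSEException {
        final JWSHeader header = new JWSHeader.Builder(algorithm).type(JOSEObjectType.JWT).keyID(kid).build();
        final SignedJWT jwt = new SignedJWT(header, buildStandardClaims(issuer, audience));
        jwt.sign(new ECDSASigner(signingKey.toECPrivateKey()));
        return jwt;
    }

    /**
     * MACs a token with a shared secret.
     *
     * @param secret shared secret handed to the MAC signer
     * @param kid value of the {@code kid} header, or null for no kid
     * @param algorithm HMAC JWS algorithm to advertise and use
     * @param issuer value of the {@code iss} claim
     * @param audience value of the {@code aud} claim
     * @return the MAC'ed token
     * @throws JOSEException if signing fails (e.g. the secret is too short for the algorithm)
     */
    public static SignedJWT createMACSignedJWT(final String secret, @Nullable final String kid, final JWSAlgorithm algorithm,
            final String issuer, final String audience) throws JOSEException {
        final JWSHeader header = new JWSHeader.Builder(algorithm).type(JOSEObjectType.JWT).keyID(kid).build();
        final SignedJWT jwt = new SignedJWT(header, buildStandardClaims(issuer, audience));
        jwt.sign(new MACSigner(secret));
        return jwt;
    }

    /**
     * Signs a token whose header additionally points at a JWK Set URL via {@code jku}.
     *
     * @param signingKey EC key whose private half signs the token
     * @param kid value of the {@code kid} header
     * @param jwkSetUrl value of the {@code jku} header
     * @param algorithm JWS algorithm to advertise and use
     * @param issuer value of the {@code iss} claim
     * @param audience value of the {@code aud} claim
     * @return the signed token
     * @throws JOSEException if signing fails
     * @throws URISyntaxException declared for parity with the original helper; not thrown here
     */
    protected static SignedJWT createECSignedJWTWithJKU(final ECKey signingKey, final String kid, final URI jwkSetUrl,
            final JWSAlgorithm algorithm, final String issuer, final String audience) throws JOSEException, URISyntaxException {
        final JWSHeader header = new JWSHeader.Builder(algorithm).type(JOSEObjectType.JWT).keyID(kid).jwkURL(jwkSetUrl).build();
        final SignedJWT jwt = new SignedJWT(header, buildStandardClaims(issuer, audience));
        jwt.sign(new ECDSASigner(signingKey.toECPrivateKey()));
        return jwt;
    }

    /**
     * Signs a token that embeds the signing key's public JWK in its {@code jwk} header.
     *
     * @param signingKey EC key whose private half signs and whose public half is embedded
     * @param kid value of the {@code kid} header
     * @param algorithm JWS algorithm to advertise and use
     * @param issuer value of the {@code iss} claim
     * @param audience value of the {@code aud} claim
     * @return the signed token
     * @throws JOSEException if signing fails
     */
    public static SignedJWT createECSignedJWTWithInlineJWK(final ECKey signingKey, final String kid, final JWSAlgorithm algorithm,
            final String issuer, final String audience) throws JOSEException {
        final JWSHeader header = new JWSHeader.Builder(algorithm).type(JOSEObjectType.JWT).keyID(kid).jwk(signingKey.toPublicJWK()).build();
        final SignedJWT jwt = new SignedJWT(header, buildStandardClaims(issuer, audience));
        jwt.sign(new ECDSASigner(signingKey.toECPrivateKey()));
        return jwt;
    }

    /**
     * Signs a token whose {@code jwk} header advertises one key while the signature is made with another,
     * so the inline key cannot verify it.
     *
     * @param advertisedKey key whose public JWK is embedded in the header
     * @param kid value of the {@code kid} header
     * @param algorithm JWS algorithm to advertise and use
     * @param actualSigningKey key whose private half actually signs
     * @param issuer value of the {@code iss} claim
     * @param audience value of the {@code aud} claim
     * @return the (mis)signed token
     * @throws JOSEException if signing fails
     */
    protected static SignedJWT createECSignedJWTWithDifferentInlineJWK(final ECKey advertisedKey, final String kid,
            final JWSAlgorithm algorithm, final ECKey actualSigningKey, final String issuer, final String audience) throws JOSEException {
        final JWSHeader header = new JWSHeader.Builder(algorithm).type(JOSEObjectType.JWT).keyID(kid).jwk(advertisedKey.toPublicJWK()).build();
        final SignedJWT jwt = new SignedJWT(header, buildStandardClaims(issuer, audience));
        jwt.sign(new ECDSASigner(actualSigningKey.toECPrivateKey()));
        return jwt;
    }
}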
