package net.shibboleth.oidc.security.impl;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.AESEncrypter;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.crypto.ECDHEncrypter;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.PasswordBasedEncrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.security.KeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.JWSAssemblyUtils;
import net.shibboleth.oidc.security.credential.BasicExpiringJWKCredential;
import net.shibboleth.oidc.security.credential.BasicJWKCredential;
import net.shibboleth.oidc.security.credential.JOSEObjectCredentialResolver;
import net.shibboleth.oidc.security.impl.support.TestCredentialHelper;
import net.shibboleth.oidc.security.jose.DecryptionParameters;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.core.config.InitializationException;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver;
import org.opensaml.security.crypto.KeySupport;
import org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/JWETokenDecrypterTest.class */
public class JWETokenDecrypterTest {
    // Decrypter under test; every test method assigns a fresh instance built from its own DecryptionParameters.
    private JWETokenDecrypter decrypter;
    // Fixture-only client secret (32 ASCII characters). The tests use it as the HS256 signing key and as the
    // source of the symmetric encryption key material; it must never be reused outside this test class.
    private static final String CLIENT_SECRET = "Xp2s5v8y/B?E(H+MbQeThWmYq3t6w9z$";

    /* loaded from: input_file:net/shibboleth/oidc/security/impl/JWETokenDecrypterTest$MockKeyAgreementCriteriaFilteringCredentialResolver.class */
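    /**
     * Test resolver that offers exactly one ECDH-ES+A256KW credential built from the EC JWK it was given.
     */
    private static class MockKeyAgreementCriteriaFilteringCredentialResolver extends AbstractCriteriaFilteringCredentialResolver implements JOSEObjectCredentialResolver {
        /** EC JWK whose private and public halves back the resolved credential. */
        private final ECKey key;

        public MockKeyAgreementCriteriaFilteringCredentialResolver(ECKey eCKey) {
            this.key = eCKey;
        }

        /**
         * Builds the single candidate credential. The criteria set is not consulted here.
         *
         * @param criteriaSet ignored by this mock
         * @return a one-element list holding the EC credential
         * @throws ResolverException declared by the overridden contract; not thrown by this mock
         */
        @Nonnull
        protected Iterable<Credential> resolveFromSource(@Nullable CriteriaSet criteriaSet) throws ResolverException {
            BasicJWKCredential credential = new BasicJWKCredential();
            credential.setAlgorithm(JWEAlgorithm.ECDH_ES_A256KW);
            String keyId = key.getKeyID();
            credential.getKeyNames().add(keyId);
            credential.setKid(keyId);
            try {
                credential.setPrivateKey(key.toPrivateKey());
                credential.setPublicKey(key.toPublicKey());
            } catch (JOSEException e) {
                // Attach the cause so a key-conversion failure is visible in the test report.
                Assert.fail("Unable to convert the EC JWK into JCA keys", e);
            }
            return CollectionSupport.listOf(credential);
        }
    }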

    /* loaded from: input_file:net/shibboleth/oidc/security/impl/JWETokenDecrypterTest$MockKeyWrapCriteriaFilteringCredentialResolver.class */
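    /**
     * Test resolver that offers one symmetric credential derived from the fixture client secret for the
     * configured JWE algorithm and content-encryption method.
     */
    private static class MockKeyWrapCriteriaFilteringCredentialResolver extends AbstractCriteriaFilteringCredentialResolver implements JOSEObjectCredentialResolver {
        /** JWE key-management algorithm passed to the credential helper. */
        private final JWEAlgorithm alg;
        /** Content-encryption method passed to the credential helper. */
        private final EncryptionMethod enc;

        public MockKeyWrapCriteriaFilteringCredentialResolver(JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod) {
            this.alg = jWEAlgorithm;
            this.enc = encryptionMethod;
        }

        /**
         * Builds the single candidate credential. The criteria set is not consulted here.
         *
         * @param criteriaSet ignored by this mock
         * @return a one-element list holding the client-secret credential
         * @throws ResolverException declared for the compiler; the preceding assertion failure fires first
         */
        @Nonnull
        protected Iterable<Credential> resolveFromSource(@Nullable CriteriaSet criteriaSet) throws ResolverException {
            try {
                return CollectionSupport.listOf(TestCredentialHelper.createClientSecretCredential(JWETokenDecrypterTest.CLIENT_SECRET).toEncryptionCredential(alg, enc));
            } catch (KeyException | JOSEException e) {
                // Attach the cause so a derivation failure is visible in the test report.
                Assert.fail("Unable to derive the client-secret encryption credential", e);
                throw new ResolverException(e);
            }
        }
    }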

    /* loaded from: input_file:net/shibboleth/oidc/security/impl/JWETokenDecrypterTest$MockRSACriteriaFilteringCredentialResolver.class */
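    /**
     * Test resolver that offers exactly one RSA-OAEP-256 credential built from the RSA JWK it was given.
     */
    private static class MockRSACriteriaFilteringCredentialResolver extends AbstractCriteriaFilteringCredentialResolver implements JOSEObjectCredentialResolver {
        /** RSA JWK whose private and public halves back the resolved credential. */
        private final RSAKey key;

        public MockRSACriteriaFilteringCredentialResolver(RSAKey rSAKey) {
            this.key = rSAKey;
        }

        /**
         * Builds the single candidate credential. The criteria set is not consulted here.
         *
         * @param criteriaSet ignored by this mock
         * @return a one-element list holding the RSA credential
         * @throws ResolverException declared by the overridden contract; not thrown by this mock
         */
        @Nonnull
        protected Iterable<Credential> resolveFromSource(@Nullable CriteriaSet criteriaSet) throws ResolverException {
            BasicJWKCredential credential = new BasicJWKCredential();
            credential.setAlgorithm(JWEAlgorithm.RSA_OAEP_256);
            String keyId = key.getKeyID();
            credential.getKeyNames().add(keyId);
            credential.setKid(keyId);
            try {
                credential.setPrivateKey(key.toPrivateKey());
                credential.setPublicKey(key.toPublicKey());
            } catch (JOSEException e) {
                // Attach the cause so a key-conversion failure is visible in the test report.
                Assert.fail("Unable to convert the RSA JWK into JCA keys", e);
            }
            return CollectionSupport.listOf(credential);
        }
    }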

    /* loaded from: input_file:net/shibboleth/oidc/security/impl/JWETokenDecrypterTest$MockRSAKeysCriteriaFilteringCredentialResolver.class */
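    /**
     * Test resolver that offers one RSA-OAEP-256 credential per RSA JWK it was given, in list order.
     */
    private static class MockRSAKeysCriteriaFilteringCredentialResolver extends AbstractCriteriaFilteringCredentialResolver implements JOSEObjectCredentialResolver {
        /** RSA JWKs to expose as candidate credentials. */
        private final List<RSAKey> keys;

        public MockRSAKeysCriteriaFilteringCredentialResolver(List<RSAKey> list) {
            this.keys = list;
        }

        /**
         * Builds one candidate credential per configured key. The criteria set is not consulted here.
         *
         * @param criteriaSet ignored by this mock
         * @return the credentials, one per key
         * @throws ResolverException declared by the overridden contract; not thrown by this mock
         */
        @Nonnull
        protected Iterable<Credential> resolveFromSource(@Nullable CriteriaSet criteriaSet) throws ResolverException {
            // Typed list instead of a raw ArrayList, so the compiler checks what is added.
            List<Credential> credentials = new ArrayList<>();
            for (RSAKey rsaKey : keys) {
                BasicJWKCredential credential = new BasicJWKCredential();
                credential.setAlgorithm(JWEAlgorithm.RSA_OAEP_256);
                credential.getKeyNames().add(rsaKey.getKeyID());
                credential.setKid(rsaKey.getKeyID());
                try {
                    credential.setPrivateKey(rsaKey.toPrivateKey());
                    credential.setPublicKey(rsaKey.toPublicKey());
                } catch (JOSEException e) {
                    // Attach the cause so a key-conversion failure is visible in the test report.
                    Assert.fail("Unable to convert an RSA JWK into JCA keys", e);
                }
                credentials.add(credential);
            }
            return credentials;
        }
    }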

    /**
     * Builds the fixture claims set: subject "jdoe", audience "test-client", expiring 120 seconds from now.
     *
     * @return the claims used as the payload of every test token
     */
    private JWTClaimsSet createClaims() {
        JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();
        claims.issuer("https://localhost:9918");
        claims.audience(List.of("test-client"));
        claims.subject("jdoe");
        claims.claim("nonce", "abadnonce");
        claims.claim("azp", "test-client");
        claims.claim("name", "jdoe");
        Instant expiry = Instant.now().plusSeconds(120L);
        claims.expirationTime(Date.from(expiry));
        return claims.build();
    }

    /**
     * Creates the inner token: the fixture claims signed with HS256 under the fixture client secret.
     *
     * @return the signed JWT that the tests wrap in a JWE
     * @throws KeyLengthException if the signer rejects the secret's length
     * @throws JOSEException if signing fails
     */
    private SignedJWT createdSignedJWT() throws KeyLengthException, JOSEException {
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256)
                .type(JOSEObjectType.JWT)
                .keyID("mock-key")
                .build();
        SignedJWT jwt = new SignedJWT(header, createClaims());
        jwt.sign(new MACSigner(CLIENT_SECRET));
        return jwt;
    }

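    /**
     * Initialises the global algorithm registry before each test and fails the test if that is not possible.
     */
    @BeforeMethod
    public void setup() {
        try {
            new GlobalAlgorithmRegistryInitializer().init();
        } catch (InitializationException e) {
            // Attach the cause so the reason for the failed initialisation shows up in the test report.
            Assert.fail("Unable to initialise the global algorithm registry", e);
        }
    }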

    /**
     * A PBES2-HS256+A128KW token is expected to be refused with a {@link DecryptionException}.
     */
    @Test(expectedExceptions = {DecryptionException.class})
    void testUnsupportedAlg() throws Exception {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.PBES2_HS256_A128KW, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("mock-key")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        // 8-byte salt and 1000 iterations are fixture values that only need to yield a well-formed token.
        byte[] password = CLIENT_SECRET.getBytes(StandardCharsets.UTF_8);
        jwe.encrypt(new PasswordBasedEncrypter(password, 8, 1000));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());
        // NOTE(review): no credential resolver is configured, so this test alone cannot tell an
        // unsupported-algorithm rejection from a missing-resolver failure - confirm against the decrypter.
        this.decrypter = new JWETokenDecrypter(new DecryptionParameters());
        this.decrypter.decrypt(token);
    }

    /**
     * An A256KW / A256GCM token is decrypted with a key-encryption credential derived from the client secret.
     */
    @Test
    void testDecryptionByKeyWrapping() throws Exception {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.A256KW, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("client_secret_credential")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        jwe.encrypt(new AESEncrypter(TestCredentialHelper.createClientSecretCredential(CLIENT_SECRET)
                .toEncryptionCredential(JWEAlgorithm.A256KW, EncryptionMethod.A256GCM)
                .getSecretKey()));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setKEKCredentialResolver(new JOSEObjectCredentialResolver() {
            @Nullable
            public Credential resolveSingle(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                try {
                    return TestCredentialHelper.createClientSecretCredential(JWETokenDecrypterTest.CLIENT_SECRET)
                            .toEncryptionCredential(JWEAlgorithm.A256KW, EncryptionMethod.A256GCM);
                } catch (KeyException | JOSEException e) {
                    Assert.fail();
                    return null;
                }
            }

            @Nonnull
            public Iterable<Credential> resolve(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                Credential single = resolveSingle(criteriaSet);
                if (single == null) {
                    return CollectionSupport.emptyList();
                }
                return CollectionSupport.singletonList(single);
            }
        });

        this.decrypter = new JWETokenDecrypter(params);
        JWT inner = this.decrypter.decrypt(token);
        // The token object itself must have moved to DECRYPTED and must yield the signed inner JWT.
        Assert.assertSame(token.getState(), JWEObject.State.DECRYPTED);
        Assert.assertTrue(inner instanceof SignedJWT);
        Assert.assertEquals(inner.getJWTClaimsSet().getSubject(), "jdoe");
    }

    /**
     * Same A256KW / A256GCM round trip as the key-wrapping test, with the credential supplied by the
     * criteria-filtering mock resolver.
     */
    @Test
    void testDecryptionByKeyWrapping_Using_EvaluableCriteriaFiltering() throws Exception {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.A256KW, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("client_secret_credential")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        jwe.encrypt(new AESEncrypter(TestCredentialHelper.createClientSecretCredential(CLIENT_SECRET)
                .toEncryptionCredential(JWEAlgorithm.A256KW, EncryptionMethod.A256GCM)
                .getSecretKey()));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setKEKCredentialResolver(
                new MockKeyWrapCriteriaFilteringCredentialResolver(JWEAlgorithm.A256KW, EncryptionMethod.A256GCM));

        this.decrypter = new JWETokenDecrypter(params);
        JWT inner = this.decrypter.decrypt(token);
        Assert.assertSame(token.getState(), JWEObject.State.DECRYPTED);
        Assert.assertTrue(inner instanceof SignedJWT);
        Assert.assertEquals(inner.getJWTClaimsSet().getSubject(), "jdoe");
    }

    /**
     * An A256KW token must be refused when the resolver can only offer an RSA key pair, which carries no
     * symmetric key for AES key unwrapping.
     */
    @Test(expectedExceptions = {DecryptionException.class})
    void testDecryptionByKeyWrapping_WrongCredentialType() throws Exception {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.A256KW, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("client_secret_credential")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        jwe.encrypt(new AESEncrypter(TestCredentialHelper.createClientSecretCredential(CLIENT_SECRET)
                .toEncryptionCredential(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                .getSecretKey()));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setKEKCredentialResolver(new JOSEObjectCredentialResolver() {
            @Nullable
            public Credential resolveSingle(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                try {
                    // Deliberately the wrong kind of credential for a symmetric key-wrap algorithm.
                    KeyPairGenerator rsaGenerator = KeyPairGenerator.getInstance("RSA");
                    rsaGenerator.initialize(2048);
                    KeyPair pair = rsaGenerator.generateKeyPair();
                    return new BasicCredential(pair.getPublic(), pair.getPrivate());
                } catch (NoSuchAlgorithmException e) {
                    Assert.fail();
                    return null;
                }
            }

            @Nonnull
            public Iterable<Credential> resolve(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                Credential single = resolveSingle(criteriaSet);
                if (single == null) {
                    return CollectionSupport.emptyList();
                }
                return CollectionSupport.singletonList(single);
            }
        });

        this.decrypter = new JWETokenDecrypter(params);
        this.decrypter.decrypt(token);
    }

    /**
     * A dir / A256GCM token is decrypted with a content-encryption credential derived from the client secret.
     */
    @Test
    void testDecryptionByDirectEncryption() throws Exception {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("mock-key")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        jwe.encrypt(new DirectEncrypter(TestCredentialHelper.createClientSecretCredential(CLIENT_SECRET)
                .toEncryptionCredential(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                .getSecretKey()));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setContentEncryptionKeyCredentialResolver(new JOSEObjectCredentialResolver() {
            @Nullable
            public Credential resolveSingle(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                try {
                    return TestCredentialHelper.createClientSecretCredential(JWETokenDecrypterTest.CLIENT_SECRET)
                            .toEncryptionCredential(JWEAlgorithm.DIR, EncryptionMethod.A256GCM);
                } catch (KeyException | JOSEException e) {
                    Assert.fail();
                    return null;
                }
            }

            @Nonnull
            public Iterable<Credential> resolve(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                Credential single = resolveSingle(criteriaSet);
                if (single == null) {
                    return CollectionSupport.emptyList();
                }
                return CollectionSupport.singletonList(single);
            }
        });

        this.decrypter = new JWETokenDecrypter(params);
        JWT inner = this.decrypter.decrypt(token);
        Assert.assertSame(token.getState(), JWEObject.State.DECRYPTED);
        Assert.assertTrue(inner instanceof SignedJWT);
        Assert.assertEquals(inner.getJWTClaimsSet().getSubject(), "jdoe");
    }

    /**
     * A dir / A256GCM token must be refused when the resolved credential has the right key id but no
     * secret key was ever set on it.
     */
    @Test(expectedExceptions = {DecryptionException.class})
    void testDecryptionByDirectEncryption_SecretKeyIsNull() throws Exception {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("mock-key")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        jwe.encrypt(new DirectEncrypter(TestCredentialHelper.createClientSecretCredential(CLIENT_SECRET)
                .toEncryptionCredential(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                .getSecretKey()));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setContentEncryptionKeyCredentialResolver(new JOSEObjectCredentialResolver() {
            @Nullable
            public Credential resolveSingle(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                // Key names and usage are filled in, but no key material is attached.
                BasicExpiringJWKCredential keyless = new BasicExpiringJWKCredential();
                keyless.getKeyNames().add("mock-key");
                keyless.setKid("mock-key");
                keyless.setUsageType(UsageType.ENCRYPTION);
                return keyless;
            }

            @Nonnull
            public Iterable<Credential> resolve(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                Credential single = resolveSingle(criteriaSet);
                if (single == null) {
                    return CollectionSupport.emptyList();
                }
                return CollectionSupport.singletonList(single);
            }
        });

        this.decrypter = new JWETokenDecrypter(params);
        this.decrypter.decrypt(token);
    }

    /**
     * Same dir / A256GCM round trip as the direct-encryption test, with the credential supplied by the
     * criteria-filtering mock resolver.
     */
    @Test
    void testDecryptionByDirectEncryption_Using_EvaluableCriteriaFiltering() throws Exception {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("client_secret_credential")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        jwe.encrypt(new DirectEncrypter(TestCredentialHelper.createClientSecretCredential(CLIENT_SECRET)
                .toEncryptionCredential(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                .getSecretKey()));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setContentEncryptionKeyCredentialResolver(
                new MockKeyWrapCriteriaFilteringCredentialResolver(JWEAlgorithm.DIR, EncryptionMethod.A256GCM));

        this.decrypter = new JWETokenDecrypter(params);
        JWT inner = this.decrypter.decrypt(token);
        Assert.assertSame(token.getState(), JWEObject.State.DECRYPTED);
        Assert.assertTrue(inner instanceof SignedJWT);
        Assert.assertEquals(inner.getJWTClaimsSet().getSubject(), "jdoe");
    }

    /**
     * A dir / A256GCM token must stay undecrypted when the include list names only "A256GCM"; per the test
     * name, the header's key-management algorithm (dir) is thereby excluded.
     */
    @Test
    void testDecryptionByDirectEncryption_AlgorithmExcluded() throws Exception {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("mock-key")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        // The 32-byte fixture secret is used directly as the content-encryption key.
        jwe.encrypt(new DirectEncrypter(CLIENT_SECRET.getBytes(StandardCharsets.UTF_8)));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setContentEncryptionKeyCredentialResolver(new JOSEObjectCredentialResolver() {
            @Nullable
            public Credential resolveSingle(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                BasicJWKCredential matching = new BasicJWKCredential();
                matching.setAlgorithm(JWEAlgorithm.DIR);
                matching.getKeyNames().add("mock-key");
                matching.setKid("mock-key");
                try {
                    matching.setSecretKey(KeySupport.decodeSecretKey(
                            JWSAssemblyUtils.getSecretBytes(JWETokenDecrypterTest.CLIENT_SECRET), "AES"));
                    return matching;
                } catch (KeyException e) {
                    throw new ResolverException(e);
                }
            }

            @Nonnull
            public Iterable<Credential> resolve(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                Credential single = resolveSingle(criteriaSet);
                if (single == null) {
                    return CollectionSupport.emptyList();
                }
                return CollectionSupport.singletonList(single);
            }
        });
        params.setIncludedAlgorithms(List.of("A256GCM"));

        try {
            this.decrypter = new JWETokenDecrypter(params);
            this.decrypter.decrypt(token);
        } catch (DecryptionException expected) {
            // Tolerated but not required: only the token state below is asserted.
            // NOTE(review): a decrypter that silently did nothing would also pass; consider asserting
            // that the exception is thrown so the rejection of an excluded algorithm is pinned down.
        }
        Assert.assertSame(token.getState(), JWEObject.State.ENCRYPTED);
    }

    /**
     * A dir / A256GCM token must stay undecrypted when the only resolved credential is tagged for A128KW.
     */
    @Test
    void testDecryptionByDirectEncryption_NoSuitableKey() throws Exception {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("mock-key")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        jwe.encrypt(new DirectEncrypter(CLIENT_SECRET.getBytes(StandardCharsets.UTF_8)));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setContentEncryptionKeyCredentialResolver(new JOSEObjectCredentialResolver() {
            @Nullable
            public Credential resolveSingle(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                // Same key id and key bytes as the token, but labelled with a different algorithm.
                BasicJWKCredential mismatched = new BasicJWKCredential();
                mismatched.setAlgorithm(JWEAlgorithm.A128KW);
                mismatched.getKeyNames().add("mock-key");
                mismatched.setKid("mock-key");
                try {
                    mismatched.setSecretKey(KeySupport.decodeSecretKey(
                            JWSAssemblyUtils.getSecretBytes(JWETokenDecrypterTest.CLIENT_SECRET), "AES"));
                    return mismatched;
                } catch (KeyException e) {
                    throw new ResolverException(e);
                }
            }

            @Nonnull
            public Iterable<Credential> resolve(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                Credential single = resolveSingle(criteriaSet);
                if (single == null) {
                    return CollectionSupport.emptyList();
                }
                return CollectionSupport.singletonList(single);
            }
        });

        try {
            this.decrypter = new JWETokenDecrypter(params);
            this.decrypter.decrypt(token);
        } catch (DecryptionException expected) {
            // Tolerated but not required: only the token state below is asserted.
            // NOTE(review): a decrypter that silently did nothing would also pass; consider asserting
            // that the exception is thrown so the algorithm mismatch is proven to be rejected.
        }
        Assert.assertSame(token.getState(), JWEObject.State.ENCRYPTED);
    }

    /**
     * An A256KW / A256GCM token must stay undecrypted when the only resolved credential is tagged for A128KW.
     */
    @Test
    void testDecryptionByKeyWrapping_WrongAlgorithm() throws KeyLengthException, JOSEException, ParseException {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.A256KW, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("mock-key")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        jwe.encrypt(new AESEncrypter(CLIENT_SECRET.getBytes(StandardCharsets.UTF_8)));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setKEKCredentialResolver(new JOSEObjectCredentialResolver() {
            @Nullable
            public Credential resolveSingle(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                // Same key id and key bytes as the token, but labelled with a different key-wrap algorithm.
                BasicJWKCredential mismatched = new BasicJWKCredential();
                mismatched.setAlgorithm(JWEAlgorithm.A128KW);
                mismatched.getKeyNames().add("mock-key");
                mismatched.setKid("mock-key");
                try {
                    mismatched.setSecretKey(KeySupport.decodeSecretKey(
                            JWSAssemblyUtils.getSecretBytes(JWETokenDecrypterTest.CLIENT_SECRET), "AES"));
                    return mismatched;
                } catch (KeyException e) {
                    throw new ResolverException(e);
                }
            }

            @Nonnull
            public Iterable<Credential> resolve(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                Credential single = resolveSingle(criteriaSet);
                if (single == null) {
                    return CollectionSupport.emptyList();
                }
                return CollectionSupport.singletonList(single);
            }
        });

        this.decrypter = new JWETokenDecrypter(params);
        try {
            this.decrypter.decrypt(token);
        } catch (DecryptionException expected) {
            // Tolerated but not required: only the token state below is asserted.
            // NOTE(review): a decrypter that silently did nothing would also pass; consider asserting
            // that the exception is thrown so the algorithm mismatch is proven to be rejected.
        }
        Assert.assertSame(token.getState(), JWEObject.State.ENCRYPTED);
    }

    /**
     * An RSA-OAEP-256 / A256GCM token is decrypted with the private half of a freshly generated 2048-bit key.
     */
    @Test
    void testDecryptionByKeyEncryption() throws Exception {
        final RSAKey rsaKey = new RSAKeyGenerator(2048).keyID("1").keyUse(KeyUse.ENCRYPTION).generate();
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("1")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        RSAPublicKey recipientKey = (RSAPublicKey) rsaKey.toPublicKey();
        jwe.encrypt(new RSAEncrypter(recipientKey));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setKEKCredentialResolver(new JOSEObjectCredentialResolver() {
            @Nullable
            public Credential resolveSingle(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                BasicJWKCredential credential = new BasicJWKCredential();
                credential.setAlgorithm(JWEAlgorithm.RSA_OAEP_256);
                credential.getKeyNames().add(rsaKey.getKeyID());
                credential.setKid(rsaKey.getKeyID());
                try {
                    credential.setPrivateKey(rsaKey.toPrivateKey());
                    credential.setPublicKey(rsaKey.toPublicKey());
                } catch (JOSEException e) {
                    Assert.fail();
                }
                return credential;
            }

            @Nonnull
            public Iterable<Credential> resolve(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                Credential single = resolveSingle(criteriaSet);
                if (single == null) {
                    return CollectionSupport.emptyList();
                }
                return CollectionSupport.singletonList(single);
            }
        });

        this.decrypter = new JWETokenDecrypter(params);
        JWT inner = this.decrypter.decrypt(token);
        Assert.assertSame(token.getState(), JWEObject.State.DECRYPTED);
        Assert.assertTrue(inner instanceof SignedJWT);
        Assert.assertEquals(inner.getJWTClaimsSet().getSubject(), "jdoe");
    }

    /**
     * Same RSA-OAEP-256 / A256GCM round trip as the key-encryption test, with the credential supplied by
     * the criteria-filtering mock resolver.
     */
    @Test
    void testDecryptionByKeyEncryption_Using_EvaluableCriteriaFiltering() throws Exception {
        RSAKey rsaKey = new RSAKeyGenerator(2048).keyID("1").keyUse(KeyUse.ENCRYPTION).generate();
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("1")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        RSAPublicKey recipientKey = (RSAPublicKey) rsaKey.toPublicKey();
        jwe.encrypt(new RSAEncrypter(recipientKey));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setKEKCredentialResolver(new MockRSACriteriaFilteringCredentialResolver(rsaKey));

        this.decrypter = new JWETokenDecrypter(params);
        JWT inner = this.decrypter.decrypt(token);
        Assert.assertSame(token.getState(), JWEObject.State.DECRYPTED);
        Assert.assertTrue(inner instanceof SignedJWT);
        Assert.assertEquals(inner.getJWTClaimsSet().getSubject(), "jdoe");
    }

    /**
     * The JWE header carries no kid and the token is encrypted to key "2", while the resolver offers keys
     * "1" and "2"; decryption must still succeed.
     */
    @Test
    void testDecryptionByKeyEncryption_TwoRSAKeysInCredentialSet_NoKeyIdInJOSEHeader() throws Exception {
        RSAKey firstKey = new RSAKeyGenerator(2048).keyID("1").keyUse(KeyUse.ENCRYPTION).generate();
        RSAKey secondKey = new RSAKeyGenerator(2048).keyID("2").keyUse(KeyUse.ENCRYPTION).generate();
        // No keyID on the header: the decrypter gets no hint about which candidate to use.
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        RSAPublicKey recipientKey = (RSAPublicKey) secondKey.toPublicKey();
        jwe.encrypt(new RSAEncrypter(recipientKey));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setKEKCredentialResolver(
                new MockRSAKeysCriteriaFilteringCredentialResolver(List.of(firstKey, secondKey)));

        this.decrypter = new JWETokenDecrypter(params);
        JWT inner = this.decrypter.decrypt(token);
        Assert.assertSame(token.getState(), JWEObject.State.DECRYPTED);
        Assert.assertTrue(inner instanceof SignedJWT);
        Assert.assertEquals(inner.getJWTClaimsSet().getSubject(), "jdoe");
    }

    /**
     * The JWE header names kid "2" and the token is encrypted to key "2", while the resolver offers keys
     * "1" and "2"; decryption must succeed.
     */
    @Test
    void testDecryptionByKeyEncryption_TwoRSAKeysInCredentialSet_FilteredOnKeyId() throws Exception {
        RSAKey firstKey = new RSAKeyGenerator(2048).keyID("1").keyUse(KeyUse.ENCRYPTION).generate();
        RSAKey secondKey = new RSAKeyGenerator(2048).keyID("2").keyUse(KeyUse.ENCRYPTION).generate();
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("2")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        RSAPublicKey recipientKey = (RSAPublicKey) secondKey.toPublicKey();
        jwe.encrypt(new RSAEncrypter(recipientKey));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setKEKCredentialResolver(
                new MockRSAKeysCriteriaFilteringCredentialResolver(List.of(firstKey, secondKey)));

        this.decrypter = new JWETokenDecrypter(params);
        JWT inner = this.decrypter.decrypt(token);
        Assert.assertSame(token.getState(), JWEObject.State.DECRYPTED);
        Assert.assertTrue(inner instanceof SignedJWT);
        Assert.assertEquals(inner.getJWTClaimsSet().getSubject(), "jdoe");
    }

    /**
     * An ECDH-ES+A256KW / A256GCM token is decrypted with the private half of a freshly generated P-256 key.
     */
    @Test
    void testDecryptionByKeyAgreement() throws Exception {
        final ECKey ecKey = new ECKeyGenerator(Curve.P_256).keyUse(KeyUse.ENCRYPTION).keyID("1").generate();
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES_A256KW, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("1")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        jwe.encrypt(new ECDHEncrypter(ecKey.toECPublicKey()));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setKEKCredentialResolver(new JOSEObjectCredentialResolver() {
            @Nullable
            public Credential resolveSingle(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                BasicJWKCredential credential = new BasicJWKCredential();
                credential.setAlgorithm(JWEAlgorithm.ECDH_ES_A256KW);
                credential.getKeyNames().add(ecKey.getKeyID());
                credential.setKid(ecKey.getKeyID());
                try {
                    credential.setPrivateKey(ecKey.toPrivateKey());
                    credential.setPublicKey(ecKey.toPublicKey());
                } catch (JOSEException e) {
                    Assert.fail();
                }
                return credential;
            }

            @Nonnull
            public Iterable<Credential> resolve(@Nullable CriteriaSet criteriaSet) throws ResolverException {
                Credential single = resolveSingle(criteriaSet);
                if (single == null) {
                    return CollectionSupport.emptyList();
                }
                return CollectionSupport.singletonList(single);
            }
        });

        this.decrypter = new JWETokenDecrypter(params);
        JWT inner = this.decrypter.decrypt(token);
        Assert.assertSame(token.getState(), JWEObject.State.DECRYPTED);
        Assert.assertTrue(inner instanceof SignedJWT);
        Assert.assertEquals(inner.getJWTClaimsSet().getSubject(), "jdoe");
    }

    /**
     * Same ECDH-ES+A256KW / A256GCM round trip as the key-agreement test, with the credential supplied by
     * the criteria-filtering mock resolver.
     */
    @Test
    void testDecryptionByKeyAgreement_Using_EvaluableCriteriaFiltering() throws Exception {
        ECKey ecKey = new ECKeyGenerator(Curve.P_256).keyUse(KeyUse.ENCRYPTION).keyID("1").generate();
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES_A256KW, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .keyID("1")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        jwe.encrypt(new ECDHEncrypter(ecKey.toECPublicKey()));
        EncryptedJWT token = EncryptedJWT.parse(jwe.serialize());

        DecryptionParameters params = new DecryptionParameters();
        params.setKEKCredentialResolver(new MockKeyAgreementCriteriaFilteringCredentialResolver(ecKey));

        this.decrypter = new JWETokenDecrypter(params);
        JWT inner = this.decrypter.decrypt(token);
        Assert.assertSame(token.getState(), JWEObject.State.DECRYPTED);
        Assert.assertTrue(inner instanceof SignedJWT);
        Assert.assertEquals(inner.getJWTClaimsSet().getSubject(), "jdoe");
    }
}
