package net.shibboleth.oidc.security.jose.impl;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import java.security.Key;
import java.security.PrivateKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.function.Predicate;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.SecretKey;
import net.shibboleth.oidc.security.CredentialConversionUtil;
import net.shibboleth.oidc.security.credential.JWACredentialSupport;
import net.shibboleth.oidc.security.jose.SignatureSigningConfiguration;
import net.shibboleth.oidc.security.jose.SignatureSigningParameters;
import net.shibboleth.oidc.security.jose.SignatureSigningParametersResolver;
import net.shibboleth.oidc.security.jose.criterion.SignatureSigningConfigurationCriterion;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.PredicateSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.algorithm.AlgorithmDescriptor;
import org.opensaml.xmlsec.algorithm.AlgorithmRegistry;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver;
import org.opensaml.xmlsec.impl.AlgorithmRuntimeSupportedPredicate;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/oidc/security/jose/impl/BasicSignatureSigningParametersResolver.class */
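/**
 * Basic {@link SignatureSigningParametersResolver} that selects a signing {@link Credential} and a JWS
 * algorithm identifier from the {@link SignatureSigningConfiguration}s carried by a
 * {@link SignatureSigningConfigurationCriterion}.
 *
 * <p>Resolution walks the effective algorithm list in configured order and, for each algorithm, the
 * effective credential list in configured order; the first (algorithm, credential) pair that passes
 * {@link #credentialSupportsSigningAlgorithm(Credential, String)} is used. Algorithms are first filtered by
 * runtime support in the {@link AlgorithmRegistry} and by the include/exclude predicate derived from the
 * configurations.</p>
 */
public class BasicSignatureSigningParametersResolver
        extends AbstractSecurityParametersResolver<SignatureSigningParameters>
        implements SignatureSigningParametersResolver {

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(BasicSignatureSigningParametersResolver.class);

    /**
     * Registry used to look up algorithm descriptors (runtime support and minimum key length). When null the
     * global registry is used.
     */
    @Nullable private AlgorithmRegistry algorithmRegistry = AlgorithmSupport.getGlobalAlgorithmRegistry();

    /**
     * Get the algorithm registry in use.
     *
     * @return the explicitly configured registry, or the global registry if none was configured
     */
    @Nonnull public AlgorithmRegistry getAlgorithmRegistry() {
        final AlgorithmRegistry registry = algorithmRegistry;
        if (registry == null) {
            return AlgorithmSupport.ensureGlobalAlgorithmRegistry();
        }
        return registry;
    }

    /**
     * Set the algorithm registry to use.
     *
     * @param registry the registry, may not be null
     */
    public void setAlgorithmRegistry(@Nonnull final AlgorithmRegistry registry) {
        algorithmRegistry = Constraint.isNotNull(registry, "AlgorithmRegistry was null");
    }

    /**
     * Resolve at most one set of parameters.
     *
     * @param criteriaSet the criteria, must contain a {@link SignatureSigningConfigurationCriterion}
     *
     * @return a single-element list, or an empty list when no compatible credential/algorithm was found
     *
     * @throws ResolverException if the required criterion is missing
     */
    @Nonnull public Iterable<SignatureSigningParameters> resolve(@Nullable final CriteriaSet criteriaSet)
            throws ResolverException {
        final SignatureSigningParameters params = resolveSingle(criteriaSet);
        if (params == null) {
            return CollectionSupport.emptyList();
        }
        return CollectionSupport.singletonList(params);
    }

    /**
     * Resolve the signing parameters.
     *
     * @param criteriaSet the criteria, must contain a {@link SignatureSigningConfigurationCriterion}
     *
     * @return the resolved parameters, or null if no credential or no algorithm could be selected
     *
     * @throws ResolverException if the criteria set is null or lacks the required criterion
     */
    @Nullable public SignatureSigningParameters resolveSingle(@Nullable final CriteriaSet criteriaSet)
            throws ResolverException {
        final SignatureSigningConfigurationCriterion criterion =
                criteriaSet != null ? criteriaSet.get(SignatureSigningConfigurationCriterion.class) : null;
        if (criteriaSet == null || criterion == null) {
            throw new ResolverException("Resolver requires an instance of SignatureSigningConfigurationCriterion");
        }

        final Predicate<String> includeExcludePredicate = getIncludeExcludePredicate(criteriaSet);
        final SignatureSigningParameters params = new SignatureSigningParameters();
        resolveAndPopulateCredentialAndSignatureAlgorithm(params, criteriaSet, includeExcludePredicate);

        if (!validate(params)) {
            return null;
        }
        logResult(params);
        return params;
    }

    /**
     * Log the resolved parameters at debug level. Only the key algorithm and the kid of the selected
     * credential are logged, never key material.
     *
     * @param params the resolved parameters
     */
    protected void logResult(@Nonnull final SignatureSigningParameters params) {
        if (!log.isDebugEnabled()) {
            return;
        }
        log.debug("Resolved SignatureSigningParameters:");
        final Credential credential = params.getSigningCredential();
        final Key signingKey = credential != null ? CredentialSupport.extractSigningKey(credential) : null;
        if (signingKey != null) {
            log.debug("\tSigning credential '{}' with key algorithm: {}",
                    CredentialConversionUtil.resolveKid(credential), signingKey.getAlgorithm());
        } else {
            log.debug("\tSigning credential: null");
        }
        log.debug("\tSignature algorithm URI: {}", params.getSignatureAlgorithm());
    }

    /**
     * Check that both a signing credential and a signature algorithm were resolved.
     *
     * @param params the parameters to validate
     *
     * @return true iff both the credential and the algorithm are non-null
     */
    protected boolean validate(@Nonnull final SignatureSigningParameters params) {
        if (params.getSigningCredential() == null) {
            log.warn("Validation failure: Unable to resolve signing credential");
            return false;
        }
        if (params.getSignatureAlgorithm() == null) {
            log.warn("Validation failure: Unable to resolve signing algorithm URI");
            return false;
        }
        return true;
    }

    /**
     * Build the include/exclude predicate from the configurations in the criterion.
     *
     * @param criteriaSet the criteria, which must contain a {@link SignatureSigningConfigurationCriterion}
     *
     * @return the predicate applied to candidate algorithm identifiers
     */
    @Nonnull protected Predicate<String> getIncludeExcludePredicate(@Nonnull final CriteriaSet criteriaSet) {
        final SignatureSigningConfigurationCriterion criterion =
                criteriaSet.get(SignatureSigningConfigurationCriterion.class);
        assert criterion != null;
        return resolveIncludeExcludePredicate(criteriaSet, criterion.getConfigurations());
    }

    /**
     * Resolve the effective credentials and algorithms and populate the first compatible pair.
     *
     * @param params the parameters instance to populate
     * @param criteriaSet the criteria
     * @param includeExcludePredicate the include/exclude predicate for algorithm identifiers
     */
    protected void resolveAndPopulateCredentialAndSignatureAlgorithm(
            @Nonnull final SignatureSigningParameters params, @Nonnull final CriteriaSet criteriaSet,
            @Nonnull final Predicate<String> includeExcludePredicate) {
        final List<Credential> credentials = getEffectiveSigningCredentials(criteriaSet);
        final List<String> algorithms = getEffectiveSignatureAlgorithms(criteriaSet, includeExcludePredicate);
        log.trace("Resolved effective signature algorithms: {}", algorithms);
        findCompatibleAlgorithmAndCredential(algorithms, credentials, params);
    }

    /**
     * Find the first compatible (algorithm, credential) pair and store it in the parameters.
     *
     * <p>Algorithms are the outer loop, so the order of the algorithm list expresses preference: the first
     * algorithm that any credential supports wins, and within that algorithm the first supporting credential
     * wins. If nothing matches the parameters are left untouched.</p>
     *
     * @param algorithms candidate algorithm identifiers, in order of preference
     * @param credentials candidate signing credentials, in order of preference
     * @param params the parameters instance to populate
     */
    public void findCompatibleAlgorithmAndCredential(@Nonnull final List<String> algorithms,
            @Nonnull final List<Credential> credentials, @Nonnull final SignatureSigningParameters params) {
        for (final String algorithm : algorithms) {
            assert algorithm != null;
            for (final Credential credential : credentials) {
                assert credential != null;
                if (log.isTraceEnabled()) {
                    final Key signingKey = CredentialSupport.extractSigningKey(credential);
                    log.trace("Evaluating signing credential '{}' of type '{}' against algorithm: {}",
                            CredentialConversionUtil.resolveKid(credential),
                            signingKey != null ? signingKey.getAlgorithm() : "n/a", algorithm);
                }
                if (credentialSupportsSigningAlgorithm(credential, algorithm)) {
                    if (log.isTraceEnabled()) {
                        log.trace("Credential '{}' passed eval against algorithm: {}",
                                CredentialConversionUtil.resolveKid(credential), algorithm);
                    }
                    params.setSigningCredential(credential);
                    params.setSignatureAlgorithm(algorithm);
                    return;
                }
                if (log.isTraceEnabled()) {
                    log.trace("Credential '{}' failed eval against algorithm: {}",
                            CredentialConversionUtil.resolveKid(credential), algorithm);
                }
            }
        }
    }

    /**
     * Get the predicate that filters algorithm identifiers by runtime support in the registry.
     *
     * @return the runtime-support predicate
     */
    @Nonnull protected Predicate<String> getAlgorithmRuntimeSupportedPredicate() {
        return new AlgorithmRuntimeSupportedPredicate(getAlgorithmRegistry());
    }

    /**
     * Decide whether a credential can sign with the given JWS algorithm.
     *
     * <p>The key type must match the algorithm family: an HMAC algorithm needs a secret key of sufficient
     * length, an RSA (RS*/PS*) algorithm needs an {@link RSAPrivateKey}, and an EC algorithm needs an
     * {@link ECPrivateKey} on the curve the algorithm requires. Anything else, including the "none"
     * algorithm, which belongs to no family, is rejected. When the registry has a descriptor for the
     * algorithm, the key algorithm and minimum key length from that descriptor are additionally enforced.</p>
     *
     * @param credential the candidate credential
     * @param algorithmURI the JWS algorithm identifier
     *
     * @return true iff the credential may be used with the algorithm
     */
    protected boolean credentialSupportsSigningAlgorithm(@Nonnull final Credential credential,
            @Nonnull @NotEmpty final String algorithmURI) {
        try {
            final JWSAlgorithm algorithm = JWSAlgorithm.parse(algorithmURI);
            assert algorithm != null;

            final Key signingKey = CredentialSupport.extractSigningKey(credential);
            if (signingKey == null) {
                return false;
            }

            final SecretKey secretKey = credential.getSecretKey();
            final PrivateKey privateKey = credential.getPrivateKey();

            // The JWS families are disjoint, so exactly one branch can apply; an algorithm in no family
            // (e.g. "none") leaves keyTypeMatches false.
            boolean keyTypeMatches = false;
            if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)) {
                keyTypeMatches = secretKey != null
                        && JWACredentialSupport.keyLengthSupportsMACAlgorithm(algorithm, secretKey);
            } else if (JWSAlgorithm.Family.RSA.contains(algorithm)) {
                keyTypeMatches = privateKey instanceof RSAPrivateKey;
            } else if (JWSAlgorithm.Family.EC.contains(algorithm)) {
                keyTypeMatches = privateKey instanceof ECPrivateKey
                        && JWACredentialSupport.keySupportsCurve((ECKey) privateKey, algorithm);
            }
            if (!keyTypeMatches) {
                return false;
            }

            final AlgorithmDescriptor descriptor = getAlgorithmRegistry().get(algorithmURI);
            if (descriptor == null) {
                // Without a descriptor no minimum key length can be enforced (e.g. a short RSA key is
                // accepted on key type alone); make that visible rather than silently passing.
                log.debug("No AlgorithmDescriptor registered for '{}', skipping key algorithm/length check "
                        + "for credential '{}'", algorithmURI, CredentialConversionUtil.resolveKid(credential));
                return true;
            }
            return AlgorithmSupport.checkKeyAlgorithmAndLength(signingKey, descriptor);
        } catch (final JOSEException e) {
            // Either the MAC or the EC support check may throw; the credential is treated as unusable.
            log.debug("Algorithm '{}' and credential '{}' threw an error while checking for compatibility, "
                    + "credential can not be used", algorithmURI, CredentialConversionUtil.resolveKid(credential), e);
            return false;
        }
    }

    /**
     * Collect the signing credentials of every configuration in the criterion, in configuration order.
     *
     * @param criteriaSet the criteria, which must contain a {@link SignatureSigningConfigurationCriterion}
     *
     * @return the concatenated credential list, possibly empty
     */
    @Nonnull public List<Credential> getEffectiveSigningCredentials(@Nonnull final CriteriaSet criteriaSet) {
        final SignatureSigningConfigurationCriterion criterion =
                criteriaSet.get(SignatureSigningConfigurationCriterion.class);
        assert criterion != null;

        final List<Credential> credentials = new ArrayList<>();
        for (final SignatureSigningConfiguration config : criterion.getConfigurations()) {
            credentials.addAll(config.getSigningCredentials());
        }
        return credentials;
    }

    /**
     * Collect the signature algorithms of every configuration in the criterion, in configuration order,
     * keeping only those supported at runtime by the registry and accepted by the include/exclude predicate.
     *
     * @param criteriaSet the criteria, which must contain a {@link SignatureSigningConfigurationCriterion}
     * @param includeExcludePredicate the include/exclude predicate for algorithm identifiers
     *
     * @return the filtered algorithm list, possibly empty
     */
    @Nonnull public List<String> getEffectiveSignatureAlgorithms(@Nonnull final CriteriaSet criteriaSet,
            @Nonnull final Predicate<String> includeExcludePredicate) {
        final SignatureSigningConfigurationCriterion criterion =
                criteriaSet.get(SignatureSigningConfigurationCriterion.class);
        assert criterion != null;

        // Loop-invariant: the combined filter is the same for every configuration.
        final Predicate<String> accepted =
                PredicateSupport.and(getAlgorithmRuntimeSupportedPredicate(), includeExcludePredicate);

        final List<String> algorithms = new ArrayList<>();
        for (final SignatureSigningConfiguration config : criterion.getConfigurations()) {
            for (final String algorithm : config.getSignatureAlgorithms()) {
                if (accepted.test(algorithm)) {
                    algorithms.add(algorithm);
                }
            }
        }
        return algorithms;
    }

}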
