package net.shibboleth.oidc.security.credential.impl;

import com.nimbusds.jose.Header;
import com.nimbusds.jose.JOSEObject;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSHeader;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.credential.JOSEObjectCredentialResolver;
import net.shibboleth.shared.annotation.ParameterName;
import net.shibboleth.shared.annotation.constraint.Live;
import net.shibboleth.shared.annotation.constraint.NonnullElements;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialResolver;
import org.opensaml.security.criteria.PublicKeyCriterion;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/oidc/security/credential/impl/LocalJOSEObjectCredentialResolver.class */
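/**
 * JOSE object credential resolver that narrows the credentials found by the parent resolver to
 * "local" ones, i.e. credentials that carry a private key or a secret key (see
 * {@link #isLocalCredential(Credential)}).
 *
 * <p>Input credentials that are not local are mapped to local credentials by querying the
 * configured local resolver with their public key and, when the JOSE header carries one, the
 * {@code kid} value.</p>
 */
public class LocalJOSEObjectCredentialResolver extends BasicJOSEObjectCredentialResolver {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(LocalJOSEObjectCredentialResolver.class);

    /** Resolver queried for local (private-key or secret-key bearing) credentials. */
    @Nonnull
    private final JOSEObjectCredentialResolver localCredResolver;

    /**
     * Constructor.
     *
     * @param jOSEObjectCredentialResolver resolver of local credentials; must not be null
     */
    public LocalJOSEObjectCredentialResolver(@ParameterName(name = "localCredentialResolver") @Nonnull JOSEObjectCredentialResolver jOSEObjectCredentialResolver) {
        this.localCredResolver = Constraint.isNotNull(jOSEObjectCredentialResolver, "Local credential resolver cannot be null");
    }

    /**
     * Get the resolver used to look up local credentials.
     *
     * @return the local credential resolver supplied at construction
     */
    @Nonnull
    public CredentialResolver getLocalCredentialResolver() {
        return this.localCredResolver;
    }

    /**
     * Replace the content of {@code list} with local credentials only.
     *
     * <p>Each non-null input credential is either kept (when it is already local) or used to look
     * up matching local credentials by public key and optional {@code kid}. If nothing was kept or
     * matched, the local resolver is queried with the optional {@code kid} criterion alone.</p>
     *
     * @param criteriaSet the original criteria; not consulted by this implementation
     * @param jOSEObject the JOSE object whose header may supply a {@code kid}
     * @param list the credentials resolved so far; cleared and refilled in place
     * @throws ResolverException if the local credential resolver fails
     */
    @Override
    protected void postProcess(@Nullable CriteriaSet criteriaSet, @Nonnull JOSEObject jOSEObject, @Nonnull List<Credential> list) throws ResolverException {
        final List<Credential> localCredentials = new ArrayList<>();
        // NOTE(review): the 'kid' is read straight from the JOSE header. Presumably this runs
        // before the object has been verified or decrypted, so the value is a sender-supplied
        // selection hint and it also ends up in the trace log -- confirm against the caller.
        final String keyId = resolveKeyIdFromJoseHeader(jOSEObject.getHeader());

        for (final Credential credential : list) {
            if (credential == null) {
                continue;
            }
            if (isLocalCredential(credential)) {
                this.log.debug("Input credential was local, including in results");
                localCredentials.add(credential);
                continue;
            }
            final PublicKey publicKey = credential.getPublicKey();
            if (publicKey == null) {
                // Nothing to match a local key pair against.
                continue;
            }
            final CriteriaSet publicKeyCriteria = new CriteriaSet();
            publicKeyCriteria.add(new PublicKeyCriterion(publicKey));
            addKeyIdCriterion(publicKeyCriteria, keyId);
            final List<Credential> matched = resolveLocalCredentialsByCriteria(publicKeyCriteria);
            this.log.trace("Matched {} local credential(s) from {} input credential(s) on 'public key' and optionally 'kid' criterion", matched.size(), list.size());
            localCredentials.addAll(matched);
        }

        if (localCredentials.isEmpty()) {
            // Fallback: no input credential was local or matched a local one. When the header has
            // no 'kid' the criteria set below is empty; what the local resolver returns for an
            // empty criteria set is not visible here -- presumably every local credential.
            final CriteriaSet fallbackCriteria = new CriteriaSet();
            addKeyIdCriterion(fallbackCriteria, keyId);
            final List<Credential> found = resolveLocalCredentialsByCriteria(fallbackCriteria);
            this.log.trace("Found {} local credential(s)", found.size());
            localCredentials.addAll(found);
        }

        list.clear();
        list.addAll(localCredentials);
    }

    /**
     * Add a {@code kid} criterion to the given criteria set when a key identifier is available.
     *
     * @param criteria the criteria set to extend
     * @param keyId the key identifier from the JOSE header, or null if there is none
     */
    private void addKeyIdCriterion(@Nonnull CriteriaSet criteria, @Nullable String keyId) {
        if (keyId != null) {
            this.log.trace("Adding 'kid' value '{}' to credential resolver", keyId);
            criteria.add(new EvaluableKeyIDCredentialCriterion(keyId));
        }
    }

    /**
     * Query the local credential resolver and keep only results that are local credentials.
     *
     * @param criteriaSet the criteria passed to the local resolver
     * @return a new mutable list of the non-null, local credentials that were resolved
     * @throws ResolverException if the local credential resolver fails
     */
    @Nonnull
    @Live
    @NonnullElements
    private List<Credential> resolveLocalCredentialsByCriteria(CriteriaSet criteriaSet) throws ResolverException {
        final List<Credential> localCredentials = new ArrayList<>();
        for (final Credential credential : getLocalCredentialResolver().resolve(criteriaSet)) {
            // Filter again: the configured resolver is not guaranteed here to return only
            // credentials that hold private or secret key material.
            if (credential != null && isLocalCredential(credential)) {
                localCredentials.add(credential);
            }
        }
        return localCredentials;
    }

    /**
     * Read the {@code kid} from a JWE or JWS header.
     *
     * @param header the JOSE header, possibly null
     * @return the key identifier, or null if the header is null, is neither a JWE nor a JWS
     *         header, or carries no key identifier
     */
    @Nullable
    private String resolveKeyIdFromJoseHeader(@Nullable Header header) {
        if (header instanceof JWEHeader) {
            return ((JWEHeader) header).getKeyID();
        }
        if (header instanceof JWSHeader) {
            return ((JWSHeader) header).getKeyID();
        }
        return null;
    }

    /**
     * Decide whether a credential is local, i.e. holds a private key or a secret key.
     *
     * @param credential the credential to test
     * @return true if the credential has a private key or a secret key
     */
    protected boolean isLocalCredential(@Nonnull Credential credential) {
        return credential.getPrivateKey() != null || credential.getSecretKey() != null;
    }
}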
