package net.shibboleth.oidc.security.impl;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.PrivateKey;
import java.security.interfaces.ECPrivateKey;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.SecretKey;
import net.shibboleth.oidc.security.CredentialConversionUtil;
import net.shibboleth.oidc.security.credential.JWKCredential;
import net.shibboleth.oidc.security.jose.SignatureException;
import net.shibboleth.oidc.security.jose.SignatureSigningParameters;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.security.credential.Credential;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/JWSTokenSigner.class */
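public class JWSTokenSigner {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(JWSTokenSigner.class);

    /** Signing credential and algorithm name, fixed at construction. */
    @Nonnull
    private final SignatureSigningParameters params;

    /**
     * Constructor.
     *
     * @param signatureSigningParameters parameters carrying the signing credential and the
     *            JWS algorithm name; rejected by {@link Constraint#isNotNull} when null
     */
    public JWSTokenSigner(@Nonnull final SignatureSigningParameters signatureSigningParameters) {
        params = Constraint.isNotNull(signatureSigningParameters, "Signing params can not be null");
    }

    /**
     * Signs a claims set as a JWS-protected JWT.
     *
     * <p>The protected header is built from the configured algorithm, the key id resolved from
     * the signing credential, and the optional {@code typ} value. The signer is chosen by
     * {@link #getSigner(Algorithm, Credential)}, which only accepts a credential whose key
     * type matches the algorithm family, so a configured algorithm cannot be applied to the
     * wrong kind of key.</p>
     *
     * @param jWTClaimsSet claims to sign
     * @param str value for the header {@code typ} parameter, or null to omit it
     *
     * @return the signed JWT
     *
     * @throws SignatureException if no credential or algorithm is configured, if the signing
     *             library reports a failure (wrapped {@link JOSEException}), or if the resulting
     *             object is not in the signed state
     */
    @Nonnull
    public SignedJWT sign(@Nonnull final JWTClaimsSet jWTClaimsSet, @Nullable final String str)
            throws SignatureException {
        // These checks throw SignatureException, which the catch below does not intercept,
        // so they can sit outside the try without changing what the caller sees.
        final Credential signingCredential = params.getSigningCredential();
        if (signingCredential == null) {
            throw new SignatureException("Signature signinig credential is not available");
        }
        final String algorithmName = params.getSignatureAlgorithm();
        if (algorithmName == null) {
            throw new SignatureException("Signature signinig algorithm is not available");
        }

        try {
            final JWSAlgorithm algorithm = resolveAlgorithm(signingCredential, algorithmName);
            final JWSSigner signer = getSigner(algorithm, signingCredential);

            // Resolve the kid once: it is both placed in the header and logged.
            final String kid = CredentialConversionUtil.resolveKid(signingCredential);
            final JWSHeader.Builder headerBuilder = new JWSHeader.Builder(algorithm).keyID(kid);
            if (str != null) {
                headerBuilder.type(new JOSEObjectType(str));
            }

            final SignedJWT signedJWT = new SignedJWT(headerBuilder.build(), jWTClaimsSet);
            signedJWT.sign(signer);
            log.debug("Signed JWT using kid '{}'", kid);

            // Defensive: sign() should leave the object SIGNED; anything else is a hard failure.
            if (signedJWT.getState() != JWSObject.State.SIGNED) {
                throw new SignatureException("JWT was not signed, unknown cause");
            }
            return signedJWT;
        } catch (final JOSEException e) {
            throw new SignatureException(e.getMessage(), e);
        }
    }

    /**
     * Selects a Nimbus signer for the algorithm, checking that the credential actually
     * carries a key of the matching type.
     *
     * <ul>
     * <li>EC family: requires an {@link ECPrivateKey}.</li>
     * <li>RSA family: requires a private key whose JCA algorithm is {@code "RSA"}.</li>
     * <li>HMAC-SHA family: requires a secret key.</li>
     * </ul>
     *
     * @param algorithm the JWS algorithm to sign with
     * @param credential the credential supplying the key
     *
     * @return a signer bound to the credential's key
     *
     * @throws JOSEException if the algorithm is outside the three supported families, or the
     *             credential has no key of the type that family needs
     */
    @Nonnull
    protected JWSSigner getSigner(@Nonnull final Algorithm algorithm, @Nonnull final Credential credential)
            throws JOSEException {
        // The three families are disjoint, so at most one branch can match.
        if (JWSAlgorithm.Family.EC.contains(algorithm)) {
            final PrivateKey privateKey = credential.getPrivateKey();
            if (privateKey instanceof ECPrivateKey) {
                return new ECDSASigner((ECPrivateKey) privateKey);
            }
        } else if (JWSAlgorithm.Family.RSA.contains(algorithm)) {
            final PrivateKey privateKey = credential.getPrivateKey();
            if (privateKey != null && "RSA".equals(privateKey.getAlgorithm())) {
                return new RSASSASigner(privateKey);
            }
        } else if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)) {
            final SecretKey secretKey = credential.getSecretKey();
            if (secretKey != null) {
                return new MACSigner(secretKey);
            }
        }

        throw new JOSEException("Unsupported algorithm " + algorithm.getName() + " for key '"
                + CredentialConversionUtil.resolveKid(credential) + "'");
    }

    /**
     * Builds the {@link JWSAlgorithm} to sign with from the configured algorithm name.
     *
     * <p>The configured name always wins. When the credential is a {@link JWKCredential} whose
     * own algorithm differs, the difference is only logged at debug level; it is not treated as
     * an error here. Key-type compatibility with the chosen algorithm is enforced separately by
     * {@link #getSigner(Algorithm, Credential)}.</p>
     *
     * @param credential the signing credential
     * @param str the configured JWS algorithm name
     *
     * @return the algorithm named by {@code str}
     */
    @Nonnull
    protected JWSAlgorithm resolveAlgorithm(@Nonnull final Credential credential, @Nonnull final String str) {
        final JWSAlgorithm resolved = new JWSAlgorithm(str);

        if (credential instanceof JWKCredential) {
            final JWKCredential jwkCredential = (JWKCredential) credential;
            if (!resolved.equals(jwkCredential.getAlgorithm())) {
                log.debug("Signature signing algorithm {} differs from JWK algorithm '{}'", resolved.getName(),
                        jwkCredential.getAlgorithm() != null ? jwkCredential.getAlgorithm() : "not specified");
            }
        }

        log.trace("Algorithm resolved {}", resolved.getName());
        return resolved;
    }
}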
