package net.shibboleth.oidc.security.impl;

import com.google.common.base.Strings;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.AESDecrypter;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.ECDHDecrypter;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.text.ParseException;
import java.util.List;
import java.util.Objects;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.SecretKey;
import net.shibboleth.oidc.security.CredentialConversionUtil;
import net.shibboleth.oidc.security.credential.JWKCredential;
import net.shibboleth.oidc.security.credential.impl.DataEncryptionAlgorithmCriterion;
import net.shibboleth.oidc.security.credential.impl.EvaluableKeyIDCredentialCriterion;
import net.shibboleth.oidc.security.credential.impl.KeyManagmentAlgorithmCriterion;
import net.shibboleth.oidc.security.jose.DecryptionParameters;
import net.shibboleth.oidc.security.jose.criterion.JOSEObjectCriterion;
import net.shibboleth.oidc.security.jose.criterion.KeyIdCriterion;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.Criterion;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.KeyAlgorithmCriterion;
import org.opensaml.security.criteria.KeyLengthCriterion;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/JWETokenDecrypter.class */
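/**
 * Decrypts a JWE-wrapped JWT using credentials resolved through the configured {@link DecryptionParameters}.
 *
 * <p>The JOSE header of the incoming token is untrusted input. Its {@code alg} value selects the key management
 * mode (direct encryption, key encryption, key wrapping or key agreement) and, together with {@code enc} and
 * {@code kid}, drives credential resolution. Before any key material is exercised, both {@code alg} and
 * {@code enc} are checked against the include/exclude lists held by the parameters
 * (see {@link #validateAlgorithmURI(String)}) and the resolved credential is checked to carry a key of the type
 * the algorithm family requires, so the later casts/decrypter constructors never see a mismatched key.</p>
 *
 * <p>Each candidate credential is tried in turn; an individual failure is logged at debug level only and the
 * final exception carries a fixed, credential-independent message.</p>
 */
public class JWETokenDecrypter {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(JWETokenDecrypter.class);

    /** Resolvers, additional criteria and algorithm include/exclude lists used for decryption. */
    @Nonnull
    private final DecryptionParameters params;

    /**
     * Constructor.
     *
     * @param decryptionParameters the decryption parameters, never null
     */
    public JWETokenDecrypter(@Nonnull final DecryptionParameters decryptionParameters) {
        params = Constraint.isNotNull(decryptionParameters, "Decryption params can not be null");
    }

    /**
     * Decrypts the supplied JWE and parses the recovered payload as a JWT.
     *
     * <p>The key management mode is chosen from the {@code alg} header. A token whose algorithm family is not one
     * of DIR, RSA, AES key wrapping or ECDH-ES is rejected.</p>
     *
     * @param encryptedJWT the encrypted token, which is decrypted in place
     * @return the JWT parsed from the decrypted payload
     * @throws DecryptionException if the header is missing or unsupported, no credential could decrypt the token,
     *             the token is not in the DECRYPTED state afterwards, or the payload does not parse as a JWT
     */
    @Nonnull
    public JWT decrypt(@Nonnull final EncryptedJWT encryptedJWT) throws DecryptionException {
        if (encryptedJWT.getHeader() == null) {
            throw new DecryptionException("JWT headers are not available, decryption failed");
        }
        final JWEAlgorithm algorithm = encryptedJWT.getHeader().getAlgorithm();
        if (algorithm == null) {
            // Previously a missing 'alg' fell through to algorithm.getName() and surfaced as a NullPointerException.
            throw new DecryptionException("JWE algorithm ('alg') header is not available, decryption failed");
        }

        if (JWEAlgorithm.DIR.equals(algorithm)) {
            decryptUsingDirectEncryption(encryptedJWT);
        } else if (JWEAlgorithm.Family.RSA.contains(algorithm)) {
            decryptUsingKeyEncryption(encryptedJWT);
        } else if (JWEAlgorithm.Family.AES_GCM_KW.contains(algorithm) || JWEAlgorithm.Family.AES_KW.contains(algorithm)) {
            decryptUsingKeyWrapping(encryptedJWT);
        } else if (JWEAlgorithm.Family.ECDH_ES.contains(algorithm)) {
            decryptUsingKeyAgreement(encryptedJWT);
        } else {
            throw new DecryptionException("JWE algorithm '" + algorithm.getName() + "' not supported");
        }

        // The mode-specific methods return normally only after a decrypter succeeded; re-check the object state anyway.
        final Payload payload = encryptedJWT.getPayload();
        if (payload == null || encryptedJWT.getState() != JWEObject.State.DECRYPTED) {
            throw new DecryptionException("JWE failed to decrypt, no error given");
        }
        try {
            final JWT parsed = JWTParser.parse(payload.toString());
            assert parsed != null;
            return parsed;
        } catch (final ParseException e) {
            throw new DecryptionException("Error decrypting JWT", e);
        }
    }

    /**
     * Builds the criteria used to resolve a decryption credential for the token.
     *
     * <p>The set contains, in order: any additional criteria from the parameters, the caller-supplied criteria,
     * a key ID criterion when the header carries {@code kid}, key management and data encryption algorithm
     * criteria derived from {@code alg}/{@code enc}, and a criterion wrapping the JWE object itself.</p>
     *
     * @param encryptedJWT the token whose header supplies {@code kid}, {@code alg} and {@code enc}
     * @param extraCriteria caller-supplied criteria to include, may be null
     * @return the populated criteria set
     */
    @Nonnull
    private CriteriaSet buildCriteria(@Nonnull final EncryptedJWT encryptedJWT,
            @Nullable final List<Criterion> extraCriteria) {
        final CriteriaSet criteriaSet = new CriteriaSet();

        final CriteriaSet additional = params.getAdditionalCriteria();
        if (!additional.isEmpty()) {
            additional.forEach(criteriaSet::add);
        }
        if (extraCriteria != null) {
            extraCriteria.forEach(criteriaSet::add);
        }

        final String keyID = encryptedJWT.getHeader().getKeyID();
        if (keyID != null) {
            log.debug("Added keyID criteria: '{}'", keyID);
            criteriaSet.add(new EvaluableKeyIDCredentialCriterion(new KeyIdCriterion(keyID)));
        }

        final JWEAlgorithm algorithm = encryptedJWT.getHeader().getAlgorithm();
        if (algorithm != null) {
            final String algName = algorithm.getName();
            assert algName != null;
            criteriaSet.add(new KeyManagmentAlgorithmCriterion(algName));
        }

        final EncryptionMethod encryptionMethod = encryptedJWT.getHeader().getEncryptionMethod();
        if (encryptionMethod != null) {
            final String encName = encryptionMethod.getName();
            assert encName != null;
            criteriaSet.add(new DataEncryptionAlgorithmCriterion(encName));
        }

        criteriaSet.add(new JOSEObjectCriterion(encryptedJWT));
        return criteriaSet;
    }

    /**
     * Adds key algorithm and key length criteria derived from the {@code alg} header, if the algorithm registry
     * knows them.
     *
     * @param criteriaSet the set to add to
     * @param encryptedJWT the token supplying the {@code alg} header
     */
    private void buildKeyManagementAlgorithmCriteria(@Nonnull final CriteriaSet criteriaSet,
            @Nonnull final EncryptedJWT encryptedJWT) {
        final JWEAlgorithm algorithm = encryptedJWT.getHeader().getAlgorithm();
        if (algorithm == null) {
            return;
        }
        final String algorithmURI = StringSupport.trimOrNull(algorithm.getName());
        if (algorithmURI == null) {
            return;
        }

        final KeyAlgorithmCriterion keyAlgorithmCriterion = buildKeyAlgorithmCriteria(algorithmURI);
        if (keyAlgorithmCriterion != null) {
            criteriaSet.add(keyAlgorithmCriterion);
            log.debug("Added decryption key algorithm ('alg') criteria: {}", keyAlgorithmCriterion.getKeyAlgorithm());
        }

        final KeyLengthCriterion keyLengthCriterion = buildKeyLengthCriteria(algorithmURI);
        if (keyLengthCriterion != null) {
            criteriaSet.add(keyLengthCriterion);
            log.debug("Added decryption key length criteria from EncryptionMethod algorithm URI: {}",
                    keyLengthCriterion.getKeyLength());
        }
    }

    /**
     * Adds key algorithm and key length criteria derived from the {@code enc} header.
     *
     * <p>When the algorithm registry yields no key length, the content encryption key bit length reported by the
     * {@link EncryptionMethod} is used instead (if non-zero).</p>
     *
     * @param criteriaSet the set to add to
     * @param encryptedJWT the token supplying the {@code enc} header
     */
    private void buildContentEncryptionKeyAlgorithmCriteria(@Nonnull final CriteriaSet criteriaSet,
            @Nonnull final EncryptedJWT encryptedJWT) {
        final EncryptionMethod encryptionMethod = encryptedJWT.getHeader().getEncryptionMethod();
        if (encryptionMethod == null) {
            return;
        }
        final String algorithmURI = StringSupport.trimOrNull(encryptionMethod.getName());
        if (algorithmURI == null) {
            return;
        }

        final KeyAlgorithmCriterion keyAlgorithmCriterion = buildKeyAlgorithmCriteria(algorithmURI);
        if (keyAlgorithmCriterion != null) {
            criteriaSet.add(keyAlgorithmCriterion);
            log.debug("Added decryption key algorithm 'enc' criteria: {}", keyAlgorithmCriterion.getKeyAlgorithm());
        }

        final KeyLengthCriterion keyLengthCriterion = buildKeyLengthCriteria(algorithmURI);
        if (keyLengthCriterion != null) {
            criteriaSet.add(keyLengthCriterion);
            log.debug("Added decryption key length criteria from EncryptionMethod algorithm URI: {}",
                    keyLengthCriterion.getKeyLength());
        } else if (encryptionMethod.cekBitLength() != 0) {
            final KeyLengthCriterion cekLengthCriterion = new KeyLengthCriterion(encryptionMethod.cekBitLength());
            criteriaSet.add(cekLengthCriterion);
            log.debug("Added decryption key length criteria from EncryptionMethod/KeySize: {}",
                    cekLengthCriterion.getKeyLength());
        }
    }

    /**
     * Builds a key algorithm criterion for an algorithm URI via the algorithm registry.
     *
     * @param algorithmURI the algorithm URI, may be null or empty
     * @return the criterion, or null if the URI is empty or the registry has no key algorithm for it
     */
    @Nullable
    private KeyAlgorithmCriterion buildKeyAlgorithmCriteria(@Nullable final String algorithmURI) {
        if (Strings.isNullOrEmpty(algorithmURI)) {
            return null;
        }
        final String keyAlgorithm = AlgorithmSupport.getKeyAlgorithm(algorithmURI);
        if (Strings.isNullOrEmpty(keyAlgorithm)) {
            return null;
        }
        return new KeyAlgorithmCriterion(keyAlgorithm);
    }

    /**
     * Builds a key length criterion for an algorithm URI via the algorithm registry.
     *
     * @param algorithmURI the algorithm URI, may be null or empty
     * @return the criterion, or null if the URI is empty or the registry has no key length for it
     */
    @Nullable
    private KeyLengthCriterion buildKeyLengthCriteria(@Nullable final String algorithmURI) {
        if (Strings.isNullOrEmpty(algorithmURI)) {
            return null;
        }
        final Integer keyLength = AlgorithmSupport.getKeyLength(algorithmURI);
        return keyLength != null ? new KeyLengthCriterion(keyLength) : null;
    }

    /**
     * Decrypts a token in the ECDH-ES key agreement mode, trying each resolved KEK credential in turn.
     *
     * @param encryptedJWT the token to decrypt in place
     * @throws DecryptionException if no KEK resolver is configured or no credential decrypts the token
     */
    private void decryptUsingKeyAgreement(@Nonnull final EncryptedJWT encryptedJWT) throws DecryptionException {
        log.debug("Attempting decryption of JWE using Key Agreement managment mode");
        final CredentialResolver kekResolver = params.getKEKCredentialResolver();
        if (kekResolver == null) {
            throw new DecryptionException("Decryption can not be attempted, KEK resolver is not available");
        }

        final CriteriaSet criteriaSet = buildCriteria(encryptedJWT,
                CollectionSupport.singletonList(new UsageCriterion(UsageType.ENCRYPTION)));
        buildKeyManagementAlgorithmCriteria(criteriaSet, encryptedJWT);

        // The resolver loop belongs inside the try: the resolve() call is what raises ResolverException.
        try {
            for (final Credential credential : kekResolver.resolve(criteriaSet)) {
                assert credential != null;
                if (credential instanceof JWKCredential) {
                    try {
                        // Rejects the credential unless it holds an EC private key, so the cast below is safe.
                        validateKeyManagmentAlgorithm(encryptedJWT, (JWKCredential) credential);
                        validateContentEncryptionAlgorithm(encryptedJWT);
                        encryptedJWT.decrypt(new ECDHDecrypter((ECPrivateKey) credential.getPrivateKey()));
                        return;
                    } catch (final JOSEException | DecryptionException e) {
                        log.debug("Failed to decrypt JWE using key '{}', continuing: {}", credential.getKeyNames(),
                                e.getMessage());
                    }
                } else if (log.isTraceEnabled()) {
                    log.trace("JWT decryption requires a JWK credential, resolved credential '{}' was not",
                            CredentialConversionUtil.resolveKid(credential));
                }
            }
        } catch (final ResolverException e) {
            log.warn("Unable to decrypt JWE with Key Encryption", e);
        }
        throw new DecryptionException("All attempts to decrypt the JWE using a Key Wrapped CEK have failed");
    }

    /**
     * Decrypts a token in the AES key wrapping (AxxxKW / AxxxGCMKW) mode, trying each resolved KEK credential in turn.
     *
     * @param encryptedJWT the token to decrypt in place
     * @throws DecryptionException if no KEK resolver is configured or no credential decrypts the token
     */
    private void decryptUsingKeyWrapping(@Nonnull final EncryptedJWT encryptedJWT) throws DecryptionException {
        log.debug("Attempting decryption of JWE using Key Wrapping managment mode");
        final CredentialResolver kekResolver = params.getKEKCredentialResolver();
        if (kekResolver == null) {
            throw new DecryptionException("Decryption can not be attempted, KEK resolver is not available");
        }

        final CriteriaSet criteriaSet = buildCriteria(encryptedJWT,
                CollectionSupport.singletonList(new UsageCriterion(UsageType.ENCRYPTION)));
        buildKeyManagementAlgorithmCriteria(criteriaSet, encryptedJWT);

        try {
            for (final Credential credential : kekResolver.resolve(criteriaSet)) {
                if (credential instanceof JWKCredential) {
                    try {
                        // Requires an AES secret key for this family; the second check matches the key to 'enc'.
                        validateKeyManagmentAlgorithm(encryptedJWT, (JWKCredential) credential);
                        validateContentEncryptionAlgorithm(encryptedJWT, (JWKCredential) credential);
                        encryptedJWT.decrypt(new AESDecrypter(credential.getSecretKey()));
                        return;
                    } catch (final JOSEException | DecryptionException e) {
                        log.debug("Failed to decrypt JWE using key '{}', continuing: {}", credential.getKeyNames(),
                                e.getMessage());
                    }
                } else if (log.isTraceEnabled()) {
                    log.trace("JWT decryption requires a JWK credential, resolved credential '{}' was not",
                            CredentialConversionUtil.resolveKid(credential));
                }
            }
        } catch (final ResolverException e) {
            log.warn("Unable to decrypt JWE with Key Encryption", e);
        }
        throw new DecryptionException("All attempts to decrypt the JWE using a Key Wrapped CEK have failed");
    }

    /**
     * Decrypts a token in the RSA key encryption mode, trying each resolved KEK credential in turn.
     *
     * @param encryptedJWT the token to decrypt in place
     * @throws DecryptionException if no KEK resolver is configured or no credential decrypts the token
     */
    private void decryptUsingKeyEncryption(@Nonnull final EncryptedJWT encryptedJWT) throws DecryptionException {
        log.debug("Attempting decryption of JWE using Key Encryption managment mode");
        final CredentialResolver kekResolver = params.getKEKCredentialResolver();
        if (kekResolver == null) {
            throw new DecryptionException("Decryption can not be attempted, KEK resolver is not available");
        }

        final CriteriaSet criteriaSet = buildCriteria(encryptedJWT,
                CollectionSupport.singletonList(new UsageCriterion(UsageType.ENCRYPTION)));
        buildKeyManagementAlgorithmCriteria(criteriaSet, encryptedJWT);

        try {
            for (final Credential credential : kekResolver.resolve(criteriaSet)) {
                if (credential instanceof JWKCredential) {
                    try {
                        // Requires an RSA private key for this family and applies the 'alg' include/exclude lists.
                        validateKeyManagmentAlgorithm(encryptedJWT, (JWKCredential) credential);
                        validateContentEncryptionAlgorithm(encryptedJWT);
                        encryptedJWT.decrypt(new RSADecrypter(credential.getPrivateKey()));
                        return;
                    } catch (final JOSEException | DecryptionException e) {
                        log.debug("Failed to decrypt JWE using key '{}', continuing: {}", credential.getKeyNames(),
                                e.getMessage());
                    }
                } else if (log.isTraceEnabled()) {
                    log.trace("JWT decryption requires a JWK credential, resolved credential '{}' was not",
                            CredentialConversionUtil.resolveKid(credential));
                }
            }
        } catch (final ResolverException e) {
            log.warn("Unable to decrypt JWE with Key Encryption", e);
        }
        throw new DecryptionException("All attempts to decrypt the JWE using a Key Encrypted CEK have failed");
    }

    /**
     * Decrypts a token in the direct ({@code dir}) mode, trying each resolved content encryption key credential in turn.
     *
     * @param encryptedJWT the token to decrypt in place
     * @throws DecryptionException if no CEK resolver is configured or no credential decrypts the token
     */
    private void decryptUsingDirectEncryption(@Nonnull final EncryptedJWT encryptedJWT) throws DecryptionException {
        log.debug("Attempting decryption of JWE using Direct Encryption managment mode");
        final CredentialResolver cekResolver = params.getContentEncryptionKeyCredentialResolver();
        if (cekResolver == null) {
            throw new DecryptionException("Decryption can not be attempted, CEK resolver is not available");
        }

        final CriteriaSet criteriaSet = buildCriteria(encryptedJWT, List.of(new UsageCriterion(UsageType.ENCRYPTION)));
        buildContentEncryptionKeyAlgorithmCriteria(criteriaSet, encryptedJWT);

        try {
            for (final Credential credential : cekResolver.resolve(criteriaSet)) {
                assert credential != null;
                if (credential instanceof JWKCredential) {
                    try {
                        // Requires a secret key whose algorithm matches the key algorithm derived from 'enc'.
                        validateKeyManagmentAlgorithm(encryptedJWT, (JWKCredential) credential);
                        validateContentEncryptionAlgorithm(encryptedJWT, (JWKCredential) credential);
                        encryptedJWT.decrypt(new DirectDecrypter(credential.getSecretKey()));
                        return;
                    } catch (final JOSEException | DecryptionException e) {
                        log.debug("Content encryption key '{}' failed to decrypt JWE, continuing: {}",
                                credential.getKeyNames(), e.getMessage());
                    }
                } else if (log.isTraceEnabled()) {
                    log.trace("JWT decryption requires a JWK credential, resolved credential '{}' was not",
                            CredentialConversionUtil.resolveKid(credential));
                }
            }
        } catch (final ResolverException e) {
            log.warn("Unable to decrypt JWE using Direct Encryption", e);
        }
        throw new DecryptionException("Failed to decrypt JWE, no suitable credential found");
    }

    /**
     * Validates the {@code alg} header against the include/exclude lists and checks that the credential holds a
     * key of the type the algorithm family requires (RSA private key, EC private key, AES secret key, or any
     * secret key for {@code dir}). A credential that declares its own algorithm must declare the header's.
     *
     * @param encryptedJWT the token supplying the header
     * @param jwkCredential the candidate credential
     * @return the validated key management algorithm
     * @throws DecryptionException if the header is absent, the algorithm is disallowed, or the key does not fit
     */
    @Nonnull
    private JWEAlgorithm validateKeyManagmentAlgorithm(@Nonnull final EncryptedJWT encryptedJWT,
            @Nonnull final JWKCredential jwkCredential) throws DecryptionException {
        if (encryptedJWT.getHeader() == null) {
            throw new DecryptionException("JWE did not contain a JOSE header, is in an illegal state");
        }
        final JWEAlgorithm algorithm = encryptedJWT.getHeader().getAlgorithm();
        // validateAlgorithmURI rejects a null name, so algorithm is non-null past this point.
        validateAlgorithmURI(algorithm != null ? algorithm.getName() : null);

        if (jwkCredential.getAlgorithm() != null && !algorithm.equals(jwkCredential.getAlgorithm())) {
            throw new DecryptionException("Credential algorithm '" + jwkCredential.getAlgorithm()
                    + "' was not a match for the algorithm '" + encryptedJWT.getHeader().getAlgorithm() + "'");
        }
        if (JWEAlgorithm.Family.RSA.contains(algorithm) && !(jwkCredential.getPrivateKey() instanceof RSAPrivateKey)) {
            throw new DecryptionException("Credential did not contain an RSA private key");
        }
        if (JWEAlgorithm.Family.ECDH_ES.contains(algorithm)
                && !(jwkCredential.getPrivateKey() instanceof ECPrivateKey)) {
            throw new DecryptionException("Credential did not contain an EC private key");
        }
        if (JWEAlgorithm.Family.AES_GCM_KW.contains(algorithm) || JWEAlgorithm.Family.AES_KW.contains(algorithm)) {
            final SecretKey secretKey = jwkCredential.getSecretKey();
            if (secretKey == null || !"AES".equals(secretKey.getAlgorithm())) {
                throw new DecryptionException("Credential did not contain an AES secret key");
            }
        }
        if (JWEAlgorithm.DIR.equals(algorithm) && jwkCredential.getSecretKey() == null) {
            throw new DecryptionException("Credential did not contain a direct encryption secret key");
        }
        return algorithm;
    }

    /**
     * Validates the {@code enc} header against the include/exclude lists.
     *
     * @param encryptedJWT the token supplying the header
     * @return the validated content encryption method
     * @throws DecryptionException if the header or {@code enc} is absent or the algorithm is disallowed
     */
    @Nonnull
    private EncryptionMethod validateContentEncryptionAlgorithm(@Nonnull final EncryptedJWT encryptedJWT)
            throws DecryptionException {
        if (encryptedJWT.getHeader() == null) {
            throw new DecryptionException("JWE did not contain a JOSE header, is in an illegal state");
        }
        final EncryptionMethod encryptionMethod = encryptedJWT.getHeader().getEncryptionMethod();
        if (encryptionMethod == null) {
            throw new DecryptionException("JWE did not contain an 'enc' JOSE header, is in an illegal state");
        }
        validateAlgorithmURI(StringSupport.trimOrNull(encryptionMethod.getName()));
        return encryptionMethod;
    }

    /**
     * Validates the {@code enc} header as in {@link #validateContentEncryptionAlgorithm(EncryptedJWT)} and
     * additionally requires the credential's secret key algorithm to equal the key algorithm the registry maps
     * {@code enc} to.
     *
     * @param encryptedJWT the token supplying the header
     * @param jwkCredential the candidate credential, which must carry a secret key
     * @return the validated content encryption method
     * @throws DecryptionException if the credential has no secret key, {@code enc} is disallowed or unknown to the
     *             registry, or the key algorithms differ
     */
    @Nonnull
    private EncryptionMethod validateContentEncryptionAlgorithm(@Nonnull final EncryptedJWT encryptedJWT,
            @Nonnull final JWKCredential jwkCredential) throws DecryptionException {
        final SecretKey secretKey = jwkCredential.getSecretKey();
        if (secretKey == null) {
            throw new DecryptionException("Credential does not contain a content encryption secret key");
        }
        final EncryptionMethod encryptionMethod = validateContentEncryptionAlgorithm(encryptedJWT);
        final String encName = StringSupport.trimOrNull(encryptionMethod.getName());
        final String keyAlgorithm = encName != null ? AlgorithmSupport.getKeyAlgorithm(encName) : null;
        if (keyAlgorithm == null) {
            throw new DecryptionException("JOSE Header 'enc' algorithm is not supported by the algorithm registry");
        }
        if (!keyAlgorithm.equals(secretKey.getAlgorithm())) {
            throw new DecryptionException("JOSE Header 'enc' algorithm " + keyAlgorithm
                    + " does not match credential algorithm " + secretKey.getAlgorithm());
        }
        return encryptionMethod;
    }

    /**
     * Checks an algorithm URI against the include and exclude lists configured in the parameters.
     *
     * @param algorithmURI the algorithm URI taken from the (untrusted) JOSE header, may be null
     * @throws DecryptionException if the URI is null or not permitted by the include/exclude lists
     */
    private void validateAlgorithmURI(@Nullable final String algorithmURI) throws DecryptionException {
        if (algorithmURI == null) {
            throw new DecryptionException("Algorithm was null, failed include/exclude validation");
        }
        log.debug("Validating algorithm URI against include and exclude lists: algorithm: {}, included: {}, excluded: {}",
                algorithmURI, params.getIncludedAlgorithms(), params.getExcludedAlgorithms());
        if (!AlgorithmSupport.validateAlgorithmURI(algorithmURI, params.getIncludedAlgorithms(),
                params.getExcludedAlgorithms())) {
            throw new DecryptionException("Algorithm failed include/exclude validation: " + algorithmURI);
        }
    }
}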
