package org.opensaml.xmlsec.impl;

import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.collect.Collections2;
import groovy.inspect.Inspector;
import java.security.Key;
import java.security.KeyException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.EncryptionConfiguration;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.EncryptionParametersResolver;
import org.opensaml.xmlsec.KeyTransportAlgorithmPredicate;
import org.opensaml.xmlsec.algorithm.AlgorithmRegistry;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.criterion.KeyInfoGenerationProfileCriterion;
import org.opensaml.xmlsec.encryption.support.RSAOAEPParameters;
import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-335.zip:modules/system/layers/fuse/org/opensaml/3.1/opensaml-xmlsec-impl-3.1.1.jar:org/opensaml/xmlsec/impl/BasicEncryptionParametersResolver.class */
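public class BasicEncryptionParametersResolver extends AbstractSecurityParametersResolver<EncryptionParameters> implements EncryptionParametersResolver {

    /**
     * Placeholder logged in place of a key algorithm when no encryption key can be extracted from a credential.
     * (The decompiled listing referenced {@code groovy.inspect.Inspector.NOT_APPLICABLE}, whose value is this
     * same string; a local constant avoids the spurious dependency on Groovy.)
     */
    private static final String KEY_ALGORITHM_NOT_APPLICABLE = "n/a";

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(BasicEncryptionParametersResolver.class);

    /** Registry used to look up algorithm descriptors by URI; initialised to the global registry. */
    private AlgorithmRegistry algorithmRegistry = AlgorithmSupport.getGlobalAlgorithmRegistry();

    /**
     * Whether a symmetric data encryption credential is generated when only a key transport credential and a
     * data encryption algorithm URI could be resolved. Defaults to {@code false}.
     */
    private boolean autoGenerateDataEncryptionCredential;

    /**
     * Gets the algorithm registry used to resolve algorithm descriptors.
     *
     * @return the configured registry, or the global registry when none is set
     */
    public AlgorithmRegistry getAlgorithmRegistry() {
        if (algorithmRegistry != null) {
            return algorithmRegistry;
        }
        return AlgorithmSupport.getGlobalAlgorithmRegistry();
    }

    /**
     * Sets the algorithm registry used to resolve algorithm descriptors.
     *
     * @param algorithmRegistry the registry to use, may not be null
     */
    public void setAlgorithmRegistry(@Nonnull AlgorithmRegistry algorithmRegistry) {
        this.algorithmRegistry = Constraint.isNotNull(algorithmRegistry, "AlgorithmRegistry was null");
    }

    /**
     * Gets whether a data encryption credential is auto-generated when only a key transport credential resolves.
     *
     * @return true if auto-generation is enabled
     */
    public boolean isAutoGenerateDataEncryptionCredential() {
        return autoGenerateDataEncryptionCredential;
    }

    /**
     * Sets whether a data encryption credential is auto-generated when only a key transport credential resolves.
     *
     * @param autoGenerate true to enable auto-generation
     */
    public void setAutoGenerateDataEncryptionCredential(boolean autoGenerate) {
        this.autoGenerateDataEncryptionCredential = autoGenerate;
    }

    /**
     * Resolves encryption parameters for the given criteria.
     *
     * @param criteriaSet the criteria to resolve against, must contain an {@link EncryptionConfigurationCriterion}
     * @return a single-element iterable holding the resolved parameters, or an empty iterable when none could be
     *         resolved or validation failed
     * @throws ResolverException if resolution fails
     */
    @Nonnull
    public Iterable<EncryptionParameters> resolve(@Nonnull CriteriaSet criteriaSet) throws ResolverException {
        EncryptionParameters params = resolveSingle(criteriaSet);
        if (params == null) {
            return Collections.emptyList();
        }
        return Collections.singletonList(params);
    }

    /**
     * Resolves a single set of encryption parameters for the given criteria.
     *
     * <p>Credentials and algorithm URIs are resolved first, then a {@link KeyInfoGenerator} for each resolved
     * credential; the result is returned only if {@link #validate(EncryptionParameters)} accepts it.</p>
     *
     * @param criteriaSet the criteria to resolve against, must contain an {@link EncryptionConfigurationCriterion}
     * @return the resolved parameters, or null when validation failed
     * @throws ResolverException if resolution fails
     */
    @Nullable
    public EncryptionParameters resolveSingle(@Nonnull CriteriaSet criteriaSet) throws ResolverException {
        Constraint.isNotNull(criteriaSet, "CriteriaSet was null");
        Constraint.isNotNull(criteriaSet.get(EncryptionConfigurationCriterion.class),
                "Resolver requires an instance of EncryptionConfigurationCriterion");

        Predicate<String> whitelistBlacklistPredicate = getWhitelistBlacklistPredicate(criteriaSet);
        EncryptionParameters params = new EncryptionParameters();
        resolveAndPopulateCredentialsAndAlgorithms(params, criteriaSet, whitelistBlacklistPredicate);

        Credential dataCredential = params.getDataEncryptionCredential();
        if (dataCredential != null) {
            params.setDataKeyInfoGenerator(resolveDataKeyInfoGenerator(criteriaSet, dataCredential));
        }
        Credential keyTransportCredential = params.getKeyTransportEncryptionCredential();
        if (keyTransportCredential != null) {
            params.setKeyTransportKeyInfoGenerator(
                    resolveKeyTransportKeyInfoGenerator(criteriaSet, keyTransportCredential));
        }

        if (!validate(params)) {
            return null;
        }
        logResult(params);
        return params;
    }

    /**
     * Logs the resolved parameters at debug level. Only key algorithm names and algorithm URIs are logged,
     * never key material.
     *
     * @param encryptionParameters the resolved parameters
     */
    protected void logResult(@Nonnull EncryptionParameters encryptionParameters) {
        if (!log.isDebugEnabled()) {
            return;
        }
        log.debug("Resolved EncryptionParameters:");

        Key keyTransportKey =
                CredentialSupport.extractEncryptionKey(encryptionParameters.getKeyTransportEncryptionCredential());
        if (keyTransportKey != null) {
            log.debug("\tKey transport credential with key algorithm: {}", keyTransportKey.getAlgorithm());
        } else {
            log.debug("\tKey transport credential: null");
        }
        log.debug("\tKey transport algorithm URI: {}", encryptionParameters.getKeyTransportEncryptionAlgorithm());

        RSAOAEPParameters oaepParams = encryptionParameters.getRSAOAEPParameters();
        if (oaepParams != null) {
            log.debug("\t\tKey transport RSA OAEP digest method URI: {}", oaepParams.getDigestMethod());
            log.debug("\t\tKey transport RSA OAEP MGF URI: {}", oaepParams.getMaskGenerationFunction());
            log.debug("\t\tKey transport RSA OAEP OAEPparams: {}", oaepParams.getOAEPParams());
        }
        log.debug("\tKey transport KeyInfoGenerator: {}",
                encryptionParameters.getKeyTransportKeyInfoGenerator() != null ? "present" : "null");

        Key dataKey = CredentialSupport.extractEncryptionKey(encryptionParameters.getDataEncryptionCredential());
        if (dataKey != null) {
            log.debug("\tData encryption credential with key algorithm: {}", dataKey.getAlgorithm());
        } else {
            log.debug("\tData encryption credential: null");
        }
        log.debug("\tData encryption algorithm URI: {}", encryptionParameters.getDataEncryptionAlgorithm());
        log.debug("\tData encryption KeyInfoGenerator: {}",
                encryptionParameters.getDataKeyInfoGenerator() != null ? "present" : "null");
    }

    /**
     * Validates the resolved parameters.
     *
     * <p>Rejects the result when no credential at all resolved, when a resolved credential has no matching
     * algorithm URI, or when only a key transport credential resolved and no data encryption algorithm URI is
     * available for auto-generating a data encryption key.</p>
     *
     * @param encryptionParameters the parameters to validate
     * @return true if the parameters are usable, false otherwise (the reason is logged at warn level)
     */
    protected boolean validate(@Nonnull EncryptionParameters encryptionParameters) {
        Credential keyTransportCredential = encryptionParameters.getKeyTransportEncryptionCredential();
        Credential dataCredential = encryptionParameters.getDataEncryptionCredential();
        String keyTransportAlgorithm = encryptionParameters.getKeyTransportEncryptionAlgorithm();
        String dataAlgorithm = encryptionParameters.getDataEncryptionAlgorithm();

        if (keyTransportCredential == null && dataCredential == null) {
            log.warn("Validation failure: Failed to resolve both a data and a key encryption credential");
            return false;
        }
        if (keyTransportCredential != null && keyTransportAlgorithm == null) {
            log.warn("Validation failure: Unable to resolve key encryption algorithm URI for credential");
            return false;
        }
        if (dataCredential != null && dataAlgorithm == null) {
            log.warn("Validation failure: Unable to resolve data encryption algorithm URI for credential");
            return false;
        }
        // Key transport only: a data encryption algorithm URI is required so a data key can be generated.
        if (keyTransportCredential != null && dataCredential == null && dataAlgorithm == null) {
            log.warn("Validation failure: Unable to resolve a data encryption algorithm URI for auto-generation of data encryption key");
            return false;
        }
        return true;
    }

    /**
     * Builds the whitelist/blacklist predicate from the effective encryption configurations.
     *
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @return the predicate that enforces the configured algorithm whitelist/blacklist
     */
    @Nonnull
    protected Predicate<String> getWhitelistBlacklistPredicate(@Nonnull CriteriaSet criteriaSet) {
        return resolveWhitelistBlacklistPredicate(criteriaSet, getConfigurations(criteriaSet));
    }

    /**
     * Resolves and populates the data encryption and key transport credentials and algorithm URIs.
     *
     * <p>The first data encryption credential for which an algorithm resolves is selected; if none are configured
     * an algorithm is chosen from the effective algorithms alone. Then the first key transport credential for
     * which an algorithm resolves is selected. Finally RSA-OAEP parameters are populated and data credential
     * auto-generation is applied.</p>
     *
     * <p>(Decompiler note on the listing: declared {@code protected} in the original source.)</p>
     *
     * @param encryptionParameters the parameters instance to populate
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @param predicate the whitelist/blacklist predicate to apply to algorithm URIs
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull EncryptionParameters encryptionParameters,
            @Nonnull CriteriaSet criteriaSet, @Nonnull Predicate<String> predicate) {
        List<Credential> keyTransportCredentials = getEffectiveKeyTransportCredentials(criteriaSet);
        List<String> keyTransportAlgorithms = getEffectiveKeyTransportAlgorithms(criteriaSet, predicate);
        log.trace("Resolved effective key transport algorithms: {}", keyTransportAlgorithms);

        List<Credential> dataEncryptionCredentials = getEffectiveDataEncryptionCredentials(criteriaSet);
        List<String> dataEncryptionAlgorithms = getEffectiveDataEncryptionAlgorithms(criteriaSet, predicate);
        log.trace("Resolved effective data encryption algorithms: {}", dataEncryptionAlgorithms);

        if (dataEncryptionCredentials.isEmpty()) {
            encryptionParameters.setDataEncryptionAlgorithm(
                    resolveDataEncryptionAlgorithm(null, dataEncryptionAlgorithms));
        } else {
            for (Credential dataCredential : dataEncryptionCredentials) {
                String dataAlgorithm = resolveDataEncryptionAlgorithm(dataCredential, dataEncryptionAlgorithms);
                if (dataAlgorithm != null) {
                    encryptionParameters.setDataEncryptionCredential(dataCredential);
                    encryptionParameters.setDataEncryptionAlgorithm(dataAlgorithm);
                    break;
                }
                // describeKeyAlgorithm() tolerates a credential without an extractable key (the original
                // dereferenced the extracted key directly and would NPE here).
                log.debug("Unable to resolve data encryption algorithm for credential with key type '{}', considering other credentials",
                        describeKeyAlgorithm(dataCredential));
            }
        }

        KeyTransportAlgorithmPredicate keyTransportAlgorithmPredicate =
                resolveKeyTransportAlgorithmPredicate(criteriaSet);
        for (Credential keyTransportCredential : keyTransportCredentials) {
            String keyTransportAlgorithm = resolveKeyTransportAlgorithm(keyTransportCredential,
                    keyTransportAlgorithms, encryptionParameters.getDataEncryptionAlgorithm(),
                    keyTransportAlgorithmPredicate);
            if (keyTransportAlgorithm != null) {
                encryptionParameters.setKeyTransportEncryptionCredential(keyTransportCredential);
                encryptionParameters.setKeyTransportEncryptionAlgorithm(keyTransportAlgorithm);
                break;
            }
            log.debug("Unable to resolve key transport algorithm for credential with key type '{}', considering other credentials",
                    describeKeyAlgorithm(keyTransportCredential));
        }

        resolveAndPopulateRSAOAEPParams(encryptionParameters, criteriaSet, predicate);
        processDataEncryptionCredentialAutoGeneration(encryptionParameters);
    }

    /**
     * Populates RSA-OAEP parameters when the resolved key transport algorithm is RSA-OAEP, creating an empty
     * {@link RSAOAEPParameters} instance first if none is present.
     *
     * <p>(Decompiler note on the listing: declared {@code protected} in the original source.)</p>
     *
     * @param encryptionParameters the parameters instance to populate
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @param predicate the whitelist/blacklist predicate to apply to algorithm URIs
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void resolveAndPopulateRSAOAEPParams(@Nonnull EncryptionParameters encryptionParameters,
            @Nonnull CriteriaSet criteriaSet, @Nonnull Predicate<String> predicate) {
        if (!AlgorithmSupport.isRSAOAEP(encryptionParameters.getKeyTransportEncryptionAlgorithm())) {
            return;
        }
        if (encryptionParameters.getRSAOAEPParameters() == null) {
            encryptionParameters.setRSAOAEPParameters(new RSAOAEPParameters());
        }
        populateRSAOAEPParams(encryptionParameters.getRSAOAEPParameters(), criteriaSet, predicate);
    }

    /**
     * Fills in any unset RSA-OAEP parameter from the encryption configurations, in configuration order.
     *
     * <p>A digest method is taken only if it passes both the whitelist/blacklist predicate and the runtime-support
     * predicate; a mask generation function is taken only if it passes the whitelist/blacklist predicate; the
     * OAEPparams value is taken as-is. Processing stops as soon as the parameters are complete, or after the first
     * configuration that does not permit merging.</p>
     *
     * @param target the parameters to complete
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @param predicate the whitelist/blacklist predicate to apply to algorithm URIs
     */
    protected void populateRSAOAEPParams(@Nonnull RSAOAEPParameters target, @Nonnull CriteriaSet criteriaSet,
            @Nonnull Predicate<String> predicate) {
        if (target.isComplete()) {
            return;
        }
        Predicate<String> runtimeSupported = getAlgorithmRuntimeSupportedPredicate();
        for (EncryptionConfiguration config : getConfigurations(criteriaSet)) {
            RSAOAEPParameters configured = config.getRSAOAEPParameters();
            if (configured != null) {
                String digest = configured.getDigestMethod();
                if (target.getDigestMethod() == null && digest != null
                        && predicate.apply(digest) && runtimeSupported.apply(digest)) {
                    target.setDigestMethod(digest);
                }
                String mgf = configured.getMaskGenerationFunction();
                if (target.getMaskGenerationFunction() == null && mgf != null && predicate.apply(mgf)) {
                    target.setMaskGenerationFunction(mgf);
                }
                if (target.getOAEPParams() == null && configured.getOAEPParams() != null) {
                    target.setOAEPparams(configured.getOAEPParams());
                }
            }
            if (target.isComplete() || !config.isRSAOAEPParametersMerge()) {
                return;
            }
        }
    }

    /**
     * Returns the first non-null {@link KeyTransportAlgorithmPredicate} from the encryption configurations.
     *
     * <p>(Decompiler note on the listing: declared {@code protected} in the original source.)</p>
     *
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @return the predicate, or null if no configuration supplies one
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Nullable
    public KeyTransportAlgorithmPredicate resolveKeyTransportAlgorithmPredicate(@Nonnull CriteriaSet criteriaSet) {
        for (EncryptionConfiguration config : getConfigurations(criteriaSet)) {
            KeyTransportAlgorithmPredicate candidate = config.getKeyTransportAlgorithmPredicate();
            if (candidate != null) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Selects the first algorithm URI, in the given order, that the credential supports, that is a key
     * transport algorithm, and that the optional predicate accepts.
     *
     * <p>The decompiled listing had an empty {@code if} body followed by an unconditional {@code return}, which
     * would have selected the first candidate without applying any of these checks; the checks are now enforced
     * so that an algorithm the credential cannot use, or that policy rejects, is never chosen.</p>
     *
     * @param credential the key transport credential
     * @param algorithms the effective key transport algorithm URIs, in preference order
     * @param dataEncryptionAlgorithm the already-resolved data encryption algorithm URI, or null
     * @param keyTransportAlgorithmPredicate optional additional selection predicate
     * @return the selected algorithm URI, or null if none qualifies
     */
    @Nullable
    protected String resolveKeyTransportAlgorithm(@Nonnull Credential credential, @Nonnull List<String> algorithms,
            @Nullable String dataEncryptionAlgorithm,
            @Nullable KeyTransportAlgorithmPredicate keyTransportAlgorithmPredicate) {
        if (log.isTraceEnabled()) {
            log.trace("Evaluating key transport encryption credential of type: {}", describeKeyAlgorithm(credential));
        }
        for (String algorithm : algorithms) {
            log.trace("Evaluating key transport credential against algorithm: {}", algorithm);
            if (!credentialSupportsAlgorithm(credential, algorithm) || !isKeyTransportAlgorithm(algorithm)) {
                continue;
            }
            if (keyTransportAlgorithmPredicate != null && !keyTransportAlgorithmPredicate.apply(
                    new KeyTransportAlgorithmPredicate.SelectionInput(algorithm, dataEncryptionAlgorithm, credential))) {
                continue;
            }
            return algorithm;
        }
        return null;
    }

    /**
     * Convenience overload that derives the effective algorithms and predicate from the criteria.
     *
     * <p>(Decompiler note on the listing: declared {@code protected} in the original source.)</p>
     *
     * @param credential the key transport credential
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @param predicate the whitelist/blacklist predicate to apply to algorithm URIs
     * @param dataEncryptionAlgorithm the already-resolved data encryption algorithm URI, or null
     * @return the selected algorithm URI, or null if none qualifies
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Nullable
    public String resolveKeyTransportAlgorithm(@Nonnull Credential credential, @Nonnull CriteriaSet criteriaSet,
            @Nonnull Predicate<String> predicate, @Nullable String dataEncryptionAlgorithm) {
        return resolveKeyTransportAlgorithm(credential, getEffectiveKeyTransportAlgorithms(criteriaSet, predicate),
                dataEncryptionAlgorithm, resolveKeyTransportAlgorithmPredicate(criteriaSet));
    }

    /**
     * Selects a data encryption algorithm URI for the credential.
     *
     * <p>With a null credential the first effective algorithm is returned (or null if there are none); otherwise
     * the first algorithm the credential supports that is a data encryption algorithm is returned.</p>
     *
     * @param credential the data encryption credential, or null
     * @param algorithms the effective data encryption algorithm URIs, in preference order
     * @return the selected algorithm URI, or null if none qualifies
     */
    @Nullable
    protected String resolveDataEncryptionAlgorithm(@Nullable Credential credential, @Nonnull List<String> algorithms) {
        if (log.isTraceEnabled()) {
            log.trace("Evaluating data encryption credential of type: {}", describeKeyAlgorithm(credential));
        }
        if (credential == null) {
            log.trace("Data encryption credential was null, selecting algorithm based on effective algorithms alone");
            return algorithms.isEmpty() ? null : algorithms.get(0);
        }
        for (String algorithm : algorithms) {
            log.trace("Evaluating data encryption credential against algorithm: {}", algorithm);
            if (credentialSupportsAlgorithm(credential, algorithm) && isDataEncryptionAlgorithm(algorithm)) {
                return algorithm;
            }
        }
        return null;
    }

    /**
     * Convenience overload that derives the effective algorithms from the criteria.
     *
     * <p>(Decompiler note on the listing: declared {@code protected} in the original source.)</p>
     *
     * @param credential the data encryption credential
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @param predicate the whitelist/blacklist predicate to apply to algorithm URIs
     * @return the selected algorithm URI, or null if none qualifies
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Nullable
    public String resolveDataEncryptionAlgorithm(@Nonnull Credential credential, @Nonnull CriteriaSet criteriaSet,
            @Nonnull Predicate<String> predicate) {
        return resolveDataEncryptionAlgorithm(credential, getEffectiveDataEncryptionAlgorithms(criteriaSet, predicate));
    }

    /**
     * Concatenates the data encryption credentials of all configurations, in configuration order.
     *
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @return the effective credentials, possibly empty
     */
    @Nonnull
    protected List<Credential> getEffectiveDataEncryptionCredentials(@Nonnull CriteriaSet criteriaSet) {
        List<Credential> credentials = new ArrayList<>();
        for (EncryptionConfiguration config : getConfigurations(criteriaSet)) {
            credentials.addAll(config.getDataEncryptionCredentials());
        }
        return credentials;
    }

    /**
     * Concatenates the data encryption algorithm URIs of all configurations, keeping only those that are both
     * supported at runtime and accepted by the whitelist/blacklist predicate.
     *
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @param predicate the whitelist/blacklist predicate to apply to algorithm URIs
     * @return the effective algorithm URIs, possibly empty
     */
    @Nonnull
    protected List<String> getEffectiveDataEncryptionAlgorithms(@Nonnull CriteriaSet criteriaSet,
            @Nonnull Predicate<String> predicate) {
        // Built once rather than per configuration; the original re-created the runtime predicate in each iteration.
        Predicate<String> effective = Predicates.and(getAlgorithmRuntimeSupportedPredicate(), predicate);
        List<String> algorithms = new ArrayList<>();
        for (EncryptionConfiguration config : getConfigurations(criteriaSet)) {
            algorithms.addAll(Collections2.filter(config.getDataEncryptionAlgorithms(), effective));
        }
        return algorithms;
    }

    /**
     * Concatenates the key transport credentials of all configurations, in configuration order.
     *
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @return the effective credentials, possibly empty
     */
    @Nonnull
    protected List<Credential> getEffectiveKeyTransportCredentials(@Nonnull CriteriaSet criteriaSet) {
        List<Credential> credentials = new ArrayList<>();
        for (EncryptionConfiguration config : getConfigurations(criteriaSet)) {
            credentials.addAll(config.getKeyTransportEncryptionCredentials());
        }
        return credentials;
    }

    /**
     * Concatenates the key transport algorithm URIs of all configurations, keeping only those that are both
     * supported at runtime and accepted by the whitelist/blacklist predicate.
     *
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @param predicate the whitelist/blacklist predicate to apply to algorithm URIs
     * @return the effective algorithm URIs, possibly empty
     */
    @Nonnull
    protected List<String> getEffectiveKeyTransportAlgorithms(@Nonnull CriteriaSet criteriaSet,
            @Nonnull Predicate<String> predicate) {
        Predicate<String> effective = Predicates.and(getAlgorithmRuntimeSupportedPredicate(), predicate);
        List<String> algorithms = new ArrayList<>();
        for (EncryptionConfiguration config : getConfigurations(criteriaSet)) {
            algorithms.addAll(Collections2.filter(config.getKeyTransportEncryptionAlgorithms(), effective));
        }
        return algorithms;
    }

    /**
     * Resolves a {@link KeyInfoGenerator} for the data encryption credential from the first configuration whose
     * data KeyInfoGenerator manager yields one.
     *
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}; the listing
     *        annotated it nullable but it is always dereferenced, so null is not actually supported
     * @param credential the data encryption credential, or null
     * @return the generator, or null if the credential is null or no configuration yields one
     */
    @Nullable
    protected KeyInfoGenerator resolveDataKeyInfoGenerator(@Nonnull CriteriaSet criteriaSet,
            @Nullable Credential credential) {
        if (credential == null) {
            return null;
        }
        String profileName = resolveKeyInfoProfileName(criteriaSet);
        for (EncryptionConfiguration config : getConfigurations(criteriaSet)) {
            KeyInfoGenerator generator =
                    lookupKeyInfoGenerator(credential, config.getDataKeyInfoGeneratorManager(), profileName);
            if (generator != null) {
                return generator;
            }
        }
        return null;
    }

    /**
     * Resolves a {@link KeyInfoGenerator} for the key transport credential from the first configuration whose
     * key transport KeyInfoGenerator manager yields one.
     *
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @param credential the key transport credential, or null
     * @return the generator, or null if the credential is null or no configuration yields one
     */
    @Nullable
    protected KeyInfoGenerator resolveKeyTransportKeyInfoGenerator(@Nonnull CriteriaSet criteriaSet,
            @Nullable Credential credential) {
        if (credential == null) {
            return null;
        }
        String profileName = resolveKeyInfoProfileName(criteriaSet);
        for (EncryptionConfiguration config : getConfigurations(criteriaSet)) {
            KeyInfoGenerator generator =
                    lookupKeyInfoGenerator(credential, config.getKeyTransportKeyInfoGeneratorManager(), profileName);
            if (generator != null) {
                return generator;
            }
        }
        return null;
    }

    /**
     * Builds a predicate that accepts algorithm URIs supported by the current algorithm registry.
     *
     * <p>(Decompiler note on the listing: declared {@code protected} in the original source.)</p>
     *
     * @return a new runtime-support predicate backed by {@link #getAlgorithmRegistry()}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Nonnull
    public Predicate<String> getAlgorithmRuntimeSupportedPredicate() {
        return new AlgorithmRuntimeSupportedPredicate(getAlgorithmRegistry());
    }

    /**
     * Checks whether the credential can be used for encryption with the given algorithm.
     *
     * <p>(Decompiler note on the listing: declared {@code protected} in the original source.)</p>
     *
     * @param credential the credential to check
     * @param algorithmUri the algorithm URI, looked up in the algorithm registry
     * @return true if the credential supports the algorithm for encryption
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean credentialSupportsAlgorithm(@Nonnull Credential credential, @NotEmpty @Nonnull String algorithmUri) {
        return AlgorithmSupport.credentialSupportsAlgorithmForEncryption(credential, getAlgorithmRegistry().get(algorithmUri));
    }

    /**
     * Checks whether the algorithm URI denotes a key encryption (key transport) algorithm.
     *
     * <p>(Decompiler note on the listing: declared {@code protected} in the original source.)</p>
     *
     * @param algorithmUri the algorithm URI, looked up in the algorithm registry
     * @return true if the algorithm is a key encryption algorithm
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isKeyTransportAlgorithm(@Nonnull String algorithmUri) {
        return AlgorithmSupport.isKeyEncryptionAlgorithm(getAlgorithmRegistry().get(algorithmUri));
    }

    /**
     * Checks whether the algorithm URI denotes a data encryption algorithm.
     *
     * <p>(Decompiler note on the listing: declared {@code protected} in the original source.)</p>
     *
     * @param algorithmUri the algorithm URI, looked up in the algorithm registry
     * @return true if the algorithm is a data encryption algorithm
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isDataEncryptionAlgorithm(String algorithmUri) {
        return AlgorithmSupport.isDataEncryptionAlgorithm(getAlgorithmRegistry().get(algorithmUri));
    }

    /**
     * Generates a fresh symmetric key credential for the given data encryption algorithm.
     *
     * @param algorithmUri the data encryption algorithm URI
     * @return the generated credential, or null if key generation failed (the failure is logged at warn level)
     */
    @Nullable
    protected Credential generateDataEncryptionCredential(@Nonnull String algorithmUri) {
        try {
            return AlgorithmSupport.generateSymmetricKeyAndCredential(algorithmUri);
        } catch (KeyException | NoSuchAlgorithmException e) {
            log.warn("Error generating a symmetric key credential using algorithm URI: " + algorithmUri, e);
            return null;
        }
    }

    /**
     * Auto-generates a data encryption credential when enabled, a key transport credential and a data encryption
     * algorithm URI were resolved, and no data encryption credential was resolved.
     *
     * <p>(Decompiler note on the listing: declared {@code protected} in the original source.)</p>
     *
     * @param encryptionParameters the parameters instance to populate
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void processDataEncryptionCredentialAutoGeneration(@Nonnull EncryptionParameters encryptionParameters) {
        String dataAlgorithm = encryptionParameters.getDataEncryptionAlgorithm();
        boolean applicable = isAutoGenerateDataEncryptionCredential()
                && encryptionParameters.getKeyTransportEncryptionCredential() != null
                && encryptionParameters.getDataEncryptionCredential() == null
                && dataAlgorithm != null;
        if (!applicable) {
            return;
        }
        log.debug("Auto-generating data encryption credential using algorithm URI: {}", dataAlgorithm);
        encryptionParameters.setDataEncryptionCredential(generateDataEncryptionCredential(dataAlgorithm));
    }

    /**
     * Returns the encryption configurations carried by the criteria's {@link EncryptionConfigurationCriterion}.
     *
     * @param criteriaSet the criteria, must contain an {@link EncryptionConfigurationCriterion}
     * @return the configurations, in the order the criterion holds them
     */
    @Nonnull
    private Iterable<EncryptionConfiguration> getConfigurations(@Nonnull CriteriaSet criteriaSet) {
        return ((EncryptionConfigurationCriterion) criteriaSet.get(EncryptionConfigurationCriterion.class))
                .getConfigurations();
    }

    /**
     * Returns the KeyInfo generation profile name from the criteria, if a
     * {@link KeyInfoGenerationProfileCriterion} is present.
     *
     * @param criteriaSet the criteria to inspect
     * @return the profile name, or null if no profile criterion is present
     */
    @Nullable
    private String resolveKeyInfoProfileName(@Nonnull CriteriaSet criteriaSet) {
        KeyInfoGenerationProfileCriterion profile =
                (KeyInfoGenerationProfileCriterion) criteriaSet.get(KeyInfoGenerationProfileCriterion.class);
        return profile != null ? profile.getName() : null;
    }

    /**
     * Returns the algorithm name of the credential's encryption key for logging, or a placeholder when no key can
     * be extracted. Only the algorithm name is exposed, never the key itself.
     *
     * @param credential the credential, or null
     * @return the key algorithm name, or {@value #KEY_ALGORITHM_NOT_APPLICABLE}
     */
    private String describeKeyAlgorithm(@Nullable Credential credential) {
        Key key = CredentialSupport.extractEncryptionKey(credential);
        return key != null ? key.getAlgorithm() : KEY_ALGORITHM_NOT_APPLICABLE;
    }
}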
