package org.geant.idpextension.oidc.profile.impl;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.crypto.AESDecrypter;
import com.nimbusds.jose.crypto.ECDHDecrypter;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import java.security.interfaces.ECPrivateKey;
import java.text.ParseException;
import java.util.Iterator;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.geant.idpextension.oidc.messaging.context.OIDCAuthenticationResponseContext;
import org.geant.idpextension.oidc.messaging.context.OIDCMetadataContext;
import org.geant.idpextension.oidc.security.impl.OIDCDecryptionParameters;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.saml2.profile.context.EncryptionContext;
import org.opensaml.security.credential.Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/geant/idpextension/oidc/profile/impl/DecryptRequestObject.class */
public class DecryptRequestObject extends AbstractOIDCAuthenticationResponseAction {

    @Nonnull
    private Logger log = LoggerFactory.getLogger(DecryptRequestObject.class);

    @Nonnull
    private Function<ProfileRequestContext, EncryptionContext> encryptionContextLookupStrategy = new ChildContextLookup(EncryptionContext.class).compose(new ChildContextLookup(RelyingPartyContext.class));

    @Nullable
    private OIDCDecryptionParameters params;

    @Nullable
    private JWT requestObject;

    public void setEncryptionContextLookupStrategy(@Nonnull Function<ProfileRequestContext, EncryptionContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.encryptionContextLookupStrategy = (Function) Constraint.isNotNull(function, "EncryptionContext lookup strategy cannot be null");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.geant.idpextension.oidc.profile.impl.AbstractOIDCAuthenticationResponseAction, org.geant.idpextension.oidc.profile.impl.AbstractOIDCRequestAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        this.requestObject = getOidcResponseContext().getRequestObject();
        if (this.requestObject == null) {
            this.log.debug("{} No request object, nothing to do", getLogPrefix());
            return false;
        }
        if (!(this.requestObject instanceof EncryptedJWT)) {
            this.log.debug("{} Request object not encrypted, nothing to do", getLogPrefix());
            return false;
        }
        EncryptionContext apply = this.encryptionContextLookupStrategy.apply(profileRequestContext);
        if (apply != null && (apply.getAttributeEncryptionParameters() instanceof OIDCDecryptionParameters)) {
            this.params = (OIDCDecryptionParameters) apply.getAttributeEncryptionParameters();
            return true;
        }
        this.log.error("{} Encrypted request object but no EncryptionContext/OIDCDecryptionParameters parameters available", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, "InvalidSecurityConfiguration");
        return false;
    }

    private JWT decryptRequestObject(@Nonnull EncryptedJWT encryptedJWT) {
        if (!encryptedJWT.getHeader().getAlgorithm().getName().equals(this.params.getKeyTransportEncryptionAlgorithm())) {
            this.log.error("{} Request object alg {} not matching expected {}", new Object[]{getLogPrefix(), encryptedJWT.getHeader().getAlgorithm().getName(), this.params.getKeyTransportEncryptionAlgorithm()});
            return null;
        }
        if (!encryptedJWT.getHeader().getEncryptionMethod().getName().equals(this.params.getDataEncryptionAlgorithm())) {
            this.log.error("{} Request object enc {} not matching expected {}", new Object[]{getLogPrefix(), encryptedJWT.getHeader().getEncryptionMethod().getName(), this.params.getDataEncryptionAlgorithm()});
            return null;
        }
        JWEAlgorithm algorithm = encryptedJWT.getHeader().getAlgorithm();
        Iterator<Credential> it = this.params.getKeyTransportDecryptionCredentials().iterator();
        while (it.hasNext()) {
            Credential next = it.next();
            RSADecrypter rSADecrypter = null;
            try {
                if (JWEAlgorithm.Family.RSA.contains(algorithm)) {
                    rSADecrypter = new RSADecrypter(next.getPrivateKey());
                }
                if (JWEAlgorithm.Family.ECDH_ES.contains(algorithm)) {
                    rSADecrypter = new ECDHDecrypter((ECPrivateKey) next.getPrivateKey());
                }
                if (JWEAlgorithm.Family.AES_GCM_KW.contains(algorithm) || JWEAlgorithm.Family.AES_KW.contains(algorithm)) {
                    rSADecrypter = new AESDecrypter(next.getSecretKey());
                }
                if (rSADecrypter == null) {
                    this.log.error("{} No decrypter for request object for encAlg {}", getLogPrefix(), encryptedJWT.getHeader().getEncryptionMethod().getName());
                    return null;
                }
                encryptedJWT.decrypt(rSADecrypter);
                return JWTParser.parse(encryptedJWT.getPayload().toString());
            } catch (JOSEException | ParseException e) {
                if (!it.hasNext()) {
                    this.log.error("{} Unable to decrypt request object with credential, {}", getLogPrefix(), e.getMessage());
                    return null;
                }
                this.log.debug("{} Unable to decrypt request object with credential, {}, picking next key", getLogPrefix(), e.getMessage());
            }
        }
        return null;
    }

    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        this.requestObject = decryptRequestObject((EncryptedJWT) this.requestObject);
        if (this.requestObject == null) {
            this.log.error("{} Unable to decrypt request object", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRequestObject");
        } else {
            getOidcResponseContext().setRequestObject(this.requestObject);
            this.log.debug("{} Request object decrypted as {}", getLogPrefix(), getOidcResponseContext().getRequestObject().serialize());
        }
    }

    @Override // org.geant.idpextension.oidc.profile.impl.AbstractOIDCAuthenticationResponseAction
    public /* bridge */ /* synthetic */ OIDCMetadataContext getMetadataContext() {
        return super.getMetadataContext();
    }

    @Override // org.geant.idpextension.oidc.profile.impl.AbstractOIDCAuthenticationResponseAction
    @Nonnull
    public /* bridge */ /* synthetic */ OIDCAuthenticationResponseContext getOidcResponseContext() {
        return super.getOidcResponseContext();
    }
}
