package org.geant.idpextension.oidc.security.impl;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.AsymmetricJWK;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.spec.SecretKeySpec;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.geant.idpextension.oidc.criterion.ClientInformationCriterion;
import org.geant.security.jwk.BasicJWKCredential;
import org.geant.security.jwk.JWKCredential;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion;
import org.opensaml.xmlsec.impl.BasicSignatureSigningParametersResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/geant/idpextension/oidc/security/impl/OIDCClientInformationSignatureValidationParametersResolver.class */
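/**
 * Resolves the credential and algorithm used to validate the signature of a JWT presented by an OIDC client:
 * either a signed request object or the client authentication JWT sent to the token endpoint.
 *
 * <p>The candidate algorithms are the effective algorithms of the signing configuration (after the
 * whitelist/blacklist predicate). If the client registered an algorithm for the selected purpose it must be one
 * of those candidates, and it then becomes the only candidate. For HMAC candidates the client secret is turned
 * into a symmetric credential; for RSA/EC candidates every matching, non-encryption key of the client's JWK set
 * becomes a credential. When nothing client-specific can be resolved, resolution falls back to the
 * generic signing configuration of the superclass.</p>
 */
public class OIDCClientInformationSignatureValidationParametersResolver extends BasicSignatureSigningParametersResolver {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(OIDCClientInformationSignatureValidationParametersResolver.class);

    /** Selects which registered client algorithm is honoured; defaults to request object validation. */
    @Nonnull
    private ParameterType target = ParameterType.REQUEST_OBJECT_VALIDATION;

    /** The kinds of client-issued JWT this resolver can produce validation parameters for. */
    public enum ParameterType {
        /** Validation of a signed request object; uses the client's registered request object JWS algorithm. */
        REQUEST_OBJECT_VALIDATION,
        /** Validation of the token endpoint client authentication JWT; uses the registered token endpoint auth JWS algorithm. */
        TOKEN_ENDPOINT_JWT_VALIDATION
    }

    /**
     * Sets the validation purpose, i.e. which registered client algorithm this resolver honours.
     *
     * @param parameterType the validation purpose, must not be null
     */
    public void setParameterType(@Nonnull final ParameterType parameterType) {
        target = Constraint.isNotNull(parameterType, "ParameterType cannot be null");
    }

    /**
     * Resolves a single set of signature validation parameters.
     *
     * @param criteriaSet criteria; must contain a {@link SignatureSigningConfigurationCriterion}
     * @return the resolved parameters, or null when no credential or algorithm could be resolved
     * @throws ResolverException if resolution fails
     */
    @Override
    @Nullable
    public SignatureSigningParameters resolveSingle(@Nonnull final CriteriaSet criteriaSet) throws ResolverException {
        Constraint.isNotNull(criteriaSet, "CriteriaSet was null");
        Constraint.isNotNull(criteriaSet.get(SignatureSigningConfigurationCriterion.class),
                "Resolver requires an instance of SignatureSigningConfigurationCriterion");

        final Predicate<String> whitelistBlacklistPredicate = getWhitelistBlacklistPredicate(criteriaSet);
        final OIDCSignatureValidationParameters params = new OIDCSignatureValidationParameters();
        resolveAndPopulateCredentialAndSignatureAlgorithm(params, criteriaSet, whitelistBlacklistPredicate);
        if (!validate(params)) {
            return null;
        }
        if (params.getValidationCredentials().isEmpty()) {
            // Only the client-information paths add validation credentials, so an empty list means the signing
            // credential came from the superclass fallback: expose its public key as the single validation credential.
            final JWKCredential credential = new BasicJWKCredential();
            credential.setAlgorithm(JWSAlgorithm.parse(params.getSignatureAlgorithm()));
            credential.setPublicKey(params.getSigningCredential().getPublicKey());
            params.getValidationCredentials().add(credential);
        }
        logResult(params);
        return params;
    }

    /**
     * Populates the signing credential, algorithm and (when supported) validation credentials from the client
     * information found in the criteria, falling back to the superclass when that is not possible.
     *
     * @param params the parameters to populate
     * @param criteriaSet the criteria
     * @param whitelistBlacklistPredicate predicate used to compute the effective signature algorithms
     */
    @Override
    protected void resolveAndPopulateCredentialAndSignatureAlgorithm(@Nonnull final SignatureSigningParameters params,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> whitelistBlacklistPredicate) {
        log.debug("Resolving SignatureSigningParameters, purpose {}", target == ParameterType.REQUEST_OBJECT_VALIDATION
                ? "request object signature validation" : "token endpoint jwt signature validation");

        final OIDCClientInformation clientInformation = lookupClientInformation(criteriaSet);
        if (clientInformation == null) {
            super.resolveAndPopulateCredentialAndSignatureAlgorithm(params, criteriaSet, whitelistBlacklistPredicate);
            return;
        }

        final List<String> effectiveAlgorithms = getEffectiveSignatureAlgorithms(criteriaSet, whitelistBlacklistPredicate);
        log.trace("Resolved effective signature algorithms: {}", effectiveAlgorithms);

        final JWSAlgorithm registeredAlgorithm = target == ParameterType.REQUEST_OBJECT_VALIDATION
                ? clientInformation.getOIDCMetadata().getRequestObjectJWSAlg()
                : clientInformation.getOIDCMetadata().getTokenEndpointAuthJWSAlg();
        if (registeredAlgorithm != null && !effectiveAlgorithms.contains(registeredAlgorithm.getName())) {
            // A client-registered algorithm outside the effective set is never honoured.
            log.warn("Client requests algorithm {} that is not available", registeredAlgorithm.getName());
            super.resolveAndPopulateCredentialAndSignatureAlgorithm(params, criteriaSet, whitelistBlacklistPredicate);
            return;
        }

        // A registered algorithm pins the candidates to exactly that one; otherwise every effective algorithm qualifies.
        final List<JWSAlgorithm> candidates = registeredAlgorithm == null
                ? convertToJWSAlgorithmList(effectiveAlgorithms) : Arrays.asList(registeredAlgorithm);

        resolveHmacCredentials(params, clientInformation, candidates);
        resolveAsymmetricCredentials(params, clientInformation.getOIDCMetadata().getJWKSet(), candidates);

        if (params.getSigningCredential() == null) {
            log.debug("Not able to resolve signature validation credential based on provided client information");
            // NOTE(review): the fallback credential comes from the generic signing configuration and is therefore
            // not client-specific; confirm that callers do not rely on it to bind the JWT to this client.
            super.resolveAndPopulateCredentialAndSignatureAlgorithm(params, criteriaSet, whitelistBlacklistPredicate);
        }
    }

    /**
     * Extracts the OIDC client information from the criteria.
     *
     * @param criteriaSet the criteria
     * @return the client information, or null when the criterion or its content is absent
     */
    @Nullable
    private OIDCClientInformation lookupClientInformation(@Nonnull final CriteriaSet criteriaSet) {
        if (!criteriaSet.contains(ClientInformationCriterion.class)) {
            log.debug("No client criterion, nothing to do");
            return null;
        }
        final OIDCClientInformation clientInformation =
                criteriaSet.get(ClientInformationCriterion.class).getOidcClientInformation();
        if (clientInformation == null) {
            log.debug("No client information, nothing to do");
        }
        return clientInformation;
    }

    /**
     * Builds a symmetric credential from the client secret for every HMAC candidate algorithm. Each credential
     * replaces the current signing credential on {@code params} and is recorded as a validation credential.
     * Stops at the first HMAC candidate when the client has no secret.
     *
     * @param params the parameters to populate
     * @param clientInformation the client information supplying the secret
     * @param candidates the candidate algorithms
     */
    private void resolveHmacCredentials(@Nonnull final SignatureSigningParameters params,
            @Nonnull final OIDCClientInformation clientInformation, @Nonnull final List<JWSAlgorithm> candidates) {
        for (final JWSAlgorithm algorithm : candidates) {
            if (!JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)) {
                continue;
            }
            if (clientInformation.getSecret() == null) {
                log.debug("No client secret to use as a key");
                return;
            }
            final JWKCredential credential = new BasicJWKCredential();
            // "NONE" is the JCA algorithm name the secret is registered under; the JWS algorithm is set separately.
            credential.setSecretKey(new SecretKeySpec(clientInformation.getSecret().getValueBytes(), "NONE"));
            credential.setAlgorithm(algorithm);
            log.trace("HS Credential initialized from client secret for algorithm {}", algorithm.getName());
            applyCredential(params, credential, algorithm);
        }
    }

    /**
     * Builds an asymmetric credential for every key of the client's JWK set that matches a candidate algorithm.
     * Keys marked for encryption use are skipped, as are keys whose public key cannot be parsed.
     *
     * @param params the parameters to populate
     * @param jwkSet the client's JWK set, may be null
     * @param candidates the candidate algorithms
     */
    private void resolveAsymmetricCredentials(@Nonnull final SignatureSigningParameters params,
            @Nullable final JWKSet jwkSet, @Nonnull final List<JWSAlgorithm> candidates) {
        if (jwkSet == null) {
            log.debug("No keyset available");
            return;
        }
        for (final JWK jwk : jwkSet.getKeys()) {
            // Keys published for encryption are never used to verify signatures.
            if (KeyUse.ENCRYPTION.equals(jwk.getKeyUse())) {
                continue;
            }
            for (final JWSAlgorithm algorithm : candidates) {
                if (!keyMatchesAlgorithm(jwk, algorithm)) {
                    continue;
                }
                final JWKCredential credential = new BasicJWKCredential();
                credential.setAlgorithm(algorithm);
                credential.setKid(jwk.getKeyID());
                try {
                    // keyMatchesAlgorithm only accepts RSAKey/ECKey, both of which are AsymmetricJWK.
                    credential.setPublicKey(((AsymmetricJWK) jwk).toPublicKey());
                } catch (final JOSEException e) {
                    // A malformed key is skipped rather than failing the whole resolution; keep the cause for diagnosis.
                    log.warn("Unable to parse key {} from keyset", jwk.getKeyID(), e);
                    continue;
                }
                log.debug("Selected key {} for alg {}", jwk.getKeyID(), algorithm.getName());
                applyCredential(params, credential, algorithm);
            }
        }
    }

    /**
     * Installs {@code credential} as the current signing credential and algorithm, and records it as a validation
     * credential when {@code params} supports a list of them.
     *
     * @param params the parameters to populate
     * @param credential the resolved credential
     * @param algorithm the algorithm the credential was resolved for
     */
    private static void applyCredential(@Nonnull final SignatureSigningParameters params,
            @Nonnull final JWKCredential credential, @Nonnull final JWSAlgorithm algorithm) {
        params.setSigningCredential(credential);
        params.setSignatureAlgorithm(algorithm.getName());
        if (params instanceof OIDCSignatureValidationParameters) {
            ((OIDCSignatureValidationParameters) params).getValidationCredentials().add(credential);
        }
    }

    /**
     * Checks whether a JWK can verify signatures made with the given algorithm: an RSA key for the RSA family, an
     * EC key on the matching curve for the EC family.
     *
     * @param jwk the key
     * @param algorithm the candidate algorithm
     * @return true if the key type (and curve, for EC) fits the algorithm
     */
    private static boolean keyMatchesAlgorithm(@Nonnull final JWK jwk, @Nonnull final JWSAlgorithm algorithm) {
        if (JWSAlgorithm.Family.RSA.contains(algorithm)) {
            return jwk instanceof RSAKey;
        }
        if (JWSAlgorithm.Family.EC.contains(algorithm)) {
            return jwk instanceof ECKey && curveMatchesESAlgorithm(((ECKey) jwk).getCurve(), algorithm);
        }
        return false;
    }

    /**
     * Checks whether an EC curve is the one mandated by an ES algorithm (P-256/ES256, P-384/ES384, P-521/ES512).
     *
     * @param curve the key's curve
     * @param algorithm the ES algorithm
     * @return true only for the exact curve/algorithm pairing
     */
    private static boolean curveMatchesESAlgorithm(@Nonnull final Curve curve, @Nonnull final JWSAlgorithm algorithm) {
        if (JWSAlgorithm.ES256.equals(algorithm)) {
            return Curve.P_256.equals(curve);
        }
        if (JWSAlgorithm.ES384.equals(algorithm)) {
            return Curve.P_384.equals(curve);
        }
        if (JWSAlgorithm.ES512.equals(algorithm)) {
            return Curve.P_521.equals(curve);
        }
        return false;
    }

    /**
     * Parses algorithm names into {@link JWSAlgorithm} instances.
     *
     * @param names the algorithm names, may be null
     * @return a mutable list of parsed algorithms, empty for null input
     */
    @Nonnull
    private static List<JWSAlgorithm> convertToJWSAlgorithmList(@Nullable final List<String> names) {
        final List<JWSAlgorithm> algorithms = new ArrayList<>();
        if (names != null) {
            for (final String name : names) {
                algorithms.add(JWSAlgorithm.parse(name));
            }
        }
        return algorithms;
    }

    /**
     * Checks that both a signing credential and a signature algorithm were resolved.
     *
     * @param params the parameters to validate
     * @return true if both are present
     */
    @Override
    protected boolean validate(@Nonnull final SignatureSigningParameters params) {
        if (params.getSigningCredential() == null) {
            log.debug("Validation failure: Unable to resolve signature validation credential");
            return false;
        }
        if (params.getSignatureAlgorithm() == null) {
            log.debug("Validation failure: Unable to resolve signature validation algorithm URI");
            return false;
        }
        return true;
    }
}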
