package net.shibboleth.idp.plugin.authn.oidc.rp.impl;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import java.security.PrivateKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.JWTSignatureSigningParameters;
import net.shibboleth.oidc.security.criterion.ProviderMetadataCriterion;
import net.shibboleth.oidc.security.criterion.StaticCredentialCriterion;
import net.shibboleth.oidc.security.impl.BasicJWTSignatureSigningParametersResolver;
import net.shibboleth.oidc.security.impl.CredentialConversionUtil;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.FunctionSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.security.credential.Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/impl/RelyingPartyProxySigningParametersResolver.class */
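/**
 * JWT signing parameters resolver for the OIDC relying-party (proxy) flow.
 *
 * <p>Behaves like {@link BasicJWTSignatureSigningParametersResolver} with two additions:</p>
 * <ul>
 *   <li>A credential carried in a {@link StaticCredentialCriterion} is tried before the
 *       credentials the base class resolves from the criteria.</li>
 *   <li>The signature algorithms taken from local configuration are intersected with the
 *       algorithms the upstream OpenID Provider advertises in its metadata, when a
 *       {@link ProviderMetadataCriterion} is present and the configured lookup strategy can
 *       extract a list from it.</li>
 * </ul>
 *
 * <p>Security note: the provider metadata can only <em>narrow</em> the locally configured
 * algorithm list; it can never add an algorithm the deployer has not enabled. When no metadata
 * is available (or the lookup strategy returns {@code null}) the configured list is used as-is,
 * so a missing or unreadable provider configuration does not weaken the local policy, it merely
 * skips the provider-side filter.</p>
 *
 * <p>A credential is only paired with an algorithm whose key type it actually supports; for EC
 * keys the curve must match the {@code ES*} algorithm so that, for example, a P-384 key is never
 * selected for ES256.</p>
 */
public class RelyingPartyProxySigningParametersResolver extends BasicJWTSignatureSigningParametersResolver {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(RelyingPartyProxySigningParametersResolver.class);

    /**
     * Strategy that extracts the provider's supported signing algorithm names from its metadata.
     * A {@code null} result disables provider-side filtering; the default always returns {@code null}.
     */
    @Nonnull
    private Function<OIDCProviderMetadata, List<String>> providerMetadataAlgorithmLookupStrategy =
            FunctionSupport.constant(null);

    /**
     * Sets the strategy used to read the provider's supported signing algorithms from its metadata.
     *
     * @param function the lookup strategy, must not be {@code null}
     */
    public void setProviderMetadataAlgorithmLookupStrategy(
            @Nonnull final Function<OIDCProviderMetadata, List<String>> function) {
        providerMetadataAlgorithmLookupStrategy =
                Constraint.isNotNull(function, "ProviderMetadataAlgorithmLookupStrategy can not be null");
    }

    /**
     * Selects the signing credential and algorithm and stores them on the parameters.
     *
     * <p>Candidate credentials are, in order, the credential from a {@link StaticCredentialCriterion}
     * (if present) followed by the base class's effective signing credentials. Candidate algorithms are
     * the base class's effective algorithms, filtered by {@code predicate} (presumably the base class's
     * include/exclude filter; not visible here) and then by the provider's advertised algorithms.</p>
     *
     * <p>Algorithms are walked in the outer loop and credentials in the inner loop, so algorithm
     * preference order takes precedence over credential order: the first (algorithm, credential) pair
     * whose key type and curve are compatible wins. If no pair is compatible the parameters are left
     * untouched.</p>
     *
     * @param jWTSignatureSigningParameters parameters to populate
     * @param criteriaSet resolution criteria
     * @param predicate algorithm filter passed through to the base class
     */
    @Override
    protected void resolveAndPopulateCredentialAndSignatureAlgorithm(
            @Nonnull final JWTSignatureSigningParameters jWTSignatureSigningParameters,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> predicate) {

        final List<Credential> candidateCredentials = new ArrayList<>();
        if (criteriaSet.contains(StaticCredentialCriterion.class)) {
            final Credential staticCredential =
                    criteriaSet.get(StaticCredentialCriterion.class).getCredential();
            // Key names only; never log key material.
            log.trace("Signing credential found in criterion '{}'", staticCredential.getKeyNames());
            candidateCredentials.add(staticCredential);
        }
        candidateCredentials.addAll(getEffectiveSigningCredentials(criteriaSet));

        final List<String> effectiveSignatureAlgorithms = getEffectiveSignatureAlgorithms(criteriaSet, predicate);
        log.debug("Resolved effectice signature algorithms from config: '{}'", effectiveSignatureAlgorithms);

        // Intersect the local list with what the provider supports, then map to Nimbus algorithms.
        final List<JWSAlgorithm> candidateAlgorithms = convertSupportAlgorithmsToJwkAlgorithms(
                filterForProviderSupportedAlgorithms(criteriaSet, effectiveSignatureAlgorithms));
        log.trace("Resolved effective signature algorithms: {}", candidateAlgorithms);

        for (final JWSAlgorithm algorithm : candidateAlgorithms) {
            for (final Credential credential : candidateCredentials) {
                if (log.isTraceEnabled()) {
                    log.trace("Evaluating signing credential '{}'", CredentialConversionUtil.resolveKid(credential));
                }
                final JWSAlgorithm supported = credentialSupportsSigningAlgorithm(credential, algorithm);
                if (supported != null) {
                    log.trace("Credential supports algorithm '{}'", supported);
                    jWTSignatureSigningParameters.setSigningCredential(credential);
                    jWTSignatureSigningParameters.setSignatureAlgorithm(supported.getName());
                    return;
                }
                log.trace("Credential failed eval against Signing Algorithm");
            }
        }
    }

    /**
     * Parses algorithm names into Nimbus {@link JWSAlgorithm} instances.
     *
     * <p>{@link JWSAlgorithm#parse(String)} does not reject unknown names; such values simply match no
     * algorithm family in {@link #credentialSupportsSigningAlgorithm} and are therefore never selected.</p>
     *
     * @param list algorithm names
     * @return parsed algorithms, in the same order
     */
    @Nonnull
    private List<JWSAlgorithm> convertSupportAlgorithmsToJwkAlgorithms(@Nonnull final List<String> list) {
        return list.stream().map(JWSAlgorithm::parse).collect(Collectors.toList());
    }

    /**
     * Checks whether a credential holds key material usable with the given algorithm.
     *
     * <ul>
     *   <li>HMAC algorithms require a secret key.</li>
     *   <li>RSA-family algorithms (RS*/PS*) require an {@link RSAPrivateKey}.</li>
     *   <li>EC algorithms require an {@link ECPrivateKey} whose curve matches the algorithm
     *       (see {@link #curveMatchesESAlgorithm}).</li>
     * </ul>
     *
     * @param credential the credential to test
     * @param jWSAlgorithm the candidate algorithm
     * @return {@code jWSAlgorithm} if the credential can sign with it, otherwise {@code null}
     */
    @Nullable
    private JWSAlgorithm credentialSupportsSigningAlgorithm(@Nonnull final Credential credential,
            @Nonnull final JWSAlgorithm jWSAlgorithm) {
        if (JWSAlgorithm.Family.HMAC_SHA.contains(jWSAlgorithm)) {
            return credential.getSecretKey() != null ? jWSAlgorithm : null;
        }

        final PrivateKey privateKey = credential.getPrivateKey();
        if (JWSAlgorithm.Family.RSA.contains(jWSAlgorithm)) {
            return privateKey instanceof RSAPrivateKey ? jWSAlgorithm : null;
        }
        if (JWSAlgorithm.Family.EC.contains(jWSAlgorithm) && privateKey instanceof ECPrivateKey) {
            // Curve.forECParameterSpec(...) may yield null for a curve Nimbus does not recognise;
            // curveMatchesESAlgorithm treats that as a mismatch instead of failing.
            final Curve curve = Curve.forECParameterSpec(((ECKey) privateKey).getParams());
            return curveMatchesESAlgorithm(curve, jWSAlgorithm) ? jWSAlgorithm : null;
        }
        return null;
    }

    /**
     * Checks that an EC key's curve is the one mandated for the {@code ES*} algorithm
     * (ES256/P-256, ES384/P-384, ES512/P-521). Any other EC algorithm, and an unrecognised
     * ({@code null}) curve, is rejected rather than allowing a key/algorithm mismatch.
     *
     * @param curve the key's curve, possibly {@code null} if it could not be identified
     * @param jWSAlgorithm the candidate algorithm
     * @return {@code true} only for one of the three mapped pairs
     */
    private boolean curveMatchesESAlgorithm(@Nullable final Curve curve, @Nonnull final JWSAlgorithm jWSAlgorithm) {
        if (curve == null) {
            return false;
        }
        if (JWSAlgorithm.ES256.equals(jWSAlgorithm)) {
            return Curve.P_256.equals(curve);
        }
        if (JWSAlgorithm.ES384.equals(jWSAlgorithm)) {
            return Curve.P_384.equals(curve);
        }
        if (JWSAlgorithm.ES512.equals(jWSAlgorithm)) {
            return Curve.P_521.equals(curve);
        }
        return false;
    }

    /**
     * Narrows the locally configured algorithm list to those the provider advertises.
     *
     * <p>If no {@link ProviderMetadataCriterion} is present, or the lookup strategy returns
     * {@code null}, a copy of {@code list} is returned unchanged. Otherwise only the configured
     * entries also present in the provider's list survive; the provider list never contributes
     * entries of its own.</p>
     *
     * @param criteriaSet resolution criteria
     * @param list locally configured algorithm names
     * @return the (possibly) filtered list, never {@code null}
     */
    @Nonnull
    private List<String> filterForProviderSupportedAlgorithms(@Nonnull final CriteriaSet criteriaSet,
            @Nonnull final List<String> list) {
        if (!criteriaSet.contains(ProviderMetadataCriterion.class)) {
            log.debug("No provider metadata criterion, unable to filter for provider supported algorithms");
            return List.copyOf(list);
        }

        final OIDCProviderMetadata metadata = criteriaSet.get(ProviderMetadataCriterion.class).getMetadata();
        final List<String> providerSupported = providerMetadataAlgorithmLookupStrategy.apply(metadata);
        log.trace("Provider metadata supports the following signature algorithms '{}'", providerSupported);
        if (providerSupported == null) {
            log.trace("Lookup strategy could not determine provider supported algorithms from metadata, no further filtering performed");
            return List.copyOf(list);
        }

        return list.stream().filter(providerSupported::contains).collect(Collectors.toList());
    }
}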
