package net.shibboleth.idp.plugin.authn.oidc.rp.messaging.impl;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.ECPrivateKey;
import java.util.function.BiConsumer;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.JWTSignatureSigningParameters;
import net.shibboleth.oidc.security.context.JWTSecurityParametersContext;
import net.shibboleth.oidc.security.credential.JWKCredential;
import net.shibboleth.oidc.security.impl.CredentialConversionUtil;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.handler.AbstractMessageHandler;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.security.credential.Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/messaging/impl/SignJWTHandler.class */
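/**
 * Message handler that signs a JWT claims set (in this plugin, typically an OIDC request object)
 * with the signing credential carried in the message context.
 *
 * <p>The claims to sign are located via {@link #setClaimsToSignLookupStrategy(Function)}, the
 * signing parameters via {@link #setSecurityParametersLookupStrategy(Function)}, and the resulting
 * {@link SignedJWT} is handed to the {@link #setJwtUpdateConsumer(BiConsumer)} callback. When no
 * signing parameters, no credential or no claims set are found the handler is a no-op; a
 * credential that is present but unusable (no algorithm, wrong key type, unsupported algorithm)
 * fails the handler with a {@link MessageHandlerException} rather than sending an unsigned JWT.</p>
 *
 * <p>NOTE(review): per-invocation state (signing parameters, credential, claims set) is stored in
 * instance fields between {@link #doPreInvoke(MessageContext)} and {@link #doInvoke(MessageContext)},
 * so one instance must not be invoked concurrently; this presumes the handler is wired as a
 * request-scoped/prototype bean — confirm against the flow configuration.</p>
 */
public class SignJWTHandler extends AbstractMessageHandler {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(SignJWTHandler.class);

    /** Callback that receives the signed JWT together with the message context. */
    @NonnullAfterInit
    private BiConsumer<JWT, MessageContext> jwtUpdateConsumer;

    /** Strategy used to locate the claims set to sign. */
    @NonnullAfterInit
    private Function<MessageContext, JWTClaimsSet> claimsToSignLookupStrategy;

    /** Strategy used to locate the JWT security parameters; defaults to a direct child-context lookup. */
    @Nonnull
    private Function<MessageContext, JWTSecurityParametersContext> securityParametersLookupStrategy =
            new ChildContextLookup<>(JWTSecurityParametersContext.class);

    /** Optional value for the JOSE {@code typ} header; omitted from the header when null. */
    @NotEmpty
    @Nullable
    private String typeHeader;

    /** Friendly name of the JWT, used only in log messages. */
    @Nonnull
    private String logName = "not-specified";

    /** Signing parameters resolved by {@link #doPreInvoke(MessageContext)} for the current invocation. */
    @Nullable
    private JWTSignatureSigningParameters signatureSigningParameters;

    /** Signing credential resolved by {@link #doPreInvoke(MessageContext)} for the current invocation. */
    @Nullable
    private Credential credential;

    /** Claims set resolved by {@link #doPreInvoke(MessageContext)} for the current invocation. */
    @Nullable
    private JWTClaimsSet jwtClaimSetToSign;

    /**
     * Set the friendly name used in log messages for the JWT being signed.
     *
     * @param name non-empty name
     */
    public void setLogName(@Nonnull @NotEmpty final String name) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        logName = Constraint.isNotEmpty(name, "Log name can not be null or empty");
    }

    /**
     * Set the strategy used to locate the claims set to sign.
     *
     * @param strategy lookup strategy, never null
     */
    public void setClaimsToSignLookupStrategy(@Nonnull final Function<MessageContext, JWTClaimsSet> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        claimsToSignLookupStrategy = Constraint.isNotNull(strategy, "claimsToSignLookupStrategy can not be null");
    }

    /**
     * Set the callback that receives the signed JWT.
     *
     * @param consumer callback, never null
     */
    public void setJwtUpdateConsumer(@Nonnull final BiConsumer<JWT, MessageContext> consumer) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        jwtUpdateConsumer = Constraint.isNotNull(consumer, "JwtUpdateConsumer can not be null");
    }

    /**
     * Set the value of the JOSE {@code typ} header; blank input clears it.
     *
     * @param type header value, or null to omit the header
     */
    public void setTypeHeader(@Nullable @NotEmpty final String type) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        typeHeader = StringSupport.trimOrNull(type);
    }

    /**
     * Set the strategy used to locate the {@link JWTSecurityParametersContext}.
     *
     * @param strategy lookup strategy, never null
     */
    public void setSecurityParametersLookupStrategy(
            @Nonnull final Function<MessageContext, JWTSecurityParametersContext> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        securityParametersLookupStrategy =
                Constraint.isNotNull(strategy, "SecurityParameterContext lookup strategy cannot be null");
    }

    /** {@inheritDoc} */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        if (claimsToSignLookupStrategy == null) {
            throw new ComponentInitializationException("claimsToSignLookupStrategy can not be null");
        }
        if (jwtUpdateConsumer == null) {
            throw new ComponentInitializationException("jwtUpdateConsumer can not be null");
        }
        super.doInitialize();
    }

    /**
     * Resolve the signing parameters, credential and claims set for this invocation.
     *
     * @param messageContext the message context
     * @return false (with a debug log) when there is nothing to sign with or nothing to sign
     * @throws MessageHandlerException if a signing credential is configured but no signature
     *      algorithm accompanies it
     */
    @Override
    protected boolean doPreInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
        if (!super.doPreInvoke(messageContext)) {
            return false;
        }

        final JWTSecurityParametersContext parametersContext = securityParametersLookupStrategy.apply(messageContext);
        if (parametersContext == null) {
            log.debug("{} Message context did not contain signing parameters, request object will not be signed",
                    getLogPrefix());
            return false;
        }

        signatureSigningParameters = parametersContext.getSignatureSigningParameters();
        if (signatureSigningParameters == null || signatureSigningParameters.getSigningCredential() == null) {
            log.debug("{} No signature signing credentials available", getLogPrefix());
            return false;
        }

        // A credential without an algorithm is a misconfiguration, not "nothing to do": fail
        // closed here with a handler exception instead of letting the JWSAlgorithm constructor
        // throw an unchecked exception later (and never fall through to an unsigned JWT).
        if (StringSupport.trimOrNull(signatureSigningParameters.getSignatureAlgorithm()) == null) {
            log.error("{} Signing credential is present but no signature algorithm is configured", getLogPrefix());
            throw new MessageHandlerException("Signing credential present but no signature algorithm configured");
        }

        jwtClaimSetToSign = claimsToSignLookupStrategy.apply(messageContext);
        if (jwtClaimSetToSign == null) {
            log.debug("{} No JWT ClaimsSet, nothing to sign", getLogPrefix());
            return false;
        }

        credential = signatureSigningParameters.getSigningCredential();
        return true;
    }

    /**
     * Build the JWS header, sign the claims set and hand the result to the update consumer.
     *
     * @param messageContext the message context
     * @throws MessageHandlerException on any signing failure, including an unsupported algorithm
     *      or a credential lacking the key type the algorithm requires
     */
    @Override
    protected void doInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
        try {
            final JWSAlgorithm algorithm = resolveAlgorithm();
            // getSigner() rejects anything outside the EC/RSA/HMAC families, so an "alg" of
            // "none" or an unrecognised name never reaches the header.
            final JWSSigner signer = getSigner(algorithm);

            final JWSHeader.Builder headerBuilder = new JWSHeader.Builder(algorithm)
                    .keyID(CredentialConversionUtil.resolveKid(credential));
            if (typeHeader != null) {
                headerBuilder.type(new JOSEObjectType(typeHeader));
            }

            final SignedJWT signedJWT = new SignedJWT(headerBuilder.build(), jwtClaimSetToSign);
            signedJWT.sign(signer);

            // sign() either moves the object to SIGNED or throws; this guards against a signer
            // that returns without doing either. It must run before serialize(), which refuses to
            // operate on an unsigned object.
            if (signedJWT.getState() != JWSObject.State.SIGNED) {
                log.error("{} JWT '{}' was not signed", getLogPrefix(), logName);
                throw new MessageHandlerException("JWT was not signed, unknown cause");
            }

            if (log.isTraceEnabled()) {
                // The compact serialization is the token itself and its claims may include
                // personal data, so it is only ever emitted at TRACE.
                log.trace("{} Signed JWT '{}': {}", getLogPrefix(), logName, signedJWT.serialize());
            } else if (log.isDebugEnabled()) {
                log.debug("{} Signed JWT '{}'", getLogPrefix(), logName);
            }

            jwtUpdateConsumer.accept(signedJWT, messageContext);
        } catch (final JOSEException e) {
            log.error("{} Error signing claim set: {}", getLogPrefix(), e.getMessage());
            throw new MessageHandlerException("Error signing claims set", e);
        }
    }

    /**
     * Build a signer for the given algorithm from the credential's key material.
     *
     * @param algorithm the JWS algorithm to sign with
     * @return a signer backed by the credential's private key (EC, RSA) or secret key (HMAC)
     * @throws JOSEException if the algorithm is outside the supported families, or the credential
     *      does not carry a key of the type the algorithm needs
     */
    @Nonnull
    private JWSSigner getSigner(@Nonnull final Algorithm algorithm) throws JOSEException {
        if (JWSAlgorithm.Family.EC.contains(algorithm)) {
            // Explicit type check rather than a bare cast: a credential with no private key, or
            // a non-EC one, would otherwise surface as a ClassCastException/NPE instead of the
            // JOSEException the caller handles.
            if (!(credential.getPrivateKey() instanceof ECPrivateKey)) {
                throw new JOSEException("Algorithm " + algorithm.getName() + " requires an EC private key");
            }
            return new ECDSASigner((ECPrivateKey) credential.getPrivateKey());
        }
        if (JWSAlgorithm.Family.RSA.contains(algorithm)) {
            if (credential.getPrivateKey() == null) {
                throw new JOSEException("Algorithm " + algorithm.getName() + " requires an RSA private key");
            }
            return new RSASSASigner(credential.getPrivateKey());
        }
        if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)) {
            if (credential.getSecretKey() == null) {
                throw new JOSEException("Algorithm " + algorithm.getName() + " requires a secret key");
            }
            return new MACSigner(credential.getSecretKey());
        }
        throw new JOSEException("Unsupported algorithm " + algorithm.getName());
    }

    /**
     * Resolve the JWS algorithm from the signing parameters.
     *
     * <p>The configured algorithm always wins; if the credential is a {@link JWKCredential} whose
     * own algorithm differs, the mismatch is only logged at debug level.</p>
     *
     * @return the algorithm to sign with
     */
    @Nonnull
    protected JWSAlgorithm resolveAlgorithm() {
        final JWSAlgorithm algorithm = new JWSAlgorithm(signatureSigningParameters.getSignatureAlgorithm());
        if (credential instanceof JWKCredential
                && !algorithm.equals(((JWKCredential) credential).getAlgorithm())) {
            log.debug("{} Signature signing algorithm {} differs from JWK algorithm {}", getLogPrefix(),
                    algorithm.getName(), ((JWKCredential) credential).getAlgorithm());
        }
        log.debug("{} Algorithm resolved {}", getLogPrefix(), algorithm.getName());
        return algorithm;
    }
}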
