package net.shibboleth.idp.plugin.authn.oidc.rp.messaging.impl;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.profile.core.OAuthAuthorizationRequest;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.codec.Base64Support;
import net.shibboleth.shared.codec.EncodingException;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/messaging/impl/AddPCKECodeVerifierAndChallenge.class */
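public class AddPCKECodeVerifierAndChallenge extends AbstractOIDCAuthenticationRequestActionMessageHandler {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AddPCKECodeVerifierAndChallenge.class);

    /** Shared CSPRNG for verifier generation; {@link SecureRandom} is thread-safe, so one instance suffices. */
    @Nonnull
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Number of random bytes used for the verifier added to each request. */
    private static final int VERIFIER_BYTES = 32;

    /** Smallest accepted verifier size in bytes (32 bytes encodes to the RFC 7636 minimum of 43 characters). */
    private static final int MIN_VERIFIER_BYTES = 32;

    /** Largest accepted verifier size in bytes (96 bytes encodes to the RFC 7636 maximum of 128 characters). */
    private static final int MAX_VERIFIER_BYTES = 96;

    /** Number of trailing characters of the verifier/challenge that may appear in trace logs. */
    private static final int LOGGED_TAIL_LENGTH = 3;

    /**
     * Adds a PKCE {@code code_verifier} and the derived {@code code_challenge} to the outbound
     * authorization request when the profile configuration forces PKCE; otherwise leaves the request untouched.
     *
     * @param messageContext the current message context
     * @throws MessageHandlerException if the verifier cannot be generated or the challenge cannot be computed
     */
    @Override
    protected void doInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
        if (!getProfileConfiguration().isForcePKCE(lookupProfileRequestContext(messageContext))) {
            log.trace("{} PKCE not enabled", getLogPrefix());
            return;
        }
        log.trace("{} PKCE enabled, adding code_challenge to request", getLogPrefix());

        // NOTE(review): a setting that merely *allows* the plain method is used here to *select* it.
        // RFC 7636 section 4.2 prefers S256 whenever the client can compute it, which this code always can;
        // confirm the intended semantics of isAllowPKCEPlain before relying on plain challenges.
        final OAuthAuthorizationRequest.CodeChallengeMethod method =
                getProfileConfiguration().isAllowPKCEPlain(lookupProfileRequestContext(messageContext))
                        ? OAuthAuthorizationRequest.CodeChallengeMethod.PLAIN
                        : OAuthAuthorizationRequest.CodeChallengeMethod.S256;

        final String verifier = generateCodeVerifier(VERIFIER_BYTES);
        final String challenge = computeCodeChallenge(verifier, method);

        if (log.isTraceEnabled()) {
            // Only a short tail is logged so the secret verifier never reaches the log in full.
            // Each value is truncated by its own length (the original sliced the verifier by the
            // challenge's length, which is wrong whenever the two differ).
            log.trace("{} Created code verifier '...{}'", getLogPrefix(), tail(verifier));
            log.trace("{} Derived code challenge '...{}'", getLogPrefix(), tail(challenge));
        }

        getAuthenticationRequest().setCodeVerifier(verifier);
        getAuthenticationRequest().setCodeChallenge(challenge);
        getAuthenticationRequest().setCodeChallengeMethod(method);
    }

    /**
     * Returns the last {@link #LOGGED_TAIL_LENGTH} characters of a value, or the whole value if it is shorter.
     *
     * @param value the value to abbreviate
     * @return the trailing characters suitable for a trace log entry
     */
    @Nonnull
    private static String tail(@Nonnull final String value) {
        if (value.length() <= LOGGED_TAIL_LENGTH) {
            return value;
        }
        return value.substring(value.length() - LOGGED_TAIL_LENGTH);
    }

    /**
     * Generates a PKCE {@code code_verifier} from {@code numBytes} bytes of secure randomness, encoded as
     * URL-safe Base64.
     *
     * @param numBytes number of random bytes; must lie in [{@link #MIN_VERIFIER_BYTES}, {@link #MAX_VERIFIER_BYTES}]
     *                 so the encoded verifier stays within the 43..128 character range of RFC 7636 section 4.1
     * @return the encoded verifier
     * @throws MessageHandlerException if {@code numBytes} is out of range or the bytes cannot be encoded
     */
    @Nonnull
    private static String generateCodeVerifier(final int numBytes) throws MessageHandlerException {
        if (numBytes < MIN_VERIFIER_BYTES || numBytes > MAX_VERIFIER_BYTES) {
            throw new MessageHandlerException("PKCE code_verifier must be between " + MIN_VERIFIER_BYTES
                    + " and " + MAX_VERIFIER_BYTES + " bytes long");
        }
        final byte[] raw = new byte[numBytes];
        RANDOM.nextBytes(raw);
        try {
            // NOTE(review): assumes encodeURLSafe emits no '=' padding — TODO confirm; padded output would
            // contain a character outside the unreserved set RFC 7636 requires for code_verifier.
            return Base64Support.encodeURLSafe(raw);
        } catch (final EncodingException e) {
            throw new MessageHandlerException("Unable to encode code_verifier", e);
        }
    }

    /**
     * Derives the {@code code_challenge} for a verifier.
     *
     * <p>For {@code PLAIN} the verifier itself is returned; any other method is treated as {@code S256},
     * i.e. {@code BASE64URL(SHA256(ASCII(code_verifier)))} per RFC 7636 section 4.2.</p>
     *
     * @param verifier the code verifier
     * @param method the challenge method to apply
     * @return the encoded challenge
     * @throws MessageHandlerException if SHA-256 is unavailable or the digest cannot be encoded
     */
    @Nonnull
    @NotEmpty
    private static String computeCodeChallenge(@Nonnull @NotEmpty final String verifier,
            @Nonnull final OAuthAuthorizationRequest.CodeChallengeMethod method) throws MessageHandlerException {
        if (method == OAuthAuthorizationRequest.CodeChallengeMethod.PLAIN) {
            return verifier;
        }
        try {
            // The charset is explicit so the digest never depends on the platform default; the verifier is
            // Base64URL text, so ASCII is lossless here.
            final byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(verifier.getBytes(StandardCharsets.US_ASCII));
            assert digest != null;
            return Base64Support.encodeURLSafe(digest);
        } catch (final NoSuchAlgorithmException | EncodingException e) {
            throw new MessageHandlerException("Unable to compute code_challenge", e);
        }
    }
}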
