package net.shibboleth.oidc.security.credential;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.util.StandardCharset;
import java.nio.charset.StandardCharsets;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.ThreadSafe;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.annotation.constraint.NotLive;
import net.shibboleth.shared.logic.Constraint;
import org.opensaml.security.credential.UsageType;

@ThreadSafe
/* loaded from: input_file:net/shibboleth/oidc/security/credential/DefaultClientSecretCredential.class */
public class DefaultClientSecretCredential implements ClientSecretCredential {

    @Nonnull
    private static final String DEFAULT_SECRET_KEY_NAME = "client_secret_credential";

    @Nonnull
    private final byte[] clientSecret;

    @Nonnull
    @NotEmpty
    private final String secretKeyName;
    static final /* synthetic */ boolean $assertionsDisabled;

    public DefaultClientSecretCredential(@Nonnull String str) {
        this(str, DEFAULT_SECRET_KEY_NAME);
    }

    public DefaultClientSecretCredential(@Nonnull String str, @Nonnull String str2) {
        Constraint.isNotEmpty(str, "Secret can not be null or empty");
        byte[] bytes = str.getBytes(StandardCharset.UTF_8);
        if (!$assertionsDisabled && bytes == null) {
            throw new AssertionError();
        }
        this.clientSecret = bytes;
        this.secretKeyName = Constraint.isNotEmpty(str2, "Secret keyname can not be null or empty");
    }

    @Override // net.shibboleth.oidc.security.credential.ClientSecretCredential
    @Nonnull
    public String getSecret() {
        return new String(this.clientSecret, StandardCharsets.UTF_8);
    }

    @Override // net.shibboleth.oidc.security.credential.ClientSecretCredential
    @Nonnull
    @NotLive
    public byte[] getSecretAsBytes() {
        return (byte[]) this.clientSecret.clone();
    }

    @Override // net.shibboleth.oidc.security.credential.ClientSecretCredential
    @Nonnull
    public JWKCredential toSigningCredential() {
        BasicExpiringJWKCredential basicExpiringJWKCredential = new BasicExpiringJWKCredential();
        basicExpiringJWKCredential.getKeyNames().add(this.secretKeyName);
        basicExpiringJWKCredential.setKid(this.secretKeyName);
        basicExpiringJWKCredential.setSecretKey(new SecretKeySpec(getSecretAsBytes(), "NONE"));
        basicExpiringJWKCredential.setUsageType(UsageType.SIGNING);
        return basicExpiringJWKCredential;
    }

    @Override // net.shibboleth.oidc.security.credential.ClientSecretCredential
    @Nonnull
    public JWKCredential toEncryptionCredential(@Nonnull JWEAlgorithm jWEAlgorithm, @Nonnull EncryptionMethod encryptionMethod) throws JOSEException {
        SecretKey generateSymmetricKey = JWKCredentialSupport.generateSymmetricKey(this.clientSecret, jWEAlgorithm, encryptionMethod);
        BasicExpiringJWKCredential basicExpiringJWKCredential = new BasicExpiringJWKCredential();
        basicExpiringJWKCredential.getKeyNames().add(this.secretKeyName);
        basicExpiringJWKCredential.setKid(this.secretKeyName);
        basicExpiringJWKCredential.setAlgorithm(jWEAlgorithm);
        basicExpiringJWKCredential.setUsageType(UsageType.ENCRYPTION);
        basicExpiringJWKCredential.setSecretKey(generateSymmetricKey);
        return basicExpiringJWKCredential;
    }

    static {
        $assertionsDisabled = !DefaultClientSecretCredential.class.desiredAssertionStatus();
    }
}
