package net.shibboleth.oidc.security.impl;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.interfaces.ECPrivateKey;
import java.text.ParseException;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import net.shibboleth.oidc.security.credential.BasicJWKCredential;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.testng.Assert;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/JWTSignatureValidationUtilTest.class */
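/**
 * Unit tests for {@link JWTSignatureValidationUtil#validateSignature}.
 *
 * <p>Three credential types are exercised: an RSA key pair (RS256), an EC key pair (ES256) and a
 * shared secret (HS256). Each credential is generated once in {@link #init()} and reused across the
 * tests. Positive cases sign a JWT with the credential's own key and expect {@code null} (no
 * event); negative cases sign with a freshly generated key of the <em>same</em> algorithm and
 * expect the supplied event id back. Note that mismatched-algorithm inputs (for example an HS256
 * token presented against RSA validation parameters) are not exercised by this class.
 */
public class JWTSignatureValidationUtilTest {

    /** Event id the utility is expected to return when a signature does not verify. */
    final String invalidJwtEventId = "invalid_jwt";

    /** RS256 credential holding a generated 2048-bit RSA key pair. */
    BasicJWKCredential rsaCredential;

    /** ES256 credential holding a generated P-256 EC key pair. */
    BasicJWKCredential ecCredential;

    /** HS256 credential holding a random 256-bit shared secret. */
    BasicJWKCredential sharedCredential;

    /**
     * Generates the test credentials once per class.
     *
     * @throws NoSuchAlgorithmException if the JCA provider lacks RSA or EC key generation
     */
    @BeforeClass
    public void init() throws NoSuchAlgorithmException {
        this.rsaCredential = createKeyPairCredential("RSA", "RS256", "mockRSAKey", 2048);
        this.ecCredential = createKeyPairCredential("EC", "ES256", "mockECKey", 256);
        this.sharedCredential = createSharedSecretCredential("HS256", "mockSharedSecret");
    }

    /** A missing security parameters context is a configuration error, not a signature failure. */
    @Test
    public void validateSignature_shouldReturnInvalidSecCfgWhenNoSecCtx() {
        // Casts select the (SecurityParametersContext, SignedJWT, String) overload.
        String event = JWTSignatureValidationUtil.validateSignature(
                (SecurityParametersContext) null, (SignedJWT) null, this.invalidJwtEventId);
        Assert.assertEquals(event, "InvalidSecurityConfiguration");
    }

    /**
     * Appears identical to {@link #validateSignature_shouldReturnInvalidSecCfgWhenNoSecCtx()} in this
     * source; the method is retained so the suite's test names stay stable.
     */
    @Test
    public void validateSignature_shouldReturnInvalidSecCfgWhenNoSecCtxObject() {
        String event = JWTSignatureValidationUtil.validateSignature(
                (SecurityParametersContext) null, (SignedJWT) null, this.invalidJwtEventId);
        Assert.assertEquals(event, "InvalidSecurityConfiguration");
    }

    /** A context without signing parameters is rejected as a configuration error. */
    @Test
    public void validateSignature_shouldReturnInvalidSecCfgWhenNoSigningParameters() {
        String event = JWTSignatureValidationUtil.validateSignature(
                new SecurityParametersContext(), (SignedJWT) null, this.invalidJwtEventId);
        Assert.assertEquals(event, "InvalidSecurityConfiguration");
    }

    /**
     * Signing parameters of the wrong type (plain {@link SignatureSigningParameters} rather than
     * {@link OIDCSignatureValidationParameters}) are rejected as a configuration error.
     */
    @Test
    public void validateSignature_shouldReturnInvalidSecCfgWhenWrongSigningParameters() {
        SecurityParametersContext ctx = new SecurityParametersContext();
        ctx.setSignatureSigningParameters(new SignatureSigningParameters());
        String event = JWTSignatureValidationUtil.validateSignature(
                ctx, (SignedJWT) null, this.invalidJwtEventId);
        Assert.assertEquals(event, "InvalidSecurityConfiguration");
    }

    @Test
    public void validateSignature_shouldReturnNullWhenValidRSASignature()
            throws JOSEException, ParseException, NoSuchAlgorithmException {
        SecurityParametersContext ctx = initSecurityParamsContext("RS256", this.rsaCredential);
        SignedJWT jwt = signRSA(this.rsaCredential.getPrivateKey());
        Assert.assertNull(JWTSignatureValidationUtil.validateSignature(ctx, jwt, this.invalidJwtEventId));
    }

    /** A token signed by a different RSA key of the same size must not verify. */
    @Test
    public void validateSignature_shouldReturnEventIdWhenInvalidRSASignature()
            throws NoSuchAlgorithmException, JOSEException, ParseException {
        SecurityParametersContext ctx = initSecurityParamsContext("RS256", this.rsaCredential);
        PrivateKey otherKey = createKeyPairCredential("RSA", "RS256", "mockRSAKey2", 2048).getPrivateKey();
        String event = JWTSignatureValidationUtil.validateSignature(ctx, signRSA(otherKey), this.invalidJwtEventId);
        Assert.assertEquals(event, this.invalidJwtEventId);
    }

    @Test
    public void validateSignature_shouldReturnNullWhenValidECSignature()
            throws JOSEException, ParseException, NoSuchAlgorithmException {
        SecurityParametersContext ctx = initSecurityParamsContext("ES256", this.ecCredential);
        SignedJWT jwt = signEC((ECPrivateKey) this.ecCredential.getPrivateKey());
        Assert.assertNull(JWTSignatureValidationUtil.validateSignature(ctx, jwt, this.invalidJwtEventId));
    }

    /** A token signed by a different EC key on the same curve must not verify. */
    @Test
    public void validateSignature_shouldReturnEventIdWhenInvalidECSignature()
            throws JOSEException, ParseException, NoSuchAlgorithmException {
        SecurityParametersContext ctx = initSecurityParamsContext("ES256", this.ecCredential);
        ECPrivateKey otherKey =
                (ECPrivateKey) createKeyPairCredential("EC", "ES256", "mockECKey2", 256).getPrivateKey();
        String event = JWTSignatureValidationUtil.validateSignature(ctx, signEC(otherKey), this.invalidJwtEventId);
        Assert.assertEquals(event, this.invalidJwtEventId);
    }

    @Test
    public void validateSignature_shouldReturnNullWhenValidMACSignature() throws JOSEException, ParseException {
        SecurityParametersContext ctx = initSecurityParamsContext("HS256", this.sharedCredential);
        SignedJWT jwt = signMAC(this.sharedCredential.getSecretKey());
        Assert.assertNull(JWTSignatureValidationUtil.validateSignature(ctx, jwt, this.invalidJwtEventId));
    }

    /** A token MACed with a different random secret must not verify. */
    @Test
    public void validateSignature_shouldReturnEventIdWhenInvalidMACSignature() throws JOSEException, ParseException {
        SecurityParametersContext ctx = initSecurityParamsContext("HS256", this.sharedCredential);
        String event = JWTSignatureValidationUtil.validateSignature(
                ctx, signMAC(generateSecretKey()), this.invalidJwtEventId);
        Assert.assertEquals(event, this.invalidJwtEventId);
    }

    /** Same positive MAC case via the credential-list overload (no context involved). */
    @Test
    public void validateSignature_credentialOnly_shouldReturnNullWhenValidMACSignature()
            throws JOSEException, ParseException {
        SignedJWT jwt = signMAC(this.sharedCredential.getSecretKey());
        Assert.assertNull(JWTSignatureValidationUtil.validateSignature(
                List.of(this.sharedCredential), jwt, this.invalidJwtEventId));
    }

    /** Same negative MAC case via the credential-list overload. */
    @Test
    public void validateSignature_credentialOnly_shouldReturnEventIdWhenInvalidMACSignature()
            throws JOSEException, ParseException {
        String event = JWTSignatureValidationUtil.validateSignature(
                List.of(this.sharedCredential), signMAC(generateSecretKey()), this.invalidJwtEventId);
        Assert.assertEquals(event, this.invalidJwtEventId);
    }

    /**
     * Produces an RS256-signed JWT with a fixed dummy payload and key id.
     *
     * @param privateKey RSA private key to sign with
     * @return the signed token, round-tripped through its compact serialization
     * @throws JOSEException if signing fails
     * @throws ParseException if the serialized token cannot be re-parsed
     */
    protected SignedJWT signRSA(PrivateKey privateKey) throws JOSEException, ParseException {
        RSASSASigner signer = new RSASSASigner(privateKey);
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("mockId").build();
        JWSObject jws = new JWSObject(header, new Payload("RSA payload"));
        jws.sign(signer);
        // Re-parse so the test exercises the same SignedJWT path as a token received over the wire.
        return SignedJWT.parse(jws.serialize());
    }

    /**
     * Produces an ES256-signed JWT with a fixed dummy payload and key id.
     *
     * @param ecPrivateKey P-256 private key to sign with
     * @return the signed token, round-tripped through its compact serialization
     * @throws JOSEException if signing fails
     * @throws ParseException if the serialized token cannot be re-parsed
     */
    protected SignedJWT signEC(ECPrivateKey ecPrivateKey) throws JOSEException, ParseException {
        ECDSASigner signer = new ECDSASigner(ecPrivateKey);
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.ES256).keyID("mockId").build();
        // Payload text is irrelevant to signature validation; the original label is kept as-is.
        JWSObject jws = new JWSObject(header, new Payload("RSA payload"));
        jws.sign(signer);
        return SignedJWT.parse(jws.serialize());
    }

    /**
     * Generates a fresh key pair and wraps it in a credential.
     *
     * @param keyAlgorithm JCA key-pair algorithm name, e.g. {@code "RSA"} or {@code "EC"}
     * @param jwsAlgorithm JWS algorithm name the credential advertises, e.g. {@code "RS256"}
     * @param kid key id to set on the credential
     * @param keySize key size passed to {@link KeyPairGenerator#initialize(int)} (bits for RSA,
     *        curve size for EC)
     * @return credential carrying both halves of the generated pair
     * @throws NoSuchAlgorithmException if {@code keyAlgorithm} is not available
     */
    protected BasicJWKCredential createKeyPairCredential(String keyAlgorithm, String jwsAlgorithm,
            String kid, int keySize) throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(keyAlgorithm);
        generator.initialize(keySize);
        KeyPair pair = generator.generateKeyPair();

        BasicJWKCredential credential = new BasicJWKCredential();
        credential.setAlgorithm(JWSAlgorithm.parse(jwsAlgorithm));
        credential.setPublicKey(pair.getPublic());
        credential.setPrivateKey(pair.getPrivate());
        credential.setKid(kid);
        return credential;
    }

    /**
     * Creates a credential backed by a freshly generated random secret.
     *
     * @param jwsAlgorithm JWS algorithm name the credential advertises, e.g. {@code "HS256"}
     * @param kid key id to set on the credential
     * @return credential carrying the secret
     */
    protected BasicJWKCredential createSharedSecretCredential(String jwsAlgorithm, String kid) {
        BasicJWKCredential credential = new BasicJWKCredential();
        credential.setAlgorithm(JWSAlgorithm.parse(jwsAlgorithm));
        credential.setSecretKey(generateSecretKey());
        credential.setKid(kid);
        return credential;
    }

    /**
     * Generates a random 256-bit secret.
     *
     * <p>32 bytes is the minimum key length Nimbus accepts for HS256. The {@code "AES"} algorithm
     * label on the spec is only a tag; {@link #signMAC(SecretKey)} uses the raw encoded bytes.
     *
     * @return a new random secret
     */
    protected SecretKey generateSecretKey() {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        return new SecretKeySpec(secret, "AES");
    }

    /**
     * Produces an HS256-signed JWT with a fixed dummy payload (no key id in the header).
     *
     * @param secretKey secret whose encoded bytes are used as the MAC key
     * @return the signed token, round-tripped through its compact serialization
     * @throws JOSEException if signing fails
     * @throws ParseException if the serialized token cannot be re-parsed
     */
    protected SignedJWT signMAC(SecretKey secretKey) throws JOSEException, ParseException {
        MACSigner signer = new MACSigner(secretKey.getEncoded());
        JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.HS256), new Payload("MAC payload"));
        jws.sign(signer);
        return SignedJWT.parse(jws.serialize());
    }

    /**
     * Builds a security parameters context whose signing parameters are
     * {@link OIDCSignatureValidationParameters} pinned to one algorithm and the given credentials.
     *
     * @param signatureAlgorithm JWS algorithm name the validation parameters require
     * @param credentials credentials to register as validation credentials, in order
     * @return the populated context
     */
    protected SecurityParametersContext initSecurityParamsContext(String signatureAlgorithm,
            BasicJWKCredential... credentials) {
        OIDCSignatureValidationParameters params = new OIDCSignatureValidationParameters();
        for (BasicJWKCredential credential : credentials) {
            params.getValidationCredentials().add(credential);
        }
        params.setSignatureAlgorithm(signatureAlgorithm);

        SecurityParametersContext ctx = new SecurityParametersContext();
        ctx.setSignatureSigningParameters(params);
        return ctx;
    }
}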
