package net.shibboleth.oidc.security.impl;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.AESDecrypter;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.ECDHDecrypter;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import java.text.ParseException;
import java.util.Date;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.profile.core.OIDCAuthenticationRequest;
import net.shibboleth.oidc.security.credential.JWKCredential;
import net.shibboleth.oidc.security.impl.support.TestCredentialHelper;
import net.shibboleth.oidc.security.jose.EncryptionParameters;
import net.shibboleth.oidc.security.jose.context.SecurityParametersContext;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/EncryptJWTHandlerTest.class */
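public class EncryptJWTHandlerTest extends AbstractHandlerTest {

    /**
     * Shared secret used for the symmetric cases ({@code dir} and {@code A256KW}).
     *
     * <p>It is 32 ASCII characters, i.e. 256 bits, which is the content-key size {@code A256GCM} needs. How the
     * secret is turned into a key lives in {@link TestCredentialHelper} (not shown here), so keep the length in
     * mind before changing this value.
     */
    @Nonnull
    private static final String CLIENT_SECRET = "Xp2s5v8y/B?E(H+MbQeThWmYq3t6w9z$";

    /** Expected content-encryption method in every success case below. */
    @Nonnull
    private static final String CONTENT_ENC = "A256GCM";

    /** Handler under test. */
    private EncryptJWTHandler encrypter;

    /** Outbound request whose request object the handler is expected to replace with a JWE. */
    private OIDCAuthenticationRequest request;

    /**
     * Builds a fresh handler wired to read the request object from the outbound message and write the encrypted
     * result back to it, plus an outbound {@link OIDCAuthenticationRequest} carrying a plain (unsigned,
     * unencrypted) request object.
     */
    @Override // net.shibboleth.oidc.security.impl.AbstractHandlerTest
    @BeforeMethod
    public void setup() throws Exception {
        super.setup();
        this.encrypter = new EncryptJWTHandler();
        this.encrypter.setPayloadToEncryptLookupStrategy(messageContext -> {
            final OIDCAuthenticationRequest authnRequest = (OIDCAuthenticationRequest) messageContext.getMessage();
            final JWT requestObject = authnRequest.getRequestObject();
            // A signed request object is nested as-is (JWS inside JWE); a plain one is encrypted as a claims map.
            if (requestObject instanceof SignedJWT) {
                return new Payload(requestObject);
            }
            if (!(requestObject instanceof PlainJWT)) {
                return null;
            }
            try {
                return new Payload(requestObject.getJWTClaimsSet().getClaims());
            } catch (final ParseException e) {
                Assert.fail("Plain request object has unparseable claims", e);
                return null;
            }
        });
        this.encrypter.setJwtUpdateConsumer((jwt, messageContext) -> {
            ((OIDCAuthenticationRequest) messageContext.getMessage()).setRequestObject(jwt);
        });
        this.request = new OIDCAuthenticationRequest(new ClientID("test-client"));
        this.request.setRequestObject(new PlainJWT(new JWTClaimsSet.Builder()
                .issuer("https://rp.example.com")
                .audience("https://op.example.com")
                .issueTime(new Date())
                .build()));
        this.prc.getOutboundMessageContext().setMessage(this.request);
    }

    /**
     * Creates encryption parameters with the given key-management and content-encryption algorithm names.
     *
     * @param keyTransportAlg JWE {@code alg} value (e.g. "RSA-OAEP-256", "ECDH-ES", "dir", "A256KW")
     * @param contentEncAlg JWE {@code enc} value (e.g. "A256GCM")
     * @return the populated parameters, with no credentials set yet
     */
    @Nonnull
    private static EncryptionParameters newEncryptionParameters(@Nonnull final String keyTransportAlg,
            @Nonnull final String contentEncAlg) {
        final EncryptionParameters params = new EncryptionParameters();
        params.setKeyTransportEncryptionAlgorithm(keyTransportAlg);
        params.setDataEncryptionAlgorithm(contentEncAlg);
        return params;
    }

    /**
     * Wraps the parameters in a {@link SecurityParametersContext} and attaches it to the outbound message context,
     * which is where the handler looks for them.
     *
     * @param params parameters to install
     */
    private void installEncryptionParameters(@Nonnull final EncryptionParameters params) {
        final SecurityParametersContext spc = new SecurityParametersContext();
        spc.setEncryptionParameters(params);
        this.prc.getOutboundMessageContext().addSubcontext(spc);
    }

    /**
     * Initializes the handler and runs it against the outbound message context.
     *
     * @throws Exception on initialization failure or {@link MessageHandlerException} from the handler
     */
    private void initializeAndInvoke() throws Exception {
        this.encrypter.initialize();
        this.encrypter.invoke(this.prc.getOutboundMessageContext());
    }

    /**
     * Asserts the request object has been replaced with a JWE and returns it.
     *
     * @return the encrypted request object
     */
    @Nonnull
    private EncryptedJWT requireEncryptedRequestObject() {
        final JWT requestObject = this.request.getRequestObject();
        Assert.assertTrue(requestObject instanceof EncryptedJWT, "Request object was not encrypted");
        return (EncryptedJWT) requestObject;
    }

    /**
     * Checks a JWE that the caller has already decrypted: it must be in the DECRYPTED state, carry the content
     * encryption method that was configured, and still hold the issuer/audience claims from the original plain JWT.
     *
     * <p>Checking {@code enc} matters: a handler that silently fell back to a weaker content cipher would otherwise
     * still pass these tests.
     *
     * @param encryptedJWT the decrypted JWE
     * @param expectedEnc the {@code enc} the handler was configured with
     */
    private void assertStandardClaimsExist(@Nonnull final EncryptedJWT encryptedJWT,
            @Nonnull final EncryptionMethod expectedEnc) {
        Assert.assertEquals(encryptedJWT.getState(), JWEObject.State.DECRYPTED);
        Assert.assertEquals(encryptedJWT.getHeader().getEncryptionMethod(), expectedEnc);
        final ClaimsSet claimsSet = new ClaimsSet();
        claimsSet.putAll(encryptedJWT.getPayload().toJSONObject());
        Assert.assertEquals(claimsSet.getIssuer().getValue(), "https://rp.example.com");
        Assert.assertEquals(((Audience) claimsSet.getAudience().get(0)).getValue(), "https://op.example.com");
    }

    /** RSA-OAEP-256 key transport with a freshly generated 2048-bit key; decrypts with the matching private key. */
    @Test
    public void testEncryptRSA_Success() throws Exception {
        final RSAKey rsaKey = new RSAKeyGenerator(2048)
                .algorithm(JWEAlgorithm.RSA_OAEP_256)
                .keyUse(KeyUse.ENCRYPTION)
                .keyID("mock-key-rsa")
                .generate();
        final EncryptionParameters params = newEncryptionParameters("RSA-OAEP-256", CONTENT_ENC);
        params.setKeyTransportEncryptionCredential(TestCredentialHelper.createKeyEncryptionCredential(rsaKey));
        installEncryptionParameters(params);

        initializeAndInvoke();

        final EncryptedJWT encryptedJWT = requireEncryptedRequestObject();
        Assert.assertTrue(JWEAlgorithm.Family.RSA.contains(encryptedJWT.getHeader().getAlgorithm()));
        Assert.assertTrue(JWEAlgorithm.Family.ASYMMETRIC.contains(encryptedJWT.getHeader().getAlgorithm()));
        encryptedJWT.decrypt(new RSADecrypter(rsaKey.toPrivateKey()));
        assertStandardClaimsExist(encryptedJWT, EncryptionMethod.A256GCM);
    }

    /**
     * ECDH-ES key agreement on P-256. The key's own {@code alg}/{@code kid} metadata is labelled as an EC
     * key-agreement key so the JWK is self-consistent with the algorithm being exercised.
     */
    @Test
    public void testEncryptEC_Success() throws Exception {
        final ECKey ecKey = new ECKeyGenerator(Curve.P_256)
                .algorithm(JWEAlgorithm.ECDH_ES)
                .keyUse(KeyUse.ENCRYPTION)
                .keyID("mock-key-ec")
                .generate();
        final EncryptionParameters params = newEncryptionParameters("ECDH-ES", CONTENT_ENC);
        params.setKeyTransportEncryptionCredential(TestCredentialHelper.createKeyAgreementCredential(ecKey));
        installEncryptionParameters(params);

        initializeAndInvoke();

        final EncryptedJWT encryptedJWT = requireEncryptedRequestObject();
        Assert.assertTrue(JWEAlgorithm.Family.ECDH_ES.contains(encryptedJWT.getHeader().getAlgorithm()));
        Assert.assertTrue(JWEAlgorithm.Family.ASYMMETRIC.contains(encryptedJWT.getHeader().getAlgorithm()));
        encryptedJWT.decrypt(new ECDHDecrypter(ecKey));
        assertStandardClaimsExist(encryptedJWT, EncryptionMethod.A256GCM);
    }

    /**
     * Direct encryption ({@code alg=dir}) with a content key derived from the client secret. Note the credential
     * is supplied as the <em>data</em> encryption credential; there is no key-transport step.
     */
    @Test
    public void testEncryptDirect_Success() throws Exception {
        final JWKCredential directCredential =
                TestCredentialHelper.createDirectEncryptionCredentialFromSharedSecret(CLIENT_SECRET);
        final EncryptionParameters params = newEncryptionParameters("dir", CONTENT_ENC);
        params.setDataEncryptionCredential(directCredential);
        installEncryptionParameters(params);

        initializeAndInvoke();

        final EncryptedJWT encryptedJWT = requireEncryptedRequestObject();
        Assert.assertEquals(encryptedJWT.getHeader().getAlgorithm(), JWEAlgorithm.DIR);
        encryptedJWT.decrypt(new DirectDecrypter(directCredential.getSecretKey()));
        assertStandardClaimsExist(encryptedJWT, EncryptionMethod.A256GCM);
    }

    /** AES key wrap ({@code A256KW}) using a key-wrapping key derived from the client secret. */
    @Test
    public void testKeyWrap_Success() throws Exception {
        final JWKCredential wrapCredential = TestCredentialHelper.createClientSecretCredential(CLIENT_SECRET)
                .toEncryptionCredential(JWEAlgorithm.A256KW, EncryptionMethod.A256GCM);
        final EncryptionParameters params = newEncryptionParameters("A256KW", CONTENT_ENC);
        params.setKeyTransportEncryptionCredential(wrapCredential);
        installEncryptionParameters(params);

        initializeAndInvoke();

        final EncryptedJWT encryptedJWT = requireEncryptedRequestObject();
        Assert.assertEquals(encryptedJWT.getHeader().getAlgorithm(), JWEAlgorithm.A256KW);
        encryptedJWT.decrypt(new AESDecrypter(wrapCredential.getSecretKey()));
        assertStandardClaimsExist(encryptedJWT, EncryptionMethod.A256GCM);
    }

    /**
     * A symmetric (direct) credential paired with an asymmetric key-transport algorithm must be refused rather than
     * silently reinterpreted: the handler has no RSA key to transport the content key with.
     */
    @Test(expectedExceptions = {MessageHandlerException.class})
    public void testEncryptDirect_Fail_WrongAlgorithmForCredential() throws Exception {
        final EncryptionParameters params = newEncryptionParameters("RSA-OAEP-256", CONTENT_ENC);
        params.setDataEncryptionCredential(
                TestCredentialHelper.createDirectEncryptionCredentialFromSharedSecret(CLIENT_SECRET));
        installEncryptionParameters(params);

        initializeAndInvoke();
    }

    /**
     * With no {@link SecurityParametersContext} at all the handler is a no-op: the request object is left as the
     * original plain JWT. Deployments that require encryption must therefore ensure the context is populated
     * upstream; this handler does not fail closed on a missing configuration.
     */
    @Test
    public void testFail_NoEncryptionContext() throws Exception {
        initializeAndInvoke();
        Assert.assertTrue(this.request.getRequestObject() instanceof PlainJWT);
    }

    /** Same no-op behaviour when the context exists but carries no encryption parameters. */
    @Test
    public void testFail_NoEncryptionParams() throws Exception {
        this.prc.getOutboundMessageContext().addSubcontext(new SecurityParametersContext());
        initializeAndInvoke();
        Assert.assertTrue(this.request.getRequestObject() instanceof PlainJWT);
    }

    /**
     * Contradictory parameters — a direct (symmetric) data-encryption credential <em>and</em> an EC key-agreement
     * credential, under an RSA key-transport algorithm that matches neither — must be rejected. The exception is
     * raised by {@code invoke}, so no assertion after it would ever run; none is made.
     */
    @Test(expectedExceptions = {MessageHandlerException.class})
    public void testFail_IncorrectParamState() throws Exception {
        final ECKey ecKey = new ECKeyGenerator(Curve.P_256)
                .algorithm(JWEAlgorithm.ECDH_ES)
                .keyUse(KeyUse.ENCRYPTION)
                .keyID("mock-key-ec")
                .generate();
        final EncryptionParameters params = newEncryptionParameters("RSA-OAEP-256", CONTENT_ENC);
        params.setDataEncryptionCredential(
                TestCredentialHelper.createDirectEncryptionCredentialFromSharedSecret(CLIENT_SECRET));
        params.setKeyTransportEncryptionCredential(TestCredentialHelper.createKeyAgreementCredential(ecKey));
        installEncryptionParameters(params);

        initializeAndInvoke();
    }

    /** An unknown {@code alg} name must fail rather than fall back to some default algorithm. */
    @Test(expectedExceptions = {MessageHandlerException.class})
    public void testEncryptWithUnsupportedAlgorithm() throws Exception {
        final RSAKey rsaKey = new RSAKeyGenerator(2048)
                .algorithm(JWEAlgorithm.RSA_OAEP_256)
                .keyUse(KeyUse.ENCRYPTION)
                .keyID("mock-key")
                .generate();
        final EncryptionParameters params = newEncryptionParameters("NotSupported", "A128GCM");
        params.setKeyTransportEncryptionCredential(TestCredentialHelper.createKeyEncryptionCredential(rsaKey));
        installEncryptionParameters(params);

        initializeAndInvoke();
    }
}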
