package net.shibboleth.oidc.security.credential.impl;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;
import net.shibboleth.oidc.security.credential.BasicJWKCredential;
import net.shibboleth.oidc.security.credential.JOSEObjectCredentialResolver;
import net.shibboleth.oidc.security.jose.criterion.JOSEObjectCriterion;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.Criterion;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/oidc/security/credential/impl/LocalJOSEObjectCredentialResolverTest.class */
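/**
 * Tests for {@link LocalJOSEObjectCredentialResolver}: given an encrypted JWT, which local
 * decryption credential (if any) is returned for the {@code kid} and {@code jwk} values carried in
 * its JWE header.
 *
 * <p>Both header parameters are chosen by whoever produced the token, so the cases below pin the
 * expected outcome for each combination: the local private key is returned when the header is
 * silent or agrees with the local credential, and nothing is returned when the header names a
 * different key ID or embeds a different public key. How the resolver performs the comparison is
 * not visible from this test class.
 */
public class LocalJOSEObjectCredentialResolverTest {
    // Test-only HMAC secret for the inner HS256-signed JWT; 32 ASCII characters, i.e. 256 bits.
    // It is a fixture value and must never be reused as a real client secret.
    private static final String CLIENT_SECRET = "Xp2s5v8y/B?E(H+MbQeThWmYq3t6w9z$";

    // Key ID shared by the generated local RSA key and the mock credential built from it.
    private static final String LOCAL_KEY_ID = "mock-key";

    private LocalJOSEObjectCredentialResolver resolver;
    private RSAKey localRSAKey;

    /**
     * Credential source that always offers exactly one RSA-OAEP-256 credential, built from the RSA
     * key handed to the constructor and named {@code mock-key}.
     */
    private static class MockRSACriteriaFilteringCredentialResolver extends AbstractCriteriaFilteringCredentialResolver implements JOSEObjectCredentialResolver {
        private final RSAKey key;

        public MockRSACriteriaFilteringCredentialResolver(RSAKey rSAKey) {
            this.key = rSAKey;
        }

        /**
         * Builds the single mock credential; the criteria set is not consulted here.
         *
         * @param criteriaSet criteria supplied by the caller (unused by this method)
         * @return a one-element list holding the mock credential
         * @throws ResolverException declared by the overridden method; not thrown by this body
         */
        @Override
        protected Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws ResolverException {
            BasicJWKCredential credential = new BasicJWKCredential();
            credential.setAlgorithm(JWEAlgorithm.RSA_OAEP_256);
            credential.getKeyNames().add(LOCAL_KEY_ID);
            credential.setKid(LOCAL_KEY_ID);
            try {
                credential.setPrivateKey(this.key.toPrivateKey());
                credential.setPublicKey(this.key.toPublicKey());
            } catch (JOSEException e) {
                // Keep the cause so a broken fixture is diagnosable instead of a bare failure.
                Assert.fail("Could not extract RSA key material for the mock credential", e);
            }
            return List.of(credential);
        }
    }

    /** Generates a fresh 2048-bit RSA encryption key per test and wraps it in the resolver under test. */
    @BeforeMethod
    public void setup() throws Exception {
        this.localRSAKey = new RSAKeyGenerator(2048)
                .algorithm(JWEAlgorithm.RSA_OAEP_256)
                .keyUse(KeyUse.ENCRYPTION)
                .keyID(LOCAL_KEY_ID)
                .generate();
        this.resolver = new LocalJOSEObjectCredentialResolver(new MockRSACriteriaFilteringCredentialResolver(this.localRSAKey));
    }

    /** Builds the inner JWT: the fixture claims, signed with HS256 using the test-only secret. */
    private SignedJWT createdSignedJWT() throws KeyLengthException, JOSEException {
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256)
                .type(JOSEObjectType.JWT)
                .keyID(LOCAL_KEY_ID)
                .build();
        SignedJWT signedJWT = new SignedJWT(header, createClaims());
        signedJWT.sign(new MACSigner(CLIENT_SECRET));
        return signedJWT;
    }

    /** Fixture claims for the inner JWT; the token expires 120 seconds after creation. */
    private JWTClaimsSet createClaims() {
        return new JWTClaimsSet.Builder()
                .issuer("https://localhost:9918")
                .audience(List.of("test-client"))
                .subject("jdoe")
                .claim("nonce", "abadnonce")
                .claim("azp", "test-client")
                .claim("name", "jdoe")
                .expirationTime(Date.from(Instant.now().plusSeconds(120L)))
                .build();
    }

    /** Starts a JWE header with the algorithm, encryption method and content type every test uses. */
    private static JWEHeader.Builder baseHeader() {
        return new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM).contentType("JWT");
    }

    /**
     * Encrypts the signed fixture JWT under {@code header} to {@code encryptionKey}, then
     * serializes and re-parses it so the resolver sees the token as it would arrive on the wire.
     */
    private EncryptedJWT encryptAndParse(JWEHeader header, RSAKey encryptionKey) throws Exception {
        JWEObject jwe = new JWEObject(header, new Payload(createdSignedJWT()));
        jwe.encrypt(new RSAEncrypter(encryptionKey));
        return EncryptedJWT.parse(jwe.serialize());
    }

    /** Wraps the parsed token in the criteria set handed to the resolver. */
    private static CriteriaSet criteriaFor(EncryptedJWT jwt) {
        Criterion criterion = new JOSEObjectCriterion(jwt);
        return new CriteriaSet(criterion);
    }

    /** Collects every credential the resolver yields for the token into a typed list. */
    private List<Credential> resolveAll(EncryptedJWT jwt) throws ResolverException {
        Iterable<Credential> resolved = this.resolver.resolve(criteriaFor(jwt));
        return StreamSupport.stream(resolved.spliterator(), false).collect(Collectors.toList());
    }

    /** Asserts that exactly one credential came back, that it has a private key and is named {@code mock-key}. */
    private static void assertOnlyLocalCredential(List<Credential> credentials) {
        Assert.assertNotNull(credentials);
        Assert.assertEquals(credentials.size(), 1);
        Credential only = credentials.get(0);
        Assert.assertNotNull(only.getPrivateKey());
        Assert.assertTrue(only.getKeyNames().contains(LOCAL_KEY_ID));
    }

    /** Header embeds the local public JWK: the local credential is expected back. */
    @Test
    public void testSuccessful_PublicKeyInJOSEHeaderMatchesLocal() throws Exception {
        JWEHeader header = baseHeader().jwk(this.localRSAKey.toPublicJWK()).build();
        EncryptedJWT jwt = encryptAndParse(header, this.localRSAKey);

        Credential credential = this.resolver.resolveSingle(criteriaFor(jwt));

        Assert.assertNotNull(credential);
        Assert.assertNotNull(credential.getPrivateKey());
        Assert.assertTrue(credential.getKeyNames().contains(LOCAL_KEY_ID));
    }

    /**
     * Header names and embeds a freshly generated, unrelated key ({@code enc-key}) and the token is
     * encrypted to it: the local private key must not be offered.
     */
    @Test
    public void testUnsuccessful_PublicKeyInJOSEHeaderDoesNotMatchLocal() throws Exception {
        RSAKey foreignKey = new RSAKeyGenerator(2048)
                .algorithm(JWEAlgorithm.RSA_OAEP_256)
                .keyUse(KeyUse.ENCRYPTION)
                .keyID("enc-key")
                .generate();
        JWEHeader header = baseHeader().keyID("enc-key").jwk(foreignKey.toPublicJWK()).build();
        EncryptedJWT jwt = encryptAndParse(header, foreignKey);

        Assert.assertNull(this.resolver.resolveSingle(criteriaFor(jwt)));
    }

    /** Header carries only the local key ID: exactly the local credential is expected. */
    @Test
    public void testSuccessful_KeyIDInJOSEHeader() throws Exception {
        JWEHeader header = baseHeader().keyID(LOCAL_KEY_ID).build();
        EncryptedJWT jwt = encryptAndParse(header, this.localRSAKey);

        assertOnlyLocalCredential(resolveAll(jwt));
    }

    /** Header carries neither {@code kid} nor {@code jwk}: the local credential is still expected. */
    @Test
    public void testSuccessful_NoKeyIDInJOSEHeader() throws Exception {
        JWEHeader header = baseHeader().build();
        EncryptedJWT jwt = encryptAndParse(header, this.localRSAKey);

        assertOnlyLocalCredential(resolveAll(jwt));
    }

    /**
     * Header key ID differs from the local credential's, although the token is encrypted to the
     * local key: no credential is expected.
     */
    @Test
    public void testUnSuccessful_KeyIDInJOSEHeaderDifferentThanLocalCred() throws Exception {
        JWEHeader header = baseHeader().keyID("different-than-local-cred").build();
        EncryptedJWT jwt = encryptAndParse(header, this.localRSAKey);

        Assert.assertNull(this.resolver.resolveSingle(criteriaFor(jwt)));
    }

    /** Header carries the local key ID and the local public JWK: exactly the local credential is expected. */
    @Test
    public void testSuccessful_KeyIDInJOSEHeader_And_JWK() throws Exception {
        JWEHeader header = baseHeader().keyID(LOCAL_KEY_ID).jwk(this.localRSAKey.toPublicJWK()).build();
        EncryptedJWT jwt = encryptAndParse(header, this.localRSAKey);

        assertOnlyLocalCredential(resolveAll(jwt));
    }

    /**
     * Header key ID disagrees with the key ID of the embedded (local) public JWK: no credentials
     * are expected.
     */
    @Test
    public void testUnsuccessful_KeyIDInJOSEHeader_And_JWK_KidDoesNotMatch() throws Exception {
        // NOTE(review): "different-than-jwk" also differs from the local credential's kid, so this
        // case cannot tell a kid-vs-jwk consistency check apart from a kid-vs-local-credential
        // check; confirm which one the resolver is meant to enforce.
        JWEHeader header = baseHeader().keyID("different-than-jwk").jwk(this.localRSAKey.toPublicJWK()).build();
        EncryptedJWT jwt = encryptAndParse(header, this.localRSAKey);

        List<Credential> credentials = resolveAll(jwt);

        Assert.assertNotNull(credentials);
        Assert.assertEquals(credentials.size(), 0);
    }
}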
