package org.opensaml.saml.security.impl;

import com.google.common.base.Predicate;
import java.security.Key;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.annotation.ParameterName;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.metadata.EncryptionMethod;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.crypto.KeySupport;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.KeyTransportAlgorithmPredicate;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.encryption.MGF;
import org.opensaml.xmlsec.encryption.OAEPparams;
import org.opensaml.xmlsec.encryption.support.RSAOAEPParameters;
import org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver;
import org.opensaml.xmlsec.signature.DigestMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:repository/org/opensaml/opensaml-saml-impl/3.4.3/opensaml-saml-impl-3.4.3.jar:org/opensaml/saml/security/impl/SAMLMetadataEncryptionParametersResolver.class */
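public class SAMLMetadataEncryptionParametersResolver extends BasicEncryptionParametersResolver {

    /**
     * Resolves encryption parameters (key transport credential, key transport algorithm, data
     * encryption algorithm and RSA-OAEP parameters) preferring what the peer publishes in its SAML
     * metadata, and falling back to the locally configured values of
     * {@link BasicEncryptionParametersResolver} whenever metadata yields nothing usable.
     *
     * <p>Every algorithm URI taken from metadata is accepted only if it passes both the caller-supplied
     * include/exclude predicate and {@link #getAlgorithmRuntimeSupportedPredicate()}; metadata can
     * therefore narrow the algorithm choice but cannot force a locally disallowed or unsupported one.
     * The one metadata value adopted without filtering is the opaque {@code OAEPparams} label
     * (see {@link #populateRSAOAEPParamsFromEncryptionMethod}).</p>
     *
     * <p>Note for maintainers: this listing was recovered by decompilation; the hash-based
     * {@code switch} the decompiler emitted for {@link #evaluateEncryptionMethodChildren} has been
     * restored to plain string comparisons.</p>
     */

    /** Algorithm URI of RSA-OAEP as defined by XML Encryption 1.1 (may carry an explicit MGF child). */
    private static final String ALGO_RSA_OAEP_11 = "http://www.w3.org/2009/xmlenc11#rsa-oaep";

    /** Algorithm URI of RSA-OAEP with MGF1 as defined by XML Encryption 1.0. */
    private static final String ALGO_RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(SAMLMetadataEncryptionParametersResolver.class);

    /** Resolver supplying encryption credentials, together with their metadata context, from SAML metadata. */
    private final MetadataCredentialResolver credentialResolver;

    /** Whether RSA-OAEP parameters only partially given by metadata are completed from local configuration. */
    private boolean mergeMetadataRSAOAEPParametersWithConfig;

    /**
     * Constructor.
     *
     * @param metadataCredentialResolver resolver used to obtain encryption credentials from metadata
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the resolver is null
     */
    public SAMLMetadataEncryptionParametersResolver(
            @Nonnull @ParameterName(name = "resolver") final MetadataCredentialResolver metadataCredentialResolver) {
        credentialResolver = Constraint.isNotNull(metadataCredentialResolver,
                "MetadataCredentialResolver may not be null");
    }

    /**
     * Get whether partial RSA-OAEP parameters obtained from metadata are merged with local configuration.
     *
     * @return true if merging is enabled, false otherwise
     */
    public boolean isMergeMetadataRSAOAEPParametersWithConfig() {
        return mergeMetadataRSAOAEPParametersWithConfig;
    }

    /**
     * Set whether partial RSA-OAEP parameters obtained from metadata are merged with local configuration.
     *
     * @param z true to enable merging, false to use the metadata values as-is
     */
    public void setMergeMetadataRSAOAEPParametersWithConfig(final boolean z) {
        mergeMetadataRSAOAEPParametersWithConfig = z;
    }

    /**
     * Get the metadata credential resolver.
     *
     * @return the resolver, never null
     */
    @Nonnull
    protected MetadataCredentialResolver getMetadataCredentialResolver() {
        return credentialResolver;
    }

    /**
     * Populate the key transport credential and the key transport and data encryption algorithms.
     *
     * <p>Each metadata credential with usage {@code ENCRYPTION} is tried in turn; the first one for
     * which a key transport algorithm can be resolved wins. If none qualifies, or metadata resolution
     * fails, the superclass (local configuration) is consulted instead.</p>
     *
     * @param encryptionParameters the parameters instance being populated
     * @param criteriaSet the input criteria
     * @param predicate the algorithm include/exclude predicate
     */
    @Override
    public void resolveAndPopulateCredentialsAndAlgorithms(@Nonnull final EncryptionParameters encryptionParameters,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> predicate) {
        final CriteriaSet mdCriteria = new CriteriaSet();
        mdCriteria.addAll(criteriaSet);
        // Only encryption-usage credentials are candidates; the flag asks that any usage criterion
        // already present in the copied set be replaced rather than rejected.
        mdCriteria.add(new UsageCriterion(UsageType.ENCRYPTION), true);

        try {
            for (final Credential credential : getMetadataCredentialResolver().resolve(mdCriteria)) {
                // May be null for credentials carrying no usable public or secret key.
                final Key encryptionKey = CredentialSupport.extractEncryptionKey(credential);
                if (log.isTraceEnabled()) {
                    log.trace("Evaluating key transport encryption credential from SAML metadata of type: {}",
                            encryptionKey != null ? encryptionKey.getAlgorithm() : "n/a");
                }

                final SAMLMDCredentialContext mdContext =
                        credential.getCredentialContextSet().get(SAMLMDCredentialContext.class);
                final Pair<String, EncryptionMethod> dataEncryption =
                        resolveDataEncryptionAlgorithm(criteriaSet, predicate, mdContext);
                final Pair<String, EncryptionMethod> keyTransport = resolveKeyTransportAlgorithm(credential,
                        criteriaSet, predicate, dataEncryption.getFirst(), mdContext);

                if (keyTransport.getFirst() != null) {
                    encryptionParameters.setKeyTransportEncryptionCredential(credential);
                    encryptionParameters.setKeyTransportEncryptionAlgorithm(keyTransport.getFirst());
                    encryptionParameters.setDataEncryptionAlgorithm(dataEncryption.getFirst());
                    resolveAndPopulateRSAOAEPParams(encryptionParameters, criteriaSet, predicate,
                            keyTransport.getSecond());
                    processDataEncryptionCredentialAutoGeneration(encryptionParameters);
                    return;
                }

                // Guarded against a null key: the original dereferenced extractEncryptionKey() here.
                log.debug("Unable to resolve key transport algorithm for credential with key type '{}', considering other credentials",
                        encryptionKey != null ? encryptionKey.getAlgorithm() : "n/a");
            }
        } catch (final ResolverException e) {
            log.warn("Problem resolving credentials from metadata, falling back to local configuration", e);
        }

        log.debug("Could not resolve encryption parameters based on SAML metadata, falling back to locally configured credentials and algorithms");
        super.resolveAndPopulateCredentialsAndAlgorithms(encryptionParameters, criteriaSet, predicate);
    }

    /**
     * Populate the RSA-OAEP parameters, using the metadata {@code EncryptionMethod} that selected the
     * key transport algorithm when one is available.
     *
     * <p>Nothing is done unless the resolved key transport algorithm is an RSA-OAEP variant. With no
     * metadata method, local configuration is used. Otherwise the metadata values are applied; if they
     * are incomplete, local configuration fills in only when metadata supplied nothing at all or
     * {@link #isMergeMetadataRSAOAEPParametersWithConfig()} is enabled.</p>
     *
     * @param encryptionParameters the parameters instance being populated
     * @param criteriaSet the input criteria
     * @param predicate the algorithm include/exclude predicate
     * @param encryptionMethod the metadata method that selected the key transport algorithm, may be null
     */
    protected void resolveAndPopulateRSAOAEPParams(@Nonnull final EncryptionParameters encryptionParameters,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> predicate,
            @Nullable final EncryptionMethod encryptionMethod) {
        if (!AlgorithmSupport.isRSAOAEP(encryptionParameters.getKeyTransportEncryptionAlgorithm())) {
            return;
        }
        if (encryptionMethod == null) {
            super.resolveAndPopulateRSAOAEPParams(encryptionParameters, criteriaSet, predicate);
            return;
        }

        if (encryptionParameters.getRSAOAEPParameters() == null) {
            encryptionParameters.setRSAOAEPParameters(new RSAOAEPParameters());
        }
        final RSAOAEPParameters oaepParams = encryptionParameters.getRSAOAEPParameters();
        populateRSAOAEPParamsFromEncryptionMethod(oaepParams, encryptionMethod, predicate);

        if (oaepParams.isComplete()) {
            return;
        }
        // Partial metadata values are left untouched unless merging with local config is enabled.
        if (oaepParams.isEmpty() || isMergeMetadataRSAOAEPParametersWithConfig()) {
            super.resolveAndPopulateRSAOAEPParams(encryptionParameters, criteriaSet, predicate);
        }
    }

    /**
     * Copy RSA-OAEP settings from a metadata {@code EncryptionMethod} into the supplied parameters.
     *
     * <p>The digest method is adopted only if it passes both the include/exclude predicate and the
     * runtime-support predicate. The MGF (XML Encryption 1.1 RSA-OAEP only) is checked against the
     * include/exclude predicate alone. NOTE(review): the MGF is not checked against the
     * runtime-support predicate, unlike the digest — confirm that is intended. The {@code OAEPparams}
     * value is opaque label data rather than an algorithm choice and is adopted without filtering.</p>
     *
     * @param rSAOAEPParameters the parameters to populate
     * @param encryptionMethod the metadata method to read from
     * @param predicate the algorithm include/exclude predicate
     */
    protected void populateRSAOAEPParamsFromEncryptionMethod(@Nonnull final RSAOAEPParameters rSAOAEPParameters,
            @Nonnull final EncryptionMethod encryptionMethod, @Nonnull final Predicate<String> predicate) {
        final Predicate<String> runtimeSupported = getAlgorithmRuntimeSupportedPredicate();

        final String digest = firstDigestMethodAlgorithm(encryptionMethod);
        if (digest != null && predicate.apply(digest) && runtimeSupported.apply(digest)) {
            rSAOAEPParameters.setDigestMethod(digest);
        }

        if (ALGO_RSA_OAEP_11.equals(encryptionMethod.getAlgorithm())) {
            final String mgf = firstMGFAlgorithm(encryptionMethod);
            if (mgf != null && predicate.apply(mgf)) {
                rSAOAEPParameters.setMaskGenerationFunction(mgf);
            }
        }

        final OAEPparams oaepParams = encryptionMethod.getOAEPparams();
        if (oaepParams != null) {
            final String label = StringSupport.trimOrNull(oaepParams.getValue());
            if (label != null) {
                rSAOAEPParameters.setOAEPparams(label);
            }
        }
    }

    /**
     * Resolve the key transport algorithm, preferring the metadata {@code EncryptionMethod} elements of
     * the credential's context.
     *
     * <p>A metadata algorithm is selected only if it is a key transport algorithm, passes the
     * include/exclude and runtime-support predicates, is usable with the credential (including any
     * declared key size), has acceptable child elements, and is accepted by the key transport
     * algorithm predicate resolved from the criteria (when one exists).</p>
     *
     * @param credential the candidate key transport credential
     * @param criteriaSet the input criteria
     * @param predicate the algorithm include/exclude predicate
     * @param str the already-resolved data encryption algorithm URI, may be null
     * @param sAMLMDCredentialContext the credential's metadata context, may be null
     * @return the resolved algorithm URI (null if none) paired with the metadata method that supplied it
     *         (null when the algorithm came from local configuration)
     */
    @Nonnull
    protected Pair<String, EncryptionMethod> resolveKeyTransportAlgorithm(@Nonnull final Credential credential,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> predicate,
            @Nullable final String str, @Nullable final SAMLMDCredentialContext sAMLMDCredentialContext) {
        if (sAMLMDCredentialContext != null) {
            final KeyTransportAlgorithmPredicate ktPredicate = resolveKeyTransportAlgorithmPredicate(criteriaSet);
            for (final EncryptionMethod encryptionMethod : sAMLMDCredentialContext.getEncryptionMethods()) {
                final String algorithm = encryptionMethod.getAlgorithm();
                log.trace("Evaluating SAML metadata EncryptionMethod algorithm for key transport: {}", algorithm);
                if (!isKeyTransportAlgorithm(algorithm)
                        || !predicate.apply(algorithm)
                        || !getAlgorithmRuntimeSupportedPredicate().apply(algorithm)
                        || !credentialSupportsEncryptionMethod(credential, encryptionMethod)
                        || !evaluateEncryptionMethodChildren(encryptionMethod, criteriaSet, predicate)) {
                    continue;
                }
                if (ktPredicate != null && !ktPredicate.apply(
                        new KeyTransportAlgorithmPredicate.SelectionInput(algorithm, str, credential))) {
                    continue;
                }
                log.debug("Resolved key transport algorithm URI from SAML metadata EncryptionMethod: {}", algorithm);
                return new Pair<>(algorithm, encryptionMethod);
            }
        }

        log.debug("Could not resolve key transport algorithm based on SAML metadata, falling back to locally configured algorithms");
        return new Pair<>(super.resolveKeyTransportAlgorithm(credential, criteriaSet, predicate, str), null);
    }

    /**
     * Resolve the data encryption algorithm, preferring the metadata {@code EncryptionMethod} elements
     * of the credential's context.
     *
     * @param criteriaSet the input criteria
     * @param predicate the algorithm include/exclude predicate
     * @param sAMLMDCredentialContext the credential's metadata context, may be null
     * @return the resolved algorithm URI (null if none) paired with the metadata method that supplied it
     *         (null when the algorithm came from local configuration)
     */
    @Nonnull
    protected Pair<String, EncryptionMethod> resolveDataEncryptionAlgorithm(@Nonnull final CriteriaSet criteriaSet,
            @Nonnull final Predicate<String> predicate,
            @Nullable final SAMLMDCredentialContext sAMLMDCredentialContext) {
        if (sAMLMDCredentialContext != null) {
            for (final EncryptionMethod encryptionMethod : sAMLMDCredentialContext.getEncryptionMethods()) {
                final String algorithm = encryptionMethod.getAlgorithm();
                log.trace("Evaluating SAML metadata EncryptionMethod algorithm for data encryption: {}", algorithm);
                if (isDataEncryptionAlgorithm(algorithm)
                        && predicate.apply(algorithm)
                        && getAlgorithmRuntimeSupportedPredicate().apply(algorithm)
                        && evaluateEncryptionMethodChildren(encryptionMethod, criteriaSet, predicate)) {
                    log.debug("Resolved data encryption algorithm URI from SAML metadata EncryptionMethod: {}", algorithm);
                    return new Pair<>(algorithm, encryptionMethod);
                }
            }
        }

        log.debug("Could not resolve data encryption algorithm based on SAML metadata, falling back to locally configured algorithms");
        // No credential is passed: the data encryption key is generated later, not taken from metadata.
        return new Pair<>(super.resolveDataEncryptionAlgorithm((Credential) null, criteriaSet, predicate), null);
    }

    /**
     * Evaluate whether the child elements of a metadata {@code EncryptionMethod} are acceptable.
     *
     * <p>Only the two RSA-OAEP variants carry children (DigestMethod, MGF) that constrain use; every
     * other algorithm, including a null algorithm URI, is accepted here.</p>
     *
     * @param encryptionMethod the metadata method to evaluate
     * @param criteriaSet the input criteria
     * @param predicate the algorithm include/exclude predicate
     * @return true if the children are acceptable
     */
    protected boolean evaluateEncryptionMethodChildren(@Nonnull final EncryptionMethod encryptionMethod,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> predicate) {
        final String algorithm = encryptionMethod.getAlgorithm();
        if (ALGO_RSA_OAEP_MGF1P.equals(algorithm) || ALGO_RSA_OAEP_11.equals(algorithm)) {
            return evaluateRSAOAEPChildren(encryptionMethod, criteriaSet, predicate);
        }
        return true;
    }

    /**
     * Evaluate the DigestMethod and (for XML Encryption 1.1 RSA-OAEP) MGF children of an RSA-OAEP
     * {@code EncryptionMethod}.
     *
     * <p>A present digest must pass both the include/exclude and runtime-support predicates; a present
     * MGF must pass the include/exclude predicate. Absent children are accepted.</p>
     *
     * @param encryptionMethod the metadata method to evaluate
     * @param criteriaSet the input criteria
     * @param predicate the algorithm include/exclude predicate
     * @return true if the children are acceptable
     */
    protected boolean evaluateRSAOAEPChildren(@Nonnull final EncryptionMethod encryptionMethod,
            @Nonnull final CriteriaSet criteriaSet, @Nonnull final Predicate<String> predicate) {
        final Predicate<String> runtimeSupported = getAlgorithmRuntimeSupportedPredicate();

        final String digest = firstDigestMethodAlgorithm(encryptionMethod);
        if (digest != null && (!predicate.apply(digest) || !runtimeSupported.apply(digest))) {
            log.debug("Rejecting RSA OAEP EncryptionMethod due to unsupported or disallowed DigestMethod: {}", digest);
            return false;
        }

        if (!ALGO_RSA_OAEP_11.equals(encryptionMethod.getAlgorithm())) {
            return true;
        }

        final String mgf = firstMGFAlgorithm(encryptionMethod);
        if (mgf != null && !predicate.apply(mgf)) {
            log.debug("Rejecting RSA OAEP EncryptionMethod due to disallowed MGF: {}", mgf);
            return false;
        }
        return true;
    }

    /**
     * Evaluate whether a credential can be used with a metadata {@code EncryptionMethod}.
     *
     * <p>The credential must support the method's algorithm; if the method declares a key size, the
     * credential's key length must equal it exactly. A credential whose key or key length cannot be
     * determined fails the evaluation when a key size is declared.</p>
     *
     * @param credential the candidate credential
     * @param encryptionMethod the metadata method
     * @return true if the credential may be used with the method
     */
    protected boolean credentialSupportsEncryptionMethod(@Nonnull final Credential credential,
            @NotEmpty @Nonnull final EncryptionMethod encryptionMethod) {
        if (!credentialSupportsAlgorithm(credential, encryptionMethod.getAlgorithm())) {
            return false;
        }
        if (encryptionMethod.getKeySize() == null || encryptionMethod.getKeySize().getValue() == null) {
            // No key size constraint declared in metadata.
            return true;
        }
        final Integer requiredKeyLength = encryptionMethod.getKeySize().getValue();

        final Key key = CredentialSupport.extractEncryptionKey(credential);
        if (key == null) {
            log.warn("Could not extract encryption key from credential. Failing evaluation");
            return false;
        }
        final Integer keyLength = KeySupport.getKeyLength(key);
        if (keyLength == null) {
            log.warn("Could not determine key length of candidate encryption credential. Failing evaluation");
            return false;
        }
        return keyLength.equals(requiredKeyLength);
    }

    /**
     * Get the trimmed algorithm URI of the first DigestMethod child of a metadata method.
     *
     * @param encryptionMethod the metadata method
     * @return the algorithm URI, or null if there is no DigestMethod child or its algorithm is blank
     */
    @Nullable
    private static String firstDigestMethodAlgorithm(@Nonnull final EncryptionMethod encryptionMethod) {
        final List<XMLObject> digestMethods = encryptionMethod.getUnknownXMLObjects(DigestMethod.DEFAULT_ELEMENT_NAME);
        if (digestMethods.isEmpty()) {
            return null;
        }
        return StringSupport.trimOrNull(((DigestMethod) digestMethods.get(0)).getAlgorithm());
    }

    /**
     * Get the trimmed algorithm URI of the first MGF child of a metadata method.
     *
     * @param encryptionMethod the metadata method
     * @return the algorithm URI, or null if there is no MGF child or its algorithm is blank
     */
    @Nullable
    private static String firstMGFAlgorithm(@Nonnull final EncryptionMethod encryptionMethod) {
        final List<XMLObject> mgfs = encryptionMethod.getUnknownXMLObjects(MGF.DEFAULT_ELEMENT_NAME);
        if (mgfs.isEmpty()) {
            return null;
        }
        return StringSupport.trimOrNull(((MGF) mgfs.get(0)).getAlgorithm());
    }
}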
