package org.opensaml.security.credential.impl;

import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.UnrecoverableEntryException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.DestroyFailedException;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.slf4j.Logger;

/* loaded from: input_file:WEB-INF/lib/opensaml-security-impl-5.1.0.jar:org/opensaml/security/credential/impl/KeyStoreCredentialResolver.class */
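/**
 * A {@link Credential} resolver backed by a Java {@link KeyStore}.
 *
 * <p>The entity ID carried by the {@link EntityIdCriterion} in the criteria set is used as the
 * keystore alias. If the password map holds a password for that alias it is used to open the entry;
 * otherwise the entry is requested without protection. Private key, trusted certificate and secret
 * key entries are turned into credentials; any other entry type is rejected with a
 * {@link ResolverException}.</p>
 *
 * <p>An optional {@link UsageCriterion} is compared against the usage configured for this key store
 * (see {@link #matchUsage(UsageType, UsageType)}); on a mismatch nothing is resolved.</p>
 *
 * <p>Passwords are supplied as {@link String}s by the caller and so cannot be cleared here; the
 * {@code char[]} copy made for each lookup is zeroed once the lookup completes.</p>
 */
public class KeyStoreCredentialResolver extends AbstractCriteriaFilteringCredentialResolver {

    /** Class logger. */
    @Nonnull
    private final Logger log;

    /** Key store credentials are resolved from; must already be loaded. */
    @Nonnull
    private final KeyStore keyStore;

    /** Entry passwords keyed by keystore alias (which doubles as the entity ID). */
    @Nonnull
    private final Map<String, String> keyPasswords;

    /** Usage type attached to every credential built from this key store. */
    @Nonnull
    private final UsageType keystoreUsage;

    /**
     * Constructor; the keystore usage defaults to {@link UsageType#UNSPECIFIED}.
     *
     * @param keyStore loaded key store to resolve credentials from
     * @param map entry passwords keyed by keystore alias
     *
     * @throws IllegalStateException if the key store has not been loaded
     */
    public KeyStoreCredentialResolver(@Nonnull final KeyStore keyStore, @Nonnull final Map<String, String> map) {
        this(keyStore, map, null);
    }

    /**
     * Constructor.
     *
     * @param keyStore loaded key store to resolve credentials from
     * @param map entry passwords keyed by keystore alias
     * @param usageType usage type to attach to resolved credentials; {@code null} means
     *            {@link UsageType#UNSPECIFIED}
     *
     * @throws IllegalStateException if the key store has not been loaded
     */
    public KeyStoreCredentialResolver(@Nonnull final KeyStore keyStore, @Nonnull final Map<String, String> map,
            @Nullable final UsageType usageType) {
        log = LoggerFactory.getLogger(KeyStoreCredentialResolver.class);
        this.keyStore = Constraint.isNotNull(keyStore, "Provided key store cannot be null");
        keyPasswords = Constraint.isNotNull(map, "Password map cannot be null");
        keystoreUsage = usageType != null ? usageType : UsageType.UNSPECIFIED;
        try {
            // size() is only callable on a loaded key store, so this fails fast on an unloaded one.
            keyStore.size();
        } catch (final KeyStoreException e) {
            // Keep the cause so the failure is diagnosable rather than a bare message.
            throw new IllegalStateException("Keystore has not been initialized.", e);
        }
    }

    /**
     * Resolves at most one credential: the keystore entry whose alias equals the requested entity ID.
     *
     * @param criteriaSet criteria; must contain an {@link EntityIdCriterion}, may contain a
     *            {@link UsageCriterion}
     *
     * @return a single-element set holding the credential, or an empty set when the usage does not
     *         match or no entry exists for the alias
     *
     * @throws ResolverException if the entry cannot be read (including a wrong entry password)
     * @throws IllegalArgumentException if no {@link EntityIdCriterion} is present
     */
    @Override
    @Nonnull
    protected Iterable<Credential> resolveFromSource(@Nullable final CriteriaSet criteriaSet)
            throws ResolverException {
        final String entityId = checkCriteriaRequirements(criteriaSet).getEntityId();

        final UsageCriterion usageCriterion = criteriaSet != null ? criteriaSet.get(UsageCriterion.class) : null;
        final UsageType usage = usageCriterion != null ? usageCriterion.getUsage() : UsageType.UNSPECIFIED;
        if (!matchUsage(keystoreUsage, usage)) {
            log.debug("Specified usage criteria {} does not match keystore usage {}", usage, keystoreUsage);
            log.debug("Can not resolve credentials from this keystore");
            return CollectionSupport.emptySet();
        }

        final KeyStore.PasswordProtection passwordProtection = buildPasswordProtection(entityId);
        try {
            final KeyStore.Entry entry = keyStore.getEntry(entityId, passwordProtection);
            if (entry == null) {
                log.debug("Keystore entry for entityID (keystore alias) {} does not exist", entityId);
                return CollectionSupport.emptySet();
            }
            return CollectionSupport.singleton(buildCredential(entry, entityId, keystoreUsage));
        } catch (final UnrecoverableEntryException e) {
            // Narrower than GeneralSecurityException; must be caught first.
            log.error("Unable to retrieve keystore entry for entityID (keystore alias): {}", entityId);
            log.error("Check for invalid keystore entityID/alias entry password");
            throw new ResolverException("Could not retrieve entry from keystore", e);
        } catch (final GeneralSecurityException e) {
            log.error("Unable to retrieve keystore entry for entityID (keystore alias): {}: {}", entityId,
                    e.getMessage());
            throw new ResolverException("Could not retrieve entry from keystore", e);
        } finally {
            // Zero the char[] copy of the password whether or not the lookup succeeded.
            destroyQuietly(passwordProtection);
        }
    }

    /**
     * Builds the protection parameter for an alias from the password map.
     *
     * @param alias keystore alias to look up
     *
     * @return a protection holding a fresh {@code char[]} copy of the password, or {@code null} when
     *         the map has no password for the alias
     */
    @Nullable
    private KeyStore.PasswordProtection buildPasswordProtection(@Nonnull final String alias) {
        final String password = keyPasswords.get(alias);
        if (password == null) {
            return null;
        }
        // toCharArray() returns a new array, so destroying the protection cannot affect the map.
        return new KeyStore.PasswordProtection(password.toCharArray());
    }

    /**
     * Zeroes the password held by a {@link KeyStore.PasswordProtection}, ignoring a {@code null}
     * protection and logging (not propagating) a failure to destroy.
     *
     * @param protection protection to destroy, may be {@code null}
     */
    private void destroyQuietly(@Nullable final KeyStore.PasswordProtection protection) {
        if (protection == null) {
            return;
        }
        try {
            protection.destroy();
        } catch (final DestroyFailedException e) {
            // Best effort: the lookup result is unaffected, but the copy may remain in memory.
            log.debug("Unable to clear keystore entry password from memory", e);
        }
    }

    /**
     * Checks that the criteria set carries the mandatory {@link EntityIdCriterion}.
     *
     * @param criteriaSet criteria to check, may be {@code null}
     *
     * @return the entity ID criterion
     *
     * @throws IllegalArgumentException if the criterion is absent (or the set is {@code null})
     */
    @Nonnull
    protected EntityIdCriterion checkCriteriaRequirements(@Nullable final CriteriaSet criteriaSet) {
        final EntityIdCriterion entityIdCriterion =
                criteriaSet != null ? criteriaSet.get(EntityIdCriterion.class) : null;
        if (entityIdCriterion == null) {
            log.error("EntityIDCriterion was not specified in the criteria set, resolution cannot be attempted");
            throw new IllegalArgumentException("No EntityIDCriterion was available in criteria set");
        }
        return entityIdCriterion;
    }

    /**
     * Decides whether two usage types are compatible: they match when either is
     * {@link UsageType#UNSPECIFIED} or both are the same value.
     *
     * @param usageType first usage type
     * @param usageType2 second usage type
     *
     * @return true if the usages match
     */
    protected boolean matchUsage(@Nonnull final UsageType usageType, @Nonnull final UsageType usageType2) {
        if (usageType == UsageType.UNSPECIFIED || usageType2 == UsageType.UNSPECIFIED) {
            return true;
        }
        return usageType == usageType2;
    }

    /**
     * Builds a credential from a keystore entry, dispatching on the entry type.
     *
     * @param entry keystore entry
     * @param str entity ID (keystore alias) for the credential
     * @param usageType usage type to attach to the credential
     *
     * @return the credential
     *
     * @throws ResolverException if the entry type is not supported
     */
    @Nonnull
    protected Credential buildCredential(@Nonnull final KeyStore.Entry entry, @Nonnull final String str,
            @Nonnull final UsageType usageType) throws ResolverException {
        log.debug("Building credential from keystore entry for entityID {}, usage type {}", str, usageType);
        // The usage that is logged is the one applied; the caller in this class passes the keystore usage.
        if (entry instanceof KeyStore.PrivateKeyEntry) {
            return processPrivateKeyEntry((KeyStore.PrivateKeyEntry) entry, str, usageType);
        } else if (entry instanceof KeyStore.TrustedCertificateEntry) {
            return processTrustedCertificateEntry((KeyStore.TrustedCertificateEntry) entry, str, usageType);
        } else if (entry instanceof KeyStore.SecretKeyEntry) {
            return processSecretKeyEntry((KeyStore.SecretKeyEntry) entry, str, usageType);
        }
        throw new ResolverException("KeyStore entry was of an unsupported type: " + entry.getClass().getName());
    }

    /**
     * Builds an X.509 credential (certificate only, no private key) from a trusted certificate entry.
     *
     * @param trustedCertificateEntry the entry
     * @param str entity ID (keystore alias) for the credential
     * @param usageType usage type to attach to the credential
     *
     * @return the credential; its certificate chain is the entity certificate alone
     *
     * @throws ClassCastException if the trusted certificate is not an {@link X509Certificate}
     */
    @Nonnull
    protected X509Credential processTrustedCertificateEntry(
            @Nonnull final KeyStore.TrustedCertificateEntry trustedCertificateEntry, @Nonnull final String str,
            @Nonnull final UsageType usageType) {
        log.debug("Processing TrustedCertificateEntry from keystore");
        // Only X.509 certificates are supported.
        final X509Certificate x509Certificate = (X509Certificate) trustedCertificateEntry.getTrustedCertificate();
        final BasicX509Credential credential = new BasicX509Credential(x509Certificate);
        credential.setEntityId(str);
        credential.setUsageType(usageType);
        final List<X509Certificate> chain = new ArrayList<>(1);
        chain.add(x509Certificate);
        credential.setEntityCertificateChain(chain);
        return credential;
    }

    /**
     * Builds an X.509 credential with a private key from a private key entry.
     *
     * @param privateKeyEntry the entry
     * @param str entity ID (keystore alias) for the credential
     * @param usageType usage type to attach to the credential
     *
     * @return the credential, carrying the entry's certificate, private key and full chain
     *
     * @throws ClassCastException if the entry's certificates are not {@link X509Certificate}s
     */
    @Nonnull
    protected X509Credential processPrivateKeyEntry(@Nonnull final KeyStore.PrivateKeyEntry privateKeyEntry,
            @Nonnull final String str, @Nonnull final UsageType usageType) {
        log.debug("Processing PrivateKeyEntry from keystore");
        final BasicX509Credential credential = new BasicX509Credential(
                (X509Certificate) privateKeyEntry.getCertificate(), privateKeyEntry.getPrivateKey());
        credential.setEntityId(str);
        credential.setUsageType(usageType);
        // The array cast relies on the entry exposing an X509Certificate[]; any other type fails here.
        final X509Certificate[] chain = (X509Certificate[]) privateKeyEntry.getCertificateChain();
        credential.setEntityCertificateChain(Arrays.asList(chain));
        return credential;
    }

    /**
     * Builds a symmetric-key credential from a secret key entry.
     *
     * @param secretKeyEntry the entry
     * @param str entity ID (keystore alias) for the credential
     * @param usageType usage type to attach to the credential
     *
     * @return the credential
     */
    @Nonnull
    protected Credential processSecretKeyEntry(@Nonnull final KeyStore.SecretKeyEntry secretKeyEntry,
            @Nonnull final String str, @Nonnull final UsageType usageType) {
        log.debug("Processing SecretKeyEntry from keystore");
        final BasicCredential credential = new BasicCredential(secretKeyEntry.getSecretKey());
        credential.setEntityId(str);
        credential.setUsageType(usageType);
        return credential;
    }
}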
