package net.shibboleth.idp.authn.impl;

import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import net.shibboleth.idp.authn.AbstractSubjectCanonicalizationAction;
import net.shibboleth.idp.authn.SubjectCanonicalizationException;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.cryptacular.x509.dn.Attribute;
import org.cryptacular.x509.dn.NameReader;
import org.cryptacular.x509.dn.RDN;
import org.cryptacular.x509.dn.RDNSequence;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.security.x509.X509Support;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/authn/impl/X500SubjectCanonicalization.class */
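/**
 * Subject canonicalization action that derives the principal name from an X.509 subject.
 *
 * <p>The {@link Subject} being canonicalized must carry either exactly one {@link X509Certificate}
 * public credential or exactly one {@link X500Principal}; anything else (none, or more than one of
 * each) is rejected with the {@code InvalidSubject} event. The name is then taken, in order, from:</p>
 * <ol>
 *   <li>the first String-valued subjectAltName of one of the configured
 *       {@link #setSubjectAltNameTypes(List) types} — only when a certificate is present and the
 *       type list is non-empty; then</li>
 *   <li>the first RDN attribute whose OID is in the configured {@link #setObjectIds(List) list},
 *       OIDs tried in list order and the DN scanned from its most specific (last) RDN backwards.</li>
 * </ol>
 * <p>The extracted value is passed through the inherited {@code applyTransforms} before being stored
 * as the principal name. If nothing can be extracted, or the DN cannot be parsed, the
 * {@code InvalidSubject} event is signaled.</p>
 *
 * <p>Security notes: this action performs no validation of the certificate itself — it trusts
 * whatever the preceding authentication step placed on the Subject. When several SAN types are
 * configured, {@code X509Support.getAltNames} is consulted once with all of them, so which SAN wins
 * when a certificate carries several is determined by the order that call returns them, not
 * necessarily by the order of the configured list (confirm against X509Support before relying on
 * precedence). The certificate and DN under examination are kept in instance fields between
 * {@code doPreExecute} and {@code doExecute}; the instance is therefore per-request state and must
 * not be shared across concurrent requests (presumably a prototype-scoped bean — confirm in the
 * flow configuration).</p>
 */
public class X500SubjectCanonicalization extends AbstractSubjectCanonicalizationAction {

    /** OID of the commonName (CN) attribute type; the only RDN searched by default. */
    private static final String CN_OID = "2.5.4.3";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(X500SubjectCanonicalization.class);

    /** Activation condition for this action; not referenced by the code in this class. */
    @Nonnull
    private final ActivationCondition embeddedPredicate = new ActivationCondition();

    /**
     * subjectAltName types to search before falling back to the DN (presumably the OpenSAML
     * X509Support name-type constants — confirm). Empty disables the SAN search entirely.
     */
    @NonnullElements
    @Nonnull
    private List<Integer> subjectAltNameTypes = Collections.emptyList();

    /** RDN attribute OIDs to search, in preference order; defaults to CN only. */
    @NonnullElements
    @Nonnull
    private List<String> objectIds = Collections.singletonList(CN_OID);

    /** Certificate found on the Subject, if any; per-request state set in doPreExecute. */
    @Nullable
    private X509Certificate certificate;

    /** DN being canonicalized (from the certificate, else the Subject); per-request state set in doPreExecute. */
    @Nullable
    private X500Principal x500Principal;

    /**
     * Predicate that is true when the Subject in the {@link SubjectCanonicalizationContext} carries
     * exactly one {@link X509Certificate} public credential or exactly one {@link X500Principal}.
     *
     * <p>When used via {@link #apply} with {@code duringAction} set, a negative result also records a
     * {@link SubjectCanonicalizationException} on the context and signals {@code InvalidSubject}.</p>
     */
    public static class ActivationCondition implements Predicate<ProfileRequestContext> {

        /**
         * {@inheritDoc}
         *
         * @return false when the request context or its {@link SubjectCanonicalizationContext} is
         *         absent; otherwise the result of {@link #apply} without side effects
         */
        @Override // java.util.function.Predicate
        public boolean test(@Nullable final ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null) {
                return false;
            }
            final SubjectCanonicalizationContext c14nContext =
                    (SubjectCanonicalizationContext) profileRequestContext.getSubcontext(SubjectCanonicalizationContext.class);
            if (c14nContext == null) {
                return false;
            }
            return apply(profileRequestContext, c14nContext, false);
        }

        /**
         * Checks whether the Subject carries a single certificate or a single X.500 principal.
         *
         * @param profileRequestContext current profile request context
         * @param c14nContext           canonicalization context holding the Subject (may hold a null Subject)
         * @param duringAction          when true, a negative result is also recorded on the context as an
         *                              exception plus an {@code InvalidSubject} event
         * @return true iff exactly one X509Certificate public credential or exactly one X500Principal is present
         */
        public boolean apply(@Nonnull final ProfileRequestContext profileRequestContext,
                @Nonnull final SubjectCanonicalizationContext c14nContext, final boolean duringAction) {
            final Subject subject = c14nContext.getSubject();
            if (subject != null) {
                final Set<X509Certificate> certificates = subject.getPublicCredentials(X509Certificate.class);
                if (certificates != null && certificates.size() == 1) {
                    return true;
                }
                final Set<X500Principal> principals = subject.getPrincipals(X500Principal.class);
                if (principals != null && principals.size() == 1) {
                    return true;
                }
            }
            if (duringAction) {
                c14nContext.setException(
                        new SubjectCanonicalizationException("Neither a single X509Certificate nor X500Principal were found"));
                ActionSupport.buildEvent(profileRequestContext, "InvalidSubject");
            }
            return false;
        }
    }

    /**
     * Sets the subjectAltName types to search, in the order given; null or empty disables the SAN search.
     *
     * @param types SAN types to search (copied; must not contain nulls)
     */
    public void setSubjectAltNameTypes(@NonnullElements @Nullable final List<Integer> types) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        subjectAltNameTypes = types == null ? Collections.emptyList() : List.copyOf(types);
    }

    /**
     * Sets the RDN attribute OIDs to search, in preference order. Values are whitespace-normalized
     * and empties dropped via {@code StringSupport.normalizeStringCollection} before being copied.
     *
     * @param oids attribute type OIDs in dotted form, e.g. {@code 2.5.4.3} for CN
     */
    public void setObjectIds(@NonnullElements @Nullable final List<String> oids) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        objectIds = List.copyOf(StringSupport.normalizeStringCollection(oids));
    }

    /**
     * Locates the single certificate or X.500 principal on the Subject and stashes it for
     * {@link #doExecute}. A null Subject is treated like an empty one rather than failing with an NPE.
     *
     * @param profileRequestContext current profile request context
     * @param c14nContext           canonicalization context holding the Subject
     * @return true iff a DN was found and the superclass pre-execution also succeeds; on failure the
     *         context receives a {@link SubjectCanonicalizationException} and {@code InvalidSubject} is signaled
     */
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final SubjectCanonicalizationContext c14nContext) {
        // Never let state from a previous invocation leak into this one: a stale certificate would
        // otherwise be searched for SANs on behalf of a different subject.
        certificate = null;
        x500Principal = null;

        final Subject subject = c14nContext.getSubject();
        if (subject != null) {
            final Set<X509Certificate> certificates = subject.getPublicCredentials(X509Certificate.class);
            if (certificates != null && certificates.size() == 1) {
                certificate = certificates.iterator().next();
                x500Principal = certificate.getSubjectX500Principal();
            } else {
                // No usable certificate: fall back to a bare X500Principal on the Subject.
                final Set<X500Principal> principals = subject.getPrincipals(X500Principal.class);
                if (principals != null && principals.size() == 1) {
                    x500Principal = principals.iterator().next();
                }
            }
        }

        if (x500Principal == null) {
            c14nContext.setException(
                    new SubjectCanonicalizationException("Neither a single X509Certificate nor X500Principal were found"));
            ActionSupport.buildEvent(profileRequestContext, "InvalidSubject");
            return false;
        }
        return super.doPreExecute(profileRequestContext, c14nContext);
    }

    /**
     * Extracts the principal name: first from a String-valued SAN of a configured type (certificate
     * only), then from the first configured RDN OID found scanning the DN backwards. Signals
     * {@code InvalidSubject} when nothing is found or the DN does not parse.
     *
     * @param profileRequestContext current profile request context
     * @param c14nContext           canonicalization context receiving the principal name
     */
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final SubjectCanonicalizationContext c14nContext) {
        if (certificate != null && !subjectAltNameTypes.isEmpty()) {
            log.debug("{} Searching for subjectAltName types ({})", getLogPrefix(), subjectAltNameTypes);
            final List<?> altNames =
                    X509Support.getAltNames(certificate, subjectAltNameTypes.toArray(new Integer[0]));
            if (altNames != null) {
                for (final Object altName : altNames) {
                    // Only String-valued names (e.g. DNS, rfc822, URI) are usable; others are skipped.
                    if (altName instanceof String) {
                        log.debug("{} Extracted String-valued subjectAltName: {}", getLogPrefix(), altName);
                        c14nContext.setPrincipalName(applyTransforms((String) altName));
                        return;
                    }
                }
            }
            // Prefix argument was missing here originally, leaving the "{}" unfilled in the log output.
            log.debug("{} No suitable subjectAltName extension", getLogPrefix());
        }

        log.debug("{} Searching for RDN to extract from DN: {}", getLogPrefix(), x500Principal.getName());
        try {
            final RDNSequence rdnSequence = NameReader.readX500Principal(x500Principal);
            // Configured OID order is the preference order; each OID is searched across the whole DN.
            for (final String oid : objectIds) {
                final String value = findRDN(rdnSequence, oid);
                if (value != null) {
                    log.debug("{} Extracted RDN with OID {}: {}", new Object[]{getLogPrefix(), oid, value});
                    c14nContext.setPrincipalName(applyTransforms(value));
                    return;
                }
            }
            log.warn("{} Unable to extract a suitable RDN from DN: {}", getLogPrefix(), x500Principal.getName());
            ActionSupport.buildEvent(profileRequestContext, "InvalidSubject");
        } catch (final IllegalArgumentException e) {
            log.warn("{} Unable to parse subject DN: {}", new Object[]{getLogPrefix(), x500Principal.getName(), e});
            ActionSupport.buildEvent(profileRequestContext, "InvalidSubject");
        }
    }

    /**
     * Finds the value of the first attribute with the given OID, scanning the RDN sequence from its
     * last (most specific) RDN towards the first and each RDN's attributes in their own order.
     *
     * @param rdnSequence parsed DN
     * @param oid         attribute type OID in dotted form
     * @return the attribute value, or null if no attribute of that type is present
     */
    @Nullable
    protected String findRDN(@Nonnull final RDNSequence rdnSequence, @NotEmpty @Nonnull final String oid) {
        for (final RDN rdn : rdnSequence.backward()) {
            for (final Attribute attribute : rdn.getAttributes()) {
                if (attribute.getType().getOid().equals(oid)) {
                    return attribute.getValue();
                }
            }
        }
        return null;
    }
}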
