package net.shibboleth.idp.authn.impl;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import net.shibboleth.idp.authn.AbstractCredentialValidator;
import net.shibboleth.idp.authn.CredentialValidator;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.CertificateContext;
import net.shibboleth.shared.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.resolver.CriteriaSet;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.security.SecurityException;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.slf4j.Logger;

/**
 * A {@link CredentialValidator} that authenticates a user from an X.509 certificate found in a
 * {@link CertificateContext} hanging off the {@link AuthenticationContext}.
 *
 * <p>If a {@link TrustEngine} is configured, the certificate (together with any intermediates the
 * context carries) must pass it before the login is accepted. If no engine is configured the
 * certificate is accepted as presented, so some upstream component (for example the TLS layer's
 * client-certificate verification) must already have established trust in it.</p>
 *
 * <p>The resulting {@link Subject} carries the certificate's subject DN as an
 * {@link javax.security.auth.x500.X500Principal} and, optionally, the certificate itself as a
 * public credential.</p>
 */
@ThreadSafeAfterInit
public class X509CertificateCredentialValidator extends AbstractCredentialValidator {

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(X509CertificateCredentialValidator.class);

    /** Finds the {@link CertificateContext} to validate; defaults to a direct child of the authentication context. */
    @Nonnull private Function<AuthenticationContext, CertificateContext> certContextLookupStrategy =
            new ChildContextLookup<>(CertificateContext.class);

    /** Optional trust engine applied to the presented certificate; {@code null} means "trust as presented". */
    @Nullable private TrustEngine<? super X509Credential> trustEngine;

    /** Whether the validated certificate is added to the Subject's public credential set. */
    private boolean saveCertificateToCredentialSet;

    /**
     * Sets the strategy used to locate the {@link CertificateContext} to validate.
     *
     * @param strategy lookup strategy, must not be null
     */
    public void setCertificateContextLookupStrategy(
            @Nonnull final Function<AuthenticationContext, CertificateContext> strategy) {
        checkSetterPreconditions();
        certContextLookupStrategy = Constraint.isNotNull(strategy, "CertificateContextLookupStrategy cannot be null");
    }

    /**
     * Sets the trust engine used to validate the certificate.
     *
     * <p>Leaving this unset disables every check this validator performs on the certificate.</p>
     *
     * @param engine trust engine, or null to accept certificates without validation
     */
    public void setTrustEngine(@Nullable final TrustEngine<? super X509Credential> engine) {
        checkSetterPreconditions();
        trustEngine = engine;
    }

    /**
     * Sets whether the validated certificate is saved into the Subject's public credentials.
     *
     * @param flag true to save the certificate
     */
    public void setSaveCertificateToCredentialSet(final boolean flag) {
        checkSetterPreconditions();
        saveCertificateToCredentialSet = flag;
    }

    /**
     * Validates the certificate in the located {@link CertificateContext}.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @param warningHandler not used by this validator
     * @param errorHandler invoked with the failure (and the code "InvalidCredentials") before it is thrown
     *
     * @return a populated Subject, or null if no usable X.509 certificate was found
     *
     * @throws Exception a {@link LoginException} if the trust engine rejects the certificate, or the
     *   {@link SecurityException} raised by the engine itself
     */
    @Nullable protected Subject doValidate(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nullable final CredentialValidator.WarningHandler warningHandler,
            @Nullable final CredentialValidator.ErrorHandler errorHandler) throws Exception {

        final CertificateContext certContext = certContextLookupStrategy.apply(authenticationContext);
        if (certContext == null) {
            log.debug("{} No CertificateContext available within authentication context", getLogPrefix());
            return null;
        }

        final Certificate presented = certContext.getCertificate();
        if (!(presented instanceof X509Certificate)) {
            // instanceof is false for null, so a missing certificate lands here too.
            log.debug("{} No X.509 certificate available within CertificateContext", getLogPrefix());
            return null;
        }
        final X509Certificate cert = (X509Certificate) presented;

        // Read the field once; it cannot change after initialization (@ThreadSafeAfterInit).
        final TrustEngine<? super X509Credential> engine = trustEngine;
        if (engine == null) {
            // SECURITY: nothing in this class checks the certificate's signature, validity period,
            // issuer or revocation status in this branch. The Subject's principal becomes whatever
            // subject DN the presented certificate carries, so this configuration is only sound when
            // trust was established upstream (e.g. by the TLS layer's client-cert verification).
            log.debug("{} No trust engine configured, certificate will be trusted", getLogPrefix());
        } else {
            validateWithTrustEngine(engine, cert, certContext, profileRequestContext, authenticationContext,
                    errorHandler);
        }

        log.info("{} Login by '{}' succeeded", getLogPrefix(), cert.getSubjectX500Principal().getName());
        return populateSubject(cert);
    }

    /**
     * Runs the certificate through the trust engine, reporting and throwing on failure.
     *
     * @param engine the trust engine to use
     * @param cert the end-entity certificate
     * @param certContext the context supplying any intermediate certificates
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @param errorHandler optional error handler
     *
     * @throws Exception {@link LoginException} if the engine returns false, or the engine's own
     *   {@link SecurityException}
     */
    private void validateWithTrustEngine(@Nonnull final TrustEngine<? super X509Credential> engine,
            @Nonnull final X509Certificate cert, @Nonnull final CertificateContext certContext,
            @Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nullable final CredentialValidator.ErrorHandler errorHandler) throws Exception {

        log.debug("{} Attempting to validate certificate using trust engine", getLogPrefix());
        try {
            final BasicX509Credential credential = buildCredential(cert, certContext);
            // An empty CriteriaSet: the engine applies only its own configured trust rules
            // (anchors, chain building, etc.) with no caller-supplied constraints.
            if (engine.validate(credential, new CriteriaSet())) {
                log.debug("{} Trust engine validated X.509 certificate", getLogPrefix());
                return;
            }
            log.warn("{} Trust engine failed to validate X.509 certificate", getLogPrefix());
            throw reportFailure(profileRequestContext, authenticationContext, errorHandler,
                    new LoginException("InvalidCredentials"));
        } catch (final SecurityException e) {
            log.error("{} Exception raised by trust engine", getLogPrefix(), e);
            throw reportFailure(profileRequestContext, authenticationContext, errorHandler, e);
        }
    }

    /**
     * Wraps the end-entity certificate, and any X.509 intermediates the context carries, in a
     * credential for the trust engine.
     *
     * @param cert the end-entity certificate
     * @param certContext the context supplying intermediates
     *
     * @return the credential to validate
     */
    @Nonnull private BasicX509Credential buildCredential(@Nonnull final X509Certificate cert,
            @Nonnull final CertificateContext certContext) {
        final BasicX509Credential credential = new BasicX509Credential(cert);
        if (!certContext.getIntermediates().isEmpty()) {
            // The end-entity certificate goes first, then each X.509 intermediate in context order;
            // entries that are not X509Certificate instances are skipped without comment.
            // NOTE(review): this assumes getEntityCertificateChain() returns a live, mutable
            // collection retained by the credential. If the OpenSAML version in use instead builds a
            // fresh list when no chain was set, these adds are lost and the engine sees only the
            // end-entity certificate -- confirm against the library in use.
            credential.getEntityCertificateChain().add(cert);
            for (final Certificate extra : certContext.getIntermediates()) {
                if (extra instanceof X509Certificate) {
                    credential.getEntityCertificateChain().add((X509Certificate) extra);
                }
            }
        }
        return credential;
    }

    /**
     * Hands a failure to the error handler (if any) under the "InvalidCredentials" code and returns
     * it so the caller can throw it.
     *
     * @param <T> failure type
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @param errorHandler optional error handler
     * @param failure the failure to report
     *
     * @return the same failure, for throwing
     *
     * @throws Exception if the error handler itself throws
     */
    @Nonnull private <T extends Exception> T reportFailure(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nullable final CredentialValidator.ErrorHandler errorHandler, @Nonnull final T failure)
                    throws Exception {
        if (errorHandler != null) {
            errorHandler.handleError(profileRequestContext, authenticationContext, failure, "InvalidCredentials");
        }
        return failure;
    }

    /**
     * Builds a Subject from the validated certificate.
     *
     * <p>The certificate's subject DN is added as a principal; the certificate itself is added as a
     * public credential only when {@link #setSaveCertificateToCredentialSet(boolean)} was enabled.</p>
     *
     * @param cert the validated certificate
     *
     * @return the populated Subject
     */
    @Nonnull protected Subject populateSubject(@Nonnull final X509Certificate cert) {
        final Subject subject = new Subject();
        subject.getPrincipals().add(cert.getSubjectX500Principal());
        if (saveCertificateToCredentialSet) {
            subject.getPublicCredentials().add(cert);
        }
        return super.populateSubject(subject);
    }

}
