package net.shibboleth.idp.profile.spring.resource.impl;

import com.google.common.base.Predicates;
import com.google.common.collect.Collections2;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.ext.spring.resource.FileBackedHTTPResource;
import net.shibboleth.ext.spring.resource.HTTPResource;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.httpclient.HttpClientContextHandler;
import org.apache.http.client.HttpClient;
import org.cryptacular.EncodingException;
import org.cryptacular.StreamException;
import org.cryptacular.util.KeyPairUtil;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.httpclient.HttpClientSecurityContextHandler;
import org.opensaml.security.httpclient.HttpClientSecurityParameters;
import org.opensaml.security.trust.impl.ExplicitKeyTrustEngine;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Support;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;
import org.opensaml.security.x509.impl.X509CredentialNameEvaluator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.FatalBeanException;
import org.springframework.beans.factory.config.AbstractFactoryBean;
import org.springframework.core.io.Resource;

/* loaded from: input_file:net/shibboleth/idp/profile/spring/resource/impl/HTTPResourceFactoryBean.class */
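/**
 * Spring factory bean that builds an {@link HTTPResource} (or a {@link FileBackedHTTPResource} when a
 * backing file is configured) and attaches the handler that decides TLS server trust for it.
 *
 * <p>Exactly one source of TLS trust is used, chosen in this order:</p>
 * <ol>
 * <li>an explicitly supplied {@link HttpClientContextHandler}; any configured keys/certificates are ignored;</li>
 * <li>PKIX validation against the configured certificates when {@code usePKIX} is set; configured public
 * keys are ignored;</li>
 * <li>otherwise explicit-key trust over the configured public keys and certificates.</li>
 * </ol>
 *
 * <p>Trust material that cannot be read or decoded aborts bean creation with a {@link FatalBeanException},
 * so a resource is never produced with only part of the configured trust set.</p>
 */
public class HTTPResourceFactoryBean extends AbstractFactoryBean<HTTPResource> {

    /** Path of the local file backing the resource; {@code null} selects a plain {@link HTTPResource}. */
    @Nullable
    private String backingResource;

    /** HTTP client handed to the created resource. */
    @Nullable
    private HttpClient httpClient;

    /** URL the created resource fetches. */
    @Nullable
    private URL resourceURL;

    /** Caller-supplied context handler; when set it replaces all auto-wired trust handling. */
    @Nullable
    private HttpClientContextHandler httpClientContextHandler;

    /** Whether the configured certificates are used as PKIX trust anchors instead of explicit keys. */
    private boolean usePKIX;

    /** Verification depth passed to the PKIX validation information; may be {@code null}. */
    @Nullable
    private Integer verifyDepth;

    /*
     * The logger category is FileBackedHTTPResource, not this class. It is kept as found so that existing
     * logging configuration keeps matching these messages.
     */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(FileBackedHTTPResource.class);

    /** Resources holding trusted public keys; never {@code null}. */
    @Nonnull
    private List<Resource> keyResources = Collections.emptyList();

    /** Resources holding trusted certificates; never {@code null}. */
    @Nonnull
    private List<Resource> certificateResources = Collections.emptyList();

    /**
     * Sets the URL of the resource to fetch.
     *
     * @param url the resource URL
     */
    public void setURL(@Nullable URL url) {
        this.resourceURL = url;
    }

    /**
     * Sets the path of the local backing file.
     *
     * @param str the backing file path, or {@code null} for a resource without a backing file
     */
    public void setBackingResource(@NotEmpty @Nullable String str) {
        this.backingResource = str;
    }

    /**
     * Sets the HTTP client used by the created resource.
     *
     * @param httpClient the client
     */
    public void setHttpClient(@Nullable HttpClient httpClient) {
        this.httpClient = httpClient;
    }

    /**
     * Sets an explicit context handler. When non-null, the keys, certificates and {@code usePKIX} setting
     * are not used to build a trust engine.
     *
     * @param httpClientContextHandler the handler, or {@code null} to auto-wire one
     */
    public void setHttpClientContextHandler(@Nullable HttpClientContextHandler httpClientContextHandler) {
        this.httpClientContextHandler = httpClientContextHandler;
    }

    /**
     * Sets the resources holding trusted public keys.
     *
     * @param list the key resources; {@code null} is treated as an empty list
     */
    public void setPublicKeys(@Nullable List<Resource> list) {
        this.keyResources = list != null ? list : Collections.<Resource>emptyList();
    }

    /**
     * Sets the resources holding trusted certificates.
     *
     * @param list the certificate resources; {@code null} is treated as an empty list
     */
    public void setCertificates(@Nullable List<Resource> list) {
        this.certificateResources = list != null ? list : Collections.<Resource>emptyList();
    }

    /**
     * Selects PKIX validation (certificates as trust anchors) instead of explicit-key trust.
     *
     * @param z {@code true} to use PKIX validation
     */
    public void setUsePKIX(boolean z) {
        this.usePKIX = z;
    }

    /**
     * Sets the verification depth handed to the PKIX validation information.
     *
     * @param num the depth, or {@code null}
     */
    public void setVerifyDepth(@Nullable Integer num) {
        this.verifyDepth = num;
    }

    /**
     * Decodes every configured public key and certificate into a credential for explicit-key trust.
     *
     * @return one credential per public key resource followed by one per decoded, non-null certificate
     * @throws FatalBeanException if a key or certificate resource cannot be read or decoded
     */
    @NonnullElements
    @Nullable
    protected List<Credential> getCredentials() {
        final List<Credential> credentials =
                new ArrayList<>(this.keyResources.size() + this.certificateResources.size());

        for (final Resource resource : this.keyResources) {
            // try-with-resources closes the stream on the failure path as well as on success.
            try (InputStream in = resource.getInputStream()) {
                credentials.add(new BasicCredential(KeyPairUtil.readPublicKey(in)));
            } catch (EncodingException | StreamException | IOException e) {
                this.log.error("Could not decode public key from {}", resource.getDescription(), e);
                throw new FatalBeanException("Could not decode public key from: " + resource.getDescription(), e);
            }
        }

        for (final Resource resource : this.certificateResources) {
            try (InputStream in = resource.getInputStream()) {
                for (final X509Certificate certificate
                        : Collections2.filter(X509Support.decodeCertificates(in), Predicates.notNull())) {
                    credentials.add(new BasicX509Credential(certificate));
                }
            } catch (IOException | CertificateException e) {
                this.log.error("Could not decode certificate from {}", resource.getDescription(), e);
                throw new FatalBeanException("Could not decode certificate from: " + resource.getDescription(), e);
            }
        }
        return credentials;
    }

    /**
     * Decodes every configured certificate for use as a PKIX trust anchor.
     *
     * <p>Null entries are dropped, as in {@link #getCredentials()}, so the result honours
     * {@code @NonnullElements} and no null anchor reaches the validation information.</p>
     *
     * @return the decoded certificates, in resource order; empty when none are configured
     * @throws FatalBeanException if a certificate resource cannot be read or decoded
     */
    @NonnullElements
    @Nullable
    protected List<X509Certificate> getCertificates() {
        final List<X509Certificate> certificates = new ArrayList<>(this.certificateResources.size());
        for (final Resource resource : this.certificateResources) {
            try (InputStream in = resource.getInputStream()) {
                certificates.addAll(
                        Collections2.filter(X509Support.decodeCertificates(in), Predicates.notNull()));
            } catch (IOException | CertificateException e) {
                this.log.error("Could not decode Certificate at {}", resource.getDescription(), e);
                throw new FatalBeanException(
                        "Could not decode provided CertificateFile: " + resource.getDescription(), e);
            }
        }
        return certificates;
    }

    /** {@inheritDoc} */
    @Override
    public Class<?> getObjectType() {
        return HTTPResource.class;
    }

    /**
     * Builds the resource and attaches the context handler that carries the TLS trust decision.
     *
     * <p>The decompiled listing carried this method as {@code m73createInstance} with widened access; the
     * name and {@code protected} access recorded in the decompiler's own comment are restored so that it
     * overrides {@link AbstractFactoryBean#createInstance()}.</p>
     *
     * @return the configured resource
     * @throws Exception if the security context handler cannot be initialized
     * @throws FatalBeanException if configured trust material cannot be read or decoded
     */
    @Override
    protected HTTPResource createInstance() throws Exception {
        // Declared as the common supertype: only one of the two branches yields the file-backed subclass.
        final HTTPResource resource;
        if (this.backingResource != null) {
            resource = new FileBackedHTTPResource(this.backingResource, this.httpClient, this.resourceURL);
        } else {
            resource = new HTTPResource(this.httpClient, this.resourceURL);
        }

        if (this.httpClientContextHandler != null) {
            // The supplied handler owns the trust decision; configured trust material is not consulted.
            if (!this.keyResources.isEmpty() || !this.certificateResources.isEmpty()) {
                this.log.warn("httpClientContextHandler set, ignoring supplied keys/certificates");
            }
            resource.setHttpClientContextHandler(this.httpClientContextHandler);
            return resource;
        }

        // NOTE(review): the auto-wired trust engine presumably only takes effect when the injected
        // HttpClient's TLS socket factory evaluates context-supplied trust engines - confirm against the
        // client's configuration.
        final HttpClientSecurityParameters parameters = new HttpClientSecurityParameters();
        if (this.usePKIX) {
            if (!this.keyResources.isEmpty()) {
                this.log.warn("usePKIX set, ignoring supplied keys");
            }
            this.log.debug("Auto-wiring PKIXX509CredentialTrustEngine into HTTPResource");
            // No trusted-name set and no name evaluator are supplied, so this engine validates the
            // certificate path only. NOTE(review): host name checking is presumably left to the
            // HttpClient - confirm. With no certificates configured the anchor list is empty.
            parameters.setTLSTrustEngine(new PKIXX509CredentialTrustEngine(
                    new StaticPKIXValidationInformationResolver(
                            Collections.singletonList(new BasicPKIXValidationInformation(
                                    getCertificates(), (Collection) null, this.verifyDepth)),
                            (Set) null,
                            false),
                    (X509CredentialNameEvaluator) null));
        } else {
            this.log.debug("Auto-wiring ExplicitKeyTrustEngine into HTTPResource");
            // With neither keys nor certificates configured the trusted credential set is empty.
            // NOTE(review): that presumably rejects every server key rather than accepting any - confirm.
            parameters.setTLSTrustEngine(
                    new ExplicitKeyTrustEngine(new StaticCredentialResolver(getCredentials())));
        }
        resource.setHttpClientContextHandler(newInitializedHandler(parameters));
        return resource;
    }

    /**
     * Wraps the given security parameters in an initialized security context handler.
     *
     * @param parameters the parameters carrying the TLS trust engine
     * @return the initialized handler
     * @throws Exception if the handler fails to initialize
     */
    private HttpClientSecurityContextHandler newInitializedHandler(
            final HttpClientSecurityParameters parameters) throws Exception {
        final HttpClientSecurityContextHandler handler = new HttpClientSecurityContextHandler();
        handler.setHttpClientSecurityParameters(parameters);
        handler.initialize();
        return handler;
    }
}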
