package org.opensaml.saml.common.binding.security.impl;

import com.google.common.base.Strings;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.ConstraintViolationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLProtocolContext;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.messaging.impl.BaseTrustEngineSecurityHandler;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureValidationParametersCriterion;

/* loaded from: input_file:org/opensaml/saml/common/binding/security/impl/BaseSAMLXMLSignatureSecurityHandler.class */
/**
 * Base class for SAML security handlers that evaluate an XML {@link Signature} on a
 * {@link SAMLObject} message, building on {@link BaseTrustEngineSecurityHandler}.
 *
 * <p>This class only assembles the {@link CriteriaSet} describing whose signing
 * credential is wanted (entity ID, role, protocol, usage, validation parameters).
 * Presumably the superclass hands that set to the trust engine; that code is not
 * part of this file.</p>
 */
public abstract class BaseSAMLXMLSignatureSecurityHandler extends BaseTrustEngineSecurityHandler<Signature, SAMLObject> {
    /**
     * Builds the criteria used to look up the peer's signing credential.
     *
     * <p>The returned set always carries the peer role, the SAML protocol and a
     * {@link UsageType#SIGNING} usage criterion. An entity ID criterion and a
     * signature validation parameters criterion are added only when available.</p>
     *
     * @param str the peer entity ID; when null or empty no {@link EntityIdCriterion}
     *        is added, so the lookup is not narrowed to one entity by this method
     * @param messageContext the message context supplying the
     *        {@link SAMLPeerEntityContext}, the {@link SAMLProtocolContext} and,
     *        optionally, the {@link SecurityParametersContext}
     * @return the populated criteria set
     * @throws MessageHandlerException if the peer entity context, its role, the
     *         protocol context or its protocol is null
     */
    @Nonnull
    protected CriteriaSet buildCriteriaSet(@Nullable String str, @Nonnull MessageContext<SAMLObject> messageContext) throws MessageHandlerException {
        final CriteriaSet criteria = new CriteriaSet();

        // NOTE(review): this criterion is constructed outside the try block, so a
        // ConstraintViolationException raised by its constructor (if it validates
        // its argument) would propagate unwrapped. Confirm that is intended.
        final boolean entityIdSupplied = !Strings.isNullOrEmpty(str);
        if (entityIdSupplied) {
            criteria.add(new EntityIdCriterion(str));
        }

        try {
            // Role and protocol are mandatory: fail closed rather than resolve
            // credentials against an under-specified criteria set.
            // NOTE(review): the role is read from the message context; verify it is
            // set by local handler configuration and not derived from the message.
            final SAMLPeerEntityContext peerContext = messageContext.getSubcontext(SAMLPeerEntityContext.class);
            Constraint.isNotNull(peerContext, "SAMLPeerEntityContext was null");
            Constraint.isNotNull(peerContext.getRole(), "SAML peer role was null");
            criteria.add(new EntityRoleCriterion(peerContext.getRole()));

            final SAMLProtocolContext protocolContext = getSAMLProtocolContext(messageContext);
            Constraint.isNotNull(protocolContext, "SAMLProtocolContext was null");
            Constraint.isNotNull(protocolContext.getProtocol(), "SAML protocol was null");
            criteria.add(new ProtocolCriterion(protocolContext.getProtocol()));

            // Only credentials usable for signing are requested.
            criteria.add(new UsageCriterion(UsageType.SIGNING));

            // Validation parameters are optional; their absence is not an error here.
            final SecurityParametersContext securityParams = messageContext.getSubcontext(SecurityParametersContext.class);
            final boolean validationParamsPresent =
                    securityParams != null && securityParams.getSignatureValidationParameters() != null;
            if (validationParamsPresent) {
                criteria.add(new SignatureValidationParametersCriterion(securityParams.getSignatureValidationParameters()));
            }
        } catch (ConstraintViolationException violation) {
            // Surface constraint failures as a handler failure, keeping the cause.
            throw new MessageHandlerException(violation);
        }

        return criteria;
    }

    /**
     * Looks up the {@link SAMLProtocolContext} attached to the message context.
     *
     * <p>The lookup passes {@code false} as the second argument, which looks like an
     * auto-create flag (confirm against the {@code MessageContext} API). The result may
     * therefore be null; {@code buildCriteriaSet} rejects a null result.</p>
     *
     * @param messageContext the message context to query
     * @return the protocol context as returned by the lookup, possibly null
     */
    protected SAMLProtocolContext getSAMLProtocolContext(@Nonnull MessageContext<SAMLObject> messageContext) {
        final SAMLProtocolContext protocolContext = messageContext.getSubcontext(SAMLProtocolContext.class, false);
        return protocolContext;
    }
}
