package org.opensaml.xml.security.x509;

import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-216-05.zip:modules/system/layers/fuse/org/opensaml/xmltooling/1.4.1/xmltooling-1.4.1.jar:org/opensaml/xml/security/x509/BasicX509CredentialNameEvaluator.class */
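/**
 * Evaluates whether a credential's entity certificate carries one of a caller-supplied set of
 * trusted names.
 *
 * <p>Up to three checks are run, in order, and the first one that matches wins:</p>
 * <ol>
 *   <li>subject alternative names of the types in {@link #getSubjectAltNameTypes()}
 *       (DNS and URI by default), compared for exact equality against the trusted names;</li>
 *   <li>the first common name (CN) of the subject DN, compared for exact equality;</li>
 *   <li>the full subject DN, compared via {@link X500Principal#equals(Object)} against each
 *       trusted name that parses as a DN.</li>
 * </ol>
 *
 * <p>Two cases deliberately <em>pass</em> without inspecting the certificate: when no check is
 * enabled, and when the supplied trusted-name set is {@code null} or empty. Callers that intend
 * "trust nothing" must therefore not pass an empty set.</p>
 *
 * <p>Not thread-safe with respect to configuration: the setters and the mutable set returned by
 * {@link #getSubjectAltNameTypes()} are expected to be used before the evaluator is shared.</p>
 */
public class BasicX509CredentialNameEvaluator implements X509CredentialNameEvaluator {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(BasicX509CredentialNameEvaluator.class);

    /** Whether trusted names are matched against the certificate's subject alternative names. */
    private boolean checkSubjectAltNames;

    /** Whether trusted names are matched against the first CN of the certificate's subject DN. */
    private boolean checkSubjectDNCommonName;

    /** Whether trusted names are parsed as DNs and matched against the full subject DN. */
    private boolean checkSubjectDN;

    /** Handler used to parse trusted names as DNs and to render DNs for logging. */
    private X500DNHandler x500DNHandler = new InternalX500DNHandler();

    /**
     * Subject alt name types (GeneralName type codes from {@link X509Util}) considered by the
     * alt-name check. Exposed as a live, mutable set so callers can adjust the defaults.
     */
    private final Set<Integer> subjectAltNameTypes = new HashSet<Integer>(5);

    /**
     * Creates an evaluator with all three checks enabled and DNS and URI subject alt names
     * considered.
     */
    public BasicX509CredentialNameEvaluator() {
        setCheckSubjectAltNames(true);
        setCheckSubjectDNCommonName(true);
        setCheckSubjectDN(true);
        subjectAltNameTypes.add(X509Util.DNS_ALT_NAME);
        subjectAltNameTypes.add(X509Util.URI_ALT_NAME);
    }

    /**
     * Whether at least one name check is enabled.
     *
     * @return true if any of the alt-name, common-name or subject-DN checks is active
     */
    public boolean isNameCheckingActive() {
        return checkSubjectAltNames() || checkSubjectDNCommonName() || checkSubjectDN();
    }

    /**
     * Returns the live set of subject alt name types considered by the alt-name check.
     * Modifications to the returned set take effect on subsequent evaluations.
     *
     * @return the mutable set of alt name type codes
     */
    public Set<Integer> getSubjectAltNameTypes() {
        return subjectAltNameTypes;
    }

    /**
     * Whether the subject alt name check is enabled.
     *
     * @return true if subject alt names are examined
     */
    public boolean checkSubjectAltNames() {
        return checkSubjectAltNames;
    }

    /**
     * Enables or disables the subject alt name check.
     *
     * @param check true to examine subject alt names
     */
    public void setCheckSubjectAltNames(boolean check) {
        checkSubjectAltNames = check;
    }

    /**
     * Whether the subject DN common name check is enabled.
     *
     * @return true if the subject DN's first CN is examined
     */
    public boolean checkSubjectDNCommonName() {
        return checkSubjectDNCommonName;
    }

    /**
     * Enables or disables the subject DN common name check.
     *
     * @param check true to examine the subject DN's first CN
     */
    public void setCheckSubjectDNCommonName(boolean check) {
        checkSubjectDNCommonName = check;
    }

    /**
     * Whether the full subject DN check is enabled.
     *
     * @return true if the full subject DN is examined
     */
    public boolean checkSubjectDN() {
        return checkSubjectDN;
    }

    /**
     * Enables or disables the full subject DN check.
     *
     * @param check true to examine the full subject DN
     */
    public void setCheckSubjectDN(boolean check) {
        checkSubjectDN = check;
    }

    /**
     * Returns the handler used to parse and render X.500 distinguished names.
     *
     * @return the DN handler, never null
     */
    public X500DNHandler getX500DNHandler() {
        return x500DNHandler;
    }

    /**
     * Sets the handler used to parse and render X.500 distinguished names.
     *
     * @param handler the DN handler to use
     * @throws IllegalArgumentException if {@code handler} is null
     */
    public void setX500DNHandler(X500DNHandler handler) {
        if (handler == null) {
            throw new IllegalArgumentException("X500DNHandler may not be null");
        }
        x500DNHandler = handler;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Returns {@code true} without examining the credential when no check is enabled or when
     * {@code trustedNames} is null or empty; otherwise delegates to
     * {@link #processNameChecks(X509Credential, Set)}.</p>
     */
    @Override // org.opensaml.xml.security.x509.X509CredentialNameEvaluator
    public boolean evaluate(X509Credential credential, Set<String> trustedNames) throws SecurityException {
        if (!isNameCheckingActive()) {
            log.debug("No trusted name options are active, skipping name evaluation");
            return true;
        }
        // An absent or empty trusted-name set means "no name constraint", not "trust nothing".
        if (trustedNames == null || trustedNames.isEmpty()) {
            log.debug("Supplied trusted names are null or empty, skipping name evaluation");
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("Checking trusted names against credential: {}",
                    X509Util.getIdentifiersToken(credential, x500DNHandler));
            log.debug("Trusted names being evaluated are: {}", trustedNames);
        }
        return processNameChecks(credential, trustedNames);
    }

    /**
     * Runs the enabled checks against the credential's entity certificate, stopping at the first
     * match.
     *
     * @param credential the credential whose entity certificate is examined
     * @param trustedNames the non-empty set of trusted names
     * @return true if any enabled check matched; false otherwise, including when the credential
     *         carries no entity certificate
     */
    protected boolean processNameChecks(X509Credential credential, Set<String> trustedNames) {
        X509Certificate entityCertificate = credential.getEntityCertificate();
        if (entityCertificate == null) {
            // Fail closed: there is nothing to compare the trusted names against.
            log.error("Credential failed name check: no entity certificate present");
            return false;
        }

        if (checkSubjectAltNames() && processSubjectAltNames(entityCertificate, trustedNames)) {
            logNameCheckPassed(credential, "subject alt names");
            return true;
        }
        if (checkSubjectDNCommonName() && processSubjectDNCommonName(entityCertificate, trustedNames)) {
            logNameCheckPassed(credential, "subject common name");
            return true;
        }
        if (checkSubjectDN() && processSubjectDN(entityCertificate, trustedNames)) {
            logNameCheckPassed(credential, "subject DN");
            return true;
        }

        log.error("Credential failed name check: {}", X509Util.getIdentifiersToken(credential, x500DNHandler));
        return false;
    }

    /**
     * Emits the debug-level "passed" message for a credential, building the identifiers token
     * only when debug logging is enabled.
     *
     * @param credential the credential that passed
     * @param basis short description of the check that matched
     */
    private void logNameCheckPassed(X509Credential credential, String basis) {
        if (log.isDebugEnabled()) {
            log.debug("Credential {} passed name check based on {}.",
                    X509Util.getIdentifiersToken(credential, x500DNHandler), basis);
        }
    }

    /**
     * Matches the first common name (CN) of the certificate's subject DN against the trusted
     * names. Only the first CN is considered, and comparison is exact (case-sensitive) via
     * {@link Set#contains(Object)}.
     *
     * @param certificate the certificate to examine
     * @param trustedNames the trusted names
     * @return true if the first CN is non-empty and present in {@code trustedNames}
     */
    protected boolean processSubjectDNCommonName(X509Certificate certificate, Set<String> trustedNames) {
        log.debug("Processing subject DN common name");

        List<String> commonNames = X509Util.getCommonNames(certificate.getSubjectX500Principal());
        if (commonNames == null || commonNames.isEmpty()) {
            return false;
        }

        String commonName = commonNames.get(0);
        log.debug("Extracted common name from certificate: {}", commonName);
        if (DatatypeHelper.isEmpty(commonName) || !trustedNames.contains(commonName)) {
            return false;
        }

        log.debug("Matched subject DN common name to trusted names: {}", commonName);
        return true;
    }

    /**
     * Matches the certificate's full subject DN against each trusted name that the configured
     * {@link X500DNHandler} can parse as a DN. Trusted names that do not parse (e.g. DNS names
     * or URIs intended for the other checks) are skipped rather than treated as an error.
     *
     * @param certificate the certificate to examine
     * @param trustedNames the trusted names
     * @return true if the subject principal equals any parsed trusted-name principal
     */
    protected boolean processSubjectDN(X509Certificate certificate, Set<String> trustedNames) {
        log.debug("Processing subject DN");

        X500Principal subjectPrincipal = certificate.getSubjectX500Principal();
        if (log.isDebugEnabled()) {
            log.debug("Extracted X500Principal from certificate: {}", x500DNHandler.getName(subjectPrincipal));
        }

        for (String trustedName : trustedNames) {
            X500Principal trustedPrincipal;
            try {
                trustedPrincipal = x500DNHandler.parse(trustedName);
            } catch (IllegalArgumentException e) {
                // Not a DN; nothing to compare. Continue with the remaining names instead of
                // reaching the comparison with an unassigned principal.
                log.debug("Trusted name was not a DN or could not be parsed: {}", trustedName);
                continue;
            }
            log.debug("Evaluating principal successfully parsed from trusted name: {}", trustedName);

            if (subjectPrincipal.equals(trustedPrincipal)) {
                if (log.isDebugEnabled()) {
                    log.debug("Matched subject DN to trusted names: {}", x500DNHandler.getName(subjectPrincipal));
                }
                return true;
            }
        }
        return false;
    }

    /**
     * Matches the certificate's subject alternative names of the configured types against the
     * trusted names. Comparison is exact via {@link Set#contains(Object)}.
     *
     * @param certificate the certificate to examine
     * @param trustedNames the trusted names
     * @return true if any extracted alt name is present in {@code trustedNames}
     */
    protected boolean processSubjectAltNames(X509Certificate certificate, Set<String> trustedNames) {
        log.debug("Processing subject alt names");

        Integer[] nameTypes = subjectAltNameTypes.toArray(new Integer[subjectAltNameTypes.size()]);
        List<?> altNames = X509Util.getAltNames(certificate, nameTypes);
        if (altNames == null) {
            return false;
        }
        log.debug("Extracted subject alt names from certificate: {}", altNames);

        for (Object altName : altNames) {
            if (trustedNames.contains(altName)) {
                log.debug("Matched subject alt name to trusted names: {}", altName);
                return true;
            }
        }
        return false;
    }
}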
