package org.opensaml.security.httpclient.impl;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import org.apache.http.HttpHost;
import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.protocol.HttpContext;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.httpclient.HttpClientSecurityConstants;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-283-10.zip:modules/system/layers/fuse/org/opensaml/3.1/opensaml-security-impl-3.1.1.jar:org/opensaml/security/httpclient/impl/TrustEngineTLSSocketFactory.class */
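/**
 * A {@link LayeredConnectionSocketFactory} decorator that, once the wrapped factory has produced a
 * TLS socket, evaluates the server's certificate chain against a {@link TrustEngine} and then runs an
 * optional {@link X509HostnameVerifier}.
 *
 * <p>The trust engine and criteria set are read from the {@link HttpContext} under
 * {@link HttpClientSecurityConstants#CONTEXT_KEY_TRUST_ENGINE} and
 * {@link HttpClientSecurityConstants#CONTEXT_KEY_CRITERIA_SET}; the outcome of the evaluation is
 * stored back under {@link HttpClientSecurityConstants#CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED}.
 * If the context carries no trust engine, this class performs no trust evaluation of its own and
 * only the wrapped factory's behaviour applies. Sockets that are not {@link SSLSocket}s are passed
 * through untouched.</p>
 *
 * <p>A socket whose trust evaluation or hostname verification fails is closed before the exception
 * propagates, so a caller is never handed an open but unverified connection.</p>
 */
public class TrustEngineTLSSocketFactory implements LayeredConnectionSocketFactory {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(TrustEngineTLSSocketFactory.class);

    /** The factory that actually creates and connects sockets. */
    @Nonnull
    private final LayeredConnectionSocketFactory wrappedFactory;

    /** Optional hostname verifier applied after trust evaluation; {@code null} disables verification. */
    @Nullable
    private final X509HostnameVerifier hostnameVerifier;

    /**
     * Constructor.
     *
     * @param factory the socket factory to wrap; must not be {@code null}
     * @param verifier the hostname verifier to apply to TLS sockets, or {@code null} to skip
     *        hostname verification in this class
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if
     *         {@code factory} is {@code null}
     */
    public TrustEngineTLSSocketFactory(final LayeredConnectionSocketFactory factory,
            final X509HostnameVerifier verifier) {
        wrappedFactory = Constraint.isNotNull(factory, "Socket factory was null");
        hostnameVerifier = verifier;
    }

    /** {@inheritDoc} Delegates to the wrapped factory; no verification happens until connect. */
    @Override // org.apache.http.conn.socket.ConnectionSocketFactory
    public Socket createSocket(final HttpContext context) throws IOException {
        return wrappedFactory.createSocket(context);
    }

    /**
     * {@inheritDoc}
     *
     * <p>After the wrapped factory connects the socket, trust evaluation and hostname verification
     * are applied; on failure the socket is closed and the exception is rethrown.</p>
     */
    @Override // org.apache.http.conn.socket.ConnectionSocketFactory
    public Socket connectSocket(final int connectTimeout, final Socket sock, final HttpHost host,
            final InetSocketAddress remoteAddress, final InetSocketAddress localAddress,
            final HttpContext context) throws IOException {
        final Socket connected =
                wrappedFactory.connectSocket(connectTimeout, sock, host, remoteAddress, localAddress, context);
        return verifyOrClose(connected, host.getHostName(), context);
    }

    /**
     * {@inheritDoc}
     *
     * <p>After the wrapped factory layers TLS over the socket, trust evaluation and hostname
     * verification against {@code target} are applied; on failure the socket is closed and the
     * exception is rethrown.</p>
     */
    @Override // org.apache.http.conn.socket.LayeredConnectionSocketFactory
    public Socket createLayeredSocket(final Socket socket, final String target, final int port,
            final HttpContext context) throws IOException {
        final Socket layered = wrappedFactory.createLayeredSocket(socket, target, port, context);
        return verifyOrClose(layered, target, context);
    }

    /**
     * Run trust evaluation and hostname verification on a socket, closing the socket if either
     * step throws so that no unverified connection leaks to the caller.
     *
     * @param socket the socket produced by the wrapped factory
     * @param hostName the host name to verify the server certificate against
     * @param context the current HTTP context
     * @return {@code socket}, unchanged, when both checks pass
     * @throws IOException if trust evaluation or hostname verification fails
     */
    @Nonnull
    private Socket verifyOrClose(@Nonnull final Socket socket, final String hostName,
            @Nonnull final HttpContext context) throws IOException {
        try {
            performTrustEval(socket, context);
            performHostnameVerification(socket, hostName, context);
        } catch (final IOException | RuntimeException e) {
            // Do not leave a connected-but-untrusted socket open behind the exception.
            closeQuietly(socket);
            throw e;
        }
        return socket;
    }

    /**
     * Close a socket, logging rather than propagating any close failure so the original
     * verification failure remains the exception the caller sees.
     *
     * @param socket the socket to close
     */
    private void closeQuietly(@Nonnull final Socket socket) {
        try {
            socket.close();
        } catch (final IOException ignored) {
            // Best-effort cleanup only; the verification failure is what matters to the caller.
            log.debug("Error closing socket after failed TLS verification", ignored);
        }
    }

    /**
     * Evaluate the server's TLS credential against the {@link TrustEngine} supplied in the context.
     *
     * <p>Evaluation is skipped (with a debug log) when the socket is not an {@link SSLSocket} or
     * when the context holds no trust engine. When no criteria set is supplied, a default set
     * containing a {@link UsageCriterion} of {@link UsageType#SIGNING} is used. The boolean result
     * is recorded in the context under
     * {@link HttpClientSecurityConstants#CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED}.</p>
     *
     * @param socket the socket whose peer credential is evaluated
     * @param context the current HTTP context, supplying the trust engine and criteria set
     * @throws SSLPeerUnverifiedException if the trust engine evaluates the credential as untrusted,
     *         or if no usable peer certificate chain is available
     * @throws IOException if the trust engine itself fails while evaluating
     */
    protected void performTrustEval(@Nonnull final Socket socket, @Nonnull final HttpContext context)
            throws IOException {
        if (!(socket instanceof SSLSocket)) {
            log.debug("Socket was not an instance of SSLSocket, skipping trust eval");
            return;
        }
        final SSLSocket sslSocket = (SSLSocket) socket;

        log.debug("Attempting to evaluate server TLS credential against supplied TrustEngine and CriteriaSet");

        // The context attribute is untyped; the cast to the wildcard type is unchecked by nature.
        @SuppressWarnings("unchecked")
        final TrustEngine<? super X509Credential> trustEngine = (TrustEngine<? super X509Credential>)
                context.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE);
        if (trustEngine == null) {
            log.debug("No trust engine supplied by caller, skipping trust eval");
            return;
        }
        log.trace("Saw trust engine of type: {}", trustEngine.getClass().getName());

        CriteriaSet criteriaSet = (CriteriaSet) context.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_CRITERIA_SET);
        if (criteriaSet == null) {
            log.debug("No criteria set supplied by caller, building new criteria set with signing criteria");
            criteriaSet = new CriteriaSet(new Criterion[]{new UsageCriterion(UsageType.SIGNING)});
        } else {
            log.trace("Saw CriteriaSet: {}", criteriaSet);
        }

        try {
            final boolean trusted = trustEngine.validate(extractCredential(sslSocket), criteriaSet);
            context.setAttribute(HttpClientSecurityConstants.CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED,
                    Boolean.valueOf(trusted));
            if (trusted) {
                log.debug("Credential evaluated as trusted");
            } else {
                log.debug("Credential evaluated as untrusted");
                throw new SSLPeerUnverifiedException("Trust engine could not establish trust of server TLS credential");
            }
        } catch (final SecurityException e) {
            log.error("Trust engine error evaluating credential", e);
            throw new IOException("Trust engine error evaluating credential", e);
        }
    }

    /**
     * Build an {@link X509Credential} from the peer certificate chain of the socket's session.
     *
     * <p>The first certificate in the chain becomes the entity certificate and the whole chain is
     * set as the entity certificate chain.</p>
     *
     * @param sslSocket the TLS socket whose session supplies the peer certificates
     * @return the credential representing the server's certificate chain
     * @throws SSLPeerUnverifiedException if the peer was not verified, the chain is absent or empty,
     *         or the chain contains a certificate that is not an {@link X509Certificate}
     * @throws IOException on other I/O failures
     */
    @Nonnull
    protected X509Credential extractCredential(@Nonnull final SSLSocket sslSocket) throws IOException {
        final Certificate[] peerCerts = sslSocket.getSession().getPeerCertificates();
        if (peerCerts == null || peerCerts.length < 1) {
            throw new SSLPeerUnverifiedException("SSLSession peer certificates array was null or empty");
        }

        final List<X509Certificate> chain = new ArrayList<>(peerCerts.length);
        for (final Certificate cert : peerCerts) {
            // Reject rather than ClassCastException on a non-X.509 peer certificate.
            if (!(cert instanceof X509Certificate)) {
                throw new SSLPeerUnverifiedException(
                        "SSLSession peer certificate was not an X509Certificate: " + cert.getType());
            }
            chain.add((X509Certificate) cert);
        }

        final BasicX509Credential credential = new BasicX509Credential(chain.get(0));
        credential.setEntityCertificateChain(chain);
        return credential;
    }

    /**
     * Verify the server certificate against the expected host name using the configured verifier.
     *
     * <p>A no-op when no verifier is configured or the socket is not an {@link SSLSocket}.</p>
     *
     * @param socket the socket to verify
     * @param hostName the expected host name
     * @param context the current HTTP context (currently unused)
     * @throws IOException if the verifier rejects the certificate for {@code hostName}
     */
    protected void performHostnameVerification(final Socket socket, final String hostName,
            final HttpContext context) throws IOException {
        if (hostnameVerifier == null || !(socket instanceof SSLSocket)) {
            return;
        }
        hostnameVerifier.verify(hostName, (SSLSocket) socket);
    }
}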
