package org.opensaml.xmlsec.signature.support.impl;

import java.util.Iterator;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.x509.PKIXTrustEngine;
import org.opensaml.security.x509.PKIXTrustEvaluator;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.security.x509.PKIXValidationInformationResolver;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator;
import org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator;
import org.opensaml.security.x509.impl.X509CredentialNameEvaluator;
import org.opensaml.xmlsec.crypto.XMLSigningUtil;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-343-07.zip:modules/system/layers/fuse/org/opensaml/3.1/opensaml-xmlsec-impl-3.1.1.jar:org/opensaml/xmlsec/signature/support/impl/PKIXSignatureTrustEngine.class */
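/**
 * Signature trust engine that establishes trust in a signing credential through PKIX path
 * validation.
 *
 * <p>Both the XML {@link Signature} path and the raw-signature path resolve a trust basis
 * ({@link #resolveValidationInfo(CriteriaSet)}) consisting of an optional set of trusted names and
 * the {@link PKIXValidationInformation} to validate against, and then hand the candidate credential
 * to {@link #evaluateTrust(Credential, Pair)}. Every failure or error path in this class fails
 * closed (returns {@code false}); trust is only reported when the configured
 * {@link PKIXTrustEvaluator} accepts the credential against at least one validation information
 * set.</p>
 *
 * <p>Trusted-name checking is advisory in two cases: when no {@link X509CredentialNameEvaluator}
 * was supplied (second constructor with {@code null}), and when the resolver does not support
 * trusted name resolution (names resolve to {@code null}). In both cases the name check is skipped
 * and only path validation is performed, which deployers should be aware of when relying on name
 * matching to constrain which certificates may sign.</p>
 */
public class PKIXSignatureTrustEngine extends BaseSignatureTrustEngine<Pair<Set<String>, Iterable<PKIXValidationInformation>>> implements PKIXTrustEngine<Signature> {

    /** Class logger. */
    private final Logger log;

    /** Source of trusted names and PKIX validation information. */
    private final PKIXValidationInformationResolver pkixResolver;

    /** Performs the PKIX path validation of the candidate credential. */
    private final PKIXTrustEvaluator pkixTrustEvaluator;

    /** Checks the candidate credential against trusted names; {@code null} disables the check. */
    private final X509CredentialNameEvaluator credNameEvaluator;

    /**
     * Constructor using the default {@link CertPathPKIXTrustEvaluator} and
     * {@link BasicX509CredentialNameEvaluator}.
     *
     * @param pKIXValidationInformationResolver resolver for trusted names and PKIX validation
     *            information, must not be null
     * @param keyInfoCredentialResolver resolver used by the base engine to obtain candidate
     *            credentials from KeyInfo
     */
    public PKIXSignatureTrustEngine(@Nonnull PKIXValidationInformationResolver pKIXValidationInformationResolver, @Nonnull KeyInfoCredentialResolver keyInfoCredentialResolver) {
        this(pKIXValidationInformationResolver, keyInfoCredentialResolver,
                new CertPathPKIXTrustEvaluator(), new BasicX509CredentialNameEvaluator());
    }

    /**
     * Constructor.
     *
     * @param pKIXValidationInformationResolver resolver for trusted names and PKIX validation
     *            information, must not be null
     * @param keyInfoCredentialResolver resolver used by the base engine to obtain candidate
     *            credentials from KeyInfo
     * @param pKIXTrustEvaluator evaluator performing PKIX path validation, must not be null
     * @param x509CredentialNameEvaluator evaluator for trusted-name checks; passing {@code null}
     *            skips trusted-name evaluation entirely
     */
    public PKIXSignatureTrustEngine(@Nonnull PKIXValidationInformationResolver pKIXValidationInformationResolver, @Nonnull KeyInfoCredentialResolver keyInfoCredentialResolver, @Nonnull PKIXTrustEvaluator pKIXTrustEvaluator, @Nullable X509CredentialNameEvaluator x509CredentialNameEvaluator) {
        super(keyInfoCredentialResolver);
        log = LoggerFactory.getLogger(PKIXSignatureTrustEngine.class);
        pkixResolver = Constraint.isNotNull(pKIXValidationInformationResolver, "PKIX trust information resolver cannot be null");
        pkixTrustEvaluator = Constraint.isNotNull(pKIXTrustEvaluator, "PKIX trust evaluator cannot be null");
        credNameEvaluator = x509CredentialNameEvaluator;
    }

    /**
     * Gets the evaluator performing PKIX path validation.
     *
     * @return the PKIX trust evaluator, never null
     */
    @Nonnull
    public PKIXTrustEvaluator getPKIXTrustEvaluator() {
        return pkixTrustEvaluator;
    }

    /**
     * Gets the evaluator used for trusted-name checks.
     *
     * @return the credential name evaluator, or {@code null} if name checking is disabled
     */
    @Nullable
    public X509CredentialNameEvaluator getX509CredentialNameEvaluator() {
        return credNameEvaluator;
    }

    /** {@inheritDoc} */
    @Override // org.opensaml.security.x509.PKIXTrustEngine
    @Nonnull
    public PKIXValidationInformationResolver getPKIXResolver() {
        return pkixResolver;
    }

    /**
     * Validates an XML signature: resolves the PKIX trust basis for the criteria and delegates to
     * the base engine's {@code validate(Signature, trustBasis)}.
     *
     * @param signature the XML signature to validate
     * @param criteriaSet criteria used to resolve trusted names and validation information
     * @return true if the signature verifies with a credential whose trust was established
     * @throws SecurityException if the trust basis cannot be resolved
     */
    @Override // org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine
    protected boolean doValidate(@Nonnull Signature signature, @Nullable CriteriaSet criteriaSet) throws SecurityException {
        // The decompiled form cast the Pair to Signature here; the trust basis is passed as-is.
        if (validate(signature, resolveValidationInfo(criteriaSet))) {
            return true;
        }
        log.debug("PKIX validation of signature failed, unable to resolve valid and trusted signing key");
        return false;
    }

    /**
     * Validates a raw signature with the supplied candidate credential and then establishes trust
     * of that credential via PKIX. The byte arrays and algorithm URI are passed through unchanged
     * to {@link XMLSigningUtil#verifyWithURI(Credential, String, byte[], byte[])}.
     *
     * @param signature the raw signature bytes
     * @param content the signed content bytes
     * @param algorithmURI the signature algorithm URI
     * @param criteriaSet criteria used to resolve trusted names and validation information
     * @param credential the candidate verification credential; a null credential, or one without a
     *            verification key, is rejected because this engine cannot derive a key itself
     * @return true only if the signature verifies and the credential's trust is established
     * @throws SecurityException if the trust basis cannot be resolved
     */
    @Override // org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine
    protected boolean doValidate(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nullable CriteriaSet criteriaSet, @Nullable Credential credential) throws SecurityException {
        if (credential == null || CredentialSupport.extractVerificationKey(credential) == null) {
            log.debug("Candidate credential was either not supplied or did not contain verification key");
            log.debug("PKIX trust engine requires supplied key, skipping PKIX trust evaluation");
            return false;
        }
        Pair<Set<String>, Iterable<PKIXValidationInformation>> validationInfo = resolveValidationInfo(criteriaSet);
        try {
            if (XMLSigningUtil.verifyWithURI(credential, algorithmURI, signature, content)) {
                log.debug("Successfully verified raw signature using supplied candidate credential");
                log.debug("Attempting to establish trust of supplied candidate credential");
                if (evaluateTrust(credential, validationInfo)) {
                    log.debug("Successfully established trust of supplied candidate credential");
                    return true;
                }
                log.debug("Failed to establish trust of supplied candidate credential");
            } else {
                log.debug("Cryptographic verification of raw signature failed with candidate credential");
            }
        } catch (SecurityException e) {
            // Was an empty catch: keep failing closed, but record the cause so a misconfigured
            // evaluator or malformed input is diagnosable instead of silently reading as "untrusted".
            log.debug("Error verifying raw signature or evaluating trust of candidate credential", e);
        }
        log.debug("PKIX validation of raw signature failed, unable to establish trust of supplied verification credential");
        return false;
    }

    /**
     * Evaluates trust of a candidate credential against the resolved PKIX trust basis.
     *
     * <p>Only {@link X509Credential}s can be evaluated. The credential is first checked against the
     * trusted names (see {@link #checkNames(Set, X509Credential)}), then path-validated against each
     * {@link PKIXValidationInformation} in turn; the first successful validation establishes trust.
     * An error while validating against one information set is logged and the remaining sets are
     * still tried.</p>
     *
     * @param credential the candidate credential
     * @param pair the trust basis: trusted names (may be null) and validation information; a null
     *            pair or null validation information yields {@code false}
     * @return true if trust was established via PKIX validation
     * @throws SecurityException if the trusted-name evaluator reports an error
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine
    public boolean evaluateTrust(@Nonnull Credential credential, @Nullable Pair<Set<String>, Iterable<PKIXValidationInformation>> pair) throws SecurityException {
        if (!(credential instanceof X509Credential)) {
            log.debug("Can not evaluate trust of non-X509Credential");
            return false;
        }
        X509Credential untrustedCredential = (X509Credential) credential;

        // A null trust basis carries nothing to validate against: fail closed instead of NPE.
        Iterable<PKIXValidationInformation> validationInfoSet = pair == null ? null : pair.getSecond();
        if (validationInfoSet == null) {
            log.debug("PKIX validation information not available. Aborting PKIX validation");
            return false;
        }

        if (!checkNames(pair.getFirst(), untrustedCredential)) {
            log.debug("Evaluation of credential against trusted names failed. Aborting PKIX validation");
            return false;
        }

        for (PKIXValidationInformation validationInfo : validationInfoSet) {
            try {
                // The validate call belongs inside the try: in the decompiled form it sat outside,
                // so the catch below could never run and one failing set aborted all others.
                if (pkixTrustEvaluator.validate(validationInfo, untrustedCredential)) {
                    log.debug("Signature trust established via PKIX validation of signing credential");
                    return true;
                }
            } catch (SecurityException e) {
                log.debug("Error performing PKIX validation on untrusted credential", e);
            }
        }
        log.debug("Signature trust could not be established via PKIX validation of signing credential");
        return false;
    }

    /**
     * Resolves the PKIX trust basis for the given criteria.
     *
     * <p>Trusted names are resolved only if the resolver reports support for it; otherwise the
     * first element of the returned pair is {@code null}, which {@link #checkNames} treats as
     * "skip name checking".</p>
     *
     * @param criteriaSet the resolution criteria, may be null
     * @return the pair of trusted names (possibly null) and validation information, never null
     * @throws SecurityException if either resolution step fails
     */
    @Nonnull
    protected Pair<Set<String>, Iterable<PKIXValidationInformation>> resolveValidationInfo(@Nullable CriteriaSet criteriaSet) throws SecurityException {
        Set<String> trustedNames = null;
        if (pkixResolver.supportsTrustedNameResolution()) {
            try {
                trustedNames = pkixResolver.resolveTrustedNames(criteriaSet);
            } catch (ResolverException | UnsupportedOperationException e) {
                throw new SecurityException("Error resolving trusted names", e);
            }
        } else {
            log.debug("PKIX resolver does not support resolution of trusted names, skipping name checking");
        }

        Iterable<PKIXValidationInformation> validationInfo;
        try {
            validationInfo = pkixResolver.resolve(criteriaSet);
        } catch (ResolverException e) {
            throw new SecurityException("Error resolving trusted PKIX validation information", e);
        }
        return new Pair<>(trustedNames, validationInfo);
    }

    /**
     * Checks the candidate credential against the trusted names.
     *
     * <p>Returns {@code true} without evaluating when no name evaluator is configured or when the
     * trusted names are {@code null} (resolver does not support name resolution). Any other outcome
     * is decided by the configured {@link X509CredentialNameEvaluator}.</p>
     *
     * @param trustedNames the trusted names, may be null
     * @param untrustedCredential the candidate credential
     * @return true if the name check passes or is skipped
     * @throws SecurityException if the name evaluator reports an error
     */
    protected boolean checkNames(@Nullable Set<String> trustedNames, @Nonnull X509Credential untrustedCredential) throws SecurityException {
        if (credNameEvaluator == null) {
            log.debug("No credential name evaluator was available, skipping trusted name evaluation");
            return true;
        }
        if (trustedNames == null) {
            log.debug("Trusted names was null, signalling PKIX resolver does not support trusted names resolution, skipping trusted name evaluation");
            return true;
        }
        return credNameEvaluator.evaluate(untrustedCredential, trustedNames);
    }
}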
