package org.opensaml.xml.security.x509;

import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
import org.opensaml.xml.util.DatatypeHelper;

/* loaded from: input_file:org/opensaml/xml/security/x509/PKIXTrustEvaluator.class */
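/**
 * Evaluates an untrusted {@link X509Credential} against a set of trusted names and against
 * PKIX validation information (trust anchors, intermediate certificates, CRLs).
 *
 * <p>Evaluation has two stages, both of which must pass for {@link #pkixValidate(PKIXValidationInformation, Set, X509Credential)}
 * to return {@code true}:</p>
 * <ol>
 *   <li><b>Name checking</b> ({@link #checkName}): the entity certificate must present one of the trusted
 *       names as a subject alt name, as the first CN of its subject DN, or as its whole subject DN.
 *       Each of the three strategies can be switched off individually; if all are off, or if the set of
 *       trusted names is {@code null} or empty, name checking is skipped and treated as a pass.</li>
 *   <li><b>PKIX path validation</b> ({@link #pkixValidate(PKIXValidationInformation, X509Credential)}): a
 *       certification path is built from the entity certificate to one of the trust anchors using the JDK
 *       "PKIX" {@link CertPathBuilder} and then validated with the JDK "PKIX" {@link CertPathValidator}.
 *       CRL-based revocation checking is enabled only when the validation information supplies at least one
 *       CRL; otherwise it is disabled.</li>
 * </ol>
 *
 * <p>Thread-safety: the configuration setters are plain field writes with no synchronization; configure an
 * instance before sharing it.</p>
 */
public class PKIXTrustEvaluator {
    private static Logger log = Logger.getLogger(PKIXTrustEvaluator.class);

    /** Whether subject alt names of the entity certificate are compared against the trusted names. */
    private boolean checkSubjectAltNames;

    /** Whether the first common name (CN) of the subject DN is compared against the trusted names. */
    private boolean checkSubjectDNCommonName;

    /** Whether the whole subject DN is compared against the trusted names (each parsed as a DN). */
    private boolean checkSubjectDN;

    /** Handler used to parse trusted-name strings into {@link X500Principal}s and to render DNs for logging. */
    private X500DNHandler x500DNHandler = new InternalX500DNHandler();

    /** Subject alt name types (as {@link X509Util} constants) that participate in name checking. Mutable by design. */
    private Set<Integer> subjectAltNameTypes = new HashSet<Integer>();

    /**
     * Creates an evaluator with all three name-checking strategies enabled and DNS and URI subject alt names
     * registered as the alt name types to evaluate.
     */
    public PKIXTrustEvaluator() {
        setCheckSubjectAltNames(true);
        setCheckSubjectDNCommonName(true);
        setCheckSubjectDN(true);
        this.subjectAltNameTypes.add(X509Util.DNS_ALT_NAME);
        this.subjectAltNameTypes.add(X509Util.URI_ALT_NAME);
    }

    /**
     * Reports whether any name-checking strategy is enabled.
     *
     * @return {@code true} if at least one of subject alt name, subject CN or subject DN checking is enabled
     */
    public boolean isNameChecking() {
        return checkSubjectAltNames() || checkSubjectDNCommonName() || checkSubjectDN();
    }

    /**
     * Returns the live, mutable set of subject alt name types evaluated during name checking. Callers may add
     * or remove {@link X509Util} alt name type constants to change what is checked.
     *
     * @return the mutable set of alt name types
     */
    public Set<Integer> getSubjectAltNameTypes() {
        return this.subjectAltNameTypes;
    }

    /** @return whether subject alt name checking is enabled */
    public boolean checkSubjectAltNames() {
        return this.checkSubjectAltNames;
    }

    /** @param z whether subject alt name checking is enabled */
    public void setCheckSubjectAltNames(boolean z) {
        this.checkSubjectAltNames = z;
    }

    /** @return whether subject DN common name checking is enabled */
    public boolean checkSubjectDNCommonName() {
        return this.checkSubjectDNCommonName;
    }

    /** @param z whether subject DN common name checking is enabled */
    public void setCheckSubjectDNCommonName(boolean z) {
        this.checkSubjectDNCommonName = z;
    }

    /** @return whether whole subject DN checking is enabled */
    public boolean checkSubjectDN() {
        return this.checkSubjectDN;
    }

    /** @param z whether whole subject DN checking is enabled */
    public void setCheckSubjectDN(boolean z) {
        this.checkSubjectDN = z;
    }

    /** @return the handler used to parse and render X.500 DNs */
    public X500DNHandler getX500DNHandler() {
        return this.x500DNHandler;
    }

    /**
     * Sets the handler used to parse and render X.500 DNs.
     *
     * @param x500DNHandler the handler to use
     * @throws IllegalArgumentException if {@code x500DNHandler} is {@code null}
     */
    public void setX500DNHandler(X500DNHandler x500DNHandler) {
        if (x500DNHandler == null) {
            throw new IllegalArgumentException("X500DNHandler may not be null");
        }
        this.x500DNHandler = x500DNHandler;
    }

    /**
     * Checks the entity certificate of the credential against the trusted names using each enabled strategy
     * in turn: subject alt names, then the first subject CN, then the whole subject DN. The first strategy
     * that matches wins.
     *
     * <p>NOTE: name checking is treated as passed when no strategy is enabled or when {@code set} is
     * {@code null} or empty. Callers that rely on name checking as a security control must therefore supply
     * a non-empty trusted-name set; an empty set does not mean "trust nothing".</p>
     *
     * @param x509Credential the untrusted credential whose entity certificate is checked
     * @param set the trusted names; may be {@code null}
     * @return {@code true} if name checking is skipped or any enabled strategy matches, {@code false} otherwise
     */
    protected boolean checkName(X509Credential x509Credential, Set<String> set) {
        if (!isNameChecking() || set == null || set.isEmpty()) {
            return true;
        }
        String entityId = x509Credential.getEntityId();
        if (log.isDebugEnabled()) {
            log.debug("Checking untrusted " + entityId + " credential against trusted names");
            log.debug("Trusted names being evaluated are: " + set.toString());
        }
        X509Certificate entityCertificate = x509Credential.getEntityCertificate();

        if (checkSubjectAltNames() && processSubjectAltNames(entityCertificate, set)) {
            if (log.isDebugEnabled()) {
                log.debug("Untrusted credential for entity " + entityId + " passed name checking based on subject alt names.");
            }
            return true;
        }
        if (checkSubjectDNCommonName() && processSubjectDNCommonName(entityCertificate, set)) {
            if (log.isDebugEnabled()) {
                log.debug("Untrusted credential for entity " + entityId + " passed name checking based on subject DN's common name.");
            }
            return true;
        }
        if (checkSubjectDN() && processSubjectDN(entityCertificate, set)) {
            if (log.isDebugEnabled()) {
                log.debug("Untrusted credential for entity " + entityId + " passed name checking based on matching subject DN.");
            }
            return true;
        }
        log.error("Untrusted credential for entity " + entityId + " failed name checking.");
        return false;
    }

    /**
     * Compares the <em>first</em> common name of the certificate's subject DN (as returned by
     * {@link X509Util#getCommonNames}) against the trusted names using exact, case-sensitive string equality.
     * Additional CN values, if any, are not considered.
     *
     * @param x509Certificate the entity certificate
     * @param set the trusted names (non-null, non-empty)
     * @return {@code true} if the first CN is non-empty and is contained in {@code set}
     */
    protected boolean processSubjectDNCommonName(X509Certificate x509Certificate, Set<String> set) {
        List<String> commonNames = X509Util.getCommonNames(x509Certificate.getSubjectX500Principal());
        if (commonNames == null || commonNames.isEmpty()) {
            return false;
        }
        // Only the first CN is evaluated; this mirrors the historical behaviour of this evaluator.
        String firstCommonName = commonNames.get(0);
        if (log.isDebugEnabled()) {
            log.debug("Extracted common name from certificate: " + firstCommonName);
        }
        if (DatatypeHelper.isEmpty(firstCommonName) || !set.contains(firstCommonName)) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Matched subject DN common name to trusted names: " + firstCommonName);
        }
        return true;
    }

    /**
     * Compares the certificate's whole subject DN against each trusted name, parsing the trusted name into an
     * {@link X500Principal} with the configured {@link X500DNHandler} and using {@link X500Principal#equals}.
     *
     * <p>Trusted-name sets commonly mix DNs with host names or URIs intended for the alt-name and CN
     * strategies. A trusted name that the handler rejects as not being a DN (signalled by an
     * {@link IllegalArgumentException}, which is what {@link X500Principal#X500Principal(String)} throws for
     * malformed input — NOTE(review): confirm the configured handler follows the same convention) is logged
     * and skipped rather than aborting the whole name check.</p>
     *
     * @param x509Certificate the entity certificate
     * @param set the trusted names (non-null, non-empty)
     * @return {@code true} if the subject DN equals the parsed form of any trusted name
     */
    protected boolean processSubjectDN(X509Certificate x509Certificate, Set<String> set) {
        X500Principal subjectPrincipal = x509Certificate.getSubjectX500Principal();
        if (log.isDebugEnabled()) {
            log.debug("Extracted X500Principal from certificate: " + this.x500DNHandler.getName(subjectPrincipal));
        }
        for (String trustedName : set) {
            X500Principal trustedPrincipal;
            try {
                trustedPrincipal = this.x500DNHandler.parse(trustedName);
            } catch (IllegalArgumentException e) {
                // Not a DN (e.g. a host name meant for alt-name matching); it cannot match a subject DN.
                if (log.isDebugEnabled()) {
                    log.debug("Trusted name could not be parsed as a DN, skipping: " + trustedName);
                }
                continue;
            }
            if (subjectPrincipal.equals(trustedPrincipal)) {
                if (log.isDebugEnabled()) {
                    log.debug("Matched subject DN to trusted names: " + this.x500DNHandler.getName(subjectPrincipal));
                }
                return true;
            }
        }
        return false;
    }

    /**
     * Compares the certificate's subject alt names of the configured types (see
     * {@link #getSubjectAltNameTypes()}) against the trusted names using {@link Set#contains}, i.e. exact
     * equality on the values returned by {@link X509Util#getAltNames}.
     *
     * @param x509Certificate the entity certificate
     * @param set the trusted names (non-null, non-empty)
     * @return {@code true} if any extracted alt name is contained in {@code set}
     */
    protected boolean processSubjectAltNames(X509Certificate x509Certificate, Set<String> set) {
        Integer[] nameTypes = this.subjectAltNameTypes.toArray(new Integer[this.subjectAltNameTypes.size()]);
        List altNames = X509Util.getAltNames(x509Certificate, nameTypes);
        if (log.isDebugEnabled()) {
            log.debug("Extracted subject alt names from certificate: " + altNames);
        }
        for (Object altName : altNames) {
            if (set.contains(altName)) {
                if (log.isDebugEnabled()) {
                    log.debug("Matched subject alt name to trusted names: " + altName.toString());
                }
                return true;
            }
        }
        return false;
    }

    /**
     * Performs name checking followed by PKIX path validation. PKIX validation is not attempted when name
     * checking fails.
     *
     * @param pKIXValidationInformation trust anchors, intermediate certificates and CRLs to validate against
     * @param set the trusted names; {@code null} or empty skips name checking (see {@link #checkName})
     * @param x509Credential the untrusted credential
     * @return {@code true} only if both name checking and PKIX validation succeed
     * @throws SecurityException if the PKIX validator itself cannot be set up (see
     *         {@link #pkixValidate(PKIXValidationInformation, X509Credential)})
     */
    public boolean pkixValidate(PKIXValidationInformation pKIXValidationInformation, Set<String> set, X509Credential x509Credential) throws SecurityException {
        if (!checkName(x509Credential, set)) {
            log.debug("Name checking failed, aborting PKIX validation");
            return false;
        }
        return pkixValidate(pKIXValidationInformation, x509Credential);
    }

    /**
     * Builds a certification path from the credential's entity certificate to one of the trust anchors and
     * validates it with the JDK "PKIX" validator.
     *
     * <p>A path-building or path-validation failure ({@link CertPathValidatorException}, which the builder
     * throws as the subtype {@link java.security.cert.CertPathBuilderException}) is logged and reported as
     * {@code false}. Any other {@link GeneralSecurityException} (no trust anchors, unavailable "PKIX"
     * provider, bad parameters) indicates the validator could not be constructed and is rethrown.</p>
     *
     * @param pKIXValidationInformation trust anchors, intermediate certificates and CRLs to validate against
     * @param x509Credential the untrusted credential
     * @return {@code true} if a valid path to a trust anchor was built and validated
     * @throws SecurityException if the PKIX builder/validator could not be set up
     */
    public boolean pkixValidate(PKIXValidationInformation pKIXValidationInformation, X509Credential x509Credential) throws SecurityException {
        String entityId = x509Credential.getEntityId();
        if (log.isDebugEnabled()) {
            log.debug("Attempting PKIX path validation on untrusted credential " + entityId);
        }
        try {
            PKIXBuilderParameters builderParams = getPKIXBuilderParameters(pKIXValidationInformation, x509Credential);

            if (log.isDebugEnabled()) {
                log.debug("Building certificate validation path");
            }
            PKIXCertPathBuilderResult buildResult =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(builderParams);
            CertPath certPath = buildResult.getCertPath();

            if (log.isDebugEnabled()) {
                log.debug("Validating given entity credentials using built PKIX validator");
            }
            CertPathValidator.getInstance("PKIX").validate(certPath, builderParams);

            if (log.isDebugEnabled()) {
                log.debug("PKIX validation of credentials for " + entityId + " successful");
            }
            return true;
        } catch (CertPathValidatorException e) {
            log.error("PKIX validation of credentials for entity " + entityId + " failed.", e);
            return false;
        } catch (GeneralSecurityException e) {
            log.error("Unable to create PKIX validator", e);
            throw new SecurityException("Unable to create PKIX validator", e);
        }
    }

    /**
     * Assembles the {@link PKIXBuilderParameters} for path building and validation: the trust anchors, a
     * target selector for the entity certificate, the maximum path length from the validation information's
     * verification depth, and a collection cert store holding the entity chain, the trust chain and any CRLs.
     *
     * <p>Revocation checking is enabled only when the validation information supplies at least one CRL;
     * with no CRLs it is disabled, since the JDK validator would otherwise fail every path for lack of
     * revocation data.</p>
     *
     * @param pKIXValidationInformation the validation information
     * @param x509Credential the untrusted credential whose entity certificate is the path target
     * @return the populated builder parameters
     * @throws GeneralSecurityException if no trust anchors are available or the cert store cannot be created
     */
    protected PKIXBuilderParameters getPKIXBuilderParameters(PKIXValidationInformation pKIXValidationInformation, X509Credential x509Credential) throws GeneralSecurityException {
        Set<TrustAnchor> trustAnchors = getTrustAnchors(pKIXValidationInformation);
        if (trustAnchors.size() < 1) {
            throw new GeneralSecurityException("Unable to validate signature, no trust anchors found in the PKIX validation information");
        }

        // The path must terminate at exactly the entity certificate under evaluation.
        X509CertSelector targetSelector = new X509CertSelector();
        targetSelector.setCertificate(x509Credential.getEntityCertificate());

        if (log.isDebugEnabled()) {
            log.debug("Adding trust anchors to PKIX validator parameters");
        }
        PKIXBuilderParameters builderParams = new PKIXBuilderParameters(trustAnchors, targetSelector);

        if (log.isDebugEnabled()) {
            log.debug("Setting verification depth to " + pKIXValidationInformation.getVerificationDepth());
        }
        // NOTE(review): getVerificationDepth() is unboxed here; a null depth would throw NPE — confirm callers always set it.
        builderParams.setMaxPathLength(pKIXValidationInformation.getVerificationDepth().intValue());

        builderParams.addCertStore(buildCertStore(pKIXValidationInformation, x509Credential));

        // Revocation checking needs CRLs to consult; the JDK validator fails closed without them.
        Collection<?> crls = pKIXValidationInformation.getCRLs();
        if (crls == null || crls.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("No CRLs available in PKIX validation information, disable revocation checking");
            }
            builderParams.setRevocationEnabled(false);
        }
        return builderParams;
    }

    /**
     * Wraps every certificate in the validation information's trust chain as a {@link TrustAnchor} with no
     * name constraints.
     *
     * @param pKIXValidationInformation the validation information
     * @return the set of trust anchors; empty if the trust chain is empty
     */
    protected Set<TrustAnchor> getTrustAnchors(PKIXValidationInformation pKIXValidationInformation) {
        Collection<X509Certificate> trustChain = pKIXValidationInformation.getTrustChain();
        if (log.isDebugEnabled()) {
            log.debug("Constructring trust anchors");
        }
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate trustedCert : trustChain) {
            anchors.add(new TrustAnchor(trustedCert, null));
        }
        return anchors;
    }

    /**
     * Builds a "Collection" {@link CertStore} containing the credential's entity certificate chain, the
     * validation information's trust chain, and — when present — its CRLs, so that the PKIX builder can
     * locate intermediate certificates and the validator can locate revocation data.
     *
     * @param pKIXValidationInformation the validation information
     * @param x509Credential the untrusted credential
     * @return the populated cert store
     * @throws GeneralSecurityException if the "Collection" cert store type is unavailable
     */
    protected CertStore buildCertStore(PKIXValidationInformation pKIXValidationInformation, X509Credential x509Credential) throws GeneralSecurityException {
        if (log.isDebugEnabled()) {
            log.debug("Creating cert store to use during path validation");
            log.debug("Adding entity ceritifcate chain to certificate store");
        }
        List<Object> storeMaterial = new ArrayList<Object>();
        storeMaterial.addAll(x509Credential.getEntityCertificateChain());
        storeMaterial.addAll(pKIXValidationInformation.getTrustChain());

        // CRLs must be in a cert store for the validator to find them when revocation checking is enabled.
        Collection<?> crls = pKIXValidationInformation.getCRLs();
        if (crls != null && !crls.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("Adding CRLs to certificate store");
            }
            storeMaterial.addAll(crls);
        }
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeMaterial));
    }
}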
