package org.opensaml.xml.security.x509;

import java.util.Iterator;
import java.util.Set;
import org.apache.log4j.Logger;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;

/* loaded from: input_file:org/opensaml/xml/security/x509/PKIXX509CredentialTrustEngine.class */
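/**
 * Trust engine that decides whether an {@link X509Credential} is trusted by running PKIX
 * validation against the validation information supplied by a
 * {@link PKIXValidationInformationResolver}.
 *
 * <p>The credential is accepted as soon as one resolved {@link PKIXValidationInformation} set
 * validates it. Every other outcome yields {@code false}, including a null credential or a
 * missing entity certificate.
 */
public class PKIXX509CredentialTrustEngine implements PKIXTrustEngine<X509Credential> {
    private static final Logger log = Logger.getLogger(PKIXX509CredentialTrustEngine.class);

    /** Source of trust anchors / validation information and, optionally, trusted names. */
    private final PKIXValidationInformationResolver pkixResolver;

    /** Evaluator that performs the actual PKIX path validation. */
    private final PKIXTrustEvaluator pkixTrustEvaluator;

    /**
     * Creates a trust engine backed by the given resolver and a default {@link PKIXTrustEvaluator}.
     *
     * @param pKIXValidationInformationResolver resolver used to obtain PKIX validation information
     * @throws IllegalArgumentException if the resolver is {@code null}
     */
    public PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver pKIXValidationInformationResolver) {
        if (pKIXValidationInformationResolver == null) {
            throw new IllegalArgumentException("PKIX trust information resolver may not be null");
        }
        this.pkixResolver = pKIXValidationInformationResolver;
        this.pkixTrustEvaluator = new PKIXTrustEvaluator();
    }

    /**
     * Returns the resolver this engine uses to obtain PKIX validation information.
     *
     * @return the resolver supplied at construction time
     */
    @Override // org.opensaml.xml.security.x509.PKIXTrustEngine
    public PKIXValidationInformationResolver getPKIXResolver() {
        return this.pkixResolver;
    }

    /**
     * Returns the evaluator that performs PKIX validation, e.g. so that callers can adjust
     * its options.
     *
     * @return the evaluator created by the constructor
     */
    public PKIXTrustEvaluator getPKIXTrustEvaluator() {
        return this.pkixTrustEvaluator;
    }

    /**
     * Validates the untrusted credential against the PKIX information resolved for the criteria.
     *
     * @param x509Credential the untrusted credential; {@code null} is rejected
     * @param criteriaSet criteria from which the PKIX criteria are derived
     * @return {@code true} if some resolved validation information validates the credential,
     *         {@code false} otherwise
     * @throws SecurityException declared by the trust-engine contract; presumably raised by
     *         criteria conversion or by the resolver calls (their bodies are not in this file)
     */
    @Override // org.opensaml.xml.security.trust.TrustEngine
    public boolean validate(X509Credential x509Credential, CriteriaSet criteriaSet) throws SecurityException {
        // Reject a null credential BEFORE touching it. The debug statement used to run first
        // and dereferenced the credential, so a null input raised NullPointerException
        // whenever debug logging was enabled instead of being rejected.
        if (x509Credential == null) {
            log.error("X.509 credential was null, unable to perform validation");
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("PKIX validating credential for entity " + x509Credential.getEntityId());
        }
        if (x509Credential.getEntityCertificate() == null) {
            log.error("Untrusted X.509 credential's entity certificate was null, unable to perform validation");
            return false;
        }

        PKIXCriteriaSet pKIXCriteria = SecurityHelper.getPKIXCriteria(criteriaSet);

        // Trusted names stay null unless name checking is enabled AND the resolver can supply them.
        Set<String> trustedNames = null;
        if (this.pkixTrustEvaluator.isNameChecking()) {
            if (this.pkixResolver.supportsTrustedNameResolution()) {
                trustedNames = this.pkixResolver.resolveTrustedNames(pKIXCriteria);
            } else {
                // NOTE(review): name checking is enabled on the evaluator but is skipped here,
                // and this is reported only at debug level. Deployments that rely on name
                // checking should confirm that their resolver supports trusted-name resolution,
                // and how pkixValidate treats a null name set (not visible in this file).
                log.debug("PKIX resolver does not support resolution of trusted names, skipping name checking");
            }
        }
        return validate(x509Credential, trustedNames, this.pkixResolver.resolve(pKIXCriteria));
    }

    /**
     * Tries each set of validation information in turn and accepts the credential on the first
     * one that validates it.
     *
     * @param x509Credential the untrusted credential
     * @param set trusted names passed to the evaluator; may be {@code null} when name checking is
     *        disabled or unsupported by the resolver
     * @param iterable candidate PKIX validation information; {@code null} or empty means nothing
     *        can validate the credential
     * @return {@code true} if any candidate validates the credential, {@code false} otherwise
     */
    protected boolean validate(X509Credential x509Credential, Set<String> set, Iterable<PKIXValidationInformation> iterable) {
        log.debug("Beginning PKIX validation using trusted validation information");
        if (iterable == null) {
            // Fail closed: no validation information means no basis for trust.
            log.error("PKIX validation information was null, unable to perform validation");
            return false;
        }
        for (PKIXValidationInformation validationInfo : iterable) {
            if (this.pkixTrustEvaluator.pkixValidate(validationInfo, set, x509Credential)) {
                return true;
            }
        }
        return false;
    }
}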
