package org.opensaml.security.impl;

import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.apache.log4j.Logger;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.security.CredentialUsageTypeEnumeration;
import org.opensaml.security.TrustEngine;
import org.opensaml.security.X509EntityCredential;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/* loaded from: input_file:org/opensaml/security/impl/InlinePKIKeyTrustEngine.class */
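/**
 * A {@link TrustEngine} that derives trust solely from the keying information
 * published inline in a SAML 2 metadata {@link RoleDescriptor}. A credential is
 * trusted only if its end-entity certificate is byte-identical to one published
 * in a signing {@link KeyDescriptor}, and a signature is trusted only if it
 * verifies against a public key published in a signing {@link KeyDescriptor}.
 *
 * <p>Security properties and caveats a deployer should be aware of:
 * <ul>
 *   <li>No certificate chain building, validity-period or revocation checking
 *       is performed here. The metadata is the trust root, so it must already
 *       be authenticated (e.g. metadata signature / secure channel) before
 *       being handed to this engine; otherwise anything in it is trusted.</li>
 *   <li>{@link #validate(SignableSAMLObject, RoleDescriptor)} only proves that
 *       the signature value was produced by a published key. It does not
 *       check that the signature actually covers the object (reference URI,
 *       permitted transforms, single reference). That signature-profile
 *       validation must be performed separately before relying on the result.</li>
 *   <li>Key descriptors whose {@code use} is not explicitly SIGNING are skipped.
 *       The metadata specification treats an absent {@code use} as "any use";
 *       this engine is stricter and will not trust such keys (fails closed).</li>
 *   <li>The signer's own inline {@code KeyInfo} is deliberately ignored: only
 *       metadata-published keys are tried.</li>
 * </ul>
 * Every failure path returns {@code false} / {@code null}; nothing is thrown.
 */
public class InlinePKIKeyTrustEngine implements TrustEngine<X509EntityCredential> {
    private static final Logger log = Logger.getLogger(InlinePKIKeyTrustEngine.class);

    /**
     * Checks whether the credential's end-entity certificate is published in a
     * signing key descriptor of the role. Comparison is on the DER encoding, so
     * only the exact published certificate matches.
     *
     * <p>Fixes relative to the previous version: the comparison now sits inside
     * the {@code try} that handles {@link CertificateEncodingException}; a null
     * {@code KeyInfo}, a null certificate list (which previously dereferenced
     * {@code keyInfo.getCertificates()} again when debug logging was off), a
     * null list element and a credential without a certificate are all handled
     * instead of throwing; and the credential's encoding is computed once.
     *
     * @param x509EntityCredential the credential to check; may be null
     * @param roleDescriptor       the role whose published keys are trusted; may be null
     * @return true only if a published signing certificate matches exactly
     */
    @Override // org.opensaml.security.TrustEngine
    public boolean validate(X509EntityCredential x509EntityCredential, RoleDescriptor roleDescriptor) {
        if (x509EntityCredential == null) {
            log.error("Unable to validate, entity credential was null");
            return false;
        }
        if (roleDescriptor == null) {
            log.error("Unable to validate, role descriptor was null");
            return false;
        }

        X509Certificate entityCert = x509EntityCredential.getEntityCertificate();
        if (entityCert == null) {
            log.error("Unable to validate, entity credential does not contain an end-entity certificate");
            return false;
        }
        // Encode the presented certificate once; a credential that cannot be
        // encoded cannot be matched, so fail closed.
        byte[] entityCertDer;
        try {
            entityCertDer = entityCert.getEncoded();
        } catch (CertificateEncodingException e) {
            log.error("Error encoding end-entity certificate during matching process", e);
            return false;
        }

        List<KeyDescriptor> keyDescriptors = roleDescriptor.getKeyDescriptors();
        if (keyDescriptors == null || keyDescriptors.isEmpty()) {
            log.debug("Unable to validate entity credential, role descriptor does not contain any key descriptors");
            return false;
        }

        log.debug("Attempting to match key information within role descriptor with end-entity certificate");
        for (KeyDescriptor keyDescriptor : keyDescriptors) {
            if (!CredentialUsageTypeEnumeration.SIGNING.equals(keyDescriptor.getUse())) {
                log.debug("Key descriptor is not for signing, skipping it");
                continue;
            }
            log.debug("Located a key descriptor used for signing");

            KeyInfo keyInfo = keyDescriptor.getKeyInfo();
            List<X509Certificate> certificates = (keyInfo == null) ? null : keyInfo.getCertificates();
            if (certificates == null || certificates.isEmpty()) {
                log.debug("Key descriptor does not contain any certificates, skipping this key descriptor");
                continue;
            }

            log.debug("Checking if certificates contained within match end-entity certificate");
            for (X509Certificate published : certificates) {
                if (published == null) {
                    continue;
                }
                try {
                    if (Arrays.equals(published.getEncoded(), entityCertDer)) {
                        log.debug("End-entity certificate matches a role descriptor certificate, success");
                        return true;
                    }
                } catch (CertificateEncodingException e) {
                    // One malformed published certificate must not abort the search;
                    // it simply cannot match.
                    log.error("Error encoding certificate during matching process", e);
                }
            }
        }

        log.debug("No certificates within this role descriptor matched the given end-entity certificate");
        return false;
    }

    /**
     * Attempts to verify the object's XML signature with each public key found
     * in a signing key descriptor of the role. On success, returns a credential
     * bound to the owning entity's ID and carrying the key that verified the
     * signature (no private key); otherwise returns null.
     *
     * <p>Fixes relative to the previous version: null arguments, a null
     * {@code KeyInfo} and a role whose parent is not an {@link EntityDescriptor}
     * (previously an unchecked cast) now return null instead of throwing. A role
     * without an owning entity is refused rather than producing a credential
     * with no entity ID, since callers match that ID against the issuer.
     *
     * <p>Note: cryptographic verification only; signature-profile validation
     * (that the signature covers this object) is the caller's responsibility.
     *
     * @param signableSAMLObject the signed object; may be null or unsigned
     * @param roleDescriptor     the role whose published keys are trusted; may be null
     * @return a credential for the verifying key, or null if no published key verifies
     */
    @Override // org.opensaml.security.TrustEngine
    public X509EntityCredential validate(SignableSAMLObject signableSAMLObject, RoleDescriptor roleDescriptor) {
        if (signableSAMLObject == null) {
            log.error("Unable to validate, signable object was null");
            return null;
        }
        if (roleDescriptor == null) {
            log.error("Unable to validate, role descriptor was null");
            return null;
        }

        Signature signature = signableSAMLObject.getSignature();
        if (signature == null) {
            log.debug("Signature validation requested on unsigned object, returning");
            return null;
        }

        Object parent = roleDescriptor.getParent();
        if (!(parent instanceof EntityDescriptor)) {
            log.warn("Unable to validate signature, role descriptor is not owned by an entity descriptor");
            return null;
        }
        String entityId = ((EntityDescriptor) parent).getEntityID();

        List<KeyDescriptor> keyDescriptors = roleDescriptor.getKeyDescriptors();
        if (keyDescriptors == null || keyDescriptors.isEmpty()) {
            log.warn("Unable to validate signature, entity " + entityId + " does not contain any keying information for this role");
            return null;
        }

        if (log.isDebugEnabled()) {
            log.debug("Attempting to validate signature with the keying information for entity " + entityId);
        }
        for (KeyDescriptor keyDescriptor : keyDescriptors) {
            if (keyDescriptor.getUse() != CredentialUsageTypeEnumeration.SIGNING) {
                log.debug("Found keying information, but was not for signing, skipping it");
                continue;
            }

            KeyInfo keyInfo = keyDescriptor.getKeyInfo();
            PublicKey publicKey = (keyInfo == null) ? null : keyInfo.getPublicKey();
            if (publicKey == null) {
                log.debug("Signing key information does not contain a public key, skipping it");
                continue;
            }

            log.debug("Attempting to validate signature with public key");
            try {
                new SignatureValidator(publicKey).validate(signature);
            } catch (ValidationException e) {
                // Expected for every published key but the signer's; keep trying.
                log.debug("Public key did not validate signature", e);
                continue;
            }
            log.debug("Signature validated with public key");
            return new SimpleX509EntityCredential(entityId, (PrivateKey) null, publicKey);
        }

        log.debug("No keying information validated the signature");
        return null;
    }
}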
