package org.opensaml.security.impl;

import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.StringTokenizer;
import javax.security.auth.x500.X500Principal;
import javolution.util.FastList;
import javolution.util.FastSet;
import org.apache.log4j.Logger;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.security.CredentialUsageTypeEnumeration;
import org.opensaml.security.TrustEngine;
import org.opensaml.security.X509EntityCredential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.validation.ValidationException;

/* loaded from: input_file:org/opensaml/security/impl/AbstractPKIXTrustEngine.class */
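public abstract class AbstractPKIXTrustEngine implements TrustEngine<X509EntityCredential> {

    /** Class logger. */
    private static final Logger log = Logger.getLogger(AbstractPKIXTrustEngine.class);

    /**
     * GeneralName type tag for dNSName, as returned in the first element of each entry of
     * {@link X509Certificate#getSubjectAlternativeNames()}.
     */
    private static final Integer SAN_DNS_NAME = Integer.valueOf(2);

    /**
     * GeneralName type tag for uniformResourceIdentifier, as returned in the first element of each entry of
     * {@link X509Certificate#getSubjectAlternativeNames()}.
     */
    private static final Integer SAN_URI = Integer.valueOf(6);

    /**
     * The trust anchors, CRLs and maximum path length used for a single PKIX path validation attempt.
     *
     * <p>Instances are immutable once constructed; the collections handed to the constructor are stored as-is
     * (no defensive copy), so callers should not mutate them afterwards.</p>
     */
    public final class PKIXValidationInformation {

        /** Maximum number of non-self-issued intermediate certificates allowed in the built path. */
        private final int verificationDepth;

        /** Certificates to be used as trust anchors; every element becomes an anchor, see {@link #pkixValidate}. */
        private final Set<X509Certificate> trustChain;

        /** CRLs to consult; revocation checking is only enabled when this set is non-empty. */
        private final Set<X509CRL> crls;

        /**
         * Constructor.
         *
         * @param verificationDepth maximum path length passed to {@link PKIXBuilderParameters#setMaxPathLength(int)}
         * @param trustChain certificates to use as trust anchors, may be null or empty (validation then fails)
         * @param crls CRLs to use for revocation checking, may be null or empty (revocation checking then disabled)
         */
        public PKIXValidationInformation(int verificationDepth, Set<X509Certificate> trustChain, Set<X509CRL> crls) {
            this.trustChain = trustChain;
            this.crls = crls;
            this.verificationDepth = verificationDepth;
        }

        /** @return the maximum certificate path length */
        public int getVerificationDepth() {
            return this.verificationDepth;
        }

        /** @return the certificates to use as trust anchors, possibly null */
        public Set<X509Certificate> getTrustChain() {
            return this.trustChain;
        }

        /** @return the CRLs to use for revocation checking, possibly null */
        public Set<X509CRL> getCRLs() {
            return this.crls;
        }
    }

    /**
     * Validates a signed SAML object against the given role descriptor.
     *
     * <p>The certificates carried in the signature's KeyInfo are wrapped in a credential, that credential is
     * PKIX-validated (including entity name checking) via {@link #validate(X509EntityCredential, RoleDescriptor)},
     * and only then is the XML signature itself verified with the credential's public key. Validating the
     * credential before the signature means an untrusted certificate never gets to drive signature processing.</p>
     *
     * @param signableSAMLObject the SAML object whose signature is to be validated
     * @param roleDescriptor the role descriptor the signer is expected to represent
     * @return the validated credential, or null if the object is unsigned, carries no certificates, its credential
     *         fails PKIX validation, or the signature does not verify
     */
    @Override // org.opensaml.security.TrustEngine
    public X509EntityCredential validate(SignableSAMLObject signableSAMLObject, RoleDescriptor roleDescriptor) {
        if (!signableSAMLObject.isSigned()) {
            if (log.isDebugEnabled()) {
                log.debug("Requested validation on unsigned SAML object, no validation performed.");
            }
            return null;
        }

        if (log.isDebugEnabled()) {
            log.debug("Beginning validation of digitally signed SAML object");
        }
        // A signature without KeyInfo has nothing to validate against; the original code would have thrown NPE here.
        if (signableSAMLObject.getSignature().getKeyInfo() == null) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to perform PKIX validation, signature does not carry KeyInfo");
            }
            return null;
        }
        List<X509Certificate> certificates = signableSAMLObject.getSignature().getKeyInfo().getCertificates();
        if (certificates == null || certificates.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to perform PKIX validation, signed SAML object does not contain any certificates");
            }
            return null;
        }

        if (log.isDebugEnabled()) {
            log.debug("Validating signature verification information using PKIX validation.");
        }
        SimpleX509EntityCredential credential = new SimpleX509EntityCredential(certificates);
        if (!validate((X509EntityCredential) credential, roleDescriptor)) {
            return null;
        }

        if (log.isDebugEnabled()) {
            log.debug("Verifying digital signature");
        }
        try {
            new SignatureValidator(credential.getPublicKey()).validate(signableSAMLObject.getSignature());
            return credential;
        } catch (ValidationException e) {
            log.error("Unable to validate digital signature with verified credential.", e);
            return null;
        }
    }

    /**
     * Validates a credential against a role descriptor, including the entity name check.
     *
     * @param x509EntityCredential the credential to validate
     * @param roleDescriptor the role descriptor to validate against
     * @return true if the credential's entity certificate matches the role's entity ID or a signing key name and
     *         a PKIX path can be built and validated from it
     */
    @Override // org.opensaml.security.TrustEngine
    public boolean validate(X509EntityCredential x509EntityCredential, RoleDescriptor roleDescriptor) {
        return validate(x509EntityCredential, roleDescriptor, true);
    }

    /**
     * Validates a credential against a role descriptor, optionally skipping the entity name check.
     *
     * <p>Each set of {@link PKIXValidationInformation} supplied by {@link #getValidationInformation(RoleDescriptor)}
     * is tried in turn; the first successful path validation makes the credential trusted.</p>
     *
     * @param x509EntityCredential the credential to validate, null yields false
     * @param roleDescriptor the role descriptor to validate against, null yields false
     * @param checkNames whether to require the entity certificate to match the role's entity ID or key names before
     *                   PKIX validation; passing false trusts any certificate chaining to the configured anchors
     * @return true if the credential validated, false otherwise
     */
    public boolean validate(X509EntityCredential x509EntityCredential, RoleDescriptor roleDescriptor, boolean checkNames) {
        if (log.isDebugEnabled()) {
            log.debug("Attempting to validate X.509 credential against role descriptor");
        }
        if (x509EntityCredential == null) {
            log.error("X.509 credential was null, unable to perform validation");
            return false;
        }
        if (roleDescriptor == null) {
            log.error("Role descriptor was null, unable to perform validation");
            return false;
        }

        if (checkNames) {
            if (log.isDebugEnabled()) {
                log.debug("Checking that the entity certificate information matches either the entity ID or role key names");
            }
            if (!checkEntityNames(x509EntityCredential, roleDescriptor)) {
                return false;
            }
        }

        if (log.isDebugEnabled()) {
            log.debug("Beginning PKIX validation process");
        }
        Iterator<PKIXValidationInformation> validationInfos = getValidationInformation(roleDescriptor);
        while (validationInfos.hasNext()) {
            if (pkixValidate(x509EntityCredential, validationInfos.next())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks that the credential's entity certificate is bound to the role: either the entity ID of the enclosing
     * entity descriptor matches the certificate (see {@link #matchId}), or one of the key names of a signing
     * key descriptor matches it (see {@link #matchKeyName}).
     *
     * @param x509EntityCredential the credential whose entity certificate is checked
     * @param roleDescriptor the role descriptor supplying the entity ID and key names
     * @return true if any name matched, false otherwise
     */
    protected boolean checkEntityNames(X509EntityCredential x509EntityCredential, RoleDescriptor roleDescriptor) {
        X509Certificate entityCertificate = x509EntityCredential.getEntityCertificate();

        // The parent is normally the EntityDescriptor; a detached role descriptor simply has no entity ID to match.
        Object parent = roleDescriptor.getParent();
        if (parent instanceof EntityDescriptor
                && matchId(((EntityDescriptor) parent).getEntityID(), entityCertificate)) {
            return true;
        }

        List<KeyDescriptor> keyDescriptors = roleDescriptor.getKeyDescriptors();
        if (keyDescriptors != null) {
            for (KeyDescriptor keyDescriptor : keyDescriptors) {
                if (keyDescriptor.getUse() != CredentialUsageTypeEnumeration.SIGNING) {
                    if (log.isDebugEnabled()) {
                        log.debug("Key descriptor is not for signing, skipping it");
                    }
                    continue;
                }
                if (keyDescriptor.getKeyInfo() == null) {
                    continue;
                }
                for (String keyName : keyDescriptor.getKeyInfo().getKeyNames()) {
                    if (matchKeyName(keyName, entityCertificate)) {
                        return true;
                    }
                }
            }
        }

        log.error("Entity credentials are not valid for the given role descriptor");
        return false;
    }

    /**
     * Builds and validates a PKIX certification path from the credential's entity certificate to one of the
     * trust anchors in the validation information.
     *
     * <p>Every certificate in {@link PKIXValidationInformation#getTrustChain()} is registered as a trust anchor,
     * not only the root, so any of them can terminate the path. Revocation checking is enabled only when CRLs
     * are supplied; with none, revoked certificates are accepted. The credential's own chain (and the CRLs) are
     * placed in a Collection cert store so the builder can find intermediates.</p>
     *
     * @param x509EntityCredential the credential whose entity certificate is the target of the path
     * @param pKIXValidationInformation trust anchors, CRLs and path length limit for this attempt
     * @return true if a path was built and validated, false on any failure or when no anchors were given
     */
    protected boolean pkixValidate(X509EntityCredential x509EntityCredential, PKIXValidationInformation pKIXValidationInformation) {
        Set<X509Certificate> trustChain = pKIXValidationInformation.getTrustChain();
        if (trustChain == null || trustChain.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to validate signature, no trust anchors found in the PKIX validation information");
            }
            return false;
        }

        if (log.isDebugEnabled()) {
            log.debug("Attempting PKIX path validation on entity credential");
        }
        try {
            if (log.isDebugEnabled()) {
                log.debug("Constructing trust anchors");
            }
            Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
            for (X509Certificate anchorCert : trustChain) {
                trustAnchors.add(new TrustAnchor(anchorCert, null));
            }

            X509CertSelector targetSelector = new X509CertSelector();
            targetSelector.setCertificate(x509EntityCredential.getEntityCertificate());

            if (log.isDebugEnabled()) {
                log.debug("Adding trust anchors to PKIX validator parameters");
            }
            PKIXBuilderParameters builderParams = new PKIXBuilderParameters(trustAnchors, targetSelector);
            if (log.isDebugEnabled()) {
                log.debug("Setting verification depth to " + pKIXValidationInformation.getVerificationDepth());
            }
            builderParams.setMaxPathLength(pKIXValidationInformation.getVerificationDepth());

            if (log.isDebugEnabled()) {
                log.debug("Adding entity certificate chain to certificate store");
            }
            List<Object> storeContents = new ArrayList<Object>();
            if (x509EntityCredential.getEntityCertificateChain() != null) {
                storeContents.addAll(x509EntityCredential.getEntityCertificateChain());
            }

            // getCRLs() may be null; the original code dereferenced it unconditionally.
            Set<X509CRL> crls = pKIXValidationInformation.getCRLs();
            if (crls != null && !crls.isEmpty()) {
                if (log.isDebugEnabled()) {
                    log.debug(crls.size() + " CRLs available, enabling CRL support and adding CRLs to certificate store");
                }
                storeContents.addAll(crls);
                builderParams.setRevocationEnabled(true);
            } else {
                builderParams.setRevocationEnabled(false);
            }

            if (log.isDebugEnabled()) {
                log.debug("Adding certificate store to PKIX validator parameters");
            }
            CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeContents));
            List<CertStore> certStores = new ArrayList<CertStore>();
            certStores.add(certStore);
            builderParams.setCertStores(certStores);

            if (log.isDebugEnabled()) {
                log.debug("Building certificate validation path");
            }
            PKIXCertPathBuilderResult buildResult =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(builderParams);
            CertPath certPath = buildResult.getCertPath();

            if (log.isDebugEnabled()) {
                log.debug("Validating given entity credentials using built PKIX validator");
            }
            CertPathValidator.getInstance("PKIX").validate(certPath, builderParams);

            if (log.isDebugEnabled()) {
                log.debug("PKIX validation of credentials for entity " + x509EntityCredential.getEntityID() + " successful");
            }
            return true;
        } catch (GeneralSecurityException e) {
            // Covers both path building and path validation failures; either means the credential is untrusted.
            if (log.isDebugEnabled()) {
                log.debug("PKIX validation of credentials for entity " + x509EntityCredential.getEntityID() + " failed.", e);
            }
            return false;
        }
    }

    /**
     * Supplies the PKIX validation information (trust anchors, CRLs, depth) applicable to a role descriptor.
     *
     * @param roleDescriptor the role descriptor being validated against
     * @return an iterator over the validation information sets to try, in order
     */
    protected abstract Iterator<PKIXValidationInformation> getValidationInformation(RoleDescriptor roleDescriptor);

    /**
     * Matches an entity ID against a certificate: first case-insensitively against the first CN component of the
     * subject DN, then exactly against the certificate's dNSName and URI subject alternative names.
     *
     * @param entityId the entity ID to match; leading/trailing whitespace is ignored
     * @param certificate the certificate to match against
     * @return true if the ID matched, false if it did not or either argument was empty/null
     */
    private boolean matchId(String entityId, X509Certificate certificate) {
        if (log.isDebugEnabled()) {
            log.debug("Attempting to match entity ID " + entityId + " with certificate subject information");
        }
        if (DatatypeHelper.isEmpty(entityId)) {
            log.error("Entity ID was empty or null");
            return false;
        }
        if (certificate == null) {
            log.error("X509 certificate null");
            return false;
        }

        String trimmedId = entityId.trim();
        if (log.isDebugEnabled()) {
            log.debug("Attempting to match entity ID " + entityId + " with the first CN component of the certificate's subject DN");
        }
        String firstCN = getFirstCN(certificate.getSubjectX500Principal());
        // Locale.ROOT keeps the comparison independent of the JVM's default locale (e.g. Turkish dotless i).
        if (!DatatypeHelper.isEmpty(firstCN)
                && trimmedId.toLowerCase(Locale.ROOT).equals(firstCN.toLowerCase(Locale.ROOT))) {
            if (log.isDebugEnabled()) {
                log.debug("Entity ID matched the first CN component of the certificate's subject DN");
            }
            return true;
        }

        if (log.isDebugEnabled()) {
            log.debug("Attempting to match entity ID with certificate's DNS and URI subject alt names");
        }
        try {
            Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();
            if (altNames != null) {
                for (List<?> altName : altNames) {
                    Object nameType = altName.get(0);
                    if ((SAN_DNS_NAME.equals(nameType) || SAN_URI.equals(nameType))
                            && trimmedId.equals(altName.get(1))) {
                        if (log.isDebugEnabled()) {
                            log.debug("ID matched against subject alt name");
                        }
                        return true;
                    }
                }
            }
        } catch (CertificateParsingException e) {
            log.error("Unable to extract subject alt names from certificate", e);
        }

        if (log.isDebugEnabled()) {
            log.debug("Unable to match ID against subject alt names");
        }
        return false;
    }

    /**
     * Extracts the value of the first CN component of a DN, using the principal's canonical string form (attribute
     * types and string values are lower-cased there, and the most specific RDN comes first).
     *
     * @param x500Principal the DN to inspect, may be null
     * @return the value of the first {@code cn=} component, or null if the principal is null or has no CN
     */
    private String getFirstCN(X500Principal x500Principal) {
        if (x500Principal == null) {
            return null;
        }
        String canonicalName = x500Principal.getName(X500Principal.CANONICAL);
        if (log.isDebugEnabled()) {
            log.debug("Extracting first CN component from DN " + canonicalName);
        }
        // NOTE(review): splitting on ',' does not honour escaped commas ("\,") inside an RDN value; a CN containing
        // one would be truncated. Kept as-is because callers compare the result against entity IDs that are
        // themselves unescaped strings — confirm whether such CNs occur in practice.
        StringTokenizer rdnTokens = new StringTokenizer(canonicalName, ",");
        while (rdnTokens.hasMoreTokens()) {
            String rdn = rdnTokens.nextToken().trim();
            if (rdn.startsWith("cn=")) {
                return rdn.substring(rdn.indexOf("=") + 1);
            }
        }
        return null;
    }

    /**
     * Matches a metadata key name against a certificate: first as a DN against the subject, then via
     * {@link #matchId} (CN / subject alt name match).
     *
     * @param keyName the key name from a signing key descriptor
     * @param certificate the certificate to match against
     * @return true if the key name matched, false otherwise or if either argument was empty/null
     */
    private boolean matchKeyName(String keyName, X509Certificate certificate) {
        if (log.isDebugEnabled()) {
            log.debug("Attempting to match key name " + keyName + " against certificate information");
        }
        if (DatatypeHelper.isEmpty(keyName)) {
            log.error("Key name is null or empty");
            return false;
        }
        if (certificate == null) {
            log.error("Certificate is null");
            return false;
        }

        if (log.isDebugEnabled()) {
            log.debug("Attempting to match key name against certificate's subject DN");
        }
        try {
            if (certificate.getSubjectX500Principal().equals(new X500Principal(keyName))) {
                if (log.isDebugEnabled()) {
                    log.debug("Key name matched certificate's subject DN");
                }
                return true;
            }
        } catch (IllegalArgumentException ignored) {
            // Key name is not a parseable DN; that is expected for plain host names, fall through to matchId.
        }
        return matchId(keyName, certificate);
    }
}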
