package org.apache.cxf.xkms.x509.validator;

import java.security.cert.X509Certificate;
import java.util.List;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.xkms.handlers.Validator;
import org.apache.cxf.xkms.handlers.XKMSConstants;
import org.apache.cxf.xkms.model.xkms.KeyBindingEnum;
import org.apache.cxf.xkms.model.xkms.KeyUsageEnum;
import org.apache.cxf.xkms.model.xkms.StatusType;
import org.apache.cxf.xkms.model.xkms.ValidateRequestType;
import org.apache.cxf.xkms.x509.repo.CertificateRepo;

/* loaded from: input_file:WEB-INF/lib/cxf-services-xkms-x509-handlers-3.5.1.jar:org/apache/cxf/xkms/x509/validator/DirectTrustValidator.class */
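/**
 * XKMS validator implementing "direct trust": a certificate is accepted only
 * if the certificate repository itself holds it.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The certificates checked here are taken from the incoming validate
 *       request, so every field of them (including the subject DN) is
 *       requester-controlled.</li>
 *   <li>{@link #validate(ValidateRequestType)} only evaluates requests whose
 *       query key binding asks for the Signature key usage. Any other request
 *       is reported as VALID without a valid-reason entry; this class does not
 *       reject it. Presumably other validators in the handler chain cover those
 *       cases - confirm before relying on this validator alone.</li>
 * </ul>
 */
public class DirectTrustValidator implements Validator {
    private static final Logger LOG = LogUtils.getL7dLogger(DirectTrustValidator.class);
    private final CertificateRepo certRepo;

    /**
     * @param certificateRepo repository that holds the directly trusted certificates
     */
    public DirectTrustValidator(CertificateRepo certificateRepo) {
        this.certRepo = certificateRepo;
    }

    /**
     * Tells whether the given certificate is stored in the repository.
     *
     * <p>The repository is queried by subject DN, and the entry found must then
     * be equal to the presented certificate. A subject DN is not an
     * authenticator: anyone can issue a self-signed certificate carrying the DN
     * of a trusted entry, so a name-only match would report such a certificate
     * as directly trusted. {@link java.security.cert.Certificate#equals(Object)}
     * compares the encoded forms, which pins the public key and every other
     * field of the certificate.
     *
     * @param x509Certificate certificate to look up; must not be {@code null}
     * @return {@code true} only if the repository entry for the subject DN is
     *         this exact certificate
     */
    public boolean isCertificateInRepo(X509Certificate x509Certificate) {
        X509Certificate stored = this.certRepo.findBySubjectDn(x509Certificate.getSubjectDN().getName());
        return stored != null && stored.equals(x509Certificate);
    }

    /**
     * Validates the certificates of a request against the repository.
     *
     * <p>Outcome, for requests with a query key binding that lists the
     * Signature key usage:
     * <ul>
     *   <li>no certificate could be parsed from the request: INDETERMINATE with
     *       the RequestNotSupported reason;</li>
     *   <li>at least one certificate is not in the repository: INVALID with the
     *       direct-trust reason (the first failing certificate ends the check);</li>
     *   <li>all certificates are in the repository: VALID with the direct-trust
     *       reason.</li>
     * </ul>
     * Requests without a query key binding, or without the Signature key usage,
     * are returned as VALID with no reason recorded.
     *
     * @param validateRequestType incoming XKMS validate request
     * @return status describing the validation outcome
     */
    @Override // org.apache.cxf.xkms.handlers.Validator
    public StatusType validate(ValidateRequestType validateRequestType) {
        StatusType statusType = new StatusType();
        if (validateRequestType.getQueryKeyBinding() != null && validateRequestType.getQueryKeyBinding().getKeyUsage().contains(KeyUsageEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_SIGNATURE)) {
            List<X509Certificate> certificates = ValidateRequestParser.parse(validateRequestType);
            if (certificates == null || certificates.isEmpty()) {
                // Nothing to check: report "indeterminate" rather than valid or invalid.
                statusType.setStatusValue(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_INDETERMINATE);
                statusType.getIndeterminateReason().add("http://www.cxf.apache.org/2002/03/xkms#RequestNotSupported");
                return statusType;
            }
            for (X509Certificate certificate : certificates) {
                if (!isCertificateInRepo(certificate)) {
                    // The subject DN comes from the request; the log sink should
                    // neutralise control characters before the entry is displayed.
                    LOG.warning("Certificate is not found in XKMS repo and is not directly trusted: " + certificate.getSubjectDN().getName());
                    statusType.getInvalidReason().add(XKMSConstants.DIRECT_TRUST_VALIDATION);
                    statusType.setStatusValue(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_INVALID);
                    return statusType;
                }
            }
            statusType.getValidReason().add(XKMSConstants.DIRECT_TRUST_VALIDATION);
        }
        // Reached both after a successful check and when the check did not apply.
        statusType.setStatusValue(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALID);
        return statusType;
    }
}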
