package org.opensaml.xml.security.keyinfo.provider;

import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialContext;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.keyinfo.KeyInfoResolutionContext;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.InternalX500DNHandler;
import org.opensaml.xml.security.x509.X500DNHandler;
import org.opensaml.xml.security.x509.X509Util;
import org.opensaml.xml.signature.X509Data;
import org.opensaml.xml.signature.X509Digest;
import org.opensaml.xml.signature.X509IssuerSerial;
import org.opensaml.xml.signature.X509SKI;
import org.opensaml.xml.signature.X509SubjectName;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.util.LazySet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/xmltooling-1.4.4.jar:org/opensaml/xml/security/keyinfo/provider/InlineX509DataProvider.class */
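/**
 * {@link org.opensaml.xml.security.keyinfo.KeyInfoProvider} that builds a {@link BasicX509Credential} from the
 * certificates (and CRLs) carried inline in a {@code ds:X509Data} element.
 *
 * <p>Security note: this class only <em>extracts</em> material. Nothing in it verifies a certificate
 * signature, chain, validity period or revocation status — the CRLs found in the {@code X509Data} are
 * simply attached to the credential as supplied. Likewise the selector hints ({@code X509SubjectName},
 * {@code X509IssuerSerial}, {@code X509SKI}, {@code X509Digest}) come from the same, possibly untrusted,
 * {@code X509Data}; they only choose which of the supplied certificates is treated as the end-entity
 * certificate, and can never introduce a certificate that is not in that list. Trust decisions on the
 * returned credential must be made by the caller (e.g. a trust engine).</p>
 */
public class InlineX509DataProvider extends AbstractKeyInfoProvider {
    private final Logger log = LoggerFactory.getLogger(InlineX509DataProvider.class);

    /** Parser for the X500 distinguished names carried in X509SubjectName / X509IssuerName. */
    private X500DNHandler x500DNHandler = new InternalX500DNHandler();

    /**
     * Get the handler used to parse X500 distinguished names.
     *
     * @return the configured handler, never null
     */
    public X500DNHandler getX500DNHandler() {
        return this.x500DNHandler;
    }

    /**
     * Set the handler used to parse X500 distinguished names.
     *
     * @param x500DNHandler the handler to use
     * @throws IllegalArgumentException if the handler is null
     */
    public void setX500DNHandler(X500DNHandler x500DNHandler) {
        if (x500DNHandler == null) {
            throw new IllegalArgumentException("X500DNHandler may not be null");
        }
        this.x500DNHandler = x500DNHandler;
    }

    /**
     * {@inheritDoc}
     *
     * @return true iff the object is an {@link X509Data}
     */
    @Override // org.opensaml.xml.security.keyinfo.KeyInfoProvider
    public boolean handles(XMLObject xMLObject) {
        return xMLObject instanceof X509Data;
    }

    /**
     * Build a single {@link BasicX509Credential} from the certificates inline in the given {@code X509Data}.
     *
     * <p>Returns null (no credentials) when the object is not an {@code X509Data}, when it contains no
     * {@code X509Certificate} elements, or when no end-entity certificate could be identified. All parsed
     * certificates are set as the credential's chain; the end-entity certificate is chosen by
     * {@link #findEntityCert(List, X509Data, PublicKey)}.</p>
     *
     * @param keyInfoCredentialResolver the invoking resolver (unused here)
     * @param xMLObject the KeyInfo child to process
     * @param criteriaSet the resolution criteria (unused here)
     * @param keyInfoResolutionContext resolution context; a previously resolved {@link PublicKey} in it is
     *        used to pick the end-entity certificate, and its key names are copied onto the credential
     * @return a set holding one credential, or null
     * @throws SecurityException if the certificates or CRLs cannot be parsed
     */
    @Override // org.opensaml.xml.security.keyinfo.KeyInfoProvider
    public Collection<Credential> process(KeyInfoCredentialResolver keyInfoCredentialResolver, XMLObject xMLObject, CriteriaSet criteriaSet, KeyInfoResolutionContext keyInfoResolutionContext) throws SecurityException {
        if (!handles(xMLObject)) {
            return null;
        }
        X509Data x509Data = (X509Data) xMLObject;
        this.log.debug("Attempting to extract credential from an X509Data");
        List<X509Certificate> extractCertificates = extractCertificates(x509Data);
        if (extractCertificates.isEmpty()) {
            this.log.info("The X509Data contained no X509Certificate elements, skipping credential extraction");
            return null;
        }
        List<X509CRL> extractCRLs = extractCRLs(x509Data);

        // A key already resolved from an earlier KeyInfo child (e.g. KeyValue) is the strongest hint
        // for which of several certificates is the end-entity one.
        PublicKey publicKey = null;
        if (keyInfoResolutionContext != null && keyInfoResolutionContext.getKey() != null && (keyInfoResolutionContext.getKey() instanceof PublicKey)) {
            publicKey = (PublicKey) keyInfoResolutionContext.getKey();
        }
        X509Certificate findEntityCert = findEntityCert(extractCertificates, x509Data, publicKey);
        if (findEntityCert == null) {
            this.log.warn("The end-entity cert could not be identified, skipping credential extraction");
            return null;
        }

        // No validation happens here: chain and CRLs are attached exactly as found in the X509Data.
        BasicX509Credential basicX509Credential = new BasicX509Credential();
        basicX509Credential.setEntityCertificate(findEntityCert);
        basicX509Credential.setCRLs(extractCRLs);
        basicX509Credential.setEntityCertificateChain(extractCertificates);
        if (keyInfoResolutionContext != null) {
            basicX509Credential.getKeyNames().addAll(keyInfoResolutionContext.getKeyNames());
        }
        KeyInfoCredentialContext buildCredentialContext = buildCredentialContext(keyInfoResolutionContext);
        if (buildCredentialContext != null) {
            basicX509Credential.getCredentalContextSet().add(buildCredentialContext);
        }
        LazySet<Credential> lazySet = new LazySet<Credential>();
        lazySet.add(basicX509Credential);
        return lazySet;
    }

    /**
     * Parse the {@code X509CRL} elements of the given {@code X509Data}.
     *
     * @param x509Data the element to read
     * @return the parsed CRLs (possibly empty)
     * @throws SecurityException wrapping any {@link CRLException} from parsing
     */
    private List<X509CRL> extractCRLs(X509Data x509Data) throws SecurityException {
        try {
            List<X509CRL> cRLs = KeyInfoHelper.getCRLs(x509Data);
            this.log.debug("Found {} X509CRLs", Integer.valueOf(cRLs.size()));
            return cRLs;
        } catch (CRLException e) {
            this.log.error("Error extracting CRL's from X509Data", (Throwable) e);
            throw new SecurityException("Error extracting CRL's from X509Data", e);
        }
    }

    /**
     * Parse the {@code X509Certificate} elements of the given {@code X509Data}.
     *
     * @param x509Data the element to read
     * @return the parsed certificates (possibly empty)
     * @throws SecurityException wrapping any {@link CertificateException} from parsing
     */
    private List<X509Certificate> extractCertificates(X509Data x509Data) throws SecurityException {
        try {
            List<X509Certificate> certificates = KeyInfoHelper.getCertificates(x509Data);
            this.log.debug("Found {} X509Certificates", Integer.valueOf(certificates.size()));
            return certificates;
        } catch (CertificateException e) {
            this.log.error("Error extracting certificates from X509Data", (Throwable) e);
            throw new SecurityException("Error extracting certificates from X509Data", e);
        }
    }

    /**
     * Pick the end-entity certificate out of the certificates found in the {@code X509Data}.
     *
     * <p>Strategy, in order: a single certificate is taken as-is; otherwise match against the previously
     * resolved public key, then {@code X509SubjectName}, {@code X509IssuerSerial}, {@code X509SKI} and
     * {@code X509Digest} hints; if nothing matches, the first certificate in document order is used.
     * The hints live in the same (untrusted) {@code X509Data} as the certificates, so they can only
     * influence <em>which</em> supplied certificate is chosen, not whether it is trusted.</p>
     *
     * @param list the parsed certificates
     * @param x509Data the element the certificates came from, source of the selector hints
     * @param publicKey a previously resolved public key, or null
     * @return the chosen certificate, or null only if the list is null or empty
     */
    protected X509Certificate findEntityCert(List<X509Certificate> list, X509Data x509Data, PublicKey publicKey) {
        if (list == null || list.isEmpty()) {
            return null;
        }
        if (list.size() == 1) {
            this.log.debug("Single certificate was present, treating as end-entity certificate");
            return list.get(0);
        }
        X509Certificate findCertFromKey = findCertFromKey(list, publicKey);
        if (findCertFromKey != null) {
            this.log.debug("End-entity certificate resolved by matching previously resolved public key");
            return findCertFromKey;
        }
        X509Certificate findCertFromSubjectNames = findCertFromSubjectNames(list, x509Data.getX509SubjectNames());
        if (findCertFromSubjectNames != null) {
            this.log.debug("End-entity certificate resolved by matching X509SubjectName");
            return findCertFromSubjectNames;
        }
        X509Certificate findCertFromIssuerSerials = findCertFromIssuerSerials(list, x509Data.getX509IssuerSerials());
        if (findCertFromIssuerSerials != null) {
            this.log.debug("End-entity certificate resolved by matching X509IssuerSerial");
            return findCertFromIssuerSerials;
        }
        X509Certificate findCertFromSubjectKeyIdentifier = findCertFromSubjectKeyIdentifier(list, x509Data.getX509SKIs());
        if (findCertFromSubjectKeyIdentifier != null) {
            this.log.debug("End-entity certificate resolved by matching X509SKI");
            return findCertFromSubjectKeyIdentifier;
        }
        X509Certificate findCertFromDigest = findCertFromDigest(list, x509Data.getXMLObjects(X509Digest.DEFAULT_ELEMENT_NAME));
        if (findCertFromDigest != null) {
            this.log.debug("End-entity certificate resolved by matching X509Digest");
            return findCertFromDigest;
        }
        // Last resort: document order. Callers relying on a specific certificate being chosen should
        // supply one of the hints above rather than depend on ordering.
        this.log.debug("Treating the first certificate in the X509Data as the end-entity certificate");
        return list.get(0);
    }

    /**
     * Find the first certificate whose public key equals the given key.
     *
     * @param list the candidate certificates
     * @param publicKey the key to match; null means no match is attempted
     * @return the matching certificate, or null
     */
    protected X509Certificate findCertFromKey(List<X509Certificate> list, PublicKey publicKey) {
        if (publicKey == null) {
            return null;
        }
        for (X509Certificate x509Certificate : list) {
            if (x509Certificate.getPublicKey().equals(publicKey)) {
                return x509Certificate;
            }
        }
        return null;
    }

    /**
     * Find the first certificate whose subject DN equals one of the given {@code X509SubjectName} values.
     *
     * <p>Empty values are skipped. A value the configured {@link X500DNHandler} cannot parse aborts this
     * strategy (returns null) rather than moving on to the next name; the remaining strategies in
     * {@link #findEntityCert(List, X509Data, PublicKey)} still run.</p>
     *
     * @param list the candidate certificates
     * @param list2 the {@code X509SubjectName} hints
     * @return the matching certificate, or null
     */
    protected X509Certificate findCertFromSubjectNames(List<X509Certificate> list, List<X509SubjectName> list2) {
        for (X509SubjectName x509SubjectName : list2) {
            if (!DatatypeHelper.isEmpty(x509SubjectName.getValue())) {
                try {
                    X500Principal parse = this.x500DNHandler.parse(x509SubjectName.getValue());
                    for (X509Certificate x509Certificate : list) {
                        if (x509Certificate.getSubjectX500Principal().equals(parse)) {
                            return x509Certificate;
                        }
                    }
                } catch (IllegalArgumentException e) {
                    this.log.warn("X500 subject name '{}' could not be parsed by configured X500DNHandler '{}'", x509SubjectName.getValue(), this.x500DNHandler.getClass().getName());
                    return null;
                }
            }
        }
        return null;
    }

    /**
     * Find the first certificate whose issuer DN and serial number equal one of the given
     * {@code X509IssuerSerial} hints.
     *
     * <p>Hints missing either child, or with an empty issuer name, are skipped. An issuer name the
     * configured {@link X500DNHandler} cannot parse aborts this strategy (returns null). A null serial in
     * the hint cannot match ({@code BigInteger.equals(null)} is false).</p>
     *
     * @param list the candidate certificates
     * @param list2 the {@code X509IssuerSerial} hints
     * @return the matching certificate, or null
     */
    protected X509Certificate findCertFromIssuerSerials(List<X509Certificate> list, List<X509IssuerSerial> list2) {
        for (X509IssuerSerial x509IssuerSerial : list2) {
            if (x509IssuerSerial.getX509IssuerName() != null && x509IssuerSerial.getX509SerialNumber() != null) {
                String value = x509IssuerSerial.getX509IssuerName().getValue();
                BigInteger value2 = x509IssuerSerial.getX509SerialNumber().getValue();
                if (DatatypeHelper.isEmpty(value)) {
                    continue;
                } else {
                    try {
                        X500Principal parse = this.x500DNHandler.parse(value);
                        for (X509Certificate x509Certificate : list) {
                            if (x509Certificate.getIssuerX500Principal().equals(parse) && x509Certificate.getSerialNumber().equals(value2)) {
                                return x509Certificate;
                            }
                        }
                    } catch (IllegalArgumentException e) {
                        this.log.warn("X500 issuer name '{}' could not be parsed by configured X500DNHandler '{}'", value, this.x500DNHandler.getClass().getName());
                        return null;
                    }
                }
            }
        }
        return null;
    }

    /**
     * Find the first certificate whose Subject Key Identifier extension equals one of the given
     * (base64-encoded) {@code X509SKI} values.
     *
     * <p>Certificates without an SKI extension never match. If {@code Base64.decode} yields null for a
     * malformed hint, {@code Arrays.equals(null, ...)} is false, so the hint simply does not match —
     * NOTE(review): confirm that the project's Base64 returns null rather than throwing on bad input.</p>
     *
     * @param list the candidate certificates
     * @param list2 the {@code X509SKI} hints
     * @return the matching certificate, or null
     */
    protected X509Certificate findCertFromSubjectKeyIdentifier(List<X509Certificate> list, List<X509SKI> list2) {
        for (X509SKI x509ski : list2) {
            if (!DatatypeHelper.isEmpty(x509ski.getValue())) {
                byte[] decode = Base64.decode(x509ski.getValue());
                for (X509Certificate x509Certificate : list) {
                    byte[] subjectKeyIdentifier = X509Util.getSubjectKeyIdentifier(x509Certificate);
                    if (subjectKeyIdentifier != null && Arrays.equals(decode, subjectKeyIdentifier)) {
                        return x509Certificate;
                    }
                }
            }
        }
        return null;
    }

    /**
     * Find the first certificate whose digest (computed with the algorithm named by the hint) equals one of
     * the given (base64-encoded) {@code X509Digest} values.
     *
     * <p>Non-{@code X509Digest} objects and empty values are skipped. A certificate whose digest cannot be
     * computed for the hinted algorithm (e.g. an unsupported or attacker-chosen algorithm URI) is logged at
     * debug level and treated as a non-match rather than failing the whole resolution. The comparison
     * is a plain {@code Arrays.equals}; it selects among already-supplied certificates and is not a
     * secret comparison, so constant-time equality is not required here.</p>
     *
     * @param list the candidate certificates
     * @param list2 the children of {@code X509Data} named {@code X509Digest}
     * @return the matching certificate, or null
     */
    protected X509Certificate findCertFromDigest(List<X509Certificate> list, List<XMLObject> list2) {
        for (XMLObject xMLObject : list2) {
            if (xMLObject instanceof X509Digest) {
                X509Digest x509Digest = (X509Digest) xMLObject;
                if (DatatypeHelper.isEmpty(x509Digest.getValue())) {
                    continue;
                } else {
                    byte[] decode = Base64.decode(x509Digest.getValue());
                    for (X509Certificate x509Certificate : list) {
                        try {
                            byte[] x509Digest2 = X509Util.getX509Digest(x509Certificate, x509Digest.getAlgorithm());
                            if (x509Digest2 != null && Arrays.equals(decode, x509Digest2)) {
                                return x509Certificate;
                            }
                        } catch (SecurityException e) {
                            // Treat as "no match" for this certificate, but do not hide the cause:
                            // an unsupported digest algorithm here is worth seeing when debugging.
                            this.log.debug("Could not compute digest of certificate with algorithm '{}', treating as non-match", x509Digest.getAlgorithm(), e);
                        }
                    }
                }
            }
        }
        return null;
    }
}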
