package org.opensaml.xml.security.x509;

import java.security.GeneralSecurityException;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.opensaml.xml.security.SecurityException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:wlp/lib/com.ibm.ws.org.opensaml.xmltooling.1.3.4_1.0.3.jar:org/opensaml/xml/security/x509/CertPathPKIXTrustEvaluator.class */
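/**
 * Trust evaluator that validates an untrusted {@link X509Credential} by building a PKIX
 * certification path from its entity certificate to one of the trust anchors supplied in the
 * {@link PKIXValidationInformation}, using the JDK "PKIX" {@link CertPathBuilder}.
 *
 * <p>Revocation checking is driven by the CRLs the evaluator manages to put into the cert store.
 * Unless the configured options are a {@link CertPathPKIXValidationOptions} with
 * {@code isForceRevocationEnabled()} set, revocation checking is switched on only when at least
 * one usable CRL was added; with no CRLs the path is accepted without any revocation check
 * (fail-open). Deployments that must never skip revocation checking should force it through the
 * options rather than rely on CRL availability.</p>
 */
public class CertPathPKIXTrustEvaluator implements PKIXTrustEvaluator {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(CertPathPKIXTrustEvaluator.class);

    /** Renders X.500 names for log output; never null. */
    private X500DNHandler x500DNHandler;

    /** Options governing verification depth and CRL handling; never null. */
    private PKIXValidationOptions options;

    /** Constructor using default {@link PKIXValidationOptions}. */
    public CertPathPKIXTrustEvaluator() {
        this(new PKIXValidationOptions());
    }

    /**
     * Constructor.
     *
     * @param pKIXValidationOptions the validation options to use, may not be null
     * @throws IllegalArgumentException if the options are null
     */
    public CertPathPKIXTrustEvaluator(PKIXValidationOptions pKIXValidationOptions) {
        if (pKIXValidationOptions == null) {
            throw new IllegalArgumentException("PKIXValidationOptions may not be null");
        }
        this.options = pKIXValidationOptions;
        this.x500DNHandler = new InternalX500DNHandler();
    }

    /** {@inheritDoc} */
    @Override
    public PKIXValidationOptions getPKIXValidationOptions() {
        return options;
    }

    /**
     * Sets the validation options.
     *
     * @param pKIXValidationOptions the new options, may not be null
     * @throws IllegalArgumentException if the options are null
     */
    public void setPKIXValidationOptions(PKIXValidationOptions pKIXValidationOptions) {
        if (pKIXValidationOptions == null) {
            throw new IllegalArgumentException("PKIXValidationOptions may not be null");
        }
        options = pKIXValidationOptions;
    }

    /**
     * Gets the handler used to render X.500 distinguished names in log messages.
     *
     * @return the current handler, never null
     */
    public X500DNHandler getX500DNHandler() {
        return x500DNHandler;
    }

    /**
     * Sets the handler used to render X.500 distinguished names in log messages.
     *
     * @param x500DNHandler the new handler, may not be null
     * @throws IllegalArgumentException if the handler is null
     */
    public void setX500DNHandler(X500DNHandler x500DNHandler) {
        if (x500DNHandler == null) {
            throw new IllegalArgumentException("X500DNHandler may not be null");
        }
        this.x500DNHandler = x500DNHandler;
    }

    /**
     * Validates the untrusted credential by attempting to build a PKIX path from its entity
     * certificate to one of the supplied trust anchors.
     *
     * @param pKIXValidationInformation trust anchors, CRLs and verification depth to validate against
     * @param x509Credential the untrusted credential under evaluation
     * @return true if a certification path was built, false if the "PKIX" builder could not
     *         construct one (reported as a {@link CertPathBuilderException})
     * @throws SecurityException on any other {@link GeneralSecurityException}, including the
     *         absence of usable trust anchors
     */
    @Override
    public boolean validate(PKIXValidationInformation pKIXValidationInformation, X509Credential x509Credential)
            throws SecurityException {
        if (log.isDebugEnabled()) {
            log.debug("Attempting PKIX path validation on untrusted credential: {}",
                    X509Util.getIdentifiersToken(x509Credential, x500DNHandler));
        }
        try {
            PKIXBuilderParameters builderParams = getPKIXBuilderParameters(pKIXValidationInformation, x509Credential);
            log.trace("Building certificate validation path");
            PKIXCertPathBuilderResult buildResult =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(builderParams);
            if (log.isDebugEnabled()) {
                logCertPathDebug(buildResult, x509Credential.getEntityCertificate());
                log.debug("PKIX validation succeeded for untrusted credential: {}",
                        X509Util.getIdentifiersToken(x509Credential, x500DNHandler));
            }
            return true;
        } catch (CertPathBuilderException e) {
            // A path-construction failure is the normal "not trusted" outcome, not an error in the
            // evaluator itself; the full exception is only emitted at trace level.
            if (log.isTraceEnabled()) {
                log.trace("PKIX path construction failed for untrusted credential: "
                        + X509Util.getIdentifiersToken(x509Credential, x500DNHandler), e);
            } else {
                log.error("PKIX path construction failed for untrusted credential: "
                        + X509Util.getIdentifiersToken(x509Credential, x500DNHandler) + ": " + e.getMessage());
            }
            return false;
        } catch (GeneralSecurityException e) {
            log.error("PKIX validation failure", e);
            throw new SecurityException("PKIX validation failure", e);
        }
    }

    /**
     * Builds the parameters handed to the PKIX path builder: trust anchors, a selector targeting the
     * credential's entity certificate, the maximum path length, a cert store holding the credential's
     * chain plus any usable CRLs, and the revocation-checking flag.
     *
     * <p>Revocation checking is forced on or off when the options are a
     * {@link CertPathPKIXValidationOptions} with {@code isForceRevocationEnabled()}; otherwise it is
     * enabled exactly when the cert store contains at least one CRL. Note that this means a missing
     * or discarded CRL silently disables revocation checking for the path.</p>
     *
     * @param pKIXValidationInformation the PKIX validation information
     * @param x509Credential the untrusted credential
     * @return the populated builder parameters
     * @throws GeneralSecurityException if no trust anchors are available, no verification depth can
     *         be determined, or the cert store cannot be created
     */
    protected PKIXBuilderParameters getPKIXBuilderParameters(PKIXValidationInformation pKIXValidationInformation,
            X509Credential x509Credential) throws GeneralSecurityException {
        Set<TrustAnchor> trustAnchors = getTrustAnchors(pKIXValidationInformation);
        if (trustAnchors == null || trustAnchors.isEmpty()) {
            throw new GeneralSecurityException(
                    "Unable to validate X509 certificate, no trust anchors found in the PKIX validation information");
        }

        X509CertSelector targetSelector = new X509CertSelector();
        targetSelector.setCertificate(x509Credential.getEntityCertificate());

        log.trace("Adding trust anchors to PKIX validator parameters");
        PKIXBuilderParameters builderParams = new PKIXBuilderParameters(trustAnchors, targetSelector);

        Integer depth = getEffectiveVerificationDepth(pKIXValidationInformation);
        if (depth == null) {
            // Previously an NPE escaped validate() here; surface it as a validation failure instead.
            throw new GeneralSecurityException(
                    "Unable to validate X509 certificate, no verification depth available from the PKIX validation information or the default options");
        }
        log.trace("Setting max verification depth to: {} ", depth);
        builderParams.setMaxPathLength(depth.intValue());

        CertStore certStore = buildCertStore(pKIXValidationInformation, x509Credential);
        builderParams.addCertStore(certStore);

        boolean forceRevocation = false;
        boolean forcedRevocationValue = false;
        if (options instanceof CertPathPKIXValidationOptions) {
            CertPathPKIXValidationOptions certPathOptions = (CertPathPKIXValidationOptions) options;
            forceRevocation = certPathOptions.isForceRevocationEnabled();
            forcedRevocationValue = certPathOptions.isRevocationEnabled();
        }

        if (forceRevocation) {
            log.trace("PKIXBuilderParameters#setRevocationEnabled is being forced to: {}",
                    Boolean.valueOf(forcedRevocationValue));
            builderParams.setRevocationEnabled(forcedRevocationValue);
        } else if (storeContainsCRLs(certStore)) {
            log.trace("At least one CRL was present in cert store, enabling revocation checking");
            builderParams.setRevocationEnabled(true);
        } else {
            // Fail-open: without a forced setting and without CRLs, no revocation check is performed.
            log.trace("No CRLs present in cert store, disabling revocation checking");
            builderParams.setRevocationEnabled(false);
        }

        return builderParams;
    }

    /**
     * Checks whether the cert store holds at least one CRL.
     *
     * <p>A {@link CertStoreException} while querying the store is logged and treated as "no CRLs",
     * which in turn disables revocation checking in {@link #getPKIXBuilderParameters}; the store built
     * here is an in-memory Collection store, for which such a failure is not expected.</p>
     *
     * @param certStore the cert store to examine
     * @return true if the store returned a non-empty CRL collection
     */
    protected boolean storeContainsCRLs(CertStore certStore) {
        try {
            Collection<? extends CRL> crls = certStore.getCRLs(null);
            return crls != null && !crls.isEmpty();
        } catch (CertStoreException e) {
            log.error("Error examining cert store for CRL's, treating as if no CRL's present", e);
            return false;
        }
    }

    /**
     * Gets the verification depth to use: the one carried by the validation information, or the
     * options' default when the former is null.
     *
     * @param pKIXValidationInformation the PKIX validation information
     * @return the effective depth, which may still be null if neither source provides one
     */
    protected Integer getEffectiveVerificationDepth(PKIXValidationInformation pKIXValidationInformation) {
        Integer depth = pKIXValidationInformation.getVerificationDepth();
        if (depth == null) {
            depth = options.getDefaultVerificationDepth();
        }
        return depth;
    }

    /**
     * Builds one {@link TrustAnchor} per certificate in the validation information.
     *
     * @param pKIXValidationInformation the PKIX validation information
     * @return the trust anchors; empty (never null) if no certificates are available, which the
     *         caller reports as a validation failure
     */
    protected Set<TrustAnchor> getTrustAnchors(PKIXValidationInformation pKIXValidationInformation) {
        log.trace("Constructing trust anchors for PKIX validation");
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        Collection<X509Certificate> anchorCerts = pKIXValidationInformation.getCertificates();
        if (anchorCerts == null) {
            // Used to NPE; an empty set lets getPKIXBuilderParameters raise the "no trust anchors" error.
            log.trace("PKIX validation information contained no certificates");
            return anchors;
        }
        for (X509Certificate cert : anchorCerts) {
            anchors.add(buildTrustAnchor(cert));
        }
        if (log.isTraceEnabled()) {
            for (TrustAnchor anchor : anchors) {
                log.trace("TrustAnchor: {}", anchor.toString());
            }
        }
        return anchors;
    }

    /**
     * Builds a trust anchor for a certificate, with no name constraints.
     *
     * @param x509Certificate the anchor certificate
     * @return the trust anchor
     */
    protected TrustAnchor buildTrustAnchor(X509Certificate x509Certificate) {
        return new TrustAnchor(x509Certificate, null);
    }

    /**
     * Creates an in-memory Collection cert store holding the credential's entity certificate chain
     * plus the CRLs from the validation information and (if {@code options.isProcessCredentialCRLs()})
     * from the credential itself, filtered by {@link #addCRLsToStoreMaterial}.
     *
     * @param pKIXValidationInformation the PKIX validation information
     * @param x509Credential the untrusted credential
     * @return the populated cert store
     * @throws GeneralSecurityException if the credential carries no certificate chain, or the
     *         "Collection" cert store cannot be instantiated
     */
    protected CertStore buildCertStore(PKIXValidationInformation pKIXValidationInformation,
            X509Credential x509Credential) throws GeneralSecurityException {
        log.trace("Creating cert store to use during path validation");

        Collection<X509Certificate> chain = x509Credential.getEntityCertificateChain();
        if (chain == null) {
            // Used to NPE; without the chain the builder cannot locate the target certificate anyway.
            throw new GeneralSecurityException(
                    "Unable to validate X509 certificate, untrusted credential has no entity certificate chain");
        }

        log.trace("Adding entity certificate chain to cert store");
        List<Object> storeMaterial = new ArrayList<Object>(chain);
        if (log.isTraceEnabled()) {
            for (X509Certificate cert : chain) {
                log.trace(String.format(
                        "Added X509Certificate from entity cert chain to cert store with subject name '%s' issued by '%s' with serial number '%s'",
                        x500DNHandler.getName(cert.getSubjectX500Principal()),
                        x500DNHandler.getName(cert.getIssuerX500Principal()),
                        cert.getSerialNumber().toString()));
            }
        }

        // A single "now" is used for every CRL expiry decision in this validation run.
        Date now = new Date();

        Collection<X509CRL> infoCRLs = pKIXValidationInformation.getCRLs();
        if (infoCRLs != null && !infoCRLs.isEmpty()) {
            log.trace("Processing CRL's from PKIX info set");
            addCRLsToStoreMaterial(storeMaterial, infoCRLs, now);
        }

        Collection<X509CRL> credentialCRLs = x509Credential.getCRLs();
        if (credentialCRLs != null && !credentialCRLs.isEmpty() && options.isProcessCredentialCRLs()) {
            log.trace("Processing CRL's from untrusted credential");
            addCRLsToStoreMaterial(storeMaterial, credentialCRLs, now);
        }

        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeMaterial));
    }

    /**
     * Adds CRLs to the cert store material, skipping empty CRLs unless
     * {@code options.isProcessEmptyCRLs()} and skipping CRLs whose {@code nextUpdate} is before
     * {@code date} unless {@code options.isProcessExpiredCRLs()}.
     *
     * <p>{@code nextUpdate} is optional in the CRL structure (RFC 5280 requires conforming issuers to
     * include it, but the field may be absent). A CRL without it previously caused a
     * {@link NullPointerException} that escaped {@link #validate}; it is now treated as having no
     * stated expiry (not expired) and a warning is logged, because its freshness cannot be checked.</p>
     *
     * @param list the store material being accumulated
     * @param collection the CRLs to consider
     * @param date the point in time against which CRL expiry is judged
     */
    protected void addCRLsToStoreMaterial(List<Object> list, Collection<X509CRL> collection, Date date) {
        for (X509CRL crl : collection) {
            Set<?> revokedEntries = crl.getRevokedCertificates();
            boolean isEmpty = revokedEntries == null || revokedEntries.isEmpty();

            Date nextUpdate = crl.getNextUpdate();
            boolean isExpired = nextUpdate != null && nextUpdate.before(date);

            if (isEmpty && !options.isProcessEmptyCRLs()) {
                if (log.isTraceEnabled()) {
                    log.trace("Empty X509CRL not added to cert store, from issuer {} dated {}",
                            issuerName(crl), crl.getThisUpdate());
                }
                continue;
            }

            if (isExpired && !options.isProcessExpiredCRLs()) {
                if (log.isTraceEnabled()) {
                    log.trace("Expired X509CRL not added to cert store, from issuer {} nextUpdate {}",
                            issuerName(crl), nextUpdate);
                }
                continue;
            }

            list.add(crl);

            if (log.isTraceEnabled()) {
                log.trace("Added X509CRL to cert store from issuer {} dated {}", issuerName(crl), crl.getThisUpdate());
                if (isEmpty) {
                    log.trace("X509CRL added to cert store from issuer {} dated {} was empty",
                            issuerName(crl), crl.getThisUpdate());
                }
            }

            if (nextUpdate == null) {
                log.warn("Using X509CRL from issuer {} with no nextUpdate; its freshness cannot be checked",
                        issuerName(crl));
            } else if (isExpired) {
                log.warn("Using X509CRL from issuer {} with a nextUpdate in the past: {}", issuerName(crl), nextUpdate);
            }
        }
    }

    /**
     * Renders a CRL's issuer name for logging.
     *
     * @param crl the CRL
     * @return the issuer name as produced by the configured {@link X500DNHandler}
     */
    private String issuerName(X509CRL crl) {
        return x500DNHandler.getName(crl.getIssuerX500Principal());
    }

    /**
     * Logs, at debug level, the target certificate, each certificate of the built path, and the
     * trust anchor that terminated it.
     *
     * @param pKIXCertPathBuilderResult the builder result
     * @param x509Certificate the target (entity) certificate
     */
    private void logCertPathDebug(PKIXCertPathBuilderResult pKIXCertPathBuilderResult, X509Certificate x509Certificate) {
        log.debug("Built valid PKIX cert path");
        log.debug("Target certificate: {}", x500DNHandler.getName(x509Certificate.getSubjectX500Principal()));

        for (Certificate pathCert : pKIXCertPathBuilderResult.getCertPath().getCertificates()) {
            log.debug("CertPath certificate: {}",
                    x500DNHandler.getName(((X509Certificate) pathCert).getSubjectX500Principal()));
        }

        TrustAnchor anchor = pKIXCertPathBuilderResult.getTrustAnchor();
        if (anchor.getTrustedCert() != null) {
            log.debug("TrustAnchor: {}", x500DNHandler.getName(anchor.getTrustedCert().getSubjectX500Principal()));
        } else if (anchor.getCA() != null) {
            log.debug("TrustAnchor: {}", x500DNHandler.getName(anchor.getCA()));
        } else {
            log.debug("TrustAnchor: {}", anchor.getCAName());
        }
    }
}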
