package eu.unicore.samly2.trust;

import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.SAMLUtils;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.w3.x2000.x09.xmldsig.SignatureType;

/* loaded from: input_file:eu/unicore/samly2/trust/StrictSamlTrustChecker.class */
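public class StrictSamlTrustChecker extends DsigSamlTrustCheckerBase {
    /** Separates the issuer name format from the issuer name inside {@link #trustedIssuers} keys. */
    private static final String ISSUER_KEY_SEPARATOR = "--_--";

    /**
     * Issuer key (format + separator + normalised name, see {@link #issuerKey(String, String)})
     * mapped to the public keys allowed to sign artifacts of that issuer.
     * <p>
     * This map is the whole trust root of the checker: {@link #establishKey} only ever returns a key
     * taken from here, so certificate material carried inside a signature can never add trust on its own.
     */
    protected Map<String, List<PublicKey>> trustedIssuers = new HashMap<>();

    /**
     * Registers a single trusted signing key for an issuer.
     *
     * @param str       issuer name; for {@link SAMLConstants#NFORMAT_DN} it is stored in comparable (normalised) form
     * @param str2      issuer name format ({@code SAMLConstants.NFORMAT_*}); may be {@code null}, which is stored
     *                  under the literal {@code "null"} prefix and matches issuers without a format attribute
     * @param publicKey the key allowed to sign artifacts from that issuer
     */
    public void addTrustedIssuer(String str, String str2, PublicKey publicKey) {
        addTrustedIssuer(str, str2, Collections.singletonList(publicKey));
    }

    /**
     * Registers a set of trusted signing keys for an issuer, replacing any previously registered set
     * for the same format/name pair.
     *
     * @param str  issuer name; for {@link SAMLConstants#NFORMAT_DN} it is stored in comparable (normalised) form
     * @param str2 issuer name format ({@code SAMLConstants.NFORMAT_*}); may be {@code null}, see the single-key overload
     * @param list keys allowed to sign artifacts from that issuer; copied, so later changes by the caller have no effect
     * @throws IllegalArgumentException if {@code list} is {@code null} or empty
     */
    public void addTrustedIssuer(String str, String str2, List<PublicKey> list) {
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("Must have a non empty set of trusted keys");
        }
        // DN issuers are keyed by their comparable form so that equivalent DN spellings map to the same entry;
        // getIssuerKey applies the same normalisation on lookup.
        String issuerName = SAMLConstants.NFORMAT_DN.equals(str2) ? X500NameUtils.getComparableForm(str) : str;
        // Snapshot the caller's list: mutating it afterwards must not silently widen or shrink the trust set.
        this.trustedIssuers.put(issuerKey(str2, issuerName), new ArrayList<>(list));
    }

    /**
     * Selects the trusted public key to verify a signature with.
     * <p>
     * The issuer name is resolved to its registered key set. If the signature carries no certificate, the
     * registered key is used only when it is unambiguous (exactly one). If it does carry a certificate, that
     * certificate is used purely to pick one of the registered keys; a certificate whose key is not registered
     * is rejected, so the signature's own KeyInfo never widens trust.
     *
     * @param nameIDType    issuer of the signed artifact
     * @param signatureType the XML signature whose key is to be established
     * @return a key from {@link #trustedIssuers} registered for the issuer
     * @throws SAMLValidationException if the issuer is missing or untrusted, the registered key is ambiguous,
     *                                 or the certificate in the signature is not among the trusted keys
     */
    @Override // eu.unicore.samly2.trust.DsigSamlTrustCheckerBase
    protected PublicKey establishKey(NameIDType nameIDType, SignatureType signatureType) throws SAMLValidationException {
        if (nameIDType == null) {
            throw new SAMLValidationException("Issuer must be set when SAML artifact is signed");
        }
        List<PublicKey> publicKeys = getPublicKeys(nameIDType);
        X509Certificate[] issuerFromSignature = SAMLUtils.getIssuerFromSignature(signatureType);
        // An empty certificate array is treated like a missing one instead of failing on issuerFromSignature[0].
        if (issuerFromSignature == null || issuerFromSignature.length == 0) {
            if (publicKeys.size() == 1) {
                return publicKeys.get(0);
            }
            throw new SAMLValidationException("Issuer certificate is not set and the issuer '" + nameIDType.getStringValue() + "' has several trusted public keys - it is undefined which was used for signing.");
        }
        // Only the first certificate is considered (the signer's); the rest of the chain is not consulted here.
        PublicKey signatureKey = issuerFromSignature[0].getPublicKey();
        for (PublicKey trusted : publicKeys) {
            if (trusted.equals(signatureKey)) {
                return trusted;
            }
        }
        throw new SAMLValidationException("Issuer certificate is not among trusted certificates for the issuer'" + nameIDType.getStringValue() + "' Untrusted issuer certificate subject is: " + X500NameUtils.getReadableForm(issuerFromSignature[0].getSubjectX500Principal()));
    }

    /**
     * Looks up the registered keys for an issuer.
     *
     * @param nameIDType issuer of the signed artifact
     * @return the keys registered via {@link #addTrustedIssuer}; never empty
     * @throws SAMLValidationException if the issuer format is unknown or the issuer was never registered
     */
    protected List<PublicKey> getPublicKeys(NameIDType nameIDType) throws SAMLValidationException {
        List<PublicKey> keys = this.trustedIssuers.get(getIssuerKey(nameIDType));
        if (keys == null) {
            throw new SAMLValidationException("The issuer of the SAML artifact is not trusted: " + nameIDType.getStringValue());
        }
        return keys;
    }

    /**
     * Builds the {@link #trustedIssuers} key for an issuer, using the same normalisation as
     * {@link #addTrustedIssuer}. Names are compared exactly except for DN issuers, which are
     * normalised to comparable form first.
     *
     * @param nameIDType issuer of the signed artifact
     * @return the map key for the issuer
     * @throws SAMLValidationException if the issuer name format is not one of the supported formats
     */
    protected String getIssuerKey(NameIDType nameIDType) throws SAMLValidationException {
        String format = nameIDType.getFormat();
        String name = nameIDType.getStringValue();
        if (format == null || format.equals(SAMLConstants.NFORMAT_ENTITY) || format.equals(SAMLConstants.NFORMAT_PERSISTENT) || format.equals(SAMLConstants.NFORMAT_UNSPEC) || format.equals(SAMLConstants.NFORMAT_EMAIL)) {
            return issuerKey(format, name);
        }
        if (SAMLConstants.NFORMAT_DN.equals(format)) {
            return issuerKey(format, X500NameUtils.getComparableForm(name));
        }
        throw new SAMLValidationException("Issuer name format is unknown: " + format);
    }

    /**
     * Composes the map key; a {@code null} format yields the literal {@code "null"} prefix, on both the
     * registration and the lookup path.
     */
    private static String issuerKey(String format, String name) {
        return format + ISSUER_KEY_SEPARATOR + name;
    }
}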
