package eu.unicore.samly2.trust;

import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.samly2.SAMLUtils;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.security.dsig.IdAttribute;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.w3.x2000.x09.xmldsig.SignatureType;

/* loaded from: input_file:eu/unicore/samly2/trust/PKISamlTrustChecker.class */
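public class PKISamlTrustChecker extends DsigSamlTrustCheckerBase {
    /** Validates the certificate chain found in a signature's KeyInfo against the configured trust anchors. */
    protected X509CertChainValidator validator;
    /** When {@code true}, a document whose signature is absent or nil is accepted without any verification. */
    protected boolean allowUnsigned;

    /**
     * Creates a PKI-based trust checker: a signature is trusted when the certificate chain it
     * carries validates under {@code x509CertChainValidator}.
     *
     * @param x509CertChainValidator validator applied to the chain taken from the signature's KeyInfo
     * @param z whether documents with an absent or nil signature are accepted (see {@link #isCorrectlySigned})
     */
    public PKISamlTrustChecker(X509CertChainValidator x509CertChainValidator, boolean z) {
        this.validator = x509CertChainValidator;
        this.allowUnsigned = z;
    }

    /**
     * Same as {@code PKISamlTrustChecker(x509CertChainValidator, false)}: a signature is mandatory.
     *
     * @param x509CertChainValidator validator applied to the chain taken from the signature's KeyInfo
     */
    public PKISamlTrustChecker(X509CertChainValidator x509CertChainValidator) {
        this(x509CertChainValidator, false);
    }

    /**
     * Reads the signer's certificate chain from the signature and returns the public key of its
     * first certificate, provided the whole chain validates against the trust store.
     * <p>
     * NOTE(review): {@code nameIDType} (the SAML Issuer) is not consulted here, so any
     * certificate chaining to a trusted CA is accepted as the signer regardless of the issuer
     * name. Binding the issuer to a particular certificate, if required, must happen elsewhere.
     *
     * @param nameIDType SAML Issuer of the signed element; unused by this implementation
     * @param signatureType XML signature whose KeyInfo is expected to carry the certificate chain
     * @return the public key of the first certificate in the chain (presumably the end-entity
     *         certificate, following the validator's chain ordering)
     * @throws SAMLValidationException if the signature carries no certificate, or the chain is
     *         not issued by a trusted CA
     */
    @Override // eu.unicore.samly2.trust.DsigSamlTrustCheckerBase
    protected PublicKey establishKey(NameIDType nameIDType, SignatureType signatureType) throws SAMLValidationException {
        X509Certificate[] chain = SAMLUtils.getIssuerFromSignature(signatureType);
        // An empty array is rejected too: otherwise chain[0] below would fail with an
        // ArrayIndexOutOfBoundsException instead of a meaningful validation error.
        if (chain == null || chain.length == 0) {
            throw new SAMLValidationException("Issuer certificate is not set - it is impossible to verify the signature.");
        }
        ValidationResult result = this.validator.validate(chain);
        if (!result.isValid()) {
            throw new SAMLValidationException("Issuer certificate is not issued by a trusted CA: "
                    + X500NameUtils.getReadableForm(chain[0].getSubjectX500Principal())
                    + " Cause: " + result.toShortString());
        }
        return chain[0].getPublicKey();
    }

    /**
     * @return {@code true} unless unsigned documents were explicitly allowed at construction
     */
    @Override // eu.unicore.samly2.trust.DsigSamlTrustCheckerBase, eu.unicore.samly2.trust.SamlTrustChecker
    public boolean isSignatureRequired() {
        return !this.allowUnsigned;
    }

    /**
     * Verifies the signature as the base class does, except that an absent or nil signature is
     * accepted outright when unsigned documents are allowed.
     * <p>
     * In that case no check at all is performed on {@code document}: the caller relies entirely
     * on the {@code allowUnsigned} configuration, not on any property of the input.
     *
     * @param document the signed DOM document
     * @param publicKey key established by {@link #establishKey}
     * @param signatureType signature to verify; may be {@code null} or nil
     * @param list elements expected to be covered by the signature
     * @param idAttribute attribute used to resolve signed element references
     * @throws SAMLValidationException if the signature is required and fails verification
     */
    @Override // eu.unicore.samly2.trust.DsigSamlTrustCheckerBase
    public void isCorrectlySigned(Document document, PublicKey publicKey, SignatureType signatureType, List<Element> list, IdAttribute idAttribute) throws SAMLValidationException {
        boolean signatureMissing = signatureType == null || signatureType.isNil();
        if (this.allowUnsigned && signatureMissing) {
            return;
        }
        super.isCorrectlySigned(document, publicKey, signatureType, list, idAttribute);
    }
}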
