package org.opensaml.spring.trust;

import java.io.IOException;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.shared.annotation.constraint.NotLive;
import net.shibboleth.shared.annotation.constraint.Unmodifiable;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import net.shibboleth.shared.resource.Resource;
import net.shibboleth.shared.spring.factory.AbstractComponentAwareFactoryBean;
import org.opensaml.security.x509.PKIXTrustEvaluator;
import org.opensaml.security.x509.X509Support;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator;
import org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator;
import org.opensaml.security.x509.impl.CertPathPKIXValidationOptions;
import org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;
import org.opensaml.security.x509.impl.X509CredentialNameEvaluator;
import org.slf4j.Logger;
import org.springframework.beans.FatalBeanException;

/* loaded from: input_file:org/opensaml/spring/trust/StaticPKIXFactoryBean.class */
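/**
 * Spring factory bean that builds a {@link PKIXX509CredentialTrustEngine} from statically configured
 * trust material: certificate resources, optional CRL resources, an optional verification depth and
 * an optional set of trusted names.
 *
 * <p>Trust material is decoded when the engine is created. A resource that cannot be read or decoded
 * aborts bean creation with a {@link FatalBeanException} instead of being skipped, so a damaged trust
 * store never yields a silently reduced set of certificates or CRLs.</p>
 */
public class StaticPKIXFactoryBean extends AbstractComponentAwareFactoryBean<PKIXX509CredentialTrustEngine> {

    /** Resources holding the configured certificates; {@code null} when none were set. */
    @Nullable
    private List<Resource> certificateResources;

    /** Resources holding the configured CRLs; {@code null} when none were set. */
    @Nullable
    private List<Resource> crlResources;

    /** Verification depth handed to the validation information; {@code null} when not set. */
    @Nullable
    private Integer verifyDepth;

    /** Trusted names handed to the validation information resolver; {@code null} when not set. */
    @Nullable
    private Set<String> trustedNames;

    /** Explicitly configured trust evaluator; a {@link CertPathPKIXTrustEvaluator} is used when {@code null}. */
    @Nullable
    private PKIXTrustEvaluator trustEvaluator;

    /** Explicitly configured name evaluator; see {@link #m17doCreateInstance()} for the fallback. */
    @Nullable
    private X509CredentialNameEvaluator credentialNameEvaluator;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(StaticPKIXFactoryBean.class);

    /** Whether name checking is enabled; defaults to {@code true}. */
    private boolean checkNames = true;

    /**
     * Returns the type of object this factory produces.
     *
     * @return {@code PKIXX509CredentialTrustEngine.class}
     */
    @Nonnull
    public Class<?> getObjectType() {
        return PKIXX509CredentialTrustEngine.class;
    }

    /**
     * Sets the resources from which certificates are decoded.
     *
     * @param list certificate resources, or {@code null} for none
     */
    public void setCertificates(@Nullable List<Resource> list) {
        this.certificateResources = list;
    }

    /**
     * Sets the resources from which CRLs are decoded.
     *
     * @param list CRL resources, or {@code null} for none
     */
    public void setCRLs(@Nullable List<Resource> list) {
        this.crlResources = list;
    }

    /**
     * Sets the verification depth passed to the validation information.
     *
     * @param num the depth, or {@code null} to leave it unset
     */
    public void setVerifyDepth(@Nullable Integer num) {
        this.verifyDepth = num;
    }

    /**
     * Sets whether name checking is enabled.
     *
     * <p>When this is {@code false} and no name evaluator was supplied through
     * {@link #setCredentialNameEvaluator(X509CredentialNameEvaluator)}, the trust engine is constructed
     * with a {@code null} name evaluator. NOTE(review): that presumably means presented credentials are
     * not matched against the trusted names at all - confirm against PKIXX509CredentialTrustEngine
     * before disabling this in a deployment.</p>
     *
     * @param z {@code true} to check names
     */
    public void setCheckNames(boolean z) {
        this.checkNames = z;
    }

    /**
     * Sets the trusted names. The collection is copied, so later changes by the caller have no effect.
     *
     * @param collection the trusted names, or {@code null} for none
     */
    public void setTrustedNames(@Nullable Collection<String> collection) {
        this.trustedNames = collection != null ? CollectionSupport.copyToSet(collection) : null;
    }

    /**
     * Sets the trust evaluator to use in place of the default {@link CertPathPKIXTrustEvaluator}.
     *
     * @param pKIXTrustEvaluator the evaluator, or {@code null} for the default
     */
    public void setTrustEvaluator(@Nullable PKIXTrustEvaluator pKIXTrustEvaluator) {
        this.trustEvaluator = pKIXTrustEvaluator;
    }

    /**
     * Sets the credential name evaluator to use in place of the default.
     *
     * @param x509CredentialNameEvaluator the evaluator, or {@code null} for the default
     */
    public void setCredentialNameEvaluator(@Nullable X509CredentialNameEvaluator x509CredentialNameEvaluator) {
        this.credentialNameEvaluator = x509CredentialNameEvaluator;
    }

    /**
     * Decodes every configured certificate resource.
     *
     * @return the decoded certificates, empty when no certificate resources were configured
     * @throws FatalBeanException if a resource cannot be read or does not decode as certificates
     */
    @Unmodifiable
    @Nonnull
    @NotLive
    protected List<X509Certificate> getCertificates() {
        // Work on a local copy of the reference so the null check and the loop see the same list.
        final List<Resource> resources = this.certificateResources;
        if (resources == null) {
            return CollectionSupport.emptyList();
        }
        final List<X509Certificate> certificates = new ArrayList<>(resources.size());
        for (final Resource resource : resources) {
            // try-with-resources closes the stream on the failure path too; the previous form only
            // closed it after a successful decode.
            try (InputStream inputStream = resource.getInputStream()) {
                certificates.addAll(X509Support.decodeCertificates(inputStream));
            } catch (IOException | CertificateException e) {
                this.log.error("Could not decode Certificate at {}: {}", resource.getDescription(), e.getMessage());
                throw new FatalBeanException("Could not decode provided CertificateFile: " + resource.getDescription(), e);
            }
        }
        return certificates;
    }

    /**
     * Decodes every configured CRL resource.
     *
     * @return the decoded CRLs, empty when no CRL resources were configured
     * @throws FatalBeanException if a resource cannot be read or does not decode as CRLs
     */
    @Unmodifiable
    @Nonnull
    @NotLive
    protected List<X509CRL> getCRLs() {
        // Work on a local copy of the reference so the null check and the loop see the same list.
        final List<Resource> resources = this.crlResources;
        if (resources == null) {
            return CollectionSupport.emptyList();
        }
        final List<X509CRL> crls = new ArrayList<>(resources.size());
        for (final Resource resource : resources) {
            // Closed on every path; an unreadable CRL is fatal rather than ignored, so revocation data
            // is never silently incomplete.
            try (InputStream inputStream = resource.getInputStream()) {
                crls.addAll(X509Support.decodeCRLs(inputStream));
            } catch (IOException | CRLException e) {
                this.log.error("Could not decode CRL file at {}: {}", resource.getDescription(), e.getMessage());
                throw new FatalBeanException("Could not decode provided CRL file " + resource.getDescription(), e);
            }
        }
        return crls;
    }

    /**
     * Builds the trust engine from the configured certificates, CRLs, depth, names and evaluators.
     *
     * <p>The name evaluator is the explicitly configured one if present; otherwise a
     * {@link BasicX509CredentialNameEvaluator} when name checking is enabled, and {@code null} when it
     * is disabled. The configuration is validated before the engine is returned.</p>
     *
     * @return the configured trust engine
     * @throws Exception if trust material cannot be decoded or the configuration is rejected
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Nonnull
    /* renamed from: doCreateInstance, reason: merged with bridge method [inline-methods] */
    public PKIXX509CredentialTrustEngine m17doCreateInstance() throws Exception {
        final BasicPKIXValidationInformation validationInfo =
                new BasicPKIXValidationInformation(getCertificates(), getCRLs(), this.verifyDepth);
        final StaticPKIXValidationInformationResolver resolver = new StaticPKIXValidationInformationResolver(
                CollectionSupport.singletonList(validationInfo), this.trustedNames, this.checkNames);

        final PKIXTrustEvaluator evaluator =
                this.trustEvaluator != null ? this.trustEvaluator : new CertPathPKIXTrustEvaluator();

        final X509CredentialNameEvaluator nameEvaluator;
        if (this.credentialNameEvaluator != null) {
            nameEvaluator = this.credentialNameEvaluator;
        } else if (this.checkNames) {
            nameEvaluator = new BasicX509CredentialNameEvaluator();
        } else {
            nameEvaluator = null;
        }

        validateConfiguration(evaluator);
        return new PKIXX509CredentialTrustEngine(resolver, evaluator, nameEvaluator);
    }

    /**
     * Rejects a configuration that forces revocation checking without any source of revocation data.
     *
     * <p>The check applies only to a {@link CertPathPKIXTrustEvaluator} whose options are
     * {@link CertPathPKIXValidationOptions}. When revocation is both enabled and force-enabled, at
     * least one of the following must hold: static CRLs were supplied, the
     * {@code com.sun.security.enableCRLDP} system property is {@code true}, or the {@code ocsp.enable}
     * security property is {@code true}.</p>
     *
     * @param pKIXTrustEvaluator the evaluator the engine will use
     * @throws FatalBeanException if forced revocation checking has no revocation source
     * @throws Exception declared for subclasses that add further validation
     */
    protected void validateConfiguration(@Nonnull PKIXTrustEvaluator pKIXTrustEvaluator) throws Exception {
        if (!(pKIXTrustEvaluator instanceof CertPathPKIXTrustEvaluator)) {
            return;
        }
        final Object options = pKIXTrustEvaluator.getPKIXValidationOptions();
        if (!(options instanceof CertPathPKIXValidationOptions)) {
            return;
        }
        final CertPathPKIXValidationOptions certPathOptions = (CertPathPKIXValidationOptions) options;
        if (!certPathOptions.isForceRevocationEnabled() || !certPathOptions.isRevocationEnabled()) {
            return;
        }

        final boolean crldpEnabled = Boolean.getBoolean("com.sun.security.enableCRLDP");
        // The JDK security property is spelled "ocsp.enable". The previous lookup used "oscp.enable",
        // which the JDK never reads, so an OCSP-only deployment was always reported as having OCSP
        // disabled and failed this check.
        final boolean ocspEnabled =
                "true".equalsIgnoreCase(StringSupport.trimOrNull(Security.getProperty("ocsp.enable")));

        if (getCRLs().isEmpty() && !crldpEnabled && !ocspEnabled) {
            final String message = "Certificate revocation checking was force enabled, but no static CRLs were supplied and both CRLDP and OCSP processing is disabled";
            this.log.error(message);
            throw new FatalBeanException(message);
        }
    }
}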
