package org.springframework.security.saml.trust;

import java.security.GeneralSecurityException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.x509.PKIXValidationInformation;
import org.opensaml.xml.security.x509.PKIXValidationOptions;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.security.x509.X509Util;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.3.RELEASE.jar:org/springframework/security/saml/trust/CertPathPKIXTrustEvaluator.class */
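/**
 * PKIX trust evaluator that builds a certification path for an untrusted credential with a
 * JCA {@link CertPathBuilder} and, unless disabled via {@link #setValidateCertPath(boolean)},
 * re-validates the built path with a {@link CertPathValidator}.
 * <p>
 * The {@link PKIXBuilderParameters} (trust anchors, revocation settings, target constraints)
 * come from the superclass's {@code getPKIXBuilderParameters}; this class only decides which
 * JCA provider is used and whether the explicit validation pass runs.
 * <p>
 * Outcome mapping of {@link #validate}: a path that cannot be built yields {@code false};
 * every other PKIX failure (unknown provider, invalid parameters, and a built path that fails
 * the explicit {@link CertPathValidator} pass) is reported as a {@link SecurityException}.
 * <p>
 * The setters are not synchronized; configure the instance before sharing it between threads.
 */
public class CertPathPKIXTrustEvaluator extends org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator {

    /** JCA algorithm name requested from {@link CertPathBuilder} and {@link CertPathValidator}. */
    private static final String PKIX_ALGORITHM = "PKIX";

    /** Class logger (previously attributed to MetadataCredentialResolver by mistake). */
    private final Logger log = LoggerFactory.getLogger(CertPathPKIXTrustEvaluator.class);

    /** JCA provider name used for the PKIX builder/validator; {@code null} selects the default provider. */
    private String securityProvider = null;

    /** Whether the built path is additionally run through {@link CertPathValidator}. */
    private boolean validateCertPath = true;

    /** Creates an evaluator with the superclass's default {@link PKIXValidationOptions}. */
    public CertPathPKIXTrustEvaluator() {
        super();
    }

    /**
     * Creates an evaluator with explicit validation options.
     *
     * @param options PKIX validation options handed to the superclass
     */
    public CertPathPKIXTrustEvaluator(PKIXValidationOptions options) {
        super(options);
    }

    /**
     * Builds (and optionally validates) a PKIX certification path for {@code untrustedCredential}
     * using the trust material described by {@code validationInfo}.
     *
     * @param validationInfo      PKIX trust anchors and related validation information
     * @param untrustedCredential the credential whose entity certificate is the path target
     * @return {@code true} if a path was built (and, when enabled, validated); {@code false} if no
     *         path to a trust anchor could be constructed
     * @throws SecurityException on any PKIX failure other than path construction, including a
     *         configured provider that is not registered and a built path rejected by the
     *         explicit validation pass
     */
    @Override
    public boolean validate(PKIXValidationInformation validationInfo, X509Credential untrustedCredential)
            throws SecurityException {
        if (log.isDebugEnabled()) {
            log.debug("Attempting PKIX path validation on untrusted credential: {}",
                    identifiersToken(untrustedCredential));
        }
        try {
            PKIXBuilderParameters params = getPKIXBuilderParameters(validationInfo, untrustedCredential);
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) newCertPathBuilder().build(params);
            if (log.isDebugEnabled()) {
                logCertPathDebug(result, untrustedCredential.getEntityCertificate());
                log.debug("PKIX validation succeeded for untrusted credential: {}",
                        identifiersToken(untrustedCredential));
            }
            if (validateCertPath) {
                // Re-run the PKIX algorithm on the built path with the same parameters. The JDK's
                // PKIX builder presumably already validates while building; this pass is kept for
                // providers where that is not guaranteed and because callers may rely on it.
                log.trace("Validating certificate path");
                newCertPathValidator().validate(result.getCertPath(), params);
            }
            return true;
        } catch (CertPathBuilderException e) {
            // Failing to reach a trust anchor is the expected outcome for an untrusted credential,
            // so the stack trace is only emitted at trace level; otherwise log the message only.
            if (log.isTraceEnabled()) {
                log.trace("PKIX path construction failed for untrusted credential: "
                        + identifiersToken(untrustedCredential), e);
            } else {
                log.error("PKIX path construction failed for untrusted credential: "
                        + identifiersToken(untrustedCredential) + ": " + e.getMessage());
            }
            return false;
        } catch (GeneralSecurityException e) {
            log.error("PKIX validation failure", e);
            throw new SecurityException("PKIX validation failure", e);
        }
    }

    /**
     * Returns a PKIX {@link CertPathBuilder} from the configured provider, or from the default
     * provider when none is configured.
     *
     * @throws GeneralSecurityException if the algorithm or the configured provider is unavailable
     */
    private CertPathBuilder newCertPathBuilder() throws GeneralSecurityException {
        if (securityProvider == null) {
            log.trace("Building certificate path using default security provider");
            return CertPathBuilder.getInstance(PKIX_ALGORITHM);
        }
        log.trace("Building certificate path using security provider {}", securityProvider);
        return CertPathBuilder.getInstance(PKIX_ALGORITHM, securityProvider);
    }

    /**
     * Returns a PKIX {@link CertPathValidator} from the configured provider, or from the default
     * provider when none is configured.
     *
     * @throws GeneralSecurityException if the algorithm or the configured provider is unavailable
     */
    private CertPathValidator newCertPathValidator() throws GeneralSecurityException {
        if (securityProvider == null) {
            return CertPathValidator.getInstance(PKIX_ALGORITHM);
        }
        return CertPathValidator.getInstance(PKIX_ALGORITHM, securityProvider);
    }

    /** Human-readable identifiers of the credential, formatted with this evaluator's DN handler. */
    private String identifiersToken(X509Credential credential) {
        return X509Util.getIdentifiersToken(credential, getX500DNHandler());
    }

    /**
     * Logs, at debug level, the target certificate, each certificate of the built path and the
     * trust anchor it terminates in.
     *
     * @param result     the builder result holding the path and trust anchor
     * @param targetCert the entity certificate the path was built for
     */
    private void logCertPathDebug(PKIXCertPathBuilderResult result, X509Certificate targetCert) {
        log.debug("Built valid PKIX cert path");
        log.debug("Target certificate: {}", getX500DNHandler().getName(targetCert.getSubjectX500Principal()));
        for (Certificate cert : result.getCertPath().getCertificates()) {
            log.debug("CertPath certificate: {}",
                    getX500DNHandler().getName(((X509Certificate) cert).getSubjectX500Principal()));
        }
        // A TrustAnchor carries either a trusted certificate, or a CA name plus public key.
        TrustAnchor anchor = result.getTrustAnchor();
        if (anchor.getTrustedCert() != null) {
            log.debug("TrustAnchor: {}", getX500DNHandler().getName(anchor.getTrustedCert().getSubjectX500Principal()));
        } else if (anchor.getCA() != null) {
            log.debug("TrustAnchor: {}", getX500DNHandler().getName(anchor.getCA()));
        } else {
            log.debug("TrustAnchor: {}", anchor.getCAName());
        }
    }

    /**
     * Sets the JCA provider name used to obtain the PKIX builder and validator. The provider must
     * be registered in the JVM; otherwise {@link #validate} throws {@link SecurityException}.
     *
     * @param providerName provider name, or {@code null} to use the default provider
     */
    public void setSecurityProvider(String providerName) {
        this.securityProvider = providerName;
    }

    /**
     * Controls whether the built path is additionally checked with {@link CertPathValidator}.
     * When {@code false}, {@link #validate} returns {@code true} as soon as a path to a trust
     * anchor has been built, so any checks performed only by the validator pass are skipped.
     *
     * @param validate {@code true} (the default) to run the explicit validation pass
     */
    public void setValidateCertPath(boolean validate) {
        this.validateCertPath = validate;
    }
}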
