package org.opensaml.xml.signature.impl;

import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:xmltooling-1.4.6.jar:org/opensaml/xml/signature/impl/BaseSignatureTrustEngine.class */
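/**
 * Base class for signature trust engines that verify a signature with credentials resolved from
 * the signature's own KeyInfo and then ask the subclass whether that credential is trusted.
 *
 * <p>Security note: the KeyInfo is carried inside the signature being checked, so a successful
 * cryptographic verification against a KeyInfo-derived credential only shows that the signature
 * matches the key the sender supplied. {@link #validate(Signature, Object)} therefore returns
 * {@code true} only when {@link #evaluateTrust(Credential, Object)} also accepts the credential;
 * the strength of the whole check rests on the subclass's implementation of that method.
 *
 * @param <TrustBasisType> type of the trust basis handed to {@link #evaluateTrust}
 */
public abstract class BaseSignatureTrustEngine<TrustBasisType> implements SignatureTrustEngine {
    private final Logger log = LoggerFactory.getLogger(BaseSignatureTrustEngine.class);

    /** Resolver used to extract candidate credentials from a signature's KeyInfo; never null. */
    private final KeyInfoCredentialResolver keyInfoCredentialResolver;

    /**
     * Creates the engine.
     *
     * @param keyInfoCredentialResolver resolver for KeyInfo-derived credentials
     * @throws IllegalArgumentException if the resolver is null
     */
    public BaseSignatureTrustEngine(KeyInfoCredentialResolver keyInfoCredentialResolver) {
        if (keyInfoCredentialResolver == null) {
            throw new IllegalArgumentException("KeyInfo credential resolver may not be null");
        }
        this.keyInfoCredentialResolver = keyInfoCredentialResolver;
    }

    /**
     * Returns the resolver supplied at construction time.
     *
     * @return the KeyInfo credential resolver
     */
    @Override // org.opensaml.xml.signature.SignatureTrustEngine
    public KeyInfoCredentialResolver getKeyInfoResolver() {
        return this.keyInfoCredentialResolver;
    }

    /**
     * Tries every credential resolved from the signature's KeyInfo: the first one that both
     * verifies the signature and passes {@link #evaluateTrust(Credential, Object)} ends the search.
     *
     * <p>A credential that verifies the signature but is not trusted is skipped, not accepted.
     * When the signature has no KeyInfo, no credential is tried and the result is {@code false}.
     * This method does not null-check {@code signature}; see {@link #checkParams}.
     *
     * <p>The decompiler reports this member was declared {@code protected} in the original class.
     *
     * @param signature the signature to verify; must not be null
     * @param trustBasis trust basis passed through unchanged to {@code evaluateTrust}
     * @return {@code true} only if some KeyInfo-derived credential verified the signature and was
     *         trusted
     * @throws SecurityException propagated from credential resolution or trust evaluation
     */
    public boolean validate(Signature signature, TrustBasisType trustBasis) throws SecurityException {
        this.log.debug("Attempting to verify signature and establish trust using KeyInfo-derived credentials");
        if (signature.getKeyInfo() == null) {
            this.log.debug("Signature contained no KeyInfo element, could not resolve verification credentials");
        } else {
            CriteriaSet keyInfoCriteria = new CriteriaSet(new KeyInfoCriteria(signature.getKeyInfo()));
            for (Credential candidate : getKeyInfoResolver().resolve(keyInfoCriteria)) {
                if (!verifySignature(signature, candidate)) {
                    continue;
                }
                this.log.debug("Successfully verified signature using KeyInfo-derived credential");
                this.log.debug("Attempting to establish trust of KeyInfo-derived credential");
                // Verification alone is not acceptance: the key came from the message itself.
                if (evaluateTrust(candidate, trustBasis)) {
                    this.log.debug("Successfully established trust of KeyInfo-derived credential");
                    return true;
                }
                this.log.debug("Failed to establish trust of KeyInfo-derived credential");
            }
        }
        this.log.debug("Failed to verify signature and/or establish trust using any KeyInfo-derived credentials");
        return false;
    }

    /**
     * Decides whether a credential that has already verified the signature is trusted.
     *
     * <p>This is the only trust decision made in {@link #validate(Signature, Object)}; an
     * implementation that returns {@code true} too readily accepts any sender-supplied key.
     *
     * @param credential the KeyInfo-derived credential that verified the signature
     * @param trustBasis the trust basis to evaluate the credential against
     * @return {@code true} if the credential is trusted
     * @throws SecurityException if trust evaluation cannot be carried out
     */
    protected abstract boolean evaluateTrust(Credential credential, TrustBasisType trustBasis) throws SecurityException;

    /**
     * Runs {@link SignatureValidator} over the signature with the given credential.
     *
     * <p>A {@link ValidationException} is logged at debug level only and reported as {@code false}.
     * NOTE(review): only the checks made by {@code SignatureValidator} are applied here; confirm
     * that any structural or profile validation of the signature happens at the call sites.
     *
     * <p>The decompiler reports this member was declared {@code protected} in the original class.
     *
     * @param signature the signature to verify
     * @param credential the candidate verification credential
     * @return {@code true} if validation completed without a {@code ValidationException}
     */
    public boolean verifySignature(Signature signature, Credential credential) {
        try {
            new SignatureValidator(credential).validate(signature);
            this.log.debug("Signature validation using candidate credential was successful");
            return true;
        } catch (ValidationException e) {
            this.log.debug("Signature validation using candidate validation credential failed", e);
            return false;
        }
    }

    /**
     * Rejects a null signature and a null or empty trust basis criteria set.
     *
     * <p>The decompiler reports this member was declared {@code protected} in the original class.
     *
     * @param signature the signature about to be validated
     * @param trustBasisCriteria criteria describing the trust basis
     * @throws SecurityException if the signature is null or the criteria set is null or empty
     */
    public void checkParams(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException {
        if (signature == null) {
            throw new SecurityException("Signature was null");
        }
        checkTrustBasisCriteria(trustBasisCriteria);
    }

    /**
     * Rejects missing inputs for raw (byte-array) signature validation. Checks run in the order
     * signature bytes, content bytes, algorithm, criteria set; the first failure is reported.
     *
     * <p>The decompiler reports this member was declared {@code protected} in the original class.
     *
     * @param signatureBytes the raw signature value
     * @param contentBytes the content the signature was computed over
     * @param signatureAlgorithm the signature algorithm identifier
     * @param trustBasisCriteria criteria describing the trust basis
     * @throws SecurityException if any argument is null or empty
     */
    public void checkParamsRaw(byte[] signatureBytes, byte[] contentBytes, String signatureAlgorithm,
            CriteriaSet trustBasisCriteria) throws SecurityException {
        if (signatureBytes == null || signatureBytes.length == 0) {
            throw new SecurityException("Signature byte array was null or empty");
        }
        if (contentBytes == null || contentBytes.length == 0) {
            throw new SecurityException("Content byte array was null or empty");
        }
        if (DatatypeHelper.isEmpty(signatureAlgorithm)) {
            throw new SecurityException("Signature algorithm was null or empty");
        }
        checkTrustBasisCriteria(trustBasisCriteria);
    }

    /** Shared guard: a trust decision needs a non-null, non-empty criteria set. */
    private void checkTrustBasisCriteria(CriteriaSet trustBasisCriteria) throws SecurityException {
        if (trustBasisCriteria == null) {
            throw new SecurityException("Trust basis criteria set was null");
        }
        if (trustBasisCriteria.isEmpty()) {
            throw new SecurityException("Trust basis criteria set was empty");
        }
    }
}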
