package org.opensaml.security.httpclient;

import java.util.Collections;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.net.ssl.SSLPeerUnverifiedException;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.protocol.HttpClientContext;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.TrustedNamesCriterion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/opensaml-security-api-3.3.0.jar:org/opensaml/security/httpclient/HttpClientSecuritySupport.class */
/**
 * Static helpers that move TLS trust and credential settings into an
 * {@link HttpClientContext} and that verify, after a request, that the
 * configured trust engine took part in evaluating the server's TLS credential.
 *
 * <p>The class only reads and writes context attributes; the trust evaluation
 * itself happens in a component that is not visible from this file.</p>
 */
public final class HttpClientSecuritySupport {
    /** Class logger. */
    private static final Logger LOG = LoggerFactory.getLogger(HttpClientSecuritySupport.class);

    /** Utility holder, never instantiated. */
    private HttpClientSecuritySupport() {
    }

    /**
     * Populates default trust-engine criteria for an HTTPS request.
     *
     * <p>Nothing is done unless the request URI scheme is {@code https} (case-insensitive)
     * and a trust engine attribute is present in the context. A {@link CriteriaSet} is
     * created and stored in the context when none exists. Criteria the caller already
     * supplied are kept: a {@link UsageCriterion} of {@link UsageType#SIGNING} and a
     * {@link TrustedNamesCriterion} holding the request host are each added only when
     * no criterion of that class is present.</p>
     *
     * @param httpClientContext the context holding the trust engine and criteria attributes
     * @param httpUriRequest the request whose URI supplies the scheme and host
     */
    public static void addDefaultTLSTrustEngineCriteria(@Nonnull HttpClientContext httpClientContext, @Nonnull HttpUriRequest httpUriRequest) {
        if (!"https".equalsIgnoreCase(httpUriRequest.getURI().getScheme())) {
            return;
        }
        if (httpClientContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE) == null) {
            // No trust engine configured, so there is nothing that would consume the criteria.
            return;
        }

        // Unchecked cast: an attribute of any other type under this key fails with ClassCastException.
        CriteriaSet tlsCriteria = (CriteriaSet) httpClientContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_CRITERIA_SET);
        if (tlsCriteria == null) {
            tlsCriteria = new CriteriaSet();
            httpClientContext.setAttribute(HttpClientSecurityConstants.CONTEXT_KEY_CRITERIA_SET, tlsCriteria);
        }

        if (!tlsCriteria.contains(UsageCriterion.class)) {
            tlsCriteria.add(new UsageCriterion(UsageType.SIGNING));
        }

        // A caller-supplied TrustedNamesCriterion wins: the request host is then NOT added,
        // so the names in play are exactly the ones the caller configured.
        // NOTE(review): URI.getHost() can be null; that value is passed on unchanged here —
        // confirm how TrustedNamesCriterion treats it.
        if (!tlsCriteria.contains(TrustedNamesCriterion.class)) {
            tlsCriteria.add(new TrustedNamesCriterion(Collections.singleton(httpUriRequest.getURI().getHost())));
        }
    }

    /**
     * Fails closed when a trust engine was configured for an HTTPS request but no
     * evaluation result was recorded in the context.
     *
     * <p>Only the presence of the
     * {@link HttpClientSecurityConstants#CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED}
     * attribute is tested, not its value.</p>
     *
     * @param httpClientContext the context used for the request
     * @param str the URI scheme of the request, compared case-insensitively with {@code https}
     * @throws SSLPeerUnverifiedException if a trust engine is configured, the scheme is
     *         {@code https}, and the trusted-credential attribute is absent
     */
    public static void checkTLSCredentialEvaluated(@Nonnull HttpClientContext httpClientContext, @Nonnull String str) throws SSLPeerUnverifiedException {
        if (httpClientContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE) == null) {
            return;
        }
        if (!"https".equalsIgnoreCase(str)) {
            return;
        }
        // NOTE(review): any non-null value passes this check; rejecting an untrusted
        // credential is presumably done by whatever sets the attribute — confirm.
        if (httpClientContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED) != null) {
            return;
        }
        LOG.warn("Configured TLS trust engine was not used to verify server TLS credential, the appropriate socket factory was likely not configured");
        throw new SSLPeerUnverifiedException("Evaluation of server TLS credential with configured TrustEngine was not performed");
    }

    /**
     * Copies security parameters into the context without replacing values already present.
     *
     * @param httpClientContext the context to populate
     * @param httpClientSecurityParameters the parameters to copy; {@code null} is a no-op
     */
    public static void marshalSecurityParameters(@Nonnull HttpClientContext httpClientContext, @Nullable HttpClientSecurityParameters httpClientSecurityParameters) {
        marshalSecurityParameters(httpClientContext, httpClientSecurityParameters, false);
    }

    /**
     * Copies security parameters into the context.
     *
     * <p>Null parameter values are skipped. Values already present in the context are
     * kept unless {@code z} is {@code true}. When the parameters object itself is
     * {@code null} the method returns before the context is null-checked.</p>
     *
     * @param httpClientContext the context to populate
     * @param httpClientSecurityParameters the parameters to copy; {@code null} is a no-op
     * @param z when {@code true}, existing context values are replaced
     */
    public static void marshalSecurityParameters(@Nonnull HttpClientContext httpClientContext, @Nullable HttpClientSecurityParameters httpClientSecurityParameters, boolean z) {
        if (httpClientSecurityParameters == null) {
            return;
        }
        Constraint.isNotNull(httpClientContext, "HttpClientContext was null");

        // The credentials provider has a dedicated setter on the context rather than an attribute name.
        if (httpClientSecurityParameters.getCredentialsProvider() != null) {
            final boolean keepExisting = !z && httpClientContext.getCredentialsProvider() != null;
            if (!keepExisting) {
                httpClientContext.setCredentialsProvider(httpClientSecurityParameters.getCredentialsProvider());
            }
        }

        setContextValue(httpClientContext, HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE, httpClientSecurityParameters.getTLSTrustEngine(), z);
        setContextValue(httpClientContext, HttpClientSecurityConstants.CONTEXT_KEY_CRITERIA_SET, httpClientSecurityParameters.getTLSCriteriaSet(), z);
        // Literal attribute names below; presumably constants from another library that
        // were inlined at compile time — confirm against the consuming socket factory.
        setContextValue(httpClientContext, "javasupport.TLSProtocols", httpClientSecurityParameters.getTLSProtocols(), z);
        setContextValue(httpClientContext, "javasupport.TLSCipherSuites", httpClientSecurityParameters.getTLSCipherSuites(), z);
        setContextValue(httpClientContext, "javasupport.HostnameVerifier", httpClientSecurityParameters.getHostnameVerifier(), z);
        setContextValue(httpClientContext, HttpClientSecurityConstants.CONTEXT_KEY_CLIENT_TLS_CREDENTIAL, httpClientSecurityParameters.getClientTLSCredential(), z);
    }

    /**
     * Stores a single attribute in the context.
     *
     * <p>A {@code null} value is ignored, and in that case neither the context nor the
     * attribute name is null-checked. An existing attribute is kept unless {@code z}
     * is {@code true}.</p>
     *
     * @param httpClientContext the context to update
     * @param str the attribute name
     * @param obj the attribute value; {@code null} is a no-op
     * @param z when {@code true}, an existing value is replaced
     */
    public static void setContextValue(@Nonnull HttpClientContext httpClientContext, @Nonnull String str, @Nullable Object obj, boolean z) {
        if (obj == null) {
            return;
        }
        Constraint.isNotNull(httpClientContext, "HttpClientContext was null");
        Constraint.isNotNull(str, "Context attribute name was null");

        // Without the replace flag, a value already in the context takes precedence.
        if (!z && httpClientContext.getAttribute(str) != null) {
            return;
        }
        httpClientContext.setAttribute(str, obj);
    }
}
