package org.opensaml.xmlsec.keyinfo.impl;

import java.security.Key;
import java.security.KeyException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.SecretKey;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver;
import org.opensaml.security.crypto.KeySupport;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCriterion;
import org.opensaml.xmlsec.keyinfo.KeyInfoSupport;
import org.opensaml.xmlsec.signature.DEREncodedKeyValue;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.KeyName;
import org.opensaml.xmlsec.signature.KeyValue;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/opensaml-xmlsec-impl-3.3.0.jar:org/opensaml/xmlsec/keyinfo/impl/BasicProviderKeyInfoCredentialResolver.class */
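/**
 * {@link KeyInfoCredentialResolver} that extracts {@link Credential}s from a {@link KeyInfo} by
 * handing each child element to the registered {@link KeyInfoProvider}s, in list order.
 *
 * <p>Resolution runs in these steps:
 * <ol>
 *   <li>{@code KeyValue} / {@code DEREncodedKeyValue} children are processed first; the first key
 *       they yield is stored in the {@link KeyInfoResolutionContext}.</li>
 *   <li>All remaining children are processed; every credential they produce is returned.</li>
 *   <li>Only if step 2 produced nothing is a credential built from the key found in step 1.</li>
 *   <li>The {@link #postProcess} hook runs, and {@link #postProcessEmptyCredentials} runs if the
 *       result is still empty.</li>
 * </ol>
 *
 * <p><strong>Security note:</strong> nothing in this class evaluates whether a resolved key is
 * trusted. It only turns the content of a {@code KeyInfo} into credential objects. When the
 * {@code KeyInfo} comes from an unauthenticated message its content is chosen by the sender, so
 * callers must establish trust in the returned credentials separately (for example against locally
 * configured keys or trust anchors) before using them to accept a signature.
 *
 * <p>NOTE(review): no synchronization is visible in this class; thread-safety depends on the
 * provider list not being modified after construction — confirm against callers.
 */
public class BasicProviderKeyInfoCredentialResolver extends AbstractCriteriaFilteringCredentialResolver implements KeyInfoCredentialResolver {
    private final Logger log = LoggerFactory.getLogger(BasicProviderKeyInfoCredentialResolver.class);

    /** Providers consulted, in order, for every KeyInfo child element. */
    private final List<KeyInfoProvider> providers = new ArrayList<>();

    /**
     * Creates a resolver backed by the given providers.
     *
     * <p>The elements are copied into an internal list, so later changes to {@code list} itself do
     * not affect this resolver.
     *
     * @param list the providers to consult, in priority order; must not be {@code null}
     */
    public BasicProviderKeyInfoCredentialResolver(@Nonnull List<KeyInfoProvider> list) {
        this.providers.addAll(list);
    }

    /**
     * Returns the providers used by this resolver.
     *
     * <p>This is the live internal list, not a copy: a subclass that modifies it changes which
     * providers every later resolution consults.
     *
     * @return the internal provider list, never {@code null}
     */
    @Nonnull
    protected List<KeyInfoProvider> getProviders() {
        return this.providers;
    }

    /**
     * Resolves credentials from the {@link KeyInfo} carried by the {@link KeyInfoCriterion} in the
     * criteria set.
     *
     * @param criteriaSet criteria for the resolution; must contain a {@link KeyInfoCriterion}
     * @return the resolved credentials, possibly empty
     * @throws ResolverException if {@code criteriaSet} is {@code null} or holds no
     *     {@link KeyInfoCriterion}, or if a provider or hook fails
     */
    @Override
    @Nonnull
    protected Iterable<Credential> resolveFromSource(@Nullable CriteriaSet criteriaSet) throws ResolverException {
        KeyInfoCriterion keyInfoCriterion =
                criteriaSet == null ? null : (KeyInfoCriterion) criteriaSet.get(KeyInfoCriterion.class);
        if (keyInfoCriterion == null) {
            this.log.error("No KeyInfo criteria supplied, resolver could not process");
            throw new ResolverException("Credential criteria set did not contain an instance of KeyInfoCredentialCriteria");
        }

        KeyInfo keyInfo = keyInfoCriterion.getKeyInfo();
        // The same list instance is handed to the context and filled in below.
        List<Credential> credentials = new ArrayList<>();
        KeyInfoResolutionContext resolutionContext = new KeyInfoResolutionContext(credentials);

        if (keyInfo == null) {
            this.log.info("KeyInfo was null, any credentials will be resolved by post-processing hooks only");
        } else {
            processKeyInfo(keyInfo, resolutionContext, criteriaSet, credentials);
        }

        postProcess(resolutionContext, criteriaSet, credentials);
        if (credentials.isEmpty()) {
            this.log.debug("No credentials were found, calling empty credentials post-processing hook");
            postProcessEmptyCredentials(resolutionContext, criteriaSet, credentials);
        }

        this.log.debug("A total of {} credentials were resolved", credentials.size());
        return credentials;
    }

    /**
     * Runs the main extraction for a non-null {@link KeyInfo}: initialises the context, processes
     * the non-KeyValue children and, if they produced nothing, falls back to a credential built
     * from the KeyValue-derived key.
     *
     * @param keyInfo the KeyInfo to process
     * @param keyInfoResolutionContext the context for this resolution
     * @param criteriaSet the criteria passed to the resolver, may be {@code null}
     * @param list the result list that extracted credentials are appended to
     * @throws ResolverException if a provider fails
     */
    private void processKeyInfo(@Nonnull KeyInfo keyInfo, @Nonnull KeyInfoResolutionContext keyInfoResolutionContext, @Nullable CriteriaSet criteriaSet, @Nonnull List<Credential> list) throws ResolverException {
        initResolutionContext(keyInfoResolutionContext, keyInfo, criteriaSet);

        // Capture the key and a copy of the key names before the child providers run.
        Key keyValueKey = keyInfoResolutionContext.getKey();
        Set<String> keyNames = new HashSet<>(keyInfoResolutionContext.getKeyNames());

        processKeyInfoChildren(keyInfoResolutionContext, criteriaSet, list);

        // The KeyValue-derived credential is a fallback only: skip it when any provider
        // already produced a credential or when no KeyValue key was found.
        if (!list.isEmpty() || keyValueKey == null) {
            return;
        }
        Credential keyValueCredential = buildBasicCredential(keyValueKey, keyNames);
        if (keyValueCredential == null) {
            return;
        }
        this.log.debug("No credentials were extracted by registered non-KeyValue handling providers, adding KeyValue credential to returned credential set");
        list.add(keyValueCredential);
    }

    /**
     * Hook invoked after KeyInfo processing, whether or not any credential was found. This
     * implementation does nothing; subclasses may add to or alter {@code list}.
     *
     * @param keyInfoResolutionContext the context for this resolution
     * @param criteriaSet the criteria passed to the resolver, may be {@code null}
     * @param list the credentials resolved so far
     * @throws ResolverException declared for overriding implementations
     */
    protected void postProcess(@Nonnull KeyInfoResolutionContext keyInfoResolutionContext, @Nullable CriteriaSet criteriaSet, @Nonnull List<Credential> list) throws ResolverException {
    }

    /**
     * Hook invoked only when {@code list} is still empty after {@link #postProcess}. This
     * implementation does nothing; subclasses may supply credentials here.
     *
     * @param keyInfoResolutionContext the context for this resolution
     * @param criteriaSet the criteria passed to the resolver, may be {@code null}
     * @param list the (empty) credential list to populate
     * @throws ResolverException declared for overriding implementations
     */
    protected void postProcessEmptyCredentials(@Nonnull KeyInfoResolutionContext keyInfoResolutionContext, @Nullable CriteriaSet criteriaSet, @Nonnull List<Credential> list) throws ResolverException {
    }

    /**
     * Processes every KeyInfo child that is neither a {@link KeyValue} nor a
     * {@link DEREncodedKeyValue} and appends the credentials the providers extract.
     *
     * @param keyInfoResolutionContext the context holding the KeyInfo being processed
     * @param criteriaSet the criteria passed to the resolver, may be {@code null}
     * @param list the result list that extracted credentials are appended to
     * @throws ResolverException if a provider fails
     */
    protected void processKeyInfoChildren(@Nonnull KeyInfoResolutionContext keyInfoResolutionContext, @Nullable CriteriaSet criteriaSet, @Nonnull List<Credential> list) throws ResolverException {
        for (XMLObject child : keyInfoResolutionContext.getKeyInfo().getXMLObjects()) {
            // KeyValue-type children are handled separately by initResolutionContext.
            if (child instanceof KeyValue || child instanceof DEREncodedKeyValue) {
                continue;
            }

            this.log.debug("Processing KeyInfo child with QName: {}", child.getElementQName());
            Collection<Credential> extracted = processKeyInfoChild(keyInfoResolutionContext, criteriaSet, child);
            if (extracted != null && !extracted.isEmpty()) {
                list.addAll(extracted);
            } else if (child instanceof KeyName) {
                // A KeyName on its own yielding nothing is logged at debug, not warn.
                // The logged value comes straight from the parsed KeyInfo.
                // NOTE(review): confirm the log layout neutralises control characters.
                this.log.debug("KeyName {} did not independently produce a credential based on any registered providers", ((KeyName) child).getValue());
            } else {
                this.log.warn("No credentials could be extracted from KeyInfo child with QName {} by any registered provider", child.getElementQName());
            }
        }
    }

    /**
     * Offers one KeyInfo child to the providers in order and returns the first non-empty result.
     *
     * <p>A provider that handles the element but returns {@code null} or an empty collection does
     * not end the search; the next provider is tried.
     *
     * @param keyInfoResolutionContext the context for this resolution
     * @param criteriaSet the criteria passed to the resolver, may be {@code null}
     * @param xMLObject the KeyInfo child element to process
     * @return the credentials from the first provider that produced any, or {@code null} if none did
     * @throws ResolverException if a provider throws {@code org.opensaml.security.SecurityException}
     */
    @Nullable
    protected Collection<Credential> processKeyInfoChild(@Nonnull KeyInfoResolutionContext keyInfoResolutionContext, @Nullable CriteriaSet criteriaSet, @Nonnull XMLObject xMLObject) throws ResolverException {
        for (KeyInfoProvider provider : getProviders()) {
            if (!provider.handles(xMLObject)) {
                this.log.debug("Provider {} doesn't handle objects of type {}, skipping", provider.getClass().getName(), xMLObject.getElementQName());
                continue;
            }

            this.log.debug("Processing KeyInfo child {} with provider {}", xMLObject.getElementQName(), provider.getClass().getName());
            try {
                Collection<Credential> extracted = provider.process(this, xMLObject, criteriaSet, keyInfoResolutionContext);
                if (extracted != null && !extracted.isEmpty()) {
                    this.log.debug("Credentials successfully extracted from child {} by provider {}", xMLObject.getElementQName(), provider.getClass().getName());
                    return extracted;
                }
            } catch (SecurityException e) {
                // This is the imported org.opensaml.security.SecurityException,
                // not java.lang.SecurityException.
                throw new ResolverException("Error processing KeyInfo child element", e);
            }
        }
        return null;
    }

    /**
     * Prepares the resolution context: stores the KeyInfo, collects its key names and resolves a
     * key from its {@code KeyValue} elements, then from its {@code DEREncodedKeyValue} elements.
     *
     * @param keyInfoResolutionContext the context to initialise
     * @param keyInfo the KeyInfo being processed
     * @param criteriaSet the criteria passed to the resolver, may be {@code null}
     * @throws ResolverException if a provider fails while resolving a key value
     */
    protected void initResolutionContext(@Nonnull KeyInfoResolutionContext keyInfoResolutionContext, @Nonnull KeyInfo keyInfo, @Nullable CriteriaSet criteriaSet) throws ResolverException {
        keyInfoResolutionContext.setKeyInfo(keyInfo);
        keyInfoResolutionContext.getKeyNames().addAll(KeyInfoSupport.getKeyNames(keyInfo));
        this.log.debug("Found {} key names: {}", keyInfoResolutionContext.getKeyNames().size(), keyInfoResolutionContext.getKeyNames());

        // Each call returns as soon as it finds a usable key. The second call still runs after
        // the first succeeded, so a key from a DEREncodedKeyValue replaces one set from a KeyValue.
        resolveKeyValue(keyInfoResolutionContext, criteriaSet, keyInfo.getKeyValues());
        resolveKeyValue(keyInfoResolutionContext, criteriaSet, keyInfo.getDEREncodedKeyValues());
    }

    /**
     * Finds the first key obtainable from the given {@link KeyValue} / {@link DEREncodedKeyValue}
     * elements and stores it in the context. Elements of any other type are ignored, and
     * processing stops at the first key found.
     *
     * @param keyInfoResolutionContext the context that receives the key
     * @param criteriaSet the criteria passed to the resolver, may be {@code null}
     * @param list the candidate key value elements
     * @throws ResolverException if a provider fails
     */
    protected void resolveKeyValue(@Nonnull KeyInfoResolutionContext keyInfoResolutionContext, @Nullable CriteriaSet criteriaSet, @Nonnull List<? extends XMLObject> list) throws ResolverException {
        for (XMLObject candidate : list) {
            if (!(candidate instanceof KeyValue) && !(candidate instanceof DEREncodedKeyValue)) {
                continue;
            }
            Collection<Credential> extracted = processKeyInfoChild(keyInfoResolutionContext, criteriaSet, candidate);
            if (extracted == null) {
                continue;
            }
            for (Credential credential : extracted) {
                Key key = extractKeyValue(credential);
                if (key != null) {
                    keyInfoResolutionContext.setKey(key);
                    this.log.debug("Found a credential based on a KeyValue/DEREncodedKeyValue having key type: {}", key.getAlgorithm());
                    return;
                }
            }
        }
    }

    /**
     * Builds a {@link BasicCredential} around the given key and attaches the given key names.
     *
     * <p>For a {@link PrivateKey} the matching public key is derived via
     * {@link KeySupport#derivePublicKey}; if derivation fails the failure is logged and
     * {@code null} is returned rather than an exception being thrown.
     *
     * @param key the key to wrap, may be {@code null}
     * @param set the key names to add to the credential
     * @return the new credential, or {@code null} if {@code key} is {@code null}, of an
     *     unsupported type, or a private key whose public key could not be derived
     * @throws ResolverException declared for overriding implementations; not thrown here
     */
    @Nullable
    protected Credential buildBasicCredential(@Nullable Key key, @Nonnull Set<String> set) throws ResolverException {
        if (key == null) {
            this.log.debug("Key supplied was null, could not build credential");
            return null;
        }

        BasicCredential credential = null;
        if (key instanceof PublicKey) {
            credential = new BasicCredential((PublicKey) key);
        } else if (key instanceof SecretKey) {
            credential = new BasicCredential((SecretKey) key);
        } else if (key instanceof PrivateKey) {
            PrivateKey privateKey = (PrivateKey) key;
            try {
                PublicKey derivedPublicKey = KeySupport.derivePublicKey(privateKey);
                if (derivedPublicKey == null) {
                    this.log.error("Failed to derive public key from private key");
                } else {
                    credential = new BasicCredential(derivedPublicKey, privateKey);
                }
            } catch (KeyException e) {
                this.log.error("Could not derive public key from private key", e);
            }
        } else {
            this.log.error("Key was of an unsupported type '{}'", key.getClass().getName());
        }

        if (credential != null) {
            credential.getKeyNames().addAll(set);
        }
        return credential;
    }

    /**
     * Returns the key held by a credential, preferring the public key, then the secret key, then
     * the private key.
     *
     * @param credential the credential to inspect, may be {@code null}
     * @return the first non-null key in that order, or {@code null} if the credential is
     *     {@code null} or holds no key
     */
    @Nullable
    protected Key extractKeyValue(@Nullable Credential credential) {
        if (credential == null) {
            return null;
        }
        if (credential.getPublicKey() != null) {
            return credential.getPublicKey();
        }
        if (credential.getSecretKey() != null) {
            return credential.getSecretKey();
        }
        if (credential.getPrivateKey() != null) {
            return credential.getPrivateKey();
        }
        return null;
    }
}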
