package net.shibboleth.idp.saml.security;

import com.google.common.base.Predicates;
import com.google.common.collect.Collections2;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.saml.xmlobject.KeyAuthority;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.security.SecurityException;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.xmlsec.keyinfo.KeyInfoSupport;
import org.opensaml.xmlsec.signature.KeyInfo;

/* loaded from: input_file:BOOT-INF/lib/idp-saml-api-3.3.2.jar:net/shibboleth/idp/saml/security/KeyAuthoritySupport.class */
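/**
 * Static helpers that turn a {@link KeyAuthority} element into the
 * {@link PKIXValidationInformation} (trust anchors, CRLs and verification depth)
 * consumed by PKIX trust evaluation.
 *
 * <p>NOTE(review): nothing in this class checks where the {@link KeyAuthority} came from.
 * The certificates it carries become trust anchors as-is, so the caller presumably has to
 * make sure the enclosing document was authenticated first; confirm at the call sites.</p>
 */
public final class KeyAuthoritySupport {
    /** Verification depth applied when the {@link KeyAuthority} does not specify one. */
    public static final int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT = 1;

    /* loaded from: input_file:BOOT-INF/lib/idp-saml-api-3.3.2.jar:net/shibboleth/idp/saml/security/KeyAuthoritySupport$KeyAuthorityPKIXValidationInformation.class */
    /**
     * Basic {@link PKIXValidationInformation} holder for the material extracted from a
     * {@link KeyAuthority}.
     *
     * <p>The fields are final, but the collections handed out by the getters are the
     * internal {@link ArrayList} instances, not copies, so a caller that mutates them
     * changes the trust anchors or CRLs seen by every other holder of this object.</p>
     */
    public static class KeyAuthorityPKIXValidationInformation implements PKIXValidationInformation {

        /** Certificates used as trust anchors; {@code null} when none were supplied. */
        @NonnullElements
        @Nullable
        private final Collection<X509Certificate> trustAnchors;

        /** CRLs accompanying the trust anchors; {@code null} when none were supplied. */
        @NonnullElements
        @Nullable
        private final Collection<X509CRL> trustedCRLs;

        /** Verification depth reported to the PKIX consumer. */
        @Nonnull
        private final Integer verificationDepth;

        /**
         * Creates the holder, copying each non-null input collection into a new list
         * with its {@code null} elements dropped.
         *
         * @param collection the trust anchor certificates, or {@code null}
         * @param collection2 the CRLs, or {@code null}
         * @param num the verification depth; rejected by {@link Constraint#isNotNull} when {@code null}
         */
        public KeyAuthorityPKIXValidationInformation(@Nullable Collection<X509Certificate> collection, @Nullable Collection<X509CRL> collection2, @Nonnull Integer num) {
            // Only nullness is checked here; the numeric value of the depth is stored unvalidated.
            this.verificationDepth = Constraint.isNotNull(num, "Verification depth cannot be null");
            // Copy-on-input: later changes to the caller's collections do not affect this object.
            if (collection != null) {
                this.trustAnchors = new ArrayList<>(Collections2.filter(collection, Predicates.<X509Certificate>notNull()));
            } else {
                this.trustAnchors = null;
            }
            if (collection2 != null) {
                this.trustedCRLs = new ArrayList<>(Collections2.filter(collection2, Predicates.<X509CRL>notNull()));
            } else {
                this.trustedCRLs = null;
            }
        }

        /**
         * Returns the CRLs held by this object.
         *
         * @return the internal CRL list (not a copy), or {@code null}
         */
        @Override // org.opensaml.security.x509.PKIXValidationInformation
        @Nullable
        public Collection<X509CRL> getCRLs() {
            return this.trustedCRLs;
        }

        /**
         * Returns the trust anchor certificates held by this object.
         *
         * @return the internal certificate list (not a copy), or {@code null}
         */
        @Override // org.opensaml.security.x509.PKIXValidationInformation
        @Nullable
        public Collection<X509Certificate> getCertificates() {
            return this.trustAnchors;
        }

        /**
         * Returns the verification depth.
         *
         * @return the depth given at construction, never {@code null}
         */
        @Override // org.opensaml.security.x509.PKIXValidationInformation
        @Nonnull
        public Integer getVerificationDepth() {
            return this.verificationDepth;
        }
    }

    /** Utility class; not instantiable. */
    private KeyAuthoritySupport() {
    }

    /**
     * Extracts the certificates, CRLs and verification depth from a {@link KeyAuthority}.
     *
     * @param keyAuthority the element to read, may be {@code null}
     * @return the extracted information, or {@code null} when {@code keyAuthority} is
     *         {@code null}, has no {@link KeyInfo} children, or yields neither a
     *         certificate nor a CRL
     * @throws SecurityException if a certificate or CRL in a {@link KeyInfo} cannot be decoded
     */
    @Nullable
    public static PKIXValidationInformation extractPKIXValidationInfo(@Nullable KeyAuthority keyAuthority) throws SecurityException {
        if (keyAuthority == null) {
            return null;
        }

        // NOTE(review): the depth is passed through without a range check, so a negative
        // or very large value reaches the PKIX consumer unchanged; confirm it is bounded there.
        Integer verifyDepth = keyAuthority.getVerifyDepth();
        if (verifyDepth == null) {
            verifyDepth = KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT;
        }

        final List<KeyInfo> keyInfos = keyAuthority.getKeyInfos();
        if (keyInfos == null || keyInfos.isEmpty()) {
            return null;
        }

        final List<X509Certificate> certificates = new ArrayList<>();
        final List<X509CRL> crls = new ArrayList<>();
        for (final KeyInfo keyInfo : keyInfos) {
            // A single undecodable entry aborts the whole extraction rather than being skipped.
            certificates.addAll(getX509Certificates(keyInfo));
            crls.addAll(getX509CRLs(keyInfo));
        }

        // Returning null (instead of an empty holder) signals "no usable PKIX material".
        if (certificates.isEmpty() && crls.isEmpty()) {
            return null;
        }
        return new KeyAuthorityPKIXValidationInformation(certificates, crls, verifyDepth);
    }

    /**
     * Reads the certificates out of one {@link KeyInfo}.
     *
     * @param keyInfo the element to read
     * @return the certificates returned by {@link KeyInfoSupport#getCertificates(KeyInfo)}
     * @throws SecurityException wrapping the {@link CertificateException} raised on a decoding failure
     */
    private static Collection<X509Certificate> getX509Certificates(KeyInfo keyInfo) throws SecurityException {
        try {
            return KeyInfoSupport.getCertificates(keyInfo);
        } catch (CertificateException e) {
            throw new SecurityException("Error extracting certificates from KeyAuthority KeyInfo", e);
        }
    }

    /**
     * Reads the CRLs out of one {@link KeyInfo}.
     *
     * @param keyInfo the element to read
     * @return the CRLs returned by {@link KeyInfoSupport#getCRLs(KeyInfo)}
     * @throws SecurityException wrapping the {@link CRLException} raised on a decoding failure
     */
    private static Collection<X509CRL> getX509CRLs(KeyInfo keyInfo) throws SecurityException {
        try {
            return KeyInfoSupport.getCRLs(keyInfo);
        } catch (CRLException e) {
            throw new SecurityException("Error extracting CRL's from KeyAuthority KeyInfo", e);
        }
    }
}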
