package org.opensaml.xml.security.x509;

import java.util.Iterator;
import java.util.Set;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/rampart-core-1.6.1-wso2v42.jar:xmltooling-1.4.6.jar:org/opensaml/xml/security/x509/PKIXX509CredentialTrustEngine.class
  input_file:WEB-INF/lib/xmltooling-1.3.1.jar:org/opensaml/xml/security/x509/PKIXX509CredentialTrustEngine.class
 */
/* loaded from: input_file:WEB-INF/lib/org.apache.rampart.wso2-rampart-trust-1.6.1-wso2v42.jar:xmltooling-1.4.6.jar:org/opensaml/xml/security/x509/PKIXX509CredentialTrustEngine.class */
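/**
 * Trust engine that decides whether an {@link X509Credential} is trusted by combining two checks:
 * an optional trusted-name evaluation and PKIX validation against resolved validation information.
 *
 * <p>The name check is skipped (treated as passed) when no {@link X509CredentialNameEvaluator} is
 * configured or when the resolver supplies no trusted names. In those configurations trust rests on
 * PKIX validation alone, so a deployment that relies on binding a certificate to an expected name
 * needs both a non-null name evaluator and a resolver that supports trusted-name resolution.</p>
 */
public class PKIXX509CredentialTrustEngine implements PKIXTrustEngine<X509Credential> {
    private final Logger log = LoggerFactory.getLogger(PKIXX509CredentialTrustEngine.class);

    // Source of the PKIX validation information and, when supported, the trusted names.
    private final PKIXValidationInformationResolver pkixResolver;

    // Performs the PKIX evaluation of a credential against one set of validation information.
    private final PKIXTrustEvaluator pkixTrustEvaluator;

    // May be null, in which case checkNames() skips trusted-name evaluation entirely.
    private final X509CredentialNameEvaluator credNameEvaluator;

    /**
     * Creates an engine that uses a {@link CertPathPKIXTrustEvaluator} and a
     * {@link BasicX509CredentialNameEvaluator}.
     *
     * @param pKIXValidationInformationResolver resolver of PKIX validation information, never null
     * @throws IllegalArgumentException if the resolver is null
     */
    public PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver pKIXValidationInformationResolver) {
        if (pKIXValidationInformationResolver == null) {
            throw new IllegalArgumentException("PKIX trust information resolver may not be null");
        }
        this.pkixResolver = pKIXValidationInformationResolver;
        this.pkixTrustEvaluator = new CertPathPKIXTrustEvaluator();
        this.credNameEvaluator = new BasicX509CredentialNameEvaluator();
    }

    /**
     * Creates an engine with caller-supplied evaluators.
     *
     * @param pKIXValidationInformationResolver resolver of PKIX validation information, never null
     * @param pKIXTrustEvaluator evaluator used for PKIX validation, never null
     * @param x509CredentialNameEvaluator evaluator used for the trusted-name check; null is accepted
     *     and disables the name check, leaving PKIX validation as the only gate
     * @throws IllegalArgumentException if the resolver or the trust evaluator is null
     */
    public PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver pKIXValidationInformationResolver, PKIXTrustEvaluator pKIXTrustEvaluator, X509CredentialNameEvaluator x509CredentialNameEvaluator) {
        if (pKIXValidationInformationResolver == null) {
            throw new IllegalArgumentException("PKIX trust information resolver may not be null");
        }
        if (pKIXTrustEvaluator == null) {
            throw new IllegalArgumentException("PKIX trust evaluator may not be null");
        }
        this.pkixResolver = pKIXValidationInformationResolver;
        this.pkixTrustEvaluator = pKIXTrustEvaluator;
        this.credNameEvaluator = x509CredentialNameEvaluator;
    }

    /**
     * Returns the resolver given at construction.
     *
     * @return the PKIX validation information resolver
     */
    @Override // org.opensaml.xml.security.x509.PKIXTrustEngine
    public PKIXValidationInformationResolver getPKIXResolver() {
        return this.pkixResolver;
    }

    /**
     * Returns the evaluator used for PKIX validation.
     *
     * @return the PKIX trust evaluator
     */
    public PKIXTrustEvaluator getPKIXTrustEvaluator() {
        return this.pkixTrustEvaluator;
    }

    /**
     * Returns the evaluator used for the trusted-name check.
     *
     * @return the credential name evaluator, or null if name checking is disabled
     */
    public X509CredentialNameEvaluator getX509CredentialNameEvaluator() {
        return this.credNameEvaluator;
    }

    /**
     * Validates an untrusted credential against the trusted names and validation information that
     * the resolver returns for the given criteria.
     *
     * @param x509Credential the untrusted credential; a null credential or one without an entity
     *     certificate is rejected
     * @param criteriaSet criteria handed to the resolver
     * @return true if trust was established, false otherwise
     * @throws SecurityException if resolution or the trusted-name evaluation fails
     */
    @Override // org.opensaml.xml.security.trust.TrustEngine
    public boolean validate(X509Credential x509Credential, CriteriaSet criteriaSet) throws SecurityException {
        this.log.debug("Attempting PKIX validation of untrusted credential");
        if (x509Credential == null) {
            this.log.error("X.509 credential was null, unable to perform validation");
            return false;
        }
        if (x509Credential.getEntityCertificate() == null) {
            this.log.error("Untrusted X.509 credential's entity certificate was null, unable to perform validation");
            return false;
        }

        // A null set (as opposed to an empty one) is the signal checkNames() reads as
        // "resolver does not support trusted names", which skips the name check.
        Set<String> trustedNames = null;
        if (this.pkixResolver.supportsTrustedNameResolution()) {
            trustedNames = this.pkixResolver.resolveTrustedNames(criteriaSet);
        } else {
            this.log.debug("PKIX resolver does not support resolution of trusted names, skipping name checking");
        }
        return validate(x509Credential, trustedNames, this.pkixResolver.resolve(criteriaSet));
    }

    /**
     * Runs the trusted-name check and then tries each set of validation information in turn,
     * succeeding on the first one that validates the credential.
     *
     * @param x509Credential the untrusted credential
     * @param set the trusted names, or null if the resolver does not support them
     * @param iterable the sets of PKIX validation information to try
     * @return true if the name check passed and at least one set validated the credential
     * @throws SecurityException if the trusted-name evaluation fails
     */
    protected boolean validate(X509Credential x509Credential, Set<String> set, Iterable<PKIXValidationInformation> iterable) throws SecurityException {
        this.log.debug("Beginning PKIX validation using trusted validation information");
        if (!checkNames(set, x509Credential)) {
            this.log.debug("Evaluation of credential against trusted names failed. Aborting PKIX validation");
            return false;
        }
        for (PKIXValidationInformation validationInfo : iterable) {
            // The evaluator call belongs inside the try: the decompiled form left the try body
            // empty, so an evaluator error on one set escaped instead of letting the remaining
            // sets be tried. An error never counts as success; the loop only moves on.
            try {
                if (this.pkixTrustEvaluator.validate(validationInfo, x509Credential)) {
                    this.log.debug("Credential trust established via PKIX validation");
                    return true;
                }
            } catch (SecurityException e) {
                // NOTE(review): evaluator failures are recorded at debug level only, so they are
                // not visible unless debug logging is enabled for this class.
                this.log.debug("Error performing PKIX validation on untrusted credential", e);
            }
        }
        this.log.debug("Trust of untrusted credential could not be established via PKIX validation");
        return false;
    }

    /**
     * Evaluates the credential against the trusted names, when that check is possible.
     *
     * <p>Both skip conditions below return true, so a skipped name check is indistinguishable from
     * a passed one for the caller.</p>
     *
     * @param set the trusted names, or null if the resolver does not support them
     * @param x509Credential the untrusted credential
     * @return the evaluator's result, or true when no evaluator is configured or {@code set} is null
     * @throws SecurityException if the name evaluator fails
     */
    protected boolean checkNames(Set<String> set, X509Credential x509Credential) throws SecurityException {
        if (this.credNameEvaluator == null) {
            this.log.debug("No credential name evaluator was available, skipping trusted name evaluation");
            return true;
        }
        if (set == null) {
            this.log.debug("Trusted names was null, signalling PKIX resolver does not support trusted names resolution, skipping trusted name evaluation");
            return true;
        }
        // How an empty (non-null) set is treated is decided by the evaluator, not here.
        return this.credNameEvaluator.evaluate(x509Credential, set);
    }
}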
