package org.opensaml.xml.signature.impl;

import java.util.Iterator;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.SigningUtil;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.CredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.KeyAlgorithmCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator;
import org.opensaml.xml.security.trust.TrustedCredentialTrustEngine;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/opensaml-2.6.6.wso2v3.jar:org/opensaml/xml/signature/impl/ExplicitKeySignatureTrustEngine.class
 */
/* loaded from: input_file:WEB-INF/lib/xmltooling-1.3.1.jar:org/opensaml/xml/signature/impl/ExplicitKeySignatureTrustEngine.class */
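/**
 * Signature trust engine that accepts a signature only when it can be tied to an explicitly trusted
 * key, i.e. one of the credentials returned by the configured {@link CredentialResolver}.
 *
 * <p>Both {@code validate} overloads build the resolver criteria from the caller's trust-basis
 * criteria, resolve the trusted credentials, try the candidate path first (KeyInfo-derived or
 * caller-supplied credential), and then fall back to verifying the signature directly with each
 * trusted credential.
 *
 * <p>NOTE(review): this class only shows cryptographic verification and key-trust evaluation. Nothing
 * visible here checks which element the signature covers or restricts the accepted algorithm URIs, so
 * callers presumably have to validate the signature's structure and any algorithm policy before
 * relying on a {@code true} result; confirm against the base class and the calling code.
 *
 * <p>NOTE(review): the decompiler header above reports a class of the same name in
 * {@code opensaml-2.6.6.wso2v3.jar} in addition to {@code xmltooling-1.3.1.jar}. Which copy is loaded
 * depends on class-loader order, so the deployment should be checked for the duplicate.
 */
public class ExplicitKeySignatureTrustEngine extends BaseSignatureTrustEngine<Iterable<Credential>> implements TrustedCredentialTrustEngine<Signature> {
    private final Logger log = LoggerFactory.getLogger(ExplicitKeySignatureTrustEngine.class);

    /** Source of the explicitly trusted credentials; never null after construction. */
    private final CredentialResolver credentialResolver;

    /** Decides whether a candidate credential matches one of the trusted credentials. */
    private final ExplicitKeyTrustEvaluator keyTrust;

    /**
     * Creates the engine.
     *
     * @param credentialResolver resolver that returns the trusted credentials; must not be null
     * @param keyInfoCredentialResolver resolver handed to the base class
     * @throws IllegalArgumentException if {@code credentialResolver} is null
     */
    public ExplicitKeySignatureTrustEngine(CredentialResolver credentialResolver, KeyInfoCredentialResolver keyInfoCredentialResolver) {
        super(keyInfoCredentialResolver);
        if (credentialResolver == null) {
            throw new IllegalArgumentException("Credential resolver may not be null");
        }
        this.credentialResolver = credentialResolver;
        this.keyTrust = new ExplicitKeyTrustEvaluator();
    }

    /**
     * Returns the resolver that supplies the trusted credentials.
     *
     * @return the resolver passed to the constructor
     */
    @Override
    public CredentialResolver getCredentialResolver() {
        return this.credentialResolver;
    }

    /**
     * Validates an XML signature against the trusted credentials.
     *
     * @param signature the signature to validate
     * @param criteriaSet trust-basis criteria used to resolve the trusted credentials
     * @return {@code true} if the inherited candidate path succeeds or any trusted credential verifies
     *         the signature directly, otherwise {@code false}
     * @throws SecurityException propagated from parameter checks, credential resolution or verification
     */
    @Override
    public boolean validate(Signature signature, CriteriaSet criteriaSet) throws SecurityException {
        checkParams(signature, criteriaSet);
        Iterable<Credential> trustedCredentials =
                resolveTrustedCredentials(criteriaSet, signature.getSignatureAlgorithm());

        // The decompiled source cast the trust basis to Signature here, which cannot be right: the
        // second argument is the resolved credential set, matching this class's type argument
        // Iterable<Credential>. Passing it uncast selects the inherited (Signature, trust basis) overload.
        if (validate(signature, trustedCredentials)) {
            return true;
        }

        // Fallback: the candidate path did not succeed, so try each trusted key directly.
        this.log.debug("Attempting to verify signature using trusted credentials");
        for (Credential trustedCredential : trustedCredentials) {
            if (verifySignature(signature, trustedCredential)) {
                this.log.debug("Successfully verified signature using resolved trusted credential");
                return true;
            }
        }
        this.log.debug("Failed to verify signature using either KeyInfo-derived or directly trusted credentials");
        return false;
    }

    /**
     * Validates a raw signature over raw content against the trusted credentials.
     *
     * @param bArr first byte array, passed through to {@code SigningUtil.verifyWithURI}
     * @param bArr2 second byte array, passed through to {@code SigningUtil.verifyWithURI}
     * @param str signature algorithm URI
     * @param criteriaSet trust-basis criteria used to resolve the trusted credentials
     * @param credential optional candidate credential; may be null
     * @return {@code true} if the candidate verifies the signature and is trusted, or if any trusted
     *         credential verifies the signature directly, otherwise {@code false}
     * @throws SecurityException propagated from parameter checks, credential resolution or verification
     */
    @Override
    public boolean validate(byte[] bArr, byte[] bArr2, String str, CriteriaSet criteriaSet, Credential credential) throws SecurityException {
        checkParamsRaw(bArr, bArr2, str, criteriaSet);
        Iterable<Credential> trustedCredentials = resolveTrustedCredentials(criteriaSet, str);

        // A candidate that verifies the signature is accepted only if it is also trusted; an
        // untrusted candidate falls through to the direct check below.
        if (credential != null && SigningUtil.verifyWithURI(credential, str, bArr, bArr2)) {
            this.log.debug("Successfully verified signature using supplied candidate credential");
            this.log.debug("Attempting to establish trust of supplied candidate credential");
            if (evaluateTrust(credential, trustedCredentials)) {
                this.log.debug("Successfully established trust of supplied candidate credential");
                return true;
            }
            this.log.debug("Failed to establish trust of supplied candidate credential");
        }

        this.log.debug("Attempting to verify signature using trusted credentials");
        for (Credential trustedCredential : trustedCredentials) {
            if (SigningUtil.verifyWithURI(trustedCredential, str, bArr, bArr2)) {
                this.log.debug("Successfully verified signature using resolved trusted credential");
                return true;
            }
        }
        this.log.debug("Failed to verify signature using either supplied candidate credential or directly trusted credentials");
        return false;
    }

    /**
     * Evaluates whether the candidate credential is trusted with respect to the trusted credentials.
     *
     * <p>NOTE(review): the decompiler reports that the access modifier was changed from
     * {@code protected}; it is left as decompiled here so existing callers are unaffected.
     *
     * @param credential candidate credential
     * @param iterable trusted credentials to evaluate against
     * @return the result of {@code ExplicitKeyTrustEvaluator.validate}
     * @throws SecurityException declared for the override; propagated if evaluation raises it
     */
    @Override
    public boolean evaluateTrust(Credential credential, Iterable<Credential> iterable) throws SecurityException {
        return this.keyTrust.validate(credential, iterable);
    }

    /**
     * Builds the resolver criteria shared by both {@code validate} overloads and resolves the trusted
     * credentials.
     *
     * @param trustBasisCriteria caller-supplied criteria; copied, not modified
     * @param signatureAlgorithmUri algorithm URI used to derive a key-algorithm criterion
     * @return the credentials returned by the configured resolver
     * @throws SecurityException if credential resolution fails
     */
    private Iterable<Credential> resolveTrustedCredentials(CriteriaSet trustBasisCriteria, String signatureAlgorithmUri) throws SecurityException {
        CriteriaSet resolverCriteria = new CriteriaSet();
        resolverCriteria.addAll(trustBasisCriteria);
        // Default to signing keys when the caller expressed no usage preference.
        if (!resolverCriteria.contains(UsageCriteria.class)) {
            resolverCriteria.add(new UsageCriteria(UsageType.SIGNING));
        }
        String keyAlgorithm = SecurityHelper.getKeyAlgorithmFromURI(signatureAlgorithmUri);
        if (!DatatypeHelper.isEmpty(keyAlgorithm)) {
            // The `true` flag presumably replaces a caller-supplied key-algorithm criterion; confirm
            // against CriteriaSet.
            resolverCriteria.add(new KeyAlgorithmCriteria(keyAlgorithm), true);
        }
        return getCredentialResolver().resolve(resolverCriteria);
    }
}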
