package pl.edu.icm.yadda.aas.keystore.impl;

import java.security.Key;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.opensaml.lite.security.AbstractCriteriaFilteringCredentialResolver;
import org.opensaml.lite.security.Credential;
import org.opensaml.lite.security.CredentialResolver;
import org.opensaml.lite.security.CriteriaSet;
import org.opensaml.lite.security.ITrustAware;
import org.opensaml.lite.security.SecurityException;
import org.opensaml.lite.security.SecurityHelper;
import org.opensaml.lite.security.TrustLevel;
import org.opensaml.lite.security.criteria.EntityIDCriteria;
import org.opensaml.lite.security.criteria.KeyAlgorithmCriteria;
import org.opensaml.lite.security.criteria.KeyLengthCriteria;
import org.opensaml.lite.security.criteria.KeyNameCriteria;
import org.opensaml.lite.security.criteria.PublicKeyCriteria;
import org.opensaml.lite.security.criteria.TrustLevelCriteria;
import org.opensaml.lite.security.criteria.UsageCriteria;
import org.opensaml.lite.security.x509.X509CRLEvaluationCriteria;
import org.opensaml.lite.security.x509.X509Credential;
import org.opensaml.lite.security.x509.X509ExpirationDateCriteria;
import org.opensaml.lite.security.x509.X509IssuerSerialCriteria;
import org.opensaml.lite.security.x509.X509OnlyCritieria;
import org.opensaml.lite.security.x509.X509SubjectKeyIdentifierCriteria;
import org.opensaml.lite.security.x509.X509SubjectNameCriteria;
import org.opensaml.lite.security.x509.X509TrustAwareCredential;
import org.opensaml.lite.security.x509.X509Util;
import org.slf4j.Logger;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-common-1.11.7-SNAPSHOT.jar:pl/edu/icm/yadda/aas/keystore/impl/AbstractCredentialResolvableKeystore.class */
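/**
 * Base class for keystore-backed credential resolvers.
 * <p>
 * Subclasses expose the keystore contents as a map keyed by entity id; this class filters that map against a
 * {@link CriteriaSet}. Every criterion present in the set must be satisfied for a credential to be returned
 * (an absent criterion, or one whose value is {@code null}, is treated as satisfied). A criterion that cannot be
 * evaluated for a credential - no entity certificate, undeterminable subject key identifier or key length,
 * failed CRL lookup - is treated as NOT met, so the resolver fails closed rather than handing out a credential
 * whose issuer, validity period, revocation status or key properties were never checked.
 * <p>
 * The only exceptions are {@link X509ExpirationDateCriteria} and {@link X509CRLEvaluationCriteria}, which do not
 * apply to credentials that are not {@link X509Credential}s and therefore let such credentials through.
 */
public abstract class AbstractCredentialResolvableKeystore extends AbstractCriteriaFilteringCredentialResolver implements CredentialResolver {

    /**
     * @return the keystore contents to resolve from, keyed by entity id; must not be {@code null}
     */
    protected abstract Map<String, Credential> getKeyStoreMapToResolve();

    /**
     * @return the logger used for criteria evaluation diagnostics
     */
    protected abstract Logger getLogger();

    /**
     * Resolves the credentials matching every criterion in {@code criteriaSet}.
     * <p>
     * With no criteria, every credential in the keystore is returned. When an {@link EntityIDCriteria} is present
     * the candidate set is narrowed to the credential stored under that id (an unknown id yields an empty result);
     * the remaining criteria are then evaluated against that candidate exactly as they are against the full keystore,
     * so a usage, trust-level or certificate constraint still applies to an entity-id lookup.
     *
     * @param criteriaSet the criteria to filter by; may be {@code null} or empty
     * @return an unmodifiable set of the matching credentials, never {@code null}
     * @throws SecurityException declared by the resolver contract
     * @throws IllegalStateException if the subclass supplies no keystore map
     */
    @Override // org.opensaml.lite.security.AbstractCriteriaFilteringCredentialResolver
    protected Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException {
        Map<String, Credential> source = getKeyStoreMapToResolve();
        if (source == null) {
            throw new IllegalStateException("getKeyStoreMapToResolve() returned null, nothing to resolve from");
        }
        if (criteriaSet == null || criteriaSet.isEmpty()) {
            return Collections.unmodifiableSet(new HashSet<Credential>(source.values()));
        }

        Collection<Credential> candidates = source.values();
        EntityIDCriteria entityIdCriteria = (EntityIDCriteria) criteriaSet.get(EntityIDCriteria.class);
        if (entityIdCriteria != null && entityIdCriteria.getEntityID() != null) {
            Credential byId = source.get(entityIdCriteria.getEntityID());
            if (byId == null) {
                return Collections.<Credential>emptySet();
            }
            // Narrow the candidates but keep filtering: the other criteria must still hold for this credential.
            candidates = Collections.singleton(byId);
        }

        Set<Credential> matched = new HashSet<Credential>();
        for (Credential candidate : candidates) {
            if (matchesAllCriteria(candidate, criteriaSet)) {
                matched.add(candidate);
            }
        }
        return Collections.unmodifiableSet(matched);
    }

    /**
     * Evaluates every supported criterion against one credential, in the same order the checks have always run.
     * Short-circuits on the first failure; each helper logs why the credential was rejected.
     */
    private boolean matchesAllCriteria(Credential credential, CriteriaSet criteriaSet) {
        return matchesPublicKey(credential, criteriaSet)
                && matchesX509Only(credential, criteriaSet)
                && matchesIssuerSerial(credential, criteriaSet)
                && matchesSubjectKeyIdentifier(credential, criteriaSet)
                && matchesSubjectName(credential, criteriaSet)
                && matchesValidityPeriod(credential, criteriaSet)
                && matchesRevocationStatus(credential, criteriaSet)
                && matchesKeyAlgorithm(credential, criteriaSet)
                && matchesUsage(credential, criteriaSet)
                && matchesKeyName(credential, criteriaSet)
                && matchesKeyLength(credential, criteriaSet)
                && matchesTrustLevel(credential, criteriaSet);
    }

    /** Returns the entity certificate of an X.509 credential, or {@code null} if the credential has none. */
    private static X509Certificate entityCertificateOf(Credential credential) {
        if (credential instanceof X509Credential) {
            return ((X509Credential) credential).getEntityCertificate();
        }
        return null;
    }

    /** The key that characterises a credential: secret key, else private key, else public key (may be null). */
    private static Key primaryKeyOf(Credential credential) {
        if (credential.getSecretKey() != null) {
            return credential.getSecretKey();
        }
        if (credential.getPrivateKey() != null) {
            return credential.getPrivateKey();
        }
        return credential.getPublicKey();
    }

    /** {@link PublicKeyCriteria}: the credential's public key must equal the requested one. */
    private boolean matchesPublicKey(Credential credential, CriteriaSet criteriaSet) {
        PublicKeyCriteria criteria = (PublicKeyCriteria) criteriaSet.get(PublicKeyCriteria.class);
        if (criteria == null || criteria.getPublicKey() == null) {
            return true;
        }
        if (credential.getPublicKey() != null && criteria.getPublicKey().equals(credential.getPublicKey())) {
            return true;
        }
        getLogger().debug("PublicKey criteria for credential {} not met", credential.getEntityId());
        return false;
    }

    /** {@link X509OnlyCritieria}: when present, only {@link X509Credential}s qualify. */
    private boolean matchesX509Only(Credential credential, CriteriaSet criteriaSet) {
        if (criteriaSet.get(X509OnlyCritieria.class) == null || credential instanceof X509Credential) {
            return true;
        }
        getLogger().debug("X509-only criteria for credential {} not met", credential.getEntityId());
        return false;
    }

    /** {@link X509IssuerSerialCriteria}: issuer DN and/or serial number of the entity certificate must match. */
    private boolean matchesIssuerSerial(Credential credential, CriteriaSet criteriaSet) {
        X509IssuerSerialCriteria criteria = (X509IssuerSerialCriteria) criteriaSet.get(X509IssuerSerialCriteria.class);
        if (criteria == null) {
            return true;
        }
        X509Certificate cert = entityCertificateOf(credential);
        if (cert == null) {
            getLogger().debug("X509IssuerSerial criteria for credential {} not met", credential.getEntityId());
            return false;
        }
        if (criteria.getIssuerName() != null && !cert.getIssuerX500Principal().equals(criteria.getIssuerName())) {
            getLogger().debug("X509IssuerSerial criteria for credential {} not met. Bad issuer name: {}, expected: {}",
                    new Object[] { credential.getEntityId(), cert.getIssuerX500Principal().getName(), criteria.getIssuerName().getName() });
            return false;
        }
        // BigInteger.equals(null) is false, so a certificate without a serial fails a serial constraint.
        if (criteria.getSerialNumber() != null && !criteria.getSerialNumber().equals(cert.getSerialNumber())) {
            getLogger().debug("X509IssuerSerial criteria for credential {} not met. Bad serial number: {}, expected: {}",
                    new Object[] { credential.getEntityId(), cert.getSerialNumber(), criteria.getSerialNumber() });
            return false;
        }
        return true;
    }

    /** {@link X509SubjectKeyIdentifierCriteria}: the certificate's SKI extension must equal the requested bytes. */
    private boolean matchesSubjectKeyIdentifier(Credential credential, CriteriaSet criteriaSet) {
        X509SubjectKeyIdentifierCriteria criteria =
                (X509SubjectKeyIdentifierCriteria) criteriaSet.get(X509SubjectKeyIdentifierCriteria.class);
        if (criteria == null || criteria.getSubjectKeyIdentifier() == null) {
            return true;
        }
        X509Certificate cert = entityCertificateOf(credential);
        if (cert == null) {
            getLogger().debug("X509SubjectKeyIdentifier criteria for credential {} not met", credential.getEntityId());
            return false;
        }
        byte[] ski = X509Util.getSubjectKeyIdentifier(cert);
        if (ski == null || ski.length == 0) {
            // No SKI extension: the constraint cannot be verified, so it is not met.
            getLogger().info("Could not evaluate X509SubjectKeyIdentifier criteria, can not determine credential's SKI");
            getLogger().debug("X509SubjectKeyIdentifier criteria for credential {} not met.", credential.getEntityId());
            return false;
        }
        if (!Arrays.equals(criteria.getSubjectKeyIdentifier(), ski)) {
            getLogger().debug("X509SubjectKeyIdentifier criteria for credential {} not met.", credential.getEntityId());
            return false;
        }
        return true;
    }

    /** {@link X509SubjectNameCriteria}: the certificate's subject DN must equal the requested one. */
    private boolean matchesSubjectName(Credential credential, CriteriaSet criteriaSet) {
        X509SubjectNameCriteria criteria = (X509SubjectNameCriteria) criteriaSet.get(X509SubjectNameCriteria.class);
        if (criteria == null || criteria.getSubjectName() == null) {
            return true;
        }
        X509Certificate cert = entityCertificateOf(credential);
        if (cert == null) {
            getLogger().debug("X509SubjectName criteria for credential {} not met", credential.getEntityId());
            return false;
        }
        if (!criteria.getSubjectName().equals(cert.getSubjectX500Principal())) {
            getLogger().debug("X509SubjectName criteria for credential {} not met.", credential.getEntityId());
            return false;
        }
        return true;
    }

    /**
     * {@link X509ExpirationDateCriteria}: the certificate must be valid at the instant supplied by the criteria's
     * date-time provider. Credentials that are not X.509 have no validity period and are allowed through.
     */
    private boolean matchesValidityPeriod(Credential credential, CriteriaSet criteriaSet) {
        X509ExpirationDateCriteria criteria = (X509ExpirationDateCriteria) criteriaSet.get(X509ExpirationDateCriteria.class);
        if (criteria == null || criteria.getDateTimeProvider() == null) {
            return true;
        }
        if (!(credential instanceof X509Credential)) {
            getLogger().debug("X509ExpirationDateCriteria criteria for credential {} not met, allowing - credential is not an X509Credential instance",
                    credential.getEntityId());
            return true;
        }
        X509Certificate cert = ((X509Credential) credential).getEntityCertificate();
        if (cert == null) {
            getLogger().debug("X509ExpirationDateCriteria criteria for credential {} not met", credential.getEntityId());
            return false;
        }
        // The evaluation instant comes from the criteria, not the wall clock, so callers can pin it; the
        // java.security.cert API speaks java.util.Date, hence the conversion.
        Date at = new Date(criteria.getDateTimeProvider().getCurrentDateTime().getMillis());
        if (at.before(cert.getNotBefore()) || at.after(cert.getNotAfter())) {
            getLogger().debug("X509ExpirationDateCriteria criteria for credential {} not met. Current date: {}, cert not before date: {}, cert not after date: {}",
                    new Object[] { credential.getEntityId(), at, cert.getNotBefore(), cert.getNotAfter() });
            return false;
        }
        return true;
    }

    /**
     * {@link X509CRLEvaluationCriteria}: the certificate must not be listed on any CRL the criteria's CRL manager
     * returns for it. Credentials that are not X.509 are allowed through. If the CRLs cannot be obtained the
     * revocation status is unknown and the credential is rejected (fail closed) rather than silently accepted.
     */
    private boolean matchesRevocationStatus(Credential credential, CriteriaSet criteriaSet) {
        X509CRLEvaluationCriteria criteria = (X509CRLEvaluationCriteria) criteriaSet.get(X509CRLEvaluationCriteria.class);
        if (criteria == null || criteria.getCrlManager() == null) {
            return true;
        }
        if (!(credential instanceof X509Credential)) {
            getLogger().debug("X509CRLEvaluationCriteria criteria for credential {} not met, allowing - credential is not an X509Credential instance",
                    credential.getEntityId());
            return true;
        }
        X509Certificate cert = ((X509Credential) credential).getEntityCertificate();
        if (cert == null) {
            getLogger().debug("X509CRLEvaluationCriteria criteria for credential {} not met", credential.getEntityId());
            return false;
        }
        Set<X509Certificate> certs = new HashSet<X509Certificate>(1);
        certs.add(cert);
        try {
            for (CRL crl : criteria.getCrlManager().getCRLCollection(certs)) {
                if (crl.isRevoked(cert)) {
                    getLogger().debug("X509CRLEvaluationCriteria criteria for credential {} not met. Certificate {} is revoked on CRL list: {}",
                            new Object[] { credential.getEntityId(), cert, crl });
                    return false;
                }
            }
        } catch (CRLException e) {
            getLogger().error("Exception occured when evaluating X509CRLEvaluationCriteria criteria for credential " + credential.getEntityId(), e);
            return false;
        }
        return true;
    }

    /** {@link KeyAlgorithmCriteria}: the algorithm name of the credential's primary key must match. */
    private boolean matchesKeyAlgorithm(Credential credential, CriteriaSet criteriaSet) {
        KeyAlgorithmCriteria criteria = (KeyAlgorithmCriteria) criteriaSet.get(KeyAlgorithmCriteria.class);
        if (criteria == null || criteria.getKeyAlgorithm() == null) {
            return true;
        }
        Key key = primaryKeyOf(credential);
        String algorithm = key == null ? null : key.getAlgorithm();
        if (algorithm != null && algorithm.equals(criteria.getKeyAlgorithm())) {
            return true;
        }
        getLogger().debug("KeyAlgorithm criteria for credential {} not met. Expected: {}, got: {}",
                new Object[] { credential.getEntityId(), criteria.getKeyAlgorithm(), key == null ? " null key!" : algorithm });
        return false;
    }

    /** {@link UsageCriteria}: see {@link #matchUsage(Credential.UsageType, Credential.UsageType)}. */
    private boolean matchesUsage(Credential credential, CriteriaSet criteriaSet) {
        UsageCriteria criteria = (UsageCriteria) criteriaSet.get(UsageCriteria.class);
        if (criteria == null || criteria.getUsage() == null || matchUsage(credential.getUsageType(), criteria.getUsage())) {
            return true;
        }
        getLogger().debug("Usage criteria for credential {} not met. Expected: {}, got: {}",
                new Object[] { credential.getEntityId(), criteria.getUsage(), credential.getUsageType() });
        return false;
    }

    /** {@link KeyNameCriteria}: the requested name must be among the credential's key names. */
    private boolean matchesKeyName(Credential credential, CriteriaSet criteriaSet) {
        KeyNameCriteria criteria = (KeyNameCriteria) criteriaSet.get(KeyNameCriteria.class);
        if (criteria == null || criteria.getKeyName() == null) {
            return true;
        }
        if (credential.getKeyNames() != null && credential.getKeyNames().contains(criteria.getKeyName())) {
            return true;
        }
        getLogger().debug("KeyName criteria for credential id {} not met. Expected name: {}",
                credential.getEntityId(), criteria.getKeyName());
        return false;
    }

    /** {@link KeyLengthCriteria}: the length of the credential's primary key must equal the requested length. */
    private boolean matchesKeyLength(Credential credential, CriteriaSet criteriaSet) {
        KeyLengthCriteria criteria = (KeyLengthCriteria) criteriaSet.get(KeyLengthCriteria.class);
        if (criteria == null || criteria.getKeyLength() == null) {
            return true;
        }
        Key key = primaryKeyOf(credential);
        if (key == null) {
            getLogger().debug("KeyLength criteria for credential {} not met. Expected: {}, got null key!",
                    credential.getEntityId(), criteria.getKeyLength());
            return false;
        }
        Integer length = SecurityHelper.getKeyLength(key);
        if (length == null) {
            // Unknown key type: the constraint cannot be verified, so it is not met.
            getLogger().info("Could not evaluate KeyLength criteria, can not determine length of key");
            getLogger().debug("KeyLength criteria for credential {} not met. Expected: {}",
                    credential.getEntityId(), criteria.getKeyLength());
            return false;
        }
        if (!length.equals(criteria.getKeyLength())) {
            getLogger().debug("KeyLength criteria for credential {} not met. Expected: {}, got: {}",
                    new Object[] { credential.getEntityId(), criteria.getKeyLength(), length });
            return false;
        }
        return true;
    }

    /** {@link TrustLevelCriteria}: see {@link #verifyTrust(Credential, TrustLevel)}. */
    private boolean matchesTrustLevel(Credential credential, CriteriaSet criteriaSet) {
        TrustLevelCriteria criteria = (TrustLevelCriteria) criteriaSet.get(TrustLevelCriteria.class);
        if (criteria == null || criteria.getTrustLevel() == null || verifyTrust(credential, criteria.getTrustLevel())) {
            return true;
        }
        getLogger().debug("Trust level criteria for credential {} not met. Specified criteria: {}, cert trust level: {}",
                new Object[] { credential.getEntityId(), criteria.getTrustLevel(), getCredentialTrustLevelInfo(credential) });
        return false;
    }

    /**
     * Checks whether {@code credential} satisfies the required trust level.
     * <p>
     * A credential that is not {@link ITrustAware} carries no trust information and satisfies only
     * {@link TrustLevel#DEFAULT_TRUST}. A trust-aware credential satisfies the requirement when its own level is
     * declared no later in {@link TrustLevel} than the required one (the comparison is by declaration order, so
     * the enum is presumably declared from most to least trusted - confirm against {@link TrustLevel}).
     *
     * @param credential the credential to check; {@code null} never satisfies any level
     * @param trustLevel the required level; {@code null} is never satisfied
     * @return {@code true} if the credential meets the required trust level
     */
    public static boolean verifyTrust(Credential credential, TrustLevel trustLevel) {
        if (credential == null || trustLevel == null) {
            return false;
        }
        if (!(credential instanceof ITrustAware)) {
            return trustLevel == TrustLevel.DEFAULT_TRUST;
        }
        TrustLevel actual = ((ITrustAware) credential).getTrustLevel();
        return actual != null && actual.compareTo(trustLevel) <= 0;
    }

    /**
     * Describes a credential's trust level for diagnostics, using the same {@link ITrustAware} view that
     * {@link #verifyTrust(Credential, TrustLevel)} evaluates.
     *
     * @return the trust level's string form, {@code "null"} if the credential is trust-aware but reports none,
     *         or {@code "unknown"} if the credential carries no trust information
     */
    protected String getCredentialTrustLevelInfo(Credential credential) {
        if (!(credential instanceof ITrustAware)) {
            return "unknown";
        }
        TrustLevel level = ((ITrustAware) credential).getTrustLevel();
        return level == null ? "null" : level.toString();
    }

    /**
     * Usage compatibility: an {@link Credential.UsageType#UNSPECIFIED} usage on either side matches anything;
     * otherwise the two usages must be the same constant.
     *
     * @param usageType  the credential's usage
     * @param usageType2 the requested usage
     * @return {@code true} if the usages are compatible
     */
    protected boolean matchUsage(Credential.UsageType usageType, Credential.UsageType usageType2) {
        if (usageType == Credential.UsageType.UNSPECIFIED || usageType2 == Credential.UsageType.UNSPECIFIED) {
            return true;
        }
        return usageType == usageType2;
    }
}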
