package org.opensaml.lite.signature.impl;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import org.opensaml.lite.security.Credential;
import org.opensaml.lite.security.CredentialResolver;
import org.opensaml.lite.security.CriteriaSet;
import org.opensaml.lite.security.KeyInfoCredentialResolver;
import org.opensaml.lite.security.SecurityException;
import org.opensaml.lite.security.criteria.KeyAlgorithmCriteria;
import org.opensaml.lite.security.criteria.UsageCriteria;
import org.opensaml.lite.security.trust.ITrustEvaluator;
import org.opensaml.lite.security.trust.TrustedCredentialTrustEngine;
import org.opensaml.lite.security.x509.X509Credential;
import org.opensaml.lite.signature.Signature;
import org.opensaml.lite.signature.digest.IDigester;
import org.opensaml.lite.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Required;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-common-1.10.2-SNAPSHOT.jar:org/opensaml/lite/signature/impl/X509CertificateSignatureTrustEngine.class */
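/**
 * Signature trust engine that validates a {@link Signature} against credentials obtained from a
 * {@link CredentialResolver}.
 *
 * <p>Validation is attempted in two stages: first through the inherited
 * {@code validate(Signature, trustBasis)} using only the resolved {@link X509Credential}s as the
 * trust basis, then by verifying the signature directly against every resolved credential.
 *
 * <p>Security note: the signature algorithm used to build the key-algorithm criterion is read from
 * the signature under validation, i.e. from untrusted input. In this class it only narrows which
 * trusted credentials are resolved; no algorithm allow-list is visible here, so any restriction on
 * acceptable algorithms has to be enforced elsewhere (TODO confirm in the base class / digester
 * configuration).
 */
public class X509CertificateSignatureTrustEngine extends BaseSignatureTrustEngine<Iterable<X509Credential>> implements TrustedCredentialTrustEngine<Signature> {
    protected final Logger log;
    /** Source of the trusted credentials; never null once construction has succeeded. */
    private final CredentialResolver credentialResolver;
    /** Evaluator deciding whether an X509 credential is trusted; injected via {@link #setKeyTrust}. */
    private ITrustEvaluator<X509Credential> keyTrust;

    /**
     * Creates the engine.
     *
     * @param credentialResolver resolver used to look up trusted credentials, must not be null
     * @param keyInfoCredentialResolver passed through unchanged to the superclass constructor
     * @param iDigester passed through unchanged to the superclass constructor
     * @param map passed through unchanged to the superclass constructor
     * @throws IllegalArgumentException if {@code credentialResolver} is null
     */
    public X509CertificateSignatureTrustEngine(CredentialResolver credentialResolver, KeyInfoCredentialResolver keyInfoCredentialResolver, IDigester iDigester, Map<String, String> map) {
        super(keyInfoCredentialResolver, iDigester, map);
        this.log = LoggerFactory.getLogger(getClass());
        if (credentialResolver == null) {
            throw new IllegalArgumentException("Credential resolver may not be null");
        }
        this.credentialResolver = credentialResolver;
    }

    /**
     * Returns the resolver used to obtain trusted credentials.
     *
     * @return the credential resolver supplied at construction time
     */
    @Override // org.opensaml.lite.security.trust.TrustedCredentialTrustEngine
    public CredentialResolver getCredentialResolver() {
        return this.credentialResolver;
    }

    /**
     * Decides whether the given signature is trusted.
     *
     * <p>The caller's criteria are copied, a SIGNING usage criterion is added when none is present,
     * and a key-algorithm criterion is added when the signature declares an algorithm. The
     * resolved credentials are then tried as described on the class.
     *
     * @param signature the signature to validate
     * @param criteriaSet criteria used to resolve the trusted credentials; not modified
     * @return {@code true} if either stage accepts the signature, {@code false} otherwise
     * @throws SecurityException if parameter checking, credential resolution or verification fails
     */
    @Override // org.opensaml.lite.security.trust.TrustEngine
    public boolean validate(Signature signature, CriteriaSet criteriaSet) throws SecurityException {
        checkParams(signature, criteriaSet);

        // Work on a copy so the caller's criteria set is left untouched.
        CriteriaSet effectiveCriteria = new CriteriaSet();
        effectiveCriteria.addAll(criteriaSet);
        if (!effectiveCriteria.contains(UsageCriteria.class)) {
            effectiveCriteria.add(new UsageCriteria(Credential.UsageType.SIGNING));
        }
        String signatureAlgorithm = signature.getSignatureAlgorithm();
        if (!DatatypeHelper.isEmpty(signatureAlgorithm)) {
            // NOTE(review): the boolean flag presumably replaces an existing criterion of the
            // same type - confirm against CriteriaSet.
            effectiveCriteria.add(new KeyAlgorithmCriteria(signatureAlgorithm), true);
        }

        Iterable<Credential> trustedCredentials = getCredentialResolver().resolve(effectiveCriteria);

        // The decompiled source cast the trust basis to Signature, which cannot succeed for the
        // HashSet built by extractX509Credentials; the basis is passed with its real type, which
        // is this class's type argument to BaseSignatureTrustEngine.
        if (validate(signature, extractX509Credentials(trustedCredentials))) {
            return true;
        }

        this.log.debug("Attempting to verify signature using trusted credentials");
        // extractX509Credentials tolerates a null result from the resolver, so this stage must
        // as well: with nothing to verify against, fall through and reject.
        if (trustedCredentials != null) {
            for (Credential trustedCredential : trustedCredentials) {
                if (verifySignature(signature, trustedCredential)) {
                    this.log.debug("Successfully verified signature using resolved trusted credential");
                    return true;
                }
            }
        }
        this.log.error("Failed to verify signature using either KeyInfo-derived or directly trusted credentials");
        return false;
    }

    /**
     * Filters the X509 credentials out of a mixed collection.
     *
     * @param iterable credentials to filter, may be null
     * @return a set holding every element that is an {@link X509Credential}, or {@code null} when
     *     {@code iterable} is null
     */
    protected Iterable<X509Credential> extractX509Credentials(Iterable<Credential> iterable) {
        if (iterable == null) {
            return null;
        }
        HashSet<X509Credential> x509Credentials = new HashSet<>();
        for (Credential credential : iterable) {
            if (credential instanceof X509Credential) {
                x509Credentials.add((X509Credential) credential);
            }
        }
        return x509Credentials;
    }

    /**
     * Evaluates whether a credential is trusted with respect to the given trusted X509 credentials.
     *
     * <p>Only X509 credentials can be evaluated; anything else, including {@code null}, is
     * rejected with a warning.
     *
     * @param credential the credential to evaluate
     * @param iterable the trusted X509 credentials handed to the key trust evaluator
     * @return the evaluator's verdict for an X509 credential, {@code false} for any other input
     * @throws SecurityException if the key trust evaluator fails
     * @throws IllegalStateException if no key trust evaluator has been set
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.opensaml.lite.signature.impl.BaseSignatureTrustEngine
    public boolean evaluateTrust(Credential credential, Iterable<X509Credential> iterable) throws SecurityException {
        if (credential instanceof X509Credential) {
            if (this.keyTrust == null) {
                // A missing evaluator is a wiring error; report it as such instead of a bare NPE.
                throw new IllegalStateException("keyTrust evaluator has not been set");
            }
            return this.keyTrust.validate((X509Credential) credential, iterable);
        }
        if (credential == null) {
            // instanceof is false for null, and reading the entity id below would throw.
            this.log.warn("cannot evaluate null credential using X509CertificateSignatureTrustEngine!");
            return false;
        }
        this.log.warn("cannot evaluate non X509Credential using X509CertificateSignatureTrustEngine! Credential id: {}", credential.getEntityId());
        return false;
    }

    /**
     * Sets the evaluator used by {@link #evaluateTrust} to decide whether an X509 credential is
     * trusted. Marked {@code @Required}, so Spring configuration must supply it.
     *
     * @param iTrustEvaluator the X509 credential trust evaluator
     */
    @Required
    public void setKeyTrust(ITrustEvaluator<X509Credential> iTrustEvaluator) {
        this.keyTrust = iTrustEvaluator;
    }
}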
