package org.opensaml.lite.security.trust;

import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Required;
import pl.edu.icm.yadda.aas.extractor.IExtractor;
import pl.edu.icm.yadda.aas.timesync.IDateTimeProvider;
import pl.edu.icm.yadda.aas.x509.X509Constants;
import pl.edu.icm.yadda.aas.x509.crl.ICRLManager;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-common-1.10.2.jar:org/opensaml/lite/security/trust/X509CertificateTrustEvaluator.class */
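/**
 * Decides whether an untrusted credential carrying an X.509 certificate is trusted
 * relative to a set of trusted credentials.
 * <p>
 * Evaluation order (see {@link #validate}):
 * <ol>
 *   <li>direct match: the presented certificate equals one of the trusted certificates;</li>
 *   <li>PKIX path validation: the presented certificate is validated against the trusted
 *       CA certificates used as {@link TrustAnchor}s, at the time supplied by the
 *       {@link IDateTimeProvider}, with revocation checked through the CRLs returned by the
 *       {@link ICRLManager} when one is configured.</li>
 * </ol>
 * Two properties of this design are worth knowing when deploying it:
 * <ul>
 *   <li>a direct match returns before any PKIX processing, so validity period and
 *       revocation status are not checked for a certificate that is itself in the
 *       trusted set;</li>
 *   <li>revocation checking is fail-open: when no CRL manager is configured, or the
 *       manager returns no CRLs for the certificate, path validation runs with
 *       revocation disabled (logged at WARN level).</li>
 * </ul>
 * {@link #init()} must be called after the properties are set and before the first
 * {@link #validate} call; the evaluator is not safe for concurrent reconfiguration.
 *
 * @param <C> credential type; certificates and ids are pulled out of it by the configured extractors
 */
public class X509CertificateTrustEvaluator<C> implements ITrustEvaluator<C> {
    private IDateTimeProvider dateTimeProvider;
    private ICRLManager crlManager;
    private CertificateFactory certificateFactory;
    private CertPathValidator validator;
    private IExtractor<C, X509Certificate> credentialCertificateExtractor;
    private IExtractor<C, String> credentialIdExtractor;
    protected final Logger log = LoggerFactory.getLogger(getClass());
    // factory / validator lookup parameters; "BC" selects the Bouncy Castle provider
    private String certificateFactoryType = "X.509";
    private String certificateFactoryProv = "BC";
    private String validatorAlgorithm = X509Constants.DEFAULT_CERT_PATH_VALIDATOR_ALG;
    private String validatorProv = "BC";

    /** Creates an evaluator whose {@link CertificateFactory} is built lazily in {@link #init()}. */
    public X509CertificateTrustEvaluator() {
    }

    /**
     * Creates an evaluator using a caller-supplied {@link CertificateFactory}.
     *
     * @param certificateFactory factory used to build the {@link CertPath} under validation
     */
    public X509CertificateTrustEvaluator(CertificateFactory certificateFactory) {
        this.certificateFactory = certificateFactory;
    }

    /**
     * Resolves the certificate factory (unless one was injected) and the certificate path validator
     * from the configured algorithm and provider names.
     *
     * @throws CertificateException        when the certificate factory type is unknown
     * @throws NoSuchProviderException     when the configured provider is not registered
     * @throws NoSuchAlgorithmException    when the validator algorithm is not available
     */
    public void init() throws CertificateException, NoSuchProviderException, NoSuchAlgorithmException {
        if (this.certificateFactory == null) {
            this.log.debug("initializing CertificateFactory");
            this.certificateFactory = CertificateFactory.getInstance(this.certificateFactoryType, this.certificateFactoryProv);
        }
        this.validator = CertPathValidator.getInstance(this.validatorAlgorithm, this.validatorProv);
    }

    /**
     * Evaluates trust in {@code c} against {@code iterable}.
     * <p>
     * Returns {@code true} on a direct certificate match, otherwise the result of PKIX path
     * validation of the single presented certificate against the CA certificates among the
     * trusted credentials. Any failure (no certificate, no usable anchor, validation error,
     * provider error) is logged and yields {@code false}; this method never throws.
     *
     * @param c        the credential to evaluate, {@code null} yields {@code false}
     * @param iterable the trusted credentials, {@code null} yields {@code false}
     * @return whether the credential is trusted
     */
    @Override
    public boolean validate(C c, Iterable<C> iterable) {
        if (c == null || iterable == null) {
            return false;
        }
        try {
            if (validateDirectly(c, iterable)) {
                this.log.info("untrusted credential validated succesfully by direct comparison");
                return true;
            }
            X509Certificate candidate = this.credentialCertificateExtractor.extract(c);
            if (candidate == null) {
                // without a certificate there is nothing to build a path from
                this.log.warn("no certificate could be extracted, " + describe(c));
                return false;
            }
            // the path holds only the presented certificate; intermediates are expected among the anchors
            List<X509Certificate> chain = new ArrayList<X509Certificate>();
            chain.add(candidate);
            CertPath certPath = this.certificateFactory.generateCertPath(chain);

            Set<TrustAnchor> anchors = collectAnchors(iterable);
            if (anchors.isEmpty()) {
                // PKIXParameters rejects an empty anchor set anyway; say why up front
                this.log.warn("no CA certificate among trusted credentials, cannot validate " + describe(c));
                return false;
            }
            PKIXParameters params = new PKIXParameters(anchors);
            // validation time comes from the injected provider rather than the system clock
            params.setDate(new Date(this.dateTimeProvider.getCurrentDateTime().getMillis()));
            configureRevocation(params, chain);

            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) this.validator.validate(certPath, params);
            return result != null && result.getTrustAnchor() != null;
        } catch (InvalidAlgorithmParameterException e) {
            this.log.error("problem occured when evaluating trust to " + describe(c), e);
            return false;
        } catch (NoSuchAlgorithmException e) {
            this.log.error("problem occured when evaluating trust to " + describe(c), e);
            return false;
        } catch (CRLException e) {
            this.log.error("problem occured when initializing CRL list for " + describe(c), e);
            return false;
        } catch (CertPathValidatorException e) {
            this.log.error("credential did not validate succesfully, " + describe(c), e);
            return false;
        } catch (CertificateException e) {
            this.log.error("problem occured when evaluating trust to " + describe(c), e);
            return false;
        }
    }

    /**
     * Turns every CA certificate among the trusted credentials into a {@link TrustAnchor};
     * non-CA certificates are skipped with a debug message.
     */
    private Set<TrustAnchor> collectAnchors(Iterable<C> iterable) {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (C trusted : iterable) {
            X509Certificate trustedCert = this.credentialCertificateExtractor.extract(trusted);
            if (isCACertificate(trustedCert)) {
                anchors.add(new TrustAnchor(trustedCert, null));
            } else {
                this.log.debug("cannot use as an anchor, not CA certificate: " + trustedCert);
            }
        }
        return anchors;
    }

    /**
     * Attaches the CRLs for {@code chain} to {@code params}, or disables revocation checking
     * when there is no CRL manager or it returns no CRLs. Both fail-open cases are logged at WARN.
     *
     * @throws InvalidAlgorithmParameterException when the collection cert store cannot be built
     * @throws NoSuchAlgorithmException           when the "Collection" cert store type is unavailable
     * @throws CRLException                       when the CRL manager fails to provide CRLs
     */
    private void configureRevocation(PKIXParameters params, List<X509Certificate> chain)
            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, CRLException {
        if (this.crlManager == null) {
            this.log.warn("no CRLManager specified, CRLs will not be verified!");
            params.setRevocationEnabled(false);
            return;
        }
        // assumes ICRLManager.getCRLCollection accepts a List<X509Certificate> — confirm against the interface
        Collection<CRL> crls = this.crlManager.getCRLCollection(chain);
        if (crls.isEmpty()) {
            // an empty result (e.g. CRL not obtainable) silently waives revocation; make that visible
            this.log.warn("CRLManager returned no CRLs, revocation will not be verified for this credential");
            params.setRevocationEnabled(false);
        } else {
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        }
    }

    /** Log fragment identifying the credential; tolerates an unset id extractor. */
    private String describe(C c) {
        String id = this.credentialIdExtractor != null ? this.credentialIdExtractor.extract(c) : null;
        return "credential id: " + id + ", containing certificate: " + this.credentialCertificateExtractor.extract(c);
    }

    /**
     * Checks whether the certificate of {@code c} is equal to the certificate of any trusted credential.
     * Note that equality alone is accepted here — no validity-period or revocation check is made.
     *
     * @return {@code true} on an exact certificate match, {@code false} otherwise (also when {@code c}
     *         carries no certificate)
     */
    boolean validateDirectly(C c, Iterable<C> iterable) {
        X509Certificate candidate = this.credentialCertificateExtractor.extract(c);
        if (candidate == null) {
            return false;
        }
        for (C trusted : iterable) {
            X509Certificate trustedCert = this.credentialCertificateExtractor.extract(trusted);
            if (trustedCert != null && trustedCert.equals(candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the certificate may serve as a trust anchor: {@link X509Certificate#getBasicConstraints()}
     * returns -1 for non-CA certificates and the path length constraint (or MAX_VALUE) otherwise.
     */
    protected boolean isCACertificate(X509Certificate x509Certificate) {
        return x509Certificate != null && x509Certificate.getBasicConstraints() >= 0;
    }

    /** Source of the validation time used in {@link PKIXParameters#setDate}. Required. */
    @Required
    public void setDateTimeProvider(IDateTimeProvider iDateTimeProvider) {
        this.dateTimeProvider = iDateTimeProvider;
    }

    /** Optional CRL source; without it revocation is not checked. */
    public void setCrlManager(ICRLManager iCRLManager) {
        this.crlManager = iCRLManager;
    }

    /** Certificate factory type used by {@link #init()}; defaults to "X.509". */
    public void setCertificateFactoryType(String str) {
        this.certificateFactoryType = str;
    }

    /** Certificate factory provider used by {@link #init()}; defaults to "BC". */
    public void setCertificateFactoryProv(String str) {
        this.certificateFactoryProv = str;
    }

    /** Path validator algorithm used by {@link #init()}. */
    public void setValidatorAlgorithm(String str) {
        this.validatorAlgorithm = str;
    }

    /** Path validator provider used by {@link #init()}; defaults to "BC". */
    public void setValidatorProv(String str) {
        this.validatorProv = str;
    }

    /** Extractor yielding the certificate carried by a credential. */
    public void setCredentialCertificateExtractor(IExtractor<C, X509Certificate> iExtractor) {
        this.credentialCertificateExtractor = iExtractor;
    }

    /** Extractor yielding the credential id used in log messages. */
    public void setCredentialIdExtractor(IExtractor<C, String> iExtractor) {
        this.credentialIdExtractor = iExtractor;
    }
}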
