package edu.internet2.middleware.shibboleth.common.provider;

import edu.internet2.middleware.shibboleth.common.PluggableConfigurationComponent;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
import edu.internet2.middleware.shibboleth.common.Trust;
import edu.internet2.middleware.shibboleth.metadata.EntitiesDescriptor;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
import edu.internet2.middleware.shibboleth.metadata.ExtendedEntitiesDescriptor;
import edu.internet2.middleware.shibboleth.metadata.ExtendedEntityDescriptor;
import edu.internet2.middleware.shibboleth.metadata.KeyAuthority;
import edu.internet2.middleware.shibboleth.metadata.KeyDescriptor;
import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.KeyName;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xmlbeans.XmlException;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.DERString;
import org.opensaml.SAMLException;
import org.opensaml.SAMLSignedObject;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/common/provider/ShibbolethTrust.class */
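/**
 * Trust engine that backs {@link BasicTrust}'s inline key matching with PKIX
 * path validation.
 * <p>
 * Evaluation order for a certificate: (1) the superclass tries to match it
 * against keys published inline in the role's {@code KeyDescriptor}s; (2) if
 * that fails and name checking is requested, the end-entity certificate must
 * carry a name that metadata binds to the entity (the entityId, or a
 * {@code KeyName} from a signing {@code KeyDescriptor}); (3) a PKIX path is
 * built and validated against the {@code KeyAuthority} trust anchors attached
 * to the entity or to any enclosing {@code EntitiesDescriptor} group, nearest
 * group first.
 * <p>
 * Name matching on its own is deliberately weak (a CN or SubjectAltName equal
 * to the entityId or a KeyName). It only narrows which certificates may be
 * submitted to PKIX; trust is only established by a validated path to a
 * metadata-published anchor.
 */
public class ShibbolethTrust extends BasicTrust implements Trust, PluggableConfigurationComponent {

    private static final Logger log = Logger.getLogger(ShibbolethTrust.class);

    /** OID of the X.500 commonName attribute type. */
    private static final String CN_OID = "2.5.4.3";

    /** GeneralName tag for dNSName as reported by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final Integer SAN_DNS_NAME = Integer.valueOf(2);

    /** GeneralName tag for uniformResourceIdentifier, ditto. */
    private static final Integer SAN_URI = Integer.valueOf(6);

    /**
     * Validates {@code cert} for {@code role} with name checking enabled.
     *
     * @see #validate(X509Certificate, X509Certificate[], RoleDescriptor, boolean)
     */
    @Override // edu.internet2.middleware.shibboleth.common.provider.BasicTrust, edu.internet2.middleware.shibboleth.common.Trust
    public boolean validate(X509Certificate cert, X509Certificate[] chain, RoleDescriptor role) {
        return validate(cert, chain, role, true);
    }

    /**
     * Validates the XML signature on {@code token} against the keys and
     * trust anchors metadata publishes for {@code role}.
     * <p>
     * If the superclass cannot verify the signature with an inline key, every
     * certificate embedded in the signature is tried as the signing
     * certificate; the one that verifies becomes the end-entity certificate
     * and all embedded certificates are offered as path material to
     * {@link #validate(X509Certificate, X509Certificate[], RoleDescriptor)}.
     *
     * @param token signed SAML object whose signature is to be checked
     * @param role  metadata role the signer claims
     * @return {@code true} only if the signature verifies with a certificate
     *         that is itself trusted for {@code role}
     */
    @Override // edu.internet2.middleware.shibboleth.common.provider.BasicTrust, edu.internet2.middleware.shibboleth.common.Trust
    public boolean validate(SAMLSignedObject token, RoleDescriptor role) {
        if (super.validate(token, role)) {
            return true;
        }
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        X509Certificate signer = null;
        try {
            Iterator certs = token.getX509Certificates();
            while (certs.hasNext()) {
                X509Certificate candidate = (X509Certificate) certs.next();
                // Every embedded certificate is path material, whether or not it signed.
                chain.add(candidate);
                try {
                    token.verify(candidate);
                    // As before, the last certificate that verifies the signature wins.
                    signer = candidate;
                } catch (SAMLException notTheSigner) {
                    // Not the signing certificate; it stays in the chain only.
                }
            }
        } catch (SAMLException e) {
            log.error(new StringBuffer("Unable to read certificates from the signed object: ").append(e).toString());
            return false;
        }
        if (signer == null) {
            log.debug("No certificate embedded in the signature verifies it.");
            return false;
        }
        return validate(signer, chain.toArray(new X509Certificate[chain.size()]), role);
    }

    /**
     * Validates an end-entity certificate for a metadata role.
     *
     * @param cert      the end-entity certificate whose key is being trusted
     * @param chain     candidate intermediate/path certificates (may include
     *                  {@code cert}); used only as PKIX cert-store material
     * @param role      the metadata role the certificate is presented for
     * @param checkName when {@code true}, {@code cert} must carry a name bound
     *                  to the entity in metadata before PKIX is attempted
     * @return {@code true} if the superclass accepts the certificate inline,
     *         or a PKIX path from {@code cert} to a metadata trust anchor
     *         builds and validates (after the optional name check)
     */
    @Override // edu.internet2.middleware.shibboleth.common.provider.BasicTrust, edu.internet2.middleware.shibboleth.common.Trust
    public boolean validate(X509Certificate cert, X509Certificate[] chain, RoleDescriptor role, boolean checkName) {
        if (super.validate(cert, chain, role, checkName)) {
            return true;
        }
        if (role == null || cert == null) {
            log.error("Appropriate data was not supplied for trust evaluation.");
            return false;
        }
        EntityDescriptor entity = role.getEntityDescriptor();
        if (entity == null) {
            log.error("Role descriptor is not attached to an entity; cannot evaluate trust.");
            return false;
        }
        log.debug("Inline validation was unsuccessful.  Attmping PKIX...");
        // The name check is applied to the end-entity certificate itself, not
        // to chain[0]: the chain is unordered path material and chain[0] is not
        // guaranteed to be the certificate whose key is actually being trusted.
        if (checkName && !nameMatchesMetadata(cert, role, entity.getId())) {
            log.error("cannot match certificate subject against acceptable key names based on the metadata entityId or KeyDescriptors");
            return false;
        }
        X509Certificate[] material = chain == null ? new X509Certificate[0] : chain;
        return pkixValidate(cert, material, entity);
    }

    /**
     * Checks whether {@code cert} carries a name that metadata binds to the
     * entity: the entityId itself, or a {@code KeyName} of any
     * {@code KeyDescriptor} in {@code role} whose use is not 0.
     *
     * @return {@code true} on the first match, {@code false} if no name matches
     */
    private static boolean nameMatchesMetadata(X509Certificate cert, RoleDescriptor role, String entityId) {
        if (matchProviderId(cert, entityId)) {
            return true;
        }
        Iterator descriptors = role.getKeyDescriptors();
        while (descriptors.hasNext()) {
            KeyDescriptor descriptor = (KeyDescriptor) descriptors.next();
            // Use value 0 is skipped, presumably a non-signing use; confirm against KeyDescriptor's constants.
            if (descriptor.getUse() == 0) {
                log.debug("Skipping key descriptor with inappropriate usage indicator.");
                continue;
            }
            KeyInfo keyInfo = descriptor.getKeyInfo();
            if (keyInfo == null || !keyInfo.containsKeyName()) {
                continue;
            }
            for (int i = 0; i < keyInfo.lengthKeyName(); i++) {
                try {
                    if (matchKeyName(cert, keyInfo.itemKeyName(i))) {
                        return true;
                    }
                } catch (XMLSecurityException e) {
                    log.error(new StringBuffer("Problem retrieving key name from metadata: ").append(e).toString());
                }
            }
        }
        return false;
    }

    /**
     * Tries PKIX validation against the KeyAuthorities of {@code entity}, then
     * walks up through the enclosing EntitiesDescriptor groups.
     */
    private boolean pkixValidate(X509Certificate cert, X509Certificate[] chain, EntityDescriptor entity) {
        if (entity instanceof ExtendedEntityDescriptor) {
            Iterator authorities = ((ExtendedEntityDescriptor) entity).getKeyAuthorities();
            while (authorities.hasNext()) {
                if (pkixValidate(cert, chain, (KeyAuthority) authorities.next())) {
                    return true;
                }
            }
        }
        EntitiesDescriptor group = entity.getEntitiesDescriptor();
        return group != null && pkixValidate(cert, chain, group);
    }

    /**
     * Tries PKIX validation against the KeyAuthorities of a group, then of its
     * parent group, recursively, until one validates or the root is reached.
     */
    private boolean pkixValidate(X509Certificate cert, X509Certificate[] chain, EntitiesDescriptor group) {
        log.debug("Attemping to validate against parent group.");
        if (group instanceof ExtendedEntitiesDescriptor) {
            Iterator authorities = ((ExtendedEntitiesDescriptor) group).getKeyAuthorities();
            while (authorities.hasNext()) {
                if (pkixValidate(cert, chain, (KeyAuthority) authorities.next())) {
                    return true;
                }
            }
        }
        EntitiesDescriptor parent = group.getEntitiesDescriptor();
        return parent != null && pkixValidate(cert, chain, parent);
    }

    /**
     * Builds and validates a PKIX path from {@code cert} to one of the
     * certificates published in {@code authority}.
     * <p>
     * The listing this was reviewed from reached {@code return true} without
     * ever calling a CertPathBuilder or CertPathValidator, i.e. it accepted any
     * certificate as soon as an anchor set could be assembled. Whether that was
     * a decompilation artifact or a real regression, the build+validate calls
     * below are what actually enforces the trust anchors.
     *
     * @param cert      the end-entity certificate (target of the path)
     * @param chain     extra certificates offered as path material
     * @param authority metadata KeyAuthority supplying anchors, CRLs and the
     *                  maximum path length
     * @return {@code true} only if a path builds and validates
     */
    private boolean pkixValidate(X509Certificate cert, X509Certificate[] chain, KeyAuthority authority) {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        Set<X509CRL> crls = new HashSet<X509CRL>();
        collectAnchorsAndCrls(authority, anchors, crls);
        if (anchors.isEmpty()) {
            log.debug("Key authority publishes no usable trust anchors.");
            return false;
        }
        log.debug("Constructed a trust list from key authority.  Attempting path validation...");
        try {
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(cert);
            PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
            params.setMaxPathLength(authority.getVerifyDepth());

            // The builder locates the target and intermediates through cert stores,
            // so the end-entity certificate itself must be present in the store.
            List<Object> storeMaterial = new ArrayList<Object>(crls);
            storeMaterial.addAll(Arrays.asList(chain));
            if (!storeMaterial.contains(cert)) {
                storeMaterial.add(cert);
            }
            CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeMaterial));
            params.setCertStores(Collections.singletonList(store));
            // Revocation is only enforced when metadata actually ships CRL entries
            // (see collectAnchorsAndCrls); otherwise PKIX would fail for lack of CRLs.
            params.setRevocationEnabled(!crls.isEmpty());

            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
            PKIXCertPathBuilderResult built = (PKIXCertPathBuilderResult) builder.build(params);
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            validator.validate(built.getCertPath(), params);
            log.debug("Path successfully validated.");
            return true;
        } catch (CertPathBuilderException e) {
            log.debug(new StringBuffer("Path failed to build: ").append(e).toString());
            return false;
        } catch (CertPathValidatorException e) {
            log.debug(new StringBuffer("Path failed to validate: ").append(e).toString());
            return false;
        } catch (GeneralSecurityException e) {
            log.error(new StringBuffer("Encountered an error during validation: ").append(e).toString());
            return false;
        }
    }

    /**
     * Fills {@code anchors} with every X509Certificate and {@code crls} with
     * every non-empty X509CRL found in the authority's KeyInfo elements.
     * <p>
     * CRLs with no revoked entries are dropped, as in the original; the effect
     * is that revocation checking is enabled only when at least one CRL with
     * entries is published. The reason for dropping empty CRLs is not visible
     * here (possibly a provider quirk) — confirm before changing it.
     */
    private static void collectAnchorsAndCrls(KeyAuthority authority, Set<TrustAnchor> anchors, Set<X509CRL> crls) {
        CertificateFactory factory = null;
        Iterator keyInfos = authority.getKeyInfos();
        while (keyInfos.hasNext()) {
            KeyInfo keyInfo = (KeyInfo) keyInfos.next();
            if (!keyInfo.containsX509Data()) {
                continue;
            }
            for (int i = 0; i < keyInfo.lengthX509Data(); i++) {
                try {
                    X509Data data = keyInfo.itemX509Data(i);
                    if (data.containsCertificate()) {
                        for (int j = 0; j < data.lengthCertificate(); j++) {
                            anchors.add(new TrustAnchor(data.itemCertificate(j).getX509Certificate(), null));
                        }
                    }
                    if (data.containsCRL()) {
                        for (int j = 0; j < data.lengthCRL(); j++) {
                            try {
                                if (factory == null) {
                                    factory = CertificateFactory.getInstance("X.509");
                                }
                                byte[] encoded = data.itemCRL(j).getCRLBytes();
                                X509CRL crl = (X509CRL) factory.generateCRL(new ByteArrayInputStream(encoded));
                                Set revoked = crl.getRevokedCertificates();
                                if (revoked != null && !revoked.isEmpty()) {
                                    crls.add(crl);
                                }
                            } catch (GeneralSecurityException e) {
                                log.error(new StringBuffer("Encountered an error parsing CRL from shibboleth metadata: ").append(e).toString());
                            }
                        }
                    }
                } catch (XMLSecurityException e) {
                    log.error(new StringBuffer("Encountered an error constructing trust list from shibboleth metadata: ").append(e).toString());
                }
            }
        }
    }

    /**
     * Matches a metadata KeyName against {@code cert}: as a full subject DN
     * (RFC 2253 normalised), as a dNSName or URI SubjectAltName value, or as
     * the subject's commonName.
     *
     * @return {@code true} if any of the three forms matches
     */
    private static boolean matchKeyName(X509Certificate cert, KeyName keyName) {
        String name = keyName == null ? null : keyName.getKeyName();
        if (name == null) {
            return false;
        }
        try {
            String subject = cert.getSubjectX500Principal().getName("RFC2253");
            if (subject.equals(new X500Principal(name).getName("RFC2253"))) {
                log.debug("Matched against DN.");
                return true;
            }
        } catch (IllegalArgumentException notADn) {
            // KeyName is not a distinguished name; fall through to the other forms.
        }
        try {
            Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
            if (altNames != null) {
                for (List<?> altName : altNames) {
                    Object tag = altName.get(0);
                    // Compare the name *value* (index 1), not the tag: the original
                    // compared the tag against the KeyName and could never match.
                    if ((SAN_DNS_NAME.equals(tag) || SAN_URI.equals(tag)) && name.equals(altName.get(1))) {
                        log.debug("Matched against SubjectAltName.");
                        return true;
                    }
                }
            }
        } catch (CertificateParsingException e) {
            log.error(new StringBuffer("Encountered an problem trying to extract Subject Alternate Name from supplied certificate: ").append(e).toString());
        }
        // getHostNameFromDN returns null when there is no CN; compare null-safely.
        if (name.equals(getHostNameFromDN(cert.getSubjectX500Principal()))) {
            log.debug("Matched against hostname.");
            return true;
        }
        return false;
    }

    /**
     * Lists the names this engine would match a certificate by: the RFC 2253
     * subject DN, every dNSName and URI SubjectAltName, and the subject's
     * commonName (omitted when the subject has none).
     */
    public static String[] getCredentialNames(X509Certificate cert) {
        List<String> names = new ArrayList<String>();
        names.add(cert.getSubjectX500Principal().getName("RFC2253"));
        try {
            Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
            if (altNames != null) {
                for (List<?> altName : altNames) {
                    Object tag = altName.get(0);
                    if (SAN_DNS_NAME.equals(tag) || SAN_URI.equals(tag)) {
                        names.add(String.valueOf(altName.get(1)));
                    }
                }
            }
        } catch (CertificateParsingException e) {
            log.error(new StringBuffer("Encountered an problem trying to extract Subject Alternate Name from supplied certificate: ").append(e).toString());
        }
        String host = getHostNameFromDN(cert.getSubjectX500Principal());
        if (host != null) {
            names.add(host);
        }
        return names.toArray(new String[names.size()]);
    }

    /**
     * Checks whether {@code cert} names the entity: either a URI
     * SubjectAltName equal to {@code entityId}, or a subject commonName equal
     * to it.
     */
    private static boolean matchProviderId(X509Certificate cert, String entityId) {
        if (entityId == null) {
            return false;
        }
        try {
            Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
            if (altNames != null) {
                for (List<?> altName : altNames) {
                    if (SAN_URI.equals(altName.get(0)) && entityId.equals(altName.get(1))) {
                        log.debug("Entity ID matched against SubjectAltName.");
                        return true;
                    }
                }
            }
        } catch (CertificateParsingException e) {
            log.error(new StringBuffer("Encountered an problem trying to extract Subject Alternate Name from supplied certificate: ").append(e).toString());
        }
        if (entityId.equals(getHostNameFromDN(cert.getSubjectX500Principal()))) {
            log.debug("Entity ID matched against hostname.");
            return true;
        }
        return false;
    }

    /**
     * Extracts the commonName from an X.500 principal by walking its DER
     * encoding. When the DN has several CN attributes, the last one in
     * encoding order is returned (as in the original).
     *
     * @return the CN string, or {@code null} when there is none or the
     *         encoding cannot be parsed
     */
    public static String getHostNameFromDN(X500Principal principal) {
        if (principal == null) {
            return null;
        }
        ASN1InputStream in = new ASN1InputStream(principal.getEncoded());
        try {
            DERObject name = in.readObject();
            if (!(name instanceof DERSequence)) {
                log.error("Unable to extract host name name from certificate subject DN: incorrect ASN.1 encoding.");
                return null;
            }
            DERSequence rdns = (DERSequence) name;
            String commonName = null;
            for (int i = 0; i < rdns.size(); i++) {
                DERObject rdn = rdns.getObjectAt(i).getDERObject();
                if (!(rdn instanceof DERSet)) {
                    log.debug("No DN components.");
                    continue;
                }
                DERSet attributes = (DERSet) rdn;
                for (int j = 0; j < attributes.size(); j++) {
                    DERObject attribute = attributes.getObjectAt(j).getDERObject();
                    if (!(attribute instanceof DERSequence)) {
                        continue;
                    }
                    DERSequence typeAndValue = (DERSequence) attribute;
                    if (typeAndValue.size() < 2) {
                        continue;
                    }
                    DERObject type = typeAndValue.getObjectAt(0).getDERObject();
                    DERObject value = typeAndValue.getObjectAt(1).getDERObject();
                    if (type instanceof DERObjectIdentifier
                            && CN_OID.equals(((DERObjectIdentifier) type).getId())
                            && value instanceof DERString) {
                        commonName = ((DERString) value).getString();
                    }
                }
            }
            return commonName;
        } catch (IOException e) {
            log.error(new StringBuffer("Unable to extract host name name from certificate subject DN: ASN.1 parsing failed: ").append(e).toString());
            return null;
        } finally {
            // Close on every path; the original only closed on success.
            try {
                in.close();
            } catch (IOException ignored) {
                // nothing useful to do with a failed close of an in-memory stream
            }
        }
    }

    /** No configuration is read; this engine is driven entirely by metadata. */
    public void initialize(Node node) throws XmlException, ShibbolethConfigurationException {
    }

    /** No configuration is read; this engine is driven entirely by metadata. */
    @Override // edu.internet2.middleware.shibboleth.common.PluggableConfigurationComponent
    public void initialize(Element element) throws SAMLException, ShibbolethConfigurationException {
    }
}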
