package org.opensaml.security.httpclient.impl;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import net.shibboleth.utilities.java.support.httpclient.HttpClientSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.DeprecationSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.http.HttpHost;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.protocol.HttpContext;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.httpclient.HttpClientSecurityConstants;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.TrustedNamesCriterion;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.tls.impl.ThreadLocalX509CredentialContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/opensaml-security-impl-3.4.5.jar:org/opensaml/security/httpclient/impl/SecurityEnhancedTLSSocketFactory.class */
public class SecurityEnhancedTLSSocketFactory implements LayeredConnectionSocketFactory {
    private static final ThreadLocalClientTLSCredentialHandler CLIENT_TLS_HANDLER = new ThreadLocalClientTLSCredentialHandler();
    private final Logger log;

    @Nonnull
    private LayeredConnectionSocketFactory wrappedFactory;

    @Nullable
    private X509HostnameVerifier hostnameVerifier;
    private boolean engineRequired;

    public SecurityEnhancedTLSSocketFactory(@Nonnull LayeredConnectionSocketFactory layeredConnectionSocketFactory, boolean z) {
        this(layeredConnectionSocketFactory, null, z);
    }

    public SecurityEnhancedTLSSocketFactory(@Nonnull LayeredConnectionSocketFactory layeredConnectionSocketFactory) {
        this(layeredConnectionSocketFactory, null, true);
    }

    public SecurityEnhancedTLSSocketFactory(@Nonnull LayeredConnectionSocketFactory layeredConnectionSocketFactory, @Nullable X509HostnameVerifier x509HostnameVerifier) {
        this(layeredConnectionSocketFactory, x509HostnameVerifier, true);
    }

    public SecurityEnhancedTLSSocketFactory(@Nonnull LayeredConnectionSocketFactory layeredConnectionSocketFactory, @Nullable X509HostnameVerifier x509HostnameVerifier, boolean z) {
        this.log = LoggerFactory.getLogger((Class<?>) SecurityEnhancedTLSSocketFactory.class);
        this.engineRequired = true;
        this.wrappedFactory = (LayeredConnectionSocketFactory) Constraint.isNotNull(layeredConnectionSocketFactory, "Socket factory was null");
        this.hostnameVerifier = x509HostnameVerifier;
        this.engineRequired = z;
    }

    public boolean isTrustEngineRequired() {
        return this.engineRequired;
    }

    public Socket createSocket(HttpContext httpContext) throws IOException {
        this.log.trace("In createSocket");
        return this.wrappedFactory.createSocket(httpContext);
    }

    public Socket connectSocket(int i, Socket socket, HttpHost httpHost, InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, HttpContext httpContext) throws IOException {
        this.log.trace("In connectSocket");
        try {
            setup(httpContext);
            Socket connectSocket = this.wrappedFactory.connectSocket(i, socket, httpHost, inetSocketAddress, inetSocketAddress2, httpContext);
            performTrustEval(connectSocket, httpHost.getHostName(), httpContext);
            performHostnameVerification(connectSocket, httpHost.getHostName(), httpContext);
            teardown(httpContext);
            return connectSocket;
        } catch (Throwable th) {
            teardown(httpContext);
            throw th;
        }
    }

    public Socket createLayeredSocket(Socket socket, String str, int i, HttpContext httpContext) throws IOException {
        this.log.trace("In createLayeredSocket");
        try {
            setup(httpContext);
            Socket createLayeredSocket = this.wrappedFactory.createLayeredSocket(socket, str, i, httpContext);
            performTrustEval(createLayeredSocket, str, httpContext);
            performHostnameVerification(createLayeredSocket, str, httpContext);
            teardown(httpContext);
            return createLayeredSocket;
        } catch (Throwable th) {
            teardown(httpContext);
            throw th;
        }
    }

    @Deprecated
    protected void performTrustEval(@Nonnull Socket socket, @Nonnull HttpContext httpContext) throws IOException {
        DeprecationSupport.warn(DeprecationSupport.ObjectType.METHOD, getClass().getName() + ".performTrustEval(Socket, HttpContext)", null, null);
        performTrustEval(socket, null, httpContext);
    }

    protected void performTrustEval(@Nonnull Socket socket, @Nullable String str, @Nonnull HttpContext httpContext) throws IOException {
        if (!(socket instanceof SSLSocket)) {
            this.log.debug("Socket was not an instance of SSLSocket, skipping trust eval");
            return;
        }
        SSLSocket sSLSocket = (SSLSocket) socket;
        this.log.debug("Attempting to evaluate server TLS credential against supplied TrustEngine and CriteriaSet");
        TrustEngine trustEngine = (TrustEngine) httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE);
        if (trustEngine == null) {
            if (isTrustEngineRequired()) {
                this.log.warn("The required trust engine was not supplied by the caller, failing socket TLS creation");
                throw new SSLPeerUnverifiedException("The required trust engine was not supplied by the caller");
            }
            this.log.debug("No trust engine supplied by caller, skipping trust eval");
            return;
        }
        this.log.trace("Saw trust engine of type: {}", trustEngine.getClass().getName());
        CriteriaSet criteriaSet = (CriteriaSet) httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_CRITERIA_SET);
        if (criteriaSet == null) {
            this.log.debug("No criteria set supplied by caller, building new criteria set with signing and trusted names criteria");
            criteriaSet = new CriteriaSet(new UsageCriterion(UsageType.SIGNING));
            if (str != null) {
                criteriaSet.add(new TrustedNamesCriterion(Collections.singleton(str)));
            }
        } else {
            this.log.trace("Saw CriteriaSet: {}", criteriaSet);
        }
        try {
            if (trustEngine.validate(extractCredential(sSLSocket), criteriaSet)) {
                this.log.debug("Credential evaluated as trusted");
                httpContext.setAttribute(HttpClientSecurityConstants.CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED, Boolean.TRUE);
            } else {
                httpContext.setAttribute(HttpClientSecurityConstants.CONTEXT_KEY_SERVER_TLS_CREDENTIAL_TRUSTED, Boolean.FALSE);
                Boolean bool = (Boolean) httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_SERVER_TLS_FAILURE_IS_FATAL);
                if (bool == null || bool.booleanValue()) {
                    this.log.debug("Credential evaluated as untrusted, failure indicated as fatal");
                    throw new SSLPeerUnverifiedException("Trust engine could not establish trust of server TLS credential");
                }
                this.log.debug("Credential evaluated as untrusted, failure indicated as non-fatal");
            }
        } catch (SecurityException e) {
            this.log.error("Trust engine error evaluating credential", (Throwable) e);
            throw new IOException("Trust engine error evaluating credential", e);
        }
    }

    @Nonnull
    protected X509Credential extractCredential(@Nonnull SSLSocket sSLSocket) throws IOException {
        Certificate[] peerCertificates = sSLSocket.getSession().getPeerCertificates();
        if (peerCertificates == null || peerCertificates.length < 1) {
            throw new SSLPeerUnverifiedException("SSLSession peer certificates array was null or empty");
        }
        ArrayList arrayList = new ArrayList();
        for (Certificate certificate : peerCertificates) {
            arrayList.add((X509Certificate) certificate);
        }
        BasicX509Credential basicX509Credential = new BasicX509Credential((X509Certificate) arrayList.get(0));
        basicX509Credential.setEntityCertificateChain(arrayList);
        return basicX509Credential;
    }

    protected void performHostnameVerification(Socket socket, String str, HttpContext httpContext) throws IOException {
        if (this.hostnameVerifier == null || !(socket instanceof SSLSocket)) {
            return;
        }
        this.hostnameVerifier.verify(str, (SSLSocket) socket);
    }

    protected void setup(@Nullable HttpContext httpContext) {
        this.log.trace("Attempting to setup thread-local client TLS X509Credential");
        if (httpContext == null) {
            this.log.trace("HttpContext was null, skipping thread-local setup");
            return;
        }
        X509Credential x509Credential = (X509Credential) httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_CLIENT_TLS_CREDENTIAL);
        if (x509Credential == null) {
            this.log.trace("HttpContext did not contain a client TLS credential, nothing to do");
            return;
        }
        this.log.trace("Loading ThreadLocalX509CredentialContext with client TLS credential: {}", x509Credential);
        if (ThreadLocalX509CredentialContext.haveCurrent()) {
            this.log.trace("ThreadLocalX509CredentialContext was already loaded with client TLS credential, will be overwritten with credential from HttpContext");
        }
        ThreadLocalX509CredentialContext.loadCurrent(x509Credential);
    }

    protected void teardown(@Nullable HttpContext httpContext) {
        if (ThreadLocalX509CredentialContext.haveCurrent()) {
            this.log.trace("Scheduling deferred clearing of thread-local client TLS X509Credential");
            HttpClientSupport.addDynamicContextHandlerLast(HttpClientContext.adapt(httpContext), CLIENT_TLS_HANDLER);
        }
    }
}
