package org.opensaml.xmlsec.signature.support.impl;

import com.google.common.base.Strings;
import java.util.Iterator;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.annotation.ParameterName;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.KeyAlgorithmCriterion;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.trust.TrustedCredentialTrustEngine;
import org.opensaml.security.trust.impl.ExplicitKeyTrustEvaluator;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.crypto.XMLSigningUtil;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/opensaml-xmlsec-impl-3.4.5.jar:org/opensaml/xmlsec/signature/support/impl/ExplicitKeySignatureTrustEngine.class */
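/**
 * Signature trust engine that establishes trust through explicit possession of trusted keys.
 *
 * <p>Trusted credentials are obtained from the configured {@link CredentialResolver}. For a
 * {@link Signature}, the inherited {@code validate} step (which works from KeyInfo-derived
 * credentials) is tried first; if it does not succeed, each resolved trusted credential is used
 * directly to verify the signature. For raw signatures, an optional caller-supplied candidate
 * credential is tried first and, if it verifies, must additionally be found trusted by
 * {@link #evaluateTrust}; otherwise the trusted credentials are tried directly.</p>
 *
 * <p>Unless the caller's criteria already carry a {@link UsageCriterion}, a
 * {@link UsageType#SIGNING} usage criterion is added before resolving, and a
 * {@link KeyAlgorithmCriterion} derived from the signature algorithm URI replaces any existing
 * one, so that only credentials usable for verifying this signature are considered.</p>
 */
public class ExplicitKeySignatureTrustEngine extends BaseSignatureTrustEngine<Iterable<Credential>>
        implements TrustedCredentialTrustEngine<Signature> {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(ExplicitKeySignatureTrustEngine.class);

    /** Resolver used to obtain the trusted credentials. */
    private final CredentialResolver credentialResolver;

    /** Evaluator used to decide whether a candidate credential is one of the trusted credentials. */
    private final ExplicitKeyTrustEvaluator keyTrust;

    /**
     * Constructor.
     *
     * @param credentialResolver resolver used to obtain the trusted credentials; must not be null
     *            (rejected via {@code Constraint.isNotNull})
     * @param keyInfoCredentialResolver resolver handed to the base class for credentials derived from a
     *            signature's KeyInfo
     */
    public ExplicitKeySignatureTrustEngine(
            @Nonnull @ParameterName(name = "resolver") final CredentialResolver credentialResolver,
            @Nonnull @ParameterName(name = "keyInfoResolver") final KeyInfoCredentialResolver keyInfoCredentialResolver) {
        super(keyInfoCredentialResolver);
        this.credentialResolver = Constraint.isNotNull(credentialResolver, "Credential resolver cannot be null");
        this.keyTrust = new ExplicitKeyTrustEvaluator();
    }

    /** {@inheritDoc} */
    @Override
    @Nonnull
    public CredentialResolver getCredentialResolver() {
        return credentialResolver;
    }

    /**
     * Builds the criteria used to resolve the trusted credentials for one validation.
     *
     * @param callerCriteria criteria supplied by the caller, may be null
     * @param signatureAlgorithmURI signature algorithm URI from which the key algorithm is derived
     * @return a new criteria set holding the caller's criteria, a SIGNING usage criterion when the caller
     *         gave none, and a key algorithm criterion when one can be derived from the algorithm URI
     */
    @Nonnull
    private CriteriaSet buildResolutionCriteria(@Nullable final CriteriaSet callerCriteria,
            final String signatureAlgorithmURI) {
        final CriteriaSet criteria = new CriteriaSet();
        // The caller's criteria are optional; do not rely on addAll tolerating a null argument.
        if (callerCriteria != null) {
            criteria.addAll(callerCriteria);
        }
        if (!criteria.contains(UsageCriterion.class)) {
            criteria.add(new UsageCriterion(UsageType.SIGNING));
        }
        final String keyAlgorithm = AlgorithmSupport.getKeyAlgorithm(signatureAlgorithmURI);
        if (!Strings.isNullOrEmpty(keyAlgorithm)) {
            // 'true' replaces any key-algorithm criterion the caller supplied: the signature's own
            // algorithm determines which key type can verify it.
            criteria.add(new KeyAlgorithmCriterion(keyAlgorithm), true);
        }
        return criteria;
    }

    /**
     * Resolves the trusted credentials for the given criteria.
     *
     * @param resolutionCriteria criteria built by {@link #buildResolutionCriteria}
     * @return the resolved trusted credentials
     * @throws SecurityException wrapping any {@link ResolverException} raised by the resolver
     */
    @Nonnull
    private Iterable<Credential> resolveTrustedCredentials(@Nonnull final CriteriaSet resolutionCriteria)
            throws SecurityException {
        try {
            return getCredentialResolver().resolve(resolutionCriteria);
        } catch (final ResolverException e) {
            throw new SecurityException("Error resolving trusted credentials", e);
        }
    }

    /**
     * Validates an XML signature: first via the inherited KeyInfo-derived validation, then by trying each
     * resolved trusted credential directly.
     *
     * @param signature the signature to validate
     * @param criteriaSet caller criteria narrowing the trusted credentials, may be null
     * @return true if the signature verified and the verifying credential is trusted
     * @throws SecurityException if the trusted credentials cannot be resolved, or if the inherited
     *             validation or {@code verifySignature} fail fatally
     */
    @Override
    protected boolean doValidate(@Nonnull final Signature signature, @Nullable final CriteriaSet criteriaSet)
            throws SecurityException {
        final CriteriaSet resolutionCriteria =
                buildResolutionCriteria(criteriaSet, signature.getSignatureAlgorithm());
        final Iterable<Credential> trustedCredentials = resolveTrustedCredentials(resolutionCriteria);

        // First path: credentials derived from the signature's KeyInfo, evaluated against the trusted set.
        if (validate(signature, trustedCredentials)) {
            return true;
        }

        // Second path: try each trusted credential directly against the signature.
        log.debug("Attempting to verify signature using trusted credentials");
        for (final Credential trusted : trustedCredentials) {
            if (verifySignature(signature, trusted)) {
                log.debug("Successfully verified signature using resolved trusted credential");
                return true;
            }
        }
        log.debug("Failed to verify signature using either KeyInfo-derived or directly trusted credentials");
        return false;
    }

    /**
     * Validates a raw signature over content: first with the optional candidate credential (which must then be
     * found trusted), then by trying each resolved trusted credential directly.
     *
     * <p>A {@link SecurityException} from an individual verification attempt is logged at debug level and the
     * next credential is tried; only failure to resolve the trusted credentials is fatal.</p>
     *
     * @param signature the raw signature bytes
     * @param content the signed content
     * @param algorithmURI the signature algorithm URI
     * @param criteriaSet caller criteria narrowing the trusted credentials, may be null
     * @param candidateCredential optional credential the caller believes signed the content, may be null
     * @return true if the signature verified with a trusted credential
     * @throws SecurityException if the trusted credentials cannot be resolved
     */
    @Override
    protected boolean doValidate(@Nonnull final byte[] signature, @Nonnull final byte[] content,
            @Nonnull final String algorithmURI, @Nullable final CriteriaSet criteriaSet,
            @Nullable final Credential candidateCredential) throws SecurityException {
        final CriteriaSet resolutionCriteria = buildResolutionCriteria(criteriaSet, algorithmURI);
        final Iterable<Credential> trustedCredentials = resolveTrustedCredentials(resolutionCriteria);

        if (candidateCredential != null) {
            log.debug("Attempting to verify raw signature using supplied candidate credential");
            try {
                if (XMLSigningUtil.verifyWithURI(candidateCredential, algorithmURI, signature, content)) {
                    log.debug("Successfully verified signature using supplied candidate credential");
                    // A verifying candidate is not enough on its own: it must also be a trusted credential.
                    log.debug("Attempting to establish trust of supplied candidate credential");
                    if (evaluateTrust(candidateCredential, trustedCredentials)) {
                        log.debug("Successfully established trust of supplied candidate credential");
                        return true;
                    }
                    log.debug("Failed to establish trust of supplied candidate credential");
                }
            } catch (final SecurityException e) {
                log.debug("Saw fatal error attempting to verify raw signature with supplied candidate credential", e);
            }
        }

        log.debug("Attempting to verify signature using trusted credentials");
        for (final Credential trusted : trustedCredentials) {
            // The verification call sits inside the try so that a fatal error with one trusted credential is
            // logged and the remaining credentials are still tried, matching the candidate path above.
            try {
                if (XMLSigningUtil.verifyWithURI(trusted, algorithmURI, signature, content)) {
                    log.debug("Successfully verified signature using resolved trusted credential");
                    return true;
                }
            } catch (final SecurityException e) {
                log.debug("Saw fatal error attempting to verify raw signature with trusted credential", e);
            }
        }
        log.debug("Failed to verify signature using either supplied candidate credential or directly trusted credentials");
        return false;
    }

    /**
     * Evaluates whether the candidate credential is trusted, by delegating to the configured
     * {@link ExplicitKeyTrustEvaluator} with the resolved trusted credentials.
     *
     * @param credential the candidate credential
     * @param iterable the trusted credentials, may be null
     * @return true if the evaluator considers the candidate trusted
     * @throws SecurityException if the evaluator fails fatally
     */
    @Override
    public boolean evaluateTrust(@Nonnull final Credential credential, @Nullable final Iterable<Credential> iterable)
            throws SecurityException {
        return keyTrust.validate(credential, iterable);
    }
}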
