package org.opensaml.security.trust.impl;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.net.ssl.X509TrustManager;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/opensaml-security-impl-3.4.5.jar:org/opensaml/security/trust/impl/TrustEngineX509TrustManager.class */
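/**
 * An {@link X509TrustManager} that delegates the TLS peer trust decision to a configured
 * OpenSAML {@link TrustEngine}.
 *
 * <p>The manager fails closed: with no trust engine configured, or when the engine reports
 * an error, the check ends in a {@link CertificateException}.</p>
 *
 * <p>Security notes for integrators:</p>
 * <ul>
 *   <li>Only the presented certificate chain is evaluated. Neither the peer host name nor the
 *       {@code authType} argument is looked at here, so endpoint identity has to be enforced
 *       by whatever sits around this trust manager.</li>
 *   <li>When no criteria set is configured, the engine is queried with a
 *       {@link UsageCriterion} of {@link UsageType#SIGNING}.</li>
 *   <li>The two configuration fields are plain (non-volatile, unsynchronized) fields.
 *       NOTE(review): presumably they are meant to be set once, before the manager is handed
 *       to an SSL context - confirm with the caller.</li>
 * </ul>
 */
public class TrustEngineX509TrustManager implements X509TrustManager {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(TrustEngineX509TrustManager.class);

    /** Trust engine that makes the actual trust decision; {@code null} until configured. */
    @Nullable
    private TrustEngine<? super X509Credential> tlsTrustEngine;

    /** Optional criteria passed to the trust engine; {@code null} selects the built-in default. */
    @Nullable
    private CriteriaSet tlsCriteriaSet;

    /**
     * Sets the trust engine used to evaluate peer certificates.
     *
     * @param trustEngine the engine to use; {@code null} makes every later check fail
     */
    public void setTLSTrustEngine(@Nullable TrustEngine<? super X509Credential> trustEngine) {
        this.tlsTrustEngine = trustEngine;
    }

    /**
     * Sets the criteria handed to the trust engine on each evaluation.
     *
     * @param criteriaSet the criteria to use; {@code null} restores the default
     *        ({@link UsageType#SIGNING} usage criterion)
     */
    public void setTLSCriteriaSet(@Nullable CriteriaSet criteriaSet) {
        this.tlsCriteriaSet = criteriaSet;
    }

    /**
     * Evaluates a client certificate chain with exactly the same logic as
     * {@link #checkServerTrusted(X509Certificate[], String)}.
     *
     * @param x509CertificateArr the peer certificate chain, end-entity certificate first
     * @param str the authentication type; not used
     * @throws CertificateException if the chain is missing or not trusted
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkServerTrusted(x509CertificateArr, str);
    }

    /**
     * Evaluates the peer certificate chain against the configured trust engine.
     *
     * <p>The first array element is treated as the end-entity certificate and the whole array
     * is attached to the credential as its certificate chain.</p>
     *
     * @param x509CertificateArr the peer certificate chain, end-entity certificate first
     * @param str the authentication type; not used
     * @throws CertificateException if the chain is null, empty or contains a null entry, if no
     *         trust engine is configured, if the engine does not establish trust, or if the
     *         engine fails while evaluating
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length < 1) {
            throw new CertificateException("Peer certificate array was null or empty");
        }

        // Read each mutable field exactly once so that a setter call made between the null
        // check and the use cannot turn the check into a NullPointerException or swap the
        // engine/criteria halfway through an evaluation.
        final TrustEngine<? super X509Credential> engine = this.tlsTrustEngine;
        if (engine == null) {
            throw new CertificateException("TrustEngine was null");
        }
        final CriteriaSet configured = this.tlsCriteriaSet;
        final CriteriaSet criteria =
                configured != null ? configured : new CriteriaSet(new UsageCriterion(UsageType.SIGNING));

        final ArrayList<X509Certificate> chain = new ArrayList<X509Certificate>(x509CertificateArr.length);
        for (X509Certificate cert : x509CertificateArr) {
            // Reject malformed input with the declared exception type instead of letting a
            // null element travel into the credential and the trust engine.
            if (cert == null) {
                throw new CertificateException("Peer certificate array contained a null entry");
            }
            chain.add(cert);
        }

        final BasicX509Credential credential = new BasicX509Credential(x509CertificateArr[0]);
        credential.setEntityCertificateChain(chain);

        final boolean trusted;
        try {
            trusted = engine.validate(credential, criteria);
        } catch (SecurityException e) {
            // An engine failure is never treated as success: surface it as a certificate error.
            this.log.error("Trust engine error evaluating credential", e);
            throw new CertificateException("Trust engine error evaluating credential", e);
        }

        if (!trusted) {
            this.log.debug("Credential evaluated as untrusted");
            throw new CertificateException("Trust engine could not establish trust of TLS credential");
        }
        this.log.debug("Credential evaluated as trusted");
    }

    /**
     * Returns an empty array; the trust anchors known to the trust engine are not enumerated.
     *
     * <p>NOTE(review): a TLS server using this manager will presumably advertise no acceptable
     * CA names to clients when requesting a client certificate - confirm that this is
     * intended for the deployment.</p>
     *
     * @return a new zero-length array
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}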
