package org.opensaml.security.x509.tls.impl;

import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.annotation.Nonnull;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/opensaml-security-impl-4.2.0.jar:org/opensaml/security/x509/tls/impl/ThreadLocalX509TrustEngineSupport.class */
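public final class ThreadLocalX509TrustEngineSupport {

    /** Class logger. */
    private static final Logger LOG = LoggerFactory.getLogger(ThreadLocalX509TrustEngineSupport.class);

    /** Constructor: utility class, not instantiable. */
    private ThreadLocalX509TrustEngineSupport() {
    }

    /**
     * Evaluate the peer certificate chain of the supplied socket's session against the
     * {@code ThreadLocalX509TrustEngineContext} populated for the current thread.
     *
     * <p>The chain is converted to {@code X509Certificate[]} and delegated to
     * {@link #evaluate(X509Certificate[])}; a {@link CertificateException} raised there is
     * re-thrown as {@link SSLPeerUnverifiedException} with the original attached as cause.</p>
     *
     * @param sSLSocket the socket whose peer certificate chain is evaluated
     *
     * @throws SSLPeerUnverifiedException if the session's peer is unverified, if the chain
     *         contains a certificate that is not an {@link X509Certificate}, or if trust
     *         evaluation fails and the context marks failure as fatal
     * @throws IllegalArgumentException if the peer certificate chain is null or empty
     */
    public static void evaluate(@Nonnull final SSLSocket sSLSocket) throws SSLPeerUnverifiedException {
        // getPeerCertificates() itself throws SSLPeerUnverifiedException when the peer's
        // identity was not verified during the handshake; that propagates unchanged.
        final Certificate[] peerCertificates = sSLSocket.getSession().getPeerCertificates();
        if (peerCertificates == null || peerCertificates.length == 0) {
            throw new IllegalArgumentException("Certificate chain was null or empty");
        }

        final X509Certificate[] chain = new X509Certificate[peerCertificates.length];
        for (int i = 0; i < peerCertificates.length; i++) {
            final Certificate cert = peerCertificates[i];
            if (!(cert instanceof X509Certificate)) {
                throw new SSLPeerUnverifiedException("Certificate chain contained non-X509Certificate");
            }
            chain[i] = (X509Certificate) cert;
        }

        try {
            evaluate(chain);
        } catch (final CertificateException e) {
            // SSLPeerUnverifiedException offers only a (String) constructor, so the cause is
            // attached via initCause() rather than dropped; the message alone loses the
            // trust-engine detail needed to diagnose a rejected peer.
            final SSLPeerUnverifiedException wrapped = new SSLPeerUnverifiedException(e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Evaluate the supplied certificate chain against the {@code ThreadLocalX509TrustEngineContext}
     * populated for the current thread and record the outcome on that context via
     * {@code setTrusted(...)}.
     *
     * <p>Fail-closed semantics: if no context is populated for the current thread, a
     * {@link CertificateException} is thrown rather than treating the chain as trusted.
     * If evaluation yields "untrusted", the context's {@code isFailureFatal()} flag decides
     * whether an exception is thrown or the caller is expected to consult
     * {@code ThreadLocalX509TrustEngineContext} for the recorded result.</p>
     *
     * @param x509CertificateArr the certificate chain to evaluate; element 0 is treated as the
     *        entity (end-entity) certificate
     *
     * @throws CertificateException if the thread-local context is not populated, or if the
     *         chain is evaluated as untrusted and failure is flagged as fatal
     * @throws IllegalArgumentException if the chain is null or empty
     */
    public static void evaluate(@Nonnull final X509Certificate[] x509CertificateArr) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Certificate chain was null or empty");
        }

        if (!ThreadLocalX509TrustEngineContext.haveCurrent()) {
            throw new CertificateException("Trust of X509Certificate could not be established, ThreadLocalX509TrustEngineContext is not populated");
        }

        LOG.trace("Evaluating X509Certificate[] chain against ThreadLocalX509TrustEngineContext");

        final boolean trusted = performTrustEval(x509CertificateArr,
                ThreadLocalX509TrustEngineContext.getTrustEngine(),
                ThreadLocalX509TrustEngineContext.getCriteria());

        if (trusted) {
            ThreadLocalX509TrustEngineContext.setTrusted(true);
            return;
        }

        // Record the negative result before deciding whether to throw, so a non-fatal caller
        // can still observe it on the context.
        ThreadLocalX509TrustEngineContext.setTrusted(false);

        // NOTE(review): isFailureFatal() appears to return a boxed Boolean; a null value would
        // NPE here rather than be treated as non-fatal — confirm against the context class.
        if (ThreadLocalX509TrustEngineContext.isFailureFatal().booleanValue()) {
            LOG.debug("Credential evaluated as untrusted, failure indicated as fatal");
            throw new CertificateException("Trust engine could not establish trust of presented TLS credential");
        }

        LOG.debug("Credential evaluated as untrusted, failure indicated as non-fatal");
    }

    /**
     * Run the trust engine over the credential built from the supplied chain.
     *
     * <p>Any {@link Throwable} raised by the trust engine is logged at error level and
     * reported as "untrusted" (fail closed) rather than propagated, so an engine fault can
     * never be mistaken for a successful validation.</p>
     *
     * @param x509CertificateArr the certificate chain to evaluate
     * @param trustEngine the trust engine to use
     * @param criteriaSet the criteria passed to the trust engine
     *
     * @return true if the trust engine validated the credential, false otherwise (including
     *         when the engine threw)
     *
     * @throws CertificateException if a credential could not be built from the chain
     */
    private static boolean performTrustEval(@Nonnull final X509Certificate[] x509CertificateArr,
            @Nonnull final TrustEngine<? super X509Credential> trustEngine,
            @Nonnull final CriteriaSet criteriaSet) throws CertificateException {

        LOG.debug("Attempting to evaluate server TLS credential against supplied TrustEngine and CriteriaSet");

        final X509Credential credential = extractCredential(x509CertificateArr);

        LOG.trace("Saw trust engine of type: {}", trustEngine.getClass().getName());

        try {
            if (trustEngine.validate(credential, criteriaSet)) {
                LOG.debug("Credential evaluated as trusted");
                return true;
            }
            LOG.debug("Credential evaluated as untrusted");
            return false;
        } catch (final Throwable th) {
            // Deliberately broad: a failing trust engine must yield "untrusted", not an
            // unhandled exception that a caller might misinterpret. The throwable is logged
            // in full so the fault remains diagnosable.
            LOG.error("Fatal trust engine error evaluating credential", th);
            return false;
        }
    }

    /**
     * Build an {@link X509Credential} from the supplied chain, using element 0 as the entity
     * certificate and the whole array as the entity certificate chain.
     *
     * @param x509CertificateArr the non-empty certificate chain
     *
     * @return the credential wrapping the chain
     *
     * @throws CertificateException if the credential could not be constructed
     */
    @Nonnull
    private static X509Credential extractCredential(@NotEmpty @Nonnull final X509Certificate[] x509CertificateArr)
            throws CertificateException {
        // Fixed-size view backed by the caller's array (Arrays.asList); the credential is
        // assumed to copy it rather than retain the view — confirm against BasicX509Credential.
        final List<X509Certificate> chain = Arrays.asList(x509CertificateArr);
        final BasicX509Credential credential = new BasicX509Credential(chain.get(0));
        credential.setEntityCertificateChain(chain);
        return credential;
    }

}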
