package se.litsec.eidas.opensaml.metadata;

import com.google.common.collect.ImmutableList;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.impl.AbstractCredentialResolver;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:se/litsec/eidas/opensaml/metadata/MetadataServiceListSignatureValidator.class */
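/**
 * Verifies the XML signature on a {@link MetadataServiceList} against one explicitly
 * trusted X.509 certificate.
 *
 * <p>Two checks are applied, in this order:
 * <ol>
 *   <li>Profile pre-validation by {@link SAMLSignatureProfileValidator}, which rejects
 *       signatures whose structure deviates from the SAML enveloped-signature profile.
 *       This runs before any cryptography and is the first line of defence against
 *       signature-wrapping style attacks.</li>
 *   <li>Cryptographic verification by an {@link ExplicitKeySignatureTrustEngine} whose
 *       only trusted credential is the certificate passed by the caller. Credentials
 *       advertised inside the signature's own {@code KeyInfo} are therefore never trusted
 *       by themselves; they must match the supplied certificate.</li>
 * </ol>
 *
 * <p>NOTE(review): explicit-key trust compares signing keys only. Certificate validity
 * (expiry, revocation, chain building) is not evaluated here, so the caller must obtain
 * the certificate from a trustworthy, already-vetted source.
 *
 * <p>Instances hold no mutable state after construction and may be reused.
 */
public class MetadataServiceListSignatureValidator {

    private static final Logger log = LoggerFactory.getLogger(MetadataServiceListSignatureValidator.class);

    /** Structural (profile) check executed before any cryptographic work. */
    private final SignaturePrevalidator signatureProfileValidator = new SAMLSignatureProfileValidator();

    /**
     * Trust engine anchored solely in the certificate handed to
     * {@link #validateSignature(MetadataServiceList, X509Certificate)}; the inline
     * KeyInfo resolver only extracts the signer's advertised key for comparison.
     */
    private final SignatureTrustEngine signatureTrustEngine = new ExplicitKeySignatureTrustEngine(
        new StaticCertificateResolver(),
        DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());

    /**
     * Credential resolver that yields exactly the certificates carried in
     * {@link X509CertificateCriterion} instances of the criteria set and nothing else.
     * With no matching criterion the resolver yields no credential, so the trust
     * engine fails closed.
     */
    private static class StaticCertificateResolver extends AbstractCredentialResolver {

        private StaticCertificateResolver() {
        }

        /**
         * Collects the credentials from every {@link X509CertificateCriterion} in the set.
         *
         * @param criteriaSet criteria supplied by the trust engine; may be {@code null}
         * @return an immutable, possibly empty, list of trusted credentials
         * @throws ResolverException never thrown by this implementation
         */
        @Override
        public Iterable<Credential> resolve(CriteriaSet criteriaSet) throws ResolverException {
            if (criteriaSet == null) {
                // No criteria means nothing to trust — fail closed rather than NPE.
                return ImmutableList.of();
            }
            List<Credential> trusted = new ArrayList<>();
            for (Criterion criterion : criteriaSet) {
                if (criterion instanceof X509CertificateCriterion) {
                    trusted.add(((X509CertificateCriterion) criterion).getCertificate());
                }
            }
            return ImmutableList.copyOf(trusted);
        }
    }

    /** Criterion carrying the single certificate that is trusted for this validation. */
    public static class X509CertificateCriterion implements Criterion {

        private final X509Credential certificate;

        /**
         * @param x509Certificate the trusted certificate; must not be {@code null}
         */
        public X509CertificateCriterion(X509Certificate x509Certificate) {
            this.certificate = new BasicX509Credential(x509Certificate);
        }

        /** @return the trusted certificate wrapped as an OpenSAML credential */
        public X509Credential getCertificate() {
            return this.certificate;
        }
    }

    /**
     * Validates the signature of {@code metadataServiceList} using {@code x509Certificate}
     * as the only trusted signing certificate.
     *
     * @param metadataServiceList the signed list; must not be {@code null}
     * @param x509Certificate the certificate whose key must have produced the signature
     * @throws SignatureException if the list is unsigned, the signature fails profile
     *     pre-validation, the signing key does not match the supplied certificate, or the
     *     trust engine raised a {@link SecurityException} (wrapped as the cause)
     * @throws NullPointerException if either argument is {@code null}
     */
    public void validateSignature(MetadataServiceList metadataServiceList, X509Certificate x509Certificate) throws SignatureException {
        Objects.requireNonNull(metadataServiceList, "metadataServiceList");
        Objects.requireNonNull(x509Certificate, "x509Certificate");

        Signature signature = metadataServiceList.getSignature();
        if (signature == null) {
            log.warn("Metadata service list is not signed");
            throw new SignatureException("Metadata service list has no signature");
        }

        // Step 1: structural profile check. Only this call is wrapped here, so a
        // failure later in the trust check is no longer mislabelled (and double-logged)
        // as a pre-validation failure.
        try {
            this.signatureProfileValidator.validate(signature);
        } catch (SignatureException e) {
            log.warn("Signature failed pre-validation: " + e.getMessage());
            throw e;
        }

        // Step 2: cryptographic verification against the one explicitly trusted certificate.
        final boolean trusted;
        try {
            trusted = this.signatureTrustEngine.validate(signature,
                new CriteriaSet(new X509CertificateCriterion(x509Certificate)));
        } catch (SecurityException e) {
            String msg = String.format("A problem was encountered evaluating the signature: %s", e.getMessage());
            log.warn(msg);
            throw new SignatureException(msg, e);
        }

        if (!trusted) {
            log.warn("Signature validation failed");
            throw new SignatureException("Signature validation failed");
        }
        log.debug("Signature on MetadataServiceList successfully verified");
    }
}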
