package se.litsec.opensaml.saml2.metadata.provider;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509CRL;
import java.util.Collection;
import java.util.Collections;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.httpclient.HttpClientSupport;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.apache.commons.lang.Validate;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.StrictHostnameVerifier;
import org.apache.http.impl.client.HttpClientBuilder;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
import org.opensaml.saml.metadata.resolver.impl.FileBackedHTTPMetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver;
import org.opensaml.security.httpclient.HttpClientSecurityParameters;
import org.opensaml.security.httpclient.impl.SecurityEnhancedTLSSocketFactory;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator;
import org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;
import org.opensaml.security.x509.impl.X509CredentialNameEvaluator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.litsec.opensaml.utils.KeyStoreUtils;

/* loaded from: input_file:se/litsec/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class */
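/**
 * Metadata provider that downloads SAML metadata from an HTTP(S) URL through an OpenSAML
 * {@link HTTPMetadataResolver}, or a {@link FileBackedHTTPMetadataResolver} when a backup file
 * path is supplied.
 *
 * <p>TLS server trust is deliberately not handled by the default {@link HttpClient}: it is built
 * on {@code HttpClientSupport.buildNoTrustTLSSocketFactory()} wrapped in a
 * {@link SecurityEnhancedTLSSocketFactory}, so server certificate evaluation is driven by the
 * {@link TrustEngine} carried in the {@link HttpClientSecurityParameters} handed to the resolver.
 * When no parameters are supplied, a PKIX trust engine is built from the system trust store and a
 * {@link StrictHostnameVerifier} is installed. Callers supplying their own parameters are
 * responsible for configuring a TLS trust engine; a missing engine is logged as a warning.</p>
 */
public class HTTPMetadataProvider extends AbstractMetadataProvider {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(HTTPMetadataProvider.class);

    /** Underlying OpenSAML resolver; fully configured in {@link #createMetadataResolver}. */
    private final HTTPMetadataResolver metadataResolver;

    /** TLS trust engine / hostname verifier settings applied to the resolver when it is created. */
    private final HttpClientSecurityParameters tlsSecurityParameters;

    /**
     * Creates a provider using the default HTTP client and TLS settings derived from the system
     * trust store.
     *
     * @param metadataUrl the URL to download metadata from; must not be empty
     * @param backupFile optional path to a file in which downloaded metadata is persisted; may be
     *        {@code null}, in which case no file-backed caching is used
     * @throws ResolverException if the resolver cannot be created or the system trust store cannot
     *         be loaded
     */
    public HTTPMetadataProvider(String metadataUrl, String backupFile) throws ResolverException {
        this(metadataUrl, backupFile, createDefaultHttpClient(), null);
    }

    /**
     * Creates a provider using the default HTTP client and caller-supplied TLS security parameters.
     *
     * <p>The default client's socket factory performs no trust evaluation of its own, so server
     * certificate validation relies on the TLS trust engine configured in
     * {@code httpClientSecurityParameters}. A warning is logged if none is set.</p>
     *
     * @param metadataUrl the URL to download metadata from; must not be empty
     * @param backupFile optional path to a file in which downloaded metadata is persisted; may be
     *        {@code null}
     * @param httpClientSecurityParameters TLS settings for the connection; {@code null} falls back
     *        to a PKIX trust engine built from the system trust store
     * @throws ResolverException if the resolver cannot be created or the system trust store cannot
     *         be loaded
     */
    public HTTPMetadataProvider(String metadataUrl, String backupFile,
            HttpClientSecurityParameters httpClientSecurityParameters) throws ResolverException {
        this(metadataUrl, backupFile, createDefaultHttpClient(), httpClientSecurityParameters);
        // Only meaningful for the default client: its socket factory is the "no trust" one, so
        // without a trust engine in the parameters nothing evaluates the server certificate chain.
        if (httpClientSecurityParameters != null && httpClientSecurityParameters.getTLSTrustEngine() == null) {
            log.warn("No TLS trust engine configured for metadata URL '{}' - "
                + "the default HTTP client performs no server certificate trust evaluation without one", metadataUrl);
        }
    }

    /**
     * Creates a provider with a caller-supplied HTTP client and TLS security parameters.
     *
     * @param metadataUrl the URL to download metadata from; must not be empty
     * @param backupFile optional path to a file in which downloaded metadata is persisted; may be
     *        {@code null}
     * @param httpClient the HTTP client used to fetch metadata; must not be {@code null}
     * @param httpClientSecurityParameters TLS settings for the connection; {@code null} falls back
     *        to a PKIX trust engine built from the system trust store
     * @throws ResolverException if the resolver cannot be created or the system trust store cannot
     *         be loaded
     * @throws IllegalArgumentException if {@code metadataUrl} is empty or {@code httpClient} is
     *         {@code null}
     */
    public HTTPMetadataProvider(String metadataUrl, String backupFile, HttpClient httpClient,
            HttpClientSecurityParameters httpClientSecurityParameters) throws ResolverException {
        Validate.notEmpty(metadataUrl, "metadataUrl must be set");
        Validate.notNull(httpClient, "httpClient must not be null");
        this.metadataResolver = backupFile != null
            ? new FileBackedHTTPMetadataResolver(httpClient, metadataUrl, backupFile)
            : new HTTPMetadataResolver(httpClient, metadataUrl);
        this.tlsSecurityParameters = httpClientSecurityParameters != null
            ? httpClientSecurityParameters
            : createDefaultTlsSecurityParameters();
    }

    /**
     * Builds TLS security parameters from the system trust store: a PKIX trust engine over the
     * store's certificate entries plus strict hostname verification.
     *
     * @return the populated parameters
     * @throws ResolverException if the system trust store cannot be loaded or read
     */
    private static HttpClientSecurityParameters createDefaultTlsSecurityParameters() throws ResolverException {
        log.info("Loading TLS trust store from system properties ...");
        try {
            KeyStore trustStore = KeyStoreUtils.loadSystemTrustStore();
            HttpClientSecurityParameters params = new HttpClientSecurityParameters();
            params.setTLSTrustEngine(createTlsTrustEngine(trustStore));
            params.setHostnameVerifier(new StrictHostnameVerifier());
            return params;
        } catch (KeyStoreException e) {
            log.error("Failed to load system trust store", e);
            throw new ResolverException("Failed to load system trust store", e);
        }
    }

    /**
     * Builds the default {@link HttpClient}: honours the JVM's system properties and uses a TLS
     * socket factory that delegates server trust evaluation to the
     * {@link HttpClientSecurityParameters} passed to the resolver instead of the JVM default trust
     * store.
     *
     * @return a new HTTP client
     */
    public static HttpClient createDefaultHttpClient() {
        return HttpClientBuilder.create()
            .useSystemProperties()
            .setSSLSocketFactory(new SecurityEnhancedTLSSocketFactory(HttpClientSupport.buildNoTrustTLSSocketFactory()))
            .build();
    }

    /**
     * Returns the metadata URL, which doubles as this provider's ID.
     *
     * @return the metadata URL
     */
    @Override
    public String getID() {
        return this.metadataResolver.getMetadataURI();
    }

    /** {@inheritDoc} */
    @Override
    public MetadataResolver getMetadataResolver() {
        return this.metadataResolver;
    }

    /**
     * Configures the underlying resolver: ID (the metadata URL), validity/fail-fast flags, the
     * registry's parser pool, the metadata filter and the TLS security parameters.
     *
     * @param requireValidMetadata whether only valid (non-expired) metadata is accepted
     * @param failFastInitialization whether initialization fails on the first download error
     * @param metadataFilter filter applied to downloaded metadata (may be {@code null})
     * @throws ResolverException if the resolver rejects the configuration
     */
    @Override
    protected void createMetadataResolver(boolean requireValidMetadata, boolean failFastInitialization,
            MetadataFilter metadataFilter) throws ResolverException {
        this.metadataResolver.setId(getID());
        this.metadataResolver.setFailFastInitialization(failFastInitialization);
        this.metadataResolver.setRequireValidMetadata(requireValidMetadata);
        this.metadataResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
        this.metadataResolver.setMetadataFilter(metadataFilter);
        this.metadataResolver.setHttpClientSecurityParameters(this.tlsSecurityParameters);
    }

    /**
     * Creates a PKIX trust engine whose trust anchors are the certificate entries of the given key
     * store. No CRLs are supplied, no trusted-name set is configured and no certificate-name
     * evaluation is performed.
     *
     * @param keyStore the trust store whose certificate entries become trust anchors
     * @return a PKIX trust engine for X.509 credentials
     * @throws KeyStoreException if the key store's entries cannot be read
     */
    public static TrustEngine<? super X509Credential> createTlsTrustEngine(KeyStore keyStore) throws KeyStoreException {
        BasicPKIXValidationInformation validationInfo = new BasicPKIXValidationInformation(
            KeyStoreUtils.getCertificateEntries(keyStore), (Collection<X509CRL>) null, (Integer) null);
        StaticPKIXValidationInformationResolver infoResolver = new StaticPKIXValidationInformationResolver(
            Collections.singletonList(validationInfo), Collections.emptySet());
        return new PKIXX509CredentialTrustEngine(infoResolver, new CertPathPKIXTrustEvaluator(),
            (X509CredentialNameEvaluator) null);
    }

    /**
     * Initializes the underlying resolver, which triggers the initial metadata download.
     *
     * @throws ComponentInitializationException if the resolver fails to initialize
     */
    @Override
    protected void initializeMetadataResolver() throws ComponentInitializationException {
        this.metadataResolver.initialize();
    }

    /** Destroys the underlying resolver if one was created. */
    @Override
    protected void destroyMetadataResolver() {
        if (this.metadataResolver != null) {
            this.metadataResolver.destroy();
        }
    }
}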
