package org.opensaml.xmlsec.signature.support.impl;

import com.google.common.base.Strings;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.SignatureValidationParameters;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCriterion;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.SignatureValidationParametersCriterion;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/opensaml-xmlsec-impl-3.4.3.jar:org/opensaml/xmlsec/signature/support/impl/BaseSignatureTrustEngine.class */
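/**
 * Template base class for {@link SignatureTrustEngine} implementations.
 *
 * <p>Both public {@code validate} entry points are {@code final} and enforce the same two-step
 * policy before any subclass code runs:
 * <ol>
 *   <li>If the supplied {@link CriteriaSet} carries a {@link SignatureValidationParametersCriterion},
 *       the signature algorithm is checked against that criterion's whitelist/blacklist and the
 *       signature is rejected ({@code false}) if the check fails.</li>
 *   <li>The call is then delegated to the subclass-specific {@code doValidate}, which decides
 *       whether the signature both verifies and is made with a trusted key.</li>
 * </ol>
 *
 * <p>Security caveat: this class applies <em>no</em> algorithm restriction at all when the criteria
 * set carries no {@link SignatureValidationParametersCriterion}. A deployment that needs to exclude
 * weak or disallowed algorithms (e.g. SHA-1 or HMAC-based XML signatures) must supply such a
 * criterion on every call; nothing here supplies a default policy.
 *
 * <p>The {@link #validate(Signature, Object)} helper resolves candidate credentials from the
 * signature's own {@code KeyInfo}. Those credentials are attacker-controlled until
 * {@link #evaluateTrust} accepts them, so a successful cryptographic verification alone never
 * yields {@code true} from that helper.
 *
 * @param <TrustBasisType> the trust-basis type (e.g. a set of trusted credentials or a PKIX
 *        validation context) consumed by {@link #evaluateTrust}
 */
public abstract class BaseSignatureTrustEngine<TrustBasisType> implements SignatureTrustEngine {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(BaseSignatureTrustEngine.class);

    /** Resolver used to turn a signature's {@code KeyInfo} into candidate verification credentials; never null. */
    private final KeyInfoCredentialResolver keyInfoCredentialResolver;

    /**
     * Constructor.
     *
     * @param keyInfoCredentialResolver resolver for credentials carried in a signature's KeyInfo
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the
     *         resolver is null
     */
    public BaseSignatureTrustEngine(@Nonnull final KeyInfoCredentialResolver keyInfoCredentialResolver) {
        this.keyInfoCredentialResolver =
                Constraint.isNotNull(keyInfoCredentialResolver, "KeyInfo credential resolver cannot be null");
    }

    /**
     * {@inheritDoc}
     *
     * <p>The interface permits a null resolver, but this class requires one at construction time,
     * so this implementation never returns null.
     */
    @Override
    @Nonnull
    public KeyInfoCredentialResolver getKeyInfoResolver() {
        return keyInfoCredentialResolver;
    }

    /**
     * Validates an XML signature: algorithm whitelist/blacklist policy first (when a
     * {@link SignatureValidationParametersCriterion} is present), then subclass trust evaluation.
     *
     * @param signature the XML signature to validate
     * @param criteriaSet trust-basis criteria; must be non-null and non-empty
     * @return true iff the algorithm policy (if any) passes and {@link #doValidate} returns true
     * @throws SecurityException if the arguments are invalid or the subclass reports an error
     */
    @Override
    public final boolean validate(@Nonnull final Signature signature, @Nullable final CriteriaSet criteriaSet)
            throws SecurityException {
        checkParams(signature, criteriaSet);

        final SignatureValidationParametersCriterion paramsCriterion =
                criteriaSet.get(SignatureValidationParametersCriterion.class);
        if (paramsCriterion != null) {
            log.debug("Performing signature algorithm whitelist/blacklist validation using params from CriteriaSet");
            try {
                // Presumably checks the signature and digest algorithm URIs against the
                // whitelist/blacklist; the validator's exact scope is not visible here.
                new SignatureAlgorithmValidator(paramsCriterion.getSignatureValidationParameters())
                        .validate(signature);
            } catch (final SignatureException e) {
                // Keep the exception: its message is the only record of *which* algorithm was rejected.
                log.warn("XML signature failed algorithm whitelist/blacklist validation", e);
                return false;
            }
        }

        return doValidate(signature, criteriaSet);
    }

    /**
     * Subclass hook: verify the XML signature and establish trust in the signing key.
     *
     * @param signature the XML signature to validate (already passed algorithm policy, if any)
     * @param criteriaSet trust-basis criteria (already checked non-null and non-empty)
     * @return true iff the signature verifies with a trusted credential
     * @throws SecurityException on a processing error
     */
    protected abstract boolean doValidate(@Nonnull Signature signature, @Nullable CriteriaSet criteriaSet)
            throws SecurityException;

    /**
     * Validates a simple/raw (non-XML) signature: algorithm URI policy first (when a
     * {@link SignatureValidationParametersCriterion} is present), then subclass trust evaluation.
     *
     * @param bArr the signature bytes; must be non-null and non-empty
     * @param bArr2 the signed content bytes; must be non-null and non-empty
     * @param str the signature algorithm URI; must be non-null and non-empty
     * @param criteriaSet trust-basis criteria; must be non-null and non-empty
     * @param credential optional candidate verification credential, passed through to {@link #doValidate}
     * @return true iff the algorithm policy (if any) passes and {@link #doValidate} returns true
     * @throws SecurityException if the arguments are invalid or the subclass reports an error
     */
    @Override
    public final boolean validate(@Nonnull final byte[] bArr, @Nonnull final byte[] bArr2, @Nonnull final String str,
            @Nullable final CriteriaSet criteriaSet, @Nullable final Credential credential) throws SecurityException {
        checkParamsRaw(bArr, bArr2, str, criteriaSet);

        final SignatureValidationParametersCriterion paramsCriterion =
                criteriaSet.get(SignatureValidationParametersCriterion.class);
        if (paramsCriterion != null) {
            log.debug("Performing signature algorithm whitelist/blacklist validation using params from CriteriaSet");
            final SignatureValidationParameters params = paramsCriterion.getSignatureValidationParameters();
            final boolean algorithmAllowed = AlgorithmSupport.validateAlgorithmURI(
                    str, params.getWhitelistedAlgorithms(), params.getBlacklistedAlgorithms());
            if (!algorithmAllowed) {
                log.warn("Simple/raw signature failed algorithm whitelist/blacklist validation");
                return false;
            }
        }

        return doValidate(bArr, bArr2, str, criteriaSet, credential);
    }

    /**
     * Subclass hook: verify a raw signature over content and establish trust in the signing key.
     *
     * @param bArr the signature bytes
     * @param bArr2 the signed content bytes
     * @param str the signature algorithm URI (already passed algorithm policy, if any)
     * @param criteriaSet trust-basis criteria (already checked non-null and non-empty)
     * @param credential optional candidate verification credential
     * @return true iff the signature verifies with a trusted credential
     * @throws SecurityException on a processing error
     */
    protected abstract boolean doValidate(@Nonnull byte[] bArr, @Nonnull byte[] bArr2, @Nonnull String str,
            @Nullable CriteriaSet criteriaSet, @Nullable Credential credential) throws SecurityException;

    /**
     * Attempts to verify the signature with credentials resolved from its own {@code KeyInfo}, and
     * to establish trust in whichever credential verifies it.
     *
     * <p>Candidates are tried in resolver order. The first candidate that both verifies the
     * signature and passes {@link #evaluateTrust} yields {@code true}; a candidate that verifies
     * but is not trusted is skipped, not accepted. A signature without {@code KeyInfo} yields
     * {@code false} without consulting the resolver.
     *
     * <p>Declared {@code protected} in the original source (the decompiler widened it to public).
     *
     * @param signature the XML signature to verify
     * @param trustbasistype the trust basis handed to {@link #evaluateTrust}
     * @return true iff some KeyInfo-derived credential verifies the signature and is trusted
     * @throws SecurityException if credential resolution fails or {@link #evaluateTrust} reports an error
     */
    public boolean validate(@Nonnull final Signature signature, @Nullable final TrustBasisType trustbasistype)
            throws SecurityException {
        log.debug("Attempting to verify signature and establish trust using KeyInfo-derived credentials");

        if (signature.getKeyInfo() == null) {
            log.debug("Signature contained no KeyInfo element, could not resolve verification credentials");
            log.debug("Failed to verify signature and/or establish trust using any KeyInfo-derived credentials");
            return false;
        }

        final Iterable<Credential> candidates;
        try {
            candidates = getKeyInfoResolver().resolve(new CriteriaSet(new KeyInfoCriterion(signature.getKeyInfo())));
        } catch (final ResolverException e) {
            throw new SecurityException("Error resolving KeyInfo from KeyInfoResolver", e);
        }

        for (final Credential candidate : candidates) {
            if (!verifySignature(signature, candidate)) {
                continue;
            }
            log.debug("Successfully verified signature using KeyInfo-derived credential");
            log.debug("Attempting to establish trust of KeyInfo-derived credential");
            // Verification alone proves nothing: the key came from the signed document itself.
            if (evaluateTrust(candidate, trustbasistype)) {
                log.debug("Successfully established trust of KeyInfo-derived credential");
                return true;
            }
            log.debug("Failed to establish trust of KeyInfo-derived credential");
        }

        log.debug("Failed to verify signature and/or establish trust using any KeyInfo-derived credentials");
        return false;
    }

    /**
     * Subclass hook: decide whether a credential that verified the signature is actually trusted.
     *
     * @param credential the (so far untrusted) credential that verified the signature
     * @param trustbasistype the trust basis to evaluate against
     * @return true iff the credential is trusted
     * @throws SecurityException on a processing error
     */
    protected abstract boolean evaluateTrust(@Nonnull Credential credential, @Nullable TrustBasisType trustbasistype)
            throws SecurityException;

    /**
     * Cryptographically verifies the signature with a single candidate credential.
     *
     * <p>Performs no trust evaluation. A verification failure is reported at debug level only,
     * because trying several candidates and failing on most of them is the normal case.
     *
     * <p>Declared {@code protected} in the original source (the decompiler widened it to public).
     *
     * @param signature the XML signature to verify
     * @param credential the candidate verification credential
     * @return true iff the signature verifies with the credential
     */
    public boolean verifySignature(@Nonnull final Signature signature, @Nonnull final Credential credential) {
        try {
            SignatureValidator.validate(signature, credential);
        } catch (final SignatureException e) {
            log.debug("Signature validation using candidate validation credential failed", e);
            return false;
        }
        log.debug("Signature validation using candidate credential was successful");
        return true;
    }

    /**
     * Argument check for {@link #validate(Signature, CriteriaSet)}.
     *
     * @param signature the signature; must be non-null
     * @param criteriaSet the criteria set; must be non-null and non-empty
     * @throws SecurityException if any argument is invalid
     */
    protected void checkParams(@Nonnull final Signature signature, @Nonnull final CriteriaSet criteriaSet)
            throws SecurityException {
        if (signature == null) {
            throw new SecurityException("Signature cannot be null");
        }
        requireTrustBasisCriteria(criteriaSet);
    }

    /**
     * Argument check for {@link #validate(byte[], byte[], String, CriteriaSet, Credential)}.
     *
     * @param bArr the signature bytes; must be non-null and non-empty
     * @param bArr2 the content bytes; must be non-null and non-empty
     * @param str the algorithm URI; must be non-null and non-empty
     * @param criteriaSet the criteria set; must be non-null and non-empty
     * @throws SecurityException if any argument is invalid
     */
    protected void checkParamsRaw(@Nonnull final byte[] bArr, @Nonnull final byte[] bArr2, @Nonnull final String str,
            @Nonnull final CriteriaSet criteriaSet) throws SecurityException {
        if (bArr == null || bArr.length == 0) {
            throw new SecurityException("Signature byte array cannot be null or empty");
        }
        if (bArr2 == null || bArr2.length == 0) {
            throw new SecurityException("Content byte array cannot be null or empty");
        }
        if (Strings.isNullOrEmpty(str)) {
            throw new SecurityException("Signature algorithm cannot be null or empty");
        }
        requireTrustBasisCriteria(criteriaSet);
    }

    /**
     * Shared check that a trust-basis criteria set is present and non-empty; an empty set would
     * give the engine nothing to establish trust against.
     *
     * @param criteriaSet the criteria set to check
     * @throws SecurityException if the set is null or empty
     */
    private static void requireTrustBasisCriteria(@Nullable final CriteriaSet criteriaSet) throws SecurityException {
        if (criteriaSet == null) {
            throw new SecurityException("Trust basis criteria set cannot be null");
        }
        if (criteriaSet.isEmpty()) {
            throw new SecurityException("Trust basis criteria set cannot be empty");
        }
    }
}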
