package org.opensaml.security.x509.tls.impl;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.annotation.Nonnull;
import javax.net.ssl.X509TrustManager;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/opensaml-security-impl-4.0.0.jar:org/opensaml/security/x509/tls/impl/ThreadLocalX509TrustManager.class */
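public class ThreadLocalX509TrustManager implements X509TrustManager {

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(ThreadLocalX509TrustManager.class);

    /**
     * {@inheritDoc}
     *
     * <p>Always an empty array: this manager does not advertise a fixed set of accepted issuers,
     * because trust is decided per handshake by the {@link TrustEngine} held in
     * {@link ThreadLocalX509TrustEngineContext}.</p>
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    /**
     * {@inheritDoc}
     *
     * <p>Delegates to {@link #performTrustEval(X509Certificate[], String)}.</p>
     */
    @Override
    public void checkClientTrusted(final X509Certificate[] x509CertificateArr, final String str)
            throws CertificateException {
        performTrustEval(x509CertificateArr, str);
    }

    /**
     * {@inheritDoc}
     *
     * <p>Delegates to {@link #performTrustEval(X509Certificate[], String)}.</p>
     */
    @Override
    public void checkServerTrusted(final X509Certificate[] x509CertificateArr, final String str)
            throws CertificateException {
        performTrustEval(x509CertificateArr, str);
    }

    /**
     * Evaluate the presented certificate chain against the trust engine and criteria published in
     * the current thread's {@link ThreadLocalX509TrustEngineContext}.
     *
     * <p>The outcome is recorded in the context via
     * {@link ThreadLocalX509TrustEngineContext#setTrusted(Boolean)} so the caller that set up the
     * context can inspect it after the handshake. An untrusted result only aborts the handshake
     * (by throwing) when the context marks failure as fatal; otherwise the handshake proceeds and
     * the caller is expected to consult the recorded result.</p>
     *
     * @param x509CertificateArr the peer certificate chain, end-entity certificate first
     * @param str the key exchange / authentication type reported by the TLS layer
     *
     * @throws IllegalArgumentException if the chain or auth type is null or empty, as required by
     *         the {@link X509TrustManager} contract
     * @throws CertificateException if no thread-local context is populated, or if the credential
     *         is untrusted and failure is fatal
     */
    protected void performTrustEval(final X509Certificate[] x509CertificateArr, final String str)
            throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Certificate chain was null or empty");
        }
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("AuthType was null or empty");
        }

        // Fail closed: without a populated context there is no trust engine to consult, and
        // silently accepting the peer here would bypass TLS server/client authentication entirely.
        if (!ThreadLocalX509TrustEngineContext.haveCurrent()) {
            throw new CertificateException("Trust of X509Certificate could not be established, "
                    + "ThreadLocalX509TrustEngineContext is not populated");
        }

        final boolean trusted = performTrustEval(x509CertificateArr,
                ThreadLocalX509TrustEngineContext.getTrustEngine(),
                ThreadLocalX509TrustEngineContext.getCriteria());

        // Always publish the verdict so the code that populated the context can read it back.
        ThreadLocalX509TrustEngineContext.setTrusted(trusted);
        if (trusted) {
            return;
        }

        if (ThreadLocalX509TrustEngineContext.isFailureFatal()) {
            log.debug("Credential evaluated as untrusted, failure indicated as fatal");
            throw new CertificateException("Trust engine could not establish trust of presented TLS credential");
        }
        log.debug("Credential evaluated as untrusted, failure indicated as non-fatal");
    }

    /**
     * Evaluate the presented certificate chain against an explicit trust engine and criteria set.
     *
     * <p>Any exception or error raised by the trust engine is logged and treated as an untrusted
     * result (fail closed) rather than propagated, so an engine failure can never be mistaken for
     * a successful validation.</p>
     *
     * @param x509CertificateArr the peer certificate chain, end-entity certificate first
     * @param trustEngine the trust engine to consult
     * @param criteriaSet the criteria to evaluate the credential against
     *
     * @return true if the trust engine validated the credential, false otherwise
     *
     * @throws CertificateException if a credential cannot be built from the chain
     */
    protected boolean performTrustEval(@Nonnull final X509Certificate[] x509CertificateArr,
            @Nonnull final TrustEngine<? super X509Credential> trustEngine,
            @Nonnull final CriteriaSet criteriaSet) throws CertificateException {
        log.debug("Attempting to evaluate server TLS credential against supplied TrustEngine and CriteriaSet");

        final X509Credential credential = extractCredential(x509CertificateArr);
        log.trace("Saw trust engine of type: {}", trustEngine.getClass().getName());

        try {
            if (trustEngine.validate(credential, criteriaSet)) {
                log.debug("Credential evaluated as trusted");
                return true;
            }
            log.debug("Credential evaluated as untrusted");
            return false;
        } catch (final Throwable t) {
            // Deliberately broad: a failing engine must yield "untrusted", never "trusted".
            // The throwable is logged in full so the underlying cause is not lost.
            log.error("Fatal trust engine error evaluating credential", t);
            return false;
        }
    }

    /**
     * Build an {@link X509Credential} from the presented certificate chain.
     *
     * <p>The first element of the chain is taken to be the end-entity certificate; the whole chain
     * is attached as the credential's entity certificate chain.</p>
     *
     * @param x509CertificateArr the non-empty peer certificate chain, end-entity certificate first
     *
     * @return the credential wrapping the chain
     *
     * @throws CertificateException if the credential cannot be constructed
     */
    @Nonnull
    protected X509Credential extractCredential(@NotEmpty @Nonnull final X509Certificate[] x509CertificateArr)
            throws CertificateException {
        // Typed list instead of the raw List/cast pair, which only compiled with unchecked warnings.
        final List<X509Certificate> chain = Arrays.asList(x509CertificateArr);
        final BasicX509Credential credential = new BasicX509Credential(chain.get(0));
        credential.setEntityCertificateChain(chain);
        return credential;
    }
}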
