package com.vmware.vapi.internal.saml;

import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/vmware/vapi/internal/saml/X509TrustChainKeySelector.class */
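/**
 * {@link KeySelector} that hands out <em>verification</em> keys only, and only when the
 * signing certificate carried in {@code <ds:KeyInfo>} chains (PKIX path build) to one of
 * the trust anchors supplied at construction.
 *
 * <p>Trust decisions encoded here:
 * <ul>
 *   <li>Certificates found inside {@code <ds:KeyInfo>} are untrusted input from the
 *       signed document. They are only offered to the PKIX builder as candidate
 *       intermediates; a certificate is never trusted because it merely appears there.</li>
 *   <li>The first {@code <ds:X509Certificate>} is taken to be the end-entity (signing)
 *       certificate; its public key is returned only if a path to an anchor exists.</li>
 *   <li>Revocation checking (CRL/OCSP) is disabled in the path build, so a revoked but
 *       otherwise valid signing certificate is still accepted. Revocation handling, if
 *       required, has to happen elsewhere.</li>
 *   <li>If {@code <ds:KeyInfo>} carries no certificate at all and exactly one anchor is
 *       configured, the anchor's own public key is returned for verification; with several
 *       anchors the choice is ambiguous and no key is returned.</li>
 * </ul>
 *
 * <p>Instances are immutable after construction; every {@link #select} call creates fresh
 * JCA objects, so the selector can be shared between threads.
 */
public class X509TrustChainKeySelector extends KeySelector {
    private static final String BUILDER_PROVIDER_PKIX = "PKIX";
    private static final String CERTSTORE_PROVIDER_COLLECTION = "Collection";
    private static final String UNRECOGNIZED_DS_KEYINFO = "Unrecognized <ds:KeyInfo> element";
    /** Shared by the log line and the exception raised when a JCA factory is unavailable. */
    private static final String SECURITY_OBJECT_CREATION_FAILED =
            "Couldnt't create standard security object. Possibly non-compliant underlying Java implementation.";
    private final Logger _log = LoggerFactory.getLogger(X509TrustChainKeySelector.class);
    /** Unmodifiable snapshot of the configured anchors; never empty, never contains null. */
    private final Set<TrustAnchor> _trustAnchors;

    /**
     * Creates a selector trusting exactly the given certificates as PKIX trust anchors.
     *
     * @param x509CertificateArr one or more trusted (typically CA or self-signed) certificates
     * @throws IllegalArgumentException if the array is null or empty, or any element is null
     */
    public X509TrustChainKeySelector(X509Certificate... x509CertificateArr) {
        checkCtorArgsNotNull(x509CertificateArr);
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate trustedCert : x509CertificateArr) {
            // No name constraints are attached to the anchors.
            anchors.add(new TrustAnchor(trustedCert, null));
        }
        // Defensive: PKIXBuilderParameters copies the set anyway, but this also guards the field.
        this._trustAnchors = Collections.unmodifiableSet(anchors);
    }

    /**
     * Selects the verification key for a signature.
     *
     * @param keyInfo the {@code <ds:KeyInfo>} of the signature; may be null
     * @param purpose must be {@link KeySelector.Purpose#VERIFY}; any other purpose yields no key
     * @param algorithmMethod ignored
     * @param xMLCryptoContext ignored
     * @return a result whose key is the trusted signing key, or whose key is null when no
     *         trusted key could be determined (the caller's signature validation then fails)
     * @throws KeySelectorException if the JCA objects needed for path building are unavailable
     */
    @Override
    public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
            AlgorithmMethod algorithmMethod, XMLCryptoContext xMLCryptoContext) throws KeySelectorException {
        if (purpose != KeySelector.Purpose.VERIFY) {
            this._log.warn("Incorrect usage: this selector only returns verification keys");
            return fixedKeyResult(null);
        }
        List<X509Certificate> certificates = extractCertificateList(keyInfo);
        if (certificates.isEmpty()) {
            // No certificate supplied with the signature: only an unambiguous single anchor
            // can serve as the verification key.
            if (this._trustAnchors.size() == 1) {
                return fixedKeyResult(this._trustAnchors.iterator().next().getTrustedCert().getPublicKey());
            }
            return fixedKeyResult(null);
        }
        // First certificate is treated as the signing certificate; the rest only help to
        // build the path. (XMLDSig itself does not mandate an ordering — presumably the
        // producers this code talks to always put the leaf first.)
        X509Certificate signingCert = certificates.get(0);
        if (verifyTrustedPathExists(signingCert, certificates)) {
            return fixedKeyResult(signingCert.getPublicKey());
        }
        return fixedKeyResult(null);
    }

    /**
     * Collects the {@code <ds:X509Certificate>} entries of a {@code <ds:KeyInfo>}.
     *
     * <p>Only the layout {@code <ds:KeyInfo>} with a single {@code <ds:X509Data>} child is
     * recognised; anything else (or a null {@code keyInfo}) yields an empty list. Other
     * {@code <ds:X509Data>} children (issuer/serial, SKI, subject name, CRL) are ignored.
     *
     * @param keyInfo the key info to inspect; may be null
     * @return the certificates in document order, never null
     */
    private List<X509Certificate> extractCertificateList(KeyInfo keyInfo) {
        if (keyInfo == null) {
            return Collections.emptyList();
        }
        List<?> keyInfoContent = keyInfo.getContent();
        if (keyInfoContent.size() != 1 || !(keyInfoContent.get(0) instanceof X509Data)) {
            this._log.info(UNRECOGNIZED_DS_KEYINFO + ": should have just one child of type <ds:X509Data>");
            return Collections.emptyList();
        }
        List<?> x509DataContent = ((X509Data) keyInfoContent.get(0)).getContent();
        List<X509Certificate> certificates = new ArrayList<X509Certificate>();
        for (Object entry : x509DataContent) {
            if (entry instanceof X509Certificate) {
                certificates.add((X509Certificate) entry);
            }
        }
        return certificates;
    }

    /**
     * Runs a PKIX path build from {@code signingCert} to one of the configured anchors,
     * using {@code candidates} as the only source of intermediate certificates.
     *
     * <p>Revocation checking is switched off: no CRL or OCSP lookups are performed. Validity
     * dates are still checked by the builder against the current time.
     *
     * @param signingCert the end-entity certificate to anchor the path at
     * @param candidates certificates from the signature that may serve as intermediates
     * @return true if a path to a trust anchor was found, false if the builder found none
     * @throws KeySelectorException if the PKIX builder or collection cert store cannot be created
     */
    private boolean verifyTrustedPathExists(X509Certificate signingCert, Collection<X509Certificate> candidates)
            throws KeySelectorException {
        try {
            CertPathBuilder builder = CertPathBuilder.getInstance(BUILDER_PROVIDER_PKIX);
            CertStore intermediates = CertStore.getInstance(CERTSTORE_PROVIDER_COLLECTION,
                    new CollectionCertStoreParameters(candidates));
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(signingCert);
            PKIXBuilderParameters params = new PKIXBuilderParameters(this._trustAnchors, target);
            params.addCertStore(intermediates);
            // Deliberate: no CRL/OCSP lookups. Revoked-but-unexpired signing certs are accepted.
            params.setRevocationEnabled(false);
            CertPathBuilderResult result = builder.build(params);
            // Only the JDK's PKIX builder is guaranteed to return a PKIXCertPathBuilderResult;
            // guard the cast instead of letting a foreign provider blow up debug logging.
            if (this._log.isDebugEnabled() && result instanceof PKIXCertPathBuilderResult) {
                dumpPathBuilderResult((PKIXCertPathBuilderResult) result);
            }
            return true;
        } catch (CertPathBuilderException noPath) {
            // Must precede the GeneralSecurityException catch: it is a subclass of it.
            this._log.info("Failed to find trusted path to signing certificate <"
                    + signingCert.getSubjectX500Principal().getName() + ">", noPath);
            return false;
        } catch (GeneralSecurityException jcaFailure) {
            this._log.error(SECURITY_OBJECT_CREATION_FAILED, jcaFailure);
            throw new KeySelectorException(SECURITY_OBJECT_CREATION_FAILED, jcaFailure);
        }
    }

    /**
     * Wraps a (possibly null) key in a {@link KeySelectorResult}.
     *
     * @param key the key to return from the result; null means "no key selected"
     * @return a result that always returns {@code key}
     */
    private KeySelectorResult fixedKeyResult(final Key key) {
        return new KeySelectorResult() {
            @Override
            public Key getKey() {
                return key;
            }
        };
    }

    /**
     * Logs, at debug level, the certificate path from the signing certificate down to the
     * trust anchor as a chain of subject DNs.
     *
     * @param result a successful PKIX path build result
     */
    private void dumpPathBuilderResult(PKIXCertPathBuilderResult result) {
        StringBuilder path = new StringBuilder("Trusted path found: ");
        for (Certificate cert : result.getCertPath().getCertificates()) {
            // PKIX paths consist of X.509 certificates only.
            path.append('<').append(((X509Certificate) cert).getSubjectX500Principal().getName()).append("> -> ");
        }
        path.append('<').append(result.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName()).append('>');
        this._log.debug(path.toString());
    }

    /**
     * Validates the constructor input.
     *
     * @param x509CertificateArr the trusted certificates
     * @throws IllegalArgumentException if the array is null or empty, or any element is null
     */
    private static void checkCtorArgsNotNull(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Expected one or more trusted certificates, but got null");
        }
        for (X509Certificate trustedCert : x509CertificateArr) {
            if (trustedCert == null) {
                throw new IllegalArgumentException("Expected certificate, but got null");
            }
        }
    }
}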
