package org.craftercms.engine.util.spring.security.saml2;

import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import org.craftercms.core.util.cache.CacheTemplate;
import org.craftercms.engine.service.context.SiteContext;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.x509.BasicPKIXValidationInformation;
import org.opensaml.xml.security.x509.PKIXValidationInformation;
import org.opensaml.xml.security.x509.PKIXValidationInformationResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.key.KeyManager;

/* loaded from: input_file:org/craftercms/engine/util/spring/security/saml2/CacheAwarePKIXValidationInformationResolver.class */
/**
 * {@link PKIXValidationInformationResolver} that builds its PKIX trust anchors from a
 * {@link KeyManager} and stores the result through a {@link CacheTemplate}, keyed by the
 * current site's context plus the {@code "PKIXInfo"} key element.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When no explicit set of trusted key aliases is supplied, every alias reported by
 *       {@link KeyManager#getAvailableCredentials()} becomes a trust anchor. Review which
 *       certificates the keystore holds before relying on that default.</li>
 *   <li>No CRLs are handed to the validation information, so revocation data has to come
 *       from elsewhere if it is required.</li>
 *   <li>The entity ID found in the resolution criteria is always added to the trusted
 *       names returned by {@link #resolveTrustedNames(CriteriaSet)}.</li>
 * </ul>
 *
 * <p>NOTE(review): the fields are mutable and {@code trustedKeys} is assigned lazily inside
 * the cache loader without synchronization; confirm how instances are shared across threads.
 */
public class CacheAwarePKIXValidationInformationResolver implements PKIXValidationInformationResolver {
    private static final Logger logger = LoggerFactory.getLogger(CacheAwarePKIXValidationInformationResolver.class);

    /** Key element that identifies the cached validation information within a site context. */
    private static final String CACHE_KEY = "PKIXInfo";

    /** Value passed as the maximum certification path depth of the validation information. */
    private static final int MAX_PATH_DEPTH = 4;

    protected CacheTemplate cacheTemplate;
    protected KeyManager keyManager;
    protected Set<String> trustedNames;
    protected Set<String> trustedKeys;

    /**
     * Creates the resolver.
     *
     * @param cacheTemplate cache facade used to store the computed validation information
     * @param keyManager    source of the key aliases and their certificates
     * @param set           trusted names; copied on every call to
     *                      {@link #resolveTrustedNames(CriteriaSet)}, which throws a
     *                      {@link NullPointerException} if this is {@code null}
     * @param set2          aliases of the keys to use as trust anchors, or {@code null} to
     *                      fall back to all credentials available in the key manager
     */
    public CacheAwarePKIXValidationInformationResolver(CacheTemplate cacheTemplate, KeyManager keyManager, Set<String> set, Set<String> set2) {
        this.cacheTemplate = cacheTemplate;
        this.keyManager = keyManager;
        this.trustedNames = set;
        this.trustedKeys = set2;
    }

    /**
     * Returns the validation information for the current site, obtained through the cache
     * template with a loader that builds it from the key manager.
     *
     * <p>The loader resolves each trusted alias to a certificate; aliases without a
     * certificate are logged at WARN and skipped, so the anchor list can end up empty.
     * NOTE(review): presumably the loader only runs on a cache miss, in which case keystore
     * changes are not picked up until the cached entry is dropped; confirm against
     * {@code CacheTemplate}.
     *
     * @return a single-element list holding the validation information
     */
    @SuppressWarnings({"unchecked", "rawtypes"}) // cast on the cached value and raw null CRL collection
    protected List<PKIXValidationInformation> getInfo() {
        return (List<PKIXValidationInformation>) this.cacheTemplate.getObject(SiteContext.getCurrent().getContext(), () -> {
            // Lazy default: with no explicit alias set, trust every credential in the key manager.
            if (this.trustedKeys == null) {
                this.trustedKeys = this.keyManager.getAvailableCredentials();
            }

            List<X509Certificate> anchors = new LinkedList<>();
            for (String alias : this.trustedKeys) {
                logger.debug("Adding PKIX trust anchor {} for metadata verification", alias);
                X509Certificate anchor = this.keyManager.getCertificate(alias);
                if (anchor == null) {
                    logger.warn("Cannot construct PKIX trust anchor for key with alias {}, key isn't included in the keystore", alias);
                    continue;
                }
                anchors.add(anchor);
            }

            // Second argument is the CRL collection: none is supplied by this resolver.
            List<PKIXValidationInformation> result = new LinkedList<>();
            result.add(new BasicPKIXValidationInformation(anchors, (Collection) null, MAX_PATH_DEPTH));
            return result;
        }, new Object[]{CACHE_KEY});
    }

    /**
     * Returns a fresh copy of the configured trusted names, extended with the entity ID from
     * the criteria when an {@link EntityIDCriteria} is present.
     *
     * <p>NOTE(review): the result is empty when no names are configured and the criteria
     * carry no entity ID; confirm how the consuming trust engine treats an empty name set.
     *
     * @param criteriaSet criteria of the current resolution
     * @return a new, mutable set of trusted names
     */
    @Override
    public Set<String> resolveTrustedNames(CriteriaSet criteriaSet) throws UnsupportedOperationException {
        Set<String> names = new HashSet<>(this.trustedNames);
        EntityIDCriteria entityCriteria = (EntityIDCriteria) criteriaSet.get(EntityIDCriteria.class);
        if (entityCriteria == null) {
            return names;
        }
        names.add(entityCriteria.getEntityID());
        return names;
    }

    /**
     * Reports that {@link #resolveTrustedNames(CriteriaSet)} is supported.
     *
     * @return always {@code true}
     */
    @Override
    public boolean supportsTrustedNameResolution() {
        return true;
    }

    /**
     * Returns the validation information of the current site; the criteria are not consulted.
     *
     * @param criteriaSet ignored
     * @return the list produced by {@link #getInfo()}
     */
    @Override
    public Iterable<PKIXValidationInformation> resolve(CriteriaSet criteriaSet) {
        return getInfo();
    }

    /**
     * Returns the first validation information entry of the current site; the criteria are
     * not consulted.
     *
     * @param criteriaSet ignored
     * @return the first entry, or {@code null} when the list is empty
     */
    @Override
    public PKIXValidationInformation resolveSingle(CriteriaSet criteriaSet) {
        List<PKIXValidationInformation> entries = getInfo();
        return entries.isEmpty() ? null : entries.get(0);
    }
}
