package org.opensaml.saml.security.impl;

import com.google.common.base.Predicate;
import java.security.Key;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.ext.saml2alg.DigestMethod;
import org.opensaml.saml.ext.saml2alg.SigningMethod;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.Extensions;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.crypto.KeySupport;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.impl.BasicSignatureSigningParametersResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/ehealth_connector-fatjar-ch-1.7-20180920s.jar:org/opensaml/saml/security/impl/SAMLMetadataSignatureSigningParametersResolver.class */
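/**
 * A {@link BasicSignatureSigningParametersResolver} that additionally consults the
 * {@code <alg:SigningMethod>} and {@code <alg:DigestMethod>} extensions found in the
 * SAML metadata of the peer's {@link RoleDescriptor} (or its parent
 * {@link EntityDescriptor}) whenever a {@link RoleDescriptorCriterion} is present in the
 * input criteria.
 *
 * <p>Algorithms advertised by metadata are only honoured when they also pass the runtime
 * support predicate and the caller-supplied algorithm {@code predicate}; metadata can therefore
 * influence which of the locally acceptable algorithms is chosen, but cannot introduce an
 * algorithm the local policy does not accept. Whenever nothing usable is found in metadata the
 * resolution falls back to the locally configured algorithms via the superclass.</p>
 *
 * <p>The decompiler annotations on the original listing indicate that the two overrides below
 * were declared {@code protected} in the upstream source; they are kept {@code public} here so
 * the compiled class's interface is unchanged.</p>
 */
public class SAMLMetadataSignatureSigningParametersResolver extends BasicSignatureSigningParametersResolver {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(SAMLMetadataSignatureSigningParametersResolver.class);

    /**
     * Resolves the signing credential and signature algorithm, preferring a metadata
     * {@code SigningMethod} that is (a) acceptable to both the runtime-support predicate and
     * {@code predicate}, and (b) satisfiable by one of the effective signing credentials,
     * including any {@code MinKeySize}/{@code MaxKeySize} constraints.
     *
     * <p>{@code SigningMethod} elements are evaluated in document order and credentials in the
     * order returned by {@link #getEffectiveSigningCredentials(CriteriaSet)}; the first matching
     * pair wins. If no {@link RoleDescriptorCriterion} is present, no {@code SigningMethod}
     * extensions exist, or none matches, the superclass implementation is used instead.</p>
     *
     * @param signatureSigningParameters the parameters instance to populate
     * @param criteriaSet the resolution criteria
     * @param predicate the caller-supplied algorithm acceptance predicate
     */
    @Override // org.opensaml.xmlsec.impl.BasicSignatureSigningParametersResolver
    public void resolveAndPopulateCredentialAndSignatureAlgorithm(
            @Nonnull final SignatureSigningParameters signatureSigningParameters,
            @Nonnull final CriteriaSet criteriaSet,
            @Nonnull final Predicate<String> predicate) {
        if (!criteriaSet.contains(RoleDescriptorCriterion.class)) {
            super.resolveAndPopulateCredentialAndSignatureAlgorithm(signatureSigningParameters, criteriaSet, predicate);
            return;
        }

        final RoleDescriptor role = ((RoleDescriptorCriterion) criteriaSet.get(RoleDescriptorCriterion.class)).getRole();
        final List<XMLObject> signingMethods = getExtensions(role, SigningMethod.DEFAULT_ELEMENT_NAME);
        if (signingMethods == null || signingMethods.isEmpty()) {
            super.resolveAndPopulateCredentialAndSignatureAlgorithm(signatureSigningParameters, criteriaSet, predicate);
            return;
        }

        final List<Credential> candidateCredentials = getEffectiveSigningCredentials(criteriaSet);

        for (final XMLObject xmlObject : signingMethods) {
            if (!(xmlObject instanceof SigningMethod)) {
                // getExtensions() selects by element name only; an unexpected implementation type
                // (e.g. when the extension is not registered) is skipped rather than allowed to
                // surface as a ClassCastException from metadata we do not control.
                log.warn("Skipping SigningMethod extension of unexpected type: {}", xmlObject.getClass().getName());
                continue;
            }
            final SigningMethod signingMethod = (SigningMethod) xmlObject;
            final String algorithm = signingMethod.getAlgorithm();
            log.trace("Evaluating SAML metadata SigningMethod with algorithm: {}, minKeySize: {}, maxKeySize: {}",
                    algorithm, signingMethod.getMinKeySize(), signingMethod.getMaxKeySize());

            if (!isAlgorithmAcceptable(algorithm, predicate)) {
                continue;
            }

            for (final Credential credential : candidateCredentials) {
                if (log.isTraceEnabled()) {
                    final Key signingKey = CredentialSupport.extractSigningKey(credential);
                    // Guard the null key here; credentialSupportsSigningMethod() reports it properly below.
                    log.trace("Evaluating credential of type: {}, with length: {}",
                            signingKey != null ? signingKey.getAlgorithm() : "n/a",
                            signingKey != null ? KeySupport.getKeyLength(signingKey) : null);
                }
                if (credentialSupportsSigningMethod(credential, signingMethod)) {
                    log.trace("Credential passed eval against SigningMethod");
                    log.debug("Resolved signature algorithm URI from SAML metadata SigningMethod: {}", algorithm);
                    signatureSigningParameters.setSigningCredential(credential);
                    signatureSigningParameters.setSignatureAlgorithm(algorithm);
                    return;
                }
                log.trace("Credential failed eval against SigningMethod");
            }
        }

        log.debug("Could not resolve signing credential and algorithm based on SAML metadata, falling back to locally configured algorithms");
        super.resolveAndPopulateCredentialAndSignatureAlgorithm(signatureSigningParameters, criteriaSet, predicate);
    }

    /**
     * Evaluates whether a credential satisfies a metadata {@code SigningMethod}: the credential
     * must support the method's algorithm and, when the method declares {@code MinKeySize}
     * and/or {@code MaxKeySize}, its signing key length must lie within those bounds.
     *
     * <p>This check fails closed: if key-size constraints are declared but the signing key or
     * its length cannot be determined, the credential is rejected.</p>
     *
     * @param credential the candidate signing credential
     * @param signingMethod the metadata signing method to evaluate against
     * @return true iff the credential may be used with this signing method
     */
    protected boolean credentialSupportsSigningMethod(@Nonnull final Credential credential,
            @NotEmpty @Nonnull final SigningMethod signingMethod) {
        if (!credentialSupportsAlgorithm(credential, signingMethod.getAlgorithm())) {
            return false;
        }

        final Integer minKeySize = signingMethod.getMinKeySize();
        final Integer maxKeySize = signingMethod.getMaxKeySize();
        if (minKeySize == null && maxKeySize == null) {
            // No key-size constraints to enforce; algorithm support alone decides.
            return true;
        }

        final Key signingKey = CredentialSupport.extractSigningKey(credential);
        if (signingKey == null) {
            log.warn("Could not extract signing key from credential. Failing evaluation");
            return false;
        }
        final Integer keyLength = KeySupport.getKeyLength(signingKey);
        if (keyLength == null) {
            log.warn("Could not determine key length of candidate signing credential. Failing evaluation");
            return false;
        }

        if (minKeySize != null && keyLength.intValue() < minKeySize.intValue()) {
            log.trace("Candidate signing credential does not meet minKeySize requirement");
            return false;
        }
        if (maxKeySize != null && keyLength.intValue() > maxKeySize.intValue()) {
            log.trace("Candidate signing credential does not meet maxKeySize requirement");
            return false;
        }
        return true;
    }

    /**
     * Resolves the reference digest method, preferring the first metadata {@code DigestMethod}
     * (in document order) whose algorithm is acceptable to both the runtime-support predicate and
     * {@code predicate}. Falls back to the superclass when no {@link RoleDescriptorCriterion} is
     * present, no {@code DigestMethod} extensions exist, or none is acceptable.
     *
     * @param criteriaSet the resolution criteria
     * @param predicate the caller-supplied algorithm acceptance predicate
     * @return the resolved digest algorithm URI, or null if the superclass resolves none
     */
    @Override // org.opensaml.xmlsec.impl.BasicSignatureSigningParametersResolver
    @Nullable
    public String resolveReferenceDigestMethod(@Nonnull final CriteriaSet criteriaSet,
            @Nonnull final Predicate<String> predicate) {
        if (!criteriaSet.contains(RoleDescriptorCriterion.class)) {
            return super.resolveReferenceDigestMethod(criteriaSet, predicate);
        }

        final RoleDescriptor role = ((RoleDescriptorCriterion) criteriaSet.get(RoleDescriptorCriterion.class)).getRole();
        final List<XMLObject> digestMethods = getExtensions(role, DigestMethod.DEFAULT_ELEMENT_NAME);
        if (digestMethods == null || digestMethods.isEmpty()) {
            return super.resolveReferenceDigestMethod(criteriaSet, predicate);
        }

        for (final XMLObject xmlObject : digestMethods) {
            if (!(xmlObject instanceof DigestMethod)) {
                // Same defensive skip as for SigningMethod: element-name selection does not guarantee the type.
                log.warn("Skipping DigestMethod extension of unexpected type: {}", xmlObject.getClass().getName());
                continue;
            }
            final String algorithm = ((DigestMethod) xmlObject).getAlgorithm();
            log.trace("Evaluating SAML metadata DigestMethod with algorithm: {}", algorithm);
            if (isAlgorithmAcceptable(algorithm, predicate)) {
                log.debug("Resolved reference digest method algorithm URI from SAML metadata DigestMethod: {}", algorithm);
                return algorithm;
            }
        }

        log.debug("Could not resolve signature reference digest method algorithm based on SAML metadata, falling back to locally configured algorithms");
        return super.resolveReferenceDigestMethod(criteriaSet, predicate);
    }

    /**
     * Looks up extension elements of the given name, first on the role descriptor's own
     * {@code Extensions} and then, if that yields nothing, on the parent {@link EntityDescriptor}'s
     * {@code Extensions}.
     *
     * @param roleDescriptor the role whose metadata is consulted
     * @param qName the element name of the extension to look for
     * @return the first non-empty list found (role level before entity level), or null if neither
     *         level carries such extensions
     */
    @Nullable
    protected List<XMLObject> getExtensions(@Nonnull final RoleDescriptor roleDescriptor, @Nonnull final QName qName) {
        final Extensions roleExtensions = roleDescriptor.getExtensions();
        if (roleExtensions != null) {
            final List<XMLObject> fromRole = roleExtensions.getUnknownXMLObjects(qName);
            if (!fromRole.isEmpty()) {
                log.trace("Resolved extensions from RoleDescriptor: {}", qName);
                return fromRole;
            }
        }

        // Role-level lookup was empty: consult the enclosing EntityDescriptor, if there is one.
        final XMLObject parent = roleDescriptor.getParent();
        if (!(parent instanceof EntityDescriptor)) {
            return null;
        }
        final Extensions entityExtensions = ((EntityDescriptor) parent).getExtensions();
        if (entityExtensions == null) {
            return null;
        }
        final List<XMLObject> fromEntity = entityExtensions.getUnknownXMLObjects(qName);
        if (fromEntity.isEmpty()) {
            return null;
        }
        log.trace("Resolved extensions from parent EntityDescriptor: {}", qName);
        return fromEntity;
    }

    /**
     * Common acceptance gate for metadata-advertised algorithms: non-null, supported by the
     * runtime, and accepted by the caller-supplied predicate.
     *
     * @param algorithm the algorithm URI from metadata, possibly null
     * @param predicate the caller-supplied algorithm acceptance predicate
     * @return true iff the algorithm may be used
     */
    private boolean isAlgorithmAcceptable(@Nullable final String algorithm, @Nonnull final Predicate<String> predicate) {
        return algorithm != null
                && getAlgorithmRuntimeSupportedPredicate().apply(algorithm)
                && predicate.apply(algorithm);
    }
}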
