package uk.gov.ida.saml.metadata;

import com.google.common.base.Throwables;
import com.google.inject.Inject;
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.utils.Base64;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.security.credential.UsageType;
import org.opensaml.xmlsec.signature.X509Certificate;
import uk.gov.ida.saml.metadata.exceptions.NoKeyConfiguredForEntityException;
import uk.gov.ida.saml.security.SigningKeyStore;

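/**
 * Resolves the SAML-signing public keys of an identity provider from its metadata.
 *
 * <p>Keys are taken from the {@code IDPSSODescriptor} for the SAML 2.0 protocol of the
 * entity's {@code EntityDescriptor}, restricted to {@code KeyDescriptor}s whose
 * {@code use} attribute is exactly {@code signing}. Every {@code ds:X509Certificate}
 * below such a descriptor is parsed as a DER X.509 certificate and its subject public
 * key is returned.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>No validation of the certificates themselves is performed here (no validity
 *       period, chain or revocation check) — only the public key is extracted. Trust
 *       in the returned keys therefore rests entirely on the injected
 *       {@link MetadataResolver} surfacing only metadata it has authenticated (for
 *       example by verifying the metadata signature). Confirm the resolver is wired
 *       that way; this class cannot tell.</li>
 *   <li>A {@code KeyDescriptor} without a {@code use} attribute is skipped. The SAML
 *       metadata specification treats an absent {@code use} as "either purpose", and
 *       OpenSAML is believed to report it as {@link UsageType#UNSPECIFIED}, which does
 *       not equal {@link UsageType#SIGNING}. This fails closed but can reject otherwise
 *       valid IdP metadata; revisit if interoperability requires it.</li>
 *   <li>A single malformed certificate aborts the whole lookup with an unchecked
 *       exception instead of being skipped, so a bad entry cannot silently shrink the
 *       set of trusted keys.</li>
 * </ul>
 *
 * @deprecated retained for existing callers; new code should not depend on this class.
 */
@Deprecated
public class IdpMetadataPublicKeyStore implements SigningKeyStore {
    /** Protocol URI selecting the SAML 2.0 IdP role descriptor within an entity. */
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";

    private final MetadataResolver metadataResolver;

    @Inject
    public IdpMetadataPublicKeyStore(MetadataResolver metadataResolver) {
        this.metadataResolver = metadataResolver;
    }

    /**
     * Returns the signing keys published in the metadata of the given entity.
     *
     * @param str entityID of the identity provider
     * @return a non-empty, unmodifiable list of public keys
     * @throws NoKeyConfiguredForEntityException if the resolver knows no such entity, the
     *         entity has no SAML 2.0 {@code IDPSSODescriptor}, or that descriptor carries
     *         no usable {@code signing} key
     * @throws IllegalStateException if metadata resolution fails or a certificate in the
     *         metadata cannot be decoded
     */
    public List<PublicKey> getVerifyingKeysForEntity(String str) {
        List<PublicKey> signingKeys = getEntityDescriptor(str)
                .map(descriptor -> getPublicKeys(descriptor, UsageType.SIGNING))
                .orElse(Collections.emptyList());
        if (signingKeys.isEmpty()) {
            throw new NoKeyConfiguredForEntityException(str);
        }
        return signingKeys;
    }

    /** Keys of the given usage from the entity's SAML 2.0 IdP role, or empty if it has none. */
    private static List<PublicKey> getPublicKeys(EntityDescriptor entityDescriptor, UsageType usageType) {
        IDPSSODescriptor idpRole = entityDescriptor.getIDPSSODescriptor(SAML2_PROTOCOL);
        if (idpRole == null) {
            return Collections.emptyList();
        }
        return getPublicKeys(idpRole, usageType);
    }

    /**
     * Keys of the given usage from the role descriptor, as an unmodifiable list.
     * The comparison is written null-safe so a descriptor with no {@code use} is skipped
     * rather than throwing; descriptors with no {@code ds:KeyInfo} are skipped too.
     */
    private static List<PublicKey> getPublicKeys(IDPSSODescriptor idpRole, UsageType usageType) {
        return idpRole.getKeyDescriptors().stream()
                .filter(keyDescriptor -> usageType.equals(keyDescriptor.getUse()))
                .filter(keyDescriptor -> keyDescriptor.getKeyInfo() != null)
                .flatMap(IdpMetadataPublicKeyStore::getPublicKeys)
                .collect(Collectors.collectingAndThen(Collectors.toList(), List::copyOf));
    }

    /** Public key of every {@code ds:X509Certificate} under the descriptor's {@code ds:KeyInfo}. */
    private static Stream<PublicKey> getPublicKeys(KeyDescriptor keyDescriptor) {
        return keyDescriptor.getKeyInfo().getX509Datas().stream()
                .flatMap(x509Data -> x509Data.getX509Certificates().stream())
                .map(IdpMetadataPublicKeyStore::getPublicKey);
    }

    /**
     * Decodes the base64 text of a {@code ds:X509Certificate} element and returns the
     * certificate's public key. The certificate is not otherwise validated (see class docs).
     *
     * @throws IllegalStateException if the element is empty, not valid base64, or not a
     *         parseable X.509 certificate
     */
    private static PublicKey getPublicKey(X509Certificate x509Certificate) {
        String encoded = x509Certificate.getValue();
        if (encoded == null) {
            throw new IllegalStateException("Empty ds:X509Certificate element in IdP metadata");
        }
        try {
            // java.util.Base64 is written fully qualified to avoid clashing with the
            // deprecated org.apache.xml.security.utils.Base64 import above. The MIME
            // decoder tolerates the line breaks that metadata certificate text carries.
            byte[] der = java.util.Base64.getMimeDecoder().decode(encoded);
            return CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der))
                    .getPublicKey();
        } catch (IllegalArgumentException | CertificateException e) {
            throw new IllegalStateException("Unable to parse X509Certificate from IdP metadata", e);
        }
    }

    /**
     * Looks the entity up in the metadata resolver by entityID.
     *
     * @throws IllegalStateException wrapping the {@link ResolverException} if resolution fails
     */
    private Optional<EntityDescriptor> getEntityDescriptor(String entityId) {
        try {
            EntityDescriptor descriptor =
                    this.metadataResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(entityId)));
            return Optional.ofNullable(descriptor);
        } catch (ResolverException e) {
            throw new IllegalStateException("Unable to resolve metadata for entity " + entityId, e);
        }
    }
}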
