package uk.gov.ida.saml.metadata;

import com.google.common.base.Throwables;
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Provider;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.xmlsec.SignatureValidationParameters;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.signature.support.SignatureValidationParametersCriterion;
import org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine;

/* loaded from: input_file:uk/gov/ida/saml/metadata/PKIXSignatureValidationFilterProvider.class */
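/**
 * Builds the {@link SignatureValidationFilter} used to check the XML signature on SAML
 * metadata against the certificates held in the injected metadata trust store.
 *
 * <p>The filter validates with a PKIX trust engine, restricts the accepted signature and
 * digest algorithms to {@link #WHITELISTED_ALGORITHMS}, and requires the metadata root
 * element to be signed.
 *
 * <p>NOTE(review): this listing is decompiler output. The decompiler renamed the provider
 * method from {@code get} to {@code m84get}, so the class as listed does not satisfy
 * {@code Provider#get()}; restore the original name when rebuilding from this listing.
 */
public class PKIXSignatureValidationFilterProvider implements Provider<SignatureValidationFilter> {
    /**
     * Verification depth passed to {@link BasicPKIXValidationInformation}.
     * NOTE(review): 0 presumably means no intermediate CAs are accepted between the signing
     * certificate and a trust anchor; confirm against the OpenSAML documentation.
     */
    public static final int CERTIFICATE_CHAIN_DEPTH = 0;

    /**
     * Signature and digest algorithm URIs accepted when validating metadata signatures.
     * No SHA-1 based URI is listed.
     *
     * <p>The list is wrapped as unmodifiable because it is a public static: a bare
     * {@code Arrays.asList} still permits {@code set(...)}, which would let any code in the
     * JVM swap an entry for a weaker algorithm and silently widen what this filter accepts.
     */
    public static final List<String> WHITELISTED_ALGORITHMS = Collections.unmodifiableList(Arrays.asList(
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
            "http://www.w3.org/2001/04/xmlenc#sha256",
            "http://www.w3.org/2001/04/xmlenc#sha512",
            "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
            "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
            "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
            "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"));

    /** Trust store whose certificate entries become the PKIX trust anchors. */
    private final KeyStore metadataTrustStore;

    /**
     * @param keyStore trust store bound under the name {@code metadataTruststore}; every
     *     alias in it is treated as a trust anchor for metadata signatures
     */
    @Inject
    public PKIXSignatureValidationFilterProvider(@Named("metadataTruststore") KeyStore keyStore) {
        // JVM-wide side effect. addProvider() does nothing when a provider with the same
        // name is already installed, so constructing several providers is harmless.
        Security.addProvider(new BouncyCastleProvider());
        this.metadataTrustStore = keyStore;
    }

    /**
     * Creates a signature validation filter backed by the current contents of the trust store.
     *
     * <p>Renamed from {@code get} by the decompiler (merged with the bridge method).
     *
     * @return a filter that requires a signed root element and accepts only the
     *     algorithms in {@link #WHITELISTED_ALGORITHMS}
     * @throws RuntimeException wrapping the {@link KeyStoreException} or
     *     {@link CertificateException} raised while reading the trust store
     */
    public SignatureValidationFilter m84get() {
        final BasicPKIXValidationInformation validationInformation;
        try {
            // No CRLs are supplied here (empty list), so this filter performs no CRL-based
            // revocation check with locally provided CRLs.
            validationInformation = new BasicPKIXValidationInformation(loadTrustAnchors(), Collections.emptyList(), CERTIFICATE_CHAIN_DEPTH);
        } catch (KeyStoreException | CertificateException e) {
            // Explicit throw: construction must never continue with missing trust anchors.
            throw Throwables.propagate(e);
        }
        // Certificates embedded in the signature's KeyInfo are only candidates; they are
        // trusted solely if PKIX validation links them to the anchors loaded above.
        PKIXSignatureTrustEngine trustEngine = new PKIXSignatureTrustEngine(new NamelessPKIXValidationInformationResolver(Arrays.asList(validationInformation)), new BasicProviderKeyInfoCredentialResolver(Arrays.asList(new InlineX509DataProvider())));
        SignatureValidationParameters validationParameters = new SignatureValidationParameters();
        validationParameters.setWhitelistedAlgorithms(WHITELISTED_ALGORITHMS);
        SignatureValidationFilter signatureValidationFilter = new SignatureValidationFilter(trustEngine);
        signatureValidationFilter.setDefaultCriteria(new CriteriaSet(new Criterion[]{new SignatureValidationParametersCriterion(validationParameters)}));
        // Unsigned metadata documents are rejected rather than passed through.
        signatureValidationFilter.setRequireSignedRoot(true);
        return signatureValidationFilter;
    }

    /**
     * Reads every alias of the trust store and re-parses its certificate as X.509.
     *
     * @return the trust anchors, in alias enumeration order; empty when the store is empty
     * @throws KeyStoreException if the store is not initialised or an alias carries no
     *     certificate
     * @throws CertificateException if a stored certificate cannot be encoded or re-parsed
     */
    private List<X509Certificate> loadTrustAnchors() throws KeyStoreException, CertificateException {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        List<X509Certificate> trustAnchors = new ArrayList<>();
        for (String alias : Collections.list(this.metadataTrustStore.aliases())) {
            java.security.cert.Certificate storedCertificate = this.metadataTrustStore.getCertificate(alias);
            if (storedCertificate == null) {
                // getCertificate() returns null for an entry without a certificate; report
                // the alias instead of failing later with a context-free NullPointerException.
                throw new KeyStoreException("Metadata trust store entry '" + alias + "' has no certificate");
            }
            trustAnchors.add((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(storedCertificate.getEncoded())));
        }
        return trustAnchors;
    }
}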
