package uk.gov.ida.saml.security;

import java.security.KeyStore;
import java.security.cert.X509Certificate;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriterion;
import org.opensaml.security.x509.X509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import uk.gov.ida.common.shared.security.verification.CertificateChainValidator;
import uk.gov.ida.common.shared.security.verification.CertificateValidity;
import uk.gov.ida.common.shared.security.verification.exceptions.CertificateChainValidationException;

/* loaded from: input_file:uk/gov/ida/saml/security/CertificateChainEvaluableCriterion.class */
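/**
 * Credential criterion that accepts a credential only when it is an
 * {@link X509Credential} whose entity certificate is reported valid by the
 * configured {@link CertificateChainValidator} against the configured
 * {@link KeyStore}.
 *
 * <p>Every other outcome (null credential, non-X.509 credential, missing entity
 * certificate, invalid chain, validator failure) evaluates to {@code false}, so
 * the criterion fails closed.
 *
 * <p>Rejections are logged with the subject and serial number of the rejected
 * certificate so that a rejected signing or encryption certificate can be
 * identified during triage. Text taken from the certificate or from validator
 * messages has control characters replaced before it is logged, because that
 * text originates from the presented credential.
 */
public class CertificateChainEvaluableCriterion implements EvaluableCredentialCriterion {
    // One logger per class is enough; the original created one per instance.
    private static final Logger log = LoggerFactory.getLogger(CertificateChainEvaluableCriterion.class);

    private final CertificateChainValidator certificateChainValidator;
    private final KeyStore keyStore;

    /**
     * Creates the criterion.
     *
     * @param certificateChainValidator validator invoked for each X.509 entity certificate
     * @param keyStore key store handed unchanged to the validator on every evaluation
     *     (presumably the trust anchors; confirm against the validator implementation)
     */
    public CertificateChainEvaluableCriterion(CertificateChainValidator certificateChainValidator, KeyStore keyStore) {
        this.certificateChainValidator = certificateChainValidator;
        this.keyStore = keyStore;
    }

    /**
     * Evaluates whether the credential's entity certificate passes chain validation.
     *
     * @param credential credential to evaluate; may be {@code null}
     * @return {@code true} only when the validator reports the entity certificate as valid;
     *     {@code false} in every other case, including when the validator throws
     *     {@link CertificateChainValidationException}
     */
    public boolean apply(Credential credential) {
        if (credential == null) {
            log.error("Credential target was null");
            return false;
        }
        if (!(credential instanceof X509Credential)) {
            log.info("Credential is not an X509Credential, cannot evaluate certificate chain criterion");
            return false;
        }
        X509Certificate entityCertificate = ((X509Credential) credential).getEntityCertificate();
        if (entityCertificate == null) {
            log.info("X509Credential did not contain an entity certificate, cannot evaluate certificate chain criterion");
            return false;
        }
        try {
            CertificateValidity validity = certificateChainValidator.validate(entityCertificate, keyStore);
            if (validity.isValid()) {
                return true;
            }
            // Always record the rejection, even when the validator supplies no exception;
            // the original logged nothing in that case.
            String reason = validity.getException()
                    .map(cause -> sanitise(cause.getMessage()))
                    .orElse("no reason reported");
            log.info("Certificate chain validation failed for {}: {}", describe(entityCertificate), reason);
            return false;
        } catch (CertificateChainValidationException e) {
            // The validator could not reach a verdict; treat that as a rejection.
            log.info("Certificate chain validation could not be completed for {}: {}",
                    describe(entityCertificate), sanitise(e.getMessage()));
            // Keep the cause available for diagnosis without adding a stack trace at INFO.
            log.debug("Certificate chain validation exception", e);
            return false;
        }
    }

    /** Builds a log-safe identifier (subject and decimal serial number) for a certificate. */
    private static String describe(X509Certificate certificate) {
        // String.valueOf keeps this null-safe for certificate implementations that return null.
        return "subject=\"" + sanitise(String.valueOf(certificate.getSubjectX500Principal()))
                + "\", serial=" + String.valueOf(certificate.getSerialNumber());
    }

    /** Replaces control characters so certificate-derived text cannot break up a log entry. */
    private static String sanitise(String value) {
        return value == null ? "null" : value.replaceAll("\\p{Cntrl}", "_");
    }
}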
