package eu.unicore.security.consignor;

import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.samly2.trust.SimpleTrustChecker;
import eu.unicore.samly2.validators.AssertionValidator;
import java.security.cert.X509Certificate;
import java.util.Objects;
import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;
import xmlbeans.org.oasis.saml2.assertion.AssertionType;

/* loaded from: input_file:eu/unicore/security/consignor/ConsignorValidator.class */
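/**
 * Validates a SAML consignor assertion against one trusted issuer certificate.
 *
 * <p>On top of the generic checks done by {@link AssertionValidator#validate}, this validator
 * requires that the assertion's Subject carries a NameID in X.509 subject-name (DN) format, that
 * the Issuer is in DN format as well, and that the Issuer's DN is equal (as an X.500 name, via
 * {@link X500NameUtils#equal}) to the subject DN of the configured issuer certificate.
 *
 * <p>Every failed check is reported as a {@link SAMLValidationException}; a structurally
 * incomplete assertion (missing Subject, NameID or Issuer) is rejected the same way instead of
 * surfacing as a {@link NullPointerException}.
 */
public class ConsignorValidator extends AssertionValidator {
    /** SAML 1.1 NameID format URI for X.509 subject names; required for both Subject and Issuer. */
    private static final String X509_SUBJECT_NAME_FORMAT =
            "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";

    /** Certificate whose subject DN the assertion's Issuer must match. */
    private final X509Certificate issuerCert;

    /**
     * Creates a validator that trusts assertions issued by the given certificate.
     *
     * @param x509Certificate certificate of the expected assertion issuer; must not be null
     * @throws NullPointerException if {@code x509Certificate} is null
     */
    public ConsignorValidator(X509Certificate x509Certificate) {
        // NOTE(review): the three null String arguments, the 180000L value and the boolean passed to
        // SimpleTrustChecker are forwarded unchanged; their meaning is defined by those classes.
        super((String) null, (String) null, (String) null, 180000L,
                new SimpleTrustChecker(x509Certificate, true));
        // Fail fast here rather than with an NPE inside validate().
        this.issuerCert = Objects.requireNonNull(x509Certificate, "x509Certificate");
    }

    /**
     * Validates the assertion: runs the superclass checks first, then enforces the
     * consignor-specific requirements on the Subject/NameID format, the Issuer format and the
     * Issuer identity.
     *
     * @param assertionDocument the assertion document to validate
     * @throws SAMLValidationException if a generic check fails, if Subject, NameID or Issuer is
     *         missing, if either is not in DN format, or if the Issuer DN does not match the
     *         configured issuer certificate
     */
    @Override
    public void validate(AssertionDocument assertionDocument) throws SAMLValidationException {
        super.validate(assertionDocument);
        AssertionType assertion = assertionDocument.getAssertion();

        // Subject and its NameID are optional in the schema; reject their absence explicitly.
        if (assertion.getSubject() == null
                || assertion.getSubject().getNameID() == null
                || assertion.getSubject().getNameID().isNil()) {
            throw new SAMLValidationException("Assertion must have its Subject/NameID set");
        }
        if (!X509_SUBJECT_NAME_FORMAT.equals(assertion.getSubject().getNameID().getFormat())) {
            throw new SAMLValidationException("Assertion Subject must be of DN format");
        }

        // The superclass may already require an Issuer; guarding here keeps this class
        // self-contained and turns a missing element into a validation failure.
        if (assertion.getIssuer() == null || assertion.getIssuer().isNil()) {
            throw new SAMLValidationException("Assertion must have its Issuer set");
        }
        if (!X509_SUBJECT_NAME_FORMAT.equals(assertion.getIssuer().getFormat())) {
            throw new SAMLValidationException("Assertion Issuer must be of DN format");
        }
        String issuerDn = assertion.getIssuer().getStringValue();
        if (issuerDn == null || issuerDn.trim().isEmpty()) {
            throw new SAMLValidationException("Assertion Issuer must not be empty");
        }
        // Compare as X.500 names so that encoding/ordering differences do not cause a mismatch.
        if (!X500NameUtils.equal(this.issuerCert.getSubjectX500Principal(), issuerDn)) {
            throw new SAMLValidationException("Issuer of assertion is not equal to the expected one: "
                    + X500NameUtils.getReadableForm(issuerDn));
        }
    }
}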
