package org.springframework.security.saml.trust.httpclient;

import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.x509.BasicPKIXValidationInformation;
import org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator;
import org.opensaml.xml.security.x509.CertPathPKIXValidationOptions;
import org.opensaml.xml.security.x509.PKIXValidationInformationResolver;
import org.opensaml.xml.security.x509.PKIXX509CredentialTrustEngine;
import org.opensaml.xml.security.x509.StaticPKIXValidationInformationResolver;
import org.opensaml.xml.security.x509.X509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator;
import org.springframework.security.saml.trust.X509KeyManager;
import org.springframework.security.saml.trust.X509TrustManager;
import org.springframework.security.saml.util.SAMLUtil;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.9.RELEASE.jar:org/springframework/security/saml/trust/httpclient/TLSProtocolSocketFactory.class */
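/**
 * Commons HttpClient {@link SecureProtocolSocketFactory} that delegates every socket creation to OpenSAML's
 * {@code org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory}.
 *
 * <p>The delegate is configured from the supplied {@link KeyManager}: its default credential is offered as the
 * client key during the TLS handshake, and the certificates of the {@code trustedKeys} aliases (or of every
 * available credential when no aliases are given) become the PKIX trust anchors against which the server
 * certificate chain is validated. Hostname verification is selected by {@code sslHostnameVerification} and is
 * only wired in when the OpenSAML version on the classpath exposes a constructor taking a
 * {@link HostnameVerifier}; otherwise a warning is logged and the delegate performs no hostname check, so the
 * peer is authenticated by trust anchor only.
 *
 * <p>The delegate is built once, at the end of the constructor, through the overridable
 * {@link #initializeDelegate()}. Subclasses overriding that hook (or {@link #getPKIXResolver()}) must not rely on
 * their own fields, which are not yet initialized when the hook runs.
 */
public class TLSProtocolSocketFactory implements SecureProtocolSocketFactory {

    private static final Logger log = LoggerFactory.getLogger(TLSProtocolSocketFactory.class);

    /** Hostname verification mode applied when the caller supplies none. */
    private static final String DEFAULT_HOSTNAME_VERIFICATION = "default";

    /** Maximum certification path depth handed to the PKIX validation information. */
    private static final int PKIX_VERIFICATION_DEPTH = 4;

    /** Source of the client credential and of the trust anchor certificates. */
    private final KeyManager keyManager;

    /** Hostname verification mode, resolved via {@link SAMLUtil#getHostnameVerifier(String)}. */
    private final String sslHostnameVerification;

    /** Aliases whose certificates act as trust anchors; lazily defaulted to every available credential. */
    private Set<String> trustedKeys;

    /** Fully configured OpenSAML factory that performs the actual TLS handshakes. */
    private final SecureProtocolSocketFactory socketFactory;

    /**
     * Creates the factory and eagerly builds the TLS delegate.
     *
     * @param keyManager key manager providing the client credential and the trust anchor certificates; must not
     *        be null
     * @param set aliases of {@code keyManager} certificates to trust as PKIX anchors, or null to trust the
     *        certificate of every credential the key manager reports as available
     * @param str hostname verification mode understood by {@link SAMLUtil#getHostnameVerifier(String)}; null
     *        selects {@code "default"}
     * @throws IllegalArgumentException when {@code keyManager} is null or a trusted alias has no certificate
     */
    public TLSProtocolSocketFactory(KeyManager keyManager, Set<String> set, String str) {
        if (keyManager == null) {
            throw new IllegalArgumentException("keyManager must not be null");
        }
        this.keyManager = keyManager;
        this.sslHostnameVerification = str != null ? str : DEFAULT_HOSTNAME_VERIFICATION;
        this.trustedKeys = set;
        // Must run after the fields above are assigned: the delegate reads keyManager, trustedKeys and
        // sslHostnameVerification. As a field initializer it would execute before this body and dereference null.
        this.socketFactory = initializeDelegate();
    }

    /**
     * Opens a TLS connection to {@code str}:{@code i} through the configured delegate.
     *
     * @param str host name
     * @param i port
     * @return connected socket
     * @throws IOException if the delegate cannot establish or verify the connection
     */
    @Override // org.apache.commons.httpclient.protocol.ProtocolSocketFactory
    public Socket createSocket(String str, int i) throws IOException {
        return this.socketFactory.createSocket(str, i);
    }

    /**
     * Opens a TLS connection to {@code str}:{@code i} bound to the given local address and port.
     *
     * @param str host name
     * @param i port
     * @param inetAddress local address to bind
     * @param i2 local port to bind
     * @return connected socket
     * @throws IOException if the delegate cannot establish or verify the connection
     */
    @Override // org.apache.commons.httpclient.protocol.ProtocolSocketFactory
    public Socket createSocket(String str, int i, InetAddress inetAddress, int i2) throws IOException {
        return this.socketFactory.createSocket(str, i, inetAddress, i2);
    }

    /**
     * Layers TLS over an already connected socket.
     *
     * @param socket existing socket
     * @param str host name
     * @param i port
     * @param z whether to close the underlying socket when the returned one is closed
     * @return TLS socket wrapping {@code socket}
     * @throws IOException if the delegate cannot complete the handshake
     */
    @Override // org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory
    public Socket createSocket(Socket socket, String str, int i, boolean z) throws IOException {
        return this.socketFactory.createSocket(socket, str, i, z);
    }

    /**
     * Opens a TLS connection honouring the connection parameters (e.g. timeouts) of the HttpClient.
     *
     * @param str host name
     * @param i port
     * @param inetAddress local address to bind
     * @param i2 local port to bind
     * @param httpConnectionParams HttpClient connection parameters
     * @return connected socket
     * @throws IOException if the delegate cannot establish or verify the connection
     */
    @Override // org.apache.commons.httpclient.protocol.ProtocolSocketFactory
    public Socket createSocket(String str, int i, InetAddress inetAddress, int i2, HttpConnectionParams httpConnectionParams) throws IOException {
        return this.socketFactory.createSocket(str, i, inetAddress, i2, httpConnectionParams);
    }

    /**
     * Builds the OpenSAML socket factory that performs the actual TLS handshakes.
     *
     * <p>The trust manager validates server certificate chains with a {@link PKIXX509CredentialTrustEngine}
     * fed by {@link #getPKIXResolver()} and a {@link BasicX509CredentialNameEvaluator}, using an empty
     * {@link CriteriaSet}. The key manager presents the default credential of the configured
     * {@link KeyManager} when the server requests client authentication.
     *
     * @return configured delegate; it carries a {@link HostnameVerifier} only when
     *         {@link #isHostnameVerificationSupported()} reports support
     */
    protected SecureProtocolSocketFactory initializeDelegate() {
        PKIXX509CredentialTrustEngine trustEngine = new PKIXX509CredentialTrustEngine(
                getPKIXResolver(),
                new CertPathPKIXTrustEvaluator(new CertPathPKIXValidationOptions()),
                new BasicX509CredentialNameEvaluator());
        X509KeyManager clientKeyManager = new X509KeyManager((X509Credential) this.keyManager.getDefaultCredential());
        X509TrustManager serverTrustManager = new X509TrustManager(new CriteriaSet(), trustEngine);
        if (isHostnameVerificationSupported()) {
            return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(
                    clientKeyManager, serverTrustManager, SAMLUtil.getHostnameVerifier(this.sslHostnameVerification));
        }
        // Older OpenSAML: the two-argument constructor has no hostname verifier at all.
        return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(clientKeyManager, serverTrustManager);
    }

    /**
     * Builds the resolver supplying PKIX validation information (trust anchors, no CRLs) for server certificates.
     *
     * <p>When no {@code trustedKeys} were given, every alias returned by {@link KeyManager#getAvailableCredentials()}
     * is trusted and the field is updated to that set, so the decision is made once.
     *
     * @return static resolver holding a single validation-information entry with depth {@code 4}
     * @throws IllegalArgumentException when an alias in {@code trustedKeys} has no certificate in the key manager
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    protected PKIXValidationInformationResolver getPKIXResolver() {
        if (this.trustedKeys == null) {
            this.trustedKeys = this.keyManager.getAvailableCredentials();
        }
        List<X509Certificate> anchors = new ArrayList<X509Certificate>(this.trustedKeys.size());
        for (String alias : this.trustedKeys) {
            X509Certificate certificate = this.keyManager.getCertificate(alias);
            if (certificate == null) {
                // Fail at construction with the offending alias rather than handing a null anchor to path validation.
                throw new IllegalArgumentException("No certificate found for trusted key alias " + alias);
            }
            log.debug("Adding PKIX trust anchor {} for SSL/TLS verification", alias);
            anchors.add(certificate);
        }
        // Raw list kept as in the original: the resolver's declared element interface is not imported here.
        List validationInformation = new LinkedList();
        validationInformation.add(new BasicPKIXValidationInformation(anchors, null, PKIX_VERIFICATION_DEPTH));
        return new StaticPKIXValidationInformationResolver(validationInformation, null);
    }

    /**
     * Checks reflectively whether the OpenSAML {@code TLSProtocolSocketFactory} on the classpath accepts a
     * {@link HostnameVerifier}, i.e. whether the configured hostname verification can be enforced at all.
     *
     * @return true when the three-argument constructor exists; false (with a warning) otherwise
     */
    protected boolean isHostnameVerificationSupported() {
        try {
            org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.class.getConstructor(
                    javax.net.ssl.X509KeyManager.class, javax.net.ssl.X509TrustManager.class, HostnameVerifier.class);
            return true;
        } catch (NoSuchMethodException missingConstructor) {
            log.warn("HostnameVerification is not supported, update your OpenSAML libraries");
            return false;
        }
    }
}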
