package org.opensaml.security.httpclient.impl;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Collections;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import net.shibboleth.utilities.java.support.httpclient.HttpClientSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.http.HttpHost;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
import org.apache.http.protocol.HttpContext;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.httpclient.HttpClientSecurityConstants;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.TrustedNamesCriterion;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.tls.impl.ThreadLocalX509CredentialContext;
import org.opensaml.security.x509.tls.impl.ThreadLocalX509TrustEngineContext;
import org.opensaml.security.x509.tls.impl.ThreadLocalX509TrustEngineSupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/opensaml-security-impl-4.2.0.jar:org/opensaml/security/httpclient/impl/SecurityEnhancedTLSSocketFactory.class */
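/**
 * A {@link LayeredConnectionSocketFactory} decorator that publishes OpenSAML's TLS evaluation data
 * (server {@link TrustEngine} plus {@link CriteriaSet}, client {@link X509Credential}) to thread-local
 * storage for the duration of a socket connect or TLS upgrade, so the wrapped factory's TLS machinery
 * can consume it, and that evaluates the server certificate through the trust engine afterwards if the
 * handshake itself did not record a result.
 *
 * <p>The data is read from the {@link HttpContext} under the keys defined in
 * {@link HttpClientSecurityConstants} and stored via {@link ThreadLocalX509TrustEngineContext} and
 * {@link ThreadLocalX509CredentialContext}. Clearing of the thread-locals is deferred to the end of the
 * request by registering dynamic context handlers on the {@link HttpClientContext}, rather than being
 * done inline here.</p>
 */
public class SecurityEnhancedTLSSocketFactory implements LayeredConnectionSocketFactory {

    /** Deferred handler that clears the thread-local server TLS trust engine and criteria. */
    private static final ThreadLocalServerTLSHandler SERVER_TLS_HANDLER = new ThreadLocalServerTLSHandler();

    /** Deferred handler that clears the thread-local client TLS credential. */
    private static final ThreadLocalClientTLSCredentialHandler CLIENT_TLS_HANDLER =
            new ThreadLocalClientTLSCredentialHandler();

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(SecurityEnhancedTLSSocketFactory.class);

    /** The factory that actually creates, connects and TLS-layers sockets. */
    @Nonnull private final LayeredConnectionSocketFactory wrappedFactory;

    /**
     * Constructor.
     *
     * @param layeredConnectionSocketFactory the factory to which socket creation is delegated
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the factory is null
     */
    public SecurityEnhancedTLSSocketFactory(
            @Nonnull final LayeredConnectionSocketFactory layeredConnectionSocketFactory) {
        wrappedFactory = Constraint.isNotNull(layeredConnectionSocketFactory, "Socket factory was null");
    }

    /**
     * {@inheritDoc}
     *
     * <p>Delegated unchanged: no TLS handshake happens at this stage, so there is nothing to set up.</p>
     */
    @Override
    public Socket createSocket(final HttpContext httpContext) throws IOException {
        log.trace("In createSocket");
        return wrappedFactory.createSocket(httpContext);
    }

    /**
     * {@inheritDoc}
     *
     * <p>Thread-local TLS data is set up from the context before delegating, the socket returned by the
     * wrapped factory is evaluated against the server trust engine if needed, and deferred clearing of
     * the thread-locals is always scheduled, even if connecting or evaluation fails.</p>
     */
    @Override
    public Socket connectSocket(final int connectTimeout, final Socket socket, final HttpHost host,
            final InetSocketAddress remoteAddress, final InetSocketAddress localAddress,
            final HttpContext httpContext) throws IOException {
        log.trace("In connectSocket");
        try {
            // The target host name is the default trusted name for server certificate evaluation.
            setup(httpContext, host.getHostName());
            final Socket connected = wrappedFactory.connectSocket(connectTimeout, socket, host,
                    remoteAddress, localAddress, httpContext);
            checkAndEvaluateServerTLS(connected);
            return connected;
        } finally {
            teardown(httpContext);
        }
    }

    /**
     * {@inheritDoc}
     *
     * <p>Used when TLS is layered over an already-connected socket (for example through a proxy tunnel).
     * The socket <em>returned</em> by the wrapped factory is the TLS socket and is the one evaluated
     * against the server trust engine.</p>
     */
    @Override
    public Socket createLayeredSocket(final Socket socket, final String target, final int port,
            final HttpContext httpContext) throws IOException {
        log.trace("In createLayeredSocket");
        try {
            setup(httpContext, target);
            final Socket layered = wrappedFactory.createLayeredSocket(socket, target, port, httpContext);
            // Evaluate the layered (TLS) socket rather than the socket passed in: the input socket is the
            // one being upgraded and is normally not an SSLSocket, so checking it would silently skip the
            // fallback evaluation when the handshake did not run the trust engine.
            checkAndEvaluateServerTLS(layered);
            return layered;
        } finally {
            teardown(httpContext);
        }
    }

    /**
     * Evaluate the server TLS certificate via the thread-local trust engine if a trust engine is present
     * and the handshake has not already recorded a trust decision (e.g. on TLS session resumption,
     * where the trust manager callbacks do not run).
     *
     * @param socket the socket to evaluate; ignored unless it is an {@link SSLSocket}
     * @throws IOException if evaluation fails, including when the server certificate is untrusted and
     *         failure is configured as fatal
     */
    protected void checkAndEvaluateServerTLS(@Nonnull final Socket socket) throws IOException {
        if (!(socket instanceof SSLSocket) || ThreadLocalX509TrustEngineContext.getTrustEngine() == null) {
            return;
        }
        final Boolean alreadyTrusted = ThreadLocalX509TrustEngineContext.getTrusted();
        if (alreadyTrusted != null) {
            log.trace("Had TrustEngine and was previously evaluated as trusted={}", alreadyTrusted);
        } else {
            log.trace("Have TrustEngine but was not previously evaluated, likely due to TLS session resumption. Evaluating now.");
            ThreadLocalX509TrustEngineSupport.evaluate((SSLSocket) socket);
        }
    }

    /**
     * Populate the thread-local server and client TLS data from the supplied context.
     *
     * @param httpContext the context supplied to the socket factory; if null nothing is set up
     * @param hostName the target host name, used as the default trusted name
     * @throws SSLPeerUnverifiedException if setup of the server TLS data fails
     */
    protected void setup(@Nullable final HttpContext httpContext, @Nonnull final String hostName)
            throws SSLPeerUnverifiedException {
        log.trace("Attempting to setup thread-local data for TLS evaluation");
        if (httpContext == null) {
            log.trace("HttpContext was null, skipping thread-local setup");
            return;
        }
        setupServerTLS(httpContext, hostName);
        setupClientTLS(httpContext);
    }

    /**
     * Load the client TLS credential from the context into {@link ThreadLocalX509CredentialContext},
     * overwriting any credential already present on the thread.
     *
     * @param httpContext the context, read under
     *        {@link HttpClientSecurityConstants#CONTEXT_KEY_CLIENT_TLS_CREDENTIAL}
     */
    protected void setupClientTLS(@Nonnull final HttpContext httpContext) {
        final X509Credential credential =
                (X509Credential) httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_CLIENT_TLS_CREDENTIAL);
        if (credential == null) {
            log.trace("X509Credential not supplied by caller, skipping ThreadLocalX509CredentialContext population");
            return;
        }
        log.trace("Loading ThreadLocalX509CredentialContext with client TLS credential: {}", credential);
        if (ThreadLocalX509CredentialContext.haveCurrent()) {
            log.trace("ThreadLocalX509CredentialContext was already loaded with client TLS credential, will be overwritten with data from HttpContext");
        }
        ThreadLocalX509CredentialContext.loadCurrent(credential);
    }

    /**
     * Load the server TLS trust engine, evaluation criteria and the failure-is-fatal flag from the
     * context into {@link ThreadLocalX509TrustEngineContext}, overwriting any data already present on
     * the thread. When the caller supplies no {@link CriteriaSet}, one is built requiring the
     * {@link UsageType#SIGNING} usage and a trusted name equal to the target host name.
     *
     * @param httpContext the context, read under
     *        {@link HttpClientSecurityConstants#CONTEXT_KEY_TRUST_ENGINE},
     *        {@link HttpClientSecurityConstants#CONTEXT_KEY_CRITERIA_SET} and
     *        {@link HttpClientSecurityConstants#CONTEXT_KEY_SERVER_TLS_FAILURE_IS_FATAL}
     * @param hostName the target host name used as the default trusted name
     */
    protected void setupServerTLS(@Nonnull final HttpContext httpContext, @Nonnull final String hostName) {
        final TrustEngine trustEngine =
                (TrustEngine) httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_TRUST_ENGINE);
        if (trustEngine == null) {
            log.debug("TrustEngine not supplied by the caller, skipping ThreadLocalX509TrustEngineContext population");
            return;
        }

        CriteriaSet criteria =
                (CriteriaSet) httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_CRITERIA_SET);
        if (criteria == null) {
            log.debug("No CriteriaSet supplied by caller, building new instance with signing and trusted names criteria");
            criteria = new CriteriaSet(new UsageCriterion(UsageType.SIGNING));
            criteria.add(new TrustedNamesCriterion(Collections.singleton(hostName)));
        } else {
            log.trace("Saw CriteriaSet: {}", criteria);
        }

        // May be null; the thread-local context is responsible for applying its default.
        final Boolean failureIsFatal =
                (Boolean) httpContext.getAttribute(HttpClientSecurityConstants.CONTEXT_KEY_SERVER_TLS_FAILURE_IS_FATAL);

        if (ThreadLocalX509TrustEngineContext.haveCurrent()) {
            log.trace("ThreadLocalX509TrustEngineContext was already loaded with trust engine and criteria, will be overwritten with data from HttpContext");
        }
        ThreadLocalX509TrustEngineContext.loadCurrent(trustEngine, criteria, failureIsFatal);
    }

    /**
     * Schedule deferred clearing of whichever thread-local TLS data is currently loaded, via dynamic
     * context handlers registered last on the {@link HttpClientContext}. The thread-locals are not
     * cleared here because the TLS data may still be needed later in the request.
     *
     * @param httpContext the context on which to register the handlers; if null (in which case
     *        {@link #setup} loaded nothing) there is nothing to register and the call is a no-op
     */
    protected void teardown(@Nullable final HttpContext httpContext) {
        if (httpContext == null) {
            // Mirrors setup(): a null context cannot be adapted to an HttpClientContext, and no
            // deferred handlers can be attached to it.
            log.trace("HttpContext was null, skipping thread-local teardown");
            return;
        }
        final HttpClientContext clientContext = HttpClientContext.adapt(httpContext);
        if (ThreadLocalX509TrustEngineContext.haveCurrent()) {
            log.trace("Scheduling deferred clearing of thread-local server TLS TrustEngine and CriteriaSet");
            HttpClientSupport.addDynamicContextHandlerLast(clientContext, SERVER_TLS_HANDLER, true);
        }
        if (ThreadLocalX509CredentialContext.haveCurrent()) {
            log.trace("Scheduling deferred clearing of thread-local client TLS X509Credential");
            HttpClientSupport.addDynamicContextHandlerLast(clientContext, CLIENT_TLS_HANDLER, true);
        }
    }
}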
