package org.jasig.portal.security.provider.saml;

import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.charset.Charset;
import java.security.KeyException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.params.HttpParams;
import org.opensaml.xml.security.SecurityHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/delegated-saml-authentication-1.1.2.jar:org/jasig/portal/security/provider/saml/PublicKeyVerifyingSSLSocketFactory.class */
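/**
 * An {@link SSLSocketFactory} that, after the TLS handshake performed by the supplied
 * {@link SSLContext}, additionally requires that the public key configured at construction
 * time appears in the certificate chain presented by the peer (public-key pinning). A
 * connection whose chain does not contain the pinned key is closed and rejected with an
 * {@link IOException}.
 * <p>
 * Security note: the TLS handshake only proves that the server holds the private key of the
 * <em>leaf</em> certificate (element 0 of the peer chain). A match against any other chain
 * element (an issuer certificate) is only meaningful if the trust manager inside the supplied
 * {@code SSLContext} has validated that chain's linkage; with a permissive trust manager a
 * server could simply append an arbitrary certificate carrying the pinned key. Pin the leaf
 * key, or make sure the context performs real chain validation when pinning an issuer key.
 */
public class PublicKeyVerifyingSSLSocketFactory extends SSLSocketFactory {
    protected final Logger logger;
    /** The pinned public key; never {@code null} because the constructor fails closed. */
    private final PublicKey publicKey;

    /**
     * Creates a pinning socket factory.
     *
     * @param sSLContext the context used for the underlying TLS handshake
     * @param str        Base64 encoding of the pinned public key, in whatever encoding
     *                   {@link SecurityHelper#decodePublicKey(byte[], char[])} accepts
     * @throws KeyException if {@code str} is {@code null} or does not decode to a public key
     */
    public PublicKeyVerifyingSSLSocketFactory(SSLContext sSLContext, String str) throws KeyException {
        super(sSLContext);
        this.logger = LoggerFactory.getLogger(getClass());
        if (str == null) {
            throw new KeyException("No public key was configured for SSL public key verification");
        }
        // Base64 text is pure ASCII; name the charset so decoding never depends on the platform default.
        PublicKey decoded = SecurityHelper.decodePublicKey(
                Base64.decodeBase64(str.getBytes(Charset.forName("US-ASCII"))), null);
        if (decoded == null) {
            // Fail closed: a factory that silently skipped pinning would look identical to one
            // that pins, from the caller's point of view.
            throw new KeyException("Configured public key could not be decoded");
        }
        this.publicKey = decoded;
    }

    /**
     * Connects through the parent factory (which performs the TLS handshake against the
     * configured {@link SSLContext}) and then enforces the public-key pin.
     *
     * @return the connected {@link SSLSocket}
     * @throws IOException if the underlying connect fails, if the peer's identity was not
     *                     established, or if no certificate in the peer chain carries the
     *                     pinned public key; in the latter two cases the socket is closed
     *                     before the exception propagates
     */
    @Override // org.apache.http.conn.ssl.SSLSocketFactory, org.apache.http.conn.scheme.SocketFactory
    public Socket connectSocket(Socket socket, String str, int i, InetAddress inetAddress, int i2, HttpParams httpParams) throws IOException {
        SSLSocket sslSocket = (SSLSocket) super.connectSocket(socket, str, i, inetAddress, i2, httpParams);
        boolean verified = false;
        try {
            this.logger.debug("Verifying SSL Socket to {}:{} against configured public key {}",
                    new Object[]{str, Integer.valueOf(i), this.publicKey});
            // Throws SSLPeerUnverifiedException (an IOException) when the peer presented no identity.
            Certificate[] chain = sslSocket.getSession().getPeerCertificates();
            verified = chainContainsPinnedKey(chain);
        } finally {
            // Close on every failure path, including an exception from getPeerCertificates(),
            // so a rejected connection never leaks an open socket.
            if (!verified) {
                closeQuietly(sslSocket);
            }
        }
        if (!verified) {
            throw new IOException("Unable to verify the server's public key");
        }
        return sslSocket;
    }

    /**
     * Returns {@code true} if any certificate in {@code chain} carries the pinned key.
     * Element 0 is the leaf, whose key the handshake actually proved; see the class note on
     * matches further up the chain. A {@code null} or empty chain never matches.
     */
    private boolean chainContainsPinnedKey(Certificate[] chain) {
        if (chain == null) {
            return false;
        }
        for (int idx = 0; idx < chain.length; idx++) {
            // Certificate.getPublicKey() is defined on the base type, so no X509 cast is needed
            // and a non-X509 chain element cannot blow up with a ClassCastException.
            PublicKey candidate = chain[idx].getPublicKey();
            if (this.publicKey.equals(candidate)) {
                if (idx == 0) {
                    this.logger.debug("Validated public key against server key: {}", candidate);
                } else {
                    this.logger.debug("Pinned key matched chain element {} rather than the leaf; "
                            + "this relies on the SSLContext having validated the chain", Integer.valueOf(idx));
                }
                return true;
            }
            this.logger.debug("server key doesn't match public key: {} ", candidate);
        }
        return false;
    }

    /** Closes the socket, logging (at debug) rather than propagating any close failure. */
    private void closeQuietly(Socket s) {
        try {
            s.close();
        } catch (IOException e) {
            this.logger.debug("Failed to close rejected SSL socket", e);
        }
    }
}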
