package io.undertow.security.impl;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMechanismFactory;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.X509CertificateCredential;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.RenegotiationRequiredException;
import io.undertow.server.SSLSessionInfo;
import io.undertow.server.handlers.form.FormParserFactory;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.xnio.SslClientAuthMode;

/* JADX WARN: Classes with same name are omitted:
  input_file:m2repo/io/undertow/undertow-core/2.1.3.Final/undertow-core-2.1.3.Final.jar:io/undertow/security/impl/ClientCertAuthenticationMechanism.class
 */
/* loaded from: input_file:m2repo/io/undertow/undertow-core/2.1.6.Final/undertow-core-2.1.6.Final.jar:io/undertow/security/impl/ClientCertAuthenticationMechanism.class */
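/**
 * Authentication mechanism that identifies the caller from the X.509 certificate presented by the
 * TLS peer.
 *
 * <p>The first certificate of the peer chain is wrapped in an {@link X509CertificateCredential}
 * and handed to the {@link IdentityManager}. This class performs no chain, validity-period or
 * revocation checks of its own: whatever the TLS layer accepted is what the identity manager sees.
 * NOTE(review): chain validation is presumably done by the TLS trust manager; confirm for the
 * deployment, because a permissive trust store makes the identity manager the only gate.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A certificate that the identity manager does not map to an account yields
 *       {@code NOT_ATTEMPTED}, the same outcome as "no certificate at all". Callers and logs
 *       therefore cannot tell a rejected certificate from an absent one through this outcome.</li>
 *   <li>Renegotiation is only tried when it is enabled <em>and</em> the security context reports
 *       that authentication is required.</li>
 * </ul>
 */
public class ClientCertAuthenticationMechanism implements AuthenticationMechanism {
    public static final AuthenticationMechanismFactory FACTORY = new Factory();

    /** Property key read by {@link Factory#create} to switch renegotiation on or off. */
    public static final String FORCE_RENEGOTIATION = "force_renegotiation";

    private final String name;
    // May be null; in that case the identity manager of the SecurityContext is used.
    private final IdentityManager identityManager;
    private final boolean forceRenegotiation;

    /* JADX WARN: Classes with same name are omitted:
      input_file:m2repo/io/undertow/undertow-core/2.1.3.Final/undertow-core-2.1.3.Final.jar:io/undertow/security/impl/ClientCertAuthenticationMechanism$Factory.class
     */
    /* loaded from: input_file:m2repo/io/undertow/undertow-core/2.1.6.Final/undertow-core-2.1.6.Final.jar:io/undertow/security/impl/ClientCertAuthenticationMechanism$Factory.class */
    /** Factory that builds the mechanism from a name, an identity manager and a property map. */
    public static final class Factory implements AuthenticationMechanismFactory {
        /**
         * @param identityManager ignored; the identity manager passed to {@link #create} is used
         * @deprecated use {@link #Factory()} instead
         */
        @Deprecated
        public Factory(IdentityManager identityManager) {
        }

        public Factory() {
        }

        /**
         * Creates the mechanism.
         *
         * <p>Renegotiation is enabled when {@link #FORCE_RENEGOTIATION} is absent from
         * {@code map}, or when its value is exactly {@code "true"}. The comparison is
         * case-sensitive, so values such as {@code "TRUE"} or {@code "yes"} disable renegotiation.
         *
         * @param str the mechanism name reported on successful authentication
         * @param identityManager identity manager to verify certificates against; may be null
         * @param formParserFactory unused by this mechanism
         * @param map mechanism properties; must not be null
         * @return a new mechanism instance
         */
        @Override // io.undertow.security.api.AuthenticationMechanismFactory
        public AuthenticationMechanism create(String str, IdentityManager identityManager, FormParserFactory formParserFactory, Map<String, String> map) {
            String configured = map.get(ClientCertAuthenticationMechanism.FORCE_RENEGOTIATION);
            boolean renegotiate = configured == null || "true".equals(configured);
            return new ClientCertAuthenticationMechanism(str, renegotiate, identityManager);
        }
    }

    /** Creates a mechanism named {@code "CLIENT_CERT"} with renegotiation enabled. */
    public ClientCertAuthenticationMechanism() {
        this(true);
    }

    /**
     * Creates a mechanism named {@code "CLIENT_CERT"}.
     *
     * @param z whether renegotiation may be forced to obtain a client certificate
     */
    public ClientCertAuthenticationMechanism(boolean z) {
        this("CLIENT_CERT", z);
    }

    /**
     * Creates a mechanism with renegotiation enabled.
     *
     * @param str the mechanism name
     */
    public ClientCertAuthenticationMechanism(String str) {
        this(str, true);
    }

    /**
     * Creates a mechanism that resolves its identity manager from the security context.
     *
     * @param str the mechanism name
     * @param z whether renegotiation may be forced to obtain a client certificate
     */
    public ClientCertAuthenticationMechanism(String str, boolean z) {
        this(str, z, null);
    }

    /**
     * @param str the mechanism name reported on successful authentication
     * @param z whether renegotiation may be forced to obtain a client certificate
     * @param identityManager identity manager to use, or null to take the one from the
     *     security context at authentication time
     */
    public ClientCertAuthenticationMechanism(String str, boolean z, IdentityManager identityManager) {
        this.name = str;
        this.forceRenegotiation = z;
        this.identityManager = identityManager;
    }

    /** Returns the explicitly configured identity manager, else the security context's one. */
    private IdentityManager getIdentityManager(SecurityContext securityContext) {
        return this.identityManager != null ? this.identityManager : securityContext.getIdentityManager();
    }

    /**
     * Attempts to authenticate the request from the peer's leaf certificate.
     *
     * @param httpServerExchange the current exchange
     * @param securityContext the security context to complete on success
     * @return {@code AUTHENTICATED} when the identity manager returns an account for the
     *     certificate; {@code NOT_ATTEMPTED} in every other case (no TLS session information,
     *     no or empty peer chain, a non-X.509 leaf, or a certificate the identity manager does
     *     not recognise)
     */
    @Override // io.undertow.security.api.AuthenticationMechanism
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        SSLSessionInfo sslSessionInfo = httpServerExchange.getConnection().getSslSessionInfo();
        if (sslSessionInfo == null) {
            // Not a TLS connection (or no session details available): nothing to authenticate with.
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        try {
            Certificate[] peerCertificates = getPeerCertificates(httpServerExchange, sslSessionInfo, securityContext);
            // Guard the index: a null or empty chain must end as NOT_ATTEMPTED, not as an
            // unchecked exception escaping the authentication pipeline.
            if (peerCertificates != null && peerCertificates.length > 0 && peerCertificates[0] instanceof X509Certificate) {
                // Only the leaf certificate is used as the credential.
                X509CertificateCredential credential = new X509CertificateCredential((X509Certificate) peerCertificates[0]);
                Account account = getIdentityManager(securityContext).verify(credential);
                if (account != null) {
                    // Third argument false: presumably "caching not required" - confirm against SecurityContext.
                    securityContext.authenticationComplete(account, this.name, false);
                    return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
                }
                // NOTE(review): a presented-but-unknown certificate falls through silently.
                // Consider logging it at the call site if rejected certificates need to be
                // visible to monitoring.
            }
        } catch (SSLPeerUnverifiedException ignored) {
            // Deliberate: the peer offered no usable certificate, so this mechanism simply
            // does not take part and other mechanisms may run.
        }
        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    /**
     * Reads the peer chain, renegotiating once if the session reports that this is required.
     *
     * <p>Renegotiation is attempted only when it was enabled for this mechanism and the security
     * context says authentication is required; the client certificate is then requested with
     * {@link SslClientAuthMode#REQUESTED}, so the peer may still decline to send one.
     * NOTE(review): TLS 1.3 removed renegotiation; confirm how
     * {@code SSLSessionInfo.renegotiate} behaves on such connections.
     *
     * @throws SSLPeerUnverifiedException if no peer certificates could be obtained; the
     *     triggering exception, when there is one, is attached as the cause
     */
    private Certificate[] getPeerCertificates(HttpServerExchange httpServerExchange, SSLSessionInfo sSLSessionInfo, SecurityContext securityContext) throws SSLPeerUnverifiedException {
        try {
            return sSLSessionInfo.getPeerCertificates();
        } catch (RenegotiationRequiredException e) {
            if (this.forceRenegotiation && securityContext.isAuthenticationRequired()) {
                try {
                    sSLSessionInfo.renegotiate(httpServerExchange, SslClientAuthMode.REQUESTED);
                    return sSLSessionInfo.getPeerCertificates();
                } catch (RenegotiationRequiredException e2) {
                    throw unverified(e2);
                } catch (IOException e3) {
                    throw unverified(e3);
                }
            }
            throw unverified(e);
        }
    }

    /** Builds the "peer unverified" signal while keeping the original failure for diagnostics. */
    private static SSLPeerUnverifiedException unverified(Throwable cause) {
        // SSLPeerUnverifiedException has no (message, cause) constructor, hence initCause.
        SSLPeerUnverifiedException failure = new SSLPeerUnverifiedException("");
        failure.initCause(cause);
        return failure;
    }

    /**
     * Sends no HTTP-level challenge; this mechanism always reports {@code NOT_SENT}.
     */
    @Override // io.undertow.security.api.AuthenticationMechanism
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        return AuthenticationMechanism.ChallengeResult.NOT_SENT;
    }
}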
