package org.opensaml.security.messaging.impl;

import com.google.common.base.Strings;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.messaging.ClientTLSSecurityParametersContext;
import org.opensaml.security.messaging.ServletRequestX509CredentialAdapter;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.X509Support;
import org.opensaml.security.x509.tls.CertificateNameOptions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-324.zip:modules/system/layers/fuse/org/opensaml/3.1/opensaml-security-impl-3.1.1.jar:org/opensaml/security/messaging/impl/BaseClientCertAuthSecurityHandler.class */
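/**
 * Base message handler that authenticates the TLS client certificate presented on the
 * inbound {@link HttpServletRequest} against the {@link TrustEngine} resolved from the
 * message context's {@link ClientTLSSecurityParametersContext}.
 *
 * <p>Failure semantics worth knowing when composing a handler chain:
 * <ul>
 *   <li>If the request carries no peer certificate, {@link #doInvoke} logs at debug level and
 *       returns normally; no exception is raised and no authenticated state is set.</li>
 *   <li>If the context already names a presenter entity ID and the certificate does not
 *       validate for it, a {@link MessageHandlerException} is thrown.</li>
 *   <li>If no presenter is named and none can be derived from the certificate (subject DN,
 *       subject alt names, then CN, in that order), the handler also returns normally and leaves
 *       the authenticated state untouched.</li>
 * </ul>
 * Subsequent handlers must therefore inspect the authenticated state themselves rather than
 * assume this handler rejected an untrusted client.
 *
 * <p>Subclasses bind the presenter entity ID and authenticated flag to their own context
 * model via the abstract accessors.
 */
public abstract class BaseClientCertAuthSecurityHandler extends BaseTrustEngineSecurityHandler<X509Credential> {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(BaseClientCertAuthSecurityHandler.class);

    /** Certificate name derivation options; populated by {@link #doPreInvoke}, null before that. */
    @Nullable
    private CertificateNameOptions certNameOptions;

    /** Servlet request whose peer certificate is authenticated; must be set before initialization. */
    @NonnullAfterInit
    private HttpServletRequest httpServletRequest;

    /**
     * Gets the servlet request whose peer certificate is evaluated.
     *
     * @return the servlet request, non-null once the component is initialized
     */
    @NonnullAfterInit
    public HttpServletRequest getHttpServletRequest() {
        return httpServletRequest;
    }

    /**
     * Sets the servlet request whose peer certificate is evaluated.
     *
     * @param httpServletRequest the servlet request, must not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if the component
     *         has already been initialized
     */
    public void setHttpServletRequest(@Nonnull final HttpServletRequest httpServletRequest) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        // Constraint.isNotNull is generic, so no cast is needed on the returned reference.
        this.httpServletRequest = Constraint.isNotNull(httpServletRequest, "HttpServletRequest cannot be null");
    }

    /**
     * Gets the certificate name options used to derive candidate presenter entity IDs.
     *
     * @return the options, or null if {@link #doPreInvoke} has not yet run for this invocation
     */
    @Nullable
    protected CertificateNameOptions getCertificateNameOptions() {
        return certNameOptions;
    }

    /**
     * Returns the certificate name options, failing loudly instead of with a bare NPE when they are absent.
     *
     * @return the options
     * @throws IllegalStateException if {@link #doPreInvoke} has not populated the options
     */
    @Nonnull
    private CertificateNameOptions requireCertificateNameOptions() {
        final CertificateNameOptions options = certNameOptions;
        if (options == null) {
            throw new IllegalStateException("CertificateNameOptions have not been resolved; doPreInvoke must run first");
        }
        return options;
    }

    /** {@inheritDoc} */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (httpServletRequest == null) {
            throw new ComponentInitializationException("HttpServletRequest cannot be null");
        }
    }

    /**
     * Resolves the X.509 trust engine from the {@link ClientTLSSecurityParametersContext}.
     *
     * @param messageContext the message context
     * @return the trust engine, or null if the subcontext or its validation parameters are absent
     */
    @Override
    @Nullable
    protected TrustEngine<? super X509Credential> resolveTrustEngine(@Nonnull final MessageContext messageContext) {
        final ClientTLSSecurityParametersContext tlsContext =
                messageContext.getSubcontext(ClientTLSSecurityParametersContext.class);
        if (tlsContext == null || tlsContext.getValidationParameters() == null) {
            return null;
        }
        return tlsContext.getValidationParameters().getX509TrustEngine();
    }

    /**
     * Decides whether client certificate evaluation should run, and captures the
     * {@link CertificateNameOptions} for this invocation.
     *
     * @param messageContext the message context
     * @return false if the superclass declines or the TLS parameters context opts out of evaluation, true otherwise
     * @throws MessageHandlerException if evaluation is wanted but no certificate name options are available
     */
    @Override
    public boolean doPreInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
        if (!super.doPreInvoke(messageContext)) {
            return false;
        }

        final ClientTLSSecurityParametersContext tlsContext =
                messageContext.getSubcontext(ClientTLSSecurityParametersContext.class);

        // An explicit opt-out in the context wins over everything else.
        if (tlsContext != null && !tlsContext.isEvaluateClientCertificate()) {
            log.debug("{} ClientTLSSecurityParametersContext signals to not perform client TLS cert evaluation", getLogPrefix());
            return false;
        }

        final CertificateNameOptions options = tlsContext == null || tlsContext.getValidationParameters() == null
                ? null
                : tlsContext.getValidationParameters().getCertificateNameOptions();
        if (options == null) {
            throw new MessageHandlerException("CertificateNameOptions was not available from the MessageContext");
        }

        certNameOptions = options;
        return true;
    }

    /**
     * Wraps the request's peer certificate as an {@link X509Credential} and evaluates it.
     *
     * <p>A request without a peer credential is not an error here: it is logged at debug level and the
     * handler returns without touching the authenticated state.
     *
     * @param messageContext the message context
     * @throws MessageHandlerException if a context-named presenter fails certificate authentication
     */
    @Override
    protected void doInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
        final ServletRequestX509CredentialAdapter credential;
        try {
            credential = new ServletRequestX509CredentialAdapter(getHttpServletRequest());
        } catch (final SecurityException e) {
            // Only the adapter constructor can raise SecurityException; doEvaluate declares MessageHandlerException.
            log.debug("{} HttpServletRequest did not contain a peer credential, skipping client certificate authentication", getLogPrefix());
            return;
        }

        logPresentedCertificate(credential);
        doEvaluate(credential, messageContext);
    }

    /**
     * Emits the presented certificate at debug level, if debug logging is enabled.
     *
     * @param credential the credential wrapping the presented certificate
     */
    private void logPresentedCertificate(@Nonnull final X509Credential credential) {
        if (!log.isDebugEnabled()) {
            return;
        }
        try {
            log.debug("{} Attempting to authenticate inbound connection that presented the certificate:", getLogPrefix());
            log.debug(Base64Support.encode(credential.getEntityCertificate().getEncoded(), false));
        } catch (final CertificateEncodingException e) {
            // Purely diagnostic; an unencodable certificate must not abort evaluation, but do not hide it either.
            log.debug("{} Unable to encode presented certificate for logging", getLogPrefix(), e);
        }
    }

    /**
     * Evaluates the credential against the trust engine.
     *
     * <p>If the context names a presenter entity ID, that ID is authoritative: success marks the context
     * authenticated, failure throws. Otherwise candidate IDs are derived from the certificate
     * ({@link #evaluateCertificateNameDerivedPresenters}) and then from subclass logic
     * ({@link #evaluateDerivedPresenters}); the first that validates is recorded. If none does,
     * the authenticated state is left unchanged.
     *
     * @param x509Credential the presented credential
     * @param messageContext the message context
     * @throws MessageHandlerException if a context-named presenter fails authentication
     */
    protected void doEvaluate(@Nonnull final X509Credential x509Credential, @Nonnull final MessageContext messageContext)
            throws MessageHandlerException {
        final String contextPresenter = getCertificatePresenterEntityID(messageContext);
        if (contextPresenter != null) {
            log.debug("{} Attempting client certificate authentication using context presenter entity ID: {}", getLogPrefix(), contextPresenter);
            if (!evaluate(x509Credential, contextPresenter, messageContext)) {
                log.error("{} Authentication via client certificate failed for context presenter entity ID: {}", getLogPrefix(), contextPresenter);
                throw new MessageHandlerException("Client certificate authentication failed for context presenter entity ID");
            }
            log.debug("{} Authentication via client certificate succeeded for context presenter entity ID: {}", getLogPrefix(), contextPresenter);
            setAuthenticatedState(messageContext, true);
            return;
        }

        final String certDerivedPresenter = evaluateCertificateNameDerivedPresenters(x509Credential, messageContext);
        if (certDerivedPresenter != null) {
            log.debug("{} Authentication via client certificate succeeded for certificate-derived presenter entity ID: {}", getLogPrefix(), certDerivedPresenter);
            setAuthenticatedCertificatePresenterEntityID(messageContext, certDerivedPresenter);
            setAuthenticatedState(messageContext, true);
            return;
        }

        final String derivedPresenter = evaluateDerivedPresenters(x509Credential, messageContext);
        if (derivedPresenter != null) {
            log.debug("{} Authentication via client certificate succeeded for derived presenter entity ID: {}", getLogPrefix(), derivedPresenter);
            setAuthenticatedCertificatePresenterEntityID(messageContext, derivedPresenter);
            setAuthenticatedState(messageContext, true);
            return;
        }

        // Deliberately not an error: downstream handlers decide what an unauthenticated presenter means.
        log.debug("{} No presenter entity ID could be authenticated from the client certificate; authenticated state left unchanged", getLogPrefix());
    }

    /**
     * Gets the presenter entity ID already bound in the message context, if any.
     *
     * @param messageContext the message context
     * @return the presenter entity ID, or null if none is bound
     */
    @Nullable
    protected abstract String getCertificatePresenterEntityID(@Nonnull MessageContext messageContext);

    /**
     * Records the presenter entity ID that was authenticated via the client certificate.
     *
     * @param messageContext the message context
     * @param entityID the authenticated presenter entity ID
     */
    protected abstract void setAuthenticatedCertificatePresenterEntityID(@Nonnull MessageContext messageContext,
            @Nullable String entityID);

    /**
     * Records whether the presenter has been authenticated.
     *
     * @param messageContext the message context
     * @param authenticated the authenticated flag
     */
    protected abstract void setAuthenticatedState(@Nonnull MessageContext messageContext, boolean authenticated);

    /**
     * Builds the criteria used to look up trusted credentials: the entity ID (when non-empty) plus a
     * {@link UsageType#SIGNING} usage criterion.
     *
     * @param entityID the candidate presenter entity ID, may be null or empty
     * @param messageContext the message context
     * @return the criteria set, never null
     * @throws MessageHandlerException never thrown by this implementation; declared for overriders
     */
    @Override
    @Nullable
    public CriteriaSet buildCriteriaSet(@Nullable final String entityID, @Nonnull final MessageContext messageContext)
            throws MessageHandlerException {
        final CriteriaSet criteria = new CriteriaSet();
        if (!Strings.isNullOrEmpty(entityID)) {
            criteria.add(new EntityIdCriterion(entityID));
        }
        criteria.add(new UsageCriterion(UsageType.SIGNING));
        return criteria;
    }

    /**
     * Extension point for subclasses to derive and validate presenter entity IDs by means other than
     * certificate names. The base implementation derives nothing.
     *
     * @param x509Credential the presented credential
     * @param messageContext the message context
     * @return the authenticated presenter entity ID, or null
     * @throws MessageHandlerException on evaluation error
     */
    @Nullable
    protected String evaluateDerivedPresenters(@Nonnull final X509Credential x509Credential,
            @Nonnull final MessageContext messageContext) throws MessageHandlerException {
        return null;
    }

    /**
     * Derives candidate presenter entity IDs from the certificate's names and returns the first that validates.
     * The order is fixed: subject DN, then subject alt names, then common name, each only if enabled in the
     * {@link CertificateNameOptions}.
     *
     * @param x509Credential the presented credential; although annotated nullable, the delegated evaluators
     *        require it to be non-null
     * @param messageContext the message context
     * @return the authenticated presenter entity ID, or null if no enabled derivation validated
     * @throws MessageHandlerException on evaluation error
     * @throws IllegalStateException if {@link #doPreInvoke} has not populated the name options
     */
    @Nullable
    protected String evaluateCertificateNameDerivedPresenters(@Nullable final X509Credential x509Credential,
            @Nonnull final MessageContext messageContext) throws MessageHandlerException {
        final CertificateNameOptions options = requireCertificateNameOptions();

        if (options.evaluateSubjectDN()) {
            final String fromSubjectDN = evaluateSubjectDN(x509Credential, messageContext);
            if (fromSubjectDN != null) {
                return fromSubjectDN;
            }
        }

        if (!options.getSubjectAltNames().isEmpty()) {
            final String fromAltNames = evaluateSubjectAltNames(x509Credential, messageContext);
            if (fromAltNames != null) {
                return fromAltNames;
            }
        }

        if (options.evaluateSubjectCommonName()) {
            final String fromCommonName = evaluateSubjectCommonName(x509Credential, messageContext);
            if (fromCommonName != null) {
                return fromCommonName;
            }
        }

        return null;
    }

    /**
     * Uses the certificate's first subject CN as the candidate presenter entity ID.
     *
     * @param x509Credential the presented credential
     * @param messageContext the message context
     * @return the CN if it validated, otherwise null
     * @throws MessageHandlerException on evaluation error
     */
    @Nullable
    protected String evaluateSubjectCommonName(@Nonnull final X509Credential x509Credential,
            @Nonnull final MessageContext messageContext) throws MessageHandlerException {
        log.debug("{} Evaluating client cert by deriving presenter as cert CN", getLogPrefix());
        final String commonName = getCommonName(x509Credential.getEntityCertificate());
        if (commonName == null) {
            return null;
        }
        if (evaluate(x509Credential, commonName, messageContext)) {
            log.debug("{} Authentication succeeded for presenter entity ID derived from CN: {}", getLogPrefix(), commonName);
            return commonName;
        }
        log.debug("{} Authentication failed for presenter entity ID derived from CN: {}", getLogPrefix(), commonName);
        return null;
    }

    /**
     * Uses the certificate's subject DN (formatted per the name options) as the candidate presenter entity ID.
     *
     * @param x509Credential the presented credential
     * @param messageContext the message context
     * @return the subject DN if it validated, otherwise null
     * @throws MessageHandlerException on evaluation error
     */
    @Nullable
    protected String evaluateSubjectDN(@Nonnull final X509Credential x509Credential,
            @Nonnull final MessageContext messageContext) throws MessageHandlerException {
        log.debug("{} Evaluating client cert by deriving presenter as cert subject DN", getLogPrefix());
        final String subjectName = getSubjectName(x509Credential.getEntityCertificate());
        if (subjectName == null) {
            return null;
        }
        if (evaluate(x509Credential, subjectName, messageContext)) {
            log.debug("{} Authentication succeeded for presenter entity ID derived from subject DN: {}", getLogPrefix(), subjectName);
            return subjectName;
        }
        log.debug("{} Authentication failed for presenter entity ID derived from subject DN: {}", getLogPrefix(), subjectName);
        return null;
    }

    /**
     * Tries each subject alt name of each configured type as the candidate presenter entity ID and returns
     * the first that validates.
     *
     * @param x509Credential the presented credential
     * @param messageContext the message context
     * @return the validated alt name, or null if none validated
     * @throws MessageHandlerException on evaluation error
     * @throws IllegalStateException if {@link #doPreInvoke} has not populated the name options
     */
    @Nullable
    protected String evaluateSubjectAltNames(@Nonnull final X509Credential x509Credential,
            @Nonnull final MessageContext messageContext) throws MessageHandlerException {
        log.debug("{} Evaluating client cert by deriving presenter from subject alt names", getLogPrefix());
        final X509Certificate certificate = x509Credential.getEntityCertificate();
        for (final Integer altNameType : requireCertificateNameOptions().getSubjectAltNames()) {
            log.debug("{} Evaluating alt names of type: {}", getLogPrefix(), altNameType.toString());
            for (final String altName : getAltNames(certificate, altNameType)) {
                if (evaluate(x509Credential, altName, messageContext)) {
                    log.debug("{} Authentication succeeded for presenter entity ID derived from subject alt name: {}", getLogPrefix(), altName);
                    return altName;
                }
                log.debug("{} Authentication failed for presenter entity ID derived from subject alt name: {}", getLogPrefix(), altName);
            }
        }
        return null;
    }

    /**
     * Extracts the first common name from the certificate's subject.
     *
     * @param x509Certificate the certificate
     * @return the first CN, or null if the subject has none
     */
    @Nullable
    protected String getCommonName(@Nonnull final X509Certificate x509Certificate) {
        final List<String> commonNames = X509Support.getCommonNames(x509Certificate.getSubjectX500Principal());
        if (commonNames == null || commonNames.isEmpty()) {
            return null;
        }
        // Only the first CN is ever considered; additional CNs are ignored.
        final String commonName = commonNames.get(0);
        log.debug("{} Extracted common name from certificate: {}", getLogPrefix(), commonName);
        return commonName;
    }

    /**
     * Extracts the certificate's subject name via the configured DN handler, using the configured
     * subject DN format when one is set.
     *
     * @param x509Certificate the certificate
     * @return the formatted subject name, or null if the certificate is null
     * @throws IllegalStateException if {@link #doPreInvoke} has not populated the name options
     */
    @Nullable
    protected String getSubjectName(@Nonnull final X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return null;
        }
        final CertificateNameOptions options = requireCertificateNameOptions();
        final String format = options.getX500SubjectDNFormat();
        final String name;
        if (Strings.isNullOrEmpty(format)) {
            name = options.getX500DNHandler().getName(x509Certificate.getSubjectX500Principal());
        } else {
            name = options.getX500DNHandler().getName(x509Certificate.getSubjectX500Principal(), format);
        }
        log.debug("{} Extracted subject name from certificate: {}", getLogPrefix(), name);
        return name;
    }

    /**
     * Extracts the string-valued subject alt names of one type; non-String alt name values are skipped.
     *
     * @param x509Certificate the certificate
     * @param altNameType the GeneralName type code to extract
     * @return the string alt names of that type, never null
     */
    @NonnullElements
    @Nonnull
    protected List<String> getAltNames(@Nonnull final X509Certificate x509Certificate, @Nonnull final Integer altNameType) {
        log.debug("{} Extracting alt names from certificate of type: {}", getLogPrefix(), altNameType.toString());
        // X509Support returns an untyped list; keep the wildcard so the instanceof filter below stays explicit.
        final List<?> rawAltNames = X509Support.getAltNames(x509Certificate, new Integer[] {altNameType});
        final List<String> names = new ArrayList<>();
        for (final Object value : rawAltNames) {
            if (value instanceof String) {
                names.add((String) value);
            } else {
                log.debug("{} Skipping non-String certificate alt name value", getLogPrefix());
            }
        }
        log.debug("{} Extracted alt names from certificate: {}", getLogPrefix(), names.toString());
        return names;
    }
}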
