package org.wildfly.security.http.impl;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.callback.AuthenticationCompleteCallback;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.auth.callback.SecurityIdentityCallback;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.evidence.X509PeerCertificateChainEvidence;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.ssl.SSLUtils;

/* loaded from: input_file:org/wildfly/security/http/impl/ClientCertAuthenticationMechanism.class */
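/**
 * HTTP {@code CLIENT_CERT} authentication mechanism.
 *
 * <p>Authenticates a request from the X.509 certificate chain the TLS peer presented on the
 * request's {@link SSLSession}. The chain is handed to the configured {@link CallbackHandler}
 * as {@link X509PeerCertificateChainEvidence}; the handler decides whether it is verified and,
 * on success, supplies the resulting {@link SecurityIdentity}.
 *
 * <p>If a {@link SecurityIdentity} is already attached to the SSL session under
 * {@link SSLUtils#SSL_SESSION_IDENTITY_KEY} it is accepted as-is, without re-verifying the
 * chain, so only trusted code may store a value under that key.
 *
 * <p>Requests without an SSL session, without a verified peer, or with a non-X.509 peer chain
 * are reported as "no authentication in progress" rather than as failures.
 */
public class ClientCertAuthenticationMechanism implements HttpServerAuthenticationMechanism {
    private final CallbackHandler callbackHandler;

    /**
     * Creates the mechanism.
     *
     * @param callbackHandler the handler that verifies the peer chain evidence and produces
     *                        the authenticated identity
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public ClientCertAuthenticationMechanism(CallbackHandler callbackHandler) {
        this.callbackHandler = callbackHandler;
    }

    /**
     * @return {@link HttpConstants#CLIENT_CERT_NAME}
     */
    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public String getMechanismName() {
        return HttpConstants.CLIENT_CERT_NAME;
    }

    /**
     * Evaluates the request against the peer certificate chain of its SSL session.
     *
     * @param httpServerRequest the request under evaluation
     * @throws HttpAuthenticationException if the callback handler fails with an
     *                                     {@link IOException} or, when completing
     *                                     authentication, an {@link UnsupportedCallbackException}
     */
    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public void evaluateRequest(HttpServerRequest httpServerRequest) throws HttpAuthenticationException {
        SSLSession sslSession = httpServerRequest.getSSLSession();
        if (sslSession == null) {
            // No TLS on this request: there is no client certificate to evaluate.
            httpServerRequest.noAuthenticationInProgress();
            return;
        }

        // Fast path: an identity previously established for this SSL session is reused
        // without re-verifying the chain. A value of an unexpected type under the key is
        // ignored and full verification runs (the former unconditional cast would have
        // escaped as a ClassCastException).
        Object cachedIdentity = sslSession.getValue(SSLUtils.SSL_SESSION_IDENTITY_KEY);
        if (cachedIdentity instanceof SecurityIdentity) {
            httpServerRequest.authenticationComplete((SecurityIdentity) cachedIdentity);
            return;
        }

        Certificate[] peerCertificates;
        try {
            peerCertificates = sslSession.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            // The peer did not present (or did not prove ownership of) a certificate.
            ElytronMessages.log.trace("Peer not verified.");
            httpServerRequest.noAuthenticationInProgress();
            return;
        }

        X509Certificate[] chain = toX509Chain(peerCertificates);
        if (chain == null) {
            // Only X.509 chains can be turned into evidence; anything else is not ours to judge.
            httpServerRequest.noAuthenticationInProgress();
            return;
        }

        boolean verified = verifyChain(chain);
        try {
            if (verified) {
                SecurityIdentityCallback securityIdentityCallback = new SecurityIdentityCallback();
                callbackHandler.handle(new Callback[]{AuthenticationCompleteCallback.SUCCEEDED, securityIdentityCallback});
                httpServerRequest.authenticationComplete(securityIdentityCallback.getSecurityIdentity());
            } else {
                callbackHandler.handle(new Callback[]{AuthenticationCompleteCallback.FAILED});
                httpServerRequest.authenticationFailed(ElytronMessages.log.authenticationFailed(HttpConstants.CLIENT_CERT_NAME));
            }
        } catch (IOException | UnsupportedCallbackException e) {
            throw new HttpAuthenticationException(e);
        }
    }

    /**
     * Narrows a peer certificate chain to {@link X509Certificate}s.
     *
     * @param peerCertificates the chain as returned by {@link SSLSession#getPeerCertificates()}
     * @return the same chain, in order, as {@code X509Certificate[]}, or {@code null} if any
     *         element is not an {@link X509Certificate}
     */
    private static X509Certificate[] toX509Chain(Certificate[] peerCertificates) {
        X509Certificate[] chain = new X509Certificate[peerCertificates.length];
        for (int i = 0; i < peerCertificates.length; i++) {
            Certificate certificate = peerCertificates[i];
            if (!(certificate instanceof X509Certificate)) {
                return null;
            }
            chain[i] = (X509Certificate) certificate;
        }
        return chain;
    }

    /**
     * Asks the callback handler whether the given chain is acceptable evidence.
     *
     * @param chain the X.509 peer chain
     * @return {@code true} only if the handler handled the {@link EvidenceVerifyCallback} and
     *         marked it verified; a handler that does not support the callback yields
     *         {@code false} (fail closed)
     * @throws HttpAuthenticationException if the handler fails with an {@link IOException}
     */
    private boolean verifyChain(X509Certificate[] chain) throws HttpAuthenticationException {
        EvidenceVerifyCallback evidenceVerifyCallback =
                new EvidenceVerifyCallback(new X509PeerCertificateChainEvidence(chain));
        try {
            callbackHandler.handle(new Callback[]{evidenceVerifyCallback});
            return evidenceVerifyCallback.isVerified();
        } catch (IOException e) {
            throw new HttpAuthenticationException(e);
        } catch (UnsupportedCallbackException ignored) {
            // Handler cannot verify certificate evidence; the chain stays unverified and the
            // request is reported as failed below rather than being waved through.
            ElytronMessages.log.trace("Handler does not support EvidenceVerifyCallback; treating client certificate as not verified.");
            return false;
        }
    }
}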
