package org.jolokia.jvmagent.security;

import com.sun.net.httpserver.Authenticator;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpPrincipal;
import com.sun.net.httpserver.HttpsExchange;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.auth.x500.X500Principal;
import org.jolokia.jvmagent.JolokiaServerConfig;

/* JADX WARN: Classes with same name are omitted:
  input_file:hawtio.war:WEB-INF/lib/jolokia-jvm-1.4.0.redhat-1-agent.jar:org/jolokia/jvmagent/security/ClientCertAuthenticator.class
 */
/* loaded from: input_file:hawtio.war:WEB-INF/lib/hawtio-local-jvm-mbean-1.4.0.redhat-630329.jar:jolokia-jvm-1.4.0.redhat-1-agent.jar:org/jolokia/jvmagent/security/ClientCertAuthenticator.class */
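/**
 * Authenticates Jolokia agent requests by the TLS client certificate presented during the handshake.
 *
 * <p>Trust in the certificate chain itself is decided by the TLS layer (the handshake only exposes
 * peer certificates once the peer has been verified); this class performs the post-handshake
 * authorization policy on top of that:
 * <ol>
 *   <li>the request must arrive over TLS and carry a client certificate,</li>
 *   <li>optionally the certificate must declare the {@code clientAuth} Extended Key Usage,</li>
 *   <li>optionally the certificate subject must match one of the configured client principals.</li>
 * </ol>
 * Every policy violation is mapped to an HTTP 403; the reason stays server-side in the
 * {@link SecurityException} cause chain.
 */
public class ClientCertAuthenticator extends Authenticator {
    /** Extended Key Usage OID {@code id-kp-clientAuth}: the certificate may be used for TLS client authentication. */
    static final String CLIENTAUTH_OID = "1.3.6.1.5.5.7.3.2";
    // Copied from the config but not consulted by authenticate().
    // NOTE(review): presumably the server only installs this authenticator when client auth is
    // enabled, so the flag is informational here — verify against the caller.
    private final boolean useSslClientAuthentication;
    // Parsed "clientPrincipals" allow-list. null means "no subject restriction"; an empty list
    // rejects every client (see checkCertForAllowedPrincipals).
    private final List<LdapName> allowedPrincipals;
    // When true, the client certificate must carry the clientAuth EKU.
    private final boolean extendedClientCheck;

    /**
     * Builds the authenticator from the agent configuration.
     *
     * @param jolokiaServerConfig agent configuration supplying the client-auth flag, the
     *                            extended-client-check flag and the optional client principal list
     * @throws IllegalArgumentException if a configured client principal is not a valid LDAP/X.500 name
     */
    public ClientCertAuthenticator(JolokiaServerConfig jolokiaServerConfig) {
        this.useSslClientAuthentication = jolokiaServerConfig.useSslClientAuthentication();
        this.allowedPrincipals = parseAllowedPrincipals(jolokiaServerConfig);
        this.extendedClientCheck = jolokiaServerConfig.getExtendedClientCheck();
    }

    /**
     * Authenticates one exchange by its TLS client certificate.
     *
     * @param httpExchange the exchange under authentication
     * @return 500 if the exchange is not TLS (client-cert auth cannot work without it), 401 if the
     *         handshake produced no client certificate, 403 if the certificate fails a policy check,
     *         otherwise a success whose principal is the certificate subject DN in realm {@code "ssl"}
     */
    @Override
    public Authenticator.Result authenticate(HttpExchange httpExchange) {
        // A plain HttpExchange means the server was wired without TLS: a deployment error, not a client error.
        if (!(httpExchange instanceof HttpsExchange)) {
            return new Authenticator.Failure(500);
        }
        HttpsExchange httpsExchange = (HttpsExchange) httpExchange;
        try {
            X509Certificate clientCert = getClientCert(httpsExchange);
            if (clientCert == null) {
                return new Authenticator.Failure(401);
            }
            checkCertForClientUsage(clientCert);
            checkCertForAllowedPrincipals(clientCert);
            // The principal name is taken from the very certificate that passed the checks above,
            // so the identity reported to the handler is the one that was authorized.
            String name = clientCert.getSubjectX500Principal().getName();
            return new Authenticator.Success(new HttpPrincipal(name, "ssl"));
        } catch (SecurityException e) {
            // All policy failures collapse to 403; the detailed reason is not disclosed to the client.
            return new Authenticator.Failure(403);
        }
    }

    /**
     * Extracts the peer's own (leaf) certificate from the TLS session.
     *
     * @return the leaf certificate, or null if the session exposes an empty chain
     * @throws SecurityException if the peer was not verified during the handshake, or the leaf is not X.509
     */
    private static X509Certificate getClientCert(HttpsExchange httpsExchange) {
        try {
            Certificate[] chain = httpsExchange.getSSLSession().getPeerCertificates();
            // Defensive: JSSE normally signals "no client cert" via SSLPeerUnverifiedException rather
            // than an empty chain, but an empty chain must still not be treated as authenticated.
            if (chain == null || chain.length == 0) {
                return null;
            }
            // JSSE returns the peer's own certificate first, followed by its issuers.
            Certificate leaf = chain[0];
            if (!(leaf instanceof X509Certificate)) {
                throw new SecurityException("Client certificate is not an X.509 certificate: " + leaf.getType());
            }
            return (X509Certificate) leaf;
        } catch (SSLPeerUnverifiedException e) {
            throw new SecurityException("SSL Peer couldn't be verified", e);
        }
    }

    /**
     * Enforces the {@code clientAuth} Extended Key Usage when {@code extendedClientCheck} is enabled.
     *
     * @throws SecurityException if the EKU extension is absent, lacks {@link #CLIENTAUTH_OID}, or cannot be parsed
     */
    private void checkCertForClientUsage(X509Certificate clientCert) {
        if (!this.extendedClientCheck) {
            return;
        }
        List<String> extendedKeyUsage;
        try {
            // Read the extension once; null means the certificate has no EKU extension at all.
            extendedKeyUsage = clientCert.getExtendedKeyUsage();
        } catch (CertificateParsingException e) {
            throw new SecurityException("Can't parse client cert", e);
        }
        if (extendedKeyUsage == null || !extendedKeyUsage.contains(CLIENTAUTH_OID)) {
            throw new SecurityException("No extended key usage available");
        }
    }

    /**
     * Enforces the configured client principal allow-list against the certificate subject.
     *
     * <p>Matching is set-based and a superset match: the subject must contain every RDN of at least
     * one allowed principal, RDN order is ignored, and additional RDNs in the subject are tolerated.
     * Operators should therefore list enough RDNs per principal (e.g. CN plus O/OU) that the
     * allow-list entry is not satisfied by an unintended subject from the same organisation.
     *
     * @throws SecurityException if an allow-list is configured and no entry matches the subject
     */
    private void checkCertForAllowedPrincipals(X509Certificate clientCert) {
        if (this.allowedPrincipals == null) {
            return; // no subject restriction configured
        }
        X500Principal subject = clientCert.getSubjectX500Principal();
        Set<Rdn> subjectRdns = getPrincipalRdns(subject);
        for (LdapName allowed : this.allowedPrincipals) {
            if (subjectRdns.containsAll(allowed.getRdns())) {
                return;
            }
        }
        // Also reached for an empty allow-list: nothing can match, so every client is rejected.
        throw new SecurityException("Principal " + subject + " not allowed");
    }

    /**
     * Splits a subject DN into its RDN set for order-insensitive comparison.
     *
     * @throws SecurityException if the DN string is not a valid LDAP name
     */
    private static Set<Rdn> getPrincipalRdns(X500Principal principal) {
        try {
            return new HashSet<Rdn>(new LdapName(principal.getName()).getRdns());
        } catch (InvalidNameException e) {
            throw new SecurityException("Cannot parse '" + principal + "' as LDAP name", e);
        }
    }

    /**
     * Parses the configured client principals into LDAP names.
     *
     * @return the parsed names, or null when no client principals are configured (meaning "unrestricted")
     * @throws IllegalArgumentException if an entry is not a valid LDAP/X.500 name; failing at
     *                                  construction keeps a misconfigured allow-list from silently passing
     */
    private static List<LdapName> parseAllowedPrincipals(JolokiaServerConfig jolokiaServerConfig) {
        List<String> clientPrincipals = jolokiaServerConfig.getClientPrincipals();
        if (clientPrincipals == null) {
            return null; // null, not empty: the "no restriction" marker checked in checkCertForAllowedPrincipals
        }
        List<LdapName> parsed = new ArrayList<LdapName>(clientPrincipals.size());
        for (String principal : clientPrincipals) {
            try {
                parsed.add(new LdapName(principal));
            } catch (InvalidNameException e) {
                throw new IllegalArgumentException("Principal '" + principal + "' cannot be parsed as X500 RDNs", e);
            }
        }
        return parsed;
    }
}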
