package org.apache.catalina.authenticator;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Engine;
import org.apache.catalina.Host;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.connector.Request;
import org.apache.coyote.ActionCode;
import org.apache.coyote.UpgradeProtocol;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.net.SSLHostConfig;

/* loaded from: input_file:WEB-INF/lib/tomcat-embed-core-10.1.8.jar:org/apache/catalina/authenticator/SSLAuthenticator.class */
/**
 * Authenticator that identifies the caller from the X.509 client certificate
 * chain attached to the request and reports
 * {@link HttpServletRequest#CLIENT_CERT_AUTH} as its authentication method.
 *
 * <p>This class only locates the chain. Deciding whether the chain maps to a
 * user is delegated entirely to {@code Realm.authenticate(X509Certificate[])}
 * on the context's realm.
 *
 * <p>NOTE(review): the chain is read from a request attribute as-is, so
 * whatever component populates that attribute is the trust anchor. Confirm
 * that nothing client-controlled can set it in this deployment.
 */
public class SSLAuthenticator extends AuthenticatorBase {
    /** Request attribute under which the client certificate chain is looked up. */
    private static final String CERTIFICATE_CHAIN_ATTRIBUTE = "jakarta.servlet.request.X509Certificate";

    private final Log log = LogFactory.getLog(SSLAuthenticator.class);

    /**
     * Authenticates the request from its client certificate chain.
     *
     * @param request the request being authenticated
     * @param httpServletResponse the response used to report a failure
     * @return {@code true} when a cached authentication applies or the realm
     *         accepts the chain; {@code false} after a 401 has been sent
     * @throws IOException if sending the error response fails
     */
    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse httpServletResponse) throws IOException {
        // A previously cached authentication short-circuits the certificate lookup.
        if (checkForCachedAuthentication(request, httpServletResponse, false)) {
            return true;
        }

        if (containerLog.isDebugEnabled()) {
            containerLog.debug(" Looking up certificates");
        }

        X509Certificate[] certificateChain = getRequestCertificates(request);
        boolean chainMissing = certificateChain == null || certificateChain.length < 1;
        if (chainMissing) {
            if (containerLog.isDebugEnabled()) {
                containerLog.debug("  No certificates included with this request");
            }
            httpServletResponse.sendError(
                    HttpServletResponse.SC_UNAUTHORIZED, sm.getString("authenticator.certificates"));
            return false;
        }

        // The realm is the only place the chain is mapped to (or rejected as) a user.
        Principal principal = context.getRealm().authenticate(certificateChain);
        if (principal == null) {
            if (containerLog.isDebugEnabled()) {
                containerLog.debug("  Realm.authenticate() returned false");
            }
            httpServletResponse.sendError(
                    HttpServletResponse.SC_UNAUTHORIZED, sm.getString("authenticator.unauthorized"));
            return false;
        }

        register(request, httpServletResponse, principal, HttpServletRequest.CLIENT_CERT_AUTH, null, null);
        return true;
    }

    /**
     * @return the authentication method name, {@link HttpServletRequest#CLIENT_CERT_AUTH}
     */
    @Override
    protected String getAuthMethod() {
        return HttpServletRequest.CLIENT_CERT_AUTH;
    }

    /**
     * Reports whether the request already carries at least one client
     * certificate, so authentication can be attempted without a challenge.
     *
     * @param request the request to inspect
     * @return {@code true} when a non-empty certificate chain is available
     */
    @Override
    protected boolean isPreemptiveAuthPossible(Request request) {
        X509Certificate[] certificateChain = getRequestCertificates(request);
        if (certificateChain == null) {
            return false;
        }
        return certificateChain.length > 0;
    }

    /**
     * Returns the client certificate chain for the request.
     *
     * <p>The request attribute is consulted first. When it is absent or empty
     * the connector is asked, via {@link ActionCode#REQ_SSL_CERTIFICATE}, to
     * supply the certificate, and the attribute is read again.
     *
     * @param request the request whose certificates are wanted
     * @return the chain, or {@code null} or an empty array when none is available
     * @throws IllegalStateException declared for compatibility; the one raised
     *         by the connector action is caught here
     */
    protected X509Certificate[] getRequestCertificates(Request request) throws IllegalStateException {
        X509Certificate[] certificateChain = (X509Certificate[]) request.getAttribute(CERTIFICATE_CHAIN_ATTRIBUTE);
        if (certificateChain != null && certificateChain.length >= 1) {
            return certificateChain;
        }

        try {
            request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);
            certificateChain = (X509Certificate[]) request.getAttribute(CERTIFICATE_CHAIN_ATTRIBUTE);
        } catch (IllegalStateException ignored) {
            // Deliberately not rethrown: the earlier (null or empty) value is
            // returned, which doAuthenticate answers with a 401, so the
            // failure is fail-closed. The cause is not logged here.
            // NOTE(review): upstream Tomcat attributes this exception to a
            // request body too large for the save buffer. Confirm against the
            // matching source release.
        }
        return certificateChain;
    }

    /**
     * Starts the authenticator, then walks Context, Host and Engine up to the
     * service's connectors and logs a warning for each configuration in which
     * this authenticator may be unable to obtain a client certificate on
     * demand. The checks only warn; startup continues either way.
     *
     * <p>The decompiler reports that the access modifier of this method was
     * changed from {@code protected}.
     *
     * @throws LifecycleException if the superclass fails to start
     */
    @Override
    public synchronized void startInternal() throws LifecycleException {
        super.startInternal();

        Container owner = getContainer();
        if (!(owner instanceof Context)) {
            return;
        }
        Context webapp = (Context) owner;

        Container hostCandidate = webapp.getParent();
        if (!(hostCandidate instanceof Host)) {
            return;
        }
        Host host = (Host) hostCandidate;

        Container engineCandidate = host.getParent();
        if (!(engineCandidate instanceof Engine)) {
            return;
        }

        for (Connector connector : ((Engine) engineCandidate).getService().findConnectors()) {
            warnIfHttp2Configured(connector, webapp, host);
            warnIfTls13WithoutRenegotiation(connector, webapp, host);
        }
    }

    /**
     * Logs one warning when the connector has an upgrade protocol whose ALPN
     * name is {@code h2}.
     */
    private void warnIfHttp2Configured(Connector connector, Context webapp, Host host) {
        for (UpgradeProtocol upgradeProtocol : connector.findUpgradeProtocols()) {
            if ("h2".equals(upgradeProtocol.getAlpnName())) {
                log.warn(sm.getString("sslAuthenticatorValve.http2", webapp.getName(), host.getName(), connector));
                // At most one HTTP/2 warning per connector.
                return;
            }
        }
    }

    /**
     * Logs a warning for every TLS 1.3 entry in the protocol list of each TLS
     * host configuration that reports TLS 1.3 renegotiation as unavailable.
     * presumably "renegotiation" here means TLS 1.3 post-handshake client
     * authentication; verify against SSLHostConfig.
     */
    private void warnIfTls13WithoutRenegotiation(Connector connector, Context webapp, Host host) {
        for (SSLHostConfig hostConfig : connector.findSslHostConfigs()) {
            if (hostConfig.isTls13RenegotiationAvailable()) {
                continue;
            }

            // Prefer the enabled protocol list; fall back to the configured one.
            String[] protocols = hostConfig.getEnabledProtocols();
            if (protocols == null) {
                protocols = (String[]) hostConfig.getProtocols().toArray(new String[0]);
            }

            for (String protocol : protocols) {
                if (org.apache.tomcat.util.net.Constants.SSL_PROTO_TLSv1_3.equals(protocol)) {
                    log.warn(sm.getString("sslAuthenticatorValve.tls13", webapp.getName(), host.getName(), connector));
                }
            }
        }
    }
}
