package org.wildfly.security.auth.realm.ldap;

import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.function.Supplier;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.security.auth.x500.X500Principal;
import org.wildfly.common.iteration.ByteIterator;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.X509PeerCertificateChainEvidence;
import org.wildfly.security.util.LdapUtil;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:m2repo/org/wildfly/security/wildfly-elytron-realm-ldap/1.10.4.Final/wildfly-elytron-realm-ldap-1.10.4.Final.jar:org/wildfly/security/auth/realm/ldap/X509EvidenceVerifier.class */
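/**
 * LDAP-backed {@link EvidenceVerifier} for {@link X509PeerCertificateChainEvidence}.
 * <p>
 * Only the first certificate of the presented chain is examined; it is compared against
 * attribute values already loaded from the identity's LDAP entry by each configured
 * {@link CertificateVerifier}. Every verifier must accept the certificate for the evidence
 * to be accepted. The chain itself is not validated here, and an <em>empty</em> verifier
 * list accepts any presented certificate for the resolved entry, so the list should never
 * be empty in a real deployment.
 * <p>
 * Decompiled from wildfly-elytron-realm-ldap 1.10.4.Final. Upstream, this class, its nested
 * types and their constructors are package-private; the {@code public} modifiers below were
 * introduced by the decompiler and are not part of the supported API.
 */
public class X509EvidenceVerifier implements EvidenceVerifier {
    // Unmodifiable snapshot of the verifiers supplied at construction (see constructor).
    private final List<CertificateVerifier> certificateVerifiers;

    /**
     * One check that binds a single certificate property to a single LDAP attribute of the
     * identity's entry.
     */
    public interface CertificateVerifier {
        /**
         * Appends the LDAP attribute names this verifier needs loaded for the identity.
         *
         * @param collection the collection of required attribute names to append to
         */
        default void addRequiredLdapAttributes(Collection<String> collection) {
        }

        /**
         * Appends the LDAP attribute names this verifier needs retrieved as raw bytes.
         *
         * @param collection the collection of binary attribute names to append to
         */
        default void addBinaryLdapAttributes(Collection<String> collection) {
        }

        /**
         * Checks the certificate against the identity's loaded attributes.
         *
         * @param x509Certificate the end-entity certificate presented by the peer
         * @param attributes the attributes loaded from the identity's LDAP entry
         * @return {@code true} if the certificate matches one of the stored values; {@code false}
         *         otherwise, including when the attribute is absent from the entry
         * @throws NamingException if an attribute value cannot be read
         * @throws RealmUnavailableException if the certificate cannot be processed
         */
        boolean verifyCertificate(X509Certificate x509Certificate, Attributes attributes) throws NamingException, RealmUnavailableException;
    }

    /**
     * Matches a hex-encoded digest of the DER-encoded certificate against a string-valued
     * LDAP attribute.
     */
    public static class DigestCertificateVerifier implements CertificateVerifier {
        final String ldapAttribute;
        final String algorithm;

        /**
         * @param str the LDAP attribute holding the expected hex digest value(s)
         * @param str2 the {@link MessageDigest} algorithm name used to digest the certificate
         */
        public DigestCertificateVerifier(String str, String str2) {
            this.ldapAttribute = str;
            this.algorithm = str2;
        }

        @Override
        public void addRequiredLdapAttributes(Collection<String> collection) {
            collection.add(this.ldapAttribute);
        }

        @Override
        public boolean verifyCertificate(X509Certificate x509Certificate, Attributes attributes) throws NamingException, RealmUnavailableException {
            Attribute attribute = attributes.get(this.ldapAttribute);
            if (attribute == null) {
                return false;
            }
            final String expectedHex;
            try {
                // Digest once per call. The digest is of public certificate bytes, so a plain
                // case-insensitive string comparison is adequate here.
                byte[] digest = MessageDigest.getInstance(this.algorithm).digest(x509Certificate.getEncoded());
                expectedHex = ByteIterator.ofBytes(digest).hexEncode(true).drainToString();
            } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
                throw new RealmUnavailableException(e);
            }
            int valueCount = attribute.size();
            for (int i = 0; i < valueCount; i++) {
                Object storedValue = attribute.get(i);
                // Assumes the attribute is delivered as a String (it is not registered as binary).
                if (storedValue != null && expectedHex.equalsIgnoreCase((String) storedValue)) {
                    return true;
                }
            }
            return false;
        }
    }

    /**
     * Matches the DER-encoded certificate byte-for-byte against a binary LDAP attribute.
     */
    public static class EncodedCertificateVerifier implements CertificateVerifier {
        final String ldapAttribute;

        /**
         * @param str the binary LDAP attribute holding the expected encoded certificate(s)
         */
        public EncodedCertificateVerifier(String str) {
            this.ldapAttribute = str;
        }

        @Override
        public void addRequiredLdapAttributes(Collection<String> collection) {
            collection.add(this.ldapAttribute);
        }

        @Override
        public void addBinaryLdapAttributes(Collection<String> collection) {
            collection.add(this.ldapAttribute);
        }

        @Override
        public boolean verifyCertificate(X509Certificate x509Certificate, Attributes attributes) throws NamingException, RealmUnavailableException {
            Attribute binaryAttribute = LdapUtil.getBinaryAttribute(attributes, this.ldapAttribute);
            if (binaryAttribute == null) {
                return false;
            }
            final byte[] encoded;
            try {
                // Encode once rather than once per stored value.
                encoded = x509Certificate.getEncoded();
            } catch (CertificateEncodingException e) {
                throw new RealmUnavailableException(e);
            }
            int valueCount = binaryAttribute.size();
            for (int i = 0; i < valueCount; i++) {
                Object storedValue = binaryAttribute.get(i);
                // Assumes the value arrives as byte[], which is what the binary-attribute lookup above yields.
                if (storedValue != null && Arrays.equals(encoded, (byte[]) storedValue)) {
                    return true;
                }
            }
            return false;
        }
    }

    /**
     * Matches the certificate serial number against a string-valued LDAP attribute holding the
     * serial number in decimal form.
     */
    public static class SerialNumberCertificateVerifier implements CertificateVerifier {
        final String ldapAttribute;

        /**
         * @param str the LDAP attribute holding the expected decimal serial number(s)
         */
        public SerialNumberCertificateVerifier(String str) {
            this.ldapAttribute = str;
        }

        @Override
        public void addRequiredLdapAttributes(Collection<String> collection) {
            collection.add(this.ldapAttribute);
        }

        @Override
        public boolean verifyCertificate(X509Certificate x509Certificate, Attributes attributes) throws NamingException {
            Attribute attribute = attributes.get(this.ldapAttribute);
            if (attribute == null) {
                return false;
            }
            BigInteger serialNumber = x509Certificate.getSerialNumber();
            int valueCount = attribute.size();
            for (int i = 0; i < valueCount; i++) {
                Object storedValue = attribute.get(i);
                if (storedValue == null) {
                    continue;
                }
                try {
                    // BigInteger(String) parses base 10. A malformed directory value is treated as a
                    // non-match instead of letting NumberFormatException escape the realm unchecked.
                    if (serialNumber.equals(new BigInteger((String) storedValue))) {
                        return true;
                    }
                } catch (NumberFormatException e) {
                    ElytronMessages.log.tracef("Ignoring non-numeric value of LDAP attribute %s while verifying certificate serial number", this.ldapAttribute);
                }
            }
            return false;
        }
    }

    /**
     * Matches the certificate subject DN against a string-valued LDAP attribute holding a DN.
     */
    public static class SubjectDnCertificateVerifier implements CertificateVerifier {
        final String ldapAttribute;

        /**
         * @param str the LDAP attribute holding the expected subject DN(s)
         */
        public SubjectDnCertificateVerifier(String str) {
            this.ldapAttribute = str;
        }

        @Override
        public void addRequiredLdapAttributes(Collection<String> collection) {
            collection.add(this.ldapAttribute);
        }

        @Override
        public boolean verifyCertificate(X509Certificate x509Certificate, Attributes attributes) throws NamingException {
            Attribute attribute = attributes.get(this.ldapAttribute);
            if (attribute == null) {
                return false;
            }
            X500Principal subject = x509Certificate.getSubjectX500Principal();
            int valueCount = attribute.size();
            for (int i = 0; i < valueCount; i++) {
                Object storedValue = attribute.get(i);
                if (storedValue == null) {
                    continue;
                }
                try {
                    // X500Principal.equals compares canonical DN forms, so formatting differences
                    // in the stored DN do not by themselves cause a mismatch. An unparsable stored
                    // DN is a non-match rather than an unchecked IllegalArgumentException.
                    if (subject.equals(new X500Principal((String) storedValue))) {
                        return true;
                    }
                } catch (IllegalArgumentException e) {
                    ElytronMessages.log.tracef("Ignoring unparsable DN value of LDAP attribute %s while verifying certificate subject", this.ldapAttribute);
                }
            }
            return false;
        }
    }

    /**
     * @param list the verifiers that must all accept a certificate; copied defensively, so later
     *             changes to the caller's list do not alter this instance's behaviour. An empty
     *             list accepts every certificate (see class documentation).
     */
    public X509EvidenceVerifier(List<CertificateVerifier> list) {
        this.certificateVerifiers = Collections.unmodifiableList(new ArrayList<>(list));
    }

    /** Support decision shared by the realm-level and identity-level queries. */
    private static SupportLevel supportFor(Class<? extends Evidence> cls) {
        return cls == X509PeerCertificateChainEvidence.class ? SupportLevel.POSSIBLY_SUPPORTED : SupportLevel.UNSUPPORTED;
    }

    @Override
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
        return supportFor(cls);
    }

    @Override
    public IdentityEvidenceVerifier forIdentity(DirContext dirContext, String str, String str2, final Attributes attributes) throws RealmUnavailableException {
        // The returned verifier closes over the attributes already loaded for this identity;
        // the DirContext and the name parameters are not consulted.
        return new IdentityEvidenceVerifier() {
            @Override
            public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str3, Supplier<Provider[]> supplier) throws RealmUnavailableException {
                return supportFor(cls);
            }

            /**
             * Accepts the evidence only if every configured verifier accepts the first
             * certificate of the chain. The provider supplier is not forwarded to the verifiers.
             */
            @Override
            public boolean verifyEvidence(Evidence evidence, Supplier<Provider[]> supplier) throws RealmUnavailableException {
                if (!(evidence instanceof X509PeerCertificateChainEvidence)) {
                    return false;
                }
                // Only the end-entity certificate is bound to the LDAP entry; the remainder of
                // the chain is not examined here.
                X509Certificate firstCertificate = ((X509PeerCertificateChainEvidence) evidence).getFirstCertificate();
                try {
                    for (CertificateVerifier certificateVerifier : X509EvidenceVerifier.this.certificateVerifiers) {
                        if (!certificateVerifier.verifyCertificate(firstCertificate, attributes)) {
                            ElytronMessages.log.tracef("X509 client certificate rejected by %s of X509EvidenceVerifier", certificateVerifier);
                            return false;
                        }
                    }
                    // Reached when no verifier rejected -- which includes the case of no verifiers at all.
                    ElytronMessages.log.trace("X509 client certificate accepted by X509EvidenceVerifier");
                    return true;
                } catch (NamingException e) {
                    throw new RealmUnavailableException(e);
                }
            }
        };
    }

    @Override
    public void addRequiredIdentityAttributes(Collection<String> collection) {
        for (CertificateVerifier certificateVerifier : this.certificateVerifiers) {
            certificateVerifier.addRequiredLdapAttributes(collection);
        }
    }

    @Override
    public void addBinaryIdentityAttributes(Collection<String> collection) {
        for (CertificateVerifier certificateVerifier : this.certificateVerifiers) {
            certificateVerifier.addBinaryLdapAttributes(collection);
        }
    }
}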
