package org.apereo.cas.adaptors.x509.authentication.handler.support;

import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.regex.Pattern;
import javax.security.auth.login.FailedLoginException;
import org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential;
import org.apereo.cas.adaptors.x509.authentication.revocation.checker.NoOpRevocationChecker;
import org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker;
import org.apereo.cas.adaptors.x509.util.CertUtils;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.DefaultHandlerResult;
import org.apereo.cas.authentication.HandlerResult;
import org.apereo.cas.authentication.PreventedException;
import org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/adaptors/x509/authentication/handler/support/X509CredentialsAuthenticationHandler.class */
public class X509CredentialsAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler {
    private static final String KEY_USAGE_OID = "2.5.29.15";
    private static final Logger LOGGER = LoggerFactory.getLogger(X509CredentialsAuthenticationHandler.class);
    private final Pattern regExTrustedIssuerDnPattern;
    private final int maxPathLength;
    private final boolean maxPathLengthAllowUnspecified;
    private final boolean checkKeyUsage;
    private final boolean requireKeyUsage;
    private final Pattern regExSubjectDnPattern;
    private final RevocationChecker revocationChecker;

    public X509CredentialsAuthenticationHandler(Pattern pattern, int i, boolean z, boolean z2, boolean z3, Pattern pattern2, RevocationChecker revocationChecker) {
        this.regExTrustedIssuerDnPattern = pattern;
        this.maxPathLength = i;
        this.maxPathLengthAllowUnspecified = z;
        this.checkKeyUsage = z2;
        this.requireKeyUsage = z3;
        this.regExSubjectDnPattern = pattern2;
        if (revocationChecker == null) {
            throw new IllegalArgumentException("Revocation checker is not configured");
        }
        this.revocationChecker = revocationChecker;
    }

    public X509CredentialsAuthenticationHandler(Pattern pattern) {
        this(pattern, new NoOpRevocationChecker());
    }

    public X509CredentialsAuthenticationHandler(Pattern pattern, boolean z, Pattern pattern2) {
        this(pattern, Integer.MAX_VALUE, z, false, false, pattern2, new NoOpRevocationChecker());
    }

    public X509CredentialsAuthenticationHandler(Pattern pattern, boolean z, boolean z2, boolean z3) {
        this(pattern, Integer.MAX_VALUE, z, z2, z3, null, new NoOpRevocationChecker());
    }

    public X509CredentialsAuthenticationHandler(Pattern pattern, RevocationChecker revocationChecker) {
        this(pattern, Integer.MAX_VALUE, false, false, false, null, revocationChecker);
    }

    public boolean supports(Credential credential) {
        return credential != null && X509CertificateCredential.class.isAssignableFrom(credential.getClass());
    }

    protected HandlerResult doAuthentication(Credential credential) throws GeneralSecurityException, PreventedException {
        X509CertificateCredential x509CertificateCredential = (X509CertificateCredential) credential;
        X509Certificate[] certificates = x509CertificateCredential.getCertificates();
        X509Certificate x509Certificate = null;
        boolean z = false;
        for (int length = certificates.length - 1; length >= 0; length--) {
            X509Certificate x509Certificate2 = certificates[length];
            LOGGER.debug("Evaluating [{}]", CertUtils.toString(x509Certificate2));
            validate(x509Certificate2);
            if (!z) {
                z = isCertificateFromTrustedIssuer(x509Certificate2);
            }
            if (x509Certificate2.getBasicConstraints() < 0) {
                LOGGER.debug("Found valid client certificate");
                x509Certificate = x509Certificate2;
            } else {
                LOGGER.debug("Found valid CA certificate");
            }
        }
        if (!z || x509Certificate == null) {
            LOGGER.warn("Either client certificate could not be determined, or a trusted issuer could not be located");
            throw new FailedLoginException();
        }
        x509CertificateCredential.setCertificate(x509Certificate);
        return new DefaultHandlerResult(this, x509CertificateCredential, this.principalFactory.createPrincipal(x509CertificateCredential.getId()));
    }

    private void validate(X509Certificate x509Certificate) throws GeneralSecurityException {
        x509Certificate.checkValidity();
        this.revocationChecker.check(x509Certificate);
        int basicConstraints = x509Certificate.getBasicConstraints();
        if (basicConstraints < 0) {
            if (!isCertificateAllowed(x509Certificate)) {
                throw new FailedLoginException("Certificate subject does not match pattern " + this.regExSubjectDnPattern.pattern());
            }
            if (this.checkKeyUsage && !isValidKeyUsage(x509Certificate)) {
                throw new FailedLoginException("Certificate keyUsage constraint forbids SSL client authentication.");
            }
            return;
        }
        if (basicConstraints == Integer.MAX_VALUE && !this.maxPathLengthAllowUnspecified) {
            throw new FailedLoginException("Unlimited certificate path length not allowed by configuration.");
        }
        if (basicConstraints > this.maxPathLength && basicConstraints < Integer.MAX_VALUE) {
            throw new FailedLoginException(String.format("Certificate path length %s exceeds maximum value %s.", Integer.valueOf(basicConstraints), Integer.valueOf(this.maxPathLength)));
        }
    }

    private boolean isValidKeyUsage(X509Certificate x509Certificate) {
        boolean z;
        LOGGER.debug("Checking certificate keyUsage extension");
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            LOGGER.warn("Configuration specifies checkKeyUsage but keyUsage extension not found in certificate.");
            return !this.requireKeyUsage;
        }
        if (isCritical(x509Certificate, KEY_USAGE_OID) || this.requireKeyUsage) {
            LOGGER.debug("KeyUsage extension is marked critical or required by configuration.");
            z = keyUsage[0];
        } else {
            LOGGER.debug("KeyUsage digitalSignature=%s, Returning true since keyUsage validation not required by configuration.");
            z = true;
        }
        return z;
    }

    private static boolean isCritical(X509Certificate x509Certificate, String str) {
        Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
        if (criticalExtensionOIDs == null || criticalExtensionOIDs.isEmpty()) {
            return false;
        }
        return criticalExtensionOIDs.contains(str);
    }

    private boolean isCertificateAllowed(X509Certificate x509Certificate) {
        return doesNameMatchPattern(x509Certificate.getSubjectDN(), this.regExSubjectDnPattern);
    }

    private boolean isCertificateFromTrustedIssuer(X509Certificate x509Certificate) {
        return doesNameMatchPattern(x509Certificate.getIssuerDN(), this.regExTrustedIssuerDnPattern);
    }

    private boolean doesNameMatchPattern(Principal principal, Pattern pattern) {
        if (pattern == null) {
            return true;
        }
        String name = principal.getName();
        boolean matches = pattern.matcher(name).matches();
        LOGGER.debug("[{}] matches [{}] == [{}]", new Object[]{pattern.pattern(), name, Boolean.valueOf(matches)});
        return matches;
    }
}
