package org.xipki.security.util;

import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.security.X509Cert;
import org.xipki.util.LruCache;
import org.xipki.util.StringUtil;
import org.xipki.util.http.XiHttpRequest;

/* loaded from: input_file:WEB-INF/lib/security-6.3.1.jar:org/xipki/security/util/TlsHelper.class */
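/**
 * Resolves the TLS client certificate that authenticated an incoming HTTP request.
 *
 * <p>Operates in one of two modes, chosen once at class-load time from the system
 * property {@code org.xipki.reverseproxy.mode}:
 * <ul>
 *   <li>{@code NO} (the default, also used for a missing/blank or unrecognised value):
 *       TLS is terminated by this application and the certificate is taken from the
 *       request's own TLS session via {@link XiHttpRequest#getCertificateChain()}.</li>
 *   <li>{@code GENERAL}, {@code APACHE} or {@code NGINX} (all handled identically):
 *       TLS is terminated by a reverse proxy and the certificate is read from the
 *       request headers {@code SSL_CLIENT_VERIFY} and {@code SSL_CLIENT_CERT}.</li>
 * </ul>
 *
 * <p><b>Security note (reverse-proxy mode).</b> The {@code SSL_CLIENT_*} header values are
 * trusted as-is; nothing in this class checks where the request came from. That is only
 * safe when the application is reachable exclusively through the proxy and the proxy
 * unconditionally overwrites (or strips) any client-supplied {@code SSL_CLIENT_*} headers
 * before forwarding. If either condition does not hold, a client can assert an arbitrary
 * certificate without ever proving possession of its private key. Deployments must
 * enforce this at the network/proxy layer; it cannot be enforced here.
 *
 * <p>Parsed certificates are memoised in small LRU caches (50 entries each) so that the
 * per-request cost is a cache lookup rather than a re-parse.
 */
public class TlsHelper {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) TlsHelper.class);

    /** System property selecting the mode; see the class documentation for accepted values. */
    private static final String PROP_REVERSE_PROXY_MODE = "org.xipki.reverseproxy.mode";
    /** Header carrying the proxy's verification verdict; only {@code SUCCESS} is accepted. */
    private static final String HDR_SSL_CLIENT_VERIFY = "SSL_CLIENT_VERIFY";
    /** Header carrying the (PEM) client certificate as forwarded by the proxy. */
    private static final String HDR_SSL_CLIENT_CERT = "SSL_CLIENT_CERT";
    /** Shortest {@code SSL_CLIENT_CERT} value that is even attempted to be parsed. */
    private static final int MIN_CERT_HEADER_LENGTH = 100;

    private static final int PROXY_MODE_NO = 0;
    private static final int PROXY_MODE_GENERAL = 1;

    /** Reverse-proxy mode: parsed certificates keyed by the raw {@code SSL_CLIENT_CERT} value. */
    private static final LruCache<String, X509Cert> proxyHeaderCerts = new LruCache<>(50);
    /** Direct-TLS mode: wrapped certificates keyed by the identity of the container's certificate object. */
    private static final LruCache<Reference, X509Cert> directTlsCerts = new LruCache<>(50);

    /** Either {@link #PROXY_MODE_NO} or {@link #PROXY_MODE_GENERAL}; fixed in the static initializer. */
    private static final int reverseProxyMode;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/security-6.3.1.jar:org/xipki/security/util/TlsHelper$Reference.class */
    /**
     * Identity-based cache key: two references are equal only if they wrap the very same
     * object ({@code ==}). {@link #hashCode()} delegates to the wrapped object's own hash,
     * which keeps the equals/hashCode contract (identical objects share a hash) while
     * still distributing keys.
     */
    public static class Reference {
        private final Object obj;

        Reference(Object obj) {
            this.obj = obj;
        }

        @Override
        public int hashCode() {
            return this.obj.hashCode();
        }

        @Override
        public boolean equals(Object other) {
            return (other instanceof Reference) && this.obj == ((Reference) other).obj;
        }
    }

    /**
     * Returns the client certificate that authenticated {@code xiHttpRequest}, or
     * {@code null} if the request carries no (accepted) client certificate.
     *
     * @param xiHttpRequest the incoming request
     * @return the client certificate, or {@code null} when absent or not verified
     * @throws IOException in reverse-proxy mode, if {@code SSL_CLIENT_CERT} is present
     *         but cannot be parsed as a certificate
     */
    public static X509Cert getTlsClientCert(XiHttpRequest xiHttpRequest) throws IOException {
        if (reverseProxyMode == PROXY_MODE_NO) {
            return certFromTlsSession(xiHttpRequest);
        }
        return certFromProxyHeaders(xiHttpRequest);
    }

    /** Direct-TLS mode: wraps the leaf of the request's own TLS client chain, if any. */
    private static X509Cert certFromTlsSession(XiHttpRequest request) {
        X509Certificate[] chain = request.getCertificateChain();
        if (chain == null || chain.length == 0) {
            return null;
        }
        X509Certificate leaf = chain[0];
        Reference key = new Reference(leaf);
        X509Cert cached = directTlsCerts.get(key);
        if (cached == null) {
            cached = new X509Cert(leaf);
            directTlsCerts.put(key, cached);
        }
        return cached;
    }

    /**
     * Reverse-proxy mode: accepts the certificate only if the proxy reported
     * {@code SSL_CLIENT_VERIFY: SUCCESS}. See the class documentation for why these
     * headers must never be reachable from untrusted clients.
     */
    private static X509Cert certFromProxyHeaders(XiHttpRequest request) throws IOException {
        String verdict = request.getHeader(HDR_SSL_CLIENT_VERIFY);
        LOG.debug("SSL_CLIENT_VERIFY: '{}'", verdict);
        // Anything other than SUCCESS (e.g. NONE, FAILED:...) means "no authenticated client".
        if (StringUtil.isBlank(verdict) || !"SUCCESS".equalsIgnoreCase(verdict.trim())) {
            return null;
        }

        String pem = request.getHeader(HDR_SSL_CLIENT_CERT);
        if (pem == null || pem.length() < MIN_CERT_HEADER_LENGTH) {
            // NOTE(review): echoes the raw header at ERROR level; if this log is consumed by
            // tooling that is sensitive to injected newlines, consider sanitising it first.
            LOG.error("SSL_CLIENT_CERT: '{}'", pem);
            return null;
        }

        X509Cert cached = proxyHeaderCerts.get(pem);
        if (cached != null) {
            return cached;
        }
        try {
            X509Cert parsed = X509Util.parseCert(StringUtil.toUtf8Bytes(pem));
            proxyHeaderCerts.put(pem, parsed);
            return parsed;
        } catch (CertificateException e) {
            LOG.error("SSL_CLIENT_CERT: '{}'", pem);
            throw new IOException("could not parse Certificate", e);
        }
    }

    static {
        String raw = System.getProperty(PROP_REVERSE_PROXY_MODE);
        // A missing or blank value means "not behind a proxy"; a blank value is not an error.
        // Locale.ROOT: a locale-sensitive upper-casing (e.g. Turkish dotted I) would turn
        // "nginx" into a string that never matches "NGINX".
        String mode = (raw == null || raw.trim().isEmpty()) ? null : raw.trim().toUpperCase(Locale.ROOT);

        int selected;
        if (mode == null || "NO".equals(mode)) {
            selected = PROXY_MODE_NO;
        } else if ("APACHE".equals(mode) || "NGINX".equals(mode) || "GENERAL".equals(mode)) {
            selected = PROXY_MODE_GENERAL;
        } else {
            // Fail closed: an unrecognised value must not silently enable header trust.
            LOG.error("ignored invalid value of property {}: {} is not one of [NO, GENERAL, APACHE, NGINX]",
                PROP_REVERSE_PROXY_MODE, mode);
            selected = PROXY_MODE_NO;
        }
        reverseProxyMode = selected;
        LOG.info("set reverseProxyMode to {}", reverseProxyMode);
    }
}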
