package org.xipki.http.servlet;

import io.netty.handler.codec.http.HttpRequest;
import io.netty.util.CharsetUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/* loaded from: input_file:org/xipki/http/servlet/TlsHelper.class */
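/**
 * Resolves the X.509 client certificate that authenticates an HTTP request, taken either
 * from the local TLS session or from the headers written by a TLS-terminating reverse proxy.
 *
 * <p>Security note: {@code SSL_CLIENT_VERIFY} and {@code SSL_CLIENT_CERT} are ordinary request
 * headers, so any client that can reach this service directly can set them. They are consulted
 * only when the caller passes {@link SslReverseProxyMode#APACHE}. That mode is safe only if the
 * proxy removes or overwrites these headers on every inbound request and the service is not
 * reachable except through the proxy.
 */
public class TlsHelper {
    /** Header in which the reverse proxy reports the outcome of client-certificate verification. */
    private static final String HEADER_CLIENT_VERIFY = "SSL_CLIENT_VERIFY";

    /** Header in which the reverse proxy forwards the PEM-encoded client certificate. */
    private static final String HEADER_CLIENT_CERT = "SSL_CLIENT_CERT";

    private static final CertificateFactory cf;

    /** Parsed certificates keyed by the raw {@code SSL_CLIENT_CERT} header value. */
    private static final SimpleLruCache<String, X509Certificate> clientCerts;

    /**
     * Returns the TLS client certificate for the given request.
     *
     * <p>With mode {@code NONE} (or {@code null}) only the peer certificate of the TLS session is
     * used. The forwarded-certificate headers are ignored in that mode: without a proxy in front
     * of the service they are supplied by the client and prove nothing.
     *
     * <p>With mode {@code APACHE} the certificate is read from the {@code SSL_CLIENT_CERT} header,
     * and only when {@code SSL_CLIENT_VERIFY} equals {@code SUCCESS} (case-insensitive, trimmed).
     *
     * @param httpRequest the request whose headers are read in {@code APACHE} mode
     * @param sSLSession the TLS session of the connection; may be {@code null}
     * @param sslReverseProxyMode how TLS is terminated; {@code null} is treated as {@code NONE}
     * @return the client certificate, or {@code null} if the client presented none or the proxy
     *     did not report a successful verification
     * @throws IOException if the forwarded certificate cannot be decoded or parsed
     * @throws IllegalStateException if the mode is neither {@code NONE} nor {@code APACHE}
     */
    public static X509Certificate getTlsClientCert(HttpRequest httpRequest, SSLSession sSLSession, SslReverseProxyMode sslReverseProxyMode) throws IOException {
        if (sslReverseProxyMode == null || sslReverseProxyMode == SslReverseProxyMode.NONE) {
            // Direct TLS: never fall back to request headers, they are attacker-controlled here.
            return certFromSession(sSLSession);
        }
        if (sslReverseProxyMode != SslReverseProxyMode.APACHE) {
            throw new IllegalStateException("Should not reach here, unknown SslReverseProxyMode " + sslReverseProxyMode);
        }
        return certFromProxyHeaders(httpRequest);
    }

    /** Returns the first peer certificate of the session, or {@code null} if there is none. */
    private static X509Certificate certFromSession(SSLSession session) {
        if (session == null) {
            return null;
        }
        Certificate[] peerChain;
        try {
            peerChain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            // The peer did not authenticate; treat it as "no client certificate".
            return null;
        }
        if (peerChain == null || peerChain.length < 1) {
            return null;
        }
        return (X509Certificate) peerChain[0];
    }

    /** Returns the certificate forwarded by the reverse proxy, or {@code null} if not verified. */
    private static X509Certificate certFromProxyHeaders(HttpRequest request) throws IOException {
        String verifyResult = request.headers().get(HEADER_CLIENT_VERIFY);
        if (verifyResult == null || verifyResult.isEmpty() || !"SUCCESS".equalsIgnoreCase(verifyResult.trim())) {
            return null;
        }
        String pem = request.headers().get(HEADER_CLIENT_CERT);
        if (pem == null || pem.isEmpty()) {
            return null;
        }

        X509Certificate cached = clientCerts.get(pem);
        if (cached != null) {
            return cached;
        }

        String base64 = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "");
        try {
            byte[] der = Base64.getDecoder().decode(base64.getBytes(CharsetUtil.US_ASCII));
            X509Certificate parsed = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
            clientCerts.put(pem, parsed);
            return parsed;
        } catch (IllegalArgumentException e) {
            // Base64.Decoder rejects malformed input with an unchecked exception; report it
            // through the declared IOException like any other unparsable certificate.
            throw new IOException("could not parse Certificate", e);
        } catch (CertificateException e) {
            throw new IOException("could not parse Certificate", e);
        }
    }

    static {
        try {
            cf = CertificateFactory.getInstance("X509");
            clientCerts = new SimpleLruCache<>(100);
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }
}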
