package org.xipki.ocsp.servlet;

import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.security.X509Cert;
import org.xipki.security.util.X509Util;
import org.xipki.util.LruCache;
import org.xipki.util.StringUtil;

/* loaded from: input_file:WEB-INF/classes/org/xipki/ocsp/servlet/TlsHelper.class */
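/**
 * Resolves the TLS client certificate that belongs to an incoming servlet request.
 *
 * <p>The source of the certificate is selected once, at class-load time, by the system
 * property {@code org.xipki.reverseproxy.mode}:
 * <ul>
 *   <li>unset or {@code NO}: the certificate is read from the request attribute
 *       {@code javax.servlet.request.X509Certificate}, which the servlet container fills
 *       in for a TLS connection it terminated itself;</li>
 *   <li>{@code APACHE}: the certificate is read from the request headers
 *       {@code SSL_CLIENT_VERIFY} and {@code SSL_CLIENT_CERT}.</li>
 * </ul>
 * Any other value is logged as an error and treated like {@code NO}.
 *
 * <p><b>Security note for APACHE mode.</b> The client identity comes entirely from request
 * headers. Nothing in this class checks that the request actually arrived through the
 * reverse proxy, and the certificate is only parsed here, not validated. The mode is
 * therefore only sound when the servlet is reachable exclusively through the proxy and
 * the proxy always overwrites or removes any {@code SSL_CLIENT_VERIFY} /
 * {@code SSL_CLIENT_CERT} headers supplied by the client. Both conditions must be enforced
 * by the deployment (network policy, proxy configuration).
 */
public class TlsHelper {
    private static final Logger LOG = LoggerFactory.getLogger(TlsHelper.class);

    /** System property that selects where the client certificate is taken from. */
    private static final String PROP_REVERSE_PROXY_MODE = "org.xipki.reverseproxy.mode";

    private static final String MODE_APACHE = "APACHE";

    /** Request attribute under which the container exposes the TLS client certificate chain. */
    private static final String ATTR_CLIENT_CERTS = "javax.servlet.request.X509Certificate";

    private static final String HEADER_CLIENT_VERIFY = "SSL_CLIENT_VERIFY";

    private static final String HEADER_CLIENT_CERT = "SSL_CLIENT_CERT";

    /** Header values shorter than this are rejected without attempting to parse them. */
    private static final int MIN_CERT_HEADER_CHARS = 100;

    /** Upper bound on how much of a request-supplied header value is copied into the log. */
    private static final int MAX_LOGGED_HEADER_CHARS = 100;

    // Parsed certificates keyed by the raw header text, so that a repeated header value is
    // not parsed again. Created with size argument 50.
    private static final LruCache<String, X509Cert> clientCerts = new LruCache<>(50);

    /** {@code null} means "no reverse proxy"; otherwise {@link #MODE_APACHE}. */
    private static final String reverseProxyMode;

    static {
        String configured = System.getProperty(PROP_REVERSE_PROXY_MODE);
        if (configured != null && !configured.trim().isEmpty()) {
            // Locale.ROOT keeps the comparison independent of the JVM default locale.
            configured = configured.trim().toUpperCase(Locale.ROOT);
        }

        if (configured == null || "NO".equals(configured)) {
            reverseProxyMode = null;
        } else if (MODE_APACHE.equals(configured)) {
            reverseProxyMode = MODE_APACHE;
        } else {
            LOG.error("invalid value of property {}: {} is not one of [NO, APACHE]",
                    PROP_REVERSE_PROXY_MODE, configured);
            // An unrecognised value falls back to the mode that does not trust headers.
            reverseProxyMode = null;
        }
        LOG.info("set reverseProxyMode to {}", reverseProxyMode);
    }

    /**
     * Returns the TLS client certificate associated with the request.
     *
     * @param httpServletRequest the incoming request
     * @return the client certificate, or {@code null} when none is available: no certificate
     *     attribute on the request (direct mode), or, in APACHE mode, a
     *     {@code SSL_CLIENT_VERIFY} header that is not {@code SUCCESS} or a
     *     {@code SSL_CLIENT_CERT} header that is missing or shorter than 100 characters
     * @throws IOException if the {@code SSL_CLIENT_CERT} header cannot be parsed as a
     *     certificate
     * @throws IllegalStateException if the configured mode is neither unset nor APACHE
     */
    public static X509Cert getTlsClientCert(HttpServletRequest httpServletRequest) throws IOException {
        if (reverseProxyMode == null) {
            return certFromContainer(httpServletRequest);
        }
        if (!MODE_APACHE.equals(reverseProxyMode)) {
            throw new IllegalStateException("unknown reverseProxyMode " + reverseProxyMode);
        }
        return certFromProxyHeaders(httpServletRequest);
    }

    /** Reads the first certificate of the chain the servlet container attached to the request. */
    private static X509Cert certFromContainer(HttpServletRequest request) {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(ATTR_CLIENT_CERTS);
        if (chain == null || chain.length < 1) {
            return null;
        }
        return new X509Cert(chain[0]);
    }

    /**
     * Reads the certificate from the headers set by the reverse proxy.
     *
     * <p>The headers are trusted as-is; see the class comment for the deployment
     * preconditions this relies on.
     */
    private static X509Cert certFromProxyHeaders(HttpServletRequest request) throws IOException {
        String verifyResult = request.getHeader(HEADER_CLIENT_VERIFY);
        LOG.debug("SSL_CLIENT_VERIFY: '{}'", verifyResult);
        if (StringUtil.isBlank(verifyResult) || !"SUCCESS".equalsIgnoreCase(verifyResult.trim())) {
            return null;
        }

        String certText = request.getHeader(HEADER_CLIENT_CERT);
        if (certText == null || certText.length() < MIN_CERT_HEADER_CHARS) {
            // Bounded by the length check above, so the value is logged unabridged.
            LOG.error("SSL_CLIENT_CERT: '{}'", certText);
            return null;
        }

        X509Cert cached = clientCerts.get(certText);
        if (cached != null) {
            return cached;
        }

        try {
            X509Cert parsed = X509Util.parseCert(StringUtil.toUtf8Bytes(certText));
            clientCerts.put(certText, parsed);
            return parsed;
        } catch (CertificateException e) {
            // The value comes from the request and has no upper length bound at this point,
            // so only a prefix goes into the log. The cause is kept on the IOException.
            LOG.error("SSL_CLIENT_CERT: '{}'", abbreviateForLog(certText));
            throw new IOException("could not parse Certificate", e);
        }
    }

    /** Shortens a request-supplied value to a bounded prefix plus its original length. */
    private static String abbreviateForLog(String value) {
        if (value.length() <= MAX_LOGGED_HEADER_CHARS) {
            return value;
        }
        return value.substring(0, MAX_LOGGED_HEADER_CHARS) + "...(" + value.length() + " chars)";
    }
}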
