package org.dspace.authenticate;

import java.io.BufferedInputStream;
import java.io.Closeable;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.sql.SQLException;
import java.util.Enumeration;
import java.util.Locale;
import java.util.StringTokenizer;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.dspace.authorize.AuthorizeException;
import org.dspace.core.ConfigurationManager;
import org.dspace.core.Context;
import org.dspace.core.LogManager;
import org.dspace.eperson.EPerson;

/* loaded from: input_file:org/dspace/authenticate/X509Authentication.class */
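/**
 * Implicit authentication method that identifies the user from the X.509
 * client certificate the servlet container exposes as the
 * {@code javax.servlet.request.X509Certificate} request attribute.
 * <p>
 * The first certificate of that array (the client's own certificate) is
 * accepted when it is inside its validity period and its signature verifies
 * against a configured CA: either the single CA certificate named by
 * {@code authentication.x509.ca.cert} (falling back to the legacy
 * {@code webui.cert.ca}) or any certificate entry of the JKS keystore named by
 * {@code authentication.x509.keystore.path} /
 * {@code authentication.x509.keystore.password}. Both sources are loaded once,
 * in the static initializer; a load failure is logged and leaves that source
 * unconfigured.
 * <p>
 * The account is looked up by the e-mail address carried in the certificate's
 * subject DN ({@code EMAILADDRESS=...}). When no account exists and
 * {@code authentication.x509.autoregister} is set, one is created from that
 * address, so the configured CA is trusted to vouch for e-mail ownership.
 * Only a direct signature check against the configured CA key(s) is performed
 * here: no certificate chain is built and no revocation information
 * (CRL/OCSP) is consulted.
 */
public class X509Authentication implements AuthenticationMethod {
    private static final Logger log = Logger.getLogger(X509Authentication.class);

    // Result codes of authenticate(); same values as the AuthenticationMethod
    // constants (the decompiled source carried only the literals).
    private static final int SUCCESS = 1;
    private static final int BAD_CREDENTIALS = 2;
    private static final int NO_SUCH_USER = 4;
    private static final int BAD_ARGS = 5;

    /** Request attribute under which the servlet container stores the client certificate chain. */
    private static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /** Lower-cased prefix of the subject-DN component that carries the e-mail address. */
    private static final String EMAIL_ATTRIBUTE = "emailaddress=";

    /** Public key of the single configured CA certificate, or null if none is configured/loadable. */
    private static PublicKey caPublicKey;

    /** Keystore of trusted CA certificates, or null if none is configured/loadable. */
    private static KeyStore caCertKeyStore;

    /**
     * Extracts the e-mail address from the certificate's subject DN.
     *
     * @param certificate the client certificate, must not be null
     * @return the lower-cased value of the {@code EMAILADDRESS} component, or
     *         null when the DN is unavailable, has no such component, or the
     *         component is empty
     */
    private static String getEmail(X509Certificate certificate) {
        // NOTE(review): keep getSubjectDN() here; getSubjectX500Principal().getName()
        // uses RFC 2253 form, where this attribute may be rendered as an OID rather
        // than "EMAILADDRESS=" -- confirm before switching.
        Principal subject = certificate.getSubjectDN();
        if (subject == null) {
            return null;
        }
        String dn = subject.getName();
        if (dn == null) {
            return null;
        }
        // Splitting on ',' does not honour RFC 2253 escaping, so a comma inside an
        // RDN value would split that value; the original code had the same limit.
        StringTokenizer rdns = new StringTokenizer(dn, ",");
        while (rdns.hasMoreTokens()) {
            // trim(): DN components after the first usually carry a leading blank.
            String rdn = rdns.nextToken().trim();
            // Locale.ROOT keeps the prefix match independent of the default locale.
            if (rdn.toLowerCase(Locale.ROOT).startsWith(EMAIL_ATTRIBUTE)) {
                String value = rdn.substring(EMAIL_ATTRIBUTE.length());
                return value.isEmpty() ? null : value.toLowerCase(Locale.ROOT);
            }
        }
        return null;
    }

    /**
     * Checks that the certificate is currently valid and was signed by one of
     * the configured CA keys.
     * <p>
     * The single CA key is tried first; if that fails (or none is configured)
     * every certificate entry of the keystore is tried in turn. Failures are
     * logged at INFO with the request context.
     *
     * @param context     DSpace context, used for log headers
     * @param certificate the client certificate; null is rejected
     * @return true if the certificate is within its validity period and its
     *         signature verifies against a configured CA key
     */
    private static boolean isValid(Context context, X509Certificate certificate) {
        if (certificate == null) {
            return false;
        }
        try {
            certificate.checkValidity();
        } catch (CertificateException e) {
            log.info(LogManager.getHeader(context, "authentication", "X.509 Certificate is EXPIRED or PREMATURE: " + e.toString()));
            return false;
        }
        if (caPublicKey != null) {
            try {
                certificate.verify(caPublicKey);
                return true;
            } catch (GeneralSecurityException e) {
                // Fall through to the keystore, which may hold the issuing CA.
                log.info(LogManager.getHeader(context, "authentication", "X.509 Certificate FAILED SIGNATURE check: " + e.toString()));
            }
        }
        if (caCertKeyStore == null) {
            return false;
        }
        try {
            Enumeration<String> aliases = caCertKeyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!caCertKeyStore.isCertificateEntry(alias)) {
                    continue;
                }
                java.security.cert.Certificate trusted = caCertKeyStore.getCertificate(alias);
                if (trusted == null) {
                    continue;
                }
                try {
                    certificate.verify(trusted.getPublicKey());
                    return true;
                } catch (GeneralSecurityException ignored) {
                    // Not signed by this CA: try the next entry. Catching the broader
                    // type matters -- a SignatureException from a non-matching key
                    // previously escaped to the outer catch and ended the search after
                    // the first entry.
                }
            }
            log.info(LogManager.getHeader(context, "authentication", "Keystore method FAILED SIGNATURE check on client cert."));
            return false;
        } catch (GeneralSecurityException e) {
            // Keystore access itself failed (KeyStoreException).
            log.info(LogManager.getHeader(context, "authentication", "X.509 Certificate FAILED SIGNATURE check: " + e.toString()));
            return false;
        }
    }

    /**
     * Whether an account may be created automatically for an authenticated
     * certificate holder, as controlled by {@code authentication.x509.autoregister}.
     *
     * @param context  DSpace context (unused)
     * @param request  current request (unused)
     * @param username candidate username (unused)
     * @return the configured value of {@code authentication.x509.autoregister}
     * @throws SQLException never thrown here; declared by the interface
     */
    @Override
    public boolean canSelfRegister(Context context, HttpServletRequest request, String username) throws SQLException {
        return ConfigurationManager.getBooleanProperty("authentication.x509.autoregister");
    }

    /**
     * No-op: the e-mail and login flag of an auto-registered account are set
     * directly by {@link #authenticate}.
     */
    @Override
    public void initEPerson(Context context, HttpServletRequest request, EPerson ePerson) throws SQLException {
    }

    /** Certificate-authenticated users never get a local password. */
    @Override
    public boolean allowSetPassword(Context context, HttpServletRequest request, String username) throws SQLException {
        return false;
    }

    /** This method needs no credentials typed by the user. */
    @Override
    public boolean isImplicit() {
        return true;
    }

    /** This method never places the user in additional groups. */
    @Override
    public int[] getSpecialGroups(Context context, HttpServletRequest request) {
        return new int[0];
    }

    /**
     * Authenticates the request from its client certificate.
     * <p>
     * Returns {@code BAD_ARGS} (5) when no certificate is present, the account
     * is not allowed to log in, or an {@link AuthorizeException} occurs;
     * {@code BAD_CREDENTIALS} (2) when the certificate fails validation;
     * {@code NO_SUCH_USER} (4) when no account matches and auto-registration
     * is off or the certificate carries no e-mail; and {@code SUCCESS} (1)
     * after setting the current user on the context.
     *
     * @param context  DSpace context; receives the authenticated user on success
     * @param username ignored (credentials come from the certificate)
     * @param password ignored
     * @param realm    ignored
     * @param request  current request; may be null, which yields {@code BAD_ARGS}
     * @return one of the result codes above
     * @throws SQLException on database errors during lookup or registration
     */
    @Override
    public int authenticate(Context context, String username, String password, String realm, HttpServletRequest request) throws SQLException {
        X509Certificate[] certs = null;
        if (request != null) {
            Object attribute = request.getAttribute(CERT_ATTRIBUTE);
            // instanceof rather than a blind cast so an unexpected attribute type is
            // treated as "no certificate" instead of a ClassCastException.
            if (attribute instanceof X509Certificate[]) {
                certs = (X509Certificate[]) attribute;
            }
        }
        if (certs == null || certs.length == 0) {
            return BAD_ARGS;
        }
        // certs[0] is the client's own certificate; only it is validated.
        X509Certificate clientCert = certs[0];
        try {
            if (!isValid(context, clientCert)) {
                log.warn(LogManager.getHeader(context, "authenticate", "type=x509certificate, status=BAD_CREDENTIALS (not valid)"));
                return BAD_CREDENTIALS;
            }
            String email = getEmail(clientCert);
            EPerson person = (email == null) ? null : EPerson.findByEmail(context, email);
            if (person != null) {
                if (!person.canLogIn()) {
                    log.warn(LogManager.getHeader(context, "authenticate", "type=x509certificate, email=" + email + ", canLogIn=false, rejecting."));
                    return BAD_ARGS;
                }
                log.info(LogManager.getHeader(context, "login", "type=x509certificate"));
                context.setCurrentUser(person);
                return SUCCESS;
            }
            if (email == null || !canSelfRegister(context, request, null)) {
                log.warn(LogManager.getHeader(context, "authenticate", "type=cert_but_no_record, cannot auto-register"));
                return NO_SUCH_USER;
            }
            log.info(LogManager.getHeader(context, "autoregister", "from=x.509, email=" + email));
            EPerson created = autoRegister(context, request, email);
            context.setCurrentUser(created);
            return SUCCESS;
        } catch (AuthorizeException e) {
            log.warn(LogManager.getHeader(context, "authorize_exception", ""), e);
            return BAD_ARGS;
        }
    }

    /**
     * Creates and commits a new, login-enabled account for the given e-mail.
     * Authorization is bypassed only for the duration of the creation and is
     * restored in a {@code finally} block, so an exception cannot leave the
     * context with authorization checks switched off.
     *
     * @param context DSpace context
     * @param request current request, passed to AuthenticationManager.initEPerson
     * @param email   e-mail address taken from the certificate
     * @return the newly created account
     * @throws SQLException       on database errors
     * @throws AuthorizeException if the account could not be created or updated
     */
    private static EPerson autoRegister(Context context, HttpServletRequest request, String email)
            throws SQLException, AuthorizeException {
        context.setIgnoreAuthorization(true);
        try {
            EPerson person = EPerson.create(context);
            person.setEmail(email);
            person.setCanLogIn(true);
            AuthenticationManager.initEPerson(context, request, person);
            person.update();
            context.commit();
            return person;
        } finally {
            context.setIgnoreAuthorization(false);
        }
    }

    /** Implicit method: there is no login page. */
    @Override
    public String loginPageURL(Context context, HttpServletRequest request, HttpServletResponse response) {
        return null;
    }

    /** Implicit method: there is no login page title. */
    @Override
    public String loginPageTitle(Context context) {
        return null;
    }

    /**
     * Loads the JKS keystore of trusted CA certificates.
     *
     * @param path     keystore file path
     * @param password keystore password ("" when not configured)
     * @return the loaded keystore, or null if it could not be read or parsed
     *         (the failure is logged without the password)
     */
    private static KeyStore loadKeyStore(String path, String password) {
        FileInputStream in = null;
        try {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            in = new FileInputStream(path);
            keyStore.load(in, password.toCharArray());
            return keyStore;
        } catch (IOException e) {
            log.error("X509Authentication: Failed to load CA keystore, file=" + path + ", error=" + e.toString());
        } catch (GeneralSecurityException e) {
            log.error("X509Authentication: Failed to extract CA keystore, file=" + path + ", error=" + e.toString());
        } finally {
            closeQuietly(in);
        }
        return null;
    }

    /**
     * Reads a single X.509 CA certificate and returns its public key.
     *
     * @param path certificate file path
     * @return the certificate's public key, or null if the file could not be
     *         read or parsed (the failure is logged)
     */
    private static PublicKey loadCaPublicKey(String path) {
        BufferedInputStream in = null;
        try {
            in = new BufferedInputStream(new FileInputStream(path));
            X509Certificate caCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            return caCert == null ? null : caCert.getPublicKey();
        } catch (IOException e) {
            log.error("X509Authentication: Failed to load CA cert, file=" + path + ", error=" + e.toString());
        } catch (CertificateException e) {
            log.error("X509Authentication: Failed to extract CA cert, file=" + path + ", error=" + e.toString());
        } finally {
            closeQuietly(in);
        }
        return null;
    }

    /**
     * Closes a stream opened by the loaders above, ignoring null and close
     * failures (the read itself has already succeeded or been logged).
     */
    private static void closeQuietly(Closeable closeable) {
        if (closeable == null) {
            return;
        }
        try {
            closeable.close();
        } catch (IOException ignored) {
            // Nothing useful to do: the data was already read or the error logged.
        }
    }

    static {
        String keystorePath = ConfigurationManager.getProperty("authentication.x509.keystore.path");
        String keystorePassword = ConfigurationManager.getProperty("authentication.x509.keystore.password");
        String caCertPath = ConfigurationManager.getProperty("authentication.x509.ca.cert");
        if (caCertPath == null) {
            // Legacy property name, honoured for backward compatibility.
            caCertPath = ConfigurationManager.getProperty("webui.cert.ca");
        }
        if (keystorePath != null) {
            // A missing password is treated as the empty password, as before.
            caCertKeyStore = loadKeyStore(keystorePath, keystorePassword == null ? "" : keystorePassword);
        }
        if (caCertPath != null) {
            caPublicKey = loadCaPublicKey(caCertPath);
        }
    }
}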
