package com.wso2.openbanking.accelerator.identity.token.validators;

import com.wso2.openbanking.accelerator.common.exception.OpenBankingException;
import com.wso2.openbanking.accelerator.common.util.CertificateUtils;
import com.wso2.openbanking.accelerator.identity.token.util.TokenFilterException;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/wso2/openbanking/accelerator/identity/token/validators/MTLSCertificateValidator.class */
/**
 * Identity filter validator that rejects requests whose forwarded mutual-TLS client
 * certificate has expired or cannot be parsed.
 *
 * <p>The certificate is not read from the TLS session. It is taken from the request header
 * named by {@link IdentityCommonUtil#getMTLSAuthHeader()}, so the check is only as
 * trustworthy as that header.
 * NOTE(review): presumably a TLS-terminating gateway sets this header and strips any
 * client-supplied copy; confirm against the deployment.
 *
 * <p>Expiry is the only property checked in this class. Anything else (chain trust,
 * revocation, binding to the client) is not visible here.
 */
public class MTLSCertificateValidator implements OBIdentityFilterValidator {
    private static final Log log = LogFactory.getLog(MTLSCertificateValidator.class);
    private static final String CERT_EXPIRED_ERROR = "Certificate with the serial number %s issued by the CA %s is expired";

    /**
     * Checks the expiry of the client certificate carried in the MTLS header.
     *
     * <p>If the header is absent the method returns without validating anything, so this
     * validator alone does not enforce that a certificate was presented.
     * NOTE(review): confirm that another validator in the chain rejects requests that
     * arrive without the header.
     *
     * @param servletRequest the incoming request; cast to {@link HttpServletRequest}
     * @param str not used by this validator
     * @throws TokenFilterException with status 401 when the certificate is expired or when
     *     parsing or checking it raises an {@link OpenBankingException}
     * @throws ServletException declared by the interface; not thrown directly in this method
     */
    @Override
    public void validate(ServletRequest servletRequest, String str) throws TokenFilterException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        String certHeaderValue = httpRequest.getHeader(IdentityCommonUtil.getMTLSAuthHeader());
        if (certHeaderValue == null) {
            // No certificate header on the request: nothing is validated here.
            return;
        }

        try {
            X509Certificate clientCert = CertificateUtils.parseCertificate(certHeaderValue);
            if (CertificateUtils.isExpired(clientCert)) {
                // Serial number and issuer DN are read from the presented certificate; the same
                // text is logged and passed as the exception's third argument.
                // NOTE(review): if that argument is returned to the caller, certificate details
                // are echoed back; confirm this is intended.
                String expiredDetail = String.format(
                        CERT_EXPIRED_ERROR,
                        clientCert.getSerialNumber(),
                        clientCert.getIssuerDN().toString());
                log.error(expiredDetail);
                throw new TokenFilterException(
                        401,
                        "Invalid mutual TLS request. Client certificate is expired",
                        expiredDetail);
            }
            log.debug("Client certificate expiry validation completed successfully");
        } catch (OpenBankingException e) {
            // Failures from parsing or the expiry check are mapped to an invalid-client 401.
            log.error("Invalid mutual TLS request. Client certificate is invalid", e);
            throw new TokenFilterException(
                    401,
                    IdentityCommonConstants.OAUTH2_INVALID_CLIENT_MESSAGE,
                    e.getMessage());
        }
    }
}
