package org.picketbox.core.authentication.impl;

import java.io.IOException;
import java.io.StringReader;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.picketbox.core.PicketBoxPrincipal;
import org.picketbox.core.authentication.AuthenticationInfo;
import org.picketbox.core.authentication.AuthenticationResult;
import org.picketbox.core.authentication.credential.CertificateCredential;
import org.picketbox.core.authentication.credential.UserCredential;
import org.picketbox.core.authorization.ent.Entitlement;
import org.picketbox.core.config.AuthenticationConfiguration;
import org.picketbox.core.config.ClientCertConfiguration;
import org.picketbox.core.exceptions.AuthenticationException;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.internal.X509CertificateCredentials;

/* loaded from: input_file:org/picketbox/core/authentication/impl/CertificateAuthenticationMechanism.class */
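/**
 * Authentication mechanism that maps a client X.509 certificate to a {@link PicketBoxPrincipal}.
 *
 * <p>The user name is derived from the certificate's subject principal (or, if that is absent, the
 * issuer principal): either the whole DN string, or only its {@code CN} attribute when
 * {@link #isUseCNAsPrincipal()} is enabled. When {@link #isUseCertificateValidation()} is enabled the
 * credentials are validated through the identity manager; otherwise the mechanism only checks that a
 * user with the derived name exists. In that second mode this class performs no signature, chain or
 * expiry check of its own — it relies on whoever built the {@link CertificateCredential} (presumably
 * the TLS layer) to have done so, and on the issuing CA controlling what subjects it certifies.
 *
 * <p>A certificate from which no non-empty name can be derived is always rejected; it never becomes a
 * principal with a {@code null} or empty name.
 */
public class CertificateAuthenticationMechanism extends AbstractAuthenticationMechanism {

    /** X.500 attribute type whose value is used as the principal when {@link #isUseCNAsPrincipal()} is set. */
    private static final String COMMON_NAME_ATTRIBUTE = "CN";

    /**
     * Describes this mechanism: a single entry accepting {@link CertificateCredential}.
     *
     * @return a new, mutable list containing the single descriptor
     */
    @Override
    public List<AuthenticationInfo> getAuthenticationInfo() {
        List<AuthenticationInfo> infos = new ArrayList<AuthenticationInfo>();
        infos.add(new AuthenticationInfo("Certificate authentication service.",
                "A authentication service using certificates.", CertificateCredential.class));
        return infos;
    }

    /**
     * Authenticates the certificate carried by {@code userCredential}.
     *
     * @param userCredential a {@link CertificateCredential}; this mechanism is only registered for that
     *        type (see {@link #getAuthenticationInfo()}), any other type is a programming error
     * @param authenticationResult result object marked invalid when authentication fails
     * @return the authenticated principal, or {@code null} when the certificate is rejected
     * @throws AuthenticationException propagated from the identity manager
     */
    @Override
    protected Principal doAuthenticate(UserCredential userCredential, AuthenticationResult authenticationResult) throws AuthenticationException {
        X509CertificateCredentials credential = ((CertificateCredential) userCredential).getCredential();
        String userName = getUserName(credential.getCertificate().getValue());

        // Fail closed: without a usable name there is nothing to look up or to build a principal from.
        if (userName == null || userName.isEmpty()) {
            invalidCredentials(authenticationResult);
            return null;
        }

        PicketBoxPrincipal principal = null;
        if (isUseCertificateValidation()) {
            getIdentityManager().validateCredentials(credential);
            // Constant-first comparison: a null status counts as "not valid" instead of an NPE.
            if (Credentials.Status.VALID.equals(credential.getStatus())) {
                principal = new PicketBoxPrincipal(userName);
            }
        } else if (getIdentityManager().getUser(userName) != null) {
            // No validation configured: the certificate is accepted if a user with that name exists.
            principal = new PicketBoxPrincipal(userName);
        }

        if (principal == null) {
            invalidCredentials(authenticationResult);
        }
        return principal;
    }

    /**
     * Derives the user name for a certificate.
     *
     * @param x509Certificate the client certificate
     * @return the full DN string, or only its {@code CN} when {@link #isUseCNAsPrincipal()} is set;
     *         {@code null} when the certificate has no principal or no usable {@code CN}
     */
    private String getUserName(X509Certificate x509Certificate) {
        Principal certificatePrincipal = getCertificatePrincipal(x509Certificate);
        if (certificatePrincipal == null) {
            return null;
        }
        String distinguishedName = certificatePrincipal.getName();
        if (isUseCNAsPrincipal()) {
            return extractCommonName(distinguishedName);
        }
        return distinguishedName;
    }

    /**
     * Extracts the {@code CN} attribute value from a DN string.
     *
     * <p>The DN is parsed with {@link LdapName} (RFC 2253 syntax, including quoted and escaped values),
     * so separators inside an attribute value — e.g. {@code CN="Doe, John"} — do not split the name and
     * backslash escapes are not misinterpreted. When the DN carries several {@code CN} attributes the
     * one closest to the end entity (the leftmost in the printed DN) is used.
     *
     * @param distinguishedName the DN string, may be {@code null}
     * @return the {@code CN} value, or {@code null} if the DN is {@code null}, cannot be parsed, has no
     *         {@code CN}, or its {@code CN} is not a string value
     */
    private static String extractCommonName(String distinguishedName) {
        if (distinguishedName == null) {
            return null;
        }
        List<Rdn> rdns;
        try {
            rdns = new LdapName(distinguishedName).getRdns();
        } catch (InvalidNameException e) {
            // Fail closed: an unparsable DN yields no name and the caller rejects the certificate.
            return null;
        }
        // LdapName keeps the most significant RDN at index 0; walk from the other end so the
        // end-entity's own CN wins over any CN higher up in the name.
        for (int i = rdns.size() - 1; i >= 0; i--) {
            Rdn rdn = rdns.get(i);
            if (COMMON_NAME_ATTRIBUTE.equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String) {
                return (String) rdn.getValue();
            }
        }
        return null;
    }

    /**
     * Returns the certificate's subject principal, falling back to the issuer principal when the
     * subject principal is absent.
     *
     * <p>{@link X509Certificate#getSubjectDN()} is kept on purpose although it has been superseded by
     * {@link X509Certificate#getSubjectX500Principal()}: its string form is what this mechanism uses as
     * the user name when {@link #isUseCNAsPrincipal()} is off, and the RFC 2253 form produced by the
     * newer API can differ, which would change the names of existing users.
     *
     * <p>NOTE(review): with the fallback, a certificate without a subject principal is identified by
     * its issuer's name — confirm whether any deployment relies on this before removing it.
     *
     * @param x509Certificate the client certificate
     * @return the subject principal, else the issuer principal, else {@code null}
     */
    @SuppressWarnings("deprecation")
    private Principal getCertificatePrincipal(X509Certificate x509Certificate) {
        Principal subject = x509Certificate.getSubjectDN();
        return subject != null ? subject : x509Certificate.getIssuerDN();
    }

    /**
     * Whether the identity manager must validate the credentials before a principal is issued.
     *
     * @return the configured flag; {@code false} when no client-certificate configuration is present
     */
    public boolean isUseCertificateValidation() {
        ClientCertConfiguration clientCertConfig = getClientCertAuthenticationConfig();
        return clientCertConfig != null && clientCertConfig.isUseCertificateValidation();
    }

    /**
     * Looks up the client-certificate section of the authentication configuration.
     *
     * @return the configuration, or {@code null} when no authentication configuration is set
     */
    private ClientCertConfiguration getClientCertAuthenticationConfig() {
        AuthenticationConfiguration authentication = getPicketBoxManager().getConfiguration().getAuthentication();
        return authentication != null ? authentication.getCertConfiguration() : null;
    }

    /**
     * Whether only the {@code CN} attribute of the DN, rather than the whole DN string, is used as the
     * user name.
     *
     * @return the configured flag; {@code false} when no client-certificate configuration is present
     */
    public boolean isUseCNAsPrincipal() {
        ClientCertConfiguration clientCertConfig = getClientCertAuthenticationConfig();
        return clientCertConfig != null && clientCertConfig.isUseCNAsPrincipal();
    }
}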
