package org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls;

import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jose.util.Resource;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Serializable;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.DatatypeConverter;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext;
import org.wso2.carbon.identity.oauth2.client.authentication.AbstractOAuthClientAuthenticator;
import org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnException;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls.cache.MutualTLSJWKSCache;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls.cache.MutualTLSJWKSCacheEntry;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls.cache.MutualTLSJWKSCacheKey;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls.utils.MutualTLSUtil;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handler/clientauth/mutualtls/MutualTLSClientAuthenticator.class */
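/**
 * OAuth2 client authenticator that authenticates a client by the X.509 certificate it presented during the
 * mutual-TLS handshake.
 *
 * <p>The certificate is read from the {@code MutualTLSUtil.JAVAX_SERVLET_REQUEST_CERTIFICATE} request attribute
 * and compared, by thumbprint, either with the public certificate registered for the OAuth application or, when
 * the service provider carries a {@code jwksURI} property, with the {@code x5t} / {@code x5c} members of the keys
 * published at that JWKS endpoint. Fetched JWK Sets are kept in {@link MutualTLSJWKSCache}.
 *
 * <p>Trust model: the class never reads the certificate from request parameters or headers, only from the
 * servlet attribute. It therefore assumes that attribute is populated by the TLS layer (the container, or a
 * trusted filter when TLS is terminated in front of it) — confirm for the deployment in question.
 */
public class MutualTLSClientAuthenticator extends AbstractOAuthClientAuthenticator {

    private static final Log log = LogFactory.getLog(MutualTLSClientAuthenticator.class);
    /** JWK member holding the base64url SHA-1 thumbprint of the certificate (RFC 7517, section 4.8). */
    private static final String X5T = "x5t";
    /** JWK member holding the certificate chain as an array of base64 DER certificates (RFC 7517, section 4.7). */
    private static final String X5C = "x5c";
    private static final String X509 = "X.509";
    private static final String HTTP_CONNECTION_TIMEOUT_XPATH = "JWTValidatorConfigs.JWKSEndpoint.HTTPConnectionTimeout";
    private static final String HTTP_READ_TIMEOUT_XPATH = "JWTValidatorConfigs.JWKSEndpoint.HTTPReadTimeout";
    /** Top-level member of a JWK Set document that holds the key array. */
    private static final String KEYS = "keys";
    /** Service-provider property that carries the JWKS endpoint URL. */
    private static final String JWKS_URI = "jwksURI";

    /**
     * Authenticates the client by matching the certificate presented in the request against the certificate
     * registered for the client, or against the keys published at the client's JWKS endpoint.
     *
     * @param httpServletRequest      token request; the client certificate is expected as a request attribute
     * @param map                     request body parameters, used to resolve {@code client_id} when the
     *                                context does not carry one yet
     * @param oAuthClientAuthnContext authentication context; its client id is set here when missing
     * @return {@code true} when the presented certificate matches the registered certificate (or a JWKS key),
     *         {@code false} when the client id or certificate is missing or the thumbprints differ
     * @throws OAuthClientAuthnException when the tenant, service provider or registered certificate of the client
     *                                   cannot be resolved
     */
    public boolean authenticateClient(HttpServletRequest httpServletRequest, Map<String, List> map,
                                      OAuthClientAuthnContext oAuthClientAuthnContext)
            throws OAuthClientAuthnException {

        if (StringUtils.isEmpty(oAuthClientAuthnContext.getClientId())) {
            String clientIdFromBody = getClientId(httpServletRequest, map, oAuthClientAuthnContext);
            if (StringUtils.isBlank(clientIdFromBody)) {
                if (log.isDebugEnabled()) {
                    log.debug("Mutual TLS authenticator cannot handle this request. Client id is not available in body params or valid certificate not found in request attributes.");
                }
                return false;
            }
            oAuthClientAuthnContext.setClientId(clientIdFromBody);
        }
        String clientId = oAuthClientAuthnContext.getClientId();

        if (log.isDebugEnabled()) {
            log.debug("Authenticating client : " + clientId + " with public certificate.");
        }
        // Extracted before the lookups below: a request without a usable certificate fails closed without
        // touching the service-provider store.
        X509Certificate requestCertificate = getRequestCertificate(httpServletRequest);
        if (requestCertificate == null) {
            if (log.isDebugEnabled()) {
                log.debug("Could not find client certificate in required format for client: " + clientId);
            }
            return false;
        }
        try {
            String tenantDomain = OAuth2Util.getTenantDomainOfOauthApp(clientId);
            ServiceProvider serviceProvider = OAuth2Util.getServiceProvider(clientId, tenantDomain);
            if (MutualTLSUtil.isJwksUriConfigured(serviceProvider)) {
                if (log.isDebugEnabled()) {
                    log.debug("Public certificate not configured for Service Provider with client_id: " + clientId + " of tenantDomain: " + tenantDomain + ". Fetching the jwks endpoint for validating request certificate");
                }
                return authenticate(getJWKSEndpointOfSP(serviceProvider, clientId), requestCertificate);
            }
            if (log.isDebugEnabled()) {
                log.debug("Public certificate configured for Service Provider with client_id: " + clientId + " of tenantDomain: " + tenantDomain + ". Using public certificate  for validating request certificate");
            }
            X509Certificate registeredCertificate =
                    (X509Certificate) OAuth2Util.getX509CertOfOAuthApp(clientId, tenantDomain);
            return authenticate(registeredCertificate, requestCertificate);
        } catch (IdentityOAuth2Exception e) {
            throw new OAuthClientAuthnException("server_error", "Error occurred while retrieving public certificate of client ID: " + clientId, e);
        } catch (InvalidOAuthClientException e) {
            throw new OAuthClientAuthnException("invalid_client", "Error occurred while retrieving tenant domain for the client ID: " + clientId, e);
        }
    }

    /**
     * Reports whether this authenticator applies to the request: a {@code client_id} body parameter and a
     * client certificate request attribute must both be present.
     *
     * @param httpServletRequest      token request
     * @param map                     request body parameters
     * @param oAuthClientAuthnContext authentication context (not consulted)
     * @return {@code true} when both the client id and a certificate are available
     */
    public boolean canAuthenticate(HttpServletRequest httpServletRequest, Map<String, List> map,
                                   OAuthClientAuthnContext oAuthClientAuthnContext) {

        boolean applicable = clientIdExistsAsParam(map) && validCertExistsAsAttribute(httpServletRequest);
        if (log.isDebugEnabled()) {
            log.debug(applicable
                    ? "Client ID exists in request body parameters and a valid certificate found in request attributes. Hence returning true."
                    : "Mutual TLS authenticator cannot handle this request. Client id is not available in body params or valid certificate not found in request attributes.");
        }
        return applicable;
    }

    /**
     * Resolves the client id from the {@code client_id} body parameter and stores it on the context.
     *
     * <p>{@code getBodyParameters} is inherited; it is assumed to flatten the parameter map to single
     * {@link String} values, which is why the raw value is cast here — confirm against the superclass.
     *
     * @param httpServletRequest      token request (not consulted)
     * @param map                     request body parameters
     * @param oAuthClientAuthnContext authentication context that receives the resolved client id
     * @return the resolved client id, possibly {@code null}
     * @throws OAuthClientAuthnException declared for interface compatibility; not thrown here
     */
    public String getClientId(HttpServletRequest httpServletRequest, Map<String, List> map,
                              OAuthClientAuthnContext oAuthClientAuthnContext) throws OAuthClientAuthnException {

        oAuthClientAuthnContext.setClientId((String) getBodyParameters(map).get("client_id"));
        return oAuthClientAuthnContext.getClientId();
    }

    /** Returns {@code true} when the body parameters carry a non-empty {@code client_id}. */
    private boolean clientIdExistsAsParam(Map<String, List> map) {

        return StringUtils.isNotEmpty((String) getBodyParameters(map).get("client_id"));
    }

    /** Returns {@code true} when the request attribute yields a usable client certificate. */
    private boolean validCertExistsAsAttribute(HttpServletRequest httpServletRequest) {

        return getRequestCertificate(httpServletRequest) != null;
    }

    /**
     * Returns the client certificate from the servlet request attribute, or {@code null} when none is usable.
     *
     * <p>Both the single-certificate and the certificate-array form of the attribute are accepted. For an array
     * the first element is returned (the servlet API places the client's own certificate first); an empty array
     * yields {@code null} instead of an {@link ArrayIndexOutOfBoundsException}.
     *
     * @param httpServletRequest token request
     * @return the presented certificate, or {@code null}
     */
    private static X509Certificate getRequestCertificate(HttpServletRequest httpServletRequest) {

        Object attribute = httpServletRequest.getAttribute(MutualTLSUtil.JAVAX_SERVLET_REQUEST_CERTIFICATE);
        if (attribute instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attribute;
            return chain.length > 0 ? chain[0] : null;
        }
        if (attribute instanceof X509Certificate) {
            return (X509Certificate) attribute;
        }
        return null;
    }

    /**
     * Authenticates the client by comparing the thumbprint of the registered certificate with that of the
     * certificate presented in the request.
     *
     * @param registeredCertificate certificate registered for the client: the OAuth application certificate, or
     *                              a certificate taken from the JWKS {@code x5c} member
     * @param requestCertificate    certificate the client presented in the request
     * @return {@code true} only when both certificates and both thumbprints are available and equal
     * @throws OAuthClientAuthnException when a thumbprint cannot be derived from a certificate encoding
     */
    protected boolean authenticate(X509Certificate registeredCertificate, X509Certificate requestCertificate)
            throws OAuthClientAuthnException {

        // Fail closed: a missing certificate on either side can never authenticate the client.
        if (registeredCertificate == null || requestCertificate == null) {
            if (log.isDebugEnabled()) {
                log.debug("Client Authentication failed. Registered certificate or request certificate is not available.");
            }
            return false;
        }
        try {
            // The second argument is null here and in every other caller in this class; presumably it selects
            // the digest or an alias — confirm in MutualTLSUtil.
            String registeredThumbprint = MutualTLSUtil.getThumbPrint(registeredCertificate, null);
            String requestThumbprint = MutualTLSUtil.getThumbPrint(requestCertificate, null);
            // StringUtils.equals treats two nulls as equal, so a null thumbprint is rejected explicitly.
            boolean matched = registeredThumbprint != null
                    && StringUtils.equals(registeredThumbprint, requestThumbprint);
            if (log.isDebugEnabled()) {
                log.debug(matched
                        ? "Client certificate thumbprint matched with the registered certificate thumbprint."
                        : "Client Authentication failed. Client certificate thumbprint did not match with the registered certificate thumbprint.");
            }
            return matched;
        } catch (CertificateEncodingException e) {
            throw new OAuthClientAuthnException("invalid_grant", "Error occurred while generating certificate thumbprint. Error: " + e.getMessage(), e);
        }
    }

    /**
     * Authenticates the client against the JWK Set published at {@code jwksUrl}.
     *
     * @param jwksUrl            JWKS endpoint configured for the service provider
     * @param requestCertificate certificate the client presented in the request
     * @return {@code true} when one of the published keys matches the presented certificate
     * @throws OAuthClientAuthnException when the endpoint cannot be read or a published certificate cannot be parsed
     */
    private boolean authenticate(URL jwksUrl, X509Certificate requestCertificate) throws OAuthClientAuthnException {

        try {
            JsonArray keys = getResourceContent(jwksUrl);
            if (keys == null) {
                // Nothing retrieved, or no "keys" array in the document: fail closed instead of dereferencing null.
                if (log.isDebugEnabled()) {
                    log.debug("No keys available from JWKS URL : " + jwksUrl);
                }
                return false;
            }
            return isAuthenticated(keys, requestCertificate);
        } catch (IOException e) {
            throw new OAuthClientAuthnException("server_error", "Error occurred while opening HTTP connection for the JWKS URL : " + jwksUrl, e);
        } catch (CertificateException e) {
            throw new OAuthClientAuthnException("server_error", "Error occurred while parsing certificate retrieved from JWKS endpoint ", e);
        }
    }

    /**
     * Matches the presented certificate against each JWK in {@code keys}: first by the {@code x5t} thumbprint
     * member, then by the thumbprint of the first {@code x5c} certificate.
     *
     * <p>Only the leaf certificate of an {@code x5c} chain is used and the chain itself is not validated here;
     * the binding relies on the JWKS endpoint being the one configured for the service provider.
     *
     * @param keys               the {@code keys} array of the JWK Set
     * @param requestCertificate certificate the client presented in the request
     * @return {@code true} when a key matches, {@code false} when none does
     * @throws CertificateException      when a thumbprint cannot be computed or an {@code x5c} entry is not a
     *                                   parsable X.509 certificate
     * @throws OAuthClientAuthnException propagated from {@link #authenticate(X509Certificate, X509Certificate)}
     */
    private boolean isAuthenticated(JsonArray keys, X509Certificate requestCertificate)
            throws CertificateException, OAuthClientAuthnException {

        // Loop invariants, computed once rather than per key.
        String requestThumbprint = MutualTLSUtil.getThumbPrint(requestCertificate, null);
        CertificateFactory certificateFactory = CertificateFactory.getInstance(X509);

        for (JsonElement key : keys) {
            if (!key.isJsonObject()) {
                continue; // a JWK must be an object; skip anything else instead of throwing
            }
            JsonElement x5t = key.getAsJsonObject().get(X5T);
            if (x5t != null && x5t.isJsonPrimitive() && requestThumbprint != null
                    && requestThumbprint.equals(x5t.getAsString())) {
                if (log.isDebugEnabled()) {
                    log.debug("Client authentication successful using the attribute: x5t");
                }
                return true;
            }
            String leafCertificate = firstX5cEntry(key.getAsJsonObject().get(X5C));
            if (leafCertificate == null) {
                continue;
            }
            X509Certificate registeredCertificate = (X509Certificate) certificateFactory.generateCertificate(
                    new ByteArrayInputStream(DatatypeConverter.parseBase64Binary(leafCertificate)));
            if (authenticate(registeredCertificate, requestCertificate)) {
                if (log.isDebugEnabled()) {
                    log.debug("Client authentication successful using the attribute: x5c");
                }
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the first certificate of an {@code x5c} member as its base64 DER string, or {@code null}.
     *
     * <p>RFC 7517 defines {@code x5c} as an array whose first element is the key's own certificate; a bare string
     * is accepted as well. Reading the member through {@code JsonArray.getAsString()} only works for a
     * single-element chain and throws for longer ones, so the array is inspected explicitly.
     *
     * @param x5c the {@code x5c} member, possibly {@code null}
     * @return the leaf certificate string, or {@code null} when the member is absent, empty or not a string
     */
    private static String firstX5cEntry(JsonElement x5c) {

        if (x5c == null) {
            return null;
        }
        if (x5c.isJsonArray()) {
            JsonArray chain = x5c.getAsJsonArray();
            if (chain.size() == 0 || !chain.get(0).isJsonPrimitive()) {
                return null;
            }
            return chain.get(0).getAsString();
        }
        return x5c.isJsonPrimitive() ? x5c.getAsString() : null;
    }

    /**
     * Retrieves the JWK Set published at {@code url} and returns its {@code keys} array.
     *
     * <p>The document is looked up in {@link MutualTLSJWKSCache} first and fetched with a
     * {@link DefaultResourceRetriever} on a miss; a fetched document is added to the cache. Consequently a key
     * removed from the endpoint stays accepted until the cache entry expires (the expiry is configured outside
     * this class).
     *
     * @param url JWKS endpoint; {@code null} yields {@code null}
     * @return the {@code keys} array, or {@code null} when no content was retrieved or the document carries no
     *         {@code keys} array
     * @throws IOException when the endpoint cannot be read, or its content is not a JSON object
     */
    public JsonArray getResourceContent(URL url) throws IOException {

        if (url == null) {
            return null;
        }
        MutualTLSJWKSCacheKey cacheKey = new MutualTLSJWKSCacheKey(url.toString());
        Resource resource = getCachedJwks(cacheKey, url);
        if (resource == null) {
            resource = fetchJwks(cacheKey, url);
        }
        if (resource == null || resource.getContent() == null) {
            return null;
        }
        // Parsed straight from the String; the earlier UTF-8 encode / default-charset decode round trip is gone.
        // Malformed JSON surfaces as gson's unchecked JsonParseException, as it did before.
        JsonElement document = new JsonParser().parse(resource.getContent());
        if (document == null || !document.isJsonObject()) {
            throw new IOException("Content retrieved from JWKS URL " + url + " is not a JSON object");
        }
        JsonElement keys = document.getAsJsonObject().get(KEYS);
        if (keys == null || !keys.isJsonArray()) {
            if (log.isDebugEnabled()) {
                log.debug("No '" + KEYS + "' array found in JWKS retrieved from " + url);
            }
            return null;
        }
        return keys.getAsJsonArray();
    }

    /**
     * Returns the cached JWKS document for {@code cacheKey}, or {@code null} on a miss.
     *
     * @param cacheKey cache key derived from the JWKS URL
     * @param url      the JWKS URL, for logging only
     * @return the cached resource, or {@code null}
     */
    private static Resource getCachedJwks(MutualTLSJWKSCacheKey cacheKey, URL url) {

        MutualTLSJWKSCacheEntry entry =
                (MutualTLSJWKSCacheEntry) MutualTLSJWKSCache.getInstance().getValueFromCache(cacheKey);
        if (entry == null) {
            return null;
        }
        if (log.isDebugEnabled()) {
            log.debug("Retrieving JWKS for " + url.toString() + " from cache.");
        }
        Resource cached = entry.getValue();
        if (cached != null && log.isDebugEnabled()) {
            log.debug("Cache hit for " + url.toString());
        }
        return cached;
    }

    /**
     * Fetches the JWKS document from {@code url} and caches it under {@code cacheKey}.
     *
     * <p>Connection and read timeouts come from configuration. No response size limit is applied by this
     * constructor; if the nimbus version in use offers a size-limit argument, bounding the body is advisable since
     * the URL is taken from service-provider configuration.
     *
     * @param cacheKey cache key derived from the JWKS URL
     * @param url      JWKS endpoint to read
     * @return the retrieved resource (cached when non-null)
     * @throws IOException when the endpoint cannot be read
     */
    private static Resource fetchJwks(MutualTLSJWKSCacheKey cacheKey, URL url) throws IOException {

        DefaultResourceRetriever retriever = new DefaultResourceRetriever(
                MutualTLSUtil.readHTTPConnectionConfigValue(HTTP_CONNECTION_TIMEOUT_XPATH),
                MutualTLSUtil.readHTTPConnectionConfigValue(HTTP_READ_TIMEOUT_XPATH));
        if (log.isDebugEnabled()) {
            log.debug("Fetching JWKS from remote endpoint. JWKS URI: " + url);
        }
        Resource resource = retriever.retrieveResource(url);
        if (resource != null) {
            MutualTLSJWKSCache.getInstance().addToCache(cacheKey, new MutualTLSJWKSCacheEntry(resource));
        }
        return resource;
    }

    /**
     * Returns the JWKS endpoint configured on the service provider via the {@code jwksURI} property.
     *
     * <p>The URL scheme is not restricted here; a JWKS URI served over plain HTTP would let the published keys be
     * altered in transit, so restricting the property to {@code https} at configuration time is worth considering.
     *
     * @param serviceProvider service provider of the client
     * @param clientId        client id, for error messages
     * @return the configured JWKS URL
     * @throws OAuthClientAuthnException when the property is missing or not a well-formed URL
     */
    public URL getJWKSEndpointOfSP(ServiceProvider serviceProvider, String clientId) throws OAuthClientAuthnException {

        String jwksUri = MutualTLSUtil.getPropertyValue(serviceProvider, JWKS_URI);
        // NOTE(review): the two exceptions below pass the message first and "server_error" second, whereas every
        // other OAuthClientAuthnException in this class passes the error code first. One of the two orders yields a
        // swapped code/description in the error response — confirm the constructor's parameter order and align.
        if (StringUtils.isEmpty(jwksUri)) {
            throw new OAuthClientAuthnException("jwks endpoint not configured for the service provider for client ID: " + clientId, "server_error");
        }
        try {
            URL url = new URL(jwksUri);
            if (log.isDebugEnabled()) {
                log.debug("Configured JWKS URI found: " + jwksUri);
            }
            return url;
        } catch (MalformedURLException e) {
            throw new OAuthClientAuthnException("URL might be malformed " + clientId, "server_error", e);
        }
    }

    /** Returns the authenticator's name, the simple class name. */
    public String getName() {

        return getClass().getSimpleName();
    }
}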
