package org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls.handlers;

import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jose.util.X509CertUtils;
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedList;
import java.util.List;
import java.util.Optional;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.model.HttpRequestHeader;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls.utils.CommonConstants;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handler/clientauth/mutualtls/handlers/AbstractMTLSTokenBindingGrantHandler.class */
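public class AbstractMTLSTokenBindingGrantHandler {

    // Logger was previously created for MTLSTokenBindingAuthorizationCodeGrantHandler (copy-paste);
    // use this class so log lines attribute to the code that emits them.
    private static final Log log = LogFactory.getLog(AbstractMTLSTokenBindingGrantHandler.class);

    /** Scope prefix under which the SHA-256 thumbprint of the client certificate is carried. */
    private static final String CERT_THUMBPRINT_SCOPE_PREFIX = "x5t#SHA256:";

    /**
     * Binds the client's mutual-TLS certificate to the token being issued by appending an
     * {@code x5t#SHA256:<thumbprint>} entry to the scope list of the request context.
     * <p>
     * The binding is applied only when (a) the header named by
     * {@link CommonConstants#MTLS_AUTH_HEADER} is present on the request and carries a value, and
     * (b) the client authentication context reports {@link CommonConstants#AUTHENTICATOR_TYPE_MTLS}
     * as the authenticator type. This method does not validate the certificate itself (no chain or
     * trust check is performed here); it relies on the MTLS client authenticator having done so
     * before this point -- NOTE(review): confirm against that authenticator.
     * <p>
     * Any {@code x5t#SHA256:} scope entries already present in the request are left untouched;
     * rejecting client-supplied binding scopes is expected to happen in scope validation
     * elsewhere -- NOTE(review): verify, otherwise a client could carry a foreign thumbprint.
     *
     * @param oAuthTokenReqMessageContext token request context; its scope array may be replaced
     * @param z result of the concrete grant handler's own scope validation, passed through
     * @return {@code z}, or {@code false} when a certificate was presented but could not be parsed
     * @throws IdentityOAuth2Exception declared for overriding handlers; not thrown by this body
     */
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, boolean z)
            throws IdentityOAuth2Exception {

        String certHeaderName = IdentityUtil.getProperty(CommonConstants.MTLS_AUTH_HEADER);
        if (StringUtils.isBlank(certHeaderName)) {
            // No header configured: nothing to bind. Also avoids the NPE the unguarded
            // property.equals(...) threw when the property was missing.
            return z;
        }

        HttpRequestHeader[] headers =
                oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getHttpRequestHeaders();
        if (headers == null) {
            return z;
        }

        // HTTP header names are case-insensitive; containers and reverse proxies may normalise
        // the case, so a case-sensitive match would silently skip the binding.
        Optional<HttpRequestHeader> certHeader = Arrays.stream(headers)
                .filter(h -> h != null && certHeaderName.equalsIgnoreCase(h.getName()))
                .findFirst();

        String authenticatorType = (String) oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO()
                .getoAuthClientAuthnContext().getParameter(CommonConstants.AUTHENTICATOR_TYPE_PARAM);

        if (!certHeader.isPresent() || !CommonConstants.AUTHENTICATOR_TYPE_MTLS.equals(authenticatorType)) {
            return z;
        }

        String[] values = certHeader.get().getValue();
        if (values == null || values.length == 0 || StringUtils.isBlank(values[0])) {
            // Header present but empty: nothing to bind (the previous code indexed [0] unconditionally).
            return z;
        }

        if (log.isDebugEnabled()) {
            // Log only the header name; the value is the full certificate and adds noise to the log.
            log.debug("Client MTLS certificate found in header: " + certHeader.get().getName());
        }

        Base64URL thumbprint;
        try {
            thumbprint = X509CertUtils.computeSHA256Thumbprint(parseCertificate(values[0]));
        } catch (CertificateException | IllegalArgumentException e) {
            // CertificateException: bytes are not a valid X.509 certificate.
            // IllegalArgumentException: header value is not valid Base64 (thrown by the decoder and
            // previously uncaught, which surfaced as a server error instead of a failed validation).
            // Either way the presented certificate cannot be bound, so fail the scope validation.
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while calculating the thumbprint of the MTLS certificate of the client: "
                        + oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId(), e);
            }
            return false;
        }

        if (thumbprint == null) {
            return z;
        }
        if (log.isDebugEnabled()) {
            log.debug("Client MTLS certificate thumbprint: " + thumbprint);
        }

        String bindingScope = CERT_THUMBPRINT_SCOPE_PREFIX + thumbprint.toString();
        String[] requestedScopes = oAuthTokenReqMessageContext.getScope();
        List<String> scopes = requestedScopes == null
                ? new ArrayList<>()
                : new ArrayList<>(Arrays.asList(requestedScopes));
        // Avoid appending the same binding twice if this handler runs more than once per request.
        if (!scopes.contains(bindingScope)) {
            scopes.add(bindingScope);
        }
        oAuthTokenReqMessageContext.setScope(scopes.toArray(new String[0]));
        return z;
    }

    /**
     * Decodes a PEM/Base64-encoded certificate taken from the request header into an
     * {@link X509Certificate}. The {@code BEGIN}/{@code END} markers and surrounding whitespace are
     * stripped and the remainder is Base64-decoded with the strict (non-MIME) decoder, so embedded
     * line breaks or other stray characters are rejected rather than silently skipped.
     *
     * @param str header value holding the certificate; must not be {@code null}
     * @return the parsed certificate
     * @throws CertificateException if the decoded bytes are not a valid X.509 certificate
     * @throws IllegalArgumentException if the stripped value is not valid Base64
     */
    private static X509Certificate parseCertificate(String str) throws CertificateException {
        String body = StringUtils.trim(str)
                .replaceAll(CommonConstants.BEGIN_CERT, "")
                .replaceAll(CommonConstants.END_CERT, "");
        byte[] der = Base64.getDecoder().decode(StringUtils.trim(body));
        CertificateFactory factory = CertificateFactory.getInstance(CommonConstants.X509);
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
    }
}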
