package org.wso2.carbon.identity.oauth2.token.bindings.impl;

import com.nimbusds.jose.util.X509CertUtils;
import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.OAuth2Constants;
import org.wso2.carbon.identity.oauth2.OAuthSystemClientException;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinding;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.model.Constants;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/bindings/impl/CertificateBasedTokenBinder.class */
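/**
 * Token binder that ties an access token to the SHA-256 thumbprint of the client's TLS certificate
 * (the OAuth 2.0 "cnf" confirmation value).
 *
 * <p>The certificate is taken from one of two places, in this order:
 * <ol>
 *   <li>the request header named by the {@code MutualTLS.ClientCertificateHeader} server property, when
 *       configured and present (used when TLS is terminated by a proxy that forwards the certificate);</li>
 *   <li>otherwise the {@code javax.servlet.request.X509Certificate} request attribute set by the container
 *       for a direct mutual-TLS connection.</li>
 * </ol>
 * Because the header takes precedence, deployments that configure it must ensure the TLS terminator
 * overwrites or strips any client-supplied value of that header; this class has no way to tell them apart.
 * When no header name is configured, the header path is skipped entirely rather than falling back to a
 * fixed header name that any client could set.
 *
 * <p>Binding values and references are compared in constant time, and a {@code null} on either side of a
 * comparison never validates.
 */
public class CertificateBasedTokenBinder extends AbstractTokenBinder {

    private static final Log log = LogFactory.getLog(CertificateBasedTokenBinder.class);

    /** Server configuration property naming the header a TLS-terminating proxy forwards the client certificate in. */
    private static final String CLIENT_CERT_HEADER_PROPERTY = "MutualTLS.ClientCertificateHeader";
    /** Servlet request attribute under which the container exposes the certificate chain of a mutual-TLS connection. */
    private static final String X509_REQUEST_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    private static final String PEM_BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String PEM_END = "-----END CERTIFICATE-----";

    /**
     * @return the binder type identifier used to store and look up bindings of this kind
     */
    public String getBindingType() {
        return OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER;
    }

    /**
     * @return every grant type configured on the server; a fresh mutable copy, so callers cannot alter the configuration
     */
    public List<String> getSupportedGrantTypes() {
        return new ArrayList<>(OAuthServerConfiguration.getInstance().getSupportedGrantTypes().keySet());
    }

    /**
     * @return the human-readable name shown in the administration UI
     */
    public String getDisplayName() {
        return "Certificate Based";
    }

    /**
     * @return a one-line description shown in the administration UI
     */
    public String getDescription() {
        return "Bind the TLS certificate to the token.";
    }

    /**
     * This binder never generates a binding value of its own; the value must come from the presented certificate.
     *
     * @param httpServletRequest the current request (unused)
     * @return always {@code null}
     * @throws OAuthSystemException never thrown by this implementation
     */
    @Override
    public String getOrGenerateTokenBindingValue(HttpServletRequest httpServletRequest) throws OAuthSystemException {
        return null;
    }

    /**
     * Returns the cnf hash of the certificate presented with the request.
     *
     * @param httpServletRequest the current request
     * @return the SHA-256 thumbprint of the client certificate
     * @throws OAuthSystemClientException when no certificate could be obtained from the request
     */
    @Override
    public String getTokenBindingValue(HttpServletRequest httpServletRequest) throws OAuthSystemException {
        String cnfHash = generateCnfHashValue(httpServletRequest);
        if (StringUtils.isBlank(cnfHash)) {
            throw new OAuthSystemClientException("Error occurred while generating cnf hash value.");
        }
        return cnfHash;
    }

    /**
     * Returns the cnf hash of the certificate presented with the token request, if any.
     *
     * @param oAuth2AccessTokenReqDTO the token request carrying the wrapped servlet request
     * @return the thumbprint, or empty when no certificate could be obtained
     */
    @Override
    public Optional<String> getTokenBindingValue(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) {
        return Optional.ofNullable(generateCnfHashValue(oAuth2AccessTokenReqDTO.getHttpServletRequestWrapper()));
    }

    /**
     * No-op: the binding value lives in the client's certificate, nothing is written to the response.
     *
     * @param httpServletResponse the current response (unused)
     * @param str the binding value (unused)
     */
    @Override
    public void setTokenBindingValueForResponse(HttpServletResponse httpServletResponse, String str) {
    }

    /**
     * No-op: there is no client-side binding element (such as a cookie) to clear.
     *
     * @param httpServletRequest the current request (unused)
     * @param httpServletResponse the current response (unused)
     */
    @Override
    public void clearTokenBindingElements(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
    }

    /**
     * Checks that the certificate presented with the request matches the stored binding reference.
     *
     * @param obj the current {@link HttpServletRequest}
     * @param str the binding reference stored with the token
     * @return {@code true} only when a certificate was presented and its reference equals {@code str};
     *         {@code false} when {@code obj} is not a request, no certificate was found, or either side is {@code null}
     */
    @Override
    public boolean isValidTokenBinding(Object obj, String str) {
        if (!(obj instanceof HttpServletRequest)) {
            return false;
        }
        String cnfHash = generateCnfHashValue((HttpServletRequest) obj);
        if (StringUtils.isBlank(cnfHash)) {
            return false;
        }
        return constantTimeEquals(str, OAuth2Util.getTokenBindingReference(cnfHash));
    }

    /**
     * Checks, for a refresh-token grant, that the certificate presented now matches the binding persisted with
     * the refresh token, and that the stored reference equals {@code str}.
     *
     * @param oAuth2AccessTokenReqDTO the token request carrying the refresh token and the wrapped servlet request
     * @param str the binding reference stored with the token being refreshed
     * @return {@code true} only when a certificate-based binding exists for the refresh token, the presented
     *         certificate's thumbprint equals the stored binding value, and the stored reference equals {@code str}
     */
    @Override
    public boolean isValidTokenBinding(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, String str) {
        try {
            Optional<TokenBinding> storedBinding = OAuthTokenPersistenceFactory.getInstance().getTokenBindingMgtDAO()
                    .getBindingFromRefreshToken(oAuth2AccessTokenReqDTO.getRefreshToken(), OAuth2Util.isHashEnabled());
            if (!storedBinding.isPresent()
                    || !OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER
                            .equals(storedBinding.get().getBindingType())) {
                return false;
            }
            String cnfHash = generateCnfHashValue(oAuth2AccessTokenReqDTO.getHttpServletRequestWrapper());
            if (StringUtils.isBlank(cnfHash)) {
                return false;
            }
            TokenBinding binding = storedBinding.get();
            return constantTimeEquals(cnfHash, binding.getBindingValue())
                    && constantTimeEquals(str, binding.getBindingReference());
        } catch (IdentityOAuth2Exception e) {
            // Treat a lookup failure as "not bound" rather than propagating, but leave a trace for diagnosis.
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while retrieving the token binding of the refresh token.", e);
            }
            return false;
        }
    }

    /**
     * Computes the SHA-256 thumbprint of the client certificate attached to the request.
     *
     * @param httpServletRequest the current request
     * @return the thumbprint, or {@code null} when no certificate is present or the forwarded header cannot be parsed
     */
    private String generateCnfHashValue(HttpServletRequest httpServletRequest) {
        X509Certificate certificate;
        String forwardedCertificate = readForwardedCertificateHeader(httpServletRequest);
        if (StringUtils.isNotBlank(forwardedCertificate)) {
            try {
                certificate = parseCertificate(forwardedCertificate);
            } catch (UnsupportedEncodingException | CertificateException e) {
                // A present-but-unparseable header is not retried against the connection attribute.
                if (log.isDebugEnabled()) {
                    log.debug("Error occurred while extracting the certificate from the request header.", e);
                }
                return null;
            }
        } else {
            certificate = certificateFromConnection(httpServletRequest);
        }
        if (certificate == null) {
            if (log.isDebugEnabled()) {
                log.debug("TLS certificate not found in the request.");
            }
            return null;
        }
        return X509CertUtils.computeSHA256Thumbprint(certificate).toString();
    }

    /**
     * Reads the proxy-forwarded certificate header, if a header name is configured.
     *
     * @param request the current request
     * @return the raw header value, or {@code null} when no header name is configured or the header is absent
     */
    private static String readForwardedCertificateHeader(HttpServletRequest request) {
        String headerName = IdentityUtil.getProperty(CLIENT_CERT_HEADER_PROPERTY);
        if (StringUtils.isBlank(headerName)) {
            // Nothing configured: do not consult any header at all, since a fallback name would be client-settable.
            return null;
        }
        return request.getHeader(headerName);
    }

    /**
     * Extracts the client certificate from the container's mutual-TLS request attribute.
     *
     * @param request the current request
     * @return the client's own certificate (a single certificate, or the first element of the chain), or
     *         {@code null} when the attribute is absent, empty, or of an unexpected type
     */
    private static X509Certificate certificateFromConnection(HttpServletRequest request) {
        Object attribute = request.getAttribute(X509_REQUEST_ATTRIBUTE);
        if (attribute instanceof X509Certificate) {
            return (X509Certificate) attribute;
        }
        if (attribute instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attribute;
            // Element 0 of the servlet-provided chain is the client's certificate; the rest are issuers.
            return chain.length > 0 ? chain[0] : null;
        }
        return null;
    }

    /**
     * Parses a PEM or bare-Base64 certificate as forwarded in a header, tolerating URL encoding.
     *
     * @param str the header value
     * @return the parsed certificate
     * @throws CertificateException when the value is not valid Base64 (even after URL-decoding) or not a valid
     *         X.509 certificate
     * @throws UnsupportedEncodingException never in practice (UTF-8 is always available); kept for signature compatibility
     */
    private X509Certificate parseCertificate(String str) throws CertificateException, UnsupportedEncodingException {
        byte[] der;
        try {
            der = Base64.getDecoder().decode(sanitizeCertificate(str));
        } catch (IllegalArgumentException firstAttempt) {
            // Some proxies URL-encode the forwarded value; retry once after URL-decoding.
            if (log.isDebugEnabled()) {
                log.debug("Error while base64 decoding the certificate. Trying URL decoding first.");
            }
            try {
                der = Base64.getDecoder().decode(
                        sanitizeCertificate(URLDecoder.decode(str, StandardCharsets.UTF_8.name())));
            } catch (IllegalArgumentException e) {
                // Surface malformed client input as the checked type callers already handle instead of an unchecked
                // exception escaping to the servlet layer.
                throw new CertificateException("Certificate header is not valid Base64.", e);
            }
        }
        CertificateFactory factory = CertificateFactory.getInstance(Constants.X509);
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Strips PEM armour, all whitespace and literal {@code \n} escape sequences so that only Base64 remains.
     *
     * @param str the raw certificate text (must be non-null)
     * @return the bare Base64 body
     */
    private String sanitizeCertificate(String str) {
        return StringUtils.trim(str)
                .replace(PEM_BEGIN, "")
                .replace(PEM_END, "")
                .replaceAll("\\s", "")
                .replace("\\n", "");
    }

    /**
     * Compares two binding strings without leaking where they first differ.
     *
     * @param expected one side of the comparison
     * @param actual the other side
     * @return {@code true} only when both are non-null and byte-for-byte equal as UTF-8
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }
}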
