package org.eclipse.jetty.security.authentication;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.security.B64Code;
import org.eclipse.jetty.security.Authentication;
import org.eclipse.jetty.security.DefaultAuthentication;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.server.UserIdentity;

/* loaded from: input_file:org/eclipse/jetty/security/authentication/ClientCertAuthenticator.class */
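/**
 * Authenticator that logs a user in from the X.509 client certificate the container
 * attached to the request.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This class performs no chain, validity-period or revocation check of its own. It
 *       only reads the {@code javax.servlet.request.X509Certificate} request attribute, so
 *       it presumably relies on the TLS connector (trust store, client-auth setting) to have
 *       validated the certificate already. Confirm this against the connector configuration.</li>
 *   <li>The "credential" handed to the login service is the Base64 form of the certificate's
 *       signature bytes. That value is part of the public certificate, not a secret; the
 *       login service decides what a match means.</li>
 * </ul>
 */
public class ClientCertAuthenticator extends LoginAuthenticator {
    /**
     * Returns the authentication method name reported by this authenticator.
     *
     * <p>Note that this value uses an underscore ({@code CLIENT_CERT}) while the
     * authentication object built in {@link #validateRequest} is labelled
     * {@code CLIENT-CERT}; both spellings are kept exactly as they were.
     *
     * @return the literal {@code "CLIENT_CERT"}
     */
    @Override // org.eclipse.jetty.security.Authenticator
    public String getAuthMethod() {
        return "CLIENT_CERT";
    }

    /**
     * Authenticates the request from its first client certificate.
     *
     * <p>A request without a usable certificate is answered with 403 regardless of
     * {@code z}; the flag is consulted only after the login service rejects the
     * certificate.
     *
     * @param servletRequest the request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param z whether authentication is mandatory: when {@code false} a rejected login
     *     yields {@code SUCCESS_UNAUTH_RESULTS} instead of a 403
     * @return a successful authentication for the logged-in identity,
     *     {@code SUCCESS_UNAUTH_RESULTS} for an optional, rejected login, or
     *     {@code SEND_FAILURE_RESULTS} after a 403 was sent
     * @throws ServerAuthException if sending the error response fails
     */
    @Override // org.eclipse.jetty.security.Authenticator
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean z) throws ServerAuthException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        X509Certificate[] certs = (X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");

        // Every sendError call sits inside this try: sendError throws IOException, which this
        // method does not declare, so the missing-certificate path must be covered as well.
        try {
            if (certs == null || certs.length == 0 || certs[0] == null) {
                httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "A client certificate is required for accessing this web application but the server's listener is not configured for mutual authentication (or the client did not provide a certificate).");
                return DefaultAuthentication.SEND_FAILURE_RESULTS;
            }

            // Only the first array element is inspected; by servlet convention that is the
            // client's own certificate, with any issuer chain following it.
            X509Certificate clientCert = certs[0];

            Principal principal = clientCert.getSubjectDN();
            if (principal == null) {
                // NOTE(review): falling back to the issuer DN (and then to the fixed name
                // "clientcert") means a certificate without a subject would be looked up under
                // a name shared by every certificate from that issuer. Kept for compatibility
                // with existing login services; make sure no account is registered under an
                // issuer name or under "clientcert".
                principal = clientCert.getIssuerDN();
            }
            String username = principal == null ? "clientcert" : principal.getName();

            UserIdentity login = this._loginService.login(username, B64Code.encode(clientCert.getSignature()));
            if (login != null) {
                return new DefaultAuthentication(Authentication.Status.SUCCESS, "CLIENT-CERT", login);
            }
            if (!z) {
                // Authentication is optional here: let the request continue unauthenticated.
                return DefaultAuthentication.SUCCESS_UNAUTH_RESULTS;
            }
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "The provided client certificate does not correspond to a trusted user.");
            return DefaultAuthentication.SEND_FAILURE_RESULTS;
        } catch (IOException e) {
            // Keep the original exception as the cause so the I/O failure stays diagnosable.
            throw new ServerAuthException(e.getMessage(), e);
        }
    }

    /**
     * Post-processing hook for the response; this authenticator has nothing to secure.
     *
     * @return always {@code Authentication.Status.SUCCESS}
     */
    @Override // org.eclipse.jetty.security.Authenticator
    public Authentication.Status secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean z, Authentication authentication) throws ServerAuthException {
        return Authentication.Status.SUCCESS;
    }
}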
