package org.apache.shiro.web.filter.authc;

import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.x509.X509AuthenticationToken;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.codec.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/shiro/web/filter/authc/ForwardedX509AuthenticationFilter.class */
public class ForwardedX509AuthenticationFilter extends AuthenticatingFilter {
    private static final Logger LOGGER = LoggerFactory.getLogger(ForwardedX509AuthenticationFilter.class);
    private static final String SSL_CLIENT_VERIFY = "X-SSL-Client-Verify";
    private static final String SSL_CLIENT_CERT = "X-SSL-Client-Cert";
    private static final String SSL_CLIENT_S_DN = "X-SSL-Client-S-DN";
    private static final String SSL_CLIENT_I_DN = "X-SSL-Client-I-DN";
    private static final String SSL_CLIENT_M_SERIAL = "X-SSL-Client-M-Serial";
    private boolean useCertificate = false;
    private boolean useSubjectDN = false;
    private boolean useIssuerDN = false;
    private boolean useSerialNumber = false;
    private static final String PEM_BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
    private static final String PEM_END_CERT = "-----END CERTIFICATE-----";
    private static final String TEMP_BEGIN_CERT = "-----BEGIN_CERTIFICATE-----";
    private static final String TEMP_END_CERT = "-----END_CERTIFICATE-----";
    private static final String PEM_BEGIN = "-----BEGIN";
    private static final String PEM_END = "-----END";

    protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        return executeLogin(servletRequest, servletResponse);
    }

    protected AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (!this.useCertificate && !this.useSubjectDN && !this.useIssuerDN && !this.useSerialNumber) {
            throw new AuthenticationException("ForwardedX509AuthenticationFilter is set up to use no forwarded header, you certainly missed a configuration step");
        }
        if (this.useCertificate) {
            X509Certificate[] x509CertificateArr = null;
            String header = httpServletRequest.getHeader(SSL_CLIENT_CERT);
            if (notEmpty(header)) {
                x509CertificateArr = readX509CertificateChainFromPEM(rebuildPEMBundleFromHttpHeader(header));
            }
            if (x509CertificateArr == null) {
                throw new AuthenticationException("Set up to use X-SSL-Client-Cert header but it was either empty or unparseable");
            }
            return new X509AuthenticationToken(x509CertificateArr, getHost(servletRequest));
        }
        X500Principal x500Principal = null;
        X500Principal x500Principal2 = null;
        String str = null;
        if (this.useSubjectDN) {
            String header2 = httpServletRequest.getHeader(SSL_CLIENT_S_DN);
            if (notEmpty(header2)) {
                x500Principal = readX500PrincipalFromString(header2);
            }
        }
        if (this.useIssuerDN) {
            String header3 = httpServletRequest.getHeader(SSL_CLIENT_I_DN);
            if (notEmpty(header3)) {
                x500Principal2 = readX500PrincipalFromString(header3);
            }
        }
        if (this.useSerialNumber) {
            String header4 = httpServletRequest.getHeader(SSL_CLIENT_M_SERIAL);
            if (notEmpty(header4)) {
                str = readHexSerialNumberFromString(header4);
            }
        }
        if (x500Principal == null && x500Principal2 == null && isEmpty(str)) {
            throw new AuthenticationException("All set up forwarded headers were empty");
        }
        return new X509AuthenticationToken(x500Principal, x500Principal2, str, getHost(servletRequest));
    }

    private static boolean isEmpty(String str) {
        return !notEmpty(str);
    }

    private static boolean notEmpty(String str) {
        return str != null && str.length() > 1;
    }

    private String rebuildPEMBundleFromHttpHeader(String str) {
        return str.replaceAll(PEM_BEGIN_CERT, TEMP_BEGIN_CERT).replaceAll(PEM_END_CERT, TEMP_END_CERT).replaceAll("\\s", "\n").replaceAll(TEMP_BEGIN_CERT, PEM_BEGIN_CERT).replaceAll(TEMP_END_CERT, PEM_END_CERT);
    }

    private X509Certificate[] readX509CertificateChainFromPEM(String str) {
        try {
            List<X509Certificate> loadPEMBundle = loadPEMBundle(new StringReader(str));
            if (loadPEMBundle.isEmpty()) {
                return null;
            }
            return (X509Certificate[]) loadPEMBundle.toArray(new X509Certificate[loadPEMBundle.size()]);
        } catch (IOException e) {
            LOGGER.warn("Unparseable PEM X509Certificate, will use null and continue. Here is the PEM:\n{}", str, e);
            return null;
        } catch (CertificateException e2) {
            LOGGER.warn("Unparseable PEM X509Certificate, will use null and continue. Here is the PEM:\n{}", str, e2);
            return null;
        }
    }

    private static List<X509Certificate> loadPEMBundle(Reader reader) throws IOException, CertificateException {
        BufferedReader bufferedReader = null;
        try {
            BufferedReader bufferedReader2 = new BufferedReader(reader);
            String readLine = bufferedReader2.readLine();
            if (!readLine.startsWith(PEM_BEGIN)) {
                throw new CertificateException("Malformed PEM X.509 Certificate Bundle");
            }
            ArrayList arrayList = new ArrayList();
            boolean z = false;
            boolean z2 = true;
            StringBuilder sb = new StringBuilder();
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            while (readLine != null) {
                if (readLine.length() > 0) {
                    if (readLine.startsWith(PEM_BEGIN)) {
                        if (z || !z2) {
                            throw new CertificateException("Malformed PEM X.509 Certificate Bundle");
                        }
                        z = true;
                        z2 = false;
                        sb = new StringBuilder();
                    } else if (readLine.startsWith(PEM_END)) {
                        if (!z && z2) {
                            throw new CertificateException("Malformed PEM X.509 Certificate Bundle");
                        }
                        z = false;
                        z2 = true;
                        arrayList.add((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(Base64.decode(sb.toString()))));
                    } else if (z && !z2) {
                        sb.append(readLine);
                    }
                }
                readLine = bufferedReader2.readLine();
            }
            if (z || !z2) {
                throw new CertificateException("Malformed PEM X.509 Certificate Bundle");
            }
            if (bufferedReader2 != null) {
                try {
                    bufferedReader2.close();
                } catch (IOException e) {
                }
            }
            return arrayList;
        } catch (Throwable th) {
            if (0 != 0) {
                try {
                    bufferedReader.close();
                } catch (IOException e2) {
                }
            }
            throw th;
        }
    }

    private X500Principal readX500PrincipalFromString(String str) {
        try {
            return new X500Principal(str);
        } catch (IllegalArgumentException e) {
            LOGGER.warn("Unparseable DN in header string, will use null and continue. Here is the header string: {}", str, e);
            return null;
        }
    }

    private String readHexSerialNumberFromString(String str) {
        return Hex.encodeToString(Hex.decode(str));
    }

    public void setUseCertificate(boolean z) {
        this.useCertificate = z;
    }

    public void setUseIssuerDN(boolean z) {
        this.useIssuerDN = z;
    }

    public void setUseSerialNumber(boolean z) {
        this.useSerialNumber = z;
    }

    public void setUseSubjectDN(boolean z) {
        this.useSubjectDN = z;
    }
}
