package org.cesecore.keybind.impl;

import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.cesecore.config.AvailableExtendedKeyUsagesConfiguration;
import org.cesecore.config.CesecoreConfiguration;
import org.cesecore.keybind.CertificateImportException;
import org.cesecore.keybind.InternalKeyBindingBase;
import org.cesecore.keybind.InternalKeyBindingProperty;
import org.cesecore.util.CertTools;

/* loaded from: input_file:org/cesecore/keybind/impl/AuthenticationKeyBinding.class */
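public class AuthenticationKeyBinding extends InternalKeyBindingBase {
    private static final long serialVersionUID = 1;
    private static final Logger log = Logger.getLogger(AuthenticationKeyBinding.class);
    /** Alias under which this key binding implementation is registered. */
    public static final String IMPLEMENTATION_ALIAS = "AuthenticationKeyBinding";
    /** Name of the property holding the selected protocol and cipher suite as a single {@code protocol;suite} string. */
    public static final String PROPERTY_PROTOCOL_AND_CIPHER_SUITE = "protocolAndCipherSuite";

    /** Separator between the protocol and the cipher suite within the property value. */
    private static final String PROTOCOL_SUITE_SEPARATOR = ";";
    /** Position of the protocol in the split property value. */
    private static final int PROTOCOL_INDEX = 0;
    /** Position of the cipher suite in the split property value. */
    private static final int CIPHER_SUITE_INDEX = 1;
    /** Bit positions in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KU_DIGITAL_SIGNATURE = 0;
    private static final int KU_KEY_ENCIPHERMENT = 2;

    /**
     * Creates a binding whose protocol/cipher-suite property defaults to the first entry of
     * {@link CesecoreConfiguration#getAvailableCipherSuites()} and offers all entries as choices.
     *
     * @throws IllegalStateException if the configuration lists no cipher suites (instead of the
     *         ArrayIndexOutOfBoundsException that indexing an empty array would produce)
     */
    public AuthenticationKeyBinding() {
        final String[] availableCipherSuites = CesecoreConfiguration.getAvailableCipherSuites();
        if (availableCipherSuites == null || availableCipherSuites.length == 0) {
            throw new IllegalStateException("No cipher suites are configured; cannot create " + IMPLEMENTATION_ALIAS + ".");
        }
        addProperty(new InternalKeyBindingProperty<>(PROPERTY_PROTOCOL_AND_CIPHER_SUITE, availableCipherSuites[0], availableCipherSuites));
    }

    /**
     * Returns the configured protocol as a one-element array, or an empty array when the
     * property value is not of the form {@code protocol;suite}.
     *
     * @return the selected protocol, never {@code null}
     */
    public String[] getSupportedProtocols() {
        return getSelectedProtocolOrSuite(PROTOCOL_INDEX);
    }

    /**
     * Returns the configured cipher suite as a one-element array, or an empty array when the
     * property value is not of the form {@code protocol;suite}.
     *
     * @return the selected cipher suite, never {@code null}
     */
    public String[] getSupportedCipherTextSuites() {
        return getSelectedProtocolOrSuite(CIPHER_SUITE_INDEX);
    }

    /**
     * Splits the {@link #PROPERTY_PROTOCOL_AND_CIPHER_SUITE} value on {@value #PROTOCOL_SUITE_SEPARATOR}
     * and returns the requested part.
     *
     * @param index {@link #PROTOCOL_INDEX} or {@link #CIPHER_SUITE_INDEX}
     * @return a one-element array with the requested part, or an empty array if the value is
     *         {@code null} or does not consist of exactly two parts
     */
    private String[] getSelectedProtocolOrSuite(final int index) {
        final String configured = (String) getProperty(PROPERTY_PROTOCOL_AND_CIPHER_SUITE).getValue();
        // Logged only once per lookup pair (on the protocol lookup) to avoid duplicate lines.
        if (log.isDebugEnabled() && index == PROTOCOL_INDEX) {
            log.debug("Configured cipher suite for this AuthenticationKeyBinding: " + configured);
        }
        if (configured == null) {
            return new String[0];
        }
        final String[] parts = configured.split(PROTOCOL_SUITE_SEPARATOR);
        // Anything other than exactly "protocol;suite" is treated as not configured.
        return parts.length == 2 ? new String[]{parts[index]} : new String[0];
    }

    /** {@inheritDoc} */
    @Override // org.cesecore.keybind.InternalKeyBinding
    public String getImplementationAlias() {
        return IMPLEMENTATION_ALIAS;
    }

    /** {@inheritDoc} */
    @Override // org.cesecore.keybind.InternalKeyBindingBase, org.cesecore.internal.UpgradeableDataHashMap, org.cesecore.internal.IUpgradeableData
    public float getLatestVersion() {
        return 1.0f;
    }

    /**
     * Rejects certificates that {@link #isClientSSLCertificate(Certificate, AvailableExtendedKeyUsagesConfiguration)}
     * does not accept.
     *
     * @param certificate the certificate to be bound to this key binding
     * @param availableExtendedKeyUsagesConfiguration EKU OID/name mapping, used for debug output only
     * @throws CertificateImportException if the certificate is not a client-authentication certificate
     */
    @Override // org.cesecore.keybind.InternalKeyBindingBase, org.cesecore.keybind.InternalKeyBinding
    public void assertCertificateCompatability(final Certificate certificate, final AvailableExtendedKeyUsagesConfiguration availableExtendedKeyUsagesConfiguration) throws CertificateImportException {
        if (!isClientSSLCertificate(certificate, availableExtendedKeyUsagesConfiguration)) {
            throw new CertificateImportException("Not a valid Client SSL authentication certificate.");
        }
    }

    /**
     * No data migration is needed: the only data version of this class is the one reported by
     * {@link #getLatestVersion()}.
     */
    @Override // org.cesecore.keybind.InternalKeyBindingBase
    protected void upgrade(final float f, final float f2) {
        // Intentionally empty.
    }

    /**
     * Checks whether a certificate carries the key usages required for TLS client authentication.
     * <p>
     * The certificate is accepted only if it is an {@link X509Certificate} whose Extended Key Usage
     * contains {@code id-kp-clientAuth} and whose Key Usage asserts both {@code digitalSignature}
     * and {@code keyEncipherment}. A missing Key Usage or Extended Key Usage extension is a rejection,
     * not an error. Validity period, chain building and revocation status are not checked here.
     * <p>
     * NOTE(review): requiring {@code keyEncipherment} may exclude certificates whose key algorithm
     * does not assert that bit (e.g. EC keys) — confirm this restriction is intended.
     *
     * @param certificate the certificate to inspect; {@code null} is rejected
     * @param availableExtendedKeyUsagesConfiguration EKU OID/name mapping used only to render
     *        debug output; may be {@code null}
     * @return {@code true} if all required usages are present
     */
    public static boolean isClientSSLCertificate(final Certificate certificate, final AvailableExtendedKeyUsagesConfiguration availableExtendedKeyUsagesConfiguration) {
        if (certificate == null) {
            log.debug("No certificate provided.");
            return false;
        }
        if (!(certificate instanceof X509Certificate)) {
            log.debug("Only X509 supported.");
            return false;
        }
        final X509Certificate x509Certificate = (X509Certificate) certificate;
        try {
            if (log.isDebugEnabled()) {
                log.debug("SubjectDN: " + CertTools.getSubjectDN(x509Certificate) + " IssuerDN: " + CertTools.getIssuerDN(x509Certificate));
            }
            final boolean[] keyUsage = x509Certificate.getKeyUsage();
            log.debug("Key usages: " + Arrays.toString(keyUsage));
            if (keyUsage == null) {
                // Without this guard the digitalSignature check below dereferences null.
                log.debug("Key usage extension is required.");
                return false;
            }
            log.debug("Key usage (digitalSignature): " + keyUsage[KU_DIGITAL_SIGNATURE]);
            log.debug("Key usage (keyEncipherment): " + keyUsage[KU_KEY_ENCIPHERMENT]);
            // Read the EKU once; getExtendedKeyUsage() re-parses the extension on every call.
            final List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
            if (extendedKeyUsage == null) {
                log.debug("No EKU to verify.");
                return false;
            }
            if (log.isDebugEnabled()) {
                for (final String ekuOid : extendedKeyUsage) {
                    final Object ekuName = availableExtendedKeyUsagesConfiguration == null
                            ? null
                            : availableExtendedKeyUsagesConfiguration.getAllEKUOidsAndNames().get(ekuOid);
                    log.debug("EKU: " + ekuOid + " (" + ekuName + ")");
                }
            }
            if (!extendedKeyUsage.contains(KeyPurposeId.id_kp_clientAuth.getId())) {
                log.debug("Extended Key Usage 1.3.6.1.5.5.7.3.2 (EKU_PKIX_CLIENTAUTH) is required.");
                return false;
            }
            if (!keyUsage[KU_DIGITAL_SIGNATURE]) {
                log.debug("Key usage digitalSignature is required.");
                return false;
            }
            if (!keyUsage[KU_KEY_ENCIPHERMENT]) {
                log.debug("Key usage keyEncipherment is required.");
                return false;
            }
            return true;
        } catch (CertificateParsingException e) {
            // Keep the cause attached so a malformed extension can be diagnosed from the log.
            log.debug("Unable to parse certificate extensions: " + e.getMessage(), e);
            return false;
        }
    }
}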
