package org.opensaml.ws.security.provider;

import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.trust.TrustEngine;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.security.x509.X509Util;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/opensaml-2.6.4.wso2v5.jar:org/opensaml/ws/security/provider/ClientCertAuthRule.class
 */
/* loaded from: input_file:WEB-INF/lib/openws-1.5.4.jar:org/opensaml/ws/security/provider/ClientCertAuthRule.class */
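/**
 * Security policy rule that authenticates the presenter of an inbound message using the X.509
 * client certificate captured by the inbound message transport (the transport's peer credential).
 *
 * <p>Authentication proceeds in two stages:</p>
 * <ol>
 *   <li>If the message context already names a presenter ({@link #getCertificatePresenterEntityID}),
 *       the presented certificate is evaluated against that entity ID and the rule <b>fails</b>
 *       (throws {@link SecurityPolicyException}) when it is not trusted for that entity.</li>
 *   <li>Otherwise the rule tries to <em>derive</em> a presenter entity ID from the certificate
 *       (subject DN, subject alt names, then CN, each only if enabled in {@link CertificateNameOptions})
 *       and finally from {@link #evaluateDerivedPresenters}. The first candidate the trust engine
 *       accepts becomes the inbound message issuer.</li>
 * </ol>
 *
 * <p><b>Security caveats for deployers.</b></p>
 * <ul>
 *   <li>This rule is a no-op when the transport carries no peer credential, or one that is not an
 *       {@link X509Credential}: it returns without throwing and without marking the transport
 *       authenticated. Requiring client-certificate authentication therefore needs an additional
 *       rule that fails when the transport is not authenticated; this rule alone does not enforce it.</li>
 *   <li>In the derivation stage a failure to derive any trusted presenter is likewise silent:
 *       the rule returns and the transport is not marked authenticated.</li>
 *   <li>A derived entity ID is only a <em>candidate</em>; it is accepted solely because the inherited
 *       {@code evaluate(credential, entityID, context)} (presumably delegating to the configured
 *       {@link TrustEngine}) accepted the certificate for that entity ID under the criteria built by
 *       {@link #buildCriteriaSet}. The strength of this authentication is therefore exactly the
 *       strength of the trust engine's resolution of trusted credentials per entity ID.</li>
 *   <li>{@link #buildCriteriaSet} adds an {@link EntityIDCriteria} only when the entity ID is
 *       non-empty; an empty (but non-null) presenter ID from the context would be evaluated with
 *       usage criteria alone. NOTE(review): confirm the configured trust engine rejects such a
 *       lookup rather than matching any trusted signing credential.</li>
 * </ul>
 */
public class ClientCertAuthRule extends BaseTrustEngineRule<X509Credential> {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(ClientCertAuthRule.class);

    /** Options controlling which certificate name fields may be used to derive a presenter entity ID. */
    private final CertificateNameOptions certNameOptions;

    /**
     * Constructor.
     *
     * @param trustEngine the trust engine used to validate the presented client certificate
     * @param certificateNameOptions options governing derivation of a presenter entity ID from
     *            certificate subject DN, subject alt names and common name
     */
    public ClientCertAuthRule(TrustEngine<X509Credential> trustEngine, CertificateNameOptions certificateNameOptions) {
        super(trustEngine);
        this.certNameOptions = certificateNameOptions;
    }

    /**
     * Evaluates the rule against the inbound message transport's peer credential.
     *
     * <p>Returns without effect (and without throwing) when no peer credential is present or it
     * is not an {@link X509Credential}; see the class-level caveats.</p>
     *
     * @param messageContext the message context being evaluated
     * @throws SecurityPolicyException if a context presenter entity ID is present and the
     *             certificate is not trusted for it
     */
    @Override // org.opensaml.ws.security.SecurityPolicyRule
    public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
        Credential peerCredential = messageContext.getInboundMessageTransport().getPeerCredential();
        if (peerCredential == null) {
            this.log.info("Inbound message transport did not contain a peer credential, skipping client certificate authentication");
            return;
        }
        if (!(peerCredential instanceof X509Credential)) {
            this.log.info("Inbound message transport did not contain an X509Credential, skipping client certificate authentication");
            return;
        }
        X509Credential requestCredential = (X509Credential) peerCredential;
        if (this.log.isDebugEnabled()) {
            try {
                this.log.debug("Attempting to authenticate inbound connection that presented the certificate:");
                this.log.debug(Base64.encodeBytes(requestCredential.getEntityCertificate().getEncoded()));
            } catch (CertificateEncodingException e) {
                // Diagnostics only: an unencodable certificate must not abort the rule, but the
                // failure should not be silently swallowed either (the original did exactly that).
                this.log.debug("Unable to encode presented certificate for logging", e);
            }
        }
        doEvaluate(requestCredential, messageContext);
    }

    /**
     * Gets the certificate name options used for presenter derivation.
     *
     * @return the configured certificate name options
     */
    protected CertificateNameOptions getCertificateNameOptions() {
        return this.certNameOptions;
    }

    /**
     * Core evaluation: authenticates against the context presenter entity ID if one is set,
     * otherwise attempts to derive one from the certificate.
     *
     * <p>Only the first path can fail the rule; the derivation paths leave the transport
     * unauthenticated on failure and return normally.</p>
     *
     * @param requestCredential the X.509 credential presented by the peer
     * @param messageContext the message context being evaluated
     * @throws SecurityPolicyException if a context presenter entity ID exists and the credential
     *             is not trusted for it
     */
    protected void doEvaluate(X509Credential requestCredential, MessageContext messageContext)
            throws SecurityPolicyException {
        String contextPresenterEntityID = getCertificatePresenterEntityID(messageContext);
        if (contextPresenterEntityID != null) {
            this.log.debug("Attempting client certificate authentication using context presenter entity ID: {}", contextPresenterEntityID);
            if (!evaluate(requestCredential, contextPresenterEntityID, messageContext)) {
                this.log.error("Authentication via client certificate failed for context presenter entity ID {}", contextPresenterEntityID);
                throw new SecurityPolicyException("Client certificate authentication failed for context presenter entity ID");
            }
            this.log.info("Authentication via client certificate succeeded for context presenter entity ID: {}", contextPresenterEntityID);
            messageContext.getInboundMessageTransport().setAuthenticated(true);
            return;
        }

        // No presenter known yet: try to derive one from the certificate's name fields first.
        String derivedPresenter = evaluateCertificateNameDerivedPresenters(requestCredential, messageContext);
        if (derivedPresenter != null) {
            this.log.info("Authentication via client certificate succeeded for certificate-derived presenter entity ID {}", derivedPresenter);
            setAuthenticatedCertificatePresenterEntityID(messageContext, derivedPresenter);
            messageContext.getInboundMessageTransport().setAuthenticated(true);
            return;
        }

        // Fall back to any subclass-provided derivation strategy.
        derivedPresenter = evaluateDerivedPresenters(requestCredential, messageContext);
        if (derivedPresenter != null) {
            this.log.info("Authentication via client certificate succeeded for derived presenter entity ID {}", derivedPresenter);
            setAuthenticatedCertificatePresenterEntityID(messageContext, derivedPresenter);
            messageContext.getInboundMessageTransport().setAuthenticated(true);
        }
        // Otherwise: nothing derived, transport left unauthenticated, no exception.
    }

    /**
     * Gets the entity ID of the certificate presenter from the message context; by default the
     * inbound message issuer.
     *
     * @param messageContext the message context
     * @return the presenter entity ID, or null if none is known yet
     */
    protected String getCertificatePresenterEntityID(MessageContext messageContext) {
        return messageContext.getInboundMessageIssuer();
    }

    /**
     * Stores a successfully authenticated, certificate-derived presenter entity ID in the message
     * context; by default as the inbound message issuer.
     *
     * @param messageContext the message context
     * @param entityID the authenticated presenter entity ID
     */
    protected void setAuthenticatedCertificatePresenterEntityID(MessageContext messageContext, String entityID) {
        messageContext.setInboundMessageIssuer(entityID);
    }

    /**
     * Builds the criteria used by the trust engine to resolve trusted credentials for the presenter.
     *
     * <p>An {@link EntityIDCriteria} is added only when {@code entityID} is non-empty; a
     * {@link UsageCriteria} of {@link UsageType#SIGNING} is always added.</p>
     *
     * @param entityID the candidate presenter entity ID (may be empty)
     * @param messageContext the message context
     * @return the criteria set
     * @throws SecurityPolicyException never thrown by this implementation
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.opensaml.ws.security.provider.BaseTrustEngineRule
    public CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) throws SecurityPolicyException {
        CriteriaSet criteriaSet = new CriteriaSet();
        if (!DatatypeHelper.isEmpty(entityID)) {
            criteriaSet.add(new EntityIDCriteria(entityID));
        }
        criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
        return criteriaSet;
    }

    /**
     * Legacy name for {@link #evaluateDerivedPresenters}; delegates to it.
     *
     * @param requestCredential the presented credential
     * @param messageContext the message context
     * @return the derived presenter entity ID, or null
     * @throws SecurityPolicyException propagated from the delegate
     */
    protected String evaluateDerivedIssuers(X509Credential requestCredential, MessageContext messageContext)
            throws SecurityPolicyException {
        return evaluateDerivedPresenters(requestCredential, messageContext);
    }

    /**
     * Extension point for subclasses to derive and authenticate a presenter entity ID by means
     * other than certificate name fields. The default implementation derives nothing.
     *
     * @param requestCredential the presented credential
     * @param messageContext the message context
     * @return the authenticated presenter entity ID, or null if none could be derived
     * @throws SecurityPolicyException on evaluation error
     */
    protected String evaluateDerivedPresenters(X509Credential requestCredential, MessageContext messageContext)
            throws SecurityPolicyException {
        return null;
    }

    /**
     * Legacy name for {@link #evaluateCertificateNameDerivedPresenters}; delegates to it.
     *
     * @param requestCredential the presented credential
     * @param messageContext the message context
     * @return the derived presenter entity ID, or null
     * @throws SecurityPolicyException propagated from the delegate
     */
    protected String evaluateCertificateNameDerivedIssuers(X509Credential requestCredential, MessageContext messageContext)
            throws SecurityPolicyException {
        return evaluateCertificateNameDerivedPresenters(requestCredential, messageContext);
    }

    /**
     * Derives and authenticates a presenter entity ID from the certificate's name fields, in the
     * fixed order subject DN, subject alt names, common name. Each source is consulted only if
     * enabled in the configured {@link CertificateNameOptions}; the first one the trust engine
     * accepts wins.
     *
     * @param requestCredential the presented credential
     * @param messageContext the message context
     * @return the authenticated presenter entity ID, or null if no enabled name source yielded one
     * @throws SecurityPolicyException on evaluation error
     */
    protected String evaluateCertificateNameDerivedPresenters(X509Credential requestCredential, MessageContext messageContext)
            throws SecurityPolicyException {
        if (this.certNameOptions.evaluateSubjectDN()) {
            String fromSubjectDN = evaluateSubjectDN(requestCredential, messageContext);
            if (fromSubjectDN != null) {
                return fromSubjectDN;
            }
        }
        if (!this.certNameOptions.getSubjectAltNames().isEmpty()) {
            String fromAltNames = evaluateSubjectAltNames(requestCredential, messageContext);
            if (fromAltNames != null) {
                return fromAltNames;
            }
        }
        if (this.certNameOptions.evaluateSubjectCommonName()) {
            return evaluateSubjectCommonName(requestCredential, messageContext);
        }
        return null;
    }

    /**
     * Tries the certificate's (first) subject common name as the presenter entity ID.
     *
     * @param requestCredential the presented credential
     * @param messageContext the message context
     * @return the CN if the trust engine accepted the credential for it, otherwise null
     * @throws SecurityPolicyException on evaluation error
     */
    protected String evaluateSubjectCommonName(X509Credential requestCredential, MessageContext messageContext)
            throws SecurityPolicyException {
        this.log.debug("Evaluating client cert by deriving presenter as cert CN");
        String candidate = getCommonName(requestCredential.getEntityCertificate());
        if (candidate == null || !evaluate(requestCredential, candidate, messageContext)) {
            return null;
        }
        this.log.info("Authentication succeeded for presenter entity ID derived from CN {}", candidate);
        return candidate;
    }

    /**
     * Tries the certificate's subject DN (formatted per the name options) as the presenter entity ID.
     *
     * @param requestCredential the presented credential
     * @param messageContext the message context
     * @return the subject DN string if the trust engine accepted the credential for it, otherwise null
     * @throws SecurityPolicyException on evaluation error
     */
    protected String evaluateSubjectDN(X509Credential requestCredential, MessageContext messageContext)
            throws SecurityPolicyException {
        this.log.debug("Evaluating client cert by deriving presenter as cert subject DN");
        String candidate = getSubjectName(requestCredential.getEntityCertificate());
        if (candidate == null || !evaluate(requestCredential, candidate, messageContext)) {
            return null;
        }
        this.log.info("Authentication succeeded for presenter entity ID derived from subject DN {}", candidate);
        return candidate;
    }

    /**
     * Tries each configured subject alt name type, and each String-valued alt name of that type,
     * as the presenter entity ID until the trust engine accepts one.
     *
     * @param requestCredential the presented credential
     * @param messageContext the message context
     * @return the first accepted alt name value, or null if none was accepted
     * @throws SecurityPolicyException on evaluation error
     */
    protected String evaluateSubjectAltNames(X509Credential requestCredential, MessageContext messageContext)
            throws SecurityPolicyException {
        this.log.debug("Evaluating client cert by deriving presenter from subject alt names");
        X509Certificate certificate = requestCredential.getEntityCertificate();
        for (Integer altNameType : this.certNameOptions.getSubjectAltNames()) {
            this.log.debug("Evaluating alt names of type: {}", altNameType.toString());
            for (String candidate : getAltNames(certificate, altNameType)) {
                if (evaluate(requestCredential, candidate, messageContext)) {
                    this.log.info("Authentication succeeded for presenter entity ID derived from subject alt name {}", candidate);
                    return candidate;
                }
            }
        }
        return null;
    }

    /**
     * Extracts the certificate subject's common name.
     *
     * <p>Only the <em>first</em> CN attribute is considered; any further CN values in the subject
     * are ignored.</p>
     *
     * @param certificate the certificate
     * @return the first CN, or null if the subject has none
     */
    protected String getCommonName(X509Certificate certificate) {
        List<String> commonNames = X509Util.getCommonNames(certificate.getSubjectX500Principal());
        if (commonNames == null || commonNames.isEmpty()) {
            return null;
        }
        String firstCommonName = commonNames.get(0);
        this.log.debug("Extracted common name from certificate: {}", firstCommonName);
        return firstCommonName;
    }

    /**
     * Extracts the certificate subject DN as a string, using the configured X.500 DN handler and,
     * when set, the configured subject DN output format.
     *
     * @param certificate the certificate, may be null
     * @return the formatted subject DN, or null if {@code certificate} is null
     */
    protected String getSubjectName(X509Certificate certificate) {
        if (certificate == null) {
            return null;
        }
        String dnFormat = this.certNameOptions.getX500SubjectDNFormat();
        String subjectName;
        if (DatatypeHelper.isEmpty(dnFormat)) {
            subjectName = this.certNameOptions.getX500DNHandler().getName(certificate.getSubjectX500Principal());
        } else {
            subjectName = this.certNameOptions.getX500DNHandler().getName(certificate.getSubjectX500Principal(), dnFormat);
        }
        this.log.debug("Extracted subject name from certificate: {}", subjectName);
        return subjectName;
    }

    /**
     * Extracts the String-valued subject alt names of the given type from the certificate.
     *
     * <p>Alt name values that are not Strings (as returned by {@link X509Util#getAltNames}) are
     * skipped, so only name types that decode to Strings can ever be used as a presenter ID.</p>
     *
     * @param certificate the certificate
     * @param altNameType the subject alt name type code to extract
     * @return the String alt names of that type, possibly empty, never null
     */
    protected List<String> getAltNames(X509Certificate certificate, Integer altNameType) {
        this.log.debug("Extracting alt names from certificate of type: {}", altNameType.toString());
        List<?> rawAltNames = X509Util.getAltNames(certificate, new Integer[] { altNameType });
        List<String> altNames = new ArrayList<String>();
        for (Object value : rawAltNames) {
            if (value instanceof String) {
                altNames.add((String) value);
            } else {
                this.log.debug("Skipping non-String certificate alt name value");
            }
        }
        this.log.debug("Extracted alt names from certificate: {}", altNames.toString());
        return altNames;
    }
}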
