package com.helger.pd.indexer.clientcert;

import com.helger.commons.collection.ArrayHelper;
import com.helger.commons.collection.impl.CommonsArrayList;
import com.helger.commons.collection.impl.CommonsHashMap;
import com.helger.commons.collection.impl.ICommonsList;
import com.helger.commons.datetime.PDTFactory;
import com.helger.commons.exception.InitializationException;
import com.helger.pd.settings.PDConfiguredTrustStore;
import com.helger.pd.settings.PDServerConfiguration;
import com.helger.security.keystore.KeyStoreHelper;
import java.security.cert.CRL;
import java.security.cert.X509Certificate;
import java.time.LocalDateTime;
import java.util.Arrays;
import java.util.Iterator;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.Immutable;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

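@Immutable
/**
 * Validates the client certificate of an incoming indexer request against the
 * issuers and trust stores from {@link PDServerConfiguration}.
 * <p>
 * All state is static and initialised once in the static initializer; a
 * missing issuer or trust-store configuration is a hard startup failure unless
 * the check is disabled. The only mutable piece is the "check disabled" switch
 * used by {@link #allowAllForTests(boolean)}.
 */
public final class ClientCertificateValidator {
    /** Client ID reported when certificate validation is disabled. */
    public static final String INSECURE_DEBUG_CLIENT = "insecure-debug-client";

    /** Servlet request attribute under which the container exposes the client chain. */
    private static final String REQUEST_ATTR_CLIENT_CERTS = "javax.servlet.request.X509Certificate";

    private static final Logger s_aLogger = LoggerFactory.getLogger(ClientCertificateValidator.class);
    private static final ClientCertificateValidator s_aInstance = new ClientCertificateValidator();

    /** When true, every request is accepted without looking at the certificate. */
    private static boolean s_bIsCheckDisabled = !PDServerConfiguration.isClientCertificateValidationActive();
    /** Root certificates loaded from the configured trust stores. */
    private static final ICommonsList<X509Certificate> s_aPeppolSMPRootCerts = new CommonsArrayList<>();
    /** Issuer DNs a client certificate must have been issued by. */
    private static final ICommonsList<X500Principal> s_aSearchIssuers = new CommonsArrayList<>();

    static {
        // Order matters: s_bIsCheckDisabled (initialised above) decides whether an
        // empty configuration is fatal inside the two init methods.
        _initCertificateIssuers();
        _initCerts();
    }

    private ClientCertificateValidator() {
    }

    /**
     * Globally enable or disable certificate validation. While disabled,
     * {@link #verifyClientCertificate(HttpServletRequest)} accepts every request
     * and reports {@link #INSECURE_DEBUG_CLIENT} as client ID.
     *
     * @param bAllowAll {@code true} to accept all requests without validation
     */
    public static void allowAllForTests(final boolean bAllowAll) {
        s_bIsCheckDisabled = bAllowAll;
    }

    /**
     * Read the configured client certificate issuers into {@link #s_aSearchIssuers}.
     *
     * @throws InitializationException if no issuer is configured and the check is enabled
     */
    private static void _initCertificateIssuers() {
        for (final String sIssuer : PDServerConfiguration.getAllClientCertIssuer()) {
            s_aSearchIssuers.add(new X500Principal(sIssuer));
        }

        if (s_aSearchIssuers.isEmpty()) {
            if (!s_bIsCheckDisabled) {
                throw new InitializationException("The configuration file is missing the entry for the client certificate issuer");
            }
            s_aLogger.warn("The configuration file contains no entry for the client certificate issuer");
        } else {
            s_aLogger.info("The following client certificate issuer(s) are valid: " + s_aSearchIssuers);
        }
    }

    /**
     * Load one root certificate from every configured trust store into
     * {@link #s_aPeppolSMPRootCerts}.
     *
     * @throws InitializationException if a trust store cannot be read, the alias
     *         does not resolve, or no root certificate is configured while the
     *         check is enabled
     */
    private static void _initCerts() {
        for (final PDConfiguredTrustStore aTrustStore : PDServerConfiguration.getAllTrustStores()) {
            try {
                final X509Certificate aRootCert = (X509Certificate) KeyStoreHelper.loadKeyStoreDirect(aTrustStore.getType(),
                                                                                                     aTrustStore.getPath(),
                                                                                                     aTrustStore.getPassword())
                                                                                 .getCertificate(aTrustStore.getAlias());
                if (aRootCert == null) {
                    throw new InitializationException("Failed to resolve alias '" + aTrustStore.getAlias() + "' in trust store '" + aTrustStore.getPath() + "'!");
                }
                s_aPeppolSMPRootCerts.add(aRootCert);
                s_aLogger.info("Root certificate loaded successfully from trust store '" + aTrustStore.getPath() +
                               "' with alias '" + aTrustStore.getAlias() +
                               "'; root certificate serial=" + aRootCert.getSerialNumber().toString(16) +
                               "; root certficate issuer=" + aRootCert.getIssuerX500Principal().getName());
            } catch (final Throwable t) {
                // Throwable on purpose: any problem with a configured trust store must abort startup
                final String sMsg = "Failed to read trust store from '" + aTrustStore.getPath() + "'";
                s_aLogger.error(sMsg);
                throw new InitializationException(sMsg, t);
            }
        }

        if (s_aPeppolSMPRootCerts.isEmpty()) {
            if (!s_bIsCheckDisabled) {
                throw new InitializationException("Server configuration contains no trusted root certificate configuration!");
            }
            s_aLogger.warn("Server configuration contains no trusted root certificate configuration!");
        }
    }

    /**
     * Map an exception to a non-null error text. {@code null} is the "valid"
     * marker of {@link #_verifyCertificate}, so an exception without a message
     * must never be mapped to {@code null} - that would silently accept the
     * certificate.
     *
     * @param ex the exception that failed the verification
     * @return the exception message, or the exception class name if there is none
     */
    @Nonnull
    private static String _nonNullErrorMessage(@Nonnull final Exception ex) {
        final String sMsg = ex.getMessage();
        return sMsg != null ? sMsg : ex.getClass().getName();
    }

    /**
     * Verify a single certificate against one trusted root certificate:
     * no unsupported critical extensions, signature made with the root's public
     * key, validity period contains the check date, and not listed in any CRL.
     *
     * @param aCert the certificate to verify
     * @param aTrustedRootCert the root whose public key must have signed {@code aCert}
     * @param aCRLs CRLs to consult; may be {@code null} or empty to skip revocation checks
     * @param aCheckDT point in time for the validity check; {@code null} means "now"
     * @return {@code null} if the certificate is valid, otherwise a non-null error text
     */
    @Nullable
    private static String _verifyCertificate(@Nonnull final X509Certificate aCert,
                                             @Nonnull final X509Certificate aTrustedRootCert,
                                             @Nullable final Iterable<? extends CRL> aCRLs,
                                             @Nullable final LocalDateTime aCheckDT) {
        if (aCert.hasUnsupportedCriticalExtension()) {
            return "Certificate has unsupported critical extension";
        }

        try {
            // Signature check: the certificate must be signed directly by the trusted root
            aCert.verify(aTrustedRootCert.getPublicKey());

            if (aCheckDT != null) {
                aCert.checkValidity(PDTFactory.createDate(aCheckDT));
            } else {
                aCert.checkValidity();
            }

            if (aCRLs != null) {
                for (final CRL aCRL : aCRLs) {
                    if (aCRL.isRevoked(aCert)) {
                        return "Certificate is revoked according to " + aCRL.toString();
                    }
                }
            }
            return null;
        } catch (final Exception ex) {
            // Covers signature, validity and CRL failures alike
            return _nonNullErrorMessage(ex);
        }
    }

    /**
     * Build the unique client ID from the certificate subject: the C, O and CN
     * RDNs (in that fixed order) followed by ':' and the hex serial number.
     *
     * @param x509Certificate the client certificate
     * @return the ID, or {@code null} if the subject DN could not be turned into one
     */
    @Nullable
    static String getClientUniqueID(@Nonnull final X509Certificate x509Certificate) {
        final String sSubjectDN = x509Certificate.getSubjectX500Principal().getName();
        try {
            final LdapName aSubject = new LdapName(sSubjectDN);
            final CommonsHashMap<String, Rdn> aRdnByType = new CommonsHashMap<>();
            for (final Rdn aRdn : aSubject.getRdns()) {
                aRdnByType.put(aRdn.getType(), aRdn);
            }

            // A subject without one of C/O/CN yields a null element here; the resulting
            // failure is presumably what ends up in the catch block below - verify.
            final ICommonsList<Rdn> aIDRdns = new CommonsArrayList<Rdn>(new Rdn[] { aRdnByType.get("C"),
                                                                                    aRdnByType.get("O"),
                                                                                    aRdnByType.get("CN") });
            return new LdapName(aIDRdns).toString() + ':' + x509Certificate.getSerialNumber().toString(16);
        } catch (final Exception ex) {
            s_aLogger.error("Failed to parse '" + sSubjectDN + "'", ex);
            return null;
        }
    }

    /**
     * Pick the first certificate of the chain whose issuer is one of the
     * configured {@link #s_aSearchIssuers}.
     *
     * @param aCertChain the chain taken from the request; not empty
     * @return the matching certificate, or {@code null} if none matches
     */
    @Nullable
    private static X509Certificate _findCertWithTrustedIssuer(@Nonnull final X509Certificate[] aCertChain) {
        for (final X509Certificate aCert : aCertChain) {
            final X500Principal aIssuer = aCert.getIssuerX500Principal();
            if (s_aSearchIssuers.contains(aIssuer)) {
                s_aLogger.info("  Using the following client certificate issuer for verification: '" + aIssuer + "'");
                return aCert;
            }
        }
        return null;
    }

    /**
     * Validate the client certificate chain the servlet container attached to
     * the request.
     * <p>
     * The first chain element issued by a configured issuer is verified against
     * each configured root certificate; one successful verification is enough.
     *
     * @param httpServletRequest the current request
     * @return a success result carrying the client ID, or a failure result
     * @throws IllegalStateException if the request attribute has an unexpected type,
     *         or no chain element was issued by a configured issuer
     */
    @Nonnull
    public static ClientCertificateValidationResult verifyClientCertificate(@Nonnull final HttpServletRequest httpServletRequest) {
        if (s_bIsCheckDisabled) {
            if (s_aLogger.isDebugEnabled()) {
                s_aLogger.debug("Client certificate is considered valid because the 'allow all' for tests is set!");
            }
            return ClientCertificateValidationResult.createSuccess(INSECURE_DEBUG_CLIENT);
        }

        final Object aValue = httpServletRequest.getAttribute(REQUEST_ATTR_CLIENT_CERTS);
        if (aValue == null) {
            s_aLogger.warn("No client certificates present in the request");
            return ClientCertificateValidationResult.createFailure();
        }
        if (!(aValue instanceof X509Certificate[])) {
            throw new IllegalStateException("Request value is not of type X509Certificate[] but of " + aValue.getClass());
        }
        final X509Certificate[] aCertChain = (X509Certificate[]) aValue;
        if (ArrayHelper.isEmpty(aCertChain)) {
            s_aLogger.warn("No client certificates passed for validation");
            return ClientCertificateValidationResult.createFailure();
        }

        final X509Certificate aClientCert = _findCertWithTrustedIssuer(aCertChain);
        if (aClientCert == null) {
            // NOTE(review): an unknown issuer is an exception, not createFailure(); the
            // caller presumably maps this to a server error rather than a rejection - confirm
            throw new IllegalStateException("Found no client certificate that was issued by one of the " + s_aSearchIssuers.size() + " required issuers. Provided certs are: " + Arrays.toString(aCertChain));
        }

        // May be null if the subject DN cannot be parsed; it is passed on to createSuccess as-is
        final String sClientID = getClientUniqueID(aClientCert);

        // No CRLs are configured anywhere in this class, so the revocation branch of
        // _verifyCertificate currently never rejects a certificate.
        final ICommonsList<CRL> aCRLs = new CommonsArrayList<>();
        final LocalDateTime aNow = PDTFactory.getCurrentLocalDateTime();

        for (final X509Certificate aRootCert : s_aPeppolSMPRootCerts) {
            if (_verifyCertificate(aClientCert, aRootCert, aCRLs, aNow) == null) {
                s_aLogger.info("  Passed client certificate is valid");
                return ClientCertificateValidationResult.createSuccess(sClientID);
            }
        }

        s_aLogger.warn("Client certificate is invalid: " + sClientID);
        return ClientCertificateValidationResult.createFailure();
    }
}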
