package org.jasig.cas.adaptors.x509.authentication.handler.support;

import java.security.Principal;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.regex.Pattern;
import javax.validation.constraints.NotNull;
import org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentials;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
import org.jasig.cas.authentication.principal.Credentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jasig/cas/adaptors/x509/authentication/handler/support/X509CredentialsAuthenticationHandler.class */
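/**
 * Authentication handler that applies a local policy to an already-presented X.509
 * client certificate chain.
 * <p>
 * The policy consists of: every certificate in the chain must be within its validity
 * period; CA certificates (those carrying basic constraints) must satisfy the configured
 * path-length rule; the issuer DN of at least one certificate in the chain must match
 * {@code trustedIssuerDnPattern}; and the end-entity certificate selected as the
 * candidate must match {@code subjectDnPattern} and, when {@code checkKeyUsage} is
 * enabled, the key-usage rule. On success the selected certificate is stored back into
 * the credentials.
 * <p>
 * NOTE(review): nothing in this class verifies chain signatures or revocation status
 * (no {@code verify()} call, no CRL/OCSP lookup); it presumes the component that
 * performed the TLS handshake already did so. Treat it as a policy filter on top of
 * TLS client authentication, not as a replacement for it.
 * <p>
 * {@code trustedIssuerDnPattern} has no default; the {@code @NotNull} annotation is
 * relied upon to reject a configuration that leaves it unset, because the handler
 * dereferences it unconditionally while examining a chain.
 */
public class X509CredentialsAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler {
    /** OID of the X.509 keyUsage extension. */
    private static final String KEY_USAGE_OID = "2.5.29.15";
    private static final int DEFAULT_MAXPATHLENGTH = 1;
    private static final boolean DEFAULT_MAXPATHLENGTH_ALLOW_UNSPECIFIED = false;
    private static final boolean DEFAULT_CHECK_KEYUSAGE = false;
    private static final boolean DEFAULT_REQUIRE_KEYUSAGE = false;
    private static final Pattern DEFAULT_SUBJECT_DN_PATTERN = Pattern.compile(".*");

    /** Regex the issuer DN of at least one chain element must fully match; no default. */
    @NotNull
    private Pattern regExTrustedIssuerDnPattern;
    private final Logger log = LoggerFactory.getLogger(getClass());
    /** Largest pathLenConstraint accepted on a CA certificate in the chain. */
    private int maxPathLength = DEFAULT_MAXPATHLENGTH;
    /** Whether a CA certificate without a pathLenConstraint (unlimited) is accepted. */
    private boolean maxPathLength_allowUnspecified = DEFAULT_MAXPATHLENGTH_ALLOW_UNSPECIFIED;
    /** Whether the end-entity certificate's keyUsage extension is examined at all. */
    private boolean checkKeyUsage = DEFAULT_CHECK_KEYUSAGE;
    /** When checking key usage, whether the extension must be present and satisfied. */
    private boolean requireKeyUsage = DEFAULT_REQUIRE_KEYUSAGE;

    /** Regex the candidate end-entity certificate's subject DN must fully match. */
    @NotNull
    private Pattern regExSubjectDnPattern = DEFAULT_SUBJECT_DN_PATTERN;

    /**
     * Validates the certificate chain carried by the credentials against the configured policy.
     * <p>
     * The chain is walked from its last array element towards index 0, so the last element
     * examined is the first one in the array; whichever acceptable end-entity certificate is
     * examined last becomes the candidate (presumably the client certificate, which containers
     * conventionally place at index 0 — confirm against the servlet container in use).
     * Unlike earlier revisions, a certificate that is expired or not yet valid anywhere in the
     * chain fails the whole authentication immediately instead of merely clearing the current
     * candidate, so an expired intermediate can no longer be masked by a valid leaf.
     *
     * @param credentials must be an {@link X509CertificateCredentials}; the cast is unchecked
     *                    because {@link #supports(Credentials)} is expected to have run first
     * @return {@code true} when the chain satisfies every configured rule, in which case the
     *         selected certificate has been set on the credentials; {@code false} otherwise
     * @throws AuthenticationException declared for the superclass contract; not thrown here
     */
    protected final boolean doAuthentication(final Credentials credentials) throws AuthenticationException {
        final X509CertificateCredentials x509Credentials = (X509CertificateCredentials) credentials;
        final X509Certificate[] chain = x509Credentials.getCertificates();
        X509Certificate candidate = null;
        boolean trustedIssuerSeen = false;

        // Walk towards index 0 so the surviving candidate is the lowest-indexed acceptable end-entity cert.
        for (int i = chain.length - 1; i >= 0; i--) {
            final X509Certificate cert = chain[i];
            final Principal issuerDN = cert.getIssuerDN();
            if (issuerDN == null) {
                // A certificate that cannot be attributed to an issuer can neither satisfy the
                // trusted-issuer rule nor be a candidate, so the chain is rejected outright.
                log.warn("authentication failed; certificate has no issuer DN [" + cert.toString() + "]");
                return false;
            }
            if (log.isDebugEnabled()) {
                log.debug("--examining cert[" + cert.getSerialNumber().toString() + "] " + cert.getSubjectDN() + "\" from issuer \"" + issuerDN.getName() + "\"");
            }

            try {
                cert.checkValidity();
            } catch (final CertificateExpiredException e) {
                log.warn("authentication failed; certficiate expired [" + cert.toString() + "]");
                return false;
            } catch (final CertificateNotYetValidException e) {
                log.warn("authentication failed; certficate not yet valid [" + cert.toString() + "]");
                return false;
            }
            log.debug("certificate is valid");

            if (isCertificateFromTrustedIssuer(issuerDN)) {
                trustedIssuerSeen = true;
                log.debug("certificate was issued by trusted issuer");
            }

            // getBasicConstraints() returns -1 when the certificate is not a CA.
            final int basicConstraints = cert.getBasicConstraints();
            if (basicConstraints != -1) {
                log.debug("this is a CA certificate");
                if (!isPathLengthAcceptable(basicConstraints)) {
                    return false;
                }
            } else {
                log.debug("this is an end-user certificate");
                if (isAcceptableEndEntityCertificate(cert)) {
                    if (log.isDebugEnabled()) {
                        log.debug("cert[" + cert.getSerialNumber().toString() + "] ok, setting as credentials candidate");
                    }
                    candidate = cert;
                }
            }
        }

        if (candidate != null && trustedIssuerSeen) {
            if (log.isInfoEnabled()) {
                log.info("authentication OK; SSL client authentication data meets criteria for cert[" + candidate.getSerialNumber().toString() + "]");
            }
            x509Credentials.setCertificate(candidate);
            return true;
        }
        if (trustedIssuerSeen) {
            log.info("authentication failed; SSL client authentication data doesn't meet criteria");
        } else if (log.isInfoEnabled()) {
            log.info("client cert did not have trusted issuer pattern \"" + regExTrustedIssuerDnPattern.pattern() + "\" in chain; authentication failed");
        }
        return false;
    }

    /**
     * Applies the path-length policy to a CA certificate's basic-constraints value.
     * {@link X509Certificate#getBasicConstraints()} yields {@code Integer.MAX_VALUE} when the
     * extension is present without a pathLenConstraint, i.e. an unlimited path length.
     *
     * @param basicConstraints the value returned by {@code getBasicConstraints()}, never -1 here
     * @return {@code true} when the value is within policy; {@code false} (after a warning) otherwise
     */
    private boolean isPathLengthAcceptable(final int basicConstraints) {
        if (basicConstraints == Integer.MAX_VALUE) {
            if (!maxPathLength_allowUnspecified) {
                log.warn("authentication failed; cert pathLength not specified and unlimited/unspecified not allowed by config [see maxPathLength_allow_unlimited]");
                return false;
            }
            return true;
        }
        if (basicConstraints > maxPathLength) {
            log.warn("authentication failed; cert pathLength [" + basicConstraints + "] is more than allowed by config [" + maxPathLength + "]");
            return false;
        }
        return true;
    }

    /**
     * Decides whether a non-CA certificate may become the credentials candidate: its subject DN
     * must match the subject pattern and, when key-usage checking is enabled, the key-usage rule
     * must hold.
     *
     * @param cert a certificate whose basic constraints reported -1
     * @return {@code true} when the certificate passes both rules
     */
    private boolean isAcceptableEndEntityCertificate(final X509Certificate cert) {
        if (!doesCertificateSubjectDnMatchPattern(cert.getSubjectDN())) {
            return false;
        }
        return !checkKeyUsage || doesCertificateKeyUsageMatch(cert);
    }

    /**
     * Sets the regular expression an issuer DN must fully match for the chain to be trusted.
     *
     * @param str a regex accepted by {@link Pattern#compile(String)}
     * @throws java.util.regex.PatternSyntaxException if {@code str} is not a valid regex
     */
    public void setTrustedIssuerDnPattern(final String str) {
        this.regExTrustedIssuerDnPattern = Pattern.compile(str);
    }

    /**
     * Sets the largest pathLenConstraint accepted on CA certificates in the chain.
     *
     * @param i maximum path length; default 1
     */
    public void setMaxPathLength(final int i) {
        this.maxPathLength = i;
    }

    /**
     * Sets whether a CA certificate without a pathLenConstraint is accepted.
     *
     * @param z {@code true} to accept unlimited path lengths; default {@code false}
     */
    public void setMaxPathLengthAllowUnspecified(final boolean z) {
        this.maxPathLength_allowUnspecified = z;
    }

    /**
     * Sets whether the end-entity certificate's keyUsage extension is examined.
     *
     * @param z {@code true} to enable the key-usage rule; default {@code false}
     */
    public void setCheckKeyUsage(final boolean z) {
        this.checkKeyUsage = z;
    }

    /**
     * Sets whether, when key usage is checked, the extension must be present and satisfied
     * even if the certificate does not mark it critical.
     *
     * @param z {@code true} to require the extension; default {@code false}
     */
    public void setRequireKeyUsage(final boolean z) {
        this.requireKeyUsage = z;
    }

    /**
     * Sets the regular expression the candidate certificate's subject DN must fully match.
     *
     * @param str a regex accepted by {@link Pattern#compile(String)}; default {@code .*}
     * @throws java.util.regex.PatternSyntaxException if {@code str} is not a valid regex
     */
    public void setSubjectDnPattern(final String str) {
        this.regExSubjectDnPattern = Pattern.compile(str);
    }

    /**
     * Applies the key-usage rule to a certificate.
     * <ul>
     * <li>No keyUsage extension: acceptable unless {@code requireKeyUsage} is set.</li>
     * <li>Extension present, not critical, not required: accepted without inspection.</li>
     * <li>Otherwise the first key-usage bit (digitalSignature in the extension's ASN.1 order,
     *     which {@link X509Certificate#getKeyUsage()} preserves) must be set.</li>
     * </ul>
     *
     * @param cert the certificate to inspect
     * @return {@code true} when the rule is satisfied
     */
    private boolean doesCertificateKeyUsageMatch(final X509Certificate cert) {
        final boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage == null) {
            log.warn("isKeyUsageRequired?: " + requireKeyUsage + "; keyUsage not found.");
            return !requireKeyUsage;
        }
        log.debug("keyUsage extension found: examing...");
        final boolean critical = isExtensionMarkedCritical(cert, KEY_USAGE_OID);
        if (!critical && !requireKeyUsage) {
            log.debug("match ok; keyUsage extension not critical and not required so not checked");
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("extension is marked critical in cert OR required by config[critical=" + critical + ";required=" + requireKeyUsage + "]");
        }
        // Length guard is defensive; the JDK documents the array as covering every defined bit.
        if (keyUsage.length > 0 && keyUsage[0]) {
            log.debug("match ok; keyUsage extension OK");
            return true;
        }
        if (requireKeyUsage) {
            log.warn("match error; required/critical keyUsage extension fails[critical=" + critical + ";required=" + requireKeyUsage + "]");
        }
        return false;
    }

    /**
     * Reports whether the certificate lists the given extension OID as critical.
     *
     * @param cert the certificate to inspect
     * @param oid  dotted-decimal extension OID
     * @return {@code true} only when the OID appears in the certificate's critical-extension set
     */
    private boolean isExtensionMarkedCritical(final X509Certificate cert, final String oid) {
        final Set<String> criticalOids = cert.getCriticalExtensionOIDs();
        return criticalOids != null && criticalOids.contains(oid);
    }

    /** Matches a subject DN against {@code subjectDnPattern}. */
    private boolean doesCertificateSubjectDnMatchPattern(final Principal principal) {
        return doesNameMatchPattern(principal, regExSubjectDnPattern);
    }

    /** Matches an issuer DN against {@code trustedIssuerDnPattern}. */
    private boolean isCertificateFromTrustedIssuer(final Principal principal) {
        return doesNameMatchPattern(principal, regExTrustedIssuerDnPattern);
    }

    /**
     * Full-match (not find) of the principal's name against the pattern, logged at debug level.
     * The name is whatever {@link Principal#getName()} yields for the legacy
     * {@code getIssuerDN()}/{@code getSubjectDN()} principals; configured patterns are written
     * against that string form, so the representation is deliberately left unchanged here.
     *
     * @param principal DN to test; must not be null
     * @param pattern   compiled regex
     * @return {@code true} when the whole name matches the pattern
     */
    private boolean doesNameMatchPattern(final Principal principal, final Pattern pattern) {
        final String name = principal.getName();
        final boolean matches = pattern.matcher(name).matches();
        if (log.isDebugEnabled()) {
            log.debug("Pattern Match: " + matches + " [" + name + "] against [" + pattern.pattern() + "].");
        }
        return matches;
    }

    /**
     * @param credentials credentials offered for authentication; may be null
     * @return {@code true} when the credentials are an {@link X509CertificateCredentials}
     */
    public boolean supports(final Credentials credentials) {
        return credentials instanceof X509CertificateCredentials;
    }
}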
