package org.pac4j.http.credentials.authenticator;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import javax.security.auth.x500.X500Principal;
import org.pac4j.core.context.CallContext;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.core.profile.definition.CommonProfileDefinition;
import org.pac4j.http.credentials.X509Credentials;
import org.pac4j.http.profile.X509Profile;

/* loaded from: input_file:BOOT-INF/lib/pac4j-http-6.0.2.jar:org/pac4j/http/credentials/authenticator/X509Authenticator.class */
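/**
 * Authenticates a client {@link X509Certificate} carried in {@link X509Credentials} and builds an
 * {@link X509Profile} from it.
 * <p>
 * The profile id is the single group captured by the configured regular expression when it is
 * applied to the certificate's subject DN string; the default pattern takes the first {@code CN=}
 * value up to the next comma (a CN containing a literal comma is therefore cut at that comma).
 * Certificate metadata (Base64 DER encoding, subject and issuer, validity bounds, signature
 * algorithm, subject alternative names) is copied into profile attributes.
 * <p>
 * This class does not verify the certificate itself: no chain building, no revocation check and no
 * {@link X509Certificate#checkValidity()} call happen here. Trust is assumed to have been established
 * by the TLS layer that requested the client certificate; {@code x509-notAfter} and
 * {@code x509-notBefore} are exposed so callers can apply their own checks.
 */
public class X509Authenticator extends AbstractRegexpAuthenticator implements Authenticator {

    /** Default pattern: first {@code CN=} value, up to the next comma or the end of the string. */
    private static final String DEFAULT_CN_PATTERN = "CN=(.*?)(?:,|$)";

    // GeneralName tag numbers, as found in the first element of each entry returned by
    // X509Certificate#getSubjectAlternativeNames() (RFC 5280, section 4.2.1.6, tags 0-8).
    private static final int SAN_RFC822_NAME = 1;
    private static final int SAN_DNS_NAME = 2;
    // directoryName is tag 4; there is no tag 9, so a value of 9 can never match an entry.
    private static final int SAN_DIRECTORY_NAME = 4;
    private static final int SAN_URI = 6;
    private static final int SAN_IP_ADDRESS = 7;
    private static final int SAN_REGISTERED_ID = 8;

    /** Creates an authenticator using the default {@code CN} extraction pattern. */
    public X509Authenticator() {
        setRegexpPattern(DEFAULT_CN_PATTERN);
    }

    /**
     * Creates an authenticator with a custom subject-DN pattern.
     *
     * @param regexpPattern regular expression applied to the subject DN string; it must contain
     *                      exactly one capturing group, whose value becomes the profile id
     */
    public X509Authenticator(String regexpPattern) {
        setRegexpPattern(regexpPattern);
    }

    @Override
    protected void internalInit(boolean forceReinit) {
        // Only install the default profile definition when none was configured by the user.
        setProfileDefinitionIfUndefined(new CommonProfileDefinition(parameters -> new X509Profile()));
    }

    /**
     * Validates the credentials by deriving an identity from the client certificate.
     * <p>
     * The subject alternative names and the other attributes are copied from the certificate as
     * presented; they are only as trustworthy as the CA that issued the certificate.
     *
     * @param callContext the call context (not used here)
     * @param credentials the credentials, expected to be {@link X509Credentials}
     * @return the same credentials with the built profile attached
     * @throws CredentialsException if the certificate or its subject is missing, the pattern does
     *         not match the subject DN, or the certificate cannot be encoded
     * @throws ClassCastException if the credentials are not {@link X509Credentials}
     */
    @Override
    public Optional<Credentials> validate(CallContext callContext, Credentials credentials) {
        init();
        X509Certificate certificate = ((X509Credentials) credentials).getCertificate();
        if (certificate == null) {
            throw new CredentialsException("No X509 certificate");
        }
        // Legacy accessor kept on purpose: getSubjectX500Principal().getName() may format the DN
        // differently, which would change both the pattern input and the stored attribute.
        Principal subjectDN = certificate.getSubjectDN();
        if (subjectDN == null) {
            throw new CredentialsException("No X509 principal");
        }
        String subjectName = subjectDN.getName();
        this.logger.debug("subjectDN: {}", subjectName);
        if (subjectName == null) {
            throw new CredentialsException("No X509 subjectDN");
        }
        String profileId = extractProfileId(subjectName);

        UserProfile profile = getProfileDefinition().newProfile(new Object[0]);
        profile.setId(profileId);
        try {
            // Base64 of the DER encoding; getEncoded() is the only checked-exception source here.
            profile.addAttribute("x509-certificate", Base64.getEncoder().encodeToString(certificate.getEncoded()));
            profile.addAttribute("x509-subjectDN", subjectName);
            profile.addAttribute("x509-notAfter", certificate.getNotAfter());
            profile.addAttribute("x509-notBefore", certificate.getNotBefore());
            profile.addAttribute("x509-sigAlgName", certificate.getSigAlgName());
            profile.addAttribute("x509-sigAlgOid", certificate.getSigAlgOID());
            extractExtensionFromCertificate(profile, certificate, "x509-sanEmail", SAN_RFC822_NAME);
            extractExtensionFromCertificate(profile, certificate, "x509-sanDNS", SAN_DNS_NAME);
            extractExtensionFromCertificate(profile, certificate, "x509-sanURI", SAN_URI);
            extractExtensionFromCertificate(profile, certificate, "x509-sanIP", SAN_IP_ADDRESS);
            extractExtensionFromCertificate(profile, certificate, "x509-sanRegisteredID", SAN_REGISTERED_ID);
            extractExtensionFromCertificate(profile, certificate, "x509-sanDirectory", SAN_DIRECTORY_NAME);
            Principal issuerDN = certificate.getIssuerDN();
            if (issuerDN != null) {
                profile.addAttribute("x509-issuer", issuerDN.getName());
            }
            X500Principal issuerX500Principal = certificate.getIssuerX500Principal();
            if (issuerX500Principal != null) {
                profile.addAttribute("x509-issuerX500", issuerX500Principal.getName());
            }
            this.logger.debug("profile: {}", profile);
            credentials.setUserProfile(profile);
            return Optional.of(credentials);
        } catch (Exception e) {
            // Broad on purpose: callers rely on CredentialsException for any failure in this block.
            throw new CredentialsException("Unable to encode the certificate", e);
        }
    }

    /**
     * Applies the configured pattern to the subject DN string and returns the captured id.
     *
     * @param subjectName the subject DN string
     * @return the value of capturing group 1
     * @throws CredentialsException if the pattern does not match or does not define exactly one group
     */
    private String extractProfileId(String subjectName) {
        Matcher matcher = this.pattern.matcher(subjectName);
        if (!matcher.find()) {
            throw new CredentialsException("No matching for pattern: " + this.regexpPattern + " in subjectDN: " + subjectName);
        }
        // groupCount() describes the pattern, not this match: this rejects custom patterns that
        // define zero or several capturing groups, since only group 1 is used as the id.
        if (matcher.groupCount() != 1) {
            throw new CredentialsException("Too many matches for pattern: " + this.regexpPattern + " in subjectDN: " + subjectName);
        }
        return matcher.group(1);
    }

    /**
     * Copies the subject alternative names of one GeneralName type into a profile attribute.
     * <p>
     * Best effort: any failure while reading the extension is logged at debug level and the
     * attribute is left unset, so a malformed extension does not fail authentication.
     *
     * @param userProfile   profile receiving the attribute
     * @param certificate   certificate whose subject alternative names are read
     * @param attributeName attribute to set; only set when at least one value of that type exists
     * @param sanType       GeneralName tag (0-8) selecting the entries to copy; for the tags used by
     *                      this class the value element is a String
     */
    protected void extractExtensionFromCertificate(UserProfile userProfile, X509Certificate certificate, String attributeName, int sanType) {
        try {
            Collection<List<?>> subjectAlternativeNames = certificate.getSubjectAlternativeNames();
            if (subjectAlternativeNames == null) {
                return;
            }
            Integer wantedType = Integer.valueOf(sanType);
            // Each entry is [Integer tag, value]; entries of another shape are skipped.
            List<String> values = subjectAlternativeNames.stream()
                    .filter(entry -> entry.size() == 2)
                    .filter(entry -> wantedType.equals(entry.get(0)))
                    .map(entry -> entry.get(1).toString())
                    .toList();
            if (!values.isEmpty()) {
                userProfile.addAttribute(attributeName, values);
            }
        } catch (Exception e) {
            this.logger.debug("Unable to extract extension", e);
        }
    }
}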
