package won.node.springsecurity;

import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
import won.protocol.vocabulary.WONCRYPT;

/* loaded from: input_file:WEB-INF/lib/won-node-0.2.jar:won/node/springsecurity/ReverseProxyCompatibleX509AuthenticationFilter.class */
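/**
 * Pre-authentication filter that obtains the caller's X.509 client certificate either from the
 * servlet container or, when running behind a TLS-terminating reverse proxy, from an HTTP header.
 *
 * <p>Two modes, selected once at construction time:
 * <ul>
 *   <li><b>direct</b> ({@code behindProxy == false}): the certificate chain is read from the
 *       request attribute {@code javax.servlet.request.X509Certificate}.</li>
 *   <li><b>behind proxy</b> ({@code behindProxy == true}): a PEM certificate is read from the
 *       header named by {@link WONCRYPT#CLIENT_CERTIFICATE_HEADER} (the error messages refer to
 *       it as {@code X-Client-Certificate}) and parsed.</li>
 * </ul>
 *
 * <p><b>Security note for proxy mode:</b> this class only <em>parses</em> the certificate found in
 * the header. Nothing here verifies the certificate chain, the validity period, or that the peer
 * holds the matching private key. The header is therefore exactly as trustworthy as the component
 * that set it. A deployment that enables proxy mode has to make sure that the reverse proxy
 * performs the TLS client authentication, that it always overwrites (or strips) any header of this
 * name arriving from the client, and that the node cannot be reached on a path that bypasses the
 * proxy. Enabling proxy mode on a directly reachable node lets any caller present an arbitrary
 * certificate as its identity.
 */
public class ReverseProxyCompatibleX509AuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {
    /** Request attribute under which the certificate chain is looked up in direct mode. */
    private static final String CERTIFICATE_REQUEST_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /** {@code true} if the certificate is to be taken from the proxy-supplied HTTP header. */
    private final boolean behindProxy;

    /** Strategy that turns the certificate into the principal; defaults to the subject DN. */
    private X509PrincipalExtractor principalExtractor = new SubjectDnX509PrincipalExtractor();

    /**
     * Creates the filter.
     *
     * @param z {@code true} to read the client certificate from the reverse-proxy header,
     *     {@code false} to read it from the servlet request attribute
     */
    public ReverseProxyCompatibleX509AuthenticationFilter(boolean z) {
        this.behindProxy = z;
    }

    /**
     * Extracts the principal from the request's client certificate using the configured
     * {@link X509PrincipalExtractor}.
     *
     * @param httpServletRequest the current request
     * @return the extracted principal, or {@code null} if no certificate object was obtained
     * @throws AuthenticationCredentialsNotFoundException if the certificate is missing or cannot
     *     be parsed
     * @throws InternalAuthenticationServiceException if no X.509 certificate factory is available
     */
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest httpServletRequest) {
        X509Certificate clientCertificate = extractClientCertificate(httpServletRequest);
        if (clientCertificate == null) {
            return null;
        }
        return this.principalExtractor.extractPrincipal(clientCertificate);
    }

    /**
     * Returns the client certificate itself as the pre-authenticated credentials.
     *
     * @param httpServletRequest the current request
     * @return the client certificate
     * @throws AuthenticationCredentialsNotFoundException if the certificate is missing or cannot
     *     be parsed
     * @throws InternalAuthenticationServiceException if no X.509 certificate factory is available
     */
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest httpServletRequest) {
        return extractClientCertificate(httpServletRequest);
    }

    /** Dispatches to the header-based or attribute-based lookup depending on the configured mode. */
    private X509Certificate extractClientCertificate(HttpServletRequest httpServletRequest) {
        if (this.behindProxy) {
            return certificateFromProxyHeader(httpServletRequest);
        }
        return certificateFromRequestAttribute(httpServletRequest);
    }

    /** Parses the PEM certificate that the reverse proxy is expected to place in the request header. */
    private X509Certificate certificateFromProxyHeader(HttpServletRequest httpServletRequest) {
        final CertificateFactory certificateFactory;
        try {
            certificateFactory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            // A missing X.509 factory is a server-side problem, not a problem with the credentials.
            throw new InternalAuthenticationServiceException("could not extract certificate from request", e);
        }
        String header = httpServletRequest.getHeader(WONCRYPT.CLIENT_CERTIFICATE_HEADER);
        if (header == null) {
            throw new AuthenticationCredentialsNotFoundException("No HTTP header 'X-Client-Certificate' set that contains client authentication certificate! If property 'client.authentication.behind.proxy' is set to true, this header must be set by the reverse proxy!");
        }
        // The header carries the PEM text with its line breaks replaced by other whitespace.
        // Turn whitespace runs back into line separators, keeping the whitespace that directly
        // follows the "-----BEGIN" / "-----END" markers, then convert any remaining tabs.
        String pem = header.replaceAll("(?<!-----BEGIN|-----END)\\s+", System.lineSeparator()).replaceAll("\\t+", System.lineSeparator());
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("found this certificate in the X-Client-Certificate header: " + header);
            this.logger.debug("found this certificate in the X-Client-Certificate header (after whitespace replacement): " + pem);
        }
        try {
            // NOTE(review): "ISO-8859-11" is the Latin/Thai charset name; PEM text is ASCII, so the
            // bytes should not depend on it, but confirm that this name (rather than ISO-8859-1)
            // is intended and available on the target JVM.
            return (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(pem.getBytes("ISO-8859-11")));
        } catch (UnsupportedEncodingException e) {
            throw new AuthenticationCredentialsNotFoundException("could not extract certificate from request with encoding ISO-8859-11", e);
        } catch (CertificateException e) {
            throw new AuthenticationCredentialsNotFoundException("could not extract certificate from request", e);
        }
    }

    /** Reads the first certificate of the chain found in the servlet request attribute. */
    private X509Certificate certificateFromRequestAttribute(HttpServletRequest httpServletRequest) {
        X509Certificate[] chain = (X509Certificate[]) httpServletRequest.getAttribute(CERTIFICATE_REQUEST_ATTRIBUTE);
        if (chain == null) {
            throw new AuthenticationCredentialsNotFoundException("Client certificate attribute is null! Check if you are behind a proxy server that takes care about the client authentication already. If so, set the property 'client.authentication.behind.proxy' to true and make sure the proxy sets the HTTP header 'X-Client-Certificate' appropriately to the sent client certificate");
        }
        if (chain.length == 0) {
            // Report an empty chain as missing credentials instead of letting chain[0] fail with
            // an ArrayIndexOutOfBoundsException, which is not an authentication exception.
            throw new AuthenticationCredentialsNotFoundException("Client certificate attribute 'javax.servlet.request.X509Certificate' contains no certificates");
        }
        return chain[0];
    }

    /**
     * Replaces the strategy used to derive the principal from the client certificate.
     *
     * @param x509PrincipalExtractor the extractor to use from now on
     */
    public void setPrincipalExtractor(X509PrincipalExtractor x509PrincipalExtractor) {
        this.principalExtractor = x509PrincipalExtractor;
    }
}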
