package eu.unicore.services.rest.security;

import de.fzj.unicore.wsrflite.Kernel;
import de.fzj.unicore.wsrflite.KernelInjectable;
import eu.unicore.security.SecurityTokens;
import eu.unicore.security.wsutil.CXFUtils;
import eu.unicore.util.Log;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.binary.Base64;
import org.apache.cxf.message.Message;
import org.apache.http.NameValuePair;
import org.apache.http.message.BasicHeaderValueParser;
import org.apache.log4j.Logger;

/* loaded from: input_file:eu/unicore/services/rest/security/X509Authenticator.class */
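/**
 * Authenticates a REST request from an X.509 identity.
 *
 * <p>Two sources are supported, selected by {@code haveGateway}:
 * <ul>
 *   <li>the TLS client certificate chain of the connection itself, or</li>
 *   <li>the {@code X-UNICORE-Consignor} header that the UNICORE Gateway adds when it
 *       forwards a request, carrying the consignor DN and a signature over it.</li>
 * </ul>
 *
 * <p>In the Gateway case the header is only as trustworthy as the signature check:
 * with {@code validate} switched off, any client able to reach this container directly
 * (bypassing the Gateway) could supply an arbitrary DN in that header, so {@code validate}
 * should stay enabled unless the container is reachable exclusively through the Gateway.
 *
 * <p>The digest/signature algorithms used for the check (SHA-1 based) are presumably
 * dictated by what the Gateway uses to produce the signature; they cannot be changed here
 * independently of the Gateway.
 */
public class X509Authenticator implements IAuthenticator, KernelInjectable {

    /** Header the Gateway uses to forward the consignor identity. */
    private static final String CONSIGNOR_HEADER = "X-UNICORE-Consignor";

    /** Parameter names within the consignor header value. */
    private static final String PARAM_DN = "DN";
    private static final String PARAM_DSIG = "DSIG";

    private static final Logger logger = Log.getLogger("unicore.security", X509Authenticator.class);

    /** Injected via {@link #setKernel(Kernel)}; needed to obtain the Gateway certificate. */
    private Kernel kernel;

    /** Whether the Gateway header signature is verified (default: yes). */
    private boolean validate = true;

    // No setter is visible in this class; presumably configured elsewhere or always true.
    private boolean haveGateway = true;

    /**
     * This authenticator does not advertise any HTTP {@code WWW-Authenticate} scheme.
     *
     * @return an empty, immutable set
     */
    @Override
    public final Collection<String> getAuthSchemes() {
        return Collections.emptySet();
    }

    /**
     * Enables or disables verification of the Gateway consignor signature.
     *
     * @param validate {@code true} to verify the signature (recommended)
     */
    public void setValidate(boolean validate) {
        this.validate = validate;
    }

    /**
     * Injects the kernel that provides the container security configuration.
     *
     * @param kernel the kernel instance
     */
    public void setKernel(Kernel kernel) {
        this.kernel = kernel;
    }

    /**
     * Authenticates the request, either from the Gateway header or from the TLS client
     * certificate, and fills the given tokens on success.
     *
     * @param message        the CXF message
     * @param securityTokens the tokens to populate with the authenticated identity
     * @return {@code true} if the request was handled by this authenticator
     */
    @Override
    public boolean authenticate(Message message, SecurityTokens securityTokens) {
        if (haveGateway) {
            return extractFromGWHeader(message, securityTokens);
        }
        return extractFromTLS(message, securityTokens);
    }

    /**
     * Takes the identity from the TLS client certificate chain of the connection.
     *
     * @param message        the CXF message
     * @param securityTokens the tokens to populate
     * @return {@code false} if no client certificate chain is present, {@code true} otherwise
     */
    protected boolean extractFromTLS(Message message, SecurityTokens securityTokens) {
        X509Certificate[] chain = CXFUtils.getSSLCerts(message);
        // Guard the empty array as well: only the null case was checked before, so a
        // zero-length chain would have thrown ArrayIndexOutOfBoundsException below.
        if (chain == null || chain.length == 0) {
            return false;
        }
        String dn = chain[0].getSubjectX500Principal().getName();
        securityTokens.setUser(chain);
        securityTokens.setUserName(dn);
        // The TLS peer is both user and consignor here, and the connection itself vouches for it.
        securityTokens.setConsignor(chain);
        securityTokens.setConsignorTrusted(true);
        if (logger.isDebugEnabled()) {
            logger.debug("Authenticated X.509 certificate (TLS): <" + dn + ">");
        }
        return true;
    }

    /**
     * Takes the identity from the {@code X-UNICORE-Consignor} header set by the Gateway.
     *
     * <p>The header is parsed as {@code DN=...; DSIG=...} parameters. If a parameter is
     * repeated, the last occurrence wins (unchanged from the original behaviour). When
     * {@code validate} is set, the DSIG signature is checked against the Gateway
     * certificate before the DN is accepted.
     *
     * @param message        the CXF message
     * @param securityTokens the tokens to populate
     * @return {@code false} if the request or header is absent or incomplete,
     *         {@code true} otherwise (see the note on failed validation in the body)
     */
    protected boolean extractFromGWHeader(Message message, SecurityTokens securityTokens) {
        HttpServletRequest request = (HttpServletRequest) message.get("HTTP.REQUEST");
        if (request == null) {
            return false;
        }
        String header = request.getHeader(CONSIGNOR_HEADER);
        if (header == null) {
            return false;
        }
        String dn = null;
        String dsig = null;
        for (NameValuePair param : BasicHeaderValueParser.parseParameters(header, new BasicHeaderValueParser())) {
            if (PARAM_DN.equals(param.getName())) {
                dn = param.getValue();
            } else if (PARAM_DSIG.equals(param.getName())) {
                dsig = param.getValue();
            }
        }
        if (dn == null || dsig == null) {
            return false;
        }
        if (validate && !isValid(dn, dsig)) {
            // A failed signature check leaves the tokens untouched: no user name and no
            // trusted consignor are set, so no identity is derived from the header.
            // The return value is kept as in the original. NOTE(review): confirm how the
            // calling chain interprets 'true' here — if it means "authenticated" rather
            // than "handled", this should fail closed and return false.
            return true;
        }
        securityTokens.setUserName(dn);
        // Trusted because the Gateway vouched for it (signature verified, or validation disabled).
        securityTokens.setConsignorTrusted(true);
        if (logger.isDebugEnabled()) {
            logger.debug("Authenticated X.509 certificate (via Gateway): <" + dn + ">");
        }
        return true;
    }

    /**
     * Verifies the Gateway's signature over the consignor DN.
     *
     * <p>The signed message is the SHA-1 digest of the DN bytes; the signature is the
     * Base64-encoded DSIG value, verified with the Gateway certificate's public key using
     * SHA1withRSA or SHA1withDSA depending on the key type.
     *
     * @param dn   the consignor DN as received in the header
     * @param dsig the Base64-encoded signature as received in the header
     * @return {@code true} only if the signature verifies; any error yields {@code false}
     */
    private boolean isValid(String dn, String dsig) {
        // Fail closed with a clear message rather than a NullPointerException if the
        // kernel was never injected.
        if (kernel == null) {
            logger.error("Cannot verify consignor signature: no Kernel injected");
            return false;
        }
        try {
            PublicKey gatewayKey = kernel.getContainerSecurityConfiguration().getGatewayCertificate().getPublicKey();
            String algorithm = "RSA".equalsIgnoreCase(gatewayKey.getAlgorithm()) ? "SHA1withRSA" : "SHA1withDSA";
            Signature verifier = Signature.getInstance(algorithm);
            verifier.initVerify(gatewayKey);
            // Explicit charset instead of the platform default, so the bytes signed and
            // verified do not depend on the JVM's file.encoding. NOTE(review): confirm the
            // Gateway encodes the DN the same way (only matters for non-ASCII DNs).
            verifier.update(hash(dn.getBytes(StandardCharsets.UTF_8)));
            boolean verified = verifier.verify(Base64.decodeBase64(dsig.getBytes(StandardCharsets.UTF_8)));
            if (!verified && logger.isDebugEnabled()) {
                logger.debug("Got invalid signature for DN <" + dn + ">");
            }
            return verified;
        } catch (Exception e) {
            // Broad catch on purpose: this is the trust boundary for the header, and any
            // failure (crypto, decoding, missing configuration) must be treated as "not valid".
            Log.logException("Error verifying signature", e, logger);
            return false;
        }
    }

    /**
     * Computes the SHA-1 digest of the given bytes (the value the Gateway signs).
     *
     * @param data the bytes to digest
     * @return the digest
     * @throws GeneralSecurityException if the SHA-1 algorithm is unavailable
     */
    private byte[] hash(byte[] data) throws GeneralSecurityException {
        MessageDigest digest = MessageDigest.getInstance("SHA1");
        return digest.digest(data);
    }
}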
