package com.zimbra.cs.service.authenticator;

import com.zimbra.common.account.Key;
import com.zimbra.common.localconfig.DebugConfig;
import com.zimbra.common.localconfig.LC;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.ByteUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AccountServiceException;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.service.authenticator.ClientCertPrincipalMap;
import com.zimbra.cs.service.authenticator.SSOAuthenticator;
import com.zimbra.cs.util.CertValidationUtil;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.nio.charset.Charset;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import sun.misc.BASE64Encoder;
import sun.security.x509.X509CertImpl;

/* loaded from: input_file:com/zimbra/cs/service/authenticator/ClientCertAuthenticator.class */
public class ClientCertAuthenticator extends SSOAuthenticator {
    static final String LOG_PREFIX = "certauth - ";

    public ClientCertAuthenticator(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        super(httpServletRequest, httpServletResponse);
    }

    @Override // com.zimbra.cs.service.authenticator.SSOAuthenticator
    public String getAuthType() {
        return "ClientCert";
    }

    @Override // com.zimbra.cs.service.authenticator.SSOAuthenticator
    public SSOAuthenticator.ZimbraPrincipal authenticate() throws ServiceException {
        SSOAuthenticator.ZimbraPrincipal apply;
        X509Certificate cert = getCert();
        if (DebugConfig.certAuthCaptureClientCertificate) {
            captureClientCert(cert);
        }
        for (ClientCertPrincipalMap.Rule rule : new ClientCertPrincipalMap(this.req).getRules()) {
            try {
                ZimbraLog.account.debug("certauth - Attempting rule " + rule.getName());
                apply = rule.apply(cert);
            } catch (ServiceException e) {
                ZimbraLog.account.debug("certauth - Rule " + rule.getName() + " not matched", e);
            }
            if (apply != null) {
                return apply;
            }
            ZimbraLog.account.debug("certauth - Rule " + rule.getName() + " not matched");
        }
        throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(cert.toString(), "ClientCertAuthenticator - no matching Zimbra principal from client certificate.", (Throwable) null);
    }

    private void captureClientCert(X509Certificate x509Certificate) {
        FileOutputStream fileOutputStream = null;
        OutputStreamWriter outputStreamWriter = null;
        try {
            try {
                File file = new File(LC.zimbra_tmp_directory.value() + "/clientcert." + new SimpleDateFormat("yyyyMMdd-HHmmss.S").format(new Date()));
                byte[] encoded = x509Certificate.getEncoded();
                fileOutputStream = new FileOutputStream(file);
                outputStreamWriter = new OutputStreamWriter(fileOutputStream, Charset.forName("UTF-8"));
                outputStreamWriter.write("-----BEGIN CERTIFICATE-----\n");
                outputStreamWriter.write(new BASE64Encoder().encode(encoded));
                outputStreamWriter.write("\n-----END CERTIFICATE-----\n");
                outputStreamWriter.flush();
                ByteUtil.closeWriter(outputStreamWriter);
                ByteUtil.closeStream(fileOutputStream);
            } catch (IOException e) {
                ZimbraLog.account.debug("certauth - unable to capture cert", e);
                ByteUtil.closeWriter(outputStreamWriter);
                ByteUtil.closeStream(fileOutputStream);
            } catch (CertificateEncodingException e2) {
                ZimbraLog.account.debug("certauth - unable to capture cert", e2);
                ByteUtil.closeWriter(outputStreamWriter);
                ByteUtil.closeStream(fileOutputStream);
            }
        } catch (Throwable th) {
            ByteUtil.closeWriter(outputStreamWriter);
            ByteUtil.closeStream(fileOutputStream);
            throw th;
        }
    }

    private X509Certificate getCert() throws ServiceException {
        X509Certificate[] x509CertificateArr = (X509Certificate[]) this.req.getAttribute("javax.servlet.request.X509Certificate");
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            throw SSOAuthenticator.SSOAuthenticatorServiceException.NO_CLIENT_CERTIFICATE();
        }
        validateClientCert(x509CertificateArr);
        return x509CertificateArr[0];
    }

    public static Account getAccountByX509SubjectDN(String str) throws ServiceException {
        Object value;
        try {
            for (Rdn rdn : new LdapName(str).getRdns()) {
                if ("EMAILADDRESS".equals(rdn.getType()) && (value = rdn.getValue()) != null) {
                    String obj = value.toString();
                    Account account = Provisioning.getInstance().get(Key.AccountBy.name, obj);
                    if (account != null) {
                        return account;
                    }
                    ZimbraLog.account.debug("certauth - account not found: " + obj);
                }
            }
            return null;
        } catch (InvalidNameException e) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("ClientCertAuthenticator - invalid X509 subject: " + str, (Throwable) e);
        }
    }

    private String getSubjectDNForLogging(X509Certificate x509Certificate) {
        return CertValidationUtil.getSubjectDN(x509Certificate);
    }

    private void validateClientCert(X509Certificate[] x509CertificateArr) throws ServiceException {
        String str = null;
        try {
            boolean isMailSSLClientCertOCSPEnabled = Provisioning.getInstance().getLocalServer().isMailSSLClientCertOCSPEnabled();
            Set<TrustAnchor> loadTrustedAnchors = isMailSSLClientCertOCSPEnabled ? CertValidationUtil.loadTrustedAnchors(LC.client_ssl_truststore_password.value().toCharArray(), LC.client_ssl_truststore.value()) : null;
            for (X509Certificate x509Certificate : x509CertificateArr) {
                str = getSubjectDNForLogging(x509Certificate);
                CertValidationUtil.validateCertificate(x509Certificate, isMailSSLClientCertOCSPEnabled, loadTrustedAnchors);
            }
        } catch (FileNotFoundException e) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(str, "mailboxd keystore can't be found", e);
        } catch (IOException e2) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(str, "received IOException", e2);
        } catch (InvalidAlgorithmParameterException e3) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(str, "received InvalidAlgorithmParameter while obtaining instance of certpath validator", e3);
        } catch (KeyStoreException e4) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(str, "received KeyStoreException while loading KeyStore", e4);
        } catch (NoSuchAlgorithmException e5) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(str, "received NoSuchAlgorithmException while obtaining instance of certpath validator", e5);
        } catch (CertPathValidatorException e6) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(str, "received CertPathValidatorException" + e6.getMessage(), e6);
        } catch (CertificateExpiredException e7) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(str, "client certificate expired", e7);
        } catch (CertificateNotYetValidException e8) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(str, "client certificate not yet valid", e8);
        } catch (CertificateException e9) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(str, "can't generate certpath for client certificate", e9);
        }
    }

    private boolean IsAIAInfoPresent(X509Certificate x509Certificate) {
        try {
            return X509CertImpl.toImpl(x509Certificate).getAuthorityInfoAccessExtension() != null;
        } catch (CertificateException e) {
            return false;
        }
    }
}
