package com.yahoo.athenz.auth.impl;

import com.yahoo.athenz.auth.AuthorityConsts;
import com.yahoo.athenz.auth.util.AthenzUtils;
import com.yahoo.athenz.auth.util.Crypto;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:com/yahoo/athenz/auth/impl/CertificateIdentityParser.class */
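/**
 * Extracts an Athenz {@link CertificateIdentity} (domain, service, optional roles) from the
 * leaf certificate of a client chain.
 *
 * <p>Only {@code certs[0]} is inspected; this class does not validate the chain, its
 * signature or its validity period. NOTE(review): it assumes the TLS layer has already
 * authenticated the chain before the request attribute is populated — confirm at the caller.
 *
 * <p>Two kinds of role information are recognised:
 * <ul>
 *   <li>a CN containing {@link AuthorityConsts#ROLE_SEP}, in which case the service principal
 *       is taken from the local part of the first email SAN entry;</li>
 *   <li>URI SAN entries with the {@link #ZTS_CERT_ROLE_URI} prefix, each contributing
 *       {@code domain + ROLE_SEP + role}.</li>
 * </ul>
 * When {@code excludeRoleCertificates} is set, any certificate carrying either kind is rejected.
 *
 * <p>Instances are immutable and therefore safe to share between threads, provided the
 * excluded-principal set handed to the constructor is not mutated concurrently.
 */
public class CertificateIdentityParser {
    public static final String JAVAX_CERT_ATTR = "javax.servlet.request.X509Certificate";
    public static final String ZTS_CERT_ROLE_URI = "athenz://role/";
    public static final String EMPTY_CERT_ERR_MSG = "No certificate available in request";

    // Principal names (certificate CNs) that must never be accepted; null means no exclusions.
    private final Set<String> excludedPrincipalSet;
    // When true, certificates that carry role information (CN or URI SAN) are rejected.
    private final boolean excludeRoleCertificates;

    /**
     * Creates a parser.
     *
     * @param excludedPrincipalSet CNs to reject outright, or {@code null} for none. The set is
     *        referenced, not copied, so later changes by the caller are observed.
     * @param excludeRoleCertificates whether role certificates must be rejected
     */
    public CertificateIdentityParser(Set<String> excludedPrincipalSet, boolean excludeRoleCertificates) {
        this.excludedPrincipalSet = excludedPrincipalSet;
        this.excludeRoleCertificates = excludeRoleCertificates;
    }

    /**
     * Parses the identity from the client certificate chain the servlet container stored under
     * {@link #JAVAX_CERT_ATTR}.
     *
     * @param request the current request
     * @return the identity described by the leaf certificate
     * @throws CertificateIdentityException if no certificate is present or it does not describe
     *         a valid, permitted identity
     */
    public CertificateIdentity parse(HttpServletRequest request) throws CertificateIdentityException {
        // The container owns this attribute; a missing attribute yields null and is reported below.
        return parse((X509Certificate[]) request.getAttribute(JAVAX_CERT_ATTR));
    }

    /**
     * Parses the identity from a certificate chain whose first element is the leaf.
     *
     * @param certs the chain; may be {@code null} or empty
     * @return the identity described by {@code certs[0]}
     * @throws CertificateIdentityException if the chain is absent or empty, the CN is empty or
     *         excluded, role information is malformed or not allowed, or the principal does not
     *         split into a domain/service pair
     */
    public CertificateIdentity parse(X509Certificate[] certs) throws CertificateIdentityException {
        // Check the length as well: an empty chain must be reported as "no certificate",
        // not surface as an ArrayIndexOutOfBoundsException.
        if (certs == null || certs.length == 0 || certs[0] == null) {
            throw new CertificateIdentityException(EMPTY_CERT_ERR_MSG);
        }
        X509Certificate leaf = certs[0];

        String principalName = Crypto.extractX509CertCommonName(leaf);
        if (principalName == null || principalName.isEmpty()) {
            throw new CertificateIdentityException("Certificate principal is empty");
        }
        if (excludedPrincipalSet != null && excludedPrincipalSet.contains(principalName)) {
            throw new CertificateIdentityException("Principal is excluded");
        }

        // Stays null when the certificate carries no role information at all; the
        // CN-derived role (if any) is listed first, URI-derived roles follow in SAN order.
        List<String> roles = null;
        if (principalName.indexOf(AuthorityConsts.ROLE_SEP) != -1) {
            if (excludeRoleCertificates) {
                throw new CertificateIdentityException("Role Certificates not allowed");
            }
            roles = new ArrayList<>();
            roles.add(principalName);
            // For a role certificate the CN names the role, so the service principal
            // comes from the email SAN instead.
            principalName = extractRoleCertPrincipal(leaf);
        }

        List<String> uriRoles = extractUriRoles(leaf);
        if (!uriRoles.isEmpty()) {
            if (roles == null) {
                roles = new ArrayList<>();
            }
            roles.addAll(uriRoles);
        }

        if (excludeRoleCertificates && roles != null) {
            throw new CertificateIdentityException("Role Certificates not allowed");
        }

        String[] parts = AthenzUtils.splitPrincipalName(principalName);
        if (parts == null) {
            throw new CertificateIdentityException("Principal is not a valid service identity");
        }
        return new CertificateIdentity(parts[0], parts[1], roles, leaf);
    }

    /**
     * Returns the service principal of a role certificate: the local part (before {@code '@'})
     * of the first email SAN entry.
     *
     * @throws CertificateIdentityException if there is no email SAN or it has no {@code '@'}
     */
    private static String extractRoleCertPrincipal(X509Certificate cert) throws CertificateIdentityException {
        List<String> emails = Crypto.extractX509CertEmails(cert);
        if (emails.isEmpty()) {
            throw new CertificateIdentityException("Invalid role cert, no email SAN entry");
        }
        String email = emails.get(0);
        int at = email.indexOf('@');
        if (at == -1) {
            throw new CertificateIdentityException("Invalid role cert, invalid email SAN entry");
        }
        return email.substring(0, at);
    }

    /**
     * Collects the roles encoded as {@code athenz://role/<domain>/<role>} URI SAN entries,
     * each rendered as {@code domain + ROLE_SEP + role}; an empty list when there are none.
     *
     * @throws CertificateIdentityException if a role URI lacks the domain/role separator
     */
    private static List<String> extractUriRoles(X509Certificate cert) throws CertificateIdentityException {
        List<String> roles = new ArrayList<>();
        for (String uri : Crypto.extractX509CertURIs(cert)) {
            // Prefix match is case-insensitive; Locale.ROOT keeps it independent of the JVM
            // default locale. Offsets are taken on the original string, which is safe because
            // the prefix is ASCII and lower-casing it does not change its length.
            if (!uri.toLowerCase(Locale.ROOT).startsWith(ZTS_CERT_ROLE_URI)) {
                continue;
            }
            String domainAndRole = uri.substring(ZTS_CERT_ROLE_URI.length());
            int sep = domainAndRole.indexOf('/');
            if (sep == -1) {
                throw new CertificateIdentityException("Invalid role cert, invalid uri SAN entry");
            }
            roles.add(domainAndRole.substring(0, sep) + AuthorityConsts.ROLE_SEP + domainAndRole.substring(sep + 1));
        }
        return roles;
    }
}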
