package org.apache.catalina.authenticator;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.coyote.ActionCode;

/* loaded from: input_file:lib/tomcat-embed-core-8.0-SNAPSHOT.jar:org/apache/catalina/authenticator/SSLAuthenticator.class */
/**
 * Authenticator for the {@code CLIENT-CERT} method: a request is accepted when the
 * context's Realm maps the client's X.509 certificate chain to a Principal.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>This class never inspects the chain itself (validity period, issuer, revocation,
 *       subject mapping). The accept/reject decision is entirely the result of
 *       {@code Realm.authenticate(X509Certificate[])}; whatever checks are needed must
 *       happen in the TLS layer or in the configured Realm.</li>
 *   <li>A Principal already attached to the request short-circuits everything below, so
 *       the certificate is not looked at again for that request.</li>
 *   <li>Both failure paths answer 401, but with different message keys, so the response
 *       text distinguishes "no certificate presented" from "certificate rejected".</li>
 * </ul>
 */
public class SSLAuthenticator extends AuthenticatorBase {

    /** Request attribute from which the client certificate chain is read. */
    private static final String CERTIFICATE_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /**
     * Authenticates the request from its client certificate chain.
     *
     * @param request the request being processed
     * @param httpServletResponse the response used to report a 401 on failure
     * @return {@code true} if the request already carried a Principal or the Realm accepted
     *         the chain; {@code false} after a 401 has been sent
     * @throws IOException if sending the error response fails
     */
    @Override
    public boolean authenticate(Request request, HttpServletResponse httpServletResponse) throws IOException {
        // Fast path: an earlier component already established the caller's identity.
        Principal existing = request.getUserPrincipal();
        if (existing != null) {
            if (this.containerLog.isDebugEnabled()) {
                // NOTE(review): the principal name is concatenated into the log line as-is.
                this.containerLog.debug("Already authenticated '" + existing.getName() + "'");
            }
            // If a single-sign-on id was noted on the request, tie it to the session
            // (the session is created when absent).
            String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
            if (ssoId != null) {
                associate(ssoId, request.getSessionInternal(true));
            }
            return true;
        }

        if (this.containerLog.isDebugEnabled()) {
            this.containerLog.debug(" Looking up certificates");
        }

        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERTIFICATE_ATTRIBUTE);
        if (lacksCertificates(chain)) {
            // Nothing on the request yet: ask the connector for the certificate, then re-read.
            // NOTE(review): presumably this is where the connector may request a certificate
            // from the client on the live connection - confirm for the connector in use.
            try {
                request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);
                chain = (X509Certificate[]) request.getAttribute(CERTIFICATE_ATTRIBUTE);
            } catch (IllegalStateException e) {
                // Treated exactly like "no certificate": fail closed with a 401.
                httpServletResponse.sendError(
                        HttpServletResponse.SC_UNAUTHORIZED, sm.getString("authenticator.certificates"));
                return false;
            }
        }

        if (lacksCertificates(chain)) {
            if (this.containerLog.isDebugEnabled()) {
                this.containerLog.debug("  No certificates included with this request");
            }
            httpServletResponse.sendError(
                    HttpServletResponse.SC_UNAUTHORIZED, sm.getString("authenticator.certificates"));
            return false;
        }

        // The Realm is the sole authority on whether this chain identifies a known user.
        Principal authenticated = this.context.getRealm().authenticate(chain);
        if (authenticated == null) {
            if (this.containerLog.isDebugEnabled()) {
                this.containerLog.debug("  Realm.authenticate() returned false");
            }
            httpServletResponse.sendError(
                    HttpServletResponse.SC_UNAUTHORIZED, sm.getString("authenticator.unauthorized"));
            return false;
        }

        // No username/password is recorded for certificate logins, hence the two nulls.
        register(request, httpServletResponse, authenticated, HttpServletRequest.CLIENT_CERT_AUTH, null, null);
        return true;
    }

    /**
     * Reports the authentication method implemented by this authenticator.
     *
     * @return {@link HttpServletRequest#CLIENT_CERT_AUTH}
     */
    @Override
    protected String getAuthMethod() {
        return HttpServletRequest.CLIENT_CERT_AUTH;
    }

    /** Returns {@code true} when the chain is {@code null} or holds no certificate. */
    private static boolean lacksCertificates(X509Certificate[] chain) {
        return chain == null || chain.length < 1;
    }
}
