package org.forgerock.openam.sts.token.validator.disp;

import com.google.inject.Inject;
import com.sun.identity.shared.encode.Base64;
import java.io.IOException;
import java.net.URL;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.inject.Named;
import org.forgerock.openam.sts.HttpURLConnectionWrapper;
import org.forgerock.openam.sts.HttpURLConnectionWrapperFactory;
import org.forgerock.openam.sts.TokenValidationException;
import org.forgerock.openam.sts.config.user.AuthTargetMapping;
import org.slf4j.Logger;

/* loaded from: input_file:org/forgerock/openam/sts/token/validator/disp/CertificateAuthenticationRequestDispatcher.class */
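/**
 * Dispatches an X509-certificate authentication request to the OpenAM REST authN service.
 *
 * <p>The first certificate of the presented array is base64-encoded and sent as the value of a
 * request header whose name is taken from the {@link AuthTargetMapping.AuthTarget} context under
 * the key {@value #X509_HEADER_KEY}. A 200 response is returned verbatim; anything else is mapped
 * to a {@link TokenValidationException} carrying the remote status code.
 *
 * <p>NOTE(review): the downstream authN endpoint has to be the only party able to set the
 * configured certificate header on requests it trusts; whether that is enforced is outside this
 * class and should be confirmed in the deployment.
 */
public class CertificateAuthenticationRequestDispatcher implements TokenAuthenticationRequestDispatcher<X509Certificate[]> {
    /** Key in the AuthTarget context whose String value names the header that carries the client certificate. */
    private static final String X509_HEADER_KEY = "x509_token_auth_target_header_key";

    /** Message for a missing or mis-configured AuthTarget; shared by every rejection path that concerns it. */
    private static final String MISSING_AUTH_TARGET_MESSAGE =
            "When validating X509 Certificates, an AuthTarget needs to be configured with a Map containing a String entry referenced by key "
            + X509_HEADER_KEY
            + " which specifies the header name which will reference the client's X509 Certificate.";

    private final String crestVersionAuthNService;
    private final HttpURLConnectionWrapperFactory httpURLConnectionWrapperFactory;
    private final Logger logger;

    /**
     * @param str                             CREST API version sent in the {@code Accept-API-Version} header
     * @param httpURLConnectionWrapperFactory factory producing the connection wrapper used for the POST
     * @param logger                          sink for the multi-certificate warning
     */
    @Inject
    public CertificateAuthenticationRequestDispatcher(@Named("crest_version_authn_service") String str, HttpURLConnectionWrapperFactory httpURLConnectionWrapperFactory, Logger logger) {
        this.crestVersionAuthNService = str;
        this.httpURLConnectionWrapperFactory = httpURLConnectionWrapperFactory;
        this.logger = logger;
    }

    /**
     * Posts the first certificate of {@code x509CertificateArr} to {@code url}.
     *
     * @param url                the REST authN endpoint
     * @param authTarget         target configuration naming the certificate header; must not be null
     * @param x509CertificateArr the presented certificate(s); must contain at least one element
     * @return the response body of a 200 reply
     * @throws TokenValidationException with status 400 when no certificate is presented, when the AuthTarget does not
     *                                  name a header, or when the certificate cannot be encoded; with the remote status
     *                                  on a non-200 reply; with 500 on an I/O failure
     */
    @Override
    public String dispatch(URL url, AuthTargetMapping.AuthTarget authTarget, X509Certificate[] x509CertificateArr) throws TokenValidationException {
        // Guard before indexing: an empty or absent array would otherwise surface as an ArrayIndexOutOfBoundsException.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new TokenValidationException(400, "No X509 Certificate was presented for validation.");
        }
        if (x509CertificateArr.length > 1) {
            StringBuilder sb = new StringBuilder("Dealing with more than a single certificate. Their DNs:");
            for (X509Certificate cert : x509CertificateArr) {
                sb.append("\n").append(cert.getSubjectDN());
            }
            logger.warn(sb.toString());
        }
        // Only element 0 is forwarded; presumably the end-entity certificate — TODO confirm with the caller that builds the array.
        return postCertInHeader(url, x509CertificateArr[0], authTarget);
    }

    /**
     * Base64-encodes {@code x509Certificate} and POSTs it to {@code url} in the configured header.
     *
     * @throws TokenValidationException see {@link #dispatch(URL, AuthTargetMapping.AuthTarget, X509Certificate[])}
     */
    private String postCertInHeader(URL url, X509Certificate x509Certificate, AuthTargetMapping.AuthTarget authTarget) throws TokenValidationException {
        // Resolve configuration first so a mis-configured target is reported before any certificate work.
        String certificateHeader = certificateHeaderName(authTarget);

        String encodedCert;
        try {
            encodedCert = Base64.encode(x509Certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new TokenValidationException(400, "Could not obtain the base64-encoded representation of the client certificate: " + e, e);
        }

        Map<String, String> headers = new HashMap<String, String>();
        headers.put("Content-Type", "application/json");
        headers.put("Accept-API-Version", crestVersionAuthNService);
        headers.put(certificateHeader, encodedCert);

        try {
            HttpURLConnectionWrapper.ConnectionResult result = httpURLConnectionWrapperFactory
                    .httpURLConnectionWrapper(url)
                    .setRequestHeaders(headers)
                    .setRequestMethod("POST")
                    .makeInvocation();
            int statusCode = result.getStatusCode();
            if (statusCode != 200) {
                // NOTE(review): the remote response body is echoed into the exception message; check whether that
                // message can reach an untrusted caller before relying on this for anything but operator diagnostics.
                throw new TokenValidationException(statusCode, "Non-200 response from posting x509 token to rest authN: " + result.getResult());
            }
            return result.getResult();
        } catch (IOException e) {
            throw new TokenValidationException(500, "Exception caught posting x509 token to rest authN: " + e, e);
        }
    }

    /**
     * Reads the certificate header name from the AuthTarget context.
     *
     * @param authTarget target configuration; may be null, in which case a 400 is raised
     * @return the non-empty header name
     * @throws TokenValidationException status 400 when the target, its context, or the String entry is missing
     */
    private static String certificateHeaderName(AuthTargetMapping.AuthTarget authTarget) throws TokenValidationException {
        // getContext() may itself be null for an incomplete configuration; treat that the same as a missing target.
        if (authTarget == null || authTarget.getContext() == null) {
            throw new TokenValidationException(400, MISSING_AUTH_TARGET_MESSAGE);
        }
        Object headerName = authTarget.getContext().get(X509_HEADER_KEY);
        // An empty header name would fail deep inside the HTTP layer; reject it here with the configuration message instead.
        if (!(headerName instanceof String) || ((String) headerName).isEmpty()) {
            throw new TokenValidationException(400, MISSING_AUTH_TARGET_MESSAGE);
        }
        return (String) headerName;
    }
}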
