package org.xipki.http.servlet;

import io.netty.handler.codec.http.HttpRequest;
import io.netty.util.CharsetUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/* loaded from: classes4.dex */
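/**
 * Resolves the X.509 client certificate that authenticated an HTTP request.
 *
 * <p>The certificate comes from exactly one source, selected by the configured
 * {@code SslReverseProxyMode}:
 * <ul>
 *   <li>{@code NONE} (or {@code null}): the peer certificate of the local TLS session.</li>
 *   <li>{@code APACHE}: the {@code SSL_CLIENT_VERIFY} / {@code SSL_CLIENT_CERT} request
 *       headers set by a TLS-terminating reverse proxy.</li>
 * </ul>
 *
 * <p>Security: the forwarded headers are ordinary request headers and carry no proof of
 * origin. They are honoured only in {@code APACHE} mode. That mode is safe only if the
 * proxy overwrites or strips any client-supplied {@code SSL_CLIENT_*} headers and this
 * service cannot be reached except through the proxy. Neither condition is enforced here,
 * so both must be verified in the deployment.
 */
class ClientCertCache {
    private static final String PEM_BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String PEM_END = "-----END CERTIFICATE-----";

    private static final CertificateFactory cf;

    // Parsed certificates keyed by the raw SSL_CLIENT_CERT header value, so a repeated
    // header is not re-parsed. NOTE(review): 100 is presumably the LRU capacity, and the
    // thread-safety of SimpleLruCache is not visible from this file - confirm both.
    private static final SimpleLruCache<String, X509Certificate> clientCerts;

    static {
        try {
            cf = CertificateFactory.getInstance("X509");
            clientCerts = new SimpleLruCache<>(100);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    ClientCertCache() {
    }

    /**
     * Returns the TLS client certificate for the request, or {@code null} if the client
     * did not present a verified one.
     *
     * @param httpRequest the request; its headers are read only in {@code APACHE} mode
     * @param sSLSession the local TLS session, may be {@code null}; used only in
     *     {@code NONE} mode (or when the mode is {@code null})
     * @param sslReverseProxyMode how TLS is terminated; {@code null} is treated as {@code NONE}
     * @return the client certificate, or {@code null} if none is available
     * @throws IOException if the forwarded certificate header cannot be decoded or parsed
     * @throws RuntimeException if the mode is neither {@code NONE} nor {@code APACHE}
     */
    public static X509Certificate getTlsClientCert(HttpRequest httpRequest, SSLSession sSLSession, SslReverseProxyMode sslReverseProxyMode) throws IOException {
        if (sslReverseProxyMode == null || sslReverseProxyMode == SslReverseProxyMode.NONE) {
            // Without a configured reverse proxy the TLS session is the only trustworthy
            // source. Falling back to the SSL_CLIENT_* headers here would let any direct
            // client that skipped client authentication assert an identity of its choice.
            return certFromSession(sSLSession);
        }
        if (sslReverseProxyMode != SslReverseProxyMode.APACHE) {
            throw new RuntimeException("Should not reach here, unknown SslReverseProxyMode " + sslReverseProxyMode);
        }
        return certFromProxyHeaders(httpRequest);
    }

    /** Returns the first peer certificate of the session if it is an X.509 certificate, else null. */
    private static X509Certificate certFromSession(SSLSession session) {
        if (session == null) {
            return null;
        }
        Certificate[] peerCerts;
        try {
            peerCerts = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException unverified) {
            // The peer was not authenticated: report "no client certificate".
            return null;
        }
        if (peerCerts == null || peerCerts.length < 1) {
            return null;
        }
        // Treat a non-X.509 peer certificate as absent instead of failing with a ClassCastException.
        Certificate first = peerCerts[0];
        return (first instanceof X509Certificate) ? (X509Certificate) first : null;
    }

    /** Parses, with caching, the certificate a reverse proxy forwarded in SSL_CLIENT_CERT. */
    private static X509Certificate certFromProxyHeaders(HttpRequest httpRequest) throws IOException {
        String verifyResult = httpRequest.headers().get("SSL_CLIENT_VERIFY");
        if (verifyResult == null || !"SUCCESS".equalsIgnoreCase(verifyResult.trim())) {
            return null;
        }
        String pem = httpRequest.headers().get("SSL_CLIENT_CERT");
        if (pem == null || pem.isEmpty()) {
            return null;
        }
        X509Certificate cached = clientCerts.get(pem);
        if (cached != null) {
            return cached;
        }

        // A PEM body forwarded in a header normally contains spaces or line breaks, which
        // the strict java.util.Base64 decoder rejects, so strip all whitespace first.
        String base64 = pem.replace(PEM_BEGIN, "").replace(PEM_END, "").replaceAll("\\s", "");
        byte[] der;
        try {
            der = Base64.getDecoder().decode(base64.getBytes(CharsetUtil.US_ASCII));
        } catch (IllegalArgumentException e) {
            // Malformed Base64 is a bad-input condition, reported like any other parse failure.
            throw new IOException("could not parse Certificate", e);
        }
        try {
            X509Certificate parsed = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
            clientCerts.put(pem, parsed);
            return parsed;
        } catch (CertificateException e) {
            throw new IOException("could not parse Certificate", e);
        }
    }
}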
