package org.keycloak.authentication.authenticators.x509;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.cert.CRLException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.x500.X500Principal;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;
import org.bouncycastle.asn1.x509.CertificatePolicies;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.keycloak.authentication.authenticators.x509.OCSPUtils;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.common.util.Time;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.processing.core.util.XMLSignatureUtil;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.truststore.TruststoreProvider;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;
import org.keycloak.utils.CRLUtils;

/* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator.class */
public class CertificateValidator {
    private static final ServicesLogger logger = ServicesLogger.LOGGER;
    KeycloakSession session;
    X509Certificate[] _certChain;
    int _keyUsageBits;
    List<String> _extendedKeyUsage;
    List<String> _certificatePolicy;
    String _certificatePolicyMode;
    boolean _crlCheckingEnabled;
    boolean _crldpEnabled;
    CRLLoaderImpl _crlLoader;
    boolean _ocspEnabled;
    boolean _ocspFailOpen;
    OCSPChecker ocspChecker;
    boolean _timestampValidationEnabled;
    boolean _trustValidationEnabled;

    /* renamed from: org.keycloak.authentication.authenticators.x509.CertificateValidator$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$authentication$authenticators$x509$CertificateValidator$KeyUsageBits = new int[KeyUsageBits.values().length];

        static {
            try {
                $SwitchMap$org$keycloak$authentication$authenticators$x509$CertificateValidator$KeyUsageBits[KeyUsageBits.CRLSIGN.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$keycloak$authentication$authenticators$x509$CertificateValidator$KeyUsageBits[KeyUsageBits.DATA_ENCIPHERMENT.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$keycloak$authentication$authenticators$x509$CertificateValidator$KeyUsageBits[KeyUsageBits.DECIPHER_ONLY.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$keycloak$authentication$authenticators$x509$CertificateValidator$KeyUsageBits[KeyUsageBits.DIGITAL_SIGNATURE.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$keycloak$authentication$authenticators$x509$CertificateValidator$KeyUsageBits[KeyUsageBits.ENCIPHERMENT_ONLY.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$keycloak$authentication$authenticators$x509$CertificateValidator$KeyUsageBits[KeyUsageBits.KEY_AGREEMENT.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$keycloak$authentication$authenticators$x509$CertificateValidator$KeyUsageBits[KeyUsageBits.KEY_ENCIPHERMENT.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$keycloak$authentication$authenticators$x509$CertificateValidator$KeyUsageBits[KeyUsageBits.KEYCERTSIGN.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$keycloak$authentication$authenticators$x509$CertificateValidator$KeyUsageBits[KeyUsageBits.NON_REPUDIATION.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
        }
    }

    /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$BouncyCastleOCSPChecker.class */
    public static class BouncyCastleOCSPChecker extends OCSPChecker {
        private final KeycloakSession session;
        private final String responderUri;
        private final X509Certificate responderCert;

        BouncyCastleOCSPChecker(KeycloakSession keycloakSession, String str, X509Certificate x509Certificate) {
            this.session = keycloakSession;
            this.responderUri = str;
            this.responderCert = x509Certificate;
        }

        @Override // org.keycloak.authentication.authenticators.x509.CertificateValidator.OCSPChecker
        public OCSPUtils.OCSPRevocationStatus check(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertPathValidatorException {
            OCSPUtils.OCSPRevocationStatus check;
            if (this.responderUri == null || this.responderUri.trim().length() == 0) {
                check = OCSPUtils.check(this.session, x509Certificate, x509Certificate2);
            } else {
                try {
                    URI uri = new URI(this.responderUri);
                    CertificateValidator.logger.tracef("Responder URI \"%s\" will be used to verify revocation status of the certificate using OCSP with responderCert=%s", uri.toString(), this.responderCert);
                    check = OCSPUtils.check(this.session, x509Certificate, x509Certificate2, uri, this.responderCert, (Date) null);
                } catch (URISyntaxException e) {
                    throw new CertPathValidatorException(String.format("Unable to check certificate revocation status using OCSP.\n%s", e.getMessage()), e);
                }
            }
            return check;
        }
    }

    /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CRLFileLoader.class */
    public static class CRLFileLoader extends CRLLoaderImpl {
        private final KeycloakSession session;
        private final String cRLPath;
        private final LdapContext ldapContext;

        public CRLFileLoader(KeycloakSession keycloakSession, String str) {
            this.session = keycloakSession;
            this.cRLPath = str;
            this.ldapContext = new LdapContext();
        }

        public CRLFileLoader(KeycloakSession keycloakSession, String str, LdapContext ldapContext) {
            this.session = keycloakSession;
            this.cRLPath = str;
            this.ldapContext = ldapContext;
            if (ldapContext == null) {
                throw new NullPointerException("Context cannot be null");
            }
        }

        @Override // org.keycloak.authentication.authenticators.x509.CertificateValidator.CRLLoaderImpl
        public Collection<X509CRL> getX509CRLs() throws GeneralSecurityException {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            Collection<X509CRL> collection = null;
            if (this.cRLPath != null) {
                if (this.cRLPath.startsWith("http") || this.cRLPath.startsWith("https")) {
                    try {
                        collection = loadFromURI(certificateFactory, new URI(this.cRLPath));
                    } catch (URISyntaxException e) {
                        CertificateValidator.logger.error(e.getMessage());
                    }
                } else if (this.cRLPath.startsWith("ldap")) {
                    try {
                        collection = loadCRLFromLDAP(certificateFactory, new URI(this.cRLPath));
                    } catch (URISyntaxException e2) {
                        CertificateValidator.logger.error(e2.getMessage());
                    }
                } else {
                    collection = loadCRLFromFile(certificateFactory, this.cRLPath);
                }
            }
            if (collection == null || collection.size() == 0) {
                throw new GeneralSecurityException(String.format("Unable to load CRL from \"%s\"", this.cRLPath));
            }
            return collection;
        }

        private Collection<X509CRL> loadFromURI(CertificateFactory certificateFactory, URI uri) throws GeneralSecurityException {
            try {
                CertificateValidator.logger.debugf("Loading CRL from %s", uri.toString());
                CloseableHttpClient httpClient = this.session.getProvider(HttpClientProvider.class).getHttpClient();
                HttpGet httpGet = new HttpGet(uri);
                httpGet.setHeader("Pragma", "no-cache");
                httpGet.setHeader("Cache-Control", "no-cache, no-store");
                CloseableHttpResponse execute = httpClient.execute(httpGet);
                try {
                    try {
                        Set singleton = Collections.singleton(loadFromStream(certificateFactory, execute.getEntity().getContent()));
                        EntityUtils.consumeQuietly(execute.getEntity());
                        if (execute != null) {
                            execute.close();
                        }
                        return singleton;
                    } finally {
                    }
                } catch (Throwable th) {
                    EntityUtils.consumeQuietly(execute.getEntity());
                    throw th;
                }
            } catch (IOException e) {
                CertificateValidator.logger.errorf(e.getMessage(), new Object[0]);
                return Collections.emptyList();
            }
        }

        private Collection<X509CRL> loadCRLFromLDAP(CertificateFactory certificateFactory, URI uri) throws GeneralSecurityException {
            Hashtable hashtable = new Hashtable(2);
            hashtable.put("java.naming.factory.initial", this.ldapContext.getLdapFactoryClassName());
            hashtable.put("java.naming.provider.url", uri.toString());
            try {
                InitialDirContext initialDirContext = new InitialDirContext(hashtable);
                try {
                    byte[] bArr = (byte[]) initialDirContext.getAttributes("").get("certificateRevocationList;binary").get();
                    if (bArr == null || bArr.length == 0) {
                        throw new CertificateException(String.format("Failed to download CRL from \"%s\"", uri.toString()));
                    }
                    Set singleton = Collections.singleton(loadFromStream(certificateFactory, new ByteArrayInputStream(bArr)));
                    initialDirContext.close();
                    return singleton;
                } catch (Throwable th) {
                    initialDirContext.close();
                    throw th;
                }
            } catch (IOException e) {
                CertificateValidator.logger.error(e.getMessage());
                return Collections.emptyList();
            } catch (NamingException e2) {
                CertificateValidator.logger.error(e2.getMessage());
                return Collections.emptyList();
            }
        }

        private Collection<X509CRL> loadCRLFromFile(CertificateFactory certificateFactory, String str) throws GeneralSecurityException {
            try {
                String property = System.getProperty("jboss.server.config.dir");
                if (property != null) {
                    File file = new File(property + File.separator + str);
                    if (file.isFile()) {
                        CertificateValidator.logger.debugf("Loading CRL from %s", file.getAbsolutePath());
                        if (!file.canRead()) {
                            throw new IOException(String.format("Unable to read CRL from \"%s\"", file.getAbsolutePath()));
                        }
                        FileInputStream fileInputStream = new FileInputStream(file.getAbsolutePath());
                        try {
                            Set singleton = Collections.singleton(loadFromStream(certificateFactory, fileInputStream));
                            fileInputStream.close();
                            return singleton;
                        } finally {
                        }
                    }
                }
            } catch (IOException e) {
                CertificateValidator.logger.errorf(e.getMessage(), new Object[0]);
            }
            return Collections.emptyList();
        }

        private X509CRL loadFromStream(CertificateFactory certificateFactory, InputStream inputStream) throws IOException, CRLException {
            DataInputStream dataInputStream = new DataInputStream(inputStream);
            X509CRL x509crl = (X509CRL) certificateFactory.generateCRL(dataInputStream);
            dataInputStream.close();
            return x509crl;
        }
    }

    /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CRLListLoader.class */
    public static class CRLListLoader extends CRLLoaderImpl {
        private final List<CRLLoaderImpl> delegates;

        public CRLListLoader(KeycloakSession keycloakSession, String str) {
            this.delegates = (List) Arrays.stream(Constants.CFG_DELIMITER_PATTERN.split(str)).map(str2 -> {
                return new CRLFileLoader(keycloakSession, str2);
            }).collect(Collectors.toList());
        }

        @Override // org.keycloak.authentication.authenticators.x509.CertificateValidator.CRLLoaderImpl
        public Collection<X509CRL> getX509CRLs() throws GeneralSecurityException {
            LinkedList linkedList = new LinkedList();
            Iterator<CRLLoaderImpl> it = this.delegates.iterator();
            while (it.hasNext()) {
                linkedList.addAll(it.next().getX509CRLs());
            }
            return linkedList;
        }
    }

    /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CRLLoaderImpl.class */
    public static abstract class CRLLoaderImpl {
        public abstract Collection<X509CRL> getX509CRLs() throws GeneralSecurityException;
    }

    /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CRLLoaderProxy.class */
    public static class CRLLoaderProxy extends CRLLoaderImpl {
        private final X509CRL _crl;

        public CRLLoaderProxy(X509CRL x509crl) {
            this._crl = x509crl;
        }

        @Override // org.keycloak.authentication.authenticators.x509.CertificateValidator.CRLLoaderImpl
        public Collection<X509CRL> getX509CRLs() throws GeneralSecurityException {
            return Collections.singleton(this._crl);
        }
    }

    /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder.class */
    public static class CertificateValidatorBuilder {
        KeycloakSession session;
        String _certificatePolicyMode;
        boolean _crlCheckingEnabled;
        boolean _crldpEnabled;
        CRLLoaderImpl _crlLoader;
        boolean _ocspEnabled;
        boolean _ocspFailOpen;
        String _responderUri;
        X509Certificate _responderCert;
        boolean _timestampValidationEnabled;
        boolean _trustValidationEnabled;
        List<String> _extendedKeyUsage = new LinkedList();
        List<String> _certificatePolicy = new LinkedList();
        int _keyUsageBits = 0;

        /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder$CertificatePolicyValidationBuilder.class */
        public class CertificatePolicyValidationBuilder {
            CertificateValidatorBuilder _parent;

            protected CertificatePolicyValidationBuilder(CertificateValidatorBuilder certificateValidatorBuilder) {
                this._parent = certificateValidatorBuilder;
            }

            public CertificatePolicyValidationBuilder mode(String str) {
                CertificateValidatorBuilder.this._certificatePolicyMode = str;
                return this;
            }

            public CertificateValidatorBuilder parse(String str) {
                if (str == null || str.trim().length() == 0) {
                    return this._parent;
                }
                for (String str2 : str.split("[,;:]")) {
                    CertificateValidatorBuilder.this._certificatePolicy.add(str2.trim());
                }
                return this._parent;
            }
        }

        /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder$ExtendedKeyUsageValidationBuilder.class */
        public class ExtendedKeyUsageValidationBuilder {
            CertificateValidatorBuilder _parent;

            protected ExtendedKeyUsageValidationBuilder(CertificateValidatorBuilder certificateValidatorBuilder) {
                this._parent = certificateValidatorBuilder;
            }

            public CertificateValidatorBuilder parse(String str) {
                if (str == null || str.trim().length() == 0) {
                    return this._parent;
                }
                for (String str2 : str.split("[,;:]")) {
                    CertificateValidatorBuilder.this._extendedKeyUsage.add(str2.trim());
                }
                return this._parent;
            }
        }

        /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder$KeyUsageValidationBuilder.class */
        public class KeyUsageValidationBuilder {
            CertificateValidatorBuilder _parent;

            KeyUsageValidationBuilder(CertificateValidatorBuilder certificateValidatorBuilder) {
                this._parent = certificateValidatorBuilder;
            }

            public KeyUsageValidationBuilder enableDigitalSignatureBit() {
                CertificateValidatorBuilder.this._keyUsageBits |= 1 << KeyUsageBits.DIGITAL_SIGNATURE.getInt();
                return this;
            }

            public KeyUsageValidationBuilder enablecRLSignBit() {
                CertificateValidatorBuilder.this._keyUsageBits |= 1 << KeyUsageBits.CRLSIGN.getInt();
                return this;
            }

            public KeyUsageValidationBuilder enableDataEncriphermentBit() {
                CertificateValidatorBuilder.this._keyUsageBits |= 1 << KeyUsageBits.DATA_ENCIPHERMENT.getInt();
                return this;
            }

            public KeyUsageValidationBuilder enableDecipherOnlyBit() {
                CertificateValidatorBuilder.this._keyUsageBits |= 1 << KeyUsageBits.DECIPHER_ONLY.getInt();
                return this;
            }

            public KeyUsageValidationBuilder enableEnciphermentOnlyBit() {
                CertificateValidatorBuilder.this._keyUsageBits |= 1 << KeyUsageBits.ENCIPHERMENT_ONLY.getInt();
                return this;
            }

            public KeyUsageValidationBuilder enableKeyAgreementBit() {
                CertificateValidatorBuilder.this._keyUsageBits |= 1 << KeyUsageBits.KEY_AGREEMENT.getInt();
                return this;
            }

            public KeyUsageValidationBuilder enableKeyEnciphermentBit() {
                CertificateValidatorBuilder.this._keyUsageBits |= 1 << KeyUsageBits.KEY_ENCIPHERMENT.getInt();
                return this;
            }

            public KeyUsageValidationBuilder enableKeyCertSign() {
                CertificateValidatorBuilder.this._keyUsageBits |= 1 << KeyUsageBits.KEYCERTSIGN.getInt();
                return this;
            }

            public KeyUsageValidationBuilder enableNonRepudiationBit() {
                CertificateValidatorBuilder.this._keyUsageBits |= 1 << KeyUsageBits.NON_REPUDIATION.getInt();
                return this;
            }

            public CertificateValidatorBuilder back() {
                return this._parent;
            }

            /* JADX INFO: Access modifiers changed from: package-private */
            /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
            /* JADX WARN: Failed to find 'out' block for switch in B:11:0x0043. Please report as an issue. */
            public CertificateValidatorBuilder parse(String str) {
                if (str == null || str.trim().length() == 0) {
                    return this._parent;
                }
                for (String str2 : str.split("[,]")) {
                    try {
                        switch (AnonymousClass1.$SwitchMap$org$keycloak$authentication$authenticators$x509$CertificateValidator$KeyUsageBits[KeyUsageBits.parse(str2.trim()).ordinal()]) {
                            case DeclarativeUserProfileProvider.PROVIDER_PRIORITY /* 1 */:
                                enablecRLSignBit();
                                break;
                            case 2:
                                enableDataEncriphermentBit();
                                break;
                            case AuthenticationSessionManager.AUTH_SESSION_COOKIE_LIMIT /* 3 */:
                                enableDecipherOnlyBit();
                                break;
                            case 4:
                                enableDigitalSignatureBit();
                                break;
                            case 5:
                                enableEnciphermentOnlyBit();
                                break;
                            case 6:
                                enableKeyAgreementBit();
                                break;
                            case 7:
                                enableKeyEnciphermentBit();
                                break;
                            case 8:
                                enableKeyCertSign();
                                break;
                            case 9:
                                enableNonRepudiationBit();
                                break;
                        }
                    } catch (IllegalArgumentException e) {
                        CertificateValidator.logger.warnf("Unable to parse key usage bit: \"%s\"", str2);
                    } catch (IndexOutOfBoundsException e2) {
                        CertificateValidator.logger.warnf("Invalid key usage bit: \"%s\"", str2);
                    }
                }
                return this._parent;
            }
        }

        /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder$RevocationStatusCheckBuilder.class */
        public class RevocationStatusCheckBuilder {
            CertificateValidatorBuilder _parent;

            /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder$RevocationStatusCheckBuilder$GotCRL.class */
            public class GotCRL {
                public GotCRL() {
                }

                public GotCRLDP cRLDPEnabled(boolean z) {
                    CertificateValidatorBuilder.this._crldpEnabled = z;
                    return new GotCRLDP();
                }
            }

            /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder$RevocationStatusCheckBuilder$GotCRLDP.class */
            public class GotCRLDP {
                public GotCRLDP() {
                }

                public GotCRLRelativePath cRLrelativePath(String str) {
                    if (str != null) {
                        CertificateValidatorBuilder.this._crlLoader = new CRLListLoader(CertificateValidatorBuilder.this.session, str);
                    }
                    return new GotCRLRelativePath();
                }

                public GotCRLRelativePath cRLLoader(CRLLoaderImpl cRLLoaderImpl) {
                    if (cRLLoaderImpl != null) {
                        CertificateValidatorBuilder.this._crlLoader = cRLLoaderImpl;
                    }
                    return new GotCRLRelativePath();
                }
            }

            /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder$RevocationStatusCheckBuilder$GotCRLRelativePath.class */
            public class GotCRLRelativePath {
                public GotCRLRelativePath() {
                }

                public GotOCSP oCSPEnabled(boolean z) {
                    CertificateValidatorBuilder.this._ocspEnabled = z;
                    return new GotOCSP();
                }
            }

            /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder$RevocationStatusCheckBuilder$GotOCSP.class */
            public class GotOCSP {
                public GotOCSP() {
                }

                public GotOCSPFailOpen oCSPFailOpen(boolean z) {
                    CertificateValidatorBuilder.this._ocspFailOpen = z;
                    return new GotOCSPFailOpen();
                }
            }

            /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder$RevocationStatusCheckBuilder$GotOCSPFailOpen.class */
            public class GotOCSPFailOpen {
                public GotOCSPFailOpen() {
                }

                public GotOCSPFailOpen oCSPResponseCertificate(String str) {
                    if (str != null && !str.isEmpty()) {
                        try {
                            CertificateValidatorBuilder.this._responderCert = XMLSignatureUtil.getX509CertificateFromKeyInfoString(str);
                            CertificateValidatorBuilder.this._responderCert.checkValidity();
                        } catch (CertificateException e) {
                            CertificateValidator.logger.warnf("Ignoring invalid certificate: %s", CertificateValidatorBuilder.this._responderCert);
                            CertificateValidatorBuilder.this._responderCert = null;
                        } catch (ProcessingException e2) {
                            throw new RuntimeException((Throwable) e2);
                        }
                    }
                    return new GotOCSPFailOpen();
                }

                public CertificateValidatorBuilder oCSPResponderURI(String str) {
                    CertificateValidatorBuilder.this._responderUri = str;
                    return RevocationStatusCheckBuilder.this._parent;
                }
            }

            protected RevocationStatusCheckBuilder(CertificateValidatorBuilder certificateValidatorBuilder) {
                this._parent = certificateValidatorBuilder;
            }

            public GotCRL cRLEnabled(boolean z) {
                CertificateValidatorBuilder.this._crlCheckingEnabled = z;
                return new GotCRL();
            }
        }

        /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder$TimestampValidationBuilder.class */
        public class TimestampValidationBuilder {
            CertificateValidatorBuilder _parent;

            protected TimestampValidationBuilder(CertificateValidatorBuilder certificateValidatorBuilder) {
                this._parent = certificateValidatorBuilder;
            }

            public CertificateValidatorBuilder enabled(boolean z) {
                CertificateValidatorBuilder.this._timestampValidationEnabled = z;
                return this._parent;
            }
        }

        /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$CertificateValidatorBuilder$TrustValidationBuilder.class */
        public class TrustValidationBuilder {
            CertificateValidatorBuilder _parent;

            protected TrustValidationBuilder(CertificateValidatorBuilder certificateValidatorBuilder) {
                this._parent = certificateValidatorBuilder;
            }

            public CertificateValidatorBuilder enabled(boolean z) {
                CertificateValidatorBuilder.this._trustValidationEnabled = z;
                return this._parent;
            }
        }

        public CertificateValidatorBuilder session(KeycloakSession keycloakSession) {
            this.session = keycloakSession;
            return this;
        }

        public KeyUsageValidationBuilder keyUsage() {
            return new KeyUsageValidationBuilder(this);
        }

        public ExtendedKeyUsageValidationBuilder extendedKeyUsage() {
            return new ExtendedKeyUsageValidationBuilder(this);
        }

        public CertificatePolicyValidationBuilder certificatePolicy() {
            return new CertificatePolicyValidationBuilder(this);
        }

        public RevocationStatusCheckBuilder revocation() {
            return new RevocationStatusCheckBuilder(this);
        }

        public TimestampValidationBuilder timestampValidation() {
            return new TimestampValidationBuilder(this);
        }

        public TrustValidationBuilder trustValidation() {
            return new TrustValidationBuilder(this);
        }

        public CertificateValidator build(X509Certificate[] x509CertificateArr) {
            if (this._crlLoader == null) {
                this._crlLoader = new CRLFileLoader(this.session, "");
            }
            return new CertificateValidator(x509CertificateArr, this._keyUsageBits, this._extendedKeyUsage, this._certificatePolicy, this._certificatePolicyMode, this._crlCheckingEnabled, this._crldpEnabled, this._crlLoader, this._ocspEnabled, this._ocspFailOpen, new BouncyCastleOCSPChecker(this.session, this._responderUri, this._responderCert), this.session, this._timestampValidationEnabled, this._trustValidationEnabled);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$KeyUsageBits.class */
    public enum KeyUsageBits {
        DIGITAL_SIGNATURE(0, "digitalSignature"),
        NON_REPUDIATION(1, "nonRepudiation"),
        KEY_ENCIPHERMENT(2, "keyEncipherment"),
        DATA_ENCIPHERMENT(3, "dataEncipherment"),
        KEY_AGREEMENT(4, "keyAgreement"),
        KEYCERTSIGN(5, "keyCertSign"),
        CRLSIGN(6, "cRLSign"),
        ENCIPHERMENT_ONLY(7, "encipherOnly"),
        DECIPHER_ONLY(8, "decipherOnly");

        private int value;
        private String name;

        KeyUsageBits(int i, String str) {
            if (i < 0 || i > 8) {
                throw new IllegalArgumentException("value");
            }
            if (str == null || str.trim().length() == 0) {
                throw new IllegalArgumentException("name");
            }
            this.value = i;
            this.name = str.trim();
        }

        public int getInt() {
            return this.value;
        }

        public String getName() {
            return this.name;
        }

        public static KeyUsageBits parse(String str) throws IllegalArgumentException, IndexOutOfBoundsException {
            if (str == null || str.trim().length() == 0) {
                throw new IllegalArgumentException("name");
            }
            for (KeyUsageBits keyUsageBits : values()) {
                if (keyUsageBits.getName().equalsIgnoreCase(str)) {
                    return keyUsageBits;
                }
            }
            throw new IndexOutOfBoundsException("name");
        }

        public static KeyUsageBits fromValue(int i) throws IndexOutOfBoundsException {
            if (i < 0 || i > 8) {
                throw new IndexOutOfBoundsException("value");
            }
            for (KeyUsageBits keyUsageBits : values()) {
                if (keyUsageBits.getInt() == i) {
                    return keyUsageBits;
                }
            }
            throw new IndexOutOfBoundsException("value");
        }
    }

    /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$LdapContext.class */
    public static class LdapContext {
        private final String ldapFactoryClassName;

        public LdapContext() {
            this.ldapFactoryClassName = "com.sun.jndi.ldap.LdapCtxFactory";
        }

        public LdapContext(String str) {
            this.ldapFactoryClassName = str;
        }

        public String getLdapFactoryClassName() {
            return this.ldapFactoryClassName;
        }
    }

    /* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidator$OCSPChecker.class */
    public static abstract class OCSPChecker {
        public abstract OCSPUtils.OCSPRevocationStatus check(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertPathValidatorException;
    }

    public CertificateValidator() {
    }

    protected CertificateValidator(X509Certificate[] x509CertificateArr, int i, List<String> list, List<String> list2, String str, boolean z, boolean z2, CRLLoaderImpl cRLLoaderImpl, boolean z3, boolean z4, OCSPChecker oCSPChecker, KeycloakSession keycloakSession, boolean z5, boolean z6) {
        this._certChain = x509CertificateArr;
        this._keyUsageBits = i;
        this._extendedKeyUsage = list;
        this._certificatePolicy = list2;
        this._certificatePolicyMode = str;
        this._crlCheckingEnabled = z;
        this._crldpEnabled = z2;
        this._crlLoader = cRLLoaderImpl;
        this._ocspEnabled = z3;
        this._ocspFailOpen = z4;
        this.ocspChecker = oCSPChecker;
        this.session = keycloakSession;
        this._timestampValidationEnabled = z5;
        this._trustValidationEnabled = z6;
        if (oCSPChecker == null) {
            throw new IllegalArgumentException("ocspChecker");
        }
    }

    private static void validateKeyUsage(X509Certificate[] x509CertificateArr, int i) throws GeneralSecurityException {
        boolean[] keyUsage = x509CertificateArr[0].getKeyUsage();
        if (keyUsage == null) {
            if (i != 0) {
                throw new GeneralSecurityException("Key usage extension is expected, but unavailable.");
            }
            return;
        }
        boolean z = false;
        Set<String> criticalExtensionOIDs = x509CertificateArr[0].getCriticalExtensionOIDs();
        if (criticalExtensionOIDs != null) {
            z = criticalExtensionOIDs.contains("2.5.29.15");
        }
        int i2 = i;
        StringBuilder sb = new StringBuilder();
        int i3 = 0;
        while (i3 < keyUsage.length) {
            boolean z2 = keyUsage[i3];
            if ((i2 & 1) == 1 && !z2) {
                String format = String.format("Key Usage bit '%s' is not set.", KeyUsageBits.fromValue(i3).getName());
                if (sb.length() > 0) {
                    sb.append("\n");
                }
                sb.append(format);
                logger.warn(format);
            }
            i3++;
            i2 >>= 1;
        }
        if (sb.length() > 0 && z) {
            throw new GeneralSecurityException(sb.toString());
        }
    }

    private static void validateExtendedKeyUsage(X509Certificate[] x509CertificateArr, List<String> list) throws GeneralSecurityException {
        if (list == null || list.size() == 0) {
            logger.debug("Extended Key Usage validation is not enabled.");
            return;
        }
        List<String> extendedKeyUsage = x509CertificateArr[0].getExtendedKeyUsage();
        if (extendedKeyUsage == null) {
            throw new GeneralSecurityException("Extended key usage extension is expected, but unavailable");
        }
        Set<String> criticalExtensionOIDs = x509CertificateArr[0].getCriticalExtensionOIDs();
        boolean contains = criticalExtensionOIDs != null ? criticalExtensionOIDs.contains("2.5.29.37") : false;
        LinkedList linkedList = new LinkedList();
        extendedKeyUsage.forEach(str -> {
            linkedList.add(str.toLowerCase());
        });
        for (String str2 : list) {
            if (!linkedList.contains(str2.toLowerCase())) {
                String format = String.format("Extended Key Usage '%s' is missing.", str2);
                if (contains) {
                    throw new GeneralSecurityException(format);
                }
                logger.warn(format);
            }
        }
    }

    private static void validatePolicy(X509Certificate[] x509CertificateArr, List<String> list, String str) throws GeneralSecurityException {
        if (list == null || list.size() == 0) {
            logger.debug("Certificate Policy validation is not enabled.");
            return;
        }
        Extensions extensions = new JcaX509CertificateHolder(x509CertificateArr[0]).getExtensions();
        if (extensions == null) {
            throw new GeneralSecurityException("Certificate Policy validation was expected, but no certificate extensions were found");
        }
        CertificatePolicies fromExtensions = CertificatePolicies.fromExtensions(extensions);
        if (fromExtensions == null) {
            throw new GeneralSecurityException("Certificate Policy validation was expected, but no certificate policy extensions were found");
        }
        LinkedList linkedList = new LinkedList();
        Arrays.stream(fromExtensions.getPolicyInformation()).forEach(policyInformation -> {
            linkedList.add(policyInformation.getPolicyIdentifier().toString().toLowerCase());
        });
        logger.debugf("Certificate policies found: %s", String.join(",", linkedList));
        if (str == AbstractX509ClientCertificateAuthenticator.CERTIFICATE_POLICY_MODE_ANY) {
            if (!list.stream().anyMatch(str2 -> {
                return linkedList.contains(str2.toLowerCase());
            })) {
                throw new GeneralSecurityException(String.format("Certificate Policy check failed: mode = ANY, found = '%s', expected = '%s'.", String.join(",", linkedList), String.join(",", list)));
            }
            return;
        }
        for (String str3 : list) {
            if (!linkedList.contains(str3.toLowerCase())) {
                throw new GeneralSecurityException(String.format("Certificate Policy check failed: mode = ALL, certificate policy '%s' is missing.", str3));
            }
        }
    }

    public CertificateValidator validateKeyUsage() throws GeneralSecurityException {
        validateKeyUsage(this._certChain, this._keyUsageBits);
        return this;
    }

    public CertificateValidator validateExtendedKeyUsage() throws GeneralSecurityException {
        validateExtendedKeyUsage(this._certChain, this._extendedKeyUsage);
        return this;
    }

    public CertificateValidator validatePolicy() throws GeneralSecurityException {
        validatePolicy(this._certChain, this._certificatePolicy, this._certificatePolicyMode);
        return this;
    }

    public CertificateValidator validateTimestamps() throws GeneralSecurityException {
        if (!this._timestampValidationEnabled) {
            return this;
        }
        for (int i = 0; i < this._certChain.length; i++) {
            X509Certificate x509Certificate = this._certChain[i];
            if (x509Certificate.getNotBefore().getTime() > Time.currentTimeMillis()) {
                throw new GeneralSecurityException("certificate with serialnumber '" + x509Certificate.getSerialNumber().toString(16).replaceAll("..(?!$)", "$0 ") + "' is not valid yet: " + x509Certificate.getNotBefore().toString());
            }
            if (x509Certificate.getNotAfter().getTime() < Time.currentTimeMillis()) {
                throw new GeneralSecurityException("certificate with serialnumber '" + x509Certificate.getSerialNumber().toString(16).replaceAll("..(?!$)", "$0 ") + "' has expired on: " + x509Certificate.getNotAfter().toString());
            }
        }
        return this;
    }

    public CertificateValidator validateTrust() throws GeneralSecurityException {
        if (!this._trustValidationEnabled) {
            return this;
        }
        TruststoreProvider provider = this.session.getProvider(TruststoreProvider.class);
        if (provider == null || provider.getTruststore() == null) {
            logger.error("Cannot validate client certificate trust: Truststore not available");
        } else {
            Set set = (Set) provider.getRootCertificates().entrySet().stream().map(entry -> {
                return (X509Certificate) entry.getValue();
            }).collect(Collectors.toSet());
            Set set2 = (Set) provider.getIntermediateCertificates().entrySet().stream().map(entry2 -> {
                return (X509Certificate) entry2.getValue();
            }).collect(Collectors.toSet());
            logger.debugf("Found %d trusted root certs, %d trusted intermediate certs", set.size(), set2.size());
            verifyCertificateTrust(this._certChain, set, set2);
        }
        return this;
    }

    private static PKIXCertPathBuilderResult verifyCertificateTrust(X509Certificate[] x509CertificateArr, Set<X509Certificate> set, Set<X509Certificate> set2) throws GeneralSecurityException {
        X509CertSelector x509CertSelector = new X509CertSelector();
        x509CertSelector.setCertificate(x509CertificateArr[0]);
        HashSet hashSet = new HashSet();
        Iterator<X509Certificate> it = set.iterator();
        while (it.hasNext()) {
            hashSet.add(new TrustAnchor(it.next(), null));
        }
        PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(hashSet, x509CertSelector);
        pKIXBuilderParameters.setRevocationEnabled(false);
        HashSet hashSet2 = new HashSet();
        Iterator<X509Certificate> it2 = set2.iterator();
        while (it2.hasNext()) {
            hashSet2.add(it2.next());
        }
        for (X509Certificate x509Certificate : x509CertificateArr) {
            hashSet2.add(x509Certificate);
        }
        pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(hashSet2), BouncyIntegration.PROVIDER));
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX", BouncyIntegration.PROVIDER).build(pKIXBuilderParameters);
    }

    private X509Certificate findCAInTruststore(X500Principal x500Principal) throws GeneralSecurityException {
        TruststoreProvider provider = this.session.getProvider(TruststoreProvider.class);
        if (provider == null || provider.getTruststore() == null) {
            return null;
        }
        X509Certificate x509Certificate = (X509Certificate) provider.getRootCertificates().get(x500Principal);
        if (x509Certificate == null) {
            x509Certificate = (X509Certificate) provider.getIntermediateCertificates().get(x500Principal);
        }
        if (x509Certificate != null) {
            x509Certificate.checkValidity();
        }
        return x509Certificate;
    }

    private void checkRevocationUsingOCSP(X509Certificate[] x509CertificateArr) throws GeneralSecurityException {
        X509Certificate x509Certificate;
        X509Certificate findCAInTruststore;
        if (logger.isDebugEnabled() && x509CertificateArr != null) {
            for (X509Certificate x509Certificate2 : x509CertificateArr) {
                logger.debugf("Certificate: %s", x509Certificate2.getSubjectDN().getName());
            }
        }
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new GeneralSecurityException("No certificates sent");
        }
        if (x509CertificateArr.length > 1) {
            x509Certificate = x509CertificateArr[0];
            findCAInTruststore = x509CertificateArr[1];
        } else {
            x509Certificate = x509CertificateArr[0];
            findCAInTruststore = findCAInTruststore(x509Certificate.getIssuerX500Principal());
            if (findCAInTruststore == null) {
                throw new GeneralSecurityException(String.format("No trusted CA in certificate found: %s. Add it to truststore SPI if valid.", x509Certificate.getIssuerX500Principal()));
            }
        }
        try {
            OCSPUtils.OCSPRevocationStatus check = this.ocspChecker.check(x509Certificate, findCAInTruststore);
            if (check == null) {
                if (!this._ocspFailOpen) {
                    throw new GeneralSecurityException("Unable to check client revocation status using OCSP");
                }
                logger.warnf("Unable to check client revocation status using OCSP - continuing certificate authentication because of fail-open OCSP configuration setting", new Object[0]);
            }
            if (check.getRevocationStatus() == OCSPUtils.RevocationStatus.UNKNOWN) {
                if (!this._ocspFailOpen) {
                    throw new GeneralSecurityException("Unable to determine certificate's revocation status.");
                }
                logger.warnf("Unable to determine certificate's revocation status - continuing certificate authentication because of fail-open OCSP configuration setting", new Object[0]);
            } else if (check.getRevocationStatus() == OCSPUtils.RevocationStatus.REVOKED) {
                throw new GeneralSecurityException("Certificate's been revoked.\n" + check.getRevocationReason().toString() + "\n" + String.format("Revoked on: %s", check.getRevocationTime().toString()));
            }
        } catch (CertPathValidatorException e) {
            if (!this._ocspFailOpen) {
                throw e;
            }
            logger.warnf("Unable to check client revocation status using OCSP - continuing certificate authentication because of fail-open OCSP configuration setting", new Object[0]);
        }
    }

    private static void checkRevocationStatusUsingCRL(X509Certificate[] x509CertificateArr, CRLLoaderImpl cRLLoaderImpl, KeycloakSession keycloakSession) throws GeneralSecurityException {
        Collection<X509CRL> x509CRLs = cRLLoaderImpl.getX509CRLs();
        if (x509CRLs == null || x509CRLs.size() <= 0) {
            return;
        }
        Iterator<X509CRL> it = x509CRLs.iterator();
        while (it.hasNext()) {
            CRLUtils.check(x509CertificateArr, it.next(), keycloakSession);
        }
    }

    private static List<String> getCRLDistributionPoints(X509Certificate x509Certificate) {
        try {
            return CRLUtils.getCRLDistributionPoints(x509Certificate);
        } catch (IOException e) {
            logger.error(e.getMessage());
            return new ArrayList();
        }
    }

    private static void checkRevocationStatusUsingCRLDistributionPoints(X509Certificate[] x509CertificateArr, KeycloakSession keycloakSession) throws GeneralSecurityException {
        List<String> cRLDistributionPoints = getCRLDistributionPoints(x509CertificateArr[0]);
        if (cRLDistributionPoints == null || cRLDistributionPoints.size() == 0) {
            throw new GeneralSecurityException("Could not find any CRL distribution points in the certificate, unable to check the certificate revocation status using CRL/DP.");
        }
        for (String str : cRLDistributionPoints) {
            logger.tracef("CRL Distribution point: \"%s\"", str);
            checkRevocationStatusUsingCRL(x509CertificateArr, new CRLFileLoader(keycloakSession, str), keycloakSession);
        }
    }

    public CertificateValidator checkRevocationStatus() throws GeneralSecurityException {
        if (!this._crlCheckingEnabled && !this._ocspEnabled) {
            return this;
        }
        if (this._crlCheckingEnabled) {
            if (this._crldpEnabled) {
                checkRevocationStatusUsingCRLDistributionPoints(this._certChain, this.session);
            } else {
                checkRevocationStatusUsingCRL(this._certChain, this._crlLoader, this.session);
            }
        }
        if (this._ocspEnabled) {
            checkRevocationUsingOCSP(this._certChain);
        }
        return this;
    }
}
