package org.keycloak.services.x509;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.common.util.PemException;
import org.keycloak.common.util.PemUtils;

/* loaded from: input_file:org/keycloak/services/x509/NginxProxyTrustedClientCertificateLookup.class */
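/**
 * Client-certificate lookup for requests forwarded by an nginx reverse proxy.
 *
 * <p>The certificate is taken from a request header as URL-encoded PEM and is returned only when
 * the {@code ssl-client-verify} request header equals {@code SUCCESS}.
 *
 * <p>Security note: both the certificate and the verification result are ordinary request headers.
 * This class cannot tell whether the proxy or the client set them. The result is trustworthy only
 * if the proxy overwrites these headers on every forwarded request and this service is reachable
 * only through that proxy.
 */
public class NginxProxyTrustedClientCertificateLookup extends AbstractClientCertificateFromHttpHeadersLookup {
    private static final Logger log = Logger.getLogger(NginxProxyTrustedClientCertificateLookup.class);

    /** Request header that carries the proxy's verification verdict. */
    private static final String VERIFY_HEADER = "ssl-client-verify";

    /** The only verdict for which a certificate is returned. */
    private static final String VERIFY_SUCCESS = "SUCCESS";

    /**
     * Passes all three arguments unchanged to the superclass constructor.
     *
     * <p>NOTE(review): the parameter names are decompiler placeholders; their meaning is defined by
     * {@code AbstractClientCertificateFromHttpHeadersLookup} and should be confirmed there.
     */
    public NginxProxyTrustedClientCertificateLookup(String str, String str2, int i) {
        super(str, str2, i);
    }

    /**
     * Returns the certificate found by the superclass lookup, but only when the
     * {@code ssl-client-verify} header is exactly {@code SUCCESS}.
     *
     * <p>Decompiler note: the access modifier was changed from {@code protected}.
     *
     * @param httpRequest request whose headers are inspected
     * @param str passed through to the superclass lookup (presumably the certificate header name)
     * @return the certificate, or {@code null} when the superclass found none or the verification
     *     header is missing or has any other value
     * @throws GeneralSecurityException if the superclass lookup throws it
     */
    @Override // org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
    public X509Certificate getCertificateFromHttpHeader(HttpRequest httpRequest, String str) throws GeneralSecurityException {
        X509Certificate certificate = super.getCertificateFromHttpHeader(httpRequest, str);
        if (certificate == null) {
            return null;
        }
        String verifyResult = getHeaderValue(httpRequest, VERIFY_HEADER);
        if (!VERIFY_SUCCESS.equals(verifyResult)) {
            // A missing header (null) or any other verdict is rejected; only an exact match passes.
            log.warn("nginx could not verify the certificate: ssl-client-verify: " + verifyResult);
            return null;
        }
        return certificate;
    }

    /**
     * URL-decodes the header value and parses the result as a PEM certificate.
     *
     * @param str URL-encoded PEM text, or {@code null}
     * @return the parsed certificate, or {@code null} when {@code str} is {@code null} or is not
     *     valid URL encoding
     * @throws PemException if {@link PemUtils#decodeCertificate} rejects the decoded text
     */
    @Override // org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
    protected X509Certificate decodeCertificateFromPem(String str) throws PemException {
        if (str == null) {
            log.warn("End user TLS Certificate is NULL! ");
            return null;
        }
        String pem = str;
        try {
            pem = URLDecoder.decode(str, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is a mandatory charset, so this branch is not expected to run; as before,
            // the undecoded value is handed to the PEM parser.
            log.error("Cannot URL decode the end user TLS Certificate : " + str, e);
        } catch (IllegalArgumentException e) {
            // URLDecoder throws this unchecked exception for a malformed percent escape. The value
            // comes from a request header, so return "no certificate" instead of letting the
            // exception escape the declared PemException contract. The header content is kept out
            // of the warning; details are logged at debug level only.
            log.warn("End user TLS Certificate is not valid URL encoding; ignoring it");
            log.debug("URL decoding of the end user TLS Certificate failed", e);
            return null;
        }
        return PemUtils.decodeCertificate(pem);
    }
}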
