package org.keycloak.truststore;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.common.util.KeystoreUtil;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;

/* loaded from: input_file:org/keycloak/truststore/FileTruststoreProviderFactory.class */
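public class FileTruststoreProviderFactory implements TruststoreProviderFactory {
    private static final Logger log = Logger.getLogger(FileTruststoreProviderFactory.class);
    private TruststoreProvider provider;

    /**
     * Reads every entry of an already-loaded {@link KeyStore} and sorts the X.509 certificates
     * into two maps keyed by subject DN: self-signed certificates, which become the trusted
     * roots, and all other certificates, which are kept as intermediate CAs. Entries that are
     * not X.509 certificates are skipped.
     *
     * <p>"Self-signed" is the only criterion for a root (see {@link #isSelfSigned}); neither
     * BasicConstraints nor key usage are inspected, so every self-signed certificate present in
     * the configured file ends up as a trust anchor. Because both maps are keyed by subject DN,
     * two entries with the same subject (e.g. a cross-signed or rolled-over CA) overwrite each
     * other and the last alias enumerated wins.
     */
    private static class TruststoreCertificatesLoader {
        private final Map<X500Principal, X509Certificate> trustedRootCerts = new HashMap<>();
        private final Map<X500Principal, X509Certificate> intermediateCerts = new HashMap<>();

        /**
         * @param keyStore a loaded truststore; its entries are read eagerly in the constructor
         */
        TruststoreCertificatesLoader(KeyStore keyStore) {
            readTruststore(keyStore);
        }

        /**
         * Iterates over all aliases of the truststore. A {@link KeyStoreException} while
         * enumerating is logged and ends the scan, so the maps then hold only the entries read
         * up to that point (the effect is less trust, never more).
         */
        private void readTruststore(KeyStore keyStore) {
            try {
                log.trace("Checking " + keyStore.size() + " entries from the truststore.");
                Enumeration<String> aliases = keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    readTruststoreEntry(keyStore, aliases.nextElement());
                }
            } catch (KeyStoreException e) {
                log.error("Error while reading Keycloak truststore " + e.getMessage(), e);
            }
        }

        /**
         * Classifies a single truststore entry. A failure on one entry is logged and does not
         * abort the scan of the remaining entries. A {@code null} result from
         * {@link KeyStore#getCertificate} (alias without a certificate) is reported the same way
         * as a non-X.509 certificate.
         */
        private void readTruststoreEntry(KeyStore keyStore, String alias) {
            try {
                Certificate certificate = keyStore.getCertificate(alias);
                if (!(certificate instanceof X509Certificate)) {
                    log.info("Skipping certificate with alias [" + alias + "] from truststore, because it's not an X509Certificate");
                    return;
                }
                X509Certificate x509 = (X509Certificate) certificate;
                X500Principal subject = x509.getSubjectX500Principal();
                if (isSelfSigned(x509)) {
                    this.trustedRootCerts.put(subject, x509);
                    log.debug("Trusted root CA found in trustore : alias : " + alias + " | Subject DN : " + subject);
                } else {
                    this.intermediateCerts.put(subject, x509);
                    log.debug("Intermediate CA found in trustore : alias : " + alias + " | Subject DN : " + subject);
                }
            } catch (KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
                log.warnf("Error while reading Keycloak truststore entry [%s]. Exception message: %s", alias, e.getMessage(), e);
            }
        }

        /**
         * Checks whether the certificate's signature verifies under its own public key.
         *
         * @param certificate the certificate to test
         * @return {@code true} if the signature verifies against the certificate's own key;
         *         {@code false} on {@link InvalidKeyException} or {@link SignatureException},
         *         i.e. when it was signed by a different key
         * @throws CertificateException     on encoding errors
         * @throws NoSuchAlgorithmException if the signature algorithm is unsupported
         * @throws NoSuchProviderException  if no provider supplies the algorithm
         */
        private boolean isSelfSigned(X509Certificate certificate)
                throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
            X500Principal subject = certificate.getSubjectX500Principal();
            try {
                certificate.verify(certificate.getPublicKey());
                log.trace("certificate " + subject + " detected as root CA");
                return true;
            } catch (InvalidKeyException | SignatureException e) {
                // Verification under the certificate's own key failed: issued by another key.
                log.trace("certificate " + subject + " detected as intermediate CA");
                return false;
            }
        }
    }

    /**
     * Returns the provider built by {@link #init(Config.Scope)} or supplied through
     * {@link #setProvider}; {@code null} when no truststore was configured. (The method name is
     * the decompiler's rendering of the interface's {@code create} bridge method.)
     */
    public TruststoreProvider m739create(KeycloakSession keycloakSession) {
        return this.provider;
    }

    /** Replaces the provider returned by {@link #m739create}. */
    public void setProvider(TruststoreProvider truststoreProvider) {
        this.provider = truststoreProvider;
    }

    /**
     * Loads the truststore described by the {@code truststore.file} configuration scope and
     * builds the {@link FileTruststoreProvider}.
     *
     * <p>Configuration keys: {@code file} (path, required), {@code password} (required),
     * {@code hostname-verification-policy} (optional, defaults to {@code WILDCARD}; compared
     * case-insensitively) and {@code type} (optional; resolved via
     * {@link KeystoreUtil#getKeystoreType}). When none of {@code file}, {@code password} and
     * {@code hostname-verification-policy} is set, the provider is left unconfigured.
     *
     * @throws RuntimeException if a required attribute is missing, the policy value is unknown,
     *                          or the store cannot be loaded (the cause is preserved)
     */
    public void init(Config.Scope scope) {
        String storepath = scope.get("file");
        String pass = scope.get("password");
        String policyType = scope.get("hostname-verification-policy");
        String configuredType = scope.get("type");

        // Nothing configured at all: silently run without a file truststore.
        if (storepath == null && pass == null && policyType == null) {
            return;
        }
        if (storepath == null) {
            throw new RuntimeException("Attribute 'file' missing in 'truststore':'file' configuration");
        }
        if (pass == null) {
            throw new RuntimeException("Attribute 'password' missing in 'truststore':'file' configuration");
        }

        String type = KeystoreUtil.getKeystoreType(configuredType, storepath, KeyStore.getDefaultType());
        KeyStore truststore;
        try {
            truststore = loadStore(storepath, type, pass.toCharArray());
        } catch (Exception e) {
            // Path and type are useful for diagnosis; the password is deliberately not included.
            throw new RuntimeException("Failed to initialize TruststoreProviderFactory: " + new File(storepath).getAbsolutePath() + ", truststore type: " + type, e);
        }

        HostnameVerificationPolicy verificationPolicy;
        if (policyType == null) {
            verificationPolicy = HostnameVerificationPolicy.WILDCARD;
        } else {
            try {
                // getConfigMetadata() advertises the lower-case names, so accept either case.
                verificationPolicy = HostnameVerificationPolicy.valueOf(policyType.toUpperCase(Locale.ROOT));
            } catch (IllegalArgumentException e) {
                throw new RuntimeException("Invalid value for 'hostname-verification-policy': " + policyType + " (must be one of: ANY, WILDCARD, STRICT)", e);
            }
        }

        TruststoreCertificatesLoader loader = new TruststoreCertificatesLoader(truststore);
        this.provider = new FileTruststoreProvider(truststore, verificationPolicy,
                Collections.unmodifiableMap(loader.trustedRootCerts),
                Collections.unmodifiableMap(loader.intermediateCerts));
        TruststoreProviderSingleton.set(this.provider);
        log.debugf("File truststore provider initialized: %s, Truststore type: %s", new File(storepath).getAbsolutePath(), type);
    }

    /**
     * Opens the file at {@code path} and loads it into a {@link KeyStore} of the given type.
     *
     * @param path     truststore file path
     * @param type     keystore type passed to {@link KeyStore#getInstance(String)}
     * @param password store password, or {@code null}
     * @return the loaded keystore
     * @throws Exception any keystore, I/O or integrity-check failure; the caller wraps it
     */
    private KeyStore loadStore(String path, String type, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /** No post-initialisation work is needed. */
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
    }

    /** Nothing to release. */
    public void close() {
    }

    /** @return the provider id {@code "file"} */
    public String getId() {
        return "file";
    }

    /**
     * Describes the accepted configuration keys. Policy option names are lower-cased with
     * {@link Locale#ROOT} so the advertised values do not depend on the JVM's default locale.
     */
    public List<ProviderConfigProperty> getConfigMetadata() {
        String[] policyOptions = Arrays.stream(HostnameVerificationPolicy.values())
                .map(HostnameVerificationPolicy::name)
                .map(name -> name.toLowerCase(Locale.ROOT))
                .toArray(String[]::new);
        return ProviderConfigurationBuilder.create()
                .property()
                    .name("file")
                    .type("string")
                    .helpText("The file path of the trust store from where the certificates are going to be read from to validate TLS connections.")
                    .add()
                .property()
                    .name("password")
                    .type("string")
                    .helpText("The trust store password.")
                    .add()
                .property()
                    .name("hostname-verification-policy")
                    .type("string")
                    .helpText("The hostname verification policy.")
                    .options(policyOptions)
                    .defaultValue(HostnameVerificationPolicy.WILDCARD.name().toLowerCase(Locale.ROOT))
                    .add()
                .property()
                    .name("type")
                    .type("string")
                    .helpText("Type of the truststore. If not provided, the type would be detected based on the truststore file extension or platform default type.")
                    .add()
                .build();
    }
}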
