package org.keycloak.keys;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.common.crypto.CryptoIntegration;
import org.keycloak.common.util.CertificateUtils;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.KeystoreUtil;
import org.keycloak.component.ComponentModel;
import org.keycloak.crypto.KeyStatus;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.RsaesOaepCekManagementProviderFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/keys/JavaKeystoreKeyProvider.class */
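/**
 * Key provider that serves a single signing/encryption key read from a Java keystore file
 * on the server's filesystem.
 *
 * <p>The keystore path, keystore type, keystore password, key alias and key password all come
 * from the {@link ComponentModel}. The key is loaded once and cached as a note on the model so
 * that constructing another provider for the same component does not re-open the keystore.
 *
 * <p>This listing was reconstructed from decompiler output: the original string {@code switch}
 * had been lowered to a {@code hashCode()} dispatch with duplicate {@code case true:} labels and
 * the certificate-chain lambda referenced an undeclared variable, neither of which compiles.
 * The behaviour below is the same as that output; only the form has been restored.
 */
public class JavaKeystoreKeyProvider implements KeyProvider {
    // Active/enabled status derived from the component attributes (defaults: both true).
    private final KeyStatus status;
    // Component configuration this provider was created from.
    private final ComponentModel model;
    // The one key this provider exposes; loaded from the keystore or taken from the model note.
    private final KeyWrapper key;
    // Algorithm name this key is configured for (e.g. "RS256", "ES256").
    private final String algorithm;

    /**
     * Creates the provider and loads (or reuses the cached) key described by {@code componentModel}.
     *
     * @param realmModel     realm the component belongs to; its name is used as the subject of a
     *                       generated self-signed certificate when the keystore holds none
     * @param componentModel component configuration (keystore location, passwords, alias, use, algorithm)
     * @throws RuntimeException if the keystore cannot be opened or the key cannot be loaded
     *                          (see {@link #loadKey(RealmModel, ComponentModel)})
     */
    public JavaKeystoreKeyProvider(RealmModel realmModel, ComponentModel componentModel) {
        this.model = componentModel;
        this.status = KeyStatus.from(
                componentModel.get(Attributes.ACTIVE_KEY, true),
                componentModel.get(Attributes.ENABLED_KEY, true));

        // The default algorithm depends on the intended key use: the RSAES-OAEP factory id for
        // encryption keys, RS256 for everything else.
        boolean encryptionUse = KeyUse.ENC.name().equals(componentModel.get(Attributes.KEY_USE));
        String defaultAlgorithm = encryptionUse ? RsaesOaepCekManagementProviderFactory.ID : "RS256";
        this.algorithm = componentModel.get(Attributes.ALGORITHM_KEY, defaultAlgorithm);

        // Cache the loaded key as a note on the component model; loadKey() must run after
        // this.algorithm has been assigned because it dispatches on it.
        String noteName = KeyWrapper.class.getName();
        if (componentModel.hasNote(noteName)) {
            this.key = (KeyWrapper) componentModel.getNote(noteName);
        } else {
            this.key = loadKey(realmModel, componentModel);
            componentModel.setNote(noteName, this.key);
        }
    }

    /**
     * Opens the configured keystore file and loads the key for the configured alias.
     *
     * <p>Decompiler output marks this method as {@code protected} in the original source; it is
     * kept {@code public} here so the interface seen by callers does not change.
     *
     * <p>Only the algorithms listed in the {@code switch} below are supported. Any other
     * value of {@link #algorithm} — including the encryption-use default chosen in the
     * constructor, unless that id happens to equal one of the listed names — ends in the
     * {@code default} branch and raises a {@link RuntimeException}.
     *
     * @param realmModel     realm whose name is used for a generated self-signed certificate
     * @param componentModel component configuration providing keystore path, alias and passwords
     * @return the loaded key, its certificate and (validated) certificate chain
     * @throws RuntimeException wrapping the underlying I/O or security failure; the message
     *                          prefix identifies the failure category
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public KeyWrapper loadKey(RealmModel realmModel, ComponentModel componentModel) {
        String keystorePath = componentModel.get(JavaKeystoreKeyProviderFactory.KEYSTORE_KEY);
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            KeyStore keyStore = loadKeyStore(in, keystorePath);
            String alias = componentModel.get(JavaKeystoreKeyProviderFactory.KEY_ALIAS_KEY);
            switch (this.algorithm) {
                case "PS256":
                case "PS384":
                case "PS512":
                case "RS256":
                case "RS384":
                case "RS512":
                    return loadRSAKey(realmModel, componentModel, keyStore, alias);
                case "ES256":
                case "ES384":
                case "ES512":
                    return loadECKey(realmModel, componentModel, keyStore, alias);
                default:
                    throw new RuntimeException(String.format("Keys for algorithm %s are not supported.", this.algorithm));
            }
        } catch (FileNotFoundException e) {
            throw new RuntimeException("File not found on server. " + e.getMessage(), e);
        } catch (IOException e) {
            throw new RuntimeException("IO error on server. " + e.getMessage(), e);
        } catch (KeyStoreException e) {
            throw new RuntimeException("KeyStore error on server. " + e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Algorithm not available on server. " + e.getMessage(), e);
        } catch (UnrecoverableKeyException e) {
            throw new RuntimeException("Keystore on server can not be recovered. " + e.getMessage(), e);
        } catch (CertificateException e) {
            throw new RuntimeException("Certificate error on server. " + e.getMessage(), e);
        } catch (GeneralSecurityException e) {
            // Reached by the chain validation in loadCertificateChain(); the more specific
            // GeneralSecurityException subclasses above take precedence.
            throw new RuntimeException("Invalid certificate chain. Check the order of certificates.", e);
        }
    }

    /**
     * Instantiates and loads the keystore from an already opened stream.
     *
     * <p>The keystore type comes from the component configuration, falling back to detection
     * from the file name and finally to {@code "JKS"} (see {@code KeystoreUtil.getKeystoreType}).
     *
     * @param in           open stream positioned at the start of the keystore file
     * @param keystorePath path of the file, used only for type detection
     * @return the loaded keystore
     * @throws NullPointerException if no keystore password is configured
     */
    private KeyStore loadKeyStore(FileInputStream in, String keystorePath)
            throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
        String type = KeystoreUtil.getKeystoreType(
                this.model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_TYPE_KEY), keystorePath, "JKS");
        KeyStore keyStore = KeyStore.getInstance(type);
        String configuredPassword = Objects.requireNonNull(
                this.model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_PASSWORD_KEY),
                "Missing " + JavaKeystoreKeyProviderFactory.KEYSTORE_PASSWORD_KEY);
        char[] password = configuredPassword.toCharArray();
        try {
            keyStore.load(in, password);
        } finally {
            // Do not leave the keystore password lying around in the heap longer than needed.
            Arrays.fill(password, '\0');
        }
        return keyStore;
    }

    /**
     * Returns the configured key-entry password as a fresh char array.
     *
     * @throws NullPointerException if no key password is configured
     */
    private static char[] keyPassword(ComponentModel componentModel) {
        String configuredPassword = Objects.requireNonNull(
                componentModel.get(JavaKeystoreKeyProviderFactory.KEY_PASSWORD_KEY),
                "Missing " + JavaKeystoreKeyProviderFactory.KEY_PASSWORD_KEY);
        return configuredPassword.toCharArray();
    }

    /**
     * Reads the private key stored under {@code alias} and clears the key password afterwards.
     *
     * @throws ClassCastException if the entry is not an instance of {@code type}
     */
    private static <T> T readPrivateKey(KeyStore keyStore, ComponentModel componentModel, String alias, Class<T> type)
            throws GeneralSecurityException {
        char[] password = keyPassword(componentModel);
        try {
            return type.cast(keyStore.getKey(alias, password));
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Loads an EC key entry. The public key is derived from the private key via the configured
     * crypto provider rather than taken from the certificate.
     */
    private KeyWrapper loadECKey(RealmModel realmModel, ComponentModel componentModel, KeyStore keyStore, String alias)
            throws GeneralSecurityException {
        ECPrivateKey privateKey = readPrivateKey(keyStore, componentModel, alias, ECPrivateKey.class);
        // The result of this mapping is discarded. NOTE(review): presumably the call exists to
        // validate / normalise the curve name for the configured algorithm (and may throw for an
        // unsupported one) — confirm against AbstractEcdsaKeyProviderFactory before removing it.
        AbstractEcdsaKeyProviderFactory.convertECDomainParmNistRepToSecRep(
                AbstractEcdsaKeyProviderFactory.convertAlgorithmToECDomainParmNistRep(this.algorithm));
        KeyPair keyPair = new KeyPair(
                CryptoIntegration.getProvider().getEcdsaCryptoProvider().getPublicFromPrivate(privateKey),
                privateKey);
        X509Certificate certificate = getCertificate(keyStore, keyPair, alias, realmModel.getName());
        List<X509Certificate> chain = loadCertificateChain(keyStore, alias);
        return createKeyWrapper(keyPair, certificate, chain, "EC");
    }

    /**
     * Loads an RSA key entry (used for both RS* and PS* algorithms). The public key is extracted
     * from the private key via {@code KeyUtils.extractPublicKey}.
     */
    private KeyWrapper loadRSAKey(RealmModel realmModel, ComponentModel componentModel, KeyStore keyStore, String alias)
            throws GeneralSecurityException {
        PrivateKey privateKey = readPrivateKey(keyStore, componentModel, alias, PrivateKey.class);
        KeyPair keyPair = new KeyPair(KeyUtils.extractPublicKey(privateKey), privateKey);
        X509Certificate certificate = getCertificate(keyStore, keyPair, alias, realmModel.getName());
        List<X509Certificate> chain = loadCertificateChain(keyStore, alias);
        return createKeyWrapper(keyPair, certificate, chain, "RSA");
    }

    /**
     * Returns the certificate stored under {@code alias}, or a freshly generated V1 self-signed
     * certificate for {@code keyPair} (subject taken from {@code realmName}) when the keystore
     * holds none. A generated certificate is not persisted and changes on every load.
     */
    private X509Certificate getCertificate(KeyStore keyStore, KeyPair keyPair, String alias, String realmName)
            throws KeyStoreException {
        X509Certificate stored = (X509Certificate) keyStore.getCertificate(alias);
        if (stored != null) {
            return stored;
        }
        return CertificateUtils.generateV1SelfSignedCertificate(keyPair, realmName);
    }

    /**
     * Reads the certificate chain stored under {@code alias} as a mutable list (leaf first, as
     * returned by the keystore) and validates it.
     *
     * @return a mutable list; empty when the keystore has no chain for the alias
     * @throws GeneralSecurityException if the chain does not validate (see {@link #validateCertificateChain})
     * @throws ClassCastException       if a chain element is not an {@link X509Certificate}
     */
    private List<X509Certificate> loadCertificateChain(KeyStore keyStore, String alias) throws GeneralSecurityException {
        List<X509Certificate> chain = Optional.ofNullable(keyStore.getCertificateChain(alias))
                .map(certificates -> Arrays.stream(certificates))
                .orElseGet(Stream::empty)
                .map(X509Certificate.class::cast)
                .collect(Collectors.toCollection(ArrayList::new));
        validateCertificateChain(chain);
        return chain;
    }

    /**
     * Assembles the {@link KeyWrapper} exposed by this provider from the loaded material and the
     * component configuration (provider id, priority, kid, use, status).
     *
     * @param keyPair     private/public key pair
     * @param certificate certificate for the key; may be the generated self-signed fallback
     * @param chain       mutable certificate chain; may be empty
     * @param keyType     key type reported on the wrapper ({@code "RSA"} or {@code "EC"})
     */
    private KeyWrapper createKeyWrapper(KeyPair keyPair, X509Certificate certificate, List<X509Certificate> chain, String keyType) {
        // Locale.ROOT keeps the enum lookup independent of the server's default locale.
        String configuredUse = this.model.get(Attributes.KEY_USE, KeyUse.SIG.getSpecName());
        KeyUse use = KeyUse.valueOf(configuredUse.toUpperCase(Locale.ROOT));

        // An explicitly configured "kid" wins; otherwise derive one from the public key.
        String configuredKid = this.model.get("kid");
        String kid = configuredKid != null ? configuredKid : KeyUtils.createKeyId(keyPair.getPublic());

        KeyWrapper wrapper = new KeyWrapper();
        wrapper.setProviderId(this.model.getId());
        wrapper.setProviderPriority(this.model.get(Attributes.PRIORITY_KEY, 0L));
        wrapper.setKid(kid);
        wrapper.setUse(use);
        wrapper.setType(keyType);
        wrapper.setAlgorithm(this.algorithm);
        wrapper.setStatus(this.status);
        wrapper.setPrivateKey(keyPair.getPrivate());
        wrapper.setPublicKey(keyPair.getPublic());
        wrapper.setCertificate(certificate);
        if (!chain.isEmpty()) {
            // Make sure the key's own certificate heads the chain.
            // NOTE(review): the chain was validated in loadCertificateChain() before this
            // prepend, so a certificate inserted here is not covered by that validation.
            if (certificate != null && !certificate.equals(chain.get(0))) {
                chain.add(0, certificate);
            }
            wrapper.setCertificateChain(chain);
        }
        return wrapper;
    }

    /**
     * Runs PKIX validation over {@code chain} using the chain's own last certificate as the
     * trust anchor.
     *
     * <p>Because the anchor comes from the chain itself, this checks the chain's internal
     * consistency (each certificate chains to the next, validity periods) and not whether the
     * chain is trusted by any external trust store. Revocation checking is explicitly disabled,
     * so no CRL/OCSP lookups are performed. An empty or {@code null} chain passes.
     *
     * @throws GeneralSecurityException if validation fails or no PKIX validator / X.509 factory is available
     */
    private void validateCertificateChain(List<X509Certificate> chain) throws GeneralSecurityException {
        if (chain == null || chain.isEmpty()) {
            return;
        }
        HashSet<TrustAnchor> anchors = new HashSet<>();
        anchors.add(new TrustAnchor(chain.get(chain.size() - 1), null));
        PKIXParameters parameters = new PKIXParameters(anchors);
        parameters.setRevocationEnabled(false);
        CertPathValidator validator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
        validator.validate(CertificateFactory.getInstance("X.509").generateCertPath(chain), parameters);
    }

    /**
     * Returns a stream containing the single key served by this provider.
     */
    public Stream<KeyWrapper> getKeysStream() {
        return Stream.of(this.key);
    }
}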
