package org.keycloak.keys.loader;

import java.security.PublicKey;
import java.util.Collections;
import java.util.Map;
import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.PemUtils;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.keys.PublicKeyLoader;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.utils.JWKSHttpUtils;
import org.keycloak.social.stackoverflow.StackoverflowIdentityProvider;
import org.keycloak.util.JWKSUtils;

/* loaded from: input_file:org/keycloak/keys/loader/OIDCIdentityProviderPublicKeyLoader.class */
/**
 * Supplies the public keys used to verify signatures for one OIDC identity provider.
 *
 * <p>Keys come from one of two places, selected by the provider configuration: the
 * provider's JWKS URL, or a single PEM-encoded public key stored in the configuration.
 */
public class OIDCIdentityProviderPublicKeyLoader implements PublicKeyLoader {
    private static final Logger logger = Logger.getLogger(OIDCIdentityProviderPublicKeyLoader.class);
    private final KeycloakSession session;
    private final OIDCIdentityProviderConfig config;

    /**
     * @param keycloakSession session handed to the JWKS HTTP request
     * @param oIDCIdentityProviderConfig identity-provider configuration the keys are read from
     */
    public OIDCIdentityProviderPublicKeyLoader(KeycloakSession keycloakSession, OIDCIdentityProviderConfig oIDCIdentityProviderConfig) {
        this.session = keycloakSession;
        this.config = oIDCIdentityProviderConfig;
    }

    /**
     * Loads the signature-verification keys for the configured identity provider.
     *
     * <p>The two sources fail differently. A failure while fetching or parsing the JWKS
     * document propagates to the caller. A failure while decoding the stored key is logged
     * at WARN level and reported as an empty map.
     *
     * @return keys indexed by key id; empty when no stored key is configured or it cannot be decoded
     * @throws Exception if the JWKS request or its conversion to key wrappers fails
     */
    public Map<String, KeyWrapper> loadKeys() throws Exception {
        if (!this.config.isUseJwksUrl()) {
            try {
                KeyWrapper storedKey = getSavedPublicKey();
                if (storedKey == null) {
                    return Collections.emptyMap();
                }
                return Collections.singletonMap(storedKey.getKid(), storedKey);
            } catch (Exception e) {
                // Deliberate best effort: an undecodable stored key yields "no keys" rather than an exception.
                // NOTE(review): presumably callers treat an empty map as "signature cannot be verified"; confirm.
                logger.warnf(e, "Unable to retrieve publicKey for verify signature of identityProvider '%s' . Error details: %s", this.config.getAlias(), e.getMessage());
                return Collections.emptyMap();
            }
        }
        // Only JWKs whose use is "sig" are requested, so keys published for other uses are not returned.
        return JWKSUtils.getKeyWrappersForUse(JWKSHttpUtils.sendJwksRequest(this.session, this.config.getJwksUrl()), JWK.Use.SIG);
    }

    /**
     * Builds a key wrapper from the PEM public key stored in the provider configuration.
     *
     * @return the wrapped key, or {@code null} (after a WARN log entry) when no key is stored
     * @throws Exception if the stored PEM text cannot be decoded
     */
    protected KeyWrapper getSavedPublicKey() throws Exception {
        String storedPem = this.config.getPublicKeySignatureVerifier();
        // NOTE(review): DEFAULT_SCOPE belongs to an unrelated social provider; it presumably stands in
        // for an inlined empty-string constant, making this a blank check. Confirm against that class.
        if (storedPem == null || storedPem.trim().equals(StackoverflowIdentityProvider.DEFAULT_SCOPE)) {
            logger.warnf("No public key saved on identityProvider %s", this.config.getAlias());
            return null;
        }

        PublicKey verifierKey = PemUtils.decodePublicKey(storedPem);

        // Prefer the configured key id; derive one from the key itself when it is missing or blank.
        String configuredKid = this.config.getPublicKeySignatureVerifierKeyId();
        String kid;
        if (configuredKid == null || configuredKid.trim().isEmpty()) {
            kid = KeyUtils.createKeyId(verifierKey);
        } else {
            kid = configuredKid;
        }

        KeyWrapper wrapper = new KeyWrapper();
        wrapper.setKid(kid);
        // NOTE(review): type and algorithm are fixed to RSA/RS256 without inspecting the decoded key,
        // so a stored key of another type would still be labelled RSA. Confirm that is intended.
        wrapper.setType("RSA");
        wrapper.setAlgorithm("RS256");
        wrapper.setUse(KeyUse.SIG);
        wrapper.setPublicKey(verifierKey);
        return wrapper;
    }
}
