package org.keycloak.protocol.saml;

import java.security.PrivateKey;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.xml.security.encryption.EncryptedData;
import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.EncryptionMethod;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.KeyName;
import org.keycloak.common.util.DerUtils;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;

/* loaded from: input_file:org/keycloak/protocol/saml/SAMLDecryptionKeysLocator.class */
public class SAMLDecryptionKeysLocator implements XMLEncryptionUtil.DecryptionKeyLocator {
    private final KeycloakSession session;
    private final RealmModel realm;
    private final String requestedAlgorithm;

    public SAMLDecryptionKeysLocator(KeycloakSession keycloakSession, RealmModel realmModel, String str) {
        this.session = keycloakSession;
        this.realm = realmModel;
        this.requestedAlgorithm = str;
    }

    private List<String> getKeyNames(KeyInfo keyInfo) {
        LinkedList linkedList = new LinkedList();
        for (int i = 0; i < keyInfo.lengthKeyName(); i++) {
            try {
                KeyName itemKeyName = keyInfo.itemKeyName(i);
                if (itemKeyName != null) {
                    linkedList.add(itemKeyName.getKeyName());
                }
            } catch (XMLSecurityException e) {
                throw new IllegalStateException("Cannot load keyNames from document", e);
            }
        }
        return linkedList;
    }

    private Predicate<KeyWrapper> hasMatchingAlgorithm(String str) {
        SAMLEncryptionAlgorithms forXMLEncIdentifier = SAMLEncryptionAlgorithms.forXMLEncIdentifier(str);
        if (forXMLEncIdentifier == null) {
            throw new IllegalStateException("Keycloak does not support encryption keys for given algorithm: " + str);
        }
        return keyWrapper -> {
            return Objects.equals(keyWrapper.getAlgorithmOrDefault(), forXMLEncIdentifier.getKeycloakIdentifier());
        };
    }

    public List<PrivateKey> getKeys(EncryptedData encryptedData) {
        KeyInfo keyInfo = encryptedData.getKeyInfo();
        if (keyInfo == null) {
            throw new IllegalStateException("EncryptedData does not contain KeyInfo");
        }
        Stream filter = this.session.keys().getKeysStream(this.realm).filter(keyWrapper -> {
            return keyWrapper.getStatus().isEnabled() && KeyUse.ENC.equals(keyWrapper.getUse());
        });
        if (this.requestedAlgorithm != null && !this.requestedAlgorithm.trim().isEmpty()) {
            filter = filter.filter(keyWrapper2 -> {
                return Objects.equals(keyWrapper2.getAlgorithmOrDefault(), this.requestedAlgorithm);
            });
        }
        if (keyInfo.containsKeyName()) {
            List<String> keyNames = getKeyNames(keyInfo);
            filter = filter.filter(keyWrapper3 -> {
                return keyNames.contains(keyWrapper3.getKid());
            });
        }
        try {
            EncryptedKey itemEncryptedKey = keyInfo.itemEncryptedKey(0);
            if (itemEncryptedKey != null) {
                EncryptionMethod encryptionMethod = itemEncryptedKey.getEncryptionMethod();
                if (encryptionMethod == null) {
                    throw new IllegalArgumentException("KeyInfo does not contain encryption method");
                }
                String algorithm = encryptionMethod.getAlgorithm();
                if (algorithm == null) {
                    throw new IllegalArgumentException("Not able to find algorithm for given encryption method");
                }
                filter = filter.filter(hasMatchingAlgorithm(algorithm));
            }
            return (List) filter.map((v0) -> {
                return v0.getPrivateKey();
            }).map((v0) -> {
                return v0.getEncoded();
            }).map(bArr -> {
                try {
                    return DerUtils.decodePrivateKey(bArr);
                } catch (Exception e) {
                    throw new RuntimeException("Could not decode private key.", e);
                }
            }).collect(Collectors.toList());
        } catch (XMLSecurityException e) {
            throw new IllegalArgumentException("EncryptedData does not contain KeyInfo ", e);
        }
    }
}
