package org.keycloak.services.x509;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilderException;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.common.crypto.CryptoIntegration;
import org.keycloak.common.util.PemException;
import org.keycloak.common.util.PemUtils;
import org.keycloak.http.HttpRequest;
import org.keycloak.protocol.docker.installation.compose.DockerCertFileUtils;

/* loaded from: input_file:org/keycloak/services/x509/NginxProxySslClientCertificateLookup.class */
public class NginxProxySslClientCertificateLookup extends AbstractClientCertificateFromHttpHeadersLookup {
    private static final Logger log = Logger.getLogger(NginxProxySslClientCertificateLookup.class);
    private final boolean isTruststoreLoaded;
    private final Set<X509Certificate> trustedRootCerts;
    private final Set<X509Certificate> intermediateCerts;

    public NginxProxySslClientCertificateLookup(String str, String str2, int i, Set<X509Certificate> set, Set<X509Certificate> set2, boolean z) {
        super(str, str2, i);
        Objects.requireNonNull(set, "requireNonNull intermediateCerts");
        Objects.requireNonNull(set2, "requireNonNull trustedRootCerts");
        this.intermediateCerts = set;
        this.trustedRootCerts = set2;
        this.isTruststoreLoaded = z;
        if (this.isTruststoreLoaded) {
            return;
        }
        log.warn("Keycloak Truststore is null or empty, but it's required for NGINX x509cert-lookup provider");
        log.warn("   see Keycloak documentation here : https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore");
    }

    private static String removeBeginEnd(String str) {
        return str.replace(DockerCertFileUtils.BEGIN_CERT, "").replace(DockerCertFileUtils.END_CERT, "").replace("\r\n", "").replace("\n", "").trim();
    }

    @Override // org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
    protected X509Certificate decodeCertificateFromPem(String str) throws PemException {
        if (str == null) {
            log.warn("End user TLS Certificate is NULL! ");
            return null;
        }
        try {
            str = URLDecoder.decode(str, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            log.error("Cannot URL decode the end user TLS Certificate : " + str, e);
        }
        if (str.startsWith(DockerCertFileUtils.BEGIN_CERT)) {
            str = removeBeginEnd(str);
        }
        return PemUtils.decodeCertificate(str);
    }

    @Override // org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup, org.keycloak.services.x509.X509ClientCertificateLookup
    public X509Certificate[] getCertificateChain(HttpRequest httpRequest) throws GeneralSecurityException {
        ArrayList arrayList = new ArrayList();
        X509Certificate certificateFromHttpHeader = getCertificateFromHttpHeader(httpRequest, this.sslClientCertHttpHeader);
        if (certificateFromHttpHeader != null) {
            log.debugf("End user certificate found : Subject DN=[%s]  SerialNumber=[%s]", certificateFromHttpHeader.getSubjectX500Principal(), certificateFromHttpHeader.getSerialNumber());
            X509Certificate[] buildChain = buildChain(certificateFromHttpHeader);
            if (buildChain == null || buildChain.length == 0) {
                log.info("Impossible to rebuild end user cert chain : client certificate authentication will fail.");
                arrayList.add(certificateFromHttpHeader);
            } else {
                for (X509Certificate x509Certificate : buildChain) {
                    arrayList.add(x509Certificate);
                    log.debugf("Rebuilded user cert chain DN : %s", x509Certificate.getSubjectX500Principal());
                }
            }
        }
        return (X509Certificate[]) arrayList.toArray(new X509Certificate[0]);
    }

    private X509Certificate[] buildChain(X509Certificate x509Certificate) {
        X509Certificate[] x509CertificateArr = new X509Certificate[0];
        try {
            try {
                try {
                } catch (CertPathBuilderException e) {
                    if (log.isEnabled(Logger.Level.TRACE)) {
                        log.debug(e.getLocalizedMessage(), e);
                    } else {
                        log.warn(e.getLocalizedMessage());
                    }
                    if (this.isTruststoreLoaded) {
                        this.intermediateCerts.remove(x509Certificate);
                    }
                }
            } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e2) {
                log.error(e2.getLocalizedMessage(), e2);
                if (this.isTruststoreLoaded) {
                    this.intermediateCerts.remove(x509Certificate);
                }
            }
            if (!this.isTruststoreLoaded) {
                log.warn("Keycloak Truststore is null, but it is required !");
                log.warn("  see https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore");
                if (this.isTruststoreLoaded) {
                    this.intermediateCerts.remove(x509Certificate);
                }
                return x509CertificateArr;
            }
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setCertificate(x509Certificate);
            HashSet hashSet = new HashSet();
            Iterator<X509Certificate> it = this.trustedRootCerts.iterator();
            while (it.hasNext()) {
                hashSet.add(new TrustAnchor(it.next(), null));
            }
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(hashSet, x509CertSelector);
            pKIXBuilderParameters.setRevocationEnabled(false);
            pKIXBuilderParameters.setExplicitPolicyRequired(false);
            pKIXBuilderParameters.setAnyPolicyInhibited(false);
            pKIXBuilderParameters.setPolicyQualifiersRejected(false);
            pKIXBuilderParameters.setMaxPathLength(this.certificateChainLength);
            this.intermediateCerts.add(x509Certificate);
            pKIXBuilderParameters.addCertStore(CryptoIntegration.getProvider().getCertStore(new CollectionCertStoreParameters(this.intermediateCerts)));
            CertPath certPath = CryptoIntegration.getProvider().getCertPathBuilder().build(pKIXBuilderParameters).getCertPath();
            log.debug("Certification path building OK, and contains " + certPath.getCertificates().size() + " X509 Certificates");
            x509CertificateArr = convertCertPathToX509CertArray(certPath);
            if (this.isTruststoreLoaded) {
                this.intermediateCerts.remove(x509Certificate);
            }
            return x509CertificateArr;
        } catch (Throwable th) {
            if (this.isTruststoreLoaded) {
                this.intermediateCerts.remove(x509Certificate);
            }
            throw th;
        }
    }

    private X509Certificate[] convertCertPathToX509CertArray(CertPath certPath) {
        X509Certificate[] x509CertificateArr = new X509Certificate[0];
        if (certPath == null) {
            return x509CertificateArr;
        }
        ArrayList arrayList = new ArrayList();
        for (Certificate certificate : certPath.getCertificates()) {
            if (certificate instanceof X509Certificate) {
                arrayList.add((X509Certificate) certificate);
            }
        }
        return (X509Certificate[]) arrayList.toArray(x509CertificateArr);
    }
}
