package org.keycloak.keys;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.EdECPrivateKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.SecretKey;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.KeystoreUtil;
import org.keycloak.component.ComponentModel;
import org.keycloak.crypto.EcdhEsA128KwCekManagementProviderFactory;
import org.keycloak.crypto.EcdhEsA192KwCekManagementProviderFactory;
import org.keycloak.crypto.EcdhEsA256KwCekManagementProviderFactory;
import org.keycloak.crypto.EcdhEsCekManagementProviderFactory;
import org.keycloak.crypto.JavaAlgorithm;
import org.keycloak.crypto.KeyStatus;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.RsaesOaep256CekManagementProviderFactory;
import org.keycloak.crypto.RsaesOaepCekManagementProviderFactory;
import org.keycloak.crypto.RsaesPkcs1CekManagementProviderFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.OIDCProviderConfig;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;
import org.keycloak.vault.VaultTranscriber;

/* loaded from: input_file:org/keycloak/keys/JavaKeystoreKeyProvider.class */
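public class JavaKeystoreKeyProvider implements KeyProvider {
    /** Fixed message signed and verified once per load to prove the certificate's public key belongs to the private key. */
    private static final byte[] KEY_PAIR_PROBE = "keycloak-java-keystore-key-provider".getBytes(StandardCharsets.UTF_8);

    private final KeyStatus status;
    private final ComponentModel model;
    private final VaultTranscriber vault;
    private final KeyWrapper key;
    private final String algorithm;

    /**
     * Key provider backed by a single entry of a file-based Java keystore.
     *
     * <p>The keystore path, type, passwords and alias are read from the component configuration
     * (see the {@code JavaKeystoreKeyProviderFactory} keys). Passwords may be vault references; they are
     * resolved through the {@link VaultTranscriber}. The resulting {@link KeyWrapper} is loaded on the first
     * cache miss and attached to the component notes, so later instances for the same component skip the
     * keystore entirely.
     *
     * @param realmModel       realm the component belongs to (not used by the loading logic in this class)
     * @param componentModel   component configuration holding keystore location, credentials and key metadata
     * @param vaultTranscriber resolves vault references in the configured passwords
     * @throws RuntimeException when the keystore cannot be opened or the configured entry is not usable
     */
    public JavaKeystoreKeyProvider(RealmModel realmModel, ComponentModel componentModel, VaultTranscriber vaultTranscriber) {
        this.model = componentModel;
        this.vault = vaultTranscriber;
        this.status = KeyStatus.from(componentModel.get(Attributes.ACTIVE_KEY, true), componentModel.get(Attributes.ENABLED_KEY, true));
        // The default algorithm follows the configured use: RSA-OAEP for encryption keys, RS256 for everything else.
        boolean encryptionUse = KeyUse.ENC.name().equalsIgnoreCase(componentModel.get(Attributes.KEY_USE));
        this.algorithm = componentModel.get("algorithm", encryptionUse ? RsaesOaepCekManagementProviderFactory.ID : "RS256");
        // Only hit the filesystem on a cache miss; the loaded wrapper is memoised on the component notes.
        KeyWrapper cached = KeyNoteUtils.retrieveKeyFromNotes(componentModel, KeyWrapper.class.getName());
        if (cached == null) {
            cached = loadKey(realmModel, componentModel);
            KeyNoteUtils.attachKeyNotes(componentModel, KeyWrapper.class.getName(), cached);
        }
        this.key = cached;
    }

    /**
     * Opens the configured keystore file and loads the entry named by the configured alias for the
     * configured algorithm.
     *
     * <p>Every checked failure is translated into a {@link RuntimeException} carrying a short, category-level
     * message plus the original cause, so callers see a single exception type.
     *
     * @param realmModel     unused; kept for the overridable signature
     * @param componentModel component configuration (keystore path and alias are read from it)
     * @return the loaded key wrapped with its metadata
     * @throws RuntimeException for a missing file, I/O or keystore errors, an unusable entry, or an
     *                          unsupported algorithm
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public KeyWrapper loadKey(RealmModel realmModel, ComponentModel componentModel) {
        String keystorePath = componentModel.get(JavaKeystoreKeyProviderFactory.KEYSTORE_KEY);
        String alias = componentModel.get(JavaKeystoreKeyProviderFactory.KEY_ALIAS_KEY);
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            KeyStore keyStore = loadKeyStore(in, keystorePath);
            return loadKeyForAlgorithm(keyStore, alias);
        } catch (FileNotFoundException e) {
            throw new RuntimeException("File not found on server. " + e.getMessage(), e);
        } catch (IOException e) {
            throw new RuntimeException("IO error on server. " + e.getMessage(), e);
        } catch (KeyStoreException e) {
            throw new RuntimeException("KeyStore error on server. " + e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Algorithm not available on server. " + e.getMessage(), e);
        } catch (UnrecoverableKeyException e) {
            throw new RuntimeException("Key in the keystore cannot be recovered. " + e.getMessage(), e);
        } catch (CertificateException e) {
            throw new RuntimeException("Certificate error on server. " + e.getMessage(), e);
        } catch (GeneralSecurityException e) {
            // NOTE(review): nothing in this class validates the certificate chain; this message is kept for
            // compatibility but only fires for GeneralSecurityExceptions not matched above.
            throw new RuntimeException("Invalid certificate chain. Check the order of certificates.", e);
        }
    }

    /**
     * Dispatches on the configured algorithm to the loader for the matching keystore entry type.
     *
     * <p>JWS algorithms (PS*, RS*, ES*, EdDSA, HS*) yield {@link KeyUse#SIG} keys; JWE key-management
     * algorithms (RSA-OAEP family, RSA1_5, ECDH-ES family, AES) yield {@link KeyUse#ENC} keys. HS* and AES
     * are symmetric and read a {@code SecretKeyEntry}; all others read a {@code PrivateKeyEntry}.
     *
     * @param keyStore opened keystore
     * @param alias    entry alias to load
     * @return the loaded key
     * @throws GeneralSecurityException when the entry is missing or does not fit the algorithm
     * @throws RuntimeException         when the algorithm is not one this provider supports
     */
    private KeyWrapper loadKeyForAlgorithm(KeyStore keyStore, String alias) throws GeneralSecurityException {
        switch (this.algorithm) {
            case "PS256":
            case "PS384":
            case "PS512":
            case "RS256":
            case "RS384":
            case "RS512":
                return loadRSAKey(keyStore, alias, KeyUse.SIG);
            case RsaesOaepCekManagementProviderFactory.ID:
            case RsaesPkcs1CekManagementProviderFactory.ID:
            case RsaesOaep256CekManagementProviderFactory.ID:
                return loadRSAKey(keyStore, alias, KeyUse.ENC);
            case "ES256":
            case "ES384":
            case "ES512":
                return loadECKey(keyStore, alias, KeyUse.SIG);
            case EcdhEsCekManagementProviderFactory.ID:
            case EcdhEsA128KwCekManagementProviderFactory.ID:
            case EcdhEsA192KwCekManagementProviderFactory.ID:
            case EcdhEsA256KwCekManagementProviderFactory.ID:
                return loadECKey(keyStore, alias, KeyUse.ENC);
            case "EdDSA":
                return loadEdDSAKey(keyStore, alias, KeyUse.SIG);
            case "AES":
                return loadOctKey(keyStore, alias, JavaAlgorithm.getJavaAlgorithm(this.algorithm), KeyUse.ENC);
            case "HS256":
            case "HS384":
            case "HS512":
                return loadOctKey(keyStore, alias, JavaAlgorithm.getJavaAlgorithm(this.algorithm), KeyUse.SIG);
            default:
                throw new RuntimeException(String.format("Keys for algorithm %s are not supported.", this.algorithm));
        }
    }

    /**
     * Instantiates and loads the keystore from the open stream.
     *
     * <p>The keystore type comes from the configuration, falling back to a type derived from the file name and
     * finally to {@code JKS} (the decision is made by {@code KeystoreUtil.getKeystoreType}). The password is
     * resolved through the vault and the local char[] is zeroed after use.
     *
     * @param in           open stream positioned at the start of the keystore file
     * @param keystorePath file path, used only for type detection
     * @return the loaded keystore
     */
    private KeyStore loadKeyStore(FileInputStream in, String keystorePath) throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
        String type = KeystoreUtil.getKeystoreType(this.model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_TYPE_KEY), keystorePath, "JKS");
        KeyStore keyStore = KeyStore.getInstance(type);
        char[] password = resolveSecret(this.model.get(JavaKeystoreKeyProviderFactory.KEYSTORE_PASSWORD_KEY));
        try {
            keyStore.load(in, password);
        } finally {
            Arrays.fill(password, '\0');
        }
        return keyStore;
    }

    /**
     * Resolves a configured password through the vault transcriber: the vault's value is used when it
     * yields one, otherwise the configured string is used verbatim.
     *
     * <p>Returns a fresh char[] that the caller should zero once it is no longer needed. The backing String
     * cannot be scrubbed. NOTE(review): the object returned by {@code getStringSecret} is not closed here;
     * if it is {@code AutoCloseable} in this Keycloak version it should be opened in try-with-resources so the
     * vault can clear its own copy of the secret.
     *
     * @param configured configured password or vault reference
     * @return the resolved password as a mutable char[]
     */
    private char[] resolveSecret(String configured) {
        String resolved = this.vault.getStringSecret(configured).get().orElse(configured);
        return resolved.toCharArray();
    }

    /**
     * Rejects a configured {@code KEY_USE} that contradicts the use implied by the algorithm.
     *
     * @param keyUse use implied by the configured algorithm
     * @throws UnrecoverableKeyException when a different use is explicitly configured
     */
    private void checkUsage(KeyUse keyUse) throws GeneralSecurityException {
        String configuredUse = this.model.get(Attributes.KEY_USE);
        boolean usesMatch = configuredUse == null || keyUse.name().equalsIgnoreCase(configuredUse);
        if (!usesMatch) {
            throw new UnrecoverableKeyException(String.format("Invalid use %s for algorithm %s.", configuredUse, this.algorithm));
        }
    }

    /**
     * Narrows a keystore certificate to {@link X509Certificate}.
     *
     * @param certificate certificate from the entry, possibly null
     * @return the same object typed as an X.509 certificate
     * @throws UnrecoverableKeyException when the certificate is null or of another type
     */
    private X509Certificate checkCertificate(Certificate certificate) throws GeneralSecurityException {
        if (certificate instanceof X509Certificate) {
            return (X509Certificate) certificate;
        }
        String type = certificate == null ? null : certificate.getType();
        throw new UnrecoverableKeyException(String.format("Invalid %s certificate in the entry.", type));
    }

    /**
     * Reads the entry for {@code alias} using the configured key password and checks it is of the expected
     * entry class. Both the local password copy and the {@code PasswordProtection} clone are scrubbed.
     *
     * @param keyStore  opened keystore
     * @param alias     entry alias
     * @param entryType expected entry class ({@code PrivateKeyEntry} or {@code SecretKeyEntry})
     * @param keyUse    use implied by the algorithm, validated against the configuration first
     * @return the entry cast to {@code entryType}
     * @throws UnrecoverableKeyException when the use is inconsistent, the alias is absent, or the entry has
     *                                   another type
     */
    private <K extends KeyStore.Entry> K checkKeyEntry(KeyStore keyStore, String alias, Class<K> entryType, KeyUse keyUse) throws GeneralSecurityException {
        checkUsage(keyUse);
        char[] keyPassword = resolveSecret(this.model.get(JavaKeystoreKeyProviderFactory.KEY_PASSWORD_KEY));
        KeyStore.PasswordProtection protection = new KeyStore.PasswordProtection(keyPassword);
        KeyStore.Entry entry;
        try {
            entry = keyStore.getEntry(alias, protection);
        } finally {
            Arrays.fill(keyPassword, '\0');
            protection.destroy();
        }
        if (entry == null) {
            throw new UnrecoverableKeyException(String.format("Alias %s does not exists in the keystore.", alias));
        }
        if (!entryType.isInstance(entry)) {
            throw new UnrecoverableKeyException(String.format("Invalid %s key for alias %s. Key is not %s.", this.algorithm, alias, entryType.getSimpleName()));
        }
        return entryType.cast(entry);
    }

    /**
     * Narrows a key to the expected class and, when {@code expectedAlgorithm} is given, checks the key's
     * JCA algorithm name matches it (case-insensitively).
     *
     * @param key               key from the entry
     * @param alias             alias, for the error message
     * @param keyType           expected key interface
     * @param expectedAlgorithm JCA algorithm name to require, or null to skip the name check
     * @return the key cast to {@code keyType}
     * @throws NoSuchAlgorithmException when the class or algorithm does not match
     */
    private <K extends Key> K checkKey(Key key, String alias, Class<K> keyType, String expectedAlgorithm) throws GeneralSecurityException {
        boolean algorithmMatches = expectedAlgorithm == null || expectedAlgorithm.equalsIgnoreCase(key.getAlgorithm());
        if (keyType.isInstance(key) && algorithmMatches) {
            return keyType.cast(key);
        }
        throw new NoSuchAlgorithmException(String.format("Invalid %s key for alias %s. Algorithm is %s.", this.algorithm, alias, key.getAlgorithm()));
    }

    /**
     * Proves the certificate's public key and the entry's private key form a pair via a sign/verify round
     * trip. Without this, a keystore whose certificate was replaced or imported against the wrong key would
     * be published (JWKS, encryption) while nothing signed or encrypted with it could ever be verified or
     * decrypted.
     *
     * @param keyPair            public key from the certificate and private key from the entry
     * @param signatureAlgorithm JCA signature algorithm suited to the key type
     * @param alias              alias, for the error message
     * @throws UnrecoverableKeyException when the keys do not correspond
     * @throws NoSuchAlgorithmException  when the signature algorithm is not available
     */
    private void checkKeyPair(KeyPair keyPair, String signatureAlgorithm, String alias) throws GeneralSecurityException {
        try {
            Signature signer = Signature.getInstance(signatureAlgorithm);
            signer.initSign(keyPair.getPrivate());
            signer.update(KEY_PAIR_PROBE);
            byte[] probeSignature = signer.sign();
            Signature verifier = Signature.getInstance(signatureAlgorithm);
            verifier.initVerify(keyPair.getPublic());
            verifier.update(KEY_PAIR_PROBE);
            if (verifier.verify(probeSignature)) {
                return;
            }
        } catch (InvalidKeyException | SignatureException e) {
            UnrecoverableKeyException mismatch = new UnrecoverableKeyException(String.format("Certificate for alias %s does not match its private key: %s", alias, e.getMessage()));
            mismatch.initCause(e);
            throw mismatch;
        }
        throw new UnrecoverableKeyException(String.format("Certificate for alias %s does not match its private key.", alias));
    }

    /**
     * Loads a symmetric key from a {@code SecretKeyEntry}.
     *
     * @param keyStore      opened keystore
     * @param alias         entry alias
     * @param javaAlgorithm JCA algorithm name the secret key must carry
     * @param keyUse        SIG for HS*, ENC for AES
     */
    private KeyWrapper loadOctKey(KeyStore keyStore, String alias, String javaAlgorithm, KeyUse keyUse) throws GeneralSecurityException {
        KeyStore.SecretKeyEntry entry = checkKeyEntry(keyStore, alias, KeyStore.SecretKeyEntry.class, keyUse);
        SecretKey secretKey = checkKey(entry.getSecretKey(), alias, SecretKey.class, javaAlgorithm);
        return createKeyWrapper(secretKey, keyUse);
    }

    /**
     * Loads an Ed25519/Ed448 key pair from a {@code PrivateKeyEntry}. The curve name is validated through
     * {@code JavaAlgorithm.getJavaAlgorithmForHash}, whose failure (a RuntimeException) is reported as an
     * unrecoverable key.
     */
    private KeyWrapper loadEdDSAKey(KeyStore keyStore, String alias, KeyUse keyUse) throws GeneralSecurityException {
        KeyStore.PrivateKeyEntry entry = checkKeyEntry(keyStore, alias, KeyStore.PrivateKeyEntry.class, keyUse);
        EdECPrivateKey privateKey = checkKey(entry.getPrivateKey(), alias, EdECPrivateKey.class, null);
        X509Certificate certificate = checkCertificate(entry.getCertificate());
        String curve = privateKey.getParams().getName();
        try {
            JavaAlgorithm.getJavaAlgorithmForHash("EdDSA", curve);
        } catch (RuntimeException e) {
            throw new UnrecoverableKeyException(String.format("Invalid EdDSA curve for alias %s. Curve algorithm is %s.", alias, curve));
        }
        KeyPair keyPair = new KeyPair(certificate.getPublicKey(), privateKey);
        checkKeyPair(keyPair, "EdDSA", alias);
        return createKeyWrapper(keyPair, certificate, loadCertificateChain(entry), "OKP", keyUse, curve);
    }

    /**
     * Loads an EC key pair from a {@code PrivateKeyEntry}. The curve is not recorded on the wrapper
     * (the original passes null); callers derive it from the algorithm.
     */
    private KeyWrapper loadECKey(KeyStore keyStore, String alias, KeyUse keyUse) throws GeneralSecurityException {
        KeyStore.PrivateKeyEntry entry = checkKeyEntry(keyStore, alias, KeyStore.PrivateKeyEntry.class, keyUse);
        ECPrivateKey privateKey = checkKey(entry.getPrivateKey(), alias, ECPrivateKey.class, null);
        X509Certificate certificate = checkCertificate(entry.getCertificate());
        KeyPair keyPair = new KeyPair(certificate.getPublicKey(), privateKey);
        checkKeyPair(keyPair, "SHA256withECDSA", alias);
        return createKeyWrapper(keyPair, certificate, loadCertificateChain(entry), "EC", keyUse, null);
    }

    /**
     * Loads an RSA key pair from a {@code PrivateKeyEntry}. The private key must be in CRT form.
     */
    private KeyWrapper loadRSAKey(KeyStore keyStore, String alias, KeyUse keyUse) throws GeneralSecurityException {
        KeyStore.PrivateKeyEntry entry = checkKeyEntry(keyStore, alias, KeyStore.PrivateKeyEntry.class, keyUse);
        RSAPrivateCrtKey privateKey = checkKey(entry.getPrivateKey(), alias, RSAPrivateCrtKey.class, null);
        X509Certificate certificate = checkCertificate(entry.getCertificate());
        KeyPair keyPair = new KeyPair(certificate.getPublicKey(), privateKey);
        checkKeyPair(keyPair, "SHA256withRSA", alias);
        return createKeyWrapper(keyPair, certificate, loadCertificateChain(entry), "RSA", keyUse, null);
    }

    /**
     * Collects the entry's certificate chain as X.509 certificates, in keystore order.
     *
     * <p>Each element goes through {@link #checkCertificate} so a null or non-X.509 element surfaces as an
     * {@link UnrecoverableKeyException} instead of a ClassCastException that would escape loadKey's handlers.
     * The returned list is mutable because createKeyWrapper may prepend the end-entity certificate.
     * NOTE(review): chain order and validity (signatures, expiry, path to a trust anchor) are not checked
     * anywhere in this class.
     *
     * @param entry private key entry
     * @return mutable list of certificates; empty when the entry has no chain
     */
    private List<X509Certificate> loadCertificateChain(KeyStore.PrivateKeyEntry entry) throws GeneralSecurityException {
        List<X509Certificate> chain = new ArrayList<>();
        Certificate[] raw = entry.getCertificateChain();
        if (raw == null) {
            return chain;
        }
        for (Certificate certificate : raw) {
            chain.add(checkCertificate(certificate));
        }
        return chain;
    }

    /** Populates the metadata shared by asymmetric and symmetric wrappers (provider, priority, use, type, algorithm, status). */
    private KeyWrapper newWrapper(String type, KeyUse keyUse) {
        KeyWrapper wrapper = new KeyWrapper();
        wrapper.setProviderId(this.model.getId());
        wrapper.setProviderPriority(this.model.get(Attributes.PRIORITY_KEY, 0L));
        wrapper.setUse(keyUse);
        wrapper.setType(type);
        wrapper.setAlgorithm(this.algorithm);
        wrapper.setStatus(this.status);
        return wrapper;
    }

    /**
     * Builds the wrapper for an asymmetric key.
     *
     * <p>The kid is the configured {@code kid} when present, otherwise one derived from the public key by
     * {@code KeyUtils.createKeyId}. The chain is only attached when non-empty; if the end-entity certificate
     * is not already its first element it is prepended so the chain starts with the leaf.
     *
     * @param keyPair     public key from the certificate plus the private key
     * @param certificate end-entity certificate
     * @param chain       mutable chain from the keystore, possibly empty
     * @param type        JWK key type ({@code RSA}, {@code EC}, {@code OKP})
     * @param keyUse      SIG or ENC
     * @param curve       curve name for OKP keys, null otherwise
     */
    private KeyWrapper createKeyWrapper(KeyPair keyPair, X509Certificate certificate, List<X509Certificate> chain, String type, KeyUse keyUse, String curve) {
        KeyWrapper wrapper = newWrapper(type, keyUse);
        String configuredKid = this.model.get("kid");
        wrapper.setKid(configuredKid != null ? configuredKid : KeyUtils.createKeyId(keyPair.getPublic()));
        wrapper.setCurve(curve);
        wrapper.setPrivateKey(keyPair.getPrivate());
        wrapper.setPublicKey(keyPair.getPublic());
        wrapper.setCertificate(certificate);
        if (!chain.isEmpty()) {
            boolean leafLeadsChain = certificate == null || certificate.equals(chain.get(0));
            if (!leafLeadsChain) {
                chain.add(0, certificate);
            }
            wrapper.setCertificateChain(chain);
        }
        return wrapper;
    }

    /**
     * Builds the wrapper for a symmetric ({@code OCT}) key.
     *
     * <p>The kid is the configured {@code kid} or, failing that, a value from
     * {@code KeycloakModelUtils.generateId()} — presumably random, so an unconfigured kid changes on every
     * reload rather than being derived from the key material.
     */
    private KeyWrapper createKeyWrapper(SecretKey secretKey, KeyUse keyUse) {
        KeyWrapper wrapper = newWrapper("OCT", keyUse);
        wrapper.setKid(this.model.get("kid", KeycloakModelUtils.generateId()));
        wrapper.setSecretKey(secretKey);
        return wrapper;
    }

    /** This provider exposes exactly the one key loaded in the constructor. */
    public Stream<KeyWrapper> getKeysStream() {
        return Stream.of(this.key);
    }
}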
