package io.quarkus.oidc.runtime;

import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.runtime.util.ClassPathUtils;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import org.jboss.logging.Logger;
import org.jose4j.keys.X509Util;

/* loaded from: input_file:io/quarkus/oidc/runtime/TrustStoreUtils.class */
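/**
 * Helpers for reading a truststore and collecting the SHA-256 thumbprints of the
 * certificates it trusts.
 *
 * <p>Only trusted-certificate entries contribute thumbprints. Private-key entries
 * (and their certificate chains) are ignored, so a keystore that mixes both kinds
 * of entry does not widen the trusted set.
 */
public class TrustStoreUtils {
    private static final Logger LOGGER = Logger.getLogger(TrustStoreUtils.class.getName());

    /**
     * Loads the keystore at {@code path} and returns the thumbprints of its trusted certificates.
     *
     * <p>The classpath is consulted first: a classpath resource with the same name takes
     * precedence over a file at {@code path}. Deployments that expect the file-system copy
     * to be authoritative should make sure no resource of that name is packaged.
     *
     * @param path keystore location, resolved against the classpath and then the file system
     * @param str keystore password; must not be {@code null}
     * @param optional alias of the single entry to read; when empty every alias is examined
     * @param optional2 passed to {@code OidcCommonUtils.getKeyStoreType} together with {@code path}
     *        (presumably an explicit keystore type; confirm against that helper)
     * @return a non-empty set of certificate thumbprints
     * @throws RuntimeException if the keystore cannot be found or loaded, or yields no
     *         trusted certificate
     */
    public static Set<String> getTrustedCertificateThumbprints(Path path, String str, Optional<String> optional, Optional<String> optional2) {
        URL resource = Thread.currentThread().getContextClassLoader().getResource(ClassPathUtils.toResourceName(path));
        if (resource != null) {
            return readTrustStore(path, resource, str, optional, optional2);
        }
        if (!Files.exists(path)) {
            LOGGER.errorf("Keystore %s can not be found on the classpath and the file system", path.toUri());
            throw new RuntimeException("Keystore " + path.toUri() + " can not be found on the classpath and the file system");
        }
        try {
            return readTrustStore(path, path.toUri().toURL(), str, optional, optional2);
        } catch (MalformedURLException e) {
            LOGGER.errorf("Keystore %s location is not a valid URL", path.toUri());
            throw new RuntimeException("Keystore " + path.toUri() + " location is not a valid URL", e);
        }
    }

    /**
     * Opens {@code url}, loads it as a keystore and collects the thumbprints of the selected entries.
     *
     * @param path original keystore path, used only to determine the keystore type
     * @param url location the keystore bytes are read from
     * @param password keystore password
     * @param alias single alias to read, or empty to read every alias
     * @param type forwarded to {@code OidcCommonUtils.getKeyStoreType}
     * @return a non-empty set of certificate thumbprints
     */
    private static Set<String> readTrustStore(Path path, URL url, String password, Optional<String> alias, Optional<String> type) {
        Set<String> thumbprints = new HashSet<>();
        try (InputStream in = url.openStream()) {
            KeyStore keyStore = KeyStore.getInstance(OidcCommonUtils.getKeyStoreType(type, path));
            // A password is always supplied, so the store's integrity check is performed by
            // providers that implement one; a null password fails here instead of skipping it.
            keyStore.load(in, password.toCharArray());
            if (alias.isPresent()) {
                addThumbprints(keyStore, thumbprints, alias.get());
            } else {
                Enumeration<String> aliases = keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    addThumbprints(keyStore, thumbprints, aliases.nextElement());
                }
            }
        } catch (IOException e) {
            LOGGER.errorf("Keystore %s can not be loaded", url.toString());
            throw new RuntimeException("Keystore " + url + " can not be loaded", e);
        } catch (Exception e) {
            LOGGER.errorf("Keystore %s entries can not be loaded", url.toString());
            throw new RuntimeException("Keystore " + url + " entries can not be loaded", e);
        }
        // Checked outside the try block so the failure is logged once and is not re-wrapped
        // by the generic handler above. An empty result is an error, never "trust nothing".
        if (thumbprints.isEmpty()) {
            LOGGER.errorf("Keystore %s entries can not be loaded", url.toString());
            throw new RuntimeException("Keystore " + url + " contains no trusted certificate entries");
        }
        return thumbprints;
    }

    /**
     * Adds the thumbprint of the certificate stored under {@code alias}, if that alias names a
     * trusted-certificate entry.
     *
     * <p>The entry kind is tested with {@code isCertificateEntry} rather than
     * {@code getEntry(alias, null)}: the latter throws {@code UnrecoverableKeyException} for a
     * key entry when no protection parameter is given, which would abort the whole scan of a
     * keystore that also holds private keys.
     *
     * @throws Exception on keystore access errors, or {@code ClassCastException} if the trusted
     *         certificate is not an X.509 certificate
     */
    private static void addThumbprints(KeyStore keyStore, Set<String> thumbprints, String alias) throws Exception {
        if (keyStore.isCertificateEntry(alias)) {
            thumbprints.add(calculateThumprint((X509Certificate) keyStore.getCertificate(alias)));
        }
    }

    /**
     * Returns the certificate's SHA-256 thumbprint as produced by jose4j's
     * {@code X509Util.x5tS256} (the form used by the JOSE {@code x5t#S256} parameter).
     *
     * @param x509Certificate certificate to fingerprint
     * @return the thumbprint string
     */
    public static String calculateThumprint(X509Certificate x509Certificate) {
        return X509Util.x5tS256(x509Certificate);
    }
}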
