package org.keycloak.protocol.oidc.utils;

import jakarta.ws.rs.core.Response;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.regex.Pattern;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.crypto.SHA256HashProviderFactory;
import org.keycloak.events.EventBuilder;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.cors.Cors;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/protocol/oidc/utils/PkceUtils.class */
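/**
 * Helpers for PKCE (RFC 7636): creating code verifiers, deriving code challenges from them, and
 * checking the verifier presented at the token endpoint against the challenge recorded during
 * authorization.
 *
 * <p>NOTE(review): this listing is decompiler output. The string switches and
 * {@link #verifyCodeVerifier} were rebuilt by hand from the emitted code and the instruction dump;
 * compare against the upstream source before relying on exact behaviour.
 */
public class PkceUtils {
    private static final Logger logger = Logger.getLogger(PkceUtils.class);

    /** Characters accepted in a code verifier: ASCII letters, digits, and {@code - . ~ _}. */
    private static final Pattern VALID_CODE_VERIFIER_PATTERN = Pattern.compile("^[0-9a-zA-Z\\-\\.~_]+$");

    /** Shortest code verifier accepted by {@link #isValidPkceCodeVerifier}. */
    private static final int MIN_CODE_VERIFIER_LENGTH = 43;

    /** Longest code verifier accepted by {@link #isValidPkceCodeVerifier}. */
    private static final int MAX_CODE_VERIFIER_LENGTH = 128;

    /**
     * Creates a new random code verifier from 64 bytes obtained from {@link SecretGenerator}.
     *
     * @return the Base64Url encoding of the random bytes
     */
    public static String generateCodeVerifier() {
        // NOTE(review): 64 bytes presumably encode to 86 characters, inside the 43..128 range
        // checked below; confirm that Base64Url.encode emits no padding.
        return Base64Url.encode(SecretGenerator.getInstance().randomBytes(64));
    }

    /**
     * Derives the code challenge for a verifier.
     *
     * <p>Only {@code S256} hashes the verifier. Every other non-null method value, including ones
     * that are not a defined PKCE method, yields the verifier itself (the {@code plain}
     * transformation), so callers should pass only a method they have already validated.
     *
     * @param codeVerifier the code verifier
     * @param codeChallengeMethod the PKCE challenge method
     * @return the code challenge, or {@code null} when the method is {@code null} or hashing fails
     */
    public static String encodeCodeChallenge(String codeVerifier, String codeChallengeMethod) {
        if (codeChallengeMethod == null) {
            return null;
        }
        try {
            if (codeChallengeMethod.equals(OIDCLoginProtocol.PKCE_METHOD_S256)) {
                return generateS256CodeChallenge(codeVerifier);
            }
            return codeVerifier;
        } catch (Exception e) {
            return null;
        }
    }

    /**
     * Computes the {@code S256} code challenge: the Base64Url encoding of the digest of the
     * verifier's ISO-8859-1 bytes.
     *
     * @param codeVerifier the code verifier to hash
     * @return the encoded digest
     * @throws Exception if the digest algorithm is unavailable or {@code codeVerifier} is null
     */
    public static String generateS256CodeChallenge(String codeVerifier) throws Exception {
        // NOTE(review): SHA256HashProviderFactory.ID is presumably the JCA name "SHA-256"; confirm.
        MessageDigest messageDigest = MessageDigest.getInstance(SHA256HashProviderFactory.ID);
        messageDigest.update(codeVerifier.getBytes(StandardCharsets.ISO_8859_1));
        return Base64Url.encode(messageDigest.digest());
    }

    /**
     * Checks a code verifier against a code challenge for the given method.
     *
     * @param codeVerifier the presented code verifier
     * @param codeChallenge the expected code challenge
     * @param codeChallengeMethod {@code S256} or {@code plain}
     * @return {@code true} only when the method is one of the two known values and the challenge
     *     derived from the verifier equals {@code codeChallenge}; {@code false} for any other
     *     method, any {@code null} argument, or a hashing failure
     */
    public static boolean validateCodeChallenge(String codeVerifier, String codeChallenge, String codeChallengeMethod) {
        if (codeChallengeMethod == null) {
            return false;
        }
        try {
            if (codeChallengeMethod.equals(OIDCLoginProtocol.PKCE_METHOD_S256)) {
                return constantTimeEquals(generateS256CodeChallenge(codeVerifier), codeChallenge);
            }
            if (codeChallengeMethod.equals(OIDCLoginProtocol.PKCE_METHOD_PLAIN)) {
                return constantTimeEquals(codeVerifier, codeChallenge);
            }
            return false;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Token-endpoint check for a client that must use PKCE: a code verifier is mandatory and is
     * then verified against the stored challenge.
     *
     * @param codeVerifier the code verifier from the token request, may be {@code null}
     * @param codeChallenge the code challenge recorded at authorization time
     * @param codeChallengeMethod the challenge method recorded at authorization time
     * @param str4 not read by this class; forwarded unchanged
     * @param str5 not read by this class; forwarded unchanged
     * @param eventBuilder receives the failure reason and error code
     * @param cors passed to the error response
     * @throws CorsErrorResponseException ({@code invalid_grant}, 400) when the verifier is missing
     *     or verification fails
     */
    public static void checkParamsForPkceEnforcedClient(String codeVerifier, String codeChallenge, String codeChallengeMethod, String str4, String str5, EventBuilder eventBuilder, Cors cors) {
        if (codeVerifier == null) {
            String message = "PKCE code verifier not specified";
            throw reject(eventBuilder, cors, "code_verifier_missing", message, message);
        }
        verifyCodeVerifier(codeVerifier, codeChallenge, codeChallengeMethod, str4, str5, eventBuilder, cors);
    }

    /**
     * Token-endpoint check for a client where PKCE is optional. Challenge and verifier must be
     * either both present (the verifier is then verified) or both absent (nothing is checked).
     *
     * @param codeVerifier the code verifier from the token request, may be {@code null}
     * @param codeChallenge the code challenge recorded at authorization time, may be {@code null}
     * @param codeChallengeMethod the challenge method recorded at authorization time
     * @param str4 not read by this class; forwarded unchanged
     * @param str5 not read by this class; forwarded unchanged
     * @param eventBuilder receives the failure reason and error code
     * @param cors passed to the error response
     * @throws CorsErrorResponseException ({@code invalid_grant}, 400) when only one of the two
     *     values is present or verification fails
     */
    public static void checkParamsForPkceNotEnforcedClient(String codeVerifier, String codeChallenge, String codeChallengeMethod, String str4, String str5, EventBuilder eventBuilder, Cors cors) {
        if (codeChallenge != null && codeVerifier == null) {
            String message = "PKCE code verifier not specified";
            throw reject(eventBuilder, cors, "code_verifier_missing", message, message);
        }
        if (codeChallenge == null && codeVerifier != null) {
            // A verifier without a recorded challenge is rejected instead of being ignored.
            String message = "PKCE code verifier specified but challenge not present in authorization";
            throw reject(eventBuilder, cors, "invalid_code_verifier", message, message);
        }
        if (codeChallenge != null) {
            verifyCodeVerifier(codeVerifier, codeChallenge, codeChallengeMethod, str4, str5, eventBuilder, cors);
        }
    }

    /**
     * Verifies a code verifier against the stored code challenge and throws when it does not match.
     *
     * <p>The verifier is first checked for length and character set. It is hashed only when the
     * method equals {@code S256}; a {@code null} or any other method value is handled as
     * {@code plain}, so the method must have been validated before it was stored.
     *
     * <p>Changes relative to the decompiled instruction dump: verifier and challenge values are no
     * longer written to the debug log, the final comparison does not stop at the first differing
     * character, and a {@code null} challenge is reported as a mismatch instead of raising a
     * {@link NullPointerException}.
     *
     * @param codeVerifier the code verifier from the token request
     * @param codeChallenge the code challenge recorded at authorization time
     * @param codeChallengeMethod the challenge method recorded at authorization time
     * @param str4 not read by this method
     * @param str5 not read by this method
     * @param eventBuilder receives the failure reason and error code
     * @param cors passed to the error response
     * @throws CorsErrorResponseException ({@code invalid_grant}, 400) when the verifier is
     *     malformed, hashing fails, or the derived value differs from the challenge
     */
    public static void verifyCodeVerifier(String codeVerifier, String codeChallenge, String codeChallengeMethod, String str4, String str5, EventBuilder eventBuilder, Cors cors) {
        if (!isValidPkceCodeVerifier(codeVerifier)) {
            String reason = "Invalid code verifier";
            throw reject(eventBuilder, cors, "invalid_code_verifier", reason, "PKCE verification failed: " + reason);
        }

        // The verifier is a credential for this code exchange, so only its length is logged.
        logger.debugf("PKCE supporting Client, codeVerifier length = %d", codeVerifier.length());

        String codeVerifierEncoded;
        try {
            if (codeChallengeMethod != null && codeChallengeMethod.equals(OIDCLoginProtocol.PKCE_METHOD_S256)) {
                logger.debugf("PKCE codeChallengeMethod = %s", codeChallengeMethod);
                codeVerifierEncoded = generateS256CodeChallenge(codeVerifier);
            } else {
                logger.debug("PKCE codeChallengeMethod is plain");
                codeVerifierEncoded = codeVerifier;
            }
        } catch (Exception e) {
            String reason = "Unsupported algorithm specified";
            throw reject(eventBuilder, cors, "pkce_verification_failed", reason, "PKCE verification failed: " + reason);
        }

        if (!constantTimeEquals(codeChallenge, codeVerifierEncoded)) {
            String reason = "Code mismatch";
            throw reject(eventBuilder, cors, "pkce_verification_failed", reason, "PKCE verification failed: " + reason);
        }
        logger.debug("PKCE verification success");
    }

    /**
     * Checks the length (43 to 128 characters) and character set of a code verifier.
     *
     * @param str the candidate code verifier
     * @return {@code true} when the value is well formed; {@code false} otherwise, including for
     *     {@code null}
     */
    private static boolean isValidPkceCodeVerifier(String str) {
        if (str == null) {
            return false;
        }
        // A value rejected here is unvalidated request input of arbitrary size and content, so the
        // log line carries its length rather than the value itself.
        if (str.length() < MIN_CODE_VERIFIER_LENGTH) {
            logger.debugf(" Error: PKCE codeVerifier length under lower limit , length = %d", str.length());
            return false;
        }
        if (str.length() > MAX_CODE_VERIFIER_LENGTH) {
            logger.debugf(" Error: PKCE codeVerifier length over upper limit , length = %d", str.length());
            return false;
        }
        return VALID_CODE_VERIFIER_PATTERN.matcher(str).matches();
    }

    /**
     * Compares two strings without stopping at the first differing character. Only the lengths
     * can influence how long the comparison takes.
     *
     * @return {@code true} when both strings are non-null and equal
     */
    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null || a.length() != b.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }

    /**
     * Records a PKCE failure on the event and builds the matching {@code invalid_grant} response.
     * The event is updated before the exception is created, as in the original code paths.
     *
     * @param eventError the event error code
     * @param reason the value stored under the event's {@code reason} detail
     * @param responseMessage the error description returned to the client
     * @return the exception for the caller to throw
     */
    private static CorsErrorResponseException reject(EventBuilder eventBuilder, Cors cors, String eventError, String reason, String responseMessage) {
        eventBuilder.detail("reason", reason);
        eventBuilder.error(eventError);
        return new CorsErrorResponseException(cors, "invalid_grant", responseMessage, Response.Status.BAD_REQUEST);
    }
}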
