package org.keycloak.keys;

import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKey;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.jose.jws.AlgorithmType;
import org.keycloak.keys.KeyMetadata;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;

/* loaded from: input_file:org/keycloak/keys/DefaultKeyManager.class */
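/**
 * Resolves the signing, MAC and encryption keys of a realm from its configured
 * {@link KeyProvider} components.
 *
 * <p>Providers are instantiated once per realm id and cached in {@link #providersMap}
 * for the lifetime of this instance. They are ordered by descending priority, then by
 * component id, and every lookup returns the first match in that order.
 *
 * <p>The cache is a plain {@link HashMap} with no synchronization.
 * NOTE(review): presumably one instance is used per {@link KeycloakSession}; confirm
 * before sharing an instance across threads.
 *
 * <p>NOTE(review): the {@code kid} arguments are written to trace logs as supplied. If
 * callers pass a key id taken from an unverified token header, confirm that the log
 * layout neutralises line breaks and control characters.
 */
public class DefaultKeyManager implements KeyManager {
    private static final Logger logger = Logger.getLogger(DefaultKeyManager.class);
    private final KeycloakSession session;
    // Realm id -> ordered provider list; filled lazily by getProviders().
    private final Map<String, List<KeyProvider>> providersMap = new HashMap<>();

    /**
     * Orders provider components by descending {@code Attributes.PRIORITY_KEY}
     * (a missing value counts as 0) and breaks ties by ascending component id, so the
     * order is deterministic.
     *
     * <p>Decompiler note: the class was originally declared private; the decompiler
     * widened the access modifier.
     */
    public class ProviderComparator implements Comparator<ComponentModel> {
        private ProviderComparator() {
        }

        @Override
        public int compare(ComponentModel componentModel, ComponentModel componentModel2) {
            // Arguments are swapped on purpose: higher priority sorts first.
            int byPriority = Long.compare(componentModel2.get(Attributes.PRIORITY_KEY, 0L), componentModel.get(Attributes.PRIORITY_KEY, 0L));
            if (byPriority != 0) {
                return byPriority;
            }
            return componentModel.getId().compareTo(componentModel2.getId());
        }
    }

    /**
     * @param keycloakSession session used to create providers and to enlist them for close
     */
    public DefaultKeyManager(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Returns the active RSA key pair of the realm: the first RSA provider, in
     * priority order, that reports both a kid and a private key.
     *
     * @param realmModel realm whose providers are searched
     * @return kid, private key, public key and certificate of the active key
     * @throws RuntimeException if no RSA provider has an active key
     */
    public KeyManager.ActiveRsaKey getActiveRsaKey(RealmModel realmModel) {
        for (KeyProvider provider : getProviders(realmModel)) {
            if (!provider.getType().equals(AlgorithmType.RSA)) {
                continue;
            }
            // The declared type, not instanceof, selects the cast; a provider that
            // reports RSA without implementing RsaKeyProvider fails here.
            RsaKeyProvider rsaProvider = (RsaKeyProvider) provider;
            if (rsaProvider.getKid() == null || rsaProvider.getPrivateKey() == null) {
                continue;
            }
            String kid = rsaProvider.getKid();
            if (logger.isTraceEnabled()) {
                // Only the key id is logged, never key material.
                logger.tracev("Active key realm={0} kid={1}", realmModel.getName(), kid);
            }
            return new KeyManager.ActiveRsaKey(kid, rsaProvider.getPrivateKey(), rsaProvider.getPublicKey(kid), rsaProvider.getCertificate(kid));
        }
        throw new RuntimeException("Failed to get RSA keys");
    }

    /**
     * Returns the active HMAC secret of the realm: the first HMAC provider, in
     * priority order, that reports both a kid and a secret key.
     *
     * @param realmModel realm whose providers are searched
     * @return kid and secret of the active key
     * @throws RuntimeException if no HMAC provider has an active key
     */
    public KeyManager.ActiveHmacKey getActiveHmacKey(RealmModel realmModel) {
        for (KeyProvider provider : getProviders(realmModel)) {
            if (!provider.getType().equals(AlgorithmType.HMAC)) {
                continue;
            }
            HmacKeyProvider hmacProvider = (HmacKeyProvider) provider;
            if (hmacProvider.getKid() == null || hmacProvider.getSecretKey() == null) {
                continue;
            }
            if (logger.isTraceEnabled()) {
                logger.tracev("Active secret realm={0} kid={1}", realmModel.getName(), hmacProvider.getKid());
            }
            return new KeyManager.ActiveHmacKey(hmacProvider.getKid(), hmacProvider.getSecretKey());
        }
        throw new RuntimeException("Failed to get keys");
    }

    /**
     * Returns the active AES key of the realm: the first AES provider, in priority
     * order, that reports both a kid and a secret key.
     *
     * @param realmModel realm whose providers are searched
     * @return kid and secret of the active key
     * @throws RuntimeException if no AES provider has an active key
     */
    public KeyManager.ActiveAesKey getActiveAesKey(RealmModel realmModel) {
        for (KeyProvider provider : getProviders(realmModel)) {
            if (!provider.getType().equals(AlgorithmType.AES)) {
                continue;
            }
            AesKeyProvider aesProvider = (AesKeyProvider) provider;
            if (aesProvider.getKid() == null || aesProvider.getSecretKey() == null) {
                continue;
            }
            if (logger.isTraceEnabled()) {
                logger.tracev("Active AES Key realm={0} kid={1}", realmModel.getName(), aesProvider.getKid());
            }
            return new KeyManager.ActiveAesKey(aesProvider.getKid(), aesProvider.getSecretKey());
        }
        throw new RuntimeException("Failed to get keys");
    }

    /**
     * Looks up the RSA public key registered under a key id.
     *
     * @param realmModel realm whose providers are searched
     * @param str key id (kid) to resolve; may be {@code null}
     * @return the first matching public key in provider order, or {@code null} when
     *     the kid is {@code null} or unknown; callers must treat {@code null} as
     *     "no key" and reject the token or signature being checked
     */
    public PublicKey getRsaPublicKey(RealmModel realmModel, String str) {
        if (str == null) {
            // warnv formats with java.text.MessageFormat: the message needs a
            // placeholder to show the realm and must not contain a lone apostrophe,
            // which would start a quoted section and suppress the substitution.
            logger.warnv("KID is null, cannot find public key realm={0}", realmModel.getName());
            return null;
        }
        for (KeyProvider provider : getProviders(realmModel)) {
            if (!provider.getType().equals(AlgorithmType.RSA)) {
                continue;
            }
            PublicKey publicKey = ((RsaKeyProvider) provider).getPublicKey(str);
            if (publicKey != null) {
                if (logger.isTraceEnabled()) {
                    logger.tracev("Found public key realm={0} kid={1}", realmModel.getName(), str);
                }
                return publicKey;
            }
        }
        if (logger.isTraceEnabled()) {
            logger.tracev("Failed to find public key realm={0} kid={1}", realmModel.getName(), str);
        }
        return null;
    }

    /**
     * Looks up the RSA certificate registered under a key id.
     *
     * @param realmModel realm whose providers are searched
     * @param str key id (kid) to resolve; may be {@code null}
     * @return the first matching certificate in provider order, or {@code null} when
     *     the kid is {@code null} or unknown
     */
    public Certificate getRsaCertificate(RealmModel realmModel, String str) {
        if (str == null) {
            // The previous text said "public key" here and dropped the realm argument.
            logger.warnv("KID is null, cannot find certificate realm={0}", realmModel.getName());
            return null;
        }
        for (KeyProvider provider : getProviders(realmModel)) {
            if (!provider.getType().equals(AlgorithmType.RSA)) {
                continue;
            }
            X509Certificate certificate = ((RsaKeyProvider) provider).getCertificate(str);
            if (certificate != null) {
                if (logger.isTraceEnabled()) {
                    logger.tracev("Found certificate realm={0} kid={1}", realmModel.getName(), str);
                }
                return certificate;
            }
        }
        if (logger.isTraceEnabled()) {
            logger.tracev("Failed to find certificate realm={0} kid={1}", realmModel.getName(), str);
        }
        return null;
    }

    /**
     * Looks up the HMAC secret registered under a key id.
     *
     * @param realmModel realm whose providers are searched
     * @param str key id (kid) to resolve; may be {@code null}
     * @return the first matching secret in provider order, or {@code null} when the
     *     kid is {@code null} or unknown
     */
    public SecretKey getHmacSecretKey(RealmModel realmModel, String str) {
        if (str == null) {
            logger.warnv("KID is null, cannot find secret key realm={0}", realmModel.getName());
            return null;
        }
        for (KeyProvider provider : getProviders(realmModel)) {
            if (!provider.getType().equals(AlgorithmType.HMAC)) {
                continue;
            }
            SecretKey secretKey = ((HmacKeyProvider) provider).getSecretKey(str);
            if (secretKey != null) {
                if (logger.isTraceEnabled()) {
                    logger.tracev("Found secret key realm={0} kid={1}", realmModel.getName(), str);
                }
                return secretKey;
            }
        }
        if (logger.isTraceEnabled()) {
            logger.tracev("Failed to find secret key realm={0} kid={1}", realmModel.getName(), str);
        }
        return null;
    }

    /**
     * Looks up the AES key registered under a key id.
     *
     * @param realmModel realm whose providers are searched
     * @param str key id (kid) to resolve; may be {@code null}
     * @return the first matching key in provider order, or {@code null} when the kid
     *     is {@code null} or unknown
     */
    public SecretKey getAesSecretKey(RealmModel realmModel, String str) {
        if (str == null) {
            logger.warnv("KID is null, cannot find aes key realm={0}", realmModel.getName());
            return null;
        }
        for (KeyProvider provider : getProviders(realmModel)) {
            if (!provider.getType().equals(AlgorithmType.AES)) {
                continue;
            }
            SecretKey secretKey = ((AesKeyProvider) provider).getSecretKey(str);
            if (secretKey != null) {
                if (logger.isTraceEnabled()) {
                    logger.tracev("Found AES key realm={0} kid={1}", realmModel.getName(), str);
                }
                return secretKey;
            }
        }
        if (logger.isTraceEnabled()) {
            logger.tracev("Failed to find AES key realm={0} kid={1}", realmModel.getName(), str);
        }
        return null;
    }

    /**
     * Lists the metadata of the realm's RSA keys.
     *
     * @param realmModel realm whose providers are searched
     * @param z when {@code true}, keys with status {@code DISABLED} are included
     * @return key metadata in provider order; never {@code null}
     */
    public List<RsaKeyMetadata> getRsaKeys(RealmModel realmModel, boolean z) {
        List<RsaKeyMetadata> keys = new LinkedList<>();
        for (KeyProvider provider : getProviders(realmModel)) {
            if (!(provider instanceof RsaKeyProvider)) {
                continue;
            }
            List<RsaKeyMetadata> metadata = ((RsaKeyProvider) provider).getKeyMetadata();
            if (z) {
                keys.addAll(metadata);
                continue;
            }
            for (RsaKeyMetadata key : metadata) {
                if (key.getStatus() != KeyMetadata.Status.DISABLED) {
                    keys.add(key);
                }
            }
        }
        return keys;
    }

    /**
     * Lists the metadata of the realm's HMAC keys.
     *
     * @param realmModel realm whose providers are searched
     * @param z when {@code true}, keys with status {@code DISABLED} are included
     * @return key metadata in provider order; never {@code null}
     */
    public List<SecretKeyMetadata> getHmacKeys(RealmModel realmModel, boolean z) {
        List<SecretKeyMetadata> keys = new LinkedList<>();
        for (KeyProvider provider : getProviders(realmModel)) {
            if (!(provider instanceof HmacKeyProvider)) {
                continue;
            }
            List<SecretKeyMetadata> metadata = ((HmacKeyProvider) provider).getKeyMetadata();
            if (z) {
                keys.addAll(metadata);
                continue;
            }
            for (SecretKeyMetadata key : metadata) {
                if (key.getStatus() != KeyMetadata.Status.DISABLED) {
                    keys.add(key);
                }
            }
        }
        return keys;
    }

    /**
     * Lists the metadata of the realm's AES keys.
     *
     * @param realmModel realm whose providers are searched
     * @param z when {@code true}, keys with status {@code DISABLED} are included
     * @return key metadata in provider order; never {@code null}
     */
    public List<SecretKeyMetadata> getAesKeys(RealmModel realmModel, boolean z) {
        List<SecretKeyMetadata> keys = new LinkedList<>();
        for (KeyProvider provider : getProviders(realmModel)) {
            if (!(provider instanceof AesKeyProvider)) {
                continue;
            }
            List<SecretKeyMetadata> metadata = ((AesKeyProvider) provider).getKeyMetadata();
            if (z) {
                keys.addAll(metadata);
                continue;
            }
            for (SecretKeyMetadata key : metadata) {
                if (key.getStatus() != KeyMetadata.Status.DISABLED) {
                    keys.add(key);
                }
            }
        }
        return keys;
    }

    /**
     * Returns the realm's key providers in priority order, creating and caching them
     * on first use.
     *
     * <p>A component whose provider cannot be created is logged at error level and
     * skipped. If that leaves RSA, HMAC or AES without a provider that has an active
     * key, the matching {@code Failsafe*KeyProvider} is appended as the last entry.
     * NOTE(review): the failsafe providers are not visible in this file; presumably
     * they supply a generated stand-in key. Operators should alert on the
     * "Failed to load provider" error, because the realm may then issue or accept
     * material under a key other than the configured one.
     *
     * @param realmModel realm whose key provider components are loaded
     * @return the cached, ordered provider list for the realm
     */
    private List<KeyProvider> getProviders(RealmModel realmModel) {
        List<KeyProvider> cached = this.providersMap.get(realmModel.getId());
        if (cached != null) {
            return cached;
        }

        List<KeyProvider> providers = new LinkedList<>();
        List<ComponentModel> components = new LinkedList<>(realmModel.getComponents(realmModel.getId(), KeyProvider.class.getName()));
        components.sort(new ProviderComparator());

        boolean hasActiveRsa = false;
        boolean hasActiveHmac = false;
        boolean hasActiveAes = false;
        for (ComponentModel component : components) {
            try {
                // NOTE(review): call chain kept as the decompiler emitted it; the factory
                // type that declares create(session, component) is not visible here.
                KeyProvider provider = (KeyProvider) this.session.getKeycloakSessionFactory().getProviderFactory(KeyProvider.class, component.getProviderId()).create(this.session, component);
                this.session.enlistForClose(provider);
                providers.add(provider);
                if (provider.getType().equals(AlgorithmType.RSA)) {
                    RsaKeyProvider rsaProvider = (RsaKeyProvider) provider;
                    if (rsaProvider.getKid() != null && rsaProvider.getPrivateKey() != null) {
                        hasActiveRsa = true;
                    }
                } else if (provider.getType().equals(AlgorithmType.HMAC)) {
                    HmacKeyProvider hmacProvider = (HmacKeyProvider) provider;
                    if (hmacProvider.getKid() != null && hmacProvider.getSecretKey() != null) {
                        hasActiveHmac = true;
                    }
                } else if (provider.getType().equals(AlgorithmType.AES)) {
                    AesKeyProvider aesProvider = (AesKeyProvider) provider;
                    if (aesProvider.getKid() != null && aesProvider.getSecretKey() != null) {
                        hasActiveAes = true;
                    }
                }
            } catch (Throwable th) {
                // Deliberately broad: one broken provider must not prevent the others
                // from loading. Note that a failure after providers.add() leaves the
                // provider in the list.
                logger.errorv(th, "Failed to load provider {0}", component.getId());
            }
        }

        if (!hasActiveRsa) {
            providers.add(new FailsafeRsaKeyProvider());
        }
        if (!hasActiveHmac) {
            providers.add(new FailsafeHmacKeyProvider());
        }
        if (!hasActiveAes) {
            providers.add(new FailsafeAesKeyProvider());
        }
        this.providersMap.put(realmModel.getId(), providers);
        return providers;
    }
}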
