package org.keycloak.services.resources.admin;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.hibernate.hql.internal.classic.ParserHelper;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.plugins.providers.multipart.InputPart;
import org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataInput;
import org.jboss.resteasy.spi.NotAcceptableException;
import org.jboss.resteasy.spi.NotFoundException;
import org.keycloak.common.util.PemUtils;
import org.keycloak.events.admin.OperationType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.CertificateRepresentation;
import org.keycloak.services.ErrorResponseException;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.7.0.Final.jar:org/keycloak/services/resources/admin/ClientAttributeCertificateResource.class */
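/**
 * Admin REST sub-resource that manages the certificate and private key stored as attributes of a
 * single client ({@code "<prefix>.certificate"} / {@code "<prefix>.private.key"}).
 *
 * <p>Supports generating a key pair, uploading a keystore entry (JKS or any format the BouncyCastle
 * provider understands) and exporting the stored material as a JKS/PKCS12 keystore. Every operation
 * goes through {@link RealmAuth} view/manage checks; uploads and downloads that fail because of bad
 * client input are answered with 4xx instead of surfacing as an unhandled 500.
 */
public class ClientAttributeCertificateResource {
    public static final String PRIVATE_KEY = "private.key";
    public static final String X509CERTIFICATE = "certificate";
    /** Separator between the attribute prefix and the attribute name (was the inlined Hibernate PATH_SEPARATORS constant, which is "."). */
    private static final String ATTRIBUTE_SEPARATOR = ".";
    private static final String FORMAT_JKS = "JKS";
    private static final String FORMAT_PKCS12 = "PKCS12";
    protected RealmModel realm;
    private RealmAuth auth;
    protected ClientModel client;
    protected KeycloakSession session;
    protected AdminEventBuilder adminEvent;
    protected String attributePrefix;
    // Fully qualified attribute names, derived from attributePrefix in the constructor.
    protected String privateAttribute;
    protected String certificateAttribute;

    /**
     * JSON body of the keystore download endpoints. Plain mutable bean because it is populated by the
     * JAX-RS JSON provider; all fields are optional and the download code applies the defaults.
     */
    public static class KeyStoreConfig {
        // null is treated as "true" (include the realm certificate) by getKeystore().
        protected Boolean realmCertificate;
        // Passwords are trimmed before use; both are required by the download endpoints.
        protected String storePassword;
        protected String keyPassword;
        // Defaults to the client id when absent.
        protected String keyAlias;
        // Defaults to the realm name when absent.
        protected String realmAlias;
        // "JKS" or "PKCS12"; null is accepted and treated as JKS.
        protected String format;

        public Boolean isRealmCertificate() {
            return this.realmCertificate;
        }

        public void setRealmCertificate(Boolean bool) {
            this.realmCertificate = bool;
        }

        public String getStorePassword() {
            return this.storePassword;
        }

        public void setStorePassword(String str) {
            this.storePassword = str;
        }

        public String getKeyPassword() {
            return this.keyPassword;
        }

        public void setKeyPassword(String str) {
            this.keyPassword = str;
        }

        public String getKeyAlias() {
            return this.keyAlias;
        }

        public void setKeyAlias(String str) {
            this.keyAlias = str;
        }

        public String getRealmAlias() {
            return this.realmAlias;
        }

        public void setRealmAlias(String str) {
            this.realmAlias = str;
        }

        public String getFormat() {
            return this.format;
        }

        public void setFormat(String str) {
            this.format = str;
        }
    }

    /**
     * @param str the attribute prefix; the private key lives in {@code str + ".private.key"} and the
     *            certificate in {@code str + ".certificate"}
     */
    public ClientAttributeCertificateResource(RealmModel realmModel, RealmAuth realmAuth, ClientModel clientModel, KeycloakSession keycloakSession, String str, AdminEventBuilder adminEventBuilder) {
        this.realm = realmModel;
        this.auth = realmAuth;
        this.client = clientModel;
        this.session = keycloakSession;
        this.attributePrefix = str;
        this.privateAttribute = str + ATTRIBUTE_SEPARATOR + PRIVATE_KEY;
        this.certificateAttribute = str + ATTRIBUTE_SEPARATOR + X509CERTIFICATE;
        this.adminEvent = adminEventBuilder;
    }

    /**
     * Returns the stored certificate and private key (PEM) of the client; either may be null.
     *
     * <p>Requires view permission: the response carries the private key, so it must not be weaker
     * than the keystore download, which also requires view.
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    public CertificateRepresentation getKeyInfo() {
        this.auth.requireView();
        CertificateRepresentation info = new CertificateRepresentation();
        info.setCertificate(this.client.getAttribute(this.certificateAttribute));
        info.setPrivateKey(this.client.getAttribute(this.privateAttribute));
        return info;
    }

    /**
     * Generates a new key pair and self-signed certificate for the client, stores both as client
     * attributes and returns them.
     *
     * <p>NOTE(review): the representation attached to the admin event contains the private key PEM;
     * whether that is persisted depends on how the event builder handles representations — verify.
     */
    @NoCache
    @Path("generate")
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public CertificateRepresentation generate() {
        this.auth.requireManage();
        CertificateRepresentation info = KeycloakModelUtils.generateKeyPairCertificate(this.client.getClientId());
        this.client.setAttribute(this.privateAttribute, info.getPrivateKey());
        this.client.setAttribute(this.certificateAttribute, info.getCertificate());
        this.adminEvent.operation(OperationType.ACTION).resourcePath(this.session.getContext().getUri()).representation(info).success();
        return info;
    }

    /**
     * Replaces the client's key material with the entry named {@code keyAlias} from an uploaded
     * keystore. A key entry updates both attributes; a certificate-only entry updates the certificate
     * and removes any stored private key.
     *
     * @throws ErrorResponseException 400 when a required form part is missing, the keystore cannot be
     *                                loaded, or the alias holds neither a key nor a certificate
     */
    @Path("upload")
    @Consumes({MediaType.MULTIPART_FORM_DATA})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public CertificateRepresentation uploadJks(@Context UriInfo uriInfo, MultipartFormDataInput multipartFormDataInput) throws IOException {
        CertificateRepresentation info = getCertFromRequest(uriInfo, multipartFormDataInput);
        if (info.getPrivateKey() != null) {
            this.client.setAttribute(this.privateAttribute, info.getPrivateKey());
        } else {
            if (info.getCertificate() == null) {
                throw new ErrorResponseException("certificate-not-found", "Certificate or key with given alias not found in the keystore", Response.Status.BAD_REQUEST);
            }
            // Certificate-only entry: a previously stored private key would no longer match it.
            this.client.removeAttribute(this.privateAttribute);
        }
        if (info.getCertificate() != null) {
            this.client.setAttribute(this.certificateAttribute, info.getCertificate());
        }
        this.adminEvent.operation(OperationType.ACTION).resourcePath(this.session.getContext().getUri()).representation(info).success();
        return info;
    }

    /**
     * Replaces only the client's certificate with the one under {@code keyAlias} in the uploaded
     * keystore; the stored private key, if any, is left untouched.
     *
     * @throws ErrorResponseException 400 when the alias has no certificate or the upload is invalid
     */
    @Path("upload-certificate")
    @Consumes({MediaType.MULTIPART_FORM_DATA})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public CertificateRepresentation uploadJksCertificate(@Context UriInfo uriInfo, MultipartFormDataInput multipartFormDataInput) throws IOException {
        CertificateRepresentation info = getCertFromRequest(uriInfo, multipartFormDataInput);
        if (info.getCertificate() == null) {
            throw new ErrorResponseException("certificate-not-found", "Certificate with given alias not found in the keystore", Response.Status.BAD_REQUEST);
        }
        this.client.setAttribute(this.certificateAttribute, info.getCertificate());
        this.adminEvent.operation(OperationType.ACTION).resourcePath(this.session.getContext().getUri()).representation(info).success();
        return info;
    }

    /**
     * Returns the first value of a required multipart form field.
     *
     * @throws ErrorResponseException 400 when the field is absent (the original code answered 500 via NPE)
     */
    private static String requiredPart(Map<String, List<InputPart>> formData, String name) throws IOException {
        List<InputPart> parts = formData.get(name);
        if (parts == null || parts.isEmpty()) {
            throw new ErrorResponseException("missing-parameter", "Missing required form parameter: " + name, Response.Status.BAD_REQUEST);
        }
        return parts.get(0).getBodyAsString();
    }

    /** Returns an optional multipart form field as a password char array, or null when absent. */
    private static char[] optionalPassword(Map<String, List<InputPart>> formData, String name) throws IOException {
        List<InputPart> parts = formData.get(name);
        if (parts == null || parts.isEmpty()) {
            return null;
        }
        return parts.get(0).getBodyAsString().toCharArray();
    }

    /** Creates an empty keystore: JKS through the default provider, anything else through BouncyCastle. */
    private static KeyStore newKeyStore(String format) throws GeneralSecurityException {
        if (FORMAT_JKS.equals(format)) {
            return KeyStore.getInstance(FORMAT_JKS);
        }
        return KeyStore.getInstance(format, BouncyCastleProvider.PROVIDER_NAME);
    }

    /** Rejects a download format other than JKS or PKCS12; null is allowed and means JKS. */
    private static void requireSupportedFormat(String format) {
        if (format != null && !format.equals(FORMAT_JKS) && !format.equals(FORMAT_PKCS12)) {
            throw new NotAcceptableException("Only support jks or pkcs12 format.");
        }
    }

    /**
     * Loads the uploaded keystore and extracts the entry named by the {@code keyAlias} form field.
     *
     * <p>Form fields: {@code file} (the keystore), {@code keystoreFormat}, {@code keyAlias} (required);
     * {@code keyPassword}, {@code storePassword} (optional). The private key is set only if the alias
     * holds a private key that can be unlocked with {@code keyPassword}; the certificate only if the
     * alias holds an X.509 certificate. Either or both may be null in the result.
     *
     * @throws ErrorResponseException 400 for missing fields or a keystore that cannot be opened with the
     *                                given format/password; the cause is deliberately not echoed to the caller
     */
    private CertificateRepresentation getCertFromRequest(UriInfo uriInfo, MultipartFormDataInput multipartFormDataInput) throws IOException {
        this.auth.requireManage();
        Map<String, List<InputPart>> formData = multipartFormDataInput.getFormDataMap();
        List<InputPart> fileParts = formData.get("file");
        if (fileParts == null || fileParts.isEmpty()) {
            throw new ErrorResponseException("missing-parameter", "Missing required form parameter: file", Response.Status.BAD_REQUEST);
        }
        String keystoreFormat = requiredPart(formData, "keystoreFormat");
        String keyAlias = requiredPart(formData, "keyAlias");
        char[] keyPassword = optionalPassword(formData, "keyPassword");
        char[] storePassword = optionalPassword(formData, "storePassword");

        KeyStore keyStore;
        InputStream keystoreStream = fileParts.get(0).getBody(InputStream.class, null);
        try {
            keyStore = newKeyStore(keystoreFormat);
            // A wrong store password or corrupt file surfaces here as IOException / GeneralSecurityException.
            keyStore.load(keystoreStream, storePassword);
        } catch (GeneralSecurityException e) {
            throw new ErrorResponseException("invalid-keystore", "Could not load keystore with the given format and store password", Response.Status.BAD_REQUEST);
        } catch (IOException e) {
            throw new ErrorResponseException("invalid-keystore", "Could not load keystore with the given format and store password", Response.Status.BAD_REQUEST);
        } finally {
            keystoreStream.close();
        }

        PrivateKey privateKey = null;
        try {
            Key key = keyStore.getKey(keyAlias, keyPassword);
            // A secret-key entry under this alias is not usable here and is treated as "no private key".
            if (key instanceof PrivateKey) {
                privateKey = (PrivateKey) key;
            }
        } catch (GeneralSecurityException ignored) {
            // Best effort, as before: a wrong/missing key password simply yields a certificate-only result.
        }

        X509Certificate x509Certificate = null;
        try {
            Certificate certificate = keyStore.getCertificate(keyAlias);
            if (certificate instanceof X509Certificate) {
                x509Certificate = (X509Certificate) certificate;
            }
        } catch (KeyStoreException e) {
            throw new RuntimeException(e);
        }

        CertificateRepresentation info = new CertificateRepresentation();
        if (privateKey != null) {
            info.setPrivateKey(KeycloakModelUtils.getPemFromKey(privateKey));
        }
        if (x509Certificate != null) {
            info.setCertificate(KeycloakModelUtils.getPemFromCertificate(x509Certificate));
        }
        return info;
    }

    /**
     * Exports the client's stored certificate (and private key, when present) as a keystore.
     *
     * <p>NOTE(review): view permission is enough to receive the stored private key inside the
     * keystore; this matches the original behaviour and is kept, but is worth a second look.
     *
     * @throws NotAcceptableException when the format is neither JKS nor PKCS12
     * @throws NotFoundException      when no certificate is stored for the client
     * @throws ErrorResponseException 400 when a required password is missing
     */
    @NoCache
    @Path("/download")
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({"application/octet-stream"})
    public byte[] getKeystore(KeyStoreConfig keyStoreConfig) {
        this.auth.requireView();
        requireSupportedFormat(keyStoreConfig.getFormat());
        String privateKeyPem = this.client.getAttribute(this.privateAttribute);
        String certificatePem = this.client.getAttribute(this.certificateAttribute);
        if (privateKeyPem == null && certificatePem == null) {
            throw new NotFoundException("keypair not generated for client");
        }
        // A key entry needs its certificate chain, so a key without a certificate cannot be exported.
        if (certificatePem == null) {
            throw new NotFoundException("certificate not found for client");
        }
        if (privateKeyPem != null && keyStoreConfig.getKeyPassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a key password for jks download", Response.Status.BAD_REQUEST);
        }
        if (keyStoreConfig.getStorePassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a store password for jks download", Response.Status.BAD_REQUEST);
        }
        return getKeystore(keyStoreConfig, privateKeyPem, certificatePem);
    }

    /**
     * Generates a new key pair and certificate, stores only the certificate on the client and returns
     * a keystore holding both. The new private key leaves the server solely inside the returned
     * keystore; any previously stored private key no longer matches the new certificate and is removed.
     *
     * @throws NotAcceptableException when the format is neither JKS nor PKCS12
     * @throws ErrorResponseException 400 when the key or store password is missing
     */
    @NoCache
    @Path("/generate-and-download")
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({"application/octet-stream"})
    public byte[] generateAndGetKeystore(KeyStoreConfig keyStoreConfig) {
        this.auth.requireManage();
        requireSupportedFormat(keyStoreConfig.getFormat());
        if (keyStoreConfig.getKeyPassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a key password for jks generation and download", Response.Status.BAD_REQUEST);
        }
        if (keyStoreConfig.getStorePassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a store password for jks generation and download", Response.Status.BAD_REQUEST);
        }
        CertificateRepresentation info = KeycloakModelUtils.generateKeyPairCertificate(this.client.getClientId());
        byte[] keystore = getKeystore(keyStoreConfig, info.getPrivateKey(), info.getCertificate());
        this.client.setAttribute(this.certificateAttribute, info.getCertificate());
        this.client.removeAttribute(this.privateAttribute);
        // The key is not retained server-side, so keep it out of the admin event representation as well.
        info.setPrivateKey(null);
        this.adminEvent.operation(OperationType.ACTION).resourcePath(this.session.getContext().getUri()).representation(info).success();
        return keystore;
    }

    /**
     * Builds the keystore bytes.
     *
     * @param keyStoreConfig format (null means JKS), aliases and passwords
     * @param privateKeyPem  PEM private key, or null for a certificate-only (trusted cert) entry
     * @param certificatePem PEM certificate, required
     * @return the serialized keystore protected with the (trimmed) store password
     * @throws RuntimeException wrapping any PEM decoding or keystore failure
     */
    private byte[] getKeystore(KeyStoreConfig keyStoreConfig, String privateKeyPem, String certificatePem) {
        try {
            // The public endpoints accept a null format; resolve it here instead of failing on format.equals().
            String format = keyStoreConfig.getFormat() != null ? keyStoreConfig.getFormat() : FORMAT_JKS;
            KeyStore keyStore = newKeyStore(format);
            keyStore.load(null, null);
            String keyAlias = keyStoreConfig.getKeyAlias() != null ? keyStoreConfig.getKeyAlias() : this.client.getClientId();
            Certificate certificate = PemUtils.decodeCertificate(certificatePem);
            if (privateKeyPem != null) {
                keyStore.setKeyEntry(keyAlias, PemUtils.decodePrivateKey(privateKeyPem), keyStoreConfig.getKeyPassword().trim().toCharArray(), new Certificate[]{certificate});
            } else {
                keyStore.setCertificateEntry(keyAlias, certificate);
            }
            // realmCertificate == null defaults to including the realm certificate.
            if (keyStoreConfig.isRealmCertificate() == null || keyStoreConfig.isRealmCertificate().booleanValue()) {
                X509Certificate realmCert = this.realm.getCertificate();
                if (realmCert == null) {
                    KeycloakModelUtils.generateRealmCertificate(this.realm);
                    realmCert = this.realm.getCertificate();
                }
                String realmAlias = keyStoreConfig.getRealmAlias() != null ? keyStoreConfig.getRealmAlias() : this.realm.getName();
                keyStore.setCertificateEntry(realmAlias, realmCert);
            }
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            keyStore.store(out, keyStoreConfig.getStorePassword().trim().toCharArray());
            return out.toByteArray();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}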
