package org.keycloak.services.x509;

import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.common.util.PemException;

/* loaded from: input_file:org/keycloak/services/x509/AbstractClientCertificateFromHttpHeadersLookup.class */
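/**
 * Base class for lookups that read the client's X.509 certificate, and optionally further
 * chain certificates, from HTTP request headers.
 *
 * <p>Security note: the certificate is taken from whatever value the request carries in the
 * configured header. Nothing in this class checks who set that header, so the result is only
 * trustworthy when a TLS-terminating proxy in front of this service removes or overwrites
 * these headers on every inbound request and the service cannot be reached without going
 * through that proxy.
 *
 * <p>This class only decodes certificates. No signature, validity-period, revocation or
 * path validation is visible here; presumably callers perform it (confirm before relying on
 * the returned chain).
 */
public abstract class AbstractClientCertificateFromHttpHeadersLookup implements X509ClientCertificateLookup {
    protected static final Logger logger = Logger.getLogger(AbstractClientCertificateFromHttpHeadersLookup.class);

    /** Name of the header that carries the client (leaf) certificate; never {@code null}. */
    protected final String sslClientCertHttpHeader;

    /** Prefix of the chain headers, which are read as {@code <prefix>_<index>}; may be {@code null}. */
    protected final String sslCertChainHttpHeaderPrefix;

    /** Upper bound on how many {@code <prefix>_<index>} headers are read per request. */
    private final int certificateChainLength;

    /**
     * Creates a lookup bound to the given header names.
     *
     * @param sslClientCertHttpHeader name of the header holding the client certificate
     * @param sslCertChainHttpHeaderPrefix prefix of the chain certificate headers, or
     *     {@code null} when no chain headers are configured
     * @param certificateChainLength number of chain headers to read, starting at index 0
     * @throws IllegalArgumentException if {@code sslClientCertHttpHeader} is {@code null} or
     *     {@code certificateChainLength} is negative
     */
    public AbstractClientCertificateFromHttpHeadersLookup(
            String sslClientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength) {
        if (sslClientCertHttpHeader == null) {
            throw new IllegalArgumentException("sslClientCertHttpHeader");
        }
        if (certificateChainLength < 0) {
            throw new IllegalArgumentException("certificateChainLength must be greater or equal to zero");
        }
        this.sslClientCertHttpHeader = sslClientCertHttpHeader;
        this.sslCertChainHttpHeaderPrefix = sslCertChainHttpHeaderPrefix;
        this.certificateChainLength = certificateChainLength;
    }

    /** Does nothing; this class holds no resources. */
    public void close() {
    }

    /**
     * Returns the first value of the named request header.
     *
     * @param httpRequest the incoming request
     * @param headerName name of the header to read
     * @return the first header value as returned by the request's header map
     */
    static String getHeaderValue(HttpRequest httpRequest, String headerName) {
        return httpRequest.getHttpHeaders().getRequestHeaders().getFirst(headerName);
    }

    /**
     * Strips one pair of enclosing double quotes, if present.
     *
     * @param value the header value, possibly {@code null}
     * @return {@code null} for {@code null} input; the value without its first and last
     *     character when both are double quotes and the value is longer than one character;
     *     otherwise the value unchanged
     */
    private static String trimDoubleQuotes(String value) {
        if (value == null) {
            return null;
        }
        int length = value.length();
        boolean quoted = length > 1 && value.charAt(0) == '"' && value.charAt(length - 1) == '"';
        if (!quoted) {
            return value;
        }
        logger.trace("Detected a certificate enclosed in double quotes");
        return value.substring(1, length - 1);
    }

    /**
     * Decodes a certificate from the text found in a header.
     *
     * @param pem the header value after quote trimming
     * @return the decoded certificate; {@code null} is treated by callers in this class as
     *     "not a valid certificate"
     * @throws PemException if the value cannot be decoded
     */
    protected abstract X509Certificate decodeCertificateFromPem(String pem) throws PemException;

    /**
     * Reads and decodes the certificate carried in a single request header.
     *
     * @param httpRequest the incoming request
     * @param headerName name of the header to read
     * @return the decoded certificate, or {@code null} when the header is absent, blank, or
     *     the decoder returned {@code null}
     * @throws GeneralSecurityException wrapping the {@link PemException} raised by the decoder
     */
    protected X509Certificate getCertificateFromHttpHeader(HttpRequest httpRequest, String headerName)
            throws GeneralSecurityException {
        String headerValue = trimDoubleQuotes(getHeaderValue(httpRequest, headerName));
        if (headerValue == null || headerValue.trim().isEmpty()) {
            logger.warnf("HTTP header \"%s\" is empty", headerName);
            return null;
        }
        try {
            X509Certificate certificate = decodeCertificateFromPem(headerValue);
            if (certificate == null) {
                // NOTE(review): the rejected header value is written to the log verbatim and
                // unbounded. It is request-supplied data, so consider logging only its length
                // or a truncated, sanitised form.
                logger.warnf("HTTP header \"%s\" does not contain a valid x.509 certificate\n%s", headerName, headerValue);
            } else {
                logger.debugf("Found a valid x.509 certificate in \"%s\" HTTP header", headerName);
            }
            return certificate;
        } catch (PemException e) {
            logger.error(e.getMessage(), e);
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Collects the client certificate and any configured chain certificates from the request.
     *
     * <p>The client certificate header is read first. If it yields no certificate the result
     * is an empty array and the chain headers are not consulted. Otherwise up to
     * {@code certificateChainLength} headers named {@code <prefix>_0}, {@code <prefix>_1}, ...
     * are read. A chain header that is missing or fails to decode is logged and skipped, so
     * the returned array may hold fewer entries than configured and is not guaranteed to form
     * a complete chain.
     *
     * @param httpRequest the incoming request
     * @return the certificates found, client certificate first; never {@code null}
     * @throws GeneralSecurityException if the client certificate header cannot be decoded
     */
    @Override // org.keycloak.services.x509.X509ClientCertificateLookup
    public X509Certificate[] getCertificateChain(HttpRequest httpRequest) throws GeneralSecurityException {
        ArrayList<X509Certificate> chain = new ArrayList<>();
        X509Certificate clientCertificate = getCertificateFromHttpHeader(httpRequest, this.sslClientCertHttpHeader);
        if (clientCertificate == null) {
            return chain.toArray(new X509Certificate[0]);
        }
        chain.add(clientCertificate);

        if (this.sslCertChainHttpHeaderPrefix == null) {
            // Without a configured prefix the header names would be formatted as "null_0",
            // "null_1", ...; those are not names the proxy was configured to set, so they
            // must not be read as certificate sources.
            if (this.certificateChainLength > 0) {
                logger.debug("No certificate chain header prefix configured; skipping chain header lookup");
            }
            return chain.toArray(new X509Certificate[0]);
        }

        for (int i = 0; i < this.certificateChainLength; i++) {
            String chainHeaderName = this.sslCertChainHttpHeaderPrefix + "_" + i;
            try {
                X509Certificate chainCertificate = getCertificateFromHttpHeader(httpRequest, chainHeaderName);
                if (chainCertificate != null) {
                    chain.add(chainCertificate);
                }
            } catch (GeneralSecurityException e) {
                // Deliberate best effort: an undecodable chain entry is skipped, not fatal.
                logger.warn(e.getMessage(), e);
            }
        }
        return chain.toArray(new X509Certificate[0]);
    }
}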
