package org.keycloak.protocol.saml;

import java.security.Key;
import java.security.KeyManagementException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.util.Iterator;
import java.util.function.Predicate;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.keys.PublicKeyLoader;
import org.keycloak.keys.PublicKeyStorageProvider;
import org.keycloak.rotation.KeyLocator;

/* loaded from: input_file:org/keycloak/protocol/saml/SamlMetadataKeyLocator.class */
/**
 * {@link KeyLocator} that serves the public keys a {@link PublicKeyStorageProvider}
 * holds for one SAML metadata model.
 * <p>
 * Every lookup path ({@link #getKey(String)}, {@link #getKey(Key)} and
 * {@link #iterator()}) applies the same two gates: the wrapper's declared use must
 * be absent or equal to the configured {@link KeyUse}, and the wrapper must carry a
 * certificate that is currently within its validity period. Entries without a
 * certificate, or with an expired / not-yet-valid one, are never handed out.
 */
public class SamlMetadataKeyLocator implements KeyLocator {
    // Model identifier under which the keys are stored; passed to every keyStorage call.
    private final String modelKey;
    // Loader handed to keyStorage on every lookup and reload.
    private final PublicKeyLoader loader;
    // Storage the key wrappers are read from.
    private final PublicKeyStorageProvider keyStorage;
    // Key use this locator is restricted to (see isSameUse).
    private final KeyUse use;

    /**
     * Creates a locator for the keys of a single model.
     *
     * @param str                      model key the keys are stored under
     * @param publicKeyLoader          loader passed to the storage provider on lookups and reloads
     * @param keyUse                   key use this locator serves
     * @param publicKeyStorageProvider storage the keys are read from
     */
    public SamlMetadataKeyLocator(String str, PublicKeyLoader publicKeyLoader, KeyUse keyUse, PublicKeyStorageProvider publicKeyStorageProvider) {
        modelKey = str;
        loader = publicKeyLoader;
        keyStorage = publicKeyStorageProvider;
        use = keyUse;
    }

    /**
     * Returns the public key whose kid equals {@code str}.
     *
     * @param str kid to look for; {@code null} short-circuits to {@code null}
     * @return the first stored key accepted by {@link #isSameKid(KeyWrapper, String)},
     *         or {@code null} when there is none
     * @throws KeyManagementException if the storage lookup fails
     */
    public Key getKey(String str) throws KeyManagementException {
        if (str == null) {
            return null;
        }
        KeyWrapper match = keyStorage.getFirstPublicKey(modelKey, sameKidPredicate(str), loader);
        return match == null ? null : match.getPublicKey();
    }

    /**
     * Returns the stored public key that is the same key as {@code key}.
     *
     * @param key key to look for; {@code null} short-circuits to {@code null}
     * @return the first stored key accepted by {@link #isSameKey(KeyWrapper, Key)},
     *         or {@code null} when there is none
     * @throws KeyManagementException if the storage lookup fails
     */
    public Key getKey(Key key) throws KeyManagementException {
        if (key == null) {
            return null;
        }
        KeyWrapper match = keyStorage.getFirstPublicKey(modelKey, sameKeyPredicate(key), loader);
        return match == null ? null : match.getPublicKey();
    }

    /**
     * Asks the storage provider to reload the keys of this model.
     */
    public void refreshKeyCache() {
        keyStorage.reloadKeys(modelKey, loader);
    }

    /**
     * Iterates over every stored public key that passes the use and certificate
     * validity checks.
     *
     * @return iterator over the accepted public keys
     */
    public Iterator<Key> iterator() {
        return keyStorage.getKeys(modelKey, loader).stream()
                .filter(this::isAcceptable)
                .map(KeyWrapper::getPublicKey)
                .iterator();
    }

    /**
     * The gate shared by all lookups: matching use and a currently valid certificate.
     */
    private boolean isAcceptable(KeyWrapper wrapper) {
        return isSameUse(wrapper) && isValidCertificate(wrapper);
    }

    /** Predicate selecting wrappers whose kid is {@code kid} and that are acceptable. */
    private Predicate<KeyWrapper> sameKidPredicate(String kid) {
        return wrapper -> isSameKid(wrapper, kid);
    }

    /**
     * Checks that the wrapper has a kid equal to {@code kid} and passes the use and
     * certificate validity gates.
     */
    private boolean isSameKid(KeyWrapper wrapper, String kid) {
        String stored = wrapper.getKid();
        if (stored == null || !stored.equals(kid)) {
            return false;
        }
        return isAcceptable(wrapper);
    }

    /** Predicate selecting wrappers holding the same key as {@code wanted}. */
    private Predicate<KeyWrapper> sameKeyPredicate(Key wanted) {
        return wrapper -> isSameKey(wrapper, wanted);
    }

    /**
     * Checks that the wrapper holds a public key with the same algorithm and encoding
     * as {@code wanted}, has a matching use and a currently valid certificate.
     */
    private boolean isSameKey(KeyWrapper wrapper, Key wanted) {
        Key candidate = wrapper.getPublicKey();
        if (candidate == null || !isSameUse(wrapper)) {
            return false;
        }
        if (!wanted.getAlgorithm().equals(candidate.getAlgorithm())) {
            return false;
        }
        // MessageDigest.isEqual compares the two encodings in constant time.
        boolean sameEncoding = MessageDigest.isEqual(candidate.getEncoded(), wanted.getEncoded());
        return sameEncoding && isValidCertificate(wrapper);
    }

    /**
     * A wrapper matches when it declares no use at all, or declares exactly the use
     * this locator serves. A {@code null} wrapper never matches.
     */
    private boolean isSameUse(KeyWrapper wrapper) {
        if (wrapper == null) {
            return false;
        }
        KeyUse declared = wrapper.getUse();
        // No declared use: the key is accepted for this locator's use.
        return declared == null || declared.equals(use);
    }

    /**
     * A wrapper is only acceptable when it carries a certificate whose validity
     * period includes now; a missing certificate or a {@link CertificateException}
     * from {@code checkValidity()} rejects it.
     */
    private boolean isValidCertificate(KeyWrapper wrapper) {
        if (wrapper == null || wrapper.getCertificate() == null) {
            return false;
        }
        try {
            // Throws when the certificate is expired or not yet valid.
            wrapper.getCertificate().checkValidity();
        } catch (CertificateException notCurrentlyValid) {
            return false;
        }
        return true;
    }
}
