package org.keycloak.keys;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.common.util.CertificateUtils;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.component.ComponentModel;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.models.RealmModel;

/* loaded from: input_file:org/keycloak/keys/JavaKeystoreKeyProvider.class */
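public class JavaKeystoreKeyProvider extends AbstractRsaKeyProvider {

    /** Keystore format this provider reads; it is fixed here, not taken from the component config. */
    private static final String KEYSTORE_TYPE = "JKS";

    /** Certificate factory type used to build the stored chain into a {@code CertPath}. */
    private static final String CERTIFICATE_TYPE = "X.509";

    public JavaKeystoreKeyProvider(RealmModel realmModel, ComponentModel componentModel) {
        super(realmModel, componentModel);
    }

    /**
     * Loads the realm key from the Java keystore named in the component configuration.
     *
     * <p>The keystore path, keystore password, key alias and key password are read from
     * {@code componentModel} (keys declared on {@link JavaKeystoreKeyProviderFactory}). The
     * public key is derived from the private key via {@link KeyUtils}; if no certificate is
     * stored under the alias, a V1 self-signed certificate for the realm name is generated.
     * A certificate chain stored under the alias is checked for internal consistency (see
     * {@link #validateCertificateChain(List)}) before the wrapper is built.
     *
     * @param realmModel     realm the key belongs to; its name is used for a generated certificate
     * @param componentModel provider configuration holding path, passwords, alias and key use
     * @return the loaded key pair, certificate and (possibly empty) chain wrapped for the realm
     * @throws RuntimeException wrapping the underlying I/O or security exception; the message
     *                          names the failing stage and never echoes a password
     */
    // Upstream declares this method protected; the decompiler widened it to public.
    @Override // org.keycloak.keys.AbstractRsaKeyProvider
    public KeyWrapper loadKey(RealmModel realmModel, ComponentModel componentModel) {
        String keystorePath = componentModel.get(JavaKeystoreKeyProviderFactory.KEYSTORE_KEY);
        // try-with-resources closes the stream on every path, including the exceptional ones.
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
            keyStore.load(in, componentModel.get(JavaKeystoreKeyProviderFactory.KEYSTORE_PASSWORD_KEY).toCharArray());

            String alias = componentModel.get(JavaKeystoreKeyProviderFactory.KEY_ALIAS_KEY);
            PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias,
                    componentModel.get(JavaKeystoreKeyProviderFactory.KEY_PASSWORD_KEY).toCharArray());
            if (privateKey == null) {
                // KeyStore.getKey() returns null for an unknown alias or a non-key entry; report that
                // clearly instead of letting the public-key extraction below dereference null.
                throw new RuntimeException("Key alias '" + alias + "' not found in keystore on server.");
            }
            KeyPair keyPair = new KeyPair(KeyUtils.extractPublicKey(privateKey), privateKey);

            X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);
            if (certificate == null) {
                certificate = CertificateUtils.generateV1SelfSignedCertificate(keyPair, realmModel.getName());
            }

            // Key use defaults to "sig". Locale.ROOT keeps the enum lookup independent of the
            // server's default locale (a Turkish locale would upper-case "sig" to a dotted İ).
            String keyUseName = componentModel.get(Attributes.KEY_USE, KeyUse.SIG.getSpecName());
            KeyUse keyUse = KeyUse.valueOf(keyUseName.toUpperCase(Locale.ROOT));

            return createKeyWrapper(keyPair, certificate, loadCertificateChain(keyStore, alias), keyUse);
        } catch (FileNotFoundException e) {
            throw new RuntimeException("File not found on server. " + e.getMessage(), e);
        } catch (IOException e) {
            throw new RuntimeException("IO error on server. " + e.getMessage(), e);
        } catch (KeyStoreException e) {
            throw new RuntimeException("KeyStore error on server. " + e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Algorithm not available on server. " + e.getMessage(), e);
        } catch (UnrecoverableKeyException e) {
            throw new RuntimeException("Keystore on server can not be recovered. " + e.getMessage(), e);
        } catch (CertificateException e) {
            throw new RuntimeException("Certificate error on server. " + e.getMessage(), e);
        } catch (GeneralSecurityException e) {
            // Remaining GeneralSecurityException subtypes come from the chain validation
            // (CertPathValidatorException, InvalidAlgorithmParameterException).
            throw new RuntimeException("Invalid certificate chain. Check the order of certificates.", e);
        }
    }

    /**
     * Returns the certificate chain stored under {@code alias}, validated for consistency.
     *
     * @param keyStore the loaded keystore
     * @param alias    entry whose chain is read
     * @return the chain as X.509 certificates in keystore order, or an empty list when the
     *         keystore holds no chain for the alias
     * @throws GeneralSecurityException if a non-empty chain does not validate
     * @throws ClassCastException       if a chain element is not an X.509 certificate
     */
    private List<X509Certificate> loadCertificateChain(KeyStore keyStore, String alias) throws GeneralSecurityException {
        List<X509Certificate> chain = Optional.ofNullable(keyStore.getCertificateChain(alias))
                .map(certificates -> Arrays.stream(certificates)
                        .map(X509Certificate.class::cast)
                        .collect(Collectors.toList()))
                .orElseGet(Collections::emptyList);
        validateCertificateChain(chain);
        return chain;
    }

    /**
     * Checks that the stored chain is internally consistent by running the default
     * {@link CertPathValidator} (normally PKIX) over it.
     *
     * <p>The last certificate of the list is used as the sole trust anchor, so this proves only
     * that the chain is well-formed and ordered as the X.509 {@link CertificateFactory} expects
     * (end-entity first); it does not establish that the root is trusted by any configured
     * trust store. Revocation checking is switched off, so CRL/OCSP status is not consulted.
     *
     * @param chain certificates with the end-entity first and the root last; {@code null} or
     *              empty is accepted as "no chain" and passes
     * @throws GeneralSecurityException if the validator rejects the chain
     */
    private void validateCertificateChain(List<X509Certificate> chain) throws GeneralSecurityException {
        if (chain == null || chain.isEmpty()) {
            return;
        }
        X509Certificate root = chain.get(chain.size() - 1);
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false);
        CertPathValidator validator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
        validator.validate(CertificateFactory.getInstance(CERTIFICATE_TYPE).generateCertPath(chain), params);
    }
}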
