package org.wildfly.security.auth.realm;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.Provider;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Enumeration;
import java.util.function.Supplier;
import javax.security.auth.x500.X500Principal;
import org.wildfly.common.Assert;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.authz.AuthorizationIdentity;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.util.ProviderUtil;
import org.wildfly.security.x500.util.X500PrincipalUtil;

/* loaded from: input_file:org/wildfly/security/auth/realm/KeyStoreBackedSecurityRealm.class */
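/**
 * A {@link SecurityRealm} whose identities are the aliases of a {@link KeyStore}.
 *
 * <p>An identity is located either directly by alias (a {@link NamePrincipal} is used
 * verbatim as the alias) or, for any principal convertible to an {@link X500Principal},
 * by a linear scan over the store's trusted-certificate entries comparing the
 * certificate subject. The credential exposed for an identity is whatever
 * {@link Credential#fromKeyStoreEntry} derives from the entry; evidence verification is
 * delegated to that credential using the configured {@link Provider} supplier.
 *
 * <p>Security-relevant caveats, all grounded in the code below:
 * <ul>
 *   <li>Entries are read with a {@code null} protection parameter, so only entries that
 *       need no password (in the JDK reference implementation: trusted-certificate entries)
 *       are usable. Key entries fail to load and are treated as non-existent, not as an
 *       error. The X500 lookup applies the matching {@code isCertificateEntry} filter.</li>
 *   <li>Lookup failures fail closed: any {@link KeyStoreException},
 *       {@link NoSuchAlgorithmException} or {@link UnrecoverableEntryException} during
 *       alias lookup yields "no entry" (trace-logged only), so an unloaded or broken store
 *       makes every identity non-existent rather than surfacing as
 *       {@link RealmUnavailableException}. Only the X500 scan rethrows.</li>
 *   <li>The X500 scan returns the first alias whose subject matches; if several
 *       certificates share a subject, which one wins depends on alias enumeration order.</li>
 *   <li>NOTE(review): common JDK store types (JKS, PKCS12) treat aliases
 *       case-insensitively, and {@link KeyStoreRealmIdentity#getRealmIdentityPrincipal}
 *       echoes the caller-supplied name rather than a canonical alias — confirm whether
 *       downstream code relies on principal names being canonical.</li>
 *   <li>No attributes are sourced from the store: {@link AuthorizationIdentity#EMPTY} is
 *       always returned.</li>
 * </ul>
 *
 * <p>This realm never writes to the store. Concurrent reads are only as safe as the
 * underlying {@link KeyStore} implementation permits; nothing here synchronizes.
 */
public class KeyStoreBackedSecurityRealm implements SecurityRealm {
    /** Providers passed to {@link Credential#verify(Supplier, Evidence)}. */
    private final Supplier<Provider[]> providers;
    /** The backing store; read-only from this realm's point of view. */
    private final KeyStore keyStore;

    /**
     * An identity bound to one alias of the enclosing realm's key store.
     *
     * <p>Nothing is cached: every call re-reads the entry through
     * {@link KeyStoreBackedSecurityRealm#getEntry(String)}, so a store that is reloaded
     * in place is observed immediately, and an alias may "disappear" between
     * {@link #exists()} and {@link #verifyEvidence(Evidence)}.
     */
    private class KeyStoreRealmIdentity implements RealmIdentity {
        /** Key store alias this identity is bound to; used as-is, no normalization. */
        private final String name;

        private KeyStoreRealmIdentity(String str) {
            this.name = str;
        }

        /**
         * @return a {@link NamePrincipal} carrying the alias exactly as this identity was
         *         created with (for a {@link NamePrincipal} lookup that is the caller's
         *         spelling, for an X500 lookup the enumerated alias)
         */
        @Override // org.wildfly.security.auth.server.RealmIdentity
        public Principal getRealmIdentityPrincipal() {
            return new NamePrincipal(this.name);
        }

        /**
         * Reports whether a credential of the given type can be acquired for this alias.
         *
         * @param cls the credential type (must not be {@code null})
         * @param str the algorithm name, or {@code null} for any
         * @param algorithmParameterSpec the algorithm parameters, or {@code null} for any
         * @return {@link SupportLevel#SUPPORTED} only if the entry is readable and the
         *         derived credential matches the request; otherwise
         *         {@link SupportLevel#UNSUPPORTED}
         * @throws RealmUnavailableException declared by the interface; not thrown here
         */
        @Override // org.wildfly.security.auth.server.RealmIdentity
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
            // Consistent with getCredential(...) and the realm-level method: reject null early
            // instead of deferring to whatever Credential.matches does with it.
            Assert.checkNotNullParam("credentialType", cls);
            KeyStore.Entry entry = KeyStoreBackedSecurityRealm.this.getEntry(this.name);
            if (entry == null) {
                return SupportLevel.UNSUPPORTED;
            }
            Credential fromKeyStoreEntry = Credential.fromKeyStoreEntry(entry);
            if (fromKeyStoreEntry == null || !fromKeyStoreEntry.matches(cls, str, algorithmParameterSpec)) {
                return SupportLevel.UNSUPPORTED;
            }
            return SupportLevel.SUPPORTED;
        }

        /**
         * Acquires the credential derived from this alias's entry.
         *
         * @param cls the credential type (must not be {@code null})
         * @param str the algorithm name, or {@code null} for any
         * @param algorithmParameterSpec the algorithm parameters, or {@code null} for any
         * @return the credential cast to {@code cls}, or {@code null} if the entry is
         *         missing/unreadable, yields no credential, or does not match the request
         * @throws RealmUnavailableException declared by the interface; not thrown here
         */
        @Override // org.wildfly.security.auth.server.RealmIdentity
        public <C extends Credential> C getCredential(Class<C> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
            Assert.checkNotNullParam("credentialType", cls);
            KeyStore.Entry entry = KeyStoreBackedSecurityRealm.this.getEntry(this.name);
            if (entry == null) {
                return null;
            }
            Credential fromKeyStoreEntry = Credential.fromKeyStoreEntry(entry);
            if (fromKeyStoreEntry == null) {
                return null;
            }
            // castAs performs the type/algorithm/parameter match and returns null on mismatch.
            return fromKeyStoreEntry.castAs(cls, str, algorithmParameterSpec);
        }

        /** Convenience overload: any algorithm parameters. */
        @Override // org.wildfly.security.auth.server.RealmIdentity
        public <C extends Credential> C getCredential(Class<C> cls, String str) throws RealmUnavailableException {
            return getCredential(cls, str, null);
        }

        /** Convenience overload: any algorithm, any parameters. */
        @Override // org.wildfly.security.auth.server.RealmIdentity
        public <C extends Credential> C getCredential(Class<C> cls) throws RealmUnavailableException {
            return getCredential(cls, null);
        }

        /**
         * @return {@link AuthorizationIdentity#EMPTY}; a key store carries no attributes,
         *         so roles/attributes must come from elsewhere in the security domain
         */
        @Override // org.wildfly.security.auth.server.RealmIdentity
        public AuthorizationIdentity getAuthorizationIdentity() {
            return AuthorizationIdentity.EMPTY;
        }

        /**
         * Reports whether evidence of the given type can be verified against this alias.
         *
         * @param cls the evidence type (must not be {@code null})
         * @param str the algorithm name, or {@code null} for any
         * @return {@link SupportLevel#SUPPORTED} only if the entry is readable and the
         *         derived credential can verify that evidence type; otherwise
         *         {@link SupportLevel#UNSUPPORTED}
         * @throws RealmUnavailableException declared by the interface; not thrown here
         */
        @Override // org.wildfly.security.auth.server.RealmIdentity
        public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
            // Same null-argument contract as the realm-level getEvidenceVerifySupport.
            Assert.checkNotNullParam("evidenceType", cls);
            KeyStore.Entry entry = KeyStoreBackedSecurityRealm.this.getEntry(this.name);
            if (entry == null) {
                return SupportLevel.UNSUPPORTED;
            }
            Credential fromKeyStoreEntry = Credential.fromKeyStoreEntry(entry);
            if (fromKeyStoreEntry == null || !fromKeyStoreEntry.canVerify(cls, str)) {
                ElytronMessages.log.tracef("KeyStoreRealm: verification unsupported - unsupported entry type of alias [%s]", this.name);
                return SupportLevel.UNSUPPORTED;
            }
            ElytronMessages.log.tracef("KeyStoreRealm: verification supported using alias [%s]", this.name);
            return SupportLevel.SUPPORTED;
        }

        /**
         * Verifies evidence against the credential derived from this alias's entry.
         *
         * <p>The actual check is {@code credential.verify(providers, evidence)}; this
         * method only gates it on the entry being readable and the credential claiming
         * support for the evidence type. Every failure path returns {@code false} — the
         * trace message does not distinguish "alias missing" from "verification rejected".
         *
         * @param evidence the evidence to verify
         * @return {@code true} only if the derived credential verifies the evidence
         * @throws RealmUnavailableException declared by the interface; not thrown here
         */
        @Override // org.wildfly.security.auth.server.RealmIdentity
        public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException {
            KeyStore.Entry entry = KeyStoreBackedSecurityRealm.this.getEntry(this.name);
            if (entry == null) {
                return false;
            }
            Credential fromKeyStoreEntry = Credential.fromKeyStoreEntry(entry);
            boolean verified = fromKeyStoreEntry != null
                    && fromKeyStoreEntry.canVerify(evidence)
                    && fromKeyStoreEntry.verify(KeyStoreBackedSecurityRealm.this.providers, evidence);
            if (verified) {
                ElytronMessages.log.tracef("KeyStoreRealm: verification succeed for alias [%s]", this.name);
                return true;
            }
            ElytronMessages.log.tracef("KeyStoreRealm: verification failed - rejected by credential from alias [%s]", this.name);
            return false;
        }

        /**
         * @return {@code true} if the alias currently resolves to a readable entry; a
         *         password-protected entry or a store read failure counts as absent
         * @throws RealmUnavailableException declared by the interface; not thrown here
         */
        @Override // org.wildfly.security.auth.server.RealmIdentity
        public boolean exists() throws RealmUnavailableException {
            return KeyStoreBackedSecurityRealm.this.getEntry(this.name) != null;
        }
    }

    /**
     * Creates a realm over {@code keyStore} using the JVM's installed providers for
     * evidence verification.
     *
     * @param keyStore the (already loaded) key store; must not be {@code null}
     */
    public KeyStoreBackedSecurityRealm(KeyStore keyStore) {
        this(keyStore, ProviderUtil.INSTALLED_PROVIDERS);
    }

    /**
     * Creates a realm over {@code keyStore} using the given provider supplier for
     * evidence verification.
     *
     * @param keyStore the (already loaded) key store; must not be {@code null}
     * @param supplier the providers handed to {@link Credential#verify}; must not be
     *                 {@code null}
     */
    public KeyStoreBackedSecurityRealm(KeyStore keyStore, Supplier<Provider[]> supplier) {
        // Fail fast: without these checks a null store only surfaces as an NPE on the first
        // lookup, which getEntry does not catch.
        Assert.checkNotNullParam("keyStore", keyStore);
        Assert.checkNotNullParam("providers", supplier);
        this.keyStore = keyStore;
        this.providers = supplier;
    }

    /**
     * Resolves a principal to a realm identity.
     *
     * <p>A {@link NamePrincipal} is taken literally as the alias and always yields an
     * identity object, even if the alias does not exist — callers must consult
     * {@link RealmIdentity#exists()}. Any other principal is converted to an
     * {@link X500Principal}; if that fails, {@link RealmIdentity#NON_EXISTENT} is returned.
     * Otherwise every trusted-certificate entry is scanned (O(number of aliases)) and the
     * first X.509 certificate whose subject equals the principal wins.
     *
     * @param principal the principal to resolve
     * @return the identity for the matching alias, or {@link RealmIdentity#NON_EXISTENT}
     * @throws RealmUnavailableException if the store cannot be enumerated or read during
     *         the X500 scan (via {@code ElytronMessages.log.failedToReadKeyStore})
     */
    @Override // org.wildfly.security.auth.server.SecurityRealm
    public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
        if (principal instanceof NamePrincipal) {
            String name = principal.getName();
            ElytronMessages.log.tracef("KeyStoreRealm: obtaining certificate by alias [%s]", name);
            return new KeyStoreRealmIdentity(name);
        }
        X500Principal asX500Principal = X500PrincipalUtil.asX500Principal(principal);
        if (asX500Principal == null) {
            ElytronMessages.log.tracef("KeyStoreRealm: conversion of principal [%s] to X500Principal failed", principal);
            return RealmIdentity.NON_EXISTENT;
        }
        ElytronMessages.log.tracef("KeyStoreRealm: obtaining certificate by X500Principal [%s]", asX500Principal);
        KeyStore keyStore = this.keyStore;
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String nextElement = aliases.nextElement();
                // Only trusted-certificate entries are considered, matching what
                // getEntry(alias, null) can later read back for the returned identity.
                if (!keyStore.isCertificateEntry(nextElement)) {
                    continue;
                }
                Certificate certificate = keyStore.getCertificate(nextElement);
                if (!(certificate instanceof X509Certificate)) {
                    continue;
                }
                X500Principal subject = X500PrincipalUtil.asX500Principal(((X509Certificate) certificate).getSubjectX500Principal());
                // X500Principal.equals compares canonical DN forms; a null subject never matches.
                if (asX500Principal.equals(subject)) {
                    ElytronMessages.log.tracef("KeyStoreRealm: certificate found by X500Principal in alias [%s]", nextElement);
                    return new KeyStoreRealmIdentity(nextElement);
                }
            }
            ElytronMessages.log.tracef("KeyStoreRealm: certificate not found by X500Principal", new Object[0]);
            return RealmIdentity.NON_EXISTENT;
        } catch (KeyStoreException e) {
            throw ElytronMessages.log.failedToReadKeyStore(e);
        }
    }

    /**
     * Realm-level answer is always {@link SupportLevel#POSSIBLY_SUPPORTED}: support is
     * decided per alias by {@link KeyStoreRealmIdentity#getCredentialAcquireSupport}.
     *
     * @param cls the credential type; must not be {@code null}
     * @param str the algorithm name, or {@code null}
     * @param algorithmParameterSpec the algorithm parameters, or {@code null}
     */
    @Override // org.wildfly.security.auth.server.SecurityRealm
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
        Assert.checkNotNullParam("credentialType", cls);
        return SupportLevel.POSSIBLY_SUPPORTED;
    }

    /**
     * Realm-level answer is always {@link SupportLevel#POSSIBLY_SUPPORTED}: support is
     * decided per alias by {@link KeyStoreRealmIdentity#getEvidenceVerifySupport}.
     *
     * @param cls the evidence type; must not be {@code null}
     * @param str the algorithm name, or {@code null}
     */
    @Override // org.wildfly.security.auth.server.SecurityRealm
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
        Assert.checkNotNullParam("evidenceType", cls);
        return SupportLevel.POSSIBLY_SUPPORTED;
    }

    /**
     * Reads the entry for an alias with no protection parameter.
     *
     * <p>Fail-closed by design: a missing alias, an entry that needs a password
     * ({@link UnrecoverableEntryException}), an unsupported algorithm, or a store that is
     * not loaded ({@link KeyStoreException}) all return {@code null}. The exception is
     * only trace-logged, so a misconfigured store looks like "unknown user" unless trace
     * logging is enabled — keep that in mind when diagnosing authentication failures.
     *
     * <p>(Decompiler note: originally {@code private}; the inner class is its only
     * intended caller.)
     *
     * @param str the alias, used verbatim
     * @return the entry, or {@code null} if absent or unreadable
     */
    /* JADX INFO: Access modifiers changed from: private */
    public KeyStore.Entry getEntry(String str) {
        try {
            KeyStore.Entry entry = this.keyStore.getEntry(str, null);
            if (entry == null) {
                ElytronMessages.log.tracef("KeyStoreRealm: alias [%s] does not exist in KeyStore", str);
            }
            return entry;
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
            ElytronMessages.log.tracef(e, "KeyStoreRealm: Obtaining entry [%s] from KeyStore failed", str);
            return null;
        }
    }
}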
