package org.keycloak.services.resources.admin;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Type;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.plugins.providers.multipart.InputPart;
import org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataInput;
import org.jboss.resteasy.spi.NotAcceptableException;
import org.jboss.resteasy.spi.NotFoundException;
import org.keycloak.common.util.PemUtils;
import org.keycloak.common.util.StreamUtil;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.utils.JWKSUtils;
import org.keycloak.representations.KeyStoreConfig;
import org.keycloak.representations.idm.CertificateRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.util.CertificateInfoHelper;
import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/services/resources/admin/ClientAttributeCertificateResource.class */
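/**
 * Admin REST sub-resource managing the certificate / key material stored in a client's
 * attributes under {@code attributePrefix}.
 *
 * <p>Endpoints: read the stored info, generate a fresh key pair, upload a certificate or key
 * (PEM, JWKS, or an entry of a JKS/BC key store), and export the material as a downloadable
 * JKS or PKCS12 key store. Every endpoint first checks the caller's realm permission and then
 * that the client resolved by the parent resource exists.
 *
 * <p>Request-level problems (missing multipart parts, unreadable key store, missing passwords)
 * are reported as HTTP 4xx via {@link ErrorResponseException}; unexpected provider failures
 * surface as {@link RuntimeException}.
 */
public class ClientAttributeCertificateResource {
    public static final String CERTIFICATE_PEM = "Certificate PEM";
    public static final String PUBLIC_KEY_PEM = "Public Key PEM";
    public static final String JSON_WEB_KEY_SET = "JSON Web Key Set";

    /** Key store formats handled by the JDK directly; anything else is delegated to the BC provider. */
    private static final String FORMAT_JKS = "JKS";
    private static final String FORMAT_PKCS12 = "PKCS12";
    private static final String BOUNCY_CASTLE_PROVIDER = "BC";

    /** Multipart part names expected by the upload endpoints. */
    private static final String PART_KEYSTORE_FORMAT = "keystoreFormat";
    private static final String PART_FILE = "file";
    private static final String PART_KEY_ALIAS = "keyAlias";
    private static final String PART_KEY_PASSWORD = "keyPassword";
    private static final String PART_STORE_PASSWORD = "storePassword";

    protected RealmModel realm;
    private RealmAuth auth;
    protected ClientModel client;
    protected KeycloakSession session;
    protected AdminEventBuilder adminEvent;
    protected String attributePrefix;

    /**
     * @param realmModel         realm the client belongs to; its certificate can be added to exported stores
     * @param realmAuth          permission checker for the calling admin
     * @param clientModel        target client, may be {@code null} (every endpoint then answers 404)
     * @param keycloakSession    current session, used for the request URI in admin events
     * @param str                attribute prefix under which the certificate info is stored on the client
     * @param adminEventBuilder  event builder; scoped to {@link ResourceType#CLIENT} here
     */
    public ClientAttributeCertificateResource(RealmModel realmModel, RealmAuth realmAuth, ClientModel clientModel, KeycloakSession keycloakSession, String str, AdminEventBuilder adminEventBuilder) {
        this.realm = realmModel;
        this.auth = realmAuth;
        this.client = clientModel;
        this.session = keycloakSession;
        this.attributePrefix = str;
        this.adminEvent = adminEventBuilder.resource(ResourceType.CLIENT);
    }

    /**
     * Returns the certificate info currently stored on the client.
     *
     * @return the stored representation as read by {@link CertificateInfoHelper}
     * @throws NotFoundException if the client does not exist
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    public CertificateRepresentation getKeyInfo() {
        this.auth.requireView();
        requireClient();
        // NOTE(review): the download path below reads a private key out of this same representation,
        // so view permission appears to be enough to read the client's private key — confirm that is intended.
        return CertificateInfoHelper.getCertificateFromClient(this.client, this.attributePrefix);
    }

    /**
     * Generates a new key pair and self-signed certificate for the client and stores it.
     *
     * @return the generated representation (including the private key PEM)
     * @throws NotFoundException if the client does not exist
     */
    @NoCache
    @Path("generate")
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public CertificateRepresentation generate() {
        this.auth.requireManage();
        requireClient();
        CertificateRepresentation info = KeycloakModelUtils.generateKeyPairCertificate(this.client.getClientId());
        CertificateInfoHelper.updateClientModelCertificateInfo(this.client, info, this.attributePrefix);
        // NOTE(review): the event representation carries the private key PEM; generateAndGetKeystore
        // strips it before recording the event — consider doing the same here.
        fireActionEvent(info);
        return info;
    }

    /**
     * Imports certificate and, when present, private key from an uploaded PEM, JWKS or key store.
     *
     * @param uriInfo                 request URI (unused, kept for the JAX-RS signature)
     * @param multipartFormDataInput  multipart body; see {@link #getCertFromRequest}
     * @return the representation that was stored
     * @throws IOException            if a multipart part cannot be read
     * @throws NotFoundException      if the client does not exist
     * @throws ErrorResponseException (400) if a part is missing, the key store is unreadable, or the alias is absent
     */
    @Path("upload")
    @Consumes({"multipart/form-data"})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public CertificateRepresentation uploadJks(@Context UriInfo uriInfo, MultipartFormDataInput multipartFormDataInput) throws IOException {
        this.auth.requireManage();
        requireClient();
        CertificateRepresentation info = getCertFromRequest(multipartFormDataInput);
        return storeAndReport(info);
    }

    /**
     * Like {@link #uploadJks} but discards any private key found in the upload, storing only the
     * certificate / public key.
     *
     * @param uriInfo                 request URI (unused, kept for the JAX-RS signature)
     * @param multipartFormDataInput  multipart body; see {@link #getCertFromRequest}
     * @return the representation that was stored (private key always {@code null})
     * @throws IOException            if a multipart part cannot be read
     * @throws NotFoundException      if the client does not exist
     * @throws ErrorResponseException (400) if a part is missing, the key store is unreadable, or the alias is absent
     */
    @Path("upload-certificate")
    @Consumes({"multipart/form-data"})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public CertificateRepresentation uploadJksCertificate(@Context UriInfo uriInfo, MultipartFormDataInput multipartFormDataInput) throws IOException {
        this.auth.requireManage();
        requireClient();
        CertificateRepresentation info = getCertFromRequest(multipartFormDataInput);
        info.setPrivateKey((String) null);
        return storeAndReport(info);
    }

    /**
     * Exports the client's stored key material as a key store.
     *
     * @param keyStoreConfig format (JKS default, or PKCS12), aliases and passwords for the export
     * @return the serialized key store
     * @throws NotFoundException      if the client does not exist or has neither key nor certificate
     * @throws NotAcceptableException if the requested format is not JKS or PKCS12
     * @throws ErrorResponseException (400) if a required password is missing
     */
    @NoCache
    @Path("/download")
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({"application/octet-stream"})
    public byte[] getKeystore(KeyStoreConfig keyStoreConfig) {
        this.auth.requireView();
        requireClient();
        String format = resolveFormat(keyStoreConfig);
        CertificateRepresentation info = CertificateInfoHelper.getCertificateFromClient(this.client, this.attributePrefix);
        String privateKey = info.getPrivateKey();
        String certificate = info.getCertificate();
        if (privateKey == null && certificate == null) {
            throw new NotFoundException("keypair not generated for client");
        }
        // A key entry needs its own password; a certificate-only store does not.
        if (privateKey != null && keyStoreConfig.getKeyPassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a key password for jks download", Response.Status.BAD_REQUEST);
        }
        if (keyStoreConfig.getStorePassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a store password for jks download", Response.Status.BAD_REQUEST);
        }
        return buildKeystore(format, keyStoreConfig, privateKey, certificate);
    }

    /**
     * Generates a new key pair, returns it inside a key store, and stores only the certificate on
     * the client so the private key exists server-side just long enough to build the download.
     *
     * @param keyStoreConfig format (JKS default, or PKCS12), aliases and passwords for the export
     * @return the serialized key store containing the new private key and certificate
     * @throws NotFoundException      if the client does not exist
     * @throws NotAcceptableException if the requested format is not JKS or PKCS12
     * @throws ErrorResponseException (400) if key or store password is missing
     */
    @NoCache
    @Path("/generate-and-download")
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({"application/octet-stream"})
    public byte[] generateAndGetKeystore(KeyStoreConfig keyStoreConfig) {
        this.auth.requireManage();
        requireClient();
        String format = resolveFormat(keyStoreConfig);
        if (keyStoreConfig.getKeyPassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a key password for jks generation and download", Response.Status.BAD_REQUEST);
        }
        if (keyStoreConfig.getStorePassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a store password for jks generation and download", Response.Status.BAD_REQUEST);
        }
        CertificateRepresentation info = KeycloakModelUtils.generateKeyPairCertificate(this.client.getClientId());
        byte[] keystore = buildKeystore(format, keyStoreConfig, info.getPrivateKey(), info.getCertificate());
        // Drop the private key before persisting and before the admin event is recorded.
        info.setPrivateKey((String) null);
        CertificateInfoHelper.updateClientModelCertificateInfo(this.client, info, this.attributePrefix);
        fireActionEvent(info);
        return keystore;
    }

    /** Fails with 404 when the parent resource could not resolve the client. */
    private void requireClient() {
        if (this.client == null) {
            throw new NotFoundException("Could not find client");
        }
    }

    /** Records an ACTION admin event for the current request URI carrying {@code info}. */
    private void fireActionEvent(CertificateRepresentation info) {
        this.adminEvent.operation(OperationType.ACTION).resourcePath(this.session.getContext().getUri()).representation(info).success();
    }

    /**
     * Persists an uploaded representation and records the admin event.
     *
     * @throws ErrorResponseException (400) when the helper rejects the representation with
     *         {@link IllegalStateException} (nothing usable was found under the requested alias)
     */
    private CertificateRepresentation storeAndReport(CertificateRepresentation info) {
        try {
            CertificateInfoHelper.updateClientModelCertificateInfo(this.client, info, this.attributePrefix);
            fireActionEvent(info);
            return info;
        } catch (IllegalStateException e) {
            throw new ErrorResponseException("certificate-not-found", "Certificate or key with given alias not found in the keystore", Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Validates the requested export format.
     *
     * @return {@code JKS} when no format is given (previously a missing format passed validation
     *         and then failed with a NullPointerException), otherwise the requested format
     * @throws NotAcceptableException if the format is neither JKS nor PKCS12
     */
    private static String resolveFormat(KeyStoreConfig keyStoreConfig) {
        String format = keyStoreConfig.getFormat();
        if (format == null) {
            return FORMAT_JKS;
        }
        if (!FORMAT_JKS.equals(format) && !FORMAT_PKCS12.equals(format)) {
            throw new NotAcceptableException("Only support jks or pkcs12 format.");
        }
        return format;
    }

    /**
     * Parses the multipart upload into a representation, dispatching on the {@code keystoreFormat} part:
     * the three PEM/JWKS constants of this class, or a key store type name (JKS, or one the BC provider knows).
     *
     * @throws IOException            if a part cannot be read
     * @throws ErrorResponseException (400) if {@code keystoreFormat} or {@code file} is absent
     */
    private CertificateRepresentation getCertFromRequest(MultipartFormDataInput multipartFormDataInput) throws IOException {
        Map<String, List<InputPart>> form = multipartFormDataInput.getFormDataMap();
        String format = requiredPart(form, PART_KEYSTORE_FORMAT).getBodyAsString();
        InputPart file = requiredPart(form, PART_FILE);
        CertificateRepresentation info = new CertificateRepresentation();
        if (CERTIFICATE_PEM.equals(format)) {
            String pem = readBody(file);
            KeycloakModelUtils.getCertificate(pem); // parsed only to reject malformed input early
            info.setCertificate(pem);
            return info;
        }
        if (PUBLIC_KEY_PEM.equals(format)) {
            String pem = readBody(file);
            KeycloakModelUtils.getPublicKey(pem); // parsed only to reject malformed input early
            info.setPublicKey(pem);
            return info;
        }
        if (JSON_WEB_KEY_SET.equals(format)) {
            JSONWebKeySet keySet;
            try (InputStream in = openBody(file)) {
                keySet = JsonSerialization.readValue(in, JSONWebKeySet.class);
            }
            info.setPublicKey(KeycloakModelUtils.getPemFromKey(JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG)));
            return info;
        }
        return readFromKeyStore(format, file, form, info);
    }

    /**
     * Fills {@code info} from the entry {@code keyAlias} of an uploaded key store of type {@code format}.
     * The private key is best-effort: an entry without one, or a wrong key password, still yields the
     * certificate so that {@link #uploadJksCertificate} works without the key password.
     *
     * @throws ErrorResponseException (400) if {@code keyAlias} is absent or the store cannot be
     *         loaded with the given format and store password
     * @throws RuntimeException       if the provider fails after the store was loaded
     */
    private CertificateRepresentation readFromKeyStore(String format, InputPart file, Map<String, List<InputPart>> form, CertificateRepresentation info) throws IOException {
        String keyAlias = requiredPart(form, PART_KEY_ALIAS).getBodyAsString();
        char[] keyPassword = optionalPassword(form, PART_KEY_PASSWORD);
        char[] storePassword = optionalPassword(form, PART_STORE_PASSWORD);
        try {
            KeyStore keyStore;
            try (InputStream in = openBody(file)) {
                keyStore = newKeyStore(format);
                keyStore.load(in, storePassword);
            } catch (IOException | GeneralSecurityException e) {
                // Corrupt upload, unsupported type or wrong store password: a client error, not a 500.
                throw new ErrorResponseException("keystore-invalid", "Keystore could not be read with the given format and store password", Response.Status.BAD_REQUEST);
            }
            Key key = null;
            try {
                key = keyStore.getKey(keyAlias, keyPassword);
            } catch (GeneralSecurityException ignored) {
                // Deliberate best effort: missing or unrecoverable key still allows the certificate import.
            }
            if (key instanceof PrivateKey) {
                info.setPrivateKey(KeycloakModelUtils.getPemFromKey((PrivateKey) key));
            }
            Certificate certificate = keyStore.getCertificate(keyAlias);
            if (certificate instanceof X509Certificate) {
                info.setCertificate(KeycloakModelUtils.getPemFromCertificate((X509Certificate) certificate));
            }
            return info;
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        } finally {
            clearPassword(keyPassword);
            clearPassword(storePassword);
        }
    }

    /**
     * Builds a key store holding the client's entry and, unless {@code isRealmCertificate()} is
     * explicitly false, the realm certificate (generated on demand when the realm has none).
     *
     * @param format         validated key store type, see {@link #resolveFormat}
     * @param keyStoreConfig aliases and passwords; both passwords are trimmed before use
     * @param privateKeyPem  private key PEM, or {@code null} for a certificate-only entry
     * @param certificatePem certificate PEM; expected non-null when {@code privateKeyPem} is given
     *                       (callers guarantee at least one of the two is present)
     * @throws RuntimeException wrapping any provider or serialization failure
     */
    private byte[] buildKeystore(String format, KeyStoreConfig keyStoreConfig, String privateKeyPem, String certificatePem) {
        try {
            KeyStore keyStore = newKeyStore(format);
            keyStore.load(null, null);
            String keyAlias = keyStoreConfig.getKeyAlias() != null ? keyStoreConfig.getKeyAlias() : this.client.getClientId();
            if (privateKeyPem != null) {
                char[] keyPassword = keyStoreConfig.getKeyPassword().trim().toCharArray();
                try {
                    keyStore.setKeyEntry(keyAlias, PemUtils.decodePrivateKey(privateKeyPem), keyPassword, new Certificate[]{PemUtils.decodeCertificate(certificatePem)});
                } finally {
                    clearPassword(keyPassword);
                }
            } else {
                keyStore.setCertificateEntry(keyAlias, PemUtils.decodeCertificate(certificatePem));
            }
            if (keyStoreConfig.isRealmCertificate() == null || keyStoreConfig.isRealmCertificate().booleanValue()) {
                X509Certificate realmCertificate = this.realm.getCertificate();
                if (realmCertificate == null) {
                    KeycloakModelUtils.generateRealmCertificate(this.realm);
                    realmCertificate = this.realm.getCertificate();
                }
                String realmAlias = keyStoreConfig.getRealmAlias() != null ? keyStoreConfig.getRealmAlias() : this.realm.getName();
                keyStore.setCertificateEntry(realmAlias, realmCertificate);
            }
            char[] storePassword = keyStoreConfig.getStorePassword().trim().toCharArray();
            try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
                keyStore.store(out, storePassword);
                return out.toByteArray();
            } finally {
                clearPassword(storePassword);
            }
        } catch (GeneralSecurityException | IOException e) {
            throw new RuntimeException(e);
        }
    }

    /** JKS comes from the JDK; every other type name is resolved through the BC provider. */
    private static KeyStore newKeyStore(String format) throws GeneralSecurityException {
        return FORMAT_JKS.equals(format) ? KeyStore.getInstance(FORMAT_JKS) : KeyStore.getInstance(format, BOUNCY_CASTLE_PROVIDER);
    }

    /**
     * @return the first part named {@code name}
     * @throws ErrorResponseException (400) if the part is absent (previously a NullPointerException / 500)
     */
    private static InputPart requiredPart(Map<String, List<InputPart>> form, String name) {
        List<InputPart> parts = form.get(name);
        if (parts == null || parts.isEmpty()) {
            throw new ErrorResponseException("missing-form-part", "Multipart request is missing the '" + name + "' part", Response.Status.BAD_REQUEST);
        }
        return parts.get(0);
    }

    /** @return the first part named {@code name} as a char array, or {@code null} when the part is absent */
    private static char[] optionalPassword(Map<String, List<InputPart>> form, String name) throws IOException {
        List<InputPart> parts = form.get(name);
        if (parts == null || parts.isEmpty()) {
            return null;
        }
        return parts.get(0).getBodyAsString().toCharArray();
    }

    /** Opens the raw body stream of a part; callers close it. */
    private static InputStream openBody(InputPart part) throws IOException {
        return part.getBody(InputStream.class, (Type) null);
    }

    /** Reads a part body fully as a string and closes the underlying stream. */
    private static String readBody(InputPart part) throws IOException {
        try (InputStream in = openBody(part)) {
            return StreamUtil.readString(in);
        }
    }

    /** Overwrites a password buffer once it is no longer needed; tolerates {@code null}. */
    private static void clearPassword(char[] password) {
        if (password != null) {
            Arrays.fill(password, '\0');
        }
    }
}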
