package org.keycloak.authentication.authenticators.x509;

import freemarker.template.utility.NullArgumentException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Optional;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.keycloak.common.util.PemUtils;
import org.keycloak.services.ServicesLogger;

/* loaded from: input_file:org/keycloak/authentication/authenticators/x509/UserIdentityExtractor.class */
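/**
 * Strategy for deriving a user identity from an X.509 client certificate chain.
 *
 * <p>Strategies defined here: a regular-expression capture over a string derived from the
 * chain ({@link PatternMatcher}), an attribute of an X.500 name ({@link X500NameRDNExtractor}),
 * the PEM encoding of the first certificate ({@link #getCertificatePemIdentityExtractor}),
 * a first-non-null combination of two strategies ({@link OrExtractor}), and
 * {@link SubjectAltNameExtractor}, whose extraction logic is missing from this listing.
 *
 * <p>Security note: none of the visible code validates the chain (trust path, validity period,
 * revocation, key usage). Every value returned is copied out of certificate fields, so it is
 * only as trustworthy as the validation done before an extractor is invoked.
 *
 * <p>This file is decompiler output: parameter names are synthetic and one method body could
 * not be recovered (see {@link SubjectAltNameExtractor#extractUserIdentity}).
 */
public abstract class UserIdentityExtractor {
    private static final ServicesLogger logger = ServicesLogger.LOGGER;

    /**
     * Intermediate holder returned by {@link UserIdentityExtractor#either}; calling
     * {@link #or} supplies the fallback and produces the combined extractor.
     */
    static class OrBuilder {
        UserIdentityExtractor extractor;
        // Never assigned or read in this listing; left in place because it is package-visible.
        UserIdentityExtractor other;

        OrBuilder(UserIdentityExtractor userIdentityExtractor) {
            this.extractor = userIdentityExtractor;
        }

        /**
         * Combines the primary extractor with a fallback.
         *
         * @param userIdentityExtractor fallback extractor; must not be null
         * @return an extractor that tries the primary first, then the fallback
         * @throws NullArgumentException if either extractor is null (raised by OrExtractor)
         */
        public UserIdentityExtractor or(UserIdentityExtractor userIdentityExtractor) {
            return new OrExtractor(this.extractor, userIdentityExtractor);
        }
    }

    /**
     * Tries one extractor and, only if it returns {@code null}, a second one.
     *
     * <p>An exception thrown by the first extractor propagates; the second is not consulted
     * in that case.
     */
    static class OrExtractor extends UserIdentityExtractor {
        UserIdentityExtractor extractor;
        UserIdentityExtractor other;

        OrExtractor(UserIdentityExtractor userIdentityExtractor, UserIdentityExtractor userIdentityExtractor2) {
            if (userIdentityExtractor == null) {
                throw new NullArgumentException("extractor");
            }
            if (userIdentityExtractor2 == null) {
                throw new NullArgumentException("other");
            }
            this.extractor = userIdentityExtractor;
            this.other = userIdentityExtractor2;
        }

        @Override
        public Object extractUserIdentity(X509Certificate[] x509CertificateArr) {
            Object identity = this.extractor.extractUserIdentity(x509CertificateArr);
            return identity != null ? identity : this.other.extractUserIdentity(x509CertificateArr);
        }
    }

    /**
     * Extracts the identity as capture group 1 of a regular expression applied to a string
     * obtained from the certificate chain.
     *
     * <p>Review points for whoever configures the pattern:
     * <ul>
     *   <li>Matching uses {@link Matcher#find()}, so the expression may match anywhere in the
     *       input. A pattern that is meant to cover the whole value has to carry its own
     *       {@code ^} / {@code $} anchors.</li>
     *   <li>The pattern is compiled with {@link Pattern#CASE_INSENSITIVE}.</li>
     *   <li>The pattern must define exactly one capturing group; otherwise {@code null} is
     *       returned.</li>
     *   <li>The certificate-derived input string is written verbatim to the debug log when no
     *       identity is produced.</li>
     * </ul>
     */
    static class PatternMatcher extends UserIdentityExtractor {
        private final String _pattern;
        private final Function<X509Certificate[], String> _f;

        PatternMatcher(String str, Function<X509Certificate[], String> function) {
            this._pattern = str;
            this._f = function;
        }

        /**
         * @param x509CertificateArr certificate chain handed to the configured function
         * @return the text captured by group 1, or {@code null} when the pattern does not
         *     match or does not define exactly one capturing group
         * @throws IllegalArgumentException if the configured function yields {@code null}
         */
        @Override
        public Object extractUserIdentity(X509Certificate[] x509CertificateArr) {
            String input = Optional.ofNullable(this._f.apply(x509CertificateArr))
                    .orElseThrow(IllegalArgumentException::new);
            // Compiled on every call, so an invalid expression only surfaces here
            // (as PatternSyntaxException), not when the extractor is created.
            Matcher matcher = Pattern.compile(this._pattern, Pattern.CASE_INSENSITIVE).matcher(input);
            if (!matcher.find()) {
                UserIdentityExtractor.logger.debugf("[PatternMatcher:extract] No matches were found for input \"%s\", pattern=\"%s\"", input, this._pattern);
                return null;
            }
            if (matcher.groupCount() == 1) {
                return matcher.group(1);
            }
            // Reached for zero groups as well as for two or more, so the message says
            // "exactly one" rather than "more than a single group".
            UserIdentityExtractor.logger.debugf("[PatternMatcher:extract] Pattern does not define exactly one capturing group for input \"%s\", pattern=\"%s\"", input, this._pattern);
            return null;
        }
    }

    /**
     * Extractor configured with a general-name selector ({@code generalName}) and holding the
     * UPN object identifier.
     *
     * <p>NOTE(review): the extraction method was not recovered by the decompiler, so how the
     * selector, {@code UPN_OID} and {@link #unwrap} are used cannot be checked from this
     * listing.
     */
    static class SubjectAltNameExtractor extends UserIdentityExtractor {
        private static final String UPN_OID = "1.3.6.1.4.1.311.20.2.3";
        private final int generalName;

        SubjectAltNameExtractor(int i) {
            this.generalName = i;
        }

        /*
         * Decompiler failure (JADX: "Code restructure failed: missing block: B:42:0x012a,
         * code lost"; 336 instructions skipped). The body below is a placeholder emitted by
         * the decompiler, not the shipped logic: in this listing the method always throws.
         * Review the original bytecode or source before drawing any conclusion about how
         * subjectAltName values are selected.
         */
        @Override
        public java.lang.Object extractUserIdentity(java.security.cert.X509Certificate[] r7) {
            throw new UnsupportedOperationException("Method not decompiled: org.keycloak.authentication.authenticators.x509.UserIdentityExtractor.SubjectAltNameExtractor.extractUserIdentity(java.security.cert.X509Certificate[]):java.lang.Object");
        }

        /**
         * Strips every layer of ASN.1 tagging and returns the innermost object.
         *
         * @param aSN1Encodable value that may be wrapped in one or more tagged objects
         * @return the first nested object that is not an {@link ASN1TaggedObject}
         */
        private ASN1Encodable unwrap(ASN1Encodable aSN1Encodable) {
            ASN1Encodable current = aSN1Encodable;
            while (current instanceof ASN1TaggedObject) {
                current = ((ASN1TaggedObject) current).getObject();
            }
            return current;
        }
    }

    /**
     * Extracts the value of one attribute type (for example a common name) from an X.500
     * name obtained from the certificate chain.
     *
     * <p>Only the first RDN that carries the requested attribute type is used; further RDNs
     * of the same type are ignored.
     */
    static class X500NameRDNExtractor extends UserIdentityExtractor {
        private ASN1ObjectIdentifier x500NameStyle;
        Function<X509Certificate[], X500Name> x500Name;

        X500NameRDNExtractor(ASN1ObjectIdentifier aSN1ObjectIdentifier, Function<X509Certificate[], X500Name> function) {
            this.x500NameStyle = aSN1ObjectIdentifier;
            this.x500Name = function;
        }

        /**
         * @param x509CertificateArr certificate chain; must contain at least one certificate
         * @return the attribute value as a string, or {@code null} when the name is absent or
         *     holds no RDN of the requested type
         * @throws IllegalArgumentException if the chain is {@code null} or empty
         */
        @Override
        public Object extractUserIdentity(X509Certificate[] x509CertificateArr) {
            if (x509CertificateArr == null || x509CertificateArr.length == 0) {
                throw new IllegalArgumentException();
            }
            X500Name name = this.x500Name.apply(x509CertificateArr);
            if (name == null) {
                return null;
            }
            RDN[] matching = name.getRDNs(this.x500NameStyle);
            if (matching == null || matching.length == 0) {
                return null;
            }
            RDN rdn = matching[0];
            // A multi-valued RDN (e.g. "OU=x+CN=alice") is returned by getRDNs() when any of
            // its attributes has the requested type, while getFirst() yields whichever
            // attribute is encoded first. Select by type so the identity is always the
            // attribute that was asked for; single-valued RDNs behave exactly as before.
            return Arrays.stream(rdn.getTypesAndValues())
                    .filter(attribute -> attribute.getType().equals(this.x500NameStyle))
                    .findFirst()
                    .map(attribute -> IETFUtils.valueToString(attribute.getValue()))
                    .orElseGet(() -> IETFUtils.valueToString(rdn.getFirst().getValue()));
        }
    }

    /**
     * Derives a user identity from the presented certificate chain.
     *
     * @param x509CertificateArr certificate chain presented by the client
     * @return the extracted identity, or {@code null} when the strategy finds none
     */
    public abstract Object extractUserIdentity(X509Certificate[] x509CertificateArr);

    /**
     * Creates an extractor that applies a regular expression to a chain-derived string.
     *
     * @param str regular expression with exactly one capturing group
     * @param function supplies the string to match from the certificate chain
     * @return a new {@link PatternMatcher}
     */
    public static UserIdentityExtractor getPatternIdentityExtractor(String str, Function<X509Certificate[], String> function) {
        return new PatternMatcher(str, function);
    }

    /**
     * Creates an extractor for one attribute type of an X.500 name.
     *
     * @param aSN1ObjectIdentifier attribute type to look up
     * @param function supplies the X.500 name from the certificate chain
     * @return a new {@link X500NameRDNExtractor}
     */
    public static UserIdentityExtractor getX500NameExtractor(ASN1ObjectIdentifier aSN1ObjectIdentifier, Function<X509Certificate[], X500Name> function) {
        return new X500NameRDNExtractor(aSN1ObjectIdentifier, function);
    }

    /**
     * Creates a {@link SubjectAltNameExtractor} for the given general-name selector.
     *
     * @param i general-name selector stored by the extractor
     * @return a new {@link SubjectAltNameExtractor}
     */
    public static SubjectAltNameExtractor getSubjectAltNameExtractor(int i) {
        return new SubjectAltNameExtractor(i);
    }

    /**
     * Starts an either/or combination; finish it with {@link OrBuilder#or}.
     *
     * @param userIdentityExtractor extractor to try first
     * @return a builder holding the primary extractor
     */
    public static OrBuilder either(UserIdentityExtractor userIdentityExtractor) {
        return new OrBuilder(userIdentityExtractor);
    }

    /**
     * Creates an extractor that uses the PEM encoding of the first certificate in the chain
     * as the identity.
     *
     * <p>The full PEM text is written to the debug log on every extraction.
     *
     * @param x509AuthenticatorConfigModel not read by the visible code
     * @return an extractor returning the PEM string of {@code chain[0]}
     */
    public static UserIdentityExtractor getCertificatePemIdentityExtractor(X509AuthenticatorConfigModel x509AuthenticatorConfigModel) {
        return new UserIdentityExtractor() {
            /**
             * @throws IllegalArgumentException if the chain is {@code null} or empty
             */
            @Override
            public Object extractUserIdentity(X509Certificate[] x509CertificateArr) {
                if (x509CertificateArr == null || x509CertificateArr.length == 0) {
                    throw new IllegalArgumentException();
                }
                String pem = PemUtils.encodeCertificate(x509CertificateArr[0]);
                UserIdentityExtractor.logger.debugf("Using PEM certificate \"%s\" as user identity.", pem);
                return pem;
            }
        };
    }
}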
