package org.keycloak.keys.loader;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;
import org.jboss.logging.Logger;
import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.keys.PublicKeyLoader;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.utils.JWKSHttpUtils;
import org.keycloak.representations.idm.CertificateRepresentation;
import org.keycloak.services.util.CertificateInfoHelper;
import org.keycloak.services.util.ResolveRelative;
import org.keycloak.util.JWKSUtils;

/* loaded from: input_file:org/keycloak/keys/loader/ClientPublicKeyLoader.class */
public class ClientPublicKeyLoader implements PublicKeyLoader {

    private static final Logger logger = Logger.getLogger(ClientPublicKeyLoader.class);

    private final KeycloakSession session;
    private final ClientModel client;

    /**
     * Creates a loader for the signature-verification keys of one client.
     *
     * @param keycloakSession current session; used for the request context (request URI) and for the outbound JWKS request
     * @param clientModel     client whose keys are loaded
     */
    public ClientPublicKeyLoader(KeycloakSession keycloakSession, ClientModel clientModel) {
        session = keycloakSession;
        client = clientModel;
    }

    /**
     * Loads the keys that may verify JWTs issued by this client, keyed by kid.
     * <p>
     * The source is chosen by the client's advanced OIDC configuration:
     * <ul>
     *   <li>JWKS URL enabled: the key set is fetched over HTTP from the configured URL. The URL may be
     *       relative; it is resolved against the current request URI and the client's root URL before the
     *       request is sent. Only entries with {@code use=sig} are kept, so encryption-only keys never become
     *       verification keys.</li>
     *   <li>Otherwise: the certificate or raw public key stored in the client attributes under the
     *       {@link JWTClientAuthenticator#ATTR_PREFIX} prefix is wrapped as a single key.</li>
     * </ul>
     * A misconfigured attribute-based key ({@link ModelException}: none or both of certificate/public key set,
     * or unparsable material) is logged with the client id and the exception and produces an empty map, i.e.
     * no verification key at all. Failures of the JWKS fetch are not caught here and propagate to the caller.
     *
     * @return kid to key wrapper; empty when the attribute-based key is misconfigured; never {@code null}
     * @throws Exception propagated from the JWKS request or URL resolution
     */
    public Map<String, KeyWrapper> loadKeys() throws Exception {
        OIDCAdvancedConfigWrapper oidcConfig = OIDCAdvancedConfigWrapper.fromClientModel(client);

        if (oidcConfig.isUseJwksUrl()) {
            // The configured value is administrator-controlled and may be relative; resolve it against the
            // request URI and the client root URL so the HTTP request targets an absolute URL.
            String jwksUrl = ResolveRelative.resolveRelativeUri(
                    session.getContext().getUri().getRequestUri(),
                    client.getRootUrl(),
                    oidcConfig.getJwksUrl());
            // Keep only signature keys from the fetched set.
            return JWKSUtils.getKeyWrappersForUse(JWKSHttpUtils.sendJwksRequest(session, jwksUrl), JWK.Use.SIG);
        }

        try {
            CertificateRepresentation certInfo =
                    CertificateInfoHelper.getCertificateFromClient(client, JWTClientAuthenticator.ATTR_PREFIX);
            KeyWrapper verificationKey = getSignatureValidationKey(certInfo);
            return Collections.singletonMap(verificationKey.getKid(), verificationKey);
        } catch (ModelException me) {
            // Misconfiguration yields no key rather than a partially-built one; only the client id and the
            // error text are logged, never the key material itself.
            logger.warnf(me, "Unable to retrieve publicKey for verify signature of client '%s' . Error details: %s", client.getClientId(), me.getMessage());
            return Collections.emptyMap();
        }
    }

    /**
     * Wraps the attribute-based certificate or public key as a signature-verification key.
     * <p>
     * Exactly one of certificate / public key must be present. The wrapper is always labelled
     * {@code RS256} / {@code RSA}: the actual key type in the material is not inspected here, so a
     * non-RSA key would still be labelled RSA. NOTE(review): presumably the consumer compares this label
     * against the JWT header; confirm that behaviour before configuring non-RSA material.
     * The kid is the one stored with the certificate info when present, otherwise derived from the public key.
     *
     * @param certInfo stored certificate / public key representation for the client
     * @return wrapper carrying kid, algorithm, type, use, verify key and (certificate case) the certificate
     * @throws ModelException when neither or both of certificate and public key are configured
     */
    private static KeyWrapper getSignatureValidationKey(CertificateRepresentation certInfo) throws ModelException {
        String encodedCertificate = certInfo.getCertificate();
        String encodedPublicKey = certInfo.getPublicKey();

        boolean hasCertificate = encodedCertificate != null;
        boolean hasPublicKey = encodedPublicKey != null;
        if (!hasCertificate && !hasPublicKey) {
            throw new ModelException("Client doesn't have certificate or publicKey configured");
        }
        if (hasCertificate && hasPublicKey) {
            throw new ModelException("Client has both publicKey and certificate configured");
        }

        KeyWrapper verificationKey = new KeyWrapper();
        // Fixed labels regardless of the material's real key type (see class-level note above).
        verificationKey.setAlgorithm("RS256");
        verificationKey.setType("RSA");
        verificationKey.setUse(KeyUse.SIG);

        if (hasCertificate) {
            X509Certificate clientCert = KeycloakModelUtils.getCertificate(encodedCertificate);
            PublicKey certKey = clientCert.getPublicKey();
            verificationKey.setKid(resolveKid(certInfo, certKey));
            verificationKey.setVerifyKey(certKey);
            verificationKey.setCertificate(clientCert);
        } else {
            PublicKey rawKey = KeycloakModelUtils.getPublicKey(encodedPublicKey);
            verificationKey.setKid(resolveKid(certInfo, rawKey));
            verificationKey.setVerifyKey(rawKey);
        }
        return verificationKey;
    }

    /**
     * Returns the kid stored with the certificate info, or derives one from the public key when none is stored.
     *
     * @param certInfo  stored representation that may carry a kid
     * @param publicKey key used to derive a kid when none is stored
     * @return the stored kid, else the derived one
     */
    private static String resolveKid(CertificateRepresentation certInfo, PublicKey publicKey) {
        String storedKid = certInfo.getKid();
        return storedKid != null ? storedKid : KeyUtils.createKeyId(publicKey);
    }
}
