package org.keycloak.protocol.oidc.client.authentication;

import java.security.KeyPair;
import java.security.PublicKey;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;
import org.keycloak.OAuth2Constants;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.KeystoreUtil;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.AsymmetricSignatureSignerContext;
import org.keycloak.crypto.JavaAlgorithm;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.SignatureSignerContext;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.adapters.config.AdapterConfig;

/* loaded from: input_file:BOOT-INF/lib/keycloak-core-22.0.4.jar:org/keycloak/protocol/oidc/client/authentication/JWTClientCredentialsProvider.class */
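/**
 * Client-credentials provider that authenticates the adapter's client with a signed JWT
 * client assertion instead of a shared secret.
 *
 * <p>The signing key pair is either loaded from a keystore named in the adapter configuration
 * ({@link #init(AdapterConfig, Object)}) or supplied directly through
 * {@link #setupKeyPair(KeyPair, String)}. Each call to
 * {@link #setClientCredentials(AdapterConfig, Map, Map)} produces a fresh, short-lived assertion
 * whose lifetime is {@code tokenTimeout} seconds.
 *
 * <p>Not thread-safe during configuration; {@code setupKeyPair}/{@code init} are expected to run
 * before the provider is shared between callers.
 */
public class JWTClientCredentialsProvider implements ClientCredentialsProvider {
    public static final String PROVIDER_ID = "jwt";

    /** Key pair used to sign the client assertion; {@code null} until configured. */
    private KeyPair keyPair;
    /** Signer built from {@link #keyPair}; {@code null} until configured. */
    private SignatureSignerContext sigCtx;
    /**
     * Assertion lifetime in seconds. Defaults to 0 (the Java field default), which makes
     * {@code exp == iat}; {@link #init} sets it from {@code token-timeout}, callers that use
     * {@link #setupKeyPair} directly must call {@link #setTokenTimeout(int)} themselves.
     */
    private int tokenTimeout;

    /** @return the provider id {@value #PROVIDER_ID}. */
    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    /**
     * Configures the signing key pair with the default {@code RS256} signature algorithm.
     *
     * @param keyPair RSA key pair to sign with
     * @throws RuntimeException if the key pair is not an RSA pair (see the two-argument overload)
     */
    public void setupKeyPair(KeyPair keyPair) {
        setupKeyPair(keyPair, "RS256");
    }

    /**
     * Configures the signing key pair and the JWS algorithm used for the client assertion.
     *
     * <p>The algorithm must match the key type: an RSA key pair accepts only RSA algorithms,
     * an EC key pair only EC algorithms, as decided by {@link JavaAlgorithm}.
     *
     * @param keyPair key pair whose private key signs the assertion
     * @param str     JWS algorithm name (for example {@code RS256} or {@code ES256})
     * @throws NullPointerException if {@code keyPair} is {@code null}
     * @throws RuntimeException if the key type is neither RSA nor EC, or the algorithm does not
     *                          fit the key type
     */
    public void setupKeyPair(KeyPair keyPair, String str) {
        Objects.requireNonNull(keyPair, "keyPair");
        String algorithm = keyPair.getPublic().getAlgorithm();
        // Reject a mismatched key/algorithm pair up front rather than at the first signing call.
        switch (algorithm) {
            case "RSA":
                if (!JavaAlgorithm.isRSAJavaAlgorithm(str)) {
                    throw new RuntimeException("Invalid algorithm for a RSA KeyPair: " + str);
                }
                break;
            case "EC":
                if (!JavaAlgorithm.isECJavaAlgorithm(str)) {
                    throw new RuntimeException("Invalid algorithm for a EC KeyPair: " + str);
                }
                break;
            default:
                throw new RuntimeException("Invalid KeyPair algorithm: " + algorithm);
        }
        KeyWrapper keyWrapper = new KeyWrapper();
        // kid is derived from the public key so the server can locate the matching verification key.
        keyWrapper.setKid(KeyUtils.createKeyId(keyPair.getPublic()));
        keyWrapper.setAlgorithm(str);
        keyWrapper.setPrivateKey(keyPair.getPrivate());
        keyWrapper.setPublicKey(keyPair.getPublic());
        keyWrapper.setType(algorithm);
        keyWrapper.setUse(KeyUse.SIG);
        this.keyPair = keyPair;
        this.sigCtx = new AsymmetricSignatureSignerContext(keyWrapper);
    }

    /**
     * Sets the assertion lifetime in seconds ({@code exp - iat}).
     *
     * @param i lifetime in seconds
     */
    public void setTokenTimeout(int i) {
        this.tokenTimeout = i;
    }

    /** @return the assertion lifetime in seconds. */
    protected int getTokenTimeout() {
        return this.tokenTimeout;
    }

    /**
     * @return the public half of the configured signing key pair
     * @throws NullPointerException if no key pair has been configured yet
     */
    public PublicKey getPublicKey() {
        return Objects.requireNonNull(this.keyPair, "keyPair is not configured; call setupKeyPair or init first")
                .getPublic();
    }

    /**
     * Initializes the provider from the {@code jwt} credentials section of the adapter config.
     *
     * <p>Recognized keys: {@code client-keystore-file} (required), {@code client-keystore-type}
     * (defaults to JKS), {@code client-keystore-password} (required), {@code client-key-password}
     * (defaults to the keystore password), {@code client-key-alias} (defaults to the client id),
     * {@code algorithm} (defaults to {@code RS256}) and {@code token-timeout} (seconds, defaults
     * to 10).
     *
     * @param adapterConfig adapter configuration; only {@code getResource()} (the client id) is read
     * @param obj           the credentials section, expected to be a {@code Map<String, Object>}
     * @throws RuntimeException if the section is not a map or a required key is missing
     * @throws IllegalArgumentException if {@code client-keystore-type} is not a known format or
     *                                  {@code token-timeout} cannot be parsed
     */
    @Override
    public void init(AdapterConfig adapterConfig, Object obj) {
        if (!(obj instanceof Map)) {
            throw new RuntimeException("Configuration of jwt credentials is missing or incorrect for client '" + adapterConfig.getResource() + "'. Check your adapter configuration");
        }
        @SuppressWarnings("unchecked") // the credentials section is a String-keyed map by construction
        Map<String, Object> map = (Map<String, Object>) obj;

        String keystoreFile = (String) map.get("client-keystore-file");
        if (keystoreFile == null) {
            throw new RuntimeException("Missing parameter client-keystore-file in configuration of jwt for client " + adapterConfig.getResource());
        }

        String keystoreType = (String) map.get("client-keystore-type");
        // Locale.ROOT: enum constant names are ASCII, so the default locale must not affect the
        // upper-casing (e.g. a Turkish default locale would turn "pkcs12" into a non-matching name).
        KeystoreUtil.KeystoreFormat keystoreFormat = keystoreType == null
                ? KeystoreUtil.KeystoreFormat.JKS
                : Enum.valueOf(KeystoreUtil.KeystoreFormat.class, keystoreType.toUpperCase(Locale.ROOT));

        // Passwords are handled as String because KeystoreUtil.loadKeyPairFromKeystore takes them
        // as String; they are never logged or included in exception messages here.
        String keystorePassword = (String) map.get("client-keystore-password");
        if (keystorePassword == null) {
            throw new RuntimeException("Missing parameter client-keystore-password in configuration of jwt for client " + adapterConfig.getResource());
        }
        String keyPassword = (String) map.get("client-key-password");
        if (keyPassword == null) {
            keyPassword = keystorePassword;
        }

        String keyAlias = (String) map.get("client-key-alias");
        if (keyAlias == null) {
            keyAlias = adapterConfig.getResource();
        }

        KeyPair loaded = KeystoreUtil.loadKeyPairFromKeystore(keystoreFile, keystorePassword, keyPassword, keyAlias, keystoreFormat);
        setupKeyPair(loaded, (String) map.getOrDefault("algorithm", "RS256"));
        this.tokenTimeout = asInt(map, "token-timeout", 10);
    }

    /**
     * Reads an integer config value that may be given as a number or a numeric string.
     *
     * @param map config map to read from
     * @param str key to read
     * @param i   value returned when the key is absent
     * @return the parsed value, or {@code i} if the key is missing
     * @throws IllegalArgumentException if the value is neither a {@link String} nor a
     *                                  {@link Number} (a non-numeric string surfaces as
     *                                  {@link NumberFormatException}, a subclass)
     */
    private Integer asInt(Map<String, Object> map, String str, int i) {
        Object obj = map.get(str);
        if (obj == null) {
            return i;
        }
        if (obj instanceof String) {
            return Integer.parseInt((String) obj);
        }
        if (obj instanceof Number) {
            return ((Number) obj).intValue();
        }
        throw new IllegalArgumentException("Can't parse " + str + " from the config. Value is " + obj);
    }

    /**
     * Adds the JWT client-assertion parameters to the outgoing form body.
     *
     * @param adapterConfig adapter configuration; supplies the client id (issuer/subject) and the
     *                      realm info URL (audience)
     * @param map           request headers; not modified by this provider
     * @param map2          form parameters; receives {@code client_assertion_type} and
     *                      {@code client_assertion}
     */
    @Override
    public void setClientCredentials(AdapterConfig adapterConfig, Map<String, String> map, Map<String, String> map2) {
        String assertion = createSignedRequestToken(adapterConfig.getResource(), adapterConfig.getRealmInfoUrl());
        map2.put(OAuth2Constants.CLIENT_ASSERTION_TYPE, OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT);
        map2.put(OAuth2Constants.CLIENT_ASSERTION, assertion);
    }

    /**
     * Builds and signs a client assertion.
     *
     * @param str  client id, used as issuer and subject
     * @param str2 audience (the realm info URL)
     * @return the compact-serialized signed JWT
     * @throws NullPointerException if no key pair has been configured (the signer context is unset)
     */
    public String createSignedRequestToken(String str, String str2) {
        return new JWSBuilder().jsonContent(createRequestToken(str, str2)).sign(this.sigCtx);
    }

    /**
     * Builds the unsigned assertion claims: a random {@code jti}, {@code iss} and {@code sub}
     * set to the client id, {@code aud} set to the realm URL, and {@code iat}/{@code nbf} at the
     * current time with {@code exp} {@code tokenTimeout} seconds later.
     *
     * @param str  client id
     * @param str2 audience
     * @return the populated, unsigned token
     */
    protected JsonWebToken createRequestToken(String str, String str2) {
        JsonWebToken jsonWebToken = new JsonWebToken();
        // Fresh jti per assertion lets the server reject replays of the same token.
        jsonWebToken.id(UUID.randomUUID().toString());
        jsonWebToken.issuer(str);
        jsonWebToken.subject(str);
        jsonWebToken.audience(str2);
        int now = Time.currentTime();
        jsonWebToken.issuedAt(now);
        // With tokenTimeout == 0 the assertion is already expired at issuance; see the field comment.
        jsonWebToken.expiration(now + this.tokenTimeout);
        jsonWebToken.notBefore(now);
        return jsonWebToken;
    }
}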
