package org.keycloak.services.util;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.common.util.Base64Url;
import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.x509.X509ClientCertificateLookup;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/services/util/MtlsHoKTokenUtil.class */
public class MtlsHoKTokenUtil {
    protected static final Logger logger = Logger.getLogger((Class<?>) MtlsHoKTokenUtil.class);
    private static final String DIGEST_ALG = "SHA-256";
    public static final String CERT_VERIFY_ERROR_DESC = "Client certificate missing, or its thumbprint and one in the refresh token did NOT match";

    public static AccessToken.CertConf bindTokenWithClientCertificate(HttpRequest httpRequest, KeycloakSession keycloakSession) {
        X509Certificate[] certificateChain = getCertificateChain(httpRequest, keycloakSession);
        if (certificateChain == null || certificateChain.length < 1) {
            logger.warnf("no client certificate available.", new Object[0]);
            return null;
        }
        try {
            String certificateThumbprintInSHA256DERX509Base64UrlEncoded = getCertificateThumbprintInSHA256DERX509Base64UrlEncoded(certificateChain[0]);
            if (logger.isTraceEnabled()) {
                dumpCertInfo(certificateChain);
            }
            AccessToken.CertConf certConf = new AccessToken.CertConf();
            certConf.setCertThumbprint(certificateThumbprintInSHA256DERX509Base64UrlEncoded);
            return certConf;
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            logger.warnf("give up issuing hok token. %s", e);
            return null;
        }
    }

    public static boolean verifyTokenBindingWithClientCertificate(AccessToken accessToken, HttpRequest httpRequest, KeycloakSession keycloakSession) {
        if (accessToken == null) {
            logger.warnf("token is null", new Object[0]);
            return false;
        }
        if (accessToken.getCertConf() == null) {
            logger.warnf("bearer token received instead of hok token.", new Object[0]);
            return false;
        }
        X509Certificate[] certificateChain = getCertificateChain(httpRequest, keycloakSession);
        if (certificateChain == null || certificateChain.length < 1) {
            logger.warnf("missing client certificate.", new Object[0]);
            return false;
        }
        String certThumbprint = accessToken.getCertConf().getCertThumbprint();
        logger.tracef("hok token cnf-x5t#s256 = %s", certThumbprint);
        try {
            String certificateThumbprintInSHA256DERX509Base64UrlEncoded = getCertificateThumbprintInSHA256DERX509Base64UrlEncoded(certificateChain[0]);
            if (logger.isTraceEnabled()) {
                dumpCertInfo(certificateChain);
            }
            if (MessageDigest.isEqual(certThumbprint.getBytes(), certificateThumbprintInSHA256DERX509Base64UrlEncoded.getBytes())) {
                return true;
            }
            logger.warnf("certificate's thumbprint and one in the refresh token did not match.", new Object[0]);
            return false;
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            logger.warnf("client certificate exception. %s", e);
            return false;
        }
    }

    private static X509Certificate[] getCertificateChain(HttpRequest httpRequest, KeycloakSession keycloakSession) {
        try {
            X509ClientCertificateLookup x509ClientCertificateLookup = (X509ClientCertificateLookup) keycloakSession.getProvider(X509ClientCertificateLookup.class);
            if (x509ClientCertificateLookup != null) {
                return x509ClientCertificateLookup.getCertificateChain(httpRequest);
            }
            logger.errorv("\"{0}\" Spi is not available, did you forget to update the configuration?", X509ClientCertificateLookup.class);
            return null;
        } catch (GeneralSecurityException e) {
            logger.error(e.getMessage(), e);
            return null;
        }
    }

    private static String getCertificateThumbprintInSHA256DERX509Base64UrlEncoded(X509Certificate x509Certificate) throws NoSuchAlgorithmException, CertificateEncodingException {
        byte[] encoded = x509Certificate.getEncoded();
        MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
        messageDigest.update(encoded);
        return Base64Url.encode(messageDigest.digest());
    }

    private static void dumpCertInfo(X509Certificate[] x509CertificateArr) throws CertificateEncodingException {
        logger.tracef(":: Try Holder of Key Token", new Object[0]);
        logger.tracef(":: # of x509 Client Certificate in Certificate Chain = %d", x509CertificateArr.length);
        for (int i = 0; i < x509CertificateArr.length; i++) {
            logger.tracef(":: certs[%d] Raw Bytes Counts of first x509 Client Certificate in Certificate Chain = %d", i, x509CertificateArr[i].toString().length());
            logger.tracef(":: certs[%d] Raw Bytes String of first x509 Client Certificate in Certificate Chain = %s", i, (Object) x509CertificateArr[i].toString());
            logger.tracef(":: certs[%d] DER Dump Bytes of first x509 Client Certificate in Certificate Chain = %d", i, x509CertificateArr[i].getEncoded().length);
            String str = null;
            try {
                str = getCertificateThumbprintInSHA256DERX509Base64UrlEncoded(x509CertificateArr[i]);
            } catch (Exception e) {
            }
            logger.tracef(":: certs[%d] Base64URL Encoded SHA-256 Hash of DER formatted first x509 Client Certificate in Certificate Chain = %s", i, (Object) str);
            logger.tracef(":: certs[%d] DER Dump Bytes of first x509 Client Certificate TBScertificate in Certificate Chain = %d", i, x509CertificateArr[i].getTBSCertificate().length);
            logger.tracef(":: certs[%d] Signature Algorithm of first x509 Client Certificate in Certificate Chain = %s", i, (Object) x509CertificateArr[i].getSigAlgName());
            logger.tracef(":: certs[%d] Certfication Type of first x509 Client Certificate in Certificate Chain = %s", i, (Object) x509CertificateArr[i].getType());
            logger.tracef(":: certs[%d] Issuer DN of first x509 Client Certificate in Certificate Chain = %s", i, (Object) x509CertificateArr[i].getIssuerDN().getName());
            logger.tracef(":: certs[%d] Subject DN of first x509 Client Certificate in Certificate Chain = %s", i, (Object) x509CertificateArr[i].getSubjectDN().getName());
        }
    }
}
