package org.keycloak.authentication.authenticators.x509;

import jakarta.ws.rs.core.Response;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.function.Function;
import org.apache.commons.codec.binary.Hex;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.x509.CertificateValidator;
import org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel;
import org.keycloak.common.crypto.CryptoIntegration;
import org.keycloak.common.crypto.UserIdentityExtractor;
import org.keycloak.common.crypto.UserIdentityExtractorProvider;
import org.keycloak.crypto.HashException;
import org.keycloak.crypto.SHA256HashProviderFactory;
import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.x509.X509ClientCertificateLookup;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;

/* loaded from: input_file:org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticator.class */
public abstract class AbstractX509ClientCertificateAuthenticator implements Authenticator {

    /** Default user attribute consulted by the custom-attribute identity mapper. */
    public static final String DEFAULT_ATTRIBUTE_NAME = "usercertificate";
    protected static ServicesLogger logger = ServicesLogger.LOGGER;

    // Authenticator config keys (these are the raw keys stored in the authenticator config model).
    public static final String REGULAR_EXPRESSION = "x509-cert-auth.regular-expression";
    public static final String ENABLE_CRL = "x509-cert-auth.crl-checking-enabled";
    public static final String ENABLE_OCSP = "x509-cert-auth.ocsp-checking-enabled";
    public static final String OCSP_FAIL_OPEN = "x509-cert-auth.ocsp-fail-open";
    public static final String ENABLE_CRLDP = "x509-cert-auth.crldp-checking-enabled";
    public static final String CANONICAL_DN = "x509-cert-auth.canonical-dn-enabled";
    public static final String TIMESTAMP_VALIDATION = "x509-cert-auth.timestamp-validation-enabled";
    public static final String SERIALNUMBER_HEX = "x509-cert-auth.serialnumber-hex-enabled";
    public static final String CRL_RELATIVE_PATH = "x509-cert-auth.crl-relative-path";
    public static final String OCSPRESPONDER_URI = "x509-cert-auth.ocsp-responder-uri";
    public static final String OCSPRESPONDER_CERTIFICATE = "x509-cert-auth.ocsp-responder-certificate";
    public static final String MAPPING_SOURCE_SELECTION = "x509-cert-auth.mapping-source-selection";

    // Display labels for the "mapping source" selection (which part of the certificate yields the identity).
    public static final String MAPPING_SOURCE_CERT_SUBJECTDN = "Match SubjectDN using regular expression";
    public static final String MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL = "Subject's e-mail";
    public static final String MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL = "Subject's Alternative Name E-mail";
    public static final String MAPPING_SOURCE_CERT_SUBJECTALTNAME_OTHERNAME = "Subject's Alternative Name otherName (UPN)";
    public static final String MAPPING_SOURCE_CERT_SUBJECTDN_CN = "Subject's Common Name";
    public static final String MAPPING_SOURCE_CERT_ISSUERDN = "Match IssuerDN using regular expression";
    public static final String MAPPING_SOURCE_CERT_SERIALNUMBER = "Certificate Serial Number";
    public static final String MAPPING_SOURCE_CERT_SHA256_THUMBPRINT = "SHA-256 Thumbprint";
    public static final String MAPPING_SOURCE_CERT_SERIALNUMBER_ISSUERDN = "Certificate Serial Number and IssuerDN";
    public static final String MAPPING_SOURCE_CERT_CERTIFICATE_PEM = "Full Certificate in PEM format";

    // Display labels for the "user mapper" selection (how the extracted identity is matched to a user).
    public static final String USER_MAPPER_SELECTION = "x509-cert-auth.mapper-selection";
    public static final String USER_ATTRIBUTE_MAPPER = "Custom Attribute Mapper";
    public static final String USERNAME_EMAIL_MAPPER = "Username or Email";
    public static final String CUSTOM_ATTRIBUTE_NAME = "x509-cert-auth.mapper-selection.user-attribute-name";

    // Certificate-content validation config keys.
    public static final String CERTIFICATE_KEY_USAGE = "x509-cert-auth.keyusage";
    public static final String CERTIFICATE_EXTENDED_KEY_USAGE = "x509-cert-auth.extendedkeyusage";
    public static final String CERTIFICATE_POLICY = "x509-cert-auth.certificate-policy";
    public static final String CERTIFICATE_POLICY_MODE = "x509-cert-auth.certificate-policy-mode";
    public static final String CERTIFICATE_POLICY_MODE_ALL = "All";
    public static final String CERTIFICATE_POLICY_MODE_ANY = "Any";

    /**
     * Regular expression handed to the pattern extractor for mapping sources that have no user-supplied
     * expression (serial number, thumbprint, serial+issuer): the single group captures the whole value.
     */
    static final String DEFAULT_MATCH_ALL_EXPRESSION = "(.*?)(?:$)";
    public static final String CONFIRMATION_PAGE_DISALLOWED = "x509-cert-auth.confirmation-page-disallowed";
    public static final String REVALIDATE_CERTIFICATE = "x509-cert-auth.revalidate-certificate-enabled";

    // Auth-session note names; the same names are reused as event detail keys, so keep them in one place.
    private static final String NOTE_CERT_SERIAL_NUMBER = "x509_cert_serial_number";
    private static final String NOTE_CERT_SUBJECT_DN = "x509_cert_subject_distinguished_name";
    private static final String NOTE_CERT_ISSUER_DN = "x509_cert_issuer_distinguished_name";

    /**
     * Builds a {@link CertificateValidator.CertificateValidatorBuilder} from the authenticator configuration.
     */
    protected static class CertificateValidatorConfigBuilder {
        protected CertificateValidatorConfigBuilder() {
        }

        /**
         * Copies every validation-related setting of the config model into a validator builder.
         *
         * @param keycloakSession the session the validator will run in
         * @param x509AuthenticatorConfigModel the authenticator configuration to read
         * @return a validator builder with key usage, extended key usage, certificate policy, revocation
         *         (CRL / CRL DP / OCSP), trust re-validation and timestamp validation configured
         * @throws Exception propagated from the builder's parse steps
         */
        static CertificateValidator.CertificateValidatorBuilder fromConfig(KeycloakSession keycloakSession, X509AuthenticatorConfigModel x509AuthenticatorConfigModel) throws Exception {
            X509AuthenticatorConfigModel cfg = x509AuthenticatorConfigModel;
            return new CertificateValidator.CertificateValidatorBuilder()
                    .session(keycloakSession)
                    // Key usage / extended key usage constraints the presented certificate must satisfy.
                    .keyUsage().parse(cfg.getKeyUsage())
                    .extendedKeyUsage().parse(cfg.getExtendedKeyUsage())
                    // Certificate policy OIDs, matched in "All" or "Any" mode.
                    .certificatePolicy().mode(cfg.getCertificatePolicyMode().getMode()).parse(cfg.getCertificatePolicy())
                    // Revocation checking: static CRL, CRL distribution points and OCSP (with fail-open flag).
                    .revocation()
                    .cRLEnabled(cfg.getCRLEnabled())
                    .cRLDPEnabled(cfg.getCRLDistributionPointEnabled())
                    .cRLrelativePath(cfg.getCRLRelativePath())
                    .oCSPEnabled(cfg.getOCSPEnabled())
                    .oCSPFailOpen(cfg.getOCSPFailOpen())
                    .oCSPResponseCertificate(cfg.getOCSPResponderCertificate())
                    .oCSPResponderURI(cfg.getOCSPResponder())
                    // Whether to re-validate the chain against the trust store and check validity dates.
                    .trustValidation().enabled(cfg.getRevalidateCertificateEnabled())
                    .timestampValidation().enabled(cfg.isCertValidationEnabled());
        }
    }

    /**
     * Builds the {@link UserIdentityExtractor} that pulls the user identity out of a certificate chain,
     * according to the configured mapping source.
     */
    protected static class UserIdentityExtractorBuilder {

        /** Subject of the end-entity certificate, i.e. the first element of the chain. */
        private static final Function<X509Certificate[], Principal> END_ENTITY_SUBJECT =
                chain -> chain[0].getSubjectX500Principal();

        protected UserIdentityExtractorBuilder() {
        }

        /**
         * Serial number of the end-entity certificate, either as the hex encoding of its two's-complement
         * bytes or as its decimal string, depending on {@code isSerialnumberHex()}.
         */
        private static Function<X509Certificate[], String> serialNumberOf(X509AuthenticatorConfigModel cfg) {
            if (cfg.isSerialnumberHex()) {
                return chain -> Hex.encodeHexString(chain[0].getSerialNumber().toByteArray());
            }
            return chain -> chain[0].getSerialNumber().toString();
        }

        /**
         * Issuer DN of the end-entity certificate, in RFC 2253 canonical form when
         * {@code isCanonicalDnEnabled()} is set, otherwise the legacy {@code getIssuerDN().toString()} form.
         */
        private static Function<X509Certificate[], String> issuerDnOf(X509AuthenticatorConfigModel cfg) {
            if (cfg.isCanonicalDnEnabled()) {
                return chain -> chain[0].getIssuerX500Principal().getName("CANONICAL");
            }
            return chain -> chain[0].getIssuerDN().toString();
        }

        /**
         * Subject DN of the end-entity certificate, with the same canonical/legacy choice as {@link #issuerDnOf}.
         */
        private static Function<X509Certificate[], String> subjectDnOf(X509AuthenticatorConfigModel cfg) {
            if (cfg.isCanonicalDnEnabled()) {
                return chain -> chain[0].getSubjectX500Principal().getName("CANONICAL");
            }
            return chain -> chain[0].getSubjectDN().toString();
        }

        /**
         * Hex-encoded SHA-256 digest of the end-entity certificate's DER encoding. Returns {@code null}
         * (after a warning) when the certificate cannot be encoded or hashed, so the pattern extractor
         * ends up with no identity rather than a partial one.
         */
        private static String sha256Thumbprint(X509Certificate[] chain) {
            try {
                return Hex.encodeHexString(HashUtils.hash(SHA256HashProviderFactory.ID, chain[0].getEncoded()));
            } catch (CertificateEncodingException | HashException e) {
                logger.warn("Unable to get certificate's thumbprint", e);
                return null;
            }
        }

        /**
         * Selects the extractor for the configured mapping source.
         *
         * @param x509AuthenticatorConfigModel the authenticator configuration
         * @return the extractor, or {@code null} when the mapping source is not one of the supported
         *         values (a warning is logged in that case)
         */
        static UserIdentityExtractor fromConfig(X509AuthenticatorConfigModel x509AuthenticatorConfigModel) {
            X509AuthenticatorConfigModel cfg = x509AuthenticatorConfigModel;
            X509AuthenticatorConfigModel.MappingSourceType source = cfg.getMappingSourceType();
            String userRegex = cfg.getRegularExpression();
            UserIdentityExtractorProvider provider = CryptoIntegration.getProvider().getIdentityExtractorProvider();

            logger.debug("UID Source: " + source);
            logger.debug("UID Extractor: " + provider.getClass().getName());

            switch (source) {
                case SUBJECTDN:
                    // User-supplied regex applied to the subject DN string.
                    return provider.getPatternIdentityExtractor(userRegex, subjectDnOf(cfg));
                case ISSUERDN:
                    // User-supplied regex applied to the issuer DN string.
                    return provider.getPatternIdentityExtractor(userRegex, issuerDnOf(cfg));
                case SERIALNUMBER:
                    return provider.getPatternIdentityExtractor(DEFAULT_MATCH_ALL_EXPRESSION, serialNumberOf(cfg));
                case SHA256_THUMBPRINT:
                    return provider.getPatternIdentityExtractor(DEFAULT_MATCH_ALL_EXPRESSION, UserIdentityExtractorBuilder::sha256Thumbprint);
                case SERIALNUMBER_ISSUERDN:
                    // Serial numbers are only unique per issuer, hence the combined "<serial>##<issuer>" key.
                    // The config flags are read at extraction time, exactly as before.
                    return provider.getPatternIdentityExtractor(DEFAULT_MATCH_ALL_EXPRESSION,
                            chain -> serialNumberOf(cfg).apply(chain) + "##" + issuerDnOf(cfg).apply(chain));
                case SUBJECTDN_CN:
                    return provider.getX500NameExtractor("CN", END_ENTITY_SUBJECT);
                case SUBJECTDN_EMAIL:
                    // Both spellings of the e-mail attribute type are accepted; "EmailAddress" wins.
                    return provider.either(provider.getX500NameExtractor("EmailAddress", END_ENTITY_SUBJECT))
                            .or(provider.getX500NameExtractor("E", END_ENTITY_SUBJECT));
                case SUBJECTALTNAME_EMAIL:
                    // GeneralName type 1 = rfc822Name.
                    return provider.getSubjectAltNameExtractor(1);
                case SUBJECTALTNAME_OTHERNAME:
                    // GeneralName type 0 = otherName (UPN).
                    return provider.getSubjectAltNameExtractor(0);
                case CERTIFICATE_PEM:
                    return provider.getCertificatePemIdentityExtractor();
                default:
                    logger.warnf("[UserIdentityExtractorBuilder:fromConfig] Unknown or unsupported user identity source: \"%s\"", source.getName());
                    return null;
            }
        }
    }

    /**
     * Builds the {@link UserIdentityToModelMapper} that resolves an extracted identity to a {@link UserModel}.
     */
    protected static class UserIdentityToModelMapperBuilder {
        protected UserIdentityToModelMapperBuilder() {
        }

        /**
         * Selects the mapper for the configured identity mapper type.
         *
         * @param x509AuthenticatorConfigModel the authenticator configuration
         * @return the mapper, or {@code null} when the mapper type is not one of the supported values
         *         (a warning is logged in that case)
         */
        static UserIdentityToModelMapper fromConfig(X509AuthenticatorConfigModel x509AuthenticatorConfigModel) {
            X509AuthenticatorConfigModel.IdentityMapperType mapperType = x509AuthenticatorConfigModel.getUserIdentityMapperType();
            String attributeName = x509AuthenticatorConfigModel.getCustomAttributeName();

            switch (mapperType) {
                case USER_ATTRIBUTE:
                    // Look the identity up in the configured user attribute.
                    return UserIdentityToModelMapper.getUserIdentityToCustomAttributeMapper(attributeName);
                case USERNAME_EMAIL:
                    return UserIdentityToModelMapper.getUsernameOrEmailMapper();
                default:
                    logger.warnf("[UserIdentityToModelMapperBuilder:fromConfig] Unknown or unsupported user identity mapper: \"%s\"", mapperType.getName());
                    return null;
            }
        }
    }

    /**
     * Renders the login theme's info page with the given message.
     *
     * @param authenticationFlowContext the current flow context
     * @param str the message key / text passed to {@code setInfo}
     * @param objArr message parameters
     * @return the info page response
     */
    public Response createInfoResponse(AuthenticationFlowContext authenticationFlowContext, String str, Object... objArr) {
        return authenticationFlowContext.form()
                .setInfo(str, objArr)
                .createInfoPage();
    }

    /**
     * Exposes {@link CertificateValidatorConfigBuilder#fromConfig} to subclasses.
     *
     * @throws Exception propagated from the builder
     */
    public CertificateValidator.CertificateValidatorBuilder certificateValidationParameters(KeycloakSession keycloakSession, X509AuthenticatorConfigModel x509AuthenticatorConfigModel) throws Exception {
        return CertificateValidatorConfigBuilder.fromConfig(keycloakSession, x509AuthenticatorConfigModel);
    }

    /** Nothing to release; this authenticator holds no resources. */
    public void close() {
    }

    /**
     * Fetches the client certificate chain for the current request through the
     * {@link X509ClientCertificateLookup} SPI. Which lookup provider is active is deployment
     * configuration, not decided here; the chain is returned as the provider delivers it and is
     * validated by the caller.
     *
     * @param authenticationFlowContext the current flow context
     * @return the chain (possibly {@code null} if the provider found none), or {@code null} when the SPI
     *         is not available or the lookup throws a {@link GeneralSecurityException}; both cases are logged
     */
    public X509Certificate[] getCertificateChain(AuthenticationFlowContext authenticationFlowContext) {
        KeycloakSession session = authenticationFlowContext.getSession();
        X509ClientCertificateLookup lookup = (X509ClientCertificateLookup) session.getProvider(X509ClientCertificateLookup.class);
        if (lookup == null) {
            logger.errorv("\"{0}\" Spi is not available, did you forget to update the configuration?", X509ClientCertificateLookup.class);
            return null;
        }
        try {
            X509Certificate[] chain = lookup.getCertificateChain(authenticationFlowContext.getHttpRequest());
            if (chain == null) {
                return null;
            }
            // Trace every subject in the chain to make mis-mapped identities diagnosable.
            for (X509Certificate cert : chain) {
                logger.tracev("\"{0}\"", cert.getSubjectDN().getName());
            }
            return chain;
        } catch (GeneralSecurityException e) {
            logger.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Stores serial number, subject DN and issuer DN of the presented certificate as auth-session notes
     * so they can be attached to the login event later (see {@link #recordX509CertificateAuditDataViaContextEvent}).
     *
     * @param authenticationFlowContext the current flow context
     * @param x509Certificate the end-entity certificate that was used to authenticate
     */
    public void saveX509CertificateAuditDataToAuthSession(AuthenticationFlowContext authenticationFlowContext, X509Certificate x509Certificate) {
        var authSession = authenticationFlowContext.getAuthenticationSession();
        authSession.setAuthNote(NOTE_CERT_SERIAL_NUMBER, x509Certificate.getSerialNumber().toString());
        authSession.setAuthNote(NOTE_CERT_SUBJECT_DN, x509Certificate.getSubjectDN().toString());
        authSession.setAuthNote(NOTE_CERT_ISSUER_DN, x509Certificate.getIssuerDN().toString());
    }

    /**
     * Copies the certificate audit notes written by {@link #saveX509CertificateAuditDataToAuthSession}
     * from the auth session into the flow's event as details.
     *
     * @param authenticationFlowContext the current flow context
     */
    public void recordX509CertificateAuditDataViaContextEvent(AuthenticationFlowContext authenticationFlowContext) {
        for (String note : new String[] {NOTE_CERT_SERIAL_NUMBER, NOTE_CERT_SUBJECT_DN, NOTE_CERT_ISSUER_DN}) {
            recordX509DetailFromAuthSessionToEvent(authenticationFlowContext, note);
        }
    }

    /** Copies one auth-session note into the event under the same key (the value may be {@code null}). */
    private void recordX509DetailFromAuthSessionToEvent(AuthenticationFlowContext authenticationFlowContext, String str) {
        String value = authenticationFlowContext.getAuthenticationSession().getAuthNote(str);
        authenticationFlowContext.getEvent().detail(str, value);
    }

    /** Exposes {@link UserIdentityExtractorBuilder#fromConfig} to subclasses; may return {@code null}. */
    public UserIdentityExtractor getUserIdentityExtractor(X509AuthenticatorConfigModel x509AuthenticatorConfigModel) {
        return UserIdentityExtractorBuilder.fromConfig(x509AuthenticatorConfigModel);
    }

    /** Exposes {@link UserIdentityToModelMapperBuilder#fromConfig} to subclasses; may return {@code null}. */
    public UserIdentityToModelMapper getUserIdentityToModelMapper(X509AuthenticatorConfigModel x509AuthenticatorConfigModel) {
        return UserIdentityToModelMapperBuilder.fromConfig(x509AuthenticatorConfigModel);
    }

    /** The user is identified from the certificate, so no user needs to be known before this step runs. */
    public boolean requiresUser() {
        return false;
    }

    /** Always {@code true}: there is no per-user setup for certificate authentication. */
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return true;
    }

    /** No required actions are registered by this authenticator. */
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }
}
