package org.keycloak.utils;

import java.security.GeneralSecurityException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.x500.X500Principal;
import org.jboss.logging.Logger;
import org.keycloak.models.KeycloakSession;
import org.keycloak.truststore.TruststoreProvider;

/* loaded from: input_file:org/keycloak/utils/CRLUtils.class */
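public final class CRLUtils {
    private static final Logger log = Logger.getLogger(CRLUtils.class);

    /**
     * Verifies the signature on {@code x509crl} and then checks whether the end-entity certificate
     * ({@code x509CertificateArr[0]}) is listed on it.
     *
     * <p>The certificate that signed the CRL is located by matching the CRL issuer name against the
     * subject of each CA certificate in {@code x509CertificateArr[1..]}; when none matches, the
     * issuer is looked up in the truststore and checked for a trust anchor via
     * {@link #findCRLSignatureCertificateInTruststore}.
     *
     * <p>NOTE(review): nothing in this method checks the CRL's thisUpdate/nextUpdate window, nor
     * that the signer certificate carries the cRLSign key usage — confirm that the caller enforces
     * CRL freshness and that {@code x509CertificateArr} has already been validated as a chain
     * before it reaches here.
     *
     * @param x509CertificateArr the end-entity certificate at index 0 followed by its CA chain
     * @param x509crl the CRL to verify and consult
     * @param keycloakSession session used to reach the {@link TruststoreProvider} when the CRL
     *     issuer is not part of {@code x509CertificateArr}
     * @throws GeneralSecurityException if the chain holds fewer than two certificates, the CRL
     *     issuer cannot be found (or has no trust anchor), the CRL signature does not verify, or
     *     {@code x509CertificateArr[0]} is revoked
     */
    public static void check(X509Certificate[] x509CertificateArr, X509CRL x509crl, KeycloakSession keycloakSession) throws GeneralSecurityException {
        Objects.requireNonNull(x509CertificateArr, "x509CertificateArr");
        if (x509CertificateArr.length < 2) {
            throw new GeneralSecurityException("Not possible to verify signature on CRL. X509 certificate doesn't have CA chain available on it");
        }
        Objects.requireNonNull(x509crl, "x509crl");

        X500Principal crlIssuer = x509crl.getIssuerX500Principal();
        X509Certificate crlSigner = findCRLSignatureCertificateInChain(x509CertificateArr, crlIssuer);
        if (crlSigner == null) {
            log.tracef("Not found CRL issuer '%s' in the CA chain of the certificate. Fallback to lookup CRL issuer in the truststore", crlIssuer);
            crlSigner = findCRLSignatureCertificateInTruststore(keycloakSession, x509CertificateArr, crlIssuer);
        }

        // The signature check is what makes the revocation data trustworthy; it must precede isRevoked().
        x509crl.verify(crlSigner.getPublicKey());

        X509Certificate endEntity = x509CertificateArr[0];
        if (x509crl.isRevoked(endEntity)) {
            // getSubjectX500Principal() replaces the denigrated getSubjectDN(); the subject is rendered in RFC 2253 form.
            String message = String.format("Certificate has been revoked, certificate's subject: %s", endEntity.getSubjectX500Principal().getName());
            log.debug(message);
            throw new GeneralSecurityException(message);
        }
    }

    /**
     * Returns the CA certificate in {@code certs[1..]} whose subject equals {@code crlIssuer}, or
     * {@code null} when the CRL issuer is not part of the supplied chain.
     *
     * @param certs the end-entity certificate at index 0 followed by its CA chain
     * @param crlIssuer the issuer name taken from the CRL
     * @return the matching CA certificate, or {@code null}
     */
    private static X509Certificate findCRLSignatureCertificateInChain(X509Certificate[] certs, X500Principal crlIssuer) {
        // Index 0 is the end-entity certificate and is never a candidate CRL signer.
        for (int i = 1; i < certs.length; i++) {
            X509Certificate caCert = certs[i];
            if (crlIssuer.equals(caCert.getSubjectX500Principal())) {
                log.tracef("Found certificate used to sign CRL in the CA chain of the certificate. CRL issuer: %s", crlIssuer);
                return caCert;
            }
        }
        return null;
    }

    /**
     * Looks the CRL issuer certificate up in the truststore and verifies that it chains to a CA
     * present in the client's certificate chain.
     *
     * <p>The trust-anchor walk starts at the truststore certificate whose subject is
     * {@code x500Principal} and follows issuer names upwards through the truststore's intermediate
     * and root maps. It succeeds as soon as one of the visited subjects is also the subject of a CA
     * certificate in {@code x509CertificateArr} (the end-entity at index 0 is deliberately excluded,
     * so it can never serve as its own anchor). It fails when the next issuer is missing from the
     * truststore or when an issuer name repeats (self-signed root or a cycle), which keeps the walk
     * finite.
     *
     * <p>NOTE(review): in the decompiled form of this method the loop body reached its
     * {@code return} on every iteration and the "doesn't have trust anchors" exception was
     * unreachable; the walk below is reconstructed from the evident intent rather than copied —
     * confirm it against the original source.
     *
     * @param keycloakSession session used to obtain the {@link TruststoreProvider}
     * @param x509CertificateArr the end-entity certificate at index 0 followed by its CA chain
     * @param x500Principal the CRL issuer name
     * @return the truststore certificate for the CRL issuer
     * @throws GeneralSecurityException if no truststore is available, the issuer is not in the
     *     truststore, or no trust anchor with the CA chain can be established
     */
    private static X509Certificate findCRLSignatureCertificateInTruststore(KeycloakSession keycloakSession, X509Certificate[] x509CertificateArr, X500Principal x500Principal) throws GeneralSecurityException {
        TruststoreProvider provider = keycloakSession.getProvider(TruststoreProvider.class);
        if (provider == null || provider.getTruststore() == null) {
            throw new GeneralSecurityException("Truststore not available");
        }
        Map<X500Principal, X509Certificate> rootCertificates = provider.getRootCertificates();
        Map<X500Principal, X509Certificate> intermediateCertificates = provider.getIntermediateCertificates();

        X509Certificate crlSigner = lookupInTruststore(intermediateCertificates, rootCertificates, x500Principal);
        if (crlSigner == null) {
            throw new GeneralSecurityException("Not available certificate for CRL issuer '" + x500Principal + "' in the truststore, nor in the CA chain");
        }
        log.tracef("Found CRL issuer certificate with subject '%s' in the truststore. Verifying trust anchor", x500Principal);

        // Subjects of the CA certificates presented by the client; the end-entity itself is excluded.
        Set<X500Principal> chainSubjects = Arrays.stream(x509CertificateArr)
                .map(X509Certificate::getSubjectX500Principal)
                .collect(Collectors.toCollection(HashSet::new));
        chainSubjects.remove(x509CertificateArr[0].getSubjectX500Principal());

        // visited.add() returning false means the issuer name repeats (self-signed root or cycle): stop.
        Set<X500Principal> visited = new HashSet<>();
        X509Certificate anchorCandidate = crlSigner;
        X500Principal anchorPrincipal = x500Principal;
        while (anchorCandidate != null && visited.add(anchorPrincipal)) {
            if (chainSubjects.contains(anchorPrincipal)) {
                log.tracef("Found trust anchor of the CRL issuer '%s' in the CA chain. Anchor is '%s'", x500Principal, anchorPrincipal);
                return crlSigner;
            }
            anchorPrincipal = anchorCandidate.getIssuerX500Principal();
            anchorCandidate = lookupInTruststore(intermediateCertificates, rootCertificates, anchorPrincipal);
        }
        throw new GeneralSecurityException("Certificate for CRL issuer '" + x500Principal + "' available in the truststore, but doesn't have trust anchors with the CA chain.");
    }

    /**
     * Returns the truststore certificate with the given subject, intermediates taking precedence
     * over roots, or {@code null} when neither map holds it.
     *
     * @param intermediates truststore intermediate certificates keyed by subject
     * @param roots truststore root certificates keyed by subject
     * @param subject the subject name to look up
     * @return the certificate, or {@code null}
     */
    private static X509Certificate lookupInTruststore(Map<X500Principal, X509Certificate> intermediates, Map<X500Principal, X509Certificate> roots, X500Principal subject) {
        X509Certificate cert = intermediates.get(subject);
        return cert != null ? cert : roots.get(subject);
    }
}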
