package io.quarkus.oidc.runtime;

import io.quarkus.oidc.TokenCertificateValidator;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
import io.vertx.ext.auth.impl.CertificateHelper;
import java.security.Key;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import org.jboss.logging.Logger;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.lang.UnresolvableKeyException;

/* loaded from: input_file:io/quarkus/oidc/runtime/CertChainPublicKeyResolver.class */
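/**
 * Resolves the JWT verification key from the token's {@code x5c} certificate chain header.
 *
 * <p>Trust is anchored in a truststore: the thumbprint of the last ({@code root}) certificate
 * of the chain must match one of the thumbprints loaded from the truststore. The first
 * ({@code leaf}) certificate is then checked either by its expected common name, or, when no
 * custom {@link TokenCertificateValidator} is registered, by its own thumbprint. When custom
 * validators are registered and no leaf name is configured, the leaf is accepted on the strength
 * of the chain and the validators alone.
 *
 * <p>Thread-safety: all state is assigned once in the constructor and never mutated afterwards.
 */
public class CertChainPublicKeyResolver implements RefreshableVerificationKeyResolver {
    // NOTE: logs under the OidcProvider category rather than this class (kept as-is for log
    // continuity with the rest of the provider).
    private static final Logger LOG = Logger.getLogger(OidcProvider.class);
    final io.quarkus.oidc.OidcTenantConfig oidcConfig;
    /** Thumbprints of every certificate read from the configured truststore. */
    final Set<String> thumbprints;
    /** Common name the leaf certificate must carry, when configured. */
    final Optional<String> expectedLeafCertificateName;
    /** Custom validators discovered for this tenant; may be empty. */
    final List<TokenCertificateValidator> certificateValidators;

    /**
     * Loads the trusted thumbprints from the tenant's certificate-chain truststore.
     *
     * @param oidcTenantConfig tenant configuration holding the certificate-chain settings
     * @throws ConfigurationException if the truststore file or its password is not configured
     */
    public CertChainPublicKeyResolver(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        this.oidcConfig = oidcTenantConfig;
        var chainConfig = oidcTenantConfig.certificateChain();
        // Both the file and the password are unwrapped below; fail with a configuration error
        // rather than a NoSuchElementException when either is missing.
        if (chainConfig.trustStorePassword().isEmpty() || chainConfig.trustStoreFile().isEmpty()) {
            throw new ConfigurationException("Truststore with configured password which keeps thumbprints of the trusted certificates must be present");
        }
        this.thumbprints = TrustStoreUtils.getTrustedCertificateThumbprints(chainConfig.trustStoreFile().get(), chainConfig.trustStorePassword().get(), chainConfig.trustStoreCertAlias(), chainConfig.trustStoreFileType());
        this.expectedLeafCertificateName = chainConfig.leafCertificateName();
        this.certificateValidators = TenantFeatureFinder.find(oidcTenantConfig, TokenCertificateValidator.class);
    }

    /**
     * Returns the public key of the leaf certificate of the token's {@code x5c} chain once the
     * chain has been validated against the truststore, or {@code null} when the token carries no
     * (or an empty) {@code x5c} header so that another resolver can be tried.
     *
     * @param jsonWebSignature the signature whose {@code x5c} header is inspected
     * @param list nesting context, unused here
     * @return the leaf certificate's public key, or {@code null} when no chain is present
     * @throws UnresolvableKeyException if the chain is invalid, the root or leaf thumbprint is not
     *         trusted, the leaf common name does not match, or a custom validator rejects it
     */
    public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list) throws UnresolvableKeyException {
        try {
            List<X509Certificate> chain = jsonWebSignature.getCertificateChainHeaderValue();
            if (chain == null) {
                LOG.debug("Token does not have an 'x5c' certificate chain header");
                return null;
            }
            if (chain.isEmpty()) {
                LOG.debug("Token 'x5c' certificate chain is empty");
                return null;
            }
            // Validity-period and chain checks are delegated to Vert.x; no extra trusted list is
            // passed because trust is established via the truststore thumbprints below.
            CertificateHelper.checkValidity(chain, (List<X509Certificate>) null);
            X509Certificate leaf = chain.get(0);
            if (chain.size() == 1) {
                // A single certificate must at least be self-consistent.
                leaf.verify(leaf.getPublicKey());
            }
            verifyRootThumbprint(chain.get(chain.size() - 1));
            runCustomValidators(jsonWebSignature, chain);
            verifyLeaf(leaf);
            return leaf.getPublicKey();
        } catch (UnresolvableKeyException e) {
            // Already carries a precise reason; must be caught before Exception so it is not
            // wrapped a second time with a generic message.
            throw e;
        } catch (Exception e) {
            // Boundary: any parsing/crypto failure surfaces as an unresolvable key, cause kept.
            throw new UnresolvableKeyException("Invalid certificate chain", e);
        }
    }

    /** Rejects the chain unless the root certificate's thumbprint is in the truststore. */
    private void verifyRootThumbprint(X509Certificate root) throws UnresolvableKeyException {
        LOG.debug("Checking a thumbprint of the root chain certificate");
        if (!this.thumbprints.contains(TrustStoreUtils.calculateThumprint(root))) {
            LOG.error("Thumprint of the root chain certificate is invalid");
            throw new UnresolvableKeyException("Thumprint of the root chain certificate is invalid");
        }
    }

    /** Runs every registered validator; the payload handed over is not yet signature-verified. */
    private void runCustomValidators(JsonWebSignature jsonWebSignature, List<X509Certificate> chain) throws Exception {
        if (this.certificateValidators.isEmpty()) {
            return;
        }
        LOG.debug("Running custom TokenCertificateValidators");
        for (TokenCertificateValidator validator : this.certificateValidators) {
            validator.validate(this.oidcConfig, chain, jsonWebSignature.getUnverifiedPayload());
        }
    }

    /**
     * Checks the leaf certificate: by common name when one is configured, otherwise by thumbprint
     * when no custom validator is registered. With validators and no configured name, the leaf is
     * left to the validators.
     */
    private void verifyLeaf(X509Certificate leaf) throws UnresolvableKeyException {
        if (this.expectedLeafCertificateName.isPresent()) {
            String commonName = HttpSecurityUtils.getCommonName(leaf.getSubjectX500Principal());
            if (!this.expectedLeafCertificateName.get().equals(commonName)) {
                LOG.errorf("Wrong leaf certificate common name: %s", commonName);
                throw new UnresolvableKeyException("Wrong leaf certificate common name");
            }
        } else if (this.certificateValidators.isEmpty()) {
            LOG.debug("Checking a thumbprint of the leaf chain certificate");
            if (!this.thumbprints.contains(TrustStoreUtils.calculateThumprint(leaf))) {
                LOG.error("Thumprint of the leaf chain certificate is invalid");
                throw new UnresolvableKeyException("Thumprint of the leaf chain certificate is invalid");
            }
        }
    }
}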
