KEYCLOAK-18852 Prevent NPE in case of missing truststore

even though the "return null" at the top of the method is called if no truststore is set, the finally block is still executed. And since the keystore is not there an NPE is thrown when calling the remove method.

services/src/main/java/org/keycloak/services/x509/NginxProxySslClientCertificateLookup.java

@@ -129,7 +129,7 @@ public class NginxProxySslClientCertificateLookup extends AbstractClientCertific
 
             // Rebuilding the end user certificate chain using Keycloak Truststore
             X509Certificate[] certChain = buildChain(clientCert);
-            if ( certChain == null || certChain.length == 0 ) {
+            if (certChain == null || certChain.length == 0) {
                 log.info("Impossible to rebuild end user cert chain : client certificate authentication will fail." );
                 chain.add(clientCert);
             } else {
@@ -157,7 +157,7 @@ public class NginxProxySslClientCertificateLookup extends AbstractClientCertific
         try {
 
             // No truststore : no way!
-            if (truststore == null) {
+            if (isTruststoreLoaded == false) {
                 log.warn("Keycloak Truststore is null, but it is required !");
                 log.warn("  see https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore");
                 return null;
@@ -198,18 +198,21 @@ public class NginxProxySslClientCertificateLookup extends AbstractClientCertific
         } catch (NoSuchAlgorithmException e) {
             log.error(e.getLocalizedMessage(),e);
         } catch (CertPathBuilderException e) {
-            if ( log.isEnabled(Level.TRACE) )
+            if (log.isEnabled(Level.TRACE)) {
                 log.debug(e.getLocalizedMessage(),e);
-            else
+            } else {
                 log.warn(e.getLocalizedMessage());
+            }
         } catch (InvalidAlgorithmParameterException e) {
             log.error(e.getLocalizedMessage(),e);
         } catch (NoSuchProviderException e) {
             log.error(e.getLocalizedMessage(),e);
         } finally {
+            if (isTruststoreLoaded) {
                 //Remove end user certificate
                 intermediateCerts.remove(end_user_auth_cert);
             }
+        }
 
         return user_cert_chain;
     }
@@ -219,11 +222,13 @@ public class NginxProxySslClientCertificateLookup extends AbstractClientCertific
 
         X509Certificate[] x509certchain = null;
 
-		if (certPath!=null) {
+        if (certPath != null) {
             List<X509Certificate> trustedX509Chain = new ArrayList<X509Certificate>();
-            for (Certificate certificate : certPath.getCertificates() )
+            for (Certificate certificate : certPath.getCertificates()) {
-        	    if ( certificate instanceof X509Certificate )
+                if (certificate instanceof X509Certificate) {
-        		    trustedX509Chain.add((X509Certificate)certificate);
+                    trustedX509Chain.add((X509Certificate) certificate);
+                }
+            }
             x509certchain = trustedX509Chain.toArray(new X509Certificate[0]);
         }
 
@@ -245,7 +250,7 @@ public class NginxProxySslClientCertificateLookup extends AbstractClientCertific
 
             TruststoreProvider provider = truststoreFactory.create(kcsession);
 
-	        if ( provider != null && provider.getTruststore() != null ) {
+            if (provider != null && provider.getTruststore() != null) {
                 truststore = provider.getTruststore();
                 trustedRootCerts = new HashSet<>(provider.getRootCertificates().values());
                 intermediateCerts = new HashSet<>(provider.getIntermediateCertificates().values());