package com.google.gerrit.gpg;

import com.google.common.base.Joiner;
import com.google.gerrit.extensions.common.GpgKeyInfo;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.bcpg.ArmoredInputStream;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.bc.BcPGPObjectFactory;
import org.eclipse.jgit.lib.Constants;
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.transport.PushCertificate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/google/gerrit/gpg/PushCertificateChecker.class */
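/**
 * Verifies a signed push certificate: nonce status, signature validity against the
 * repository's public key store, and validity of the signing key.
 *
 * <p>Subclasses supply the repository holding the key store and may add their own checks
 * through {@link #checkCustom(Repository)}.
 *
 * <p>NOTE(review): {@link #check(PushCertificate)} reconfigures the shared
 * {@link PublicKeyChecker} (store and effective time) on every call, so one instance does
 * not look safe for concurrent checks. Confirm how callers scope instances.
 */
public abstract class PushCertificateChecker {
    private static final Logger log = LoggerFactory.getLogger(PushCertificateChecker.class);
    private final PublicKeyChecker publicKeyChecker;
    // Nonce verification is on by default; see setCheckNonce before turning it off.
    private boolean checkNonce = true;

    /** Outcome of a certificate check: the signing key, if one was identified, plus the verdict. */
    public static class Result {
        // Null whenever no key in the store produced a valid signature over the certificate.
        private final PGPPublicKey key;
        private final CheckResult checkResult;

        private Result(PGPPublicKey key, CheckResult checkResult) {
            this.key = key;
            this.checkResult = checkResult;
        }

        /**
         * @return the key that produced the signature, or {@code null} if the nonce was rejected,
         *     the signature could not be parsed, or no stored key verified it.
         */
        public PGPPublicKey getPublicKey() {
            return this.key;
        }

        /** @return the combined status and problem list for the certificate. */
        public CheckResult getCheckResult() {
            return this.checkResult;
        }
    }

    /**
     * @param publicKeyChecker checker applied to the signing key once the signature itself has
     *     been verified.
     */
    // NOTE(review): the decompiler reports that this constructor was declared protected in the
    // original class; it is kept public here so the visible interface does not change.
    public PushCertificateChecker(PublicKeyChecker publicKeyChecker) {
        this.publicKeyChecker = publicKeyChecker;
    }

    /**
     * Enables or disables the push nonce check.
     *
     * <p>With the check disabled, {@link #check(PushCertificate)} accepts a certificate whatever
     * its nonce status, so nothing in this class then ties the certificate to the current push.
     * Only the signature and the key are evaluated.
     *
     * @param checkNonce whether a nonce status other than OK fails the check.
     * @return this checker, for chaining.
     */
    public PushCertificateChecker setCheckNonce(boolean checkNonce) {
        this.checkNonce = checkNonce;
        return this;
    }

    /**
     * Checks a push certificate.
     *
     * <p>The order is: nonce status (when enabled), signature parsing, signature verification
     * against keys in the repository's key store, signing-key validity, then
     * {@link #checkCustom(Repository)}.
     *
     * @param pushCertificate the certificate received with the push.
     * @return the result; its status is BAD if any step failed. PGP and I/O failures are logged
     *     and reported to the caller only as a generic "internal error" problem.
     */
    public final Result check(PushCertificate pushCertificate) {
        // Every nonce status other than OK is rejected before any signature parsing happens.
        if (this.checkNonce && pushCertificate.getNonceStatus() != PushCertificate.NonceStatus.OK) {
            return new Result(null, CheckResult.bad("Invalid nonce"));
        }
        List<CheckResult> results = new ArrayList<>(2);
        Result sigResult = null;
        try {
            PGPSignature signature = readSignature(pushCertificate);
            if (signature != null) {
                Repository repository = getRepository();
                // try-with-resources closes the key store exactly once on every path; the
                // finally block then releases the repository exactly once, and only when the
                // subclass says this checker owns it.
                try (PublicKeyStore store = new PublicKeyStore(repository)) {
                    sigResult = checkSignature(signature, pushCertificate, store);
                    results.add(checkCustom(repository));
                } finally {
                    if (shouldClose(repository)) {
                        repository.close();
                    }
                }
            } else {
                results.add(CheckResult.bad("Invalid signature format"));
            }
        } catch (PGPException | IOException e) {
            // Details go to the server log only; the pusher sees a fixed message.
            log.error("Internal error checking push certificate", e);
            results.add(CheckResult.bad("Internal error checking push certificate"));
        }
        return combine(sigResult, results);
    }

    /**
     * Merges the signature result with the additional check results.
     *
     * <p>Any BAD entry makes the whole result BAD. TRUSTED is reported only when the signature
     * result is TRUSTED and no additional check is BAD. A {@code null} signature result
     * contributes no status of its own, so the caller must have added a BAD entry for that case
     * (as {@link #check(PushCertificate)} does); otherwise the outcome would be OK with no key.
     *
     * @param sigResult result of the signature and key check, or {@code null} if none was made.
     * @param results results of the remaining checks.
     * @return the merged result, carrying the signing key from {@code sigResult} if present.
     */
    private static Result combine(Result sigResult, List<CheckResult> results) {
        List<String> problems = new ArrayList<>();
        boolean anyBad = false;
        for (CheckResult checkResult : results) {
            problems.addAll(checkResult.getProblems());
            anyBad |= checkResult.getStatus() == GpgKeyInfo.Status.BAD;
        }
        GpgKeyInfo.Status status = anyBad ? GpgKeyInfo.Status.BAD : GpgKeyInfo.Status.OK;
        PGPPublicKey key = null;
        if (sigResult != null) {
            key = sigResult.getPublicKey();
            CheckResult sigCheck = sigResult.getCheckResult();
            problems.addAll(sigCheck.getProblems());
            if (sigCheck.getStatus() == GpgKeyInfo.Status.BAD) {
                status = GpgKeyInfo.Status.BAD;
            } else if (!anyBad && sigCheck.getStatus() == GpgKeyInfo.Status.TRUSTED) {
                status = GpgKeyInfo.Status.TRUSTED;
            }
        }
        return new Result(key, CheckResult.create(status, problems));
    }

    /**
     * @return the repository whose public key store is used for verification.
     * @throws IOException if the repository cannot be opened.
     */
    protected abstract Repository getRepository() throws IOException;

    /**
     * @param repository the repository returned by {@link #getRepository()}.
     * @return whether this checker should close {@code repository} once the check is done.
     */
    protected abstract boolean shouldClose(Repository repository);

    /**
     * Hook for additional checks; runs only after the signature check returned without throwing.
     *
     * @param repository the repository returned by {@link #getRepository()}.
     * @return the result of the additional checks; this default implementation reports OK.
     */
    protected CheckResult checkCustom(Repository repository) {
        return CheckResult.ok(new String[0]);
    }

    /**
     * Parses the ASCII-armored signature block of the certificate.
     *
     * <p>Only the first signature of the first non-empty signature list is returned; any further
     * signatures in the block are not evaluated.
     *
     * @return the signature, or {@code null} if the block contains no signature packet.
     * @throws IOException if the armored data cannot be read.
     */
    private PGPSignature readSignature(PushCertificate pushCertificate) throws IOException {
        ArmoredInputStream armored =
                new ArmoredInputStream(
                        new ByteArrayInputStream(Constants.encode(pushCertificate.getSignature())));
        BcPGPObjectFactory factory = new BcPGPObjectFactory(armored);
        Object next;
        while ((next = factory.nextObject()) != null) {
            if (next instanceof PGPSignatureList) {
                PGPSignatureList signatures = (PGPSignatureList) next;
                if (!signatures.isEmpty()) {
                    return signatures.get(0);
                }
            }
        }
        return null;
    }

    /**
     * Verifies the signature over the certificate text and then checks the signing key.
     *
     * @return a result with a {@code null} key if no stored key matches the key ID or none of the
     *     matching keys verifies the signature; otherwise the signer and its key check result.
     */
    private Result checkSignature(PGPSignature signature, PushCertificate pushCertificate, PublicKeyStore publicKeyStore) throws PGPException, IOException {
        // The key ID from the signature packet only selects candidate key rings; the signer is
        // established by getSigner() below, which is given the signature and the signed text.
        PGPPublicKeyRingCollection keyRings = publicKeyStore.get(signature.getKeyID());
        if (!keyRings.getKeyRings().hasNext()) {
            return new Result(null, CheckResult.bad("No public keys found for key ID " + PublicKeyStore.keyIdToString(signature.getKeyID())));
        }
        PGPPublicKey signer = PublicKeyStore.getSigner(keyRings, signature, Constants.encode(pushCertificate.toText()));
        if (signer == null) {
            return new Result(null, CheckResult.bad("Signature by " + PublicKeyStore.keyIdToString(signature.getKeyID()) + " is not valid"));
        }
        // NOTE(review): the effective time is the creation time recorded in the signature packet,
        // i.e. a value asserted by the signer. Presumably the nonce check is what bounds how old
        // a certificate may be; confirm before relying on this with setCheckNonce(false).
        CheckResult keyCheck = this.publicKeyChecker.setStore(publicKeyStore).setEffectiveTime(signature.getCreationTime()).check(signer);
        if (keyCheck.getProblems().isEmpty()) {
            return new Result(signer, keyCheck);
        }
        return new Result(signer, CheckResult.create(keyCheck.getStatus(), "Invalid public key " + PublicKeyStore.keyToString(signer) + ":\n  " + Joiner.on("\n  ").join(keyCheck.getProblems())));
    }
}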
