package org.eclipse.jgit.internal.signing.ssh;

import com.google.gerrit.entities.CoreDownloadSchemes;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.text.MessageFormat;
import java.time.Instant;
import java.util.Date;
import java.util.Locale;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.signature.BuiltinSignatures;
import org.apache.sshd.common.signature.Signature;
import org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import org.eclipse.jgit.internal.transport.sshd.SshdText;
import org.eclipse.jgit.lib.GpgConfig;
import org.eclipse.jgit.lib.PersonIdent;
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.lib.SignatureVerifier;
import org.eclipse.jgit.signing.ssh.CachingSigningKeyDatabase;
import org.eclipse.jgit.signing.ssh.SigningKeyDatabase;
import org.eclipse.jgit.signing.ssh.VerificationException;
import org.eclipse.jgit.util.Base64;
import org.eclipse.jgit.util.RawParseUtils;
import org.eclipse.jgit.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/jgit/internal/signing/ssh/SshSignatureVerifier.class */
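/**
 * {@link SignatureVerifier} for SSH signatures on git commits and tags.
 *
 * <p>The de-armored signature is read in this order: magic preamble, uint32
 * version (must be 1), public key or OpenSSH certificate, namespace string,
 * a reserved string (ignored), hash algorithm name, and the raw signature
 * blob. The layout appears to follow OpenSSH's SSHSIG format.
 *
 * <p>Every input to {@link #verify} is untrusted. The method fails closed:
 * each parse or check failure produces a result with {@code verified == false}.
 * Trust is raised above {@link SignatureVerifier.TrustLevel#NEVER} only after
 * the cryptographic check and the revocation check have both passed.
 */
public class SshSignatureVerifier implements SignatureVerifier {
    private static final Logger LOG = LoggerFactory.getLogger(SshSignatureVerifier.class);

    // ASCII "object " - first header of a raw tag object.
    private static final byte[] OBJECT = {111, 98, 106, 101, 99, 116, 32};

    // ASCII "tree " - first header of a raw commit object.
    private static final byte[] TREE = {116, 114, 101, 101, 32};

    // ASCII "type " - second header of a raw tag object.
    private static final byte[] TYPE = {116, 121, 112, 101, 32};

    // Signature namespace that must appear in the blob and that is bound into the signed data.
    // NOTE(review): this listing borrows a Gerrit download-scheme constant for the value
    // (presumably "git" - confirm); a constant owned by this package would be less fragile.
    private static final String NAMESPACE = CoreDownloadSchemes.ANON_GIT;

    @Override
    public String getName() {
        return "ssh";
    }

    /**
     * Verifies an SSH signature over a raw commit or tag object.
     *
     * @param repository passed through to the {@link SigningKeyDatabase} lookups
     * @param gpgConfig passed through to the {@link SigningKeyDatabase} lookups
     * @param bArr the signed data: the raw object content that is hashed and checked
     * @param bArr2 the signature, optionally armored
     * @return the verification result; {@code verified} is true only if the signature is
     *         cryptographically valid, the key is not revoked, and the key database returned a
     *         non-empty principal for it
     * @throws IOException if the revocation lookup fails
     */
    @Override
    public SignatureVerifier.SignatureVerification verify(Repository repository, GpgConfig gpgConfig, byte[] bArr, byte[] bArr2) throws IOException {
        // The timestamp comes from the committer/tagger line of the signed object, so it is
        // asserted by the signer. It is also the instant certificate validity is checked against.
        PersonIdent gitIdentity = getGitIdentity(bArr);
        Date signatureDate = null;
        Instant signatureInstant = null;
        if (gitIdentity != null) {
            signatureDate = gitIdentity.getWhen();
            signatureInstant = gitIdentity.getWhenAsInstant();
        }
        SignatureVerifier.TrustLevel trustLevel = SignatureVerifier.TrustLevel.NEVER;
        try {
            byte[] decoded = dearmor(bArr2);
            int offset = RawParseUtils.match(decoded, 0, SshSignatureConstants.MAGIC);
            if (offset < 0) {
                return rejected(signatureDate, null, trustLevel, SshdText.get().signInvalidMagic);
            }
            // NOTE(review): the buffer reads below run on attacker-supplied bytes. Only
            // IllegalArgumentException is mapped to a failed verification at the end of this
            // method; confirm that truncated input cannot raise a different runtime exception.
            ByteArrayBuffer signature = new ByteArrayBuffer(decoded, offset, decoded.length - offset);
            long version = signature.getUInt();
            if (version != 1L) {
                return rejected(signatureDate, null, trustLevel, MessageFormat.format(SshdText.get().signInvalidVersion, Long.toString(version)));
            }
            PublicKey publicKey = signature.getPublicKey();
            String fingerPrint;
            if (publicKey instanceof OpenSshCertificate) {
                OpenSshCertificate certificate = (OpenSshCertificate) publicKey;
                // For certificates the reported fingerprint is that of the certified key.
                fingerPrint = KeyUtils.getFingerPrint(certificate.getCertPubKey());
                String certificateProblem = SshCertificateUtils.verify(certificate, signatureInstant);
                if (certificateProblem != null) {
                    return rejected(signatureDate, fingerPrint, trustLevel, certificateProblem);
                }
            } else {
                fingerPrint = KeyUtils.getFingerPrint(publicKey);
            }
            String namespace = signature.getString();
            if (!NAMESPACE.equals(namespace)) {
                return rejected(signatureDate, fingerPrint, trustLevel, MessageFormat.format(SshdText.get().signInvalidNamespace, namespace));
            }
            // Reserved field: read and discarded. The signed data rebuilt below always uses an
            // empty reserved value, so whatever is stored here does not influence the check.
            signature.getString();
            String hashAlgorithm = signature.getString();
            try {
                // NOTE(review): the digest name is taken from the signature and handed to
                // MessageDigest.getInstance() unfiltered, so any digest the JVM's providers offer
                // is accepted. OpenSSH's SSHSIG format specifies only sha256 and sha512; consider
                // an explicit allowlist so that weak digests are refused.
                byte[] hash = MessageDigest.getInstance(hashAlgorithm.toUpperCase(Locale.ROOT)).digest(bArr);
                ByteArrayBuffer rawSignature = new ByteArrayBuffer(signature.getBytes());
                if (signature.available() > 0) {
                    return rejected(signatureDate, fingerPrint, trustLevel, SshdText.get().signGarbageAtEnd);
                }
                String signatureAlgorithm = rawSignature.getString();
                if (isRejectedSignatureAlgorithm(signatureAlgorithm)) {
                    return rejected(signatureDate, fingerPrint, trustLevel, MessageFormat.format(SshdText.get().signInvalidAlgorithm, signatureAlgorithm));
                }
                // The algorithm named inside the signature blob must match the type of the
                // embedded key, so one key type cannot be verified under another's algorithm.
                String keyAlgorithm = KeyUtils.getSignatureAlgorithm(KeyUtils.getKeyType(publicKey), publicKey);
                if (!KeyUtils.getCanonicalKeyType(keyAlgorithm).equals(KeyUtils.getCanonicalKeyType(signatureAlgorithm))) {
                    return rejected(signatureDate, fingerPrint, trustLevel, MessageFormat.format(SshdText.get().signMismatchedSignatureAlgorithm, keyAlgorithm, signatureAlgorithm));
                }
                BuiltinSignatures factory = BuiltinSignatures.fromFactoryName(signatureAlgorithm);
                if (factory == null || !factory.isSupported()) {
                    return rejected(signatureDate, fingerPrint, trustLevel, MessageFormat.format(SshdText.get().signUnknownSignatureAlgorithm, signatureAlgorithm));
                }
                boolean verified;
                String message = null;
                try {
                    Signature verifier = factory.create();
                    verifier.initVerifier(null, publicKey instanceof OpenSshCertificate ? ((OpenSshCertificate) publicKey).getCertPubKey() : publicKey);
                    // Rebuild the signed data locally: magic, namespace, empty reserved field,
                    // hash algorithm name, and the digest of the object content.
                    ByteArrayBuffer signedData = new ByteArrayBuffer();
                    signedData.putRawBytes(SshSignatureConstants.MAGIC);
                    signedData.putString(NAMESPACE);
                    signedData.putUInt(0L);
                    signedData.putString(hashAlgorithm);
                    signedData.putBytes(hash);
                    verifier.update(null, signedData.getCompactData());
                    verified = verifier.verify(null, rawSignature.getBytes());
                } catch (Exception e) {
                    // Fail closed: any error in the signature check counts as "not verified".
                    // Details go to the log only; the caller gets a generic message.
                    LOG.warn("{}", SshdText.get().signLogFailure, e);
                    verified = false;
                    message = SshdText.get().signSeeLog;
                }
                boolean expired = false;
                String principal = null;
                if (verified) {
                    if (rawSignature.available() > 0) {
                        verified = false;
                        message = SshdText.get().signGarbageAtEnd;
                    } else {
                        SigningKeyDatabase keyDatabase = SigningKeyDatabase.getInstance();
                        // Revocation is checked before the allow-list.
                        if (keyDatabase.isRevoked(repository, gpgConfig, publicKey)) {
                            verified = false;
                            message = publicKey instanceof OpenSshCertificate ? MessageFormat.format(SshdText.get().signCertificateRevoked, KeyUtils.getFingerPrint(((OpenSshCertificate) publicKey).getCaPubKey())) : SshdText.get().signKeyRevoked;
                        } else {
                            try {
                                principal = keyDatabase.isAllowed(repository, gpgConfig, publicKey, NAMESPACE, gitIdentity);
                                if (StringUtils.isEmptyOrNull(principal)) {
                                    // Cryptographically valid, but no principal matched:
                                    // reported as unverified with UNKNOWN trust.
                                    verified = false;
                                    message = SshdText.get().signNoPrincipalMatched;
                                    trustLevel = SignatureVerifier.TrustLevel.UNKNOWN;
                                } else {
                                    trustLevel = SignatureVerifier.TrustLevel.FULL;
                                }
                            } catch (IOException e) {
                                LOG.warn("{}", SshdText.get().signLogFailure, e);
                                verified = false;
                                message = SshdText.get().signSeeLog;
                            } catch (VerificationException e) {
                                verified = false;
                                message = e.getMessage();
                                expired = e.isExpired();
                            }
                        }
                    }
                }
                return new SignatureVerifier.SignatureVerification(getName(), signatureDate, null, fingerPrint, principal, verified, expired, trustLevel, message);
            } catch (NoSuchAlgorithmException e) {
                return rejected(signatureDate, fingerPrint, trustLevel, MessageFormat.format(SshdText.get().signUnknownHashAlgorithm, hashAlgorithm));
            }
        } catch (IllegalArgumentException e) {
            return rejected(signatureDate, null, trustLevel, MessageFormat.format(SshdText.get().signInvalidSignature, e.getLocalizedMessage()));
        }
    }

    /** Builds a failed verification result: no signer, no principal, not verified, not expired. */
    private SignatureVerifier.SignatureVerification rejected(Date date, String fingerPrint, SignatureVerifier.TrustLevel trustLevel, String message) {
        return new SignatureVerifier.SignatureVerification(getName(), date, null, fingerPrint, null, false, false, trustLevel, message);
    }

    /**
     * Tells whether a signature algorithm name is refused outright: ssh-dss, ssh-rsa and their
     * certificate variants, per the {@link KeyPairProvider} constants compared below.
     */
    private static boolean isRejectedSignatureAlgorithm(String algorithm) {
        return KeyPairProvider.SSH_DSS.equals(algorithm)
                || KeyPairProvider.SSH_DSS_CERT.equals(algorithm)
                || KeyPairProvider.SSH_RSA.equals(algorithm)
                || KeyPairProvider.SSH_RSA_CERT.equals(algorithm);
    }

    /**
     * Extracts the committer of a raw commit, or the tagger of a raw tag.
     *
     * @param bArr raw object content
     * @return the parsed identity, or {@code null} if the data is neither a commit nor a tag or
     *         has no committer/tagger line
     */
    private static PersonIdent getGitIdentity(byte[] bArr) {
        if (RawParseUtils.match(bArr, 0, TREE) > 0) {
            int committer = RawParseUtils.committer(bArr, 0);
            if (committer < 0) {
                return null;
            }
            return RawParseUtils.parsePersonIdent(bArr, committer);
        }
        int afterObject = RawParseUtils.match(bArr, 0, OBJECT);
        if (afterObject <= 0) {
            return null;
        }
        if (RawParseUtils.match(bArr, RawParseUtils.nextLF(bArr, afterObject), TYPE) <= 0) {
            return null;
        }
        int tagger = RawParseUtils.tagger(bArr, 0);
        if (tagger < 0) {
            return null;
        }
        return RawParseUtils.parsePersonIdent(bArr, tagger);
    }

    /**
     * Strips the optional armor header and footer and Base64-decodes what lies between them.
     *
     * <p>If no armor footer is found at the expected position, everything from the start
     * position to the end of the input is decoded.
     *
     * @param bArr the signature as received, armored or not
     * @return the decoded bytes
     */
    private static byte[] dearmor(byte[] bArr) {
        int start = RawParseUtils.match(bArr, 0, SshSignatureConstants.ARMOR_HEAD);
        if (start > 0) {
            // Skip one CR and/or LF after the header. The bounds checks matter: input that ends
            // right after the header would otherwise raise ArrayIndexOutOfBoundsException, which
            // verify() does not convert into a failed verification.
            if (start < bArr.length && bArr[start] == '\r') {
                start++;
            }
            if (start < bArr.length && bArr[start] == '\n') {
                start++;
            }
        }
        // Drop one trailing LF, and a CR before it, ahead of looking for the footer.
        int end = bArr.length;
        if (end > start + 1 && bArr[end - 1] == '\n') {
            end--;
            if (end > start + 1 && bArr[end - 1] == '\r') {
                end--;
            }
        }
        int bodyEnd = end - SshSignatureConstants.ARMOR_END.length;
        if (bodyEnd < 0 || bodyEnd < start || RawParseUtils.match(bArr, bodyEnd, SshSignatureConstants.ARMOR_END) < 0) {
            bodyEnd = bArr.length;
        }
        if (start < 0) {
            // No armor header: decode from the beginning.
            start = 0;
        }
        // Presumably throws IllegalArgumentException on malformed Base64, which verify() reports
        // as an invalid signature - confirm against Base64.decode.
        return Base64.decode(bArr, start, bodyEnd - start);
    }

    /** Clears the key database cache when the active database is a {@link CachingSigningKeyDatabase}. */
    @Override
    public void clear() {
        SigningKeyDatabase keyDatabase = SigningKeyDatabase.getInstance();
        if (keyDatabase instanceof CachingSigningKeyDatabase) {
            ((CachingSigningKeyDatabase) keyDatabase).clearCache();
        }
    }
}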
