package net.shibboleth.idp.installer.plugin.impl;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.NotThreadSafe;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.AbstractInitializableComponent;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import org.bouncycastle.bcpg.ArmoredOutputStream;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

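/**
 * Per-plugin store of trusted PGP public keys, used to verify signatures over plugin content.
 *
 * <p>Unless an explicit path is supplied through {@link #setTrustStore(String)}, the store lives at
 * {@code <idpHome>/credentials/<pluginId>/truststore.asc}, with a copy at
 * {@code truststore.asc.backup} taken before every save. On disk the store is a sequence of
 * ASCII-armored public keys, each preceded by a short human-readable label line.</p>
 *
 * <p>Trust is extended only by {@link #importKeyFromStream}, which presents the candidate key's
 * fingerprint and user IDs to a caller-supplied predicate and imports it only if the predicate
 * accepts. {@link #checkSignature} verifies against whatever key in the store carries the
 * signature's key ID, so the contents of this store are the trust decision.</p>
 *
 * <p>Not thread-safe: {@code keyRings} is replaced on import and read without synchronization.</p>
 */
@NotThreadSafe
public final class TrustStore extends AbstractInitializableComponent {

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(TrustStore.class);

    /** IdP home; root for the default store location. */
    @NonnullAfterInit private Path idpHome;

    /** Explicit store path overriding the default location, or null. */
    @NonnullAfterInit private String explicitTrustStore;

    /** Plugin whose keys this store holds; names the default store folder. */
    @NonnullAfterInit private String pluginId;

    /** Resolved path of the store file. */
    @NonnullAfterInit private Path store;

    /** Path the previous store contents are copied to before each save. */
    @NonnullAfterInit private Path backup;

    /** In-memory contents of the store. */
    @NonnullAfterInit private PGPPublicKeyRingCollection keyRings;

    /**
     * A PGP signature read from a stream, plus a printable form of the issuing key ID.
     */
    public static final class Signature {

        /** The parsed signature (first entry of the signature list in the stream). */
        @Nonnull private final PGPSignature signature;

        /** Issuing key ID as {@code 0X} followed by uppercase hex, returned by {@link #toString()}. */
        @Nonnull private final String keyId;

        /**
         * Constructor.
         *
         * @param inputStream stream holding a (possibly armored) PGP signature; the decoder wrapper
         *   placed around it is closed before returning
         * @throws IOException if the stream cannot be read, or does not hold a non-empty signature list
         */
        protected Signature(@Nonnull final InputStream inputStream) throws IOException {
            final PGPSignature parsed;
            try (InputStream decoderStream = PGPUtil.getDecoderStream(inputStream)) {
                final Object nextObject = new JcaPGPObjectFactory(decoderStream).nextObject();
                if (!(nextObject instanceof PGPSignatureList)) {
                    throw new IOException("Provided file was not a signature");
                }
                final PGPSignatureList list = (PGPSignatureList) nextObject;
                // get(0) on an empty list fails with an unchecked exception; report it as bad input instead
                if (list.isEmpty()) {
                    throw new IOException("Provided file contained an empty signature list");
                }
                parsed = list.get(0);
            }
            signature = parsed;
            keyId = String.format("0X%X", Long.valueOf(signature.getKeyID()));
        }

        /**
         * Get the parsed signature.
         *
         * @return the signature
         */
        protected PGPSignature getSignature() {
            return signature;
        }

        /** {@inheritDoc} Returns the issuing key ID in hex. */
        @Override
        public String toString() {
            return keyId;
        }
    }

    /**
     * Set the plugin ID; determines the default store folder.
     *
     * @param str the plugin ID
     */
    public void setPluginId(final String str) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        pluginId = str;
    }

    /**
     * Set the IdP home directory; root of the default store location.
     *
     * @param path IdP home
     */
    public void setIdpHome(final Path path) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        idpHome = path;
    }

    /**
     * Set an explicit store path, bypassing the per-plugin default. The file must already exist at
     * initialization time.
     *
     * @param str store path, or null to use the default location
     */
    public void setTrustStore(@Nullable final String str) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        explicitTrustStore = str;
    }

    /**
     * Read every public key ring from a stream.
     *
     * <p>The store file is written as several armored blocks in a row (see
     * {@link #saveStoreInternal()}); the object factory is recreated after each run of objects ends
     * so that reading continues with the next block. This mirrors the original loop shape and is
     * presumably what makes multi-block input work — confirm against the BC decoder behaviour if
     * changing it.</p>
     *
     * @param inputStream raw or armored key material; the decoder wrapper is closed before returning
     * @return the rings found, possibly none
     * @throws IOException if the stream cannot be read, holds anything other than public key rings,
     *   or BC reports a PGP-level error
     */
    private static PGPPublicKeyRingCollection loadStoreFrom(final InputStream inputStream) throws IOException {
        try (InputStream decoderStream = PGPUtil.getDecoderStream(inputStream)) {
            final List<PGPPublicKeyRing> rings = new ArrayList<>();
            PGPObjectFactory factory = new PGPObjectFactory(decoderStream, new JcaKeyFingerprintCalculator());
            Object obj = factory.nextObject();
            while (obj != null) {
                // Drain this factory; anything that is not a key ring is a malformed store.
                while (obj != null) {
                    if (!(obj instanceof PGPPublicKeyRing)) {
                        throw new IOException(obj.getClass().getName() + " found where PGPPublicKeyRing expected");
                    }
                    rings.add((PGPPublicKeyRing) obj);
                    obj = factory.nextObject();
                }
                // End of one block: start a fresh factory on the same stream for the next block, if any.
                factory = new PGPObjectFactory(decoderStream, new JcaKeyFingerprintCalculator());
                obj = factory.nextObject();
            }
            return new PGPPublicKeyRingCollection(rings);
        } catch (final PGPException e) {
            throw new IOException("Error reading key ring", e);
        }
    }

    /**
     * Replace the in-memory key rings with the contents of the store file.
     *
     * @throws IOException if the file cannot be read or parsed
     */
    protected void loadStore() throws IOException {
        try (InputStream in = Files.newInputStream(store)) {
            keyRings = loadStoreFrom(in);
        }
    }

    /**
     * Reset the in-memory key rings to empty and write that out, creating the store file.
     *
     * @throws IOException if the empty collection cannot be built or the file cannot be written
     */
    protected void createNewStore() throws IOException {
        try {
            keyRings = new PGPPublicKeyRingCollection(Collections.emptyList());
            saveStoreInternal();
        } catch (final PGPException e) {
            throw new IOException("Bad keystore", e);
        }
    }

    /**
     * Write the current key rings to the store file; requires the component to be initialized.
     *
     * @throws IOException if the file cannot be written
     */
    public void saveStore() throws IOException {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        saveStoreInternal();
    }

    /**
     * Write the current key rings to the store file without the initialization check.
     *
     * <p>An existing store is first copied to the backup path. Each ring's primary key is written
     * as an armored block preceded by a label holding the first user ID (if any) and the key ID.
     * The label is informational; only the armored blocks are read back by {@link #loadStoreFrom}.</p>
     *
     * @throws IOException if the backup copy or the write fails
     */
    public void saveStoreInternal() throws IOException {
        if (Files.exists(store)) {
            Files.copy(store, backup, StandardCopyOption.REPLACE_EXISTING);
        }
        try (OutputStream out = Files.newOutputStream(store)) {
            final Iterator<PGPPublicKeyRing> rings = keyRings.getKeyRings();
            while (rings.hasNext()) {
                final PGPPublicKey publicKey = rings.next().getPublicKey();
                final StringBuilder label = new StringBuilder("\n\r");
                final Iterator<String> userIDs = publicKey.getUserIDs();
                if (userIDs.hasNext()) {
                    label.append(userIDs.next()).append('\t');
                }
                // Full 64-bit key ID; the earlier (int) cast silently dropped the high 32 bits from the label.
                label.append("id\t").append(String.format("%X", Long.valueOf(publicKey.getKeyID()))).append("\n\r");
                // Explicit charset: user IDs may be non-ASCII and the platform default is not reliable.
                out.write(label.toString().getBytes(StandardCharsets.UTF_8));
                // ArmoredOutputStream.close() finishes the armor block; the file stream stays open for the next key.
                try (ArmoredOutputStream armored = new ArmoredOutputStream(out)) {
                    publicKey.encode(armored);
                }
            }
        }
    }

    /**
     * Offer the key matching a signature's key ID for import.
     *
     * <p>The candidate key is looked up by the signature's key ID in the supplied key material, a
     * description carrying the signature's key ID, the key's fingerprint and its user IDs is shown to
     * the predicate, and the key is added to the store (and the store saved) only if the predicate
     * returns true. A PGP-level failure is logged and treated as "no key".</p>
     *
     * @param signature signature whose signer is wanted
     * @param inputStream stream of public keys to search; not closed here
     * @param predicate user decision over the textual key description
     * @throws IOException if the key stream cannot be read or the store cannot be saved
     */
    public void importKeyFromStream(final Signature signature, final InputStream inputStream,
            final Predicate<String> predicate) throws IOException {
        try {
            final PGPPublicKey publicKey =
                    loadStoreFrom(inputStream).getPublicKey(signature.getSignature().getKeyID());
            if (publicKey == null) {
                log.info("Provided key stream did not contain a key for {}", signature);
                return;
            }
            final StringBuilder description = new StringBuilder("Signature:\t").append(signature.toString())
                    .append("\nFingerPrint:\t")
                    .append(new String(Hex.encode(publicKey.getFingerprint())).toUpperCase());
            final Iterator<String> userIDs = publicKey.getUserIDs();
            while (userIDs.hasNext()) {
                description.append("\nUsername:\t").append(userIDs.next());
            }
            description.append('\n');
            final String text = description.toString();
            log.debug("Asking to import key\n{}", text);
            if (!predicate.test(text)) {
                log.info("Key import barred by user");
            } else {
                keyRings = PGPPublicKeyRingCollection.addPublicKeyRing(keyRings,
                        new PGPPublicKeyRing(Collections.singletonList(publicKey)));
                saveStoreInternal();
            }
        } catch (final PGPException e) {
            // Best-effort: a failed lookup means nothing is imported.
            log.warn("Couldn't locate key", e);
        }
    }

    /**
     * Parse a signature from a stream.
     *
     * @param inputStream stream holding the signature
     * @return the parsed signature
     * @throws IOException if the stream cannot be read or is not a signature
     */
    public static Signature signatureOf(final InputStream inputStream) throws IOException {
        return new Signature(inputStream);
    }

    /**
     * Does the store hold a key with the signature's key ID?
     *
     * @param signature the signature to look up
     * @return true iff a matching key is present; false on lookup error (logged)
     */
    public boolean contains(final Signature signature) {
        final PGPSignature sig = signature.getSignature();
        log.debug("Looking for key with Id {}", signature);
        try {
            return keyRings.getPublicKey(sig.getKeyID()) != null;
        } catch (final PGPException e) {
            log.warn("Error looking for key {}", signature, e);
            return false;
        }
    }

    /**
     * Verify a signature over the full contents of a stream using the stored key with the
     * signature's key ID.
     *
     * @param inputStream the signed data; read to end, not closed
     * @param signature the signature to verify
     * @return true iff a matching key is in the store and the signature verifies; any PGP-level
     *   error is logged and yields false
     * @throws IOException if the data cannot be read
     */
    public boolean checkSignature(final InputStream inputStream, final Signature signature) throws IOException {
        try {
            final PGPSignature sig = signature.getSignature();
            final PGPPublicKey key = keyRings.getPublicKey(sig.getKeyID());
            if (key == null) {
                // init() with a null key fails with an unchecked exception; an unknown signer is simply untrusted.
                log.debug("Signature Check Failed: no trusted key with Id {}", signature);
                return false;
            }
            sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), key);
            final byte[] buffer = new byte[1024];
            int read;
            while ((read = inputStream.read(buffer)) != -1) {
                sig.update(buffer, 0, read);
            }
            final boolean verified = sig.verify();
            if (verified) {
                log.debug("Signature Check Succeeded");
            } else {
                log.debug("Signature Check Failed");
            }
            return verified;
        } catch (final PGPException e) {
            log.warn("Error thrown during signature check", e);
            return false;
        }
    }

    /**
     * {@inheritDoc}
     *
     * <p>With an explicit store path the file must exist and is loaded as-is. Otherwise the store is
     * {@code <idpHome>/credentials/<pluginId>/truststore.asc}: the folder is created if missing, and
     * the file is loaded if present or created empty if not.</p>
     *
     * @throws ComponentInitializationException if plugin ID or IdP home is unset, a required path does
     *   not exist, or loading/creating the store fails
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (pluginId == null) {
            throw new ComponentInitializationException("Plugin Id not set up");
        }
        if (explicitTrustStore != null) {
            store = Path.of(explicitTrustStore);
            if (!Files.exists(store)) {
                log.error("Trust store {} does not exist", explicitTrustStore);
                throw new ComponentInitializationException("Supplied trust store does not exist.");
            }
            backup = Path.of(explicitTrustStore + ".backup");
            log.debug("Plugin {}: Loading explicit truststore {}", pluginId, explicitTrustStore);
            try {
                loadStore();
                return;
            } catch (final IOException e) {
                log.error("Plugin {}: Could not load explicit trust store {}", pluginId, explicitTrustStore, e);
                throw new ComponentInitializationException(e);
            }
        }
        if (idpHome == null) {
            throw new ComponentInitializationException("IdP home not set up");
        }
        if (!Files.exists(idpHome)) {
            throw new ComponentInitializationException("IdP home '" + idpHome + "' does not exist");
        }
        try {
            final Path folder = idpHome.resolve("credentials").resolve(pluginId);
            if (!Files.exists(folder)) {
                log.info("Plugin {}: Trust store folder does not exist, creating", pluginId);
                Files.createDirectories(folder);
            }
            store = folder.resolve("truststore.asc");
            backup = folder.resolve("truststore.asc.backup");
            if (Files.exists(store)) {
                log.debug("Plugin {}: Trust store exists, loading", pluginId);
                loadStore();
            } else {
                log.info("Plugin {}: Trust store does not exist, creating", pluginId);
                createNewStore();
            }
        } catch (final IOException e) {
            throw new ComponentInitializationException(e);
        }
    }
}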
