package net.shibboleth.metadata.validate.x509;

import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.GuardedBy;
import javax.annotation.concurrent.ThreadSafe;
import net.shibboleth.metadata.Item;
import net.shibboleth.metadata.pipeline.StageProcessingException;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.DeprecationSupport;
import org.apache.commons.codec.binary.Hex;
import org.springframework.core.io.Resource;

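/**
 * Validator that checks the RSA modulus of an X.509 certificate's public key against a
 * key list expressed in the OpenSSL "Modulus=" digest form.
 *
 * <p>Each list entry is compared with the value produced by {@link #openSSLDigest(BigInteger)}:
 * the last 20 hex characters of the lower-case SHA-1 digest of the ASCII text
 * {@code "Modulus=<UPPER-CASE HEX MODULUS>\n"}. Lists in this form are typically used to
 * reject known-weak or compromised keys; a match is reported as an error on the item.
 * SHA-1 is used only because the list format prescribes it, not as a security choice.</p>
 *
 * <p>Entries are read verbatim from the resource (blank lines and lines starting with
 * {@code '#'} are skipped), so they must already be in the lower-case, 20-character form.
 * An optional {@code keySize} restricts the check to moduli of exactly that bit length;
 * the default of {@code 0} checks every RSA key.</p>
 *
 * <p>Configuration setters are only usable before initialization. After initialization the
 * key list is never modified, so it is consulted without holding the lock.</p>
 */
@ThreadSafe
/* loaded from: input_file:net/shibboleth/metadata/validate/x509/X509RSAOpenSSLKeylistValidator.class */
public class X509RSAOpenSSLKeylistValidator extends AbstractX509Validator {

    /** ASCII bytes of the {@code "Modulus="} prefix that starts the digested line. */
    @Nonnull private static final byte[] OPEN_SSL_PREFIX = "Modulus=".getBytes(StandardCharsets.US_ASCII);

    /**
     * Number of leading hex characters dropped from the 40-character SHA-1 hex digest,
     * leaving the 20-character suffix that list entries are written in.
     */
    private static final int DIGEST_HEX_SKIP = 20;

    /** Resource the key list is read from; required before initialization. */
    @GuardedBy("this")
    @NonnullAfterInit
    private Resource keylistResource;

    /** Modulus bit length to check, or {@code 0} to check all RSA keys. */
    @GuardedBy("this")
    private int keySize;

    /** Digest values loaded from {@link #keylistResource}; read-only after initialization. */
    @Nonnull
    @GuardedBy("this")
    private final Set<String> digestValues = new HashSet<>();

    /**
     * Gets the resource the key list is read from.
     *
     * @return the key list resource
     */
    @NonnullAfterInit
    public final synchronized Resource getKeylistResource() {
        return keylistResource;
    }

    /**
     * Sets the resource the key list is read from.
     *
     * @param resource the key list resource, must not be {@code null}
     */
    public synchronized void setKeylistResource(@Nonnull final Resource resource) {
        checkSetterPreconditions();
        keylistResource = Constraint.isNotNull(resource, "keylist resource can not be null");
    }

    /**
     * Gets the key list resource.
     *
     * @return the key list resource
     * @deprecated use {@link #getKeylistResource()} instead
     */
    @Deprecated(since = "0.10.0", forRemoval = true)
    @NonnullAfterInit
    public final synchronized Resource getBlacklistResource() {
        DeprecationSupport.warnOnce(DeprecationSupport.ObjectType.METHOD, "getBlacklistResource",
                "X509RSAOpenSSLKeylistValidator", "getKeylistResource");
        return getKeylistResource();
    }

    /**
     * Sets the key list resource.
     *
     * @param resource the key list resource, must not be {@code null}
     * @deprecated use {@link #setKeylistResource(Resource)} instead
     */
    @Deprecated(since = "0.10.0", forRemoval = true)
    public synchronized void setBlacklistResource(@Nonnull final Resource resource) {
        DeprecationSupport.warnOnce(DeprecationSupport.ObjectType.METHOD, "setBlacklistResource",
                "X509RSAOpenSSLKeylistValidator", "setKeylistResource");
        setKeylistResource(resource);
    }

    /**
     * Sets the modulus bit length this validator applies to.
     *
     * @param size bit length to check, or {@code 0} to check all RSA keys
     */
    public synchronized void setKeySize(final int size) {
        keySize = size;
    }

    /**
     * Gets the modulus bit length this validator applies to.
     *
     * @return bit length checked, or {@code 0} if all RSA keys are checked
     */
    public final synchronized int getKeySize() {
        return keySize;
    }

    /**
     * Computes the OpenSSL-style key list digest of an RSA modulus: the last 20 hex characters
     * of the lower-case SHA-1 hex digest of {@code "Modulus=<UPPER-CASE HEX>\n"}.
     *
     * @param modulus the RSA modulus
     * @return lower-case, 20-character digest suffix in the form used by key list entries
     * @throws StageProcessingException if the SHA-1 digest algorithm is not available
     */
    @Nonnull
    private String openSSLDigest(@Nonnull final BigInteger modulus) throws StageProcessingException {
        // toByteArray() is two's-complement, so a positive modulus with its top bit set gets a
        // leading zero byte; the OpenSSL hex form does not include it, so drop it.
        byte[] modulusBytes = modulus.toByteArray();
        if (modulusBytes[0] == 0) {
            modulusBytes = Arrays.copyOfRange(modulusBytes, 1, modulusBytes.length);
        }
        // Upper-case hex, as in the "Modulus=" line of the OpenSSL text form.
        final String hexModulus = String.valueOf(Hex.encodeHex(modulusBytes, false));

        try {
            final MessageDigest digester = MessageDigest.getInstance("SHA1");
            digester.update(OPEN_SSL_PREFIX);
            // Hex digits are ASCII, so this is byte-for-byte the same as writing each char as a byte.
            digester.update(hexModulus.getBytes(StandardCharsets.US_ASCII));
            digester.update((byte) '\n');
            final String digestHex = String.valueOf(Hex.encodeHex(digester.digest(), true));
            return digestHex.substring(DIGEST_HEX_SKIP);
        } catch (final NoSuchAlgorithmException e) {
            throw new StageProcessingException("could not create message digester", e);
        }
    }

    /**
     * Checks an RSA certificate key against the loaded key list and records an error on the
     * item if its modulus digest is listed. Non-RSA keys, and RSA keys whose bit length does not
     * match a non-zero {@link #getKeySize()}, are left untouched.
     *
     * @param x509Certificate certificate whose public key is checked
     * @param item the item the certificate was taken from; receives any error
     * @param str identifier passed through to {@code addError} with the error
     * @throws StageProcessingException if the modulus digest cannot be computed
     */
    @Override // net.shibboleth.metadata.validate.x509.AbstractX509Validator
    public void doValidate(@Nonnull final X509Certificate x509Certificate, @Nonnull final Item<?> item,
            @Nonnull final String str) throws StageProcessingException {
        checkComponentActive();

        final PublicKey publicKey = x509Certificate.getPublicKey();
        if (!"RSA".equals(publicKey.getAlgorithm())) {
            // Only RSA moduli are represented in the key list.
            return;
        }
        final BigInteger modulus = ((RSAPublicKey) publicKey).getModulus();
        assert modulus != null;

        // Snapshot the configuration under the lock; the set itself is not modified after init.
        final Set<String> keylist;
        final int requiredKeySize;
        synchronized (this) {
            keylist = digestValues;
            requiredKeySize = keySize;
        }

        // A key size of 0 means "check every RSA key"; otherwise only keys of that exact length.
        if (requiredKeySize != 0 && requiredKeySize != modulus.bitLength()) {
            return;
        }

        final String digest = openSSLDigest(modulus);
        if (keylist.contains(digest)) {
            addError("RSA modulus included in key list (" + digest + ")", item, str);
        }
    }

    /** Releases the loaded key list, then destroys the superclass state. */
    @Override
    protected void doDestroy() {
        digestValues.clear();
        super.doDestroy();
    }

    /**
     * Loads the key list from {@link #keylistResource}, skipping blank lines and lines whose
     * first character is {@code '#'}. All other lines are stored verbatim (not trimmed).
     *
     * @throws ComponentInitializationException if no resource is configured or it cannot be read
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (keylistResource == null) {
            throw new ComponentInitializationException("Unable to initialize " + getId()
                    + ", keylistResource must not be null");
        }

        // try-with-resources closes the reader on every path, including a read failure part-way through.
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(keylistResource.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (!line.trim().isEmpty() && line.charAt(0) != '#') {
                    digestValues.add(line);
                }
            }
        } catch (final IOException e) {
            throw new ComponentInitializationException("Unable to initialize " + getId()
                    + ", error reading keylistResource " + keylistResource.getDescription() + " information", e);
        }
    }
}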
