package org.eclipse.equinox.internal.p2.engine.phases;

import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.eclipse.core.runtime.IStatus;
import org.eclipse.core.runtime.Status;
import org.eclipse.equinox.internal.p2.artifact.processors.pgp.PGPSignatureVerifier;
import org.eclipse.equinox.internal.p2.engine.DebugHelper;
import org.eclipse.equinox.internal.p2.engine.EngineActivator;
import org.eclipse.equinox.internal.p2.engine.Messages;
import org.eclipse.equinox.p2.core.IProvisioningAgent;
import org.eclipse.equinox.p2.core.UIServices;
import org.eclipse.equinox.p2.engine.IProfileRegistry;
import org.eclipse.equinox.p2.repository.artifact.IArtifactDescriptor;
import org.eclipse.osgi.signedcontent.SignedContent;
import org.eclipse.osgi.signedcontent.SignedContentFactory;
import org.eclipse.osgi.signedcontent.SignerInfo;
import org.eclipse.osgi.util.NLS;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;

/* loaded from: input_file:org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.class */
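/**
 * Decides whether a batch of downloaded artifacts may be installed, based on
 * their jar signatures or, for artifacts that are not jar-signed, on the PGP
 * signatures attached to their artifact descriptors.
 *
 * <p>Content that is unsigned or signed only by untrusted certificates / PGP
 * keys is presented to the user through {@link UIServices#getTrustInfo}; the
 * operation is cancelled unless everything presented is approved.
 *
 * <p>This listing is decompiler output. The body of
 * {@code persistTrustedCertificates} was not recovered, and several lambdas
 * had lost their receivers or array types; those were restored from the
 * surrounding code. It is a reading aid, not a buildable replacement for the
 * original class.
 *
 * <p>NOTE(review): the no-argument constructor stores a {@code null} agent,
 * while {@code checkCertificates} and {@link #buildPGPTrustore()} dereference
 * the agent unconditionally, so such an instance fails with a
 * {@code NullPointerException} once {@link #start()} is called.
 */
public class CertificateChecker {
    private static final String DEBUG_PREFIX = "certificate checker";

    /** Profile property from which {@link #buildPGPTrustore()} reads the already-trusted PGP public keys. */
    public static final String TRUSTED_KEY_STORE_PROPERTY = "pgp.trustedPublicKeys";

    // Artifacts queued for checking, keyed by descriptor; the value is the file on disk.
    private final Map<IArtifactDescriptor, File> artifacts;
    private final IProvisioningAgent agent;
    // Loaded lazily by checkCertificates the first time a PGP-signed artifact is seen.
    private Set<PGPPublicKey> trustedKeys;

    /** Creates a checker without a provisioning agent (see the class-level review note). */
    public CertificateChecker() {
        this(null);
    }

    /**
     * @param iProvisioningAgent agent used to look up {@link UIServices} and the profile registry
     */
    public CertificateChecker(IProvisioningAgent iProvisioningAgent) {
        this.agent = iProvisioningAgent;
        // The decompiled listing assigned this field twice; one assignment is enough.
        this.artifacts = new HashMap<>();
    }

    /**
     * Runs the trust check over every artifact registered through {@link #add(Map)}.
     *
     * @return the status produced by the check: OK, ERROR or CANCEL
     */
    public IStatus start() {
        BundleContext context = EngineActivator.getContext();
        // NOTE(review): no null check on the reference. If no SignedContentFactory
        // service is registered this presumably fails with an exception rather
        // than a status; confirm callers expect that.
        ServiceReference<SignedContentFactory> factoryReference = context.getServiceReference(SignedContentFactory.class);
        try {
            return checkCertificates(context.getService(factoryReference));
        } finally {
            context.ungetService(factoryReference);
        }
    }

    /**
     * Classifies each queued artifact as trusted, untrusted (certificate or PGP
     * key) or unsigned, applies the unsigned-content policy, and asks the user
     * about whatever is left.
     *
     * @param signedContentFactory factory used to read the jar signature of each artifact file
     * @return OK when nothing needs approval or everything was approved; ERROR
     *         when signature data cannot be read or unsigned content is
     *         forbidden by policy; CANCEL when the user rejects any item
     */
    private IStatus checkCertificates(SignedContentFactory signedContentFactory) {
        UIServices uiServices = (UIServices) this.agent.getService(UIServices.class);
        IStatus okStatus = Status.OK_STATUS;
        // SECURITY NOTE(review): this returns OK before any artifact is inspected
        // when no UIServices is available. In that situation unsigned and
        // untrusted content passes, and the unsigned-content policy below
        // (including UNSIGNED_FAIL) is never evaluated. Confirm this fail-open
        // behaviour is intended for installs that run without a UI service.
        if (this.artifacts.isEmpty() || uiServices == null) {
            return okStatus;
        }

        // Leaf certificates of untrusted signers, de-duplicated, with their full chains kept in step.
        ArrayList<Certificate> untrustedCertificates = new ArrayList<>();
        ArrayList<Certificate[]> untrustedChains = new ArrayList<>();
        // Debug only: which artifact files were signed by each untrusted leaf certificate.
        Map<Certificate, Collection<File>> filesByUntrustedCertificate = new HashMap<>();
        // PGP-signed artifacts none of whose signing key IDs is trusted, with the keys that could be resolved.
        Map<IArtifactDescriptor, Collection<PGPPublicKey>> untrustedPGPArtifacts = new HashMap<>();
        // Artifacts carrying neither a jar signature nor a PGP signature.
        Map<IArtifactDescriptor, File> unsignedArtifacts = new HashMap<>();
        Set<Long> trustedKeyIds = new HashSet<>();

        for (Map.Entry<IArtifactDescriptor, File> entry : this.artifacts.entrySet()) {
            IArtifactDescriptor descriptor = entry.getKey();
            File artifactFile = entry.getValue();
            try {
                SignedContent signedContent = signedContentFactory.getSignedContent(artifactFile);
                if (signedContent.isSigned()) {
                    SignerInfo[] signerInfos = signedContent.getSignerInfos();
                    // One trusted signer is enough to accept the artifact; untrusted
                    // signers are recorded only when no signer is trusted.
                    if (Arrays.stream(signerInfos).noneMatch(SignerInfo::isTrusted)) {
                        for (SignerInfo signerInfo : signerInfos) {
                            if (signerInfo.isTrusted()) {
                                continue;
                            }
                            // Assumes every signer has a non-empty chain; index 0 is used as the identity.
                            Certificate[] certificateChain = signerInfo.getCertificateChain();
                            if (!untrustedCertificates.contains(certificateChain[0])) {
                                untrustedCertificates.add(certificateChain[0]);
                                untrustedChains.add(certificateChain);
                            }
                            if (DebugHelper.DEBUG_CERTIFICATE_CHECKER_UNTRUSTED) {
                                filesByUntrustedCertificate
                                        .computeIfAbsent(certificateChain[0], certificate -> new ArrayList<>())
                                        .add(artifactFile);
                            }
                        }
                    }
                } else {
                    // SECURITY NOTE(review): the PGP signatures come from the artifact
                    // descriptor, and this method only compares their key IDs with the
                    // trusted key IDs. No signature is verified against the file bytes
                    // here; presumably PGPSignatureVerifier does that elsewhere, so
                    // confirm it. Key IDs are 64-bit values, a weaker identity than a
                    // full key fingerprint.
                    Collection<org.bouncycastle.openpgp.PGPSignature> signatures = PGPSignatureVerifier.getSignatures(descriptor);
                    if (signatures.isEmpty()) {
                        unsignedArtifacts.put(descriptor, artifactFile);
                    } else {
                        if (this.trustedKeys == null) {
                            this.trustedKeys = buildPGPTrustore();
                        }
                        if (trustedKeyIds.isEmpty() && !this.trustedKeys.isEmpty()) {
                            trustedKeyIds.addAll(this.trustedKeys.stream()
                                    .map(PGPPublicKey::getKeyID)
                                    .map(Long::valueOf)
                                    .collect(Collectors.toSet()));
                        }
                        // The decompiler left an unbound "r1.contains(v1)" here; the
                        // receiver is the set of trusted key IDs.
                        boolean noTrustedSigner = signatures.stream()
                                .map(org.bouncycastle.openpgp.PGPSignature::getKeyID)
                                .noneMatch(trustedKeyIds::contains);
                        if (noTrustedSigner) {
                            // Keys that cannot be resolved are dropped. An artifact whose
                            // keys are all unresolved keeps an empty collection, which can
                            // never be approved below, so it ends in CANCEL (fail-closed).
                            untrustedPGPArtifacts.put(descriptor, signatures.stream()
                                    .map(org.bouncycastle.openpgp.PGPSignature::getKeyID)
                                    .map(keyId -> findKey(keyId, descriptor))
                                    .filter(Objects::nonNull)
                                    .collect(Collectors.toList()));
                        }
                    }
                }
            } catch (IOException e) {
                // The first unreadable artifact aborts the whole check.
                return new Status(IStatus.ERROR, EngineActivator.ID, Messages.CertificateChecker_SignedContentIOError, e);
            } catch (GeneralSecurityException | PGPException e) {
                return new Status(IStatus.ERROR, EngineActivator.ID, Messages.CertificateChecker_SignedContentError, e);
            }
        }

        if (DebugHelper.DEBUG_CERTIFICATE_CHECKER_UNSIGNED && !unsignedArtifacts.isEmpty()) {
            StringBuilder message = new StringBuilder("The following artifacts are unsigned:\n");
            for (File file : unsignedArtifacts.values()) {
                message.append(NLS.bind("  {0}\n", file.getPath()));
            }
            DebugHelper.debug(DEBUG_PREFIX, message.toString());
        }
        if (DebugHelper.DEBUG_CERTIFICATE_CHECKER_UNTRUSTED && !untrustedCertificates.isEmpty()) {
            StringBuilder message = new StringBuilder("The following certificates are untrusted:\n");
            for (Map.Entry<Certificate, Collection<File>> usage : filesByUntrustedCertificate.entrySet()) {
                message.append(usage.getKey().toString()).append("\n");
                message.append("  used by the following artifacts:\n");
                for (File file : usage.getValue()) {
                    message.append(NLS.bind("    {0}\n", file.getPath()));
                }
            }
            DebugHelper.debug(DEBUG_PREFIX, message.toString());
        }

        Set<PGPPublicKey> untrustedKeys = untrustedPGPArtifacts.values().stream()
                .flatMap(Collection::stream)
                .collect(Collectors.toSet());
        if (DebugHelper.DEBUG_CERTIFICATE_CHECKER_UNTRUSTED && !untrustedKeys.isEmpty()) {
            StringBuilder message = new StringBuilder("The following PGP Keys are untrusted:\n");
            for (PGPPublicKey untrustedKey : untrustedKeys) {
                message.append(Long.toHexString(untrustedKey.getKeyID())).append("\n");
                message.append("  used by the following artifacts:\n");
                for (Map.Entry<IArtifactDescriptor, Collection<PGPPublicKey>> usage : untrustedPGPArtifacts.entrySet()) {
                    boolean signedByKey = usage.getValue().stream()
                            .anyMatch(candidate -> candidate.getKeyID() == untrustedKey.getKeyID());
                    if (signedByKey) {
                        message.append(NLS.bind("    {0}\n", usage.getKey().getArtifactKey()));
                    }
                }
            }
            DebugHelper.debug(DEBUG_PREFIX, message.toString());
        }

        String unsignedContentPolicy = getUnsignedContentPolicy();
        if (!unsignedArtifacts.isEmpty() && EngineActivator.UNSIGNED_FAIL.equals(unsignedContentPolicy)) {
            return new Status(IStatus.ERROR, EngineActivator.ID,
                    NLS.bind(Messages.CertificateChecker_UnsignedNotAllowed, unsignedArtifacts));
        }

        // Unsigned files are listed for the user unless the policy allows them outright.
        String[] unsignedDetail = null;
        if (!EngineActivator.UNSIGNED_ALLOW.equals(unsignedContentPolicy) && !unsignedArtifacts.isEmpty()) {
            unsignedDetail = unsignedArtifacts.values().stream().map(File::toString).toArray(String[]::new);
        }
        // The decompiler emitted a one-dimensional array generator here; the result is an array of chains.
        Certificate[][] chainsToApprove = untrustedCertificates.isEmpty()
                ? null
                : untrustedChains.toArray(Certificate[][]::new);
        if (unsignedDetail == null && chainsToApprove == null && untrustedPGPArtifacts.isEmpty()) {
            // Nothing needs a decision from the user.
            return okStatus;
        }

        UIServices.TrustInfo trustInfo = uiServices.getTrustInfo(chainsToApprove, untrustedKeys, unsignedDetail);
        if (!unsignedArtifacts.isEmpty() && !trustInfo.trustUnsignedContent()) {
            return Status.CANCEL_STATUS;
        }
        Certificate[] trustedCertificates = trustInfo.getTrustedCertificates();
        if (chainsToApprove != null && trustedCertificates == null) {
            return new Status(IStatus.CANCEL, EngineActivator.ID, Messages.CertificateChecker_CertificateRejected);
        }
        if (trustedCertificates != null) {
            for (Certificate approved : trustedCertificates) {
                untrustedCertificates.remove(approved);
            }
        }
        trustedKeyIds.addAll(trustInfo.getTrustedPGPKeys().stream()
                .map(PGPPublicKey::getKeyID)
                .collect(Collectors.toSet()));
        // A PGP-signed artifact is accepted as soon as one of its resolved keys is trusted.
        untrustedPGPArtifacts.values().removeIf(keys -> keys.stream()
                .anyMatch(key -> trustedKeyIds.contains(Long.valueOf(key.getKeyID()))));

        // Anything the user did not approve cancels the whole operation.
        if (!untrustedCertificates.isEmpty() || !untrustedPGPArtifacts.isEmpty()) {
            return new Status(IStatus.CANCEL, EngineActivator.ID, Messages.CertificateChecker_CertificateRejected);
        }
        if (trustInfo.persistTrust()) {
            // trustedCertificates may be null here when only PGP keys or unsigned content were approved.
            return persistTrustedCertificates(trustedCertificates);
        }
        return okStatus;
    }

    /**
     * Resolves a PGP key ID to a public key from the shared
     * {@code PGPSignatureVerifier.keystore}, loading the keys published in the
     * artifact descriptor on a miss.
     *
     * <p>SECURITY NOTE(review): keys taken from the descriptor's
     * {@code pgp.publicKeys} property are supplied with the artifact metadata
     * and are added to the same static keystore that
     * {@link #buildPGPTrustore()} fills with trusted keys. Here they serve only
     * to show the user what to approve; confirm that nothing else treats
     * presence in that keystore as trust.
     *
     * @param j key ID to look up
     * @param iArtifactDescriptor descriptor whose published keys are loaded on a miss
     * @return the matching key, or {@code null} if it is still unknown
     */
    private PGPPublicKey findKey(long j, IArtifactDescriptor iArtifactDescriptor) {
        PGPPublicKey key = PGPSignatureVerifier.keystore.getKey(j);
        if (key != null) {
            return key;
        }
        PGPSignatureVerifier.keystore.addKeys(new String[]{iArtifactDescriptor.getProperty("pgp.publicKeys")});
        return PGPSignatureVerifier.keystore.getKey(j);
    }

    /**
     * Placeholder: the decompiler could not reconstruct this method (221
     * instructions skipped). The only recovered fragment is a call of the form
     * {@code addTrustAnchor(<certificate>, <certificate>.toString())}, so the
     * original presumably stores the approved certificates as trust anchors.
     * Recover the body from the original class before relying on this listing,
     * because as written the method always throws when
     * {@code checkCertificates} reaches it.
     *
     * @param trustedCertificates certificates the user approved; may be {@code null}
     * @return never returns normally in this listing
     * @throws UnsupportedOperationException always
     */
    private IStatus persistTrustedCertificates(Certificate[] trustedCertificates) {
        throw new UnsupportedOperationException("Method not decompiled: org.eclipse.equinox.internal.p2.engine.phases.CertificateChecker.persistTrustedCertificates(java.security.cert.Certificate[]):org.eclipse.core.runtime.IStatus");
    }

    /**
     * Reads the unsigned-content policy from the framework properties.
     *
     * @return the configured value, or {@code EngineActivator.UNSIGNED_PROMPT} when the property is unset
     */
    private String getUnsignedContentPolicy() {
        String policy = EngineActivator.getContext().getProperty(EngineActivator.PROP_UNSIGNED_POLICY);
        return policy != null ? policy : EngineActivator.UNSIGNED_PROMPT;
    }

    /**
     * Queues artifacts for the next {@link #start()}.
     *
     * @param map artifact descriptors mapped to their files on disk
     */
    public void add(Map<IArtifactDescriptor, File> map) {
        this.artifacts.putAll(map);
    }

    /**
     * Loads the trusted PGP public keys stored in the running profile under
     * {@link #TRUSTED_KEY_STORE_PROPERTY} and registers each of them with the
     * shared {@code PGPSignatureVerifier.keystore}.
     *
     * <p>NOTE(review): the profile registry and the {@code SELF} profile are
     * dereferenced without null checks.
     *
     * @return a new mutable set holding the trusted keys
     */
    public Set<PGPPublicKey> buildPGPTrustore() {
        IProfileRegistry profileRegistry = (IProfileRegistry) this.agent.getService(IProfileRegistry.class);
        String storedKeys = profileRegistry.getProfile(IProfileRegistry.SELF).getProperty(TRUSTED_KEY_STORE_PROPERTY);
        Set<PGPPublicKey> trustStore = new HashSet<>(PGPSignatureVerifier.readPublicKeys(storedKeys));
        trustStore.forEach(PGPSignatureVerifier.keystore::addKey);
        return trustStore;
    }
}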
