package com.atlassian.bitbucket.internal.x509;

import com.atlassian.bitbucket.dmz.signature.verification.SignatureState;
import com.atlassian.bitbucket.dmz.signature.verification.SignatureVerificationRequest;
import com.atlassian.bitbucket.dmz.signature.verification.SignatureVerificationResult;
import com.atlassian.bitbucket.dmz.signature.verification.SignatureVerifier;
import com.atlassian.bitbucket.internal.x509.dao.X509CertificateDao;
import com.atlassian.bitbucket.internal.x509.dao.X509RevokedCertificateDao;
import com.atlassian.bitbucket.internal.x509.model.InternalX509Certificate;
import com.atlassian.bitbucket.internal.x509.model.InternalX509RevokedCertificate_;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.UserService;
import com.atlassian.bitbucket.util.MoreCollectors;
import com.atlassian.bitbucket.util.PageUtils;
import com.atlassian.stash.internal.spring.SpringTransactionUtils;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.util.Selector;
import org.bouncycastle.util.Store;
import org.bouncycastle.util.StoreException;
import org.bouncycastle.util.encoders.Base64;
import org.bouncycastle.util.encoders.DecoderException;
import org.bouncycastle.util.encoders.EncoderException;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.transaction.PlatformTransactionManager;
import org.springframework.transaction.support.TransactionTemplate;

/* loaded from: input_file:com/atlassian/bitbucket/internal/x509/X509CertificateSignatureVerifier.class */
public class X509CertificateSignatureVerifier implements SignatureVerifier {

    @VisibleForTesting
    static final String ISSUER_CN = "x509_issuer_cn";

    @VisibleForTesting
    static final String ISSUER_O = "x509_issuer_o";

    @VisibleForTesting
    static final String ISSUER_OU = "x509_issuer_ou";

    @VisibleForTesting
    static final String ISSUER_SKI = "x509_issuer_ski";

    @VisibleForTesting
    static final String SIGNER_CN = "x509_signer_cn";

    @VisibleForTesting
    static final String SIGNER_O = "x509_signer_o";

    @VisibleForTesting
    static final String SIGNER_SHA1 = "x509_signer_sha1";

    @VisibleForTesting
    static final String SIGNER_SKI = "x509_signer_ski";

    @VisibleForTesting
    static final String X509_SIGNATURE_TYPE = "X509";
    private static final Logger log = LoggerFactory.getLogger(X509CertificateSignatureVerifier.class);
    private static final String X509_CERTIFICATE_HEADER = "-----BEGIN SIGNED MESSAGE-----";
    private final TransactionTemplate readOnlyTransaction;
    private final Cache<Long, Set<InternalX509Certificate>> signingCertificateMatchingIssuerCache;
    private final LoadingCache<Map<String, Long>, Boolean> signingCertificateRevokedCache;
    private final LoadingCache<String, Optional<ApplicationUser>> signingCertificateUserCache;
    private final X509CertificateDao x509CertificateDao;
    private final X509CertificateFactory x509CertificateFactory;

    public X509CertificateSignatureVerifier(int i, int i2, int i3, PlatformTransactionManager platformTransactionManager, final UserService userService, X509CertificateDao x509CertificateDao, X509CertificateFactory x509CertificateFactory, final X509RevokedCertificateDao x509RevokedCertificateDao) {
        this.x509CertificateDao = x509CertificateDao;
        this.x509CertificateFactory = x509CertificateFactory;
        this.readOnlyTransaction = new TransactionTemplate(platformTransactionManager, SpringTransactionUtils.definitionFor(0, true));
        this.signingCertificateRevokedCache = CacheBuilder.newBuilder().maximumSize(i).build(new CacheLoader<Map<String, Long>, Boolean>() { // from class: com.atlassian.bitbucket.internal.x509.X509CertificateSignatureVerifier.1
            public Boolean load(@Nonnull Map<String, Long> map) {
                Long l = map.get(InternalX509RevokedCertificate_.SERIAL_NUMBER);
                Long l2 = map.get("issuerId");
                TransactionTemplate transactionTemplate = X509CertificateSignatureVerifier.this.readOnlyTransaction;
                X509RevokedCertificateDao x509RevokedCertificateDao2 = x509RevokedCertificateDao;
                return (Boolean) transactionTemplate.execute(transactionStatus -> {
                    return Boolean.valueOf(x509RevokedCertificateDao2.existsBySerialNumberAndIssuerId(l.longValue(), l2.longValue()));
                });
            }
        });
        this.signingCertificateMatchingIssuerCache = CacheBuilder.newBuilder().maximumSize(i2).build();
        this.signingCertificateUserCache = CacheBuilder.newBuilder().maximumSize(i3).build(new CacheLoader<String, Optional<ApplicationUser>>() { // from class: com.atlassian.bitbucket.internal.x509.X509CertificateSignatureVerifier.2
            public Optional<ApplicationUser> load(@Nonnull String str) {
                TransactionTemplate transactionTemplate = X509CertificateSignatureVerifier.this.readOnlyTransaction;
                UserService userService2 = userService;
                return Optional.ofNullable((ApplicationUser) transactionTemplate.execute(transactionStatus -> {
                    return userService2.findUserByEmail(str);
                }));
            }
        });
    }

    @Nonnull
    public Optional<SignatureVerificationResult> verifySignature(@Nonnull SignatureVerificationRequest signatureVerificationRequest) {
        Objects.requireNonNull(signatureVerificationRequest, "request");
        String signature = signatureVerificationRequest.getSignature();
        if (!isX509CertificateSignature(signature)) {
            return Optional.empty();
        }
        CMSSignedData cmsSignedData = getCmsSignedData(signature, signatureVerificationRequest.getSignedContent());
        if (cmsSignedData == null) {
            log.debug("Signed object data was null and verification could not be performed");
            return buildErrorSignatureVerificationResult();
        }
        Collection<SignerInformation> signers = getSigners(cmsSignedData);
        if (signers.isEmpty()) {
            return buildErrorSignatureVerificationResult();
        }
        if (signers.size() > 1) {
            log.debug("More than one signer was found in the signer information store for the signed data. Only the first signer will be used for verification of the Git object.");
        }
        SignerId sid = signers.iterator().next().getSID();
        Store<X509CertificateHolder> certificates = cmsSignedData.getCertificates();
        try {
            Collection matches = certificates.getMatches(sid);
            if (matches.isEmpty()) {
                log.warn("No X.509 certificate information could be found for the signer on the signed Git object. Cannot perform X.509 signature verification.");
                return buildErrorSignatureVerificationResult();
            }
            if (matches.size() > 1) {
                log.debug("More than one X.509certificate was found in the X.509 certificate holder store for the signed Git object for that signer. Only the first X.509 certificate will be used for verification of the Git object.");
            }
            X509CertificateHolder x509CertificateHolder = (X509CertificateHolder) matches.iterator().next();
            try {
                try {
                    X509Certificate generateCertificate = this.x509CertificateFactory.generateCertificate(new ByteArrayInputStream(x509CertificateHolder.getEncoded()));
                    PublicKey publicKey = generateCertificate.getPublicKey();
                    Optional<ApplicationUser> matchingApplicationUser = getMatchingApplicationUser(generateCertificate, x509CertificateHolder.getSubject());
                    if (!matchingApplicationUser.isPresent()) {
                        return Optional.of(new SignatureVerificationResult.Builder(SignatureState.ERROR).verificationPublicKey(new X509CertificatePublicKey(publicKey)).signatureMetadata(buildSignatureMetadata(generateCertificate, null)).signatureType(X509_SIGNATURE_TYPE).build());
                    }
                    long longValue = generateCertificate.getSerialNumber().longValue();
                    return verifyCertificate(matchingApplicationUser.get(), getFilteredCertificates(longValue, x509CertificateHolder, certificates), generateCertificate, publicKey, longValue, (Date) signatureVerificationRequest.getObjectTimestamp().orElse(null));
                } catch (CertificateException e) {
                    log.debug("Cannot perform any verification as the signing X.509 certificate could not be generated", e);
                    return buildErrorSignatureVerificationResult();
                }
            } catch (IOException e2) {
                log.debug("Could not get the encoded format of the X.509 certificate for verifying the Git object signature. Cannot perform X.509 signature verification.", e2);
                return buildErrorSignatureVerificationResult();
            }
        } catch (StoreException e3) {
            log.error("Could not match the signer information with X.509 certificate store when verifying the Git object signature. Cannot perform X.509 signature verification.", e3);
            return buildErrorSignatureVerificationResult();
        }
    }

    private static Optional<SignatureVerificationResult> buildErrorSignatureVerificationResult() {
        return Optional.of(new SignatureVerificationResult.Builder(SignatureState.ERROR).signatureType(X509_SIGNATURE_TYPE).build());
    }

    private static Map<String, String> buildSignatureMetadata(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        ImmutableMap.Builder builder = new ImmutableMap.Builder();
        if (x509Certificate != null) {
            String subjectKeyIdentifier = getSubjectKeyIdentifier(x509Certificate);
            if (subjectKeyIdentifier != null) {
                builder.put(SIGNER_SKI, subjectKeyIdentifier);
            }
            Map<String, String> includeCertificateSubjectDN = includeCertificateSubjectDN(x509Certificate, false);
            if (!includeCertificateSubjectDN.isEmpty()) {
                builder.putAll(includeCertificateSubjectDN);
            }
            try {
                builder.put(SIGNER_SHA1, new String(Hex.encode(DigestUtils.sha1(x509Certificate.getEncoded())), StandardCharsets.UTF_8).replaceAll("..", "$0 ").trim().toUpperCase(Locale.US));
            } catch (Exception e) {
                log.debug("Could not generate the SHA-1 fingerprint for the signing X.509 certificate");
            }
        }
        if (x509Certificate2 != null) {
            String subjectKeyIdentifier2 = getSubjectKeyIdentifier(x509Certificate2);
            if (subjectKeyIdentifier2 != null) {
                builder.put(ISSUER_SKI, subjectKeyIdentifier2);
            }
            Map<String, String> includeCertificateSubjectDN2 = includeCertificateSubjectDN(x509Certificate2, true);
            if (!includeCertificateSubjectDN2.isEmpty()) {
                builder.putAll(includeCertificateSubjectDN2);
            }
        }
        return builder.build();
    }

    private static CMSSignedData getCmsSignedData(String str, String str2) {
        try {
            try {
                return new CMSSignedData(new CMSProcessableByteArray(str2.getBytes(StandardCharsets.UTF_8)), Base64.decode(transformSignature(str)));
            } catch (CMSException e) {
                log.debug("Could not construct the signed data object for X.509 certificate signature verification.", e);
                return null;
            }
        } catch (DecoderException e2) {
            log.debug("Could not decode signature to be used for X.509 certificate signature verification.", e2);
            return null;
        }
    }

    private static Collection<SignerInformation> getSigners(CMSSignedData cMSSignedData) {
        SignerInformationStore signerInfos = cMSSignedData.getSignerInfos();
        if (signerInfos.size() != 0) {
            return signerInfos.getSigners();
        }
        log.debug("Signer information store did not contain any signing information for the signed data.");
        return ImmutableList.of();
    }

    private static SignatureState getSignerValidity(X509Certificate x509Certificate, long j, Date date, String str) {
        try {
            if (date == null) {
                log.debug("The committer timestamp is unexpectedly null. The signing X.509 certificate's validity period with serial number '{}' cannot be checked when verified against issuer X.509 certificate with fingerprint '{}'", Long.valueOf(j), str);
                return SignatureState.GOOD_BUT_UNKNOWN_VALIDITY;
            }
            x509Certificate.checkValidity(date);
            return SignatureState.GOOD;
        } catch (CertificateExpiredException e) {
            log.warn("The signing X.509 certificate with serial number '{}' has expired and should not be used for signing when verified against issuer X.509 certificate with fingerprint '{}': {}", new Object[]{Long.valueOf(j), str, e.getMessage()});
            return SignatureState.GOOD_BUT_MADE_AFTER_EXPIRY;
        } catch (CertificateNotYetValidException e2) {
            log.warn("The signing X.509 certificate with serial number '{}' has been issued but should not be used yet when verified against issuer X.509 certificate with fingerprint '{}': {}", new Object[]{Long.valueOf(j), str, e2.getMessage()});
            return SignatureState.GOOD_BUT_MADE_BEFORE_VALIDITY;
        }
    }

    private static String getSubjectKeyIdentifier(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.subjectKeyIdentifier.getId());
        if (extensionValue == null) {
            log.debug("No subject key identifier information was present for the X.509 certificate");
            return null;
        }
        try {
            try {
                try {
                    return new String(Hex.encode(SubjectKeyIdentifier.getInstance(ASN1Primitive.fromByteArray(ASN1OctetString.getInstance(ASN1Primitive.fromByteArray(extensionValue)).getOctets())).getKeyIdentifier()), StandardCharsets.UTF_8).replaceAll("..", "$0 ").trim().toUpperCase(Locale.US);
                } catch (EncoderException e) {
                    log.debug("Could not successfully encode the subject key identifier");
                    return null;
                }
            } catch (IOException e2) {
                log.debug("Could not successfully parse the ASN1 subject key identifier bytes");
                return null;
            }
        } catch (IOException e3) {
            log.debug("Could not successfully parse the subject key identifier bytes");
            return null;
        }
    }

    private static Map<String, String> includeCertificateSubjectDN(X509Certificate x509Certificate, boolean z) {
        Principal subjectDN = x509Certificate.getSubjectDN();
        if (subjectDN == null) {
            return Collections.emptyMap();
        }
        String name = subjectDN.getName();
        if (StringUtils.isBlank(name)) {
            return Collections.emptyMap();
        }
        ImmutableMap.Builder builder = new ImmutableMap.Builder();
        for (String str : name.split(",")) {
            if (str.startsWith("CN=")) {
                builder.put(z ? ISSUER_CN : SIGNER_CN, str);
            } else if (str.startsWith("O=")) {
                builder.put(z ? ISSUER_O : SIGNER_O, str);
            } else if (z && str.startsWith("OU=")) {
                builder.put(ISSUER_OU, str);
            }
        }
        return builder.build();
    }

    private static boolean isX509CertificateSignature(String str) {
        return str.startsWith(X509_CERTIFICATE_HEADER);
    }

    private static String transformSignature(String str) {
        return str.replaceAll("-----([^\\s\\d]+) SIGNED MESSAGE-----\n", "");
    }

    private Optional<String> getEmailAddressFromSubjectAlternativeNameAttribute(X509Certificate x509Certificate) {
        try {
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            return subjectAlternativeNames == null ? Optional.empty() : subjectAlternativeNames.stream().filter(list -> {
                return list.get(0).equals(1);
            }).map(list2 -> {
                return (String) list2.get(1);
            }).findFirst();
        } catch (CertificateParsingException e) {
            log.debug("Could not successfully parse the SAN to find an email address for the signing certificate.");
            log.debug("No SAN RFC822 Name attribute could be found for the signing certificate.");
            return Optional.empty();
        }
    }

    private Optional<String> getEmailAddressFromX500Name(X500Name x500Name) {
        RDN rdn;
        if (x500Name == null) {
            log.debug("X500Name used to determine the signing X.509 certificate's owner is null.");
            return Optional.empty();
        }
        RDN[] rDNs = x500Name.getRDNs(BCStyle.E);
        if (rDNs.length != 0 && (rdn = rDNs[0]) != null && rdn.getFirst() != null) {
            return Optional.of(IETFUtils.valueToString(rdn.getFirst().getValue()));
        }
        log.debug("We could not find an email address for the X500Name entry '{}'.", x500Name);
        return Optional.empty();
    }

    private Set<InternalX509Certificate> getFilteredCertificates(long j, X509CertificateHolder x509CertificateHolder, Store<X509CertificateHolder> store) {
        try {
            return (Set) this.signingCertificateMatchingIssuerCache.get(Long.valueOf(j), () -> {
                Set set = (Set) store.getMatches((Selector) null).stream().filter(x509CertificateHolder2 -> {
                    return !Objects.equals(x509CertificateHolder2, x509CertificateHolder);
                }).map(x509CertificateHolder3 -> {
                    try {
                        return DigestUtils.sha256Hex(x509CertificateHolder3.getEncoded());
                    } catch (IOException e) {
                        log.error("Could not determine the issuer's fingerprint for verifying the X.509 certificate with serial number '{}'", x509CertificateHolder3.getSerialNumber());
                        return null;
                    }
                }).filter((v0) -> {
                    return Objects.nonNull(v0);
                }).collect(MoreCollectors.toImmutableSet());
                if (!set.isEmpty()) {
                    return (Set) this.readOnlyTransaction.execute(transactionStatus -> {
                        return this.x509CertificateDao.getByFingerprints(set);
                    });
                }
                log.debug("No filtered issuer X.509 certificate fingerprints were found. All the trusted X.509 certificates in the database will be checked when verifying the signature of the Git object.");
                return (Set) ((Stream) this.readOnlyTransaction.execute(transactionStatus2 -> {
                    X509CertificateDao x509CertificateDao = this.x509CertificateDao;
                    Objects.requireNonNull(x509CertificateDao);
                    return PageUtils.toStream(x509CertificateDao::findAll, 500);
                })).collect(Collectors.toSet());
            });
        } catch (ExecutionException | UncheckedExecutionException e) {
            log.debug("Encountered an issue when determining the signing X.509 certificate's issuer information. All the trusted X.509 certificates in the database will be checked when verifying the signature of the Git object.");
            return (Set) ((Stream) this.readOnlyTransaction.execute(transactionStatus -> {
                X509CertificateDao x509CertificateDao = this.x509CertificateDao;
                Objects.requireNonNull(x509CertificateDao);
                return PageUtils.toStream(x509CertificateDao::findAll, 500);
            })).collect(Collectors.toSet());
        }
    }

    private Optional<ApplicationUser> getMatchingApplicationUser(X509Certificate x509Certificate, X500Name x500Name) {
        Optional<String> emailAddressFromSubjectAlternativeNameAttribute = getEmailAddressFromSubjectAlternativeNameAttribute(x509Certificate);
        if (!emailAddressFromSubjectAlternativeNameAttribute.isPresent()) {
            emailAddressFromSubjectAlternativeNameAttribute = getEmailAddressFromX500Name(x500Name);
        }
        if (!emailAddressFromSubjectAlternativeNameAttribute.isPresent()) {
            log.debug("No email address could be found for the signing certificate. Cannot perform X.509 signature verification.");
            return Optional.empty();
        }
        try {
            return (Optional) this.signingCertificateUserCache.get(emailAddressFromSubjectAlternativeNameAttribute.get());
        } catch (ExecutionException e) {
            log.debug("Could not successfully match the email address to a user in the system.Cannot perform X.509 signature verification.");
            return Optional.empty();
        }
    }

    private Optional<SignatureVerificationResult> verifyCertificate(ApplicationUser applicationUser, Set<InternalX509Certificate> set, X509Certificate x509Certificate, PublicKey publicKey, long j, Date date) {
        X509Certificate generateCertificate;
        for (InternalX509Certificate internalX509Certificate : set) {
            String fingerprint = internalX509Certificate.getFingerprint();
            log.debug("Attempting to verify signing X.509 certificate with serial number '{}' against issuer X.509 certificate with fingerprint '{}'", Long.valueOf(j), fingerprint);
            try {
                generateCertificate = this.x509CertificateFactory.generateCertificate(new ByteArrayInputStream(internalX509Certificate.getEncoded()));
            } catch (CertificateException e) {
                log.debug("Could not generate issuer X.509 certificate with fingerprint '{}' for verifying signing X.509 certificate with serial number '{}'", fingerprint, Long.valueOf(j));
            }
            try {
                try {
                    x509Certificate.verify(generateCertificate.getPublicKey());
                    Boolean bool = null;
                    try {
                        ImmutableMap.Builder builder = new ImmutableMap.Builder();
                        builder.put(InternalX509RevokedCertificate_.SERIAL_NUMBER, Long.valueOf(j));
                        builder.put("issuerId", Long.valueOf(internalX509Certificate.getId()));
                        bool = (Boolean) this.signingCertificateRevokedCache.get(builder.build());
                    } catch (ExecutionException e2) {
                        log.debug("Could not determine whether or not the signing X.509 certificate with serial number '{}' was revoked or not when verified against issuer X.509 certificate with fingerprint '{}'.", Long.valueOf(j), fingerprint);
                    }
                    if (!Boolean.TRUE.equals(bool)) {
                        return Optional.of(new SignatureVerificationResult.Builder(getSignerValidity(x509Certificate, j, date, fingerprint)).owner(applicationUser).signatureMetadata(buildSignatureMetadata(x509Certificate, generateCertificate)).signatureType(X509_SIGNATURE_TYPE).verificationPublicKey(new X509CertificatePublicKey(publicKey)).build());
                    }
                    log.warn("The signing X.509 certificate with serial number '{}' has been revoked and should not be used when verified against issuer X.509 certificate with fingerprint '{}'.", Long.valueOf(j), fingerprint);
                    return Optional.of(new SignatureVerificationResult.Builder(SignatureState.GOOD_BUT_REVOKED).owner(applicationUser).signatureMetadata(buildSignatureMetadata(x509Certificate, generateCertificate)).verificationPublicKey(new X509CertificatePublicKey(publicKey)).signatureType(X509_SIGNATURE_TYPE).build());
                } catch (SignatureException e3) {
                }
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | CertificateException e4) {
                log.debug("Could not correctly verify signing X.509 certificate with serial number '{}' using issuer X.509 certificate with fingerprint '{}'", Long.valueOf(j), fingerprint);
            }
        }
        return Optional.of(new SignatureVerificationResult.Builder(SignatureState.GOOD_BUT_UNKNOWN_VALIDITY).owner(applicationUser).signatureMetadata(buildSignatureMetadata(x509Certificate, null)).signatureType(X509_SIGNATURE_TYPE).verificationPublicKey(new X509CertificatePublicKey(publicKey)).build());
    }
}
