package org.eclipse.cbi.maven.plugins.jarsigner;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import java.io.BufferedOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.util.EnumSet;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;
import java.util.jar.Manifest;
import java.util.stream.StreamSupport;
import org.apache.maven.plugin.logging.Log;
import org.eclipse.cbi.common.security.MessageDigestAlgorithm;
import org.eclipse.cbi.common.util.Paths;
import org.eclipse.cbi.common.util.Zips;
import org.eclipse.cbi.maven.plugins.jarsigner.JarSigner;

/* loaded from: input_file:org/eclipse/cbi/maven/plugins/jarsigner/JarResigner.class */
public abstract class JarResigner implements JarSigner {
    private static final String DIGEST_ATTRIBUTE_SUFFIX = "-Digest";
    private final JarSigner delegate;
    private final Log log;

    /* loaded from: input_file:org/eclipse/cbi/maven/plugins/jarsigner/JarResigner$DoNotResign.class */
    private static class DoNotResign extends JarResigner {
        DoNotResign(JarSigner jarSigner, Log log) {
            super(jarSigner, log);
        }

        @Override // org.eclipse.cbi.maven.plugins.jarsigner.JarResigner
        public int resign(Path path, JarSigner.Options options) {
            log().info("Jar '" + path.toString() + "' is already signed and will *not* be resigned.");
            return 0;
        }
    }

    /* loaded from: input_file:org/eclipse/cbi/maven/plugins/jarsigner/JarResigner$OverwriteSignature.class */
    private static class OverwriteSignature extends JarResigner {
        OverwriteSignature(JarSigner jarSigner, Log log) {
            super(jarSigner, log);
        }

        @Override // org.eclipse.cbi.maven.plugins.jarsigner.JarResigner
        protected int resign(Path path, JarSigner.Options options) throws IOException {
            Path createTempDirectory = Files.createTempDirectory(Paths.getParent(path), "overwriteSignature-" + path.getFileName() + "-", new FileAttribute[0]);
            try {
                Zips.unpackJar(path, createTempDirectory);
                Path resolve = createTempDirectory.resolve("META-INF");
                boolean removeSignatureFilesIfAny = removeSignatureFilesIfAny(resolve);
                boolean removeManifestDigestsIfAny = removeManifestDigestsIfAny(resolve.resolve("MANIFEST.MF"));
                if (removeSignatureFilesIfAny || removeManifestDigestsIfAny) {
                    log().info("Jar '" + path.toString() + "' is already signed. The signature will be overwritten.");
                    Zips.packJar(createTempDirectory, path, false);
                } else {
                    log().info("No signature was found in Jar '" + path.toString() + "', it will be signed without touching it. Signature would have been overwritten otherwise.");
                }
                int sign = delegate().sign(path, options);
                Paths.deleteQuietly(createTempDirectory);
                return sign;
            } catch (Throwable th) {
                Paths.deleteQuietly(createTempDirectory);
                throw th;
            }
        }

        private boolean removeSignatureFilesIfAny(Path path) throws IOException {
            if (!Files.exists(path, new LinkOption[0])) {
                return false;
            }
            DirectoryStream<Path> newDirectoryStream = Files.newDirectoryStream(path, "*.{SF,DSA,RSA,EC}");
            try {
                List<Path> list = StreamSupport.stream(newDirectoryStream.spliterator(), false).toList();
                for (Path path2 : list) {
                    log().debug("Deleting signature file '" + path2 + "'");
                    Paths.delete(path2);
                }
                boolean z = !list.isEmpty();
                if (newDirectoryStream != null) {
                    newDirectoryStream.close();
                }
                return z;
            } catch (Throwable th) {
                if (newDirectoryStream != null) {
                    try {
                        newDirectoryStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }

        private boolean removeManifestDigestsIfAny(Path path) throws IOException {
            if (!Files.exists(path, new LinkOption[0])) {
                return false;
            }
            Manifest readManifest = readManifest(path);
            List<String> removeDigestAttributes = removeDigestAttributes(readManifest);
            if (!removeDigestAttributes.isEmpty()) {
                pruneEmptyEntries(readManifest, removeDigestAttributes);
                writeManifest(readManifest, path);
            }
            return !removeDigestAttributes.isEmpty();
        }

        private List<String> removeDigestAttributes(Manifest manifest) {
            return manifest.getEntries().entrySet().stream().map(entry -> {
                if (!((Attributes) entry.getValue()).keySet().removeIf(obj -> {
                    return obj.toString().endsWith(JarResigner.DIGEST_ATTRIBUTE_SUFFIX);
                })) {
                    return null;
                }
                log().debug("Deleting digest attribute(s) of entry '" + ((String) entry.getKey()) + "'");
                return (String) entry.getKey();
            }).filter((v0) -> {
                return Objects.nonNull(v0);
            }).toList();
        }

        private void pruneEmptyEntries(Manifest manifest, List<String> list) {
            list.forEach(str -> {
                if (manifest.getAttributes(str).isEmpty()) {
                    log().debug("Deleting manifest entry for '" + str + "' as it has no attribute anymore");
                    manifest.getEntries().remove(str);
                }
            });
        }

        private static void writeManifest(Manifest manifest, Path path) throws IOException {
            BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(Files.newOutputStream(path, StandardOpenOption.WRITE, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING));
            try {
                manifest.write(bufferedOutputStream);
                bufferedOutputStream.close();
            } catch (Throwable th) {
                try {
                    bufferedOutputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }

        private static Manifest readManifest(Path path) throws IOException {
            Manifest manifest = new Manifest();
            InputStream newInputStream = Files.newInputStream(path, StandardOpenOption.READ);
            try {
                manifest.read(newInputStream);
                if (newInputStream != null) {
                    newInputStream.close();
                }
                return manifest;
            } catch (Throwable th) {
                if (newInputStream != null) {
                    try {
                        newInputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
    }

    /* loaded from: input_file:org/eclipse/cbi/maven/plugins/jarsigner/JarResigner$OverwriteSignatureWithSameDigestAlg.class */
    private static class OverwriteSignatureWithSameDigestAlg extends OverwriteSignature {
        private OverwriteSignatureWithSameDigestAlg(JarSigner jarSigner, Log log) {
            super(jarSigner, log);
        }

        @Override // org.eclipse.cbi.maven.plugins.jarsigner.JarResigner.OverwriteSignature, org.eclipse.cbi.maven.plugins.jarsigner.JarResigner
        protected int resign(Path path, JarSigner.Options options) throws IOException {
            log().debug("Jar signing options before change by strategy '" + Strategy.OVERWRITE_WITH_SAME_DIGEST_ALGORITHM + "': " + options);
            return super.resign(path, JarSigner.Options.copy(options).digestAlgorithm(getDigestAlgorithmToReuse(path)).build());
        }
    }

    /* loaded from: input_file:org/eclipse/cbi/maven/plugins/jarsigner/JarResigner$Resign.class */
    private static class Resign extends JarResigner {
        Resign(JarSigner jarSigner, Log log) {
            super(jarSigner, log);
        }

        @Override // org.eclipse.cbi.maven.plugins.jarsigner.JarResigner
        protected int resign(Path path, JarSigner.Options options) throws IOException {
            log().info("Jar '" + path.toString() + "' is already signed and will be resigned.");
            return delegate().sign(path, options);
        }
    }

    /* loaded from: input_file:org/eclipse/cbi/maven/plugins/jarsigner/JarResigner$ResignWithSameDigestAlg.class */
    private static class ResignWithSameDigestAlg extends Resign {
        public ResignWithSameDigestAlg(JarSigner jarSigner, Log log) {
            super(jarSigner, log);
        }

        @Override // org.eclipse.cbi.maven.plugins.jarsigner.JarResigner.Resign, org.eclipse.cbi.maven.plugins.jarsigner.JarResigner
        protected int resign(Path path, JarSigner.Options options) throws IOException {
            log().debug("Jar signing options before change by strategy '" + Strategy.RESIGN_WITH_SAME_DIGEST_ALGORITHM + "': " + options);
            return super.resign(path, JarSigner.Options.copy(options).digestAlgorithm(getDigestAlgorithmToReuse(path)).build());
        }
    }

    /* loaded from: input_file:org/eclipse/cbi/maven/plugins/jarsigner/JarResigner$Strategy.class */
    public enum Strategy {
        DO_NOT_RESIGN,
        THROW_EXCEPTION,
        RESIGN,
        RESIGN_WITH_SAME_DIGEST_ALGORITHM,
        OVERWRITE,
        OVERWRITE_WITH_SAME_DIGEST_ALGORITHM
    }

    /* loaded from: input_file:org/eclipse/cbi/maven/plugins/jarsigner/JarResigner$ThrowException.class */
    private static class ThrowException extends JarResigner {
        ThrowException(JarSigner jarSigner, Log log) {
            super(jarSigner, log);
        }

        @Override // org.eclipse.cbi.maven.plugins.jarsigner.JarResigner
        public int resign(Path path, JarSigner.Options options) {
            throw new IllegalStateException("Jar '" + path + "' is already signed");
        }
    }

    JarResigner(JarSigner jarSigner, Log log) {
        this.delegate = (JarSigner) Preconditions.checkNotNull(jarSigner);
        this.log = (Log) Preconditions.checkNotNull(log);
    }

    final Log log() {
        return this.log;
    }

    public static JarSigner create(Strategy strategy, JarSigner jarSigner, Log log) {
        JarSigner overwriteSignatureWithSameDigestAlg;
        switch (strategy) {
            case DO_NOT_RESIGN:
                overwriteSignatureWithSameDigestAlg = new DoNotResign(jarSigner, log);
                break;
            case THROW_EXCEPTION:
                overwriteSignatureWithSameDigestAlg = new ThrowException(jarSigner, log);
                break;
            case RESIGN:
                overwriteSignatureWithSameDigestAlg = new Resign(jarSigner, log);
                break;
            case RESIGN_WITH_SAME_DIGEST_ALGORITHM:
                overwriteSignatureWithSameDigestAlg = new ResignWithSameDigestAlg(jarSigner, log);
                break;
            case OVERWRITE:
                overwriteSignatureWithSameDigestAlg = new OverwriteSignature(jarSigner, log);
                break;
            case OVERWRITE_WITH_SAME_DIGEST_ALGORITHM:
                overwriteSignatureWithSameDigestAlg = new OverwriteSignatureWithSameDigestAlg(jarSigner, log);
                break;
            default:
                throw new IllegalStateException("Unknow resigning strategy: " + strategy);
        }
        return overwriteSignatureWithSameDigestAlg;
    }

    JarSigner delegate() {
        return this.delegate;
    }

    @Override // org.eclipse.cbi.maven.plugins.jarsigner.JarSigner
    public int sign(Path path, JarSigner.Options options) throws IOException {
        return isAlreadySigned(path) ? resign(path, options) : delegate().sign(path, options);
    }

    abstract int resign(Path path, JarSigner.Options options) throws IOException;

    @VisibleForTesting
    static boolean isAlreadySigned(Path path) throws IOException {
        boolean z = false;
        JarInputStream jarInputStream = new JarInputStream(Files.newInputStream(path, new OpenOption[0]));
        try {
            for (JarEntry nextJarEntry = jarInputStream.getNextJarEntry(); nextJarEntry != null && !z; nextJarEntry = jarInputStream.getNextJarEntry()) {
                z = isBlockOrSF(nextJarEntry.getName()) || hasManifestDigest(nextJarEntry.getAttributes());
            }
            jarInputStream.close();
            return z;
        } catch (Throwable th) {
            try {
                jarInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    static boolean hasManifestDigest(Attributes attributes) {
        if (attributes != null) {
            return attributes.keySet().stream().anyMatch(obj -> {
                return obj.toString().endsWith(DIGEST_ATTRIBUTE_SUFFIX);
            });
        }
        return false;
    }

    private static boolean isBlockOrSF(String str) {
        String upperCase = str.toUpperCase(Locale.ENGLISH);
        if (upperCase.startsWith("META-INF/") || upperCase.startsWith("/META-INF/")) {
            return upperCase.endsWith(".SF") || upperCase.endsWith(".DSA") || upperCase.endsWith(".RSA") || upperCase.endsWith(".EC");
        }
        return false;
    }

    public static JarSigner doNotResign(JarSigner jarSigner, Log log) {
        return new DoNotResign(jarSigner, log);
    }

    public static JarSigner throwException(JarSigner jarSigner, Log log) {
        return new ThrowException(jarSigner, log);
    }

    public static JarSigner resignWithSameDigestAlgorithm(JarSigner jarSigner, Log log) {
        return new ResignWithSameDigestAlg(jarSigner, log);
    }

    public static JarSigner resign(JarSigner jarSigner, Log log) {
        return new Resign(jarSigner, log);
    }

    public static JarSigner overwriteWithSameDigestAlgorithm(JarSigner jarSigner, Log log) {
        return new OverwriteSignatureWithSameDigestAlg(jarSigner, log);
    }

    public static JarSigner overwrite(JarSigner jarSigner, Log log) {
        return new OverwriteSignature(jarSigner, log);
    }

    @VisibleForTesting
    static Set<MessageDigestAlgorithm> getAllUsedDigestAlgorithm(Path path) throws IOException {
        EnumSet noneOf = EnumSet.noneOf(MessageDigestAlgorithm.class);
        JarInputStream jarInputStream = new JarInputStream(Files.newInputStream(path, new OpenOption[0]));
        try {
            for (JarEntry nextJarEntry = jarInputStream.getNextJarEntry(); nextJarEntry != null; nextJarEntry = jarInputStream.getNextJarEntry()) {
                Attributes attributes = nextJarEntry.getAttributes();
                if (attributes != null) {
                    for (Object obj : attributes.keySet()) {
                        if (obj.toString().endsWith(DIGEST_ATTRIBUTE_SUFFIX)) {
                            noneOf.add(MessageDigestAlgorithm.fromStandardName(obj.toString().substring(0, obj.toString().length() - DIGEST_ATTRIBUTE_SUFFIX.length())));
                        }
                    }
                }
            }
            jarInputStream.close();
            return noneOf;
        } catch (Throwable th) {
            try {
                jarInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @VisibleForTesting
    static MessageDigestAlgorithm getDigestAlgorithmToReuse(Path path) throws IOException {
        Set<MessageDigestAlgorithm> allUsedDigestAlgorithm = getAllUsedDigestAlgorithm(path);
        if (allUsedDigestAlgorithm.isEmpty()) {
            throw new IllegalArgumentException("Jar '" + path + "' is not signed while it was asked to be resigned.");
        }
        if (allUsedDigestAlgorithm.size() > 1) {
            throw new IllegalArgumentException("Can't resign with the same digest algorithm. Jar '" + path + "' contains entries that has been signed with more than one digest algorithm: '" + Joiner.on(", ").join(allUsedDigestAlgorithm) + "'. Use another strategy to resign.");
        }
        return allUsedDigestAlgorithm.iterator().next();
    }
}
