package org.jvnet.hudson.update_center;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.DigestOutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.output.NullOutputStream;
import org.apache.commons.io.output.TeeOutputStream;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMReader;
import org.jvnet.hudson.crypto.CertificateUtil;
import org.jvnet.hudson.crypto.SignatureOutputStream;
import org.jvnet.hudson.update_center.json.JsonSignature;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.Option;

/* loaded from: input_file:org/jvnet/hudson/update_center/Signer.class */
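/**
 * Signs update-center payloads with an RSA private key and publishes the signer's
 * X.509 chain alongside the signature.
 *
 * <p>Every payload gets two parallel records: a SHA-1/{@code SHA1withRSA} one and a
 * SHA-512/{@code SHA512withRSA} one. The SHA-1 variant is retained so consumers that
 * only understand it keep working; SHA-512 is the one a verifier should prefer. Each
 * signature is verified against the certificate's public key before it is emitted, so
 * a key/certificate mismatch fails here rather than at the consumer.
 *
 * <p>Options are populated by args4j via the public {@code @Option} fields.
 */
public class Signer {

    /** Signing certificates passed via {@code -certificate} must still be valid this far ahead of now. */
    private static final long MIN_REMAINING_VALIDITY_DAYS = 30L;

    /** Bundled trust anchors added on top of {@link CertificateUtil#getDefaultRootCAs()}. */
    private static final String[] BUNDLED_ROOT_RESOURCES = {
        "/hudson-community.cert",
        "/jenkins-update-center-root-ca.cert",
    };

    @Option(name = "-key", usage = "Private key to sign the update center. Must be used in conjunction with -certificate.")
    public File privateKey = null;

    @Option(name = "-certificate", usage = "X509 certificate for the private key given by the -key option. Specify additional -certificate options to pass in intermediate certificates, if any.")
    public List<File> certificates = new ArrayList<File>();

    @Option(name = "-root-certificate", usage = "Additional root certificates")
    public List<File> rootCA = new ArrayList<File>();

    @Option(name = "-canonical")
    @Deprecated
    public File canonical = null;

    /**
     * One-shot digest/signature accumulator. Everything written to {@link #getOut()} is
     * fanned out to two message digests, two signers and two verifiers; {@link #fill} or
     * {@link #addRecord} then finalises all of them. A generator must not be reused after
     * that, because {@link MessageDigest#digest()} and {@link Signature#sign()} reset state.
     */
    static class SignatureGenerator {
        private final Signature sha1sig;
        private final Signature sha512sig;
        private final TeeOutputStream out;
        private final Signature verifier1;
        private final Signature verifier512;
        private final MessageDigest sha1 = DigestUtils.getSha1Digest();
        private final MessageDigest sha512 = DigestUtils.getSha512Digest();

        /** Digest and signature values of one payload, already encoded for the JSON output. */
        private static final class SignedRecord {
            final String digestSha1Base64;
            final String digestSha512Hex;
            final String signatureSha1Base64;
            final String signatureSha512Hex;

            SignedRecord(String digestSha1Base64, String digestSha512Hex,
                         String signatureSha1Base64, String signatureSha512Hex) {
                this.digestSha1Base64 = digestSha1Base64;
                this.digestSha512Hex = digestSha512Hex;
                this.signatureSha1Base64 = signatureSha1Base64;
                this.signatureSha512Hex = signatureSha512Hex;
            }
        }

        /**
         * @param x509Certificate certificate whose public key is used to self-check the signatures
         * @param privateKey      key that produces the signatures
         * @throws GeneralSecurityException if the algorithms are unavailable or the key cannot be used
         * @throws IOException              declared for callers; the stream wrappers built here do no I/O
         */
        SignatureGenerator(X509Certificate x509Certificate, PrivateKey privateKey) throws GeneralSecurityException, IOException {
            this.sha1sig = Signature.getInstance("SHA1withRSA");
            this.sha1sig.initSign(privateKey);
            this.sha512sig = Signature.getInstance("SHA512withRSA");
            this.sha512sig.initSign(privateKey);
            this.verifier1 = Signature.getInstance("SHA1withRSA");
            this.verifier1.initVerify(x509Certificate.getPublicKey());
            this.verifier512 = Signature.getInstance("SHA512withRSA");
            this.verifier512.initVerify(x509Certificate.getPublicKey());

            // Fan every byte out to all six consumers. The order matches the original nested
            // tee chain; the digests sink into NullOutputStream because only the hash matters.
            OutputStream[] sinks = {
                new DigestOutputStream(new NullOutputStream(), this.sha1),
                new SignatureOutputStream(this.sha1sig),
                new SignatureOutputStream(this.verifier1),
                new DigestOutputStream(new NullOutputStream(), this.sha512),
                new SignatureOutputStream(this.sha512sig),
                new SignatureOutputStream(this.verifier512),
            };
            TeeOutputStream tee = new TeeOutputStream(sinks[0], sinks[1]);
            for (int i = 2; i < sinks.length; i++) {
                tee = new TeeOutputStream(tee, sinks[i]);
            }
            this.out = tee;
        }

        /** @return the stream the payload must be written to (callers are responsible for flushing it) */
        public TeeOutputStream getOut() {
            return this.out;
        }

        /**
         * Finalises the accumulated payload into the {@code correct_*} fields of {@code jsonSignature}.
         *
         * @throws GeneralSecurityException if signing fails or a signature does not verify
         *                                  against the certificate's public key
         */
        public void fill(JsonSignature jsonSignature) throws GeneralSecurityException {
            SignedRecord record = finish();
            jsonSignature.correct_digest = record.digestSha1Base64;
            jsonSignature.correct_digest512 = record.digestSha512Hex;
            jsonSignature.correct_signature = record.signatureSha1Base64;
            jsonSignature.correct_signature512 = record.signatureSha512Hex;
        }

        /**
         * Finalises the accumulated payload into {@code jSONObject} under the keys
         * {@code <str>digest}, {@code <str>digest512}, {@code <str>signature} and
         * {@code <str>signature512}.
         *
         * @param str key prefix, e.g. {@code ""} or {@code "correct_"}
         * @throws GeneralSecurityException if signing fails or a signature does not verify
         */
        public void addRecord(JSONObject jSONObject, String str) throws GeneralSecurityException, IOException {
            SignedRecord record = finish();
            jSONObject.put(str + "digest", record.digestSha1Base64);
            jSONObject.put(str + "digest512", record.digestSha512Hex);
            jSONObject.put(str + "signature", record.signatureSha1Base64);
            jSONObject.put(str + "signature512", record.signatureSha512Hex);
        }

        /**
         * Computes digests and signatures and checks both signatures against the certificate.
         * Calling this a second time would operate on reset digest/signature state.
         */
        private SignedRecord finish() throws GeneralSecurityException {
            String digestSha1 = new String(Base64.encodeBase64(this.sha1.digest()), StandardCharsets.UTF_8);
            String digestSha512 = Hex.encodeHexString(this.sha512.digest());
            byte[] sign = this.sha1sig.sign();
            byte[] sign2 = this.sha512sig.sign();
            // Self-check: the verifiers saw the same bytes, so a failure here means the
            // supplied certificate does not belong to the private key (or a bug).
            if (!this.verifier1.verify(sign)) {
                throw new GeneralSecurityException("Signature (SHA-1) failed to validate. Either the certificate and the private key weren't matching, or a bug in the program.");
            }
            if (!this.verifier512.verify(sign2)) {
                throw new GeneralSecurityException("Signature (SHA-512) failed to validate. Either the certificate and the private key weren't matching, or a bug in the program.");
            }
            return new SignedRecord(digestSha1, digestSha512,
                new String(Base64.encodeBase64(sign), StandardCharsets.UTF_8),
                Hex.encodeHexString(sign2));
        }
    }

    /**
     * @return {@code true} if both a key and at least one certificate were given,
     *         {@code false} if neither was
     * @throws IllegalStateException if only one of the two was given
     */
    public boolean isConfigured() {
        boolean hasKey = this.privateKey != null;
        boolean hasCertificate = !this.certificates.isEmpty();
        if (hasKey && hasCertificate) {
            return true;
        }
        if (!hasKey && !hasCertificate) {
            return false;
        }
        throw new IllegalStateException("private key and certificate must be both specified");
    }

    /**
     * Signs an arbitrary string payload.
     *
     * @param str the exact text to sign (written as UTF-8)
     * @return the populated signature, or {@code null} when no key/certificate is configured
     * @throws GeneralSecurityException if the chain, key or signatures are unusable
     * @throws IOException              if the key or certificates cannot be read
     */
    public JsonSignature sign(String str) throws GeneralSecurityException, IOException {
        if (!isConfigured()) {
            return null;
        }
        JsonSignature jsonSignature = new JsonSignature();
        List<X509Certificate> certificateChain = getCertificateChain();
        SignatureGenerator signatureGenerator = new SignatureGenerator(certificateChain.get(0), loadPrivateKey());
        // Closing the writer flushes the last buffered bytes into the digests/signers.
        try (OutputStreamWriter outputStreamWriter = new OutputStreamWriter(signatureGenerator.getOut(), StandardCharsets.UTF_8)) {
            IOUtils.write(str, outputStreamWriter);
        }
        signatureGenerator.fill(jsonSignature);
        ArrayList<String> encodedChain = new ArrayList<String>(certificateChain.size());
        for (X509Certificate certificate : certificateChain) {
            encodedChain.add(encodeCertificate(certificate));
        }
        jsonSignature.certificates = encodedChain;
        return jsonSignature;
    }

    /**
     * Signs the canonical form of {@code jSONObject} and stores the result under its
     * {@code "signature"} key. The object is modified in place and returned.
     *
     * <p>Two records are produced: an unprefixed one and a {@code correct_}-prefixed one.
     * The unprefixed record is written through an {@link OutputStreamWriter} that is
     * neither flushed nor closed, exactly as before; do not "fix" that, as any change to
     * the bytes it covers would alter the value existing consumers compare against.
     * The {@code correct_} record is written through a closed (fully flushed) writer.
     *
     * @return the same object, unchanged when no key/certificate is configured
     */
    public JSONObject sign(JSONObject jSONObject) throws GeneralSecurityException, IOException, CmdLineException {
        if (!isConfigured()) {
            return jSONObject;
        }
        JSONObject signatureBlock = new JSONObject();
        List<X509Certificate> certificateChain = getCertificateChain();
        X509Certificate signerCertificate = certificateChain.get(0);
        PrivateKey key = loadPrivateKey();

        // Unprefixed record: writer intentionally left unflushed/unclosed (see class Javadoc).
        SignatureGenerator legacyGenerator = new SignatureGenerator(signerCertificate, key);
        jSONObject.writeCanonical(new OutputStreamWriter(legacyGenerator.getOut(), StandardCharsets.UTF_8));
        legacyGenerator.addRecord(signatureBlock, "");

        // "correct_" record: the canonical bytes are optionally copied to -canonical as well.
        SignatureGenerator currentGenerator = new SignatureGenerator(signerCertificate, key);
        OutputStream canonicalCopy = this.canonical != null
            ? new FileOutputStream(this.canonical)
            : new NullOutputStream();
        // The tee closes both branches, so the optional FileOutputStream is released here too.
        try (OutputStreamWriter outputStreamWriter = new OutputStreamWriter(
                new TeeOutputStream(currentGenerator.getOut(), canonicalCopy), StandardCharsets.UTF_8)) {
            jSONObject.writeCanonical(outputStreamWriter);
        }
        currentGenerator.addRecord(signatureBlock, "correct_");

        JSONArray encodedChain = new JSONArray();
        for (X509Certificate certificate : certificateChain) {
            encodedChain.add(encodeCertificate(certificate));
        }
        signatureBlock.put("certificates", encodedChain);
        jSONObject.put("signature", signatureBlock);
        return jSONObject;
    }

    /**
     * Loads the {@code -key} PEM file. Accepts either a key pair or a bare private key object.
     *
     * @throws IOException if the file cannot be read or holds no private key (the message
     *                     names the file only, never key material)
     */
    private PrivateKey loadPrivateKey() throws IOException {
        try (PEMReader reader = new PEMReader(Files.newBufferedReader(this.privateKey.toPath(), StandardCharsets.UTF_8))) {
            Object pemObject = reader.readObject();
            if (pemObject instanceof KeyPair) {
                return ((KeyPair) pemObject).getPrivate();
            }
            if (pemObject instanceof PrivateKey) {
                return (PrivateKey) pemObject;
            }
            String found = pemObject == null ? "no PEM object" : pemObject.getClass().getName();
            throw new IOException("Expected a private key in " + this.privateKey + " but found " + found);
        }
    }

    /** @return the certificate's DER encoding as Base64 text */
    private static String encodeCertificate(X509Certificate certificate) throws CertificateException {
        return new String(Base64.encodeBase64(certificate.getEncoded()), StandardCharsets.UTF_8);
    }

    /**
     * Loads the {@code -certificate} files (signer first, then intermediates) and checks
     * each is still valid {@value #MIN_REMAINING_VALIDITY_DAYS} days from now, then
     * attempts to validate the chain against the default roots, the bundled roots and any
     * {@code -root-certificate} files.
     *
     * <p>Chain validation failure is reported on stderr but does not abort signing;
     * consumers validate the published chain against their own trust store, so a chain
     * that fails here will be rejected by them. Treat the warning as a release blocker.
     *
     * @throws GeneralSecurityException if a certificate is expired or expires within the window
     * @throws IOException              if a certificate file or bundled resource cannot be read
     */
    protected List<X509Certificate> getCertificateChain() throws IOException, GeneralSecurityException {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
        Date mustStillBeValidAt = new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(MIN_REMAINING_VALIDITY_DAYS));
        List<X509Certificate> chain = new ArrayList<X509Certificate>(this.certificates.size());
        for (File file : this.certificates) {
            X509Certificate certificate = loadCertificate(certificateFactory, file);
            certificate.checkValidity(mustStillBeValidAt);
            chain.add(certificate);
        }

        Set<TrustAnchor> trustAnchors = CertificateUtil.getDefaultRootCAs();
        for (String resource : BUNDLED_ROOT_RESOURCES) {
            trustAnchors.add(new TrustAnchor(loadBundledCertificate(certificateFactory, resource), null));
        }
        for (File file : this.rootCA) {
            trustAnchors.add(new TrustAnchor(loadCertificate(certificateFactory, file), null));
        }

        try {
            CertificateUtil.validatePath(chain, trustAnchors);
        } catch (GeneralSecurityException e) {
            // Deliberately best-effort (see Javadoc); make the failure hard to miss in build logs.
            System.err.println("WARNING: certificate chain did not validate against the configured trust anchors; signing anyway");
            e.printStackTrace();
        }
        return chain;
    }

    /**
     * Loads a trust-anchor certificate bundled on the classpath.
     *
     * @throws IOException          if the resource is missing
     * @throws CertificateException if it does not parse as an X.509 certificate
     */
    private X509Certificate loadBundledCertificate(CertificateFactory certificateFactory, String resource) throws IOException, CertificateException {
        try (InputStream in = getClass().getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("Bundled certificate resource not found: " + resource);
            }
            return (X509Certificate) certificateFactory.generateCertificate(in);
        }
    }

    /**
     * Parses one certificate file and checks it is valid right now.
     *
     * @throws IOException wrapping any parse or read failure, naming the file
     */
    private X509Certificate loadCertificate(CertificateFactory certificateFactory, File file) throws CertificateException, IOException {
        try (FileInputStream fileInputStream = new FileInputStream(file)) {
            X509Certificate x509Certificate = (X509Certificate) certificateFactory.generateCertificate(fileInputStream);
            x509Certificate.checkValidity();
            return x509Certificate;
        } catch (IOException | CertificateException e) {
            throw new IOException("Failed to load certificate " + file, e);
        }
    }

    static {
        // PEMReader needs the BouncyCastle provider registered for the key algorithms it returns.
        Security.addProvider(new BouncyCastleProvider());
    }
}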
