package jenkins.util;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.util.FormValidation;
import io.jenkins.cli.shaded.org.apache.sshd.common.signature.SignatureRSASHA512;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.OpenOption;
import java.security.DigestOutputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import net.sf.json.util.JSONUtils;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.io.output.NullOutputStream;
import org.apache.commons.io.output.TeeOutputStream;
import org.jvnet.hudson.crypto.CertificateUtil;
import org.jvnet.hudson.crypto.SignatureOutputStream;

/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.337-rc32127.5b_5079977b_a_0.jar:jenkins/util/JSONSignatureValidator.class */
public class JSONSignatureValidator {
    private final String name;
    private static final Logger LOGGER = Logger.getLogger(JSONSignatureValidator.class.getName());

    public JSONSignatureValidator(String str) {
        this.name = str;
    }

    @SuppressFBWarnings(value = {"WEAK_MESSAGE_DIGEST_SHA1"}, justification = "SHA-1 is only used as a fallback if SHA-512 is not available")
    public FormValidation verifySignature(JSONObject jSONObject) throws IOException {
        try {
            FormValidation formValidation = null;
            JSONObject jSONObject2 = jSONObject.getJSONObject("signature");
            if (jSONObject2.isNullObject()) {
                return FormValidation.error("No signature block found in " + this.name);
            }
            jSONObject.remove("signature");
            ArrayList arrayList = new ArrayList();
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
            Iterator it = jSONObject2.getJSONArray("certificates").iterator();
            while (it.hasNext()) {
                Object next = it.next();
                try {
                    X509Certificate x509Certificate = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(Base64.getDecoder().decode(next.toString().getBytes(StandardCharsets.UTF_8))));
                    try {
                        x509Certificate.checkValidity();
                    } catch (CertificateExpiredException e) {
                        formValidation = FormValidation.warning(e, String.format("Certificate %s has expired in %s", next, this.name));
                    } catch (CertificateNotYetValidException e2) {
                        formValidation = FormValidation.warning(e2, String.format("Certificate %s is not yet valid in %s", next, this.name));
                    }
                    LOGGER.log(Level.FINE, "Add certificate found in JSON document:\n\tsubjectDN: {0}\n\tissuer: {1}\n\tnotBefore: {2}\n\tnotAfter: {3}", new Object[]{x509Certificate.getSubjectDN(), x509Certificate.getIssuerDN(), x509Certificate.getNotBefore(), x509Certificate.getNotAfter()});
                    LOGGER.log(Level.FINEST, () -> {
                        return "Certificate from JSON document: " + x509Certificate;
                    });
                    arrayList.add(x509Certificate);
                } catch (IllegalArgumentException e3) {
                    throw new IOException("Could not decode certificate", e3);
                }
            }
            CertificateUtil.validatePath(arrayList, loadTrustAnchors(certificateFactory));
            if (arrayList.isEmpty()) {
                return FormValidation.error("No certificate found in %s. Cannot verify the signature", this.name);
            }
            FormValidation formValidation2 = null;
            try {
                MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");
                Signature signature = Signature.getInstance(SignatureRSASHA512.ALGORITHM);
                signature.initVerify((Certificate) arrayList.get(0));
                formValidation2 = checkSpecificSignature(jSONObject, jSONObject2, messageDigest, "correct_digest512", signature, "correct_signature512", "SHA-512");
                switch (formValidation2.kind) {
                    case ERROR:
                        return formValidation2;
                    case WARNING:
                        LOGGER.log(Level.INFO, "JSON data source '" + this.name + "' does not provide a SHA-512 content checksum or signature. Looking for SHA-1.");
                        break;
                    case OK:
                        break;
                    default:
                        throw new AssertionError("Unknown form validation kind: " + formValidation2.kind);
                }
            } catch (NoSuchAlgorithmException e4) {
                LOGGER.log(Level.WARNING, "Failed to verify potential SHA-512 digest/signature, falling back to SHA-1", (Throwable) e4);
            }
            MessageDigest messageDigest2 = MessageDigest.getInstance("SHA1");
            Signature signature2 = Signature.getInstance("SHA1withRSA");
            signature2.initVerify((Certificate) arrayList.get(0));
            FormValidation checkSpecificSignature = checkSpecificSignature(jSONObject, jSONObject2, messageDigest2, "correct_digest", signature2, "correct_signature", "SHA-1");
            switch (checkSpecificSignature.kind) {
                case ERROR:
                    return checkSpecificSignature;
                case WARNING:
                    if (formValidation2.kind == FormValidation.Kind.WARNING) {
                        return FormValidation.error("No correct_signature or correct_signature512 entry found in '" + this.name + "'.");
                    }
                    break;
                case OK:
                    break;
                default:
                    throw new AssertionError("Unknown form validation kind: " + checkSpecificSignature.kind);
            }
            return formValidation != null ? formValidation : FormValidation.ok();
        } catch (GeneralSecurityException e5) {
            return FormValidation.error(e5, "Signature verification failed in " + this.name);
        }
    }

    private FormValidation checkSpecificSignature(JSONObject jSONObject, JSONObject jSONObject2, MessageDigest messageDigest, String str, Signature signature, String str2, String str3) throws IOException {
        DigestOutputStream digestOutputStream = new DigestOutputStream(NullOutputStream.NULL_OUTPUT_STREAM, messageDigest);
        SignatureOutputStream signatureOutputStream = new SignatureOutputStream(signature);
        String optString = jSONObject2.optString(str, null);
        if (optString == null) {
            return FormValidation.warning("No '" + str + "' found");
        }
        String optString2 = jSONObject2.optString(str2, null);
        if (optString2 == null) {
            return FormValidation.warning("No '" + str2 + "' found");
        }
        jSONObject.writeCanonical(new OutputStreamWriter(new TeeOutputStream(digestOutputStream, signatureOutputStream), StandardCharsets.UTF_8)).close();
        if (digestMatches(messageDigest.digest(), optString)) {
            return !verifySignature(signature, optString2) ? FormValidation.error(str3 + " based signature in the update center doesn't match with the certificate in '" + this.name + JSONUtils.SINGLE_QUOTE) : FormValidation.ok();
        }
        String str4 = str3 + " digest mismatch: expected=" + optString + " in '" + this.name + JSONUtils.SINGLE_QUOTE;
        if (LOGGER.isLoggable(Level.SEVERE)) {
            LOGGER.severe(str4);
            LOGGER.severe(jSONObject.toString(2));
        }
        return FormValidation.error(str4);
    }

    private boolean verifySignature(Signature signature, String str) {
        try {
            if (signature.verify(Hex.decodeHex(str.toCharArray()))) {
                return true;
            }
        } catch (SignatureException | DecoderException e) {
        }
        try {
            return signature.verify(Base64.getDecoder().decode(str));
        } catch (IllegalArgumentException | SignatureException e2) {
            return false;
        }
    }

    private boolean digestMatches(byte[] bArr, String str) {
        return str.equalsIgnoreCase(Hex.encodeHexString(bArr)) || str.equalsIgnoreCase(Base64.getEncoder().encodeToString(bArr));
    }

    @SuppressFBWarnings(value = {"NP_LOAD_OF_KNOWN_NULL_VALUE", "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE"}, justification = "https://github.com/spotbugs/spotbugs/issues/756")
    protected Set<TrustAnchor> loadTrustAnchors(CertificateFactory certificateFactory) throws IOException {
        HashSet hashSet = new HashSet();
        Jenkins jenkins2 = Jenkins.get();
        for (String str : jenkins2.servletContext.getResourcePaths("/WEB-INF/update-center-rootCAs")) {
            if (!str.endsWith("/") && !str.endsWith(".txt")) {
                try {
                    InputStream resourceAsStream = jenkins2.servletContext.getResourceAsStream(str);
                    Throwable th = null;
                    if (resourceAsStream != null) {
                        try {
                            try {
                                Certificate generateCertificate = certificateFactory.generateCertificate(resourceAsStream);
                                if (generateCertificate instanceof X509Certificate) {
                                    X509Certificate x509Certificate = (X509Certificate) generateCertificate;
                                    LOGGER.log(Level.FINE, "Add CA certificate found in webapp resources:\n\tsubjectDN: {0}\n\tissuer: {1}\n\tnotBefore: {2}\n\tnotAfter: {3}", new Object[]{x509Certificate.getSubjectDN(), x509Certificate.getIssuerDN(), x509Certificate.getNotBefore(), x509Certificate.getNotAfter()});
                                }
                                LOGGER.log(Level.FINEST, () -> {
                                    return "CA certificate from webapp resource " + str + ": " + generateCertificate;
                                });
                                if (resourceAsStream != null) {
                                    if (0 != 0) {
                                        try {
                                            resourceAsStream.close();
                                        } catch (Throwable th2) {
                                            th.addSuppressed(th2);
                                        }
                                    } else {
                                        resourceAsStream.close();
                                    }
                                }
                                try {
                                    hashSet.add(new TrustAnchor((X509Certificate) generateCertificate, null));
                                } catch (IllegalArgumentException e) {
                                    LOGGER.log(Level.WARNING, String.format("The name constraints in the certificate resource %s could not be decoded. Skipping this resource for now.", str), (Throwable) e);
                                }
                            } catch (Throwable th3) {
                                th = th3;
                                throw th3;
                                break;
                            }
                        } catch (Throwable th4) {
                            if (resourceAsStream != null) {
                                if (th != null) {
                                    try {
                                        resourceAsStream.close();
                                    } catch (Throwable th5) {
                                        th.addSuppressed(th5);
                                    }
                                } else {
                                    resourceAsStream.close();
                                }
                            }
                            throw th4;
                            break;
                        }
                    } else if (resourceAsStream != null) {
                        if (0 != 0) {
                            try {
                                resourceAsStream.close();
                            } catch (Throwable th6) {
                                th.addSuppressed(th6);
                            }
                        } else {
                            resourceAsStream.close();
                        }
                    }
                } catch (CertificateException e2) {
                    LOGGER.log(Level.WARNING, String.format("Webapp resources in /WEB-INF/update-center-rootCAs are expected to be either certificates or .txt files documenting the certificates, but %s did not parse as a certificate. Skipping this resource for now.", str), (Throwable) e2);
                }
            }
        }
        File[] listFiles = new File(jenkins2.root, "update-center-rootCAs").listFiles();
        if (listFiles != null) {
            for (File file : listFiles) {
                if (!file.isDirectory() && !file.getName().endsWith(".txt")) {
                    try {
                        InputStream newInputStream = Files.newInputStream(file.toPath(), new OpenOption[0]);
                        Throwable th7 = null;
                        try {
                            try {
                                Certificate generateCertificate2 = certificateFactory.generateCertificate(newInputStream);
                                if (generateCertificate2 instanceof X509Certificate) {
                                    X509Certificate x509Certificate2 = (X509Certificate) generateCertificate2;
                                    LOGGER.log(Level.FINE, "Add CA certificate found in Jenkins home:\n\tsubjectDN: {0}\n\tissuer: {1}\n\tnotBefore: {2}\n\tnotAfter: {3}", new Object[]{x509Certificate2.getSubjectDN(), x509Certificate2.getIssuerDN(), x509Certificate2.getNotBefore(), x509Certificate2.getNotAfter()});
                                }
                                LOGGER.log(Level.FINEST, () -> {
                                    return "CA certificate from Jenkins home " + file + ": " + generateCertificate2;
                                });
                                if (newInputStream != null) {
                                    if (0 != 0) {
                                        try {
                                            newInputStream.close();
                                        } catch (Throwable th8) {
                                            th7.addSuppressed(th8);
                                        }
                                    } else {
                                        newInputStream.close();
                                    }
                                }
                                try {
                                    hashSet.add(new TrustAnchor((X509Certificate) generateCertificate2, null));
                                } catch (IllegalArgumentException e3) {
                                    LOGGER.log(Level.WARNING, String.format("The name constraints in the certificate file %s could not be decoded. Skipping this file for now.", file.getAbsolutePath()), (Throwable) e3);
                                }
                            } catch (Throwable th9) {
                                th7 = th9;
                                throw th9;
                                break;
                            }
                        } catch (Throwable th10) {
                            if (newInputStream != null) {
                                if (th7 != null) {
                                    try {
                                        newInputStream.close();
                                    } catch (Throwable th11) {
                                        th7.addSuppressed(th11);
                                    }
                                } else {
                                    newInputStream.close();
                                }
                            }
                            throw th10;
                            break;
                        }
                    } catch (InvalidPathException e4) {
                        throw new IOException(e4);
                    } catch (CertificateException e5) {
                        LOGGER.log(Level.WARNING, String.format("Files in %s are expected to be either certificates or .txt files documenting the certificates, but %s did not parse as a certificate. Skipping this file for now.", file.getParentFile().getAbsolutePath(), file.getAbsolutePath()), (Throwable) e5);
                    }
                }
            }
        }
        return hashSet;
    }
}
