package com.google.gerrit.gpg;

import com.google.common.base.Preconditions;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.bcpg.ArmoredInputStream;
import org.bouncycastle.bcpg.ArmoredOutputStream;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.bc.BcPGPObjectFactory;
import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;
import org.eclipse.jgit.lib.CommitBuilder;
import org.eclipse.jgit.lib.ObjectId;
import org.eclipse.jgit.lib.ObjectInserter;
import org.eclipse.jgit.lib.ObjectReader;
import org.eclipse.jgit.lib.ObjectStream;
import org.eclipse.jgit.lib.Ref;
import org.eclipse.jgit.lib.RefUpdate;
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.notes.Note;
import org.eclipse.jgit.notes.NoteMap;
import org.eclipse.jgit.revwalk.RevCommit;
import org.eclipse.jgit.revwalk.RevWalk;
import org.eclipse.jgit.util.NB;
import org.openid4java.association.Association;

/* loaded from: input_file:com/google/gerrit/gpg/PublicKeyStore.class */
public class PublicKeyStore implements AutoCloseable {
    private static final ObjectId EMPTY_TREE = ObjectId.fromString("4b825dc642cb6eb9a060e54bf8d69288fbee4904");
    public static final String REFS_GPG_KEYS = "refs/meta/gpg-keys";
    private final Repository repo;
    private ObjectReader reader;
    private RevCommit tip;
    private NoteMap notes;
    private Map<Fingerprint, PGPPublicKeyRing> toAdd = new HashMap();
    private Set<Fingerprint> toRemove = new HashSet();

    public static PGPPublicKey getSigner(Iterable<PGPPublicKeyRing> iterable, PGPSignature pGPSignature, byte[] bArr) throws PGPException {
        Iterator<PGPPublicKeyRing> it = iterable.iterator();
        while (it.hasNext()) {
            PGPPublicKey publicKey = it.next().getPublicKey();
            pGPSignature.init(new BcPGPContentVerifierBuilderProvider(), publicKey);
            pGPSignature.update(bArr);
            if (pGPSignature.verify()) {
                return publicKey;
            }
        }
        return null;
    }

    public static PGPPublicKey getSigner(Iterable<PGPPublicKeyRing> iterable, PGPSignature pGPSignature, String str, PGPPublicKey pGPPublicKey) throws PGPException {
        Iterator<PGPPublicKeyRing> it = iterable.iterator();
        while (it.hasNext()) {
            PGPPublicKey publicKey = it.next().getPublicKey();
            pGPSignature.init(new BcPGPContentVerifierBuilderProvider(), publicKey);
            if (pGPSignature.verifyCertification(str, pGPPublicKey)) {
                return publicKey;
            }
        }
        return null;
    }

    public PublicKeyStore(Repository repository) {
        this.repo = repository;
    }

    @Override // java.lang.AutoCloseable
    public void close() {
        reset();
    }

    private void reset() {
        if (this.reader != null) {
            this.reader.close();
            this.reader = null;
            this.notes = null;
        }
    }

    private void load() throws IOException {
        reset();
        this.reader = this.repo.newObjectReader();
        Ref exactRef = this.repo.getRefDatabase().exactRef(REFS_GPG_KEYS);
        if (exactRef == null) {
            return;
        }
        RevWalk revWalk = new RevWalk(this.reader);
        Throwable th = null;
        try {
            try {
                this.tip = revWalk.parseCommit(exactRef.getObjectId());
                this.notes = NoteMap.read(this.reader, this.tip);
                if (revWalk != null) {
                    if (0 == 0) {
                        revWalk.close();
                        return;
                    }
                    try {
                        revWalk.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (revWalk != null) {
                if (th != null) {
                    try {
                        revWalk.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    revWalk.close();
                }
            }
            throw th4;
        }
    }

    public PGPPublicKeyRingCollection get(long j) throws PGPException, IOException {
        return new PGPPublicKeyRingCollection(get(j, null));
    }

    public PGPPublicKeyRing get(byte[] bArr) throws PGPException, IOException {
        List<PGPPublicKeyRing> list = get(Fingerprint.getId(bArr), bArr);
        if (list.isEmpty()) {
            return null;
        }
        return list.get(0);
    }

    private List<PGPPublicKeyRing> get(long j, byte[] bArr) throws IOException {
        Note note;
        if (this.reader == null) {
            load();
        }
        if (this.notes != null && (note = this.notes.getNote(keyObjectId(j))) != null) {
            ArrayList arrayList = new ArrayList();
            ObjectStream openStream = this.reader.open(note.getData(), 3).openStream();
            Throwable th = null;
            while (true) {
                try {
                    try {
                        Iterator it = new BcPGPObjectFactory(new ArmoredInputStream(openStream)).iterator();
                        if (!it.hasNext()) {
                            break;
                        }
                        Object next = it.next();
                        if (next instanceof PGPPublicKeyRing) {
                            PGPPublicKeyRing pGPPublicKeyRing = (PGPPublicKeyRing) next;
                            if (bArr == null || Arrays.equals(bArr, pGPPublicKeyRing.getPublicKey().getFingerprint())) {
                                arrayList.add(pGPPublicKeyRing);
                            }
                        }
                        Preconditions.checkState(!it.hasNext(), "expected one PGP object per ArmoredInputStream");
                    } finally {
                    }
                } catch (Throwable th2) {
                    if (openStream != null) {
                        if (th != null) {
                            try {
                                openStream.close();
                            } catch (Throwable th3) {
                                th.addSuppressed(th3);
                            }
                        } else {
                            openStream.close();
                        }
                    }
                    throw th2;
                }
            }
            if (openStream != null) {
                if (0 != 0) {
                    try {
                        openStream.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    openStream.close();
                }
            }
            return arrayList;
        }
        return Collections.emptyList();
    }

    public void add(PGPPublicKeyRing pGPPublicKeyRing) {
        int i = 0;
        Iterator it = pGPPublicKeyRing.iterator();
        while (it.hasNext()) {
            if (((PGPPublicKey) it.next()).isMasterKey()) {
                i++;
            }
        }
        if (i != 1) {
            throw new IllegalArgumentException("Exactly 1 master key is required, found " + i);
        }
        Fingerprint fingerprint = new Fingerprint(pGPPublicKeyRing.getPublicKey().getFingerprint());
        this.toAdd.put(fingerprint, pGPPublicKeyRing);
        this.toRemove.remove(fingerprint);
    }

    public void remove(byte[] bArr) {
        Fingerprint fingerprint = new Fingerprint(bArr);
        this.toAdd.remove(fingerprint);
        this.toRemove.add(fingerprint);
    }

    public RefUpdate.Result save(CommitBuilder commitBuilder) throws PGPException, IOException {
        if (this.toAdd.isEmpty() && this.toRemove.isEmpty()) {
            return RefUpdate.Result.NO_CHANGE;
        }
        if (this.reader == null) {
            load();
        }
        if (this.notes == null) {
            this.notes = NoteMap.newEmptyMap();
        }
        ObjectInserter newObjectInserter = this.repo.newObjectInserter();
        Throwable th = null;
        try {
            Iterator<PGPPublicKeyRing> it = this.toAdd.values().iterator();
            while (it.hasNext()) {
                saveToNotes(newObjectInserter, it.next());
            }
            Iterator<Fingerprint> it2 = this.toRemove.iterator();
            while (it2.hasNext()) {
                deleteFromNotes(newObjectInserter, it2.next());
            }
            commitBuilder.setTreeId(this.notes.writeTree(newObjectInserter));
            if (commitBuilder.getTreeId().equals(this.tip != null ? this.tip.getTree() : EMPTY_TREE)) {
                RefUpdate.Result result = RefUpdate.Result.NO_CHANGE;
                if (newObjectInserter != null) {
                    if (0 != 0) {
                        try {
                            newObjectInserter.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        newObjectInserter.close();
                    }
                }
                return result;
            }
            if (this.tip != null) {
                commitBuilder.setParentId(this.tip);
            }
            if (commitBuilder.getMessage() == null) {
                int size = this.toAdd.size() + this.toRemove.size();
                Object[] objArr = new Object[2];
                objArr[0] = Integer.valueOf(size);
                objArr[1] = size != 1 ? "s" : "";
                commitBuilder.setMessage(String.format("Update %d public key%s", objArr));
            }
            ObjectId insert = newObjectInserter.insert(commitBuilder);
            newObjectInserter.flush();
            if (newObjectInserter != null) {
                if (0 != 0) {
                    try {
                        newObjectInserter.close();
                    } catch (Throwable th3) {
                        th.addSuppressed(th3);
                    }
                } else {
                    newObjectInserter.close();
                }
            }
            RefUpdate updateRef = this.repo.updateRef(REFS_GPG_KEYS);
            updateRef.setExpectedOldObjectId(this.tip);
            updateRef.setNewObjectId(insert);
            updateRef.setRefLogIdent(commitBuilder.getCommitter());
            updateRef.setRefLogMessage("Store public keys", true);
            RefUpdate.Result update = updateRef.update();
            reset();
            switch (update) {
                case FAST_FORWARD:
                case NEW:
                case NO_CHANGE:
                    this.toAdd.clear();
                    this.toRemove.clear();
                    break;
            }
            return update;
        } catch (Throwable th4) {
            if (newObjectInserter != null) {
                if (0 != 0) {
                    try {
                        newObjectInserter.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    newObjectInserter.close();
                }
            }
            throw th4;
        }
    }

    private void saveToNotes(ObjectInserter objectInserter, PGPPublicKeyRing pGPPublicKeyRing) throws PGPException, IOException {
        long keyID = pGPPublicKeyRing.getPublicKey().getKeyID();
        PGPPublicKeyRingCollection pGPPublicKeyRingCollection = get(keyID);
        ArrayList arrayList = new ArrayList(pGPPublicKeyRingCollection.size() + 1);
        boolean z = false;
        Iterator it = pGPPublicKeyRingCollection.iterator();
        while (it.hasNext()) {
            PGPPublicKeyRing pGPPublicKeyRing2 = (PGPPublicKeyRing) it.next();
            if (sameKey(pGPPublicKeyRing, pGPPublicKeyRing2)) {
                arrayList.add(pGPPublicKeyRing);
                z = true;
            } else {
                arrayList.add(pGPPublicKeyRing2);
            }
        }
        if (!z) {
            arrayList.add(pGPPublicKeyRing);
        }
        this.notes.set(keyObjectId(keyID), objectInserter.insert(3, keysToArmored(arrayList)));
    }

    private void deleteFromNotes(ObjectInserter objectInserter, Fingerprint fingerprint) throws PGPException, IOException {
        long id = fingerprint.getId();
        PGPPublicKeyRingCollection pGPPublicKeyRingCollection = get(id);
        ArrayList arrayList = new ArrayList(pGPPublicKeyRingCollection.size());
        Iterator it = pGPPublicKeyRingCollection.iterator();
        while (it.hasNext()) {
            PGPPublicKeyRing pGPPublicKeyRing = (PGPPublicKeyRing) it.next();
            if (!fingerprint.equalsBytes(pGPPublicKeyRing.getPublicKey().getFingerprint())) {
                arrayList.add(pGPPublicKeyRing);
            }
        }
        if (arrayList.size() == pGPPublicKeyRingCollection.size()) {
            return;
        }
        if (arrayList.isEmpty()) {
            this.notes.remove(keyObjectId(id));
        } else {
            this.notes.set(keyObjectId(id), objectInserter.insert(3, keysToArmored(arrayList)));
        }
    }

    private static boolean sameKey(PGPPublicKeyRing pGPPublicKeyRing, PGPPublicKeyRing pGPPublicKeyRing2) {
        return Arrays.equals(pGPPublicKeyRing.getPublicKey().getFingerprint(), pGPPublicKeyRing2.getPublicKey().getFingerprint());
    }

    private static byte[] keysToArmored(List<PGPPublicKeyRing> list) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(4096 * list.size());
        for (PGPPublicKeyRing pGPPublicKeyRing : list) {
            ArmoredOutputStream armoredOutputStream = new ArmoredOutputStream(byteArrayOutputStream);
            Throwable th = null;
            try {
                try {
                    pGPPublicKeyRing.encode(armoredOutputStream);
                    if (armoredOutputStream != null) {
                        if (0 != 0) {
                            try {
                                armoredOutputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            armoredOutputStream.close();
                        }
                    }
                } finally {
                }
            } catch (Throwable th3) {
                if (armoredOutputStream != null) {
                    if (th != null) {
                        try {
                            armoredOutputStream.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        armoredOutputStream.close();
                    }
                }
                throw th3;
            }
        }
        return byteArrayOutputStream.toByteArray();
    }

    public static String keyToString(PGPPublicKey pGPPublicKey) {
        Iterator userIDs = pGPPublicKey.getUserIDs();
        Object[] objArr = new Object[3];
        objArr[0] = keyIdToString(pGPPublicKey.getKeyID());
        objArr[1] = userIDs.hasNext() ? ((String) userIDs.next()) + Association.FAILED_ASSOC_HANDLE : "";
        objArr[2] = Fingerprint.toString(pGPPublicKey.getFingerprint());
        return String.format("%s %s(%s)", objArr);
    }

    public static String keyIdToString(long j) {
        return String.format("%08X", Integer.valueOf((int) j));
    }

    static ObjectId keyObjectId(long j) {
        byte[] bArr = new byte[20];
        NB.encodeInt64(bArr, 0, j);
        return ObjectId.fromRaw(bArr);
    }
}
