package com.google.gerrit.gpg;

import com.google.common.base.Preconditions;
import com.google.common.io.ByteStreams;
import com.google.gerrit.git.LockFailureException;
import com.ibm.icu.text.DateFormat;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.bcpg.ArmoredInputStream;
import org.bouncycastle.bcpg.ArmoredOutputStream;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.bc.BcPGPObjectFactory;
import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;
import org.eclipse.jgit.errors.IncorrectObjectTypeException;
import org.eclipse.jgit.errors.MissingObjectException;
import org.eclipse.jgit.lib.AnyObjectId;
import org.eclipse.jgit.lib.CommitBuilder;
import org.eclipse.jgit.lib.Constants;
import org.eclipse.jgit.lib.ObjectId;
import org.eclipse.jgit.lib.ObjectInserter;
import org.eclipse.jgit.lib.ObjectReader;
import org.eclipse.jgit.lib.ObjectStream;
import org.eclipse.jgit.lib.Ref;
import org.eclipse.jgit.lib.RefUpdate;
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.notes.Note;
import org.eclipse.jgit.notes.NoteMap;
import org.eclipse.jgit.revwalk.RevCommit;
import org.eclipse.jgit.revwalk.RevWalk;
import org.eclipse.jgit.util.NB;

/* loaded from: input_file:WEB-INF/lib/com_google_gerrit_gpg_libgpg.jar:com/google/gerrit/gpg/PublicKeyStore.class */
public class PublicKeyStore implements AutoCloseable {
    public static final String REFS_GPG_KEYS = "refs/meta/gpg-keys";
    private final Repository repo;
    private ObjectReader reader;
    private RevCommit tip;
    private NoteMap notes;
    private Map<Fingerprint, PGPPublicKeyRing> toAdd = new HashMap();
    private Set<Fingerprint> toRemove = new HashSet();

    public static PGPPublicKey getSigner(Iterable<PGPPublicKeyRing> iterable, PGPSignature pGPSignature, byte[] bArr) throws PGPException {
        for (PGPPublicKeyRing pGPPublicKeyRing : iterable) {
            PGPPublicKey publicKey = pGPPublicKeyRing.getPublicKey(pGPSignature.getKeyID());
            if (publicKey == null) {
                throw new IllegalStateException("No public key found for ID: " + keyIdToString(pGPSignature.getKeyID()));
            }
            pGPSignature.init(new BcPGPContentVerifierBuilderProvider(), publicKey);
            pGPSignature.update(bArr);
            if (pGPSignature.verify()) {
                return pGPPublicKeyRing.getPublicKey();
            }
        }
        return null;
    }

    public static PGPPublicKey getSigner(Iterable<PGPPublicKeyRing> iterable, PGPSignature pGPSignature, String str, PGPPublicKey pGPPublicKey) throws PGPException {
        Iterator<PGPPublicKeyRing> it = iterable.iterator();
        while (it.hasNext()) {
            PGPPublicKey publicKey = it.next().getPublicKey();
            pGPSignature.init(new BcPGPContentVerifierBuilderProvider(), publicKey);
            if (pGPSignature.verifyCertification(str, pGPPublicKey)) {
                return publicKey;
            }
        }
        return null;
    }

    public PublicKeyStore(Repository repository) {
        this.repo = repository;
    }

    @Override // java.lang.AutoCloseable
    public void close() {
        reset();
    }

    private void reset() {
        if (this.reader != null) {
            this.reader.close();
            this.reader = null;
            this.notes = null;
        }
    }

    private void load() throws IOException {
        reset();
        this.reader = this.repo.newObjectReader();
        Ref exactRef = this.repo.getRefDatabase().exactRef(REFS_GPG_KEYS);
        if (exactRef == null) {
            return;
        }
        RevWalk revWalk = new RevWalk(this.reader);
        try {
            this.tip = revWalk.parseCommit(exactRef.getObjectId());
            this.notes = NoteMap.read(this.reader, this.tip);
            revWalk.close();
        } catch (Throwable th) {
            try {
                revWalk.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    public PGPPublicKeyRingCollection get(long j) throws PGPException, IOException {
        return new PGPPublicKeyRingCollection(get(j, (byte[]) null));
    }

    public PGPPublicKeyRing get(byte[] bArr) throws PGPException, IOException {
        List<PGPPublicKeyRing> list = get(Fingerprint.getId(bArr), bArr);
        if (list.isEmpty()) {
            return null;
        }
        return list.get(0);
    }

    private List<PGPPublicKeyRing> get(long j, byte[] bArr) throws IOException {
        if (this.reader == null) {
            load();
        }
        return this.notes == null ? Collections.emptyList() : get(keyObjectId(j), bArr);
    }

    private List<PGPPublicKeyRing> get(ObjectId objectId, byte[] bArr) throws IOException {
        Note note = this.notes.getNote(objectId);
        return note == null ? Collections.emptyList() : readKeysFromNote(note, bArr);
    }

    private List<PGPPublicKeyRing> readKeysFromNote(Note note, byte[] bArr) throws IOException, MissingObjectException, IncorrectObjectTypeException {
        boolean z = false;
        ArrayList arrayList = new ArrayList();
        ObjectStream openStream = this.reader.open(note.getData(), 3).openStream();
        try {
            byte[] byteArray = ByteStreams.toByteArray(openStream);
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArray);
            while (true) {
                Iterator it = new BcPGPObjectFactory(new ArmoredInputStream(byteArrayInputStream)).iterator();
                if (!it.hasNext()) {
                    break;
                }
                z = true;
                Object next = it.next();
                if (next instanceof PGPPublicKeyRing) {
                    PGPPublicKeyRing pGPPublicKeyRing = (PGPPublicKeyRing) next;
                    if (bArr == null || Arrays.equals(bArr, pGPPublicKeyRing.getPublicKey().getFingerprint())) {
                        arrayList.add(pGPPublicKeyRing);
                    }
                }
                Preconditions.checkState(!it.hasNext(), "expected one PGP object per ArmoredInputStream");
            }
            if (z) {
                if (openStream != null) {
                    openStream.close();
                }
                return arrayList;
            }
            String str = new String(byteArray, StandardCharsets.UTF_8);
            Preconditions.checkArgument(ObjectId.isId(str), "Not valid SHA1: " + str);
            List<PGPPublicKeyRing> list = get(ObjectId.fromString(str), bArr);
            if (openStream != null) {
                openStream.close();
            }
            return list;
        } catch (Throwable th) {
            if (openStream != null) {
                try {
                    openStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public void rebuildSubkeyMasterKeyMap() throws MissingObjectException, IncorrectObjectTypeException, IOException, PGPException {
        if (this.reader == null) {
            load();
        }
        if (this.notes != null) {
            ObjectInserter newObjectInserter = this.repo.newObjectInserter();
            try {
                Iterator<Note> it = this.notes.iterator();
                while (it.hasNext()) {
                    Iterator<PGPPublicKeyRing> it2 = new PGPPublicKeyRingCollection(readKeysFromNote(it.next(), null)).iterator();
                    while (it2.hasNext()) {
                        PGPPublicKeyRing next = it2.next();
                        long keyID = next.getPublicKey().getKeyID();
                        saveSubkeyMapping(newObjectInserter, next, keyID, keyObjectId(keyID));
                    }
                }
                if (newObjectInserter != null) {
                    newObjectInserter.close();
                }
            } catch (Throwable th) {
                if (newObjectInserter != null) {
                    try {
                        newObjectInserter.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
    }

    public void add(PGPPublicKeyRing pGPPublicKeyRing) {
        int i = 0;
        Iterator<PGPPublicKey> it = pGPPublicKeyRing.iterator();
        while (it.hasNext()) {
            if (it.next().isMasterKey()) {
                i++;
            }
        }
        if (i != 1) {
            throw new IllegalArgumentException("Exactly 1 master key is required, found " + i);
        }
        Fingerprint fingerprint = new Fingerprint(pGPPublicKeyRing.getPublicKey().getFingerprint());
        this.toAdd.put(fingerprint, pGPPublicKeyRing);
        this.toRemove.remove(fingerprint);
    }

    public void remove(byte[] bArr) {
        Fingerprint fingerprint = new Fingerprint(bArr);
        this.toAdd.remove(fingerprint);
        this.toRemove.add(fingerprint);
    }

    public RefUpdate.Result save(CommitBuilder commitBuilder) throws PGPException, IOException {
        if (this.toAdd.isEmpty() && this.toRemove.isEmpty()) {
            return RefUpdate.Result.NO_CHANGE;
        }
        if (this.reader == null) {
            load();
        }
        if (this.notes == null) {
            this.notes = NoteMap.newEmptyMap();
        }
        ObjectInserter newObjectInserter = this.repo.newObjectInserter();
        try {
            Iterator<PGPPublicKeyRing> it = this.toAdd.values().iterator();
            while (it.hasNext()) {
                saveToNotes(newObjectInserter, it.next());
            }
            Iterator<Fingerprint> it2 = this.toRemove.iterator();
            while (it2.hasNext()) {
                deleteFromNotes(newObjectInserter, it2.next());
            }
            commitBuilder.setTreeId(this.notes.writeTree(newObjectInserter));
            if (commitBuilder.getTreeId().equals(this.tip != null ? this.tip.getTree() : Constants.EMPTY_TREE_ID)) {
                RefUpdate.Result result = RefUpdate.Result.NO_CHANGE;
                if (newObjectInserter != null) {
                    newObjectInserter.close();
                }
                return result;
            }
            if (this.tip != null) {
                commitBuilder.setParentId(this.tip);
            }
            if (commitBuilder.getMessage() == null) {
                int size = this.toAdd.size() + this.toRemove.size();
                Object[] objArr = new Object[2];
                objArr[0] = Integer.valueOf(size);
                objArr[1] = size != 1 ? DateFormat.SECOND : "";
                commitBuilder.setMessage(String.format("Update %d public key%s", objArr));
            }
            ObjectId insert = newObjectInserter.insert(commitBuilder);
            newObjectInserter.flush();
            if (newObjectInserter != null) {
                newObjectInserter.close();
            }
            RefUpdate updateRef = this.repo.updateRef(REFS_GPG_KEYS);
            updateRef.setExpectedOldObjectId(this.tip);
            updateRef.setNewObjectId(insert);
            updateRef.setRefLogIdent(commitBuilder.getCommitter());
            updateRef.setRefLogMessage("Store public keys", true);
            RefUpdate.Result update = updateRef.update();
            reset();
            switch (update) {
                case FAST_FORWARD:
                case NEW:
                case NO_CHANGE:
                    this.toAdd.clear();
                    this.toRemove.clear();
                    break;
                case LOCK_FAILURE:
                    throw new LockFailureException("Failed to store public keys", updateRef);
            }
            return update;
        } catch (Throwable th) {
            if (newObjectInserter != null) {
                try {
                    newObjectInserter.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void saveToNotes(ObjectInserter objectInserter, PGPPublicKeyRing pGPPublicKeyRing) throws PGPException, IOException {
        long keyID = pGPPublicKeyRing.getPublicKey().getKeyID();
        PGPPublicKeyRingCollection pGPPublicKeyRingCollection = get(keyID);
        ArrayList arrayList = new ArrayList(pGPPublicKeyRingCollection.size() + 1);
        boolean z = false;
        Iterator<PGPPublicKeyRing> it = pGPPublicKeyRingCollection.iterator();
        while (it.hasNext()) {
            PGPPublicKeyRing next = it.next();
            if (sameKey(pGPPublicKeyRing, next)) {
                arrayList.add(pGPPublicKeyRing);
                z = true;
            } else {
                arrayList.add(next);
            }
        }
        if (!z) {
            arrayList.add(pGPPublicKeyRing);
        }
        ObjectId keyObjectId = keyObjectId(keyID);
        this.notes.set(keyObjectId, objectInserter.insert(3, keysToArmored(arrayList)));
        saveSubkeyMapping(objectInserter, pGPPublicKeyRing, keyID, keyObjectId);
    }

    private void saveSubkeyMapping(ObjectInserter objectInserter, PGPPublicKeyRing pGPPublicKeyRing, long j, ObjectId objectId) throws IOException {
        byte[] bytes = objectId.name().getBytes(StandardCharsets.UTF_8);
        ObjectId objectId2 = null;
        Iterator<PGPPublicKey> it = pGPPublicKeyRing.iterator();
        while (it.hasNext()) {
            long keyID = it.next().getKeyID();
            if (j != keyID) {
                if (objectId2 == null) {
                    objectId2 = objectInserter.insert(3, bytes);
                }
                ObjectId keyObjectId = keyObjectId(keyID);
                Preconditions.checkArgument(this.notes.get(keyObjectId) == null || this.notes.get(keyObjectId).equals((AnyObjectId) objectId2), "Master key differs for subkey: " + keyObjectId.name());
                this.notes.set(keyObjectId, objectId2);
            }
        }
    }

    private void deleteFromNotes(ObjectInserter objectInserter, Fingerprint fingerprint) throws PGPException, IOException {
        long id = fingerprint.getId();
        PGPPublicKeyRingCollection pGPPublicKeyRingCollection = get(id);
        ArrayList arrayList = new ArrayList(pGPPublicKeyRingCollection.size());
        Iterator<PGPPublicKeyRing> it = pGPPublicKeyRingCollection.iterator();
        while (it.hasNext()) {
            PGPPublicKeyRing next = it.next();
            if (!fingerprint.equalsBytes(next.getPublicKey().getFingerprint())) {
                arrayList.add(next);
            }
        }
        if (arrayList.size() == pGPPublicKeyRingCollection.size()) {
            return;
        }
        ObjectId keyObjectId = keyObjectId(id);
        if (!arrayList.isEmpty()) {
            this.notes.set(keyObjectId, objectInserter.insert(3, keysToArmored(arrayList)));
            return;
        }
        Iterator<PGPPublicKey> it2 = get(fingerprint.get()).iterator();
        while (it2.hasNext()) {
            long keyID = it2.next().getKeyID();
            if (id != keyID) {
                this.notes.remove(keyObjectId(keyID));
            }
        }
        this.notes.remove(keyObjectId);
    }

    private static boolean sameKey(PGPPublicKeyRing pGPPublicKeyRing, PGPPublicKeyRing pGPPublicKeyRing2) {
        return Arrays.equals(pGPPublicKeyRing.getPublicKey().getFingerprint(), pGPPublicKeyRing2.getPublicKey().getFingerprint());
    }

    private static byte[] keysToArmored(List<PGPPublicKeyRing> list) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(4096 * list.size());
        for (PGPPublicKeyRing pGPPublicKeyRing : list) {
            ArmoredOutputStream armoredOutputStream = new ArmoredOutputStream(byteArrayOutputStream);
            try {
                pGPPublicKeyRing.encode(armoredOutputStream);
                armoredOutputStream.close();
            } catch (Throwable th) {
                try {
                    armoredOutputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }
        return byteArrayOutputStream.toByteArray();
    }

    public static String keyToString(PGPPublicKey pGPPublicKey) {
        Iterator<String> userIDs = pGPPublicKey.getUserIDs();
        Object[] objArr = new Object[3];
        objArr[0] = keyIdToString(pGPPublicKey.getKeyID());
        objArr[1] = userIDs.hasNext() ? userIDs.next() + " " : "";
        objArr[2] = Fingerprint.toString(pGPPublicKey.getFingerprint());
        return String.format("%s %s(%s)", objArr);
    }

    public static String keyIdToString(long j) {
        return String.format("%08X", Integer.valueOf((int) j));
    }

    static ObjectId keyObjectId(long j) {
        byte[] bArr = new byte[20];
        NB.encodeInt64(bArr, 0, j);
        return ObjectId.fromRaw(bArr);
    }
}
