package org.sonar.python.checks.hotspots;

import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.Argument;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.HasSymbol;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.hotspots.CommonValidationUtils;
import org.sonar.python.checks.utils.Expressions;
import org.sonar.python.semantic.SymbolUtils;
import org.sonar.python.tree.TreeUtils;

@Rule(key = "S4426")
/* loaded from: input_file:org/sonar/python/checks/hotspots/StrongCryptographicKeysCheck.class */
public class StrongCryptographicKeysCheck extends PythonSubscriptionCheck {
    public static final String MESSAGE_AT_LEAST_65537_EXPONENT = "Use a public key exponent of at least 65537.";
    public static final String MESSAGE_AT_LEAST_2048_BIT = "Use a key length of at least 2048 bits.";
    public static final String MESSAGE_AT_LEAST_224_BIT = "Use a key length of at least 224 bits.";
    public static final String MESSAGE_NIST_APPROVED_CURVE = "Use a NIST-approved elliptic curve.";
    private static final Pattern CRYPTOGRAPHY_FORBIDDEN_CURVE = Pattern.compile("(SECP192R1|SECT571K1|SECT409K1|SECT283K1|SECT233K1|SECT163K1|SECT571R1|SECT409R1|SECT283R1|SECT233R1|SECT163R2)");
    private static final CommonValidationUtils.ArgumentValidator CRYPTOGRAPHY_KEY_SIZE = new CommonValidationUtils.ArgumentValidator(1, "key_size", (subscriptionContext, regularArgument) -> {
        if (isLessThan2048(regularArgument)) {
            subscriptionContext.addIssue(regularArgument, MESSAGE_AT_LEAST_2048_BIT);
        }
    });
    private static final CommonValidationUtils.ArgumentValidator CRYPTOGRAPHY_PUBLIC_EXPONENT = new CommonValidationUtils.ArgumentValidator(0, "public_exponent", (subscriptionContext, regularArgument) -> {
        if (isLessThan65537(regularArgument)) {
            subscriptionContext.addIssue(regularArgument, MESSAGE_AT_LEAST_65537_EXPONENT);
        }
    });
    public static final String CURVE = "curve";
    private static final CommonValidationUtils.ArgumentValidator CRYPTOGRAPHY_CURVE = new CommonValidationUtils.ArgumentValidator(0, CURVE, (subscriptionContext, regularArgument) -> {
        if (isNonCompliantCurve(regularArgument.expression())) {
            subscriptionContext.addIssue(regularArgument, MESSAGE_AT_LEAST_224_BIT);
        }
    });
    private static final CommonValidationUtils.ArgumentValidator CRYPTO_CRYPTODOME_KEY_SIZE = new CommonValidationUtils.ArgumentValidator(0, "bits", (subscriptionContext, regularArgument) -> {
        if (isLessThan2048(regularArgument)) {
            subscriptionContext.addIssue(regularArgument, MESSAGE_AT_LEAST_2048_BIT);
        }
    });
    private static final CommonValidationUtils.ArgumentValidator CRYPTO_EXPONENT = new CommonValidationUtils.ArgumentValidator(3, "e", (subscriptionContext, regularArgument) -> {
        if (isLessThan65537(regularArgument)) {
            subscriptionContext.addIssue(regularArgument, MESSAGE_AT_LEAST_65537_EXPONENT);
        }
    });
    private static final CommonValidationUtils.ArgumentValidator CRYPTODOME_EXPONENT = new CommonValidationUtils.ArgumentValidator(2, "e", (subscriptionContext, regularArgument) -> {
        if (isLessThan65537(regularArgument)) {
            subscriptionContext.addIssue(regularArgument, MESSAGE_AT_LEAST_65537_EXPONENT);
        }
    });
    private static final CommonValidationUtils.ArgumentValidator CRYPTODOME_ELGAMAL_CURVE = new CommonValidationUtils.ArgumentValidator(0, CURVE, (subscriptionContext, regularArgument) -> {
        if (isLessThan2048(regularArgument)) {
            subscriptionContext.addIssue(regularArgument, MESSAGE_AT_LEAST_2048_BIT);
        }
    });
    private static final CommonValidationUtils.ArgumentValidator CRYPTODOME_ECC_FORBIDDEN_CURVE = new CommonValidationUtils.ArgumentValidator(0, CURVE, (subscriptionContext, regularArgument) -> {
        if (isForbiddenCurve(regularArgument.expression(), Set.of("NIST P-192", "p192", "P-192", "prime192v1", "secp192r1"))) {
            subscriptionContext.addIssue(regularArgument, MESSAGE_NIST_APPROVED_CURVE);
        }
    });
    private static final Map<String, Collection<CommonValidationUtils.CallValidator>> CALL_EXPRESSION_VALIDATORS = Map.ofEntries(Map.entry("cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key", List.of(CRYPTOGRAPHY_KEY_SIZE, CRYPTOGRAPHY_PUBLIC_EXPONENT, CRYPTOGRAPHY_CURVE)), Map.entry("cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key", List.of(CRYPTOGRAPHY_KEY_SIZE, CRYPTOGRAPHY_PUBLIC_EXPONENT, CRYPTOGRAPHY_CURVE)), Map.entry("cryptography.hazmat.primitives.asymmetric.ec.generate_private_key", List.of(CRYPTOGRAPHY_KEY_SIZE, CRYPTOGRAPHY_PUBLIC_EXPONENT, CRYPTOGRAPHY_CURVE)), Map.entry("cryptography.hazmat.primitives.asymmetric.dh.generate_parameters", List.of(CRYPTOGRAPHY_KEY_SIZE)), Map.entry("Crypto.PublicKey.RSA.generate", List.of(CRYPTO_CRYPTODOME_KEY_SIZE, CRYPTO_EXPONENT)), Map.entry("Crypto.PublicKey.DSA.generate", List.of(CRYPTO_CRYPTODOME_KEY_SIZE, CRYPTO_EXPONENT)), Map.entry("Cryptodome.PublicKey.RSA.generate", List.of(CRYPTO_CRYPTODOME_KEY_SIZE, CRYPTODOME_EXPONENT)), Map.entry("Cryptodome.PublicKey.DSA.generate", List.of(CRYPTO_CRYPTODOME_KEY_SIZE, CRYPTODOME_EXPONENT)), Map.entry("Cryptodome.PublicKey.ElGamal.generate", List.of(CRYPTODOME_ELGAMAL_CURVE)), Map.entry("Cryptodome.PublicKey.ECC.generate", List.of(CRYPTODOME_ECC_FORBIDDEN_CURVE)), Map.entry("OpenSSL.crypto.PKey.generate_key", List.of(new OpenSslCryptoModuleCallValidator())));

    /* loaded from: input_file:org/sonar/python/checks/hotspots/StrongCryptographicKeysCheck$OpenSslCryptoModuleCallValidator.class */
    private static class OpenSslCryptoModuleCallValidator implements CommonValidationUtils.CallValidator {
        private static final Set<String> KEY_TYPE_FQNS_TO_CHECK = Set.of("OpenSSL.crypto.TYPE_RSA", "OpenSSL.crypto.TYPE_DSA");

        private OpenSslCryptoModuleCallValidator() {
        }

        @Override // org.sonar.python.checks.hotspots.CommonValidationUtils.CallValidator
        public void validate(SubscriptionContext subscriptionContext, CallExpression callExpression) {
            List arguments = callExpression.arguments();
            if (keyTypeNeedsToBeChecked(arguments)) {
                TreeUtils.nthArgumentOrKeywordOptional(1, "bits", arguments).filter(StrongCryptographicKeysCheck::isLessThan2048).ifPresent(regularArgument -> {
                    subscriptionContext.addIssue(regularArgument, StrongCryptographicKeysCheck.MESSAGE_AT_LEAST_2048_BIT);
                });
            }
        }

        private static boolean keyTypeNeedsToBeChecked(List<Argument> list) {
            Optional map = TreeUtils.nthArgumentOrKeywordOptional(0, "type", list).map((v0) -> {
                return v0.expression();
            });
            Class<HasSymbol> cls = HasSymbol.class;
            Objects.requireNonNull(HasSymbol.class);
            Optional filter = map.filter((v1) -> {
                return r1.isInstance(v1);
            });
            Class<HasSymbol> cls2 = HasSymbol.class;
            Objects.requireNonNull(HasSymbol.class);
            Optional map2 = filter.map((v1) -> {
                return r1.cast(v1);
            }).map((v0) -> {
                return v0.symbol();
            }).map((v0) -> {
                return v0.fullyQualifiedName();
            });
            Set<String> set = KEY_TYPE_FQNS_TO_CHECK;
            Objects.requireNonNull(set);
            return ((Boolean) map2.map((v1) -> {
                return r1.contains(v1);
            }).orElse(false)).booleanValue();
        }
    }

    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, subscriptionContext -> {
            CallExpression syntaxNode = subscriptionContext.syntaxNode();
            CALL_EXPRESSION_VALIDATORS.getOrDefault(SymbolUtils.qualifiedNameOrEmpty(syntaxNode), List.of()).forEach(callValidator -> {
                callValidator.validate(subscriptionContext, syntaxNode);
            });
        });
    }

    private static boolean isForbiddenCurve(Expression expression, Set<String> set) {
        if (expression.getKind() == Tree.Kind.STRING_LITERAL) {
            return set.contains(((StringLiteral) expression).trimmedQuotesValue());
        }
        if (expression.getKind() == Tree.Kind.NAME) {
            return ((Boolean) Expressions.singleAssignedNonNameValue((Name) expression).map(expression2 -> {
                return Boolean.valueOf(isForbiddenCurve(expression2, set));
            }).orElse(false)).booleanValue();
        }
        return false;
    }

    private static boolean isNonCompliantCurve(Expression expression) {
        Symbol symbol;
        if (expression instanceof Name) {
            expression = Expressions.singleAssignedValue((Name) expression);
            if (expression == null) {
                return false;
            }
        }
        if (expression instanceof CallExpression) {
            expression = ((CallExpression) expression).callee();
        }
        if (!expression.is(new Tree.Kind[]{Tree.Kind.QUALIFIED_EXPR})) {
            return false;
        }
        QualifiedExpression qualifiedExpression = (QualifiedExpression) expression;
        HasSymbol qualifier = qualifiedExpression.qualifier();
        if ((qualifier instanceof HasSymbol) && (symbol = qualifier.symbol()) != null && "cryptography.hazmat.primitives.asymmetric.ec".equals(symbol.fullyQualifiedName())) {
            return CRYPTOGRAPHY_FORBIDDEN_CURVE.matcher(qualifiedExpression.name().name()).matches();
        }
        return false;
    }

    private static boolean isLessThan2048(RegularArgument regularArgument) {
        return CommonValidationUtils.isLessThan(regularArgument.expression(), 2048);
    }

    private static boolean isLessThan65537(RegularArgument regularArgument) {
        return CommonValidationUtils.isLessThan(regularArgument.expression(), 65537);
    }
}
