package org.sonar.python.checks.hotspots;

import java.util.List;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
import org.sonar.check.Rule;
import org.sonar.python.PythonSubscriptionCheck;
import org.sonar.python.SubscriptionCheck;
import org.sonar.python.SubscriptionContext;
import org.sonar.python.api.tree.PyArgumentTree;
import org.sonar.python.api.tree.PyCallExpressionTree;
import org.sonar.python.api.tree.PyExpressionTree;
import org.sonar.python.api.tree.PyNameTree;
import org.sonar.python.api.tree.PyNumericLiteralTree;
import org.sonar.python.api.tree.PyQualifiedExpressionTree;
import org.sonar.python.api.tree.Tree;
import org.sonar.python.semantic.Symbol;

@Rule(key = "S4426")
/* loaded from: input_file:org/sonar/python/checks/hotspots/StrongCryptographicKeysCheck.class */
public class StrongCryptographicKeysCheck extends PythonSubscriptionCheck {
    private static final Pattern CRYPTOGRAPHY = Pattern.compile("cryptography.hazmat.primitives.asymmetric.(rsa|dsa|ec).generate_private_key");
    private static final Pattern CRYPTOGRAPHY_FORBIDDEN_CURVE = Pattern.compile("(SECP192R1|SECT163K1|SECT163R2)");
    private static final Pattern CRYPTO = Pattern.compile("Crypto.PublicKey.(RSA|DSA).generate");
    private static final Pattern CRYPTODOME = Pattern.compile("Cryptodome.PublicKey.(RSA|DSA).generate");

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/python/checks/hotspots/StrongCryptographicKeysCheck$CryptoAPICheck.class */
    public static abstract class CryptoAPICheck {
        private static final int CURVE_ARGUMENT_POSITION = 0;

        private CryptoAPICheck() {
        }

        abstract int getKeySizeArgumentPosition();

        abstract int getExponentArgumentPosition();

        abstract String getKeySizeKeywordName();

        abstract String getExponentKeywordName();

        private boolean isNonCompliantKeySizeArgument(PyArgumentTree pyArgumentTree, int i) {
            PyNameTree keywordArgument = pyArgumentTree.keywordArgument();
            return keywordArgument == null ? i == getKeySizeArgumentPosition() && isLessThan2048(pyArgumentTree.expression()) : keywordArgument.name().equals(getKeySizeKeywordName()) && isLessThan2048(pyArgumentTree.expression());
        }

        private boolean isNonCompliantExponentArgument(PyArgumentTree pyArgumentTree, int i) {
            PyNameTree keywordArgument = pyArgumentTree.keywordArgument();
            return keywordArgument == null ? i == getExponentArgumentPosition() && isLessThan65537(pyArgumentTree.expression()) : keywordArgument.name().equals(getExponentKeywordName()) && isLessThan65537(pyArgumentTree.expression());
        }

        private static boolean isLessThan2048(PyExpressionTree pyExpressionTree) {
            try {
                if (pyExpressionTree.is(Tree.Kind.NUMERIC_LITERAL)) {
                    if (((PyNumericLiteralTree) pyExpressionTree).valueAsLong() < 2048) {
                        return true;
                    }
                }
                return false;
            } catch (NumberFormatException e) {
                return false;
            }
        }

        private static boolean isLessThan65537(PyExpressionTree pyExpressionTree) {
            try {
                if (pyExpressionTree.is(Tree.Kind.NUMERIC_LITERAL)) {
                    if (((PyNumericLiteralTree) pyExpressionTree).valueAsLong() < 65537) {
                        return true;
                    }
                }
                return false;
            } catch (NumberFormatException e) {
                return false;
            }
        }

        private static boolean isNonCompliantCurveArgument(PyArgumentTree pyArgumentTree, int i, SubscriptionContext subscriptionContext) {
            PyNameTree keywordArgument = pyArgumentTree.keywordArgument();
            return keywordArgument == null ? i == 0 && isNonCompliantCurve(pyArgumentTree.expression(), subscriptionContext) : keywordArgument.name().equals("curve") && isNonCompliantCurve(pyArgumentTree.expression(), subscriptionContext);
        }

        private static boolean isNonCompliantCurve(PyExpressionTree pyExpressionTree, SubscriptionContext subscriptionContext) {
            if (!pyExpressionTree.is(Tree.Kind.QUALIFIED_EXPR)) {
                return false;
            }
            PyQualifiedExpressionTree pyQualifiedExpressionTree = (PyQualifiedExpressionTree) pyExpressionTree;
            Symbol symbol = subscriptionContext.symbolTable().getSymbol(pyQualifiedExpressionTree.qualifier());
            if (symbol == null || !symbol.qualifiedName().equals("cryptography.hazmat.primitives.asymmetric.ec")) {
                return false;
            }
            return StrongCryptographicKeysCheck.CRYPTOGRAPHY_FORBIDDEN_CURVE.matcher(pyQualifiedExpressionTree.name().name()).matches();
        }

        void checkArguments(SubscriptionContext subscriptionContext, List<PyArgumentTree> list) {
            for (PyArgumentTree pyArgumentTree : list) {
                if (isNonCompliantKeySizeArgument(pyArgumentTree, 0)) {
                    subscriptionContext.addIssue(pyArgumentTree, "Use a key length of at least 2048 bits.");
                }
                if (isNonCompliantExponentArgument(pyArgumentTree, 0)) {
                    subscriptionContext.addIssue(pyArgumentTree, "Use a public key exponent of at least 65537.");
                }
                if ((this instanceof CryptographyModuleCheck) && isNonCompliantCurveArgument(pyArgumentTree, 0, subscriptionContext)) {
                    subscriptionContext.addIssue(pyArgumentTree, "Use a key length of at least 224 bits.");
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/python/checks/hotspots/StrongCryptographicKeysCheck$CryptoModuleCheck.class */
    public static class CryptoModuleCheck extends CryptoAPICheck {
        private CryptoModuleCheck() {
            super();
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected int getExponentArgumentPosition() {
            return 3;
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected int getKeySizeArgumentPosition() {
            return 0;
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected String getExponentKeywordName() {
            return "e";
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected String getKeySizeKeywordName() {
            return "bits";
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/python/checks/hotspots/StrongCryptographicKeysCheck$CryptodomeModuleCheck.class */
    public static class CryptodomeModuleCheck extends CryptoAPICheck {
        private CryptodomeModuleCheck() {
            super();
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected int getExponentArgumentPosition() {
            return 2;
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected String getExponentKeywordName() {
            return "e";
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected String getKeySizeKeywordName() {
            return "bits";
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected int getKeySizeArgumentPosition() {
            return 0;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/python/checks/hotspots/StrongCryptographicKeysCheck$CryptographyModuleCheck.class */
    public static class CryptographyModuleCheck extends CryptoAPICheck {
        private CryptographyModuleCheck() {
            super();
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected int getKeySizeArgumentPosition() {
            return 1;
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected int getExponentArgumentPosition() {
            return 0;
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected String getKeySizeKeywordName() {
            return "key_size";
        }

        @Override // org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck.CryptoAPICheck
        protected String getExponentKeywordName() {
            return "public_exponent";
        }
    }

    @Override // org.sonar.python.SubscriptionCheck
    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, subscriptionContext -> {
            PyCallExpressionTree pyCallExpressionTree = (PyCallExpressionTree) subscriptionContext.syntaxNode();
            List<PyArgumentTree> arguments = pyCallExpressionTree.arguments();
            String qualifiedName = getQualifiedName(pyCallExpressionTree, subscriptionContext);
            if (CRYPTOGRAPHY.matcher(qualifiedName).matches()) {
                new CryptographyModuleCheck().checkArguments(subscriptionContext, arguments);
            } else if (CRYPTO.matcher(qualifiedName).matches()) {
                new CryptoModuleCheck().checkArguments(subscriptionContext, arguments);
            } else if (CRYPTODOME.matcher(qualifiedName).matches()) {
                new CryptodomeModuleCheck().checkArguments(subscriptionContext, arguments);
            }
        });
    }

    private static String getQualifiedName(PyCallExpressionTree pyCallExpressionTree, SubscriptionContext subscriptionContext) {
        PyExpressionTree callee = pyCallExpressionTree.callee();
        String str = StringUtils.EMPTY;
        if (callee.is(Tree.Kind.QUALIFIED_EXPR)) {
            str = "." + ((PyQualifiedExpressionTree) callee).name().name();
            callee = ((PyQualifiedExpressionTree) callee).qualifier();
        }
        Symbol symbol = subscriptionContext.symbolTable().getSymbol(callee);
        return symbol != null ? symbol.qualifiedName() + str : StringUtils.EMPTY;
    }
}
