package org.cloudfoundry.multiapps.controller.process.util;

import java.io.IOException;
import java.io.InputStream;
import java.net.JarURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.inject.Named;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.commons.lang3.ArrayUtils;
import org.cloudfoundry.multiapps.common.SLException;
import org.cloudfoundry.multiapps.controller.core.util.FileUtils;
import org.cloudfoundry.multiapps.controller.process.Messages;

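/**
 * Verifies that every content entry of a JAR-style archive carries a valid signature whose signer chains to one of a
 * caller-supplied set of trusted certificates.
 *
 * What is checked:
 * <ul>
 * <li>every entry is read to EOF through {@link JarFile}, which makes the JDK verify the manifest digests and the
 * signature blocks (a tampered entry surfaces as a {@link SecurityException});</li>
 * <li>every entry that is not a signature-related file directly under {@code META-INF/} (the manifest, *.SF, *.DSA,
 * *.RSA, *.EC, SIG-*) must be signed - this is the same set of files jarsigner itself leaves unsigned;</li>
 * <li>for each signed entry at least one signer must present a certificate path that is within its validity period
 * now, contains the expected common name if one was given, and cryptographically chains to a trusted
 * certificate.</li>
 * </ul>
 * Not checked: certificate revocation (path validation runs with revocation disabled so that no network access is
 * needed) and signature timestamps (a signer certificate that has expired since signing is rejected).
 */
@Named
public class JarSignatureVerifier {

    private static final String META_INF_PREFIX = "META-INF/";
    private static final String MANIFEST_NAME = "MANIFEST.MF";
    private static final String SIGNATURE_FILE_PREFIX = "SIG-";
    private static final List<String> SIGNATURE_FILE_EXTENSIONS = Arrays.asList(".SF", ".DSA", ".RSA", ".EC");
    private static final int BUFFER_SIZE = 8192;

    /**
     * Verifies the archive located at {@code url}.
     *
     * @param url location of the archive; it is wrapped into a {@code jar:} URL and opened through
     *        {@link JarURLConnection}
     * @param trustedCertificates certificates that may serve as trust anchors for the signers
     * @param expectedCommonName common name that must appear in a signer's certificate path, or {@code null} to
     *        accept any trusted signer
     * @throws SLException if the archive cannot be opened, is unsigned or only partially signed, has been tampered
     *         with, or is signed by an untrusted, expired or not-yet-valid certificate; the cause is preserved
     */
    public void verify(URL url, List<X509Certificate> trustedCertificates, String expectedCommonName) {
        try (JarFile jarFile = openJarFile(url)) {
            verifyJarEntries(getJarEntries(jarFile), trustedCertificates, expectedCommonName);
        } catch (IOException | SecurityException | SLException e) {
            // SecurityException is what JarFile raises for a digest or signature mismatch while an entry is read
            throw new SLException(e, Messages.COULD_NOT_VERIFY_ARCHIVE_SIGNATURE, new Object[] { e.getMessage() });
        }
    }

    private JarFile openJarFile(URL url) throws IOException {
        JarURLConnection connection = (JarURLConnection) toJarUrl(url).openConnection();
        // With caching on (the URLConnection default) the JDK hands out a JarFile from its process-wide cache: it is
        // never closed and, if the file behind the URL is replaced, keeps serving the old content. With caching off
        // the JarFile belongs to us, so verify() closes it when done.
        connection.setUseCaches(false);
        return connection.getJarFile();
    }

    private URL toJarUrl(URL url) throws MalformedURLException {
        return new URL("jar:" + url.toString() + "!/");
    }

    /**
     * Reads every entry so that the JDK verifies it and returns the non-directory entries. Path validation and the
     * verifying read happen before the directory filter, so directory names are validated as well.
     */
    private List<JarEntry> getJarEntries(JarFile jarFile) {
        return jarFile.stream()
                      .map(jarEntry -> verifyJarEntry(jarFile, jarEntry))
                      .filter(jarEntry -> !jarEntry.isDirectory())
                      .collect(Collectors.toList());
    }

    private JarEntry verifyJarEntry(JarFile jarFile, JarEntry jarEntry) {
        // project helper; presumably rejects traversal-style entry names before anything is extracted - see FileUtils
        FileUtils.validatePath(jarEntry.getName());
        try {
            verifySignature(jarFile, jarEntry);
            return jarEntry;
        } catch (IOException e) {
            throw new SLException(e, e.getMessage());
        }
    }

    /**
     * Consumes the entry's stream to EOF. {@link JarFile} verifies the manifest digest and the signature blocks while
     * the bytes are read and only afterwards exposes the signers through {@link JarEntry#getCodeSigners()} and
     * {@link JarEntry#getCertificates()}; a tampered entry fails inside {@code read()} with a
     * {@link SecurityException}.
     */
    private void verifySignature(JarFile jarFile, JarEntry jarEntry) throws IOException {
        byte[] buffer = new byte[BUFFER_SIZE];
        try (InputStream inputStream = jarFile.getInputStream(jarEntry)) {
            while (inputStream.read(buffer, 0, buffer.length) != -1) {
                // the content is discarded; only the verification side effect matters
            }
        }
    }

    private void verifyJarEntries(List<JarEntry> jarEntries, List<X509Certificate> trustedCertificates,
                                  String expectedCommonName) {
        verifyArchiveFilesAreSigned(jarEntries);
        for (JarEntry signedEntry : getSignedJarEntries(jarEntries)) {
            validateSigners(signedEntry, trustedCertificates, expectedCommonName);
        }
    }

    /**
     * Fails unless every content entry is signed. Only signature-related files directly under META-INF/ are exempt;
     * previously everything under META-INF/ was, which let unsigned files be added there (deployment metadata
     * included) without detection. An archive with no content entries at all is reported as not signed.
     */
    private void verifyArchiveFilesAreSigned(List<JarEntry> jarEntries) {
        List<JarEntry> contentEntries = jarEntries.stream()
                                                  .filter(entry -> !isSignatureRelated(entry))
                                                  .collect(Collectors.toList());
        List<JarEntry> unsignedEntries = contentEntries.stream()
                                                       .filter(entry -> !isSigned(entry))
                                                       .collect(Collectors.toList());
        if (contentEntries.isEmpty() || unsignedEntries.size() == contentEntries.size()) {
            throw new SLException(Messages.THE_ARCHIVE_IS_NOT_SIGNED);
        }
        if (!unsignedEntries.isEmpty()) {
            throw new SLException(Messages.THE_ARCHIVE_CONTAINS_UNSIGNED_FILES,
                                  new Object[] { getJarEntriesNames(unsignedEntries) });
        }
    }

    /**
     * Mirrors the JDK's / jarsigner's notion of a signature-related file: the manifest, *.SF, *.DSA, *.RSA, *.EC and
     * SIG-* files located directly in META-INF/ (case-insensitive). Nothing in a subdirectory qualifies.
     */
    private boolean isSignatureRelated(JarEntry jarEntry) {
        String name = jarEntry.getName().toUpperCase(Locale.ROOT);
        if (!name.startsWith(META_INF_PREFIX)) {
            return false;
        }
        String fileName = name.substring(META_INF_PREFIX.length());
        if (fileName.indexOf('/') != -1) {
            return false;
        }
        return fileName.equals(MANIFEST_NAME)
            || fileName.startsWith(SIGNATURE_FILE_PREFIX)
            || SIGNATURE_FILE_EXTENSIONS.stream().anyMatch(fileName::endsWith);
    }

    private boolean isSigned(JarEntry jarEntry) {
        // null until the entry has been read to EOF, which getJarEntries() guarantees
        CodeSigner[] signers = jarEntry.getCodeSigners();
        return signers != null && signers.length > 0;
    }

    private String getJarEntriesNames(List<JarEntry> jarEntries) {
        return jarEntries.stream().map(JarEntry::getName).collect(Collectors.joining(System.lineSeparator()));
    }

    private List<JarEntry> getSignedJarEntries(List<JarEntry> jarEntries) {
        return jarEntries.stream().filter(this::isSigned).collect(Collectors.toList());
    }

    /**
     * An entry may carry several signers. getCodeSigners() keeps each signer's chain separate (getCertificates()
     * flattens them into one array), so every chain is validated on its own; the entry is accepted as soon as one
     * signer passes, and the first failure is reported when none does.
     */
    private void validateSigners(JarEntry signedEntry, List<X509Certificate> trustedCertificates,
                                 String expectedCommonName) {
        CodeSigner[] signers = signedEntry.getCodeSigners();
        if (signers == null || signers.length == 0) {
            // unreachable for entries selected by isSigned(); kept so a missing signer array cannot pass silently
            throw new SLException(Messages.THE_ARCHIVE_CONTAINS_UNSIGNED_FILES, new Object[] { signedEntry.getName() });
        }
        SLException firstFailure = null;
        for (CodeSigner signer : signers) {
            try {
                validateCertificateChain(trustedCertificates,
                                         toX509Certificates(signer.getSignerCertPath().getCertificates()),
                                         expectedCommonName);
                return;
            } catch (SLException e) {
                if (firstFailure == null) {
                    firstFailure = e;
                }
            }
        }
        throw firstFailure;
    }

    private List<X509Certificate> toX509Certificates(List<? extends Certificate> certificates) {
        return certificates.stream().map(X509Certificate.class::cast).collect(Collectors.toList());
    }

    /**
     * Validates one signer's certificate path (leaf first, as returned by {@link CodeSigner#getSignerCertPath()}).
     *
     * @throws SLException if a certificate is expired or not yet valid, if {@code expectedCommonName} is given and no
     *         certificate in the path carries it, or if the path does not cryptographically chain to one of
     *         {@code trustedCertificates}
     */
    private void validateCertificateChain(List<X509Certificate> trustedCertificates, List<X509Certificate> signerChain,
                                          String expectedCommonName) {
        if (signerChain.isEmpty()) {
            throw new SLException(Messages.THE_ARCHIVE_IS_NOT_SIGNED_BY_TRUSTED_CERTIFICATE_AUTHORITY,
                                  new Object[] { getCertificatesNames(trustedCertificates) });
        }
        signerChain.forEach(this::checkValidityOfCertificate);
        if (expectedCommonName != null && !getCertificatesNames(signerChain).contains(expectedCommonName)) {
            throw new SLException(Messages.WILL_LOOK_FOR_CERTIFICATE_CN, new Object[] { expectedCommonName });
        }
        // The JDK assembles this chain from the certificates embedded in the signature block by matching issuer and
        // subject NAMES only; it never checks that each certificate was really issued by the next one. Merely finding
        // a trusted certificate somewhere in the chain therefore proves nothing: a signer can embed any (public)
        // trusted certificate and point its own leaf's issuer name at it. The path up to the trusted certificate has
        // to be validated cryptographically.
        int trustedIndex = indexOfFirstTrustedCertificate(signerChain, trustedCertificates);
        if (trustedIndex == 0) {
            // the signing certificate itself is trusted; JarFile already verified its signature over the entry
            return;
        }
        // no trusted certificate embedded: validate the whole chain, PKIX will look for an anchor that issued its top
        List<X509Certificate> pathToValidate = trustedIndex < 0 ? signerChain : signerChain.subList(0, trustedIndex);
        validateCertificatePath(pathToValidate, trustedCertificates);
    }

    private int indexOfFirstTrustedCertificate(List<X509Certificate> chain, List<X509Certificate> trustedCertificates) {
        for (int i = 0; i < chain.size(); i++) {
            // X509Certificate.equals compares the DER encoding, so this is an exact-certificate match
            if (trustedCertificates.contains(chain.get(i))) {
                return i;
            }
        }
        return -1;
    }

    /**
     * PKIX-validates {@code path} (leaf first, trust anchor excluded) with {@code trustedCertificates} as anchors: the
     * JDK validator checks every certificate's signature against its issuer, CA constraints and validity. Revocation
     * checking is disabled because the verifier must work without network access. An empty anchor set is rejected
     * by {@link PKIXParameters} and reported like any other trust failure.
     */
    private void validateCertificatePath(List<X509Certificate> path, List<X509Certificate> trustedCertificates) {
        try {
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            Set<TrustAnchor> anchors = trustedCertificates.stream()
                                                          .map(certificate -> new TrustAnchor(certificate, null))
                                                          .collect(Collectors.toSet());
            PKIXParameters parameters = new PKIXParameters(anchors);
            parameters.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(certPath, parameters);
        } catch (GeneralSecurityException e) {
            throw new SLException(e, Messages.THE_ARCHIVE_IS_NOT_SIGNED_BY_TRUSTED_CERTIFICATE_AUTHORITY,
                                  new Object[] { getCertificatesNames(trustedCertificates) });
        }
    }

    /**
     * Validity is checked against the current time, not the signing time: a signature made with a since-expired
     * certificate is rejected. Signature timestamps are not consulted.
     */
    private void checkValidityOfCertificate(X509Certificate certificate) {
        try {
            certificate.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            throw new SLException(e, e.getMessage());
        }
    }

    private List<String> getCertificatesNames(List<X509Certificate> certificates) {
        return certificates.stream().map(this::getCertificateCN).collect(Collectors.toList());
    }

    /**
     * Returns the subject's common name, or {@code null} if the subject has none or cannot be parsed. The subject is
     * taken in RFC 2253 form and parsed as a distinguished name, so the result no longer depends on the RDNs being
     * exactly "CN, OU, O, C" in that order (the previous regex yielded {@code null} for any other subject layout).
     */
    private String getCertificateCN(X509Certificate certificate) {
        try {
            LdapName subject = new LdapName(certificate.getSubjectX500Principal().getName());
            for (Rdn rdn : subject.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // an unparsable subject is treated as having no common name, so an expected-CN check fails closed
        }
        return null;
    }
}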
