package com.google.gerrit.gpg;

import com.google.common.flogger.FluentLogger;
import com.google.common.flogger.LazyArgs;
import com.google.gerrit.extensions.common.GpgKeyInfo;
import com.ibm.icu.text.PluralRules;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.bcpg.SignatureSubpacket;
import org.bouncycastle.bcpg.sig.RevocationKey;
import org.bouncycastle.bcpg.sig.RevocationReason;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;

/* loaded from: input_file:com/google/gerrit/gpg/PublicKeyChecker.class */
public class PublicKeyChecker {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private static final int COMPLETE_TRUST = 120;
    private PublicKeyStore store;
    private Map<Long, Fingerprint> trusted;
    private int maxTrustDepth;
    private Date effectiveTime = new Date();

    public PublicKeyChecker enableTrust(int i, Map<Long, Fingerprint> map) {
        if (i <= 0) {
            throw new IllegalArgumentException("maxTrustDepth must be positive, got: " + i);
        }
        if (map == null || map.isEmpty()) {
            throw new IllegalArgumentException("at least one trusted key is required");
        }
        this.maxTrustDepth = i;
        this.trusted = map;
        return this;
    }

    public PublicKeyChecker disableTrust() {
        this.trusted = null;
        return this;
    }

    public PublicKeyChecker setStore(PublicKeyStore publicKeyStore) {
        if (publicKeyStore == null) {
            throw new IllegalArgumentException("PublicKeyStore is required");
        }
        this.store = publicKeyStore;
        return this;
    }

    public PublicKeyChecker setEffectiveTime(Date date) {
        this.effectiveTime = date;
        return this;
    }

    protected Date getEffectiveTime() {
        return this.effectiveTime;
    }

    public final CheckResult check(PGPPublicKey pGPPublicKey) {
        if (this.store == null) {
            throw new IllegalStateException("PublicKeyStore is required");
        }
        return check(pGPPublicKey, 0, true, this.trusted != null ? new HashSet() : null);
    }

    public CheckResult checkCustom(PGPPublicKey pGPPublicKey, int i) {
        return CheckResult.ok(new String[0]);
    }

    private CheckResult check(PGPPublicKey pGPPublicKey, int i, boolean z, Set<Fingerprint> set) {
        CheckResult checkBasic = checkBasic(pGPPublicKey, this.effectiveTime);
        CheckResult checkCustom = checkCustom(pGPPublicKey, i);
        CheckResult checkWebOfTrust = checkWebOfTrust(pGPPublicKey, this.store, i, set);
        if (!z && !checkWebOfTrust.isTrusted()) {
            checkWebOfTrust = CheckResult.create(checkWebOfTrust.getStatus(), "Key is not trusted");
        }
        ArrayList arrayList = new ArrayList(checkBasic.getProblems().size() + checkCustom.getProblems().size() + checkWebOfTrust.getProblems().size());
        arrayList.addAll(checkBasic.getProblems());
        arrayList.addAll(checkCustom.getProblems());
        arrayList.addAll(checkWebOfTrust.getProblems());
        return CheckResult.create((checkBasic.getStatus() == GpgKeyInfo.Status.BAD || checkCustom.getStatus() == GpgKeyInfo.Status.BAD || checkWebOfTrust.getStatus() == GpgKeyInfo.Status.BAD) ? GpgKeyInfo.Status.BAD : checkWebOfTrust.getStatus() == GpgKeyInfo.Status.TRUSTED ? GpgKeyInfo.Status.TRUSTED : GpgKeyInfo.Status.OK, arrayList);
    }

    private CheckResult checkBasic(PGPPublicKey pGPPublicKey, Date date) {
        ArrayList arrayList = new ArrayList(2);
        gatherRevocationProblems(pGPPublicKey, date, arrayList);
        long validSeconds = pGPPublicKey.getValidSeconds() * 1000;
        if (validSeconds != 0 && date.getTime() - pGPPublicKey.getCreationTime().getTime() > validSeconds) {
            arrayList.add("Key is expired");
        }
        return CheckResult.create(arrayList);
    }

    private void gatherRevocationProblems(PGPPublicKey pGPPublicKey, Date date, List<String> list) {
        try {
            ArrayList arrayList = new ArrayList();
            HashMap hashMap = new HashMap();
            PGPSignature scanRevocations = scanRevocations(pGPPublicKey, date, arrayList, hashMap);
            if (scanRevocations != null) {
                RevocationReason revocationReason = getRevocationReason(scanRevocations);
                if (isRevocationValid(scanRevocations, revocationReason, date)) {
                    list.add(reasonToString(revocationReason));
                }
            } else {
                checkRevocations(pGPPublicKey, arrayList, hashMap, list);
            }
        } catch (PGPException | IOException e) {
            list.add("Error checking key revocation");
        }
    }

    private static boolean isRevocationValid(PGPSignature pGPSignature, RevocationReason revocationReason, Date date) {
        return revocationReason.getRevocationReason() == 2 || pGPSignature.getCreationTime().before(date);
    }

    private PGPSignature scanRevocations(PGPPublicKey pGPPublicKey, Date date, List<PGPSignature> list, Map<Long, RevocationKey> map) throws PGPException {
        Iterator signatures = pGPPublicKey.getSignatures();
        while (signatures.hasNext()) {
            PGPSignature pGPSignature = (PGPSignature) signatures.next();
            switch (pGPSignature.getSignatureType()) {
                case 31:
                    RevocationKey revocationKey = getRevocationKey(pGPPublicKey, pGPSignature);
                    if (revocationKey == null) {
                        break;
                    } else {
                        map.put(Long.valueOf(Fingerprint.getId(revocationKey.getFingerprint())), revocationKey);
                        break;
                    }
                case 32:
                    if (pGPSignature.getKeyID() != pGPPublicKey.getKeyID()) {
                        RevocationReason revocationReason = getRevocationReason(pGPSignature);
                        if (revocationReason != null && isRevocationValid(pGPSignature, revocationReason, date)) {
                            list.add(pGPSignature);
                            break;
                        }
                    } else {
                        pGPSignature.init(new BcPGPContentVerifierBuilderProvider(), pGPPublicKey);
                        if (!pGPSignature.verifyCertification(pGPPublicKey)) {
                            break;
                        } else {
                            return pGPSignature;
                        }
                    }
                    break;
            }
        }
        return null;
    }

    private RevocationKey getRevocationKey(PGPPublicKey pGPPublicKey, PGPSignature pGPSignature) throws PGPException {
        SignatureSubpacket subpacket;
        if (pGPSignature.getKeyID() != pGPPublicKey.getKeyID() || (subpacket = pGPSignature.getHashedSubPackets().getSubpacket(12)) == null) {
            return null;
        }
        pGPSignature.init(new BcPGPContentVerifierBuilderProvider(), pGPPublicKey);
        if (pGPSignature.verifyCertification(pGPPublicKey)) {
            return new RevocationKey(subpacket.isCritical(), subpacket.isLongLength(), subpacket.getData());
        }
        return null;
    }

    private void checkRevocations(PGPPublicKey pGPPublicKey, List<PGPSignature> list, Map<Long, RevocationKey> map, List<String> list2) throws PGPException, IOException {
        for (PGPSignature pGPSignature : list) {
            RevocationKey revocationKey = map.get(Long.valueOf(pGPSignature.getKeyID()));
            if (revocationKey != null) {
                byte[] fingerprint = revocationKey.getFingerprint();
                PGPPublicKeyRing pGPPublicKeyRing = this.store.get(fingerprint);
                if (pGPPublicKeyRing == null) {
                    logger.atInfo().log("Key %s is revoked by %s, which is not in the store. Assuming revocation is valid.", LazyArgs.lazy(() -> {
                        return Fingerprint.toString(pGPPublicKey.getFingerprint());
                    }), LazyArgs.lazy(() -> {
                        return Fingerprint.toString(fingerprint);
                    }));
                    list2.add(reasonToString(getRevocationReason(pGPSignature)));
                } else {
                    PGPPublicKey publicKey = pGPPublicKeyRing.getPublicKey();
                    if (publicKey.getAlgorithm() == revocationKey.getAlgorithm() && checkBasic(publicKey, pGPSignature.getCreationTime()).isOk()) {
                        pGPSignature.init(new BcPGPContentVerifierBuilderProvider(), publicKey);
                        if (pGPSignature.verifyCertification(pGPPublicKey)) {
                            list2.add(reasonToString(getRevocationReason(pGPSignature)));
                        }
                    }
                }
            }
        }
    }

    private static RevocationReason getRevocationReason(PGPSignature pGPSignature) {
        if (pGPSignature.getSignatureType() != 32) {
            throw new IllegalArgumentException("Expected KEY_REVOCATION signature, got " + pGPSignature.getSignatureType());
        }
        SignatureSubpacket subpacket = pGPSignature.getHashedSubPackets().getSubpacket(29);
        if (subpacket == null) {
            return null;
        }
        return new RevocationReason(subpacket.isCritical(), subpacket.isLongLength(), subpacket.getData());
    }

    private static String reasonToString(RevocationReason revocationReason) {
        StringBuilder sb = new StringBuilder("Key is revoked (");
        if (revocationReason == null) {
            return sb.append("no reason provided)").toString();
        }
        switch (revocationReason.getRevocationReason()) {
            case 0:
                sb.append("no reason code specified");
                break;
            case 1:
                sb.append("superseded");
                break;
            case 2:
                sb.append("key material has been compromised");
                break;
            case 3:
                sb.append("retired and no longer valid");
                break;
            default:
                sb.append("reason code ").append(Integer.toString(revocationReason.getRevocationReason())).append(')');
                break;
        }
        sb.append(')');
        String revocationDescription = revocationReason.getRevocationDescription();
        if (!revocationDescription.isEmpty()) {
            sb.append(PluralRules.KEYWORD_RULE_SEPARATOR).append(revocationDescription);
        }
        return sb.toString();
    }

    private CheckResult checkWebOfTrust(PGPPublicKey pGPPublicKey, PublicKeyStore publicKeyStore, int i, Set<Fingerprint> set) {
        if (this.trusted == null) {
            return CheckResult.trusted();
        }
        Fingerprint fingerprint = new Fingerprint(pGPPublicKey.getFingerprint());
        if (set.contains(fingerprint)) {
            return CheckResult.ok("Key is trusted in a cycle");
        }
        set.add(fingerprint);
        Fingerprint fingerprint2 = this.trusted.get(Long.valueOf(pGPPublicKey.getKeyID()));
        if (fingerprint2 != null && fingerprint2.equals(fingerprint)) {
            return CheckResult.trusted();
        }
        if (i >= this.maxTrustDepth) {
            return CheckResult.ok("No path of depth <= " + this.maxTrustDepth + " to a trusted key");
        }
        ArrayList arrayList = new ArrayList();
        Iterator userIDs = pGPPublicKey.getUserIDs();
        while (userIDs.hasNext()) {
            String str = (String) userIDs.next();
            Iterator signaturesForID = pGPPublicKey.getSignaturesForID(str);
            while (signaturesForID.hasNext()) {
                PGPSignature pGPSignature = (PGPSignature) signaturesForID.next();
                if (pGPSignature.getSignatureType() == 16 || pGPSignature.getSignatureType() == 19) {
                    PGPPublicKey signer = getSigner(publicKeyStore, pGPSignature, str, pGPPublicKey, arrayList);
                    if (signer != null && !Arrays.equals(signer.getFingerprint(), pGPPublicKey.getFingerprint())) {
                        if (checkTrustSubpacket(pGPSignature, i) == null && check(signer, i + 1, false, set).isTrusted()) {
                            return CheckResult.trusted();
                        }
                        arrayList.add(CheckResult.ok("Certification by " + PublicKeyStore.keyToString(signer) + " is valid, but key is not trusted"));
                    }
                }
            }
        }
        ArrayList arrayList2 = new ArrayList();
        arrayList2.add("No path to a trusted key");
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            arrayList2.addAll(((CheckResult) it.next()).getProblems());
        }
        return CheckResult.create(GpgKeyInfo.Status.OK, arrayList2);
    }

    private static PGPPublicKey getSigner(PublicKeyStore publicKeyStore, PGPSignature pGPSignature, String str, PGPPublicKey pGPPublicKey, List<CheckResult> list) {
        try {
            PGPPublicKeyRingCollection pGPPublicKeyRingCollection = publicKeyStore.get(pGPSignature.getKeyID());
            if (!pGPPublicKeyRingCollection.getKeyRings().hasNext()) {
                list.add(CheckResult.ok("Key " + PublicKeyStore.keyIdToString(pGPSignature.getKeyID()) + " used for certification is not in store"));
                return null;
            }
            PGPPublicKey signer = PublicKeyStore.getSigner(pGPPublicKeyRingCollection, pGPSignature, str, pGPPublicKey);
            if (signer != null) {
                return signer;
            }
            list.add(CheckResult.ok("Certification by " + PublicKeyStore.keyIdToString(pGPSignature.getKeyID()) + " is not valid"));
            return null;
        } catch (PGPException | IOException e) {
            list.add(CheckResult.ok("Error checking certification by " + PublicKeyStore.keyIdToString(pGPSignature.getKeyID())));
            return null;
        }
    }

    private String checkTrustSubpacket(PGPSignature pGPSignature, int i) {
        SignatureSubpacket subpacket = pGPSignature.getHashedSubPackets().getSubpacket(5);
        if (subpacket == null || subpacket.getData().length != 2) {
            return "Certification is missing trust information";
        }
        if (subpacket.getData()[1] < 120) {
            return "Certification does not fully trust key";
        }
        byte b = subpacket.getData()[0];
        int i2 = i + 1;
        if (b < i2) {
            return "Certification trusts to depth " + ((int) b) + ", but depth " + i2 + " is required";
        }
        return null;
    }
}
