package com.appian.componentplugin.validator;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/* loaded from: input_file:com/appian/componentplugin/validator/JarVerifier.class */
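/**
 * Checks that every content entry of a JAR is signed by one of a fixed set of trusted
 * X.509 certificates.
 *
 * <p>Trust model, as implemented here: an entry is accepted only when one of its direct
 * signer certificates is {@code equals()} to a trusted certificate (certificate pinning).
 * No certificate path is built, and neither the validity period nor the revocation status
 * of a certificate is checked in this class; callers that need those guarantees must
 * enforce them before passing certificates in.
 *
 * <p>Directories and the signature-related files directly under {@code META-INF/} are not
 * checked for signers. A JAR that contains no other entries therefore produces no errors;
 * callers that must reject such archives should inspect the result of
 * {@link #examineJar(File)}.
 */
public final class JarVerifier {
    /** Upper bound for the scratch buffer used to drain an entry stream. */
    private static final int BUFFER_SIZE = 65536;
    private static final String META_INF_SLASH = "META-INF/";
    /** Private copy of the pinned certificates; never exposed or mutated after construction. */
    private final X509Certificate[] trustedCerts;

    /**
     * Result of examining one JAR entry: the entry, the number of bytes read from it, an
     * error message when it could not be tied to a trusted certificate, and otherwise the
     * trusted certificate that matched.
     */
    public static final class AnnotatedJarEntry {
        // Sentinel value; not used inside JarVerifier itself.
        // NOTE(review): presumably marks an entry whose bytes were not read - confirm with callers.
        public static final long NO_READ_VERIFICATION = -1;
        private final JarEntry jarEntry;
        private final long totalBytesRead;
        private final Optional<String> errorMessage;
        private final Optional<X509Certificate> x509CertificateApplied;

        /**
         * @param jarEntry the examined entry
         * @param totalBytesRead number of bytes read from the entry stream
         * @param errorMessage present when the entry failed the signer check
         * @param x509CertificateApplied present when a trusted certificate matched a signer
         */
        public AnnotatedJarEntry(
                JarEntry jarEntry,
                long totalBytesRead,
                Optional<String> errorMessage,
                Optional<X509Certificate> x509CertificateApplied) {
            this.jarEntry = jarEntry;
            this.totalBytesRead = totalBytesRead;
            this.errorMessage = errorMessage;
            this.x509CertificateApplied = x509CertificateApplied;
        }

        /** @return the examined entry */
        public JarEntry getJarEntry() {
            return this.jarEntry;
        }

        /** @return number of bytes read from the entry stream */
        public long getTotalBytesRead() {
            return this.totalBytesRead;
        }

        /** @return the failure description, or empty when the entry was accepted */
        public Optional<String> getErrorMessage() {
            return this.errorMessage;
        }

        /** @return the trusted certificate that matched a signer, or empty on failure */
        public Optional<X509Certificate> getX509CertificateApplied() {
            return this.x509CertificateApplied;
        }
    }

    /**
     * Creates a verifier pinned to the given certificates.
     *
     * @param x509CertificateArr trusted signer certificates; with none given (or
     *     {@code null}) every signed entry is reported as untrusted
     */
    public JarVerifier(X509Certificate... x509CertificateArr) {
        // Defensive copy: the trust anchors must not change if the caller later mutates
        // its array. A null array degrades to "trust nothing" (fail closed).
        this.trustedCerts =
                x509CertificateArr == null ? new X509Certificate[0] : x509CertificateArr.clone();
    }

    /**
     * Verifies a JAR and fails if any examined entry lacks a trusted signer.
     *
     * @param file the JAR to verify
     * @throws IOException if the JAR cannot be opened or read
     * @throws SecurityException if at least one entry is unsigned or signed only by
     *     untrusted certificates; the message joins the per-entry errors with {@code ", "}
     */
    public void verifyJar(File file) throws IOException {
        StringBuilder errors = new StringBuilder();
        for (AnnotatedJarEntry entry : examineJar(file)) {
            Optional<String> errorMessage = entry.getErrorMessage();
            if (errorMessage.isPresent()) {
                if (errors.length() > 0) {
                    errors.append(", ");
                }
                errors.append(errorMessage.get());
            }
        }
        if (errors.length() > 0) {
            throw new SecurityException(errors.toString());
        }
    }

    /**
     * Reads every examined entry of the JAR and reports, per entry, whether a trusted
     * signer was found. Directories and signature-related files are omitted from the result.
     *
     * @param file the JAR to examine
     * @return one annotation per examined entry, in the order the JAR enumerates them
     * @throws IOException if the JAR cannot be opened or read
     */
    public List<AnnotatedJarEntry> examineJar(File file) throws IOException {
        // verify=true makes the JDK check the signatures while the entries are read.
        try (JarFile jarFile = new JarFile(file, true, JarFile.OPEN_READ)) {
            List<AnnotatedJarEntry> annotated = new ArrayList<>();
            Enumeration<JarEntry> entries = jarFile.entries();
            while (entries.hasMoreElements()) {
                annotateJarEntry(jarFile, entries.nextElement()).ifPresent(annotated::add);
            }
            return annotated;
        }
    }

    /**
     * Rejects names whose {@code ..} segments climb above the archive root.
     *
     * @param str entry name using {@code /} as separator
     * @return {@code false} if, at any point, the name has more {@code ..} segments than
     *     preceding ordinary segments
     */
    private boolean isValidManifestName(String str) {
        if (!str.contains("..")) {
            return true;
        }
        int depth = 0;
        for (String segment : str.split("/")) {
            if (".".equals(segment)) {
                continue;
            }
            if ("..".equals(segment)) {
                depth--;
                if (depth < 0) {
                    return false;
                }
            } else {
                // Only ordinary segments descend; counting ".." here as well would cancel
                // the decrement above and let the name climb without ever being rejected.
                depth++;
            }
        }
        return true;
    }

    /**
     * Decides whether an entry is one of the JAR's own signature-related files, which
     * carry no signer of their own and are therefore exempt from the signer check.
     *
     * @param str entry name, may be {@code null}
     * @return {@code true} only for {@code MANIFEST.MF}, {@code *.SF}, {@code *.DSA},
     *     {@code *.RSA} and {@code SIG-*} located directly in {@code META-INF/}
     */
    private boolean skipDigitalSignatureManifestEntry(String str) {
        if (str == null || !str.startsWith(META_INF_SLASH) || !isValidManifestName(str)) {
            return false;
        }
        String remainder = str.substring(META_INF_SLASH.length());
        // Signature-related files live directly in META-INF/. Anything in a subdirectory is
        // ordinary content and must go through the signer check, whatever its name or
        // extension; exempting it would let unsigned content pass verification.
        if (remainder.indexOf('/') >= 0) {
            return false;
        }
        // Locale.ROOT keeps the comparison stable under locales with special case mappings
        // for 'I' (for example Turkish), where the default lower-casing would stop
        // "MANIFEST.MF" and "SIG-" from matching.
        String lowerCase = remainder.toLowerCase(Locale.ROOT);
        // NOTE(review): ".ec" signature blocks are not in this list, so the signature block
        // of an EC-signed JAR is reported as an unsigned entry - confirm this is intended.
        return "manifest.mf".equals(lowerCase)
                || lowerCase.endsWith(".sf")
                || lowerCase.endsWith(".dsa")
                || lowerCase.endsWith(".rsa")
                || lowerCase.startsWith("sig-");
    }

    /**
     * Examines one entry.
     *
     * @return empty for directories and signature-related files; otherwise an annotation
     *     that carries either the matching trusted certificate or an error message
     * @throws IOException if the entry cannot be read
     */
    private Optional<AnnotatedJarEntry> annotateJarEntry(JarFile jarFile, JarEntry jarEntry) throws IOException {
        if (jarEntry.isDirectory() || skipDigitalSignatureManifestEntry(jarEntry.getName())) {
            return Optional.empty();
        }
        // Order matters: JarEntry.getCertificates() is only meaningful once the entry
        // stream has been read to its end, so drain the entry first.
        long bytesRead = readJarEntry(jarFile, jarEntry);
        List<X509Certificate> signers = filterToX509Certificates(jarEntry.getCertificates());
        if (signers.isEmpty()) {
            return Optional.of(new AnnotatedJarEntry(
                    jarEntry,
                    bytesRead,
                    Optional.of(jarEntry.getName() + " has no X509Certificates"),
                    Optional.empty()));
        }
        Optional<X509Certificate> trustedSigner = findSignerMatchingTrustedCert(signers);
        if (trustedSigner.isPresent()) {
            return Optional.of(new AnnotatedJarEntry(jarEntry, bytesRead, Optional.empty(), trustedSigner));
        }
        return Optional.of(new AnnotatedJarEntry(
                jarEntry,
                bytesRead,
                Optional.of("Could not apply any given X509Certificates to " + jarEntry.getName()),
                Optional.empty()));
    }

    /**
     * @param list certificates attached to an entry
     * @return the first trusted certificate that is a direct signer of the entry, or empty
     */
    private Optional<X509Certificate> findSignerMatchingTrustedCert(List<X509Certificate> list) {
        for (X509Certificate trusted : this.trustedCerts) {
            Optional<X509Certificate> match = findSignerMatchingTrustedCert(trusted, list);
            if (match.isPresent()) {
                return match;
            }
        }
        return Optional.empty();
    }

    /**
     * @param certificateArr certificates reported for an entry, may be {@code null}
     * @return the X.509 certificates among them, in their original order; never {@code null}
     */
    private List<X509Certificate> filterToX509Certificates(Certificate[] certificateArr) {
        List<X509Certificate> x509Certificates = new ArrayList<>();
        if (certificateArr != null) {
            for (Certificate certificate : certificateArr) {
                if (certificate instanceof X509Certificate) {
                    x509Certificates.add((X509Certificate) certificate);
                }
            }
        }
        return x509Certificates;
    }

    /**
     * Reads an entry to the end of its stream and counts the bytes.
     *
     * @return number of bytes read
     * @throws IOException if reading fails
     */
    private long readJarEntry(JarFile jarFile, JarEntry jarEntry) throws IOException {
        // The declared size comes from the archive and is only a sizing hint. It may be -1
        // (unknown) or 0; a negative length cannot be allocated, and a zero-length buffer
        // lets read() return 0 forever, so both fall back to the full buffer size.
        long declaredSize = jarEntry.getSize();
        int bufferLength = (declaredSize > 0 && declaredSize < BUFFER_SIZE) ? (int) declaredSize : BUFFER_SIZE;
        byte[] buffer = new byte[bufferLength];
        long total = 0;
        try (InputStream inputStream = jarFile.getInputStream(jarEntry)) {
            int read;
            while ((read = inputStream.read(buffer, 0, buffer.length)) >= 0) {
                total += read;
            }
        }
        return total;
    }

    /**
     * @return {@code x509Certificate} if it equals one of the direct signers in
     *     {@code list}, otherwise empty
     */
    private Optional<X509Certificate> findSignerMatchingTrustedCert(X509Certificate x509Certificate, List<X509Certificate> list) {
        if (!list.isEmpty() && getDirectSigners(list).contains(x509Certificate)) {
            return Optional.of(x509Certificate);
        }
        return Optional.empty();
    }

    /**
     * Picks the certificates that start a chain in a concatenated list of chains.
     *
     * <p>The first certificate always counts. A later certificate counts when the
     * certificate before it does not name it as issuer (issuer and subject names are
     * compared; no signature is checked here), i.e. when it does not continue the
     * preceding chain.
     *
     * @param list non-empty list of certificates
     * @return the chain-starting certificates
     */
    private Set<X509Certificate> getDirectSigners(List<X509Certificate> list) {
        Set<X509Certificate> directSigners = new HashSet<>();
        directSigners.add(list.get(0));
        for (int i = 1; i < list.size(); i++) {
            X509Certificate previous = list.get(i - 1);
            X509Certificate current = list.get(i);
            if (!previous.getIssuerX500Principal().equals(current.getSubjectX500Principal())) {
                directSigners.add(current);
            }
        }
        return directSigners;
    }
}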
