package org.eclipse.jgit.internal.signing.ssh;

import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.StreamCorruptedException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.util.buffer.BufferUtils;
import org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import org.eclipse.jgit.annotations.NonNull;
import org.eclipse.jgit.api.errors.JGitInternalException;
import org.eclipse.jgit.internal.transport.sshd.SshdText;
import org.eclipse.jgit.util.IO;
import org.eclipse.jgit.util.StringUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/eclipse/jgit/internal/signing/ssh/OpenSshBinaryKrl.class */
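/**
 * In-memory form of a binary OpenSSH key revocation list (KRL), plus the
 * parser that builds it from a stream.
 *
 * <p>The parser keeps four kinds of revocations: certificate revocations
 * (serial numbers and key IDs, grouped by CA key), explicit public keys, and
 * SHA-1 / SHA-256 fingerprints of public keys.
 *
 * <p>Security notes for reviewers:
 * <ul>
 * <li>The signature section ({@code SECTION_SIGNATURE}) is skipped, not
 * verified. The integrity of a KRL therefore depends entirely on how the
 * file is stored and obtained.</li>
 * <li>All length fields come from the file. They are checked against the
 * remaining section size and against {@link Integer#MAX_VALUE} before they
 * are used to size a read, and regions that are skipped must be skipped
 * completely, so a truncated or malformed file fails with an
 * {@link IOException} instead of being parsed out of sync.</li>
 * </ul>
 */
public class OpenSshBinaryKrl {

    /** File magic: the ASCII bytes of {@code "SSHKRL\n"}. */
    static final byte[] MAGIC = {83, 83, 72, 75, 82, 76, 10};

    private static final int FORMAT_VERSION = 1;

    // Top-level section types.
    private static final int SECTION_CERTIFICATES = 1;
    private static final int SECTION_KEY = 2;
    private static final int SECTION_SHA1 = 3;
    private static final int SECTION_SIGNATURE = 4;
    private static final int SECTION_SHA256 = 5;
    private static final int SECTION_EXTENSION = 255;

    // Sub-section types inside a certificates section.
    private static final int CERT_SERIAL_LIST = 32;
    private static final int CERT_SERIAL_RANGES = 33;
    private static final int CERT_SERIAL_BITS = 34;
    private static final int CERT_KEY_IDS = 35;
    private static final int CERT_EXTENSIONS = 57;

    // Fixed-size part of the header that follows the format version. Per the
    // OpenSSH KRL format description these are three 64-bit fields
    // (KRL version, generation date, flags); this parser ignores them.
    private static final int HEADER_FIXED_BYTES = 24;

    // Keyed by the CA key blob; the null key holds revocations that apply to
    // certificates of any CA.
    private final Map<Blob, CertificateRevocation> certificates = new HashMap<>();
    private final Set<Blob> blobs = new HashSet<>();
    private final Set<Blob> sha1 = new HashSet<>();
    private final Set<Blob> sha256 = new HashSet<>();

    /**
     * Byte array wrapper with value semantics, so that raw key blobs and
     * digests can be used as hash keys.
     *
     * <p>The array is neither copied on construction nor on access; this class
     * only ever wraps arrays it has just created.
     *
     * @param blob the wrapped bytes
     */
    public record Blob(byte[] blob) {

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            // Compare contents; the record default would compare array identity.
            return obj instanceof Blob other && Arrays.equals(this.blob, other.blob);
        }

        @Override
        public int hashCode() {
            return Arrays.hashCode(this.blob);
        }
    }

    /** Revoked serial numbers and key IDs recorded for one CA key (or for any CA). */
    public static class CertificateRevocation {
        final SerialRangeSet ranges = new SerialRangeSet();
        final Set<String> keyIds = new HashSet<>();

        private CertificateRevocation() {
        }
    }

    private OpenSshBinaryKrl() {
    }

    /**
     * Tells whether the given key is revoked by this KRL.
     *
     * <p>For an {@link OpenSshCertificate} only the certificate revocations
     * are consulted: first those that apply to any CA, then those recorded for
     * the certificate's CA key. For any other key the explicit key blobs, the
     * SHA-256 fingerprints and the SHA-1 fingerprints are consulted, in that
     * order.
     *
     * <p>NOTE(review): for a certificate this method does not look up the
     * certified key or the CA key in the explicit-key / fingerprint sets.
     * Presumably the caller checks those keys separately; confirm at the call
     * site.
     *
     * @param publicKey
     *            the key or certificate to check
     * @return {@code true} if the key is revoked
     */
    public boolean isRevoked(PublicKey publicKey) {
        if (publicKey instanceof OpenSshCertificate certificate) {
            if (this.certificates.isEmpty()) {
                return false;
            }
            if (isRevoked(certificate, this.certificates.get(null))) {
                return true;
            }
            Blob caKey = blob(certificate.getCaPubKey());
            return isRevoked(certificate, this.certificates.get(caKey));
        }
        if (!this.blobs.isEmpty() && this.blobs.contains(blob(publicKey))) {
            return true;
        }
        if (!this.sha256.isEmpty() && this.sha256.contains(hash("SHA256", publicKey))) {
            return true;
        }
        // SHA-1 is used here only as a lookup key defined by the KRL format.
        return !this.sha1.isEmpty() && this.sha1.contains(hash("SHA1", publicKey));
    }

    /**
     * Checks a certificate against one set of certificate revocations.
     *
     * <p>An empty or null key ID is never matched, and serial number 0 is
     * never looked up in the serial ranges.
     */
    private boolean isRevoked(OpenSshCertificate certificate, CertificateRevocation revocation) {
        if (revocation == null) {
            return false;
        }
        String keyId = certificate.getId();
        if (!StringUtils.isEmptyOrNull(keyId) && revocation.keyIds.contains(keyId)) {
            return true;
        }
        long serial = certificate.getSerial();
        return serial != 0 && revocation.ranges.contains(serial);
    }

    /** Encodes the key with {@code putRawPublicKey} and wraps the resulting bytes. */
    private Blob blob(PublicKey key) {
        ByteArrayBuffer buffer = new ByteArrayBuffer();
        buffer.putRawPublicKey(key);
        return new Blob(buffer.getCompactData());
    }

    /**
     * Digests the {@code putRawPublicKey} encoding of the key.
     *
     * @throws JGitInternalException
     *             if the digest algorithm is not available
     */
    private Blob hash(String algorithm, PublicKey key) {
        ByteArrayBuffer buffer = new ByteArrayBuffer();
        buffer.putRawPublicKey(key);
        try {
            MessageDigest digest = MessageDigest.getInstance(algorithm);
            return new Blob(digest.digest(buffer.getCompactData()));
        } catch (NoSuchAlgorithmException e) {
            throw new JGitInternalException(e.getMessage(), e);
        }
    }

    /**
     * Parses a binary KRL.
     *
     * @param inputStream
     *            stream to read from
     * @param z
     *            if {@code false}, the magic is read from the stream and
     *            verified; if {@code true}, that check is skipped (presumably
     *            because the caller has already consumed the magic)
     * @return the parsed KRL
     * @throws IOException
     *             if the stream cannot be read, ends early, or is not a
     *             well-formed KRL
     */
    @NonNull
    public static OpenSshBinaryKrl load(InputStream inputStream, boolean z) throws IOException {
        if (!z) {
            byte[] magic = new byte[MAGIC.length];
            IO.readFully(inputStream, magic);
            if (!Arrays.equals(magic, MAGIC)) {
                throw new StreamCorruptedException(SshdText.get().signKrlInvalidMagic);
            }
        }
        skipHeader(inputStream);
        return load(inputStream);
    }

    /** Reads a 4-byte unsigned integer. */
    private static long getUInt(InputStream in) throws IOException {
        byte[] raw = new byte[4];
        IO.readFully(in, raw);
        return BufferUtils.getUInt(raw);
    }

    /** Reads an 8-byte integer. */
    private static long getLong(InputStream in) throws IOException {
        byte[] raw = new byte[8];
        IO.readFully(in, raw);
        return BufferUtils.getLong(raw, 0, 8);
    }

    /**
     * Reads exactly {@code length} bytes.
     *
     * <p>{@code readNBytes} grows its buffer as data arrives, so a bogus large
     * length in a short file does not cause one huge up-front allocation.
     *
     * @throws EOFException
     *             if the stream ends before {@code length} bytes were read
     */
    private static byte[] readExactly(InputStream in, int length) throws IOException {
        byte[] data = in.readNBytes(length);
        if (data.length != length) {
            throw new EOFException();
        }
        return data;
    }

    /**
     * Validates the format version and skips the rest of the header: a
     * fixed-size part and two length-prefixed fields.
     */
    private static void skipHeader(InputStream in) throws IOException {
        long version = getUInt(in);
        if (version != FORMAT_VERSION) {
            throw new StreamCorruptedException(
                    MessageFormat.format(SshdText.get().signKrlInvalidVersion, Long.valueOf(version)));
        }
        // InputStream.skip() may skip fewer bytes than asked, which would leave
        // the parser out of sync with the section structure; skipNBytes() skips
        // everything or throws EOFException.
        in.skipNBytes(HEADER_FIXED_BYTES);
        in.skipNBytes(getUInt(in));
        in.skipNBytes(getUInt(in));
    }

    /** Reads sections until end of stream. Expects the header to be consumed already. */
    private static OpenSshBinaryKrl load(InputStream in) throws IOException {
        OpenSshBinaryKrl krl = new OpenSshBinaryKrl();
        while (true) {
            int sectionType = in.read();
            if (sectionType < 0) {
                return krl;
            }
            switch (sectionType) {
                case SECTION_CERTIFICATES ->
                    readCertificates(krl.certificates, in, getUInt(in));
                case SECTION_KEY ->
                    readBlobs("explicit_keys", krl.blobs, in, getUInt(in), 0L);
                case SECTION_SHA1 ->
                    readBlobs("fingerprint_sha1", krl.sha1, in, getUInt(in), 20L);
                // The signature is not verified, only stepped over.
                case SECTION_SIGNATURE, SECTION_EXTENSION ->
                    in.skipNBytes(getUInt(in));
                case SECTION_SHA256 ->
                    readBlobs("fingerprint_sha256", krl.sha256, in, getUInt(in), 32L);
                default ->
                    throw new StreamCorruptedException(MessageFormat.format(
                            SshdText.get().signKrlUnknownSection, Integer.valueOf(sectionType)));
            }
        }
    }

    /**
     * Reads a section that is a sequence of length-prefixed byte strings.
     *
     * @param sectionName
     *            name used in error messages
     * @param target
     *            set receiving the byte strings
     * @param in
     *            stream to read from
     * @param sectionLength
     *            number of bytes in the section
     * @param expectedLength
     *            required length of every byte string, or 0 for any length
     */
    private static void readBlobs(String sectionName, Set<Blob> target, InputStream in, long sectionLength,
            long expectedLength) throws IOException {
        long remaining = sectionLength;
        while (remaining >= 4) {
            long length = getUInt(in);
            remaining -= 4;
            // Lengths above Integer.MAX_VALUE would turn negative in the int
            // cast below and surface as an unchecked exception.
            if (length > remaining || length > Integer.MAX_VALUE) {
                throw new StreamCorruptedException(MessageFormat.format(
                        SshdText.get().signKrlBlobLengthInvalid, sectionName, Long.valueOf(length)));
            }
            if (expectedLength != 0 && length != expectedLength) {
                throw new StreamCorruptedException(
                        MessageFormat.format(SshdText.get().signKrlBlobLengthInvalidExpected, sectionName,
                                Long.valueOf(length), Long.valueOf(expectedLength)));
            }
            byte[] data = readExactly(in, (int) length);
            remaining -= length;
            target.add(new Blob(data));
        }
        if (remaining != 0) {
            throw new StreamCorruptedException(MessageFormat.format(
                    SshdText.get().signKrlBlobLeftover, sectionName, Long.valueOf(remaining)));
        }
    }

    /**
     * Reads one certificates section: an optional CA key, a skipped
     * length-prefixed field, and at least one sub-section.
     *
     * <p>A zero-length CA key stores the revocations under the null map key.
     */
    private static void readCertificates(Map<Blob, CertificateRevocation> revocations, InputStream in,
            long sectionLength) throws IOException {
        long caKeyLength = getUInt(in);
        long remaining = sectionLength - 4;
        if (caKeyLength > remaining || caKeyLength > Integer.MAX_VALUE) {
            throw new StreamCorruptedException(MessageFormat.format(
                    SshdText.get().signKrlCaKeyLengthInvalid, Long.valueOf(caKeyLength)));
        }
        Blob caKey = null;
        if (caKeyLength > 0) {
            caKey = new Blob(readExactly(in, (int) caKeyLength));
            remaining -= caKeyLength;
        }
        CertificateRevocation revocation = revocations.computeIfAbsent(caKey, k -> new CertificateRevocation());

        long reservedLength = getUInt(in);
        remaining -= 4;
        if (reservedLength > remaining) {
            throw new StreamCorruptedException(MessageFormat.format(
                    SshdText.get().signKrlCaKeyLengthInvalid, Long.valueOf(reservedLength)));
        }
        in.skipNBytes(reservedLength);
        remaining -= reservedLength;
        if (remaining == 0) {
            throw new StreamCorruptedException(SshdText.get().signKrlNoCertificateSubsection);
        }

        while (remaining > 0) {
            int type = in.read();
            if (type < 0) {
                throw new EOFException();
            }
            remaining--;
            if (remaining < 4) {
                throw new StreamCorruptedException(MessageFormat.format(
                        SshdText.get().signKrlCertificateLeftover, Long.valueOf(remaining)));
            }
            long length = getUInt(in);
            remaining -= 4;
            if (length > remaining) {
                throw new StreamCorruptedException(MessageFormat.format(
                        SshdText.get().signKrlCertificateSubsectionLength, Long.valueOf(length)));
            }
            // Empty sub-sections are accepted whatever their type.
            if (length > 0) {
                switch (type) {
                    case CERT_SERIAL_LIST -> readSerials(revocation.ranges, in, length, false);
                    case CERT_SERIAL_RANGES -> readSerials(revocation.ranges, in, length, true);
                    case CERT_SERIAL_BITS -> readSerialBitSet(revocation.ranges, in, length);
                    case CERT_KEY_IDS -> readIds(revocation.keyIds, in, length);
                    case CERT_EXTENSIONS -> in.skipNBytes(length);
                    default ->
                        throw new StreamCorruptedException(MessageFormat.format(
                                SshdText.get().signKrlUnknownSubsection, Long.valueOf(type)));
                }
            }
            remaining -= length;
        }
    }

    /**
     * Reads a list of serial numbers, or of serial number ranges.
     *
     * @param ranges
     *            set receiving the serials
     * @param in
     *            stream to read from
     * @param length
     *            number of bytes in the sub-section
     * @param isRange
     *            {@code true} if the entries are (first, last) pairs,
     *            {@code false} if they are single serials
     */
    private static void readSerials(SerialRangeSet ranges, InputStream in, long length, boolean isRange)
            throws IOException {
        long remaining = length;
        while (remaining >= 8) {
            long first = getLong(in);
            remaining -= 8;
            if (first == 0) {
                throw new StreamCorruptedException(SshdText.get().signKrlSerialZero);
            }
            if (!isRange) {
                ranges.add(first);
                continue;
            }
            if (remaining < 8) {
                throw new StreamCorruptedException(MessageFormat.format(
                        SshdText.get().signKrlShortRange, Long.valueOf(remaining)));
            }
            long last = getLong(in);
            remaining -= 8;
            // Serials are compared as unsigned 64-bit values.
            if (Long.compareUnsigned(first, last) > 0) {
                throw new StreamCorruptedException(SshdText.get().signKrlEmptyRange);
            }
            ranges.add(first, last);
        }
        if (remaining != 0) {
            throw new StreamCorruptedException(MessageFormat.format(
                    SshdText.get().signKrlCertificateSubsectionLeftover, Long.valueOf(remaining)));
        }
    }

    /**
     * Reads serial numbers given as bit sets: each entry is a base serial, a
     * byte count, and that many bytes in which every set bit marks the serial
     * {@code base + bitIndex} as revoked.
     *
     * <p>The first byte in the stream holds the highest bit indices; within a
     * byte, bit 0 is the least significant bit.
     */
    private static void readSerialBitSet(SerialRangeSet ranges, InputStream in, long length)
            throws IOException {
        long remaining = length;
        while (remaining > 0) {
            if (remaining < 8) {
                throw new StreamCorruptedException(MessageFormat.format(
                        SshdText.get().signKrlCertificateSubsectionLeftover, Long.valueOf(remaining)));
            }
            long base = getLong(in);
            remaining -= 8;
            if (remaining < 4) {
                throw new StreamCorruptedException(MessageFormat.format(
                        SshdText.get().signKrlCertificateSubsectionLeftover, Long.valueOf(remaining)));
            }
            long byteCount = getUInt(in);
            remaining -= 4;
            if (byteCount == 0 || byteCount > remaining) {
                throw new StreamCorruptedException(MessageFormat.format(
                        SshdText.get().signKrlInvalidBitSetLength, Long.valueOf(byteCount)));
            }
            // Index and offset are computed as long: a byte count above
            // Integer.MAX_VALUE must not wrap in an int cast (which would skip
            // the loop and desynchronize the stream), and byteIndex * 8 must
            // not overflow int.
            for (long byteIndex = byteCount - 1; byteIndex >= 0; byteIndex--) {
                int bits = in.read();
                if (bits < 0) {
                    throw new EOFException();
                }
                if (bits == 0) {
                    continue;
                }
                for (int bit = 0; bit < 8; bit++) {
                    if ((bits & (1 << bit)) != 0) {
                        ranges.add(base + (byteIndex << 3) + bit);
                    }
                }
            }
            remaining -= byteCount;
        }
    }

    /** Reads a sequence of length-prefixed key IDs, decoded as UTF-8. */
    private static void readIds(Set<String> ids, InputStream in, long length) throws IOException {
        long remaining = length;
        while (remaining >= 4) {
            long idLength = getUInt(in);
            remaining -= 4;
            // Lengths above Integer.MAX_VALUE would turn negative in the int
            // cast below and surface as an unchecked exception.
            if (idLength > remaining || idLength > Integer.MAX_VALUE) {
                throw new StreamCorruptedException(MessageFormat.format(
                        SshdText.get().signKrlInvalidKeyIdLength, Long.valueOf(idLength)));
            }
            byte[] raw = readExactly(in, (int) idLength);
            ids.add(new String(raw, StandardCharsets.UTF_8));
            remaining -= idLength;
        }
        if (remaining != 0) {
            throw new StreamCorruptedException(MessageFormat.format(
                    SshdText.get().signKrlCertificateSubsectionLeftover, Long.valueOf(remaining)));
        }
    }
}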
