package com.jetbrains.gateway.internal.toolboxFeed;

import com.jetbrains.gateway.ssh.SshPortForwarder;
import java.io.InputStream;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import kotlin.Lazy;
import kotlin.LazyKt;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.collections.SetsKt;
import kotlin.io.CloseableKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import kotlin.text.StringsKt;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.jcajce.JcaCertStoreBuilder;
import org.bouncycastle.cms.CMSSignedDataParser;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSignerInfoVerifierBuilder;
import org.bouncycastle.cms.jcajce.JcaX509CertSelectorConverter;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.SignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.jetbrains.annotations.NotNull;

/* compiled from: ToolboxFeedSignatureManager.kt */
@Metadata(mv = {2, 0, 0}, k = SshPortForwarder.useBlockingChannels, xi = 48, d1 = {"��,\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0010\u0012\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\"\n\u0002\b\u0003\bÆ\u0002\u0018��2\u00020\u0001:\u0001\u0013B\t\b\u0002¢\u0006\u0004\b\u0002\u0010\u0003J\u000e\u0010\n\u001a\u00020\u000b2\u0006\u0010\f\u001a\u00020\u000bJ,\u0010\r\u001a\u00020\u000e2\u0006\u0010\u000f\u001a\u00020\u00052\f\u0010\u0010\u001a\b\u0012\u0004\u0012\u00020\u00050\u00112\f\u0010\u0012\u001a\b\u0012\u0004\u0012\u00020\u00050\u0011H\u0002R\u001b\u0010\u0004\u001a\u00020\u00058BX\u0082\u0084\u0002¢\u0006\f\n\u0004\b\b\u0010\t\u001a\u0004\b\u0006\u0010\u0007¨\u0006\u0014"}, d2 = {"Lcom/jetbrains/gateway/internal/toolboxFeed/ToolboxFeedSignatureManager;", "", "<init>", "()V", "trustedRoot", "Ljava/security/cert/X509Certificate;", "getTrustedRoot", "()Ljava/security/cert/X509Certificate;", "trustedRoot$delegate", "Lkotlin/Lazy;", "unpackAndVerify", "", "data", "verifyCertificate", "Ljava/security/cert/PKIXCertPathBuilderResult;", "cert", "trustedRootCerts", "", "intermediateCerts", "WhitelistedSignatureAlgorithmIdentifierFinder", "intellij.gateway.core"})
@SourceDebugExtension({"SMAP\nToolboxFeedSignatureManager.kt\nKotlin\n*S Kotlin\n*F\n+ 1 ToolboxFeedSignatureManager.kt\ncom/jetbrains/gateway/internal/toolboxFeed/ToolboxFeedSignatureManager\n+ 2 fake.kt\nkotlin/jvm/internal/FakeKt\n+ 3 _Collections.kt\nkotlin/collections/CollectionsKt___CollectionsKt\n*L\n1#1,108:1\n1#2:109\n1557#3:110\n1628#3,3:111\n1557#3:114\n1628#3,3:115\n*S KotlinDebug\n*F\n+ 1 ToolboxFeedSignatureManager.kt\ncom/jetbrains/gateway/internal/toolboxFeed/ToolboxFeedSignatureManager\n*L\n36#1:110\n36#1:111,3\n71#1:114\n71#1:115,3\n*E\n"})
/* loaded from: input_file:com/jetbrains/gateway/internal/toolboxFeed/ToolboxFeedSignatureManager.class */
public final class ToolboxFeedSignatureManager {

    // Sole instance of this class; the constructor is private, so callers reach unpackAndVerify()
    // through this field.
    @NotNull
    public static final ToolboxFeedSignatureManager INSTANCE = new ToolboxFeedSignatureManager();

    // Lazy holder for the single trust anchor used for chain validation. The initialiser is
    // trustedRoot_delegate$lambda$1, which parses the "toolbox-feed-ca.crt" class-path resource; it is
    // only invoked through getValue() in getTrustedRoot(), not at class-load time.
    @NotNull
    private static final Lazy trustedRoot$delegate = LazyKt.lazy(ToolboxFeedSignatureManager::trustedRoot_delegate$lambda$1);

    /* compiled from: ToolboxFeedSignatureManager.kt */
    @Metadata(mv = {2, 0, 0}, k = SshPortForwarder.useBlockingChannels, xi = 48, d1 = {"��$\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010 \n\u0002\u0010\u000e\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\b\u0002\u0018��2\u00020\u0001B\u0007¢\u0006\u0004\b\u0002\u0010\u0003J\u0010\u0010\t\u001a\u00020\n2\u0006\u0010\u000b\u001a\u00020\u0006H\u0016R\u0014\u0010\u0004\u001a\b\u0012\u0004\u0012\u00020\u00060\u0005X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0007\u001a\u00020\bX\u0082\u0004¢\u0006\u0002\n��¨\u0006\f"}, d2 = {"Lcom/jetbrains/gateway/internal/toolboxFeed/ToolboxFeedSignatureManager$WhitelistedSignatureAlgorithmIdentifierFinder;", "Lorg/bouncycastle/operator/SignatureAlgorithmIdentifierFinder;", "<init>", "()V", "whitelistedAlgNamePrefixes", "", "", "default", "Lorg/bouncycastle/operator/DefaultSignatureAlgorithmIdentifierFinder;", "find", "Lorg/bouncycastle/asn1/x509/AlgorithmIdentifier;", "algName", "intellij.gateway.core"})
    @SourceDebugExtension({"SMAP\nToolboxFeedSignatureManager.kt\nKotlin\n*S Kotlin\n*F\n+ 1 ToolboxFeedSignatureManager.kt\ncom/jetbrains/gateway/internal/toolboxFeed/ToolboxFeedSignatureManager$WhitelistedSignatureAlgorithmIdentifierFinder\n+ 2 _Collections.kt\nkotlin/collections/CollectionsKt___CollectionsKt\n*L\n1#1,108:1\n2632#2,3:109\n*S KotlinDebug\n*F\n+ 1 ToolboxFeedSignatureManager.kt\ncom/jetbrains/gateway/internal/toolboxFeed/ToolboxFeedSignatureManager$WhitelistedSignatureAlgorithmIdentifierFinder\n*L\n100#1:109,3\n*E\n"})
    /* loaded from: input_file:com/jetbrains/gateway/internal/toolboxFeed/ToolboxFeedSignatureManager$WhitelistedSignatureAlgorithmIdentifierFinder.class */
    private static final class WhitelistedSignatureAlgorithmIdentifierFinder implements SignatureAlgorithmIdentifierFinder {

        // Allow-list consulted by find(): a signature algorithm name is accepted only if it begins with
        // one of these digest names. All six are SHA-2 / SHA-3 digests of 256 bits or more, so names that
        // begin with anything else (MD5, SHA1, SHA224, ...) are refused. Matching is by prefix only, so
        // the part of the name after the digest is not constrained here.
        @NotNull
        private final List<String> whitelistedAlgNamePrefixes = CollectionsKt.listOf(new String[]{"SHA256", "SHA384", "SHA512", "SHA3-256", "SHA3-384", "SHA3-512"});

        /* renamed from: default, reason: not valid java name */
        // Stock BouncyCastle finder; find() delegates to it once the name has passed the allow-list.
        @NotNull
        private final DefaultSignatureAlgorithmIdentifierFinder f0default = new DefaultSignatureAlgorithmIdentifierFinder();

        /**
         * Resolves a signature algorithm name to its {@link AlgorithmIdentifier}, but only for names that
         * start with one of the allow-listed digest prefixes.
         *
         * <p>This is the gate that keeps weak-digest signatures out of feed verification: a name that does
         * not start with a listed prefix never reaches the default finder. The comparison is
         * case-sensitive (ignoreCase is passed as {@code false}).
         * NOTE(review): the exact spelling and casing of the names BouncyCastle passes in is not visible
         * in this file; confirm it always begins with the digest name in upper case.
         *
         * @param str the signature algorithm name to look up
         * @return the identifier returned by the default BouncyCastle finder
         * @throws IllegalStateException if the name matches none of the allow-listed prefixes
         */
        @NotNull
        public AlgorithmIdentifier find(@NotNull String str) {
            Intrinsics.checkNotNullParameter(str, "algName");

            boolean allowed = false;
            for (String prefix : this.whitelistedAlgNamePrefixes) {
                if (StringsKt.startsWith$default(str, prefix, false, 2, (Object) null)) {
                    allowed = true;
                    break;
                }
            }
            // Fail closed: an empty allow-list or an unmatched name is rejected before any lookup.
            if (!allowed) {
                throw new IllegalStateException("Signature algorithm " + str + " is not whitelisted");
            }

            AlgorithmIdentifier resolved = this.f0default.find(str);
            Intrinsics.checkNotNullExpressionValue(resolved, "find(...)");
            return resolved;
        }
    }

    /** Private so that {@link #INSTANCE} is the only instance of this class. */
    private ToolboxFeedSignatureManager() {}

    /**
     * Returns the trust anchor held by the lazy delegate.
     *
     * @return the value of {@code trustedRoot$delegate}, cast to {@link X509Certificate}
     */
    private final X509Certificate getTrustedRoot() {
        Object cached = trustedRoot$delegate.getValue();
        return (X509Certificate) cached;
    }

    /**
     * Parses {@code bArr} as a CMS SignedData structure, reads the encapsulated content, verifies every
     * signer, and returns the content bytes only after all checks have passed.
     *
     * <p>Checks performed per signer, in order: the signer certificate must be present among the
     * certificates embedded in the message; the signature must verify with an algorithm accepted by
     * {@code WhitelistedSignatureAlgorithmIdentifierFinder}; and {@code verifyCertificate} must build a
     * path from that certificate to the bundled trusted root. A message with no signers is rejected.
     *
     * <p>NOTE(review): as decompiled, the outer {@code catch (Throwable)} also wraps the verification
     * failures thrown inside the body, so every failure reaches the caller with the message
     * "Unable to read DER-encoded CMS from input data"; the specific reason is only in the cause.
     * Logging and alerting on feed-signature failures should therefore inspect {@code getCause()}.
     *
     * @param bArr the encoded CMS message; treated as untrusted input
     * @return the signed content extracted from the message
     * @throws IllegalStateException on any parsing or verification failure (cause attached)
     */
    @NotNull
    public final byte[] unpackAndVerify(@NotNull byte[] bArr) {
        Intrinsics.checkNotNullParameter(bArr, "data");
        // The same digest provider is used for parsing and, below, for building each signer verifier.
        DigestCalculatorProvider bcDigestCalculatorProvider = new BcDigestCalculatorProvider();
        try {
            CMSSignedDataParser cMSSignedDataParser = new CMSSignedDataParser(bcDigestCalculatorProvider, bArr);
            InputStream contentStream = cMSSignedDataParser.getSignedContent().getContentStream();
            // `th` is never reassigned, so the closeFinally call in the catch below always receives null.
            // NOTE(review): this looks like decompiler residue of a Kotlin `use {}` block — confirm against the bytecode.
            Throwable th = null;
            try {
                try {
                    // The whole content is buffered in memory; no size limit is applied in this method.
                    // NOTE(review): CMSSignedDataParser is a streaming parser, so the content is presumably
                    // drained before certificates and signer infos are read on purpose — keep this order.
                    // These bytes are unverified until the signer loop below has completed.
                    byte[] readAllBytes = contentStream.readAllBytes();
                    CloseableKt.closeFinally(contentStream, (Throwable) null);
                    // Certificates embedded in the message: supplied by whoever produced the input, so they
                    // carry no trust of their own. They serve as the signer-certificate lookup table and as
                    // candidate intermediates for path building.
                    CertStore build = new JcaCertStoreBuilder().addCertificates(cMSSignedDataParser.getCertificates()).build();
                    // A null selector returns every certificate in the store.
                    Collection<? extends Certificate> certificates = build.getCertificates(null);
                    Intrinsics.checkNotNullExpressionValue(certificates, "getCertificates(...)");
                    Collection<? extends Certificate> collection = certificates;
                    ArrayList arrayList = new ArrayList(CollectionsKt.collectionSizeOrDefault(collection, 10));
                    for (Certificate certificate : collection) {
                        Intrinsics.checkNotNull(certificate, "null cannot be cast to non-null type java.security.cert.X509Certificate");
                        // A non-X.509 entry fails this cast; the outer catch turns that into IllegalStateException.
                        arrayList.add((X509Certificate) certificate);
                    }
                    Set<? extends X509Certificate> set = CollectionsKt.toSet(arrayList);
                    WhitelistedSignatureAlgorithmIdentifierFinder whitelistedSignatureAlgorithmIdentifierFinder = new WhitelistedSignatureAlgorithmIdentifierFinder();
                    Iterable signerInfos = cMSSignedDataParser.getSignerInfos();
                    Intrinsics.checkNotNullExpressionValue(signerInfos, "getSignerInfos(...)");
                    List<SignerInformation> list = CollectionsKt.toList(signerInfos);
                    // Fail closed on an unsigned container: without this check the loop below would run
                    // zero times and the content would be returned unverified.
                    if (list.isEmpty()) {
                        throw new IllegalStateException("CMS content is not signed (empty signers list)".toString());
                    }
                    // Every signer must pass; the first failure aborts the whole call. i/i2 only number
                    // the signatures for the error messages.
                    int i = 0;
                    for (SignerInformation signerInformation : list) {
                        int i2 = i;
                        i++;
                        // Look the signer certificate up by signer id among the embedded certificates;
                        // if several match, only the first is used.
                        Collection<? extends Certificate> certificates2 = build.getCertificates(new JcaX509CertSelectorConverter().getCertSelector(signerInformation.getSID()));
                        Intrinsics.checkNotNullExpressionValue(certificates2, "getCertificates(...)");
                        Certificate certificate2 = (Certificate) CollectionsKt.firstOrNull(certificates2);
                        if (certificate2 == null) {
                            throw new IllegalStateException(("Can't find signer certificate in embedded certificates for signature #" + i2).toString());
                        }
                        JcaSignerInfoVerifierBuilder jcaSignerInfoVerifierBuilder = new JcaSignerInfoVerifierBuilder(bcDigestCalculatorProvider);
                        // Restrict signature algorithms to the allow-list instead of BouncyCastle's default finder.
                        jcaSignerInfoVerifierBuilder.setSignatureAlgorithmFinder(whitelistedSignatureAlgorithmIdentifierFinder);
                        // This proves only that the holder of the embedded certificate's key signed the
                        // content; the certificate itself is still untrusted at this point.
                        if (!signerInformation.verify(jcaSignerInfoVerifierBuilder.build((X509Certificate) certificate2))) {
                            throw new IllegalStateException(("Can't verify signature hash correctness for signature #" + i2).toString());
                        }
                        // Ties the signer certificate to the bundled root. The returned path is discarded;
                        // failure is expected to surface as an exception from the path builder.
                        verifyCertificate((X509Certificate) certificate2, SetsKt.setOf(getTrustedRoot()), set);
                    }
                    Intrinsics.checkNotNull(readAllBytes);
                    // Reached only when every signer verified and chained to the trusted root.
                    return readAllBytes;
                } finally {
                }
            } catch (Throwable th2) {
                // Closes the stream again on failure; with `th` always null, an exception from close()
                // would replace th2 rather than be attached to it.
                CloseableKt.closeFinally(contentStream, th);
                throw th2;
            }
        } catch (Throwable th3) {
            // Catches everything, including Errors and the verification failures thrown above.
            throw new IllegalStateException("Unable to read DER-encoded CMS from input data", th3);
        }
    }

    /**
     * Builds a PKIX certification path from the given certificate to one of the supplied trust anchors.
     *
     * <p>Security-relevant properties visible in this method:
     * <ul>
     *   <li>Revocation checking is switched off, so a revoked but otherwise valid signer or
     *       intermediate certificate still yields a path. Compromise of a signing key therefore has to
     *       be handled some other way (for example by replacing the bundled root).</li>
     *   <li>The selector pins only the target certificate; no key-usage or extended-key-usage
     *       constraint is set here. NOTE(review): whether the feed CA issues certificates for other
     *       purposes is not visible in this file — confirm.</li>
     *   <li>No validation date is set, so the builder's default applies (the current time, per the
     *       JDK's PKIXParameters documentation).</li>
     * </ul>
     *
     * @param x509Certificate the certificate whose chain is to be built (the signer certificate)
     * @param set the trusted root certificates; each becomes a {@link TrustAnchor} without name constraints
     * @param set2 untrusted candidate certificates offered to the builder as possible intermediates
     * @return the result of the PKIX path build
     */
    private final PKIXCertPathBuilderResult verifyCertificate(X509Certificate x509Certificate, Set<? extends X509Certificate> set, Set<? extends X509Certificate> set2) {
        // Target of the path search: exactly the certificate passed in.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(x509Certificate);

        ArrayList anchors = new ArrayList(CollectionsKt.collectionSizeOrDefault(set, 10));
        for (X509Certificate root : set) {
            anchors.add(new TrustAnchor(root, null));
        }

        PKIXBuilderParameters params = new PKIXBuilderParameters((Set<TrustAnchor>) CollectionsKt.toSet(anchors), target);
        // No CRL/OCSP lookups are made during path validation.
        params.setRevocationEnabled(false);
        // Candidates only: certificates from this store are used to link the target to an anchor and
        // are not trusted by themselves.
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(set2)));

        CertPathBuilderResult built = CertPathBuilder.getInstance("PKIX").build(params);
        Intrinsics.checkNotNull(built, "null cannot be cast to non-null type java.security.cert.PKIXCertPathBuilderResult");
        return (PKIXCertPathBuilderResult) built;
    }

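    /**
     * Loads the feed CA certificate from the {@code toolbox-feed-ca.crt} class-path resource and parses
     * it as X.509. This is the initialiser behind {@code trustedRoot$delegate}.
     *
     * <p>The certificate returned here is the only trust anchor handed to {@code verifyCertificate}, so
     * its integrity is that of the class path: whichever resource of this name the class loader
     * resolves is trusted as the root. No fingerprint or validity check is applied to it in this
     * method.
     *
     * @return the parsed root certificate
     * @throws IllegalStateException if the resource is not found
     */
    private static final X509Certificate trustedRoot_delegate$lambda$1() {
        InputStream resourceAsStream = ToolboxFeedSignatureManager.class.getClassLoader().getResourceAsStream("toolbox-feed-ca.crt");
        if (resourceAsStream == null) {
            throw new IllegalStateException("Unable to load toolbox feed CA from resources");
        }
        // try-with-resources closes the stream exactly once; if parsing fails and close() fails too,
        // the parse failure is kept and the close failure is attached as suppressed. The decompiled
        // form always passed null as the primary exception, so a close() failure could replace it.
        try (InputStream inputStream = resourceAsStream) {
            Certificate generateCertificate = CertificateFactory.getInstance("X.509").generateCertificate(inputStream);
            Intrinsics.checkNotNull(generateCertificate, "null cannot be cast to non-null type java.security.cert.X509Certificate");
            return (X509Certificate) generateCertificate;
        }
    }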
}
