package com.evolveum.midpoint.web.boot;

import com.evolveum.midpoint.repo.common.subscription.JarSignatureHolder;
import com.evolveum.midpoint.util.logging.LoggingUtils;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import org.jetbrains.annotations.NotNull;
import org.springframework.boot.system.ApplicationHome;

/* loaded from: input_file:BOOT-INF/lib/admin-gui-4.8.7-SNAPSHOT.jar:com/evolveum/midpoint/web/boot/MidPointJarSignatureChecker.class */
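/**
 * Checks at startup whether the application JAR is signed with the expected certificate and
 * publishes the result through {@link JarSignatureHolder}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The reference certificate ({@code jar-signing.cer}) is loaded from the class path.
 *       NOTE(review): if that resource ships inside the artifact being verified, the result is a
 *       tamper indicator, not an independent trust decision. Confirm where the resource comes from.</li>
 *   <li>The presence of {@code overlay-info.txt} on the class path short-circuits the check.</li>
 *   <li>Certificates are compared by equality only; no validity-period or revocation check is
 *       performed here.</li>
 * </ul>
 */
public class MidPointJarSignatureChecker {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) MidPointJarSignatureChecker.class);

    /** Runs the signature check once and stores the outcome in {@link JarSignatureHolder}. */
    public static void setupJarSignature() {
        JarSignatureHolder.setJarSignatureValidity(checkJarSignature());
    }

    /**
     * Determines the signature status of the JAR the application was started from.
     *
     * @return {@code OVERLAY_DETECTED} when an overlay marker is present, {@code NOT_APPLICABLE}
     *         when the application source is not a {@code .jar} file, {@code ERROR} when the
     *         check itself failed with an exception, otherwise the result of {@link #verify(JarFile)}
     */
    @NotNull
    private static JarSignatureHolder.Validity checkJarSignature() {
        if (isOverlayDetected()) {
            return JarSignatureHolder.Validity.OVERLAY_DETECTED;
        }
        try {
            // ApplicationHome.getSource() may return null; the resulting NPE is caught below
            // and reported as ERROR rather than as a passed or skipped check.
            File source = new ApplicationHome(MidPointSpringApplication.class).getSource();
            if (!source.isFile() || !source.getName().toLowerCase().endsWith(".jar")) {
                LOGGER.info("Application is not running from a JAR file, skipping JAR signature check: {}", source);
                return JarSignatureHolder.Validity.NOT_APPLICABLE;
            }
            // JarFile(File) opens the archive with signature verification enabled.
            // try-with-resources closes the archive even when verify() throws.
            try (JarFile jarFile = new JarFile(source)) {
                return verify(jarFile);
            }
        } catch (Exception e) {
            LoggingUtils.logException(LOGGER, "Couldn't verify JAR file signature", e, new Object[0]);
            return JarSignatureHolder.Validity.ERROR;
        }
    }

    /**
     * Reports whether the overlay marker resource is visible on the class path.
     *
     * @return {@code true} when {@code overlay-info.txt} can be resolved by this class's loader
     */
    private static boolean isOverlayDetected() {
        if (MidPointJarSignatureChecker.class.getClassLoader().getResource("overlay-info.txt") == null) {
            return false;
        }
        LOGGER.info("The overlay-info.txt file was found, skipping JAR signature check");
        return true;
    }

    /**
     * Verifies that every non-directory entry of the JAR is signed with the reference certificate.
     *
     * @param jarFile the opened archive to inspect
     * @return {@code ERROR} when the reference certificate resource is missing, {@code INVALID}
     *         when an entry fails verification, carries no matching certificate, or is unsigned
     *         outside {@code META-INF/}; {@code VALID} otherwise
     * @throws IOException when reading the certificate or a JAR entry fails
     * @throws CertificateException when the reference certificate cannot be parsed
     */
    private static JarSignatureHolder.Validity verify(JarFile jarFile) throws IOException, CertificateException {
        X509Certificate expectedCertificate;
        try (InputStream certificateStream =
                MidPointJarSignatureChecker.class.getClassLoader().getResourceAsStream("jar-signing.cer")) {
            if (certificateStream == null) {
                LOGGER.info("No jar signing certificate found");
                return JarSignatureHolder.Validity.ERROR;
            }
            expectedCertificate = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(certificateStream);
        }

        byte[] buffer = new byte[8192];
        Enumeration<JarEntry> entries = jarFile.entries();
        while (entries.hasMoreElements()) {
            JarEntry entry = entries.nextElement();
            if (entry.isDirectory()) {
                continue;
            }
            LOGGER.trace("Checking JAR entry {}", entry);
            try {
                // The entry has to be read to the end before getCertificates() returns its
                // signers; a digest mismatch surfaces as SecurityException during the read.
                try (InputStream entryStream = jarFile.getInputStream(entry)) {
                    while (entryStream.read(buffer, 0, buffer.length) != -1) {
                        // drain only; the content itself is not needed
                    }
                }
                Certificate[] certificates = entry.getCertificates();
                if (certificates != null && certificates.length != 0) {
                    if (!containsCertificate(certificates, expectedCertificate)) {
                        LOGGER.info("File without matching certificate in JAR: {}", entry);
                        return JarSignatureHolder.Validity.INVALID;
                    }
                } else if (!entry.getName().startsWith("META-INF/")) {
                    // NOTE(review): this exempts every unsigned file under META-INF/, not only
                    // the manifest and signature files. Consider narrowing the exemption if
                    // other META-INF content (e.g. service or framework descriptors) matters.
                    LOGGER.info("Unsigned file in JAR (only those in META-INF are allowed to be unsigned): {}", entry);
                    return JarSignatureHolder.Validity.INVALID;
                }
            } catch (SecurityException e) {
                LOGGER.info("JAR signature verification failed for entry {}", entry, e);
                return JarSignatureHolder.Validity.INVALID;
            }
        }
        LOGGER.info("JAR signature verification succeeded for {}", jarFile.getName());
        return JarSignatureHolder.Validity.VALID;
    }

    /** Returns whether any certificate attached to an entry equals the expected one. */
    private static boolean containsCertificate(Certificate[] certificates, X509Certificate expectedCertificate) {
        for (Certificate certificate : certificates) {
            if (certificate.equals(expectedCertificate)) {
                return true;
            }
        }
        return false;
    }
}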
