package com.intellij.ide.plugins.marketplace;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.intellij.ide.IdeBundle;
import com.intellij.ide.plugins.IdeaPluginDescriptor;
import com.intellij.ide.plugins.certificates.PluginCertificateStore;
import com.intellij.ide.plugins.marketplace.statistics.PluginManagerUsageCollector;
import com.intellij.ide.plugins.marketplace.statistics.enums.DialogAcceptanceResultEnum;
import com.intellij.ide.plugins.marketplace.statistics.enums.SignatureVerificationResult;
import com.intellij.openapi.application.ApplicationManager;
import com.intellij.openapi.application.ModalityState;
import com.intellij.openapi.diagnostic.Logger;
import com.intellij.openapi.ui.Messages;
import com.intellij.openapi.util.registry.RegistryManager;
import com.intellij.platform.util.io.storages.blobstorage.StreamlinedBlobStorageHelper;
import com.intellij.util.io.HttpRequests;
import com.intellij.util.net.ssl.CertificateUtil;
import java.io.File;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import kotlin.ExperimentalUnsignedTypes;
import kotlin.Lazy;
import kotlin.LazyKt;
import kotlin.Metadata;
import kotlin.NoWhenBranchMatchedException;
import kotlin.Result;
import kotlin.ResultKt;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.JvmStatic;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.Ref;
import kotlin.jvm.internal.SourceDebugExtension;
import kotlin.text.StringsKt;
import org.jetbrains.annotations.ApiStatus;
import org.jetbrains.annotations.Nls;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.zip.signer.signer.CertificateUtils;
import org.jetbrains.zip.signer.verifier.InvalidSignatureResult;
import org.jetbrains.zip.signer.verifier.MissingSignatureResult;
import org.jetbrains.zip.signer.verifier.SuccessfulVerificationResult;
import org.jetbrains.zip.signer.verifier.ZipVerifier;

/* compiled from: PluginSignatureChecker.kt */
@ApiStatus.Internal
@Metadata(mv = {2, 0, 0}, k = 1, xi = StreamlinedBlobStorageHelper.HeaderLayout.DATA_FORMAT_VERSION_OFFSET, d1 = {"��\\\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0003\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\u0010\u000e\n��\n\u0002\u0018\u0002\n\u0002\u0010\u000b\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0006\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010 \n\u0002\b\u0003\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0011\n\u0002\b\b\bÁ\u0002\u0018��2\u00020\u0001B\t\b\u0002¢\u0006\u0004\b\u0002\u0010\u0003J,\u0010\u0013\u001a\u00020\u000b2\u0006\u0010\u0014\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u00172\b\b\u0002\u0010\u0018\u001a\u00020\u000b2\b\b\u0002\u0010\u0019\u001a\u00020\u000bH\u0007J(\u0010\u001a\u001a\u00020\u000b2\u0006\u0010\u0014\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u00172\u000e\b\u0002\u0010\u001b\u001a\b\u0012\u0004\u0012\u00020\u000e0\u001cH\u0002J(\u0010\u001d\u001a\u00020\u000b2\u0006\u0010\u0014\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u00172\u000e\b\u0002\u0010\u001b\u001a\b\u0012\u0004\u0012\u00020\u000e0\u001cH\u0002J\b\u0010\u001e\u001a\u00020\u000bH\u0002J\u001c\u0010\u001f\u001a\b\u0012\u0004\u0012\u00020 
0\u001c2\f\u0010!\u001a\b\u0012\u0004\u0012\u00020\"0\u001cH\u0002J;\u0010#\u001a\u00020\u000b2\u0006\u0010\u0014\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u00172\b\b\u0002\u0010\u0019\u001a\u00020\u000b2\u0012\u0010$\u001a\n\u0012\u0006\b\u0001\u0012\u00020\u000e0%\"\u00020\u000eH\u0002¢\u0006\u0002\u0010&J3\u0010'\u001a\u0004\u0018\u00010\b2\u0006\u0010\u0014\u001a\u00020\u00152\u0006\u0010(\u001a\u00020\u00172\u0012\u0010\u001b\u001a\n\u0012\u0006\b\u0001\u0012\u00020\u000e0%\"\u00020\u000eH\u0003¢\u0006\u0002\u0010)J\u0010\u0010*\u001a\u00020\b2\u0006\u0010\u0014\u001a\u00020\u0015H\u0003J\u001a\u0010+\u001a\u00020\u000b2\u0006\u0010\u0014\u001a\u00020\u00152\b\b\u0001\u0010,\u001a\u00020\bH\u0002R\u000e\u0010\u0004\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n��Rh\u0010\u0006\u001aZ\u0012\f\u0012\n \t*\u0004\u0018\u00010\b0\b\u0012\u0018\u0012\u0016\u0012\u0004\u0012\u00020\u000b \t*\n\u0012\u0004\u0012\u00020\u000b\u0018\u00010\n0\n \t*,\u0012\f\u0012\n \t*\u0004\u0018\u00010\b0\b\u0012\u0018\u0012\u0016\u0012\u0004\u0012\u00020\u000b \t*\n\u0012\u0004\u0012\u00020\u000b\u0018\u00010\n0\n\u0018\u00010\u00070\u0007X\u0082\u0004¢\u0006\u0004\n\u0002\u0010\fR\u001d\u0010\r\u001a\u0004\u0018\u00010\u000e8BX\u0082\u0084\u0002¢\u0006\f\n\u0004\b\u0011\u0010\u0012\u001a\u0004\b\u000f\u0010\u0010¨\u0006-"}, d2 = {"Lcom/intellij/ide/plugins/marketplace/PluginSignatureChecker;", "", "<init>", "()V", "LOG", "Lcom/intellij/openapi/diagnostic/Logger;", "jetBrainsCertificateRevokedCache", "Lcom/github/benmanes/caffeine/cache/Cache;", "", "kotlin.jvm.PlatformType", "Ljava/util/Optional;", "", "Lcom/github/benmanes/caffeine/cache/Cache;", "jetbrainsCertificate", "Ljava/security/cert/Certificate;", "getJetbrainsCertificate", "()Ljava/security/cert/Certificate;", "jetbrainsCertificate$delegate", "Lkotlin/Lazy;", "verifyIfRequired", "descriptor", "Lcom/intellij/ide/plugins/IdeaPluginDescriptor;", "pluginFile", "Ljava/io/File;", "isMarketplace", "showAcceptDialog", 
"isSignedInBackground", "certificates", "", "isSignedInWithAcceptDialog", "isJetBrainsCertificateRevoked", "getRevocationLists", "Ljava/security/cert/X509CRL;", "certs", "Ljava/security/cert/X509Certificate;", "isSignedBy", "certificate", "", "(Lcom/intellij/ide/plugins/IdeaPluginDescriptor;Ljava/io/File;Z[Ljava/security/cert/Certificate;)Z", "verifyPluginAndGetErrorMessage", "file", "(Lcom/intellij/ide/plugins/IdeaPluginDescriptor;Ljava/io/File;[Ljava/security/cert/Certificate;)Ljava/lang/String;", "getSignatureWarningMessage", "processSignatureCheckerVerdict", "message", "intellij.platform.ide.impl"})
@SourceDebugExtension({"SMAP\nPluginSignatureChecker.kt\nKotlin\n*S Kotlin\n*F\n+ 1 PluginSignatureChecker.kt\ncom/intellij/ide/plugins/marketplace/PluginSignatureChecker\n+ 2 fake.kt\nkotlin/jvm/internal/FakeKt\n+ 3 ArraysJVM.kt\nkotlin/collections/ArraysKt__ArraysJVMKt\n+ 4 _Collections.kt\nkotlin/collections/CollectionsKt___CollectionsKt\n+ 5 _Arrays.kt\nkotlin/collections/ArraysKt___ArraysKt\n+ 6 logger.kt\ncom/intellij/openapi/diagnostic/LoggerKt\n*L\n1#1,222:1\n1#2:223\n1#2:238\n37#3,2:224\n37#3,2:226\n1611#4,9:228\n1863#4:237\n1864#4:239\n1620#4:240\n12574#5,2:241\n14#6:243\n*S KotlinDebug\n*F\n+ 1 PluginSignatureChecker.kt\ncom/intellij/ide/plugins/marketplace/PluginSignatureChecker\n*L\n129#1:238\n90#1:224,2\n113#1:226,2\n129#1:228,9\n129#1:237\n129#1:239\n129#1:240\n178#1:241,2\n35#1:243\n*E\n"})
/* loaded from: input_file:com/intellij/ide/plugins/marketplace/PluginSignatureChecker.class */
public final class PluginSignatureChecker {
    /*
     * Decompiled view of the Kotlin object PluginSignatureChecker: decides whether a plugin archive
     * carries a ZIP signature made by a trusted certificate before the plugin is accepted.
     *
     * Trust anchors visible in this file:
     *   - certificates from PluginCertificateStore's custom trust manager,
     *   - PluginCertificateStore's managed trusted certificates,
     *   - the certificate loaded from the "ca.crt" class-path resource.
     *
     * Reading notes for reviewers:
     *   - The whole check is skipped (treated as passed) when the relevant registry flag is off.
     *   - In the dialog path every failure ends in a yes/no prompt, and a result of 0 from that
     *     prompt makes the check return true, so the user can override a failed verification.
     *   - Some statements are decompiler artefacts and not valid Java (Result.constructor-impl,
     *     the r1..r5 lambda arguments); treat them as a rendering of the bytecode.
     */

    /** Singleton instance; the private instance methods below are reached through it. */
    @NotNull
    public static final PluginSignatureChecker INSTANCE = new PluginSignatureChecker();

    @NotNull
    private static final Logger LOG;
    // Caches the revocation verdict; the static initializer sets a one-hour expire-after-write.
    private static final Cache<String, Optional<Boolean>> jetBrainsCertificateRevokedCache;

    // Lazily loads the bundled certificate (see jetbrainsCertificate_delegate$lambda$0).
    @NotNull
    private static final Lazy jetbrainsCertificate$delegate;

    private PluginSignatureChecker() {
    }

    /**
     * Returns the lazily loaded bundled certificate, or {@code null} when the "ca.crt" resource
     * could not be found.
     */
    private final Certificate getJetbrainsCertificate() {
        return (Certificate) jetbrainsCertificate$delegate.getValue();
    }

    /**
     * Entry point: verifies the plugin file's signature when the matching registry flag is on.
     *
     * @param ideaPluginDescriptor descriptor of the plugin being checked ("descriptor")
     * @param file plugin archive to verify ("pluginFile")
     * @param z selects the registry flag: the marketplace key when true, the custom-repository
     *          key otherwise (named isMarketplace in the Kotlin metadata above)
     * @param z2 true to use the variant that may prompt the user, false for the silent variant
     *           (named showAcceptDialog in the Kotlin metadata above)
     * @return true when verification is disabled, when the signature is trusted, or when the user
     *         accepted the warning in the dialog variant; false otherwise
     */
    @JvmStatic
    public static final boolean verifyIfRequired(@NotNull IdeaPluginDescriptor ideaPluginDescriptor, @NotNull File file, boolean z, boolean z2) {
        Intrinsics.checkNotNullParameter(ideaPluginDescriptor, "descriptor");
        Intrinsics.checkNotNullParameter(file, "pluginFile");
        // Fail-open switch: with the flag off the file is never inspected and the caller sees "verified".
        // NOTE(review): who can change these registry values is not visible here - confirm that
        // flipping them is an audited, deliberate action.
        if (!RegistryManager.Companion.getInstance().is(z ? "marketplace.certificate.signature.check" : "custom-repository.certificate.signature.check")) {
            return true;
        }
        // Additional trust anchors: custom trust-manager certificates plus managed trusted certificates.
        // Any certificate in either list is accepted as a valid signer in verifyPluginAndGetErrorMessage.
        List<X509Certificate> certificates = PluginCertificateStore.INSTANCE.getCustomTrustManager().getCertificates();
        Intrinsics.checkNotNullExpressionValue(certificates, "getCertificates(...)");
        List<? extends Certificate> plus = CollectionsKt.plus(certificates, PluginCertificateStore.INSTANCE.getManagedTrustedCertificates());
        return z2 ? INSTANCE.isSignedInWithAcceptDialog(ideaPluginDescriptor, file, plus) : INSTANCE.isSignedInBackground(ideaPluginDescriptor, file, plus);
    }

    /**
     * Kotlin default-argument bridge for {@link #verifyIfRequired}: mask bit 4 substitutes
     * {@code false} for the third argument, mask bit 8 substitutes {@code true} for the fourth.
     */
    public static /* synthetic */ boolean verifyIfRequired$default(IdeaPluginDescriptor ideaPluginDescriptor, File file, boolean z, boolean z2, int i, Object obj) {
        if ((i & 4) != 0) {
            z = false;
        }
        if ((i & 8) != 0) {
            z2 = true;
        }
        return verifyIfRequired(ideaPluginDescriptor, file, z, z2);
    }

    /**
     * Silent verification: never shows a dialog and fails closed.
     *
     * @param list extra trusted certificates; the bundled certificate is appended before checking
     * @return false when the bundled certificate is missing, when the revocation check throws,
     *         when the bundled certificate is reported revoked, or when the signature is not
     *         trusted; true only for a signature made by one of the trusted certificates
     */
    private final boolean isSignedInBackground(IdeaPluginDescriptor ideaPluginDescriptor, File file, List<? extends Certificate> list) {
        Object obj;
        Certificate jetbrainsCertificate = getJetbrainsCertificate();
        if (jetbrainsCertificate == null) {
            return false;
        }
        // Decompiled runCatching { isJetBrainsCertificateRevoked() }: any Throwable becomes a failed Result.
        try {
            Result.Companion companion = Result.Companion;
            obj = Result.constructor-impl(Boolean.valueOf(isJetBrainsCertificateRevoked()));
        } catch (Throwable th) {
            Result.Companion companion2 = Result.Companion;
            obj = Result.constructor-impl(ResultKt.createFailure(th));
        }
        Object obj2 = obj;
        Boolean bool = (Boolean) (Result.isFailure-impl(obj2) ? null : obj2);
        // A failed revocation check rejects the plugin here; the exception itself is not logged.
        if (bool == null) {
            return false;
        }
        if (bool.booleanValue()) {
            // The revoked certificate is the bundled one, not one taken from the plugin file.
            LOG.info("Plugin " + file.getName() + " has revoked JetBrains certificate");
            return false;
        }
        Certificate[] certificateArr = (Certificate[]) CollectionsKt.plus(list, jetbrainsCertificate).toArray(new Certificate[0]);
        // Third argument false: a verification error is returned as false without asking the user.
        return isSignedBy(ideaPluginDescriptor, file, false, (Certificate[]) Arrays.copyOf(certificateArr, certificateArr.length));
    }

    /** Kotlin default-argument bridge: mask bit 4 substitutes an empty certificate list. */
    static /* synthetic */ boolean isSignedInBackground$default(PluginSignatureChecker pluginSignatureChecker, IdeaPluginDescriptor ideaPluginDescriptor, File file, List list, int i, Object obj) {
        if ((i & 4) != 0) {
            list = CollectionsKt.emptyList();
        }
        return pluginSignatureChecker.isSignedInBackground(ideaPluginDescriptor, file, list);
    }

    /**
     * Interactive verification: every failure is turned into a yes/no prompt instead of a
     * rejection, and the prompt's outcome becomes the return value.
     *
     * @param list extra trusted certificates; the bundled certificate is appended before checking
     * @return true for a trusted signature, or when the user accepts the warning; false otherwise
     */
    private final boolean isSignedInWithAcceptDialog(IdeaPluginDescriptor ideaPluginDescriptor, File file, List<? extends Certificate> list) {
        Certificate jetbrainsCertificate = getJetbrainsCertificate();
        if (jetbrainsCertificate == null) {
            // Missing bundled certificate is not a hard failure in this path: the user decides.
            String message = IdeBundle.message("jetbrains.certificate.not.found", new Object[0]);
            Intrinsics.checkNotNullExpressionValue(message, "message(...)");
            return processSignatureCheckerVerdict(ideaPluginDescriptor, message);
        }
        try {
            if (!isJetBrainsCertificateRevoked()) {
                Certificate[] certificateArr = (Certificate[]) CollectionsKt.plus(list, jetbrainsCertificate).toArray(new Certificate[0]);
                // Third argument true: a verification error is shown to the user for a decision.
                return isSignedBy(ideaPluginDescriptor, file, true, (Certificate[]) Arrays.copyOf(certificateArr, certificateArr.length));
            }
            LOG.info("Plugin " + file.getName() + " has revoked JetBrains certificate");
            String message2 = IdeBundle.message("plugin.signature.checker.revoked.cert", ideaPluginDescriptor.getName());
            Intrinsics.checkNotNullExpressionValue(message2, "message(...)");
            return processSignatureCheckerVerdict(ideaPluginDescriptor, message2);
        } catch (IllegalArgumentException e) {
            // Only IllegalArgumentException (thrown by getRevocationLists for a missing or ambiguous
            // CRL URI) is handled; unlike the background path, other exception types propagate.
            // The exception text is shown verbatim in the dialog when it is not null.
            String message3 = e.getMessage();
            if (message3 == null) {
                message3 = IdeBundle.message("jetbrains.certificate.invalid", new Object[0]);
                Intrinsics.checkNotNullExpressionValue(message3, "message(...)");
            }
            return processSignatureCheckerVerdict(ideaPluginDescriptor, message3);
        }
    }

    /** Kotlin default-argument bridge: mask bit 4 substitutes an empty certificate list. */
    static /* synthetic */ boolean isSignedInWithAcceptDialog$default(PluginSignatureChecker pluginSignatureChecker, IdeaPluginDescriptor ideaPluginDescriptor, File file, List list, int i, Object obj) {
        if ((i & 4) != 0) {
            list = CollectionsKt.emptyList();
        }
        return pluginSignatureChecker.isSignedInWithAcceptDialog(ideaPluginDescriptor, file, list);
    }

    /**
     * Reports whether the bundled certificate appears in a revocation list, caching the verdict
     * under this class's name (the cache entry expires one hour after it is written).
     *
     * @return true when CertificateUtils.findRevokedCertificate returns a non-null result
     */
    private final boolean isJetBrainsCertificateRevoked() {
        Optional optional = (Optional) jetBrainsCertificateRevokedCache.getIfPresent(getClass().getName());
        Boolean bool = optional != null ? (Boolean) optional.get() : null;
        if (bool != null) {
            return bool.booleanValue();
        }
        Certificate jetbrainsCertificate = getJetbrainsCertificate();
        // The list holds at most one element: the bundled certificate, and only if it is X.509.
        List<? extends X509Certificate> listOfNotNull = CollectionsKt.listOfNotNull(jetbrainsCertificate instanceof X509Certificate ? (X509Certificate) jetbrainsCertificate : null);
        // NOTE(review): getRevocationLists drops the last element of the list it is given. With the
        // one-element list built here nothing is left to iterate, so no CRL is downloaded and the
        // lookup runs against an empty CRL list. Confirm that this is the intended coverage.
        // NOTE(review): if the certificate is not X.509 the list is empty and subList(0, -1) is an
        // invalid range that is expected to throw - confirm callers handle that.
        boolean z = CertificateUtils.findRevokedCertificate(listOfNotNull, getRevocationLists(listOfNotNull)) != null;
        jetBrainsCertificateRevokedCache.put(getClass().getName(), Optional.of(Boolean.valueOf(z)));
        return z;
    }

    /**
     * Downloads one CRL for every certificate in {@code list} except the last one.
     *
     * @param list certificates to look up; the last element is skipped
     * @return the downloaded CRLs that parsed as X509CRL
     * @throws IllegalArgumentException when a certificate has no CRL URI or more than one
     */
    private final List<X509CRL> getRevocationLists(List<? extends X509Certificate> list) {
        // Skips the last certificate - presumably the root of a chain, which has no CRL; verify.
        List<? extends X509Certificate> subList = list.subList(0, list.size() - 1);
        ArrayList arrayList = new ArrayList();
        Iterator<T> it = subList.iterator();
        while (it.hasNext()) {
            List crlUris = CertificateUtils.getCrlUris((X509Certificate) it.next());
            if (crlUris.isEmpty()) {
                LOG.error("CRL not found for certificate");
                throw new IllegalArgumentException("CRL not found for certificate");
            }
            if (crlUris.size() > 1) {
                LOG.error("Multiple CRL URI found in certificate");
                throw new IllegalArgumentException("Multiple CRL URI found in certificate");
            }
            // The URI comes from the certificate itself. throwStatusCodeException(false) means an
            // HTTP error status does not raise, so an error body may be handed to generateCRL.
            // NOTE(review): the stream is obtained inside the connect callback and parsed after
            // connect returns - confirm the request keeps it open until generateCRL has read it.
            // NOTE(review): whether the CRL's own signature is validated is not visible here;
            // check CertificateUtils.findRevokedCertificate.
            CRL generateCRL = CertificateFactory.getInstance(CertificateUtil.X509).generateCRL((InputStream) HttpRequests.request(((URI) CollectionsKt.first(crlUris)).toURL().toExternalForm()).throwStatusCodeException(false).productNameAsUserAgent().connect(PluginSignatureChecker::getRevocationLists$lambda$3$lambda$2));
            // A CRL that is not an X509CRL is silently dropped rather than reported.
            X509CRL x509crl = generateCRL instanceof X509CRL ? (X509CRL) generateCRL : null;
            if (x509crl != null) {
                arrayList.add(x509crl);
            }
        }
        return arrayList;
    }

    /**
     * Verifies the file against the given certificates and turns the outcome into a verdict.
     *
     * @param z when true, a verification error is shown to the user, whose answer is returned;
     *          when false, a verification error yields false
     * @param certificateArr certificates accepted as signers
     * @return true when verification produced no error message, otherwise as described for {@code z}
     */
    private final boolean isSignedBy(IdeaPluginDescriptor ideaPluginDescriptor, File file, boolean z, Certificate... certificateArr) {
        String verifyPluginAndGetErrorMessage = verifyPluginAndGetErrorMessage(ideaPluginDescriptor, file, (Certificate[]) Arrays.copyOf(certificateArr, certificateArr.length));
        return (verifyPluginAndGetErrorMessage == null || !z) ? verifyPluginAndGetErrorMessage == null : processSignatureCheckerVerdict(ideaPluginDescriptor, verifyPluginAndGetErrorMessage);
    }

    /** Kotlin default-argument bridge: mask bit 4 substitutes {@code true} for the dialog flag. */
    static /* synthetic */ boolean isSignedBy$default(PluginSignatureChecker pluginSignatureChecker, IdeaPluginDescriptor ideaPluginDescriptor, File file, boolean z, Certificate[] certificateArr, int i, Object obj) {
        if ((i & 4) != 0) {
            z = true;
        }
        return pluginSignatureChecker.isSignedBy(ideaPluginDescriptor, file, z, certificateArr);
    }

    /**
     * Runs ZipVerifier on the file, records the outcome in usage statistics, and maps it to a
     * user-facing message.
     *
     * @param certificateArr certificates accepted as signers; non-X.509 entries are ignored
     * @return {@code null} when the signature verified and was made by one of the certificates;
     *         otherwise a localized message for an invalid, missing or untrusted signature
     */
    @Nls
    @ExperimentalUnsignedTypes
    private final String verifyPluginAndGetErrorMessage(IdeaPluginDescriptor ideaPluginDescriptor, File file, Certificate... certificateArr) {
        boolean z;
        // The declared type is a decompiler artefact; the instanceof chain below shows that
        // verify() can yield invalid, missing or successful results.
        InvalidSignatureResult verify = ZipVerifier.verify(file);
        if (verify instanceof InvalidSignatureResult) {
            PluginManagerUsageCollector.INSTANCE.signatureCheckResult(ideaPluginDescriptor, SignatureVerificationResult.INVALID_SIGNATURE);
            return IdeBundle.message("plugin.invalid.signature.result", ideaPluginDescriptor.getName(), verify.getErrorMessage());
        }
        if (verify instanceof MissingSignatureResult) {
            // An unsigned archive gets the same warning text as one signed by an untrusted party.
            PluginManagerUsageCollector.INSTANCE.signatureCheckResult(ideaPluginDescriptor, SignatureVerificationResult.MISSING_SIGNATURE);
            return getSignatureWarningMessage(ideaPluginDescriptor);
        }
        if (!(verify instanceof SuccessfulVerificationResult)) {
            throw new NoWhenBranchMatchedException();
        }
        // A valid signature is not enough: it must also be made by one of the trusted certificates.
        int i = 0;
        int length = certificateArr.length;
        while (true) {
            if (i >= length) {
                z = false;
                break;
            }
            Certificate certificate = certificateArr[i];
            if ((certificate instanceof X509Certificate) && ((SuccessfulVerificationResult) verify).isSignedBy((X509Certificate) certificate)) {
                z = true;
                break;
            }
            i++;
        }
        if (z) {
            PluginManagerUsageCollector.INSTANCE.signatureCheckResult(ideaPluginDescriptor, SignatureVerificationResult.SUCCESSFUL);
            return null;
        }
        PluginManagerUsageCollector.INSTANCE.signatureCheckResult(ideaPluginDescriptor, SignatureVerificationResult.WRONG_SIGNATURE);
        return getSignatureWarningMessage(ideaPluginDescriptor);
    }

    /**
     * Builds the localized "not signed" warning from the plugin's name, id, version and vendor.
     * The organization is used as the vendor text unless it is null or blank, in which case the
     * descriptor's vendor is used.
     */
    @Nls
    private final String getSignatureWarningMessage(IdeaPluginDescriptor ideaPluginDescriptor) {
        String organization = ideaPluginDescriptor.getOrganization();
        String vendor = organization == null || StringsKt.isBlank(organization) ? ideaPluginDescriptor.getVendor() : ideaPluginDescriptor.getOrganization();
        String str = vendor;
        // These values come from the plugin descriptor, i.e. from the plugin under test, and are
        // displayed to the user in the warning.
        String message = IdeBundle.message("plugin.signature.not.signed", ideaPluginDescriptor.getName(), ideaPluginDescriptor.getPluginId().getIdString(), ideaPluginDescriptor.getVersion(), str == null || StringsKt.isBlank(str) ? vendor : IdeBundle.message("jetbrains.certificate.vendor", vendor));
        Intrinsics.checkNotNullExpressionValue(message, "message(...)");
        return message;
    }

    /**
     * Shows a blocking yes/no warning dialog and reports the user's choice.
     *
     * @param str message shown to the user
     * @return true only when the dialog result is 0, which is also what is recorded as ACCEPTED
     */
    private final boolean processSignatureCheckerVerdict(IdeaPluginDescriptor ideaPluginDescriptor, @Nls String str) {
        String message = IdeBundle.message("plugin.signature.checker.title", new Object[0]);
        Intrinsics.checkNotNullExpressionValue(message, "message(...)");
        String message2 = IdeBundle.message("plugin.signature.checker.yes", new Object[0]);
        Intrinsics.checkNotNullExpressionValue(message2, "message(...)");
        String message3 = IdeBundle.message("plugin.signature.checker.no", new Object[0]);
        Intrinsics.checkNotNullExpressionValue(message3, "message(...)");
        Ref.IntRef intRef = new Ref.IntRef();
        // -1 is the initial value, so an untouched result counts as declined.
        intRef.element = -1;
        // invokeAndWait blocks the calling thread until the dialog callback has run.
        ApplicationManager.getApplication().invokeAndWait(() -> {
            // r1..r5 are decompiler placeholders for the captured values (the result holder and
            // the dialog strings); the exact argument mapping is not recoverable from this listing.
            processSignatureCheckerVerdict$lambda$5(r1, r2, r3, r4, r5);
        }, ModalityState.any());
        PluginManagerUsageCollector.INSTANCE.signatureWarningShown(ideaPluginDescriptor, intRef.element == 0 ? DialogAcceptanceResultEnum.ACCEPTED : DialogAcceptanceResultEnum.DECLINED);
        return intRef.element == 0;
    }

    /**
     * Lazy initializer for the bundled certificate: parses the "ca.crt" class-path resource as
     * an X.509 certificate, or logs a warning and returns {@code null} when it is absent.
     */
    private static final Certificate jetbrainsCertificate_delegate$lambda$0() {
        // The trust anchor is whatever "ca.crt" this class loader resolves.
        // NOTE(review): the stream is not closed in this method.
        InputStream resourceAsStream = INSTANCE.getClass().getClassLoader().getResourceAsStream("ca.crt");
        if (resourceAsStream != null) {
            return CertificateFactory.getInstance(CertificateUtil.X509).generateCertificate(resourceAsStream);
        }
        LOG.warn(IdeBundle.message("jetbrains.certificate.not.found", new Object[0]));
        return null;
    }

    /** Callback passed to connect() in getRevocationLists: returns the response body stream. */
    private static final InputStream getRevocationLists$lambda$3$lambda$2(HttpRequests.Request request) {
        Intrinsics.checkNotNullParameter(request, "it");
        return request.getInputStream();
    }

    /** Dialog callback: shows the yes/no warning dialog and stores its result in {@code intRef}. */
    private static final void processSignatureCheckerVerdict$lambda$5(Ref.IntRef intRef, String str, String str2, String str3, String str4) {
        intRef.element = Messages.showYesNoDialog(str, str2, str3, str4, Messages.getWarningIcon());
    }

    static {
        Logger logger = Logger.getInstance(PluginSignatureChecker.class);
        Intrinsics.checkNotNullExpressionValue(logger, "getInstance(...)");
        LOG = logger;
        // A revocation verdict is reused for up to one hour after it was written.
        jetBrainsCertificateRevokedCache = Caffeine.newBuilder().expireAfterWrite(1L, TimeUnit.HOURS).build();
        jetbrainsCertificate$delegate = LazyKt.lazy(PluginSignatureChecker::jetbrainsCertificate_delegate$lambda$0);
    }
}
