package org.eclipse.jgit.internal.signing.ssh;

import java.security.PublicKey;
import java.text.MessageFormat;
import java.time.Instant;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.signature.BuiltinSignatures;
import org.apache.sshd.common.signature.Signature;
import org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import org.eclipse.jgit.annotations.NonNull;
import org.eclipse.jgit.internal.transport.sshd.SshdText;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:oxygen-git-client-addon-5.5.0/lib/org.eclipse.jgit.ssh.apache-7.1.0.202411261347-r.jar:org/eclipse/jgit/internal/signing/ssh/SshCertificateUtils.class */
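/**
 * Checks applied to an OpenSSH certificate before a signature made with its certified key is
 * accepted.
 *
 * <p>Every check returns {@code null} when the certificate passes and a human-readable message
 * when it does not. Callers must treat any non-null result as a rejection.
 */
final class SshCertificateUtils {
    private static final Logger LOG = LoggerFactory.getLogger(SshCertificateUtils.class);

    SshCertificateUtils() {
    }

    /**
     * Validates a certificate: it must be a user certificate, carry a valid CA signature and,
     * if a time is given, be inside its validity window at that time.
     *
     * <p>The decompiler widened this method to {@code public}; the compiled class declared it
     * package-private.
     *
     * @param openSshCertificate the certificate to validate
     * @param instant the time at which the certificate must be valid; {@code null} skips the
     *     validity-window check entirely, so an expired or not-yet-valid certificate passes
     * @return {@code null} if the certificate is acceptable, otherwise a failure message
     */
    public static String verify(OpenSshCertificate openSshCertificate, Instant instant) {
        // Host certificates are refused before any cryptographic work is done.
        if (!OpenSshCertificate.Type.USER.equals(openSshCertificate.getType())) {
            return MessageFormat.format(SshdText.get().signNotUserCertificate, KeyUtils.getFingerPrint(openSshCertificate.getCaPubKey()));
        }
        String problem = verifySignature(openSshCertificate);
        if (problem != null) {
            return problem;
        }
        // The window is only meaningful once the signature over it has been verified.
        return instant == null ? null : checkExpiration(openSshCertificate, instant);
    }

    /**
     * Verifies the CA signature stored in the certificate against the CA public key stored in
     * the same certificate.
     *
     * <p>This establishes only that the certificate is internally consistent. Nothing here
     * decides whether the CA key is one the caller trusts.
     *
     * @param openSshCertificate the certificate whose signature is checked
     * @return {@code null} if the signature verifies, otherwise a failure message
     */
    static String verifySignature(OpenSshCertificate openSshCertificate) {
        PublicKey caKey = openSshCertificate.getCaPubKey();
        PublicKey certifiedKey = openSshCertificate.getCertPubKey();
        // Neither key may itself be a certificate, which rules out certificate chains.
        boolean caKeyUsable = caKey != null && !(caKey instanceof OpenSshCertificate);
        boolean certifiedKeyUsable = certifiedKey != null && !(certifiedKey instanceof OpenSshCertificate);
        if (!caKeyUsable || !certifiedKeyUsable) {
            // NOTE(review): this pattern is returned without MessageFormat, although the
            // failure path below formats it with a fingerprint; any placeholder in it is
            // presumably shown verbatim here. Confirm against the message bundle.
            return SshdText.get().signCertificateInvalid;
        }
        String caKeyType = KeyUtils.getKeyType(caKey);
        String algorithm = openSshCertificate.getSignatureAlgorithm();
        // The algorithm named in the certificate must belong to the CA key's own key type.
        String canonicalCaKeyType = KeyUtils.getCanonicalKeyType(caKeyType);
        if (!canonicalCaKeyType.equals(KeyUtils.getCanonicalKeyType(algorithm))) {
            return MessageFormat.format(SshdText.get().signCertAlgorithmMismatch, caKeyType, KeyUtils.getFingerPrint(caKey), algorithm);
        }
        BuiltinSignatures factory = BuiltinSignatures.fromFactoryName(algorithm);
        if (factory == null || !factory.isSupported()) {
            return MessageFormat.format(SshdText.get().signCertAlgorithmUnknown, KeyUtils.getFingerPrint(caKey), algorithm);
        }
        Signature verifier = factory.create();
        try {
            // No session context exists at this point, hence the null session arguments.
            verifier.initVerifier(null, caKey);
            verifier.update(null, getBlob(openSshCertificate));
            if (verifier.verify(null, openSshCertificate.getRawSignature())) {
                return null;
            }
            return MessageFormat.format(SshdText.get().signCertificateInvalid, KeyUtils.getFingerPrint(caKey));
        } catch (Exception e) {
            // Fail closed: any error while verifying is reported as a failure, with the
            // details sent to the log rather than to the caller.
            LOG.warn("{}", SshdText.get().signLogFailure, e);
            return SshdText.get().signSeeLog;
        }
    }

    /**
     * Rebuilds the byte sequence that the CA signature is verified against.
     *
     * <p>The bytes are re-serialised from the parsed certificate fields, so the field order and
     * encodings used here must match exactly what the CA signed. The order presumably follows
     * the OpenSSH certificate layout (confirm against PROTOCOL.certkeys).
     *
     * @param openSshCertificate the certificate to serialise
     * @return the encoded certificate contents, excluding the signature itself
     */
    private static byte[] getBlob(OpenSshCertificate openSshCertificate) {
        ByteArrayBuffer blob = new ByteArrayBuffer();
        blob.putString(openSshCertificate.getKeyType());
        blob.putBytes(openSshCertificate.getNonce());
        blob.putRawPublicKeyBytes(openSshCertificate.getCertPubKey());
        blob.putLong(openSshCertificate.getSerial());
        blob.putInt(openSshCertificate.getType().getCode());
        blob.putString(openSshCertificate.getId());
        // The principals list is encoded on its own and embedded as one length-prefixed field.
        ByteArrayBuffer principals = new ByteArrayBuffer();
        principals.putStringList(openSshCertificate.getPrincipals(), false);
        blob.putBytes(principals.getCompactData());
        blob.putLong(openSshCertificate.getValidAfter());
        blob.putLong(openSshCertificate.getValidBefore());
        blob.putCertificateOptions(openSshCertificate.getCriticalOptions());
        blob.putCertificateOptions(openSshCertificate.getExtensions());
        blob.putString(openSshCertificate.getReserved());
        // The CA key is likewise encoded separately and embedded as a length-prefixed field.
        ByteArrayBuffer caKeyBytes = new ByteArrayBuffer();
        caKeyBytes.putRawPublicKey(openSshCertificate.getCaPubKey());
        blob.putBytes(caKeyBytes.getCompactData());
        return blob.getCompactData();
    }

    /**
     * Checks that the given time lies inside the certificate's validity window.
     *
     * <p>OpenSSH defines the window as {@code valid after <= time < valid before}. The upper
     * bound is exclusive, so a time equal to the valid-before value is already expired. Both
     * bounds are compared as unsigned 64-bit values; an instant before the epoch has a
     * negative epoch second and therefore compares as a very large unsigned time.
     *
     * @param openSshCertificate the certificate whose validity window is checked
     * @param instant the time to test; must not be {@code null}
     * @return {@code null} if the time is inside the window, otherwise a failure message
     */
    static String checkExpiration(OpenSshCertificate openSshCertificate, @NonNull Instant instant) {
        long seconds = instant.getEpochSecond();
        if (Long.compareUnsigned(seconds, openSshCertificate.getValidAfter()) < 0) {
            return MessageFormat.format(SshdText.get().signCertificateTooEarly, KeyUtils.getFingerPrint(openSshCertificate.getCaPubKey()));
        }
        // ">= 0" and not "> 0": the certificate is no longer valid at the valid-before second.
        if (Long.compareUnsigned(seconds, openSshCertificate.getValidBefore()) >= 0) {
            return MessageFormat.format(SshdText.get().signCertificateExpired, KeyUtils.getFingerPrint(openSshCertificate.getCaPubKey()));
        }
        return null;
    }
}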
