package org.eclipse.osgi.internal.signedcontent;

import java.io.File;
import java.io.IOException;
import java.lang.reflect.Field;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessController;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Dictionary;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;
import org.eclipse.osgi.framework.util.SecureAction;
import org.eclipse.osgi.internal.framework.EquinoxBundle;
import org.eclipse.osgi.internal.framework.EquinoxContainer;
import org.eclipse.osgi.internal.hookregistry.ActivatorHookFactory;
import org.eclipse.osgi.internal.hookregistry.HookConfigurator;
import org.eclipse.osgi.internal.hookregistry.HookRegistry;
import org.eclipse.osgi.internal.service.security.KeyStoreTrustEngine;
import org.eclipse.osgi.internal.signedcontent.SignedContentFromBundleFile;
import org.eclipse.osgi.service.security.TrustEngine;
import org.eclipse.osgi.signedcontent.SignedContent;
import org.eclipse.osgi.signedcontent.SignedContentFactory;
import org.eclipse.osgi.signedcontent.SignerInfo;
import org.eclipse.osgi.storage.BundleInfo;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Constants;
import org.osgi.framework.Filter;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.framework.ServiceReference;
import org.osgi.framework.ServiceRegistration;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;

/* loaded from: input_file:ls/plugins/org.eclipse.osgi_3.17.201.v20220323-0814.jar:org/eclipse/osgi/internal/signedcontent/SignedBundleHook.class */
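/**
 * Framework hook that wires signed-content support into the container.
 *
 * <p>At framework start it registers one {@link TrustEngine} service backed by the JRE
 * {@code cacerts} file, optionally further engines for the keystores named by
 * {@code osgi.framework.keystore} or {@link Constants#FRAMEWORK_TRUST_REPOSITORIES}, and itself
 * as the {@link SignedContentFactory} service. For every signer of a piece of signed content it
 * then asks the tracked trust engines for a trust anchor.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Every keystore is opened with a {@code null} third constructor argument.
 *       NOTE(review): presumably this is the keystore password; if it is handed to
 *       {@code KeyStore.load}, the store's integrity check is skipped - confirm in
 *       {@code KeyStoreTrustEngine}.</li>
 *   <li>If the configured trust-engine name does not yield a valid filter, all registered
 *       {@link TrustEngine} services are tracked instead (see {@link #getTrustEngines()}).</li>
 *   <li>A signer for which no engine returns an anchor keeps a {@code null} trust anchor;
 *       nothing in this class rejects such content, so callers must check the anchor.</li>
 * </ul>
 */
public class SignedBundleHook implements ActivatorHookFactory, HookConfigurator, SignedContentFactory {
    static final SecureAction secureAction = (SecureAction) AccessController.doPrivileged(SecureAction.createSecureAction());
    private static final String CACERTS_PATH = String.valueOf(System.getProperty("java.home")) + File.separatorChar + "lib" + File.separatorChar + "security" + File.separatorChar + "cacerts";
    private static final String CACERTS_TYPE = "JKS";
    private static final String OSGI_KEYSTORE = "osgi.framework.keystore";

    /** Bit that, when set in a support/flags value, makes this class consult the trust engines. */
    private static final int TRUST_FLAG = 2;
    /** Severity codes handed to the framework log; the values match FrameworkLogEntry.WARNING and ERROR. */
    private static final int LOG_WARNING = 2;
    private static final int LOG_ERROR = 4;

    private int supportSignedBundles;
    TrustEngineListener trustEngineListener;
    private String trustEngineNameProp;
    private ServiceRegistration<?> signedContentFactoryReg;
    private ServiceRegistration<?> systemTrustEngineReg;
    private List<ServiceRegistration<?>> osgiTrustEngineReg;
    private ServiceTracker<TrustEngine, TrustEngine> trustEngineTracker;
    private BundleContext context;
    private EquinoxContainer container;

    /**
     * Tracker customizer that injects this hook's {@link TrustEngineListener} into every
     * {@link TrustEngine} service it starts tracking.
     *
     * <p>Decompiler note: the class was package-private in the original binary.
     */
    public class TrustEngineCustomizer implements ServiceTrackerCustomizer<TrustEngine, TrustEngine> {
        TrustEngineCustomizer() {
        }

        /**
         * Obtains the service and reflectively writes the listener into the engine's
         * {@code trustEngineListener} field.
         *
         * <p>If the reflective write fails, the failure is logged at error severity and the
         * engine is still returned and tracked, only without the listener.
         *
         * @param serviceReference reference to the trust engine being added
         * @return the service object, or {@code null} if the framework returned none
         */
        @Override
        public TrustEngine addingService(ServiceReference<TrustEngine> serviceReference) {
            TrustEngine engine = SignedBundleHook.this.getContext().getService(serviceReference);
            if (engine == null) {
                return null;
            }
            try {
                // The field is not accessible from here, hence reflection with setAccessible.
                Field listenerField = TrustEngine.class.getDeclaredField("trustEngineListener");
                listenerField.setAccessible(true);
                listenerField.set(engine, SignedBundleHook.this.trustEngineListener);
            } catch (Exception e) {
                SignedBundleHook.this.log("Unable to set the trust engine listener.", LOG_ERROR, e);
            }
            return engine;
        }

        /** No-op: property changes on a tracked trust engine are ignored. */
        @Override
        public void modifiedService(ServiceReference<TrustEngine> serviceReference, TrustEngine trustEngine) {
        }

        /** No-op: nothing is released when a trust engine goes away. */
        @Override
        public void removedService(ServiceReference<TrustEngine> serviceReference, TrustEngine trustEngine) {
        }
    }

    /**
     * Creates the activator whose start/stop callbacks delegate to
     * {@link #frameworkStart(BundleContext)} and {@link #frameworkStop(BundleContext)}.
     *
     * @return a new activator bound to this hook
     */
    @Override
    public BundleActivator createActivator() {
        return new BundleActivator() {
            @Override
            public void start(BundleContext bundleContext) throws Exception {
                SignedBundleHook.this.frameworkStart(bundleContext);
            }

            @Override
            public void stop(BundleContext bundleContext) throws Exception {
                SignedBundleHook.this.frameworkStop(bundleContext);
            }
        };
    }

    /** @return the bundle context stored by {@link #frameworkStart(BundleContext)}, or {@code null} before that */
    BundleContext getContext() {
        return this.context;
    }

    /**
     * Registers the trust engine services and the {@link SignedContentFactory} service.
     *
     * <p>The JRE {@code cacerts} engine is always registered, with the lowest possible service
     * ranking. If {@code osgi.framework.keystore} is set it is used exclusively: an invalid or
     * non-{@code file:} value results in no additional engine, and
     * {@link Constants#FRAMEWORK_TRUST_REPOSITORIES} is not consulted as a fallback.
     *
     * @param bundleContext the context to register services with; stored for later use
     */
    void frameworkStart(BundleContext bundleContext) {
        this.context = bundleContext;
        if ((this.supportSignedBundles & TRUST_FLAG) != 0) {
            this.trustEngineListener = new TrustEngineListener(this.context, this);
        }

        String trustEngineClass = TrustEngine.class.getName();
        // One property table is reused for every registration; only TRUST_ENGINE is overwritten
        // between calls, so all engines share the minimum service ranking.
        Hashtable<String, Object> props = new Hashtable<>(7);
        props.put(Constants.SERVICE_RANKING, Integer.MIN_VALUE);
        props.put(SignedContentConstants.TRUST_ENGINE, SignedContentConstants.DEFAULT_TRUST_ENGINE);
        this.systemTrustEngineReg = this.context.registerService(trustEngineClass, new KeyStoreTrustEngine(CACERTS_PATH, CACERTS_TYPE, null, "System", this), props);

        String keystoreProp = this.context.getProperty(OSGI_KEYSTORE);
        if (keystoreProp != null) {
            try {
                URL keystoreUrl = new URL(keystoreProp);
                if ("file".equals(keystoreUrl.getProtocol())) {
                    props.put(SignedContentConstants.TRUST_ENGINE, OSGI_KEYSTORE);
                    // getPath() is used as-is; percent-escapes in the URL are not decoded.
                    String path = keystoreUrl.getPath();
                    this.osgiTrustEngineReg = new ArrayList<>(1);
                    this.osgiTrustEngineReg.add(this.context.registerService(trustEngineClass, new KeyStoreTrustEngine(path, CACERTS_TYPE, null, OSGI_KEYSTORE, this), props));
                } else {
                    // A configured trust store that is silently dropped is hard to diagnose.
                    // The value itself is not logged because a URL may embed credentials.
                    log("Ignoring osgi.framework.keystore: only file URLs are supported", LOG_WARNING, null);
                }
            } catch (MalformedURLException e) {
                log("Invalid setting for osgi.framework.keystore", LOG_WARNING, e);
            }
        } else {
            String repositories = this.context.getProperty(Constants.FRAMEWORK_TRUST_REPOSITORIES);
            if (repositories != null) {
                props.put(SignedContentConstants.TRUST_ENGINE, Constants.FRAMEWORK_TRUST_REPOSITORIES);
                StringTokenizer paths = new StringTokenizer(repositories, File.pathSeparator);
                this.osgiTrustEngineReg = new ArrayList<>(1);
                while (paths.hasMoreTokens()) {
                    this.osgiTrustEngineReg.add(this.context.registerService(trustEngineClass, new KeyStoreTrustEngine(paths.nextToken(), CACERTS_TYPE, null, OSGI_KEYSTORE, this), props));
                }
            }
        }
        this.signedContentFactoryReg = this.context.registerService(SignedContentFactory.class.getName(), this, (Dictionary<String, ?>) null);
    }

    /**
     * Unregisters every service registered by {@link #frameworkStart(BundleContext)} and closes
     * the trust engine tracker. Safe to call when some or all of them were never created.
     *
     * @param bundleContext unused
     */
    void frameworkStop(BundleContext bundleContext) {
        if (this.signedContentFactoryReg != null) {
            this.signedContentFactoryReg.unregister();
            this.signedContentFactoryReg = null;
        }
        if (this.systemTrustEngineReg != null) {
            this.systemTrustEngineReg.unregister();
            this.systemTrustEngineReg = null;
        }
        if (this.osgiTrustEngineReg != null) {
            for (ServiceRegistration<?> registration : this.osgiTrustEngineReg) {
                registration.unregister();
            }
            this.osgiTrustEngineReg = null;
        }
        if (this.trustEngineTracker != null) {
            this.trustEngineTracker.close();
            this.trustEngineTracker = null;
        }
    }

    /**
     * Registers this object as an activator hook factory and caches the container, the
     * signed-bundle support flags and the configured trust engine name.
     *
     * @param hookRegistry the registry this configurator is being added to
     */
    @Override
    public void addHooks(HookRegistry hookRegistry) {
        this.container = hookRegistry.getContainer();
        hookRegistry.addActivatorHookFactory(this);
        this.supportSignedBundles = hookRegistry.getConfiguration().supportSignedBundles;
        this.trustEngineNameProp = hookRegistry.getConfiguration().getConfiguration(SignedContentConstants.TRUST_ENGINE);
    }

    /**
     * Builds the signed content for a file and resolves trust anchors for its signers.
     *
     * <p>Trust is always evaluated against the trust engines here, independent of the
     * configured support flags. A signer without a matching anchor is returned with a
     * {@code null} trust anchor rather than causing an exception.
     *
     * @param file the bundle file to inspect
     * @return the signed content with trust anchors filled in where one was found
     */
    @Override
    public SignedContent getSignedContent(File file) throws IOException, InvalidKeyException, SignatureException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
        SignedContentFromBundleFile content = new SignedContentFromBundleFile(file, this.container.getConfiguration().getDebug());
        determineTrust(content, TRUST_FLAG);
        return content;
    }

    /**
     * Builds the signed content for an installed bundle's current revision and resolves trust
     * anchors for its signers, with the same trust semantics as {@link #getSignedContent(File)}.
     *
     * @param bundle the bundle to inspect; cast to {@link EquinoxBundle}, so any other
     *     implementation fails with a {@link ClassCastException}
     * @return the signed content with trust anchors filled in where one was found
     */
    @Override
    public SignedContent getSignedContent(Bundle bundle) throws IOException, InvalidKeyException, SignatureException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
        BundleInfo.Generation generation = (BundleInfo.Generation) ((EquinoxBundle) bundle).getModule().getCurrentRevision().getRevisionInfo();
        SignedContentFromBundleFile content = new SignedContentFromBundleFile(generation.getBundleFile());
        determineTrust(content, TRUST_FLAG);
        return content;
    }

    /**
     * Writes an entry to the container's log services under the {@code org.eclipse.osgi} name.
     *
     * @param str the message
     * @param i the severity code
     * @param th the associated throwable, may be {@code null}
     */
    public void log(String str, int i, Throwable th) {
        this.container.getLogServices().log("org.eclipse.osgi", i, str, th);
    }

    /**
     * Returns the currently tracked trust engines, opening the tracker on first use.
     *
     * <p>When a trust engine name is configured, tracking is restricted to services whose
     * {@link SignedContentConstants#TRUST_ENGINE} property matches it. The name is concatenated
     * into the filter string unescaped, so filter metacharacters in the configuration value
     * change the match. NOTE(review): if the resulting filter is syntactically invalid, the
     * failure is only logged and every registered {@link TrustEngine} is tracked, which widens
     * the trust base beyond what was configured - consider failing closed.
     *
     * @return the tracked engines; an empty array before framework start or when none are registered
     */
    private TrustEngine[] getTrustEngines() {
        if (this.context == null) {
            return new TrustEngine[0];
        }
        if (this.trustEngineTracker == null) {
            Filter filter = null;
            if (this.trustEngineNameProp != null) {
                try {
                    filter = this.context.createFilter("(&(objectClass=" + TrustEngine.class.getName() + ")(" + SignedContentConstants.TRUST_ENGINE + "=" + this.trustEngineNameProp + "))");
                } catch (InvalidSyntaxException e) {
                    log("Invalid trust engine filter", LOG_WARNING, e);
                }
            }
            if (filter != null) {
                this.trustEngineTracker = new ServiceTracker<>(this.context, filter, new TrustEngineCustomizer());
            } else {
                this.trustEngineTracker = new ServiceTracker<>(this.context, TrustEngine.class.getName(), new TrustEngineCustomizer());
            }
            this.trustEngineTracker.open();
        }
        Object[] services = this.trustEngineTracker.getServices();
        if (services == null) {
            return new TrustEngine[0];
        }
        TrustEngine[] engines = new TrustEngine[services.length];
        System.arraycopy(services, 0, engines, 0, services.length);
        return engines;
    }

    /**
     * Fills in the trust anchor of every signer that does not have one yet, and of that
     * signer's timestamp-authority signer when present.
     *
     * <p>Decompiler note: the method was package-private in the original binary.
     *
     * @param signedContentFromBundleFile the content whose signers are updated in place
     * @param i flag bits forwarded to the anchor lookup; bit {@code 2} selects trust-engine
     *     evaluation
     */
    public void determineTrust(SignedContentFromBundleFile signedContentFromBundleFile, int i) {
        TrustEngine[] engines = null;
        for (SignerInfo signer : signedContentFromBundleFile.getSignerInfos()) {
            if (signer.getTrustAnchor() != null) {
                continue;
            }
            // Fetch the engines lazily so content whose signers are all resolved never touches the tracker.
            if (engines == null) {
                engines = getTrustEngines();
            }
            ((SignedContentFromBundleFile.BaseSignerInfo) signer).setTrustAnchor(findTrustAnchor(signer.getCertificateChain(), engines, i));
            SignerInfo tsaSigner = signedContentFromBundleFile.getTSASignerInfo(signer);
            if (tsaSigner != null) {
                ((SignedContentFromBundleFile.BaseSignerInfo) tsaSigner).setTrustAnchor(findTrustAnchor(tsaSigner.getCertificateChain(), engines, i));
            }
        }
    }

    /**
     * Looks up a trust anchor for a certificate chain.
     *
     * <p>With bit {@code 2} clear, no trust engine is consulted: the last certificate of the
     * chain is returned as the anchor without any validation, so the result says nothing about
     * whether the signer is trusted. Both callers in this class pass the bit set.
     *
     * <p>With the bit set, the engines are asked in array order and the first non-null answer
     * wins. An engine that throws {@link IOException} is logged and skipped.
     *
     * @param certificateArr the signer's certificate chain
     * @param trustEngineArr the engines to consult; must not be {@code null}
     * @param i flag bits; only bit {@code 2} is examined
     * @return the anchor, or {@code null} if none was found
     */
    private Certificate findTrustAnchor(Certificate[] certificateArr, TrustEngine[] trustEngineArr, int i) {
        if ((i & TRUST_FLAG) == 0) {
            if (certificateArr == null || certificateArr.length == 0) {
                return null;
            }
            return certificateArr[certificateArr.length - 1];
        }
        for (TrustEngine trustEngine : trustEngineArr) {
            try {
                // The result is scoped to the try block: the decompiled form read a variable
                // after the catch that is unassigned whenever the engine throws.
                Certificate anchor = trustEngine.findTrustAnchor(certificateArr);
                if (anchor != null) {
                    return anchor;
                }
            } catch (IOException e) {
                log("TrustEngine failure: " + trustEngine.getName(), LOG_WARNING, e);
            }
        }
        return null;
    }
}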
