package org.apache.nifi.processors.pgp;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.nifi.annotation.behavior.InputRequirement;
import org.apache.nifi.annotation.behavior.WritesAttribute;
import org.apache.nifi.annotation.behavior.WritesAttributes;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.SeeAlso;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.flowfile.FlowFile;
import org.apache.nifi.pgp.service.api.KeyIdentifierConverter;
import org.apache.nifi.pgp.service.api.PGPPublicKeyService;
import org.apache.nifi.processor.AbstractProcessor;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.ProcessSession;
import org.apache.nifi.processor.Relationship;
import org.apache.nifi.processor.io.StreamCallback;
import org.apache.nifi.processors.pgp.exception.PGPProcessException;
import org.apache.nifi.stream.io.StreamUtils;
import org.bouncycastle.openpgp.PGPCompressedData;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPLiteralData;
import org.bouncycastle.openpgp.PGPOnePassSignature;
import org.bouncycastle.openpgp.PGPOnePassSignatureList;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;

@CapabilityDescription("Verify signatures using OpenPGP Public Keys")
@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
@Tags({"PGP", "GPG", "OpenPGP", "Encryption", "Signing", "RFC 4880"})
@SeeAlso({DecryptContentPGP.class, EncryptContentPGP.class, SignContentPGP.class})
@WritesAttributes({@WritesAttribute(attribute = "pgp.literal.data.filename", description = "Filename from Literal Data"), @WritesAttribute(attribute = "pgp.literal.data.modified", description = "Modified Date Time from Literal Data in milliseconds"), @WritesAttribute(attribute = "pgp.signature.created", description = "Signature Creation Time in milliseconds"), @WritesAttribute(attribute = "pgp.signature.algorithm", description = "Signature Algorithm including key and hash algorithm names"), @WritesAttribute(attribute = "pgp.signature.hash.algorithm.id", description = "Signature Hash Algorithm Identifier"), @WritesAttribute(attribute = "pgp.signature.key.algorithm.id", description = "Signature Key Algorithm Identifier"), @WritesAttribute(attribute = "pgp.signature.key.id", description = "Signature Public Key Identifier"), @WritesAttribute(attribute = "pgp.signature.type.id", description = "Signature Type Identifier"), @WritesAttribute(attribute = "pgp.signature.version", description = "Signature Version Number")})
/* loaded from: input_file:org/apache/nifi/processors/pgp/VerifyContentPGP.class */
public class VerifyContentPGP extends AbstractProcessor {
    public static final Relationship SUCCESS = new Relationship.Builder().name("success").description("Signature Verification Succeeded").build();
    public static final Relationship FAILURE = new Relationship.Builder().name("failure").description("Signature Verification Failed").build();
    public static final PropertyDescriptor PUBLIC_KEY_SERVICE = new PropertyDescriptor.Builder().name("public-key-service").displayName("Public Key Service").description("PGP Public Key Service for verifying signatures with Public Key Encryption").identifiesControllerService(PGPPublicKeyService.class).required(true).build();
    private static final Set<Relationship> RELATIONSHIPS = new HashSet(Arrays.asList(SUCCESS, FAILURE));
    private static final List<PropertyDescriptor> DESCRIPTORS = Collections.singletonList(PUBLIC_KEY_SERVICE);
    private static final int BUFFER_SIZE = 8192;
    private static final String KEY_ID_UNKNOWN = "UNKNOWN";

    /* loaded from: input_file:org/apache/nifi/processors/pgp/VerifyContentPGP$VerifyStreamCallback.class */
    private class VerifyStreamCallback implements StreamCallback {
        private final PGPPublicKeyService publicKeyService;
        private final Map<String, String> attributes;
        private boolean verified;

        private VerifyStreamCallback(PGPPublicKeyService pGPPublicKeyService) {
            this.attributes = new HashMap();
            this.publicKeyService = pGPPublicKeyService;
        }

        public void process(InputStream inputStream, OutputStream outputStream) throws IOException {
            Iterator<?> it = new JcaPGPObjectFactory(PGPUtil.getDecoderStream(inputStream)).iterator();
            if (it.hasNext()) {
                processObjectFactory(it, outputStream);
            }
            if (!this.verified) {
                throw new PGPProcessException(String.format("Signature Key ID [%s] Verification Failed", this.attributes.getOrDefault("pgp.signature.key.id", VerifyContentPGP.KEY_ID_UNKNOWN)));
            }
            VerifyContentPGP.this.getLogger().debug("One-Pass Signature Algorithm [{}] Verified", new Object[]{this.attributes.get("pgp.signature.algorithm")});
        }

        private void processObjectFactory(Iterator<?> it, OutputStream outputStream) throws IOException {
            PGPOnePassSignature pGPOnePassSignature = null;
            while (it.hasNext()) {
                Object next = it.next();
                VerifyContentPGP.this.getLogger().debug("PGP Object Read [{}]", new Object[]{next.getClass().getSimpleName()});
                if (next instanceof PGPCompressedData) {
                    try {
                        processObjectFactory(new JcaPGPObjectFactory(((PGPCompressedData) next).getDataStream()).iterator(), outputStream);
                    } catch (PGPException e) {
                        throw new PGPProcessException("Read Compressed Data Failed", e);
                    }
                } else if (next instanceof PGPOnePassSignatureList) {
                    pGPOnePassSignature = processOnePassSignatures((PGPOnePassSignatureList) next);
                } else if (next instanceof PGPLiteralData) {
                    processLiteralData((PGPLiteralData) next, outputStream, pGPOnePassSignature);
                } else if (next instanceof PGPSignatureList) {
                    processSignatures((PGPSignatureList) next, pGPOnePassSignature);
                }
            }
        }

        private PGPOnePassSignature processOnePassSignatures(PGPOnePassSignatureList pGPOnePassSignatureList) {
            VerifyContentPGP.this.getLogger().debug("One-Pass Signatures Found [{}]", new Object[]{Integer.valueOf(pGPOnePassSignatureList.size())});
            PGPOnePassSignature pGPOnePassSignature = null;
            Iterator it = pGPOnePassSignatureList.iterator();
            if (it.hasNext()) {
                PGPOnePassSignature pGPOnePassSignature2 = (PGPOnePassSignature) it.next();
                setOnePassSignatureAttributes(pGPOnePassSignature2);
                String format = KeyIdentifierConverter.format(pGPOnePassSignature2.getKeyID());
                Optional findPublicKey = this.publicKeyService.findPublicKey(format);
                if (findPublicKey.isPresent()) {
                    VerifyContentPGP.this.getLogger().debug("One-Pass Signature Key ID [{}] found", new Object[]{format});
                    try {
                        pGPOnePassSignature2.init(new JcaPGPContentVerifierBuilderProvider(), (PGPPublicKey) findPublicKey.get());
                        pGPOnePassSignature = pGPOnePassSignature2;
                    } catch (PGPException e) {
                        throw new PGPProcessException(String.format("One-Pass Signature Key ID [%s] Initialization Failed", format), e);
                    }
                } else {
                    VerifyContentPGP.this.getLogger().warn("One-Pass Signature Key ID [{}] not found in Public Key Service", new Object[]{format});
                }
            }
            return pGPOnePassSignature;
        }

        private void processLiteralData(PGPLiteralData pGPLiteralData, OutputStream outputStream, PGPOnePassSignature pGPOnePassSignature) throws IOException {
            setLiteralDataAttributes(pGPLiteralData);
            InputStream inputStream = pGPLiteralData.getInputStream();
            if (pGPOnePassSignature == null) {
                StreamUtils.copy(inputStream, outputStream);
            } else {
                processSignedStream(inputStream, outputStream, pGPOnePassSignature);
            }
        }

        private void processSignatures(PGPSignatureList pGPSignatureList, PGPOnePassSignature pGPOnePassSignature) {
            VerifyContentPGP.this.getLogger().debug("Signatures Found [{}]", new Object[]{Integer.valueOf(pGPSignatureList.size())});
            Iterator it = pGPSignatureList.iterator();
            if (it.hasNext()) {
                PGPSignature pGPSignature = (PGPSignature) it.next();
                setSignatureAttributes(pGPSignature);
                if (pGPOnePassSignature == null) {
                    VerifyContentPGP.this.getLogger().debug("One-Pass Signature not found: Verification Failed");
                    return;
                }
                try {
                    this.verified = pGPOnePassSignature.verify(pGPSignature);
                } catch (PGPException e) {
                    throw new PGPProcessException(String.format("One-Pass Signature Key ID [%s] Verification Failed", KeyIdentifierConverter.format(pGPOnePassSignature.getKeyID())), e);
                }
            }
        }

        private void processSignedStream(InputStream inputStream, OutputStream outputStream, PGPOnePassSignature pGPOnePassSignature) throws IOException {
            VerifyContentPGP.this.getLogger().debug("Processing Data for One-Pass Signature with Key ID [{}]", new Object[]{KeyIdentifierConverter.format(pGPOnePassSignature.getKeyID())});
            byte[] bArr = new byte[VerifyContentPGP.BUFFER_SIZE];
            while (true) {
                int read = inputStream.read(bArr);
                if (read < 0) {
                    return;
                }
                pGPOnePassSignature.update(bArr, 0, read);
                outputStream.write(bArr, 0, read);
            }
        }

        private void setOnePassSignatureAttributes(PGPOnePassSignature pGPOnePassSignature) {
            setSignatureAlgorithm(pGPOnePassSignature.getKeyAlgorithm(), pGPOnePassSignature.getHashAlgorithm());
            this.attributes.put("pgp.signature.key.id", KeyIdentifierConverter.format(pGPOnePassSignature.getKeyID()));
            this.attributes.put("pgp.signature.type.id", Integer.toString(pGPOnePassSignature.getSignatureType()));
        }

        private void setSignatureAttributes(PGPSignature pGPSignature) {
            setSignatureAlgorithm(pGPSignature.getKeyAlgorithm(), pGPSignature.getHashAlgorithm());
            this.attributes.put("pgp.signature.created", Long.toString(pGPSignature.getCreationTime().getTime()));
            this.attributes.put("pgp.signature.key.id", KeyIdentifierConverter.format(pGPSignature.getKeyID()));
            this.attributes.put("pgp.signature.type.id", Integer.toString(pGPSignature.getSignatureType()));
            this.attributes.put("pgp.signature.version", Integer.toString(pGPSignature.getVersion()));
        }

        private void setLiteralDataAttributes(PGPLiteralData pGPLiteralData) {
            this.attributes.put("pgp.literal.data.filename", pGPLiteralData.getFileName());
            this.attributes.put("pgp.literal.data.modified", Long.toString(pGPLiteralData.getModificationTime().getTime()));
        }

        private void setSignatureAlgorithm(int i, int i2) {
            this.attributes.put("pgp.signature.hash.algorithm.id", Integer.toString(i2));
            this.attributes.put("pgp.signature.key.algorithm.id", Integer.toString(i));
            try {
                this.attributes.put("pgp.signature.algorithm", PGPUtil.getSignatureName(i, i2));
            } catch (PGPException e) {
                VerifyContentPGP.this.getLogger().debug("Signature Algorithm Key Identifier [{}] Hash Identifier [{}] not found", new Object[]{Integer.valueOf(i), Integer.valueOf(i2)});
            }
        }
    }

    public Set<Relationship> getRelationships() {
        return RELATIONSHIPS;
    }

    public final List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return DESCRIPTORS;
    }

    public void onTrigger(ProcessContext processContext, ProcessSession processSession) {
        FlowFile flowFile = processSession.get();
        if (flowFile == null) {
            return;
        }
        VerifyStreamCallback verifyStreamCallback = new VerifyStreamCallback(processContext.getProperty(PUBLIC_KEY_SERVICE).asControllerService(PGPPublicKeyService.class));
        try {
            flowFile = processSession.putAllAttributes(processSession.write(flowFile, verifyStreamCallback), verifyStreamCallback.attributes);
            getLogger().info("Signature Key ID [{}] Verification Completed {}", new Object[]{flowFile.getAttribute("pgp.signature.key.id"), flowFile});
            processSession.transfer(flowFile, SUCCESS);
        } catch (RuntimeException e) {
            FlowFile putAllAttributes = processSession.putAllAttributes(flowFile, verifyStreamCallback.attributes);
            getLogger().error("Processing Failed {}", new Object[]{putAllAttributes, e});
            processSession.transfer(putAllAttributes, FAILURE);
        }
    }
}
