package io.jenkins.plugins.wiz;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Security;
import java.util.Iterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.bouncycastle.bcpg.ArmoredInputStream;
import org.bouncycastle.bcpg.BCPGInputStream;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;

/* loaded from: input_file:io/jenkins/plugins/wiz/PGPVerifier.class */
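/**
 * Verifies a detached OpenPGP signature over a file using a public key read from disk.
 *
 * <p>Trust model, as implemented here: the public-key file is the sole trust anchor. The
 * verification key is the first non-master key in that file whose attached signatures
 * advertise the "sign data" key flag. Those flag-carrying signatures are not themselves
 * cryptographically verified and key expiry is not evaluated, so callers must obtain the
 * key file from a source they already trust (not from the same location as the artifact
 * being verified).
 */
public class PGPVerifier {
    private static final Logger LOGGER = Logger.getLogger(PGPVerifier.class.getName());

    /** OpenPGP key-flags bit meaning "this key may be used to sign data" (0x02). */
    private static final int KEY_FLAG_SIGN_DATA = 0x02;

    static {
        // Register the BouncyCastle provider once per JVM if nobody has done so yet.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /** Raised for every failure to read, parse or evaluate the verification inputs. */
    public static class PGPVerificationException extends Exception {
        public PGPVerificationException(String str) {
            super(str);
        }

        public PGPVerificationException(String str, Throwable th) {
            super(str, th);
        }
    }

    /**
     * Reads the data, signature and public-key files and verifies the signature.
     *
     * @param str  path of the signed data file
     * @param str2 path of the detached signature file (binary, ASCII-armored or raw packet)
     * @param str3 path of the ASCII-armored public key file
     * @return {@code true} only if the signature verifies against the selected key;
     *     {@code false} if the signature parsed but did not verify
     * @throws PGPVerificationException if a file cannot be read or is empty, or if the key
     *     or signature cannot be parsed; callers must treat this the same as a failed
     *     verification
     */
    public boolean verifySignatureFromFiles(String str, String str2, String str3) throws PGPVerificationException {
        try {
            LOGGER.log(Level.FINE, "Starting signature verification for file: {0}", str);
            byte[] data = readFileWithValidation(str, "data");
            byte[] signature = readFileWithValidation(str2, "signature");
            byte[] publicKey = readFileWithValidation(str3, "public key");
            return verifySignature(data, signature, publicKey);
        } catch (IOException e) {
            LOGGER.log(Level.SEVERE, "Failed to read verification files: {0}", e.getMessage());
            throw new PGPVerificationException("Failed to read verification files", e);
        } catch (Exception e2) {
            // The inner layers rethrow their specific PGPVerificationException unchanged, so
            // this log line names the actual cause instead of repeating the generic message.
            LOGGER.log(Level.SEVERE, "Signature verification failed: {0}", e2.getMessage());
            throw new PGPVerificationException("Signature verification failed", e2);
        }
    }

    /**
     * Verifies {@code signatureBytes} over {@code data} with the signing key found in
     * {@code publicKeyBytes}.
     */
    private boolean verifySignature(byte[] data, byte[] signatureBytes, byte[] publicKeyBytes)
            throws PGPVerificationException {
        try {
            validateInput(data, signatureBytes, publicKeyBytes);
            PGPPublicKey key = readPublicKey(new ByteArrayInputStream(publicKeyBytes));
            PGPSignature signature = readSignature(signatureBytes);
            LOGGER.log(Level.FINE, "Verifying signature with key ID: {0}", Long.toHexString(key.getKeyID()));
            if (signature.getKeyID() != key.getKeyID()) {
                // The key is chosen from the key file alone, not by the signature's issuer.
                // A mismatch here is the usual reason verify() returns false when the key
                // file holds more than one signing subkey.
                LOGGER.log(
                        Level.FINE,
                        "Signature issuer key ID {0} differs from selected verification key ID {1}",
                        new Object[] {Long.toHexString(signature.getKeyID()), Long.toHexString(key.getKeyID())});
            }
            signature.init(new BcPGPContentVerifierBuilderProvider(), key);
            signature.update(data);
            boolean verified = signature.verify();
            LOGGER.log(Level.FINE, "Signature verification result: {0}", Boolean.valueOf(verified));
            return verified;
        } catch (PGPVerificationException e) {
            // Already specific (and already logged where it was raised): do not re-wrap.
            throw e;
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "Signature verification failed: {0}", e.getMessage());
            throw new PGPVerificationException("Signature verification failed", e);
        }
    }

    /** Parses an ASCII-armored key stream and returns the signing key selected from it. */
    private PGPPublicKey readPublicKey(InputStream inputStream) throws PGPVerificationException {
        // try-with-resources closes the armored stream on the failure paths as well.
        try (ArmoredInputStream armored = new ArmoredInputStream(inputStream)) {
            return findSigningKey(readKeyRingCollection(armored));
        } catch (PGPVerificationException e) {
            throw e;
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "Failed to read public key: {0}", e.getMessage());
            throw new PGPVerificationException("Failed to read public key", e);
        }
    }

    private PGPPublicKeyRingCollection readKeyRingCollection(ArmoredInputStream armoredInputStream)
            throws IOException, PGPException {
        return new PGPPublicKeyRingCollection(armoredInputStream, new BcKeyFingerprintCalculator());
    }

    /**
     * Returns the first acceptable signing key across all key rings, in file order.
     *
     * @throws PGPVerificationException if no ring contains an acceptable signing key
     */
    private PGPPublicKey findSigningKey(PGPPublicKeyRingCollection keyRings) throws PGPVerificationException {
        Iterator<?> rings = keyRings.iterator();
        while (rings.hasNext()) {
            PGPPublicKey candidate = findSigningKeyInRing((PGPPublicKeyRing) rings.next());
            if (candidate != null) {
                return candidate;
            }
        }
        throw new PGPVerificationException("No suitable signing key found in provided key ring");
    }

    /** Returns the first acceptable signing key of one ring, or {@code null} if it has none. */
    private PGPPublicKey findSigningKeyInRing(PGPPublicKeyRing keyRing) {
        PGPPublicKey masterKey = keyRing.getPublicKey();
        LOGGER.log(Level.FINE, "Processing keyring with master key: {0}", Long.toHexString(masterKey.getKeyID()));
        if (masterKey.hasRevocation()) {
            // A revoked primary key invalidates every subkey bound to it.
            LOGGER.log(Level.FINE, "Skipping keyring: master key carries a revocation");
            return null;
        }
        Iterator<?> keys = keyRing.getPublicKeys();
        while (keys.hasNext()) {
            PGPPublicKey key = (PGPPublicKey) keys.next();
            if (isValidSigningKey(key)) {
                return key;
            }
        }
        return null;
    }

    /**
     * Reports whether {@code key} may be used to verify data signatures: it must not carry a
     * revocation and at least one of its attached signatures must advertise the sign-data flag.
     */
    private boolean isValidSigningKey(PGPPublicKey key) {
        LOGGER.log(Level.FINE, "Examining key: {0}", Long.toHexString(key.getKeyID()));
        if (key.hasRevocation()) {
            // Fail closed: a revoked key is never used for verification.
            LOGGER.log(Level.FINE, "Skipping key: it carries a revocation");
            return false;
        }
        Iterator<?> signatures = key.getSignatures();
        while (signatures.hasNext()) {
            if (hasValidSigningFlag(signatures.next(), key)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether {@code obj} is a signature whose hashed subpackets set the sign-data
     * key flag on a non-master key.
     *
     * <p>NOTE(review): the signature carrying the flags is not verified against the master
     * key, and expiry is not checked; this relies on the key file being authentic.
     */
    private boolean hasValidSigningFlag(Object obj, PGPPublicKey key) {
        if (!(obj instanceof PGPSignature)) {
            return false;
        }
        PGPSignatureSubpacketVector hashed = ((PGPSignature) obj).getHashedSubPackets();
        if (hashed == null) {
            return false;
        }
        int keyFlags = hashed.getKeyFlags();
        LOGGER.log(Level.FINE, "Key flags: {0}", Integer.valueOf(keyFlags));
        // Master keys are deliberately never selected, even if flagged for signing.
        if (key.isMasterKey() || (keyFlags & KEY_FLAG_SIGN_DATA) == 0) {
            return false;
        }
        LOGGER.log(Level.FINE, "Found suitable signing key");
        return true;
    }

    /**
     * Parses the signature bytes, trying binary, then ASCII-armored, then raw-packet form.
     * Only the first signature of a signature list is used.
     *
     * @throws PGPVerificationException if none of the three formats yields a signature
     */
    private PGPSignature readSignature(byte[] signatureBytes) throws PGPVerificationException {
        LOGGER.log(Level.FINE, "Reading signature data of size: {0} bytes", Integer.valueOf(signatureBytes.length));
        try (ByteArrayInputStream in = new ByteArrayInputStream(signatureBytes)) {
            PGPSignature signature = readBinarySignature(in);
            if (signature == null) {
                in.reset(); // rewind to offset 0 before trying the next format
                signature = readArmoredSignature(in);
            }
            if (signature == null) {
                in.reset();
                signature = readRawSignature(in);
            }
            if (signature == null) {
                throw new PGPVerificationException("Failed to read signature in any supported format");
            }
            return signature;
        } catch (IOException e) {
            LOGGER.log(Level.SEVERE, "Error reading signature data: {0}", e.getMessage());
            throw new PGPVerificationException("Error reading signature data", e);
        }
    }

    /** Tries to read a binary-encoded signature; returns {@code null} on any failure. */
    private PGPSignature readBinarySignature(InputStream inputStream) {
        try {
            return pickSignature(new JcaPGPObjectFactory(inputStream).nextObject(), "binary");
        } catch (Exception e) {
            // Expected when the input is in another format; the caller tries the next one.
            LOGGER.log(Level.FINE, "Failed to read binary signature: {0}", e.getMessage());
            return null;
        }
    }

    /** Tries to read an ASCII-armored signature; returns {@code null} on any failure. */
    private PGPSignature readArmoredSignature(InputStream inputStream) {
        try {
            InputStream decoded = PGPUtil.getDecoderStream(inputStream);
            return pickSignature(new JcaPGPObjectFactory(decoded).nextObject(), "ASCII armored");
        } catch (Exception e) {
            LOGGER.log(Level.FINE, "Failed to read ASCII armored signature: {0}", e.getMessage());
            return null;
        }
    }

    /**
     * Extracts a signature from the first parsed object: the object itself, or the first
     * element of a non-empty signature list. Returns {@code null} for anything else.
     */
    private PGPSignature pickSignature(Object parsed, String format) {
        if (parsed instanceof PGPSignatureList) {
            PGPSignatureList list = (PGPSignatureList) parsed;
            if (list.isEmpty()) {
                return null;
            }
            LOGGER.log(Level.FINE, "Successfully read {0} signature list", format);
            return list.get(0);
        }
        if (parsed instanceof PGPSignature) {
            LOGGER.log(Level.FINE, "Successfully read {0} signature", format);
            return (PGPSignature) parsed;
        }
        return null;
    }

    /** Tries to read a bare signature packet; returns {@code null} on any failure. */
    private PGPSignature readRawSignature(InputStream inputStream) {
        try {
            PGPSignature signature = new PGPSignature(new BCPGInputStream(inputStream));
            LOGGER.log(Level.FINE, "Successfully read raw signature");
            return signature;
        } catch (Exception e) {
            LOGGER.log(Level.FINE, "Failed to read raw signature: {0}", e.getMessage());
            return null;
        }
    }

    /** Rejects null or empty data, signature or key bytes before any parsing is attempted. */
    private void validateInput(byte[] data, byte[] signatureBytes, byte[] publicKeyBytes)
            throws PGPVerificationException {
        if (data == null || data.length == 0) {
            LOGGER.log(Level.SEVERE, "Signed data validation failed: data is null or empty");
            throw new PGPVerificationException("Signed data is null or empty");
        }
        if (signatureBytes == null || signatureBytes.length == 0) {
            LOGGER.log(Level.SEVERE, "Signature validation failed: signature is null or empty");
            throw new PGPVerificationException("Signature is null or empty");
        }
        if (publicKeyBytes == null || publicKeyBytes.length == 0) {
            LOGGER.log(Level.SEVERE, "Public key validation failed: key is null or empty");
            throw new PGPVerificationException("Public key is null or empty");
        }
    }

    /**
     * Reads a whole file into memory and rejects blank paths and empty files.
     *
     * @param path        file to read
     * @param description human-readable role of the file, used in log and error messages
     * @throws IOException if the path is blank, the file cannot be read, or it is empty
     */
    private byte[] readFileWithValidation(String path, String description) throws IOException {
        if (path == null || path.trim().isEmpty()) {
            LOGGER.log(Level.SEVERE, "Invalid {0} file path: null or empty", description);
            throw new IOException(description + " path is null or empty");
        }
        byte[] contents;
        try {
            contents = Files.readAllBytes(Paths.get(path));
        } catch (IOException e) {
            LOGGER.log(Level.SEVERE, "Failed to read {0} file {1}: {2}", new Object[] {description, path, e.getMessage()});
            throw new IOException("Failed to read " + description + " file: " + path, e);
        }
        // Checked outside the try so the "empty" error is not caught and re-wrapped as a read failure.
        if (contents.length == 0) {
            LOGGER.log(Level.SEVERE, "Empty {0} file: {1}", new Object[] {description, path});
            throw new IOException(description + " file is empty");
        }
        LOGGER.log(
                Level.FINE,
                "Successfully read {0} file: {1}, size: {2} bytes",
                new Object[] {description, path, Integer.valueOf(contents.length)});
        return contents;
    }
}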
