package net.shibboleth.mvn.enforcer.impl;

import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.security.Security;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.annotation.Nonnull;
import net.shibboleth.mvn.enforcer.impl.GPGKeyRing;
import net.shibboleth.mvn.enforcer.impl.ParsedPom;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/mvn/enforcer/impl/BaseSigChecker.class */
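/**
 * Base class for checking the GPG signatures ({@code jar.asc}) of the artifacts named in a project POM.
 *
 * <p>Trust is scoped by Maven group id: each group has its own {@link GPGKeyRing}, built from the
 * enforcer loader, and a signature is only accepted when its key is in the key ring of the
 * artifact's own group. One line per checked artifact is written to the report writer.
 *
 * <p>The key ring cache is a plain {@link HashMap} with no synchronization.
 */
public class BaseSigChecker {

    /** Class path location of the bundled signatures consulted when no {@code jar.asc} can be downloaded. */
    private static final String LOCAL_SIGNATURE_PREFIX = "net/shibboleth/mvn/enforcer/data/localSignatures/";

    /** Where the per-artifact result lines are written. */
    private final PrintWriter report;

    /** The project whose dependencies are being checked. */
    private final ProjectPomContext projectContext;

    /** Logger. */
    private final Logger log = EnforcerLogger.getLogger(BaseSigChecker.class);

    /**
     * Key rings by group id. An empty {@link Optional} records a group whose key ring failed to
     * load, so that the load is not retried for every artifact of that group.
     */
    private final Map<String, Optional<GPGKeyRing>> keyRings = new HashMap<>();

    /**
     * Creates a checker and registers the BouncyCastle provider ("BC") if it is not registered yet.
     *
     * @param projectPomContext the project being checked, never null
     * @param printWriter where the report lines go, never null
     */
    public BaseSigChecker(@Nonnull ProjectPomContext projectPomContext, @Nonnull PrintWriter printWriter) {
        this.projectContext = Constraint.isNotNull(projectPomContext, "project must not be null");
        this.report = Constraint.isNotNull(printWriter, "Writer must not be null");
        // Security.addProvider changes JVM-wide state; the lookup keeps it to one registration.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Returns the project context given at construction.
     *
     * <p>The decompiler recorded that this method was {@code protected} in the class file and
     * widened it; it is left {@code public} here so existing callers keep compiling.
     *
     * @return the project context
     */
    public ProjectPomContext getProjectContext() {
        return this.projectContext;
    }

    /**
     * Returns the loader used to download artifacts and their signatures.
     *
     * @return the Maven loader of the project context
     */
    protected MavenLoader getMavenLoader() {
        return getProjectContext().getMavenLoader();
    }

    /**
     * Returns the writer the report lines are written to.
     *
     * @return the report writer
     */
    protected PrintWriter getReport() {
        return this.report;
    }

    /**
     * Verifies the signature of one artifact against the key ring of its group and reports the result.
     *
     * <p>Two cases return {@code true} WITHOUT any cryptographic check: artifacts the parent POM
     * lists as generated by the build, and snapshot versions when the project itself is a
     * snapshot. Every other path fails closed: a missing key ring, a missing signature, a key
     * that is not in the group's key ring, a mismatch or an I/O error all return {@code false}.
     *
     * <p>The decompiler recorded that this method was {@code protected} in the class file and
     * widened it; it is left {@code public} here so existing callers keep compiling.
     *
     * @param inputStream the artifact content to verify; this method does not close it
     * @param pomArtifact the coordinates of the artifact
     * @return {@code true} if the artifact is accepted, {@code false} otherwise
     */
    public boolean checkSignature(InputStream inputStream, ParsedPom.PomArtifact pomArtifact) {
        final String groupId = pomArtifact.getGroupId();
        final String artifactId = pomArtifact.getArtifactId();
        // Display form of the version: the classifier, when there is one, is appended in brackets.
        final String version = "".equals(pomArtifact.getClassifier())
                ? pomArtifact.getVersion()
                : pomArtifact.getVersion() + " (" + pomArtifact.getClassifier() + ")";

        if (this.projectContext.getParentPom().getGeneratedArtifacts().contains(pomArtifact)) {
            this.report.format("%-30s: %-14s Generated by build.  Not checked\n", artifactId, version);
            return true;
        }
        // NOTE(review): the test runs on the display string, so a snapshot with a classifier
        // ("1.0-SNAPSHOT (tests)") does not match and goes through full verification below.
        // That errs on the strict side; confirm it is intended before changing it.
        if (this.projectContext.isSnapShot() && version.endsWith("-SNAPSHOT")) {
            this.report.format("%-30s: %-14s Snapshot version on a snapshot build.  Not Checked\n", artifactId, version);
            return true;
        }

        final GPGKeyRing keyRing = getKeyRing(groupId);
        if (keyRing == null) {
            this.report.format("%-30s: %-14s No keyring for group %s\n", artifactId, version, groupId);
            this.log.error("Artifact: {} Version: {} Group: {} No keyring ", artifactId, version, groupId);
            return false;
        }

        final GPGKeyRing.Signature signature = getSignature(pomArtifact);
        if (signature == null) {
            this.report.format("%-30s: %-14s Could not find signature (group : %s)\n", artifactId, version, groupId);
            this.log.error("{} {} could not find signature (group={})", artifactId, version, groupId);
            return false;
        }

        // The signing key must belong to this group's key ring; a key trusted for another group
        // is not sufficient.
        if (!keyRing.contains(signature)) {
            this.report.format("%-30s: %-14s KeyId (%s) not found in keyring for %s\n", artifactId, version, signature, groupId);
            this.log.error("{} {} KeyId ({}) not found in keyring for {}", artifactId, version, signature, groupId);
            return false;
        }

        try {
            if (keyRing.checkSignature(inputStream, signature)) {
                this.report.format("%-30s: %-14s Signature Match in keyring %s : %s \n", artifactId, version, groupId, keyRing.getKeyInfo(signature));
                return true;
            }
            this.report.format("%-30s: %-14s Signature Mismatch : %s in keyring %s\n", artifactId, version, keyRing.getKeyInfo(signature), groupId);
            this.log.error("{} {} Signature Mismatch : ({}) in keyring for {}", artifactId, version, signature, groupId);
            return false;
        } catch (IOException e) {
            // Fail closed, and say so in the report: previously this path logged a bare "Failed"
            // and left the artifact out of the report altogether.
            this.report.format("%-30s: %-14s Signature check failed (I/O error) in keyring %s\n", artifactId, version, groupId);
            this.log.error("{} {} signature check failed (group={})", artifactId, version, groupId, e);
            return false;
        }
    }

    /**
     * Loads the signature of an artifact, first from the Maven loader ({@code jar.asc}) and, if
     * that yields no file, from the signature store on the enforcer's class path.
     *
     * <p>Only the signature is taken from the class path store; the caller still requires its key
     * to be in the group's key ring and verifies it against the artifact content.
     *
     * @param pomArtifact the artifact whose signature is wanted
     * @return the signature, or {@code null} if none could be loaded
     */
    private GPGKeyRing.Signature getSignature(ParsedPom.PomArtifact pomArtifact) {
        Path downloaded;
        try {
            downloaded = getMavenLoader().downloadArtifact(pomArtifact, "jar.asc");
        } catch (Exception e) {
            // A failed download is not fatal; the class path store is tried next.
            this.log.debug("Error loading {} from maven loader", pomArtifact, e);
            downloaded = null;
        }

        if (downloaded != null && Files.exists(downloaded)) {
            // try-with-resources closes the stream on every path, including a parse failure.
            try (InputStream in = new BufferedInputStream(new FileInputStream(downloaded.toFile()))) {
                return GPGKeyRing.signatureOf(in);
            } catch (IOException e) {
                this.log.error("Could not load key from store", e);
                return null;
            }
        }

        this.log.info("Could not find key for {}, trying classpath store.", pomArtifact);
        // A null resource is legal here: try-with-resources skips close() for it.
        try (InputStream stored = getProjectContext().getEnforcerLoader()
                .getResourceAsStream(LOCAL_SIGNATURE_PREFIX + pomArtifact + ".jar.asc")) {
            if (stored == null) {
                this.log.error("Key for {} no found in classpath store", pomArtifact);
                return null;
            }
            final GPGKeyRing.Signature signature = GPGKeyRing.signatureOf(stored);
            // Written before verification; the caller adds the match or mismatch line afterwards.
            this.report.format("%-30s: %-14s Signature not available.  Loaded from classpath store\n", pomArtifact.getArtifactId(), pomArtifact.getVersion());
            this.log.info("Key for {} found in classpath store.", pomArtifact);
            return signature;
        } catch (Exception e) {
            // Any failure here means "no signature", which the caller rejects. JVM errors are
            // left to propagate, as they do in the download branch above.
            this.log.error("Could not load key from classpath store:", e);
            return null;
        }
    }

    /**
     * Returns the key ring for a group id, loading it on first use and caching the outcome.
     *
     * <p>A failed load is cached as well, so a group without a usable key ring keeps returning
     * {@code null} for the lifetime of this checker.
     *
     * @param groupId the Maven group id
     * @return the key ring, or {@code null} if it could not be loaded
     */
    private GPGKeyRing getKeyRing(String groupId) {
        final Optional<GPGKeyRing> cached = this.keyRings.get(groupId);
        if (cached != null) {
            return cached.orElse(null);
        }
        try {
            final GPGKeyRing loaded = new GPGKeyRing(this.projectContext.getEnforcerLoader(), groupId);
            this.keyRings.put(groupId, Optional.of(loaded));
            return loaded;
        } catch (Exception e) {
            this.log.error("Could not load keyring for {}", groupId, e);
            this.keyRings.put(groupId, Optional.empty());
            return null;
        }
    }
}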
