package com.jetbrains.infra.pgpVerifier;

import java.io.Closeable;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.util.Iterator;
import java.util.Locale;
import kotlin.Metadata;
import kotlin.Unit;
import kotlin.io.CloseableKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import org.bouncycastle.bcpg.ArmoredInputStream;
import org.bouncycastle.bcpg.BCPGInputStream;
import org.bouncycastle.bcpg.PublicKeyPacket;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPCompressedData;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
import org.jetbrains.annotations.NotNull;

/* compiled from: PgpSignaturesVerifier.kt */
@Metadata(mv = {1, 8, 0}, k = 1, xi = 48, d1 = {"��V\n\u0002\u0018\u0002\n\u0002\u0010��\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0010\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000b\n\u0002\b\u0007\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\t\n��\u0018��2\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0010\u0010\u0007\u001a\u00020\b2\u0006\u0010\t\u001a\u00020\nH\u0002J\u0012\u0010\u000b\u001a\u0004\u0018\u00010\f2\u0006\u0010\t\u001a\u00020\nH\u0002J\u0012\u0010\r\u001a\u0004\u0018\u00010\f2\u0006\u0010\u000e\u001a\u00020\u000fH\u0002J\u0010\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u0013H\u0002J\u0010\u0010\u0014\u001a\u00020\n2\u0006\u0010\u0015\u001a\u00020\u0013H\u0002J\u0018\u0010\u0016\u001a\u00020\u00172\u0006\u0010\u0018\u001a\u00020\n2\u0006\u0010\u0019\u001a\u00020\u000fH\u0002J\u0010\u0010\u001a\u001a\u00020\u00172\u0006\u0010\u000e\u001a\u00020\u000fH\u0002J \u0010\u001b\u001a\u00020\u00172\u0006\u0010\u0018\u001a\u00020\n2\u0006\u0010\u001c\u001a\u00020\n2\u0006\u0010\u0002\u001a\u00020\u0003H\u0002J&\u0010\u001d\u001a\u00020\b2\u0006\u0010\u001e\u001a\u00020\u001f2\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010 \u001a\u00020\u00132\u0006\u0010\u0015\u001a\u00020\u0013J\f\u0010!\u001a\u00020\f*\u00020\"H\u0002R\u000e\u0010\u0005\u001a\u00020\u0006X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��¨\u0006#"}, d2 = {"Lcom/jetbrains/infra/pgpVerifier/PgpSignaturesVerifier;", "", "logger", "Lcom/jetbrains/infra/pgpVerifier/PgpSignaturesVerifierLogger;", "(Lcom/jetbrains/infra/pgpVerifier/PgpSignaturesVerifierLogger;)V", "bouncyCastleProvider", "Lorg/bouncycastle/jce/provider/BouncyCastleProvider;", "assertPublicKeyFormat", "", "key", "Lorg/bouncycastle/openpgp/PGPPublicKey;", 
"checkPublicKeyFormat", "", "checkSignatureFormat", "sig", "Lorg/bouncycastle/openpgp/PGPSignature;", "getSignaturesFromFile", "Lorg/bouncycastle/openpgp/PGPSignatureList;", "detachedSignatureInputStream", "Ljava/io/InputStream;", "getTrustedMasterKey", "trustedMasterKeyInputStream", "isRevoked", "", "subKey", "signature", "isSignKey", "isSubKeyForSigning", "masterKey", "verifySignature", "file", "Ljava/nio/file/Path;", "untrustedPublicKeyBundleInputStream", "toKeyIdString", "", "download-pgp-verifier"})
@SourceDebugExtension({"SMAP\nPgpSignaturesVerifier.kt\nKotlin\n*S Kotlin\n*F\n+ 1 PgpSignaturesVerifier.kt\ncom/jetbrains/infra/pgpVerifier/PgpSignaturesVerifier\n+ 2 fake.kt\nkotlin/jvm/internal/FakeKt\n*L\n1#1,196:1\n1#2:197\n*E\n"})
/* loaded from: input_file:com/jetbrains/infra/pgpVerifier/PgpSignaturesVerifier.class */
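/*
 * Verifies a detached OpenPGP signature over a file (decompiled from PgpSignaturesVerifier.kt).
 *
 * Trust model as implemented below: the only trusted input is the master public key. The
 * public key bundle is untrusted; a key from it is used only if it is a subkey carrying a
 * subkey binding signature with the "sign data" flag that verifies against the trusted
 * master key. Only RSA keys (v4, 2048..100000 bits) and SHA-256/384/512 signatures are
 * accepted; everything else is logged and skipped.
 *
 * Checked exceptions from java.nio and BouncyCastle propagate undeclared, as they do in the
 * Kotlin original.
 */
public final class PgpSignaturesVerifier {

    /** RFC 4880 section 9.4 hash algorithm IDs accepted for signatures. */
    private static final int HASH_SHA256 = 8;
    private static final int HASH_SHA384 = 9;
    private static final int HASH_SHA512 = 10;

    /** RFC 4880 section 9.1 public-key algorithm ID: RSA (Encrypt or Sign). */
    private static final int KEY_ALGORITHM_RSA_GENERAL = 1;

    /** Key flag bit meaning "this key may be used to sign data". */
    private static final int KEY_FLAG_SIGN_DATA = 0x02;

    /** Supported OpenPGP public key packet version. */
    private static final int SUPPORTED_KEY_VERSION = 4;

    /** Accepted key size range in bits (inclusive). */
    private static final int MIN_KEY_BITS = 2048;
    private static final int MAX_KEY_BITS = 100000;

    /** Size of the buffer used to stream the file into the signature verifier. */
    private static final int READ_BUFFER_SIZE = 16384;

    @NotNull
    private final PgpSignaturesVerifierLogger logger;

    @NotNull
    private final BouncyCastleProvider bouncyCastleProvider;

    /**
     * Creates a verifier that reports skipped signatures and keys to {@code logger}.
     *
     * @param logger sink for informational messages; must not be null
     */
    public PgpSignaturesVerifier(@NotNull PgpSignaturesVerifierLogger logger) {
        Intrinsics.checkNotNullParameter(logger, "logger");
        this.logger = logger;
        this.bouncyCastleProvider = new BouncyCastleProvider();
    }

    /**
     * Verifies that {@code file} carries at least one valid detached signature made by a
     * signing subkey bound to the trusted master key.
     *
     * <p>Signatures are processed in order. A signature is skipped (not an error) when its
     * format is unsupported, its key ID is absent from the bundle, the key format is
     * unsupported, the key is not a signing subkey of the trusted master key, or the key
     * counts as revoked. The first signature that passes all of these checks decides the
     * outcome for that key: a cryptographic mismatch aborts immediately.
     *
     * @param file file whose content is checked
     * @param detachedSignatureInputStream signature list, optionally wrapped in compressed data
     * @param untrustedPublicKeyBundleInputStream key rings to look signing keys up in; untrusted
     * @param trustedMasterKeyInputStream armored stream holding exactly one master public key packet
     * @throws IllegalStateException if an accepted signature fails to verify, or if no
     *     signature could be verified at all
     * @throws IllegalArgumentException if the key found for a signature is itself a master key
     */
    public final void verifySignature(@NotNull Path file, @NotNull InputStream detachedSignatureInputStream, @NotNull InputStream untrustedPublicKeyBundleInputStream, @NotNull InputStream trustedMasterKeyInputStream) {
        Intrinsics.checkNotNullParameter(file, "file");
        Intrinsics.checkNotNullParameter(detachedSignatureInputStream, "detachedSignatureInputStream");
        Intrinsics.checkNotNullParameter(untrustedPublicKeyBundleInputStream, "untrustedPublicKeyBundleInputStream");
        Intrinsics.checkNotNullParameter(trustedMasterKeyInputStream, "trustedMasterKeyInputStream");

        PGPSignatureList signatures = getSignaturesFromFile(detachedSignatureInputStream);
        PGPPublicKeyRingCollection untrustedKeys = new PGPPublicKeyRingCollection(
                PGPUtil.getDecoderStream(untrustedPublicKeyBundleInputStream), new JcaKeyFingerprintCalculator());
        PGPPublicKey trustedMasterKey = getTrustedMasterKey(trustedMasterKeyInputStream);

        boolean verified = false;
        byte[] buffer = new byte[READ_BUFFER_SIZE];

        // Raw Iterator plus cast, as in the decompiled original.
        Iterator it = signatures.iterator();
        while (it.hasNext()) {
            PGPSignature signature = (PGPSignature) it.next();
            Intrinsics.checkNotNullExpressionValue(signature, "signature");

            String signatureProblem = checkSignatureFormat(signature);
            if (signatureProblem != null) {
                this.logger.info("Signature skipped: " + signatureProblem);
                continue;
            }

            // Lookup is by key ID only; the key is not trusted until the binding check below passes.
            PGPPublicKey subKey = untrustedKeys.getPublicKey(signature.getKeyID());
            if (subKey == null) {
                continue;
            }

            String keyProblem = checkPublicKeyFormat(subKey);
            if (keyProblem != null) {
                this.logger.info("Key skipped: " + keyProblem);
                continue;
            }
            if (!isSubKeyForSigning(subKey, trustedMasterKey, this.logger)) {
                continue;
            }
            if (isRevoked(subKey, signature)) {
                this.logger.info("Key (ID:" + toKeyIdString(subKey.getKeyID()) + ") was revoked before signature timestamp");
                continue;
            }

            signature.init(new JcaPGPContentVerifierBuilderProvider().setProvider(this.bouncyCastleProvider), subKey);
            // try-with-resources replaces the decompiler's closeFinally scaffolding; the file is
            // closed before the verdict is computed.
            try (InputStream in = Files.newInputStream(file)) {
                int read;
                while ((read = in.read(buffer)) >= 0) {
                    signature.update(buffer, 0, read);
                }
            }

            // Fail closed: a mismatch on an accepted key is an error, not a skip.
            if (!signature.verify()) {
                throw new IllegalStateException("Signature verification failed for " + file);
            }
            verified = true;
        }

        // Every signature may have been skipped; that must not count as success.
        if (!verified) {
            throw new IllegalStateException("No keys matched signature for " + file);
        }
    }

    /**
     * Reads the trusted master key: an armored stream that must contain one public key packet
     * and nothing after it.
     *
     * @throws IllegalStateException if data follows the key packet or the key format is unsupported
     * @throws IllegalArgumentException if the key is not a master key
     */
    private final PGPPublicKey getTrustedMasterKey(InputStream trustedMasterKeyInputStream) {
        PublicKeyPacket publicKeyPacket;
        try (BCPGInputStream packetStream = new BCPGInputStream(new ArmoredInputStream(trustedMasterKeyInputStream))) {
            Object packet = packetStream.readPacket();
            Intrinsics.checkNotNull(packet, "null cannot be cast to non-null type org.bouncycastle.bcpg.PublicKeyPacket");
            publicKeyPacket = (PublicKeyPacket) packet;

            // Anything after the single packet is rejected rather than ignored.
            byte[] rest = packetStream.readAllBytes();
            Intrinsics.checkNotNullExpressionValue(rest, "rest");
            if (rest.length != 0) {
                throw new IllegalStateException("Some leftovers in the stream after reading PublicKeyPacket");
            }
        }

        PGPPublicKey masterKey = new PGPPublicKey(publicKeyPacket, new JcaKeyFingerprintCalculator());
        if (!masterKey.isMasterKey()) {
            throw new IllegalArgumentException("Key " + toKeyIdString(masterKey.getKeyID()) + " must be a master key");
        }
        assertPublicKeyFormat(masterKey);
        return masterKey;
    }

    /**
     * Parses the detached signature stream into a signature list, unwrapping one level of
     * compressed data if present.
     *
     * <p>The first object must be a signature list (or compressed data whose first object is
     * one); any other object type surfaces as a {@link ClassCastException}.
     *
     * @throws IllegalStateException if the stream holds no PGP object
     */
    private final PGPSignatureList getSignaturesFromFile(InputStream detachedSignatureInputStream) {
        Object first = new JcaPGPObjectFactory(PGPUtil.getDecoderStream(detachedSignatureInputStream)).nextObject();
        if (first == null) {
            throw new IllegalStateException("PGP signature stream is empty");
        }
        if (!(first instanceof PGPCompressedData)) {
            return (PGPSignatureList) first;
        }
        Object inner = new JcaPGPObjectFactory(((PGPCompressedData) first).getDataStream()).nextObject();
        Intrinsics.checkNotNull(inner, "null cannot be cast to non-null type org.bouncycastle.openpgp.PGPSignatureList");
        return (PGPSignatureList) inner;
    }

    /**
     * Reports whether {@code subKey} carries a subkey revocation signature created at or
     * before the creation time of {@code signature}.
     *
     * <p>NOTE(review): the revocation signature is not cryptographically verified here, and
     * only creation times are compared. An unverified revocation can only cause a key to be
     * rejected, but the comparison relies on the creation time carried in the data signature,
     * which the signer chooses. Confirm this matches the intended policy for keys revoked
     * because of compromise.
     */
    private final boolean isRevoked(PGPPublicKey subKey, PGPSignature signature) {
        Iterator keySignatures = subKey.getSignatures();
        Intrinsics.checkNotNullExpressionValue(keySignatures, "subKey.signatures");
        while (keySignatures.hasNext()) {
            PGPSignature candidate = (PGPSignature) keySignatures.next();
            boolean isRevocation = candidate.getSignatureType() == PGPSignature.SUBKEY_REVOCATION;
            if (isRevocation && candidate.getCreationTime().compareTo(signature.getCreationTime()) <= 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether {@code subKey} is bound to {@code masterKey} as a signing subkey: it
     * needs a subkey binding signature issued by the master key ID, flagged for signing data,
     * in a supported format, that verifies against the master key.
     *
     * <p>NOTE(review): key or binding expiration and the embedded primary-key-binding
     * signature are not checked in this method.
     *
     * @throws IllegalArgumentException if {@code masterKey} is not a master key or
     *     {@code subKey} is one
     */
    private final boolean isSubKeyForSigning(PGPPublicKey subKey, PGPPublicKey masterKey, PgpSignaturesVerifierLogger pgpSignaturesVerifierLogger) {
        if (!masterKey.isMasterKey()) {
            throw new IllegalArgumentException("Key " + toKeyIdString(masterKey.getKeyID()) + " must be a master key");
        }
        if (subKey.isMasterKey()) {
            throw new IllegalArgumentException("Key " + toKeyIdString(subKey.getKeyID()) + " must be a sub key");
        }

        Iterator keySignatures = subKey.getKeySignatures();
        Intrinsics.checkNotNullExpressionValue(keySignatures, "subKey.keySignatures");
        while (keySignatures.hasNext()) {
            PGPSignature binding = (PGPSignature) keySignatures.next();
            if (binding == null
                    || binding.getSignatureType() != PGPSignature.SUBKEY_BINDING
                    || binding.getKeyID() != masterKey.getKeyID()
                    || !isSignKey(binding)) {
                continue;
            }

            String bindingProblem = checkSignatureFormat(binding);
            if (bindingProblem != null) {
                pgpSignaturesVerifierLogger.info("Signature for key '" + toKeyIdString(subKey.getKeyID()) + "' was skipped: " + bindingProblem);
                continue;
            }

            // The key ID match above is only a filter; this verification is what establishes trust.
            binding.init(new JcaPGPContentVerifierBuilderProvider().setProvider(this.bouncyCastleProvider), masterKey);
            if (binding.verifyCertification(masterKey, subKey)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether the hashed subpackets of {@code signature} set the "sign data" key flag.
     *
     * <p>A signature without a hashed subpacket area is treated as not granting the flag, so
     * a malformed entry in the untrusted bundle is skipped instead of raising a
     * NullPointerException.
     */
    private final boolean isSignKey(PGPSignature signature) {
        if (signature.getHashedSubPackets() == null) {
            return false;
        }
        return (signature.getHashedSubPackets().getKeyFlags() & KEY_FLAG_SIGN_DATA) != 0;
    }

    /**
     * Checks key version and size.
     *
     * @return a description of the problem, or {@code null} if the key is acceptable
     */
    private final String checkPublicKeyFormat(PGPPublicKey key) {
        if (key.getVersion() != SUPPORTED_KEY_VERSION) {
            return "Only PGP Public Keys version 4 are supported. Key ID = " + Long.toHexString(key.getKeyID());
        }
        int bits = key.getBitStrength();
        // The upper bound reuses the lower-bound message (runtime text kept unchanged).
        if (bits < MIN_KEY_BITS || bits > MAX_KEY_BITS) {
            return "Only PGP Public Keys bits >= 2048. Key ID = " + Long.toHexString(key.getKeyID());
        }
        return null;
    }

    /**
     * Same check as {@link #checkPublicKeyFormat}, but an unsupported key is an error.
     *
     * @throws IllegalStateException if the key format is unsupported
     */
    private final void assertPublicKeyFormat(PGPPublicKey key) {
        String problem = checkPublicKeyFormat(key);
        if (problem != null) {
            throw new IllegalStateException(problem);
        }
    }

    /**
     * Checks the hash and public-key algorithm of a signature against the allow-list
     * (SHA-256/384/512 with RSA).
     *
     * @return a description of the problem, or {@code null} if the signature is acceptable
     */
    private final String checkSignatureFormat(PGPSignature signature) {
        int hashAlgorithm = signature.getHashAlgorithm();
        boolean hashAllowed = hashAlgorithm == HASH_SHA256
                || hashAlgorithm == HASH_SHA384
                || hashAlgorithm == HASH_SHA512;
        if (!hashAllowed) {
            return "Only hashAlgorithms SHA256/384/512 are supported. See https://tools.ietf.org/html/rfc4880#section-9.4";
        }
        if (signature.getKeyAlgorithm() != KEY_ALGORITHM_RSA_GENERAL) {
            return "Only keyAlgorithm = 1 (RSA (Encrypt or Sign)) is supported. See https://tools.ietf.org/html/rfc4880#section-9.1";
        }
        return null;
    }

    /** Formats a 64-bit key ID as upper-case hexadecimal without leading zeros. */
    private final String toKeyIdString(long keyId) {
        return Long.toHexString(keyId).toUpperCase(Locale.ROOT);
    }
}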
