package org.pgpainless.decryption_verification;

import java.io.BufferedInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import org.bouncycastle.bcpg.ArmoredInputStream;
import org.bouncycastle.openpgp.PGPCompressedData;
import org.bouncycastle.openpgp.PGPEncryptedData;
import org.bouncycastle.openpgp.PGPEncryptedDataList;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyRing;
import org.bouncycastle.openpgp.PGPLiteralData;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPOnePassSignature;
import org.bouncycastle.openpgp.PGPOnePassSignatureList;
import org.bouncycastle.openpgp.PGPPBEEncryptedData;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator;
import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.CompressionAlgorithm;
import org.pgpainless.algorithm.EncryptionPurpose;
import org.pgpainless.algorithm.StreamEncoding;
import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
import org.pgpainless.decryption_verification.OpenPgpMetadata;
import org.pgpainless.decryption_verification.SignatureInputStream;
import org.pgpainless.exception.MessageNotIntegrityProtectedException;
import org.pgpainless.exception.MissingDecryptionMethodException;
import org.pgpainless.exception.MissingLiteralDataException;
import org.pgpainless.exception.UnacceptableAlgorithmException;
import org.pgpainless.exception.WrongConsumingMethodException;
import org.pgpainless.implementation.ImplementationFactory;
import org.pgpainless.key.SubkeyIdentifier;
import org.pgpainless.key.info.KeyRingInfo;
import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.pgpainless.key.protection.UnlockSecretKey;
import org.pgpainless.signature.DetachedSignature;
import org.pgpainless.signature.OnePassSignatureCheck;
import org.pgpainless.signature.SignatureUtils;
import org.pgpainless.util.CRCingArmoredInputStreamWrapper;
import org.pgpainless.util.IntegrityProtectedInputStream;
import org.pgpainless.util.Passphrase;
import org.pgpainless.util.Tuple;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pgpainless/decryption_verification/DecryptionStreamFactory.class */
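/**
 * Parses an OpenPGP message from an {@link InputStream} and assembles the {@link DecryptionStream}
 * that decrypts it and verifies its signatures.
 *
 * <p>Checks enforced while parsing, as visible in this class:
 * <ul>
 *   <li>encrypted data packets without integrity protection are rejected
 *       ({@link MessageNotIntegrityProtectedException});</li>
 *   <li>the symmetric algorithm of the message must pass PGPainless' decryption algorithm policy
 *       ({@link UnacceptableAlgorithmException});</li>
 *   <li>packet nesting is capped at {@link #MAX_RECURSION_DEPTH}.</li>
 * </ul>
 *
 * <p>This class does not fail when a message is unsigned, or when no certificate is available for
 * a signature: such signatures are skipped and the data is still returned. Callers that require a
 * valid signature or an encrypted message presumably have to check the resulting
 * {@link OpenPgpMetadata} themselves. Confirm against {@code DecryptionStream}.
 *
 * <p>Instances carry per-message state and are intended for a single message.
 */
public final class DecryptionStreamFactory {
    /** Maximum nesting depth of packets; bounds recursion on deeply nested (possibly hostile) input. */
    private static final int MAX_RECURSION_DEPTH = 16;
    private static final Logger LOGGER = LoggerFactory.getLogger(DecryptionStreamFactory.class);
    private static final PGPContentVerifierBuilderProvider verifierBuilderProvider = ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider();
    private static final KeyFingerPrintCalculator keyFingerprintCalculator = ImplementationFactory.getInstance().getKeyFingerprintCalculator();

    private final ConsumerOptions options;
    private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
    // One-pass signatures for which a verification certificate was found.
    private final List<OnePassSignatureCheck> onePassSignatureChecks = new ArrayList<>();
    // For each entry of onePassSignatureChecks: index of its packet among ALL one-pass signature
    // packets seen, including those skipped because no certificate was available.
    private final List<Integer> onePassSignaturePositions = new ArrayList<>();
    private final List<DetachedSignature> detachedSignatureChecks = new ArrayList<>();
    // Total number of one-pass signature packets encountered so far.
    private int onePassSignatureCount;
    private IntegrityProtectedInputStream integrityProtectedEncryptedInputStream;

    /**
     * Creates a {@link DecryptionStream} for the given OpenPGP data.
     *
     * @param inputStream     the (armored or binary) OpenPGP data
     * @param consumerOptions keys, passphrases, certificates and detached signatures to use
     * @return stream from which the processed data can be read
     * @throws PGPException if the message cannot be processed (e.g. no usable key, policy violation)
     * @throws IOException  on read errors or malformed input
     */
    public static DecryptionStream create(@Nonnull InputStream inputStream, @Nonnull ConsumerOptions consumerOptions) throws PGPException, IOException {
        return new DecryptionStreamFactory(consumerOptions).parseOpenPGPDataAndCreateDecryptionStream(inputStream);
    }

    /**
     * Creates a factory for a single message and prepares the detached signatures from the options.
     *
     * @param consumerOptions consumer options, must not be {@code null}
     */
    public DecryptionStreamFactory(ConsumerOptions consumerOptions) {
        this.options = consumerOptions;
        initializeDetachedSignatures(consumerOptions.getDetachedSignatures());
    }

    /**
     * Initializes each detached signature with its issuer's key and registers it for verification.
     * Signatures without an available certificate, or that fail to initialize, are skipped.
     */
    private void initializeDetachedSignatures(Set<PGPSignature> signatures) {
        for (PGPSignature signature : signatures) {
            long issuerKeyId = SignatureUtils.determineIssuerKeyId(signature);
            PGPPublicKeyRing certificate = findSignatureVerificationKeyRing(issuerKeyId);
            if (certificate == null) {
                // Skipped signatures are not verified; make that visible when debugging.
                LOGGER.debug("Missing verification key from {} for detached signature", Long.toHexString(issuerKeyId));
                continue;
            }
            PGPPublicKey signingKey = certificate.getPublicKey(issuerKeyId);
            SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier((PGPKeyRing) certificate, signingKey.getKeyID());
            try {
                signature.init(verifierBuilderProvider, signingKey);
                this.detachedSignatureChecks.add(new DetachedSignature(signature, certificate, signingKeyIdentifier));
            } catch (PGPException e) {
                LOGGER.warn("Cannot verify detached signature made by {}. Reason: {}", signingKeyIdentifier, e.getMessage(), e);
            }
        }
    }

    /**
     * Parses the input as an OpenPGP message. If the input turns out not to be one, it is handed
     * to the signature verification stream as raw data (the detached-signature case).
     */
    private DecryptionStream parseOpenPGPDataAndCreateDecryptionStream(InputStream inputStream) throws IOException, PGPException {
        BufferedInputStream bufferedIn = new BufferedInputStream(inputStream);
        // NOTE(review): both fallbacks below rely on reset(). The mark only guarantees 200 bytes of
        // read-ahead, so reset() may throw once the parser has consumed more than is still
        // buffered. Confirm this is acceptable for large inputs.
        bufferedIn.mark(200);
        InputStream decoderStream = CRCingArmoredInputStreamWrapper.possiblyWrap(PGPUtil.getDecoderStream(bufferedIn));
        ArmoredInputStream armorStream = decoderStream instanceof ArmoredInputStream ? (ArmoredInputStream) decoderStream : null;
        if (armorStream != null && armorStream.isClearText()) {
            throw new WrongConsumingMethodException("Message appears to be using the Cleartext Signature Framework. Use PGPainless.verifyCleartextSignedMessage() to verify this message instead.");
        }

        InputStream processedStream;
        try {
            processedStream = processPGPPackets(new PGPObjectFactory(decoderStream, keyFingerprintCalculator), 1);
        } catch (EOFException e) {
            // Truncated input must not be mistaken for "not armored" below.
            throw e;
        } catch (IOException e) {
            // The armor check depends on the wording of the exception message. A message-less
            // IOException is rethrown instead of causing a NullPointerException here.
            String message = e.getMessage();
            if (message == null || !message.contains("invalid armor")) {
                throw e;
            }
            LOGGER.debug("The message is apparently not armored.");
            bufferedIn.reset();
            processedStream = wrapInVerifySignatureStream(bufferedIn);
        } catch (MissingLiteralDataException e) {
            LOGGER.debug("The message appears to not be an OpenPGP message. This is probably data signed with detached signatures?");
            bufferedIn.reset();
            processedStream = wrapInVerifySignatureStream(bufferedIn);
        }
        return new DecryptionStream(processedStream, this.resultBuilder, this.integrityProtectedEncryptedInputStream, armorStream);
    }

    /** Wraps raw data in a stream that applies the registered one-pass and detached signature checks. */
    private InputStream wrapInVerifySignatureStream(InputStream inputStream) {
        return new SignatureInputStream.VerifySignatures(inputStream, this.onePassSignatureChecks, this.detachedSignatureChecks, this.options, this.resultBuilder);
    }

    /**
     * Reads packets from the factory until one is found that this class handles, and dispatches it.
     *
     * @param objectFactory source of packets
     * @param depth         current nesting depth, starting at 1
     * @throws PGPException                if the nesting depth reaches {@link #MAX_RECURSION_DEPTH}
     * @throws MissingLiteralDataException if the packets end without a literal data packet
     */
    private InputStream processPGPPackets(@Nonnull PGPObjectFactory objectFactory, int depth) throws IOException, PGPException {
        if (depth >= MAX_RECURSION_DEPTH) {
            throw new PGPException("Maximum recursion depth of packages exceeded.");
        }
        Object packet;
        while ((packet = objectFactory.nextObject()) != null) {
            if (packet instanceof PGPEncryptedDataList) {
                return processPGPEncryptedDataList((PGPEncryptedDataList) packet, depth);
            }
            if (packet instanceof PGPCompressedData) {
                return processPGPCompressedData((PGPCompressedData) packet, depth);
            }
            if (packet instanceof PGPOnePassSignatureList) {
                return processOnePassSignatureList(objectFactory, (PGPOnePassSignatureList) packet, depth);
            }
            if (packet instanceof PGPLiteralData) {
                return processPGPLiteralData(objectFactory, (PGPLiteralData) packet, depth);
            }
            // Any other packet type is skipped.
        }
        throw new MissingLiteralDataException("No Literal Data Packet found");
    }

    /** Decrypts the encrypted data and continues parsing the packets contained in it. */
    private InputStream processPGPEncryptedDataList(PGPEncryptedDataList encryptedDataList, int depth) throws PGPException, IOException {
        LOGGER.debug("Depth {}: Encountered PGPEncryptedDataList", depth);
        InputStream decrypted = decryptSessionKey(encryptedDataList);
        return processPGPPackets(new PGPObjectFactory(PGPUtil.getDecoderStream(decrypted), keyFingerprintCalculator), depth + 1);
    }

    /** Records the compression algorithm and continues parsing the decompressed packets. */
    private InputStream processPGPCompressedData(PGPCompressedData compressedData, int depth) throws PGPException, IOException {
        CompressionAlgorithm compressionAlgorithm = CompressionAlgorithm.fromId(compressedData.getAlgorithm());
        LOGGER.debug("Depth {}: Encountered PGPCompressedData: {}", depth, compressionAlgorithm);
        this.resultBuilder.setCompressionAlgorithm(compressionAlgorithm);
        InputStream decompressed = PGPUtil.getDecoderStream(compressedData.getDataStream());
        return processPGPPackets(new PGPObjectFactory(decompressed, keyFingerprintCalculator), depth + 1);
    }

    /** Registers the one-pass signatures and continues with the packets that follow them. */
    private InputStream processOnePassSignatureList(@Nonnull PGPObjectFactory objectFactory, PGPOnePassSignatureList onePassSignatures, int depth) throws PGPException, IOException {
        LOGGER.debug("Depth {}: Encountered PGPOnePassSignatureList of size {}", depth, onePassSignatures.size());
        initOnePassSignatures(onePassSignatures);
        return processPGPPackets(objectFactory, depth + 1);
    }

    /**
     * Records the literal data metadata and returns the data stream. If one-pass signatures were
     * registered, each is paired with its signature packet and the stream is wrapped for
     * verification.
     *
     * @throws IOException if signatures are expected but missing
     */
    private InputStream processPGPLiteralData(@Nonnull PGPObjectFactory objectFactory, PGPLiteralData literalData, int depth) throws IOException {
        LOGGER.debug("Depth {}: Found PGPLiteralData", depth);
        InputStream literalDataStream = literalData.getInputStream();
        // File name, modification date and format are taken from the message as-is; this class
        // does not validate them.
        this.resultBuilder.setFileName(literalData.getFileName())
                .setModificationDate(literalData.getModificationTime())
                .setFileEncoding(StreamEncoding.fromCode(literalData.getFormat()));
        if (this.onePassSignatureChecks.isEmpty()) {
            LOGGER.debug("No OnePassSignatures found -> We are done");
            return literalDataStream;
        }

        List<PGPSignature> signatures = SignatureUtils.toList(parseSignatures(objectFactory));
        // Signature packets trail the data in the reverse order of the one-pass signature packets.
        // The index is derived from the packet's position among ALL one-pass signature packets,
        // so a packet skipped for lack of a certificate does not shift the remaining pairs.
        for (int k = 0; k < this.onePassSignatureChecks.size(); k++) {
            int signatureIndex = this.onePassSignatureCount - this.onePassSignaturePositions.get(k) - 1;
            if (signatureIndex >= signatures.size()) {
                // Malformed input: report it as a verification failure rather than letting an
                // unchecked IndexOutOfBoundsException escape to the caller.
                throw new IOException("Verification failed - Fewer signatures than one-pass signatures found");
            }
            this.onePassSignatureChecks.get(k).setSignature(signatures.get(signatureIndex));
        }
        return new SignatureInputStream.VerifySignatures(literalDataStream, this.onePassSignatureChecks, this.detachedSignatureChecks, this.options, this.resultBuilder) {
        };
    }

    /**
     * Advances the factory to the next signature list.
     *
     * @throws IOException if no signature list follows or the list is empty
     */
    private PGPSignatureList parseSignatures(PGPObjectFactory objectFactory) throws IOException {
        Object packet;
        while ((packet = objectFactory.nextObject()) != null) {
            if (packet instanceof PGPSignatureList) {
                PGPSignatureList signatures = (PGPSignatureList) packet;
                if (signatures.isEmpty()) {
                    break;
                }
                return signatures;
            }
        }
        throw new IOException("Verification failed - No Signatures found");
    }

    /**
     * Finds a way to decrypt the message and returns the decrypted, integrity-checked stream.
     * Passphrases are tried first, then the decryption keys whose passphrase is already
     * available, and finally the keys that were postponed because their passphrase was not.
     *
     * @throws MessageNotIntegrityProtectedException if any encrypted data packet lacks integrity protection
     * @throws MissingDecryptionMethodException      if no passphrase or key fits
     * @throws PGPException                          on other decryption failures
     */
    private InputStream decryptSessionKey(@Nonnull PGPEncryptedDataList encryptedDataList) throws PGPException {
        Iterator<?> encryptedDataObjects = encryptedDataList.getEncryptedDataObjects();
        if (!encryptedDataObjects.hasNext()) {
            throw new PGPException("Decryption failed - EncryptedDataList has no items");
        }

        List<PGPPBEEncryptedData> passphraseProtected = new ArrayList<>();
        List<PGPPublicKeyEncryptedData> publicKeyProtected = new ArrayList<>();
        while (encryptedDataObjects.hasNext()) {
            PGPEncryptedData encryptedData = (PGPEncryptedData) encryptedDataObjects.next();
            // Ciphertext without integrity protection can be modified undetected, so it is refused
            // before any decryption attempt.
            if (!encryptedData.isIntegrityProtected()) {
                throw new MessageNotIntegrityProtectedException();
            }
            if (encryptedData instanceof PGPPBEEncryptedData) {
                passphraseProtected.add((PGPPBEEncryptedData) encryptedData);
            } else if (encryptedData instanceof PGPPublicKeyEncryptedData) {
                publicKeyProtected.add((PGPPublicKeyEncryptedData) encryptedData);
            }
        }

        for (PGPPBEEncryptedData pbeEncryptedData : passphraseProtected) {
            for (Passphrase passphrase : this.options.getDecryptionPassphrases()) {
                PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance().getPBEDataDecryptorFactory(passphrase);
                try {
                    InputStream decrypted = pbeEncryptedData.getDataStream(decryptorFactory);
                    SymmetricKeyAlgorithm symmetricKeyAlgorithm = SymmetricKeyAlgorithm.fromId(pbeEncryptedData.getSymmetricAlgorithm(decryptorFactory));
                    throwIfAlgorithmIsRejected(symmetricKeyAlgorithm);
                    this.resultBuilder.setSymmetricKeyAlgorithm(symmetricKeyAlgorithm);
                    this.integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(decrypted, pbeEncryptedData);
                    return this.integrityProtectedEncryptedInputStream;
                } catch (PGPException e) {
                    // NOTE(review): if UnacceptableAlgorithmException is a PGPException, a policy
                    // rejection is also logged here as a passphrase mismatch. Decryption still
                    // fails, but with a less specific error. Confirm.
                    LOGGER.debug("Probable passphrase mismatch, skip PBE encrypted data block", e);
                }
            }
        }

        PGPPrivateKey decryptionKey = null;
        PGPPublicKeyEncryptedData encryptedSessionKey = null;
        List<Tuple<SubkeyIdentifier, PGPPublicKeyEncryptedData>> postponedDueToMissingPassphrase = new ArrayList<>();
        if (!this.options.getDecryptionKeys().isEmpty()) {
            for (PGPPublicKeyEncryptedData candidate : publicKeyProtected) {
                PGPPrivateKey privateKey = null;
                long keyId = candidate.getKeyID();
                if (keyId == 0) {
                    LOGGER.debug("Hidden recipient detected. Try to decrypt with all available secret keys.");
                    privateKey = tryHiddenRecipientDecryption(candidate, postponedDueToMissingPassphrase);
                } else {
                    LOGGER.debug("PGPEncryptedData is encrypted for key {}", Long.toHexString(keyId));
                    this.resultBuilder.addRecipientKeyId(Long.valueOf(keyId));
                    PGPSecretKeyRing decryptionKeyRing = findDecryptionKeyRing(keyId);
                    if (decryptionKeyRing == null) {
                        LOGGER.debug("Missing certificate of {}. Skip.", Long.toHexString(keyId));
                    } else {
                        privateKey = tryPublicKeyDecryption(decryptionKeyRing, decryptionKeyRing.getSecretKey(keyId), candidate, postponedDueToMissingPassphrase, true);
                    }
                }
                if (privateKey != null) {
                    decryptionKey = privateKey;
                    encryptedSessionKey = candidate;
                }
            }
        }

        if (encryptedSessionKey == null) {
            // Nothing worked without further input: now try the keys whose passphrase has to be
            // obtained from the protector first.
            for (Tuple<SubkeyIdentifier, PGPPublicKeyEncryptedData> postponed : postponedDueToMissingPassphrase) {
                SubkeyIdentifier keyIdentifier = postponed.getA();
                PGPPublicKeyEncryptedData candidate = postponed.getB();
                PGPSecretKeyRing decryptionKeyRing = findDecryptionKeyRing(keyIdentifier.getKeyId());
                if (decryptionKeyRing == null) {
                    continue;
                }
                PGPSecretKey secretKey = decryptionKeyRing.getSecretKey(keyIdentifier.getSubkeyId());
                if (secretKey == null) {
                    continue;
                }
                PGPPrivateKey privateKey = tryPublicKeyDecryption(decryptionKeyRing, secretKey, candidate, postponedDueToMissingPassphrase, false);
                if (privateKey != null) {
                    decryptionKey = privateKey;
                    encryptedSessionKey = candidate;
                    break;
                }
            }
        }
        return decryptWith(encryptedSessionKey, decryptionKey);
    }

    /**
     * Tries the encryption subkeys of all decryption key rings against a session key packet that
     * does not name its recipient, stopping at the first key that fits. Stopping early keeps a
     * later, non-matching subkey from discarding a key that was already found.
     *
     * @return the matching private key, or {@code null} if none fits
     */
    private PGPPrivateKey tryHiddenRecipientDecryption(PGPPublicKeyEncryptedData encryptedSessionKey, List<Tuple<SubkeyIdentifier, PGPPublicKeyEncryptedData>> postponed) throws PGPException {
        for (PGPSecretKeyRing decryptionKeyRing : this.options.getDecryptionKeys()) {
            for (PGPPublicKey encryptionSubkey : new KeyRingInfo(decryptionKeyRing).getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS)) {
                PGPSecretKey secretKey = decryptionKeyRing.getSecretKey(encryptionSubkey.getKeyID());
                if (secretKey == null) {
                    continue;
                }
                PGPPrivateKey privateKey = tryPublicKeyDecryption(decryptionKeyRing, secretKey, encryptedSessionKey, postponed, true);
                if (privateKey != null) {
                    return privateKey;
                }
            }
        }
        return null;
    }

    /**
     * Unlocks the secret key and checks whether it decrypts the given session key packet.
     *
     * @param postponeIfMissingPassphrase if {@code true} and the protector has no passphrase for
     *                                    the key, the attempt is recorded in {@code postponed}
     *                                    instead of being made now
     * @return the unlocked private key if it fits, otherwise {@code null}
     * @throws PGPException if the secret key cannot be unlocked
     */
    private PGPPrivateKey tryPublicKeyDecryption(PGPSecretKeyRing secretKeyRing, PGPSecretKey secretKey, PGPPublicKeyEncryptedData encryptedSessionKey, List<Tuple<SubkeyIdentifier, PGPPublicKeyEncryptedData>> postponed, boolean postponeIfMissingPassphrase) throws PGPException {
        SecretKeyRingProtector protector = this.options.getSecretKeyProtector(secretKeyRing);
        if (postponeIfMissingPassphrase && !protector.hasPassphraseFor(Long.valueOf(secretKey.getKeyID()))) {
            postponed.add(new Tuple<>(new SubkeyIdentifier((PGPKeyRing) secretKeyRing, secretKey.getKeyID()), encryptedSessionKey));
            return null;
        }
        PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector.getDecryptor(Long.valueOf(secretKey.getKeyID())));
        try {
            // Only used as a probe: this fails if the key does not decrypt the session key.
            encryptedSessionKey.getSymmetricAlgorithm(ImplementationFactory.getInstance().getPublicKeyDataDecryptorFactory(privateKey));
            LOGGER.debug("Found correct decryption key {}.", Long.toHexString(secretKey.getKeyID()));
            this.resultBuilder.setDecryptionKey(new SubkeyIdentifier((PGPKeyRing) secretKeyRing, privateKey.getKeyID()));
            return privateKey;
        } catch (PGPException | ClassCastException e) {
            // Expected whenever a key does not belong to this packet; only the key id is logged.
            LOGGER.debug("Key {} does not decrypt the session key.", Long.toHexString(secretKey.getKeyID()), e);
            return null;
        }
    }

    /**
     * Decrypts the message with the given key after checking the symmetric algorithm against the
     * policy.
     *
     * @throws MissingDecryptionMethodException if either argument is {@code null}
     * @throws UnacceptableAlgorithmException   if the policy rejects the symmetric algorithm
     */
    private InputStream decryptWith(PGPPublicKeyEncryptedData encryptedSessionKey, PGPPrivateKey decryptionKey) throws PGPException {
        if (decryptionKey == null || encryptedSessionKey == null) {
            throw new MissingDecryptionMethodException("Decryption failed - No suitable decryption key or passphrase found");
        }
        PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance().getPublicKeyDataDecryptorFactory(decryptionKey);
        SymmetricKeyAlgorithm symmetricKeyAlgorithm = SymmetricKeyAlgorithm.fromId(encryptedSessionKey.getSymmetricAlgorithm(decryptorFactory));
        if (symmetricKeyAlgorithm == SymmetricKeyAlgorithm.NULL) {
            LOGGER.debug("Message is unencrypted");
        } else {
            LOGGER.debug("Message is encrypted using {}", symmetricKeyAlgorithm);
        }
        // The policy check comes before the data stream is opened.
        throwIfAlgorithmIsRejected(symmetricKeyAlgorithm);
        this.resultBuilder.setSymmetricKeyAlgorithm(symmetricKeyAlgorithm);
        this.integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(encryptedSessionKey.getDataStream(decryptorFactory), encryptedSessionKey);
        return this.integrityProtectedEncryptedInputStream;
    }

    /**
     * Enforces the symmetric key decryption algorithm policy.
     *
     * @throws UnacceptableAlgorithmException if the policy does not accept the algorithm
     */
    private void throwIfAlgorithmIsRejected(SymmetricKeyAlgorithm symmetricKeyAlgorithm) throws UnacceptableAlgorithmException {
        if (!PGPainless.getPolicy().getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(symmetricKeyAlgorithm)) {
            throw new UnacceptableAlgorithmException("Data is " + (symmetricKeyAlgorithm == SymmetricKeyAlgorithm.NULL ? "unencrypted" : "encrypted with symmetric algorithm " + symmetricKeyAlgorithm) + " which is not acceptable as per PGPainless' policy.\nTo mark this algorithm as acceptable, use PGPainless.getPolicy().setSymmetricKeyDecryptionAlgorithmPolicy().");
        }
    }

    /**
     * Registers all one-pass signatures of the list.
     *
     * @throws PGPException if the list is empty or a signature cannot be initialized
     */
    private void initOnePassSignatures(@Nonnull PGPOnePassSignatureList onePassSignatures) throws PGPException {
        Iterator<PGPOnePassSignature> iterator = onePassSignatures.iterator();
        if (!iterator.hasNext()) {
            throw new PGPException("Verification failed - No OnePassSignatures found");
        }
        processOnePassSignatures(iterator);
    }

    /** Registers every remaining one-pass signature of the iterator. */
    private void processOnePassSignatures(Iterator<PGPOnePassSignature> onePassSignatures) throws PGPException {
        while (onePassSignatures.hasNext()) {
            processOnePassSignature(onePassSignatures.next());
        }
    }

    /**
     * Initializes the one-pass signature with the signer's key and registers it for verification.
     * If no certificate is available for the signer, the signature is skipped and never verified.
     */
    private void processOnePassSignature(PGPOnePassSignature onePassSignature) throws PGPException {
        // Count every packet, including skipped ones, so the trailing signatures can be matched
        // to the right one-pass signature later.
        int position = this.onePassSignatureCount++;
        long keyId = onePassSignature.getKeyID();
        LOGGER.debug("Encountered OnePassSignature from {}", Long.toHexString(keyId));
        PGPPublicKeyRing certificate = findSignatureVerificationKeyRing(keyId);
        if (certificate == null) {
            LOGGER.debug("Missing verification key from {}", Long.toHexString(keyId));
            return;
        }
        onePassSignature.init(verifierBuilderProvider, certificate.getPublicKey(keyId));
        this.onePassSignatureChecks.add(new OnePassSignatureCheck(onePassSignature, certificate));
        this.onePassSignaturePositions.add(position);
    }

    /**
     * Returns the first decryption key ring that contains a secret key with the given id, or
     * {@code null} if there is none.
     */
    private PGPSecretKeyRing findDecryptionKeyRing(long keyId) {
        for (PGPSecretKeyRing secretKeyRing : this.options.getDecryptionKeys()) {
            if (secretKeyRing.getSecretKey(keyId) != null) {
                return secretKeyRing;
            }
        }
        return null;
    }

    /**
     * Returns a certificate containing the public key with the given id: the first match among
     * the configured certificates, otherwise whatever the missing-certificate callback supplies.
     *
     * @return the certificate, or {@code null} if none contains the key
     */
    private PGPPublicKeyRing findSignatureVerificationKeyRing(long keyId) {
        for (PGPPublicKeyRing certificate : this.options.getCertificates()) {
            if (certificate.getPublicKey(keyId) != null) {
                LOGGER.debug("Found public key {} for signature verification", Long.toHexString(keyId));
                return certificate;
            }
        }
        if (this.options.getMissingCertificateCallback() == null) {
            return null;
        }
        PGPPublicKeyRing provided = this.options.getMissingCertificateCallback().onMissingPublicKeyEncountered(Long.valueOf(keyId));
        // The callback result is external input. A certificate that lacks the requested key would
        // make the callers dereference a null public key, so it is treated as "not found".
        if (provided != null && provided.getPublicKey(keyId) == null) {
            LOGGER.debug("Certificate provided by callback does not contain key {}", Long.toHexString(keyId));
            return null;
        }
        return provided;
    }
}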
