package org.apache.nifi.processors.pgp;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.nifi.annotation.behavior.InputRequirement;
import org.apache.nifi.annotation.behavior.WritesAttribute;
import org.apache.nifi.annotation.behavior.WritesAttributes;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.SeeAlso;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.components.AllowableValue;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.flowfile.FlowFile;
import org.apache.nifi.flowfile.attributes.CoreAttributes;
import org.apache.nifi.pgp.service.api.PGPPrivateKeyService;
import org.apache.nifi.processor.AbstractProcessor;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.ProcessSession;
import org.apache.nifi.processor.Relationship;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.processors.pgp.attributes.CompressionAlgorithm;
import org.apache.nifi.processors.pgp.attributes.FileEncoding;
import org.apache.nifi.processors.pgp.attributes.HashAlgorithm;
import org.apache.nifi.processors.pgp.attributes.SigningStrategy;
import org.apache.nifi.processors.pgp.exception.PGPProcessException;
import org.apache.nifi.processors.pgp.io.EncodingStreamCallback;
import org.apache.nifi.processors.pgp.io.KeyIdentifierConverter;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureGenerator;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;

@CapabilityDescription("Sign content using OpenPGP Private Keys")
@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
@Tags({"PGP", "GPG", "OpenPGP", "Encryption", "Signing", "RFC 4880"})
@SeeAlso({DecryptContentPGP.class, EncryptContentPGP.class, VerifyContentPGP.class})
@WritesAttributes({@WritesAttribute(attribute = "pgp.compression.algorithm", description = "Compression Algorithm"), @WritesAttribute(attribute = "pgp.compression.algorithm.id", description = "Compression Algorithm Identifier"), @WritesAttribute(attribute = "pgp.file.encoding", description = "File Encoding"), @WritesAttribute(attribute = "pgp.signature.algorithm", description = "Signature Algorithm including key and hash algorithm names"), @WritesAttribute(attribute = "pgp.signature.hash.algorithm.id", description = "Signature Hash Algorithm Identifier"), @WritesAttribute(attribute = "pgp.signature.key.algorithm.id", description = "Signature Key Algorithm Identifier"), @WritesAttribute(attribute = "pgp.signature.key.id", description = "Signature Public Key Identifier"), @WritesAttribute(attribute = "pgp.signature.type.id", description = "Signature Type Identifier"), @WritesAttribute(attribute = "pgp.signature.version", description = "Signature Version Number")})
/* loaded from: input_file:org/apache/nifi/processors/pgp/SignContentPGP.class */
public class SignContentPGP extends AbstractProcessor {
    public static final Relationship SUCCESS = new Relationship.Builder().name("success").description("Content signing succeeded").build();
    public static final Relationship FAILURE = new Relationship.Builder().name("failure").description("Content signing failed").build();
    public static final PropertyDescriptor COMPRESSION_ALGORITHM = new PropertyDescriptor.Builder().name("compression-algorithm").displayName("Compression Algorithm").description("Compression Algorithm for signing").required(true).defaultValue(CompressionAlgorithm.ZIP.name()).allowableValues(CompressionAlgorithm.values()).build();
    public static final PropertyDescriptor FILE_ENCODING = new PropertyDescriptor.Builder().name("file-encoding").displayName("File Encoding").description("File Encoding for signing").required(true).defaultValue(FileEncoding.BINARY.name()).allowableValues(FileEncoding.values()).build();
    public static final PropertyDescriptor HASH_ALGORITHM = new PropertyDescriptor.Builder().name("hash-algorithm").displayName("Hash Algorithm").description("Hash Algorithm for signing").required(true).defaultValue(HashAlgorithm.SHA512.name()).allowableValues(HashAlgorithm.values()).build();
    public static final PropertyDescriptor SIGNING_STRATEGY = new PropertyDescriptor.Builder().name("signing-strategy").displayName("Signing Strategy").description("Strategy for writing files to success after signing").required(true).defaultValue(SigningStrategy.SIGNED.name()).allowableValues((AllowableValue[]) Arrays.stream(SigningStrategy.values()).map(signingStrategy -> {
        return new AllowableValue(signingStrategy.name(), signingStrategy.name(), signingStrategy.getDescription());
    }).toArray(i -> {
        return new AllowableValue[i];
    })).build();
    public static final PropertyDescriptor PRIVATE_KEY_SERVICE = new PropertyDescriptor.Builder().name("private-key-service").displayName("Private Key Service").description("PGP Private Key Service for generating content signatures").identifiesControllerService(PGPPrivateKeyService.class).required(true).build();
    public static final PropertyDescriptor PRIVATE_KEY_ID = new PropertyDescriptor.Builder().name("private-key-id").displayName("Private Key ID").description("PGP Private Key Identifier formatted as uppercase hexadecimal string of 16 characters used for signing").expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES).addValidator(StandardValidators.NON_EMPTY_EL_VALIDATOR).required(true).build();
    private static final Set<Relationship> RELATIONSHIPS = new HashSet(Arrays.asList(SUCCESS, FAILURE));
    private static final List<PropertyDescriptor> DESCRIPTORS = Arrays.asList(COMPRESSION_ALGORITHM, FILE_ENCODING, HASH_ALGORITHM, SIGNING_STRATEGY, PRIVATE_KEY_SERVICE, PRIVATE_KEY_ID);
    private static final boolean NESTED_SIGNATURE_DISABLED = false;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/nifi/processors/pgp/SignContentPGP$DetachedStreamCallback.class */
    public class DetachedStreamCallback extends SignatureStreamCallback {
        private DetachedStreamCallback(FileEncoding fileEncoding, CompressionAlgorithm compressionAlgorithm, String str, HashAlgorithm hashAlgorithm, PGPPrivateKey pGPPrivateKey) {
            super(fileEncoding, compressionAlgorithm, str, hashAlgorithm, pGPPrivateKey);
        }

        /* JADX INFO: Access modifiers changed from: protected */
        @Override // org.apache.nifi.processors.pgp.io.EncodingStreamCallback
        public void processEncoding(InputStream inputStream, OutputStream outputStream) throws IOException, PGPException {
            processDetached(inputStream, outputStream);
        }

        private void processDetached(InputStream inputStream, OutputStream outputStream) throws IOException, PGPException {
            PGPSignatureGenerator signatureGenerator = getSignatureGenerator();
            byte[] createOutputBuffer = createOutputBuffer();
            while (true) {
                int read = inputStream.read(createOutputBuffer);
                if (read < 0) {
                    writeSignature(signatureGenerator, outputStream);
                    return;
                }
                signatureGenerator.update(createOutputBuffer, SignContentPGP.NESTED_SIGNATURE_DISABLED, read);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/nifi/processors/pgp/SignContentPGP$SignatureStreamCallback.class */
    public class SignatureStreamCallback extends EncodingStreamCallback {
        private final PGPPrivateKey privateKey;
        private final HashAlgorithm hashAlgorithm;
        private final Map<String, String> attributes;

        protected SignatureStreamCallback(FileEncoding fileEncoding, CompressionAlgorithm compressionAlgorithm, String str, HashAlgorithm hashAlgorithm, PGPPrivateKey pGPPrivateKey) {
            super(fileEncoding, compressionAlgorithm, str);
            this.attributes = new HashMap();
            this.hashAlgorithm = hashAlgorithm;
            this.privateKey = pGPPrivateKey;
            this.attributes.put("pgp.compression.algorithm", compressionAlgorithm.toString());
            this.attributes.put("pgp.compression.algorithm.id", Integer.toString(compressionAlgorithm.getId()));
            this.attributes.put("pgp.file.encoding", fileEncoding.toString());
        }

        protected void writeSignature(PGPSignatureGenerator pGPSignatureGenerator, OutputStream outputStream) throws PGPException, IOException {
            PGPSignature generate = pGPSignatureGenerator.generate();
            generate.encode(outputStream);
            setSignatureAttributes(generate);
        }

        protected PGPSignatureGenerator getSignatureGenerator() throws PGPException {
            int algorithm = this.privateKey.getPublicKeyPacket().getAlgorithm();
            PGPSignatureGenerator pGPSignatureGenerator = new PGPSignatureGenerator(new JcaPGPContentSignerBuilder(algorithm, this.hashAlgorithm.getId()).setSecureRandom(new SecureRandom()));
            pGPSignatureGenerator.init(SignContentPGP.NESTED_SIGNATURE_DISABLED, this.privateKey);
            return pGPSignatureGenerator;
        }

        private void setSignatureAttributes(PGPSignature pGPSignature) {
            setSignatureAlgorithm(pGPSignature.getKeyAlgorithm(), pGPSignature.getHashAlgorithm());
            this.attributes.put("pgp.signature.created", Long.toString(pGPSignature.getCreationTime().getTime()));
            this.attributes.put("pgp.signature.key.id", KeyIdentifierConverter.format(pGPSignature.getKeyID()));
            this.attributes.put("pgp.signature.type.id", Integer.toString(pGPSignature.getSignatureType()));
            this.attributes.put("pgp.signature.version", Integer.toString(pGPSignature.getVersion()));
        }

        private void setSignatureAlgorithm(int i, int i2) {
            this.attributes.put("pgp.signature.hash.algorithm.id", Integer.toString(i2));
            this.attributes.put("pgp.signature.key.algorithm.id", Integer.toString(i));
            try {
                this.attributes.put("pgp.signature.algorithm", PGPUtil.getSignatureName(i, i2));
            } catch (PGPException e) {
                SignContentPGP.this.getLogger().debug("Signature Algorithm Key Identifier [{}] Hash Identifier [{}] not found", new Object[]{Integer.valueOf(i), Integer.valueOf(i2)});
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/nifi/processors/pgp/SignContentPGP$SignedStreamCallback.class */
    public class SignedStreamCallback extends SignatureStreamCallback {
        private SignedStreamCallback(FileEncoding fileEncoding, CompressionAlgorithm compressionAlgorithm, String str, HashAlgorithm hashAlgorithm, PGPPrivateKey pGPPrivateKey) {
            super(fileEncoding, compressionAlgorithm, str, hashAlgorithm, pGPPrivateKey);
        }

        @Override // org.apache.nifi.processors.pgp.io.EncodingStreamCallback
        protected void processCompression(InputStream inputStream, OutputStream outputStream) throws IOException, PGPException {
            PGPSignatureGenerator signatureGenerator = getSignatureGenerator();
            signatureGenerator.generateOnePassVersion(false).encode(outputStream);
            PGPLiteralDataGenerator pGPLiteralDataGenerator = new PGPLiteralDataGenerator();
            OutputStream openLiteralOutputStream = openLiteralOutputStream(pGPLiteralDataGenerator, outputStream);
            Throwable th = SignContentPGP.NESTED_SIGNATURE_DISABLED;
            try {
                try {
                    processSigned(inputStream, openLiteralOutputStream, signatureGenerator);
                    if (openLiteralOutputStream != null) {
                        if (th != null) {
                            try {
                                openLiteralOutputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            openLiteralOutputStream.close();
                        }
                    }
                    pGPLiteralDataGenerator.close();
                    writeSignature(signatureGenerator, outputStream);
                } finally {
                }
            } catch (Throwable th3) {
                if (openLiteralOutputStream != null) {
                    if (th != null) {
                        try {
                            openLiteralOutputStream.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        openLiteralOutputStream.close();
                    }
                }
                throw th3;
            }
        }

        private void processSigned(InputStream inputStream, OutputStream outputStream, PGPSignatureGenerator pGPSignatureGenerator) throws IOException {
            byte[] createOutputBuffer = createOutputBuffer();
            while (true) {
                int read = inputStream.read(createOutputBuffer);
                if (read < 0) {
                    return;
                }
                outputStream.write(createOutputBuffer, SignContentPGP.NESTED_SIGNATURE_DISABLED, read);
                pGPSignatureGenerator.update(createOutputBuffer, SignContentPGP.NESTED_SIGNATURE_DISABLED, read);
            }
        }
    }

    public Set<Relationship> getRelationships() {
        return RELATIONSHIPS;
    }

    public final List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return DESCRIPTORS;
    }

    public void onTrigger(ProcessContext processContext, ProcessSession processSession) {
        FlowFile flowFile = processSession.get();
        if (flowFile == null) {
            return;
        }
        try {
            SignatureStreamCallback streamCallback = getStreamCallback(processContext, flowFile);
            flowFile = processSession.putAllAttributes(processSession.write(flowFile, streamCallback), streamCallback.attributes);
            processSession.transfer(flowFile, SUCCESS);
        } catch (RuntimeException e) {
            getLogger().error("Signing Failed {}", new Object[]{flowFile, e});
            processSession.transfer(flowFile, FAILURE);
        }
    }

    private SignatureStreamCallback getStreamCallback(ProcessContext processContext, FlowFile flowFile) {
        FileEncoding fileEncoding = getFileEncoding(processContext);
        CompressionAlgorithm compressionAlgorithm = getCompressionAlgorithm(processContext);
        HashAlgorithm hashAlgorithm = getHashAlgorithm(processContext);
        String attribute = flowFile.getAttribute(CoreAttributes.FILENAME.key());
        SigningStrategy signingStrategy = getSigningStrategy(processContext);
        PGPPrivateKey privateKey = getPrivateKey(processContext, flowFile);
        return SigningStrategy.SIGNED.equals(signingStrategy) ? new SignedStreamCallback(fileEncoding, compressionAlgorithm, attribute, hashAlgorithm, privateKey) : new DetachedStreamCallback(fileEncoding, compressionAlgorithm, attribute, hashAlgorithm, privateKey);
    }

    private PGPPrivateKey getPrivateKey(ProcessContext processContext, FlowFile flowFile) {
        PGPPrivateKeyService asControllerService = processContext.getProperty(PRIVATE_KEY_SERVICE).asControllerService(PGPPrivateKeyService.class);
        long privateKeyId = getPrivateKeyId(processContext, flowFile);
        return (PGPPrivateKey) asControllerService.findPrivateKey(privateKeyId).orElseThrow(() -> {
            return new PGPProcessException(String.format("Private Key ID [%s] not found", KeyIdentifierConverter.format(privateKeyId)));
        });
    }

    private long getPrivateKeyId(ProcessContext processContext, FlowFile flowFile) {
        String value = processContext.getProperty(PRIVATE_KEY_ID).evaluateAttributeExpressions(flowFile).getValue();
        try {
            return KeyIdentifierConverter.parse(value);
        } catch (NumberFormatException e) {
            throw new PGPProcessException(String.format("Private Key ID [%s] Hexadecimal Parsing Failed", value), e);
        }
    }

    private CompressionAlgorithm getCompressionAlgorithm(ProcessContext processContext) {
        return CompressionAlgorithm.valueOf(processContext.getProperty(COMPRESSION_ALGORITHM).getValue());
    }

    private FileEncoding getFileEncoding(ProcessContext processContext) {
        return FileEncoding.valueOf(processContext.getProperty(FILE_ENCODING).getValue());
    }

    private HashAlgorithm getHashAlgorithm(ProcessContext processContext) {
        return HashAlgorithm.valueOf(processContext.getProperty(HASH_ALGORITHM).getValue());
    }

    private SigningStrategy getSigningStrategy(ProcessContext processContext) {
        return SigningStrategy.valueOf(processContext.getProperty(SIGNING_STRATEGY).getValue());
    }
}
