package org.forgerock.audit.handlers.csv;

import com.fasterxml.jackson.annotation.JsonProperty;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.SecretKey;
import org.forgerock.audit.secure.KeyStoreSecureStorage;
import org.forgerock.audit.secure.SecureStorage;
import org.forgerock.audit.secure.SecureStorageException;
import org.forgerock.util.encode.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.supercsv.io.CsvMapReader;
import org.supercsv.prefs.CsvPreference;

/* loaded from: input_file:org/forgerock/audit/handlers/csv/CsvSecureVerifier.class */
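/**
 * Verifies the tamper-evidence chain of a secure CSV audit file.
 *
 * <p>The file is expected to end every row with two extra columns, {@code HMAC} and
 * {@code SIGNATURE}. Rows without a signature are checked against an HMAC computed by
 * {@link HmacCalculator}; rows with a signature are checked through
 * {@link SecureStorage#verify} against the previous signature and the last verified HMAC.
 * After the last row, the calculator's current key must equal the key held in secure
 * storage and the last row must have been a verified signature row.
 *
 * <p>Instances keep per-run state ({@code lastHMAC}, {@code lastSignature},
 * {@code headers}) in plain fields and perform no synchronization.
 */
class CsvSecureVerifier {
    private static final Logger logger = LoggerFactory.getLogger(CsvSecureVerifier.class);

    /** Column holding each row's HMAC; must be the second-to-last column. */
    private static final String HEADER_HMAC = "HMAC";
    /** Column holding periodic signatures; must be the last column. */
    private static final String HEADER_SIGNATURE = "SIGNATURE";
    /** Row number reported by the reader for the first row after the header. */
    private static final int FIRST_ROW_AFTER_HEADER = 2;

    private final File csvFile;
    private final CsvPreference csvPreference;
    private final HmacCalculator hmacCalculator;
    private final SecureStorage secureStorage;
    private String lastHMAC;
    private byte[] lastSignature;
    private String[] headers;

    /**
     * Outcome of verifying one CSV file.
     *
     * <p>Decompiler note: this class and its constructor were package-private in the
     * original bytecode; the visibility shown here was widened by the decompiler.
     */
    public static final class VerificationResult {
        private final File archiveFile;
        private final boolean passedVerification;
        private final String failureReason;

        /**
         * @param file the file that was verified
         * @param z {@code true} if the file passed verification
         * @param str the failure reason; the empty string is used on success
         */
        public VerificationResult(File file, boolean z, String str) {
            this.archiveFile = file;
            this.passedVerification = z;
            this.failureReason = str;
        }

        /** @return the file this result refers to */
        public File getArchiveFile() {
            return this.archiveFile;
        }

        /** @return {@code true} if the file passed verification */
        public boolean hasPassedVerification() {
            return this.passedVerification;
        }

        /** @return the reason verification failed, as passed to the constructor */
        public String getFailureReason() {
            return this.failureReason;
        }
    }

    /**
     * Creates a verifier seeded with the initial HMAC key from secure storage.
     *
     * @param file the CSV file to verify
     * @param csvPreference the CSV dialect used to parse the file
     * @param secureStorage source of the initial key, the current key and signature checks
     * @throws IllegalStateException if the storage holds no initial key or cannot be read
     */
    public CsvSecureVerifier(File file, CsvPreference csvPreference, SecureStorage secureStorage) {
        this.csvFile = file;
        this.csvPreference = csvPreference;
        this.secureStorage = secureStorage;
        try {
            SecretKey initialKey = secureStorage.readInitialKey();
            if (initialKey == null) {
                throw new IllegalStateException("Expecting to find an initial key into the keystore.");
            }
            this.hmacCalculator = new HmacCalculator(KeyStoreSecureStorage.HMAC_ALGORITHM);
            this.hmacCalculator.setCurrentKey(initialKey.getEncoded());
        } catch (SecureStorageException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Verifies every row of the CSV file, then the final key and the final signature.
     *
     * <p>A file with no header line, or with fewer than two columns, is reported as a
     * verification failure instead of raising a runtime exception, so a truncated or
     * emptied file cannot abort the caller's verification run.
     *
     * @return a result describing success, or the first failure encountered
     * @throws IOException if the file cannot be read, or if HMAC computation or secure
     *         storage access fails
     */
    public VerificationResult verify() throws IOException {
        boolean lastRowWasSigned = false;
        try (CsvMapReader csvReader = newBufferedCsvMapReader()) {
            final String[] header = csvReader.getHeader(true);
            if (!endsWithSecurityColumns(header)) {
                final String reason = "Found only " + countSecurityColumns(header)
                        + " checked headers from : " + Arrays.toString(header);
                logger.debug(reason);
                return newVerificationFailureResult(reason);
            }
            this.headers = dropExtraHeaders(header);

            Map<String, String> row;
            while ((row = csvReader.read(header)) != null) {
                final int rowNumber = csvReader.getRowNumber();
                logger.trace("Verifying row {}", rowNumber);
                lastRowWasSigned = false;
                final String encodedSignature = row.get(HEADER_SIGNATURE);
                if (encodedSignature == null) {
                    if (!verifyHMAC(row, header)) {
                        final String reason = "The HMac at row " + rowNumber + " is not correct.";
                        logger.trace(reason);
                        return newVerificationFailureResult(reason);
                    }
                    logger.trace("The HMac at row {} is correct.", rowNumber);
                } else if (rowNumber == FIRST_ROW_AFTER_HEADER) {
                    // NOTE(review): the signature on the first row is adopted as the start of
                    // the chain without being verified here; confirm it is anchored elsewhere.
                    this.lastSignature = Base64.decode(encodedSignature);
                } else {
                    // NOTE(review): rows that carry a SIGNATURE are not passed to verifyHMAC,
                    // so any other column content on such rows is not authenticated by this
                    // method; consumers should not treat it as verified data.
                    if (!verifySignature(encodedSignature)) {
                        final String reason = "The signature at row " + rowNumber + " is not correct.";
                        logger.trace(reason);
                        return newVerificationFailureResult(reason);
                    }
                    logger.trace("The signature at row {} is correct.", rowNumber);
                    lastRowWasSigned = true;
                }
            }
        }

        // All rows are consistent; now detect truncation: the calculator's key after the
        // last row must equal the stored current key, and the file must end on a signature.
        try {
            final SecretKey storedCurrentKey = this.secureStorage.readCurrentKey();
            if (storedCurrentKey == null) {
                logger.trace("currentKey is null");
                return newVerificationFailureResult("Final HMAC key is null");
            }
            final boolean keysMatch = Arrays.equals(
                    this.hmacCalculator.getCurrentKey().getEncoded(), storedCurrentKey.getEncoded());
            logger.trace("keysMatch={}, lastRowWasSigned={}", keysMatch, lastRowWasSigned);
            if (!keysMatch) {
                return newVerificationFailureResult("Final HMAC key doesn't match expected value");
            }
            if (!lastRowWasSigned) {
                return newVerificationFailureResult("Missing final signature");
            }
            return newVerificationSuccessResult();
        } catch (SecureStorageException e) {
            throw new IOException(e);
        }
    }

    /** Returns true when the header exists and its last two columns are HMAC then SIGNATURE. */
    private static boolean endsWithSecurityColumns(String[] header) {
        return header != null
                && header.length >= 2
                && HEADER_HMAC.equals(header[header.length - 2])
                && HEADER_SIGNATURE.equals(header[header.length - 1]);
    }

    /** Counts HMAC/SIGNATURE columns anywhere in the header, for the failure message only. */
    private static int countSecurityColumns(String[] header) {
        if (header == null) {
            return 0;
        }
        int found = 0;
        for (String name : header) {
            if (HEADER_HMAC.equals(name) || HEADER_SIGNATURE.equals(name)) {
                found++;
            }
        }
        return found;
    }

    /**
     * Opens the CSV file for reading.
     *
     * <p>NOTE(review): {@link FileReader} decodes with the platform default charset on older
     * JDKs; confirm this matches the charset used when the file was written, since the HMAC
     * is computed over the decoded text.
     */
    private CsvMapReader newBufferedCsvMapReader() throws FileNotFoundException {
        return new CsvMapReader(new BufferedReader(new FileReader(this.csvFile)), this.csvPreference);
    }

    private VerificationResult newVerificationFailureResult(String str) {
        return new VerificationResult(this.csvFile, false, str);
    }

    private VerificationResult newVerificationSuccessResult() {
        // The decompiler rendered this empty string as JsonProperty.USE_DEFAULT_NAME ("").
        return new VerificationResult(this.csvFile, true, "");
    }

    /**
     * Checks one row's HMAC column against the HMAC computed over its data columns.
     *
     * @param map the row, keyed by column name
     * @param strArr the full header, including the two trailing security columns
     * @return {@code true} if the stored HMAC is present and equals the computed one
     * @throws IOException if the HMAC cannot be computed
     */
    private boolean verifyHMAC(Map<String, String> map, String[] strArr) throws IOException {
        try {
            final String storedHmac = map.get(HEADER_HMAC);
            // Always run the calculator, even when the stored value is missing, so the
            // calculator sees the same sequence of calls as before this guard was added.
            final String expectedHmac = this.hmacCalculator.calculate(
                    CsvSecureUtils.dataToSign(logger, map, dropExtraHeaders(strArr)));
            // A row with an empty HMAC column yields null here; treat it as a mismatch
            // rather than letting a NullPointerException escape from verify().
            if (storedHmac != null && storedHmac.equals(expectedHmac)) {
                this.lastHMAC = storedHmac;
                return true;
            }
            // The computed value is deliberately not logged: it is the valid MAC for data
            // that has just failed authentication.
            logger.trace("The HMAC is not valid. Found : {}", storedHmac);
            return false;
        } catch (SignatureException e) {
            logger.error(e.getMessage(), e);
            throw new IOException(e);
        }
    }

    /**
     * Checks a signature row against the previous signature and the last verified HMAC.
     *
     * @param str the Base64-encoded signature read from the row
     * @return {@code true} if secure storage accepts the signature
     * @throws IOException if secure storage fails while verifying
     */
    private boolean verifySignature(String str) throws IOException {
        try {
            final byte[] candidate = Base64.decode(str);
            // presumably Base64.decode yields null for malformed input (confirm); such a
            // value is rejected here instead of being handed to the storage layer.
            if (candidate != null
                    && this.secureStorage.verify(
                            CsvSecureUtils.dataToSign(this.lastSignature, this.lastHMAC), candidate)) {
                this.lastSignature = candidate;
                return true;
            }
            logger.trace("The signature does not match the expecting one.");
            return false;
        } catch (SecureStorageException e) {
            logger.error(e.getMessage(), e);
            throw new IOException(e);
        }
    }

    /** Returns the header without its two trailing security columns. */
    private String[] dropExtraHeaders(String... strArr) {
        return Arrays.copyOf(strArr, strArr.length - 2);
    }

    /** @return the data column names from the last successful header check, or {@code null} */
    public String[] getHeaders() {
        return this.headers;
    }

    /** @return the last HMAC that verified successfully, or {@code null} if none has */
    public String getLastHMAC() {
        return this.lastHMAC;
    }

    /** @return the last signature accepted by {@link #verify()}, or {@code null} if none has */
    public byte[] getLastSignature() {
        return this.lastSignature;
    }
}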
