package dev.sigstore.fulcio.client;

import com.google.protobuf.ByteString;
import dev.sigstore.encryption.certificates.transparency.SerializationException;
import dev.sigstore.fulcio.v2.CAGrpc;
import dev.sigstore.fulcio.v2.CreateSigningCertificateRequest;
import dev.sigstore.fulcio.v2.Credentials;
import dev.sigstore.fulcio.v2.PublicKey;
import dev.sigstore.fulcio.v2.PublicKeyRequest;
import dev.sigstore.fulcio.v2.SigningCertificate;
import dev.sigstore.http.GrpcChannels;
import dev.sigstore.http.HttpParams;
import dev.sigstore.http.ImmutableHttpParams;
import io.grpc.ManagedChannel;
import java.io.IOException;
import java.net.URI;
import java.security.cert.CertificateException;
import java.util.Base64;
import java.util.concurrent.TimeUnit;

/* loaded from: input_file:dev/sigstore/fulcio/client/FulcioClient.class */
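/**
 * Client that requests a signing certificate from a Fulcio certificate authority over gRPC.
 *
 * <p>Instances are created through {@link #builder()} and hold only immutable configuration: the
 * server address, the HTTP/gRPC parameters and the signed-certificate-timestamp (SCT) policy.
 */
public class FulcioClient {
    /** Host of the public Fulcio server (no URI scheme). */
    public static final String PUBLIC_FULCIO_SERVER = "fulcio.sigstore.dev";
    /** Host of the staging Fulcio server (no URI scheme). */
    public static final String STAGING_FULCIO_SERVER = "fulcio.sigstage.dev";
    /** Default SCT policy: a detached-SCT response without any SCT is rejected. */
    public static final boolean DEFAULT_REQUIRE_SCT = true;
    private final HttpParams httpParams;
    private final URI serverUrl;
    private final boolean requireSct;

    /** Builder for {@link FulcioClient}; defaults to the public server with SCTs required. */
    public static class Builder {
        private URI serverUrl = URI.create(FulcioClient.PUBLIC_FULCIO_SERVER);
        // Use the published constant so the builder default cannot drift from it.
        private boolean requireSct = FulcioClient.DEFAULT_REQUIRE_SCT;
        private HttpParams httpParams = ImmutableHttpParams.builder().build();

        private Builder() {
        }

        /** Sets the connection parameters passed to {@code GrpcChannels.newManagedChannel}. */
        public Builder setHttpParams(HttpParams httpParams) {
            this.httpParams = httpParams;
            return this;
        }

        /**
         * Sets the Fulcio server to contact. The value decides which CA receives the OIDC
         * identity token, so it should come from trusted configuration only.
         */
        public Builder setServerUrl(URI uri) {
            this.serverUrl = uri;
            return this;
        }

        /**
         * Sets the SCT policy. With {@code false}, a detached-SCT response that carries no
         * signed certificate timestamp is accepted by {@link FulcioClient#signingCertificate}.
         * Keep the default ({@code true}) unless the target server is known not to issue SCTs.
         */
        public Builder requireSct(boolean z) {
            this.requireSct = z;
            return this;
        }

        /** Creates the client from the values collected so far. */
        public FulcioClient build() {
            return new FulcioClient(this.httpParams, this.serverUrl, this.requireSct);
        }
    }

    /** Returns a new builder preloaded with the defaults. */
    public static Builder builder() {
        return new Builder();
    }

    private FulcioClient(HttpParams httpParams, URI uri, boolean z) {
        this.serverUrl = uri;
        this.requireSct = z;
        this.httpParams = httpParams;
    }

    /**
     * Requests a signing certificate for the public key and OIDC identity token in the request.
     *
     * <p>A fresh gRPC channel is opened for each call and always shut down before returning,
     * waiting up to five seconds for termination.
     *
     * <p>SCT handling in this method: the {@code requireSct} flag is checked only for responses
     * that carry a detached SCT. A response with an embedded SCT is converted without any SCT
     * check here, so the caller (or the conversion it delegates to) has to verify the embedded
     * SCT.
     *
     * @param certificateRequest supplies the OIDC identity token, the public key with its
     *     algorithm, and the proof of possession; the token is a bearer credential and must not
     *     be logged
     * @return the certificate returned by Fulcio
     * @throws CertificateException if SCTs are required and the detached-SCT response has none,
     *     or if the detached SCT cannot be parsed (the parse error is attached as the cause)
     * @throws InterruptedException if interrupted while waiting for the channel to terminate
     * @throws IOException declared by the signature; the visible code does not show where it
     *     originates
     */
    public SigningCertificate signingCertificate(CertificateRequest certificateRequest) throws InterruptedException, CertificateException, IOException {
        ManagedChannel channel = GrpcChannels.newManagedChannel(this.serverUrl, this.httpParams);
        try {
            CAGrpc.CABlockingStub stub = CAGrpc.newBlockingStub(channel);
            // build() replaces the decompiler's renamed aliases (m154build, m250build, ...).
            Credentials credentials = Credentials.newBuilder().setOidcIdentityToken(certificateRequest.getIdToken()).build();
            CreateSigningCertificateRequest request = CreateSigningCertificateRequest.newBuilder()
                    .setCredentials(credentials)
                    .setPublicKeyRequest(PublicKeyRequest.newBuilder()
                            .setPublicKey(PublicKey.newBuilder()
                                    .setAlgorithm(certificateRequest.getPublicKeyAlgorithm())
                                    .setContent("-----BEGIN PUBLIC KEY-----\n" + Base64.getEncoder().encodeToString(certificateRequest.getPublicKey().getEncoded()) + "\n-----END PUBLIC KEY-----")
                                    .build())
                            .setProofOfPossession(ByteString.copyFrom(certificateRequest.getProofOfPossession()))
                            .build())
                    .build();
            // NOTE(review): no per-call deadline is set on the blocking stub here; confirm that
            // GrpcChannels applies the timeout from httpParams, otherwise this call can block.
            dev.sigstore.fulcio.v2.SigningCertificate response = stub.createSigningCertificate(request);
            // NOTE(review): this file imports dev.sigstore.fulcio.v2.SigningCertificate, while the
            // return type and newSigningCertificate(...) look like a client-package wrapper of the
            // same simple name -- probably a decompiler artifact; confirm against the real source.
            if (response.getCertificateCase() != SigningCertificate.CertificateCase.SIGNED_CERTIFICATE_DETACHED_SCT) {
                // Embedded-SCT response: requireSct is not consulted on this path.
                return SigningCertificate.newSigningCertificate(response.getSignedCertificateEmbeddedSct());
            }
            if (this.requireSct && response.getSignedCertificateDetachedSct().getSignedCertificateTimestamp().isEmpty()) {
                throw new CertificateException("no signed certificate timestamps were found in response from Fulcio");
            }
            try {
                return SigningCertificate.newSigningCertificate(response.getSignedCertificateDetachedSct());
            } catch (SerializationException e) {
                // Keep the parse failure as the cause so a malformed SCT can be diagnosed.
                throw new CertificateException("Could not parse detached SCT", e);
            }
        } finally {
            // Single shutdown point for every exit path, normal or exceptional.
            channel.shutdownNow().awaitTermination(5L, TimeUnit.SECONDS);
        }
    }
}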
