package dev.sigstore.fulcio.client;

import dev.sigstore.encryption.Keys;
import dev.sigstore.encryption.certificates.transparency.CTLogInfo;
import dev.sigstore.encryption.certificates.transparency.CTVerificationResult;
import dev.sigstore.encryption.certificates.transparency.CTVerifier;
import dev.sigstore.encryption.certificates.transparency.CertificateEntry;
import dev.sigstore.encryption.certificates.transparency.VerifiedSCT;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Set;

/* loaded from: input_file:dev/sigstore/fulcio/client/FulcioVerifier.class */
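/**
 * Verifies Fulcio-issued signing certificates.
 *
 * <p>Two independent checks are offered: {@link #verifyCertChain} validates the certificate path
 * against the configured Fulcio root with PKIX, and {@link #verifySct} checks the signed
 * certificate timestamp(s) (SCTs) against the single configured certificate-transparency log key.
 *
 * <p>Instances are immutable once built; use {@link #newFulcioVerifier} to create one.
 */
public class FulcioVerifier {
    /** SCT verifier bound to the configured CT log, or {@code null} if no log key was given. */
    private final CTVerifier ctVerifier;

    /** The Fulcio root certificate, used as the only PKIX trust anchor. */
    private final TrustAnchor fulcioRoot;

    /**
     * Creates a verifier from a Fulcio root certificate and an optional CT log public key.
     *
     * @param bArr the Fulcio root certificate, in an encoding accepted by the {@code "X.509"}
     *     {@link CertificateFactory} (DER or PEM)
     * @param bArr2 the CT log public key bytes to hand to {@link Keys#parsePublicKey}; may be
     *     {@code null}, in which case {@link #verifySct} always fails
     * @return a verifier bound to the given root and log key
     * @throws CertificateException if the root certificate cannot be parsed
     * @throws InvalidKeySpecException if the CT log key cannot be parsed
     * @throws NoSuchAlgorithmException if a required algorithm is unavailable
     * @throws IOException if the CT log key cannot be read
     * @throws InvalidAlgorithmParameterException if PKIX parameters cannot be built from the root
     */
    public static FulcioVerifier newFulcioVerifier(byte[] bArr, byte[] bArr2)
            throws InvalidKeySpecException, NoSuchAlgorithmException, CertificateException,
                    IOException, InvalidAlgorithmParameterException {
        PublicKey ctLogKey = bArr2 == null ? null : Keys.parsePublicKey(bArr2);
        X509Certificate rootCertificate =
                (X509Certificate)
                        CertificateFactory.getInstance("X.509")
                                .generateCertificate(new ByteArrayInputStream(bArr));
        TrustAnchor root = new TrustAnchor(rootCertificate, null);
        // Build the PKIX parameters once here so that a root the validator cannot accept is
        // reported at construction time; verifyCertChain relies on this and treats the same
        // exception there as an invariant violation.
        new PKIXParameters(Collections.singleton(root));
        return new FulcioVerifier(root, ctLogKey);
    }

    /**
     * @param root the trust anchor for {@link #verifyCertChain}
     * @param ctLogPublicKey the CT log key, or {@code null} to disable SCT verification
     */
    private FulcioVerifier(TrustAnchor root, PublicKey ctLogPublicKey) {
        this.fulcioRoot = root;
        if (ctLogPublicKey == null) {
            this.ctVerifier = null;
            return;
        }
        CTLogInfo ctLog = new CTLogInfo(ctLogPublicKey, "fulcio ct log", "unused-url");
        // The log lookup only resolves the configured log's id; every other id yields null, so
        // SCTs issued by any other log cannot be matched to a trusted key.
        this.ctVerifier =
                new CTVerifier(logId -> Arrays.equals(logId, ctLog.getID()) ? ctLog : null);
    }

    /**
     * Verifies the SCT(s) attached to a signing certificate against the configured CT log.
     *
     * <p>A detached SCT, when present, takes precedence and is the only SCT checked. Otherwise the
     * SCTs embedded in the certificate chain are verified and all of them must be valid.
     *
     * @param signingCertificate the certificate (chain) whose SCTs are checked
     * @throws FulcioVerificationException if no CT log key was configured, no SCT is present, a
     *     certificate cannot be encoded, or any SCT fails verification
     */
    public void verifySct(SigningCertificate signingCertificate) throws FulcioVerificationException {
        if (ctVerifier == null) {
            throw new FulcioVerificationException("No ct-log public key was provided to verifier");
        }
        if (signingCertificate.getDetachedSct().isPresent()) {
            verifyDetachedSct(signingCertificate);
            return;
        }
        if (!signingCertificate.hasEmbeddedSct()) {
            throw new FulcioVerificationException("No detached or embedded SCTs were found to verify");
        }
        verifyEmbeddedScts(signingCertificate);
    }

    /** Verifies the single detached SCT against the leaf certificate. */
    private void verifyDetachedSct(SigningCertificate signingCertificate)
            throws FulcioVerificationException {
        try {
            VerifiedSCT.Status status =
                    ctVerifier.verifySingleSCT(
                            signingCertificate.getDetachedSct().get(),
                            CertificateEntry.createForX509Certificate(
                                    signingCertificate.getLeafCertificate()));
            if (status != VerifiedSCT.Status.VALID) {
                throw new FulcioVerificationException(
                        "SCT could not be verified because " + status.toString());
            }
        } catch (CertificateEncodingException e) {
            throw new FulcioVerificationException("Leaf certificate could not be parsed", e);
        }
    }

    /** Verifies the SCTs embedded in the chain; at least one must be valid and none invalid. */
    private void verifyEmbeddedScts(SigningCertificate signingCertificate)
            throws FulcioVerificationException {
        CTVerificationResult result;
        try {
            result =
                    ctVerifier.verifySignedCertificateTimestamps(
                            signingCertificate.getCertificates(), null, null);
        } catch (CertificateEncodingException e) {
            // Keep the cause, as the detached-SCT path does; it was previously dropped here.
            throw new FulcioVerificationException(
                    "Certificates could not be parsed during sct verification", e);
        }
        int validCount = result.getValidSCTs().size();
        int invalidCount = result.getInvalidSCTs().size();
        // A single invalid SCT is a failure even when another SCT verified.
        if (validCount == 0 || invalidCount != 0) {
            throw new FulcioVerificationException(
                    "Expecting at least one valid sct, but found "
                            + validCount
                            + " valid and "
                            + invalidCount
                            + " invalid scts");
        }
    }

    /**
     * Validates the certificate path of a signing certificate against the Fulcio root using PKIX.
     *
     * <p>Revocation is not checked, and validation is performed as of the leaf certificate's
     * {@code notBefore} instant rather than "now", so a leaf whose validity window has already
     * ended still validates. Whether a signature was produced inside that window is not
     * established by this class.
     *
     * @param signingCertificate the certificate whose path is validated
     * @throws FulcioVerificationException if PKIX validation rejects the path
     * @throws RuntimeException if the JDK offers no PKIX validator or the stored root cannot be
     *     turned into PKIX parameters (both should have surfaced in {@link #newFulcioVerifier})
     */
    public void verifyCertChain(SigningCertificate signingCertificate)
            throws FulcioVerificationException {
        CertPathValidator validator;
        try {
            validator = CertPathValidator.getInstance("PKIX");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("No PKIX CertPathValidator, we probably shouldn't be here, but this seems to be a system library error not a program control flow issue", e);
        }
        PKIXParameters params;
        try {
            params = new PKIXParameters(Collections.singleton(fulcioRoot));
        } catch (InvalidAlgorithmParameterException e) {
            throw new RuntimeException("Can't create PKIX parameters for fulcioRoot. This should have been checked when generating a verifier instance", e);
        }
        // No CRL/OCSP lookups are performed anywhere in this class.
        params.setRevocationEnabled(false);
        // Pin the validation time to the leaf's notBefore (copied, since Date is mutable) so the
        // result does not depend on when verification runs.
        params.setDate(new Date(signingCertificate.getLeafCertificate().getNotBefore().getTime()));
        try {
            validator.validate(signingCertificate.getCertPath(), params);
        } catch (InvalidAlgorithmParameterException | CertPathValidatorException e) {
            throw new FulcioVerificationException(e);
        }
    }
}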
