package dev.sigstore.fulcio.client;

import com.google.api.client.util.PemReader;
import com.google.common.annotations.VisibleForTesting;
import com.google.gson.JsonParseException;
import com.google.protobuf.ByteString;
import dev.sigstore.encryption.certificates.transparency.DigitallySigned;
import dev.sigstore.encryption.certificates.transparency.SerializationException;
import dev.sigstore.encryption.certificates.transparency.SignedCertificateTimestamp;
import dev.sigstore.fulcio.v2.CertificateChain;
import dev.sigstore.fulcio.v2.SigningCertificateDetachedSCT;
import dev.sigstore.fulcio.v2.SigningCertificateEmbeddedSCT;
import dev.sigstore.json.GsonSupplier;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.Nullable;

/* loaded from: input_file:dev/sigstore/fulcio/client/SigningCertificate.class */
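/**
 * The certificate chain returned by Fulcio for a signing request, plus the detached Signed
 * Certificate Timestamp (SCT) when Fulcio supplied one.
 *
 * <p>This class only decodes what Fulcio returned. It performs no chain building, no signature
 * verification and no SCT verification; callers must do that separately before trusting the
 * certificate.
 *
 * <p>Instances are immutable once constructed.
 */
public class SigningCertificate {
    /** OID of the RFC 6962 embedded-SCT-list X.509 extension. */
    private static final String SCT_X509_OID = "1.3.6.1.4.1.11129.2.4.2";

    /** Algorithm name handed to {@link CertificateFactory#getInstance(String)}. */
    private static final String X509_FACTORY_TYPE = "X.509";

    /** Chain as returned by Fulcio; index 0 is the leaf (signing) certificate. */
    private final CertPath certPath;

    /** Detached SCT, or null when Fulcio returned none (e.g. the SCT is embedded in the leaf). */
    @Nullable
    private final SignedCertificateTimestamp sct;

    /**
     * Gson binding for the JSON form of a detached SCT.
     *
     * <p>Field names are the JSON keys that Gson binds by reflection, so they must not be renamed.
     * The class was package-private in the original source; the decompiler widened it to public.
     */
    public static class SctJson {
        private int sct_version;
        private byte[] id;
        private long timestamp;
        private byte[] extensions;
        private byte[] signature;

        // Instances are only ever created by Gson.
        private SctJson() {
        }

        /**
         * Converts the parsed JSON into a {@link SignedCertificateTimestamp}.
         *
         * <p>Only SCT version 0 (V1) without extensions is supported; the origin is recorded as
         * {@code OCSP_RESPONSE}. This is structural decoding only: the SCT signature is decoded
         * but not verified here.
         *
         * @return the decoded SCT
         * @throws JsonParseException if the version is not 0, a required field is absent, or the
         *     SCT carries extensions
         * @throws SerializationException if the signature blob cannot be decoded
         */
        public SignedCertificateTimestamp toSct() throws JsonParseException, SerializationException {
            if (this.sct_version != 0) {
                throw new JsonParseException("Invalid SCT version:" + this.sct_version + ", only 0 (V1) is allowed");
            }
            // Gson leaves absent fields null; report that as a parse error rather than an NPE.
            if (this.id == null || this.signature == null) {
                throw new JsonParseException("SCT is missing required fields (id, signature)");
            }
            // An absent extensions field is treated the same as an empty one.
            byte[] ext = this.extensions == null ? new byte[0] : this.extensions;
            if (ext.length != 0) {
                // The bytes are opaque; Base64 keeps the message lossless instead of decoding them
                // with the platform charset.
                throw new JsonParseException("SCT has extensions that cannot be handled by client:" + Base64.getEncoder().encodeToString(ext));
            }
            return new SignedCertificateTimestamp(
                    SignedCertificateTimestamp.Version.V1,
                    this.id,
                    this.timestamp,
                    ext,
                    DigitallySigned.decode(this.signature),
                    SignedCertificateTimestamp.Origin.OCSP_RESPONSE);
        }
    }

    /**
     * Wraps an already-decoded certificate path with no detached SCT.
     *
     * @param certPath chain with the signing certificate at index 0; must not be null
     * @return the wrapped certificate
     * @throws NullPointerException if {@code certPath} is null
     */
    public static SigningCertificate from(CertPath certPath) {
        return new SigningCertificate(Objects.requireNonNull(certPath, "certPath"));
    }

    /**
     * Builds a signing certificate from a PEM chain and an optional detached SCT.
     *
     * @param str PEM-encoded certificate chain, leaf first
     * @param str2 Base64 of the JSON SCT document, or null when no detached SCT was returned
     * @return the decoded signing certificate
     * @throws CertificateException if the chain cannot be parsed or is empty
     * @throws IOException if the PEM text cannot be read
     * @throws SerializationException if the SCT signature cannot be decoded
     */
    static SigningCertificate newSigningCertificate(String str, @Nullable String str2) throws CertificateException, IOException, SerializationException {
        CertPath certs = decodeCerts(str);
        if (str2 == null) {
            return new SigningCertificate(certs, null);
        }
        String sctJson = new String(Base64.getDecoder().decode(str2), StandardCharsets.UTF_8);
        return new SigningCertificate(certs, decodeSCT(sctJson));
    }

    /**
     * Builds a signing certificate from a Fulcio v2 detached-SCT response.
     *
     * <p>Package-private in the original source; the decompiler widened it to public.
     *
     * @param signingCertificateDetachedSCT the response message
     * @return the decoded signing certificate; the SCT is null when the response carried none
     * @throws CertificateException if the chain cannot be parsed or is empty
     * @throws SerializationException if the SCT signature cannot be decoded
     */
    public static SigningCertificate newSigningCertificate(SigningCertificateDetachedSCT signingCertificateDetachedSCT) throws CertificateException, SerializationException {
        ByteString rawSct = signingCertificateDetachedSCT.getSignedCertificateTimestamp();
        // The SCT is decoded before the chain, matching the order the response is consumed in.
        SignedCertificateTimestamp detachedSct = rawSct.isEmpty() ? null : decodeSCT(rawSct.toStringUtf8());
        return new SigningCertificate(decodeCerts(signingCertificateDetachedSCT.getChain()), detachedSct);
    }

    /**
     * Builds a signing certificate from a Fulcio v2 embedded-SCT response. The SCT, if any, lives
     * in the leaf certificate (see {@link #hasEmbeddedSct()}), so no detached SCT is stored.
     *
     * <p>Package-private in the original source; the decompiler widened it to public.
     *
     * @param signingCertificateEmbeddedSCT the response message
     * @return the decoded signing certificate
     * @throws CertificateException if the chain cannot be parsed or is empty
     */
    public static SigningCertificate newSigningCertificate(SigningCertificateEmbeddedSCT signingCertificateEmbeddedSCT) throws CertificateException {
        return new SigningCertificate(decodeCerts(signingCertificateEmbeddedSCT.getChain()));
    }

    /**
     * Decodes a protobuf certificate chain into a {@link CertPath}, preserving order.
     *
     * @param certificateChain chain from the Fulcio response
     * @return the parsed chain
     * @throws CertificateParsingException if the chain is empty
     * @throws CertificateException if any element cannot be parsed as an X.509 certificate
     */
    @VisibleForTesting
    static CertPath decodeCerts(CertificateChain certificateChain) throws CertificateException {
        if (certificateChain.getCertificatesCount() == 0) {
            throw new CertificateParsingException("no valid PEM certificates were found in response from Fulcio");
        }
        CertificateFactory factory = newX509Factory();
        List<X509Certificate> certs = new ArrayList<>(certificateChain.getCertificatesCount());
        for (ByteString encoded : certificateChain.mo24getCertificatesList().asByteStringList()) {
            certs.add(parseX509(factory, encoded.toByteArray()));
        }
        return factory.generateCertPath(certs);
    }

    /**
     * Decodes a PEM bundle into a {@link CertPath}, preserving order.
     *
     * <p>Every PEM section is handed to the X.509 factory regardless of its header; a section that
     * is not a certificate is expected to be rejected by the factory with a
     * {@link CertificateException}.
     *
     * @param str PEM text containing one or more certificates
     * @return the parsed chain
     * @throws CertificateParsingException if no PEM section was found
     * @throws CertificateException if a section cannot be parsed as an X.509 certificate
     * @throws IOException if the PEM text cannot be read
     */
    @VisibleForTesting
    static CertPath decodeCerts(String str) throws CertificateException, IOException {
        PemReader pemReader = new PemReader(new StringReader(str));
        CertificateFactory factory = newX509Factory();
        List<X509Certificate> certs = new ArrayList<>();
        for (PemReader.Section section = pemReader.readNextSection(); section != null; section = pemReader.readNextSection()) {
            certs.add(parseX509(factory, section.getBase64DecodedBytes()));
        }
        if (certs.isEmpty()) {
            throw new CertificateParsingException("no valid PEM certificates were found in response from Fulcio");
        }
        return factory.generateCertPath(certs);
    }

    /**
     * Parses a JSON SCT document.
     *
     * @param str the JSON text
     * @return the decoded SCT (not verified)
     * @throws JsonParseException if the document is empty or malformed
     * @throws SerializationException if the SCT signature cannot be decoded
     */
    @VisibleForTesting
    static SignedCertificateTimestamp decodeSCT(String str) throws SerializationException {
        SctJson parsed = GsonSupplier.GSON.get().fromJson(str, SctJson.class);
        // Gson yields null for an empty or literal-null document; surface that as a parse error.
        if (parsed == null) {
            throw new JsonParseException("SCT document is empty");
        }
        return parsed.toSct();
    }

    /**
     * Reports whether the leaf certificate carries the RFC 6962 embedded-SCT extension.
     *
     * <p>This is a presence check only; the extension contents are neither parsed nor verified
     * here. Package-private in the original source; the decompiler widened it to public.
     *
     * @return true if the leaf has the extension
     */
    public boolean hasEmbeddedSct() {
        return getLeafCertificate().getExtensionValue(SCT_X509_OID) != null;
    }

    private SigningCertificate(CertPath certPath, @Nullable SignedCertificateTimestamp signedCertificateTimestamp) {
        this.certPath = certPath;
        this.sct = signedCertificateTimestamp;
    }

    private SigningCertificate(CertPath certPath) {
        this(certPath, null);
    }

    /** @return the chain as returned by Fulcio, leaf first */
    public CertPath getCertPath() {
        return this.certPath;
    }

    /**
     * Returns the chain's certificates, leaf first.
     *
     * @return the certificates of {@link #getCertPath()}
     */
    @SuppressWarnings("unchecked")
    public List<X509Certificate> getCertificates() {
        // Safe: the path is always built by an "X.509" CertificateFactory, whose certificates are
        // X509Certificate instances.
        return (List<X509Certificate>) this.certPath.getCertificates();
    }

    /**
     * Returns the signing (leaf) certificate, i.e. the first element of the chain.
     *
     * @return the leaf certificate
     * @throws IndexOutOfBoundsException if the path is empty (only possible via {@link #from})
     */
    public X509Certificate getLeafCertificate() {
        return getCertificates().get(0);
    }

    /**
     * Returns the detached SCT, if Fulcio supplied one.
     *
     * <p>Package-private in the original source; the decompiler widened it to public.
     *
     * @return the detached SCT, or empty when none was returned
     */
    public Optional<SignedCertificateTimestamp> getDetachedSct() {
        return Optional.ofNullable(this.sct);
    }

    /** Creates the X.509 certificate factory shared by both decodeCerts overloads. */
    private static CertificateFactory newX509Factory() throws CertificateException {
        return CertificateFactory.getInstance(X509_FACTORY_TYPE);
    }

    /** Parses one encoded certificate; the "X.509" factory yields X509Certificate instances. */
    private static X509Certificate parseX509(CertificateFactory factory, byte[] encoded) throws CertificateException {
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encoded));
    }
}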
