package dev.sigstore.encryption.certificates.transparency;

import java.io.IOException;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Objects;
import java.util.stream.Stream;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.TBSCertificate;
import org.bouncycastle.asn1.x509.V3TBSCertificateGenerator;

/* loaded from: input_file:dev/sigstore/encryption/certificates/transparency/CertificateEntry.class */
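/**
 * Immutable value holding the certificate part of a Certificate Transparency log entry: either a
 * complete X.509 certificate, or the TBSCertificate of a precertificate together with the SHA-256
 * hash of the issuer's public key.
 *
 * <p>This is the data an SCT signature is checked against, so the byte arrays are copied on the way
 * in and on the way out. A caller holding a reference to an array it passed in (or received from a
 * getter) cannot alter the entry after it has been built or verified.
 *
 * <p>Instances are created through the static factories; the constructor enforces that an issuer
 * key hash is present for precertificate entries and absent for X.509 entries.
 */
public class CertificateEntry {
    /** Length in bytes of a SHA-256 digest, the only size accepted for an issuer key hash. */
    private static final int ISSUER_KEY_HASH_LENGTH = 32;

    private final LogEntryType entryType;
    private final byte[] issuerKeyHash;
    private final byte[] certificate;

    /**
     * Kind of log entry.
     *
     * <p>{@link #encode(OutputStream)} writes {@code ordinal()} to the wire, so the declaration
     * order is part of the serialized format (X509_ENTRY = 0, PRECERT_ENTRY = 1, the values RFC 6962
     * assigns to {@code x509_entry} and {@code precert_entry}). Do not reorder or insert constants.
     */
    public enum LogEntryType {
        X509_ENTRY,
        PRECERT_ENTRY
    }

    /**
     * @param entryType kind of entry
     * @param certificate encoded certificate (X.509 entry) or encoded TBSCertificate (precert entry)
     * @param issuerKeyHash 32-byte issuer key hash; required for precert entries, forbidden otherwise
     * @throws IllegalArgumentException if the issuer key hash does not match the entry type or is
     *     not exactly 32 bytes long
     */
    private CertificateEntry(LogEntryType entryType, byte[] certificate, byte[] issuerKeyHash) {
        if (entryType == LogEntryType.PRECERT_ENTRY && issuerKeyHash == null) {
            throw new IllegalArgumentException("issuerKeyHash missing for precert entry.");
        }
        if (entryType == LogEntryType.X509_ENTRY && issuerKeyHash != null) {
            throw new IllegalArgumentException("unexpected issuerKeyHash for X509 entry.");
        }
        if (issuerKeyHash != null && issuerKeyHash.length != ISSUER_KEY_HASH_LENGTH) {
            throw new IllegalArgumentException("issuerKeyHash must be 32 bytes long");
        }
        this.entryType = entryType;
        // Defensive copies: the caller keeps its own arrays and cannot mutate this entry later.
        this.issuerKeyHash = copyOrNull(issuerKeyHash);
        // NOTE(review): a null certificate is still accepted here, as before; whether encode()
        // tolerates it depends on Serialization.writeVariableBytes, which is not visible here.
        this.certificate = copyOrNull(certificate);
    }

    /**
     * Creates a precertificate entry from already-prepared parts.
     *
     * @param tbsCertificate encoded TBSCertificate with the CT-specific extensions removed
     * @param issuerKeyHash 32-byte hash of the issuer's public key
     * @throws IllegalArgumentException if {@code issuerKeyHash} is null or not 32 bytes long
     */
    public static CertificateEntry createForPrecertificate(byte[] tbsCertificate, byte[] issuerKeyHash) {
        return new CertificateEntry(LogEntryType.PRECERT_ENTRY, tbsCertificate, issuerKeyHash);
    }

    /**
     * Rebuilds the precertificate entry that corresponds to a final certificate carrying embedded
     * SCTs: the leaf's TBSCertificate is regenerated without the embedded SCT list and poison
     * extensions, and the issuer key hash is the SHA-256 digest of the issuer's encoded public key.
     *
     * <p>This method does not check that {@code issuer} actually signed {@code leafCertificate};
     * the caller must have validated the chain before relying on the resulting entry.
     *
     * <p>NOTE(review): the issuer name and remaining extensions are copied unchanged. RFC 6962
     * describes additional rewriting when a dedicated precertificate signing certificate was used;
     * confirm whether that case needs to be supported by callers of this class.
     *
     * @param leafCertificate certificate that contains the embedded SCT list extension
     * @param issuer certificate whose public key issued {@code leafCertificate}
     * @throws CertificateException if the leaf has no embedded SCT list (including the case where
     *     it has no extensions at all) or the rebuilt TBSCertificate cannot be encoded
     * @throws NullPointerException if either argument is null
     */
    public static CertificateEntry createForPrecertificate(X509Certificate leafCertificate, X509Certificate issuer) throws CertificateException {
        Objects.requireNonNull(leafCertificate, "leafCertificate");
        Objects.requireNonNull(issuer, "issuer");
        if (!hasEmbeddedSctList(leafCertificate)) {
            throw new CertificateException("Certificate does not contain embedded signed timestamps");
        }
        try {
            TBSCertificate original = Certificate.getInstance(leafCertificate.getEncoded()).getTBSCertificate();
            Extensions originalExtensions = original.getExtensions();
            if (originalExtensions == null) {
                // Cannot normally happen after the SCT check above, but keeps a malformed input
                // on the CertificateException path instead of a NullPointerException.
                throw new CertificateException("Certificate does not contain embedded signed timestamps");
            }

            // Keep every extension, in its original order, except the two CT-specific ones.
            Extension[] kept = Arrays.stream(originalExtensions.getExtensionOIDs())
                    .filter(oid -> !oid.getId().equals(CTConstants.X509_SCT_LIST_OID))
                    .filter(oid -> !oid.getId().equals(CTConstants.POISON_EXTENSION_OID))
                    .map(originalExtensions::getExtension)
                    .toArray(Extension[]::new);

            V3TBSCertificateGenerator generator = new V3TBSCertificateGenerator();
            generator.setSerialNumber(original.getSerialNumber());
            generator.setSignature(original.getSignature());
            generator.setIssuer(original.getIssuer());
            generator.setStartDate(original.getStartDate());
            generator.setEndDate(original.getEndDate());
            generator.setSubject(original.getSubject());
            generator.setSubjectPublicKeyInfo(original.getSubjectPublicKeyInfo());
            generator.setIssuerUniqueID(original.getIssuerUniqueId());
            generator.setSubjectUniqueID(original.getSubjectUniqueId());
            generator.setExtensions(new Extensions(kept));
            TBSCertificate stripped = generator.generateTBSCertificate();

            // presumably getEncoded() yields the DER SubjectPublicKeyInfo for standard JCA keys;
            // verify for any custom PublicKey implementation in use.
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] issuerKeyHash = sha256.digest(issuer.getPublicKey().getEncoded());
            return createForPrecertificate(stripped.getEncoded(), issuerKeyHash);
        } catch (IOException e) {
            throw new CertificateException("Could not create precertificate", e);
        } catch (NoSuchAlgorithmException e) {
            // Every Java platform is required to provide SHA-256, so this indicates a broken runtime.
            throw new IllegalStateException("SHA-256 message digest is not available", e);
        }
    }

    /**
     * Creates an X.509 entry from an encoded certificate.
     *
     * @param encodedCertificate encoded certificate bytes
     */
    public static CertificateEntry createForX509Certificate(byte[] encodedCertificate) {
        return new CertificateEntry(LogEntryType.X509_ENTRY, encodedCertificate, null);
    }

    /**
     * Creates an X.509 entry from a parsed certificate.
     *
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    public static CertificateEntry createForX509Certificate(X509Certificate x509Certificate) throws CertificateEncodingException {
        return createForX509Certificate(x509Certificate.getEncoded());
    }

    /** Returns the kind of entry. */
    public LogEntryType getEntryType() {
        return this.entryType;
    }

    /** Returns a copy of the encoded certificate or TBSCertificate; changes to it do not affect this entry. */
    public byte[] getCertificate() {
        return copyOrNull(this.certificate);
    }

    /** Returns a copy of the issuer key hash, or {@code null} for an X.509 entry. */
    public byte[] getIssuerKeyHash() {
        return copyOrNull(this.issuerKeyHash);
    }

    /**
     * Writes this entry to {@code outputStream}: the entry type, then the issuer key hash for
     * precertificate entries only, then the certificate bytes.
     *
     * @throws SerializationException if one of the Serialization writers fails
     */
    public void encode(OutputStream outputStream) throws SerializationException {
        // The ordinal is the wire value; see LogEntryType. The trailing 2 is presumably the field
        // width in bytes (confirm against Serialization.writeNumber).
        Serialization.writeNumber(outputStream, this.entryType.ordinal(), 2);
        if (this.entryType == LogEntryType.PRECERT_ENTRY) {
            Serialization.writeFixedBytes(outputStream, this.issuerKeyHash);
        }
        // The trailing 3 is presumably the size of the length prefix in bytes (confirm against
        // Serialization.writeVariableBytes).
        Serialization.writeVariableBytes(outputStream, this.certificate, 3);
    }

    /**
     * Reports whether the certificate lists the embedded SCT extension among its non-critical
     * extensions. getNonCriticalExtensionOIDs() returns null when the certificate has no
     * extensions, which is treated as "no embedded SCTs" rather than dereferenced.
     */
    private static boolean hasEmbeddedSctList(X509Certificate certificate) {
        java.util.Set<String> nonCriticalOids = certificate.getNonCriticalExtensionOIDs();
        return nonCriticalOids != null && nonCriticalOids.contains(CTConstants.X509_SCT_LIST_OID);
    }

    /** Null-tolerant array copy used for the defensive copies. */
    private static byte[] copyOrNull(byte[] bytes) {
        return bytes == null ? null : bytes.clone();
    }
}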
