package dev.sigstore.tuf;

import com.google.common.annotations.VisibleForTesting;
import dev.sigstore.encryption.Keys;
import dev.sigstore.encryption.signers.Verifiers;
import dev.sigstore.json.GsonSupplier;
import dev.sigstore.tuf.model.Key;
import dev.sigstore.tuf.model.Role;
import dev.sigstore.tuf.model.Root;
import dev.sigstore.tuf.model.RootRole;
import dev.sigstore.tuf.model.Signature;
import dev.sigstore.tuf.model.SignedTufMeta;
import dev.sigstore.tuf.model.Snapshot;
import dev.sigstore.tuf.model.Targets;
import dev.sigstore.tuf.model.Timestamp;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.spec.InvalidKeySpecException;
import java.time.Clock;
import java.time.ZonedDateTime;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: input_file:dev/sigstore/tuf/Updater.class */
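/**
 * Client-side TUF update cycle against a sigstore mirror.
 *
 * <p>{@link #update()} runs the stages in spec order: root chain, timestamp, snapshot, targets.
 * Every document fetched from the mirror is untrusted until it has been verified to threshold
 * against the keys of the currently trusted root, and nothing is written to {@link TufLocalStore}
 * before that verification (plus the version and expiry checks) has passed.
 *
 * <p>Snapshot and targets handling is not implemented in this revision: {@link #updateSnapshot}
 * and {@link #updateTargets} return {@code null}.
 */
public class Updater {
    /**
     * Upper bound on consecutive root versions walked in one cycle, so a hostile mirror cannot
     * keep the client fetching "next root" documents indefinitely.
     */
    private static final int MAX_UPDATES = 1024;

    private final Clock clock;
    private final Verifiers.Supplier verifiers;
    private final MetaFetcher fetcher;
    private final Path trustedRootPath;
    private final TufLocalStore localStore;
    /**
     * TUF "fixed update start time": captured once at the start of {@link #updateRoot()} and used
     * by every expiry check in the cycle, so a slow cycle cannot be exploited by racing the clock.
     */
    private ZonedDateTime updateStartTime;

    /** Fluent construction of an {@link Updater}; defaults to the system UTC clock and the standard verifier factory. */
    public static class Builder {
        private Clock clock = Clock.systemUTC();
        private Verifiers.Supplier verifiers = Verifiers::newVerifier;
        private MetaFetcher fetcher;
        private Path trustedRootPath;
        private TufLocalStore localStore;

        /** Clock that fixes the update start time; inject a fixed clock in tests. */
        public Builder setClock(Clock clock) {
            this.clock = clock;
            return this;
        }

        /** Factory for the signature verifiers used in {@link Updater#verifyDelegate}. */
        public Builder setVerifiers(Verifiers.Supplier supplier) {
            this.verifiers = supplier;
            return this;
        }

        /** Store that receives verified roots and lower-level metadata. */
        public Builder setLocalStore(TufLocalStore tufLocalStore) {
            this.localStore = tufLocalStore;
            return this;
        }

        /** Path of the pinned (out-of-band trusted) root.json that every update cycle starts from. */
        public Builder setTrustedRootPath(Path path) {
            this.trustedRootPath = path;
            return this;
        }

        /** Source of mirror metadata. */
        public Builder setFetcher(MetaFetcher metaFetcher) {
            this.fetcher = metaFetcher;
            return this;
        }

        /**
         * Builds the updater. No argument validation happens here: a missing fetcher, root path or
         * store surfaces as a NullPointerException during {@link Updater#update()}.
         */
        public Updater build() {
            return new Updater(this.clock, this.verifiers, this.fetcher, this.trustedRootPath, this.localStore);
        }
    }

    /** Package-private; use {@link #builder()}. */
    Updater(Clock clock, Verifiers.Supplier supplier, MetaFetcher metaFetcher, Path path, TufLocalStore tufLocalStore) {
        this.clock = clock;
        this.verifiers = supplier;
        this.fetcher = metaFetcher;
        this.trustedRootPath = path;
        this.localStore = tufLocalStore;
    }

    public static Builder builder() {
        return new Builder();
    }

    /**
     * Runs one full update cycle: root chain, then timestamp, snapshot and targets, each verified
     * against the root produced by the first stage.
     *
     * @throws IOException if the pinned root cannot be read or the mirror cannot be reached
     */
    public void update() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
        Root trustedRoot = updateRoot();
        Timestamp timestamp = updateTimestamp(trustedRoot);
        Snapshot snapshot = updateSnapshot(trustedRoot, timestamp);
        updateTargets(trustedRoot, snapshot);
    }

    /**
     * Walks the root chain (TUF spec 5.3). Starting from the pinned root at {@code trustedRootPath}
     * with version N, fetches N+1, N+2, ... until the mirror has no more. Each candidate must be
     * signed to threshold by the previous root AND by itself, and must carry exactly the requested
     * version number; each accepted root is persisted before the next is fetched. Only the final
     * root is checked for expiry. If the snapshot or timestamp key set changed along the way, the
     * cached lower-level metadata is discarded.
     *
     * @return the newest verified root, which is the trust anchor for the rest of the cycle
     * @throws RoleVersionException if a fetched root's declared version is not the one requested
     * @throws SignatureVerificationException if a candidate root fails either threshold check
     * @throws RoleExpiredException if the final root is not valid at the update start time
     * @throws IllegalArgumentException if a fetched document's {@code _type} is not the root role
     */
    Root updateRoot() throws IOException, RoleExpiredException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, MetaFileExceedsMaxException, RoleVersionException, SignatureVerificationException {
        this.updateStartTime = ZonedDateTime.now(this.clock);
        // NOTE(review): the chain always restarts from the pinned root file and never from a root
        // previously persisted via localStore.storeTrustedRoot. If the store can hand that root
        // back, starting from it would stop a mirror from quietly withholding newer root versions
        // on later runs (rollback to an older-but-unexpired root) — confirm this is intended.
        Root trusted = GsonSupplier.GSON.get().fromJson(Files.readString(this.trustedRootPath), Root.class);
        int trustedVersion = trusted.getSignedMeta2().getVersion();
        RootRole oldSnapshotRole = trusted.getSignedMeta2().mo529getRoles().get("snapshot");
        RootRole oldTimestampRole = trusted.getSignedMeta2().mo529getRoles().get("timestamp");

        for (int next = trustedVersion + 1; next < trustedVersion + MAX_UPDATES; next++) {
            Optional<MetaFetchResult<Root>> fetched = this.fetcher.getRootAtVersion(next);
            if (fetched.isEmpty()) {
                break; // mirror has nothing newer: the current root is the latest
            }
            Root candidate = fetched.get().getMetaResource();
            // A document served as root.json must not be able to choose, via its own _type field,
            // which role's keys it is verified against.
            requireType(candidate, Role.Name.ROOT);
            // 5.3.4 / 5.3.5: threshold of the currently trusted root, then of the candidate itself.
            verifyDelegate(trusted, candidate);
            verifyDelegate(candidate, candidate);
            // 5.3.6: must be exactly N+1 — anything else is a rollback or a skipped version.
            int declaredVersion = candidate.getSignedMeta2().getVersion();
            if (declaredVersion != next) {
                throw new RoleVersionException(next, declaredVersion);
            }
            trusted = candidate;
            this.localStore.storeTrustedRoot(trusted); // 5.3.7: persist before fetching the next one
        }

        // 5.3.10: only the final root is subject to the expiry check; intermediate roots in the
        // chain may legitimately have expired by now.
        throwIfExpired(trusted.getSignedMeta2().getExpiresAsDate());

        // 5.3.11: a rotation of the snapshot or timestamp keys invalidates the cached timestamp and
        // snapshot metadata (recovery from fast-forward attacks after a repository compromise).
        if (hasNewKeys(oldSnapshotRole, trusted.getSignedMeta2().getRole(Role.Name.SNAPSHOT))
                || hasNewKeys(oldTimestampRole, trusted.getSignedMeta2().getRole(Role.Name.TIMESTAMP))) {
            this.localStore.clearMetaDueToKeyRotation();
        }
        return trusted;
    }

    /**
     * Freeze-attack check. Metadata is usable only while its expiry is strictly after the fixed
     * update start time (the spec requires the expiration to be "higher than" the start time), so
     * an expiry equal to the start time counts as expired.
     *
     * @throws IllegalStateException if called before {@link #updateRoot()} fixed the start time
     * @throws RoleExpiredException if {@code expires} is not after the update start time
     */
    private void throwIfExpired(ZonedDateTime expires) {
        if (this.updateStartTime == null) {
            throw new IllegalStateException("updateRoot() must run first to fix the update start time");
        }
        if (!expires.isAfter(this.updateStartTime)) {
            throw new RoleExpiredException(this.fetcher.getSource(), this.updateStartTime, expires);
        }
    }

    /**
     * True when {@code newRole} is authorized for at least one keyid that {@code oldRole} was not,
     * i.e. the role's keys were rotated. (The previous {@code allMatch(contains)} form answered the
     * opposite question — "no new keys" — so cached metadata was cleared on every unchanged run and
     * kept after a real rotation.)
     */
    private boolean hasNewKeys(RootRole oldRole, RootRole newRole) {
        var knownKeyids = oldRole.mo523getKeyids();
        return newRole.mo523getKeyids().stream().anyMatch(keyid -> !knownKeyids.contains(keyid));
    }

    /** Role name declared by the document's own {@code _type} field (e.g. "timestamp" -> TIMESTAMP). */
    private static Role.Name declaredRole(SignedTufMeta meta) {
        // Locale.ROOT: the default locale's casing rules (e.g. Turkish dotted/dotless i) must not
        // affect how a protocol constant is mapped onto the enum.
        return Role.Name.valueOf(meta.getSignedMeta2().getType().toUpperCase(Locale.ROOT));
    }

    /**
     * Rejects metadata whose declared {@code _type} is not the role the caller fetched, so that a
     * validly signed document of one role (a public root.json, say) cannot be served under another
     * role's file name and pass verification against that role's keys.
     *
     * @throws IllegalArgumentException on a mismatch or an unknown type (the same unchecked failure
     *     {@code Role.Name.valueOf} already produces for an unrecognised {@code _type})
     */
    private static void requireType(SignedTufMeta meta, Role.Name expected) {
        Role.Name declared = declaredRole(meta);
        if (declared != expected) {
            throw new IllegalArgumentException("expected " + expected + " metadata but _type declares " + declared);
        }
    }

    /**
     * Verifies {@code meta} against the role in {@code root} named by the metadata's own
     * {@code _type}. Because the role comes from the untrusted document, callers that know which
     * role they fetched should call {@link #requireType} first.
     */
    void verifyDelegate(Root root, SignedTufMeta meta) throws SignatureVerificationException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
        Role role = root.getSignedMeta2().getRole(declaredRole(meta));
        verifyDelegate(meta.mo528getSignatures(), root.getSignedMeta2().mo530getKeys(), role, meta.getCanonicalSignedBytes());
    }

    /**
     * Counts valid signatures over {@code verificationMaterial} from keys authorized for
     * {@code role} and requires at least {@code role.getThreshold()} of them.
     *
     * <p>Iteration is over the role's keyids, not over the supplied signatures: a signature whose
     * keyid is not authorized for the role never counts, a keyid the root does not define is
     * skipped, and the set makes several signatures for one key count at most once.
     *
     * @param signatures signatures carried by the metadata (untrusted)
     * @param publicKeys keyid -> key map from the trusted root
     * @param role role whose keyids and threshold apply
     * @param verificationMaterial canonical bytes that were signed
     * @throws SignatureVerificationException if fewer than the threshold verify
     * @throws TufException (unchecked) if a verifier rejects a signature's encoding — this aborts
     *     the update rather than merely discounting that signature (fail closed)
     */
    @VisibleForTesting
    void verifyDelegate(List<Signature> signatures, Map<String, Key> publicKeys, Role role, byte[] verificationMaterial) throws SignatureVerificationException, NoSuchAlgorithmException, InvalidKeyException, InvalidKeySpecException {
        var roleKeyids = role.mo523getKeyids();
        HashSet<String> goodKeyids = new HashSet<>((roleKeyids.size() * 4) / 3);
        for (String keyid : roleKeyids) {
            Optional<Signature> candidate = signatures.stream()
                    .filter(signature -> keyid.equals(signature.getKeyId()))
                    .findFirst();
            if (candidate.isEmpty()) {
                continue; // no signature offered for this authorized key
            }
            Key key = publicKeys.get(keyid);
            if (key == null) {
                continue; // role references a keyid the root does not define; it cannot count
            }
            PublicKey publicKey = Keys.constructTufPublicKey(Hex.decode(key.mo526getKeyVal().get("public")), key.getScheme());
            // Hex.decode of mirror-supplied data may throw an unchecked DecoderException on malformed
            // input; that also aborts the update rather than silently not counting the signature.
            byte[] signatureBytes = Hex.decode(candidate.get().getSignature());
            try {
                if (this.verifiers.newVerifier(publicKey).verify(verificationMaterial, signatureBytes)) {
                    goodKeyids.add(keyid);
                }
            } catch (SignatureException e) {
                throw new TufException(e);
            }
        }
        if (goodKeyids.size() < role.getThreshold()) {
            throw new SignatureVerificationException(role.getThreshold(), goodKeyids.size());
        }
    }

    /**
     * Fetches and verifies timestamp.json (TUF spec 5.4): declared type must be the timestamp role,
     * signatures must meet the root's timestamp threshold, the version must be newer than the
     * locally stored one, and it must not be expired at the update start time. Only then is it
     * persisted.
     *
     * <p>NOTE(review): spec 5.4.3.2 says a fetched version EQUAL to the stored one means "already
     * current"; here it is rejected with {@link RoleVersionException}, so a second run inside one
     * timestamp period fails. Harmless for security, but confirm this is intended.
     *
     * @throws MetaNotFoundException if the mirror has no timestamp.json
     * @throws RoleVersionException if the fetched version does not exceed the stored version
     */
    Timestamp updateTimestamp(Root root) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, MetaNotFoundException, SignatureVerificationException {
        Timestamp fetched = (Timestamp) ((MetaFetchResult) this.fetcher.getMeta(Role.Name.TIMESTAMP, Timestamp.class).orElseThrow(() -> {
            return new MetaNotFoundException("could not find timestamp.json on mirror.");
        })).getMetaResource();
        requireType(fetched, Role.Name.TIMESTAMP);
        verifyDelegate(root, fetched);
        Optional<Timestamp> stored = this.localStore.loadTimestamp();
        if (stored.isPresent()) {
            int storedVersion = stored.get().getSignedMeta2().getVersion();
            int fetchedVersion = fetched.getSignedMeta2().getVersion();
            // 5.4.3.1 rollback check; the exception reports the version we would have accepted.
            if (storedVersion >= fetchedVersion) {
                throw new RoleVersionException(storedVersion + 1, fetchedVersion);
            }
        }
        throwIfExpired(fetched.getSignedMeta2().getExpiresAsDate());
        this.localStore.storeMeta(fetched);
        return fetched;
    }

    /** Not implemented in this revision; returns {@code null}. */
    Snapshot updateSnapshot(Root root, Timestamp timestamp) {
        return null;
    }

    /** Not implemented in this revision; returns {@code null}. */
    Targets updateTargets(Root root, Snapshot snapshot) {
        return null;
    }

    @VisibleForTesting
    TufLocalStore getLocalStore() {
        return this.localStore;
    }
}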
