package dev.sigstore;

import com.google.api.client.util.Preconditions;
import dev.sigstore.VerificationMaterial;
import dev.sigstore.encryption.certificates.Certificates;
import dev.sigstore.encryption.signers.Verifiers;
import dev.sigstore.fulcio.client.FulcioVerificationException;
import dev.sigstore.fulcio.client.FulcioVerifier;
import dev.sigstore.fulcio.client.SigningCertificate;
import dev.sigstore.rekor.client.HashedRekordRequest;
import dev.sigstore.rekor.client.RekorClient;
import dev.sigstore.rekor.client.RekorEntry;
import dev.sigstore.rekor.client.RekorVerificationException;
import dev.sigstore.rekor.client.RekorVerifier;
import java.io.IOException;
import java.net.URI;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.sql.Date;
import java.time.Instant;
import java.util.Optional;

/* loaded from: input_file:dev/sigstore/KeylessVerifier.class */
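/**
 * Verifies a Sigstore "keyless" signature: a Fulcio-issued certificate chain, the artifact
 * signature made with the leaf certificate's key, and the matching Rekor transparency-log entry.
 *
 * <p>Instances hold only verifiers and a Rekor client and are safe to reuse across
 * verifications. Obtain one through {@link #builder()}; {@link Builder#sigstorePublicDefaults()}
 * and {@link Builder#sigstoreStagingDefaults()} load the bundled trust material.
 */
public class KeylessVerifier {
    private final FulcioVerifier fulcioVerifier;
    private final RekorVerifier rekorVerifier;
    private final RekorClient rekorClient;

    /** Assembles a {@link KeylessVerifier} from its Fulcio and Rekor components. */
    public static class Builder {
        private FulcioVerifier fulcioVerifier;
        private RekorClient rekorClient;
        private RekorVerifier rekorVerifier;

        /**
         * Sets the verifier used for the Fulcio certificate chain and its SCT.
         *
         * @param fulcioVerifier verifier whose {@code verifyCertChain} and {@code verifySct} are
         *     applied to every signing certificate
         * @return this builder
         */
        public Builder fulcioVerifier(FulcioVerifier fulcioVerifier) {
            this.fulcioVerifier = fulcioVerifier;
            return this;
        }

        /**
         * Sets the Rekor client used to look up log entries together with the verifier applied to
         * the entries it returns. They are set as a pair so the entry verifier always belongs to
         * the log being queried.
         *
         * @param rekorClient client for the Rekor transparency log
         * @param rekorVerifier verifier for entries and inclusion proofs from that log
         * @return this builder
         */
        public Builder rekorClient(RekorClient rekorClient, RekorVerifier rekorVerifier) {
            this.rekorClient = rekorClient;
            this.rekorVerifier = rekorVerifier;
            return this;
        }

        /**
         * Builds the verifier.
         *
         * @return a new {@link KeylessVerifier}
         * @throws NullPointerException if any component has not been set; the message names the
         *     missing one
         */
        public KeylessVerifier build() {
            Preconditions.checkNotNull(this.fulcioVerifier, "fulcioVerifier");
            Preconditions.checkNotNull(this.rekorVerifier, "rekorVerifier");
            Preconditions.checkNotNull(this.rekorClient, "rekorClient");
            return new KeylessVerifier(this.fulcioVerifier, this.rekorClient, this.rekorVerifier);
        }

        /**
         * Configures the production Sigstore trust material (Fulcio certificate, CTFE public keys,
         * Rekor public key) and a Rekor client pointed at its default server.
         *
         * @return this builder
         * @throws IOException if the bundled material cannot be read
         * @throws InvalidAlgorithmParameterException if the verifiers cannot be initialised
         * @throws CertificateException if the bundled Fulcio certificate cannot be parsed
         * @throws InvalidKeySpecException if a bundled public key cannot be parsed
         * @throws NoSuchAlgorithmException if a required algorithm is unavailable
         */
        public Builder sigstorePublicDefaults()
                throws IOException, InvalidAlgorithmParameterException, CertificateException,
                        InvalidKeySpecException, NoSuchAlgorithmException {
            fulcioVerifier(FulcioVerifier.newFulcioVerifier(
                    VerificationMaterial.Production.fulioCert(),
                    VerificationMaterial.Production.ctfePublicKeys()));
            rekorClient(
                    RekorClient.builder().build(),
                    RekorVerifier.newRekorVerifier(VerificationMaterial.Production.rekorPublicKey()));
            return this;
        }

        /**
         * Configures the staging Sigstore trust material and a Rekor client pointed at
         * {@link RekorClient#STAGING_REKOR_SERVER}. Staging material must not be trusted for
         * production artifacts; use it only against artifacts signed with the staging instance.
         *
         * @return this builder
         * @throws IOException if the bundled material cannot be read
         * @throws InvalidAlgorithmParameterException if the verifiers cannot be initialised
         * @throws CertificateException if the bundled Fulcio certificate cannot be parsed
         * @throws InvalidKeySpecException if a bundled public key cannot be parsed
         * @throws NoSuchAlgorithmException if a required algorithm is unavailable
         */
        public Builder sigstoreStagingDefaults()
                throws IOException, InvalidAlgorithmParameterException, CertificateException,
                        InvalidKeySpecException, NoSuchAlgorithmException {
            fulcioVerifier(FulcioVerifier.newFulcioVerifier(
                    VerificationMaterial.Staging.fulioCert(),
                    VerificationMaterial.Staging.ctfePublicKeys()));
            rekorClient(
                    RekorClient.builder()
                            .setServerUrl(URI.create(RekorClient.STAGING_REKOR_SERVER))
                            .build(),
                    RekorVerifier.newRekorVerifier(VerificationMaterial.Staging.rekorPublicKey()));
            return this;
        }
    }

    private KeylessVerifier(FulcioVerifier fulcioVerifier, RekorClient rekorClient, RekorVerifier rekorVerifier) {
        this.fulcioVerifier = fulcioVerifier;
        this.rekorClient = rekorClient;
        this.rekorVerifier = rekorVerifier;
    }

    /**
     * Starts building a verifier.
     *
     * @return a new, empty {@link Builder}
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Verifies an artifact signature against a Fulcio certificate chain and the Rekor log.
     * "Online" because it looks the entry up in Rekor over the network.
     *
     * <p>The checks run in this order; the first failure aborts verification:
     * <ol>
     *   <li>parse the PEM certificate chain;
     *   <li>verify the chain with the Fulcio verifier, then its SCT;
     *   <li>look up the hashed-rekord entry for (digest, leaf certificate, signature) in Rekor
     *       and require that it exists;
     *   <li>verify the entry's signature and its inclusion proof;
     *   <li>check that the leaf certificate was valid at the entry's integrated time rather than
     *       now, so a certificate that has since expired still verifies as long as the log
     *       recorded the signature while it was valid;
     *   <li>verify the artifact signature with the leaf certificate's public key.
     * </ol>
     *
     * <p>This method does not check who the leaf certificate was issued to (its subject
     * alternative name or issuer extension). A caller that needs to bind the artifact to a
     * specific signer must inspect the certificate identity separately.
     *
     * @param artifactDigest digest of the artifact that was signed
     * @param certificateChain PEM-encoded certificate chain issued by Fulcio
     * @param signature signature over {@code artifactDigest}
     * @throws KeylessVerificationException if any check fails; the message says which one and
     *     the underlying exception, where there is one, is attached as the cause
     * @throws IOException if the Rekor lookup or PEM handling fails
     */
    public void verifyOnline(byte[] artifactDigest, byte[] certificateChain, byte[] signature)
            throws KeylessVerificationException, IOException {
        SigningCertificate signingCert;
        try {
            signingCert = SigningCertificate.from(Certificates.fromPemChain(certificateChain));
        } catch (CertificateException ce) {
            throw new KeylessVerificationException("Certificate was not valid: " + ce.getMessage(), ce);
        }
        X509Certificate leafCert = signingCert.getLeafCertificate();

        // The chain is verified before anything in it is relied on.
        try {
            this.fulcioVerifier.verifyCertChain(signingCert);
        } catch (FulcioVerificationException fve) {
            throw new KeylessVerificationException("Fulcio certificate was not valid: " + fve.getMessage(), fve);
        }
        try {
            this.fulcioVerifier.verifySct(signingCert);
        } catch (FulcioVerificationException fve) {
            throw new KeylessVerificationException("Fulcio certificate SCT was not valid: " + fve.getMessage(), fve);
        }

        // The entry is looked up by digest, leaf certificate and signature together, so a hit
        // already ties the three to each other; the steps below rely on that entry's contents.
        HashedRekordRequest request = HashedRekordRequest.newHashedRekordRequest(
                artifactDigest, Certificates.toPemBytes(leafCert), signature);
        RekorEntry rekorEntry = this.rekorClient.getEntry(request)
                .orElseThrow(() -> new KeylessVerificationException("Rekor entry was not found"));
        try {
            this.rekorVerifier.verifyEntry(rekorEntry);
        } catch (RekorVerificationException rve) {
            throw new KeylessVerificationException("Rekor entry signature was not valid", rve);
        }
        try {
            this.rekorVerifier.verifyInclusionProof(rekorEntry);
        } catch (RekorVerificationException rve) {
            throw new KeylessVerificationException("Rekor entry inclusion proof was not valid", rve);
        }

        // Validity is checked at the log's integration time, not at the current time.
        // java.util.Date is fully qualified because this file imports java.sql.Date.
        try {
            leafCert.checkValidity(java.util.Date.from(Instant.ofEpochSecond(rekorEntry.getIntegratedTime())));
        } catch (CertificateExpiredException e) {
            throw new KeylessVerificationException("Signing time was after certificate expiry", e);
        } catch (CertificateNotYetValidException e) {
            throw new KeylessVerificationException("Signing time was before certificate validity", e);
        }

        try {
            if (!Verifiers.newVerifier(leafCert.getPublicKey()).verifyDigest(artifactDigest, signature)) {
                throw new KeylessVerificationException("Artifact signature was not valid");
            }
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            // The key was just taken from a certificate that passed chain verification, so this
            // indicates a JCA/environment problem rather than a verification outcome.
            throw new RuntimeException(e);
        } catch (SignatureException e) {
            throw new KeylessVerificationException("Signature could not be processed: " + e.getMessage(), e);
        }
    }
}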
