package dev.sigstore;

import com.google.api.client.util.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.hash.Hashing;
import com.google.common.io.Files;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import com.google.errorprone.annotations.CheckReturnValue;
import com.google.errorprone.annotations.InlineMe;
import com.google.errorprone.annotations.concurrent.GuardedBy;
import dev.sigstore.VerificationMaterial;
import dev.sigstore.encryption.certificates.Certificates;
import dev.sigstore.encryption.signers.Signer;
import dev.sigstore.encryption.signers.Signers;
import dev.sigstore.fulcio.client.CertificateRequest;
import dev.sigstore.fulcio.client.FulcioClient;
import dev.sigstore.fulcio.client.FulcioVerificationException;
import dev.sigstore.fulcio.client.FulcioVerifier;
import dev.sigstore.fulcio.client.SigningCertificate;
import dev.sigstore.fulcio.client.UnsupportedAlgorithmException;
import dev.sigstore.oidc.client.OidcClient;
import dev.sigstore.oidc.client.OidcClients;
import dev.sigstore.oidc.client.OidcException;
import dev.sigstore.oidc.client.OidcToken;
import dev.sigstore.rekor.client.HashedRekordRequest;
import dev.sigstore.rekor.client.RekorClient;
import dev.sigstore.rekor.client.RekorResponse;
import dev.sigstore.rekor.client.RekorVerificationException;
import dev.sigstore.rekor.client.RekorVerifier;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.ReentrantReadWriteLock;

/* loaded from: input_file:dev/sigstore/KeylessSigner.class */
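/**
 * "Keyless" signer: every digest is signed with the configured {@link Signer}'s key, the key is
 * bound to an OIDC identity through a Fulcio-issued certificate, and each signature is recorded in
 * a Rekor transparency log.
 *
 * <p>The Fulcio certificate is obtained lazily and cached. Before each artifact is signed the cache
 * is re-checked and the certificate is replaced once its remaining validity is no longer greater
 * than {@code minSigningCertificateLifetime} (see {@link #renewSigningCertificate()}). A
 * certificate is only cached after {@link FulcioVerifier} has verified its chain and its SCT, and
 * a log entry is only returned after {@link RekorVerifier} has verified it.
 *
 * <p>Thread-safety: the cached certificate and its PEM bytes are guarded by {@code lock}. Whether
 * the injected clients and the signer are themselves safe for concurrent use is not established
 * by this class. {@link #close()} drops the cached certificate; it does not close the injected
 * clients.
 */
public class KeylessSigner implements AutoCloseable {
    /** Default remaining validity below which the cached certificate is renewed. */
    public static final Duration DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME = Duration.ofMinutes(5);
    private final FulcioClient fulcioClient;
    private final FulcioVerifier fulcioVerifier;
    private final RekorClient rekorClient;
    private final RekorVerifier rekorVerifier;
    private final OidcClients oidcClients;
    private final Signer signer;
    private final Duration minSigningCertificateLifetime;

    // Cached, verified Fulcio certificate; null until first use and after close().
    @GuardedBy("lock")
    private SigningCertificate signingCert;

    // PEM encoding of the leaf of signingCert, sent to Rekor with each entry.
    @GuardedBy("lock")
    private byte[] signingCertPemBytes;
    private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();

    /**
     * Builder for {@link KeylessSigner}. All clients, verifiers and the signer are required;
     * {@link #minSigningCertificateLifetime(Duration)} defaults to
     * {@link KeylessSigner#DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME}.
     */
    public static class Builder {
        private FulcioClient fulcioClient;
        private FulcioVerifier fulcioVerifier;
        private RekorClient rekorClient;
        private RekorVerifier rekorVerifier;
        private OidcClients oidcClients;
        private Signer signer;
        private Duration minSigningCertificateLifetime = KeylessSigner.DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME;

        /**
         * Sets the Fulcio client used to request certificates and the verifier that must accept
         * each returned certificate (chain and SCT) before it is used.
         */
        @CanIgnoreReturnValue
        public Builder fulcioClient(FulcioClient fulcioClient, FulcioVerifier fulcioVerifier) {
            this.fulcioClient = fulcioClient;
            this.fulcioVerifier = fulcioVerifier;
            return this;
        }

        /**
         * Sets the Rekor client used to upload log entries and the verifier that must accept each
         * returned entry before it is handed back to the caller.
         */
        @CanIgnoreReturnValue
        public Builder rekorClient(RekorClient rekorClient, RekorVerifier rekorVerifier) {
            this.rekorClient = rekorClient;
            this.rekorVerifier = rekorVerifier;
            return this;
        }

        /**
         * @deprecated use {@link #oidcClients(OidcClients)} with {@code OidcClients.of(oidcClient)}.
         */
        @CanIgnoreReturnValue
        @InlineMe(replacement = "this.oidcClients(OidcClients.of(oidcClient))", imports = {"dev.sigstore.oidc.client.OidcClients"})
        @Deprecated
        public final Builder oidcClient(OidcClient oidcClient) {
            return oidcClients(OidcClients.of(oidcClient));
        }

        /** Sets the OIDC clients that supply the identity token for certificate requests. */
        @CanIgnoreReturnValue
        public Builder oidcClients(OidcClients oidcClients) {
            this.oidcClients = oidcClients;
            return this;
        }

        /** Sets the signer whose key signs digests and is certified by Fulcio. */
        @CanIgnoreReturnValue
        public Builder signer(Signer signer) {
            this.signer = signer;
            return this;
        }

        /**
         * Sets the remaining validity at or below which the cached certificate is renewed before
         * the next artifact is signed.
         */
        @CanIgnoreReturnValue
        public Builder minSigningCertificateLifetime(Duration duration) {
            this.minSigningCertificateLifetime = duration;
            return this;
        }

        /**
         * Builds the signer.
         *
         * @throws NullPointerException if any client, verifier, the signer or the minimum
         *     certificate lifetime is unset
         */
        @CheckReturnValue
        public KeylessSigner build() {
            Preconditions.checkNotNull(this.fulcioClient, "fulcioClient");
            Preconditions.checkNotNull(this.fulcioVerifier, "fulcioVerifier");
            Preconditions.checkNotNull(this.rekorClient, "rekorClient");
            Preconditions.checkNotNull(this.rekorVerifier, "rekorVerifier");
            Preconditions.checkNotNull(this.oidcClients, "oidcClients");
            Preconditions.checkNotNull(this.signer, "signer");
            // A null lifetime would otherwise only surface as an NPE on the first sign() call.
            Preconditions.checkNotNull(this.minSigningCertificateLifetime, "minSigningCertificateLifetime");
            return new KeylessSigner(this.fulcioClient, this.fulcioVerifier, this.rekorClient, this.rekorVerifier, this.oidcClients, this.signer, this.minSigningCertificateLifetime);
        }

        /**
         * Configures the public Sigstore instance: default Fulcio and Rekor endpoints, the
         * production verification material from {@link VerificationMaterial.Production}, the
         * default OIDC clients, a fresh ECDSA signer and the default minimum certificate lifetime.
         */
        @CanIgnoreReturnValue
        public Builder sigstorePublicDefaults() throws IOException, InvalidAlgorithmParameterException, CertificateException, InvalidKeySpecException, NoSuchAlgorithmException {
            fulcioClient(FulcioClient.builder().build(), FulcioVerifier.newFulcioVerifier(VerificationMaterial.Production.fulioCert(), VerificationMaterial.Production.ctfePublicKeys()));
            rekorClient(RekorClient.builder().build(), RekorVerifier.newRekorVerifier(VerificationMaterial.Production.rekorPublicKey()));
            oidcClients(OidcClients.DEFAULTS);
            signer(Signers.newEcdsaSigner());
            minSigningCertificateLifetime(KeylessSigner.DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
            return this;
        }

        /**
         * Configures the Sigstore staging instance: staging Fulcio and Rekor endpoints, the
         * staging verification material from {@link VerificationMaterial.Staging}, the staging
         * OIDC clients, a fresh ECDSA signer and the default minimum certificate lifetime.
         */
        @CanIgnoreReturnValue
        public Builder sigstoreStagingDefaults() throws IOException, InvalidAlgorithmParameterException, CertificateException, InvalidKeySpecException, NoSuchAlgorithmException {
            fulcioClient(FulcioClient.builder().setServerUrl(URI.create(FulcioClient.STAGING_FULCIO_SERVER)).build(), FulcioVerifier.newFulcioVerifier(VerificationMaterial.Staging.fulioCert(), VerificationMaterial.Staging.ctfePublicKeys()));
            rekorClient(RekorClient.builder().setServerUrl(URI.create(RekorClient.STAGING_REKOR_SERVER)).build(), RekorVerifier.newRekorVerifier(VerificationMaterial.Staging.rekorPublicKey()));
            oidcClients(OidcClients.STAGING_DEFAULTS);
            signer(Signers.newEcdsaSigner());
            minSigningCertificateLifetime(KeylessSigner.DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
            return this;
        }
    }

    private KeylessSigner(FulcioClient fulcioClient, FulcioVerifier fulcioVerifier, RekorClient rekorClient, RekorVerifier rekorVerifier, OidcClients oidcClients, Signer signer, Duration duration) {
        this.fulcioClient = fulcioClient;
        this.fulcioVerifier = fulcioVerifier;
        this.rekorClient = rekorClient;
        this.rekorVerifier = rekorVerifier;
        this.oidcClients = oidcClients;
        this.signer = signer;
        this.minSigningCertificateLifetime = duration;
    }

    /**
     * Drops the cached certificate and its PEM bytes. The injected clients and the signer are not
     * closed; a later {@code sign} call would request a new certificate.
     */
    @Override
    public void close() {
        this.lock.writeLock().lock();
        try {
            this.signingCert = null;
            this.signingCertPemBytes = null;
        } finally {
            this.lock.writeLock().unlock();
        }
    }

    /** Returns a new, empty {@link Builder}. */
    @CheckReturnValue
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Signs each artifact digest, uploads a hashed-rekord entry for it and returns one
     * {@link KeylessSignature} per input, in input order.
     *
     * <p>The digest algorithm must be the one the hashed-rekord entry expects; {@link #signFiles}
     * produces SHA-256 digests. Each entry returned by Rekor is verified with the configured
     * {@link RekorVerifier} before it is included in the result.
     *
     * @param list artifact digests to sign, one per artifact
     * @return the signatures, certificate chains and verified log entries, in input order
     * @throws IllegalArgumentException if {@code list} is empty
     * @throws IllegalStateException if no certificate is cached after renewal
     */
    @CheckReturnValue
    public List<KeylessSignature> sign(List<byte[]> list) throws OidcException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedAlgorithmException, CertificateException, IOException, FulcioVerificationException, RekorVerificationException, InterruptedException {
        if (list.isEmpty()) {
            throw new IllegalArgumentException("Require one or more digests");
        }
        ImmutableList.Builder<KeylessSignature> result = ImmutableList.builder();
        for (byte[] digest : list) {
            byte[] signature = this.signer.signDigest(digest);
            // Re-checked per artifact: slow Rekor round-trips can push the cached certificate
            // past its usable lifetime between one artifact and the next.
            renewSigningCertificate();
            SigningCertificate cert;
            byte[] certPem;
            // Snapshot the cache and release the lock before the network call so that a
            // concurrent renewal (write lock) is not blocked on Rekor latency.
            this.lock.readLock().lock();
            try {
                cert = this.signingCert;
                certPem = this.signingCertPemBytes;
            } finally {
                this.lock.readLock().unlock();
            }
            if (cert == null) {
                throw new IllegalStateException("Signing certificate is null");
            }
            RekorResponse response = this.rekorClient.putEntry(HashedRekordRequest.newHashedRekordRequest(digest, certPem, signature));
            this.rekorVerifier.verifyEntry(response.getEntry());
            result.add(ImmutableKeylessSignature.builder().digest(digest).certPath(cert.getCertPath()).signature(signature).entry(response.getEntry()).build());
        }
        return result.build();
    }

    /**
     * Ensures a usable certificate is cached, requesting a new one from Fulcio when none is cached
     * or the cached one has {@code minSigningCertificateLifetime} or less validity left.
     *
     * <p>The read lock is released before the write lock is taken: {@link ReentrantReadWriteLock}
     * does not support upgrading a held read lock to the write lock, and a thread that tries
     * blocks forever. Because of that gap the lifetime check is repeated under the write lock so
     * that concurrent callers do not each request a certificate.
     *
     * <p>A new certificate replaces the cache only after the configured {@link FulcioVerifier}
     * has accepted its chain and its SCT; the previous certificate is cleared before the request
     * so a failed renewal never leaves a stale one in place.
     */
    private void renewSigningCertificate() throws InterruptedException, CertificateException, IOException, UnsupportedAlgorithmException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, FulcioVerificationException, OidcException {
        this.lock.readLock().lock();
        try {
            if (hasUsableCertificate()) {
                return;
            }
        } finally {
            this.lock.readLock().unlock();
        }

        this.lock.writeLock().lock();
        try {
            // Another thread may have renewed between the read-locked check and here.
            if (hasUsableCertificate()) {
                return;
            }
            this.signingCert = null;
            this.signingCertPemBytes = null;
            OidcToken idToken = this.oidcClients.getIDToken();
            // The token's subject alternative name, signed with the signing key, accompanies the
            // request so Fulcio can tie the certified key to this signer.
            byte[] sanSignature = this.signer.sign(idToken.getSubjectAlternativeName().getBytes(StandardCharsets.UTF_8));
            SigningCertificate fresh = this.fulcioClient.signingCertificate(CertificateRequest.newCertificateRequest(this.signer.getPublicKey(), idToken.getIdToken(), sanSignature));
            this.fulcioVerifier.verifyCertChain(fresh);
            this.fulcioVerifier.verifySct(fresh);
            this.signingCert = fresh;
            this.signingCertPemBytes = Certificates.toPemBytes(fresh.getLeafCertificate());
        } finally {
            this.lock.writeLock().unlock();
        }
    }

    /**
     * Returns whether a certificate is cached and its remaining validity exceeds
     * {@code minSigningCertificateLifetime}. Caller must hold {@code lock} (read or write).
     */
    @GuardedBy("lock")
    private boolean hasUsableCertificate() {
        if (this.signingCert == null) {
            return false;
        }
        long remainingMillis = this.signingCert.getLeafCertificate().getNotAfter().getTime() - System.currentTimeMillis();
        return remainingMillis > this.minSigningCertificateLifetime.toMillis();
    }

    /**
     * Signs a single artifact digest; see {@link #sign(List)}.
     *
     * @param bArr the artifact digest
     * @return the signature, certificate chain and verified log entry for the digest
     */
    @CheckReturnValue
    public KeylessSignature sign(byte[] bArr) throws FulcioVerificationException, RekorVerificationException, UnsupportedAlgorithmException, CertificateException, NoSuchAlgorithmException, SignatureException, IOException, OidcException, InvalidKeyException, InterruptedException {
        return sign(List.of(bArr)).get(0);
    }

    /**
     * Computes the SHA-256 digest of each file and signs the digests with {@link #sign(List)}.
     *
     * @param list files to sign; each path must be distinct
     * @return a map from each input path to its signature
     * @throws IllegalArgumentException if {@code list} is empty, or if it contains the same path
     *     twice (the immutable map rejects duplicate keys)
     * @throws IOException if a file cannot be read
     */
    @CheckReturnValue
    public Map<Path, KeylessSignature> signFiles(List<Path> list) throws FulcioVerificationException, RekorVerificationException, UnsupportedAlgorithmException, CertificateException, NoSuchAlgorithmException, SignatureException, IOException, OidcException, InvalidKeyException, InterruptedException {
        if (list.isEmpty()) {
            throw new IllegalArgumentException("Require one or more paths");
        }
        List<byte[]> digests = new ArrayList<>(list.size());
        for (Path path : list) {
            digests.add(Files.asByteSource(path.toFile()).hash(Hashing.sha256()).asBytes());
        }
        List<KeylessSignature> signatures = sign(digests);
        ImmutableMap.Builder<Path, KeylessSignature> result = ImmutableMap.builder();
        // sign() preserves input order, so the i-th signature belongs to the i-th path.
        for (int i = 0; i < list.size(); i++) {
            result.put(list.get(i), signatures.get(i));
        }
        return result.build();
    }

    /**
     * Signs a single file; see {@link #signFiles(List)}.
     *
     * @param path the file to sign
     * @return the signature, certificate chain and verified log entry for the file's SHA-256 digest
     */
    @CheckReturnValue
    public KeylessSignature signFile(Path path) throws FulcioVerificationException, RekorVerificationException, UnsupportedAlgorithmException, CertificateException, NoSuchAlgorithmException, SignatureException, IOException, OidcException, InvalidKeyException, InterruptedException {
        return signFiles(List.of(path)).get(path);
    }
}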
