package dev.sigstore.tuf;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.hash.Hashing;
import dev.sigstore.encryption.Keys;
import dev.sigstore.encryption.signers.Verifiers;
import dev.sigstore.json.GsonSupplier;
import dev.sigstore.tuf.InvalidHashesException;
import dev.sigstore.tuf.model.Hashes;
import dev.sigstore.tuf.model.Key;
import dev.sigstore.tuf.model.Role;
import dev.sigstore.tuf.model.Root;
import dev.sigstore.tuf.model.RootRole;
import dev.sigstore.tuf.model.Signature;
import dev.sigstore.tuf.model.SignedTufMeta;
import dev.sigstore.tuf.model.Snapshot;
import dev.sigstore.tuf.model.SnapshotMeta;
import dev.sigstore.tuf.model.TargetMeta;
import dev.sigstore.tuf.model.Targets;
import dev.sigstore.tuf.model.Timestamp;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.spec.InvalidKeySpecException;
import java.time.Clock;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: input_file:dev/sigstore/tuf/Updater.class */
public class Updater {
    private static final int MAX_UPDATES = 1024;
    private Clock clock;
    private Verifiers.Supplier verifiers;
    private MetaFetcher fetcher;
    private ZonedDateTime updateStartTime;
    private Path trustedRootPath;
    private MutableTufStore localStore;

    /* loaded from: input_file:dev/sigstore/tuf/Updater$Builder.class */
    public static class Builder {
        private Clock clock = Clock.systemUTC();
        private Verifiers.Supplier verifiers = Verifiers::newVerifier;
        private MetaFetcher fetcher;
        private Path trustedRootPath;
        private MutableTufStore localStore;

        public Builder setClock(Clock clock) {
            this.clock = clock;
            return this;
        }

        public Builder setVerifiers(Verifiers.Supplier supplier) {
            this.verifiers = supplier;
            return this;
        }

        public Builder setLocalStore(MutableTufStore mutableTufStore) {
            this.localStore = mutableTufStore;
            return this;
        }

        public Builder setTrustedRootPath(Path path) {
            this.trustedRootPath = path;
            return this;
        }

        public Builder setFetcher(MetaFetcher metaFetcher) {
            this.fetcher = metaFetcher;
            return this;
        }

        public Updater build() {
            return new Updater(this.clock, this.verifiers, this.fetcher, this.trustedRootPath, this.localStore);
        }
    }

    Updater(Clock clock, Verifiers.Supplier supplier, MetaFetcher metaFetcher, Path path, MutableTufStore mutableTufStore) {
        this.clock = clock;
        this.verifiers = supplier;
        this.trustedRootPath = path;
        this.localStore = mutableTufStore;
        this.fetcher = metaFetcher;
    }

    public static Builder builder() {
        return new Builder();
    }

    public void update() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
        Root updateRoot = updateRoot();
        Optional<Timestamp> updateTimestamp = updateTimestamp(updateRoot);
        if (updateTimestamp.isPresent()) {
            downloadTargets(updateTargets(updateRoot, updateSnapshot(updateRoot, updateTimestamp.get())));
        }
    }

    Root updateRoot() throws IOException, RoleExpiredException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, FileExceedsMaxLengthException, RollbackVersionException, SignatureVerificationException {
        this.updateStartTime = ZonedDateTime.now(this.clock);
        Optional<Root> loadTrustedRoot = this.localStore.loadTrustedRoot();
        Root root = loadTrustedRoot.isPresent() ? loadTrustedRoot.get() : (Root) GsonSupplier.GSON.get().fromJson(Files.readString(this.trustedRootPath), Root.class);
        int version = root.getSignedMeta().getVersion();
        RootRole rootRole = root.getSignedMeta().mo370getRoles().get("snapshot");
        RootRole rootRole2 = root.getSignedMeta().mo370getRoles().get("timestamp");
        for (int i = version + 1; i < version + MAX_UPDATES; i++) {
            Optional<MetaFetchResult<Root>> rootAtVersion = this.fetcher.getRootAtVersion(i);
            if (rootAtVersion.isEmpty()) {
                break;
            }
            Root metaResource = rootAtVersion.get().getMetaResource();
            verifyDelegate(root, metaResource);
            verifyDelegate(metaResource, metaResource);
            if (metaResource.getSignedMeta().getVersion() != i) {
                throw new RollbackVersionException(i, metaResource.getSignedMeta().getVersion());
            }
            root = metaResource;
            this.localStore.storeTrustedRoot(root);
        }
        throwIfExpired(root.getSignedMeta().getExpiresAsDate());
        if (hasNewKeys(rootRole, root.getSignedMeta().getRole(Role.Name.SNAPSHOT)) || hasNewKeys(rootRole2, root.getSignedMeta().getRole(Role.Name.TIMESTAMP))) {
            this.localStore.clearMetaDueToKeyRotation();
        }
        return root;
    }

    private void throwIfExpired(ZonedDateTime zonedDateTime) {
        if (zonedDateTime.isBefore(this.updateStartTime)) {
            throw new RoleExpiredException(this.fetcher.getSource(), this.updateStartTime, zonedDateTime);
        }
    }

    private boolean hasNewKeys(RootRole rootRole, RootRole rootRole2) {
        return !rootRole2.mo364getKeyids().stream().allMatch(str -> {
            return rootRole.mo364getKeyids().contains(str);
        });
    }

    void verifyDelegate(Root root, SignedTufMeta signedTufMeta) throws SignatureVerificationException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
        verifyDelegate(signedTufMeta.mo369getSignatures(), root.getSignedMeta().mo371getKeys(), root.getSignedMeta().getRole(Role.Name.valueOf(signedTufMeta.getSignedMeta().getType().toUpperCase(Locale.ROOT))), signedTufMeta.getCanonicalSignedBytes());
    }

    @VisibleForTesting
    void verifyDelegate(List<Signature> list, Map<String, Key> map, Role role, byte[] bArr) throws SignatureVerificationException, NoSuchAlgorithmException, InvalidKeyException, InvalidKeySpecException, IOException {
        HashSet hashSet = new HashSet((role.mo364getKeyids().size() * 4) / 3);
        for (String str : role.mo364getKeyids()) {
            Optional<Signature> findFirst = list.stream().filter(signature -> {
                return signature.getKeyId().equals(str);
            }).findFirst();
            if (findFirst.isPresent()) {
                Signature signature2 = findFirst.get();
                Key key = map.get(signature2.getKeyId());
                if (key != null) {
                    String str2 = key.mo367getKeyVal().get("public");
                    try {
                        if (this.verifiers.newVerifier(str2.startsWith("-----BEGIN PUBLIC KEY-----") ? Keys.parsePublicKey(str2.getBytes(StandardCharsets.UTF_8)) : Keys.constructTufPublicKey(Hex.decode(str2), key.getScheme())).verify(bArr, Hex.decode(signature2.getSignature()))) {
                            hashSet.add(signature2.getKeyId());
                        }
                    } catch (SignatureException e) {
                        throw new TufException(e);
                    }
                } else {
                    continue;
                }
            }
        }
        if (hashSet.size() < role.getThreshold()) {
            throw new SignatureVerificationException(role.getThreshold(), hashSet.size());
        }
    }

    Optional<Timestamp> updateTimestamp(Root root) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, FileNotFoundException, SignatureVerificationException {
        Timestamp timestamp = (Timestamp) ((MetaFetchResult) this.fetcher.getMeta(Role.Name.TIMESTAMP, Timestamp.class).orElseThrow(() -> {
            return new FileNotFoundException("timestamp.json", this.fetcher.getSource());
        })).getMetaResource();
        verifyDelegate(root, timestamp);
        Optional<Timestamp> loadTimestamp = this.localStore.loadTimestamp();
        if (loadTimestamp.isPresent()) {
            Timestamp timestamp2 = loadTimestamp.get();
            if (timestamp2.getSignedMeta().getVersion() > timestamp.getSignedMeta().getVersion()) {
                throw new RollbackVersionException(timestamp2.getSignedMeta().getVersion(), timestamp.getSignedMeta().getVersion());
            }
            if (timestamp2.getSignedMeta().getVersion() == timestamp.getSignedMeta().getVersion()) {
                return Optional.empty();
            }
        }
        throwIfExpired(timestamp.getSignedMeta().getExpiresAsDate());
        this.localStore.storeMeta(timestamp);
        return Optional.of(timestamp);
    }

    Snapshot updateSnapshot(Root root, Timestamp timestamp) throws IOException, FileNotFoundException, InvalidHashesException, SignatureVerificationException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
        int version = timestamp.getSignedMeta().getSnapshotMeta().getVersion();
        Optional meta = this.fetcher.getMeta(Role.Name.SNAPSHOT, version, Snapshot.class, Integer.valueOf(timestamp.getSignedMeta().getSnapshotMeta().getLength()));
        if (meta.isEmpty()) {
            throw new FileNotFoundException(version + ".snapshot.json", this.fetcher.getSource());
        }
        MetaFetchResult metaFetchResult = (MetaFetchResult) meta.get();
        verifyHashes("snapshot", metaFetchResult.getRawBytes(), timestamp.getSignedMeta().getSnapshotMeta().getHashes());
        verifyDelegate(root, metaFetchResult.getMetaResource());
        int version2 = ((Snapshot) metaFetchResult.getMetaResource()).getSignedMeta().getVersion();
        if (version2 != version) {
            throw new SnapshotVersionMismatchException(version, version2);
        }
        Optional<Snapshot> loadSnapshot = this.localStore.loadSnapshot();
        if (loadSnapshot.isPresent()) {
            for (Map.Entry<String, SnapshotMeta.SnapshotTarget> entry : loadSnapshot.get().getSignedMeta().mo372getMeta().entrySet()) {
                SnapshotMeta.SnapshotTarget snapshotTarget = ((Snapshot) metaFetchResult.getMetaResource()).getSignedMeta().mo372getMeta().get(entry.getKey());
                if (snapshotTarget == null) {
                    throw new SnapshotTargetMissingException(entry.getKey());
                }
                if (snapshotTarget.getVersion() < entry.getValue().getVersion()) {
                    throw new SnapshotTargetVersionException(entry.getKey(), snapshotTarget.getVersion(), entry.getValue().getVersion());
                }
            }
        }
        throwIfExpired(((Snapshot) metaFetchResult.getMetaResource()).getSignedMeta().getExpiresAsDate());
        this.localStore.storeMeta(metaFetchResult.getMetaResource());
        return (Snapshot) metaFetchResult.getMetaResource();
    }

    @VisibleForTesting
    static void verifyHashes(String str, byte[] bArr, Hashes hashes) throws InvalidHashesException {
        ArrayList arrayList = new ArrayList(2);
        String sha512 = hashes.getSha512();
        String sha256 = hashes.getSha256();
        if (sha256 == null && sha512 == null) {
            throw new IllegalArgumentException(String.format(Locale.ROOT, "hashes parameter for %s must contain at least one of sha512 or sha256.", str));
        }
        String hashCode = Hashing.sha512().hashBytes(bArr).toString();
        if (sha512 != null && !hashCode.equals(sha512)) {
            arrayList.add(new InvalidHashesException.InvalidHash("sha512", sha512, hashCode));
        }
        String hashCode2 = Hashing.sha256().hashBytes(bArr).toString();
        if (sha256 != null && !hashCode2.equals(sha256)) {
            arrayList.add(new InvalidHashesException.InvalidHash("sha256", sha256, hashCode2));
        }
        if (!arrayList.isEmpty()) {
            throw new InvalidHashesException(str, (InvalidHashesException.InvalidHash[]) arrayList.toArray(i -> {
                return new InvalidHashesException.InvalidHash[i];
            }));
        }
    }

    Targets updateTargets(Root root, Snapshot snapshot) throws IOException, FileNotFoundException, InvalidHashesException, SignatureVerificationException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, FileExceedsMaxLengthException {
        SnapshotMeta.SnapshotTarget targetMeta = snapshot.getSignedMeta().getTargetMeta("targets.json");
        Optional meta = this.fetcher.getMeta(Role.Name.TARGETS, targetMeta.getVersion(), Targets.class, Integer.valueOf(targetMeta.getLength()));
        if (meta.isEmpty()) {
            throw new FileNotFoundException(targetMeta.getVersion() + ".targets.json", this.fetcher.getSource());
        }
        MetaFetchResult metaFetchResult = (MetaFetchResult) meta.get();
        verifyHashes(targetMeta.getVersion() + ".targets.json", metaFetchResult.getRawBytes(), targetMeta.getHashes());
        verifyDelegate(root, metaFetchResult.getMetaResource());
        int version = ((Targets) metaFetchResult.getMetaResource()).getSignedMeta().getVersion();
        int version2 = targetMeta.getVersion();
        if (version != version2) {
            throw new SnapshotVersionMismatchException(version2, version);
        }
        throwIfExpired(((Targets) metaFetchResult.getMetaResource()).getSignedMeta().getExpiresAsDate());
        this.localStore.storeMeta(metaFetchResult.getMetaResource());
        return (Targets) metaFetchResult.getMetaResource();
    }

    void downloadTargets(Targets targets) throws IOException, TargetMetadataMissingException, FileNotFoundException {
        for (Map.Entry<String, TargetMeta.TargetData> entry : targets.getSignedMeta().mo373getTargets().entrySet()) {
            String key = entry.getKey();
            if (entry.getValue() == null) {
                throw new TargetMetadataMissingException(key);
            }
            TargetMeta.TargetData value = entry.getValue();
            String str = value.getHashes().getSha512() + "." + key;
            byte[] fetchResource = this.fetcher.fetchResource("targets/" + str, value.getLength());
            if (fetchResource == null) {
                throw new FileNotFoundException(key, this.fetcher.getSource());
            }
            verifyHashes(entry.getKey(), fetchResource, value.getHashes());
            this.localStore.storeTargetFile(str, fetchResource);
        }
    }

    @VisibleForTesting
    MutableTufStore getLocalStore() {
        return this.localStore;
    }
}
