package dev.sigstore;

import com.google.api.client.util.Preconditions;
import com.google.common.hash.Hashing;
import com.google.common.io.Files;
import dev.sigstore.KeylessVerificationRequest;
import dev.sigstore.VerificationMaterial;
import dev.sigstore.encryption.certificates.Certificates;
import dev.sigstore.encryption.signers.Verifiers;
import dev.sigstore.fulcio.client.FulcioCertificateVerifier;
import dev.sigstore.fulcio.client.FulcioVerificationException;
import dev.sigstore.fulcio.client.FulcioVerifier;
import dev.sigstore.fulcio.client.SigningCertificate;
import dev.sigstore.rekor.client.HashedRekordRequest;
import dev.sigstore.rekor.client.RekorClient;
import dev.sigstore.rekor.client.RekorEntry;
import dev.sigstore.rekor.client.RekorVerificationException;
import dev.sigstore.rekor.client.RekorVerifier;
import java.io.IOException;
import java.net.URI;
import java.nio.file.Path;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.sql.Date;
import java.time.Instant;
import java.util.Arrays;
import java.util.Optional;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: input_file:dev/sigstore/KeylessVerifier.class */
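/**
 * Verifies Sigstore "keyless" signatures: a signature produced under a short-lived
 * Fulcio certificate, with the signing event recorded in the Rekor transparency log.
 *
 * <p>{@link #verify(byte[], KeylessVerificationRequest)} runs the checks in this order:
 * artifact digest matches the request, Fulcio chain, SCT, (optional) certificate
 * identities, Rekor entry signature, Rekor inclusion proof, certificate validity at the
 * Rekor integrated time, and finally the artifact signature itself. Every failure is
 * surfaced as a {@link KeylessVerificationException} carrying the underlying cause.
 *
 * <p>Instances are created through {@link #builder()}.
 */
public class KeylessVerifier {
    private final FulcioVerifier fulcioVerifier;
    private final RekorVerifier rekorVerifier;
    private final RekorClient rekorClient;

    /** Builder for {@link KeylessVerifier}; all three collaborators are required. */
    public static class Builder {
        private FulcioVerifier fulcioVerifier;
        private RekorClient rekorClient;
        private RekorVerifier rekorVerifier;

        /**
         * Sets the verifier used for the Fulcio certificate chain and SCT checks.
         *
         * @param fulcioVerifier the Fulcio verifier (must not be null at build time)
         * @return this builder
         */
        public Builder fulcioVerifier(FulcioVerifier fulcioVerifier) {
            this.fulcioVerifier = fulcioVerifier;
            return this;
        }

        /**
         * Sets the Rekor client used for online lookups and the verifier for entry
         * signatures and inclusion proofs.
         *
         * @param rekorClient client used to fetch entries when verifying online
         * @param rekorVerifier verifier for Rekor entry signatures and inclusion proofs
         * @return this builder
         */
        public Builder rekorClient(RekorClient rekorClient, RekorVerifier rekorVerifier) {
            this.rekorClient = rekorClient;
            this.rekorVerifier = rekorVerifier;
            return this;
        }

        /**
         * Builds the verifier.
         *
         * @return a configured {@link KeylessVerifier}
         * @throws NullPointerException if any of the three collaborators was not set
         */
        public KeylessVerifier build() {
            Preconditions.checkNotNull(this.fulcioVerifier, "fulcioVerifier must be set");
            Preconditions.checkNotNull(this.rekorVerifier, "rekorVerifier must be set");
            Preconditions.checkNotNull(this.rekorClient, "rekorClient must be set");
            return new KeylessVerifier(this.fulcioVerifier, this.rekorClient, this.rekorVerifier);
        }

        /**
         * Configures the builder with the production Sigstore trust material
         * ({@link VerificationMaterial.Production}) and the default Rekor server.
         *
         * @return this builder
         * @throws IOException if the trust material cannot be read
         * @throws InvalidAlgorithmParameterException if a verifier cannot be constructed
         * @throws CertificateException if the Fulcio certificate cannot be parsed
         * @throws InvalidKeySpecException if a public key cannot be parsed
         * @throws NoSuchAlgorithmException if a required algorithm is unavailable
         */
        public Builder sigstorePublicDefaults() throws IOException, InvalidAlgorithmParameterException, CertificateException, InvalidKeySpecException, NoSuchAlgorithmException {
            fulcioVerifier(FulcioVerifier.newFulcioVerifier(
                    VerificationMaterial.Production.fulioCert(),
                    VerificationMaterial.Production.ctfePublicKeys()));
            rekorClient(
                    RekorClient.builder().build(),
                    RekorVerifier.newRekorVerifier(VerificationMaterial.Production.rekorPublicKey()));
            return this;
        }

        /**
         * Configures the builder with the staging Sigstore trust material
         * ({@link VerificationMaterial.Staging}) and the staging Rekor server.
         *
         * @return this builder
         * @throws IOException if the trust material cannot be read
         * @throws InvalidAlgorithmParameterException if a verifier cannot be constructed
         * @throws CertificateException if the Fulcio certificate cannot be parsed
         * @throws InvalidKeySpecException if a public key cannot be parsed
         * @throws NoSuchAlgorithmException if a required algorithm is unavailable
         */
        public Builder sigstoreStagingDefaults() throws IOException, InvalidAlgorithmParameterException, CertificateException, InvalidKeySpecException, NoSuchAlgorithmException {
            fulcioVerifier(FulcioVerifier.newFulcioVerifier(
                    VerificationMaterial.Staging.fulioCert(),
                    VerificationMaterial.Staging.ctfePublicKeys()));
            rekorClient(
                    RekorClient.builder().setServerUrl(URI.create(RekorClient.STAGING_REKOR_SERVER)).build(),
                    RekorVerifier.newRekorVerifier(VerificationMaterial.Staging.rekorPublicKey()));
            return this;
        }
    }

    private KeylessVerifier(FulcioVerifier fulcioVerifier, RekorClient rekorClient, RekorVerifier rekorVerifier) {
        this.fulcioVerifier = fulcioVerifier;
        this.rekorClient = rekorClient;
        this.rekorVerifier = rekorVerifier;
    }

    /** @return a new, empty {@link Builder} */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Verifies a signature online using a PEM certificate chain.
     *
     * @param bArr sha256 digest of the artifact
     * @param bArr2 PEM-encoded certificate chain
     * @param bArr3 signature over the digest
     * @throws KeylessVerificationException if the chain cannot be parsed or verification fails
     * @deprecated build a {@link KeylessVerificationRequest} and call
     *     {@link #verify(byte[], KeylessVerificationRequest)} instead
     */
    @Deprecated
    public void verifyOnline(byte[] bArr, byte[] bArr2, byte[] bArr3) throws KeylessVerificationException {
        KeylessSignature keylessSignature;
        try {
            keylessSignature = KeylessSignature.builder()
                    .signature(bArr3)
                    .certPath(Certificates.fromPemChain(bArr2))
                    .digest(bArr)
                    .build();
        } catch (CertificateException e) {
            throw new KeylessVerificationException("Certificate was not valid: " + e.getMessage(), e);
        }
        KeylessVerificationRequest request = KeylessVerificationRequest.builder()
                .keylessSignature(keylessSignature)
                .verificationOptions(KeylessVerificationRequest.VerificationOptions.builder().isOnline(true).build())
                .build();
        verify(bArr, request);
    }

    /**
     * Hashes the file at {@code path} with sha256 and verifies the result.
     *
     * @param path artifact to hash
     * @param keylessVerificationRequest signature and options to verify against
     * @throws KeylessVerificationException if the file cannot be read or verification fails
     */
    public void verify(Path path, KeylessVerificationRequest keylessVerificationRequest) throws KeylessVerificationException {
        byte[] digest;
        try {
            digest = Files.asByteSource(path.toFile()).hash(Hashing.sha256()).asBytes();
        } catch (IOException e) {
            // Keep the I/O cause attached so the caller can tell a missing file from a bad signature.
            throw new KeylessVerificationException("Could not hash provided artifact path: " + path, e);
        }
        verify(digest, keylessVerificationRequest);
    }

    /**
     * Verifies a keyless signature against a sha256 artifact digest.
     *
     * @param bArr sha256 digest of the artifact being verified
     * @param keylessVerificationRequest signature material plus verification options
     * @throws KeylessVerificationException if any verification step fails
     * @throws RuntimeException if the leaf certificate's key or algorithm is unsupported by the JVM
     */
    public void verify(byte[] bArr, KeylessVerificationRequest keylessVerificationRequest) throws KeylessVerificationException {
        KeylessSignature keylessSignature = keylessVerificationRequest.getKeylessSignature();
        KeylessVerificationRequest.VerificationOptions options = keylessVerificationRequest.getVerificationOptions();
        SigningCertificate signingCertificate = SigningCertificate.from(keylessSignature.getCertPath());
        X509Certificate leafCertificate = signingCertificate.getLeafCertificate();

        // The digest the caller computed must be exactly the digest the signature claims to
        // cover; otherwise a genuine signature over some other artifact would pass every
        // check below.
        if (!Arrays.equals(bArr, keylessSignature.getDigest())) {
            throw new KeylessVerificationException("Provided artifact sha256 digest does not match digest used for verification\nprovided(hex) : " + Hex.toHexString(bArr) + "\nverification  : " + Hex.toHexString(keylessSignature.getDigest()));
        }

        // 1. The certificate chain must lead to the configured Fulcio root.
        try {
            this.fulcioVerifier.verifyCertChain(signingCertificate);
        } catch (FulcioVerificationException e) {
            throw new KeylessVerificationException("Fulcio certificate was not valid: " + e.getMessage(), e);
        }

        // 2. The embedded SCT must be signed by one of the configured CT log keys.
        try {
            this.fulcioVerifier.verifySct(signingCertificate);
        } catch (FulcioVerificationException e) {
            throw new KeylessVerificationException("Fulcio certificate SCT was not valid: " + e.getMessage(), e);
        }

        // 3. Identity pinning is applied only when the request names identities. With an
        //    empty list, any certificate chaining to the Fulcio root is accepted here.
        //    (mo1getCertificateIdentities is the accessor name as it appears in this class.)
        if (options.mo1getCertificateIdentities().size() > 0) {
            try {
                new FulcioCertificateVerifier().verifyCertificateMatches(leafCertificate, options.mo1getCertificateIdentities());
            } catch (FulcioVerificationException e) {
                throw new KeylessVerificationException("Could not verify certificate identities: " + e.getMessage(), e);
            }
        }

        byte[] signature = keylessSignature.getSignature();
        RekorEntry rekorEntry = options.isOnline()
                ? getEntryFromRekor(bArr, leafCertificate, signature)
                : keylessSignature.getEntry().orElseThrow(
                        () -> new KeylessVerificationException("No rekor entry was provided for offline verification"));

        // 4. The Rekor entry must be signed by the configured Rekor key.
        try {
            this.rekorVerifier.verifyEntry(rekorEntry);
        } catch (RekorVerificationException e) {
            throw new KeylessVerificationException("Rekor entry signature was not valid", e);
        }

        // 5. An entry fetched online must carry an inclusion proof. An offline entry without
        //    one is accepted on the strength of its signature alone.
        if (rekorEntry.getVerification().getInclusionProof().isPresent()) {
            try {
                this.rekorVerifier.verifyInclusionProof(rekorEntry);
            } catch (RekorVerificationException e) {
                throw new KeylessVerificationException("Rekor entry inclusion proof was not valid", e);
            }
        } else if (options.isOnline()) {
            throw new KeylessVerificationException("Fetched rekor entry did not contain inclusion proof");
        }

        // 6. The certificate must have been valid when Rekor recorded the signature, not now:
        //    Fulcio certificates are short-lived and are normally expired by verification time.
        //    checkValidity requires java.util.Date; the file imports java.sql.Date, so qualify.
        try {
            leafCertificate.checkValidity(java.util.Date.from(Instant.ofEpochSecond(rekorEntry.getIntegratedTime())));
        } catch (CertificateExpiredException e) {
            throw new KeylessVerificationException("Signing time was after certificate expiry", e);
        } catch (CertificateNotYetValidException e) {
            throw new KeylessVerificationException("Signing time was before certificate validity", e);
        }

        // 7. Finally, the signature over the digest must verify under the leaf's public key.
        try {
            if (!Verifiers.newVerifier(leafCertificate.getPublicKey()).verifyDigest(bArr, signature)) {
                throw new KeylessVerificationException("Artifact signature was not valid");
            }
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            // An unsupported key type or algorithm is an environment problem, not a verification verdict.
            throw new RuntimeException(e);
        } catch (SignatureException e) {
            throw new KeylessVerificationException("Signature could not be processed: " + e.getMessage(), e);
        }
    }

    /**
     * Recreates the hashedrekord that the signer would have uploaded and looks it up in Rekor.
     *
     * @param bArr sha256 digest of the artifact
     * @param certificate the signing (leaf) certificate
     * @param bArr2 signature over the digest
     * @return the matching Rekor entry
     * @throws KeylessVerificationException if the certificate cannot be PEM-encoded, the
     *     lookup fails, or no entry exists
     */
    private RekorEntry getEntryFromRekor(byte[] bArr, Certificate certificate, byte[] bArr2) throws KeylessVerificationException {
        // Two separate try blocks so each failure mode gets its own message and cause.
        byte[] certificatePem;
        try {
            certificatePem = Certificates.toPemBytes(certificate);
        } catch (IOException e) {
            throw new KeylessVerificationException("Could not convert certificate to PEM when recreating hashrekord", e);
        }

        Optional<RekorEntry> entry;
        try {
            entry = this.rekorClient.getEntry(HashedRekordRequest.newHashedRekordRequest(bArr, certificatePem, bArr2));
        } catch (IOException e) {
            throw new KeylessVerificationException("Could not retreive rekor entry", e);
        }

        return entry.orElseThrow(() -> new KeylessVerificationException("Rekor entry was not found"));
    }
}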
