package dev.sigstore.bundle;

import com.google.protobuf.ByteString;
import com.google.protobuf.util.JsonFormat;
import dev.sigstore.KeylessSignature;
import dev.sigstore.encryption.certificates.Certificates;
import dev.sigstore.proto.bundle.v1.Bundle;
import dev.sigstore.proto.bundle.v1.VerificationMaterial;
import dev.sigstore.proto.common.v1.HashAlgorithm;
import dev.sigstore.proto.common.v1.HashOutput;
import dev.sigstore.proto.common.v1.LogId;
import dev.sigstore.proto.common.v1.MessageSignature;
import dev.sigstore.proto.common.v1.X509Certificate;
import dev.sigstore.proto.common.v1.X509CertificateChain;
import dev.sigstore.proto.rekor.v1.Checkpoint;
import dev.sigstore.proto.rekor.v1.InclusionPromise;
import dev.sigstore.proto.rekor.v1.InclusionProof;
import dev.sigstore.proto.rekor.v1.KindVersion;
import dev.sigstore.proto.rekor.v1.TransparencyLogEntry;
import dev.sigstore.rekor.client.ImmutableInclusionProof;
import dev.sigstore.rekor.client.ImmutableRekorEntry;
import dev.sigstore.rekor.client.ImmutableVerification;
import dev.sigstore.rekor.client.RekorEntry;
import java.io.IOException;
import java.io.Reader;
import java.security.cert.CertPath;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: input_file:dev/sigstore/bundle/BundleFactoryInternal.class */
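/**
 * Package-internal conversions between {@link KeylessSignature} and the Sigstore bundle protobuf
 * ({@link Bundle}).
 *
 * <p>Everything in this class is format conversion. No signature, certificate chain, signed entry
 * timestamp or inclusion proof is checked here, so the result of {@link #readBundle(Reader)} is
 * still untrusted input until a verifier has processed it.
 */
class BundleFactoryInternal {
    static final JsonFormat.Printer JSON_PRINTER = JsonFormat.printer();

    BundleFactoryInternal() {
    }

    /**
     * Builds a bundle (media type version 0.1) from a keyless signature.
     *
     * <p>The digest is always labelled {@code SHA2_256}; this method does not inspect the digest
     * bytes, so the caller is responsible for supplying a SHA-256 digest.
     *
     * @param keylessSignature the signature, certificate path and optional log entry to serialize
     * @return a bundle builder holding the verification material and message signature
     * @throws IllegalArgumentException if a certificate in the path cannot be DER-encoded
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static Bundle.Builder createBundleBuilder(KeylessSignature keylessSignature) {
        return Bundle.newBuilder()
                .setMediaType("application/vnd.dev.sigstore.bundle+json;version=0.1")
                .setVerificationMaterial(buildVerificationMaterial(keylessSignature))
                .setMessageSignature(MessageSignature.newBuilder()
                        .setMessageDigest(HashOutput.newBuilder()
                                .setAlgorithm(HashAlgorithm.SHA2_256)
                                .setDigest(ByteString.copyFrom(keylessSignature.getDigest())))
                        .setSignature(ByteString.copyFrom(keylessSignature.getSignature())));
    }

    /**
     * Converts the certificate path, and the log entry when one is present, into verification
     * material.
     *
     * @throws IllegalArgumentException if a certificate cannot be DER-encoded
     */
    private static VerificationMaterial.Builder buildVerificationMaterial(KeylessSignature keylessSignature) {
        List<X509Certificate> chain = new ArrayList<>();
        for (java.security.cert.Certificate certificate : keylessSignature.getCertPath().getCertificates()) {
            try {
                chain.add(X509Certificate.newBuilder().setRawBytes(ByteString.copyFrom(certificate.getEncoded())).build());
            } catch (CertificateEncodingException e) {
                throw new IllegalArgumentException("Cannot encode certificate " + certificate, e);
            }
        }
        VerificationMaterial.Builder material = VerificationMaterial.newBuilder()
                .setX509CertificateChain(X509CertificateChain.newBuilder().addAllCertificates(chain));
        Optional<RekorEntry> entry = keylessSignature.getEntry();
        if (entry.isPresent()) {
            material.addTlogEntries(buildTlogEntries(entry.get()));
        }
        return material;
    }

    /**
     * Converts a Rekor entry into a bundle transparency log entry.
     *
     * <p>The log id and hashes are hex-decoded and the body and signed entry timestamp are
     * base64-decoded; malformed encodings surface as unchecked exceptions from those decoders.
     */
    private static TransparencyLogEntry.Builder buildTlogEntries(RekorEntry rekorEntry) {
        TransparencyLogEntry.Builder tlogEntry = TransparencyLogEntry.newBuilder()
                .setLogIndex(rekorEntry.getLogIndex())
                .setLogId(LogId.newBuilder().setKeyId(ByteString.fromHex(rekorEntry.getLogID())))
                .setKindVersion(KindVersion.newBuilder()
                        .setKind(rekorEntry.getBodyDecoded().getKind())
                        .setVersion(rekorEntry.getBodyDecoded().getApiVersion()))
                .setIntegratedTime(rekorEntry.getIntegratedTime())
                .setInclusionPromise(InclusionPromise.newBuilder()
                        .setSignedEntryTimestamp(ByteString.copyFrom(
                                Base64.getDecoder().decode(rekorEntry.getVerification().getSignedEntryTimestamp()))))
                .setCanonicalizedBody(ByteString.copyFrom(Base64.getDecoder().decode(rekorEntry.getBody())));
        addInclusionProof(tlogEntry, rekorEntry);
        return tlogEntry;
    }

    /** Copies the entry's inclusion proof into {@code builder}; does nothing when the entry has none. */
    private static void addInclusionProof(TransparencyLogEntry.Builder builder, RekorEntry rekorEntry) {
        RekorEntry.InclusionProof proof = rekorEntry.getVerification().getInclusionProof().orElse(null);
        if (proof == null) {
            return;
        }
        // mo514getHashes is a decompiler-renamed accessor (presumably getHashes() in the original source).
        List<ByteString> hashes = proof.mo514getHashes().stream().map(ByteString::fromHex).collect(Collectors.toList());
        builder.setInclusionProof(InclusionProof.newBuilder()
                .setLogIndex(proof.getLogIndex().longValue())
                .setRootHash(ByteString.fromHex(proof.getRootHash()))
                .setTreeSize(proof.getTreeSize().longValue())
                .addAllHashes(hashes)
                .setCheckpoint(Checkpoint.newBuilder().setEnvelope(proof.getCheckpoint())));
    }

    /**
     * Parses bundle JSON into a {@link KeylessSignature}.
     *
     * <p>This only parses. The returned signature, certificate path and log entry are
     * attacker-controllable until they have been verified.
     *
     * @param reader source of the bundle JSON
     * @return the signature, digest, certificate path and first transparency log entry of the bundle
     * @throws BundleParseException if the JSON cannot be read, the bundle has no tlog entry, no
     *     message signature or no certificate, the digest algorithm is not {@code SHA2_256}, or a
     *     certificate cannot be parsed
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static KeylessSignature readBundle(Reader reader) throws BundleParseException {
        Bundle.Builder bundleBuilder = Bundle.newBuilder();
        try {
            JsonFormat.parser().merge(reader, bundleBuilder);
        } catch (IOException e) {
            throw new BundleParseException("Could not read bundle json", e);
        }
        Bundle bundle = bundleBuilder.build();
        // NOTE(review): the media type is written by createBundleBuilder but never checked here.

        if (bundle.getVerificationMaterial().getTlogEntriesCount() == 0) {
            throw new BundleParseException("Could not find any tlog entries in bundle json");
        }
        // Only the first entry is consumed; any further tlog entries in the bundle are ignored.
        TransparencyLogEntry tlogEntry = bundle.getVerificationMaterial().getTlogEntries(0);

        ImmutableInclusionProof inclusionProof = null;
        if (tlogEntry.hasInclusionProof()) {
            InclusionProof proof = tlogEntry.getInclusionProof();
            List<String> hashes = proof.getHashesList().stream()
                    .map(ByteString::toByteArray)
                    .map(Hex::toHexString)
                    .collect(Collectors.toList());
            inclusionProof = ImmutableInclusionProof.builder()
                    .logIndex(Long.valueOf(proof.getLogIndex()))
                    .rootHash(Hex.toHexString(proof.getRootHash().toByteArray()))
                    .treeSize(Long.valueOf(proof.getTreeSize()))
                    .checkpoint(proof.getCheckpoint().getEnvelope())
                    .addAllHashes(hashes)
                    .build();
        }

        // NOTE(review): the inclusion promise is read without a presence check, so a bundle that
        // lacks one yields an empty signed entry timestamp; confirm the verifier rejects that.
        ImmutableRekorEntry rekorEntry = ImmutableRekorEntry.builder()
                .integratedTime(tlogEntry.getIntegratedTime())
                .logID(Hex.toHexString(tlogEntry.getLogId().getKeyId().toByteArray()))
                .logIndex(tlogEntry.getLogIndex())
                .body(Base64.getEncoder().encodeToString(tlogEntry.getCanonicalizedBody().toByteArray()))
                .verification(ImmutableVerification.builder()
                        .signedEntryTimestamp(Base64.getEncoder().encodeToString(
                                tlogEntry.getInclusionPromise().getSignedEntryTimestamp().toByteArray()))
                        .inclusionProof(Optional.ofNullable(inclusionProof))
                        .build())
                .build();

        // Without this check a bundle carrying no message signature falls through to the
        // algorithm check below and is reported as an unsupported digest type.
        if (!bundle.hasMessageSignature()) {
            throw new BundleParseException("Could not find a message signature in bundle json");
        }
        HashAlgorithm algorithm = bundle.getMessageSignature().getMessageDigest().getAlgorithm();
        if (algorithm != HashAlgorithm.SHA2_256) {
            throw new BundleParseException("Cannot read message digests of type " + algorithm + ", only " + HashAlgorithm.SHA2_256 + " is supported");
        }

        // An empty chain would otherwise become an empty CertPath and be handed on as if the
        // bundle carried a signing certificate.
        List<X509Certificate> certificates = bundle.getVerificationMaterial().getX509CertificateChain().getCertificatesList();
        if (certificates.isEmpty()) {
            throw new BundleParseException("Could not find any certificates in bundle json");
        }
        try {
            return KeylessSignature.builder()
                    .digest(bundle.getMessageSignature().getMessageDigest().getDigest().toByteArray())
                    .certPath(toCertPath(certificates))
                    .signature(bundle.getMessageSignature().getSignature().toByteArray())
                    .entry(rekorEntry)
                    .build();
        } catch (CertificateException e) {
            throw new BundleParseException("Could not parse bundle certificate chain", e);
        }
    }

    /**
     * Parses each DER-encoded bundle certificate and assembles them, in list order, into a
     * {@link CertPath}. The path is not validated against any trust root here.
     *
     * @throws CertificateException if a certificate cannot be parsed or the path cannot be built
     */
    private static CertPath toCertPath(List<X509Certificate> list) throws CertificateException {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        List<java.security.cert.Certificate> parsed = new ArrayList<>(list.size());
        for (X509Certificate certificate : list) {
            parsed.add(Certificates.fromDer(certificate.getRawBytes().toByteArray()));
        }
        return certificateFactory.generateCertPath(parsed);
    }
}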
