package dev.sigstore.fulcio.client;

import com.google.common.annotations.VisibleForTesting;
import dev.sigstore.encryption.certificates.Certificates;
import dev.sigstore.encryption.certificates.transparency.CTLogInfo;
import dev.sigstore.encryption.certificates.transparency.CTVerificationResult;
import dev.sigstore.encryption.certificates.transparency.CTVerifier;
import dev.sigstore.encryption.certificates.transparency.SignedCertificateTimestamp;
import dev.sigstore.encryption.certificates.transparency.VerifiedSCT;
import dev.sigstore.trustroot.CertificateAuthorities;
import dev.sigstore.trustroot.CertificateAuthority;
import dev.sigstore.trustroot.SigstoreTrustedRoot;
import dev.sigstore.trustroot.TransparencyLog;
import dev.sigstore.trustroot.TransparencyLogs;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.spec.InvalidKeySpecException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/* loaded from: input_file:dev/sigstore/fulcio/client/FulcioVerifier.class */
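/**
 * Verifies a Fulcio-issued signing certificate against a Sigstore trusted root.
 *
 * <p>Verification has two independent parts, run in order by {@link #verifySigningCertificate}:
 * {@link #validateCertPath} rebuilds a chain to one of the configured certificate authorities
 * and runs PKIX path validation on it, and {@link #verifySct} requires that the leaf carry at
 * least one embedded SCT that verifies cryptographically and names a transparency log known to
 * the trusted root at the SCT's timestamp.
 *
 * <p>Instances only hold references to the trust material given at construction and keep no
 * mutable state across calls.
 */
public class FulcioVerifier {
    /** Certificate authorities (each with its own cert path) that may have issued the leaf. */
    private final CertificateAuthorities cas;
    /** Certificate transparency logs whose SCTs are accepted, bounded by their validity period. */
    private final TransparencyLogs ctLogs;
    /** Cryptographic SCT verifier, resolving log ids against {@link #ctLogs}. */
    private final CTVerifier ctVerifier;

    /**
     * Creates a verifier from the CAs and CT logs of a Sigstore trusted root.
     *
     * @param sigstoreTrustedRoot the trusted root supplying CAs and CT logs
     * @return a verifier bound to that trust material
     * @throws CertificateException if a CA's cert path cannot be turned into a trust anchor
     * @throws InvalidKeySpecException if a CT log's public key cannot be converted
     * @throws NoSuchAlgorithmException if a CT log's key algorithm is unavailable
     * @throws InvalidAlgorithmParameterException if the trust material is unusable for PKIX
     */
    public static FulcioVerifier newFulcioVerifier(SigstoreTrustedRoot sigstoreTrustedRoot)
            throws InvalidAlgorithmParameterException, CertificateException,
                    InvalidKeySpecException, NoSuchAlgorithmException {
        return newFulcioVerifier(sigstoreTrustedRoot.getCAs(), sigstoreTrustedRoot.getCTLogs());
    }

    /**
     * Creates a verifier from explicit CA and CT log sets.
     *
     * <p>Every CA is converted to a trust anchor once here so that bad trust material fails at
     * construction; {@link #validateCertPath} repeats the conversion and treats a failure there
     * as a programming error.
     *
     * @param certificateAuthorities CAs that may have issued leaves handed to this verifier
     * @param transparencyLogs CT logs whose SCTs are accepted
     * @return a verifier bound to that trust material
     * @throws CertificateException if a CA's cert path cannot be turned into a trust anchor
     * @throws InvalidKeySpecException if a CT log's public key cannot be converted
     * @throws NoSuchAlgorithmException if a CT log's key algorithm is unavailable
     * @throws InvalidAlgorithmParameterException if the trust material is unusable for PKIX
     */
    public static FulcioVerifier newFulcioVerifier(
            CertificateAuthorities certificateAuthorities, TransparencyLogs transparencyLogs)
            throws InvalidKeySpecException, NoSuchAlgorithmException,
                    InvalidAlgorithmParameterException, CertificateException {
        // Every known log is handed to the CT verifier regardless of its validity period; whether
        // a log was valid at the SCT's timestamp is checked later in verifyEmbeddedScts.
        List<CTLogInfo> logInfos = new ArrayList<>();
        for (TransparencyLog log : transparencyLogs.all()) {
            logInfos.add(
                    new CTLogInfo(
                            log.getPublicKey().toJavaPublicKey(),
                            "CT Log",
                            log.getBaseUrl().toString()));
        }
        // The verifier resolves the log id carried in an SCT to a log; an unknown id yields null.
        CTVerifier ctVerifier =
                new CTVerifier(
                        logId ->
                                logInfos.stream()
                                        .filter(info -> Arrays.equals(info.getID(), logId))
                                        .findFirst()
                                        .orElse(null));
        // Fail fast on unusable CA material (see class-level note on validateCertPath).
        for (CertificateAuthority ca : certificateAuthorities.all()) {
            ca.asTrustAnchor();
        }
        return new FulcioVerifier(certificateAuthorities, transparencyLogs, ctVerifier);
    }

    private FulcioVerifier(
            CertificateAuthorities certificateAuthorities,
            TransparencyLogs transparencyLogs,
            CTVerifier ctVerifier) {
        this.cas = certificateAuthorities;
        this.ctLogs = transparencyLogs;
        this.ctVerifier = ctVerifier;
    }

    /**
     * Checks that the leaf of {@code certPath} carries an acceptable embedded SCT.
     *
     * @param certPath the (already path-validated) chain whose leaf is inspected
     * @throws FulcioVerificationException if no CT logs are configured, the leaf embeds no SCTs,
     *     or no embedded SCT is both valid and from a log known at its timestamp
     */
    @VisibleForTesting
    void verifySct(CertPath certPath) throws FulcioVerificationException {
        if (this.ctLogs.size() == 0) {
            throw new FulcioVerificationException("No ct logs were provided to verifier");
        }
        // An absent SCT extension is a hard failure: the leaf must prove it was logged.
        if (!Certificates.getEmbeddedSCTs(Certificates.getLeaf(certPath)).isPresent()) {
            throw new FulcioVerificationException("No valid SCTs were found during verification");
        }
        verifyEmbeddedScts(certPath);
    }

    /**
     * Verifies the SCTs embedded in the chain and accepts the first one whose log the trusted
     * root considers valid at the SCT's timestamp.
     *
     * @param certPath chain whose certificates are checked for embedded SCTs
     * @throws FulcioVerificationException if the certificates cannot be encoded for
     *     verification, or if no SCT passes both the signature and the log-validity check
     */
    private void verifyEmbeddedScts(CertPath certPath) throws FulcioVerificationException {
        CTVerificationResult result;
        try {
            result =
                    this.ctVerifier.verifySignedCertificateTimestamps(
                            certPath.getCertificates(), null, null);
        } catch (CertificateEncodingException e) {
            throw new FulcioVerificationException(
                    "Certificates could not be parsed during SCT verification", e);
        }
        // A cryptographically valid SCT is only accepted if its log was valid, per the trusted
        // root, at the time the SCT claims; a single such SCT is sufficient.
        for (VerifiedSCT verified : result.getValidSCTs()) {
            SignedCertificateTimestamp sct = verified.sct;
            Instant loggedAt = Instant.ofEpochMilli(sct.getTimestamp());
            if (this.ctLogs.find(sct.getLogID(), loggedAt).isPresent()) {
                return;
            }
        }
        int total = result.getValidSCTs().size() + result.getInvalidSCTs().size();
        throw new FulcioVerificationException(
                "No valid SCTs were found, all(" + total + ") SCTs were invalid");
    }

    /**
     * Runs PKIX path validation against the configured CAs and then the embedded-SCT check on
     * the resulting chain.
     *
     * @param certPath the signing certificate chain to verify
     * @throws FulcioVerificationException if either check fails
     * @throws IOException declared for callers; not thrown by the current implementation
     */
    public void verifySigningCertificate(CertPath certPath)
            throws FulcioVerificationException, IOException {
        verifySct(validateCertPath(certPath));
    }

    /**
     * Finds a configured CA that validates {@code certPath} and returns the chain anchored at it.
     *
     * <p>Candidate CAs are those valid at the leaf's {@code notBefore}. For each candidate the
     * chain is completed with the CA's own cert path (or, if {@code certPath} is already
     * self-signed, required to contain the CA's path) and PKIX-validated with revocation
     * disabled and the validation time pinned to the leaf's {@code notBefore}. The first CA
     * that validates wins; failures per CA are collected into the error message.
     *
     * @param certPath the chain to validate
     * @return the validated chain, extended with the matching CA's cert path when needed
     * @throws FulcioVerificationException if no CA was valid at the leaf's issue time, or none
     *     validates the chain
     * @throws RuntimeException if the platform lacks a PKIX validator or a CA that passed
     *     construction-time checks can no longer be used as a trust anchor
     */
    CertPath validateCertPath(CertPath certPath) throws FulcioVerificationException {
        CertPathValidator validator;
        try {
            validator = CertPathValidator.getInstance("PKIX");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(
                    "No PKIX CertPathValidator, we probably shouldn't be here, but this seems to be a system library error not a program control flow issue",
                    e);
        }

        // Only CAs that were valid when the leaf was issued are candidates.
        Instant leafNotBefore = Certificates.getLeaf(certPath).getNotBefore().toInstant();
        List<CertificateAuthority> candidates = this.cas.find(leafNotBefore);
        if (candidates.isEmpty()) {
            throw new FulcioVerificationException(
                    "No valid Certificate Authorities found when validating certificate");
        }

        // Per-CA failure reasons, in candidate order, so the error message is deterministic.
        Map<String, String> failures = new LinkedHashMap<>();
        for (CertificateAuthority ca : candidates) {
            PKIXParameters params;
            try {
                params = new PKIXParameters(Collections.singleton(ca.asTrustAnchor()));
            } catch (InvalidAlgorithmParameterException | CertificateException e) {
                throw new RuntimeException(
                        "Can't create PKIX parameters for fulcioRoot. This should have been checked when generating a verifier instance",
                        e);
            }
            // Revocation is deliberately not checked. NOTE(review): presumably acceptable because
            // the trust anchors come from the trusted root and Fulcio leaves are short-lived —
            // confirm against the issuance policy this verifier is used with.
            params.setRevocationEnabled(false);
            // Validation is pinned to the leaf's notBefore rather than "now", so a leaf whose
            // validity window has already closed still validates. NOTE(review): this relies on
            // the SCT check (and whatever attests the signing time upstream) to bound when the
            // certificate was used — confirm.
            params.setDate(Date.from(leafNotBefore));

            try {
                CertPath chain;
                if (Certificates.isSelfSigned(certPath)) {
                    // The chain already ends in a root: it must be this CA's root, not any root.
                    if (!Certificates.containsParent(certPath, ca.getCertPath())) {
                        failures.put(ca.getUri().toString(), "Trusted root in chain does not match");
                        continue;
                    }
                    chain = certPath;
                } else {
                    chain = Certificates.append(ca.getCertPath(), certPath);
                }
                validator.validate(chain, params);
                return chain;
            } catch (InvalidAlgorithmParameterException
                    | CertPathValidatorException
                    | CertificateException e) {
                // This CA did not validate the chain; record why and try the next candidate.
                failures.put(ca.getUri().toString(), e.getMessage());
            }
        }

        String report =
                failures.entrySet().stream()
                        .map(entry -> entry.getKey() + " (" + entry.getValue() + ")")
                        .collect(Collectors.joining("\n"));
        throw new FulcioVerificationException(
                "Certificate was not verifiable against CAs\n" + report);
    }
}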
