package dev.sigstore.encryption.certificates;

import com.google.api.client.util.PemReader;
import com.google.common.collect.ImmutableList;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;

/* loaded from: input_file:dev/sigstore/encryption/certificates/Certificates.class */
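/**
 * Static helpers for converting X.509 certificates and certificate paths between PEM, DER and
 * {@link CertPath} form, plus a few structural queries on paths.
 *
 * <p>Security note: nothing in this class verifies signatures, validity periods or chain linkage.
 * Every method here only parses, serializes or reshapes certificate data. A {@link CertPath}
 * returned from this class is an ordered list of certificates, not a validated chain; trust
 * decisions need separate path validation (for example with {@code
 * java.security.cert.CertPathValidator}) against an explicit set of trust anchors.
 */
public class Certificates {
    /** OID of the X.509 extension holding embedded signed certificate timestamps. */
    private static final String SCT_X509_OID = "1.3.6.1.4.1.11129.2.4.2";

    /** Returns a fresh X.509 {@link CertificateFactory} from the default provider lookup. */
    private static CertificateFactory x509Factory() throws CertificateException {
        return CertificateFactory.getInstance("X.509");
    }

    /**
     * Serializes a single certificate as a PEM string.
     *
     * @param certificate the certificate to encode
     * @return the PEM text produced by {@link JcaPEMWriter}
     * @throws IOException if the writer fails to encode or flush the certificate
     */
    public static String toPemString(Certificate certificate) throws IOException {
        StringWriter buffer = new StringWriter();
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(buffer)) {
            pemWriter.writeObject(certificate);
            pemWriter.flush();
        }
        // Read the buffer only after the writer has been closed, as the original did.
        return buffer.toString();
    }

    /**
     * Serializes a single certificate as UTF-8 encoded PEM bytes.
     *
     * @param certificate the certificate to encode
     * @return UTF-8 bytes of {@link #toPemString(Certificate)}
     * @throws IOException if PEM encoding fails
     */
    public static byte[] toPemBytes(Certificate certificate) throws IOException {
        return toPemString(certificate).getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Parses PEM text that must contain exactly one certificate.
     *
     * @param str PEM text
     * @return the single parsed certificate (parsed only, not validated)
     * @throws CertificateException if no certificate is found, if parsing fails, or if more than
     *     one certificate is present
     */
    public static Certificate fromPem(String str) throws CertificateException {
        List<? extends Certificate> parsed = fromPemChain(str).getCertificates();
        // fromPemChain already rejects empty input, so only the "too many" case is checked here.
        if (parsed.size() > 1) {
            throw new CertificateException("Found chain of length " + parsed.size() + " when parsing a single cert");
        }
        return parsed.get(0);
    }

    /**
     * Parses UTF-8 encoded PEM bytes that must contain exactly one certificate.
     *
     * @param bArr UTF-8 encoded PEM text
     * @return the single parsed certificate (parsed only, not validated)
     * @throws CertificateException see {@link #fromPem(String)}
     */
    public static Certificate fromPem(byte[] bArr) throws CertificateException {
        return fromPem(new String(bArr, StandardCharsets.UTF_8));
    }

    /**
     * Parses one certificate from its encoded bytes using the X.509 certificate factory.
     *
     * <p>NOTE(review): the accepted encodings are decided by the underlying factory provider; some
     * providers are known to accept PEM-armored input here as well. Confirm against the deployed
     * provider if strict DER-only input is a requirement.
     *
     * @param bArr encoded certificate bytes
     * @return the parsed certificate (parsed only, not validated)
     * @throws CertificateException if the bytes cannot be parsed
     */
    public static Certificate fromDer(byte[] bArr) throws CertificateException {
        return x509Factory().generateCertificate(new ByteArrayInputStream(bArr));
    }

    /**
     * Parses each element as a certificate and assembles them, in list order, into a path.
     *
     * @param list encoded certificates, in the order they should appear in the path
     * @return a path holding the parsed certificates; the ordering and linkage are not checked
     * @throws CertificateException if any element cannot be parsed or the path cannot be built
     */
    public static CertPath fromDer(List<byte[]> list) throws CertificateException {
        List<Certificate> parsed = new ArrayList<>(list.size());
        for (byte[] encoded : list) {
            parsed.add(fromDer(encoded));
        }
        return x509Factory().generateCertPath(parsed);
    }

    /**
     * Serializes every certificate of a path, in path order, as concatenated PEM text.
     *
     * @param certPath the path to encode
     * @return the PEM text produced by {@link JcaPEMWriter}
     * @throws IOException if the writer fails to encode or flush a certificate
     */
    public static String toPemString(CertPath certPath) throws IOException {
        StringWriter buffer = new StringWriter();
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(buffer)) {
            for (Certificate certificate : certPath.getCertificates()) {
                pemWriter.writeObject(certificate);
            }
            pemWriter.flush();
        }
        return buffer.toString();
    }

    /**
     * Serializes a path as UTF-8 encoded PEM bytes.
     *
     * @param certPath the path to encode
     * @return UTF-8 bytes of {@link #toPemString(CertPath)}
     * @throws IOException if PEM encoding fails
     */
    public static byte[] toPemBytes(CertPath certPath) throws IOException {
        return toPemString(certPath).getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Parses every PEM section in the text as an X.509 certificate and builds a path from them
     * in the order they appear.
     *
     * <p>Sections are not filtered by their PEM label: whatever section the reader returns is
     * handed to the certificate parser, which is expected to reject non-certificate content.
     * The resulting path is not validated in any way.
     *
     * @param str PEM text holding one or more certificates
     * @return a path of the parsed certificates, in input order
     * @throws CertificateParsingException if a PEM section cannot be read or decoded, or if the
     *     input contains no certificates
     * @throws CertificateException if a decoded section is not a parseable certificate
     */
    public static CertPath fromPemChain(String str) throws CertificateException {
        PemReader pemReader = new PemReader(new StringReader(str));
        try {
            CertificateFactory factory = x509Factory();
            List<X509Certificate> chain = new ArrayList<>();
            while (true) {
                try {
                    PemReader.Section section = pemReader.readNextSection();
                    if (section == null) {
                        break;
                    }
                    chain.add((X509Certificate) factory.generateCertificate(new ByteArrayInputStream(section.getBase64DecodedBytes())));
                } catch (IOException | IllegalArgumentException e) {
                    // Read and Base64 failures are reported as parsing errors, cause preserved.
                    throw new CertificateParsingException("Error reading PEM section in cert chain", e);
                }
            }
            if (chain.isEmpty()) {
                throw new CertificateParsingException("no valid PEM certificates were found");
            }
            return factory.generateCertPath(chain);
        } finally {
            try {
                pemReader.close();
            } catch (IOException ignored) {
                // Best effort: the reader wraps an in-memory string, so a close failure must not
                // replace the parse result or the original exception.
            }
        }
    }

    /**
     * Parses UTF-8 encoded PEM bytes into a certificate path.
     *
     * @param bArr UTF-8 encoded PEM text holding one or more certificates
     * @return a path of the parsed certificates, in input order (not validated)
     * @throws CertificateException see {@link #fromPemChain(String)}
     */
    public static CertPath fromPemChain(byte[] bArr) throws CertificateException {
        return fromPemChain(new String(bArr, StandardCharsets.UTF_8));
    }

    /**
     * Wraps a single certificate in a path of length one.
     *
     * @param certificate the certificate to wrap
     * @return a path containing only {@code certificate}
     * @throws CertificateException if the path cannot be built
     */
    public static CertPath toCertPath(Certificate certificate) throws CertificateException {
        return x509Factory().generateCertPath(Collections.singletonList(certificate));
    }

    /**
     * Concatenates two paths, placing the certificates of {@code certPath2} first and those of
     * {@code certPath} after them.
     *
     * <p>No check is made that the last certificate of {@code certPath2} was issued by the first
     * certificate of {@code certPath}; the result is only a concatenation.
     *
     * @param certPath the path whose certificates end up at the tail of the result
     * @param certPath2 the path whose certificates end up at the head of the result
     * @return the combined path
     * @throws CertificateException if the path cannot be built
     */
    public static CertPath append(CertPath certPath, CertPath certPath2) throws CertificateException {
        List<Certificate> combined = ImmutableList.<Certificate>builder()
                .addAll(certPath2.getCertificates())
                .addAll(certPath.getCertificates())
                .build();
        return x509Factory().generateCertPath(combined);
    }

    /**
     * Removes a trailing parent path from a path.
     *
     * @param certPath the full path
     * @param certPath2 the parent path expected at the tail of {@code certPath}
     * @return {@code certPath} without its last {@code certPath2.getCertificates().size()}
     *     certificates
     * @throws IllegalArgumentException if {@code certPath2} is not the tail of {@code certPath}
     * @throws CertificateException if the trimmed path cannot be built
     */
    public static CertPath trimParent(CertPath certPath, CertPath certPath2) throws CertificateException {
        if (!containsParent(certPath, certPath2)) {
            throw new IllegalArgumentException("trim path was not the parent of the provider chain");
        }
        List<? extends Certificate> full = certPath.getCertificates();
        int keep = full.size() - certPath2.getCertificates().size();
        return x509Factory().generateCertPath(full.subList(0, keep));
    }

    /**
     * Reports whether the certificates of {@code certPath2} form the tail of {@code certPath}.
     *
     * <p>The comparison uses {@code equals} on the certificate lists; it is a structural match,
     * not a verification that the parent certificates actually issued the ones before them.
     *
     * @param certPath the full path
     * @param certPath2 the candidate parent path
     * @return {@code true} if {@code certPath} ends with exactly the certificates of
     *     {@code certPath2}
     */
    public static boolean containsParent(CertPath certPath, CertPath certPath2) {
        List<? extends Certificate> full = certPath.getCertificates();
        List<? extends Certificate> parent = certPath2.getCertificates();
        if (parent.size() > full.size()) {
            return false;
        }
        return full.subList(full.size() - parent.size(), full.size()).equals(parent);
    }

    /**
     * Returns the raw value of the embedded SCT extension, if the certificate carries one.
     *
     * <p>The bytes are returned exactly as {@link X509Certificate#getExtensionValue(String)}
     * provides them; they are neither decoded nor verified here, so the timestamps still have to
     * be parsed and checked against trusted log keys by the caller.
     *
     * @param certificate the certificate to inspect; must be an {@link X509Certificate}
     * @return the extension value, or empty if the extension is absent
     * @throws ClassCastException if {@code certificate} is not an {@link X509Certificate}
     */
    public static Optional<byte[]> getEmbeddedSCTs(Certificate certificate) {
        return Optional.ofNullable(((X509Certificate) certificate).getExtensionValue(SCT_X509_OID));
    }

    /**
     * Reports whether a certificate's issuer name equals its subject name.
     *
     * <p>Security note: this is a name comparison only. The signature is not verified against
     * the certificate's own public key, so a {@code true} result means "self-issued by name" and
     * must not be used on its own as evidence that the certificate is a genuine root or trust
     * anchor.
     *
     * @param certificate the certificate to inspect; must be an {@link X509Certificate}
     * @return {@code true} if issuer and subject principals are equal
     * @throws ClassCastException if {@code certificate} is not an {@link X509Certificate}
     */
    public static boolean isSelfSigned(Certificate certificate) {
        X509Certificate x509 = (X509Certificate) certificate;
        return x509.getIssuerX500Principal().equals(x509.getSubjectX500Principal());
    }

    /**
     * Applies {@link #isSelfSigned(Certificate)} to the last certificate of a path.
     *
     * <p>The same caveat applies: only issuer and subject names are compared.
     *
     * @param certPath the path to inspect; must not be empty
     * @return {@code true} if the last certificate's issuer and subject principals are equal
     * @throws IndexOutOfBoundsException if the path holds no certificates
     */
    public static boolean isSelfSigned(CertPath certPath) {
        List<? extends Certificate> certificates = certPath.getCertificates();
        return isSelfSigned(certificates.get(certificates.size() - 1));
    }

    /**
     * Returns the first certificate of a path, which this class treats as the leaf.
     *
     * @param certPath the path to inspect; must not be empty
     * @return the certificate at index 0
     * @throws IndexOutOfBoundsException if the path holds no certificates
     * @throws ClassCastException if the first certificate is not an {@link X509Certificate}
     */
    public static X509Certificate getLeaf(CertPath certPath) {
        return (X509Certificate) certPath.getCertificates().get(0);
    }
}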
