package dev.sigstore;

import com.google.api.client.util.Preconditions;
import com.google.common.hash.Hashing;
import com.google.common.io.Files;
import dev.sigstore.encryption.certificates.Certificates;
import dev.sigstore.encryption.signers.Verifiers;
import dev.sigstore.fulcio.client.FulcioCertificateVerifier;
import dev.sigstore.fulcio.client.FulcioVerificationException;
import dev.sigstore.fulcio.client.FulcioVerifier;
import dev.sigstore.rekor.client.HashedRekordRequest;
import dev.sigstore.rekor.client.RekorClient;
import dev.sigstore.rekor.client.RekorEntry;
import dev.sigstore.rekor.client.RekorParseException;
import dev.sigstore.rekor.client.RekorVerificationException;
import dev.sigstore.rekor.client.RekorVerifier;
import dev.sigstore.trustroot.SigstoreTrustedRoot;
import dev.sigstore.tuf.SigstoreTufClient;
import java.io.IOException;
import java.nio.file.Path;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.sql.Date;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: input_file:dev/sigstore/KeylessVerifier.class */
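/**
 * Verifies a Sigstore "keyless" signature (Fulcio-issued signing certificate plus Rekor
 * transparency-log entry) over an artifact's SHA-256 digest.
 *
 * <p>Instances are created through {@link #builder()}. The verifier carries a Fulcio chain
 * verifier, a Rekor entry verifier and one {@link RekorClient} per distinct transparency-log
 * base URL listed in the trusted root; all three are derived from the same
 * {@link SigstoreTrustedRoot}, so every check in {@link #verify(byte[], KeylessVerificationRequest)}
 * is anchored to that root.
 */
public class KeylessVerifier {
    private final FulcioVerifier fulcioVerifier;
    private final RekorVerifier rekorVerifier;
    private final List<RekorClient> rekorClients;

    /** Chooses where the trusted root comes from and builds a {@link KeylessVerifier}. */
    public static class Builder {
        private TrustedRootProvider trustedRootProvider;

        /**
         * Builds the verifier from the configured trusted root.
         *
         * @return a verifier whose Fulcio, Rekor and log-client material all come from that root
         * @throws NullPointerException if no trusted-root source was configured on this builder
         * @throws IOException if the trusted root cannot be loaded
         */
        public KeylessVerifier build() throws InvalidAlgorithmParameterException, CertificateException, InvalidKeySpecException, NoSuchAlgorithmException, IOException, InvalidKeyException {
            Objects.requireNonNull(this.trustedRootProvider, "a trusted root source must be configured before build()");
            SigstoreTrustedRoot trustedRoot = this.trustedRootProvider.get();
            // One client per distinct base URL: several log descriptors sharing a URL
            // collapse into a single client.
            // NOTE(review): mo7617getTLogs looks like a decompiler-mangled accessor name;
            // confirm the real method name when editing from source.
            List<RekorClient> logClients = trustedRoot.mo7617getTLogs().stream()
                    .map(tlog -> tlog.getBaseUrl())
                    .distinct()
                    .map(uri -> RekorClient.builder().setUri(uri).build())
                    .collect(Collectors.toList());
            return new KeylessVerifier(FulcioVerifier.newFulcioVerifier(trustedRoot), logClients, RekorVerifier.newRekorVerifier(trustedRoot));
        }

        /** Takes the trusted root from the Sigstore public-good TUF repository. */
        public Builder sigstorePublicDefaults() {
            this.trustedRootProvider = TrustedRootProvider.from(SigstoreTufClient.builder().usePublicGoodInstance());
            return this;
        }

        /** Takes the trusted root from the Sigstore staging TUF repository. */
        public Builder sigstoreStagingDefaults() {
            this.trustedRootProvider = TrustedRootProvider.from(SigstoreTufClient.builder().useStagingInstance());
            return this;
        }

        /** Takes the trusted root from a file on disk rather than from TUF. */
        public Builder fromTrustedRoot(Path path) {
            this.trustedRootProvider = TrustedRootProvider.from(path);
            return this;
        }
    }

    private KeylessVerifier(FulcioVerifier fulcioVerifier, List<RekorClient> rekorClients, RekorVerifier rekorVerifier) {
        this.fulcioVerifier = fulcioVerifier;
        this.rekorVerifier = rekorVerifier;
        this.rekorClients = rekorClients;
    }

    /** Returns a new, unconfigured {@link Builder}. */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Hashes the artifact at {@code path} with SHA-256 and verifies the digest as in
     * {@link #verify(byte[], KeylessVerificationRequest)}.
     *
     * @param path artifact to hash
     * @param keylessVerificationRequest signature material and verification options
     * @throws KeylessVerificationException if the artifact cannot be read or verification fails
     */
    public void verify(Path path, KeylessVerificationRequest keylessVerificationRequest) throws KeylessVerificationException {
        byte[] artifactDigest;
        try {
            artifactDigest = Files.asByteSource(path.toFile()).hash(Hashing.sha256()).asBytes();
        } catch (IOException e) {
            // Keep the I/O failure as the cause so callers can tell why the read failed.
            throw new KeylessVerificationException("Could not hash provided artifact path: " + path, e);
        }
        verify(artifactDigest, keylessVerificationRequest);
    }

    /**
     * Verifies a keyless signature over {@code artifactDigest}.
     *
     * <p>Checks run in this order, and the first failure aborts verification:
     * <ol>
     *   <li>if the request carries a digest, it must equal {@code artifactDigest} (an empty
     *       request digest skips this comparison);</li>
     *   <li>the signing certificate chain is verified by the Fulcio verifier;</li>
     *   <li>if the options list certificate identities, the leaf must match one of them;</li>
     *   <li>a Rekor entry is taken from the request, or fetched from the known logs when the
     *       options demand a remote entry or the request has none;</li>
     *   <li>the entry is verified by the Rekor verifier;</li>
     *   <li>the leaf certificate must have been valid at the entry's integrated time (not at
     *       the current time - the certificate is expected to be short-lived);</li>
     *   <li>the signature must verify over the digest with the leaf's public key.</li>
     * </ol>
     *
     * @param artifactDigest SHA-256 digest of the artifact being verified
     * @param request signature material and verification options
     * @throws KeylessVerificationException if any of the checks above fails
     * @throws IllegalStateException if no signature verifier can be built for the leaf's key
     */
    public void verify(byte[] artifactDigest, KeylessVerificationRequest request) throws KeylessVerificationException {
        Objects.requireNonNull(artifactDigest, "artifactDigest");
        Objects.requireNonNull(request, "request");
        var keylessSignature = request.getKeylessSignature();
        CertPath certPath = keylessSignature.getCertPath();
        X509Certificate leaf = Certificates.getLeaf(certPath);

        checkArtifactDigestMatches(artifactDigest, keylessSignature.getDigest());
        verifySigningCertificate(certPath);

        // NOTE(review): mo6286getCertificateIdentities looks like a decompiler-mangled
        // accessor name; confirm the real method name when editing from source.
        if (request.getVerificationOptions().mo6286getCertificateIdentities().size() > 0) {
            try {
                new FulcioCertificateVerifier().verifyCertificateMatches(leaf, request.getVerificationOptions().mo6286getCertificateIdentities());
            } catch (FulcioVerificationException e) {
                throw new KeylessVerificationException("Could not verify certificate identities: " + e.getMessage(), e);
            }
        }

        byte[] signature = keylessSignature.getSignature();
        RekorEntry entry = resolveRekorEntry(artifactDigest, leaf, signature, request);
        verifyRekorEntry(entry);
        checkCertificateValidAtIntegration(leaf, entry);
        verifyArtifactSignature(leaf, artifactDigest, signature);
    }

    /** Rejects the call when the request carries a digest that differs from the artifact's. */
    private static void checkArtifactDigestMatches(byte[] artifactDigest, byte[] requestDigest) throws KeylessVerificationException {
        // An empty request digest means the signature material carried none; nothing to compare.
        if (requestDigest.length > 0 && !Arrays.equals(artifactDigest, requestDigest)) {
            throw new KeylessVerificationException("Provided artifact sha256 digest does not match digest used for verification\nprovided(hex) : " + Hex.toHexString(artifactDigest) + "\nverification  : " + Hex.toHexString(requestDigest));
        }
    }

    /** Verifies the signing certificate chain with the Fulcio verifier from the trusted root. */
    private void verifySigningCertificate(CertPath certPath) throws KeylessVerificationException {
        try {
            this.fulcioVerifier.verifySigningCertificate(certPath);
        } catch (FulcioVerificationException | IOException e) {
            throw new KeylessVerificationException("Fulcio certificate was not valid: " + e.getMessage(), e);
        }
    }

    /** Picks the Rekor entry to verify: the request's own entry, or a fresh lookup in the known logs. */
    private RekorEntry resolveRekorEntry(byte[] artifactDigest, X509Certificate leaf, byte[] signature, KeylessVerificationRequest request) throws KeylessVerificationException {
        Optional<RekorEntry> providedEntry = request.getKeylessSignature().getEntry();
        // A remote lookup is forced by the option, and is the only choice when no entry was supplied.
        if (request.getVerificationOptions().alwaysUseRemoteRekorEntry() || providedEntry.isEmpty()) {
            return getEntryFromRekor(artifactDigest, leaf, signature);
        }
        return providedEntry.orElseThrow(() -> new KeylessVerificationException("No rekor entry was provided for offline verification"));
    }

    /** Verifies the entry with the Rekor verifier built from the trusted root. */
    private void verifyRekorEntry(RekorEntry entry) throws KeylessVerificationException {
        try {
            this.rekorVerifier.verifyEntry(entry);
        } catch (RekorVerificationException e) {
            throw new KeylessVerificationException("Rekor entry signature was not valid", e);
        }
    }

    /** Checks that the leaf certificate was valid at the moment the log integrated the entry. */
    private static void checkCertificateValidAtIntegration(X509Certificate leaf, RekorEntry entry) throws KeylessVerificationException {
        try {
            // Fully qualified: the file imports java.sql.Date, but only java.util.Date is needed here.
            leaf.checkValidity(java.util.Date.from(entry.getIntegratedTimeInstant()));
        } catch (CertificateExpiredException e) {
            throw new KeylessVerificationException("Signing time was after certificate expiry", e);
        } catch (CertificateNotYetValidException e) {
            throw new KeylessVerificationException("Signing time was before certificate validity", e);
        }
    }

    /** Verifies {@code signature} over {@code artifactDigest} with the leaf certificate's public key. */
    private static void verifyArtifactSignature(X509Certificate leaf, byte[] artifactDigest, byte[] signature) throws KeylessVerificationException {
        boolean signatureValid;
        try {
            signatureValid = Verifiers.newVerifier(leaf.getPublicKey()).verifyDigest(artifactDigest, signature);
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            // Not a verification outcome: the key type or algorithm is unusable in this runtime.
            throw new IllegalStateException("Could not create a verifier for the signing certificate's public key", e);
        } catch (SignatureException e) {
            throw new KeylessVerificationException("Signature could not be processed: " + e.getMessage(), e);
        }
        if (!signatureValid) {
            throw new KeylessVerificationException("Artifact signature was not valid");
        }
    }

    /**
     * Looks up the hashedrekord for (digest, signing certificate, signature) in every known log
     * and returns the first entry whose integrated time falls inside the certificate's validity.
     *
     * @throws KeylessVerificationException if the certificate cannot be PEM-encoded, a log cannot
     *     be queried, or no log holds an entry integrated while the certificate was valid
     */
    private RekorEntry getEntryFromRekor(byte[] artifactDigest, X509Certificate signingCert, byte[] signature) throws KeylessVerificationException {
        HashedRekordRequest lookup;
        try {
            lookup = HashedRekordRequest.newHashedRekordRequest(artifactDigest, Certificates.toPemBytes(signingCert), signature);
        } catch (IOException e) {
            throw new KeylessVerificationException("Could not convert certificate to PEM when recreating hashrekord", e);
        }
        try {
            for (RekorClient client : this.rekorClients) {
                Optional<RekorEntry> candidate = client.getEntry(lookup);
                if (candidate.isEmpty()) {
                    continue;
                }
                RekorEntry entry = candidate.get();
                try {
                    signingCert.checkValidity(java.util.Date.from(entry.getIntegratedTimeInstant()));
                    return entry;
                } catch (CertificateExpiredException | CertificateNotYetValidException ignored) {
                    // This log integrated the entry outside the certificate's validity window;
                    // keep looking in the remaining logs.
                }
            }
            throw new KeylessVerificationException("No valid rekor entry was found in any known logs");
        } catch (RekorParseException | IOException e) {
            throw new KeylessVerificationException("Could not retrieve rekor entry", e);
        }
    }
}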
