package dev.sigstore.bundle;

import com.google.common.collect.Iterables;
import com.google.protobuf.ByteString;
import com.google.protobuf.util.JsonFormat;
import dev.sigstore.KeylessSignature;
import dev.sigstore.proto.ProtoMutators;
import dev.sigstore.proto.bundle.v1.Bundle;
import dev.sigstore.proto.bundle.v1.VerificationMaterial;
import dev.sigstore.proto.common.v1.HashAlgorithm;
import dev.sigstore.proto.common.v1.HashOutput;
import dev.sigstore.proto.common.v1.LogId;
import dev.sigstore.proto.common.v1.MessageSignature;
import dev.sigstore.proto.rekor.v1.Checkpoint;
import dev.sigstore.proto.rekor.v1.InclusionPromise;
import dev.sigstore.proto.rekor.v1.InclusionProof;
import dev.sigstore.proto.rekor.v1.KindVersion;
import dev.sigstore.proto.rekor.v1.TransparencyLogEntry;
import dev.sigstore.rekor.client.ImmutableInclusionProof;
import dev.sigstore.rekor.client.ImmutableRekorEntry;
import dev.sigstore.rekor.client.ImmutableVerification;
import dev.sigstore.rekor.client.RekorEntry;
import java.io.IOException;
import java.io.Reader;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.List;
import java.util.stream.Collectors;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: input_file:dev/sigstore/bundle/BundleFactoryInternal.class */
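/**
 * Converts between {@link KeylessSignature} and the Sigstore protobuf {@link Bundle} form.
 *
 * <p>Everything in this class is format conversion. Nothing here verifies the signature, the
 * certificate, the inclusion proof or the signed entry timestamp; a value returned by {@link
 * #readBundle(Reader)} is attacker-controlled input until a verifier has checked it.
 */
class BundleFactoryInternal {
    /** Protobuf JSON printer with default settings; not used inside this class. */
    static final JsonFormat.Printer JSON_PRINTER = JsonFormat.printer();
    private static final String BUNDLE_V_0_1 = "application/vnd.dev.sigstore.bundle+json;version=0.1";
    private static final String BUNDLE_V_0_2 = "application/vnd.dev.sigstore.bundle+json;version=0.2";
    private static final String BUNDLE_V_0_3 = "application/vnd.dev.sigstore.bundle+json;version=0.3";
    private static final String BUNDLE_V_0_3_1 = "application/vnd.dev.sigstore.bundle.v0.3+json";
    /** Media types accepted by {@link #readBundle(Reader)}; writing always uses {@link #BUNDLE_V_0_3_1}. */
    private static final List<String> SUPPORTED_MEDIA_TYPES = List.of(BUNDLE_V_0_1, BUNDLE_V_0_2, BUNDLE_V_0_3, BUNDLE_V_0_3_1);

    BundleFactoryInternal() {
    }

    /**
     * Builds a bundle (media type {@code BUNDLE_V_0_3_1}) from a signing result.
     *
     * <p>The decompiler widened this method's access from package-private.
     *
     * @param keylessSignature signing result; must carry a non-empty artifact digest, a
     *     certificate path and a transparency log entry
     * @return a bundle builder holding the verification material and the message signature
     * @throws IllegalStateException if the artifact digest is empty
     * @throws IllegalArgumentException if the log entry is missing or the certificate cannot be
     *     encoded
     */
    public static Bundle.Builder createBundleBuilder(KeylessSignature keylessSignature) {
        byte[] digest = keylessSignature.getDigest();
        if (digest.length == 0) {
            throw new IllegalStateException("keyless signature must have artifact digest when serializing to bundle");
        }
        VerificationMaterial.Builder verificationMaterial = buildVerificationMaterial(keylessSignature);
        // The digest is labelled SHA2_256 without being inspected (no length check here).
        // NOTE(review): callers are assumed to pass a SHA-256 digest — confirm.
        HashOutput.Builder messageDigest = HashOutput.newBuilder()
                .setAlgorithm(HashAlgorithm.SHA2_256)
                .setDigest(ByteString.copyFrom(digest));
        MessageSignature.Builder messageSignature = MessageSignature.newBuilder()
                .setMessageDigest(messageDigest)
                .setSignature(ByteString.copyFrom(keylessSignature.getSignature()));
        return Bundle.newBuilder()
                .setMediaType(BUNDLE_V_0_3_1)
                .setVerificationMaterial(verificationMaterial)
                .setMessageSignature(messageSignature);
    }

    /**
     * Builds the verification material: one certificate plus one transparency log entry.
     *
     * @throws IllegalArgumentException if the log entry is missing or the certificate cannot be
     *     encoded
     */
    private static VerificationMaterial.Builder buildVerificationMaterial(KeylessSignature keylessSignature) {
        // NOTE(review): Iterables.getLast takes the final certificate of the path.
        // java.security.cert.CertPath orders X.509 paths target-first, so this is the signing
        // (leaf) certificate only if the path holds a single certificate — confirm what callers pass.
        Certificate certificate = Iterables.getLast(keylessSignature.getCertPath().getCertificates());
        try {
            VerificationMaterial.Builder material = VerificationMaterial.newBuilder()
                    .setCertificate(ProtoMutators.fromCert((X509Certificate) certificate));
            if (keylessSignature.getEntry().isEmpty()) {
                throw new IllegalArgumentException("A log entry must be present in the signing result");
            }
            material.addTlogEntries(buildTlogEntries(keylessSignature.getEntry().get()));
            return material;
        } catch (CertificateEncodingException e) {
            throw new IllegalArgumentException("Cannot encode certificate " + certificate, e);
        }
    }

    /**
     * Converts a Rekor entry into its protobuf form, including promise and inclusion proof.
     *
     * <p>The log id is decoded from hex; the signed entry timestamp and the body are decoded from
     * base64.
     */
    private static TransparencyLogEntry.Builder buildTlogEntries(RekorEntry rekorEntry) {
        Base64.Decoder base64 = Base64.getDecoder();
        LogId.Builder logId = LogId.newBuilder()
                .setKeyId(ByteString.fromHex(rekorEntry.getLogID()));
        KindVersion.Builder kindVersion = KindVersion.newBuilder()
                .setKind(rekorEntry.getBodyDecoded().getKind())
                .setVersion(rekorEntry.getBodyDecoded().getApiVersion());
        InclusionPromise.Builder promise = InclusionPromise.newBuilder()
                .setSignedEntryTimestamp(
                        ByteString.copyFrom(base64.decode(rekorEntry.getVerification().getSignedEntryTimestamp())));
        TransparencyLogEntry.Builder tlogEntry = TransparencyLogEntry.newBuilder()
                .setLogIndex(rekorEntry.getLogIndex())
                .setLogId(logId)
                .setKindVersion(kindVersion)
                .setIntegratedTime(rekorEntry.getIntegratedTime())
                .setInclusionPromise(promise)
                .setCanonicalizedBody(ByteString.copyFrom(base64.decode(rekorEntry.getBody())));
        addInclusionProof(tlogEntry, rekorEntry);
        return tlogEntry;
    }

    /** Copies the Rekor inclusion proof (hex hashes, tree size, checkpoint) onto {@code builder}. */
    private static void addInclusionProof(TransparencyLogEntry.Builder builder, RekorEntry rekorEntry) {
        RekorEntry.InclusionProof inclusionProof = rekorEntry.getVerification().getInclusionProof();
        List<ByteString> hashes = inclusionProof.getHashes().stream()
                .map(ByteString::fromHex)
                .collect(Collectors.toList());
        builder.setInclusionProof(InclusionProof.newBuilder()
                .setLogIndex(inclusionProof.getLogIndex().longValue())
                .setRootHash(ByteString.fromHex(inclusionProof.getRootHash()))
                .setTreeSize(inclusionProof.getTreeSize().longValue())
                .addAllHashes(hashes)
                .setCheckpoint(Checkpoint.newBuilder().setEnvelope(inclusionProof.getCheckpoint())));
    }

    /**
     * Parses a JSON bundle into a {@link KeylessSignature}.
     *
     * <p>This is structural parsing only; the result has not been verified. Points a reviewer
     * should know:
     *
     * <ul>
     *   <li>the media type is checked against an allow list, with no per-version rules applied;
     *   <li>only the first transparency log entry is read, any further entries are ignored;
     *   <li>an inclusion proof is required, an inclusion promise is not (a missing promise yields
     *       an empty signed entry timestamp);
     *   <li>a missing message digest yields an empty digest array.
     * </ul>
     *
     * <p>The decompiler widened this method's access from package-private.
     *
     * @param reader source of the bundle JSON
     * @return the signature, certificate path, digest and log entry found in the bundle
     * @throws BundleParseException if the JSON cannot be parsed, the media type is unsupported,
     *     the log entry, inclusion proof, message signature or certificate is missing, the bundle
     *     holds a DSSE envelope, the digest algorithm is not SHA2_256, or the certificates cannot
     *     be parsed
     */
    public static KeylessSignature readBundle(Reader reader) throws BundleParseException {
        Bundle.Builder bundleBuilder = Bundle.newBuilder();
        try {
            JsonFormat.parser().merge(reader, bundleBuilder);
            Bundle bundle = bundleBuilder.build();
            if (!SUPPORTED_MEDIA_TYPES.contains(bundle.getMediaType())) {
                throw new BundleParseException("Unsupported bundle media type: " + bundle.getMediaType());
            }
            VerificationMaterial material = bundle.getVerificationMaterial();
            if (material.getTlogEntriesCount() == 0) {
                throw new BundleParseException("Could not find any tlog entries in bundle json");
            }
            TransparencyLogEntry tlogEntry = material.getTlogEntries(0);
            if (!tlogEntry.hasInclusionProof()) {
                throw new BundleParseException("Could not find an inclusion proof");
            }
            ImmutableRekorEntry rekorEntry = toRekorEntry(tlogEntry);
            if (bundle.hasDsseEnvelope()) {
                throw new BundleParseException("DSSE envelope signatures are not supported by this client");
            }
            // Protobuf getters return an empty default message for an unset field, so without this
            // check a bundle with no content would parse into an empty signature and digest.
            if (!bundle.hasMessageSignature()) {
                throw new BundleParseException("Could not find a message signature in bundle json");
            }
            MessageSignature messageSignature = bundle.getMessageSignature();
            byte[] digest = new byte[0];
            if (messageSignature.hasMessageDigest()) {
                HashAlgorithm algorithm = messageSignature.getMessageDigest().getAlgorithm();
                if (algorithm != HashAlgorithm.SHA2_256) {
                    throw new BundleParseException("Cannot read message digests of type " + algorithm + ", only " + HashAlgorithm.SHA2_256 + " is supported");
                }
                digest = messageSignature.getMessageDigest().getDigest().toByteArray();
            }
            // Same default-message reasoning: reject material that carries no certificate at all
            // instead of passing an empty list on to the certificate path conversion.
            if (!material.hasCertificate() && material.getX509CertificateChain().getCertificatesCount() == 0) {
                throw new BundleParseException("Could not find a signing certificate in bundle json");
            }
            try {
                return KeylessSignature.builder()
                        .digest(digest)
                        .certPath(material.hasCertificate()
                                ? ProtoMutators.toCertPath(List.of(material.getCertificate()))
                                : ProtoMutators.toCertPath(material.getX509CertificateChain().getCertificatesList()))
                        .signature(messageSignature.getSignature().toByteArray())
                        .entry(rekorEntry)
                        .build();
            } catch (CertificateException e) {
                throw new BundleParseException("Could not parse bundle certificate chain", e);
            }
        } catch (IOException e2) {
            throw new BundleParseException("Could not process bundle json", e2);
        }
    }

    /**
     * Converts a protobuf log entry into the client's Rekor entry form: log id and proof hashes
     * become hex strings, body and signed entry timestamp become base64 strings.
     */
    private static ImmutableRekorEntry toRekorEntry(TransparencyLogEntry tlogEntry) {
        InclusionProof proof = tlogEntry.getInclusionProof();
        Base64.Encoder base64 = Base64.getEncoder();
        List<String> hashes = proof.getHashesList().stream()
                .map(ByteString::toByteArray)
                .map(Hex::toHexString)
                .collect(Collectors.toList());
        return ImmutableRekorEntry.builder()
                .integratedTime(tlogEntry.getIntegratedTime())
                .logID(Hex.toHexString(tlogEntry.getLogId().getKeyId().toByteArray()))
                .logIndex(tlogEntry.getLogIndex())
                .body(base64.encodeToString(tlogEntry.getCanonicalizedBody().toByteArray()))
                .verification(ImmutableVerification.builder()
                        .signedEntryTimestamp(
                                base64.encodeToString(tlogEntry.getInclusionPromise().getSignedEntryTimestamp().toByteArray()))
                        .inclusionProof(ImmutableInclusionProof.builder()
                                .logIndex(Long.valueOf(proof.getLogIndex()))
                                .rootHash(Hex.toHexString(proof.getRootHash().toByteArray()))
                                .treeSize(Long.valueOf(proof.getTreeSize()))
                                .checkpoint(proof.getCheckpoint().getEnvelope())
                                .addAllHashes(hashes)
                                .build())
                        .build())
                .build();
    }
}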
