package dev.sigstore;

import com.google.api.client.util.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.hash.Hashing;
import com.google.common.io.Files;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import com.google.errorprone.annotations.CheckReturnValue;
import com.google.errorprone.annotations.concurrent.GuardedBy;
import dev.sigstore.bundle.Bundle;
import dev.sigstore.bundle.ImmutableBundle;
import dev.sigstore.encryption.certificates.Certificates;
import dev.sigstore.encryption.signers.Signer;
import dev.sigstore.encryption.signers.Signers;
import dev.sigstore.fulcio.client.CertificateRequest;
import dev.sigstore.fulcio.client.FulcioClient;
import dev.sigstore.fulcio.client.FulcioVerificationException;
import dev.sigstore.fulcio.client.FulcioVerifier;
import dev.sigstore.fulcio.client.UnsupportedAlgorithmException;
import dev.sigstore.oidc.client.OidcClients;
import dev.sigstore.oidc.client.OidcException;
import dev.sigstore.oidc.client.OidcToken;
import dev.sigstore.rekor.client.HashedRekordRequest;
import dev.sigstore.rekor.client.RekorClient;
import dev.sigstore.rekor.client.RekorParseException;
import dev.sigstore.rekor.client.RekorResponse;
import dev.sigstore.rekor.client.RekorVerificationException;
import dev.sigstore.rekor.client.RekorVerifier;
import dev.sigstore.trustroot.SigstoreTrustedRoot;
import dev.sigstore.tuf.SigstoreTufClient;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.ReentrantReadWriteLock;

/* loaded from: input_file:dev/sigstore/KeylessSigner.class */
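public class KeylessSigner implements AutoCloseable {
    /**
     * Minimum remaining validity a cached signing certificate must have before it is reused
     * instead of being renewed through Fulcio.
     */
    public static final Duration DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME = Duration.ofMinutes(5);

    private final FulcioClient fulcioClient;
    private final FulcioVerifier fulcioVerifier;
    private final RekorClient rekorClient;
    private final RekorVerifier rekorVerifier;
    private final OidcClients oidcClients;
    /** Allow list of identities an obtained OIDC token must match; empty means "any identity". */
    private final List<OidcIdentity> oidcIdentities;
    private final Signer signer;
    private final Duration minSigningCertificateLifetime;

    /** Cached, verified signing certificate chain (trust root trimmed), or null until first use. */
    @GuardedBy("lock")
    private CertPath signingCert;

    /** PEM encoding of {@link #signingCert}, kept in step with it under the same lock. */
    @GuardedBy("lock")
    private byte[] signingCertPemBytes;

    /**
     * Guards the cached certificate state. ReentrantReadWriteLock does not allow a holder of the
     * read lock to upgrade to the write lock, so readers must release before writers acquire.
     */
    private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();

    /** Builder for {@link KeylessSigner}; every non-default field must be set before {@link #build()}. */
    public static class Builder {
        private TrustedRootProvider trustedRootProvider;
        private OidcClients oidcClients;
        private Signer signer;
        private URI fulcioUri;
        private URI rekorUri;
        private List<OidcIdentity> oidcIdentities = Collections.emptyList();
        private Duration minSigningCertificateLifetime = KeylessSigner.DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME;

        /** Sets the Fulcio (certificate authority) endpoint. */
        @CanIgnoreReturnValue
        public Builder fulcioUrl(URI uri) {
            this.fulcioUri = uri;
            return this;
        }

        /** Sets the Rekor (transparency log) endpoint. */
        @CanIgnoreReturnValue
        public Builder rekorUrl(URI uri) {
            this.rekorUri = uri;
            return this;
        }

        /** Loads the trusted root used to verify Fulcio certificates and Rekor entries from a file. */
        @CanIgnoreReturnValue
        public Builder trustedRoot(Path path) {
            this.trustedRootProvider = TrustedRootProvider.from(path);
            return this;
        }

        /** Sets the OIDC clients used to obtain an identity token for each certificate request. */
        @CanIgnoreReturnValue
        public Builder oidcClients(OidcClients oidcClients) {
            this.oidcClients = oidcClients;
            return this;
        }

        /**
         * Restricts signing to OIDC tokens whose identity appears in {@code list}. The list is
         * copied, so later changes by the caller have no effect. An empty list disables the check.
         */
        @CanIgnoreReturnValue
        public Builder allowedOidcIdentities(List<OidcIdentity> list) {
            this.oidcIdentities = ImmutableList.copyOf(list);
            return this;
        }

        /** Sets the key pair used to sign digests and to prove possession of the key to Fulcio. */
        @CanIgnoreReturnValue
        public Builder signer(Signer signer) {
            this.signer = signer;
            return this;
        }

        /** Sets how much validity a cached certificate must retain to be reused (see class constant). */
        @CanIgnoreReturnValue
        public Builder minSigningCertificateLifetime(Duration duration) {
            this.minSigningCertificateLifetime = duration;
            return this;
        }

        /**
         * Creates the signer, resolving the trusted root and constructing Fulcio/Rekor clients and
         * verifiers.
         *
         * @throws NullPointerException if any required setting is missing
         */
        @CheckReturnValue
        public KeylessSigner build() throws CertificateException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, InvalidAlgorithmParameterException {
            Preconditions.checkNotNull(this.trustedRootProvider, "trustedRootProvider");
            // Resolve the root first: both verifiers below are derived from it.
            SigstoreTrustedRoot sigstoreTrustedRoot = this.trustedRootProvider.get();
            Preconditions.checkNotNull(this.fulcioUri, "fulcioUri");
            Preconditions.checkNotNull(this.rekorUri, "rekorUri");
            Preconditions.checkNotNull(this.oidcClients, "oidcClients");
            Preconditions.checkNotNull(this.oidcIdentities, "oidcIdentities");
            Preconditions.checkNotNull(this.signer, "signer");
            Preconditions.checkNotNull(this.minSigningCertificateLifetime, "minSigningCertificateLifetime");
            FulcioClient fulcio = FulcioClient.builder().setUri(this.fulcioUri).build();
            RekorClient rekor = RekorClient.builder().setUri(this.rekorUri).build();
            return new KeylessSigner(
                    fulcio,
                    FulcioVerifier.newFulcioVerifier(sigstoreTrustedRoot),
                    rekor,
                    RekorVerifier.newRekorVerifier(sigstoreTrustedRoot),
                    this.oidcClients,
                    this.oidcIdentities,
                    this.signer,
                    this.minSigningCertificateLifetime);
        }

        /** Configures the public-good Sigstore instance (TUF-backed trusted root, public Fulcio/Rekor). */
        @CanIgnoreReturnValue
        public Builder sigstorePublicDefaults() {
            this.trustedRootProvider = TrustedRootProvider.from(SigstoreTufClient.builder().usePublicGoodInstance());
            this.fulcioUri = FulcioClient.PUBLIC_GOOD_URI;
            this.rekorUri = RekorClient.PUBLIC_GOOD_URI;
            oidcClients(OidcClients.PUBLIC_GOOD);
            signer(Signers.newEcdsaSigner());
            minSigningCertificateLifetime(KeylessSigner.DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
            return this;
        }

        /** Configures the Sigstore staging instance; same shape as {@link #sigstorePublicDefaults()}. */
        @CanIgnoreReturnValue
        public Builder sigstoreStagingDefaults() {
            this.trustedRootProvider = TrustedRootProvider.from(SigstoreTufClient.builder().useStagingInstance());
            this.fulcioUri = FulcioClient.STAGING_URI;
            this.rekorUri = RekorClient.STAGING_URI;
            oidcClients(OidcClients.STAGING);
            signer(Signers.newEcdsaSigner());
            minSigningCertificateLifetime(KeylessSigner.DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
            return this;
        }
    }

    private KeylessSigner(FulcioClient fulcioClient, FulcioVerifier fulcioVerifier, RekorClient rekorClient, RekorVerifier rekorVerifier, OidcClients oidcClients, List<OidcIdentity> list, Signer signer, Duration duration) {
        this.fulcioClient = fulcioClient;
        this.fulcioVerifier = fulcioVerifier;
        this.rekorClient = rekorClient;
        this.rekorVerifier = rekorVerifier;
        this.oidcClients = oidcClients;
        this.oidcIdentities = list;
        this.signer = signer;
        this.minSigningCertificateLifetime = duration;
    }

    /** Drops the cached signing certificate. The underlying clients are not touched here. */
    @Override // java.lang.AutoCloseable
    public void close() {
        this.lock.writeLock().lock();
        try {
            this.signingCert = null;
            this.signingCertPemBytes = null;
        } finally {
            this.lock.writeLock().unlock();
        }
    }

    /** Returns a new, unconfigured {@link Builder}. */
    @CheckReturnValue
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Signs each SHA-256 digest, records a hashed-rekord entry for it in Rekor, verifies that entry,
     * and returns one {@link Bundle} per digest in input order.
     *
     * @param list SHA-256 digests of the artifacts to sign (the bundle records them as SHA2_256)
     * @return bundles in the same order as {@code list}
     * @throws IllegalArgumentException if {@code list} is empty
     * @throws IllegalStateException if no signing certificate is available after renewal
     * @throws KeylessSignerException if signing, certificate renewal, the Rekor upload or the
     *     verification of the Rekor response fails
     */
    @CheckReturnValue
    public List<Bundle> sign(List<byte[]> list) throws KeylessSignerException {
        if (list.isEmpty()) {
            throw new IllegalArgumentException("Require one or more digests");
        }
        ImmutableList.Builder<Bundle> bundles = ImmutableList.builder();
        for (byte[] digest : list) {
            byte[] signature;
            try {
                signature = this.signer.signDigest(digest);
            } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
                throw new KeylessSignerException("Failed to sign artifact", e);
            }
            // Renew after signing so that a certificate is fresh at the time the entry is logged.
            try {
                renewSigningCertificate();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt(); // preserve the interrupt for the caller
                throw new KeylessSignerException("Failed to obtain signing certificate", e);
            } catch (FulcioVerificationException | UnsupportedAlgorithmException | OidcException | IOException | InvalidKeyException | NoSuchAlgorithmException | SignatureException | CertificateException e) {
                throw new KeylessSignerException("Failed to obtain signing certificate", e);
            }
            bundles.add(recordAndBundle(digest, signature));
        }
        return bundles.build();
    }

    /**
     * Uploads one hashed-rekord entry for {@code digest}/{@code signature} under the cached
     * certificate, verifies the returned entry, and assembles the bundle.
     *
     * <p>The read lock is held for the whole exchange so the certificate cannot be swapped out
     * underneath it.
     */
    private Bundle recordAndBundle(byte[] digest, byte[] signature) throws KeylessSignerException {
        this.lock.readLock().lock();
        try {
            CertPath certPath = this.signingCert;
            byte[] certPem = this.signingCertPemBytes;
            if (certPath == null || certPem == null) {
                throw new IllegalStateException("Signing certificate is null");
            }
            RekorResponse response;
            try {
                response = this.rekorClient.putEntry(HashedRekordRequest.newHashedRekordRequest(digest, certPem, signature));
            } catch (RekorParseException | IOException e) {
                throw new KeylessSignerException("Failed to put entry in rekor", e);
            }
            // Never return a bundle whose log entry has not been checked against the trusted root.
            try {
                this.rekorVerifier.verifyEntry(response.getEntry());
            } catch (RekorVerificationException e) {
                throw new KeylessSignerException("Failed to validate rekor response after signing", e);
            }
            return ImmutableBundle.builder()
                    .certPath(certPath)
                    .addEntries(response.getEntry())
                    .messageSignature(Bundle.MessageSignature.of(Bundle.HashAlgorithm.SHA2_256, digest, signature))
                    .build();
        } finally {
            this.lock.readLock().unlock();
        }
    }

    /**
     * Ensures a signing certificate with at least {@code minSigningCertificateLifetime} remaining
     * is cached, obtaining a new one from Fulcio otherwise.
     *
     * <p>The check is done under the read lock; if renewal is needed the read lock is released
     * before the write lock is taken (a read-to-write upgrade would block forever on
     * {@link ReentrantReadWriteLock}), and the check is repeated under the write lock because
     * another thread may have renewed in between.
     *
     * @throws KeylessSignerException if the obtained OIDC identity is not in the allow list
     */
    private void renewSigningCertificate() throws InterruptedException, CertificateException, IOException, UnsupportedAlgorithmException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, FulcioVerificationException, OidcException, KeylessSignerException {
        this.lock.readLock().lock();
        try {
            if (hasSufficientLifetime(this.signingCert)) {
                return;
            }
        } finally {
            this.lock.readLock().unlock();
        }
        this.lock.writeLock().lock();
        try {
            if (hasSufficientLifetime(this.signingCert)) {
                return; // renewed concurrently while we waited for the write lock
            }
            // Clear first so a failure below never leaves a stale certificate behind.
            this.signingCert = null;
            this.signingCertPemBytes = null;
            OidcToken idToken = this.oidcClients.getIDToken();
            if (!this.oidcIdentities.isEmpty()) {
                OidcIdentity tokenIdentity = OidcIdentity.from(idToken);
                if (!this.oidcIdentities.contains(tokenIdentity)) {
                    throw new KeylessSignerException("Obtained Oidc Token " + tokenIdentity + " does not match any identities in allow list");
                }
            }
            // Proof of possession: the SAN from the token signed with the key being certified.
            byte[] proofOfPossession = this.signer.sign(idToken.getSubjectAlternativeName().getBytes(StandardCharsets.UTF_8));
            CertificateRequest request = CertificateRequest.newCertificateRequest(this.signer.getPublicKey(), idToken.getIdToken(), proofOfPossession);
            CertPath issued = this.fulcioVerifier.trimTrustedParent(this.fulcioClient.signingCertificate(request));
            // Verify against the trusted root before caching; an unverified chain is never used.
            this.fulcioVerifier.verifySigningCertificate(issued);
            this.signingCert = issued;
            this.signingCertPemBytes = Certificates.toPemBytes(issued);
        } finally {
            this.lock.writeLock().unlock();
        }
    }

    /**
     * Returns whether {@code certPath} exists and its leaf stays valid for longer than
     * {@code minSigningCertificateLifetime} from now. Call with {@code lock} held.
     */
    private boolean hasSufficientLifetime(CertPath certPath) throws CertificateException {
        if (certPath == null) {
            return false;
        }
        long remainingMillis = Certificates.getLeaf(certPath).getNotAfter().getTime() - System.currentTimeMillis();
        return remainingMillis > this.minSigningCertificateLifetime.toMillis();
    }

    /** Single-digest form of {@link #sign(List)}; {@code bArr} is a SHA-256 digest. */
    @CheckReturnValue
    public Bundle sign(byte[] bArr) throws KeylessSignerException {
        return sign(List.of(bArr)).get(0);
    }

    /**
     * Hashes each file with SHA-256 and signs the digests, returning a bundle per path.
     *
     * @param list files to sign; must not be empty and must not contain the same path twice
     *     (ImmutableMap rejects duplicate keys)
     * @throws IllegalArgumentException if {@code list} is empty or contains duplicates
     * @throws KeylessSignerException if a file cannot be read or signing fails
     */
    @CheckReturnValue
    public Map<Path, Bundle> signFiles(List<Path> list) throws KeylessSignerException {
        if (list.isEmpty()) {
            throw new IllegalArgumentException("Require one or more paths");
        }
        List<byte[]> digests = new ArrayList<>(list.size());
        for (Path path : list) {
            try {
                digests.add(Files.asByteSource(path.toFile()).hash(Hashing.sha256()).asBytes());
            } catch (IOException e) {
                throw new KeylessSignerException("Failed to hash artifact " + path, e);
            }
        }
        List<Bundle> bundles = sign(digests);
        ImmutableMap.Builder<Path, Bundle> result = ImmutableMap.builder();
        for (int i = 0; i < list.size(); i++) {
            result.put(list.get(i), bundles.get(i));
        }
        return result.build();
    }

    /** Signs one file and converts the bundle to a {@link KeylessSignature}. */
    @CheckReturnValue
    public KeylessSignature signFile(Path path) throws KeylessSignerException {
        return signFiles(List.of(path)).get(path).toKeylessSignature();
    }

    // NOTE(review): the "2" suffix looks like a decompiler rename of a second signFile overload
    // that differs only in return type; kept as-is since the name is part of the visible interface.
    /** Signs one file and returns its {@link Bundle}. */
    public Bundle signFile2(Path path) throws KeylessSignerException {
        return signFiles(List.of(path)).get(path);
    }
}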
