package dev.sigstore.fulcio.client;

import com.google.common.annotations.VisibleForTesting;
import com.google.protobuf.ByteString;
import dev.sigstore.fulcio.v2.CAGrpc;
import dev.sigstore.fulcio.v2.CertificateChain;
import dev.sigstore.fulcio.v2.CreateSigningCertificateRequest;
import dev.sigstore.fulcio.v2.Credentials;
import dev.sigstore.fulcio.v2.PublicKey;
import dev.sigstore.fulcio.v2.PublicKeyRequest;
import dev.sigstore.fulcio.v2.SigningCertificate;
import dev.sigstore.http.GrpcChannels;
import dev.sigstore.http.HttpParams;
import dev.sigstore.http.ImmutableHttpParams;
import io.grpc.ManagedChannel;
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.concurrent.TimeUnit;

/* loaded from: input_file:dev/sigstore/fulcio/client/FulcioClientGrpc.class */
public class FulcioClientGrpc implements FulcioClient {
    private final HttpParams httpParams;
    private final URI uri;

    /* loaded from: input_file:dev/sigstore/fulcio/client/FulcioClientGrpc$Builder.class */
    public static class Builder {
        private URI uri = FulcioClient.PUBLIC_GOOD_URI;
        private HttpParams httpParams = ImmutableHttpParams.builder().build();

        private Builder() {
        }

        public Builder setHttpParams(HttpParams httpParams) {
            this.httpParams = httpParams;
            return this;
        }

        public Builder setUri(URI uri) {
            this.uri = uri;
            return this;
        }

        public FulcioClientGrpc build() {
            return new FulcioClientGrpc(this.httpParams, this.uri);
        }
    }

    public static Builder builder() {
        return new Builder();
    }

    private FulcioClientGrpc(HttpParams httpParams, URI uri) {
        this.uri = uri;
        this.httpParams = httpParams;
    }

    @Override // dev.sigstore.fulcio.client.FulcioClient
    public CertPath signingCertificate(CertificateRequest certificateRequest) throws InterruptedException, CertificateException {
        ManagedChannel newManagedChannel = GrpcChannels.newManagedChannel(this.uri.getAuthority(), this.httpParams);
        try {
            SigningCertificate createSigningCertificate = CAGrpc.newBlockingStub(newManagedChannel).withDeadlineAfter(this.httpParams.getTimeout(), TimeUnit.SECONDS).createSigningCertificate(CreateSigningCertificateRequest.newBuilder().setCredentials(Credentials.newBuilder().setOidcIdentityToken(certificateRequest.getIdToken()).m186build()).setPublicKeyRequest(PublicKeyRequest.newBuilder().setPublicKey(PublicKey.newBuilder().setAlgorithm(certificateRequest.getPublicKeyAlgorithm()).setContent("-----BEGIN PUBLIC KEY-----\n" + Base64.getEncoder().encodeToString(certificateRequest.getPublicKey().getEncoded()) + "\n-----END PUBLIC KEY-----").m238build()).setProofOfPossession(ByteString.copyFrom(certificateRequest.getProofOfPossession())).m265build()).m159build());
            if (createSigningCertificate.getCertificateCase() == SigningCertificate.CertificateCase.SIGNED_CERTIFICATE_DETACHED_SCT) {
                throw new CertificateException("Detached SCTs are not supported");
            }
            CertPath decodeCerts = decodeCerts(createSigningCertificate.getSignedCertificateEmbeddedSct().getChain());
            newManagedChannel.shutdownNow().awaitTermination(5L, TimeUnit.SECONDS);
            return decodeCerts;
        } catch (Throwable th) {
            newManagedChannel.shutdownNow().awaitTermination(5L, TimeUnit.SECONDS);
            throw th;
        }
    }

    @VisibleForTesting
    CertPath decodeCerts(CertificateChain certificateChain) throws CertificateException {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        ArrayList arrayList = new ArrayList();
        if (certificateChain.getCertificatesCount() == 0) {
            throw new CertificateParsingException("no valid PEM certificates were found in response from Fulcio");
        }
        Iterator it = certificateChain.mo120getCertificatesList().asByteStringList().iterator();
        while (it.hasNext()) {
            arrayList.add((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(((ByteString) it.next()).toByteArray())));
        }
        return certificateFactory.generateCertPath(arrayList);
    }
}
