package dev.sigstore.rekor.client;

import dev.sigstore.KeylessVerificationException;
import dev.sigstore.TrustedRootProvider;
import dev.sigstore.encryption.certificates.Certificates;
import dev.sigstore.tuf.SigstoreTufClient;
import java.io.IOException;
import java.nio.file.Path;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.sql.Date;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;

/* loaded from: input_file:dev/sigstore/rekor/client/RekorEntryFetcher.class */
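/**
 * Looks up the transparency-log entry for a signing event in one or more Rekor logs.
 *
 * <p>The set of logs to query is fixed at construction time, either from a trusted root (the
 * factory methods) or from an explicit client list (the public constructor).
 *
 * <p>NOTE(review): nothing in this class verifies the returned entry's inclusion proof or signed
 * entry timestamp. The only check performed here is that the signing certificate was valid at the
 * integration time the log reported. Confirm that callers verify the entry against the log's key
 * before relying on it, because that reported time is only as trustworthy as the entry itself.
 */
public class RekorEntryFetcher {
    /** Clients for the logs that will be queried, in iteration order; never modified after construction. */
    private final List<RekorClient> rekorClients;

    /**
     * Creates a fetcher for the logs listed in the Sigstore staging trusted root.
     *
     * @return a fetcher with one client per distinct log base URL in the trusted root
     * @throws IOException and the listed security exceptions if the trusted root cannot be loaded
     */
    public static RekorEntryFetcher sigstoreStaging() throws InvalidAlgorithmParameterException, CertificateException, InvalidKeySpecException, NoSuchAlgorithmException, IOException, InvalidKeyException {
        return fromTrustedRoot(TrustedRootProvider.from(SigstoreTufClient.builder().useStagingInstance()));
    }

    /**
     * Creates a fetcher for the logs listed in the Sigstore public-good trusted root.
     *
     * @return a fetcher with one client per distinct log base URL in the trusted root
     * @throws IOException and the listed security exceptions if the trusted root cannot be loaded
     */
    public static RekorEntryFetcher sigstorePublicGood() throws InvalidAlgorithmParameterException, CertificateException, InvalidKeySpecException, NoSuchAlgorithmException, IOException, InvalidKeyException {
        return fromTrustedRoot(TrustedRootProvider.from(SigstoreTufClient.builder().usePublicGoodInstance()));
    }

    /**
     * Creates a fetcher for the logs listed in a trusted root read from a local file.
     *
     * <p>No integrity check of the file is visible in this method, so the file decides which log
     * endpoints are contacted. NOTE(review): confirm whether {@code TrustedRootProvider.from(Path)}
     * validates it; otherwise the caller must make sure the path is not attacker-writable.
     *
     * @param path location of the trusted root file
     * @return a fetcher with one client per distinct log base URL in the trusted root
     * @throws IOException and the listed security exceptions if the trusted root cannot be loaded
     */
    public static RekorEntryFetcher fromTrustedRoot(Path path) throws InvalidAlgorithmParameterException, CertificateException, InvalidKeySpecException, NoSuchAlgorithmException, IOException, InvalidKeyException {
        return fromTrustedRoot(TrustedRootProvider.from(path));
    }

    /**
     * Creates a fetcher with one HTTP client per distinct log base URL in the given trusted root.
     *
     * @param trustedRootProvider source of the trusted root that lists the transparency logs
     * @return a fetcher that queries those logs in the order the trusted root lists them
     * @throws IOException and the listed security exceptions if the trusted root cannot be loaded
     */
    public static RekorEntryFetcher fromTrustedRoot(TrustedRootProvider trustedRootProvider) throws InvalidAlgorithmParameterException, CertificateException, InvalidKeySpecException, NoSuchAlgorithmException, IOException, InvalidKeyException {
        // NOTE(review): "mo1421getTLogs" looks like a decompiler-generated name (probably getTLogs
        // in the original source) - confirm before recompiling against the library.
        // Target typing makes this a List<RekorClient>, so no raw (List) cast is needed.
        List<RekorClient> clients = trustedRootProvider.get().mo1421getTLogs().stream()
                .map(tlog -> tlog.getBaseUrl())
                // Several log instances can share a base URL; query each URL only once.
                .distinct()
                .map(uri -> RekorClientHttp.builder().setUri(uri).build())
                .collect(Collectors.<RekorClient>toList());
        return new RekorEntryFetcher(clients);
    }

    /**
     * Creates a fetcher that queries exactly the given clients, in list order.
     *
     * @param list the log clients to query; copied, so later changes to the caller's list do not
     *     alter which logs this fetcher consults
     * @throws NullPointerException if {@code list} is null
     */
    public RekorEntryFetcher(List<RekorClient> list) {
        // Snapshot the list: the set of logs consulted is trust configuration and should not be
        // changeable through a reference the caller keeps.
        this.rekorClients = Collections.unmodifiableList(new ArrayList<>(Objects.requireNonNull(list, "list")));
    }

    /**
     * Returns the first log entry for the given signing event whose integration time falls within
     * the signing certificate's validity period.
     *
     * <p>Logs are queried in order. An entry whose reported integration time is outside the
     * certificate's validity window is skipped and the next log is tried.
     *
     * @param bArr first argument to {@code HashedRekordRequest.newHashedRekordRequest};
     *     presumably the artifact digest - confirm against that method
     * @param x509Certificate the signing certificate; its PEM form is used in the lookup and its
     *     validity window is checked against the entry's integration time
     * @param bArr2 third argument to {@code HashedRekordRequest.newHashedRekordRequest};
     *     presumably the signature - confirm against that method
     * @return the first matching entry whose integration time the certificate was valid at
     * @throws KeylessVerificationException if the certificate cannot be PEM-encoded, a log lookup
     *     fails, or no log holds an entry with an acceptable integration time
     */
    public RekorEntry getEntryFromRekor(byte[] bArr, X509Certificate x509Certificate, byte[] bArr2) throws KeylessVerificationException {
        final HashedRekordRequest request;
        try {
            request = HashedRekordRequest.newHashedRekordRequest(bArr, Certificates.toPemBytes(x509Certificate), bArr2);
        } catch (IOException e) {
            throw new KeylessVerificationException("Could not convert certificate to PEM when recreating hashrekord", e);
        }

        try {
            for (RekorClient client : this.rekorClients) {
                Optional<RekorEntry> entry = client.getEntry(request);
                if (!entry.isPresent()) {
                    continue;
                }
                try {
                    // java.util.Date is named explicitly: the file imports java.sql.Date, whose
                    // from(Instant) is only the static inherited from java.util.Date.
                    x509Certificate.checkValidity(java.util.Date.from(entry.get().getIntegratedTimeInstant()));
                    return entry.get();
                } catch (CertificateExpiredException | CertificateNotYetValidException ignored) {
                    // Deliberate: this log's entry was integrated outside the certificate's
                    // validity window, so it cannot vouch for the signature; try the next log.
                }
            }
        } catch (RekorParseException | IOException e) {
            // A transport or parse failure on any log aborts the lookup rather than moving on to
            // the remaining logs.
            throw new KeylessVerificationException("Could not retrieve rekor entry", e);
        }
        throw new KeylessVerificationException("No valid rekor entry was found in any known logs");
    }
}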
