package dev.sigstore.tuf;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.hash.Hashing;
import dev.sigstore.json.GsonSupplier;
import dev.sigstore.tuf.InvalidHashesException;
import dev.sigstore.tuf.encryption.Verifiers;
import dev.sigstore.tuf.model.Hashes;
import dev.sigstore.tuf.model.Key;
import dev.sigstore.tuf.model.Role;
import dev.sigstore.tuf.model.Root;
import dev.sigstore.tuf.model.RootRole;
import dev.sigstore.tuf.model.Signature;
import dev.sigstore.tuf.model.SignedTufMeta;
import dev.sigstore.tuf.model.Snapshot;
import dev.sigstore.tuf.model.SnapshotMeta;
import dev.sigstore.tuf.model.TargetMeta;
import dev.sigstore.tuf.model.Targets;
import dev.sigstore.tuf.model.Timestamp;
import dev.sigstore.tuf.model.TufMeta;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.spec.InvalidKeySpecException;
import java.time.Clock;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import org.bouncycastle.util.encoders.DecoderException;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: input_file:dev/sigstore/tuf/Updater.class */
public class Updater {
    private static final int MAX_UPDATES = 1024;
    private static final Logger log = Logger.getLogger(Updater.class.getName());
    private final Clock clock;
    private final Verifiers.Supplier verifiers;
    private final MetaFetcher metaFetcher;
    private final Fetcher targetFetcher;
    private final RootProvider trustedRootPath;
    private final TrustedMetaStore trustedMetaStore;
    private final TargetStore targetStore;
    private ZonedDateTime updateStartTime;

    /* loaded from: input_file:dev/sigstore/tuf/Updater$Builder.class */
    public static class Builder {
        private Clock clock = Clock.systemUTC();
        private Verifiers.Supplier verifiers = Verifiers::newVerifier;
        private MetaFetcher metaFetcher;
        private Fetcher targetFetcher;
        private RootProvider trustedRootPath;
        private TrustedMetaStore trustedMetaStore;
        private TargetStore targetStore;

        public Builder setClock(Clock clock) {
            this.clock = clock;
            return this;
        }

        public Builder setVerifiers(Verifiers.Supplier supplier) {
            this.verifiers = supplier;
            return this;
        }

        public Builder setTrustedMetaStore(TrustedMetaStore trustedMetaStore) {
            this.trustedMetaStore = trustedMetaStore;
            return this;
        }

        public Builder setTargetStore(TargetStore targetStore) {
            this.targetStore = targetStore;
            return this;
        }

        public Builder setTrustedRootPath(RootProvider rootProvider) {
            this.trustedRootPath = rootProvider;
            return this;
        }

        public Builder setMetaFetcher(MetaFetcher metaFetcher) {
            this.metaFetcher = metaFetcher;
            return this;
        }

        public Builder setTargetFetcher(Fetcher fetcher) {
            this.targetFetcher = fetcher;
            return this;
        }

        public Updater build() {
            return new Updater(this.clock, this.verifiers, this.metaFetcher, this.targetFetcher, this.trustedRootPath, this.trustedMetaStore, this.targetStore);
        }
    }

    Updater(Clock clock, Verifiers.Supplier supplier, MetaFetcher metaFetcher, Fetcher fetcher, RootProvider rootProvider, TrustedMetaStore trustedMetaStore, TargetStore targetStore) {
        this.clock = clock;
        this.verifiers = supplier;
        this.trustedRootPath = rootProvider;
        this.metaFetcher = metaFetcher;
        this.targetFetcher = fetcher;
        this.trustedMetaStore = trustedMetaStore;
        this.targetStore = targetStore;
    }

    public static Builder builder() {
        return new Builder();
    }

    public void update() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
        updateMeta();
        downloadTargets(this.trustedMetaStore.getTargets());
    }

    public void updateMeta() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
        updateRoot();
        Optional<Timestamp> findTimestamp = this.trustedMetaStore.findTimestamp();
        updateTimestamp();
        if (!Objects.equals(findTimestamp.orElse(null), this.trustedMetaStore.getTimestamp()) || this.trustedMetaStore.findSnapshot().isEmpty() || this.trustedMetaStore.findTargets().isEmpty()) {
            updateSnapshot();
            updateTargets();
        }
    }

    public void downloadTarget(String str) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
        TargetMeta.TargetData targetData = this.trustedMetaStore.getTargets().getSignedMeta().mo1453getTargets().get(str);
        if (targetData == null) {
            throw new TargetMetadataMissingException(str);
        }
        downloadTarget(str, targetData);
    }

    void updateRoot() throws IOException, RoleExpiredException, NoSuchAlgorithmException, InvalidKeySpecException, FileExceedsMaxLengthException, RollbackVersionException, SignatureVerificationException {
        Root root;
        this.updateStartTime = ZonedDateTime.now(this.clock);
        Optional<Root> findRoot = this.trustedMetaStore.findRoot();
        if (findRoot.isPresent()) {
            root = findRoot.get();
        } else {
            root = (Root) GsonSupplier.GSON.get().fromJson(this.trustedRootPath.get(), Root.class);
            this.trustedMetaStore.setRoot(root);
        }
        verifyDelegate(root, root);
        int version = root.getSignedMeta().getVersion();
        RootRole rootRole = root.getSignedMeta().mo1450getRoles().get(RootRole.SNAPSHOT);
        RootRole rootRole2 = root.getSignedMeta().mo1450getRoles().get(RootRole.TIMESTAMP);
        for (int i = version + 1; i < version + MAX_UPDATES; i++) {
            Optional<MetaFetchResult<Root>> rootAtVersion = this.metaFetcher.getRootAtVersion(i);
            if (rootAtVersion.isEmpty()) {
                break;
            }
            Root metaResource = rootAtVersion.get().getMetaResource();
            verifyDelegate(root, metaResource);
            verifyDelegate(metaResource, metaResource);
            if (metaResource.getSignedMeta().getVersion() != i) {
                throw new RollbackVersionException(i, metaResource.getSignedMeta().getVersion());
            }
            root = metaResource;
            this.trustedMetaStore.setRoot(root);
        }
        throwIfExpired(root.getSignedMeta().getExpiresAsDate());
        if (hasNewKeys(rootRole, root.getSignedMeta().mo1450getRoles().get(RootRole.SNAPSHOT)) || hasNewKeys(rootRole2, root.getSignedMeta().mo1450getRoles().get(RootRole.TIMESTAMP))) {
            this.trustedMetaStore.clearMetaDueToKeyRotation();
        }
    }

    private void throwIfExpired(ZonedDateTime zonedDateTime) {
        if (zonedDateTime.isBefore(this.updateStartTime)) {
            throw new RoleExpiredException(this.metaFetcher.getSource(), this.updateStartTime, zonedDateTime);
        }
    }

    private boolean hasNewKeys(RootRole rootRole, RootRole rootRole2) {
        return !rootRole2.mo1444getKeyids().stream().allMatch(str -> {
            return rootRole.mo1444getKeyids().contains(str);
        });
    }

    void verifyDelegate(Root root, SignedTufMeta<? extends TufMeta> signedTufMeta) throws SignatureVerificationException, IOException {
        verifyDelegate(signedTufMeta.mo1449getSignatures(), root.getSignedMeta().mo1451getKeys(), root.getSignedMeta().mo1450getRoles().get(signedTufMeta.getSignedMeta().getType()), signedTufMeta.getCanonicalSignedBytes());
    }

    @VisibleForTesting
    void verifyDelegate(List<Signature> list, Map<String, Key> map, Role role, byte[] bArr) throws IOException {
        HashSet hashSet = new HashSet((role.mo1444getKeyids().size() * 4) / 3);
        for (String str : role.mo1444getKeyids()) {
            List list2 = (List) list.stream().filter(signature -> {
                return signature.getKeyId().equals(str);
            }).collect(Collectors.toList());
            if (list2.size() > 1) {
                throw new DuplicateKeyIdsException(list2, str);
            }
            if (list2.size() == 1) {
                Signature signature2 = (Signature) list2.get(0);
                Key key = map.get(signature2.getKeyId());
                if (key != null) {
                    try {
                        if (this.verifiers.newVerifier(key).verify(bArr, Hex.decode(signature2.getSignature()))) {
                            hashSet.add(signature2.getKeyId());
                        } else {
                            log.log(Level.FINE, () -> {
                                return String.format(Locale.ROOT, "TUF: ignored failed signature verification: '%s' for keyid: '%s'", signature2.getSignature(), signature2.getKeyId());
                            });
                        }
                    } catch (DecoderException | InvalidKeyException | NoSuchAlgorithmException e) {
                        log.log(Level.WARNING, (Throwable) e, () -> {
                            return String.format(Locale.ROOT, "TUF: ignored invalid signature: '%s' for keyid: '%s', because '%s'", signature2.getSignature(), str, e.getMessage());
                        });
                    } catch (SignatureException e2) {
                        log.log(Level.FINE, () -> {
                            return String.format(Locale.ROOT, "TUF: ignored unverifiable signature: '%s' for keyid: '%s', because '%s'", signature2.getSignature(), signature2.getKeyId(), e2.getMessage());
                        });
                    }
                }
            }
        }
        if (hashSet.size() < role.getThreshold()) {
            throw new SignatureVerificationException(role.getThreshold(), hashSet.size());
        }
    }

    void updateTimestamp() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, FileNotFoundException, SignatureVerificationException {
        Timestamp timestamp = (Timestamp) ((MetaFetchResult) this.metaFetcher.getMeta(RootRole.TIMESTAMP, Timestamp.class).orElseThrow(() -> {
            return new FileNotFoundException("timestamp.json", this.metaFetcher.getSource());
        })).getMetaResource();
        verifyDelegate(this.trustedMetaStore.getRoot(), timestamp);
        Optional<Timestamp> findTimestamp = this.trustedMetaStore.findTimestamp();
        if (findTimestamp.isPresent()) {
            Timestamp timestamp2 = findTimestamp.get();
            if (timestamp2.getSignedMeta().getVersion() > timestamp.getSignedMeta().getVersion()) {
                throw new RollbackVersionException(timestamp2.getSignedMeta().getVersion(), timestamp.getSignedMeta().getVersion());
            }
            if (timestamp2.getSignedMeta().getVersion() == timestamp.getSignedMeta().getVersion()) {
                return;
            }
        }
        throwIfExpired(timestamp.getSignedMeta().getExpiresAsDate());
        this.trustedMetaStore.setTimestamp(timestamp);
    }

    void updateSnapshot() throws IOException, FileNotFoundException, InvalidHashesException, SignatureVerificationException, NoSuchAlgorithmException, InvalidKeySpecException {
        int version = this.trustedMetaStore.getTimestamp().getSignedMeta().getSnapshotMeta().getVersion();
        Optional meta = this.metaFetcher.getMeta(RootRole.SNAPSHOT, version, Snapshot.class, this.trustedMetaStore.getTimestamp().getSignedMeta().getSnapshotMeta().getLengthOrDefault());
        if (meta.isEmpty()) {
            throw new FileNotFoundException(version + ".snapshot.json", this.metaFetcher.getSource());
        }
        MetaFetchResult metaFetchResult = (MetaFetchResult) meta.get();
        if (this.trustedMetaStore.getTimestamp().getSignedMeta().getSnapshotMeta().getHashes().isPresent()) {
            verifyHashes(RootRole.SNAPSHOT, metaFetchResult.getRawBytes(), this.trustedMetaStore.getTimestamp().getSignedMeta().getSnapshotMeta().getHashes().get());
        }
        verifyDelegate(this.trustedMetaStore.getRoot(), metaFetchResult.getMetaResource());
        int version2 = ((Snapshot) metaFetchResult.getMetaResource()).getSignedMeta().getVersion();
        if (version2 != version) {
            throw new SnapshotVersionMismatchException(version, version2);
        }
        Optional<Snapshot> findSnapshot = this.trustedMetaStore.findSnapshot();
        if (findSnapshot.isPresent()) {
            for (Map.Entry<String, SnapshotMeta.SnapshotTarget> entry : findSnapshot.get().getSignedMeta().mo1452getMeta().entrySet()) {
                SnapshotMeta.SnapshotTarget snapshotTarget = ((Snapshot) metaFetchResult.getMetaResource()).getSignedMeta().mo1452getMeta().get(entry.getKey());
                if (snapshotTarget == null) {
                    throw new SnapshotTargetMissingException(entry.getKey());
                }
                if (snapshotTarget.getVersion() < entry.getValue().getVersion()) {
                    throw new SnapshotTargetVersionException(entry.getKey(), snapshotTarget.getVersion(), entry.getValue().getVersion());
                }
            }
        }
        throwIfExpired(((Snapshot) metaFetchResult.getMetaResource()).getSignedMeta().getExpiresAsDate());
        this.trustedMetaStore.setSnapshot((Snapshot) metaFetchResult.getMetaResource());
    }

    @VisibleForTesting
    static void verifyHashes(String str, byte[] bArr, Hashes hashes) throws InvalidHashesException {
        ArrayList arrayList = new ArrayList(2);
        String sha512 = hashes.getSha512();
        String sha256 = hashes.getSha256();
        if (sha256 == null && sha512 == null) {
            throw new IllegalArgumentException(String.format(Locale.ROOT, "hashes parameter for %s must contain at least one of sha512 or sha256.", str));
        }
        String hashCode = Hashing.sha512().hashBytes(bArr).toString();
        if (sha512 != null && !hashCode.equals(sha512)) {
            arrayList.add(new InvalidHashesException.InvalidHash("sha512", sha512, hashCode));
        }
        String hashCode2 = Hashing.sha256().hashBytes(bArr).toString();
        if (sha256 != null && !hashCode2.equals(sha256)) {
            arrayList.add(new InvalidHashesException.InvalidHash("sha256", sha256, hashCode2));
        }
        if (!arrayList.isEmpty()) {
            throw new InvalidHashesException(str, (InvalidHashesException.InvalidHash[]) arrayList.toArray(i -> {
                return new InvalidHashesException.InvalidHash[i];
            }));
        }
    }

    void updateTargets() throws IOException, FileNotFoundException, InvalidHashesException, SignatureVerificationException, NoSuchAlgorithmException, InvalidKeySpecException, FileExceedsMaxLengthException {
        SnapshotMeta.SnapshotTarget targetMeta = this.trustedMetaStore.getSnapshot().getSignedMeta().getTargetMeta("targets.json");
        Optional meta = this.metaFetcher.getMeta(RootRole.TARGETS, targetMeta.getVersion(), Targets.class, targetMeta.getLengthOrDefault());
        if (meta.isEmpty()) {
            throw new FileNotFoundException(targetMeta.getVersion() + ".targets.json", this.metaFetcher.getSource());
        }
        MetaFetchResult metaFetchResult = (MetaFetchResult) meta.get();
        if (targetMeta.getHashes().isPresent()) {
            verifyHashes(targetMeta.getVersion() + ".targets.json", metaFetchResult.getRawBytes(), targetMeta.getHashes().get());
        }
        verifyDelegate(this.trustedMetaStore.getRoot(), metaFetchResult.getMetaResource());
        int version = ((Targets) metaFetchResult.getMetaResource()).getSignedMeta().getVersion();
        int version2 = targetMeta.getVersion();
        if (version != version2) {
            throw new SnapshotVersionMismatchException(version2, version);
        }
        throwIfExpired(((Targets) metaFetchResult.getMetaResource()).getSignedMeta().getExpiresAsDate());
        this.trustedMetaStore.setTargets((Targets) metaFetchResult.getMetaResource());
    }

    void downloadTargets(Targets targets) throws IOException, TargetMetadataMissingException, FileNotFoundException {
        for (Map.Entry<String, TargetMeta.TargetData> entry : targets.getSignedMeta().mo1453getTargets().entrySet()) {
            String key = entry.getKey();
            if (entry.getValue() == null) {
                throw new TargetMetadataMissingException(key);
            }
            downloadTarget(key, entry.getValue());
        }
    }

    void downloadTarget(String str, TargetMeta.TargetData targetData) throws IOException {
        String str2 = str;
        String str3 = "";
        if (str.contains("/")) {
            Path path = Paths.get(str, new String[0]);
            str2 = path.getFileName().toString();
            str3 = path.getParent().toString();
            if (!str3.endsWith("/")) {
                str3 = str3 + "/";
            }
        }
        byte[] fetchResource = this.targetFetcher.fetchResource(targetData.getHashes().getSha512() != null ? str3 + targetData.getHashes().getSha512() + "." + str2 : str3 + targetData.getHashes().getSha256() + "." + str2, targetData.getLength());
        if (fetchResource == null) {
            throw new FileNotFoundException(str, this.targetFetcher.getSource());
        }
        verifyHashes(str, fetchResource, targetData.getHashes());
        this.targetStore.writeTarget(str, fetchResource);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    public TargetStore getTargetStore() {
        return this.targetStore;
    }

    @VisibleForTesting
    TrustedMetaStore getMetaStore() {
        return this.trustedMetaStore;
    }
}
