package dev.sigstore.tuf.encryption;

import dev.sigstore.tuf.model.Key;
import java.io.IOException;
import java.io.StringReader;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.Security;
import org.bouncycastle.asn1.edec.EdECObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.params.ECKeyParameters;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.util.PublicKeyFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.util.encoders.DecoderException;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: input_file:dev/sigstore/tuf/encryption/Verifiers.class */
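/**
 * Builds {@link Verifier} instances for the public keys listed in TUF metadata.
 *
 * <p>Key type, scheme and key material all come from the metadata being processed, so they are
 * treated as untrusted input. Only the three key type / scheme pairs handled in
 * {@link #newVerifier(Key)} are accepted; anything else is rejected with an
 * {@link InvalidKeyException} rather than falling back to a default algorithm.
 */
public class Verifiers {

    /** Size in bytes of a raw (unwrapped) Ed25519 public key. */
    private static final int ED25519_PUBLIC_KEY_LENGTH = 32;

    static {
        // Registers BouncyCastle as a JCA provider when this class is first loaded. This is a
        // JVM-wide side effect; Security.addProvider leaves an already-installed provider alone.
        Security.addProvider(new BouncyCastleProvider());
    }

    /** Pluggable factory with the same contract as {@link Verifiers#newVerifier(Key)}. */
    @FunctionalInterface
    public interface Supplier {
        Verifier newVerifier(Key key) throws IOException, InvalidKeyException;
    }

    /**
     * Creates the verifier matching the key's declared type and signature scheme.
     *
     * <p>The key material is parsed first, then the (key type, scheme) pair is matched against
     * the supported combinations. A scheme that does not belong to the key type is refused, so
     * metadata cannot pair, for example, an RSA key with an ECDSA scheme.
     *
     * @param key the TUF key entry to build a verifier for
     * @return a verifier bound to the parsed public key
     * @throws IOException if the PEM or key structure cannot be read
     * @throws InvalidKeyException if the key material is missing or malformed, or the key type
     *     and scheme combination is not supported
     */
    public static Verifier newVerifier(Key key) throws IOException, InvalidKeyException {
        PublicKey publicKey = parsePublicKey(key);
        String keyType = key.getKeyType();
        String scheme = key.getScheme();
        if ("rsa".equals(keyType) && "rsassa-pss-sha256".equals(scheme)) {
            return new RsaPssVerifier(publicKey);
        }
        if (isEcdsaKey(key) && "ecdsa-sha2-nistp256".equals(scheme)) {
            return new EcdsaVerifier(publicKey);
        }
        if ("ed25519".equals(keyType) && "ed25519".equals(scheme)) {
            return new Ed25519Verifier(publicKey);
        }
        throw new InvalidKeyException("Unsupported tuf key type and scheme combination: " + keyType + "/" + scheme);
    }

    /**
     * Decodes the key's {@code "public"} value according to its declared key type: PEM for RSA
     * and ECDSA keys, hex for Ed25519 keys.
     *
     * @throws IOException if the underlying parser or converter fails
     * @throws InvalidKeyException if the key type is unknown or the material does not decode to a
     *     key of the declared type
     */
    private static PublicKey parsePublicKey(Key key) throws IOException, InvalidKeyException {
        String keyType = key.getKeyType();
        boolean rsa = "rsa".equals(keyType);
        if (rsa || isEcdsaKey(key)) {
            return parsePemPublicKey(publicKeyMaterial(key), keyType, rsa);
        }
        if ("ed25519".equals(keyType)) {
            return parseEd25519PublicKey(publicKeyMaterial(key));
        }
        throw new InvalidKeyException("Unsupported tuf key type: " + keyType);
    }

    /**
     * Returns the {@code "public"} entry of the key value map, rejecting a missing entry with a
     * checked exception instead of letting a NullPointerException escape from the decoders.
     */
    private static String publicKeyMaterial(Key key) throws InvalidKeyException {
        // NOTE(review): mo1447getKeyVal looks like a decompiler-generated name; confirm the
        // accessor's real name against the Key model before relying on it.
        String encoded = key.mo1447getKeyVal().get("public");
        if (encoded == null) {
            throw new InvalidKeyException("tuf " + key.getKeyType() + " key has no \"public\" value");
        }
        return encoded;
    }

    /**
     * Parses a PEM encoded SubjectPublicKeyInfo and checks that the decoded key really is of the
     * declared family (RSA or EC) before converting it to a JCA {@link PublicKey}.
     */
    private static PublicKey parsePemPublicKey(String pem, String keyType, boolean rsa) throws IOException, InvalidKeyException {
        // try-with-resources closes the parser on the rejection paths as well as on success.
        try (PEMParser pemParser = new PEMParser(new StringReader(pem))) {
            Object section = pemParser.readObject();
            if (section == null) {
                throw new InvalidKeyException("tuf " + keyType + " keys must be a single PEM encoded section");
            }
            // NOTE(review): only the first PEM section is read; a trailing second section is not
            // rejected here even though the message above says "single". Confirm whether callers
            // need that enforced.
            if (section instanceof SubjectPublicKeyInfo) {
                SubjectPublicKeyInfo keyInfo = (SubjectPublicKeyInfo) section;
                AsymmetricKeyParameter decoded = PublicKeyFactory.createKey(keyInfo);
                // The declared key type must match what the encoding actually contains.
                // NOTE(review): for EC keys this checks the key family only, not that the curve
                // is P-256; confirm the curve is constrained by EcdsaVerifier or the caller.
                boolean matchesDeclaredType = rsa ? decoded instanceof RSAKeyParameters : decoded instanceof ECKeyParameters;
                if (matchesDeclaredType) {
                    return new JcaPEMKeyConverter().getPublicKey(keyInfo);
                }
            }
            throw new InvalidKeyException("Could not parse PEM section into " + keyType + " public key");
        } catch (DecoderException e) {
            throw new InvalidKeyException("Could not parse PEM section in " + keyType + " public key", e);
        }
    }

    /**
     * Decodes a hex encoded raw Ed25519 public key and wraps it in a SubjectPublicKeyInfo so the
     * JCA converter can build the {@link PublicKey}.
     */
    private static PublicKey parseEd25519PublicKey(String hexKey) throws IOException, InvalidKeyException {
        try {
            byte[] rawKey = Hex.decode(hexKey);
            // Reject wrong-sized material up front rather than depending on how the provider
            // treats short or over-long encodings.
            if (rawKey.length != ED25519_PUBLIC_KEY_LENGTH) {
                throw new InvalidKeyException("ed25519 public key must be " + ED25519_PUBLIC_KEY_LENGTH + " bytes but was " + rawKey.length);
            }
            return new JcaPEMKeyConverter().getPublicKey(new SubjectPublicKeyInfo(new AlgorithmIdentifier(EdECObjectIdentifiers.id_Ed25519), rawKey));
        } catch (DecoderException e) {
            throw new InvalidKeyException("Could not parse hex encoded ed25519 public key", e);
        }
    }

    /** Returns true for both key type spellings accepted for ECDSA keys. */
    private static boolean isEcdsaKey(Key key) {
        String keyType = key.getKeyType();
        return "ecdsa-sha2-nistp256".equals(keyType) || "ecdsa".equals(keyType);
    }
}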
