package dev.sigstore.bundle;

import com.google.common.collect.Iterables;
import com.google.protobuf.ByteString;
import com.google.protobuf.InvalidProtocolBufferException;
import com.google.protobuf.util.JsonFormat;
import dev.sigstore.bundle.Bundle;
import dev.sigstore.proto.ProtoMutators;
import dev.sigstore.proto.bundle.v1.Bundle;
import dev.sigstore.proto.bundle.v1.VerificationMaterial;
import dev.sigstore.proto.common.v1.HashOutput;
import dev.sigstore.proto.common.v1.LogId;
import dev.sigstore.proto.common.v1.MessageSignature;
import dev.sigstore.proto.rekor.v1.Checkpoint;
import dev.sigstore.proto.rekor.v1.InclusionPromise;
import dev.sigstore.proto.rekor.v1.InclusionProof;
import dev.sigstore.proto.rekor.v1.KindVersion;
import dev.sigstore.proto.rekor.v1.TransparencyLogEntry;
import dev.sigstore.rekor.client.RekorEntry;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.List;
import java.util.stream.Collectors;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:dev/sigstore/bundle/BundleWriter.class */
public class BundleWriter {
    static final JsonFormat.Printer JSON_PRINTER = JsonFormat.printer();

    BundleWriter() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static String writeBundle(Bundle bundle) {
        dev.sigstore.proto.bundle.v1.Bundle m6574build = createBundleBuilder(bundle).m6574build();
        try {
            String print = JSON_PRINTER.print(m6574build);
            List<String> findMissingFields = BundleVerifier.findMissingFields(m6574build);
            if (findMissingFields.isEmpty()) {
                return print;
            }
            throw new IllegalStateException("Some of the fields were not initialized: " + String.join(", ", findMissingFields) + "; bundle JSON: " + print);
        } catch (InvalidProtocolBufferException e) {
            throw new IllegalArgumentException("Can't serialize signing result to Sigstore Bundle JSON", e);
        }
    }

    static Bundle.Builder createBundleBuilder(Bundle bundle) {
        if (bundle.getMessageSignature().isEmpty()) {
            throw new IllegalStateException("can only serialize bundles with message signatures");
        }
        Bundle.MessageSignature messageSignature = bundle.getMessageSignature().get();
        if (messageSignature.getMessageDigest().isEmpty()) {
            throw new IllegalStateException("keyless signature must have artifact digest when serializing to bundle");
        }
        return dev.sigstore.proto.bundle.v1.Bundle.newBuilder().setMediaType(bundle.getMediaType()).setVerificationMaterial(buildVerificationMaterial(bundle)).setMessageSignature(MessageSignature.newBuilder().setMessageDigest(HashOutput.newBuilder().setAlgorithm(ProtoMutators.from(messageSignature.getMessageDigest().get().getHashAlgorithm())).setDigest(ByteString.copyFrom(messageSignature.getMessageDigest().get().getDigest()))).setSignature(ByteString.copyFrom(messageSignature.getSignature())));
    }

    private static VerificationMaterial.Builder buildVerificationMaterial(Bundle bundle) {
        Certificate certificate = (Certificate) Iterables.getLast(bundle.getCertPath().getCertificates());
        try {
            VerificationMaterial.Builder certificate2 = VerificationMaterial.newBuilder().setCertificate(ProtoMutators.fromCert((X509Certificate) certificate));
            if (bundle.mo6266getEntries().size() != 1) {
                throw new IllegalArgumentException("Exactly 1 rekor entry must be present in the signing result");
            }
            certificate2.addTlogEntries(buildTlogEntries(bundle.mo6266getEntries().get(0)));
            return certificate2;
        } catch (CertificateEncodingException e) {
            throw new IllegalArgumentException("Cannot encode certificate " + certificate, e);
        }
    }

    private static TransparencyLogEntry.Builder buildTlogEntries(RekorEntry rekorEntry) {
        TransparencyLogEntry.Builder canonicalizedBody = TransparencyLogEntry.newBuilder().setLogIndex(rekorEntry.getLogIndex()).setLogId(LogId.newBuilder().setKeyId(ByteString.fromHex(rekorEntry.getLogID()))).setKindVersion(KindVersion.newBuilder().setKind(rekorEntry.getBodyDecoded().getKind()).setVersion(rekorEntry.getBodyDecoded().getApiVersion())).setIntegratedTime(rekorEntry.getIntegratedTime()).setInclusionPromise(InclusionPromise.newBuilder().setSignedEntryTimestamp(ByteString.copyFrom(Base64.getDecoder().decode(rekorEntry.getVerification().getSignedEntryTimestamp())))).setCanonicalizedBody(ByteString.copyFrom(Base64.getDecoder().decode(rekorEntry.getBody())));
        addInclusionProof(canonicalizedBody, rekorEntry);
        return canonicalizedBody;
    }

    private static void addInclusionProof(TransparencyLogEntry.Builder builder, RekorEntry rekorEntry) {
        RekorEntry.InclusionProof inclusionProof = rekorEntry.getVerification().getInclusionProof();
        builder.setInclusionProof(InclusionProof.newBuilder().setLogIndex(inclusionProof.getLogIndex().longValue()).setRootHash(ByteString.fromHex(inclusionProof.getRootHash())).setTreeSize(inclusionProof.getTreeSize().longValue()).addAllHashes((Iterable) inclusionProof.mo7591getHashes().stream().map(ByteString::fromHex).collect(Collectors.toList())).setCheckpoint(Checkpoint.newBuilder().setEnvelope(inclusionProof.getCheckpoint())));
    }
}
