package dev.sigstore.fulcio.client;

import dev.sigstore.VerificationOptions;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.logging.Logger;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DEROctetString;

/* loaded from: input_file:dev/sigstore/fulcio/client/FulcioCertificateVerifier.class */
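public class FulcioCertificateVerifier {
    /**
     * OID of the Fulcio issuer extension. Its content is compared as the raw UTF-8 bytes found
     * inside the extension's OCTET STRING wrapper, see {@link #getExtensionValueRawUtf8}.
     */
    private static final String FULCIO_ISSUER_OID = "1.3.6.1.4.1.57264.1.1";
    private static final Logger log = Logger.getLogger(FulcioCertificateVerifier.class.getName());

    /** GeneralName tag for rfc822Name, as reported by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_TYPE_RFC822_NAME = 1;
    /** GeneralName tag for uniformResourceIdentifier, as reported by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_TYPE_URI = 6;

    /**
     * Checks that the certificate's identity (single SAN, Fulcio issuer extension and any further
     * extension values) matches at least one of the supplied identities.
     *
     * <p>Only the identity fields are compared here; chain building and trust validation are not
     * performed by this class. Comparison of the SAN and issuer is exact string equality.
     *
     * @param x509Certificate the Fulcio-issued leaf certificate to check
     * @param list candidate identities; the check succeeds on the first one that matches
     * @throws FulcioVerificationException if no identity matches, or if the certificate's SAN
     *     or a requested extension cannot be parsed
     * @throws NullPointerException if either argument is {@code null}
     */
    public void verifyCertificateMatches(X509Certificate x509Certificate, List<VerificationOptions.CertificateIdentity> list) throws FulcioVerificationException {
        Objects.requireNonNull(x509Certificate, "x509Certificate");
        Objects.requireNonNull(list, "list");
        if (list.isEmpty()) {
            throw new FulcioVerificationException("No provided certificate identities matched values in certificate");
        }
        // SAN and issuer depend on the certificate only, so parse them once instead of once per identity.
        String certSan = extractSan(x509Certificate);
        String certIssuer = getExtensionValueRawUtf8(x509Certificate, FULCIO_ISSUER_OID);
        for (VerificationOptions.CertificateIdentity identity : list) {
            if (certificateMatches(x509Certificate, certSan, certIssuer, identity)) {
                return;
            }
        }
        throw new FulcioVerificationException("No provided certificate identities matched values in certificate");
    }

    /**
     * Compares one identity against the certificate's already-extracted SAN and issuer, then
     * against every additional extension named in the identity.
     *
     * @param x509Certificate certificate whose extra extensions are read
     * @param certSan the certificate's single SAN value
     * @param certIssuer the certificate's raw Fulcio issuer value, or {@code null} if absent
     * @param certificateIdentity expected identity
     * @return {@code true} if every field of the identity equals the certificate's value
     * @throws FulcioVerificationException if an extension named by the identity cannot be parsed
     */
    private boolean certificateMatches(X509Certificate x509Certificate, String certSan, String certIssuer,
            VerificationOptions.CertificateIdentity certificateIdentity) throws FulcioVerificationException {
        if (!Objects.equals(certificateIdentity.getSubjectAlternativeName(), certSan)) {
            log.fine("san did not match (" + certSan + "," + certificateIdentity.getSubjectAlternativeName() + ")");
            return false;
        }
        if (!Objects.equals(certificateIdentity.getIssuer(), certIssuer)) {
            log.fine("issuer did not match (" + certIssuer + "," + certificateIdentity.getIssuer() + ")");
            return false;
        }
        // NOTE(review): mo6257getOther looks like a decompiler-mangled accessor name; kept as found.
        // Keys are extension OIDs, values the expected raw UTF-8 content — TODO confirm against CertificateIdentity.
        Map<String, ?> other = certificateIdentity.mo6257getOther();
        for (Map.Entry<String, ?> expected : other.entrySet()) {
            String oid = expected.getKey();
            String actual = getExtensionValueRawUtf8(x509Certificate, oid);
            if (!Objects.equals(actual, expected.getValue())) {
                log.fine(oid + " did not match (" + actual + "," + expected.getValue() + ")");
                return false;
            }
        }
        return true;
    }

    /**
     * Returns the certificate's single subject alternative name.
     *
     * @param x509Certificate certificate to read
     * @return the SAN value, which must be an rfc822Name or a URI
     * @throws FulcioVerificationException if the certificate has no SAN, more than one SAN, a SAN
     *     of another type, or the SAN extension cannot be parsed
     */
    private String extractSan(X509Certificate x509Certificate) throws FulcioVerificationException {
        Collection<List<?>> sans;
        try {
            sans = x509Certificate.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            throw new FulcioVerificationException("Could not parse SAN from fulcio certificate", e);
        }
        // getSubjectAlternativeNames() returns null, not an empty collection, when the extension is absent.
        if (sans == null || sans.isEmpty()) {
            throw new FulcioVerificationException("No SANs found in fulcio certificate");
        }
        if (sans.size() > 1) {
            throw new FulcioVerificationException("Fulcio certificate must only have 1 SAN, but found " + sans.size());
        }
        List<?> san = sans.iterator().next();
        // Each entry is [Integer generalNameType, value]; for types 1 and 6 the value is a String.
        Object type = san.get(0);
        if (Integer.valueOf(SAN_TYPE_RFC822_NAME).equals(type) || Integer.valueOf(SAN_TYPE_URI).equals(type)) {
            return (String) san.get(1);
        }
        throw new FulcioVerificationException("Fulcio certificates SAN must be of type rfc822 or URI");
    }

    /**
     * Reads an extension's content as raw UTF-8 text.
     *
     * <p>{@link X509Certificate#getExtensionValue(String)} returns the DER-encoded OCTET STRING
     * wrapping the extension content; only that wrapper is decoded. The content bytes themselves
     * are used as-is and are not interpreted as an inner DER-encoded string.
     *
     * @param x509Certificate certificate to read
     * @param oid dotted-decimal OID of the extension
     * @return the content as UTF-8 text, or {@code null} if the extension is not present
     * @throws FulcioVerificationException if the extension value is not a DER OCTET STRING or cannot be parsed
     */
    private String getExtensionValueRawUtf8(X509Certificate x509Certificate, String oid) throws FulcioVerificationException {
        byte[] extensionValue = x509Certificate.getExtensionValue(oid);
        if (extensionValue == null) {
            return null;
        }
        try {
            ASN1Primitive wrapper = ASN1Primitive.fromByteArray(extensionValue);
            if (!(wrapper instanceof DEROctetString)) {
                throw new FulcioVerificationException("Could not parse extension " + oid + " in certificate because it was not an octet string");
            }
            return new String(((DEROctetString) wrapper).getOctets(), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new FulcioVerificationException("Could not parse extension " + oid + " in certificate", e);
        }
    }
}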
