package dev.sigstore.fulcio.client;

import dev.sigstore.VerificationOptions;
import dev.sigstore.strings.StringMatcher;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.util.encoders.Hex;
import org.immutables.value.Value;

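/**
 * Matches an X.509 certificate issued by Fulcio against an expected signing identity.
 *
 * <p>A certificate matches when, in this order, its single subject alternative name satisfies
 * {@link #getSubjectAlternativeName()}, its Fulcio issuer extension satisfies {@link #getIssuer()},
 * and every extension listed in the three OID maps satisfies its configured expectation. Evaluation
 * stops at the first mismatch, which is logged at {@code FINE} together with the expected and actual
 * values.
 *
 * <p>The issuer is read from the {@code 1.3.6.1.4.1.57264.1.8} extension, whose contents are a DER
 * encoded ASN.1 string; when that extension is absent the older {@code 1.3.6.1.4.1.57264.1.1}
 * extension, whose contents are a raw UTF-8 string, is consulted instead.
 */
@Value.Immutable
public abstract class FulcioCertificateMatcher implements VerificationOptions.CertificateMatcher {
    private static final Logger log = Logger.getLogger(FulcioCertificateMatcher.class.getName());

    /** Older Fulcio issuer extension; its OCTET STRING contents are the raw UTF-8 issuer. */
    private static final String FULCIO_ISSUER_OLD_OID = "1.3.6.1.4.1.57264.1.1";
    /** Current Fulcio issuer extension; its OCTET STRING contents are a DER encoded ASN.1 string. */
    private static final String FULCIO_ISSUER_OID = "1.3.6.1.4.1.57264.1.8";

    /** GeneralName tag for {@code rfc822Name} as reported by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_TYPE_RFC822_NAME = 1;
    /** GeneralName tag for {@code uniformResourceIdentifier} in the same API. */
    private static final int SAN_TYPE_URI = 6;

    /** Expectation for the Fulcio issuer extension value. */
    public abstract StringMatcher getIssuer();

    /** Expectation for the certificate's single SAN, which must be of type rfc822 or URI. */
    public abstract StringMatcher getSubjectAlternativeName();

    /**
     * Extensions whose OCTET STRING contents are matched as a raw UTF-8 string, keyed by OID. An
     * absent extension is presented to the matcher as {@code null}. Decompiled name; the original
     * attribute is {@code getOidRawStrings}.
     */
    public abstract Map<String, StringMatcher> mo110getOidRawStrings();

    /**
     * Extensions whose OCTET STRING contents are a DER encoded ASN.1 string, matched on the decoded
     * string, keyed by OID. An absent extension is presented to the matcher as {@code null}.
     * Decompiled name; the original attribute is {@code getOidDerAsn1Strings}.
     */
    public abstract Map<String, StringMatcher> mo109getOidDerAsn1Strings();

    /**
     * Extensions compared byte-for-byte with the value returned by
     * {@link X509Certificate#getExtensionValue(String)}, keyed by OID. That value is the DER
     * encoded OCTET STRING (tag and length included), so expectations must use the same encoding.
     * An absent extension yields {@code null}, which only equals a {@code null} expectation.
     * Decompiled name; the original attribute is {@code getOidBytes}.
     */
    public abstract Map<String, byte[]> mo108getOidBytes();

    /**
     * Records a failed comparison at {@code FINE}.
     *
     * @param field name of the field or OID that failed to match
     * @param expected the configured expectation, already rendered as a string
     * @param actual the value found in the certificate, possibly {@code null}
     */
    private static void logMismatch(String field, String expected, String actual) {
        // Supplier form defers the concatenation until FINE is actually enabled.
        log.fine(() -> field + " value did not match - expected:" + expected + ", actual:" + actual);
    }

    /**
     * Appends {@code ,label:{k:v,...}} to {@code sb} for a non-empty OID map; empty maps add nothing.
     *
     * @param sb destination buffer
     * @param label name of the map in the rendered form
     * @param oids the OID-keyed expectations
     * @param render converts one expectation to its rendered form
     */
    private static <V> void appendOidMap(
            StringBuilder sb, String label, Map<String, V> oids, Function<? super V, String> render) {
        if (oids.isEmpty()) {
            return;
        }
        String entries = oids.entrySet().stream()
                .map(entry -> entry.getKey() + ":" + render.apply(entry.getValue()))
                .collect(Collectors.joining(","));
        sb.append(',').append(label).append(":{").append(entries).append('}');
    }

    /** Renders the matcher as {@code {issuer:...,san:...[,oidRawStrings:{...}][,oidDerAsn1Strings:{...}][,oidBytes:{...}]}}. */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder("{issuer:")
                .append(getIssuer())
                .append(",san:")
                .append(getSubjectAlternativeName());
        appendOidMap(sb, "oidRawStrings", mo110getOidRawStrings(), String::valueOf);
        appendOidMap(sb, "oidDerAsn1Strings", mo109getOidDerAsn1Strings(), String::valueOf);
        appendOidMap(sb, "oidBytes", mo108getOidBytes(), FulcioCertificateMatcher::hexOrNull);
        return sb.append('}').toString();
    }

    /**
     * Tests whether the certificate carries the expected identity.
     *
     * @param x509Certificate the leaf certificate to check
     * @return {@code true} when the SAN, issuer and every configured OID expectation match;
     *     {@code false} at the first mismatch
     * @throws VerificationOptions.UncheckedCertificateException when the SAN or an extension cannot
     *     be parsed, or the certificate has no usable SAN or issuer extension
     */
    @Override // dev.sigstore.VerificationOptions.CertificateMatcher, java.util.function.Predicate
    public boolean test(X509Certificate x509Certificate) throws VerificationOptions.UncheckedCertificateException {
        try {
            String san = extractSan(x509Certificate);
            if (!getSubjectAlternativeName().test(san)) {
                logMismatch("san", getSubjectAlternativeName().toString(), san);
                return false;
            }
            String issuer = extractIssuer(x509Certificate);
            if (!getIssuer().test(issuer)) {
                logMismatch("issuer", getIssuer().toString(), issuer);
                return false;
            }
            for (Map.Entry<String, StringMatcher> expected : mo110getOidRawStrings().entrySet()) {
                String actual = getExtensionValueRawUtf8(x509Certificate, expected.getKey());
                if (!expected.getValue().test(actual)) {
                    logMismatch(expected.getKey(), expected.getValue().toString(), actual);
                    return false;
                }
            }
            for (Map.Entry<String, StringMatcher> expected : mo109getOidDerAsn1Strings().entrySet()) {
                String actual = getExtensionValueDerAsn1Utf8(x509Certificate, expected.getKey());
                if (!expected.getValue().test(actual)) {
                    logMismatch(expected.getKey(), expected.getValue().toString(), actual);
                    return false;
                }
            }
            for (Map.Entry<String, byte[]> expected : mo108getOidBytes().entrySet()) {
                // Compared as the raw DER encoded extension value; no decoding on either side.
                byte[] actual = x509Certificate.getExtensionValue(expected.getKey());
                if (!Arrays.equals(actual, expected.getValue())) {
                    logMismatch(expected.getKey(), hexOrNull(expected.getValue()), hexOrNull(actual));
                    return false;
                }
            }
            return true;
        } catch (CertificateException e) {
            throw new VerificationOptions.UncheckedCertificateException("Failed to process certificate ", e);
        }
    }

    /**
     * Returns the certificate's single SAN value, which must be of type rfc822 or URI.
     *
     * @throws CertificateParsingException if the SAN extension is missing or empty, holds more than
     *     one name, holds a name of another type, or cannot be parsed
     */
    private String extractSan(X509Certificate x509Certificate) throws CertificateParsingException {
        try {
            Collection<List<?>> sans = x509Certificate.getSubjectAlternativeNames();
            // getSubjectAlternativeNames() returns null when the certificate has no SAN extension at
            // all; treat that like an empty collection rather than failing with a NullPointerException.
            if (sans == null || sans.isEmpty()) {
                throw new CertificateParsingException("No SANs found in fulcio certificate");
            }
            if (sans.size() > 1) {
                throw new CertificateParsingException("Fulcio certificate must only have 1 SAN, but found " + sans.size());
            }
            List<?> san = sans.iterator().next();
            // Each entry is [Integer type, value]; the value is a String only for the types accepted below.
            int type = (Integer) san.get(0);
            if (type == SAN_TYPE_RFC822_NAME || type == SAN_TYPE_URI) {
                return (String) san.get(1);
            }
            throw new CertificateParsingException("Fulcio certificates SAN must be of type rfc822 or URI");
        } catch (CertificateParsingException e) {
            // Wraps the structural failures above as well, so callers see which field failed.
            throw new CertificateParsingException("Could not parse SAN from fulcio certificate", e);
        }
    }

    /**
     * Returns the Fulcio issuer, preferring the DER encoded {@code .1.8} extension and falling back
     * to the raw UTF-8 {@code .1.1} extension.
     *
     * @throws CertificateParsingException if neither extension is present or one cannot be parsed
     */
    private String extractIssuer(X509Certificate x509Certificate) throws CertificateParsingException {
        String issuer = getExtensionValueDerAsn1Utf8(x509Certificate, FULCIO_ISSUER_OID);
        if (issuer == null) {
            issuer = getExtensionValueRawUtf8(x509Certificate, FULCIO_ISSUER_OLD_OID);
        }
        if (issuer == null) {
            throw new CertificateParsingException("No issuer found in fulcio certificate");
        }
        return issuer;
    }

    /**
     * Returns the contents of an extension's OCTET STRING wrapper, or {@code null} if the extension
     * is absent. {@link X509Certificate#getExtensionValue(String)} hands back the DER encoded OCTET
     * STRING, so one level of ASN.1 decoding is needed before the extension's own value is visible.
     *
     * @throws CertificateParsingException if the value is not a DER OCTET STRING or cannot be decoded
     */
    private static byte[] extensionOctets(X509Certificate x509Certificate, String oid) throws CertificateParsingException {
        byte[] encoded = x509Certificate.getExtensionValue(oid);
        if (encoded == null) {
            return null;
        }
        try {
            ASN1Primitive wrapper = ASN1Primitive.fromByteArray(encoded);
            if (!(wrapper instanceof DEROctetString)) {
                throw new CertificateParsingException("Could not parse extension " + oid + " in certificate because it was not a properly formatted extension sequence");
            }
            return ((DEROctetString) wrapper).getOctets();
        } catch (IOException e) {
            throw new CertificateParsingException("Could not parse extension " + oid + " in certificate", e);
        }
    }

    /**
     * Returns the extension's OCTET STRING contents decoded as UTF-8, or {@code null} if absent.
     * The bytes are not validated: malformed UTF-8 sequences are replaced by the String constructor
     * rather than rejected.
     */
    private String getExtensionValueRawUtf8(X509Certificate x509Certificate, String oid) throws CertificateParsingException {
        byte[] octets = extensionOctets(x509Certificate, oid);
        return octets == null ? null : new String(octets, StandardCharsets.UTF_8);
    }

    /**
     * Returns the extension's OCTET STRING contents decoded as a DER ASN.1 string, or {@code null}
     * if absent. Any BouncyCastle string type is accepted ({@link ASN1String} is their common
     * interface), not only UTF8String.
     *
     * @throws CertificateParsingException if the wrapper or the inner value is not what is expected
     */
    private String getExtensionValueDerAsn1Utf8(X509Certificate x509Certificate, String oid) throws CertificateParsingException {
        byte[] octets = extensionOctets(x509Certificate, oid);
        if (octets == null) {
            return null;
        }
        try {
            ASN1Primitive inner = ASN1Primitive.fromByteArray(octets);
            if (!(inner instanceof ASN1String)) {
                throw new CertificateParsingException("Could not parse extension " + oid + " in certificate because it was not a DER encoded ASN.1 string");
            }
            return ((ASN1String) inner).getString();
        } catch (IOException e) {
            throw new CertificateParsingException("Could not parse extension " + oid + " in certificate", e);
        }
    }

    /** Renders bytes as {@code 'hex: ...'} for log and toString output, or {@code NULL} when absent. */
    private static String hexOrNull(byte[] bytes) {
        return bytes == null ? "NULL" : "'hex: " + Hex.toHexString(bytes) + "'";
    }
}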
