package dev.sigstore.bundle;

import com.google.protobuf.util.JsonFormat;
import dev.sigstore.bundle.Bundle;
import dev.sigstore.bundle.ImmutableBundle;
import dev.sigstore.bundle.ImmutableDsseEnvelope;
import dev.sigstore.proto.ProtoMutators;
import dev.sigstore.proto.bundle.v1.Bundle;
import dev.sigstore.proto.common.v1.HashAlgorithm;
import dev.sigstore.proto.common.v1.RFC3161SignedTimestamp;
import dev.sigstore.proto.rekor.v1.InclusionProof;
import dev.sigstore.proto.rekor.v1.TransparencyLogEntry;
import dev.sigstore.rekor.client.ImmutableInclusionProof;
import dev.sigstore.rekor.client.ImmutableRekorEntry;
import dev.sigstore.rekor.client.ImmutableVerification;
import io.intoto.EnvelopeOuterClass;
import java.io.IOException;
import java.io.Reader;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: input_file:dev/sigstore/bundle/BundleReader.class */
class BundleReader {
    BundleReader() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Bundle readBundle(Reader reader) throws BundleParseException {
        CertPath certPath;
        Bundle.Builder newBuilder = dev.sigstore.proto.bundle.v1.Bundle.newBuilder();
        try {
            JsonFormat.parser().merge(reader, newBuilder);
            dev.sigstore.proto.bundle.v1.Bundle m408build = newBuilder.m408build();
            ImmutableBundle.Builder builder = ImmutableBundle.builder();
            if (!Bundle.SUPPORTED_MEDIA_TYPES.contains(m408build.getMediaType())) {
                throw new BundleParseException("Unsupported bundle media type: " + m408build.getMediaType());
            }
            builder.mediaType(m408build.getMediaType());
            if (m408build.getVerificationMaterial().getTlogEntriesCount() == 0) {
                throw new BundleParseException("Could not find any tlog entries in bundle json");
            }
            for (TransparencyLogEntry transparencyLogEntry : m408build.getVerificationMaterial().getTlogEntriesList()) {
                if (!transparencyLogEntry.hasInclusionProof()) {
                    throw new BundleParseException("Could not find an inclusion proof");
                }
                InclusionProof inclusionProof = transparencyLogEntry.getInclusionProof();
                builder.addEntries(ImmutableRekorEntry.builder().integratedTime(transparencyLogEntry.getIntegratedTime()).logID(Hex.toHexString(transparencyLogEntry.getLogId().getKeyId().toByteArray())).logIndex(transparencyLogEntry.getLogIndex()).body(Base64.getEncoder().encodeToString(transparencyLogEntry.getCanonicalizedBody().toByteArray())).verification(ImmutableVerification.builder().signedEntryTimestamp(Base64.getEncoder().encodeToString(transparencyLogEntry.getInclusionPromise().getSignedEntryTimestamp().toByteArray())).inclusionProof(ImmutableInclusionProof.builder().logIndex(Long.valueOf(inclusionProof.getLogIndex())).rootHash(Hex.toHexString(inclusionProof.getRootHash().toByteArray())).treeSize(Long.valueOf(inclusionProof.getTreeSize())).checkpoint(inclusionProof.getCheckpoint().getEnvelope()).addAllHashes((Iterable) inclusionProof.getHashesList().stream().map((v0) -> {
                    return v0.toByteArray();
                }).map(Hex::toHexString).collect(Collectors.toList())).build()).build()).build());
            }
            if (m408build.hasDsseEnvelope()) {
                EnvelopeOuterClass.Envelope dsseEnvelope = m408build.getDsseEnvelope();
                ImmutableDsseEnvelope.Builder payloadType = ImmutableDsseEnvelope.builder().payload(dsseEnvelope.getPayload().toByteArray()).payloadType(dsseEnvelope.getPayloadType());
                for (int i = 0; i < dsseEnvelope.getSignaturesCount(); i++) {
                    payloadType.addSignatures(ImmutableSignature.builder().sig(dsseEnvelope.getSignatures(i).getSig().toByteArray()).build());
                }
                builder.dsseEnvelope(payloadType.build());
            } else {
                if (!m408build.hasMessageSignature()) {
                    throw new BundleParseException("A MessageSignature or DSSEEnvelope must be provided");
                }
                byte[] byteArray = m408build.getMessageSignature().getSignature().toByteArray();
                if (m408build.getMessageSignature().hasMessageDigest()) {
                    HashAlgorithm algorithm = m408build.getMessageSignature().getMessageDigest().getAlgorithm();
                    if (algorithm != HashAlgorithm.SHA2_256) {
                        throw new BundleParseException("Cannot read message digests of type " + algorithm + ", only " + HashAlgorithm.SHA2_256 + " is supported");
                    }
                    builder.messageSignature(ImmutableMessageSignature.builder().messageDigest(ImmutableMessageDigest.builder().hashAlgorithm(Bundle.HashAlgorithm.SHA2_256).digest(m408build.getMessageSignature().getMessageDigest().getDigest().toByteArray()).build()).signature(byteArray).build());
                } else {
                    builder.messageSignature(ImmutableMessageSignature.builder().signature(byteArray).build());
                }
            }
            try {
                if (m408build.getVerificationMaterial().hasCertificate()) {
                    certPath = ProtoMutators.toCertPath(List.of(m408build.getVerificationMaterial().getCertificate()));
                } else {
                    if (!m408build.getVerificationMaterial().hasX509CertificateChain()) {
                        if (m408build.getVerificationMaterial().hasPublicKey()) {
                            throw new BundleParseException("Plain public keys are not supported by this client");
                        }
                        throw new BundleParseException("Could not find a certificate or certificate chain");
                    }
                    certPath = ProtoMutators.toCertPath(m408build.getVerificationMaterial().getX509CertificateChain().getCertificatesList());
                }
                builder.certPath(certPath);
                if (m408build.getVerificationMaterial().hasTimestampVerificationData()) {
                    Iterator<RFC3161SignedTimestamp> it = m408build.getVerificationMaterial().getTimestampVerificationData().getRfc3161TimestampsList().iterator();
                    while (it.hasNext()) {
                        builder.addTimestamps(ImmutableTimestamp.builder().rfc3161Timestamp(it.next().toByteArray()).build());
                    }
                }
                return builder.build();
            } catch (CertificateException e) {
                throw new BundleParseException("Could not parse bundle certificate chain", e);
            }
        } catch (IOException e2) {
            throw new BundleParseException("Could not process bundle json", e2);
        }
    }
}
