package dev.sigstore.plugin;

import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
import com.google.api.client.auth.oauth2.BearerToken;
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.auth.oauth2.TokenResponse;
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.apache.v2.ApacheHttpTransport;
import com.google.api.client.http.json.JsonHttpContent;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.PemReader;
import com.google.api.client.util.store.MemoryDataStoreFactory;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.InvalidObjectException;
import java.io.Writer;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.CertPath;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.zip.ZipFile;
import jdk.security.jarsigner.JarSigner;
import org.apache.commons.io.output.TeeOutputStream;
import org.apache.commons.validator.routines.EmailValidator;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.project.MavenProject;
import org.apache.maven.shared.jarsigner.JarSignerUtil;

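/**
 * Maven goal {@code jarsign}: signs the project's JAR with a short-lived, identity-bound
 * certificate obtained from Sigstore ("keyless" signing) and records the signed JAR in the
 * Rekor transparency log.
 *
 * <p>The goal runs these steps in order (see {@link #execute()}):
 * <ol>
 *   <li>generate an ephemeral key pair ({@link #generateKeyPair}),</li>
 *   <li>log the developer in through an OIDC authorization-code flow and obtain a verified
 *       ID token ({@link #getIDToken}),</li>
 *   <li>sign the email address carried by that token with the private key as proof of
 *       possession ({@link #signEmailAddress}),</li>
 *   <li>exchange ID token, public key and proof for a certificate chain from Fulcio
 *       ({@link #getSigningCert}),</li>
 *   <li>sign the JAR with {@code jarsigner} ({@link #signJarFile}), write the leaf certificate
 *       to disk ({@link #writeSigningCertToFile}) and upload the signed JAR to Rekor
 *       ({@link #submitToRekor}).</li>
 * </ol>
 *
 * <p>This class never writes the private key anywhere; only the certificate is written to
 * {@code output-signing-cert}.
 */
@Mojo(name = "jarsign", defaultPhase = LifecyclePhase.PACKAGE)
public class JarSign extends AbstractMojo {

    /** Current project; used to locate the built artifact when {@code input-jar} is unset. */
    @Parameter(defaultValue = "${project}", readonly = true, required = true)
    private MavenProject project;

    /** JAR to sign. Defaults to the project's main artifact. */
    @Parameter(property = "input-jar")
    private File inputJar;

    /** Where to write the signed JAR. When unset the input JAR is overwritten in place. */
    @Parameter(property = "output-signed-jar")
    private File outputSignedJar;

    /** Path for the PEM-encoded leaf certificate. The file must not already exist. */
    @Parameter(defaultValue = "${project.build.directory}/signingCert.pem", property = "output-signing-cert", required = true)
    private File outputSigningCert;

    /** Signer name (the {@code META-INF/<name>.SF} base name) passed to {@code jarsigner}. */
    @Parameter(defaultValue = "sigstore", property = "signer-name", required = true)
    private String signerName;

    /** Key algorithm for the ephemeral key pair. Only {@code EC} is supported. */
    @Parameter(defaultValue = "EC", property = "signing-algorithm", required = true)
    private String signingAlgorithm;

    /** Curve name used with {@code signing-algorithm}. */
    @Parameter(defaultValue = "secp256r1", property = "signing-algorithm-spec", required = true)
    private String signingAlgorithmSpec;

    /**
     * When {@code false}, TLS hostname verification is disabled for all outbound HTTP calls
     * (see {@link #getHttpTransport()}). Intended for local test instances only.
     */
    @Parameter(defaultValue = "true", property = "ssl-verification", required = true)
    private boolean sslVerfication;

    /** Base URL of the Fulcio certificate authority. */
    @Parameter(defaultValue = "https://fulcio.sigstore.dev", property = "fulcio-instance-url", required = true)
    private URL fulcioInstanceURL;

    /** Request the OIDC device-code flow instead of the browser flow. Not implemented here. */
    @Parameter(defaultValue = "false", property = "oidc-device-code", required = true)
    private boolean oidcDeviceCodeFlow;

    /** OIDC client id; also the audience the ID token must be issued for. */
    @Parameter(defaultValue = "sigstore", property = "oidc-client-id", required = true)
    private String oidcClientID;

    /** OIDC authorization endpoint. */
    @Parameter(defaultValue = "https://oauth2.sigstore.dev/auth/auth", property = "oidc-auth-url", required = true)
    private URL oidcAuthURL;

    /** OIDC token endpoint. */
    @Parameter(defaultValue = "https://oauth2.sigstore.dev/auth/token", property = "oidc-token-url", required = true)
    private URL oidcTokenURL;

    /** OIDC device-code endpoint. Currently unused (device-code flow is not implemented). */
    @Parameter(defaultValue = "https://oauth2.sigstore.dev/auth/device/code", property = "oidc-device-code-url", required = true)
    private URL oidcDeviceCodeURL;

    /** Base URL of the Rekor transparency log. */
    @Parameter(defaultValue = "https://rekor.sigstore.dev", property = "rekor-instance-url", required = true)
    private URL rekorInstanceURL;

    /**
     * Expected email identity. Optional: when unset it is filled from the verified ID token;
     * when set the token's {@code email} claim must match it.
     */
    @Parameter(property = "email-address")
    private String emailAddress;

    /** RFC 3161 timestamp authority used by {@code jarsigner}; skipped when empty. */
    @Parameter(defaultValue = "https://rekor.sigstore.dev/api/v1/timestamp", property = "tsa-url", required = true)
    private URL tsaURL;

    /**
     * Runs the full keyless signing flow.
     *
     * <p>The OIDC login happens before the proof-of-possession signature on purpose: when
     * {@code email-address} is not configured, {@link #getIDToken} fills {@link #emailAddress}
     * from the verified token, and {@link #signEmailAddress} needs that value.
     *
     * @throws MojoExecutionException if any step fails
     */
    public void execute() throws MojoExecutionException {
        KeyPair keyPair = generateKeyPair(this.signingAlgorithm, this.signingAlgorithmSpec);
        String rawIdToken = getIDToken(this.emailAddress);
        String signedEmail = signEmailAddress(this.emailAddress, keyPair.getPrivate());
        CertPath signingCert = getSigningCert(signedEmail, keyPair.getPublic(), rawIdToken);
        byte[] signedJar = signJarFile(keyPair.getPrivate(), signingCert);
        writeSigningCertToFile(signingCert, this.outputSigningCert);
        submitToRekor(signedJar);
    }

    /**
     * Generates the ephemeral signing key pair.
     *
     * @param algorithm     JCA key algorithm; only {@code "EC"} is accepted
     * @param algorithmSpec curve name handed to {@link ECGenParameterSpec}
     * @return a freshly generated key pair
     * @throws MojoExecutionException if the algorithm is unknown or unsupported, or generation fails
     */
    public KeyPair generateKeyPair(String algorithm, String algorithmSpec) throws MojoExecutionException {
        getLog().info(String.format("generating keypair using %s with %s parameters", algorithm, algorithmSpec));
        try {
            // getInstance() first so an unknown algorithm surfaces as NoSuchAlgorithmException
            KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm);
            // Only EC is supported: the spec is interpreted as a named curve. Anything else is
            // rejected instead of being initialised with provider defaults.
            if (!"EC".equals(algorithm)) {
                throw new IllegalArgumentException(String.format("unable to create signing algorithm spec for signing algorithm %s", algorithm));
            }
            generator.initialize(new ECGenParameterSpec(algorithmSpec), new SecureRandom());
            return generator.generateKeyPair();
        } catch (Exception e) {
            throw new MojoExecutionException("Error creating keypair:", e);
        }
    }

    /**
     * Signs the email address with the private key as proof of possession for Fulcio.
     *
     * @param emailAddress address to sign; must be a syntactically valid email address
     * @param privateKey   EC private key matching the public key sent to Fulcio
     * @return Base64 (standard alphabet) of the {@code SHA256withECDSA} signature over the
     *         UTF-8 bytes of {@code emailAddress}
     * @throws MojoExecutionException if an argument is missing or invalid, the key is not an
     *                                EC key, or signing fails
     */
    public String signEmailAddress(String emailAddress, PrivateKey privateKey) throws MojoExecutionException {
        try {
            if (privateKey == null) {
                throw new IllegalArgumentException("private key must be specified");
            }
            if (emailAddress == null) {
                throw new IllegalArgumentException("email address must not be null");
            }
            if (!EmailValidator.getInstance().isValid(emailAddress)) {
                throw new IllegalArgumentException(String.format("email address specified '%s' is invalid", emailAddress));
            }
            getLog().info(String.format("signing email address '%s' as proof of possession of private key", emailAddress));
            String keyAlgorithm = privateKey.getAlgorithm();
            if (!"EC".equals(keyAlgorithm)) {
                throw new NoSuchAlgorithmException(String.format("unable to generate signature for signing algorithm %s", keyAlgorithm));
            }
            Signature signature = Signature.getInstance("SHA256withECDSA");
            signature.initSign(privateKey);
            // explicit charset: the bytes must not depend on the platform default encoding
            signature.update(emailAddress.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(signature.sign());
        } catch (Exception e) {
            throw new MojoExecutionException(String.format("Error signing '%s': %s", emailAddress, e.getMessage()), e);
        }
    }

    /**
     * Builds the HTTP transport used for the OIDC, Fulcio and Rekor calls.
     *
     * <p>When {@code ssl-verification} is {@code false} the Apache client is given
     * {@link NoopHostnameVerifier}. That only skips the hostname match against the server
     * certificate (the chain is still validated against the JVM trust store), but it lets any
     * holder of a trusted certificate impersonate the endpoints, so it should only be used
     * against local test instances.
     *
     * @return a new transport; callers do not need to close it
     */
    public HttpTransport getHttpTransport() {
        HttpClientBuilder clientBuilder = ApacheHttpTransport.newDefaultHttpClientBuilder();
        if (!this.sslVerfication) {
            clientBuilder = clientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
        }
        return new ApacheHttpTransport(clientBuilder.build());
    }

    /**
     * Obtains an OIDC ID token for the developer via the browser-based authorization-code
     * flow (with PKCE) and verifies it.
     *
     * <p>The verifier pins the token's audience to {@link #oidcClientID}; the {@code email}
     * claim must match {@code expectedEmailAddress} when one is given, and an explicit
     * {@code email_verified=false} is rejected. A missing {@code email_verified} claim is
     * tolerated here (NOTE(review): consider requiring an explicit {@code true}).
     *
     * <p>Side effect: {@link #emailAddress} is set to the token's {@code email} claim.
     *
     * @param expectedEmailAddress email the token must be issued for, or {@code null} to accept
     *                             whichever verified identity the user logs in with
     * @return the raw (compact JWS) ID token, as handed to Fulcio
     * @throws MojoExecutionException if the login fails, the device-code flow was requested, or
     *                                the token does not verify
     */
    public String getIDToken(String expectedEmailAddress) throws MojoExecutionException {
        try {
            if (this.oidcDeviceCodeFlow) {
                // There is no device-code implementation in this class; fail clearly instead of
                // dereferencing the token that the browser flow would have stored.
                throw new UnsupportedOperationException("OIDC device code flow is not implemented; set oidc-device-code=false");
            }
            GsonFactory jsonFactory = new GsonFactory();
            HttpTransport transport = getHttpTransport();
            // in-memory only: the credential and ID token are never persisted to disk
            final MemoryDataStoreFactory dataStoreFactory = new MemoryDataStoreFactory();
            AuthorizationCodeFlow flow = new AuthorizationCodeFlow.Builder(
                    BearerToken.authorizationHeaderAccessMethod(),
                    transport,
                    jsonFactory,
                    new GenericUrl(this.oidcTokenURL.toString()),
                    new ClientParametersAuthentication(this.oidcClientID, (String) null),
                    this.oidcClientID,
                    this.oidcAuthURL.toString())
                .enablePKCE()
                .setScopes(List.of("openid", "email"))
                .setCredentialCreatedListener((Credential credential, TokenResponse tokenResponse) -> {
                    Object idToken = tokenResponse.get("id_token");
                    if (idToken == null) {
                        throw new IOException("token response did not contain an id_token");
                    }
                    dataStoreFactory.getDataStore("user").set("id_token", idToken.toString());
                })
                .build();
            // LocalServerReceiver opens a loopback listener for the redirect and drives the browser
            new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver()).authorize("user");

            String rawIdToken = (String) dataStoreFactory.getDataStore("user").get("id_token");
            if (rawIdToken == null) {
                throw new InvalidObjectException("no id token was obtained from the OIDC flow");
            }
            IdToken idToken = IdToken.parse(jsonFactory, rawIdToken);
            // OIDC Core 3.1.3.7: the client must check that aud contains its own client id
            IdTokenVerifier verifier = new IdTokenVerifier.Builder()
                .setAudience(List.of(this.oidcClientID))
                .build();
            if (!verifier.verify(idToken)) {
                throw new InvalidObjectException("id token could not be verified");
            }
            String tokenEmail = (String) idToken.getPayload().get("email");
            Boolean emailVerified = (Boolean) idToken.getPayload().get("email_verified");
            if (tokenEmail == null) {
                throw new InvalidObjectException("id token does not carry an email claim");
            }
            if (expectedEmailAddress != null && !expectedEmailAddress.equals(tokenEmail)) {
                throw new InvalidObjectException(String.format("email in ID token '%s' does not match address specified to plugin '%s'", tokenEmail, expectedEmailAddress));
            }
            if (Boolean.FALSE.equals(emailVerified)) {
                throw new InvalidObjectException(String.format("identity provider '%s' reports email address '%s' has not been verified", idToken.getPayload().getIssuer(), tokenEmail));
            }
            this.emailAddress = tokenEmail;
            return rawIdToken;
        } catch (Exception e) {
            throw new MojoExecutionException("Error obtaining OIDC ID token:", e);
        }
    }

    /**
     * Requests a signing certificate chain from Fulcio.
     *
     * <p>Posts the Base64 public key and the proof-of-possession signature to
     * {@code /api/v1/signingCert}, authenticated with the ID token, and parses the
     * {@code application/pem-certificate-chain} response into a {@link CertPath}.
     *
     * @param signedEmailAddress Base64 signature from {@link #signEmailAddress}
     * @param publicKey          public half of the ephemeral key pair
     * @param rawIdToken         ID token from {@link #getIDToken}
     * @return the certificate chain, leaf first as returned by Fulcio
     * @throws MojoExecutionException on a non-201 response, an empty chain, or any I/O or
     *                                parsing failure
     */
    public CertPath getSigningCert(String signedEmailAddress, PublicKey publicKey, String rawIdToken) throws MojoExecutionException {
        try {
            HttpTransport transport = getHttpTransport();
            Map<String, Object> publicKeyJson = new HashMap<>();
            publicKeyJson.put("content", Base64.getEncoder().encodeToString(publicKey.getEncoded()));
            if ("EC".equals(publicKey.getAlgorithm())) {
                publicKeyJson.put("algorithm", "ecdsa");
            }
            Map<String, Object> body = new HashMap<>();
            body.put("signedEmailAddress", signedEmailAddress);
            body.put("publicKey", publicKeyJson);
            JsonHttpContent content = new JsonHttpContent(new GsonFactory(), body);

            GenericUrl url = new GenericUrl(this.fulcioInstanceURL + "/api/v1/signingCert");
            HttpRequest request = transport.createRequestFactory().buildPostRequest(url, content);
            request.getHeaders().set("Accept", "application/pem-certificate-chain");
            request.getHeaders().set("Authorization", "Bearer " + rawIdToken);
            getLog().info("requesting signing certificate");
            HttpResponse response = request.execute();
            if (response.getStatusCode() != 201) {
                throw new IOException(String.format("bad response from fulcio @ '%s' : %s", url, response.parseAsString()));
            }

            getLog().info("parsing signing certificate");
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            List<X509Certificate> chain = new ArrayList<>();
            try (InputStreamReader reader = new InputStreamReader(response.getContent(), StandardCharsets.UTF_8)) {
                PemReader pemReader = new PemReader(reader);
                for (PemReader.Section section = pemReader.readNextSection(); section != null; section = pemReader.readNextSection()) {
                    chain.add((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(section.getBase64DecodedBytes())));
                }
            }
            if (chain.isEmpty()) {
                throw new IOException("no certificates were found in response from Fulcio instance");
            }
            return certificateFactory.generateCertPath(chain);
        } catch (Exception e) {
            throw new MojoExecutionException(String.format("Error obtaining signing certificate from Fulcio @%s:", this.fulcioInstanceURL), e);
        }
    }

    /**
     * Signs the JAR with {@code jarsigner} using the ephemeral key and the Fulcio chain.
     *
     * <p>Output goes to {@code output-signed-jar} when set; otherwise the JAR is signed into a
     * temp file next to the input and moved over it after all handles are closed. The signed
     * bytes are also kept in memory (the whole archive) because {@link #submitToRekor} needs
     * them. A timestamp authority is used only when {@code tsa-url} is non-empty.
     *
     * @param privateKey ephemeral private key
     * @param certPath   certificate chain from Fulcio
     * @return the bytes of the signed JAR
     * @throws MojoExecutionException if signing, writing or the post-signing check fails
     */
    public byte[] signJarFile(PrivateKey privateKey, CertPath certPath) throws MojoExecutionException {
        try {
            File unsignedJar = this.inputJar != null ? this.inputJar : this.project.getArtifact().getFile();
            getLog().info("signing (with jarsigner) JAR file " + unsignedJar.getAbsolutePath());
            boolean replaceInput = this.outputSignedJar == null;
            // same directory as the input so the final move stays on one filesystem
            File target = replaceInput
                ? File.createTempFile("signingTemp", ".jar", unsignedJar.getParentFile())
                : this.outputSignedJar;

            JarSigner.Builder builder = new JarSigner.Builder(privateKey, certPath)
                .digestAlgorithm("SHA-256")
                .signatureAlgorithm("SHA256withECDSA")
                .setProperty("internalsf", "true")
                .signerName(this.signerName)
                .eventHandler((action, path) -> getLog().debug(String.format("%s %s", action, path)));
            // attach the TSA only when one is configured (an empty URL means "no timestamping")
            if (this.tsaURL != null && !this.tsaURL.toString().isEmpty()) {
                builder = builder.tsa(this.tsaURL.toURI());
            }
            JarSigner signer = builder.build();

            ByteArrayOutputStream signedBytes = new ByteArrayOutputStream();
            boolean signed = false;
            try (ZipFile zipFile = new ZipFile(unsignedJar);
                 FileOutputStream fileOut = new FileOutputStream(target);
                 TeeOutputStream tee = new TeeOutputStream(fileOut, signedBytes)) {
                signer.sign(zipFile, tee);
                signed = true;
            } finally {
                // do not leave a partially written temp JAR behind on failure
                if (!signed && replaceInput && !target.delete()) {
                    getLog().debug("could not remove partial temp file " + target.getAbsolutePath());
                }
            }

            File signedJar = target;
            if (replaceInput) {
                try {
                    Files.move(target.toPath(), unsignedJar.toPath(), StandardCopyOption.REPLACE_EXISTING);
                } catch (IOException e) {
                    throw new IOException("error overwriting unsigned JAR", e);
                }
                signedJar = unsignedJar;
            }
            getLog().info("wrote signed JAR to " + signedJar.getAbsolutePath());
            // an IOException (not a JVM Error) so the outer catch wraps it in MojoExecutionException
            if (!JarSignerUtil.isArchiveSigned(signedJar)) {
                throw new IOException("JAR signing verification failed: archive does not contain signature");
            }
            return signedBytes.toByteArray();
        } catch (Exception e) {
            throw new MojoExecutionException("Error signing JAR file:", e);
        }
    }

    /**
     * Writes the leaf (signing) certificate of {@code certPath} to {@code file} as PEM.
     *
     * <p>Only the first certificate of the path is written, not the full chain. The file is
     * created with {@code CREATE_NEW}, so an existing file is never overwritten and the
     * existence check cannot race with the write.
     *
     * @param certPath chain from Fulcio; must contain at least one certificate
     * @param file     destination path
     * @throws MojoExecutionException if the file already exists or cannot be written
     */
    public void writeSigningCertToFile(CertPath certPath, File file) throws MojoExecutionException {
        getLog().info("writing signing certificate to " + file.getAbsolutePath());
        try {
            if (certPath.getCertificates().isEmpty()) {
                throw new IllegalArgumentException("certificate path contains no certificates");
            }
            String lineSeparator = System.getProperty("line.separator");
            byte[] leafDer = certPath.getCertificates().get(0).getEncoded();
            String pem = "-----BEGIN CERTIFICATE-----" + lineSeparator
                + new String(Base64.getMimeEncoder(64, lineSeparator.getBytes(StandardCharsets.UTF_8)).encode(leafDer), StandardCharsets.UTF_8)
                + lineSeparator + "-----END CERTIFICATE-----";
            try (Writer writer = Files.newBufferedWriter(file.toPath(), StandardCharsets.UTF_8, StandardOpenOption.CREATE_NEW)) {
                writer.write(pem);
            } catch (FileAlreadyExistsException e) {
                throw new IOException(String.format("file at %s already exists; will not overwrite", file.getAbsolutePath()), e);
            }
        } catch (Exception e) {
            throw new MojoExecutionException(String.format("Error writing signing certificate to file '%s':", file.getAbsolutePath()), e);
        }
    }

    /**
     * Records the signed JAR in the Rekor transparency log as a {@code jar} entry.
     *
     * @param signedJar bytes of the signed JAR (as returned by {@link #signJarFile})
     * @return URL of the created log entry, resolved from the response's {@code Location}
     * @throws MojoExecutionException on a non-201 response, a missing {@code Location} header,
     *                                or any I/O failure
     */
    public URL submitToRekor(byte[] signedJar) throws MojoExecutionException {
        try {
            HttpTransport transport = getHttpTransport();
            Map<String, Object> archive = new HashMap<>();
            archive.put("content", Base64.getEncoder().encodeToString(signedJar));
            Map<String, Object> spec = new HashMap<>();
            spec.put("archive", archive);
            Map<String, Object> entry = new HashMap<>();
            entry.put("kind", "jar");
            entry.put("apiVersion", "0.0.1");
            entry.put("spec", spec);
            JsonHttpContent content = new JsonHttpContent(new GsonFactory(), entry);

            HttpRequest request = transport.createRequestFactory()
                .buildPostRequest(new GenericUrl(this.rekorInstanceURL + "/api/v1/log/entries"), content);
            request.getHeaders().set("Accept", "application/json");
            request.getHeaders().set("Content-Type", "application/json");
            HttpResponse response = request.execute();
            if (response.getStatusCode() != 201) {
                throw new IOException("bad response from rekor: " + response.parseAsString());
            }
            String location = response.getHeaders().getLocation();
            if (location == null) {
                throw new IOException("rekor response did not include a Location header for the new entry");
            }
            URL entryUrl = new URL(this.rekorInstanceURL, location);
            getLog().info(String.format("Created entry in transparency log for JAR @ '%s'", entryUrl));
            return entryUrl;
        } catch (Exception e) {
            throw new MojoExecutionException(String.format("Error in submitting entry to Rekor @ %s:", this.rekorInstanceURL), e);
        }
    }
}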
