package android.util.apk;

import android.os.Build;
import android.util.ArrayMap;
import android.util.Pair;
import android.util.apk.ApkSigningBlockUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.security.DigestException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.OptionalInt;

/* loaded from: classes3.dex */
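/**
 * Verifies APK Signature Scheme v3 and v3.1 signer blocks found in an APK's signing block.
 *
 * <p>The static entry points open the APK read-only, look for a v3.1 block first and fall back
 * to the v3 block when the v3.1 block is absent or none of its signers target the running
 * platform. Any other failure while handling the v3.1 block propagates, so a malformed v3.1
 * block does not silently downgrade to v3.
 *
 * <p>This listing is decompiler output. Several members are marked by the decompiler as having
 * had their access modifiers widened; those notes are kept next to the affected members.
 *
 * <p>Instances carry per-verification state ({@code mBlockId}, {@code mSignerMinSdkVersion},
 * {@code mOptionalRotationMinSdkVersion}) that is written during {@code verify}. No
 * synchronization is visible here; each static entry point creates its own instance.
 */
public class ApkSignatureSchemeV3Verifier {
    /** APK Signing Block ID of the v3.1 signature block (0x1b93ad61). */
    static final int APK_SIGNATURE_SCHEME_V31_BLOCK_ID = 462663009;
    /** APK Signing Block ID of the v3 signature block (0xf05368c0). */
    static final int APK_SIGNATURE_SCHEME_V3_BLOCK_ID = -262969152;
    /** Additional-attribute ID carrying the proof-of-rotation record. */
    private static final int PROOF_OF_ROTATION_ATTR_ID = 1000370060;
    /** Additional-attribute ID carrying the SDK version targeted by a companion v3.1 block. */
    private static final int ROTATION_MIN_SDK_VERSION_ATTR_ID = 1436519170;
    /** Additional-attribute ID marking a signer that targets a development release. */
    private static final int ROTATION_ON_DEV_RELEASE_ATTR_ID = -1029262406;
    public static final int SF_ATTRIBUTE_ANDROID_APK_SIGNED_ID = 3;
    private final RandomAccessFile mApk;
    // ID of the block currently being verified; set at the start of verify(SignatureInfo, int).
    private int mBlockId;
    // Lowest minSdkVersion seen on a v3.1 signer that was skipped for this platform. It is
    // compared against the ROTATION_MIN_SDK_VERSION attribute of the v3 block, which is how a
    // stripped or mismatched v3.1 block is detected.
    private OptionalInt mOptionalRotationMinSdkVersion = OptionalInt.empty();
    // minSdkVersion read from the signed data of the signer most recently processed.
    private int mSignerMinSdkVersion;
    // When false, the APK contents are NOT checked against the signed content digests.
    private final boolean mVerifyIntegrity;

    /**
     * Signals that a signer (or a whole block) does not apply to the running platform version.
     * It is used for control flow between the v3.1 and v3 passes and is not a verification
     * failure by itself.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static class PlatformNotSupportedException extends Exception {
        PlatformNotSupportedException(String str) {
            super(str);
        }
    }

    /**
     * Result of a verification pass.
     *
     * <p>The array and map fields are stored by reference without copying, so they remain
     * mutable through this object.
     */
    public static class VerifiedSigner {
        /** ID of the signing block (v3 or v3.1) the signer was read from. */
        public final int blockId;
        /** Certificates listed in the signer's signed data; index 0 is the signing certificate. */
        public final X509Certificate[] certs;
        /** Content digests taken from the signed data, keyed by content digest algorithm ID. */
        public final Map<Integer, byte[]> contentDigests;
        /** Verified proof-of-rotation record, or {@code null} when the signer carries none. */
        public final ApkSigningBlockUtils.VerifiedProofOfRotation por;
        /** Verity root hash parsed from content digest key 3, or {@code null} when absent. */
        public final byte[] verityRootHash;

        public VerifiedSigner(X509Certificate[] x509CertificateArr, ApkSigningBlockUtils.VerifiedProofOfRotation verifiedProofOfRotation, byte[] bArr, Map<Integer, byte[]> map, int i) {
            this.certs = x509CertificateArr;
            this.por = verifiedProofOfRotation;
            this.verityRootHash = bArr;
            this.contentDigests = map;
            this.blockId = i;
        }
    }

    private ApkSignatureSchemeV3Verifier(RandomAccessFile apk, boolean verifyIntegrity) {
        this.mApk = apk;
        this.mVerifyIntegrity = verifyIntegrity;
    }

    /**
     * Locates the v3 signature block in the given APK.
     *
     * @param randomAccessFile APK opened for reading
     * @return location information for the v3 block
     * @throws SignatureNotFoundException if the APK has no v3 block
     * @throws IOException if the file cannot be read
     */
    public static SignatureInfo findSignature(RandomAccessFile randomAccessFile) throws IOException, SignatureNotFoundException {
        return findSignature(randomAccessFile, APK_SIGNATURE_SCHEME_V3_BLOCK_ID);
    }

    /** Locates the signature block with the given block ID. */
    private static SignatureInfo findSignature(RandomAccessFile apk, int blockId) throws IOException, SignatureNotFoundException {
        return ApkSigningBlockUtils.findSignature(apk, blockId);
    }

    /**
     * Generates the verity data for the APK at the given path using its v3 signature block.
     *
     * <p>Only the v3 block is located here; no signature verification is performed by this
     * method itself.
     *
     * @param str path of the APK file
     * @param byteBufferFactory factory handed to {@code VerityBuilder}
     * @return the value returned by {@code VerityBuilder.generateApkVerity}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] generateApkVerity(String str, ByteBufferFactory byteBufferFactory) throws IOException, SignatureNotFoundException, SecurityException, DigestException, NoSuchAlgorithmException {
        try (RandomAccessFile apk = new RandomAccessFile(str, "r")) {
            return VerityBuilder.generateApkVerity(str, byteBufferFactory, findSignature(apk));
        }
    }

    /**
     * Returns the verity root hash recorded in the signer block of the APK at the given path.
     *
     * <p>The signer block's signature is checked, but the verifier is created with integrity
     * verification disabled, so the APK contents are not compared against the signed digests.
     *
     * @param str path of the APK file
     * @return the verity root hash, or {@code null} if the signer has no digest under key 3
     * @throws SignatureNotFoundException if the APK has no v3 block
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] getVerityRootHash(String str) throws IOException, SignatureNotFoundException, SecurityException {
        try (RandomAccessFile apk = new RandomAccessFile(str, "r")) {
            // Called for its SignatureNotFoundException: a v3 block must exist even when the
            // verification below would be satisfied by a v3.1 block.
            findSignature(apk);
            return verify(apk, false).verityRootHash;
        }
    }

    /**
     * Reports whether the APK at the given path contains a v3 signature block. The block is
     * only located, not verified.
     *
     * @param str path of the APK file
     * @return {@code true} if a v3 block was found, {@code false} otherwise
     * @throws IOException if the file cannot be opened or read
     */
    public static boolean hasSignature(String str) throws IOException {
        // try-with-resources closes the file on every path, including the "not found" path;
        // the decompiled form had an empty finally block and leaked the descriptor there.
        try (RandomAccessFile apk = new RandomAccessFile(str, "r")) {
            findSignature(apk);
            return true;
        } catch (SignatureNotFoundException e) {
            return false;
        }
    }

    /**
     * Parses the signer block and returns its certificates WITHOUT verifying APK contents.
     *
     * <p>The signature over the signer's signed data is still checked, but the file contents are
     * not compared against the signed content digests. The result therefore says who signed the
     * signer block, not that the bytes of the APK are the ones that were signed. Use
     * {@link #verify(String)} whenever the contents will be trusted.
     *
     * @param str path of the APK file
     */
    public static VerifiedSigner unsafeGetCertsWithoutVerification(String str) throws SignatureNotFoundException, SecurityException, IOException {
        return verify(str, false);
    }

    /**
     * Verifies every signer in the given block and returns the single signer that applies to
     * this platform.
     *
     * @param signatureInfo location of the block to verify
     * @param blockId ID of that block (v3 or v3.1)
     * @throws SecurityException if a signer is malformed or fails verification, if more than one
     *     signer applies, or if no content digests were collected
     * @throws PlatformNotSupportedException if this is not the v3 block and no signer applies to
     *     the running platform
     */
    private VerifiedSigner verify(SignatureInfo signatureInfo, int blockId) throws SecurityException, IOException, PlatformNotSupportedException {
        this.mBlockId = blockId;
        int signerCount = 0;
        Map<Integer, byte[]> contentDigests = new ArrayMap<>();
        try {
            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
            // NOTE(review): this IOException handler also covers the integrity check and the
            // file-size read further down, so an I/O error there is reported as "Failed to
            // read list of signers". Confirm whether that scope is intended or a decompiler
            // artifact before narrowing it.
            try {
                ByteBuffer signers = ApkSigningBlockUtils.getLengthPrefixedSlice(signatureInfo.signatureBlock);
                Pair<X509Certificate[], ApkSigningBlockUtils.VerifiedProofOfRotation> result = null;
                while (signers.hasRemaining()) {
                    try {
                        result = verifySigner(ApkSigningBlockUtils.getLengthPrefixedSlice(signers), contentDigests, certFactory);
                        // Only signers that verified and apply to this platform are counted.
                        signerCount++;
                    } catch (PlatformNotSupportedException ignored) {
                        // Signer targets a different platform range; skip it and keep going.
                    } catch (IOException | SecurityException | BufferUnderflowException e) {
                        throw new SecurityException("Failed to parse/verify signer #" + signerCount + " block", e);
                    }
                }
                if (signerCount < 1 || result == null) {
                    if (blockId == APK_SIGNATURE_SCHEME_V3_BLOCK_ID) {
                        throw new SecurityException("No signers found");
                    }
                    // For the v3.1 block this lets the caller fall back to the v3 block.
                    throw new PlatformNotSupportedException("None of the signers support the current platform version");
                }
                if (signerCount != 1) {
                    throw new SecurityException("APK Signature Scheme V3 only supports one signer: multiple signers found.");
                }
                if (contentDigests.isEmpty()) {
                    throw new SecurityException("No content digests found");
                }
                if (this.mVerifyIntegrity) {
                    ApkSigningBlockUtils.verifyIntegrity(contentDigests, this.mApk, signatureInfo);
                }
                // Key 3 is the digest that is handed to the verity parser.
                byte[] verityRootHash = null;
                if (contentDigests.containsKey(3)) {
                    verityRootHash = ApkSigningBlockUtils.parseVerityDigestAndVerifySourceLength(contentDigests.get(3), this.mApk.getChannel().size(), signatureInfo);
                }
                return new VerifiedSigner(result.first, result.second, verityRootHash, contentDigests, blockId);
            } catch (IOException e) {
                throw new SecurityException("Failed to read list of signers", e);
            }
        } catch (CertificateException e) {
            throw new RuntimeException("Failed to obtain X.509 CertificateFactory", e);
        }
    }

    /**
     * Verifies the v3.1 block if present and applicable, otherwise the v3 block.
     *
     * <p>The same verifier instance handles both passes, so the rotation SDK version recorded
     * while skipping v3.1 signers is available when the v3 block's attributes are checked.
     * Only "block not found" and "no signer for this platform" trigger the fallback; a
     * {@link SecurityException} from the v3.1 pass is not caught.
     */
    private static VerifiedSigner verify(RandomAccessFile apk, boolean verifyIntegrity) throws SignatureNotFoundException, SecurityException, IOException {
        ApkSignatureSchemeV3Verifier verifier = new ApkSignatureSchemeV3Verifier(apk, verifyIntegrity);
        try {
            return verifier.verify(findSignature(apk, APK_SIGNATURE_SCHEME_V31_BLOCK_ID), APK_SIGNATURE_SCHEME_V31_BLOCK_ID);
        } catch (PlatformNotSupportedException | SignatureNotFoundException e) {
            try {
                return verifier.verify(findSignature(apk, APK_SIGNATURE_SCHEME_V3_BLOCK_ID), APK_SIGNATURE_SCHEME_V3_BLOCK_ID);
            } catch (PlatformNotSupportedException e2) {
                throw new SecurityException(e2);
            }
        }
    }

    /**
     * Verifies the APK at the given path, including the integrity of its contents.
     *
     * @param str path of the APK file
     * @return the verified signer
     * @throws SignatureNotFoundException if no v3 block is present
     * @throws SecurityException if verification fails
     */
    public static VerifiedSigner verify(String str) throws SignatureNotFoundException, SecurityException, IOException {
        return verify(str, true);
    }

    /** Opens the APK read-only and runs the verification, closing the file on every path. */
    private static VerifiedSigner verify(String apkFile, boolean verifyIntegrity) throws SignatureNotFoundException, SecurityException, IOException {
        try (RandomAccessFile apk = new RandomAccessFile(apkFile, "r")) {
            return verify(apk, verifyIntegrity);
        }
    }

    /**
     * Processes the additional attributes of a signer's signed data.
     *
     * <p>Attribute IDs other than the three handled below are skipped.
     *
     * @param attrs the additional-attributes section of the signed data
     * @param certs certificates from the signed data; index 0 is the signing certificate
     * @param certFactory factory used when verifying the proof-of-rotation record
     * @return the signer's certificates and its proof-of-rotation record ({@code null} if none)
     * @throws SecurityException on a duplicate or inconsistent proof-of-rotation record, or when
     *     the declared rotation SDK version disagrees with the v3.1 block that was seen
     * @throws PlatformNotSupportedException if a v3.1 signer targets a development release while
     *     the device runs the release build of that SDK version
     */
    private Pair<X509Certificate[], ApkSigningBlockUtils.VerifiedProofOfRotation> verifyAdditionalAttributes(ByteBuffer attrs, List<X509Certificate> certs, CertificateFactory certFactory) throws IOException, PlatformNotSupportedException {
        X509Certificate[] certChain = certs.toArray(new X509Certificate[certs.size()]);
        ApkSigningBlockUtils.VerifiedProofOfRotation por = null;
        while (attrs.hasRemaining()) {
            ByteBuffer attr = ApkSigningBlockUtils.getLengthPrefixedSlice(attrs);
            if (attr.remaining() < 4) {
                throw new IOException("Remaining buffer too short to contain additional attribute ID. Remaining: " + attr.remaining());
            }
            switch (attr.getInt()) {
                case ROTATION_ON_DEV_RELEASE_ATTR_ID:
                    if (this.mBlockId == APK_SIGNATURE_SCHEME_V31_BLOCK_ID && Build.VERSION.SDK_INT == this.mSignerMinSdkVersion && "REL".equals(Build.VERSION.CODENAME)) {
                        // Record the targeted version so the v3 block's rotation attribute
                        // still matches, then let the caller fall back to the v3 block.
                        this.mOptionalRotationMinSdkVersion = OptionalInt.of(this.mSignerMinSdkVersion);
                        throw new PlatformNotSupportedException("The device is running a release version of " + this.mSignerMinSdkVersion + ", but the signer is targeting a dev release");
                    }
                    break;
                case PROOF_OF_ROTATION_ATTR_ID:
                    if (por != null) {
                        throw new SecurityException("Encountered multiple Proof-of-rotation records when verifying APK Signature Scheme v3 signature");
                    }
                    por = ApkSigningBlockUtils.verifyProofOfRotationStruct(attr, certFactory);
                    try {
                        // The last certificate of the rotation record must be the certificate
                        // that actually signed this APK.
                        if (por.certs.size() > 0 && !Arrays.equals(por.certs.get(por.certs.size() - 1).getEncoded(), certChain[0].getEncoded())) {
                            throw new SecurityException("Terminal certificate in Proof-of-rotation record does not match APK signing certificate");
                        }
                    } catch (CertificateEncodingException e) {
                        throw new SecurityException("Failed to encode certificate when comparing Proof-of-rotation record and signing certificate", e);
                    }
                    break;
                case ROTATION_MIN_SDK_VERSION_ATTR_ID:
                    if (attr.remaining() < 4) {
                        throw new IOException("Remaining buffer too short to contain rotation minSdkVersion value. Remaining: " + attr.remaining());
                    }
                    int declaredRotationMinSdk = attr.getInt();
                    // The signer states that a v3.1 block targeting this SDK version exists.
                    // If none was seen, or it targeted another version, the v3.1 block was
                    // removed or altered, so verification fails.
                    if (!this.mOptionalRotationMinSdkVersion.isPresent()) {
                        throw new SecurityException("Expected a v3.1 signing block targeting SDK version " + declaredRotationMinSdk + ", but a v3.1 block was not found");
                    }
                    int seenRotationMinSdk = this.mOptionalRotationMinSdkVersion.getAsInt();
                    if (seenRotationMinSdk != declaredRotationMinSdk) {
                        throw new SecurityException("Expected a v3.1 signing block targeting SDK version " + declaredRotationMinSdk + ", but the v3.1 block was targeting " + seenRotationMinSdk);
                    }
                    break;
                default:
                    // Other attribute IDs are skipped.
                    break;
            }
        }
        return Pair.create(certChain, por);
    }

    /**
     * Verifies one signer block.
     *
     * <p>Steps, in order: skip the signer if the platform is outside its SDK range; pick the
     * strongest supported signature; verify it over the signed data with the signer's public
     * key; then read digests, certificates, SDK range and additional attributes from the signed
     * data and cross-check them against the unsigned parts of the block.
     *
     * @param signerBlock the signer block to verify
     * @param contentDigests output map receiving this signer's content digest, keyed by content
     *     digest algorithm ID
     * @param certFactory X.509 certificate factory
     * @return the signer's certificates and proof-of-rotation record
     * @throws SecurityException if the signer is malformed or any check fails
     * @throws IOException if a digest record or attribute cannot be parsed
     * @throws PlatformNotSupportedException if the signer does not apply to this platform
     */
    private Pair<X509Certificate[], ApkSigningBlockUtils.VerifiedProofOfRotation> verifySigner(ByteBuffer signerBlock, Map<Integer, byte[]> contentDigests, CertificateFactory certFactory) throws SecurityException, IOException, PlatformNotSupportedException {
        ByteBuffer signedData = ApkSigningBlockUtils.getLengthPrefixedSlice(signerBlock);
        // These two values sit outside the signed data; they are compared with the signed
        // copies once the signature has been verified.
        int minSdkVersion = signerBlock.getInt();
        int maxSdkVersion = signerBlock.getInt();

        if (Build.VERSION.SDK_INT < minSdkVersion || Build.VERSION.SDK_INT > maxSdkVersion) {
            // Remember the lowest SDK version targeted by a skipped v3.1 signer so it can be
            // compared with the rotation attribute of the v3 block.
            if (this.mBlockId == APK_SIGNATURE_SCHEME_V31_BLOCK_ID && (!this.mOptionalRotationMinSdkVersion.isPresent() || this.mOptionalRotationMinSdkVersion.getAsInt() > minSdkVersion)) {
                this.mOptionalRotationMinSdkVersion = OptionalInt.of(minSdkVersion);
            }
            throw new PlatformNotSupportedException("Signer not supported by this platform version. This platform: " + Build.VERSION.SDK_INT + ", signer minSdkVersion: " + minSdkVersion + ", maxSdkVersion: " + maxSdkVersion);
        }

        ByteBuffer signatures = ApkSigningBlockUtils.getLengthPrefixedSlice(signerBlock);
        byte[] publicKeyBytes = ApkSigningBlockUtils.readLengthPrefixedByteArray(signerBlock);

        // Select the strongest supported signature, and record every algorithm ID listed so
        // the list can be compared with the one inside the signed data.
        List<Integer> signaturesSigAlgorithms = new ArrayList<>();
        byte[] bestSigAlgorithmSignatureBytes = null;
        int bestSigAlgorithm = -1;
        int signatureCount = 0;
        while (signatures.hasRemaining()) {
            signatureCount++;
            try {
                ByteBuffer signature = ApkSigningBlockUtils.getLengthPrefixedSlice(signatures);
                if (signature.remaining() < 8) {
                    throw new SecurityException("Signature record too short");
                }
                int sigAlgorithm = signature.getInt();
                signaturesSigAlgorithms.add(sigAlgorithm);
                if (!ApkSigningBlockUtils.isSupportedSignatureAlgorithm(sigAlgorithm)) {
                    continue;
                }
                if (bestSigAlgorithm == -1 || ApkSigningBlockUtils.compareSignatureAlgorithm(sigAlgorithm, bestSigAlgorithm) > 0) {
                    bestSigAlgorithm = sigAlgorithm;
                    bestSigAlgorithmSignatureBytes = ApkSigningBlockUtils.readLengthPrefixedByteArray(signature);
                }
            } catch (IOException | BufferUnderflowException e) {
                throw new SecurityException("Failed to parse signature record #" + signatureCount, e);
            }
        }
        if (bestSigAlgorithm == -1) {
            if (signatureCount == 0) {
                throw new SecurityException("No signatures found");
            }
            throw new SecurityException("No supported signatures found");
        }

        // Verify the selected signature over the signed data.
        String keyAlgorithm = ApkSigningBlockUtils.getSignatureAlgorithmJcaKeyAlgorithm(bestSigAlgorithm);
        Pair<String, ? extends AlgorithmParameterSpec> signatureAlgorithmParams = ApkSigningBlockUtils.getSignatureAlgorithmJcaSignatureAlgorithm(bestSigAlgorithm);
        String jcaSignatureAlgorithm = signatureAlgorithmParams.first;
        AlgorithmParameterSpec jcaSignatureAlgorithmParams = signatureAlgorithmParams.second;
        boolean sigVerified;
        try {
            PublicKey publicKey = KeyFactory.getInstance(keyAlgorithm).generatePublic(new X509EncodedKeySpec(publicKeyBytes));
            Signature sig = Signature.getInstance(jcaSignatureAlgorithm);
            sig.initVerify(publicKey);
            if (jcaSignatureAlgorithmParams != null) {
                sig.setParameter(jcaSignatureAlgorithmParams);
            }
            sig.update(signedData);
            sigVerified = sig.verify(bestSigAlgorithmSignatureBytes);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | SignatureException | InvalidKeySpecException e) {
            throw new SecurityException("Failed to verify " + jcaSignatureAlgorithm + " signature", e);
        }
        if (!sigVerified) {
            throw new SecurityException(jcaSignatureAlgorithm + " signature did not verify");
        }

        // The signature verified, so the signed data can now be parsed. update() consumed the
        // buffer; clear() rewinds it for reading.
        signedData.clear();
        ByteBuffer digests = ApkSigningBlockUtils.getLengthPrefixedSlice(signedData);
        List<Integer> digestsSigAlgorithms = new ArrayList<>();
        byte[] contentDigest = null;
        int digestCount = 0;
        while (digests.hasRemaining()) {
            digestCount++;
            try {
                ByteBuffer digest = ApkSigningBlockUtils.getLengthPrefixedSlice(digests);
                if (digest.remaining() < 8) {
                    throw new IOException("Record too short");
                }
                int sigAlgorithm = digest.getInt();
                digestsSigAlgorithms.add(sigAlgorithm);
                if (sigAlgorithm == bestSigAlgorithm) {
                    contentDigest = ApkSigningBlockUtils.readLengthPrefixedByteArray(digest);
                }
            } catch (IOException | BufferUnderflowException e) {
                throw new IOException("Failed to parse digest record #" + digestCount, e);
            }
        }

        // The algorithm list in the unsigned signature records must equal the list in the
        // signed digests, so signature records cannot be removed to force a weaker algorithm.
        if (!signaturesSigAlgorithms.equals(digestsSigAlgorithms)) {
            throw new SecurityException("Signature algorithms don't match between digests and signatures records");
        }
        int digestAlgorithm = ApkSigningBlockUtils.getSignatureAlgorithmContentDigestAlgorithm(bestSigAlgorithm);
        byte[] previousSignerDigest = contentDigests.put(digestAlgorithm, contentDigest);
        if (previousSignerDigest != null && !MessageDigest.isEqual(previousSignerDigest, contentDigest)) {
            throw new SecurityException(ApkSigningBlockUtils.getContentDigestAlgorithmJcaDigestAlgorithm(digestAlgorithm) + " contents digest does not match the digest specified by a preceding signer");
        }

        ByteBuffer certificates = ApkSigningBlockUtils.getLengthPrefixedSlice(signedData);
        List<X509Certificate> certs = new ArrayList<>();
        int certificateCount = 0;
        while (certificates.hasRemaining()) {
            certificateCount++;
            byte[] encodedCert = ApkSigningBlockUtils.readLengthPrefixedByteArray(certificates);
            try {
                // The wrapper is given the parsed certificate together with its original bytes.
                certs.add(new VerbatimX509Certificate((X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(encodedCert)), encodedCert));
            } catch (CertificateException e) {
                throw new SecurityException("Failed to decode certificate #" + certificateCount, e);
            }
        }
        if (certs.isEmpty()) {
            throw new SecurityException("No certificates listed");
        }
        // The key that verified the signature must be the key of the first certificate.
        if (!Arrays.equals(publicKeyBytes, certs.get(0).getPublicKey().getEncoded())) {
            throw new SecurityException("Public key mismatch between certificate and signature record");
        }

        // The SDK range used for signer selection was read from outside the signed data; it
        // must equal the signed copy.
        int signedMinSdkVersion = signedData.getInt();
        if (signedMinSdkVersion != minSdkVersion) {
            throw new SecurityException("minSdkVersion mismatch between signed and unsigned in v3 signer block.");
        }
        this.mSignerMinSdkVersion = signedMinSdkVersion;
        if (signedData.getInt() != maxSdkVersion) {
            throw new SecurityException("maxSdkVersion mismatch between signed and unsigned in v3 signer block.");
        }
        return verifyAdditionalAttributes(ApkSigningBlockUtils.getLengthPrefixedSlice(signedData), certs, certFactory);
    }
}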
