package com.android.tools.build.bundletool.transparency;

import com.android.apksig.ApkVerifier;
import com.android.apksig.apk.ApkFormatException;
import com.android.tools.build.bundletool.model.exceptions.CommandExecutionException;
import com.google.auto.value.AutoValue;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.UnmodifiableIterator;
import java.io.IOException;
import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Optional;

/* loaded from: input_file:com/android/tools/build/bundletool/transparency/ApkSignatureVerifier.class */
final class ApkSignatureVerifier {

    /* JADX INFO: Access modifiers changed from: package-private */
    @AutoValue
    /* loaded from: input_file:com/android/tools/build/bundletool/transparency/ApkSignatureVerifier$Result.class */
    public static abstract class Result {
        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract Optional<String> apkSigningKeyCertificateFingerprint();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract Optional<String> errorMessage();

        /* JADX INFO: Access modifiers changed from: package-private */
        public boolean verified() {
            return apkSigningKeyCertificateFingerprint().isPresent() && !errorMessage().isPresent();
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public String getApkSigningKeyCertificateFingerprint() {
            return apkSigningKeyCertificateFingerprint().orElse("");
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public String getErrorMessage() {
            return errorMessage().orElse("");
        }

        static Result success(String str) {
            return new AutoValue_ApkSignatureVerifier_Result(Optional.of(str), Optional.empty());
        }

        static Result failure(String str) {
            return new AutoValue_ApkSignatureVerifier_Result(Optional.empty(), Optional.of(str));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Result verify(ImmutableList<Path> immutableList) {
        Preconditions.checkArgument(!immutableList.isEmpty(), "Expected non-empty list of device-specific APKs.");
        Optional empty = Optional.empty();
        try {
            UnmodifiableIterator<Path> it = immutableList.iterator();
            while (it.hasNext()) {
                Path next = it.next();
                ApkVerifier.Result verify = new ApkVerifier.Builder(next.toFile()).build().verify();
                if (!verify.isVerified()) {
                    return Result.failure("APK signature invalid for " + next.getFileName());
                }
                X509Certificate x509Certificate = verify.getSignerCertificates().get(0);
                if (!empty.isPresent()) {
                    empty = Optional.of(x509Certificate);
                } else if (!((X509Certificate) empty.get()).equals(x509Certificate)) {
                    return Result.failure("APK signature verification failed: the keys used to sign the given set of device specific APKs do not match.");
                }
            }
            return Result.success(CodeTransparencyCryptoUtils.getCertificateFingerprint((X509Certificate) empty.get()));
        } catch (ApkFormatException | IOException | NoSuchAlgorithmException e) {
            throw CommandExecutionException.builder().withInternalMessage("Exception during APK signature verification.").withCause(e).build();
        }
    }

    private ApkSignatureVerifier() {
    }
}
