package com.android.builder.internal.packaging.sign;

import com.android.builder.internal.packaging.zip.StoredEntry;
import com.android.builder.internal.packaging.zip.ZFileExtension;
import com.android.builder.internal.utils.IOExceptionRunnable;
import com.google.common.base.Charsets;
import com.google.common.base.Objects;
import com.google.common.base.Preconditions;
import com.google.common.collect.Sets;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
import java.util.stream.Collectors;
import org.apache.commons.codec.binary.Base64;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/* loaded from: input_file:com/android/builder/internal/packaging/sign/SignatureExtension.class */
public class SignatureExtension {
    private static final String SIGNATURE_BASE = "META-INF/CERT";
    private static final String SIGNATURE_VERSION_NAME = "Signature-Version";
    private static final String SIGNATURE_VERSION_VALUE = "1.0";
    private static final String SIGNATURE_CREATED_BY_NAME = "Created-By";
    private static final String SIGNATURE_CREATED_BY_VALUE = "1.0 (Android)";
    private static final String SIGNATURE_ANDROID_APK_SIGNED_NAME = "X-Android-APK-Signed";
    public static final String SIGNATURE_ANDROID_APK_SIGNER_VALUE_WHEN_V2_SIGNED = "2";
    private final ManifestGenerationExtension mManifestExtension;
    private final MessageDigest mMessageDigest;
    private final Manifest mSignatureFile = new Manifest();
    private boolean mDirty = false;
    private final X509Certificate mCertificate;
    private final PrivateKey mPrivateKey;
    private final SignatureAlgorithm mSignatureAlgorithm;
    private final DigestAlgorithm mDigestAlgorithm;
    private final String mApkSignedHeaderValue;
    private ZFileExtension mExtension;
    private static final String SIGNATURE_FILE = "META-INF/CERT.SF";
    private static final Set<String> IGNORED_FILES = Sets.newHashSet(new String[]{ManifestGenerationExtension.MANIFEST_NAME, SIGNATURE_FILE});
    private static final Set<String> IGNORED_FILES_LC = Sets.newHashSet((Iterable) IGNORED_FILES.stream().map(str -> {
        return str.toLowerCase(Locale.US);
    }).collect(Collectors.toSet()));
    private static final Set<String> IGNORED_PREFIXES = Sets.newHashSet(new String[]{"SIG-"});
    private static final Set<String> IGNORED_PREFIXES_LC = Sets.newHashSet((Iterable) IGNORED_PREFIXES.stream().map(str -> {
        return str.toLowerCase(Locale.US);
    }).collect(Collectors.toSet()));
    private static final Set<String> IGNORED_SUFFIXES = Sets.newHashSet(new String[]{".SF", ".DSA", ".RSA", ".EC"});
    private static final Set<String> IGNORED_SUFFIXES_LC = Sets.newHashSet((Iterable) IGNORED_SUFFIXES.stream().map(str -> {
        return str.toLowerCase(Locale.US);
    }).collect(Collectors.toSet()));

    public SignatureExtension(ManifestGenerationExtension manifestGenerationExtension, int i, X509Certificate x509Certificate, PrivateKey privateKey, String str) throws NoSuchAlgorithmException {
        this.mManifestExtension = manifestGenerationExtension;
        this.mCertificate = x509Certificate;
        this.mPrivateKey = privateKey;
        this.mApkSignedHeaderValue = str;
        this.mSignatureAlgorithm = SignatureAlgorithm.fromKeyAlgorithm(privateKey.getAlgorithm(), i);
        this.mDigestAlgorithm = DigestAlgorithm.findBest(i, this.mSignatureAlgorithm);
        this.mMessageDigest = MessageDigest.getInstance(this.mDigestAlgorithm.messageDigestName);
    }

    public void register() throws IOException {
        Preconditions.checkState(this.mExtension == null, "register() already invoked");
        this.mExtension = new ZFileExtension() { // from class: com.android.builder.internal.packaging.sign.SignatureExtension.1
            @Override // com.android.builder.internal.packaging.zip.ZFileExtension
            public IOExceptionRunnable beforeUpdate() {
                SignatureExtension signatureExtension = SignatureExtension.this;
                return () -> {
                    signatureExtension.updateSignatureIfNeeded();
                };
            }

            @Override // com.android.builder.internal.packaging.zip.ZFileExtension
            public IOExceptionRunnable added(StoredEntry storedEntry, StoredEntry storedEntry2) {
                if (storedEntry2 != null) {
                    Preconditions.checkArgument(storedEntry.getCentralDirectoryHeader().getName().equals(storedEntry2.getCentralDirectoryHeader().getName()));
                }
                if (SignatureExtension.isIgnoredFile(storedEntry.getCentralDirectoryHeader().getName())) {
                    return null;
                }
                return () -> {
                    if (storedEntry2 != null) {
                        SignatureExtension.this.removed(storedEntry2);
                    }
                    SignatureExtension.this.added(storedEntry);
                };
            }

            @Override // com.android.builder.internal.packaging.zip.ZFileExtension
            public IOExceptionRunnable removed(StoredEntry storedEntry) {
                if (SignatureExtension.isIgnoredFile(storedEntry.getCentralDirectoryHeader().getName())) {
                    return null;
                }
                return () -> {
                    SignatureExtension.this.removed(storedEntry);
                };
            }
        };
        this.mManifestExtension.zFile().addZFileExtension(this.mExtension);
        readSignatureFile();
    }

    private void readSignatureFile() throws IOException {
        boolean z = false;
        StoredEntry storedEntry = this.mManifestExtension.zFile().get(SIGNATURE_FILE);
        if (storedEntry != null) {
            this.mSignatureFile.read(new ByteArrayInputStream(storedEntry.read()));
            Attributes mainAttributes = this.mSignatureFile.getMainAttributes();
            String value = mainAttributes.getValue(SIGNATURE_VERSION_NAME);
            String value2 = mainAttributes.getValue("Created-By");
            String value3 = mainAttributes.getValue(SIGNATURE_ANDROID_APK_SIGNED_NAME);
            if (!"1.0".equals(value) || !SIGNATURE_CREATED_BY_VALUE.equals(value2) || mainAttributes.getValue(this.mDigestAlgorithm.manifestAttributeName) == null || !Objects.equal(this.mApkSignedHeaderValue, value3)) {
                z = true;
            }
        } else {
            z = true;
        }
        if (z) {
            Attributes mainAttributes2 = this.mSignatureFile.getMainAttributes();
            mainAttributes2.putValue("Created-By", SIGNATURE_CREATED_BY_VALUE);
            mainAttributes2.putValue(SIGNATURE_VERSION_NAME, "1.0");
            if (this.mApkSignedHeaderValue != null) {
                mainAttributes2.putValue(SIGNATURE_ANDROID_APK_SIGNED_NAME, this.mApkSignedHeaderValue);
            } else {
                mainAttributes2.remove(SIGNATURE_ANDROID_APK_SIGNED_NAME);
            }
            this.mDirty = true;
        }
        Set<StoredEntry> set = (Set) this.mManifestExtension.zFile().entries().stream().filter(storedEntry2 -> {
            return !isIgnoredFile(storedEntry2.getCentralDirectoryHeader().getName());
        }).collect(Collectors.toSet());
        HashSet newHashSet = Sets.newHashSet(this.mSignatureFile.getEntries().keySet());
        HashSet newHashSet2 = Sets.newHashSet(this.mManifestExtension.allEntries().keySet());
        for (StoredEntry storedEntry3 : set) {
            setDigestForEntry(storedEntry3);
            newHashSet.remove(storedEntry3.getCentralDirectoryHeader().getName());
            newHashSet2.remove(storedEntry3.getCentralDirectoryHeader().getName());
        }
        Iterator it = newHashSet.iterator();
        while (it.hasNext()) {
            this.mSignatureFile.getEntries().remove((String) it.next());
            this.mDirty = true;
        }
        Iterator it2 = newHashSet2.iterator();
        while (it2.hasNext()) {
            this.mManifestExtension.removeEntry((String) it2.next());
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void updateSignatureIfNeeded() throws IOException {
        String str = new String(Base64.encodeBase64(this.mMessageDigest.digest(this.mManifestExtension.getManifestBytes())), Charsets.US_ASCII);
        if (!str.equals(this.mSignatureFile.getMainAttributes().getValue(this.mDigestAlgorithm.manifestAttributeName))) {
            this.mSignatureFile.getMainAttributes().putValue(this.mDigestAlgorithm.manifestAttributeName, str);
            this.mDirty = true;
        }
        if (this.mDirty) {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            this.mSignatureFile.write(byteArrayOutputStream);
            this.mManifestExtension.zFile().add(SIGNATURE_FILE, new ByteArrayInputStream(byteArrayOutputStream.toByteArray()));
            try {
                this.mManifestExtension.zFile().add("META-INF/CERT." + this.mPrivateKey.getAlgorithm(), new ByteArrayInputStream(computePkcs7Signature(byteArrayOutputStream.toByteArray())));
                this.mDirty = false;
            } catch (CertificateEncodingException | OperatorCreationException | CMSException e) {
                throw new IOException("Failed to digitally sign signature file.", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void added(StoredEntry storedEntry) throws IOException {
        setDigestForEntry(storedEntry);
    }

    private void setDigestForEntry(StoredEntry storedEntry) throws IOException {
        String name = storedEntry.getCentralDirectoryHeader().getName();
        String str = new String(Base64.encodeBase64(this.mMessageDigest.digest(storedEntry.read())), Charsets.US_ASCII);
        Attributes attributes = this.mSignatureFile.getEntries().get(name);
        if (attributes == null) {
            attributes = new Attributes();
            this.mSignatureFile.getEntries().put(name, attributes);
            this.mDirty = true;
        }
        if (!str.equals(attributes.getValue(this.mDigestAlgorithm.entryAttributeName))) {
            attributes.putValue(this.mDigestAlgorithm.entryAttributeName, str);
            this.mDirty = true;
        }
        this.mManifestExtension.setAttribute(name, this.mDigestAlgorithm.entryAttributeName, str);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void removed(StoredEntry storedEntry) {
        this.mSignatureFile.getEntries().remove(storedEntry.getCentralDirectoryHeader().getName());
        this.mManifestExtension.removeEntry(storedEntry.getCentralDirectoryHeader().getName());
        this.mDirty = true;
    }

    public static boolean isIgnoredFile(String str) {
        if (!(str.startsWith("META-INF/") && !str.substring("META-INF/".length()).contains("/"))) {
            return false;
        }
        String lowerCase = str.toLowerCase(Locale.US);
        if (IGNORED_FILES_LC.contains(lowerCase)) {
            return true;
        }
        Iterator<String> it = IGNORED_PREFIXES_LC.iterator();
        while (it.hasNext()) {
            if (lowerCase.startsWith(it.next())) {
                return true;
            }
        }
        Iterator<String> it2 = IGNORED_SUFFIXES_LC.iterator();
        while (it2.hasNext()) {
            if (lowerCase.endsWith(it2.next())) {
                return true;
            }
        }
        return false;
    }

    private byte[] computePkcs7Signature(byte[] bArr) throws IOException, CertificateEncodingException, OperatorCreationException, CMSException {
        ASN1InputStream aSN1InputStream;
        Throwable th;
        CMSProcessableByteArray cMSProcessableByteArray = new CMSProcessableByteArray(bArr);
        ArrayList arrayList = new ArrayList();
        arrayList.add(this.mCertificate);
        JcaCertStore jcaCertStore = new JcaCertStore(arrayList);
        CMSSignedDataGenerator cMSSignedDataGenerator = new CMSSignedDataGenerator();
        cMSSignedDataGenerator.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build()).setDirectSignature(true).build(new JcaContentSignerBuilder(this.mSignatureAlgorithm.signatureAlgorithmName(this.mDigestAlgorithm)).build(this.mPrivateKey), this.mCertificate));
        cMSSignedDataGenerator.addCertificates(jcaCertStore);
        CMSSignedData generate = cMSSignedDataGenerator.generate(cMSProcessableByteArray, false);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        DEROutputStream dEROutputStream = null;
        try {
            aSN1InputStream = new ASN1InputStream(generate.getEncoded());
            th = null;
        } catch (IOException e) {
            if (dEROutputStream != null) {
                try {
                    dEROutputStream.close();
                } catch (IOException e2) {
                    e.addSuppressed(e2);
                }
            }
        }
        try {
            try {
                DEROutputStream dEROutputStream2 = new DEROutputStream(byteArrayOutputStream);
                dEROutputStream2.writeObject(aSN1InputStream.readObject());
                dEROutputStream = null;
                dEROutputStream2.close();
                if (aSN1InputStream != null) {
                    if (0 != 0) {
                        try {
                            aSN1InputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        aSN1InputStream.close();
                    }
                }
                return byteArrayOutputStream.toByteArray();
            } finally {
            }
        } finally {
        }
    }
}
