package android.util.apk;

import android.util.Pair;
import android.util.Slog;
import android.util.jar.StrictJarFile;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.RandomAccessFile;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.zip.ZipEntry;
import libcore.io.IoUtils;

/* loaded from: input_file:android/util/apk/SourceStampVerifier.class */
public abstract class SourceStampVerifier {
    private static final String TAG = "SourceStampVerifier";
    private static final int APK_SIGNATURE_SCHEME_V2_BLOCK_ID = 1896449818;
    private static final int APK_SIGNATURE_SCHEME_V3_BLOCK_ID = -262969152;
    private static final int SOURCE_STAMP_BLOCK_ID = 722016414;
    private static final String SOURCE_STAMP_CERTIFICATE_HASH_ZIP_ENTRY_NAME = "stamp-cert-sha256";

    private SourceStampVerifier() {
    }

    public static SourceStampVerificationResult verify(List<String> list) {
        Certificate certificate = null;
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            SourceStampVerificationResult verify = verify(it.next());
            if (!verify.isPresent() || !verify.isVerified()) {
                return verify;
            }
            if (certificate != null && !certificate.equals(verify.getCertificate())) {
                return SourceStampVerificationResult.notVerified();
            }
            certificate = verify.getCertificate();
        }
        return SourceStampVerificationResult.verified(certificate);
    }

    public static SourceStampVerificationResult verify(String str) {
        try {
            try {
                RandomAccessFile randomAccessFile = new RandomAccessFile(str, "r");
                try {
                    StrictJarFile strictJarFile = new StrictJarFile(str, false, false);
                    byte[] sourceStampCertificateDigest = getSourceStampCertificateDigest(strictJarFile);
                    if (sourceStampCertificateDigest == null) {
                        SourceStampVerificationResult notPresent = SourceStampVerificationResult.notPresent();
                        randomAccessFile.close();
                        closeApkJar(strictJarFile);
                        return notPresent;
                    }
                    SourceStampVerificationResult verify = verify(randomAccessFile, sourceStampCertificateDigest);
                    randomAccessFile.close();
                    closeApkJar(strictJarFile);
                    return verify;
                } catch (Throwable th) {
                    try {
                        randomAccessFile.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            } catch (IOException e) {
                SourceStampVerificationResult notPresent2 = SourceStampVerificationResult.notPresent();
                closeApkJar(null);
                return notPresent2;
            }
        } catch (Throwable th3) {
            closeApkJar(null);
            throw th3;
        }
    }

    private static SourceStampVerificationResult verify(RandomAccessFile randomAccessFile, byte[] bArr) {
        try {
            return verify(ApkSigningBlockUtils.findSignature(randomAccessFile, SOURCE_STAMP_BLOCK_ID), getApkContentDigests(randomAccessFile), bArr);
        } catch (SignatureNotFoundException | IOException e) {
            return SourceStampVerificationResult.notVerified();
        }
    }

    private static SourceStampVerificationResult verify(SignatureInfo signatureInfo, Map<Integer, byte[]> map, byte[] bArr) throws SecurityException, IOException {
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            byte[] encodeApkContentDigests = encodeApkContentDigests((List) map.entrySet().stream().sorted(Map.Entry.comparingByKey()).map(entry -> {
                return Pair.create((Integer) entry.getKey(), (byte[]) entry.getValue());
            }).collect(Collectors.toList()));
            ByteBuffer lengthPrefixedSlice = ApkSigningBlockUtils.getLengthPrefixedSlice(signatureInfo.signatureBlock);
            byte[] readLengthPrefixedByteArray = ApkSigningBlockUtils.readLengthPrefixedByteArray(lengthPrefixedSlice);
            try {
                VerbatimX509Certificate verbatimX509Certificate = new VerbatimX509Certificate((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(readLengthPrefixedByteArray)), readLengthPrefixedByteArray);
                try {
                    MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
                    messageDigest.update(readLengthPrefixedByteArray);
                    if (!Arrays.equals(bArr, messageDigest.digest())) {
                        throw new SecurityException("Certificate mismatch between APK and signature block");
                    }
                    ByteBuffer lengthPrefixedSlice2 = ApkSigningBlockUtils.getLengthPrefixedSlice(lengthPrefixedSlice);
                    int i = 0;
                    int i2 = -1;
                    byte[] bArr2 = null;
                    while (lengthPrefixedSlice2.hasRemaining()) {
                        i++;
                        try {
                            ByteBuffer lengthPrefixedSlice3 = ApkSigningBlockUtils.getLengthPrefixedSlice(lengthPrefixedSlice2);
                            if (lengthPrefixedSlice3.remaining() < 8) {
                                throw new SecurityException("Signature record too short");
                            }
                            int i3 = lengthPrefixedSlice3.getInt();
                            if (ApkSigningBlockUtils.isSupportedSignatureAlgorithm(i3)) {
                                if (i2 == -1 || ApkSigningBlockUtils.compareSignatureAlgorithm(i3, i2) > 0) {
                                    i2 = i3;
                                    bArr2 = ApkSigningBlockUtils.readLengthPrefixedByteArray(lengthPrefixedSlice3);
                                }
                            }
                        } catch (IOException | BufferUnderflowException e) {
                            throw new SecurityException("Failed to parse signature record #" + i, e);
                        }
                    }
                    if (i2 == -1) {
                        if (i == 0) {
                            throw new SecurityException("No signatures found");
                        }
                        throw new SecurityException("No supported signatures found");
                    }
                    Pair<String, ? extends AlgorithmParameterSpec> signatureAlgorithmJcaSignatureAlgorithm = ApkSigningBlockUtils.getSignatureAlgorithmJcaSignatureAlgorithm(i2);
                    String str = signatureAlgorithmJcaSignatureAlgorithm.first;
                    AlgorithmParameterSpec algorithmParameterSpec = (AlgorithmParameterSpec) signatureAlgorithmJcaSignatureAlgorithm.second;
                    PublicKey publicKey = verbatimX509Certificate.getPublicKey();
                    try {
                        Signature signature = Signature.getInstance(str);
                        signature.initVerify(publicKey);
                        if (algorithmParameterSpec != null) {
                            signature.setParameter(algorithmParameterSpec);
                        }
                        signature.update(encodeApkContentDigests);
                        if (signature.verify(bArr2)) {
                            return SourceStampVerificationResult.verified(verbatimX509Certificate);
                        }
                        throw new SecurityException(str + " signature did not verify");
                    } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | SignatureException e2) {
                        throw new SecurityException("Failed to verify " + str + " signature", e2);
                    }
                } catch (NoSuchAlgorithmException e3) {
                    throw new SecurityException("Failed to find SHA-256", e3);
                }
            } catch (CertificateException e4) {
                throw new SecurityException("Failed to decode certificate", e4);
            }
        } catch (CertificateException e5) {
            throw new RuntimeException("Failed to obtain X.509 CertificateFactory", e5);
        }
    }

    private static Map<Integer, byte[]> getApkContentDigests(RandomAccessFile randomAccessFile) throws IOException, SignatureNotFoundException {
        try {
            return getApkContentDigestsFromSignatureBlock(ApkSigningBlockUtils.findSignature(randomAccessFile, APK_SIGNATURE_SCHEME_V3_BLOCK_ID).signatureBlock);
        } catch (SignatureNotFoundException e) {
            return getApkContentDigestsFromSignatureBlock(ApkSigningBlockUtils.findSignature(randomAccessFile, APK_SIGNATURE_SCHEME_V2_BLOCK_ID).signatureBlock);
        }
    }

    private static Map<Integer, byte[]> getApkContentDigestsFromSignatureBlock(ByteBuffer byteBuffer) throws IOException {
        HashMap hashMap = new HashMap();
        ByteBuffer lengthPrefixedSlice = ApkSigningBlockUtils.getLengthPrefixedSlice(byteBuffer);
        while (lengthPrefixedSlice.hasRemaining()) {
            ByteBuffer lengthPrefixedSlice2 = ApkSigningBlockUtils.getLengthPrefixedSlice(ApkSigningBlockUtils.getLengthPrefixedSlice(ApkSigningBlockUtils.getLengthPrefixedSlice(lengthPrefixedSlice)));
            while (lengthPrefixedSlice2.hasRemaining()) {
                ByteBuffer lengthPrefixedSlice3 = ApkSigningBlockUtils.getLengthPrefixedSlice(lengthPrefixedSlice2);
                int i = lengthPrefixedSlice3.getInt();
                hashMap.put(Integer.valueOf(ApkSigningBlockUtils.getSignatureAlgorithmContentDigestAlgorithm(i)), ApkSigningBlockUtils.readLengthPrefixedByteArray(lengthPrefixedSlice3));
            }
        }
        return hashMap;
    }

    private static byte[] getSourceStampCertificateDigest(StrictJarFile strictJarFile) throws IOException {
        InputStream inputStream = null;
        try {
            ZipEntry findEntry = strictJarFile.findEntry(SOURCE_STAMP_CERTIFICATE_HASH_ZIP_ENTRY_NAME);
            if (findEntry == null) {
                IoUtils.closeQuietly((AutoCloseable) null);
                return null;
            }
            inputStream = strictJarFile.getInputStream(findEntry);
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            byte[] bArr = new byte[1024];
            byteArrayOutputStream.write(bArr, 0, inputStream.read(bArr, 0, bArr.length));
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            IoUtils.closeQuietly(inputStream);
            return byteArray;
        } catch (Throwable th) {
            IoUtils.closeQuietly(inputStream);
            throw th;
        }
    }

    private static byte[] encodeApkContentDigests(List<Pair<Integer, byte[]>> list) {
        int i = 0;
        Iterator<Pair<Integer, byte[]>> it = list.iterator();
        while (it.hasNext()) {
            i += 12 + it.next().second.length;
        }
        ByteBuffer allocate = ByteBuffer.allocate(i);
        allocate.order(ByteOrder.LITTLE_ENDIAN);
        for (Pair<Integer, byte[]> pair : list) {
            byte[] bArr = pair.second;
            allocate.putInt(8 + bArr.length);
            allocate.putInt(pair.first.intValue());
            allocate.putInt(bArr.length);
            allocate.put(bArr);
        }
        return allocate.array();
    }

    private static void closeApkJar(StrictJarFile strictJarFile) {
        if (strictJarFile == null) {
            return;
        }
        try {
            strictJarFile.close();
        } catch (IOException e) {
            Slog.e(TAG, "Could not close APK jar", e);
        }
    }
}
