package android.util.apk;

import android.content.pm.PackageManager;
import android.content.pm.PackageParser;
import android.content.pm.Signature;
import android.os.Trace;
import android.util.apk.ApkSignatureSchemeV2Verifier;
import android.util.apk.ApkSignatureSchemeV3Verifier;
import android.util.apk.ApkSignatureSchemeV4Verifier;
import android.util.jar.StrictJarFile;
import com.android.internal.util.ArrayUtils;
import java.io.IOException;
import java.io.InputStream;
import java.security.DigestException;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import java.util.zip.ZipEntry;
import libcore.io.IoUtils;

/* loaded from: input_file:android/util/apk/ApkSignatureVerifier.class */
public class ApkSignatureVerifier {
    private static final AtomicReference<byte[]> sBuffer = new AtomicReference<>();

    /* loaded from: input_file:android/util/apk/ApkSignatureVerifier$Result.class */
    public static class Result {
        public final Certificate[][] certs;
        public final Signature[] sigs;
        public final int signatureSchemeVersion;

        public Result(Certificate[][] certificateArr, Signature[] signatureArr, int i) {
            this.certs = certificateArr;
            this.sigs = signatureArr;
            this.signatureSchemeVersion = i;
        }
    }

    /* loaded from: input_file:android/util/apk/ApkSignatureVerifier$SigningDetailsWithDigests.class */
    public static class SigningDetailsWithDigests {
        public final PackageParser.SigningDetails signingDetails;
        public final Map<Integer, byte[]> contentDigests;

        SigningDetailsWithDigests(PackageParser.SigningDetails signingDetails, Map<Integer, byte[]> map) {
            this.signingDetails = signingDetails;
            this.contentDigests = map;
        }
    }

    public static PackageParser.SigningDetails verify(String str, @PackageParser.SigningDetails.SignatureSchemeVersion int i) throws PackageParser.PackageParserException {
        return verifySignatures(str, i, true);
    }

    public static PackageParser.SigningDetails unsafeGetCertsWithoutVerification(String str, int i) throws PackageParser.PackageParserException {
        return verifySignatures(str, i, false);
    }

    private static PackageParser.SigningDetails verifySignatures(String str, @PackageParser.SigningDetails.SignatureSchemeVersion int i, boolean z) throws PackageParser.PackageParserException {
        return verifySignaturesInternal(str, i, z).signingDetails;
    }

    public static SigningDetailsWithDigests verifySignaturesInternal(String str, @PackageParser.SigningDetails.SignatureSchemeVersion int i, boolean z) throws PackageParser.PackageParserException {
        if (i > 4) {
            throw new PackageParser.PackageParserException(-103, "No signature found in package of version " + i + " or newer for package " + str);
        }
        try {
            return verifyV4Signature(str, i, z);
        } catch (SignatureNotFoundException e) {
            if (i >= 4) {
                throw new PackageParser.PackageParserException(-103, "No APK Signature Scheme v4 signature in package " + str, e);
            }
            if (i > 3) {
                throw new PackageParser.PackageParserException(-103, "No signature found in package of version " + i + " or newer for package " + str);
            }
            return verifyV3AndBelowSignatures(str, i, z);
        }
    }

    private static SigningDetailsWithDigests verifyV3AndBelowSignatures(String str, @PackageParser.SigningDetails.SignatureSchemeVersion int i, boolean z) throws PackageParser.PackageParserException {
        try {
            return verifyV3Signature(str, z);
        } catch (SignatureNotFoundException e) {
            if (i >= 3) {
                throw new PackageParser.PackageParserException(-103, "No APK Signature Scheme v3 signature in package " + str, e);
            }
            if (i > 2) {
                throw new PackageParser.PackageParserException(-103, "No signature found in package of version " + i + " or newer for package " + str);
            }
            try {
                return verifyV2Signature(str, z);
            } catch (SignatureNotFoundException e2) {
                if (i >= 2) {
                    throw new PackageParser.PackageParserException(-103, "No APK Signature Scheme v2 signature in package " + str, e2);
                }
                if (i > 1) {
                    throw new PackageParser.PackageParserException(-103, "No signature found in package of version " + i + " or newer for package " + str);
                }
                return verifyV1Signature(str, z);
            }
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v52, types: [java.security.cert.Certificate[]] */
    /* JADX WARN: Type inference failed for: r0v8, types: [java.security.cert.Certificate[], java.security.cert.Certificate[][]] */
    private static SigningDetailsWithDigests verifyV4Signature(String str, @PackageParser.SigningDetails.SignatureSchemeVersion int i, boolean z) throws SignatureNotFoundException, PackageParser.PackageParserException {
        Map<Integer, byte[]> map;
        X509Certificate[][] x509CertificateArr;
        Trace.traceBegin(262144L, z ? "verifyV4" : "certsOnlyV4");
        try {
            try {
                try {
                    ApkSignatureSchemeV4Verifier.VerifiedSigner extractCertificates = ApkSignatureSchemeV4Verifier.extractCertificates(str);
                    Signature[] convertToSignatures = convertToSignatures(new Certificate[]{extractCertificates.certs});
                    if (z) {
                        try {
                            ApkSignatureSchemeV3Verifier.VerifiedSigner unsafeGetCertsWithoutVerification = ApkSignatureSchemeV3Verifier.unsafeGetCertsWithoutVerification(str);
                            map = unsafeGetCertsWithoutVerification.contentDigests;
                            x509CertificateArr = new Certificate[]{unsafeGetCertsWithoutVerification.certs};
                        } catch (SignatureNotFoundException e) {
                            try {
                                ApkSignatureSchemeV2Verifier.VerifiedSigner verify = ApkSignatureSchemeV2Verifier.verify(str, false);
                                map = verify.contentDigests;
                                x509CertificateArr = verify.certs;
                            } catch (SignatureNotFoundException e2) {
                                throw new SecurityException("V4 verification failed to collect V2/V3 certificates from : " + str, e2);
                            }
                        }
                        Signature[] convertToSignatures2 = convertToSignatures(x509CertificateArr);
                        if (convertToSignatures2.length != convertToSignatures.length) {
                            throw new SecurityException("Invalid number of certificates: " + convertToSignatures2.length);
                        }
                        int length = convertToSignatures.length;
                        for (int i2 = 0; i2 < length; i2++) {
                            if (!convertToSignatures2[i2].equals(convertToSignatures[i2])) {
                                throw new SecurityException("V4 signature certificate does not match V2/V3");
                            }
                        }
                        boolean z2 = false;
                        Iterator<byte[]> it = map.values().iterator();
                        while (true) {
                            if (!it.hasNext()) {
                                break;
                            }
                            if (ArrayUtils.equals(extractCertificates.apkDigest, it.next(), extractCertificates.apkDigest.length)) {
                                z2 = true;
                                break;
                            }
                        }
                        if (!z2) {
                            throw new SecurityException("APK digest in V4 signature does not match V2/V3");
                        }
                    }
                    SigningDetailsWithDigests signingDetailsWithDigests = new SigningDetailsWithDigests(new PackageParser.SigningDetails(convertToSignatures, 4), extractCertificates.contentDigests);
                    Trace.traceEnd(262144L);
                    return signingDetailsWithDigests;
                } catch (Exception e3) {
                    throw new PackageParser.PackageParserException(-103, "Failed to collect certificates from " + str + " using APK Signature Scheme v4", e3);
                }
            } catch (SignatureNotFoundException e4) {
                throw e4;
            }
        } catch (Throwable th) {
            Trace.traceEnd(262144L);
            throw th;
        }
    }

    /* JADX WARN: Type inference failed for: r0v10, types: [java.security.cert.Certificate[], java.security.cert.Certificate[][]] */
    private static SigningDetailsWithDigests verifyV3Signature(String str, boolean z) throws SignatureNotFoundException, PackageParser.PackageParserException {
        Trace.traceBegin(262144L, z ? "verifyV3" : "certsOnlyV3");
        try {
            try {
                try {
                    ApkSignatureSchemeV3Verifier.VerifiedSigner verify = z ? ApkSignatureSchemeV3Verifier.verify(str) : ApkSignatureSchemeV3Verifier.unsafeGetCertsWithoutVerification(str);
                    Signature[] convertToSignatures = convertToSignatures(new Certificate[]{verify.certs});
                    Signature[] signatureArr = null;
                    if (verify.por != null) {
                        signatureArr = new Signature[verify.por.certs.size()];
                        for (int i = 0; i < signatureArr.length; i++) {
                            signatureArr[i] = new Signature(verify.por.certs.get(i).getEncoded());
                            signatureArr[i].setFlags(verify.por.flagsList.get(i).intValue());
                        }
                    }
                    SigningDetailsWithDigests signingDetailsWithDigests = new SigningDetailsWithDigests(new PackageParser.SigningDetails(convertToSignatures, 3, signatureArr), verify.contentDigests);
                    Trace.traceEnd(262144L);
                    return signingDetailsWithDigests;
                } catch (SignatureNotFoundException e) {
                    throw e;
                }
            } catch (Exception e2) {
                throw new PackageParser.PackageParserException(-103, "Failed to collect certificates from " + str + " using APK Signature Scheme v3", e2);
            }
        } catch (Throwable th) {
            Trace.traceEnd(262144L);
            throw th;
        }
    }

    private static SigningDetailsWithDigests verifyV2Signature(String str, boolean z) throws SignatureNotFoundException, PackageParser.PackageParserException {
        Trace.traceBegin(262144L, z ? "verifyV2" : "certsOnlyV2");
        try {
            try {
                ApkSignatureSchemeV2Verifier.VerifiedSigner verify = ApkSignatureSchemeV2Verifier.verify(str, z);
                SigningDetailsWithDigests signingDetailsWithDigests = new SigningDetailsWithDigests(new PackageParser.SigningDetails(convertToSignatures(verify.certs), 2), verify.contentDigests);
                Trace.traceEnd(262144L);
                return signingDetailsWithDigests;
            } catch (SignatureNotFoundException e) {
                throw e;
            } catch (Exception e2) {
                throw new PackageParser.PackageParserException(-103, "Failed to collect certificates from " + str + " using APK Signature Scheme v2", e2);
            }
        } catch (Throwable th) {
            Trace.traceEnd(262144L);
            throw th;
        }
    }

    private static SigningDetailsWithDigests verifyV1Signature(String str, boolean z) throws PackageParser.PackageParserException {
        try {
            try {
                Trace.traceBegin(262144L, "strictJarFileCtor");
                StrictJarFile strictJarFile = new StrictJarFile(str, true, z);
                ArrayList<ZipEntry> arrayList = new ArrayList();
                ZipEntry findEntry = strictJarFile.findEntry("AndroidManifest.xml");
                if (findEntry == null) {
                    throw new PackageParser.PackageParserException(-101, "Package " + str + " has no manifest");
                }
                Certificate[][] loadCertificates = loadCertificates(strictJarFile, findEntry);
                if (ArrayUtils.isEmpty(loadCertificates)) {
                    throw new PackageParser.PackageParserException(-103, "Package " + str + " has no certificates at entry AndroidManifest.xml");
                }
                Signature[] convertToSignatures = convertToSignatures(loadCertificates);
                if (z) {
                    Iterator<ZipEntry> it = strictJarFile.iterator();
                    while (it.hasNext()) {
                        ZipEntry next = it.next();
                        if (!next.isDirectory()) {
                            String name = next.getName();
                            if (!name.startsWith("META-INF/") && !name.equals("AndroidManifest.xml")) {
                                arrayList.add(next);
                            }
                        }
                    }
                    for (ZipEntry zipEntry : arrayList) {
                        Certificate[][] loadCertificates2 = loadCertificates(strictJarFile, zipEntry);
                        if (ArrayUtils.isEmpty(loadCertificates2)) {
                            throw new PackageParser.PackageParserException(-103, "Package " + str + " has no certificates at entry " + zipEntry.getName());
                        }
                        if (!Signature.areExactMatch(convertToSignatures, convertToSignatures(loadCertificates2))) {
                            throw new PackageParser.PackageParserException(PackageManager.INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, "Package " + str + " has mismatched certificates at entry " + zipEntry.getName());
                        }
                    }
                }
                SigningDetailsWithDigests signingDetailsWithDigests = new SigningDetailsWithDigests(new PackageParser.SigningDetails(convertToSignatures, 1), null);
                Trace.traceEnd(262144L);
                closeQuietly(strictJarFile);
                return signingDetailsWithDigests;
            } catch (IOException | RuntimeException e) {
                throw new PackageParser.PackageParserException(-103, "Failed to collect certificates from " + str, e);
            } catch (GeneralSecurityException e2) {
                throw new PackageParser.PackageParserException(PackageManager.INSTALL_PARSE_FAILED_CERTIFICATE_ENCODING, "Failed to collect certificates from " + str, e2);
            }
        } catch (Throwable th) {
            Trace.traceEnd(262144L);
            closeQuietly(null);
            throw th;
        }
    }

    private static Certificate[][] loadCertificates(StrictJarFile strictJarFile, ZipEntry zipEntry) throws PackageParser.PackageParserException {
        InputStream inputStream = null;
        try {
            try {
                inputStream = strictJarFile.getInputStream(zipEntry);
                readFullyIgnoringContents(inputStream);
                Certificate[][] certificateChains = strictJarFile.getCertificateChains(zipEntry);
                IoUtils.closeQuietly(inputStream);
                return certificateChains;
            } catch (IOException | RuntimeException e) {
                throw new PackageParser.PackageParserException(-102, "Failed reading " + zipEntry.getName() + " in " + strictJarFile, e);
            }
        } catch (Throwable th) {
            IoUtils.closeQuietly(inputStream);
            throw th;
        }
    }

    private static void readFullyIgnoringContents(InputStream inputStream) throws IOException {
        byte[] andSet = sBuffer.getAndSet(null);
        if (andSet == null) {
            andSet = new byte[4096];
        }
        int i = 0;
        while (true) {
            int i2 = i;
            int read = inputStream.read(andSet, 0, andSet.length);
            if (read == -1) {
                sBuffer.set(andSet);
                return;
            }
            i = i2 + read;
        }
    }

    private static Signature[] convertToSignatures(Certificate[][] certificateArr) throws CertificateEncodingException {
        Signature[] signatureArr = new Signature[certificateArr.length];
        for (int i = 0; i < certificateArr.length; i++) {
            signatureArr[i] = new Signature(certificateArr[i]);
        }
        return signatureArr;
    }

    private static void closeQuietly(StrictJarFile strictJarFile) {
        if (strictJarFile != null) {
            try {
                strictJarFile.close();
            } catch (Exception e) {
            }
        }
    }

    public static int getMinimumSignatureSchemeVersionForTargetSdk(int i) {
        return i >= 30 ? 2 : 1;
    }

    public static byte[] getVerityRootHash(String str) throws IOException, SecurityException {
        try {
            return ApkSignatureSchemeV3Verifier.getVerityRootHash(str);
        } catch (SignatureNotFoundException e) {
            try {
                return ApkSignatureSchemeV2Verifier.getVerityRootHash(str);
            } catch (SignatureNotFoundException e2) {
                return null;
            }
        }
    }

    public static byte[] generateApkVerity(String str, ByteBufferFactory byteBufferFactory) throws IOException, SignatureNotFoundException, SecurityException, DigestException, NoSuchAlgorithmException {
        try {
            return ApkSignatureSchemeV3Verifier.generateApkVerity(str, byteBufferFactory);
        } catch (SignatureNotFoundException e) {
            return ApkSignatureSchemeV2Verifier.generateApkVerity(str, byteBufferFactory);
        }
    }

    public static byte[] generateApkVerityRootHash(String str) throws NoSuchAlgorithmException, DigestException, IOException {
        try {
            return ApkSignatureSchemeV3Verifier.generateApkVerityRootHash(str);
        } catch (SignatureNotFoundException e) {
            try {
                return ApkSignatureSchemeV2Verifier.generateApkVerityRootHash(str);
            } catch (SignatureNotFoundException e2) {
                return null;
            }
        }
    }
}
