package com.android.apksig.internal.apk.v4;

import com.android.apksig.apk.ApkFormatException;
import com.android.apksig.apk.ApkUtils;
import com.android.apksig.internal.apk.ApkSigningBlockUtils;
import com.android.apksig.internal.apk.ContentDigestAlgorithm;
import com.android.apksig.internal.apk.SignatureAlgorithm;
import com.android.apksig.internal.apk.v3.V3SchemeSigner;
import com.android.apksig.internal.apk.v3.V3SchemeVerifier;
import com.android.apksig.internal.asn1.Asn1DerEncoder;
import com.android.apksig.internal.asn1.Asn1EncodingException;
import com.android.apksig.internal.oid.OidConstants;
import com.android.apksig.internal.pkcs7.AlgorithmIdentifier;
import com.android.apksig.internal.util.Pair;
import com.android.apksig.util.DataSource;
import com.android.apksig.zip.ZipFormatException;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;

/* loaded from: input_file:com/android/apksig/internal/apk/v4/V4SchemeSigner.class */
public abstract class V4SchemeSigner {
    private V4SchemeSigner() {
    }

    public static SignatureAlgorithm getSuggestedSignatureAlgorithm(PublicKey publicKey) throws InvalidKeyException {
        String algorithm = publicKey.getAlgorithm();
        if ("RSA".equalsIgnoreCase(algorithm)) {
            if (((RSAKey) publicKey).getModulus().bitLength() <= 3072) {
                return SignatureAlgorithm.VERITY_RSA_PKCS1_V1_5_WITH_SHA256;
            }
            throw new InvalidKeyException("Key requires SHA-512 signature algorithm, not yet supported with verity");
        }
        if ("DSA".equalsIgnoreCase(algorithm)) {
            return SignatureAlgorithm.VERITY_DSA_WITH_SHA256;
        }
        if (!"EC".equalsIgnoreCase(algorithm)) {
            throw new InvalidKeyException("Unsupported key algorithm: " + algorithm);
        }
        if (((ECKey) publicKey).getParams().getOrder().bitLength() <= 256) {
            return SignatureAlgorithm.VERITY_ECDSA_WITH_SHA256;
        }
        throw new InvalidKeyException("Key requires SHA-512 signature algorithm, not yet supported with verity");
    }

    public static void generateV4Signature(DataSource dataSource, ApkSigningBlockUtils.SignerConfig signerConfig, File file) throws IOException, InvalidKeyException, NoSuchAlgorithmException {
        HashMap hashMap = new HashMap();
        ApkSigningBlockUtils.computeChunkVerityTreeAndDigest(dataSource, hashMap);
        try {
            try {
                Pair<V4Signature, byte[]> generateSignatureObject = generateSignatureObject(signerConfig, hashMap, getV3Digest(dataSource));
                V4Signature first = generateSignatureObject.getFirst();
                byte[] second = generateSignatureObject.getSecond();
                DataOutputStream dataOutputStream = new DataOutputStream(new FileOutputStream(file));
                Throwable th = null;
                try {
                    try {
                        first.writeTo(dataOutputStream);
                        if (second != null && second.length != 0) {
                            V4Signature.writeBytes(dataOutputStream, second);
                        }
                        if (dataOutputStream != null) {
                            if (0 == 0) {
                                dataOutputStream.close();
                                return;
                            }
                            try {
                                dataOutputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                    } catch (Throwable th3) {
                        th = th3;
                        throw th3;
                    }
                } catch (Throwable th4) {
                    if (dataOutputStream != null) {
                        if (th != null) {
                            try {
                                dataOutputStream.close();
                            } catch (Throwable th5) {
                                th.addSuppressed(th5);
                            }
                        } else {
                            dataOutputStream.close();
                        }
                    }
                    throw th4;
                }
            } catch (Asn1EncodingException | InvalidKeyException | SignatureException | CertificateEncodingException e) {
                throw new InvalidKeyException("Signer failed", e);
            }
        } catch (ApkFormatException | ApkSigningBlockUtils.SignatureNotFoundException | SignatureException e2) {
            throw new IOException("Failed to parse V3-signed apk to read its V3 digest");
        }
    }

    private static Pair<V4Signature, byte[]> generateSignatureObject(ApkSigningBlockUtils.SignerConfig signerConfig, Map<ContentDigestAlgorithm, Pair<byte[], byte[]>> map, byte[] bArr) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, CertificateEncodingException, Asn1EncodingException {
        if (signerConfig.certificates.isEmpty()) {
            throw new SignatureException("No certificates configured for signer");
        }
        PublicKey publicKey = signerConfig.certificates.get(0).getPublicKey();
        if (ApkSigningBlockUtils.encodeCertificates(signerConfig.certificates).size() != 1) {
            throw new CertificateEncodingException("Should only have one certificate");
        }
        if (signerConfig.signatureAlgorithms.size() != 1) {
            throw new SignatureException("Should only be one signature algorithm");
        }
        Pair<byte[], byte[]> pair = map.get(signerConfig.signatureAlgorithms.get(0).getContentDigestAlgorithm());
        if (pair == null) {
            throw new SignatureException("Cannot find computed digest");
        }
        byte[] first = pair.getFirst();
        byte[] second = pair.getSecond();
        byte[] array = ByteBuffer.allocate(second.length + bArr.length).put(second).put(bArr).array();
        List<Pair<Integer, byte[]>> generateSignaturesOverData = ApkSigningBlockUtils.generateSignaturesOverData(signerConfig, array);
        if (generateSignaturesOverData.size() != 1) {
            throw new SignatureException("Should only be one signature generated");
        }
        return Pair.of(new V4Signature(1, second, bArr, ApkSigningBlockUtils.generatePkcs7DerEncodedMessage(generateSignaturesOverData.get(0).getSecond(), ByteBuffer.wrap(array), signerConfig.certificates, new AlgorithmIdentifier(OidConstants.OID_DIGEST_SHA256, Asn1DerEncoder.ASN1_DER_NULL), getSignatureAlgorithmIdentifier(publicKey))), first);
    }

    private static byte[] getV3Digest(DataSource dataSource) throws ApkFormatException, IOException, ApkSigningBlockUtils.SignatureNotFoundException, NoSuchAlgorithmException, SignatureException {
        ContentDigestAlgorithm contentDigestAlgorithm;
        HashSet hashSet = new HashSet(1);
        ApkSigningBlockUtils.Result result = new ApkSigningBlockUtils.Result(3);
        try {
            V3SchemeVerifier.parseSigners(ApkSigningBlockUtils.findSignature(dataSource, ApkUtils.findZipSections(dataSource), V3SchemeSigner.APK_SIGNATURE_SCHEME_V3_BLOCK_ID, result).signatureBlock, hashSet, result);
            if (result.signers.size() != 1) {
                throw new SignatureException("Should only have one signer");
            }
            List<ApkSigningBlockUtils.Result.SignerInfo.ContentDigest> list = result.signers.get(0).contentDigests;
            if (list.isEmpty()) {
                throw new SignatureException("Should have at least one digest");
            }
            for (ApkSigningBlockUtils.Result.SignerInfo.ContentDigest contentDigest : list) {
                SignatureAlgorithm findById = SignatureAlgorithm.findById(contentDigest.getSignatureAlgorithmId());
                if (findById != null && (contentDigestAlgorithm = findById.getContentDigestAlgorithm()) != null && (contentDigestAlgorithm == ContentDigestAlgorithm.CHUNKED_SHA256 || contentDigestAlgorithm == ContentDigestAlgorithm.CHUNKED_SHA512)) {
                    return contentDigest.getValue();
                }
            }
            throw new SignatureException("Failed to find any V3 digest in the source APK");
        } catch (ZipFormatException e) {
            throw new ApkFormatException("Malformed APK: not a ZIP archive", e);
        }
    }

    private static AlgorithmIdentifier getSignatureAlgorithmIdentifier(PublicKey publicKey) throws InvalidKeyException {
        String algorithm = publicKey.getAlgorithm();
        if ("RSA".equalsIgnoreCase(algorithm)) {
            return new AlgorithmIdentifier(OidConstants.OID_SIG_RSA, Asn1DerEncoder.ASN1_DER_NULL);
        }
        if ("DSA".equalsIgnoreCase(algorithm)) {
            return new AlgorithmIdentifier(OidConstants.OID_SIG_SHA256_WITH_DSA, Asn1DerEncoder.ASN1_DER_NULL);
        }
        if ("EC".equalsIgnoreCase(algorithm)) {
            return new AlgorithmIdentifier(OidConstants.OID_SIG_EC_PUBLIC_KEY, Asn1DerEncoder.ASN1_DER_NULL);
        }
        throw new InvalidKeyException("Unsupported key algorithm: " + algorithm);
    }
}
