package com.android.apksig.internal.apk.v4;

import com.android.apksig.ApkVerifier;
import com.android.apksig.internal.apk.ApkSigningBlockUtils;
import com.android.apksig.internal.apk.ContentDigestAlgorithm;
import com.android.apksig.internal.apk.SignatureAlgorithm;
import com.android.apksig.internal.asn1.Asn1BerParser;
import com.android.apksig.internal.asn1.Asn1DecodingException;
import com.android.apksig.internal.pkcs7.AlgorithmIdentifier;
import com.android.apksig.internal.pkcs7.ContentInfo;
import com.android.apksig.internal.pkcs7.Pkcs7Constants;
import com.android.apksig.internal.pkcs7.SignedData;
import com.android.apksig.internal.pkcs7.SignerInfo;
import com.android.apksig.internal.util.ByteBufferUtils;
import com.android.apksig.internal.util.Pair;
import com.android.apksig.internal.x509.Certificate;
import com.android.apksig.util.DataSource;
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;

/* loaded from: input_file:com/android/apksig/internal/apk/v4/V4SchemeVerifier.class */
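/**
 * Verifier for APK Signature Scheme v4 signature files.
 *
 * <p>The signature file is untrusted input. This class parses it, checks the PKCS#7 signature
 * over the attached {@code verityRootHash || v3Digest} bytes, and then runs the verity root hash
 * / tree comparison against the APK contents.
 *
 * <p>Scope of the checks, as far as this class shows:
 * <ul>
 *   <li>The signature is checked against the certificate embedded in the PKCS#7 block. No chain
 *       building or trust-anchor validation happens here, so a "verified" result only says the
 *       file is self-consistent; callers must pin or otherwise authenticate the reported
 *       certificate.</li>
 *   <li>The v3 digest is only compared with the signed attached data. This class does not compare
 *       it with the APK's actual v3 signature; presumably the caller does - confirm.</li>
 * </ul>
 */
public abstract class V4SchemeVerifier {
    /** Static utility holder; never instantiated. */
    private V4SchemeVerifier() {
    }

    /**
     * Verifies the v4 signature stored in {@code file} against the APK in {@code dataSource}.
     *
     * @param dataSource contents of the APK the signature file claims to cover
     * @param file v4 signature file (untrusted)
     * @return result with one signer entry when a signature was parsed; {@code verified} is set
     *     only when no error was recorded
     * @throws IOException if the signature file or the APK cannot be read (a premature end of the
     *     signature file is not reported this way, see below)
     * @throws NoSuchAlgorithmException if a digest algorithm needed for the verity tree is missing
     */
    public static ApkSigningBlockUtils.Result verify(DataSource dataSource, File file) throws IOException, NoSuchAlgorithmException {
        V4Signature v4Signature = null;
        byte[] expectedTree = null;
        // try-with-resources closes the stream on every path; the previous hand-rolled close only
        // ran when both reads succeeded, leaking the descriptor on any parse or I/O failure.
        try (DataInputStream input = new DataInputStream(new FileInputStream(file))) {
            v4Signature = V4Signature.readFrom(input);
            expectedTree = V4Signature.readBytes(input);
        } catch (EOFException ignored) {
            // A truncated file is tolerated: whatever was read before EOF is kept.
            // Security note: if only the tree is cut off, expectedTree stays null and
            // verifyRootHashAndTree() then skips the tree comparison entirely.
        }

        // 4 is presumably the v4 scheme version id expected by Result - confirm against
        // ApkSigningBlockUtils.
        ApkSigningBlockUtils.Result result = new ApkSigningBlockUtils.Result(4);
        if (v4Signature == null) {
            result.addError(ApkVerifier.Issue.V4_SIG_NO_SIGNATURES, "Signature file does not contain a v4 signature.");
            return result;
        }
        if (v4Signature.version != 1) {
            // An unexpected format version is only a warning; verification continues.
            result.addWarning(ApkVerifier.Issue.V4_SIG_VERSION_NOT_CURRENT, v4Signature.version, 1);
        }

        ByteBuffer pkcs7Block = ByteBuffer.wrap(v4Signature.pkcs7SignatureBlock).order(ByteOrder.LITTLE_ENDIAN);
        result.signers.add(parseAndVerifySignatureBlock(
                pkcs7Block,
                ByteBuffer.wrap(v4Signature.verityRootHash),
                ByteBuffer.wrap(v4Signature.v3Digest)));
        if (result.containsErrors()) {
            return result;
        }

        verifyRootHashAndTree(dataSource, result, v4Signature.verityRootHash, expectedTree);
        if (!result.containsErrors()) {
            result.verified = true;
        }
        // The v3 digest is recorded under signature algorithm id 0 only after the root hash / tree
        // step has run, so that step never sees this entry.
        result.signers.get(0).contentDigests.add(new ApkSigningBlockUtils.Result.SignerInfo.ContentDigest(0, v4Signature.v3Digest));
        return result;
    }

    /**
     * Parses the PKCS#7 block and checks that it signs exactly {@code rootHash || v3Digest}.
     *
     * @param pkcs7Block BER-encoded PKCS#7 ContentInfo taken from the signature file
     * @param rootHash verity root hash field of the signature file (array-backed buffer)
     * @param v3Digest v3 digest field of the signature file (array-backed buffer)
     * @return signer info carrying the signing certificate and any errors found
     */
    private static ApkSigningBlockUtils.Result.SignerInfo parseAndVerifySignatureBlock(ByteBuffer pkcs7Block, ByteBuffer rootHash, ByteBuffer v3Digest) {
        ApkSigningBlockUtils.Result.SignerInfo signerResult = new ApkSigningBlockUtils.Result.SignerInfo();
        try {
            ContentInfo contentInfo = (ContentInfo) Asn1BerParser.parse(pkcs7Block, ContentInfo.class);
            if (!Pkcs7Constants.OID_SIGNED_DATA.equals(contentInfo.contentType)) {
                // Recorded as an error, but parsing continues so later problems are reported too.
                signerResult.addError(ApkVerifier.Issue.V4_SIG_MALFORMED_PKCS7, "Unsupported ContentInfo.contentType: " + contentInfo.contentType);
            }
            SignedData signedData = (SignedData) Asn1BerParser.parse(contentInfo.content.getEncoded(), SignedData.class);
            if (signedData.signerInfos.isEmpty()) {
                signerResult.addError(ApkVerifier.Issue.V4_SIG_NO_SIGNER);
                return signerResult;
            }
            if (signedData.signerInfos.size() != 1) {
                signerResult.addError(ApkVerifier.Issue.V4_SIG_MULTIPLE_SIGNERS);
                return signerResult;
            }

            byte[] expectedRootHash = rootHash.array();
            byte[] expectedV3Digest = v3Digest.array();

            // Missing attached content is reported instead of failing with a
            // NullPointerException on attacker-supplied input.
            if (signedData.encapContentInfo == null || signedData.encapContentInfo.content == null) {
                signerResult.addError(ApkVerifier.Issue.V4_SIG_ROOT_HASH_MISMATCH_WITH_ATTACHED_DATA);
                return signerResult;
            }
            // Work on a slice: its position starts at 0, so flip() below rewinds to the start of
            // the attached data even if the parser handed over a buffer with a non-zero position.
            ByteBuffer attached = signedData.encapContentInfo.content.slice();

            // Length checks keep a short attached-data field from escaping as an unchecked
            // BufferUnderflowException.
            if (attached.remaining() < expectedRootHash.length) {
                signerResult.addError(ApkVerifier.Issue.V4_SIG_ROOT_HASH_MISMATCH_WITH_ATTACHED_DATA);
                return signerResult;
            }
            byte[] attachedRootHash = new byte[expectedRootHash.length];
            attached.get(attachedRootHash);
            if (!Arrays.equals(attachedRootHash, expectedRootHash)) {
                signerResult.addError(ApkVerifier.Issue.V4_SIG_ROOT_HASH_MISMATCH_WITH_ATTACHED_DATA);
                return signerResult;
            }

            if (attached.remaining() < expectedV3Digest.length) {
                signerResult.addError(ApkVerifier.Issue.V4_SIG_V3_DIGEST_MISMATCH_WITH_ATTACHED_DATA);
                return signerResult;
            }
            byte[] attachedV3Digest = new byte[expectedV3Digest.length];
            attached.get(attachedV3Digest);
            if (!Arrays.equals(attachedV3Digest, expectedV3Digest)) {
                signerResult.addError(ApkVerifier.Issue.V4_SIG_V3_DIGEST_MISMATCH_WITH_ATTACHED_DATA);
                return signerResult;
            }

            // flip() limits the buffer to the bytes just compared, so the signature check covers
            // exactly rootHash || v3Digest; any trailing attached bytes are not fed to it.
            attached.flip();
            try {
                verifySignerInfo(Certificate.parseCertificates(signedData.certificates), signedData.signerInfos.get(0), attached, signerResult);
            } catch (CertificateException e) {
                signerResult.addError(ApkVerifier.Issue.V4_SIG_MALFORMED_CERTIFICATE, e);
            }
            return signerResult;
        } catch (Asn1DecodingException e) {
            signerResult.addError(ApkVerifier.Issue.V4_SIG_MALFORMED_PKCS7, e);
            return signerResult;
        }
    }

    /**
     * Checks the single PKCS#7 signer: locates its certificate, applies basic certificate sanity
     * checks and verifies the signature over {@code signedContent}.
     *
     * <p>No trust decision is made here: the certificate comes from the same untrusted block as
     * the signature.
     *
     * @param certificates certificates embedded in the PKCS#7 SignedData
     * @param pkcs7Signer the SignerInfo structure to verify
     * @param signedContent bytes the signature must cover
     * @param signerResult receives the signing certificate and any errors
     */
    private static void verifySignerInfo(List<X509Certificate> certificates, SignerInfo pkcs7Signer, ByteBuffer signedContent, ApkSigningBlockUtils.Result.SignerInfo signerResult) {
        String digestAlgorithmOid = pkcs7Signer.digestAlgorithm.algorithm;
        String signatureAlgorithmOid = pkcs7Signer.signatureAlgorithm.algorithm;
        X509Certificate signingCert = Certificate.findCertificate(certificates, pkcs7Signer.sid);

        signerResult.certs.clear();
        if (signingCert == null) {
            // Checked before publishing the certificate so that a null entry never ends up in
            // signerResult.certs for callers to trip over.
            signerResult.addError(ApkVerifier.Issue.V4_SIG_NO_CERTIFICATE);
            return;
        }
        signerResult.certs.add(signingCert);

        if (signingCert.hasUnsupportedCriticalExtension()) {
            signerResult.addError(ApkVerifier.Issue.V4_SIG_MALFORMED_CERTIFICATE, "Signing certificate has unsupported critical extensions");
            return;
        }

        // keyUsage bit 0 is digitalSignature and bit 1 is nonRepudiation; a certificate without
        // the extension (null) is accepted.
        boolean[] keyUsage = signingCert.getKeyUsage();
        if (keyUsage != null) {
            boolean digitalSignature = keyUsage.length >= 1 && keyUsage[0];
            boolean nonRepudiation = keyUsage.length >= 2 && keyUsage[1];
            if (!digitalSignature && !nonRepudiation) {
                signerResult.addError(ApkVerifier.Issue.V4_SIG_MALFORMED_CERTIFICATE, "Signing certificate not authorized for use in digital signatures: keyUsage extension missing digitalSignature and nonRepudiation");
                return;
            }
        }

        final Signature verifier;
        try {
            verifier = Signature.getInstance(AlgorithmIdentifier.getJcaSignatureAlgorithm(digestAlgorithmOid, signatureAlgorithmOid));
        } catch (NoSuchAlgorithmException | SignatureException e) {
            signerResult.addError(ApkVerifier.Issue.V4_SIG_UNKNOWN_SIG_ALGORITHM);
            return;
        }

        if (pkcs7Signer.signedAttrs != null) {
            // With signed attributes present the signature would cover the attributes rather than
            // the content directly; the error is recorded and the check below still runs.
            signerResult.addError(ApkVerifier.Issue.V4_SIG_MALFORMED_SIGNERS, "Should not contain signed attributes");
        }

        try {
            verifier.initVerify(signingCert.getPublicKey());
            verifier.update(signedContent);
            if (!verifier.verify(ByteBufferUtils.toByteArray(pkcs7Signer.signature.slice()))) {
                signerResult.addError(ApkVerifier.Issue.V4_SIG_DID_NOT_VERIFY);
            }
        } catch (InvalidKeyException | SignatureException e) {
            signerResult.addError(ApkVerifier.Issue.V4_SIG_VERIFY_EXCEPTION);
        }
    }

    /**
     * Compares the verity root hash and tree from the signature file with the values computed
     * from the APK.
     *
     * <p>NOTE(review): the comparison runs once per entry of the signer's {@code contentDigests}.
     * Within this class nothing adds to that list before this method is called ({@code verify}
     * adds the v3 digest only afterwards). Unless {@code SignerInfo} is pre-populated elsewhere,
     * the loop body never executes, no error can be raised here, and {@code verify} goes on to
     * set {@code verified = true} without the APK contents having been checked against the signed
     * root hash. Confirm against the rest of the library before relying on this result.
     *
     * @param apk APK contents to hash
     * @param result result holding exactly one signer
     * @param expectedRootHash root hash from the signature file
     * @param expectedTree verity tree from the signature file, or {@code null} to skip the tree
     *     comparison
     * @throws IllegalStateException if {@code result} does not hold exactly one signer
     */
    private static void verifyRootHashAndTree(DataSource apk, ApkSigningBlockUtils.Result result, byte[] expectedRootHash, byte[] expectedTree) throws IOException, NoSuchAlgorithmException {
        // Raw map kept as in the original; the element type expected by
        // computeChunkVerityTreeAndDigest is not visible from this file.
        HashMap computedDigests = new HashMap();
        ApkSigningBlockUtils.computeChunkVerityTreeAndDigest(apk, computedDigests);
        if (result.signers.size() != 1) {
            throw new IllegalStateException("There should only be one signer for V4");
        }
        ApkSigningBlockUtils.Result.SignerInfo signer = result.signers.get(0);
        for (ApkSigningBlockUtils.Result.SignerInfo.ContentDigest contentDigest : signer.contentDigests) {
            SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.findById(contentDigest.getSignatureAlgorithmId());
            if (signatureAlgorithm == null) {
                continue;
            }
            ContentDigestAlgorithm digestAlgorithm = signatureAlgorithm.getContentDigestAlgorithm();
            if (digestAlgorithm != ContentDigestAlgorithm.VERITY_CHUNKED_SHA256) {
                continue;
            }

            byte[] claimedRootHash = contentDigest.getValue();
            // The pair holds the computed tree first and the computed root hash second.
            Pair computed = (Pair) computedDigests.get(digestAlgorithm);
            byte[] computedRootHash = (byte[]) computed.getSecond();
            byte[] computedTree = (byte[]) computed.getFirst();

            boolean rootHashMatches = Arrays.equals(claimedRootHash, computedRootHash)
                    && Arrays.equals(claimedRootHash, expectedRootHash);
            if (!rootHashMatches) {
                signer.addError(ApkVerifier.Issue.V4_SIG_APK_ROOT_DID_NOT_VERIFY, digestAlgorithm, ApkSigningBlockUtils.toHex(claimedRootHash), ApkSigningBlockUtils.toHex(computedRootHash));
            } else if (expectedTree == null || Arrays.equals(expectedTree, computedTree)) {
                // A null expectedTree (tree missing from the signature file) passes unchecked.
                signer.verifiedContentDigests.put(digestAlgorithm, computedRootHash);
            } else {
                signer.addError(ApkVerifier.Issue.V4_SIG_APK_TREE_DID_NOT_VERIFY, digestAlgorithm, ApkSigningBlockUtils.toHex(claimedRootHash), ApkSigningBlockUtils.toHex(computedRootHash));
            }
        }
    }
}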
