package com.android.apksig.internal.apk.stamp;

import com.android.apksig.ApkVerifier;
import com.android.apksig.apk.ApkFormatException;
import com.android.apksig.internal.apk.ApkSigningBlockUtils;
import com.android.apksig.internal.apk.SignatureAlgorithm;
import com.android.apksig.internal.util.GuaranteedEncodedFormX509Certificate;
import com.android.apksig.internal.util.X509CertificateUtils;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
public class SourceStampVerifier {
    private SourceStampVerifier() {
    }

    private static X509Certificate verifySourceStampCertificate(ByteBuffer byteBuffer, CertificateFactory certificateFactory, byte[] bArr, ApkSigningBlockUtils.Result.SignerInfo signerInfo) throws NoSuchAlgorithmException, ApkFormatException {
        byte[] readLengthPrefixedByteArray = ApkSigningBlockUtils.readLengthPrefixedByteArray(byteBuffer);
        try {
            GuaranteedEncodedFormX509Certificate guaranteedEncodedFormX509Certificate = new GuaranteedEncodedFormX509Certificate(X509CertificateUtils.generateCertificate(readLengthPrefixedByteArray, certificateFactory), readLengthPrefixedByteArray);
            signerInfo.certs.add(guaranteedEncodedFormX509Certificate);
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            messageDigest.update(readLengthPrefixedByteArray);
            byte[] digest = messageDigest.digest();
            if (Arrays.equals(bArr, digest)) {
                return guaranteedEncodedFormX509Certificate;
            }
            signerInfo.addWarning(ApkVerifier.Issue.SOURCE_STAMP_CERTIFICATE_MISMATCH_BETWEEN_SIGNATURE_BLOCK_AND_APK, ApkSigningBlockUtils.toHex(digest), ApkSigningBlockUtils.toHex(bArr));
            return null;
        } catch (CertificateException e) {
            signerInfo.addWarning(ApkVerifier.Issue.SOURCE_STAMP_MALFORMED_CERTIFICATE, e);
            return null;
        }
    }

    private static void verifySourceStampSignature(byte[] bArr, int i, int i2, X509Certificate x509Certificate, ByteBuffer byteBuffer, ApkSigningBlockUtils.Result.SignerInfo signerInfo) throws ApkFormatException {
        ByteBuffer lengthPrefixedSlice = ApkSigningBlockUtils.getLengthPrefixedSlice(byteBuffer);
        ArrayList arrayList = new ArrayList(1);
        int i3 = 0;
        while (lengthPrefixedSlice.hasRemaining()) {
            i3++;
            try {
                ByteBuffer lengthPrefixedSlice2 = ApkSigningBlockUtils.getLengthPrefixedSlice(lengthPrefixedSlice);
                int i4 = lengthPrefixedSlice2.getInt();
                byte[] readLengthPrefixedByteArray = ApkSigningBlockUtils.readLengthPrefixedByteArray(lengthPrefixedSlice2);
                SignatureAlgorithm findById = SignatureAlgorithm.findById(i4);
                if (findById == null) {
                    signerInfo.addWarning(ApkVerifier.Issue.SOURCE_STAMP_UNKNOWN_SIG_ALGORITHM, Integer.valueOf(i4));
                } else {
                    arrayList.add(new ApkSigningBlockUtils.SupportedSignature(findById, readLengthPrefixedByteArray));
                }
            } catch (ApkFormatException | BufferUnderflowException unused) {
                signerInfo.addWarning(ApkVerifier.Issue.SOURCE_STAMP_MALFORMED_SIGNATURE, Integer.valueOf(i3));
                return;
            }
        }
        if (arrayList.isEmpty()) {
            signerInfo.addWarning(ApkVerifier.Issue.SOURCE_STAMP_NO_SIGNATURE, new Object[0]);
            return;
        }
        try {
            for (ApkSigningBlockUtils.SupportedSignature supportedSignature : ApkSigningBlockUtils.getSignaturesToVerify(arrayList, i, i2)) {
                SignatureAlgorithm signatureAlgorithm = supportedSignature.algorithm;
                String first = signatureAlgorithm.getJcaSignatureAlgorithmAndParams().getFirst();
                AlgorithmParameterSpec second = signatureAlgorithm.getJcaSignatureAlgorithmAndParams().getSecond();
                PublicKey publicKey = x509Certificate.getPublicKey();
                try {
                    Signature signature = Signature.getInstance(first);
                    signature.initVerify(publicKey);
                    if (second != null) {
                        signature.setParameter(second);
                    }
                    signature.update(bArr);
                    signature.verify(supportedSignature.signature);
                    if (1 == 0) {
                        signerInfo.addWarning(ApkVerifier.Issue.SOURCE_STAMP_DID_NOT_VERIFY, signatureAlgorithm);
                        return;
                    }
                } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
                    signerInfo.addWarning(ApkVerifier.Issue.SOURCE_STAMP_VERIFY_EXCEPTION, signatureAlgorithm, e);
                    return;
                }
            }
        } catch (ApkSigningBlockUtils.NoSupportedSignaturesException unused2) {
            signerInfo.addWarning(ApkVerifier.Issue.SOURCE_STAMP_NO_SUPPORTED_SIGNATURE, new Object[0]);
        }
    }

    public static void verifyV1SourceStamp(ByteBuffer byteBuffer, CertificateFactory certificateFactory, ApkSigningBlockUtils.Result.SignerInfo signerInfo, byte[] bArr, byte[] bArr2, int i, int i2) throws ApkFormatException, NoSuchAlgorithmException {
        X509Certificate verifySourceStampCertificate = verifySourceStampCertificate(byteBuffer, certificateFactory, bArr2, signerInfo);
        if (signerInfo.containsWarnings() || signerInfo.containsErrors()) {
            return;
        }
        verifySourceStampSignature(bArr, i, i2, verifySourceStampCertificate, byteBuffer, signerInfo);
    }

    public static void verifyV2SourceStamp(ByteBuffer byteBuffer, CertificateFactory certificateFactory, ApkSigningBlockUtils.Result.SignerInfo signerInfo, Map<Integer, byte[]> map, byte[] bArr, int i, int i2) throws ApkFormatException, NoSuchAlgorithmException {
        X509Certificate verifySourceStampCertificate = verifySourceStampCertificate(byteBuffer, certificateFactory, bArr, signerInfo);
        if (signerInfo.containsWarnings() || signerInfo.containsErrors()) {
            return;
        }
        ByteBuffer lengthPrefixedSlice = ApkSigningBlockUtils.getLengthPrefixedSlice(byteBuffer);
        HashMap hashMap = new HashMap();
        while (lengthPrefixedSlice.hasRemaining()) {
            ByteBuffer lengthPrefixedSlice2 = ApkSigningBlockUtils.getLengthPrefixedSlice(lengthPrefixedSlice);
            hashMap.put(Integer.valueOf(lengthPrefixedSlice2.getInt()), lengthPrefixedSlice2);
        }
        for (Map.Entry<Integer, byte[]> entry : map.entrySet()) {
            if (!hashMap.containsKey(entry.getKey())) {
                signerInfo.addWarning(ApkVerifier.Issue.SOURCE_STAMP_NO_SIGNATURE, new Object[0]);
                return;
            }
            verifySourceStampSignature(entry.getValue(), i, i2, verifySourceStampCertificate, (ByteBuffer) hashMap.get(entry.getKey()), signerInfo);
            if (signerInfo.containsWarnings() || signerInfo.containsWarnings()) {
                return;
            }
        }
    }
}
