package android.util.jar;

import android.security.keystore.KeyProperties;
import android.telephony.SmsManager;
import android.util.jar.StrictJarManifest;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.jar.Attributes;
import sun.security.jca.Providers;
import sun.security.pkcs.PKCS7;
import sun.security.pkcs.SignerInfo;

/* loaded from: classes3.dex */
class StrictJarVerifier {
    private static final String[] DIGEST_ALGORITHMS = {KeyProperties.DIGEST_SHA512, KeyProperties.DIGEST_SHA384, KeyProperties.DIGEST_SHA256, "SHA1"};
    private static final String SF_ATTRIBUTE_ANDROID_APK_SIGNED_NAME = "X-Android-APK-Signed";
    private final String jarName;
    private final int mainAttributesEnd;
    private final StrictJarManifest manifest;
    private final HashMap<String, byte[]> metaEntries;
    private final boolean signatureSchemeRollbackProtectionsEnforced;
    private final Hashtable<String, HashMap<String, Attributes>> signatures = new Hashtable<>(5);
    private final Hashtable<String, Certificate[]> certificates = new Hashtable<>(5);
    private final Hashtable<String, Certificate[][]> verifiedEntries = new Hashtable<>();

    /* loaded from: classes3.dex */
    static class VerifierEntry extends OutputStream {
        private final Certificate[][] certChains;
        private final MessageDigest digest;
        private final byte[] hash;
        private final String name;
        private final Hashtable<String, Certificate[][]> verifiedEntries;

        VerifierEntry(String str, MessageDigest messageDigest, byte[] bArr, Certificate[][] certificateArr, Hashtable<String, Certificate[][]> hashtable) {
            this.name = str;
            this.digest = messageDigest;
            this.hash = bArr;
            this.certChains = certificateArr;
            this.verifiedEntries = hashtable;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public void verify() {
            if (StrictJarVerifier.verifyMessageDigest(this.digest.digest(), this.hash)) {
                this.verifiedEntries.put(this.name, this.certChains);
            } else {
                String str = this.name;
                throw StrictJarVerifier.invalidDigest("META-INF/MANIFEST.MF", str, str);
            }
        }

        @Override // java.io.OutputStream
        public void write(int i) {
            this.digest.update((byte) i);
        }

        @Override // java.io.OutputStream
        public void write(byte[] bArr, int i, int i2) {
            this.digest.update(bArr, i, i2);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public StrictJarVerifier(String str, StrictJarManifest strictJarManifest, HashMap<String, byte[]> hashMap, boolean z) {
        this.jarName = str;
        this.manifest = strictJarManifest;
        this.metaEntries = hashMap;
        this.mainAttributesEnd = strictJarManifest.getMainAttributesEnd();
        this.signatureSchemeRollbackProtectionsEnforced = z;
    }

    private static SecurityException failedVerification(String str, String str2) {
        throw new SecurityException(str + " failed verification of " + str2);
    }

    private static SecurityException failedVerification(String str, String str2, Throwable th) {
        throw new SecurityException(str + " failed verification of " + str2, th);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static SecurityException invalidDigest(String str, String str2, String str3) {
        throw new SecurityException(str + " has invalid digest for " + str2 + " in " + str3);
    }

    private boolean verify(Attributes attributes, String str, byte[] bArr, int i, int i2, boolean z, boolean z2) {
        int i3 = 0;
        while (true) {
            String[] strArr = DIGEST_ALGORITHMS;
            if (i3 >= strArr.length) {
                return z2;
            }
            String str2 = strArr[i3];
            String value = attributes.getValue(str2 + str);
            if (value != null) {
                try {
                    MessageDigest messageDigest = MessageDigest.getInstance(str2);
                    if (z && bArr[i2 - 1] == 10 && bArr[i2 - 2] == 10) {
                        messageDigest.update(bArr, i, (i2 - 1) - i);
                    } else {
                        messageDigest.update(bArr, i, i2 - i);
                    }
                    return verifyMessageDigest(messageDigest.digest(), value.getBytes(StandardCharsets.ISO_8859_1));
                } catch (NoSuchAlgorithmException e) {
                }
            }
            i3++;
        }
    }

    static Certificate[] verifyBytes(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
        try {
            try {
                Object startJarVerification = Providers.startJarVerification();
                PKCS7 pkcs7 = new PKCS7(bArr);
                SignerInfo[] verify = pkcs7.verify(bArr2);
                if (verify == null || verify.length == 0) {
                    throw new GeneralSecurityException("Failed to verify signature: no verified SignerInfos");
                }
                ArrayList certificateChain = verify[0].getCertificateChain(pkcs7);
                if (certificateChain == null) {
                    throw new GeneralSecurityException("Failed to find verified SignerInfo certificate chain");
                }
                if (certificateChain.isEmpty()) {
                    throw new GeneralSecurityException("Verified SignerInfo certificate chain is emtpy");
                }
                Certificate[] certificateArr = (Certificate[]) certificateChain.toArray(new X509Certificate[certificateChain.size()]);
                Providers.stopJarVerification(startJarVerification);
                return certificateArr;
            } catch (IOException e) {
                throw new GeneralSecurityException("IO exception verifying jar cert", e);
            }
        } catch (Throwable th) {
            Providers.stopJarVerification((Object) null);
            throw th;
        }
    }

    private void verifyCertificate(String str) {
        byte[] bArr;
        HashMap<String, Attributes> hashMap;
        String value;
        String str2 = str.substring(0, str.lastIndexOf(46)) + ".SF";
        byte[] bArr2 = this.metaEntries.get(str2);
        if (bArr2 == null || (bArr = this.metaEntries.get("META-INF/MANIFEST.MF")) == null) {
            return;
        }
        byte[] bArr3 = this.metaEntries.get(str);
        try {
            Certificate[] verifyBytes = verifyBytes(bArr3, bArr2);
            if (verifyBytes != null) {
                try {
                    this.certificates.put(str2, verifyBytes);
                } catch (GeneralSecurityException e) {
                    e = e;
                    throw failedVerification(this.jarName, str2, e);
                }
            }
            Attributes attributes = new Attributes();
            HashMap<String, Attributes> hashMap2 = new HashMap<>();
            try {
                new StrictJarManifestReader(bArr2, attributes).readEntries(hashMap2, null);
                if (this.signatureSchemeRollbackProtectionsEnforced && (value = attributes.getValue(SF_ATTRIBUTE_ANDROID_APK_SIGNED_NAME)) != null) {
                    boolean z = false;
                    boolean z2 = false;
                    StringTokenizer stringTokenizer = new StringTokenizer(value, SmsManager.REGEX_PREFIX_DELIMITER);
                    while (true) {
                        if (!stringTokenizer.hasMoreTokens()) {
                            break;
                        }
                        String trim = stringTokenizer.nextToken().trim();
                        if (!trim.isEmpty()) {
                            try {
                                int parseInt = Integer.parseInt(trim);
                                if (parseInt != 2) {
                                    if (parseInt == 3) {
                                        z2 = true;
                                        break;
                                    }
                                } else {
                                    z = true;
                                    break;
                                }
                            } catch (Exception e2) {
                            }
                        }
                    }
                    if (z) {
                        throw new SecurityException(str2 + " indicates " + this.jarName + " is signed using APK Signature Scheme v2, but no such signature was found. Signature stripped?");
                    }
                    if (z2) {
                        throw new SecurityException(str2 + " indicates " + this.jarName + " is signed using APK Signature Scheme v3, but no such signature was found. Signature stripped?");
                    }
                }
                if (attributes.get(Attributes.Name.SIGNATURE_VERSION) == null) {
                    return;
                }
                String value2 = attributes.getValue("Created-By");
                boolean z3 = value2 != null ? value2.indexOf("signtool") != -1 : false;
                int i = this.mainAttributesEnd;
                if (i <= 0 || z3) {
                    hashMap = hashMap2;
                } else {
                    hashMap = hashMap2;
                    if (!verify(attributes, "-Digest-Manifest-Main-Attributes", bArr, 0, i, false, true)) {
                        throw failedVerification(this.jarName, str2);
                    }
                }
                if (!verify(attributes, z3 ? "-Digest" : "-Digest-Manifest", bArr, 0, bArr.length, false, false)) {
                    for (Map.Entry<String, Attributes> entry : hashMap.entrySet()) {
                        StrictJarManifest.Chunk chunk = this.manifest.getChunk(entry.getKey());
                        if (chunk == null) {
                            return;
                        }
                        Attributes attributes2 = attributes;
                        byte[] bArr4 = bArr3;
                        byte[] bArr5 = bArr;
                        if (!verify(entry.getValue(), "-Digest", bArr, chunk.start, chunk.end, z3, false)) {
                            throw invalidDigest(str2, entry.getKey(), this.jarName);
                        }
                        attributes = attributes2;
                        bArr3 = bArr4;
                        bArr = bArr5;
                    }
                }
                this.metaEntries.put(str2, null);
                this.signatures.put(str2, hashMap);
            } catch (IOException e3) {
            }
        } catch (GeneralSecurityException e4) {
            e = e4;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean verifyMessageDigest(byte[] bArr, byte[] bArr2) {
        try {
            return MessageDigest.isEqual(bArr, Base64.getDecoder().decode(bArr2));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    void addMetaEntry(String str, byte[] bArr) {
        this.metaEntries.put(str.toUpperCase(Locale.US), bArr);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Certificate[][] getCertificateChains(String str) {
        return this.verifiedEntries.get(str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public VerifierEntry initEntry(String str) {
        Attributes attributes;
        if (this.manifest == null || this.signatures.isEmpty() || (attributes = this.manifest.getAttributes(str)) == null) {
            return null;
        }
        ArrayList arrayList = new ArrayList();
        for (Map.Entry<String, HashMap<String, Attributes>> entry : this.signatures.entrySet()) {
            if (entry.getValue().get(str) != null) {
                Certificate[] certificateArr = this.certificates.get(entry.getKey());
                if (certificateArr != null) {
                    arrayList.add(certificateArr);
                }
            }
        }
        if (arrayList.isEmpty()) {
            return null;
        }
        Certificate[][] certificateArr2 = (Certificate[][]) arrayList.toArray(new Certificate[arrayList.size()]);
        int i = 0;
        while (true) {
            String[] strArr = DIGEST_ALGORITHMS;
            if (i >= strArr.length) {
                return null;
            }
            String str2 = strArr[i];
            String value = attributes.getValue(str2 + "-Digest");
            if (value != null) {
                try {
                    try {
                        return new VerifierEntry(str, MessageDigest.getInstance(str2), value.getBytes(StandardCharsets.ISO_8859_1), certificateArr2, this.verifiedEntries);
                    } catch (NoSuchAlgorithmException e) {
                    }
                } catch (NoSuchAlgorithmException e2) {
                }
            }
            i++;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isSignedJar() {
        return this.certificates.size() > 0;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public synchronized boolean readCertificates() {
        if (this.metaEntries.isEmpty()) {
            return false;
        }
        Iterator<String> it = this.metaEntries.keySet().iterator();
        while (it.hasNext()) {
            String next = it.next();
            if (next.endsWith(".DSA") || next.endsWith(".RSA") || next.endsWith(".EC")) {
                verifyCertificate(next);
                it.remove();
            }
        }
        return true;
    }

    void removeMetaEntries() {
        this.metaEntries.clear();
    }
}
