package com.bytedance.pangle.r;

import android.util.ArrayMap;
import android.util.Pair;
import androidx.annotation.RequiresApi;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import k.d.a.a.a;

@RequiresApi(api = 21)
/* loaded from: classes6.dex */
public class bh {

    /* renamed from: com.bytedance.pangle.r.bh$do, reason: invalid class name */
    /* loaded from: classes6.dex */
    public static class Cdo {
        public final byte[] bh;

        /* renamed from: do, reason: not valid java name */
        public final X509Certificate[][] f1519do;

        public Cdo(X509Certificate[][] x509CertificateArr, byte[] bArr) {
            this.f1519do = x509CertificateArr;
            this.bh = bArr;
        }
    }

    /* renamed from: do, reason: not valid java name */
    private static Cdo m3758do(RandomAccessFile randomAccessFile, yj yjVar, boolean z2) throws SecurityException, IOException {
        ArrayMap arrayMap = new ArrayMap();
        ArrayList arrayList = new ArrayList();
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            try {
                ByteBuffer m3775do = gu.m3775do(yjVar.f1534do);
                int i2 = 0;
                while (m3775do.hasRemaining()) {
                    i2++;
                    try {
                        arrayList.add(m3761do(gu.m3775do(m3775do), arrayMap, certificateFactory));
                    } catch (IOException | SecurityException | BufferUnderflowException e2) {
                        throw new SecurityException(a.A("Failed to parse/verify signer #", i2, " block"), e2);
                    }
                }
                if (i2 <= 0) {
                    throw new SecurityException("No signers found");
                }
                if (arrayMap.isEmpty()) {
                    throw new SecurityException("No content digests found");
                }
                if (z2) {
                    gu.m3781do(arrayMap, randomAccessFile, yjVar);
                }
                return new Cdo((X509Certificate[][]) arrayList.toArray(new X509Certificate[arrayList.size()]), arrayMap.containsKey(3) ? gu.m3783do((byte[]) arrayMap.get(3), randomAccessFile.length(), yjVar) : null);
            } catch (IOException e3) {
                throw new SecurityException("Failed to read list of signers", e3);
            }
        } catch (CertificateException e4) {
            throw new RuntimeException("Failed to obtain X.509 CertificateFactory", e4);
        }
    }

    /* renamed from: do, reason: not valid java name */
    private static void m3759do(ByteBuffer byteBuffer) throws SecurityException, IOException {
        while (byteBuffer.hasRemaining()) {
            ByteBuffer m3775do = gu.m3775do(byteBuffer);
            if (m3775do.remaining() < 4) {
                throw new IOException("Remaining buffer too short to contain additional attribute ID. Remaining: " + m3775do.remaining());
            }
            if (m3775do.getInt() == -1091571699) {
                if (m3775do.remaining() < 4) {
                    throw new IOException("V2 Signature Scheme Stripping Protection Attribute  value too small. Expected 4 bytes, but found " + m3775do.remaining());
                }
                if (m3775do.getInt() == 3) {
                    throw new SecurityException("V2 signature indicates APK is signed using APK Signature Scheme v3, but none was found. Signature stripped?");
                }
            }
        }
    }

    /* renamed from: do, reason: not valid java name */
    private static boolean m3760do(int i2) {
        if (i2 == 513 || i2 == 514 || i2 == 769 || i2 == 1057 || i2 == 1059 || i2 == 1061) {
            return true;
        }
        switch (i2) {
            case 257:
            case 258:
            case 259:
            case 260:
                return true;
            default:
                return false;
        }
    }

    /* renamed from: do, reason: not valid java name */
    private static X509Certificate[] m3761do(ByteBuffer byteBuffer, Map<Integer, byte[]> map, CertificateFactory certificateFactory) throws SecurityException, IOException {
        ByteBuffer m3775do = gu.m3775do(byteBuffer);
        ByteBuffer m3775do2 = gu.m3775do(byteBuffer);
        byte[] bh = gu.bh(byteBuffer);
        ArrayList arrayList = new ArrayList();
        byte[] bArr = null;
        byte[] bArr2 = null;
        int i2 = -1;
        int i3 = 0;
        while (m3775do2.hasRemaining()) {
            i3++;
            try {
                ByteBuffer m3775do3 = gu.m3775do(m3775do2);
                if (m3775do3.remaining() < 8) {
                    throw new SecurityException("Signature record too short");
                }
                int i4 = m3775do3.getInt();
                arrayList.add(Integer.valueOf(i4));
                if (m3760do(i4) && (i2 == -1 || gu.m3770do(i4, i2) > 0)) {
                    bArr2 = gu.bh(m3775do3);
                    i2 = i4;
                }
            } catch (IOException | BufferUnderflowException e2) {
                throw new SecurityException("Failed to parse signature record #".concat(String.valueOf(i3)), e2);
            }
        }
        if (i2 == -1) {
            if (i3 == 0) {
                throw new SecurityException("No signatures found");
            }
            throw new SecurityException("No supported signatures found");
        }
        String p2 = gu.p(i2);
        Pair<String, ? extends AlgorithmParameterSpec> o2 = gu.o(i2);
        String str = (String) o2.first;
        AlgorithmParameterSpec algorithmParameterSpec = (AlgorithmParameterSpec) o2.second;
        try {
            PublicKey generatePublic = KeyFactory.getInstance(p2).generatePublic(new X509EncodedKeySpec(bh));
            Signature signature = Signature.getInstance(str);
            signature.initVerify(generatePublic);
            if (algorithmParameterSpec != null) {
                signature.setParameter(algorithmParameterSpec);
            }
            signature.update(m3775do);
            if (!signature.verify(bArr2)) {
                throw new SecurityException(a.M(str, " signature did not verify"));
            }
            m3775do.clear();
            ByteBuffer m3775do4 = gu.m3775do(m3775do);
            ArrayList arrayList2 = new ArrayList();
            int i5 = 0;
            while (m3775do4.hasRemaining()) {
                i5++;
                try {
                    ByteBuffer m3775do5 = gu.m3775do(m3775do4);
                    if (m3775do5.remaining() < 8) {
                        throw new IOException("Record too short");
                    }
                    int i6 = m3775do5.getInt();
                    arrayList2.add(Integer.valueOf(i6));
                    if (i6 == i2) {
                        bArr = gu.bh(m3775do5);
                    }
                } catch (IOException | BufferUnderflowException e3) {
                    throw new IOException("Failed to parse digest record #".concat(String.valueOf(i5)), e3);
                }
            }
            if (!arrayList.equals(arrayList2)) {
                throw new SecurityException("Signature algorithms don't match between digests and signatures records");
            }
            int m3769do = gu.m3769do(i2);
            byte[] put = map.put(Integer.valueOf(m3769do), bArr);
            if (put != null && !MessageDigest.isEqual(put, bArr)) {
                throw new SecurityException(gu.bh(m3769do) + " contents digest does not match the digest specified by a preceding signer");
            }
            ByteBuffer m3775do6 = gu.m3775do(m3775do);
            ArrayList arrayList3 = new ArrayList();
            int i7 = 0;
            while (m3775do6.hasRemaining()) {
                i7++;
                byte[] bh2 = gu.bh(m3775do6);
                try {
                    arrayList3.add(new j((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(bh2)), bh2));
                } catch (CertificateException e4) {
                    throw new SecurityException("Failed to decode certificate #".concat(String.valueOf(i7)), e4);
                }
            }
            if (arrayList3.isEmpty()) {
                throw new SecurityException("No certificates listed");
            }
            if (!Arrays.equals(bh, ((X509Certificate) arrayList3.get(0)).getPublicKey().getEncoded())) {
                throw new SecurityException("Public key mismatch between certificate and signature record");
            }
            m3759do(gu.m3775do(m3775do));
            return (X509Certificate[]) arrayList3.toArray(new X509Certificate[arrayList3.size()]);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | SignatureException | InvalidKeySpecException e5) {
            throw new SecurityException(a.O("Failed to verify ", str, " signature"), e5);
        }
    }

    /* renamed from: do, reason: not valid java name */
    public static X509Certificate[][] m3762do(RandomAccessFile randomAccessFile, String str) throws f, SecurityException, IOException {
        yj yjVar = gu.f1523do.get(str).get(1896449818);
        if (yjVar != null) {
            return m3758do(randomAccessFile, yjVar, true).f1519do;
        }
        throw new f("findVerifiedSigner, No APK Signature Scheme v2 signature in package");
    }
}
