package com.bytedance.mira.signature;

import android.util.ArrayMap;
import android.util.Pair;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;

/* loaded from: classes9.dex */
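/**
 * Parses and verifies the APK Signature Scheme v3 signer block of an APK file.
 *
 * <p>This is decompiled code with obfuscated identifiers; the low-level parsing helpers live in
 * the sibling class {@code e}, which is not shown here.
 *
 * <p>What a successful return establishes: the single signer block parsed cleanly, its signature
 * over the signed data verified under the public key embedded in the block, that key matches the
 * first listed certificate, and (when integrity checking is enabled) the collected content
 * digests were handed to {@code e.v} together with the file. What it does NOT establish is trust
 * in the signer: no certificate is compared against a trust anchor or an expected identity in
 * this class, so callers must compare the returned certificates with the identity they expect.
 *
 * <p>NOTE(review): the signer's minSdkVersion/maxSdkVersion are only checked for consistency
 * between the signed and unsigned copies; nothing visible here compares them with the running
 * platform version, and nothing in this class throws {@link PlatformNotSupportedException}
 * directly. Confirm whether that filtering is intended to happen elsewhere.
 */
public class ApkSignatureSchemeV3Verifier {

    /** Block ID passed to {@code e.g} when locating this scheme's block (decimal -262969152). */
    private static final int V3_SIGNATURE_BLOCK_ID = 0xf05368c0;

    /** Additional-attribute ID that introduces a Proof-of-rotation record (decimal 1000370060). */
    private static final int PROOF_OF_ROTATION_ATTR_ID = 0x3ba06f8c;

    /**
     * Marks a signer block that should be skipped rather than rejected; the signer loop in
     * {@code c} catches it and moves on to the next signer.
     */
    private static class PlatformNotSupportedException extends Exception {
        PlatformNotSupportedException(String str) {
            super(str);
        }
    }

    /** Result of parsing a Proof-of-rotation record: one certificate and one int per level. */
    public static class a {

        /** Certificates in the order they appear in the record; the last one is the terminal. */
        public final List<X509Certificate> f39248a;

        /**
         * The int read from each level right after its signed data, index-aligned with
         * {@link #f39248a} (presumably the per-level flags field; confirm against the format).
         */
        public final List<Integer> f39249b;

        public a(List<X509Certificate> list, List<Integer> list2) {
            this.f39248a = list;
            this.f39249b = list2;
        }
    }

    /** Result of verifying a v3 signer block. */
    public static class b {

        /** Certificates listed in the signer's signed data; index 0 holds the signing key. */
        public final X509Certificate[] f39250a;

        /** Parsed Proof-of-rotation record, or {@code null} when the signer carries none. */
        public final a f39251b;

        /**
         * Set only when a digest of type 3 was collected: the value {@code e.r} derives from that
         * digest, the file length and the block info (presumably a verity digest; confirm).
         */
        public byte[] f39252c;

        public b(X509Certificate[] x509CertificateArr, a aVar) {
            this.f39250a = x509CertificateArr;
            this.f39251b = aVar;
        }
    }

    /**
     * Locates the v3 signature block in the file.
     *
     * @throws SignatureNotFoundException propagated from {@code e.g}
     */
    private static l a(RandomAccessFile randomAccessFile) throws IOException, SignatureNotFoundException {
        return e.g(randomAccessFile, V3_SIGNATURE_BLOCK_ID);
    }

    /**
     * Returns whether a signature algorithm ID is on this verifier's allow-list.
     *
     * <p>Signatures with any other ID are recorded but never selected for verification. The
     * mapping from ID to JCA algorithm lives in {@code e.p}/{@code e.q}, outside this file.
     */
    private static boolean b(int i14) {
        switch (i14) {
            case 0x0101: // 257
            case 0x0102: // 258
            case 0x0103: // 259
            case 0x0104: // 260
            case 0x0201: // 513
            case 0x0202: // 514
            case 0x0301: // 769
            case 0x0421: // 1057
            case 0x0423: // 1059
            case 0x0425: // 1061
                return true;
            default:
                return false;
        }
    }

    /**
     * Verifies every signer block found in {@code lVar} and returns the single accepted signer.
     *
     * <p>Exactly one signer must verify; zero or more than one is rejected. When {@code z14} is
     * false the collected content digests are NOT passed to {@code e.v}, so the result then
     * reflects only the signer block's internal consistency, not the file's contents.
     *
     * @param z14 whether to pass the collected digests to {@code e.v} for checking against the file
     * @throws SecurityException on any parse or verification failure, including I/O errors
     *     raised inside this method, which are wrapped
     */
    private static b c(RandomAccessFile randomAccessFile, l lVar, boolean z14) throws SecurityException, IOException {
        ArrayMap<Integer, byte[]> contentDigests = new ArrayMap<>();
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            ByteBuffer signers = e.n(lVar.f39277a);
            // Counts signers that verified; skipped and failed signers do not advance it.
            int verifiedSigners = 0;
            b result = null;
            while (signers.hasRemaining()) {
                try {
                    result = i(e.n(signers), contentDigests, certificateFactory);
                    verifiedSigners++;
                } catch (PlatformNotSupportedException ignored) {
                    // Deliberate: a signer flagged as not applicable is skipped, not fatal.
                } catch (IOException | SecurityException | BufferUnderflowException ex) {
                    // The decompiler emitted three identical handlers that assigned to an
                    // undeclared "e" (which is also the helper class name); merged here.
                    throw new SecurityException("Failed to parse/verify signer #" + verifiedSigners + " block", ex);
                }
            }
            if (verifiedSigners < 1 || result == null) {
                throw new SecurityException("No signers found");
            }
            if (verifiedSigners != 1) {
                throw new SecurityException("APK Signature Scheme V3 only supports one signer: multiple signers found.");
            }
            if (contentDigests.isEmpty()) {
                throw new SecurityException("No content digests found");
            }
            if (z14) {
                e.v(contentDigests, randomAccessFile, lVar);
            }
            if (contentDigests.containsKey(3)) {
                result.f39252c = e.r(contentDigests.get(3), randomAccessFile.length(), lVar);
            }
            return result;
        } catch (IOException ex) {
            // As in the decompiled original, this also wraps I/O errors from e.v, e.r and
            // length(), not only from reading the signer list.
            throw new SecurityException("Failed to read list of signers", ex);
        } catch (CertificateException ex) {
            throw new RuntimeException("Failed to obtain X.509 CertificateFactory", ex);
        }
    }

    /** Locates the v3 block in the file and verifies it; see {@code c} for {@code z14}. */
    private static b d(RandomAccessFile randomAccessFile, boolean z14) throws SignatureNotFoundException, SecurityException, IOException {
        return c(randomAccessFile, a(randomAccessFile), z14);
    }

    /**
     * Verifies the v3 signature of the APK at the given path, with integrity checking enabled.
     *
     * <p>The returned certificates are not checked against any expected signer here; the caller
     * is responsible for that comparison.
     *
     * @param str path of the APK file
     * @return the verified signer's certificates and optional Proof-of-rotation record
     * @throws SignatureNotFoundException if no v3 signature block is found
     * @throws SecurityException if the block is malformed or fails verification
     * @throws IOException if the file cannot be opened or read
     */
    public static b e(String str) throws SignatureNotFoundException, SecurityException, IOException {
        return f(str, true);
    }

    /**
     * Opens the file read-only, verifies it and always closes the file afterwards.
     *
     * <p>The decompiler had expanded the resource handling into nested rethrow blocks; this is
     * the equivalent try-with-resources form.
     */
    private static b f(String str, boolean z14) throws SignatureNotFoundException, SecurityException, IOException {
        try (RandomAccessFile apkFile = new RandomAccessFile(str, "r")) {
            return d(apkFile, z14);
        }
    }

    /**
     * Walks the signer's additional attributes and builds the result for that signer.
     *
     * <p>At most one Proof-of-rotation attribute is accepted. When its certificate list is
     * non-empty, its last certificate must be byte-identical to the signing certificate
     * ({@code list} element 0); an empty list is accepted without that comparison. Attributes
     * with any other ID are skipped.
     *
     * @param list certificates from the signed data; callers pass a non-empty list
     */
    private static b g(ByteBuffer byteBuffer, List<X509Certificate> list, CertificateFactory certificateFactory) throws IOException {
        X509Certificate[] signingCerts = list.toArray(new X509Certificate[list.size()]);
        a rotationRecord = null;
        while (byteBuffer.hasRemaining()) {
            ByteBuffer attribute = e.n(byteBuffer);
            if (attribute.remaining() < 4) {
                throw new IOException("Remaining buffer too short to contain additional attribute ID. Remaining: " + attribute.remaining());
            }
            if (attribute.getInt() != PROOF_OF_ROTATION_ATTR_ID) {
                continue;
            }
            if (rotationRecord != null) {
                throw new SecurityException("Encountered multiple Proof-of-rotation records when verifying APK Signature Scheme v3 signature");
            }
            rotationRecord = h(attribute, certificateFactory);
            // The decompiled source referenced an undeclared temporary ("r1") here; it stood
            // for this certificate list.
            List<X509Certificate> lineage = rotationRecord.f39248a;
            if (lineage.isEmpty()) {
                continue;
            }
            try {
                byte[] terminal = lineage.get(lineage.size() - 1).getEncoded();
                if (!Arrays.equals(terminal, signingCerts[0].getEncoded())) {
                    throw new SecurityException("Terminal certificate in Proof-of-rotation record does not match APK signing certificate");
                }
            } catch (CertificateEncodingException ex) {
                throw new SecurityException("Failed to encode certificate when comparing Proof-of-rotation record and signing certificate", ex);
            }
        }
        return new b(signingCerts, rotationRecord);
    }

    /**
     * Parses a Proof-of-rotation record and verifies the chain of signatures between its levels.
     *
     * <p>Each level holds length-prefixed signed data (a certificate followed by an algorithm
     * ID), two ints and a length-prefixed signature. From the second level on, the level's
     * signed data must verify under the previous level's certificate, using the algorithm ID
     * that trailed the previous level, and the algorithm ID inside the signed data must equal
     * that same ID. The first level has no predecessor, so no signature is checked for it here.
     * Duplicate certificates are rejected.
     *
     * @throws IOException if the record cannot be parsed
     * @throws SecurityException if a signature, algorithm ID or certificate check fails
     */
    private static a h(ByteBuffer byteBuffer, CertificateFactory certificateFactory) throws SecurityException, IOException {
        List<X509Certificate> certificates = new ArrayList<>();
        List<Integer> perLevelInts = new ArrayList<>();
        // Declared outside the try so the handlers below can report the failing level.
        int level = 0;
        try {
            // The record's leading int is read and discarded (presumably a version field).
            byteBuffer.getInt();
            HashSet<X509Certificate> seen = new HashSet<>();
            int previousAlgorithmId = -1;
            VerbatimX509Certificate previousCert = null;
            while (byteBuffer.hasRemaining()) {
                level++;
                ByteBuffer levelData = e.n(byteBuffer);
                ByteBuffer signedData = e.n(levelData);
                int levelInt = levelData.getInt();
                int nextAlgorithmId = levelData.getInt();
                byte[] signatureBytes = e.s(levelData);
                if (previousCert != null) {
                    Pair<String, ? extends AlgorithmParameterSpec> jcaParams = e.q(previousAlgorithmId);
                    Signature verifier = Signature.getInstance(jcaParams.first);
                    verifier.initVerify(previousCert.getPublicKey());
                    AlgorithmParameterSpec spec = jcaParams.second;
                    if (spec != null) {
                        verifier.setParameter(spec);
                    }
                    verifier.update(signedData);
                    if (!verifier.verify(signatureBytes)) {
                        throw new SecurityException("Unable to verify signature of certificate #" + level + " using " + jcaParams.first + " when verifying Proof-of-rotation record");
                    }
                }
                // update() consumed the buffer; go back to the start to parse what was signed.
                signedData.rewind();
                byte[] encodedCert = e.s(signedData);
                int signedAlgorithmId = signedData.getInt();
                if (previousCert != null && previousAlgorithmId != signedAlgorithmId) {
                    throw new SecurityException("Signing algorithm ID mismatch for certificate #" + level + " when verifying Proof-of-rotation record");
                }
                previousCert = new VerbatimX509Certificate((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(encodedCert)), encodedCert);
                if (seen.contains(previousCert)) {
                    throw new SecurityException("Encountered duplicate entries in Proof-of-rotation record at certificate #" + level + ".  All signing certificates should be unique");
                }
                seen.add(previousCert);
                certificates.add(previousCert);
                perLevelInts.add(levelInt);
                previousAlgorithmId = nextAlgorithmId;
            }
            return new a(certificates, perLevelInts);
        } catch (IOException | BufferUnderflowException ex) {
            throw new IOException("Failed to parse Proof-of-rotation record", ex);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | SignatureException ex) {
            // Fix: the decompiled messages always said "#0"; report the level being processed.
            throw new SecurityException("Failed to verify signature over signed data for certificate #" + level + " when verifying Proof-of-rotation record", ex);
        } catch (CertificateException ex) {
            throw new SecurityException("Failed to decode certificate #" + level + " when verifying Proof-of-rotation record", ex);
        }
    }

    /**
     * Verifies one signer block and records its content digest in {@code map}.
     *
     * <p>Order of checks: pick the preferred allow-listed signature (ranking by {@code e.c});
     * verify it over the signed data with the block's public key; require the algorithm IDs
     * listed in the signed digests to equal those listed in the unsigned signature records, so
     * a signature record cannot be dropped or added without detection; require the digest to
     * agree with any digest of the same type already in {@code map}; require the public key to
     * equal that of the first certificate; require the signed min/max SDK values to equal the
     * unsigned copies. Additional attributes are then handled by {@code g}.
     *
     * <p>NOTE(review): the min/max SDK values are not compared with the platform version in
     * this method.
     *
     * @param map content digests collected so far, keyed by the digest type from {@code e.o}
     * @throws SecurityException if any check fails
     * @throws IOException if the signed data cannot be parsed
     */
    private static b i(ByteBuffer byteBuffer, Map<Integer, byte[]> map, CertificateFactory certificateFactory) throws SecurityException, IOException, PlatformNotSupportedException {
        ByteBuffer signedData = e.n(byteBuffer);
        int unsignedMinSdk = byteBuffer.getInt();
        int unsignedMaxSdk = byteBuffer.getInt();
        ByteBuffer signatureRecords = e.n(byteBuffer);
        byte[] publicKeyBytes = e.s(byteBuffer);

        List<Integer> signatureAlgorithmIds = new ArrayList<>();
        byte[] chosenSignature = null;
        int chosenAlgorithmId = -1;
        int signatureCount = 0;
        while (signatureRecords.hasRemaining()) {
            signatureCount++;
            try {
                ByteBuffer signatureRecord = e.n(signatureRecords);
                if (signatureRecord.remaining() < 8) {
                    throw new SecurityException("Signature record too short");
                }
                int algorithmId = signatureRecord.getInt();
                // Every ID is recorded, supported or not, for the comparison with the digests.
                signatureAlgorithmIds.add(algorithmId);
                boolean preferred = chosenAlgorithmId == -1 || e.c(algorithmId, chosenAlgorithmId) > 0;
                if (b(algorithmId) && preferred) {
                    chosenSignature = e.s(signatureRecord);
                    chosenAlgorithmId = algorithmId;
                }
            } catch (IOException | BufferUnderflowException ex) {
                throw new SecurityException("Failed to parse signature record #" + signatureCount, ex);
            }
        }
        if (chosenAlgorithmId == -1) {
            if (signatureCount == 0) {
                throw new SecurityException("No signatures found");
            }
            throw new SecurityException("No supported signatures found");
        }

        String keyAlgorithm = e.p(chosenAlgorithmId);
        Pair<String, ? extends AlgorithmParameterSpec> jcaParams = e.q(chosenAlgorithmId);
        String str = jcaParams.first;
        AlgorithmParameterSpec spec = jcaParams.second;
        try {
            PublicKey publicKey = KeyFactory.getInstance(keyAlgorithm).generatePublic(new X509EncodedKeySpec(publicKeyBytes));
            Signature verifier = Signature.getInstance(str);
            verifier.initVerify(publicKey);
            if (spec != null) {
                verifier.setParameter(spec);
            }
            verifier.update(signedData);
            if (!verifier.verify(chosenSignature)) {
                throw new SecurityException(str + " signature did not verify");
            }

            // Nothing inside signedData is parsed until the signature over it has verified.
            signedData.clear();
            ByteBuffer digestRecords = e.n(signedData);
            List<Integer> digestAlgorithmIds = new ArrayList<>();
            byte[] contentDigest = null;
            int digestCount = 0;
            while (digestRecords.hasRemaining()) {
                digestCount++;
                try {
                    ByteBuffer digestRecord = e.n(digestRecords);
                    if (digestRecord.remaining() < 8) {
                        throw new IOException("Record too short");
                    }
                    int algorithmId = digestRecord.getInt();
                    digestAlgorithmIds.add(algorithmId);
                    if (algorithmId == chosenAlgorithmId) {
                        contentDigest = e.s(digestRecord);
                    }
                } catch (IOException | BufferUnderflowException ex) {
                    throw new IOException("Failed to parse digest record #" + digestCount, ex);
                }
            }
            if (!signatureAlgorithmIds.equals(digestAlgorithmIds)) {
                throw new SecurityException("Signature algorithms don't match between digests and signatures records");
            }

            int digestType = e.o(chosenAlgorithmId);
            byte[] earlierDigest = map.put(digestType, contentDigest);
            if (earlierDigest != null && !MessageDigest.isEqual(earlierDigest, contentDigest)) {
                throw new SecurityException(e.k(digestType) + " contents digest does not match the digest specified by a preceding signer");
            }

            ByteBuffer certificateRecords = e.n(signedData);
            List<X509Certificate> certificates = new ArrayList<>();
            int certificateCount = 0;
            while (certificateRecords.hasRemaining()) {
                certificateCount++;
                byte[] encodedCert = e.s(certificateRecords);
                try {
                    certificates.add(new VerbatimX509Certificate((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(encodedCert)), encodedCert));
                } catch (CertificateException ex) {
                    throw new SecurityException("Failed to decode certificate #" + certificateCount, ex);
                }
            }
            if (certificates.isEmpty()) {
                throw new SecurityException("No certificates listed");
            }
            // Binds the key that verified the signature to the first listed certificate.
            if (!Arrays.equals(publicKeyBytes, certificates.get(0).getPublicKey().getEncoded())) {
                throw new SecurityException("Public key mismatch between certificate and signature record");
            }
            if (signedData.getInt() != unsignedMinSdk) {
                throw new SecurityException("minSdkVersion mismatch between signed and unsigned in v3 signer block.");
            }
            if (signedData.getInt() != unsignedMaxSdk) {
                throw new SecurityException("maxSdkVersion mismatch between signed and unsigned in v3 signer block.");
            }
            return g(e.n(signedData), certificates, certificateFactory);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | SignatureException | InvalidKeySpecException ex) {
            throw new SecurityException("Failed to verify " + str + " signature", ex);
        }
    }
}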
