package com.huawei.signclient.hap.verify;

import com.huawei.signclient.hap.entity.SigningBlock;
import com.huawei.signclient.hap.ext.PKCS7Ext;
import com.huawei.signclient.hap.sign.ContentDigestAlgorithm;
import com.huawei.signclient.hap.sign.SignatureAlgorithm;
import com.huawei.signclient.hap.utils.DigestUtils;
import com.huawei.signclient.hap.utils.HapUtils;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.DigestException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAKey;
import java.security.interfaces.DSAParams;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import sun.security.pkcs.PKCS7;
import sun.security.pkcs.ParsingException;
import sun.security.pkcs.SignerInfo;

/* loaded from: input_file:com/huawei/signclient/hap/verify/HapVerifyV2.class */
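/**
 * Verifies the PKCS7 signature block of a HAP package and checks the content digests it carries
 * against digests recomputed over the package sections.
 *
 * <p>On success the signer certificate chain is written out as PEM and the optional provision and
 * proof blocks are written to caller-supplied paths.
 *
 * <p>NOTE(review): nothing in this class builds or validates a certification path to a trust
 * anchor, and certificate validity dates are only logged. The CRLs that are consulted come from
 * the signature block itself. Confirm that the caller, or {@code PKCS7Ext}, establishes trust in
 * the signer before the result of {@link #verify} is relied on.
 *
 * <p>Instances keep mutable state (the parsed digest map) and are not designed for concurrent use.
 */
public class HapVerifyV2 {
    private static final Logger LOGGER = LogManager.getLogger(HapVerifyV2.class);

    /** Optional-block type whose payload is written to the proof output file. */
    private static final int PROOF_BLOCK_TYPE = 0x20000001;

    /** Optional-block type whose payload is written to the provision output file. */
    private static final int PROVISION_BLOCK_TYPE = 0x20000002;

    /** Five little-endian ints: version, block count, digest block length, algorithm id, digest length. */
    private static final int DIGEST_HEADER_BYTES = 5 * Integer.BYTES;

    private final ByteBuffer beforeApkSigningBlock;
    private final ByteBuffer signatureSchemeBlock;
    private final ByteBuffer centralDirectoryBlock;
    private final ByteBuffer eocd;
    private final List<SigningBlock> optionalBlocks;

    /** Digests declared inside the signed content, keyed by content digest algorithm. */
    private final Map<ContentDigestAlgorithm, byte[]> digestMap = new HashMap<>();

    /**
     * Creates a verifier over the already-split sections of a package.
     *
     * @param beforeApkSigningBlock package bytes that precede the signing block
     * @param signatureSchemeBlock the PKCS7 signature block
     * @param centralDirectoryBlock the central directory section
     * @param eocd the end-of-central-directory section
     * @param optionalBlocks optional signing blocks (proof, provision, ...)
     */
    public HapVerifyV2(ByteBuffer beforeApkSigningBlock, ByteBuffer signatureSchemeBlock, ByteBuffer centralDirectoryBlock, ByteBuffer eocd, List<SigningBlock> optionalBlocks) {
        this.beforeApkSigningBlock = beforeApkSigningBlock;
        this.signatureSchemeBlock = signatureSchemeBlock;
        this.centralDirectoryBlock = centralDirectoryBlock;
        this.eocd = eocd;
        this.optionalBlocks = optionalBlocks;
    }

    /**
     * Verifies the signature block and, only if that succeeds, writes the provision and proof files.
     *
     * @param certPath output path for the PEM certificate chain
     * @param provisionPath output path for the provision block
     * @param proofPath output path for the proof block
     * @return {@code true} when signature, CRL and digest checks pass and a provision block was written
     * @throws SignatureException if the PKCS7 data is malformed or its signature does not verify
     * @throws CertificateEncodingException if a certificate cannot be encoded for logging
     * @throws NoSuchAlgorithmException if a required algorithm is unavailable
     * @throws DigestException if recomputing the content digests fails
     */
    public boolean verify(String certPath, String provisionPath, String proofPath) throws CertificateEncodingException, NoSuchAlgorithmException, SignatureException, DigestException {
        return parserSigner(this.signatureSchemeBlock, certPath) && outputProofsAndProvision(provisionPath, proofPath);
    }

    /** Parses the remaining bytes of {@code block} as PKCS7, consuming the buffer. */
    private PKCS7 getPKCS7(ByteBuffer block) throws SignatureException {
        byte[] encoded = new byte[block.remaining()];
        block.get(encoded);
        try {
            return new PKCS7Ext(encoded);
        } catch (ParsingException e) {
            throw new SignatureException("create PKCS7 failed.", e);
        }
    }

    /** Returns the encapsulated content of {@code pkcs7}, mapping I/O failures to SignatureException. */
    private byte[] getContentBytesFromPKCS7(PKCS7 pkcs7) throws SignatureException {
        try {
            return pkcs7.getContentInfo().getContentBytes();
        } catch (IOException e) {
            throw new SignatureException("get Content Bytes from PKCS7 failed.", e);
        }
    }

    /**
     * Checks the certificates issued by the CRL's issuer against the CRL.
     *
     * @return {@code true} only if at least one certificate shares the CRL's issuer DN and none of
     *     those inspected is revoked; {@code false} on the first revoked certificate, and also when
     *     no certificate was issued by the CRL's issuer
     */
    private boolean checkCRL(X509CRL crl, X509Certificate[] certificates) {
        String crlIssuer = crl.getIssuerDN().getName();
        boolean covered = false;
        for (X509Certificate certificate : certificates) {
            if (!crlIssuer.equals(certificate.getIssuerDN().getName())) {
                continue;
            }
            if (crl.getRevokedCertificate(certificate) != null) {
                LOGGER.info("cert(subject DN = {}) is revoked by crl (IssuerDN = {})", certificate.getSubjectDN().getName(), crl.getIssuerDN().getName());
                return false;
            }
            covered = true;
        }
        return covered;
    }

    /**
     * Verifies the CRL's signature with {@code issuer}'s public key, then applies the CRL.
     *
     * <p>NOTE(review): the CRL's thisUpdate/nextUpdate window is not checked here.
     */
    private boolean verifyCRL(X509CRL crl, X509Certificate issuer, X509Certificate[] certificates) throws SignatureException {
        try {
            crl.verify(issuer.getPublicKey());
            return checkCRL(crl, certificates);
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CRLException e) {
            throw new SignatureException("crl verify failed.", e);
        }
    }

    /**
     * Applies every CRL to the chain, pairing each CRL with the certificate whose subject DN equals
     * the CRL's issuer DN.
     *
     * <p>A {@code null} CRL array is treated as "nothing revoked". The CRLs are taken from the same
     * PKCS7 structure that is being verified, so a signature block that carries no CRL skips
     * revocation checking entirely.
     *
     * @return {@code false} if any paired CRL check fails
     */
    private boolean verifyCRLs(X509CRL[] crls, X509Certificate[] certificates) throws SignatureException {
        if (crls == null) {
            return true;
        }
        boolean allPassed = true;
        for (X509CRL crl : crls) {
            for (X509Certificate candidateIssuer : certificates) {
                boolean issuedCrl = crl.getIssuerDN().getName().equals(candidateIssuer.getSubjectDN().getName());
                if (issuedCrl && !verifyCRL(crl, candidateIssuer, certificates)) {
                    // Keep going so every failing CRL is logged by the callee.
                    allPassed = false;
                }
            }
        }
        return allPassed;
    }

    /**
     * Verifies the PKCS7 signature, logs the embedded certificates, applies embedded CRLs, checks the
     * content digests and finally writes the certificate chain to {@code certPath}.
     *
     * <p>NOTE(review): presumably {@code pkcs7.verify()} validates the signer signatures against the
     * certificates embedded in the same block; that alone does not show the signer is trusted.
     * Confirm where trust-anchor validation happens.
     */
    private boolean parserSigner(ByteBuffer block, String certPath) throws NoSuchAlgorithmException, SignatureException, DigestException, CertificateEncodingException {
        PKCS7 pkcs7 = getPKCS7(block);
        SignerInfo[] signerInfos = pkcs7.getSignerInfos();
        if (signerInfos == null || signerInfos.length == 0) {
            // Fail with the declared exception type instead of a NullPointerException below.
            throw new SignatureException("no signer info in PKCS7.");
        }
        // Entries are replaced in the array returned by getSignerInfos() before verify() runs.
        for (int i = 0; i < signerInfos.length; i++) {
            signerInfos[i] = HapUtils.tanslateSignerInfo(signerInfos[i]);
        }
        if (pkcs7.verify() == null) {
            throw new SignatureException("PKCS7 cms data verify faild!");
        }
        LOGGER.info("hap PKCS cms data verify success!");

        X509CRL[] crls = pkcs7.getCRLs();
        byte[] contentBytes = getContentBytesFromPKCS7(pkcs7);
        X509Certificate[] certificates = pkcs7.getCertificates();
        if (certificates == null || certificates.length == 0) {
            throw new SignatureException("no certificate in PKCS7.");
        }
        for (int i = 0; i < certificates.length; i++) {
            LOGGER.info("+++++++++++++++++++++++++++certificate #{} +++++++++++++++++++++++++++++++", i);
            printCert(certificates[i]);
        }
        if (!verifyCRLs(crls, certificates)) {
            LOGGER.error("Certificate is revoked!");
            return false;
        }
        // The chain is written only after the digests have matched.
        return parserContentinfo(contentBytes) && writeCertificate(certPath, certificates);
    }

    /**
     * Writes proof blocks to {@code proofPath} and provision blocks to {@code provisionPath}.
     *
     * @return the result of the last provision-block write; {@code false} when no provision block
     *     exists. The outcome of proof writes is only logged.
     */
    private boolean outputProofsAndProvision(String provisionPath, String proofPath) {
        boolean provisionWritten = false;
        for (SigningBlock block : this.optionalBlocks) {
            if (block.getType() == PROOF_BLOCK_TYPE) {
                LOGGER.info("Write proof file ret = {}", writeOptionalBlock(proofPath, block));
            }
            if (block.getType() == PROVISION_BLOCK_TYPE) {
                provisionWritten = writeOptionalBlock(provisionPath, block);
                LOGGER.info("Write provision file ret = {}", provisionWritten);
            }
        }
        return provisionWritten;
    }

    /**
     * Writes the block's value to {@code path}, replacing any existing file.
     *
     * <p>The stream is closed on every path, including when the write fails. A {@code null} block
     * still creates (or truncates) the file and reports success.
     *
     * @return {@code false} if opening, writing or closing the file fails
     */
    private boolean writeOptionalBlock(String path, SigningBlock block) {
        try (FileOutputStream out = new FileOutputStream(path)) {
            if (block != null) {
                out.write(block.getValue());
            }
            return true;
        } catch (IOException e) {
            LOGGER.error("write optional block failed", e);
            return false;
        }
    }

    /**
     * Writes each certificate to {@code path} as its subject DN line followed by the PEM encoding.
     *
     * <p>The writer is closed on every path so a failed write does not leak the file handle.
     *
     * @return {@code false} if opening, writing or closing the file fails
     */
    private boolean writeCertificate(String path, X509Certificate[] certificates) {
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(new FileWriter(path))) {
            for (X509Certificate certificate : certificates) {
                pemWriter.write(certificate.getSubjectDN().toString() + System.lineSeparator());
                pemWriter.writeObject(certificate);
            }
            LOGGER.info("Write certificate chain success!");
            return true;
        } catch (IOException e) {
            LOGGER.error("Write certificate chain failed!", e);
            return false;
        }
    }

    /**
     * Parses the digest records in the signed content and compares each declared digest with the
     * digest recomputed over the package sections.
     *
     * <p>Each record is five little-endian ints (version, block count, digest block length,
     * signature algorithm id, digest data length) followed by the digest bytes.
     *
     * @return {@code true} only if every declared digest matches the recomputed one
     * @throws SignatureException if the content is missing, truncated, has inconsistent lengths,
     *     names an unsupported algorithm, or declares no digest at all
     * @throws DigestException if recomputing the digests fails
     */
    private boolean parserContentinfo(byte[] contentBytes) throws DigestException, SignatureException {
        if (contentBytes == null) {
            throw new SignatureException("no content in PKCS7.");
        }
        ByteBuffer content = ByteBuffer.wrap(contentBytes).order(ByteOrder.LITTLE_ENDIAN);
        while (content.remaining() > 4) {
            // The header is read unconditionally below, so reject a short tail up front rather
            // than letting an unchecked BufferUnderflowException escape.
            if (content.remaining() < DIGEST_HEADER_BYTES) {
                throw new SignatureException("truncated digest block header, remaining: " + content.remaining());
            }
            int version = content.getInt();
            int blockCount = content.getInt();
            LOGGER.info("version is: {}, number of block is: {}", version, blockCount);
            int digestBlockLen = content.getInt();
            int signatureAlgorithmId = content.getInt();
            int digestDataLen = content.getInt();
            if (digestBlockLen != digestDataLen + 8) {
                throw new SignatureException("digestBlockLen: " + digestBlockLen + ", digestDatalen: " + digestDataLen);
            }
            // Lengths come from the package; never slice with a negative or oversized value.
            if (digestDataLen < 0 || digestDataLen > content.remaining()) {
                throw new SignatureException("invalid digestDatalen: " + digestDataLen + ", remaining: " + content.remaining());
            }
            ByteBuffer digestSlice = HapUtils.sliceBuffer(content, digestDataLen);
            byte[] declaredDigest = new byte[digestSlice.remaining()];
            digestSlice.get(declaredDigest);
            SignatureAlgorithm algorithm = SignatureAlgorithm.findById(signatureAlgorithmId);
            if (algorithm == null) {
                throw new SignatureException("Unsupported SignatureAlgorithm ID : " + signatureAlgorithmId);
            }
            this.digestMap.put(algorithm.getContentDigestAlgorithm(), declaredDigest);
        }
        if (this.digestMap.isEmpty()) {
            // Fail closed: with no declared digest the comparison loop below would run zero times
            // and the package contents would be accepted without being bound to the signature.
            throw new SignatureException("no content digest found in PKCS7 content.");
        }

        Map<ContentDigestAlgorithm, byte[]> computedDigests = HapUtils.computeDigests(this.digestMap.keySet(), new ByteBuffer[]{this.beforeApkSigningBlock, this.centralDirectoryBlock, this.eocd}, this.optionalBlocks);
        boolean allMatch = true;
        for (Map.Entry<ContentDigestAlgorithm, byte[]> declared : this.digestMap.entrySet()) {
            ContentDigestAlgorithm digestAlgorithm = declared.getKey();
            byte[] expected = declared.getValue();
            byte[] actual = computedDigests.get(digestAlgorithm);
            if (!Arrays.equals(actual, expected)) {
                allMatch = false;
                LOGGER.error("degist data do not match! DigestAlgorithm: {}, actualDigest: <{}> VS exceptDigest : <{}>", digestAlgorithm.getDigestAlgorithm(), HapUtils.toHex(actual, ""), HapUtils.toHex(expected, ""));
            }
            // Logged value is cumulative: it stays false once any algorithm has mismatched.
            LOGGER.info("Digest verify result: {}, DigestAlgorithm: {}", allMatch, digestAlgorithm.getDigestAlgorithm());
        }
        return allMatch;
    }

    /** Logs identifying fields of {@code certificate}; informational only, nothing is validated. */
    private void printCert(X509Certificate certificate) throws CertificateEncodingException {
        byte[] encoded = certificate.getEncoded();
        LOGGER.info("Subject: {}", certificate.getSubjectX500Principal());
        LOGGER.info("Issuer: {}", certificate.getIssuerX500Principal());
        LOGGER.info("SerialNumber: {}", certificate.getSerialNumber().toString(16));
        LOGGER.info("Validity: {} ~ {}", formatDateTime(certificate.getNotBefore()), formatDateTime(certificate.getNotAfter()));
        LOGGER.info("SHA256: {}", HapUtils.toHex(DigestUtils.sha256Digest(encoded), ParameterizedMessage.ERROR_MSG_SEPARATOR));
        LOGGER.info("Signature Algorithm: {}", certificate.getSigAlgName());
        PublicKey publicKey = certificate.getPublicKey();
        LOGGER.info("Key: {}, key length: {} bits", publicKey.getAlgorithm(), getKeySize(publicKey));
        LOGGER.info("Cert Version: V{}", certificate.getVersion());
    }

    /**
     * Returns the key size in bits: RSA modulus length, EC group order length or DSA prime length.
     *
     * @return the size in bits, or {@code -1} for other key types and for DSA keys without parameters
     */
    private int getKeySize(PublicKey publicKey) {
        if (publicKey instanceof RSAKey) {
            return ((RSAKey) publicKey).getModulus().bitLength();
        }
        if (publicKey instanceof ECKey) {
            return ((ECKey) publicKey).getParams().getOrder().bitLength();
        }
        if (publicKey instanceof DSAKey) {
            DSAParams params = ((DSAKey) publicKey).getParams();
            if (params != null) {
                return params.getP().bitLength();
            }
        }
        return -1;
    }

    /** Formats {@code date} as {@code yyyy-MM-dd HH:mm:ss} in the default time zone; empty for null. */
    private String formatDateTime(Date date) {
        if (date == null) {
            return "";
        }
        // A fresh formatter per call: SimpleDateFormat is not safe to share between threads.
        return new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(date);
    }
}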
