package sun.security.util;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.jar.Attributes;
import java.util.jar.JarException;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import jdk.internal.util.xml.XMLStreamWriter;
import org.apache.commons.compress.archivers.ArchiveStreamFactory;
import sun.security.jca.Providers;
import sun.security.pkcs.PKCS7;
import sun.security.pkcs.SignerInfo;
import sun.security.util.ManifestDigester;

/* loaded from: input_file:BOOT-INF/lib/java.base-2020-09-25.jar:META-INF/modules/java.base/classes/sun/security/util/SignatureFileVerifier.class */
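/**
 * Verifies one signature of a signed JAR: a PKCS#7 signature block together with
 * the signature file (.SF) it covers, checked against the JAR manifest.
 *
 * <p>Verification proceeds in layers, all visible in {@link #processImpl}:
 * <ol>
 *   <li>the PKCS#7 block must verify over the .SF bytes;</li>
 *   <li>the .SF must carry a digest that matches either the whole manifest or,
 *       failing that, the manifest main attributes plus each individual section;</li>
 *   <li>every digest algorithm named in the .SF is screened by
 *       {@link #permittedCheck} before it is used.</li>
 * </ol>
 *
 * <p>Security-relevant behaviour worth knowing when reading results:
 * <ul>
 *   <li>A missing or unrecognised {@code Signature-Version} makes {@link #process}
 *       return quietly without registering any signer; the entries simply stay
 *       unsigned.</li>
 *   <li>A digest attribute whose algorithm is not available from any provider is
 *       skipped rather than treated as a failure (see {@link #getDigest}).</li>
 *   <li>Instances hold mutable state ({@code workaround}, {@code timestamp},
 *       {@code permittedAlgs}) with no synchronisation in this class.</li>
 * </ul>
 */
public class SignatureFileVerifier {
    // Cache of signer arrays supplied by the caller; updateSigners() reuses entries from it.
    private ArrayList<CodeSigner[]> signerCache;
    // Parsed PKCS#7 signature block.
    private PKCS7 block;
    // Raw bytes of the .SF file; taken from the PKCS#7 content or supplied via setSignatureFile().
    private byte[] sfBytes;
    // Upper-cased name of the block file with its extension removed.
    private String name;
    // Digester over the JAR manifest.
    private ManifestDigester md;
    // Lazily created MessageDigest instances, keyed by the algorithm name as written in the .SF.
    private HashMap<String, MessageDigest> createdDigests;
    private CertificateFactory certificateFactory;
    // NOTE(review): ArchiveStreamFactory.JAR looks like a constant substituted by the
    // decompiler for a string literal (presumably "jar") - confirm against the original.
    private static final Debug debug = Debug.getInstance(ArchiveStreamFactory.JAR);
    private static final String ATTR_DIGEST = "-DIGEST-" + ManifestDigester.MF_MAIN_ATTRS.toUpperCase(Locale.ENGLISH);
    private static final char[] hexc = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
    // Set once a section only verifies with ManifestDigester.Entry.digestWorkaround(); sticky afterwards.
    private boolean workaround = false;
    // Holds two kinds of key: algorithm name -> permitted?, and upper-cased attribute key -> FALSE
    // for attributes whose algorithm was rejected (read back by getWeakAlgorithms()).
    private Map<String, Boolean> permittedAlgs = new HashMap<>();
    // Timestamp chosen in processImpl() and handed to the algorithm constraint check.
    private Timestamp timestamp = null;

    /**
     * Holder that defers construction of the JAR disabled-algorithm constraints until
     * first use.
     *
     * <p>The decompiler reported "Access modifiers changed from: private" for this class.
     */
    public static class ConfigurationHolder {
        static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK = new DisabledAlgorithmConstraints(DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);

        private ConfigurationHolder() {
        }
    }

    /**
     * Parses the signature block and records the collaborators needed for verification.
     *
     * @param arrayList signer cache shared with the caller
     * @param manifestDigester digester over the JAR manifest
     * @param str name of the signature block file; must contain a {@code '.'}, otherwise
     *        {@code substring} throws {@link StringIndexOutOfBoundsException}
     * @param bArr raw bytes of the PKCS#7 signature block
     * @throws IOException if the PKCS#7 block cannot be parsed
     * @throws CertificateException if no X509 certificate factory is available
     */
    public SignatureFileVerifier(ArrayList<CodeSigner[]> arrayList, ManifestDigester manifestDigester, String str, byte[] bArr) throws IOException, CertificateException {
        this.certificateFactory = null;
        Object obj = null;
        try {
            obj = Providers.startJarVerification();
            this.block = new PKCS7(bArr);
            this.sfBytes = this.block.getContentInfo().getData();
            this.certificateFactory = CertificateFactory.getInstance("X509");
        } finally {
            // Exactly one stop per start, on both the normal and the failing path. The
            // previous shape called stop a second time when a later statement threw.
            Providers.stopJarVerification(obj);
        }
        this.name = str.substring(0, str.lastIndexOf('.')).toUpperCase(Locale.ENGLISH);
        this.md = manifestDigester;
        this.signerCache = arrayList;
    }

    /**
     * Reports whether the .SF bytes still have to be supplied.
     *
     * @return {@code true} when the PKCS#7 block carried no content and
     *         {@link #setSignatureFile} has not been called with a non-null array
     */
    public boolean needSignatureFileBytes() {
        return this.sfBytes == null;
    }

    /**
     * Reports whether {@code str} is the base name of the signature file this verifier covers.
     *
     * @param str candidate base name, compared case-insensitively
     * @return {@code true} on a match
     */
    public boolean needSignatureFile(String str) {
        return this.name.equalsIgnoreCase(str);
    }

    /**
     * Supplies the .SF bytes. {@link #process} reads them, so this must happen first
     * whenever {@link #needSignatureFileBytes} returns {@code true}.
     *
     * @param bArr raw bytes of the signature file
     */
    public void setSignatureFile(byte[] bArr) {
        this.sfBytes = bArr;
    }

    /**
     * Tests a file name for a signature file or signature block extension.
     *
     * <p>The comparison is case-sensitive: only upper-case {@code .SF}, {@code .DSA},
     * {@code .RSA} and {@code .EC} match. Callers holding a name of arbitrary case
     * have to upper-case it first, as {@link #isSigningRelated} does; a lower-case
     * name passed directly is reported as not signature-related.
     *
     * @param str file name, expected in upper case
     * @return {@code true} if the name ends with one of the four extensions
     */
    public static boolean isBlockOrSF(String str) {
        return str.endsWith(".SF") || str.endsWith(".DSA") || str.endsWith(".RSA") || str.endsWith(".EC");
    }

    /**
     * Decides whether a JAR entry name belongs to the signing machinery.
     *
     * <p>Accepted, case-insensitively, directly under {@code META-INF/} only:
     * {@code MANIFEST.MF}, anything {@link #isBlockOrSF} accepts, and {@code SIG-*}
     * names that either have no extension or an extension of one to three characters
     * drawn from {@code A-Z} and {@code 0-9}.
     *
     * @param str entry name
     * @return {@code true} if the entry is signature-related
     */
    public static boolean isSigningRelated(String str) {
        final String prefix = "META-INF/";
        String upper = str.toUpperCase(Locale.ENGLISH);
        if (!upper.startsWith(prefix)) {
            return false;
        }
        String leaf = upper.substring(prefix.length());
        // Anything in a sub-directory of META-INF is ordinary content.
        if (leaf.indexOf('/') != -1) {
            return false;
        }
        if (isBlockOrSF(leaf) || leaf.equals("MANIFEST.MF")) {
            return true;
        }
        if (!leaf.startsWith("SIG-")) {
            return false;
        }
        int dot = leaf.lastIndexOf('.');
        if (dot == -1) {
            return true;
        }
        String ext = leaf.substring(dot + 1);
        if (ext.length() > 3 || ext.length() < 1) {
            return false;
        }
        for (int i = 0; i < ext.length(); i++) {
            char c = ext.charAt(i);
            boolean upperLetter = c >= 'A' && c <= 'Z';
            boolean digit = c >= '0' && c <= '9';
            if (!upperLetter && !digit) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns a cached {@link MessageDigest} for the algorithm, creating it on first use.
     *
     * <p>An algorithm that no provider implements is deliberately not an error here:
     * the method returns {@code null} and every caller skips that digest attribute.
     * The attribute therefore contributes nothing to verification.
     *
     * @param str algorithm name as written in the signature file
     * @return the digest, or {@code null} if the algorithm is unavailable
     * @throws SignatureException declared for callers; not thrown by this body
     */
    private MessageDigest getDigest(String str) throws SignatureException {
        if (this.createdDigests == null) {
            this.createdDigests = new HashMap<>();
        }
        MessageDigest messageDigest = this.createdDigests.get(str);
        if (messageDigest == null) {
            try {
                messageDigest = MessageDigest.getInstance(str);
                this.createdDigests.put(str, messageDigest);
            } catch (NoSuchAlgorithmException ignored) {
                // Best effort by design: callers treat null as "skip this attribute".
                // Surface it in debug output so a skipped digest is not invisible.
                if (debug != null) {
                    debug.println("Digest algorithm not available, attribute skipped: " + str);
                }
            }
        }
        return messageDigest;
    }

    /**
     * Verifies the signature and records the signers of every entry it covers.
     *
     * @param hashtable entry name to signers; updated for each verified entry
     * @param list receives, as alternating key and value, each permitted
     *        {@code *-Digest-Manifest} attribute found in the signature file
     * @throws SecurityException if the block does not verify or a digest does not match
     * @throws SignatureException if only disabled digest algorithms were used
     */
    public void process(Hashtable<String, CodeSigner[]> hashtable, List<Object> list) throws IOException, SignatureException, NoSuchAlgorithmException, JarException, CertificateException {
        Object obj = null;
        try {
            obj = Providers.startJarVerification();
            processImpl(hashtable, list);
        } finally {
            // One stop per start, whether processImpl returned or threw.
            Providers.stopJarVerification(obj);
        }
    }

    /**
     * Body of {@link #process}; see there for the parameters.
     */
    private void processImpl(Hashtable<String, CodeSigner[]> hashtable, List<Object> list) throws IOException, SignatureException, NoSuchAlgorithmException, JarException, CertificateException {
        Manifest sf = new Manifest();
        sf.read(new ByteArrayInputStream(this.sfBytes));
        String version = sf.getMainAttributes().getValue(Attributes.Name.SIGNATURE_VERSION);
        // NOTE(review): XMLStreamWriter.DEFAULT_XML_VERSION looks like a decompiler
        // substitution for a string literal (presumably "1.0") - confirm.
        if (version == null || !version.equalsIgnoreCase(XMLStreamWriter.DEFAULT_XML_VERSION)) {
            // Unknown signature version: nothing is registered, entries stay unsigned.
            return;
        }
        SignerInfo[] signerInfos = this.block.verify(this.sfBytes);
        if (signerInfos == null) {
            throw new SecurityException("cannot verify signature block file " + this.name);
        }
        CodeSigner[] signers = getSigners(signerInfos, this.block);
        if (signers == null) {
            return;
        }
        // Keep the latest timestamp across all signers; a single signer without a
        // timestamp clears it, so the constraint check then runs without one.
        for (CodeSigner signer : signers) {
            if (debug != null) {
                debug.println("Gathering timestamp for:  " + signer.toString());
            }
            Timestamp candidate = signer.getTimestamp();
            if (candidate == null) {
                this.timestamp = null;
                break;
            }
            if (this.timestamp == null || this.timestamp.getTimestamp().before(candidate.getTimestamp())) {
                this.timestamp = candidate;
            }
        }
        boolean manifestSigned = verifyManifestHash(sf, this.md, list);
        if (!manifestSigned && !verifyManifestMainAttrs(sf, this.md)) {
            throw new SecurityException("Invalid signature file digest for Manifest main attributes");
        }
        for (Map.Entry<String, Attributes> section : sf.getEntries().entrySet()) {
            String entryName = section.getKey();
            // When the whole-manifest digest matched, the per-section digests are not
            // re-checked: every section listed in the .SF is accepted as signed.
            if (manifestSigned || verifySection(section.getValue(), entryName, this.md)) {
                if (entryName.startsWith("./")) {
                    entryName = entryName.substring(2);
                }
                if (entryName.startsWith("/")) {
                    entryName = entryName.substring(1);
                }
                updateSigners(signers, hashtable, entryName);
                if (debug != null) {
                    debug.println("processSignature signed name = " + entryName);
                }
            } else if (debug != null) {
                debug.println("processSignature unsigned name = " + entryName);
            }
        }
        updateSigners(signers, hashtable, JarFile.MANIFEST_NAME);
    }

    /**
     * Checks a digest algorithm against the JAR disabled-algorithm constraints.
     *
     * <p>The verdict is cached per algorithm name for the lifetime of this verifier
     * and is evaluated with whatever {@code timestamp} is set at the first check.
     * For a rejected algorithm the upper-cased attribute key is recorded as well, so
     * {@link #getWeakAlgorithms} can name it later.
     *
     * @param str attribute key the algorithm was taken from
     * @param str2 digest algorithm name
     * @return {@code true} if the algorithm may be used
     */
    boolean permittedCheck(String str, String str2) {
        Boolean cached = this.permittedAlgs.get(str2);
        if (cached != null) {
            return cached.booleanValue();
        }
        try {
            ConfigurationHolder.JAR_DISABLED_CHECK.permits(str2, new ConstraintsParameters(this.timestamp));
            this.permittedAlgs.put(str2, Boolean.TRUE);
            return true;
        } catch (GeneralSecurityException e) {
            this.permittedAlgs.put(str2, Boolean.FALSE);
            // Fixed locale: the callers matched this key with toUpperCase(Locale.ENGLISH)
            // and getWeakAlgorithms() looks it up by an ASCII suffix. A default-locale
            // upper-casing (Turkish dotted I, for instance) would store a key that never
            // matches, and the disabled algorithm would go unreported.
            this.permittedAlgs.put(str.toUpperCase(Locale.ENGLISH), Boolean.FALSE);
            if (debug != null) {
                if (e.getMessage() != null) {
                    debug.println(str + ":  " + e.getMessage());
                } else {
                    debug.println("Debug info only. " + str + ":  " + str2 + " was disabled, no exception msg given.");
                    e.printStackTrace();
                }
            }
            return false;
        }
    }

    /**
     * Lists the algorithms recorded under keys that end with the given suffix.
     *
     * @param str key suffix to look for, for example {@code "-DIGEST-MANIFEST"}
     * @return the key prefixes, each followed by a space; a fixed placeholder if none
     *         match; or an error description if the scan fails
     */
    String getWeakAlgorithms(String str) {
        StringBuilder weak = new StringBuilder();
        try {
            for (String key : this.permittedAlgs.keySet()) {
                if (key.endsWith(str)) {
                    weak.append(key, 0, key.length() - str.length()).append(' ');
                }
            }
        } catch (RuntimeException e) {
            weak.setLength(0);
            weak.append("Unknown Algorithm(s).  Error processing ").append(str).append(".  ").append(e.getMessage());
        }
        return weak.length() == 0 ? "Unknown Algorithm(s)" : weak.toString();
    }

    /** Dumps the permitted-algorithm cache to the debug stream when debugging is on. */
    private void debugPermittedAlgs() {
        if (debug == null) {
            return;
        }
        debug.println("PermittedAlgs mapping: ");
        for (Map.Entry<String, Boolean> mapping : this.permittedAlgs.entrySet()) {
            debug.println(mapping.getKey() + " : " + mapping.getValue().toString());
        }
    }

    /**
     * Checks the {@code *-Digest-Manifest} attributes of the signature file against a
     * digest of the whole manifest.
     *
     * @param manifest parsed signature file
     * @param manifestDigester digester over the JAR manifest
     * @param list receives key and value of every attribute whose algorithm is permitted
     * @return {@code true} if at least one permitted, available digest matches
     * @throws SignatureException if such attributes exist but every algorithm is disabled
     */
    private boolean verifyManifestHash(Manifest manifest, ManifestDigester manifestDigester, List<Object> list) throws IOException, SignatureException {
        final String suffix = "-DIGEST-MANIFEST";
        boolean manifestSigned = false;
        boolean onlyDisabledAlgs = true;
        boolean sawDigestAttr = false;
        for (Map.Entry<Object, Object> attr : manifest.getMainAttributes().entrySet()) {
            String key = attr.getKey().toString();
            if (!key.toUpperCase(Locale.ENGLISH).endsWith(suffix)) {
                continue;
            }
            String algorithm = key.substring(0, key.length() - suffix.length());
            sawDigestAttr = true;
            if (!permittedCheck(key, algorithm)) {
                continue;
            }
            onlyDisabledAlgs = false;
            list.add(key);
            list.add(attr.getValue());
            MessageDigest digest = getDigest(algorithm);
            if (digest == null) {
                continue;
            }
            byte[] computed = manifestDigester.manifestDigest(digest);
            byte[] expected = Base64.getMimeDecoder().decode((String) attr.getValue());
            if (debug != null) {
                debug.println("Signature File: Manifest digest " + algorithm);
                debug.println("  sigfile  " + toHex(expected));
                debug.println("  computed " + toHex(computed));
                debug.println();
            }
            if (MessageDigest.isEqual(computed, expected)) {
                manifestSigned = true;
            }
        }
        debugPermittedAlgs();
        if (sawDigestAttr && onlyDisabledAlgs) {
            throw new SignatureException("Manifest hash check failed (DIGEST-MANIFEST). Disabled algorithm(s) used: " + getWeakAlgorithms(suffix));
        }
        return manifestSigned;
    }

    /**
     * Checks the main-attributes digest entries of the signature file.
     *
     * <p>The result starts as {@code true} and only a mismatching digest turns it to
     * {@code false}. A signature file with no such attribute, or whose only such
     * attributes name unavailable algorithms, therefore passes this check.
     *
     * @param manifest parsed signature file
     * @param manifestDigester digester over the JAR manifest
     * @return {@code false} if any permitted, available digest mismatches
     * @throws SignatureException if such attributes exist but every algorithm is disabled
     */
    private boolean verifyManifestMainAttrs(Manifest manifest, ManifestDigester manifestDigester) throws IOException, SignatureException {
        boolean attrsVerified = true;
        boolean onlyDisabledAlgs = true;
        boolean sawDigestAttr = false;
        for (Map.Entry<Object, Object> attr : manifest.getMainAttributes().entrySet()) {
            String key = attr.getKey().toString();
            if (!key.toUpperCase(Locale.ENGLISH).endsWith(ATTR_DIGEST)) {
                continue;
            }
            String algorithm = key.substring(0, key.length() - ATTR_DIGEST.length());
            sawDigestAttr = true;
            if (!permittedCheck(key, algorithm)) {
                continue;
            }
            onlyDisabledAlgs = false;
            MessageDigest digest = getDigest(algorithm);
            if (digest == null) {
                continue;
            }
            byte[] computed = manifestDigester.getMainAttsEntry(false).digest(digest);
            byte[] expected = Base64.getMimeDecoder().decode((String) attr.getValue());
            if (debug != null) {
                debug.println("Signature File: Manifest Main Attributes digest " + digest.getAlgorithm());
                debug.println("  sigfile  " + toHex(expected));
                debug.println("  computed " + toHex(computed));
                debug.println();
            }
            if (!MessageDigest.isEqual(computed, expected)) {
                attrsVerified = false;
                if (debug != null) {
                    debug.println("Verification of Manifest main attributes failed");
                    debug.println();
                }
            }
        }
        debugPermittedAlgs();
        if (sawDigestAttr && onlyDisabledAlgs) {
            throw new SignatureException("Manifest Main Attribute check failed (" + ATTR_DIGEST + ").  Disabled algorithm(s) used: " + getWeakAlgorithms(ATTR_DIGEST));
        }
        return attrsVerified;
    }

    /**
     * Checks the {@code *-Digest} attributes of one signature file section against the
     * matching manifest section.
     *
     * @param attributes attributes of the section in the signature file, may be {@code null}
     * @param str entry name of the section
     * @param manifestDigester digester over the JAR manifest
     * @return {@code true} if at least one permitted, available digest matched
     * @throws SecurityException if the manifest has no such section or a digest mismatches
     * @throws SignatureException if digest attributes exist but every algorithm is disabled
     */
    private boolean verifySection(Attributes attributes, String str, ManifestDigester manifestDigester) throws IOException, SignatureException {
        final String suffix = "-DIGEST";
        boolean oneDigestVerified = false;
        ManifestDigester.Entry manifestEntry = manifestDigester.get(str, this.block.isOldStyle());
        boolean onlyDisabledAlgs = true;
        boolean sawDigestAttr = false;
        if (manifestEntry == null) {
            throw new SecurityException("no manifest section for signature file entry " + str);
        }
        if (attributes != null) {
            for (Map.Entry<Object, Object> attr : attributes.entrySet()) {
                String key = attr.getKey().toString();
                if (!key.toUpperCase(Locale.ENGLISH).endsWith(suffix)) {
                    continue;
                }
                String algorithm = key.substring(0, key.length() - suffix.length());
                sawDigestAttr = true;
                if (!permittedCheck(key, algorithm)) {
                    continue;
                }
                onlyDisabledAlgs = false;
                MessageDigest digest = getDigest(algorithm);
                if (digest == null) {
                    continue;
                }
                boolean matched = false;
                byte[] expected = Base64.getMimeDecoder().decode((String) attr.getValue());
                byte[] computed = this.workaround ? manifestEntry.digestWorkaround(digest) : manifestEntry.digest(digest);
                if (debug != null) {
                    debug.println("Signature Block File: " + str + " digest=" + digest.getAlgorithm());
                    debug.println("  expected " + toHex(expected));
                    debug.println("  computed " + toHex(computed));
                    debug.println();
                }
                if (MessageDigest.isEqual(computed, expected)) {
                    oneDigestVerified = true;
                    matched = true;
                } else if (!this.workaround) {
                    // Second attempt with the alternate computation offered by
                    // ManifestDigester.Entry (what it changes is not visible in this
                    // file). A success switches every later section to it as well.
                    byte[] recomputed = manifestEntry.digestWorkaround(digest);
                    if (MessageDigest.isEqual(recomputed, expected)) {
                        if (debug != null) {
                            debug.println("  re-computed " + toHex(recomputed));
                            debug.println();
                        }
                        this.workaround = true;
                        oneDigestVerified = true;
                        matched = true;
                    }
                }
                if (!matched) {
                    throw new SecurityException("invalid " + digest.getAlgorithm() + " signature file digest for " + str);
                }
            }
        }
        debugPermittedAlgs();
        if (sawDigestAttr && onlyDisabledAlgs) {
            // NOTE(review): the message says "Manifest Main Attribute" although this is
            // the per-entry check, and the suffix "DIGEST" (no leading hyphen) leaves a
            // trailing '-' on each reported name. Both are kept as found.
            throw new SignatureException("Manifest Main Attribute check failed (DIGEST).  Disabled algorithm(s) used: " + getWeakAlgorithms("DIGEST"));
        }
        return oneDigestVerified;
    }

    /**
     * Builds one {@link CodeSigner} per verified signer info.
     *
     * @param signerInfoArr signer infos returned by the PKCS#7 verification
     * @param pkcs7 the signature block the infos belong to
     * @return the signers, or {@code null} if {@code signerInfoArr} is empty
     */
    private CodeSigner[] getSigners(SignerInfo[] signerInfoArr, PKCS7 pkcs7) throws IOException, NoSuchAlgorithmException, SignatureException, CertificateException {
        ArrayList<CodeSigner> signers = null;
        for (SignerInfo signerInfo : signerInfoArr) {
            ArrayList<X509Certificate> chain = signerInfo.getCertificateChain(pkcs7);
            CertPath certPath = this.certificateFactory.generateCertPath(chain);
            if (signers == null) {
                signers = new ArrayList<>();
            }
            signers.add(new CodeSigner(certPath, signerInfo.getTimestamp()));
            if (debug != null) {
                debug.println("Signature Block Certificate: " + chain.get(0));
            }
        }
        if (signers != null) {
            return signers.toArray(new CodeSigner[0]);
        }
        return null;
    }

    /**
     * Renders bytes as lower-case hexadecimal, two characters per byte.
     *
     * @param bArr bytes to render
     * @return the hex string
     */
    static String toHex(byte[] bArr) {
        StringBuilder sb = new StringBuilder(bArr.length * 2);
        for (byte b : bArr) {
            sb.append(hexc[(b >> 4) & 15]);
            sb.append(hexc[b & 15]);
        }
        return sb.toString();
    }

    /**
     * Reports whether the array holds a signer equal to the given one.
     *
     * @param codeSignerArr signers to search
     * @param codeSigner signer to look for
     * @return {@code true} if an equal element exists
     */
    static boolean contains(CodeSigner[] codeSignerArr, CodeSigner codeSigner) {
        for (CodeSigner candidate : codeSignerArr) {
            if (candidate.equals(codeSigner)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether every signer of the first array also occurs in the second.
     *
     * @param codeSignerArr the candidate subset
     * @param codeSignerArr2 the candidate superset
     * @return {@code true} if the first array is a subset of the second
     */
    static boolean isSubSet(CodeSigner[] codeSignerArr, CodeSigner[] codeSignerArr2) {
        if (codeSignerArr2 == codeSignerArr) {
            return true;
        }
        for (CodeSigner signer : codeSignerArr) {
            if (!contains(codeSignerArr2, signer)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Reports whether the first array, seen as a set, equals the union of the other two.
     *
     * @param codeSignerArr cached signer array under test
     * @param codeSignerArr2 signers already recorded for the entry, may be {@code null}
     * @param codeSignerArr3 signers being added
     * @return {@code true} if the cached array can stand for the combined signers
     */
    static boolean matches(CodeSigner[] codeSignerArr, CodeSigner[] codeSignerArr2, CodeSigner[] codeSignerArr3) {
        if (codeSignerArr2 == null && codeSignerArr == codeSignerArr3) {
            return true;
        }
        boolean oldCovered = codeSignerArr2 == null || isSubSet(codeSignerArr2, codeSignerArr);
        if (!oldCovered || !isSubSet(codeSignerArr3, codeSignerArr)) {
            return false;
        }
        // Nothing in the cached array may come from outside the two inputs.
        for (CodeSigner signer : codeSignerArr) {
            boolean inOld = codeSignerArr2 != null && contains(codeSignerArr2, signer);
            if (!inOld && !contains(codeSignerArr3, signer)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Adds signers to an entry, reusing a cached array when one already matches.
     *
     * <p>The cache is searched from its newest element. Without a match the existing
     * and new signers are concatenated (no de-duplication), cached and stored.
     *
     * @param codeSignerArr signers to add
     * @param hashtable entry name to signers
     * @param str entry name
     */
    void updateSigners(CodeSigner[] codeSignerArr, Hashtable<String, CodeSigner[]> hashtable, String str) {
        CodeSigner[] existing = hashtable.get(str);
        for (int i = this.signerCache.size() - 1; i != -1; i--) {
            CodeSigner[] cached = this.signerCache.get(i);
            if (matches(cached, existing, codeSignerArr)) {
                hashtable.put(str, cached);
                return;
            }
        }
        CodeSigner[] combined;
        if (existing == null) {
            combined = codeSignerArr;
        } else {
            combined = new CodeSigner[existing.length + codeSignerArr.length];
            System.arraycopy(existing, 0, combined, 0, existing.length);
            System.arraycopy(codeSignerArr, 0, combined, existing.length, codeSignerArr.length);
        }
        this.signerCache.add(combined);
        hashtable.put(str, combined);
    }
}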
