package com.topjohnwu.signing;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;

/* loaded from: classes2.dex */
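public class SignBoot {
    /** Number of leading image bytes that are read and parsed as the boot image header. */
    private static final int BOOT_IMAGE_HEADER_SIZE_MAXIMUM = 2048;
    /** Absolute header offset of the recovery DTBO size field (header versions 1..7). */
    private static final int BOOT_IMAGE_HEADER_V1_RECOVERY_DTBO_SIZE_OFFSET = 1632;
    /** Absolute header offset of the DTB size field (header version 2). */
    private static final int BOOT_IMAGE_HEADER_V2_DTB_SIZE_OFFSET = 1648;
    /** Values of the version field at or above this are not treated as a header version. */
    private static final int BOOT_IMAGE_HEADER_VERSION_MAXIMUM = 8;
    /** Page sizes at or above this value (0x2000000) are rejected as a PXA-style header. */
    private static final int PAGE_SIZE_UPPER_BOUND = 33554432;
    /** Size of the buffer used to read the signature block that trails the image. */
    private static final int SIGNATURE_BLOCK_SIZE = 4096;

    /**
     * ASN.1 model of the boot signature block appended after the signable image:
     * {@code SEQUENCE { formatVersion, certificate, algorithmIdentifier,
     * SEQUENCE { target, length }, signature }}.
     *
     * <p>The signature covers the image bytes followed by the DER encoding of the
     * {@code { target, length }} sequence, so both attributes are bound to the image.
     *
     * <p>Trust model: an instance parsed from bytes takes its public key from the
     * certificate embedded in the same block. {@link #verify} against that key only
     * shows that the image matches the block; it says nothing about who produced the
     * block. Call {@link #setCertificate} with a certificate obtained out of band to
     * check against a trusted key. No chain building, validity-period or revocation
     * check is performed in this class.
     */
    public static class BootSignature extends ASN1Object {
        private static final int FORMAT_VERSION = 1;
        private AlgorithmIdentifier algId;
        private ASN1Encodable certificate;
        private ASN1Integer formatVersion;
        private ASN1Integer length;
        private PublicKey publicKey;
        private DEROctetString signature;
        private DERPrintableString target;

        /**
         * Starts a new, not yet signed, signature block.
         *
         * @param str target name stored in the authenticated attributes
         * @param i   signable image length in bytes stored in the authenticated attributes
         */
        public BootSignature(String str, int i) {
            this.formatVersion = new ASN1Integer(FORMAT_VERSION);
            this.target = new DERPrintableString(str);
            this.length = new ASN1Integer(i);
        }

        /**
         * Parses a signature block from untrusted bytes.
         *
         * @param bArr buffer whose first ASN.1 object is the signature block; trailing
         *             bytes after that object are ignored
         * @throws IllegalArgumentException if the block is empty, has fewer than five
         *                                  elements, or carries an unsupported format version
         * @throws ClassCastException       if an element has an unexpected ASN.1 type
         * @throws Exception                on ASN.1 or certificate decoding failure
         */
        public BootSignature(byte[] bArr) throws Exception {
            ASN1Sequence root;
            try (ASN1InputStream asn1 = new ASN1InputStream(bArr)) {
                root = (ASN1Sequence) asn1.readObject();
            }
            // The input is attacker-controlled: fail with a clear error instead of an
            // incidental NullPointerException / ArrayIndexOutOfBoundsException.
            if (root == null || root.size() < 5) {
                throw new IllegalArgumentException("Malformed signature block");
            }
            ASN1Integer version = (ASN1Integer) root.getObjectAt(0);
            this.formatVersion = version;
            if (version.getValue().intValue() != FORMAT_VERSION) {
                throw new IllegalArgumentException("Unsupported format version");
            }
            ASN1Encodable embeddedCert = root.getObjectAt(1);
            this.certificate = embeddedCert;
            byte[] certDer = ((ASN1Object) embeddedCert).getEncoded();
            X509Certificate parsedCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(certDer));
            // Key comes from the block itself; see the class-level trust model note.
            this.publicKey = parsedCert.getPublicKey();
            ASN1Sequence algSeq = (ASN1Sequence) root.getObjectAt(2);
            this.algId = new AlgorithmIdentifier((ASN1ObjectIdentifier) algSeq.getObjectAt(0));
            ASN1Sequence attributes = (ASN1Sequence) root.getObjectAt(3);
            this.target = (DERPrintableString) attributes.getObjectAt(0);
            this.length = (ASN1Integer) attributes.getObjectAt(1);
            this.signature = (DEROctetString) root.getObjectAt(4);
        }

        /** Returns the {@code { target, length }} sequence that is signed together with the image. */
        public ASN1Object getAuthenticatedAttributes() {
            ASN1EncodableVector attributes = new ASN1EncodableVector();
            attributes.add(this.target);
            attributes.add(this.length);
            return new DERSequence(attributes);
        }

        /**
         * Returns the encoded form of {@link #getAuthenticatedAttributes()}.
         *
         * @throws IOException if encoding fails
         */
        public byte[] getEncodedAuthenticatedAttributes() throws IOException {
            return getAuthenticatedAttributes().getEncoded();
        }

        /**
         * Replaces the certificate stored in the block and the public key used by
         * {@link #verify}. On the verification path this is what pins the check to a
         * caller-chosen key instead of the one embedded in the parsed block.
         *
         * @param x509Certificate certificate to store and take the public key from
         * @throws CertificateEncodingException if the certificate cannot be encoded
         * @throws IOException                  if the encoded certificate cannot be parsed as ASN.1
         */
        public void setCertificate(X509Certificate x509Certificate) throws CertificateEncodingException, IOException {
            try (ASN1InputStream asn1 = new ASN1InputStream(x509Certificate.getEncoded())) {
                this.certificate = asn1.readObject();
            }
            this.publicKey = x509Certificate.getPublicKey();
        }

        /**
         * Stores a computed signature and the identifier of the algorithm that produced it.
         *
         * @param bArr                raw signature bytes
         * @param algorithmIdentifier algorithm identifier written into the block
         */
        public void setSignature(byte[] bArr, AlgorithmIdentifier algorithmIdentifier) {
            this.algId = algorithmIdentifier;
            this.signature = new DEROctetString(bArr);
        }

        /**
         * Signs exactly {@code i} bytes from the stream followed by the encoded
         * authenticated attributes.
         *
         * @param privateKey  signing key; the algorithm is derived from it by {@code CryptoUtils}
         * @param inputStream source of the image bytes
         * @param i           number of image bytes to sign
         * @return the raw signature
         * @throws IllegalArgumentException if {@code i} is negative
         * @throws IOException              if the stream ends before {@code i} bytes were read;
         *                                  the attributes declare that length, so signing fewer
         *                                  bytes would produce a block that cannot verify
         * @throws Exception                on any signature provider failure
         */
        public byte[] sign(PrivateKey privateKey, InputStream inputStream, int i) throws Exception {
            if (i < 0) {
                throw new IllegalArgumentException("Invalid image length");
            }
            Signature signer = Signature.getInstance(CryptoUtils.getSignatureAlgorithm(privateKey));
            signer.initSign(privateKey);
            byte[] chunk = new byte[4096];
            int remaining = i;
            while (remaining > 0) {
                int read = inputStream.read(chunk, 0, Math.min(remaining, chunk.length));
                if (read <= 0) {
                    throw new IOException("Image ended " + remaining + " bytes before the declared length");
                }
                signer.update(chunk, 0, read);
                remaining -= read;
            }
            signer.update(getEncodedAuthenticatedAttributes());
            return signer.sign();
        }

        /** Serializes the block in the field order expected by the byte-array constructor. */
        @Override
        public ASN1Primitive toASN1Primitive() {
            ASN1EncodableVector fields = new ASN1EncodableVector();
            fields.add(this.formatVersion);
            fields.add(this.certificate);
            fields.add(this.algId);
            fields.add(getAuthenticatedAttributes());
            fields.add(this.signature);
            return new DERSequence(fields);
        }

        /**
         * Checks the stored signature over the first {@code i} bytes of {@code bArr}
         * plus the encoded authenticated attributes, using the current public key.
         *
         * <p>The algorithm is taken from the block but must map to an entry in
         * {@code CryptoUtils.ID_TO_ALG}; unknown identifiers are rejected.
         * NOTE(review): the {@code target} attribute is covered by the signature but is
         * not compared with any expected value here — confirm whether callers need that.
         *
         * @param bArr buffer holding the signable image
         * @param i    signable image length; must equal the length stored in the block
         * @return {@code true} if the signature matches
         * @throws IllegalArgumentException if the length differs or the algorithm is unsupported
         * @throws Exception                on any signature provider failure
         */
        public boolean verify(byte[] bArr, int i) throws Exception {
            if (this.length.getValue().intValue() != i) {
                throw new IllegalArgumentException("Invalid image length");
            }
            String algorithmName = CryptoUtils.ID_TO_ALG.get(this.algId.getAlgorithm().getId());
            if (algorithmName == null) {
                throw new IllegalArgumentException("Unsupported algorithm " + this.algId.getAlgorithm());
            }
            Signature verifier = Signature.getInstance(algorithmName);
            verifier.initVerify(this.publicKey);
            verifier.update(bArr, 0, i);
            verifier.update(getEncodedAuthenticatedAttributes());
            return verifier.verify(this.signature.getOctets());
        }
    }

    /**
     * Input stream that copies every byte it pulls from the wrapped stream to
     * {@code out}, and can replay one buffer of already-consumed bytes. Replayed
     * bytes are not written to {@code out} a second time.
     */
    public static class PushBackRWStream extends FilterInputStream {
        private byte[] backBuf;
        private OutputStream out;
        private int pos;

        PushBackRWStream(InputStream inputStream, OutputStream outputStream) {
            super(inputStream);
            this.pos = 0;
            this.out = outputStream;
        }

        /**
         * Reads one byte, from the replay buffer first and then from the wrapped stream.
         *
         * @return the byte as a value in 0..255, or -1 at end of stream
         * @throws IOException if reading or the copy to {@code out} fails
         */
        @Override
        public int read() throws IOException {
            if (this.backBuf != null && this.pos < this.backBuf.length) {
                // Mask to 0..255: a raw byte >= 0x80 would come back negative and
                // 0xFF would be indistinguishable from end of stream.
                return this.backBuf[this.pos++] & 0xFF;
            }
            int value = super.read();
            if (value >= 0) {
                // Do not copy the -1 end-of-stream marker to the output as a 0xFF byte.
                this.out.write(value);
            }
            return value;
        }

        /**
         * Reads up to {@code i2} bytes into {@code bArr} at offset {@code i}, draining the
         * replay buffer before touching the wrapped stream.
         *
         * @return number of bytes stored, or -1 if nothing was replayed and the wrapped
         *         stream is at its end
         * @throws IOException if reading or the copy to {@code out} fails
         */
        @Override
        public int read(byte[] bArr, int i, int i2) throws IOException {
            int replayed = 0;
            if (this.backBuf != null && this.pos < this.backBuf.length) {
                replayed = Math.min(i2, this.backBuf.length - this.pos);
                System.arraycopy(this.backBuf, this.pos, bArr, i, replayed);
                this.pos += replayed;
                i += replayed;
                i2 -= replayed;
            }
            if (i2 <= 0) {
                return replayed;
            }
            int fresh = super.read(bArr, i, i2);
            if (fresh <= 0) {
                // End of the wrapped stream: report what was replayed, if anything,
                // instead of passing a negative count to out.write().
                return replayed > 0 ? replayed : fresh;
            }
            this.out.write(bArr, i, fresh);
            return replayed + fresh;
        }

        /**
         * Makes {@code bArr} the replay buffer; subsequent reads return it from its start.
         *
         * @param bArr bytes to replay
         */
        void unread(byte[] bArr) {
            this.backBuf = bArr;
            this.pos = 0;
        }
    }

    /**
     * Copies a boot image from {@code inputStream} to {@code outputStream} and appends
     * a signature block for it.
     *
     * <p>When {@code x509Certificate} or {@code privateKey} is {@code null}, the
     * corresponding material is loaded from {@code KeyData}. NOTE(review):
     * {@code KeyData} is not visible here; if it holds a key pair shipped inside the
     * package, that private key is readable by anyone who has the package, so a
     * signature made with it shows integrity only, not origin — confirm.
     *
     * @param x509Certificate certificate to embed, or {@code null} for the default
     * @param privateKey      signing key, or {@code null} for the default
     * @param inputStream     unsigned image
     * @param outputStream    receives the image bytes followed by the signature block
     * @param str             target name stored in the signature block
     * @return {@code true} on success; {@code false} after any failure, which is
     *         reported on standard error. Bytes already copied to {@code outputStream}
     *         before a failure are not rolled back.
     */
    public static boolean doSignature(X509Certificate x509Certificate, PrivateKey privateKey, InputStream inputStream, OutputStream outputStream, String str) {
        try {
            PushBackRWStream tee = new PushBackRWStream(inputStream, outputStream);
            byte[] header = new byte[BOOT_IMAGE_HEADER_SIZE_MAXIMUM];
            // A short header would otherwise be replayed zero-padded and signed as if
            // the padding were part of the image.
            if (fullRead(tee, header) != header.length) {
                System.err.println("Unable to read image header");
                return false;
            }
            int signableImageSize = getSignableImageSize(header);
            // The header must be part of the signed data, so hand it back to the stream.
            tee.unread(header);
            BootSignature bootSignature = new BootSignature(str, signableImageSize);
            if (x509Certificate == null) {
                x509Certificate = CryptoUtils.readCertificate(new ByteArrayInputStream(KeyData.verityCert()));
            }
            bootSignature.setCertificate(x509Certificate);
            if (privateKey == null) {
                privateKey = CryptoUtils.readPrivateKey(new ByteArrayInputStream(KeyData.verityKey()));
            }
            byte[] rawSignature = bootSignature.sign(privateKey, tee, signableImageSize);
            bootSignature.setSignature(rawSignature, CryptoUtils.getSignatureAlgorithmIdentifier(privateKey));
            outputStream.write(bootSignature.getEncoded());
            outputStream.flush();
            return true;
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }

    /** Fills {@code bArr} from the stream; returns the number of bytes actually read. */
    private static int fullRead(InputStream inputStream, byte[] bArr) throws IOException {
        return fullRead(inputStream, bArr, 0, bArr.length);
    }

    /**
     * Reads until {@code i2} bytes are stored at offset {@code i} or the stream stops
     * delivering data.
     *
     * @return number of bytes read, which is less than {@code i2} on a short stream and
     *         0 when {@code i2} is not positive
     */
    private static int fullRead(InputStream inputStream, byte[] bArr, int i, int i2) throws IOException {
        int total = 0;
        while (total < i2) {
            int read = inputStream.read(bArr, i + total, i2 - total);
            if (read <= 0) {
                break;
            }
            total += read;
        }
        return total;
    }

    /**
     * Rounds a section size up to a whole number of pages, in {@code long} arithmetic
     * so that header-supplied values cannot wrap around.
     */
    private static long alignToPage(long size, long pageSize) {
        if (size < 0) {
            throw new IllegalArgumentException("Invalid image header: invalid length");
        }
        return ((size + pageSize - 1) / pageSize) * pageSize;
    }

    /**
     * Computes how many leading bytes of a boot image are covered by the signature,
     * from the image header alone.
     *
     * <p>Every size is read from the (untrusted) header. The sum is one page for the
     * header plus each section rounded up to the page size. Local names follow the
     * AOSP boot image header layout. When the version field is outside
     * 1..{@code BOOT_IMAGE_HEADER_VERSION_MAXIMUM - 1} it is treated as the size of a
     * further section rather than as a version.
     *
     * @param bArr header bytes, normally the first {@code BOOT_IMAGE_HEADER_SIZE_MAXIMUM}
     *             bytes of the image
     * @return the signable size in bytes, always positive
     * @throws IllegalArgumentException if the magic is missing, the page size is not
     *                                  positive or looks like a PXA header, a section size
     *                                  is negative, the declared header length does not
     *                                  match, or the total does not fit in an {@code int}
     * @throws Exception                if the buffer is too short for the fields read
     */
    public static int getSignableImageSize(byte[] bArr) throws Exception {
        if (!Arrays.equals(Arrays.copyOfRange(bArr, 0, 8), "ANDROID!".getBytes("US-ASCII"))) {
            throw new IllegalArgumentException("Invalid image header: missing magic");
        }
        ByteBuffer header = ByteBuffer.wrap(bArr);
        header.order(ByteOrder.LITTLE_ENDIAN);
        header.getLong();                    // magic
        int kernelSize = header.getInt();
        header.getInt();                     // kernel load address
        int ramdiskSize = header.getInt();
        header.getInt();                     // ramdisk load address
        int secondSize = header.getInt();
        header.getLong();                    // second-stage and tags addresses
        int pageSize = header.getInt();
        if (pageSize >= PAGE_SIZE_UPPER_BOUND) {
            throw new IllegalArgumentException("Invalid image header: PXA header detected");
        }
        if (pageSize <= 0) {
            // Zero would divide by zero below; a negative value would yield a bogus size.
            throw new IllegalArgumentException("Invalid image header: invalid page size");
        }

        long total = alignToPage(kernelSize, pageSize)
                + pageSize
                + alignToPage(ramdiskSize, pageSize)
                + alignToPage(secondSize, pageSize);

        int versionOrSize = header.getInt();
        if (versionOrSize <= 0 || versionOrSize >= BOOT_IMAGE_HEADER_VERSION_MAXIMUM) {
            total += alignToPage(versionOrSize, pageSize);
        } else {
            header.position(BOOT_IMAGE_HEADER_V1_RECOVERY_DTBO_SIZE_OFFSET);
            total += alignToPage(header.getInt(), pageSize);
            header.getLong();                // recovery DTBO offset
            int declaredHeaderSize = header.getInt();
            if (versionOrSize == 2) {
                header.position(BOOT_IMAGE_HEADER_V2_DTB_SIZE_OFFSET);
                total += alignToPage(header.getInt(), pageSize);
                header.getLong();            // DTB address
            }
            // The parse position after the last known field must equal the size the
            // header declares for itself.
            if (header.position() != declaredHeaderSize) {
                throw new IllegalArgumentException("Invalid image header: invalid header length");
            }
        }

        long aligned = alignToPage(total, pageSize);
        if (aligned <= 0 || aligned > Integer.MAX_VALUE) {
            throw new IllegalArgumentException("Invalid image header: invalid length");
        }
        return (int) aligned;
    }

    /**
     * Command-line entry point: {@code -verify [x509.pem]} or
     * {@code -sign [x509.pem] [pk8] [name]}, image on standard input. The process
     * exits with 0 on success and 1 on failure; without a recognised action the usage
     * text is printed.
     *
     * @param strArr command-line arguments
     * @throws Exception if a certificate or key file cannot be read
     */
    public static void main(String[] strArr) throws Exception {
        if (strArr.length > 0 && "-verify".equals(strArr[0])) {
            X509Certificate trusted = null;
            if (strArr.length >= 2) {
                try (FileInputStream certIn = new FileInputStream(strArr[1])) {
                    trusted = CryptoUtils.readCertificate(certIn);
                }
            }
            System.exit(!verifySignature(System.in, trusted) ? 1 : 0);
            return;
        }
        if (strArr.length <= 0 || !"-sign".equals(strArr[0])) {
            System.err.println("BootSigner <actions> [args]\nInput from stdin, output to stdout\n\nActions:\n   -verify [x509.pem]\n      verify image. cert is optional.\n   -sign [x509.pem] [pk8] [name]\n      sign image. name and the cert/key pair are optional.\n      name should be either /boot (default) or /recovery.\n");
            return;
        }
        X509Certificate x509Certificate = null;
        PrivateKey privateKey = null;
        String str = "/boot";
        if (strArr.length >= 3) {
            try (FileInputStream certIn = new FileInputStream(strArr[1]);
                 FileInputStream keyIn = new FileInputStream(strArr[2])) {
                x509Certificate = CryptoUtils.readCertificate(certIn);
                privateKey = CryptoUtils.readPrivateKey(keyIn);
            }
        }
        // With exactly one extra argument it is the target name; with a cert/key pair
        // the name, if present, follows them.
        if (strArr.length == 2) {
            str = strArr[1];
        } else if (strArr.length >= 4) {
            str = strArr[3];
        }
        System.exit(!doSignature(x509Certificate, privateKey, System.in, System.out, str) ? 1 : 0);
    }

    /**
     * Reads a signed boot image and checks its trailing signature block.
     *
     * <p>With {@code x509Certificate == null} the check uses the certificate embedded
     * in the image's own signature block, so a "VALID" result only means the image and
     * its block are consistent with each other. Pass a certificate obtained
     * independently of the image to tie the result to a known signer.
     *
     * <p>The whole signable region is buffered in memory, and its size comes from the
     * image header. NOTE(review): no upper bound smaller than {@code Integer.MAX_VALUE}
     * is applied to that allocation here.
     *
     * @param inputStream     signed image
     * @param x509Certificate certificate to verify against, or {@code null} to use the
     *                        embedded one
     * @return {@code true} only if a signature block is present and verifies; every
     *         other outcome is reported on standard error and returns {@code false}
     */
    public static boolean verifySignature(InputStream inputStream, X509Certificate x509Certificate) {
        try {
            byte[] header = new byte[BOOT_IMAGE_HEADER_SIZE_MAXIMUM];
            if (fullRead(inputStream, header) != header.length) {
                System.err.println("Unable to read image header");
                return false;
            }
            int signableImageSize = getSignableImageSize(header);
            if (signableImageSize < header.length) {
                // A signable region smaller than the header already read cannot be
                // satisfied; reject it before sizing any buffer from it.
                System.err.println("Unable to read image");
                return false;
            }
            byte[] image = Arrays.copyOf(header, signableImageSize);
            int bodyLength = signableImageSize - header.length;
            if (fullRead(inputStream, image, header.length, bodyLength) != bodyLength) {
                System.err.println("Unable to read image");
                return false;
            }
            byte[] signatureBlock = new byte[SIGNATURE_BLOCK_SIZE];
            // Fill the buffer with repeated reads: a single read() on a pipe may return
            // only part of the block, which would then fail to parse.
            int signatureBytes = fullRead(inputStream, signatureBlock);
            if (signatureBytes > 0 && !Arrays.equals(signatureBlock, new byte[signatureBlock.length])) {
                BootSignature bootSignature = new BootSignature(signatureBlock);
                if (x509Certificate != null) {
                    bootSignature.setCertificate(x509Certificate);
                }
                if (bootSignature.verify(image, signableImageSize)) {
                    System.err.println("Signature is VALID");
                    return true;
                }
                System.err.println("Signature is INVALID");
                return false;
            }
            System.err.println("Invalid image: not signed");
            return false;
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }
}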
