package com.microej.security.command;

import com.microej.security.util.DerFormatException;
import com.microej.security.util.DerInputStreamHelper;
import com.microej.security.util.DerValueInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.eclipse.core.runtime.IProgressMonitor;
import org.eclipse.core.runtime.SubMonitor;

/* loaded from: input_file:com/microej/security/command/CommandUnwrapperVerifier.class */
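/**
 * Unwraps a DER-encoded command and verifies its signature against a certificate path
 * carried in the same stream.
 *
 * <p>Elements are consumed from the stream in this order: an outer tag and DER length
 * (optionally followed by an inner SEQUENCE header), a version INTEGER, a signature
 * algorithm identifier (OID followed by NULL), a certificate path, the command value,
 * and finally a BIT STRING holding the signature.
 *
 * <p><strong>Security note, verify-on-end:</strong> {@link #unwrapCommand} returns the
 * {@link Command} before the signature has been checked. Verification runs only from the
 * stream's {@code onStreamEnd()} hook, so bytes read from the command stream are
 * unauthenticated until the stream has been read to its end without an
 * {@code InvalidSignatureException}. Callers should buffer the payload or defer any
 * irreversible action until then. From the code visible here, a caller that stops
 * reading early never triggers the signature check.
 *
 * <p>Instances keep the stream being parsed in a field and are therefore not safe for
 * concurrent or re-entrant use.
 */
public class CommandUnwrapperVerifier implements CommandUnwrapper {
    private static final String ALG_SHA256withRSA = "SHA256withRSA";
    private static final String ALG_SHA256withECDSA = "SHA256withECDSA";
    public static final String OID_SHA256withRSA = "1.2.840.113549.1.1.11";
    public static final String OID_SHA256withECDSA = "1.2.840.10045.4.3.2";
    // Accepted by algId() as an alternative spelling of the SHA256withRSA identifier.
    public static final String OID_HEX_SHA256withRSA = "2a864886f70d01010b";
    // Stream currently being parsed; set by unwrapCommand() and read by the private helpers.
    private InputStream is;
    // 0xA0 as a signed byte; its complement (0x5F) is applied to the command tag.
    private static final byte COMMAND_TAG_MASK = -96;
    private final CertificateChainValidator certificateChainValidator;
    private static final int VERSION = 1;
    // DER tag of a universal constructed SEQUENCE (0x30).
    private static final int TAG_SEQUENCE = 48;

    /**
     * Creates a verifier that delegates every trust decision to the given validator.
     *
     * @param certificateChainValidator validator consulted for each certificate of the path
     */
    CommandUnwrapperVerifier(CertificateChainValidator certificateChainValidator) {
        this.certificateChainValidator = certificateChainValidator;
    }

    /** Creates a verifier backed by {@link DefaultCertificateChainValidator}. */
    public CommandUnwrapperVerifier() {
        this.certificateChainValidator = new DefaultCertificateChainValidator();
    }

    /**
     * Parses the header, version, algorithm identifier and certificate path, then returns
     * the command as a stream whose content is fed to the signature verifier while it is
     * being read.
     *
     * <p>The signature is checked only when the returned command stream reaches its end;
     * see the class documentation for what that means for callers.
     *
     * @param inputStream      stream positioned at the first byte of the wrapped command
     * @param iProgressMonitor progress monitor, converted with {@link SubMonitor#convert}
     * @return the command, backed by a stream that verifies the signature on completion
     * @throws InvalidCommandFormatException if the header, version, algorithm identifier
     *                                       or certificate encoding is rejected
     * @throws IOException                   on read failure, or when the certificate path
     *                                       is not trusted or not authorized
     */
    public Command unwrapCommand(InputStream inputStream, IProgressMonitor iProgressMonitor) throws IOException, InvalidCommandFormatException {
        final SubMonitor progress = SubMonitor.convert(iProgressMonitor, 100);
        try {
            this.is = inputStream;
            progress.subTask("Checking headers");
            int outerTag = this.is.read();
            int outerLength = DerInputStreamHelper.readDERLength(inputStream);
            if (outerLength <= 0) {
                throw new InvalidCommandFormatException("Inconsistent length.");
            }
            if (outerTag != TAG_SEQUENCE) {
                // The outer element is a wrapper: an inner SEQUENCE must fill it exactly.
                int expectedInnerLength = outerLength - innerHeaderSize(outerLength);
                int innerLength = DerInputStreamHelper.expectTag((byte) TAG_SEQUENCE, inputStream);
                if (innerLength != expectedInnerLength) {
                    throw new InvalidCommandFormatException("Inconsistent length: got " + innerLength + " while expecting " + expectedInnerLength);
                }
            }
            checkVersion();
            progress.worked(5);
            final Signature verifier = algId();
            progress.worked(5);
            progress.subTask("Checking certpath");
            certPath(verifier);
            progress.worked(15);
            DerValueInputStream commandStream = new DerValueInputStream(inputStream) {
                protected void onStreamEnd() throws InvalidSignatureException, IOException {
                    // Only here is the payload authenticated: the trailing BIT STRING is
                    // read and checked once the whole command value has been consumed.
                    progress.subTask("Checking signature");
                    CommandUnwrapperVerifier.this.validateSignature(verifier);
                    progress.subTask("Finalizing operation");
                }

                protected void onDataRead(byte[] bArr, int i2, int i3) throws InvalidSignatureException {
                    try {
                        verifier.update(bArr, i2, i3);
                        progress.worked(i3);
                    } catch (SignatureException e) {
                        throw new InvalidSignatureException(e);
                    }
                }

                protected void onDataRead(byte b) throws InvalidSignatureException {
                    try {
                        verifier.update(b);
                        progress.worked(1);
                    } catch (SignatureException e) {
                        throw new InvalidSignatureException(e);
                    }
                }
            };
            // NOTE(review): the signature is updated only through the onDataRead hooks of the
            // command stream; the version, algorithm identifier and certificate path are read
            // before it exists, so they appear not to be covered by the signature. Confirm.
            progress.setWorkRemaining((commandStream.remainingLength() * 110) / 100);
            // ~COMMAND_TAG_MASK == 0x5F: strips the 0xA0 bits from the command tag.
            return new Command(commandStream, commandStream.getTag() & ~COMMAND_TAG_MASK);
        } catch (InvalidKeyException | NoSuchAlgorithmException | CertificateException | DerFormatException e) {
            // Chain the exception itself: getCause() is frequently null and would discard
            // the failure's type and message.
            throw new InvalidCommandFormatException(e);
        }
    }

    /**
     * Returns the number of header bytes (tag plus length octets) assumed for the inner
     * SEQUENCE, selected from the outer length.
     *
     * <p>NOTE(review): the size is chosen from the outer length rather than the inner one,
     * so encodings that sit right at a length-of-length boundary may be rejected as
     * inconsistent. That fails closed; confirm against the encoder before changing it.
     */
    private static int innerHeaderSize(int outerLength) {
        if (outerLength <= 127) {
            return 2;
        }
        if (outerLength <= 255) {
            return 3;
        }
        if (outerLength <= 65535) {
            return 4;
        }
        if (outerLength <= 16777215) {
            return 5;
        }
        return 6;
    }

    /**
     * Reads the trailing BIT STRING from the stream and checks it against the data
     * accumulated in {@code signature}.
     *
     * <p>NOTE(review): the decompiler widened this method to {@code public} (originally
     * {@code private}); it is only meant to be called from the command stream's end hook.
     *
     * @param signature verifier already initialised with the leaf public key and updated
     *                  with the command data
     * @throws InvalidSignatureException     if the signature does not verify or the
     *                                       verifier reports a problem
     * @throws InvalidCommandFormatException if the BIT STRING is malformed or truncated
     * @throws IOException                   on read failure
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void validateSignature(Signature signature) throws IOException {
        try {
            if (!signature.verify(DerInputStreamHelper.readBitString(this.is))) {
                throw new InvalidSignatureException("Command signature does not match with trusted certificate.");
            }
        } catch (SignatureException e) {
            throw new InvalidSignatureException("Problem while verifying signature.", e);
        } catch (DerFormatException | EOFException e2) {
            throw new InvalidCommandFormatException(e2);
        }
    }

    /**
     * Reads the version INTEGER and rejects anything other than {@link #VERSION}.
     *
     * @throws InvalidCommandFormatException if the version differs or the stream ends early
     */
    private void checkVersion() throws IOException, DerFormatException {
        try {
            int streamVersion = DerInputStreamHelper.readInteger(this.is);
            if (streamVersion != VERSION) {
                throw new InvalidCommandFormatException("Stream version (" + streamVersion + ") is not supported. Supported version is (" + VERSION + ").");
            }
        } catch (EOFException e) {
            throw new InvalidCommandFormatException(e);
        }
    }

    /**
     * Reads the algorithm identifier (OID followed by NULL) and returns the matching
     * {@link Signature}.
     *
     * <p>The identifier comes from the stream itself, so it is matched against a fixed
     * allowlist; any other value is rejected rather than passed to the JCA provider.
     *
     * @return an uninitialised {@code SHA256withRSA} or {@code SHA256withECDSA} verifier
     * @throws InvalidCommandFormatException if the identifier is not on the allowlist or
     *                                       the stream ends early
     */
    private Signature algId() throws IOException, NoSuchAlgorithmException, DerFormatException {
        try {
            DerValueInputStream algorithmStream = new DerValueInputStream(this.is);
            String oid = DerInputStreamHelper.readOIDString(algorithmStream);
            final String jcaAlgorithm;
            switch (oid) {
                case OID_HEX_SHA256withRSA:
                case OID_SHA256withRSA:
                    jcaAlgorithm = ALG_SHA256withRSA;
                    break;
                case OID_SHA256withECDSA:
                    jcaAlgorithm = ALG_SHA256withECDSA;
                    break;
                default:
                    throw new InvalidCommandFormatException("Unsupported ObjectIdentifier '" + oid + "'.");
            }
            // Both supported identifiers are followed by a NULL parameters element.
            DerInputStreamHelper.readNull(algorithmStream);
            return Signature.getInstance(jcaAlgorithm);
        } catch (EOFException e) {
            throw new InvalidCommandFormatException(e);
        }
    }

    /**
     * Reads every certificate of the path, submits each one to the chain validator, and
     * initialises {@code signature} with the public key of the last certificate read.
     *
     * <p>The validator receives the previously read certificate ({@code null} for the
     * first one), the current certificate, whether the current one is the last of the
     * path, and the value it returned for the previous certificate. The path is accepted
     * only if the value returned for the last certificate is {@code true}.
     *
     * @param signature verifier to initialise with the leaf public key
     * @throws IOException if a certificate is not trusted, or the path validated without
     *                     ending up authorized
     */
    private void certPath(Signature signature) throws IOException, CertificateException, InvalidKeyException, DerFormatException {
        // Declared with its concrete type: remainingLength() is not part of InputStream.
        DerValueInputStream pathStream = new DerValueInputStream(this.is);
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        X509Certificate previous = null;
        int position = 1;
        boolean authorized = false;
        do {
            X509Certificate current = (X509Certificate) certificateFactory.generateCertificate(pathStream);
            try {
                authorized = this.certificateChainValidator.validateCertificate(previous, current, pathStream.remainingLength() == 0, authorized);
                position++;
                previous = current;
            } catch (CertificateException e) {
                throw new IOException("Certificate in position " + position + " of the cert path is not trusted. ", e);
            }
        } while (pathStream.remainingLength() > 0);
        if (!authorized) {
            // Fail closed: a path the validator never authorized must not supply the key.
            throw new IOException("Certificate chain was verified but not authorized");
        }
        signature.initVerify(previous.getPublicKey());
    }
}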
