package com.android.tools.build.bundletool.commands;

import com.android.SdkConstants;
import com.android.bundle.CodeTransparencyOuterClass;
import com.android.tools.build.bundletool.commands.AutoValue_AddTransparencyCommand;
import com.android.tools.build.bundletool.commands.CommandHelp;
import com.android.tools.build.bundletool.flags.Flag;
import com.android.tools.build.bundletool.flags.ParsedFlags;
import com.android.tools.build.bundletool.io.AppBundleSerializer;
import com.android.tools.build.bundletool.model.AppBundle;
import com.android.tools.build.bundletool.model.BundleMetadata;
import com.android.tools.build.bundletool.model.Password;
import com.android.tools.build.bundletool.model.SignerConfig;
import com.android.tools.build.bundletool.model.exceptions.CommandExecutionException;
import com.android.tools.build.bundletool.model.exceptions.InvalidBundleException;
import com.android.tools.build.bundletool.model.exceptions.InvalidCommandException;
import com.android.tools.build.bundletool.model.utils.files.FilePreconditions;
import com.android.tools.build.bundletool.transparency.BundleTransparencyCheckUtils;
import com.android.tools.build.bundletool.transparency.CodeTransparencyCryptoUtils;
import com.android.tools.build.bundletool.transparency.CodeTransparencyFactory;
import com.google.auto.value.AutoValue;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Ascii;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.io.BaseEncoding;
import com.google.common.io.ByteSource;
import com.google.common.io.CharSource;
import com.google.protobuf.InvalidProtocolBufferException;
import com.google.protobuf.util.JsonFormat;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.zip.ZipException;
import java.util.zip.ZipFile;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.lang.JoseException;
import org.jose4j.lang.UncheckedJoseException;

@AutoValue
/* loaded from: input_file:com/android/tools/build/bundletool/commands/AddTransparencyCommand.class */
public abstract class AddTransparencyCommand {
    public static final String COMMAND_NAME = "add-transparency";
    static final int MIN_RSA_KEY_LENGTH = 3072;
    private static final Flag<Mode> MODE_FLAG = Flag.enumFlag("mode", Mode.class);
    private static final Flag<Path> BUNDLE_LOCATION_FLAG = Flag.path("bundle");
    private static final Flag<Path> OUTPUT_FLAG = Flag.path("output");
    private static final Flag<Path> KEYSTORE_FLAG = Flag.path("ks");
    private static final Flag<String> KEY_ALIAS_FLAG = Flag.string("ks-key-alias");
    private static final Flag<Password> KEYSTORE_PASSWORD_FLAG = Flag.password("ks-pass");
    private static final Flag<Password> KEY_PASSWORD_FLAG = Flag.password("key-pass");
    private static final Flag<Path> TRANSPARENCY_KEY_CERTIFICATE_LOCATION_FLAG = Flag.path("transparency-key-certificate");
    private static final Flag<Path> TRANSPARENCY_SIGNATURE_LOCATION_FLAG = Flag.path("transparency-signature");
    private static final Flag<DexMergingChoice> DEX_MERGING_CHOICE_FLAG = Flag.enumFlag("dex-merging-choice", DexMergingChoice.class);
    private static final Flag<Boolean> ALLOW_SHARED_USER_ID_FLAG = Flag.booleanFlag("allow-shared-user-id");

    @AutoValue.Builder
    /* loaded from: input_file:com/android/tools/build/bundletool/commands/AddTransparencyCommand$Builder.class */
    public static abstract class Builder {
        public abstract Builder setMode(Mode mode);

        public abstract Builder setBundlePath(Path path);

        public abstract Builder setOutputPath(Path path);

        public abstract Builder setSignerConfig(SignerConfig signerConfig);

        public abstract Builder setTransparencyKeyCertificates(List<X509Certificate> list);

        public abstract Builder setTransparencySignaturePath(Path path);

        public abstract Builder setDexMergingChoice(DexMergingChoice dexMergingChoice);

        public abstract Builder setAllowSharedUserId(Boolean bool);

        public abstract AddTransparencyCommand build();
    }

    /* loaded from: input_file:com/android/tools/build/bundletool/commands/AddTransparencyCommand$DexMergingChoice.class */
    public enum DexMergingChoice {
        ASK_IN_CONSOLE,
        CONTINUE,
        REJECT;

        final String getLowerCaseName() {
            return Ascii.toLowerCase(name());
        }
    }

    /* loaded from: input_file:com/android/tools/build/bundletool/commands/AddTransparencyCommand$Mode.class */
    public enum Mode {
        DEFAULT,
        GENERATE_CODE_TRANSPARENCY_FILE,
        INJECT_SIGNATURE;

        final String getLowerCaseName() {
            return Ascii.toLowerCase(name());
        }
    }

    public abstract Mode getMode();

    public abstract Path getBundlePath();

    public abstract Path getOutputPath();

    public abstract DexMergingChoice getDexMergingChoice();

    public abstract Optional<SignerConfig> getSignerConfig();

    public abstract ImmutableList<X509Certificate> getTransparencyKeyCertificates();

    public abstract Optional<Path> getTransparencySignaturePath();

    public abstract Optional<Boolean> getAllowSharedUserId();

    public static Builder builder() {
        return new AutoValue_AddTransparencyCommand.Builder().setMode(Mode.DEFAULT).setDexMergingChoice(DexMergingChoice.ASK_IN_CONSOLE).setTransparencyKeyCertificates(ImmutableList.of());
    }

    public static AddTransparencyCommand fromFlags(ParsedFlags parsedFlags) {
        switch (MODE_FLAG.getValue(parsedFlags).orElse(Mode.DEFAULT)) {
            case DEFAULT:
                return fromFlagsInDefaultMode(parsedFlags);
            case GENERATE_CODE_TRANSPARENCY_FILE:
                return fromFlagsInGenerateGenerateCodeTransparencyFileMode(parsedFlags);
            case INJECT_SIGNATURE:
                return fromFlagsInInjectSignatureMode(parsedFlags);
            default:
                throw new IllegalStateException("Unrecognized value of --mode flag.");
        }
    }

    private static AddTransparencyCommand fromFlagsInDefaultMode(ParsedFlags parsedFlags) {
        SignerConfig extractFromKeystore = SignerConfig.extractFromKeystore(KEYSTORE_FLAG.getRequiredValue(parsedFlags), KEY_ALIAS_FLAG.getRequiredValue(parsedFlags), KEYSTORE_PASSWORD_FLAG.getValue(parsedFlags), KEY_PASSWORD_FLAG.getValue(parsedFlags));
        Optional<Boolean> value = ALLOW_SHARED_USER_ID_FLAG.getValue(parsedFlags);
        Builder signerConfig = builder().setMode(Mode.DEFAULT).setBundlePath(BUNDLE_LOCATION_FLAG.getRequiredValue(parsedFlags)).setOutputPath(OUTPUT_FLAG.getRequiredValue(parsedFlags)).setDexMergingChoice(DEX_MERGING_CHOICE_FLAG.getValue(parsedFlags).orElse(DexMergingChoice.ASK_IN_CONSOLE)).setSignerConfig(extractFromKeystore);
        Objects.requireNonNull(signerConfig);
        value.ifPresent(signerConfig::setAllowSharedUserId);
        parsedFlags.checkNoUnknownFlags();
        return signerConfig.build();
    }

    private static AddTransparencyCommand fromFlagsInGenerateGenerateCodeTransparencyFileMode(ParsedFlags parsedFlags) {
        Optional<Boolean> value = ALLOW_SHARED_USER_ID_FLAG.getValue(parsedFlags);
        Builder transparencyKeyCertificates = builder().setMode(Mode.GENERATE_CODE_TRANSPARENCY_FILE).setBundlePath(BUNDLE_LOCATION_FLAG.getRequiredValue(parsedFlags)).setOutputPath(OUTPUT_FLAG.getRequiredValue(parsedFlags)).setTransparencyKeyCertificates(CodeTransparencyCryptoUtils.getX509Certificates(TRANSPARENCY_KEY_CERTIFICATE_LOCATION_FLAG.getRequiredValue(parsedFlags)));
        Objects.requireNonNull(transparencyKeyCertificates);
        value.ifPresent(transparencyKeyCertificates::setAllowSharedUserId);
        parsedFlags.checkNoUnknownFlags();
        return transparencyKeyCertificates.build();
    }

    private static AddTransparencyCommand fromFlagsInInjectSignatureMode(ParsedFlags parsedFlags) {
        Optional<Boolean> value = ALLOW_SHARED_USER_ID_FLAG.getValue(parsedFlags);
        Builder transparencyKeyCertificates = builder().setMode(Mode.INJECT_SIGNATURE).setBundlePath(BUNDLE_LOCATION_FLAG.getRequiredValue(parsedFlags)).setOutputPath(OUTPUT_FLAG.getRequiredValue(parsedFlags)).setTransparencySignaturePath(TRANSPARENCY_SIGNATURE_LOCATION_FLAG.getRequiredValue(parsedFlags)).setTransparencyKeyCertificates(CodeTransparencyCryptoUtils.getX509Certificates(TRANSPARENCY_KEY_CERTIFICATE_LOCATION_FLAG.getRequiredValue(parsedFlags)));
        Objects.requireNonNull(transparencyKeyCertificates);
        value.ifPresent(transparencyKeyCertificates::setAllowSharedUserId);
        parsedFlags.checkNoUnknownFlags();
        return transparencyKeyCertificates.build();
    }

    public void execute() {
        validateCommonInputs();
        try {
            ZipFile zipFile = new ZipFile(getBundlePath().toFile());
            try {
                AppBundle buildFromZip = AppBundle.buildFromZip(zipFile);
                Boolean orElse = getAllowSharedUserId().orElse(false);
                if (buildFromZip.hasSharedUserId() && !orElse.booleanValue()) {
                    throw InvalidBundleException.builder().withUserMessage("Transparency can not be added because `sharedUserId` attribute is specified in one of the manifests and `allow-shared-user-id` flag is either false or not specified explicitly.").build();
                }
                if (buildFromZip.dexMergingEnabled() && evaluateDexMergingChoice().equals(DexMergingChoice.REJECT)) {
                    throw InvalidCommandException.builder().withInternalMessage("'add-transparency' command is rejected because one of generated standalone/universal APKs will require dex merging and it is requested toreject command in this case.").build();
                }
                switch (getMode()) {
                    case DEFAULT:
                        executeDefaultMode(buildFromZip);
                        break;
                    case GENERATE_CODE_TRANSPARENCY_FILE:
                        executeGenerateCodeTransparencyFileMode(buildFromZip);
                        break;
                    case INJECT_SIGNATURE:
                        executeInjectSignatureMode(buildFromZip);
                        break;
                }
                zipFile.close();
            } catch (Throwable th) {
                try {
                    zipFile.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        } catch (ZipException e) {
            throw InvalidBundleException.builder().withCause(e).withUserMessage("The App Bundle is not a valid zip file.").build();
        } catch (IOException e2) {
            throw new UncheckedIOException("An error occurred when processing the App Bundle.", e2);
        } catch (JoseException e3) {
            throw new UncheckedJoseException("An error occurred when signing the code transparency file.", e3);
        }
    }

    private DexMergingChoice evaluateDexMergingChoice() {
        switch (getDexMergingChoice()) {
            case REJECT:
            case CONTINUE:
                return getDexMergingChoice();
            case ASK_IN_CONSOLE:
                return Ascii.equalsIgnoreCase(System.console().readLine("You will not be able to verify code transparency for standalone and universal APKs generated from this bundle. Reason: bundletool will merge dex files when generating standalone APKs. This happens for applications with dynamic feature modules that have min sdk below 21 and specify DexMergingStrategy.MERGE_IF_NEEDED.\nWould you like to continue? [yes/no]:", new Object[0]), SdkConstants.VALUE_YES) ? DexMergingChoice.CONTINUE : DexMergingChoice.REJECT;
            default:
                throw new IllegalStateException("Unsupported DexMergingChoice");
        }
    }

    private void executeDefaultMode(AppBundle appBundle) throws IOException, JoseException {
        validateDefaultModeInputs();
        String jsonText = toJsonText(CodeTransparencyFactory.createCodeTransparencyMetadata(appBundle));
        AppBundle.Builder builder = appBundle.toBuilder();
        builder.setBundleMetadata(appBundle.getBundleMetadata().toBuilder().addFile(BundleMetadata.BUNDLETOOL_NAMESPACE, BundleMetadata.TRANSPARENCY_SIGNED_FILE_NAME, toBytes(createSignedJwt(jsonText, getSignerConfig().get().getCertificates()))).build());
        new AppBundleSerializer().writeToDisk(builder.build(), getOutputPath());
    }

    private void executeGenerateCodeTransparencyFileMode(AppBundle appBundle) throws IOException {
        validateGenerateCodeTransparencyFileModeInputs();
        Files.write(getOutputPath(), toBytes(createJwtWithoutSignature(toJsonText(CodeTransparencyFactory.createCodeTransparencyMetadata(appBundle)), getTransparencyKeyCertificates())).read(), new OpenOption[0]);
    }

    private void executeInjectSignatureMode(AppBundle appBundle) throws IOException {
        validateInjectSignatureModeInputs();
        AppBundle build = appBundle.toBuilder().setBundleMetadata(appBundle.getBundleMetadata().toBuilder().addFile(BundleMetadata.BUNDLETOOL_NAMESPACE, BundleMetadata.TRANSPARENCY_SIGNED_FILE_NAME, toBytes(createJwtWithoutSignature(toJsonText(CodeTransparencyFactory.createCodeTransparencyMetadata(appBundle)), getTransparencyKeyCertificates()) + "." + BaseEncoding.base64Url().encode(Files.readAllBytes(getTransparencySignaturePath().get())))).build()).build();
        if (!BundleTransparencyCheckUtils.checkTransparency(build).verified()) {
            throw CommandExecutionException.builder().withInternalMessage("Code transparency verification failed for the provided public key certificate and signature.").build();
        }
        new AppBundleSerializer().writeToDisk(build, getOutputPath());
    }

    public static CommandHelp help() {
        String str = (String) Arrays.stream(Mode.values()).map((v0) -> {
            return v0.getLowerCaseName();
        }).collect(Collectors.joining(SdkConstants.VALUE_DELIMITER_PIPE));
        return CommandHelp.builder().setCommandName(COMMAND_NAME).setCommandDescription(CommandHelp.CommandDescription.builder().setShortDescription("Generates code transparency file and adds it to the output bundle.").build()).addFlag(CommandHelp.FlagDescription.builder().setFlagName(MODE_FLAG.getName()).setExampleValue(str).setOptional(true).setDescription("Specifies which mode to run '%s' command against. Acceptable values are '%s'. If set to '%s' we generate a signed code transparency file and include it into the output bundle. If set to '%s' we generate unsigned transparency file. If set to '%s' we inject the provided signed transparency file into the bundle. The default value is '%s'.", COMMAND_NAME, str, Mode.DEFAULT.getLowerCaseName(), Mode.GENERATE_CODE_TRANSPARENCY_FILE.getLowerCaseName(), Mode.INJECT_SIGNATURE.getLowerCaseName(), Mode.DEFAULT.getLowerCaseName()).build()).addFlag(CommandHelp.FlagDescription.builder().setFlagName(BUNDLE_LOCATION_FLAG.getName()).setExampleValue("path/to/bundle.aab").setDescription("Path to the Android App Bundle that we want to add transparency file to.").build()).addFlag(CommandHelp.FlagDescription.builder().setFlagName(OUTPUT_FLAG.getName()).setExampleValue("path/to/[bundle_with_transparency.aab|transparency_file.jwe]").setDescription("Path to where the output file should be written. Must have extension .aab in '%s' and '%s' modes.", Mode.DEFAULT.getLowerCaseName(), Mode.INJECT_SIGNATURE.getLowerCaseName()).build()).addFlag(CommandHelp.FlagDescription.builder().setFlagName(KEYSTORE_FLAG.getName()).setExampleValue("path/to/keystore").setOptional(true).setDescription("Path to the keystore that should be used to sign the code transparency file.").build()).addFlag(CommandHelp.FlagDescription.builder().setFlagName(KEY_ALIAS_FLAG.getName()).setOptional(true).setExampleValue("key-alias").setDescription("Alias of the key to use in the keystore to sign the code transparency file.").build()).addFlag(CommandHelp.FlagDescription.builder().setFlagName(KEYSTORE_PASSWORD_FLAG.getName()).setExampleValue("[pass|file]:value").setOptional(true).setDescription("Password of the keystore to use to sign the code transparency file. Must be prefixed with either 'pass:' (if the password is passed in clear text, e.g. 'pass:qwerty') or 'file:' (if the password is the first line of a file, e.g. 'file:/tmp/myPassword.txt'). If this flag is not set, the password will be requested on the prompt.").build()).addFlag(CommandHelp.FlagDescription.builder().setFlagName(KEY_PASSWORD_FLAG.getName()).setExampleValue("[pass|file]:value").setOptional(true).setDescription("Password of the key in the keystore to use to sign the code transparency file. Must be prefixed with either 'pass:' (if the password is passed in clear text, e.g. 'pass:qwerty') or 'file:' (if the password is the first line of a file, e.g. 'file:/tmp/myPassword.txt'). If this flag is not set, the keystore password will be tried. If that fails, the password will be requested on the prompt.").build()).addFlag(CommandHelp.FlagDescription.builder().setFlagName(TRANSPARENCY_KEY_CERTIFICATE_LOCATION_FLAG.getName()).setExampleValue("path/to/certificate.cert").setOptional(true).setDescription("Path to the file containing the code transparency public key certificate. Required in '%s' and '%s' modes. Should not be used in other modes.", Mode.GENERATE_CODE_TRANSPARENCY_FILE.getLowerCaseName(), Mode.INJECT_SIGNATURE.getLowerCaseName()).build()).addFlag(CommandHelp.FlagDescription.builder().setFlagName(TRANSPARENCY_SIGNATURE_LOCATION_FLAG.getName()).setExampleValue("path/to/transparency.signature").setOptional(true).setDescription("Path to the file containing the code transparency file signature. Required in '%s' mode. Should not be used in other modes.", Mode.INJECT_SIGNATURE.getLowerCaseName()).build()).addFlag(CommandHelp.FlagDescription.builder().setFlagName(DEX_MERGING_CHOICE_FLAG.getName()).setExampleValue(String.format("%s|%s", DexMergingChoice.CONTINUE.getLowerCaseName(), DexMergingChoice.REJECT.getLowerCaseName())).setOptional(true).setDescription("Allows to silently respond how 'add-transparency' command should behave if some of generated standalone/universal APKs will require dex merging. '%s' means that 'add-transparency' should add code transparency anyway, but it won't be propagated to these APKs. '%s' means that 'add-transparency' command should fail. By default, if this choice is required user will be asked in terminal.", DexMergingChoice.CONTINUE.getLowerCaseName(), DexMergingChoice.REJECT.getLowerCaseName()).build()).addFlag(CommandHelp.FlagDescription.builder().setFlagName(ALLOW_SHARED_USER_ID_FLAG.getName()).setExampleValue("true|false").setOptional(true).setDescription("Allows to use `add-transparency` command when AppBundle has `sharedUserId`. If the flag is not provided explicitly then its value considered as false").build()).build();
    }

    private String createSignedJwt(String str, List<X509Certificate> list) throws JoseException {
        JsonWebSignature createJwsCommon = createJwsCommon(str, list);
        createJwsCommon.setKey(getSignerConfig().get().getPrivateKey());
        return createJwsCommon.getCompactSerialization();
    }

    @VisibleForTesting
    static String createJwtWithoutSignature(String str, List<X509Certificate> list) {
        JsonWebSignature createJwsCommon = createJwsCommon(str, list);
        return createJwsCommon.getHeaders().getEncodedHeader() + "." + createJwsCommon.getEncodedPayload();
    }

    private static JsonWebSignature createJwsCommon(String str, List<X509Certificate> list) {
        JsonWebSignature jsonWebSignature = new JsonWebSignature();
        jsonWebSignature.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        jsonWebSignature.setCertificateChainHeaderValue((X509Certificate[]) list.toArray(new X509Certificate[0]));
        jsonWebSignature.setPayload(str);
        return jsonWebSignature;
    }

    private static String toJsonText(CodeTransparencyOuterClass.CodeTransparency codeTransparency) throws InvalidProtocolBufferException {
        return JsonFormat.printer().print(codeTransparency);
    }

    private static ByteSource toBytes(String str) {
        return CharSource.wrap(str).asByteSource(Charset.defaultCharset());
    }

    private void validateCommonInputs() {
        FilePreconditions.checkFileHasExtension("AAB file", getBundlePath(), ".aab");
        FilePreconditions.checkFileExistsAndReadable(getBundlePath());
    }

    private void validateDefaultModeInputs() {
        FilePreconditions.checkFileHasExtension("AAB file", getOutputPath(), ".aab");
        FilePreconditions.checkFileDoesNotExist(getOutputPath());
        Preconditions.checkArgument(getSignerConfig().get().getPrivateKey().getAlgorithm().equals("RSA"), "Transparency signing key must be an RSA key, but %s key was provided.", getSignerConfig().get().getPrivateKey().getAlgorithm());
        int bitLength = ((RSAPrivateKey) getSignerConfig().get().getPrivateKey()).getModulus().bitLength();
        Preconditions.checkArgument(bitLength >= MIN_RSA_KEY_LENGTH, "Minimum required key length is %s bits, but %s bit key was provided.", MIN_RSA_KEY_LENGTH, bitLength);
    }

    private void validateGenerateCodeTransparencyFileModeInputs() {
        FilePreconditions.checkFileDoesNotExist(getOutputPath());
        validateTransparencyKeyCertificate();
    }

    private void validateInjectSignatureModeInputs() {
        FilePreconditions.checkFileHasExtension("AAB file", getOutputPath(), ".aab");
        FilePreconditions.checkFileDoesNotExist(getOutputPath());
        FilePreconditions.checkFileExistsAndReadable(getTransparencySignaturePath().get());
        validateTransparencyKeyCertificate();
    }

    private void validateTransparencyKeyCertificate() {
        Preconditions.checkArgument(!getTransparencyKeyCertificates().isEmpty(), "Transparency signing key certificates must be provided.");
        X509Certificate x509Certificate = getTransparencyKeyCertificates().get(0);
        Preconditions.checkArgument(x509Certificate.getPublicKey().getAlgorithm().equals("RSA"), "Transparency signing key must be an RSA key, but %s key was provided.", x509Certificate.getPublicKey().getAlgorithm());
        int bitLength = ((RSAPublicKey) x509Certificate.getPublicKey()).getModulus().bitLength();
        Preconditions.checkArgument(bitLength >= MIN_RSA_KEY_LENGTH, "Minimum required key length is %s bits, but %s bit key was provided.", MIN_RSA_KEY_LENGTH, bitLength);
    }
}
