package org.xipki.security.pkcs11;

import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.DSAPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.time.Clock;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.pkcs.RSAPrivateKey;
import org.bouncycastle.asn1.sec.ECPrivateKey;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.DSAParameter;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.ECNamedCurveTable;
import org.bouncycastle.asn1.x9.X9ECParameters;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.pkcs11.wrapper.AttributeVector;
import org.xipki.pkcs11.wrapper.Functions;
import org.xipki.pkcs11.wrapper.KeyPairTemplate;
import org.xipki.pkcs11.wrapper.Mechanism;
import org.xipki.pkcs11.wrapper.MechanismInfo;
import org.xipki.pkcs11.wrapper.PKCS11Constants;
import org.xipki.pkcs11.wrapper.PKCS11Exception;
import org.xipki.pkcs11.wrapper.PKCS11Key;
import org.xipki.pkcs11.wrapper.PKCS11KeyId;
import org.xipki.pkcs11.wrapper.PKCS11KeyPair;
import org.xipki.pkcs11.wrapper.PKCS11Token;
import org.xipki.pkcs11.wrapper.Token;
import org.xipki.pkcs11.wrapper.TokenException;
import org.xipki.pkcs11.wrapper.params.ByteArrayParams;
import org.xipki.pkcs11.wrapper.params.CkParams;
import org.xipki.pkcs11.wrapper.params.CkParamsWithExtra;
import org.xipki.pkcs11.wrapper.params.ExtraParams;
import org.xipki.pkcs11.wrapper.params.RSA_PKCS_PSS_PARAMS;
import org.xipki.security.EdECConstants;
import org.xipki.security.pkcs11.P11ModuleConf;
import org.xipki.security.pkcs11.P11Params;
import org.xipki.security.pkcs11.P11Slot;
import org.xipki.security.util.KeyUtil;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.PermissionConstants;
import org.xipki.util.StringUtil;

/* loaded from: input_file:WEB-INF/lib/security-6.2.0.jar:org/xipki/security/pkcs11/NativeP11Slot.class */
class NativeP11Slot extends P11Slot {
    // AlgorithmIdentifier for rsaEncryption with explicit NULL parameters. In the visible code it is
    // used when an RSA private key read from the token is wrapped into a PrivateKeyInfo.
    public static final AlgorithmIdentifier ALGID_RSA = new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE);
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) NativeP11Slot.class);
    // UTC clock; not referenced in the part of the class visible here.
    private static final Clock clock = Clock.systemUTC();
    // Handle to the underlying PKCS#11 token; every token operation in this class goes through it.
    private PKCS11Token token;
    // Created in the constructor; presumably feeds object-id generation (generateId is not visible here) - verify.
    private final SecureRandom random;
    // RSA key-pair generation mechanism chosen in the constructor: 10 when the slot supports it
    // with flag 0x10000, otherwise 0.
    private long rsaKeyPairGenMech;
    // Library description reported by the PKCS#11 module; the constructor replaces null with "".
    private String libDesc;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.xipki.security.pkcs11.NativeP11Slot$1, reason: invalid class name */
    /* loaded from: input_file:WEB-INF/lib/security-6.2.0.jar:org/xipki/security/pkcs11/NativeP11Slot$1.class */
    /**
     * Decompiler rendering of a compiler-synthesized lookup table that maps
     * {@code P11Slot.P11KeyUsage} ordinals to dense case indices (1..5) for a {@code switch}
     * statement. The switch that consumes the table is not in the visible part of the class.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xipki$security$pkcs11$P11Slot$P11KeyUsage = new int[P11Slot.P11KeyUsage.values().length];

        static {
            // Each assignment is guarded on its own: if an enum constant is missing at run time
            // (NoSuchFieldError), its slot simply stays 0 and the remaining entries are still filled.
            try {
                $SwitchMap$org$xipki$security$pkcs11$P11Slot$P11KeyUsage[P11Slot.P11KeyUsage.DECRYPT.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$xipki$security$pkcs11$P11Slot$P11KeyUsage[P11Slot.P11KeyUsage.DERIVE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$xipki$security$pkcs11$P11Slot$P11KeyUsage[P11Slot.P11KeyUsage.SIGN.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$xipki$security$pkcs11$P11Slot$P11KeyUsage[P11Slot.P11KeyUsage.SIGN_RECOVER.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$xipki$security$pkcs11$P11Slot$P11KeyUsage[P11Slot.P11KeyUsage.UNWRAP.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
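    /**
     * Wraps an opened PKCS#11 token as a slot and records which mechanisms it offers.
     *
     * <p>The token argument is null-checked while the superclass arguments are evaluated. The
     * original check ran only after the token had already been dereferenced twice, so it could
     * never fire.
     *
     * @param str passed unchanged to the superclass as its first argument
     * @param p11SlotId slot identifier; its id must equal the token id
     * @param pKCS11Token opened token; must not be null
     * @param p11MechanismFilter filter handed to {@code initMechanisms}
     * @param p11NewObjectConf configuration for newly created objects, passed to the superclass
     * @param list passed unchanged to the superclass
     * @param list2 passed unchanged to the superclass
     * @throws TokenException if the token cannot be queried
     * @throws IllegalArgumentException if the slot id and the token id differ
     */
    public NativeP11Slot(String str, P11SlotId p11SlotId, PKCS11Token pKCS11Token, P11ModuleConf.P11MechanismFilter p11MechanismFilter, P11ModuleConf.P11NewObjectConf p11NewObjectConf, List<Long> list, List<Long> list2) throws TokenException {
        // A static call is legal inside an explicit super(...) invocation, so the null check can
        // run before the first dereference of the token.
        super(str, p11SlotId, ((PKCS11Token) Args.notNull(pKCS11Token, "slot")).isReadOnly(), list, list2, p11NewObjectConf);
        this.random = new SecureRandom();
        if (p11SlotId.getId() != pKCS11Token.getTokenId()) {
            throw new IllegalArgumentException("slotId != token.getTokenId");
        }
        this.token = pKCS11Token;
        final String description = pKCS11Token.getToken().getSlot().getModule().getInfo().getLibraryDescription();
        // getSupportedMechanisms() lower-cases this value, so it must never be null.
        this.libDesc = (description == null) ? "" : description;
        initMechanisms(getSupportedMechanisms(), p11MechanismFilter);
        // Mechanism 10 (0xA) is used when the slot supports it with flag 0x10000; otherwise mechanism 0.
        this.rsaKeyPairGenMech = supportsMechanism(10L, 65536L) ? 10L : 0L;
    }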

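    /**
     * Collects the mechanisms the token reports, together with their {@link MechanismInfo}.
     *
     * <p>When the library description contains "smartcard" (case-insensitive), the ECDSA
     * mechanisms that hash on the token (ECDSA with SHA-1, SHA-2 and SHA-3) are dropped and the
     * dropped names are logged at INFO level. Mechanisms for which the token returns no
     * MechanismInfo are skipped with a warning.
     *
     * @return map from mechanism code to its MechanismInfo; never null
     * @throws TokenException if the token cannot be queried
     */
    private Map<Long, MechanismInfo> getSupportedMechanisms() throws TokenException {
        Set<Long> mechanisms = this.token.getMechanisms();
        List<Long> retained = new ArrayList<>(mechanisms.size());
        List<String> ignoredNames = new ArrayList<>();
        // Locale.ROOT keeps the comparison independent of the JVM's default locale.
        boolean smartcard = this.libDesc.toLowerCase(java.util.Locale.ROOT).contains("smartcard");
        for (long mech : mechanisms) {
            boolean hashingEcdsa = mech == PKCS11Constants.CKM_ECDSA_SHA1
                    || mech == PKCS11Constants.CKM_ECDSA_SHA224
                    || mech == PKCS11Constants.CKM_ECDSA_SHA256
                    || mech == PKCS11Constants.CKM_ECDSA_SHA384
                    || mech == PKCS11Constants.CKM_ECDSA_SHA512
                    || mech == PKCS11Constants.CKM_ECDSA_SHA3_224
                    || mech == PKCS11Constants.CKM_ECDSA_SHA3_256
                    || mech == PKCS11Constants.CKM_ECDSA_SHA3_384
                    || mech == PKCS11Constants.CKM_ECDSA_SHA3_512;
            if (smartcard && hashingEcdsa) {
                ignoredNames.add(PKCS11Constants.ckmCodeToName(mech));
            } else {
                retained.add(mech);
            }
        }
        if (!ignoredNames.isEmpty()) {
            LOG.info("Ignore mechanisms in smartcard-based HSM: {}", String.join(", ", ignoredNames));
        }
        // Capacity sized for the default 0.75 load factor so the map is not rehashed while filling.
        Map<Long, MechanismInfo> supported = new HashMap<>(retained.size() * 4 / 3 + 1);
        for (Long mech : retained) {
            MechanismInfo info = this.token.getMechanismInfo(mech.longValue());
            if (info == null) {
                // Rendered text is unchanged from the original concatenated message.
                LOG.warn("found not MechanismInfo for {}, ignore it", PKCS11Constants.ckmCodeToName(mech.longValue()));
            } else {
                supported.put(mech, info);
            }
        }
        return supported;
    }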

    /**
     * Releases this slot by asking the token to close all of its sessions.
     */
    @Override // org.xipki.security.pkcs11.P11Slot, java.io.Closeable, java.lang.AutoCloseable
    public final void close() {
        final PKCS11Token openToken = this.token;
        openToken.closeAllSessions();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
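    /**
     * Digests the value of a secret key inside the token.
     *
     * <p>The null check now runs before the key is first dereferenced. In the original it came
     * after {@code isSecretKey()} had already been called, so it could never report a null argument.
     *
     * @param j digest mechanism code
     * @param nativeP11Key key to digest; must be a secret key
     * @return the digest bytes returned by the token
     * @throws TokenException if the key is not a secret key, the mechanism is not supported for
     *     digesting, or the token call fails
     */
    public byte[] digestSecretKey(long j, NativeP11Key nativeP11Key) throws TokenException {
        Args.notNull(nativeP11Key, "identity");
        if (!nativeP11Key.isSecretKey()) {
            throw new TokenException("digestSecretKey could not be applied to non-SecretKey");
        }
        long handle = nativeP11Key.getKeyId().getHandle();
        // 1024 == 0x400, the PKCS#11 CKF_DIGEST mechanism flag.
        assertMechanismSupported(j, 1024L);
        return this.token.digestKey(new Mechanism(j), handle);
    }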

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Signs {@code bArr} inside the token with the given key and mechanism.
     *
     * @param j signature mechanism code
     * @param p11Params optional mechanism parameters, resolved by {@code getMechanism}
     * @param bArr content to sign; must not be null
     * @param nativeP11Key signing key (not null-checked here)
     * @return the signature bytes returned by the token
     * @throws TokenException if the mechanism is not supported for signing or the token call fails
     */
    public byte[] sign(long j, P11Params p11Params, byte[] bArr, NativeP11Key nativeP11Key) throws TokenException {
        Args.notNull(bArr, "content");
        // 0x800 is the PKCS#11 CKF_SIGN mechanism flag.
        assertMechanismSupported(j, 0x800L);
        final Mechanism signingMechanism = getMechanism(j, p11Params, nativeP11Key);
        final long keyHandle = nativeP11Key.getKeyId().getHandle();
        return this.token.sign(signingMechanism, keyHandle, bArr);
    }

    /**
     * Looks up a key by its PKCS#11 key id and wraps it as a {@code P11Key}.
     *
     * @param pKCS11KeyId identifier of the key to load
     * @return the wrapped key, or {@code null} if the token has no such key
     * @throws TokenException if the token lookup fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    public P11Key getKey(PKCS11KeyId pKCS11KeyId) throws TokenException {
        final PKCS11Key found = this.token.getKey(pKCS11KeyId);
        return (found != null) ? toIdentity(found) : null;
    }

    /**
     * Looks up a key by object id and/or label and wraps it as a {@code P11Key}.
     *
     * @param bArr object id; ignored when null or empty
     * @param str label; ignored when blank
     * @return the wrapped key, or {@code null} when neither criterion is given or nothing matches
     * @throws TokenException if the token lookup fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    public P11Key getKey(byte[] bArr, String str) throws TokenException {
        final boolean hasId = bArr != null && bArr.length > 0;
        if (!hasId && StringUtil.isBlank(str)) {
            // Without any criterion the search would match every key on the token.
            return null;
        }
        final AttributeVector criteria = new AttributeVector();
        if (hasId) {
            criteria.id(bArr);
        }
        if (StringUtil.isNotBlank(str)) {
            criteria.label(str);
        }
        final PKCS11Key found = this.token.getKey(criteria);
        return (found != null) ? toIdentity(found) : null;
    }

    /**
     * Resolves the key id of the private or secret key matching the given id and/or label.
     *
     * @param bArr object id; ignored when null or empty
     * @param str label; ignored when blank
     * @return the key id, or {@code null} when neither criterion is given or nothing matches
     * @throws TokenException if the lookup fails, or the match is neither a private key
     *     (object class 3) nor a secret key (object class 4)
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    public PKCS11KeyId getKeyId(byte[] bArr, String str) throws TokenException {
        final boolean hasId = bArr != null && bArr.length > 0;
        if (!hasId && StringUtil.isBlank(str)) {
            return null;
        }
        final AttributeVector criteria = new AttributeVector();
        if (hasId) {
            criteria.id(bArr);
        }
        if (StringUtil.isNotBlank(str)) {
            criteria.label(str);
        }
        final PKCS11KeyId match = this.token.getKeyId(criteria);
        if (match == null) {
            return null;
        }
        final long objectClass = match.getObjectCLass();
        // 3 and 4 are the PKCS#11 object classes CKO_PRIVATE_KEY and CKO_SECRET_KEY.
        final boolean privateOrSecret = objectClass == 3 || objectClass == 4;
        if (!privateOrSecret) {
            throw new TokenException("could not find private key or secret key for " + getDescription(bArr, str));
        }
        return match;
    }

    /**
     * Converts a token key description into a {@code NativeP11Key} bound to this slot.
     *
     * <p>For private keys (object class 3) the public parameters are copied over: modulus and
     * public exponent for key type 0, the domain parameters for key type 1, and the curve OID for
     * key types 3, 0xFFFFF001, 64 and 65. Secret keys (object class 4) carry no parameters.
     *
     * @param pKCS11Key key description read from the token
     * @return the populated key wrapper
     * @throws TokenException if reading the EC parameters of the public key fails
     * @throws IllegalStateException for any other object class or an unknown private-key type
     */
    private P11Key toIdentity(PKCS11Key pKCS11Key) throws TokenException {
        final PKCS11KeyId keyId = pKCS11Key.id();
        final NativeP11Key identity = new NativeP11Key(this, keyId);
        final long objectClass = keyId.getObjectCLass();
        final long keyType = keyId.getKeyType();
        final boolean privateKey = objectClass == 3;
        if (!privateKey && objectClass != 4) {
            throw new IllegalStateException("unknown object class " + PKCS11Constants.ckoCodeToName(objectClass));
        }
        if (privateKey) {
            if (keyType == 0) {
                identity.setRsaMParameters(pKCS11Key.rsaModulus(), pKCS11Key.rsaPublicExponent());
            } else if (keyType == 1) {
                identity.setDsaParameters(pKCS11Key.dsaPrime(), pKCS11Key.dsaSubprime(), pKCS11Key.dsaBase());
            } else {
                final boolean ecFamily = keyType == 3 || keyType == 4294963201L || keyType == 64 || keyType == 65;
                if (!ecFamily) {
                    throw new IllegalStateException("unknown key type " + PKCS11Constants.ckkCodeToName(keyType));
                }
                ASN1ObjectIdentifier curveOid = detectCurveOid(pKCS11Key.ecParams());
                if (curveOid == null && keyId.getPublicKeyHandle() != null) {
                    // Fall back to attribute 0x180 (EC parameters) of the matching public key.
                    curveOid = detectCurveOid(this.token.getAttrValues(keyId.getPublicKeyHandle().longValue(), 0x180).ecParams());
                }
                if (curveOid != null) {
                    identity.setEcParams(curveOid);
                }
            }
        }
        return identity.sign(pKCS11Key.sign());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the JCA public key that belongs to the given token key.
     *
     * <p>RSA keys (type 0) are built from the parameters cached on {@code p11Key}. DSA keys
     * (type 1) read attribute 0x11 of the public key object. EC-family keys read attribute 0x181
     * (the EC point) and combine it with the cached curve OID.
     *
     * @param p11Key key whose public counterpart is requested
     * @return the public key, or {@code null} when the key id carries no public-key handle
     * @throws TokenException if the key type is unknown, the curve OID does not fit an
     *     Edwards/Montgomery key type, the token read fails, or the key spec is rejected
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    public PublicKey getPublicKey(P11Key p11Key) throws TokenException {
        final Long pubHandle = p11Key.getKeyId().getPublicKeyHandle();
        if (pubHandle == null) {
            return null;
        }
        final long keyType = p11Key.getKeyType();
        if (keyType == 0) {
            return buildRSAKey(p11Key.getRsaModulus(), p11Key.getRsaPublicExponent());
        }
        if (keyType == 1) {
            final BigInteger y = new BigInteger(1, this.token.getAttrValues(pubHandle.longValue(), 0x11).value());
            final DSAPublicKeySpec dsaSpec = new DSAPublicKeySpec(y, p11Key.getDsaP(), p11Key.getDsaQ(), p11Key.getDsaG());
            try {
                return KeyUtil.generateDSAPublicKey(dsaSpec);
            } catch (InvalidKeySpecException e) {
                throw new TokenException(e.getMessage(), e);
            }
        }
        final boolean edwards = keyType == 64;
        final boolean montgomery = keyType == 65;
        final boolean weierstrassOrSm2 = keyType == 3 || keyType == 4294963201L;
        if (!(weierstrassOrSm2 || edwards || montgomery)) {
            throw new TokenException("unknown key type " + PKCS11Constants.ckkCodeToName(keyType));
        }
        final byte[] point = this.token.getAttrValues(pubHandle.longValue(), 0x181).ecPoint();
        final ASN1ObjectIdentifier curveOid = p11Key.getEcParams();
        if (weierstrassOrSm2) {
            try {
                return KeyUtil.createECPublicKey(curveOid, point);
            } catch (InvalidKeySpecException e) {
                throw new TokenException(e.getMessage(), e);
            }
        }
        // The curve OID must belong to the family the key type announces before it is used as
        // the algorithm identifier of the SubjectPublicKeyInfo.
        if (edwards) {
            if (!EdECConstants.isEdwardsCurve(curveOid)) {
                throw new TokenException("unknown Edwards curve OID " + curveOid);
            }
        } else if (!EdECConstants.isMontgomeryCurve(curveOid)) {
            throw new TokenException("unknown Montgomery curve OID " + curveOid);
        }
        try {
            return KeyUtil.generatePublicKey(new SubjectPublicKeyInfo(new AlgorithmIdentifier(curveOid), point));
        } catch (InvalidKeySpecException e) {
            throw new TokenException(e.getMessage(), e);
        }
    }

    /**
     * Tells whether the token holds at least one object matching the given id and/or label.
     *
     * @param bArr object id; ignored when null or empty
     * @param str label; ignored when blank
     * @return {@code true} if a matching object exists; {@code false} when neither criterion is
     *     given or nothing matches
     * @throws TokenException if the token search fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    public boolean objectExistsByIdLabel(byte[] bArr, String str) throws TokenException {
        final boolean hasId = bArr != null && bArr.length > 0;
        if (!hasId && StringUtil.isBlank(str)) {
            return false;
        }
        final AttributeVector criteria = new AttributeVector();
        if (hasId) {
            criteria.id(bArr);
        }
        if (!StringUtil.isBlank(str)) {
            criteria.label(str);
        }
        // One hit is enough to answer the question, so the search is capped at a single object.
        final boolean nothingFound = getObjects(criteria, 1).isEmpty();
        return !nothingFound;
    }

    /**
     * Destroys every object the token returns for an unfiltered search.
     *
     * <p>A token failure is logged at WARN level and reported as 0, so a caller cannot tell
     * "nothing to destroy" from "destruction failed" by the return value alone.
     *
     * @return number of destroyed objects, or 0 on failure
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    public int destroyAllObjects() {
        int destroyedCount = 0;
        try {
            destroyedCount = this.token.destroyObjects(this.token.findAllObjects(null)).length;
        } catch (TokenException e) {
            LogUtil.warn(LOG, e, "error destroyAllObjects()");
        }
        return destroyedCount;
    }

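    /**
     * Destroys the objects with the given handles and reports which handles remain.
     *
     * <p>The list returned by the token is treated as the handles that were destroyed. The result
     * is built from the handles actually left over, so a duplicate in the input can no longer
     * leave a spurious handle 0 in the result. A token failure is now logged instead of being
     * dropped silently.
     *
     * @param jArr handles of the objects to destroy; must not be null
     * @return handles that were not destroyed, in input order; empty when all were destroyed;
     *     {@code jArr} itself when the token call failed
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    public long[] destroyObjectsByHandle(long[] jArr) {
        List<Long> requested = new ArrayList<>(jArr.length);
        for (long handle : jArr) {
            requested.add(handle);
        }
        List<Long> destroyed;
        try {
            destroyed = this.token.destroyObjects(requested);
        } catch (TokenException e) {
            // Nothing is known to be destroyed; leave a trace so a failed purge can be noticed.
            LogUtil.warn(LOG, e, "error destroyObjectsByHandle()");
            return jArr;
        }
        Set<Long> destroyedHandles = new java.util.HashSet<>(destroyed);
        long[] remaining = new long[jArr.length];
        int count = 0;
        for (long handle : jArr) {
            if (!destroyedHandles.contains(handle)) {
                remaining[count++] = handle;
            }
        }
        return java.util.Arrays.copyOf(remaining, count);
    }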

    /**
     * Destroys all objects matching the given id and/or label.
     *
     * <p>The guard uses a blank test for the label while the filter uses an empty test, so a
     * whitespace-only label passed together with an id is still applied as a label filter.
     *
     * @param bArr object id; ignored when null or empty
     * @param str label; ignored when null or empty
     * @return the count reported by {@code removeObjects0}
     * @throws TokenException if the removal fails
     * @throws IllegalArgumentException if the id is null or empty and the label is blank
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    public int destroyObjectsByIdLabel(byte[] bArr, String str) throws TokenException {
        final boolean hasId = bArr != null && bArr.length > 0;
        if (!hasId && StringUtil.isBlank(str)) {
            // An empty filter would select every object on the token.
            throw new IllegalArgumentException("at least one of id and label may not be null");
        }
        final AttributeVector criteria = new AttributeVector();
        if (hasId) {
            criteria.id(bArr);
        }
        final boolean hasLabel = str != null && !str.isEmpty();
        if (hasLabel) {
            criteria.label(str);
        }
        final String description = "objects " + getDescription(bArr, str);
        return removeObjects0(criteria, description);
    }

    /**
     * Generates a secret key inside the token.
     *
     * <p>The generation mechanism follows from the key type: 0x1080 for type 31, 0x131 for
     * type 21 (no explicit value length), and 0x350 for type 16 and the HMAC key types
     * 40, 43-46 and 54-57.
     *
     * @param j key type code
     * @param num key size in bits; must be a multiple of 8 and non-null unless the key type is 21
     * @param p11NewKeyControl requested id, label and key attributes
     * @return key id of the generated secret key
     * @throws TokenException if the mechanism is not supported or the token call fails
     * @throws IllegalArgumentException for a bad key size, an unsupported key type or a label
     *     that already exists
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    protected PKCS11KeyId doGenerateSecretKey(long j, Integer num, P11Slot.P11NewKeyControl p11NewKeyControl) throws TokenException {
        if (num != null && (num.intValue() % 8) != 0) {
            throw new IllegalArgumentException("keysize is not multiple of 8: " + num);
        }
        final long keyGenMech;
        final boolean needsValueLen;
        if (j == 31) {
            keyGenMech = 0x1080L;
            needsValueLen = true;
        } else if (j == 21) {
            keyGenMech = 0x131L;
            needsValueLen = false;
        } else {
            final boolean hmacType = j == 40 || j == 46 || j == 43 || j == 44 || j == 45
                    || j == 54 || j == 55 || j == 56 || j == 57;
            if (j != 16 && !hmacType) {
                throw new IllegalArgumentException("unsupported key type 0x" + PKCS11Constants.codeToName(PKCS11Constants.Category.CKK, j));
            }
            keyGenMech = 0x350L;
            needsValueLen = true;
        }
        assertMechanismSupported(keyGenMech, PKCS11Constants.CKF_GENERATE);
        final String label;
        if (!this.newObjectConf.isIgnoreLabel()) {
            label = p11NewKeyControl.getLabel();
        } else {
            if (p11NewKeyControl.getLabel() != null) {
                LOG.warn("label is set, but ignored: '{}'", p11NewKeyControl.getLabel());
            }
            label = null;
        }
        byte[] keyObjectId = p11NewKeyControl.getId();
        final AttributeVector template = AttributeVector.newSecretKey(j);
        setKeyAttributes(p11NewKeyControl, template, label);
        if (needsValueLen) {
            if (num == null) {
                throw new IllegalArgumentException("keysize must not be null");
            }
            // The token expects the value length in bytes.
            template.valueLen(Integer.valueOf(num.intValue() / 8));
        }
        final Mechanism mechanism = new Mechanism(keyGenMech);
        if (label != null && labelExists(label)) {
            throw new IllegalArgumentException("label " + p11NewKeyControl.getLabel() + " exists, please specify another one");
        }
        if (keyObjectId == null) {
            keyObjectId = generateId();
        }
        final long handle = this.token.generateKey(mechanism, template.id(keyObjectId));
        // Attribute 3 is the label; it is read back so the returned id carries what the token stored.
        final String storedLabel = this.token.getAttrValues(handle, 3).label();
        return new PKCS11KeyId(handle, 4L, j, keyObjectId, storedLabel);
    }

    /**
     * Imports caller-supplied secret-key bytes into the token as a new secret-key object.
     *
     * <p>The raw key value is passed in as a heap array and is not cleared by this method.
     *
     * @param j key type code
     * @param bArr raw key value
     * @param p11NewKeyControl requested id, label and key attributes
     * @return key id of the created object; the label is the one read back from the token, or
     *     the requested label when the read-back fails
     * @throws TokenException if the object cannot be created
     * @throws IllegalArgumentException if the label already exists
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    protected PKCS11KeyId doImportSecretKey(long j, byte[] bArr, P11Slot.P11NewKeyControl p11NewKeyControl) throws TokenException {
        final AttributeVector template = AttributeVector.newSecretKey(j);
        String label;
        if (!this.newObjectConf.isIgnoreLabel()) {
            label = p11NewKeyControl.getLabel();
        } else {
            if (p11NewKeyControl.getLabel() != null) {
                LOG.warn("label is set, but ignored: '{}'", p11NewKeyControl.getLabel());
            }
            label = null;
        }
        setKeyAttributes(p11NewKeyControl, template, label);
        if (label != null && labelExists(label)) {
            throw new IllegalArgumentException("label " + p11NewKeyControl.getLabel() + " exists, please specify another one");
        }
        byte[] keyObjectId = p11NewKeyControl.getId();
        if (keyObjectId == null) {
            keyObjectId = generateId();
        }
        final long handle = this.token.createObject(template.value(bArr).id(keyObjectId));
        try {
            // Attribute 3 is the label as stored by the token.
            label = this.token.getAttrValues(handle, 3).label();
        } catch (PKCS11Exception ignored) {
            // Best effort: the key already exists on the token, so keep the requested label.
        }
        return new PKCS11KeyId(handle, 4L, j, keyObjectId, label);
    }

    /**
     * Generates an RSA key pair that stays on the token.
     *
     * @param i modulus length in bits
     * @param bigInteger public exponent, or {@code null} to leave the choice to the token
     * @param p11NewKeyControl requested id, label and key attributes
     * @return key id of the generated private key
     * @throws TokenException if key generation fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    protected PKCS11KeyId doGenerateRSAKeypair(int i, BigInteger bigInteger, P11Slot.P11NewKeyControl p11NewKeyControl) throws TokenException {
        final KeyPairTemplate rsaTemplate = new KeyPairTemplate(0L);
        rsaTemplate.publicKey().modulusBits(Integer.valueOf(i));
        final boolean explicitExponent = bigInteger != null;
        if (explicitExponent) {
            rsaTemplate.publicKey().publicExponent(bigInteger);
        }
        setKeyPairAttributes(p11NewKeyControl, rsaTemplate, this.newObjectConf);
        final byte[] requestedId = p11NewKeyControl.getId();
        return doGenerateKeyPair(this.rsaKeyPairGenMech, requestedId, rsaTemplate);
    }

    /**
     * Generates a temporary RSA key pair on the token and returns its private key to the caller.
     *
     * <p>All CRT components (attributes 0x120 and 0x122-0x128) are read out of the token, so the
     * private key ends up in JVM heap memory. The temporary key pair is destroyed on every exit
     * path.
     *
     * @param i modulus length in bits
     * @param bigInteger public exponent, or {@code null} to leave the choice to the token
     * @return the private key as a PKCS#8 {@code PrivateKeyInfo}
     * @throws TokenException if generation, attribute read-out or encoding fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    protected PrivateKeyInfo doGenerateRSAKeypairOtf(int i, BigInteger bigInteger) throws TokenException {
        final KeyPairTemplate rsaTemplate = new KeyPairTemplate(0L);
        rsaTemplate.publicKey().modulusBits(Integer.valueOf(i));
        if (bigInteger != null) {
            rsaTemplate.publicKey().publicExponent(bigInteger);
        }
        setPrivateKeyAttrsOtf(rsaTemplate.privateKey());
        final long keyGenMech = this.rsaKeyPairGenMech;
        PKCS11KeyPair transientPair = null;
        try {
            transientPair = this.token.generateKeyPair(new Mechanism(keyGenMech), rsaTemplate);
            final AttributeVector parts = this.token.getAttrValues(transientPair.getPrivateKey(),
                    0x120, 0x122, 0x123, 0x124, 0x125, 0x126, 0x127, 0x128);
            final RSAPrivateKey rsaKey = new RSAPrivateKey(parts.modulus(), parts.publicExponent(), parts.privateExponent(),
                    parts.prime1(), parts.prime2(), parts.exponent1(), parts.exponent2(), parts.coefficient());
            return new PrivateKeyInfo(ALGID_RSA, rsaKey);
        } catch (IOException | PKCS11Exception e) {
            throw new TokenException("could not generate keypair " + PKCS11Constants.ckmCodeToName(keyGenMech), e);
        } finally {
            // The extractable copy must not outlive this call, whether it succeeded or not.
            destroyKeyPairQuietly(transientPair);
        }
    }

    /**
     * Generates a DSA key pair that stays on the token, using the given domain parameters.
     *
     * @param bigInteger prime p
     * @param bigInteger2 subprime q
     * @param bigInteger3 base g
     * @param p11NewKeyControl requested id, label and key attributes
     * @return key id of the generated private key
     * @throws TokenException if key generation fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    protected PKCS11KeyId doGenerateDSAKeypair(BigInteger bigInteger, BigInteger bigInteger2, BigInteger bigInteger3, P11Slot.P11NewKeyControl p11NewKeyControl) throws TokenException {
        final KeyPairTemplate dsaTemplate = new KeyPairTemplate(1L);
        dsaTemplate.publicKey()
                .prime(bigInteger)
                .subprime(bigInteger2)
                .base(bigInteger3);
        setKeyPairAttributes(p11NewKeyControl, dsaTemplate, this.newObjectConf);
        final byte[] requestedId = p11NewKeyControl.getId();
        // 0x10 is the PKCS#11 DSA key-pair generation mechanism.
        return doGenerateKeyPair(0x10L, requestedId, dsaTemplate);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Generates a temporary DSA key pair on the token and returns its private key to the caller.
     *
     * <p>The private value (attribute 0x11 of the private key) is read out of the token into JVM
     * heap memory. The temporary key pair is destroyed on every exit path.
     *
     * @param bigInteger prime p
     * @param bigInteger2 subprime q
     * @param bigInteger3 base g
     * @return the private key as a PKCS#8 {@code PrivateKeyInfo} that also carries the public value
     * @throws TokenException if generation, attribute read-out or encoding fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    public PrivateKeyInfo generateDSAKeypairOtf0(BigInteger bigInteger, BigInteger bigInteger2, BigInteger bigInteger3) throws TokenException {
        final KeyPairTemplate dsaTemplate = new KeyPairTemplate(1L);
        setPrivateKeyAttrsOtf(dsaTemplate.privateKey());
        dsaTemplate.publicKey().prime(bigInteger).subprime(bigInteger2).base(bigInteger3);
        PKCS11KeyPair transientPair = null;
        try {
            final AlgorithmIdentifier dsaAlgId = new AlgorithmIdentifier(X9ObjectIdentifiers.id_dsa, new DSAParameter(bigInteger, bigInteger2, bigInteger3));
            transientPair = this.token.generateKeyPair(new Mechanism(0x10L), dsaTemplate);
            final ASN1Integer privateValue = new ASN1Integer(new BigInteger(1, this.token.getAttrValues(transientPair.getPrivateKey(), 0x11).value()));
            final byte[] encodedPublicValue = new ASN1Integer(new BigInteger(1, this.token.getAttrValues(transientPair.getPublicKey(), 0x11).value())).getEncoded();
            return new PrivateKeyInfo(dsaAlgId, privateValue, (ASN1Set) null, encodedPublicValue);
        } catch (IOException | PKCS11Exception e) {
            throw new TokenException("could not generate keypair " + PKCS11Constants.ckmCodeToName(16L), e);
        } finally {
            // The extractable copy must not outlive this call, whether it succeeded or not.
            destroyKeyPairQuietly(transientPair);
        }
    }

    /**
     * Generates an Edwards-curve key pair (key type 64) that stays on the token.
     *
     * @param aSN1ObjectIdentifier OID of the curve
     * @param p11NewKeyControl requested id, label and key attributes
     * @return key id of the generated private key
     * @throws TokenException if the OID cannot be encoded or key generation fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    protected PKCS11KeyId doGenerateECEdwardsKeypair(ASN1ObjectIdentifier aSN1ObjectIdentifier, P11Slot.P11NewKeyControl p11NewKeyControl) throws TokenException {
        final KeyPairTemplate edwardsTemplate = new KeyPairTemplate(64L);
        setKeyPairAttributes(p11NewKeyControl, edwardsTemplate, this.newObjectConf);
        final byte[] encodedCurveOid;
        try {
            encodedCurveOid = aSN1ObjectIdentifier.getEncoded();
        } catch (IOException e) {
            throw new TokenException(e.getMessage(), e);
        }
        edwardsTemplate.publicKey().ecParams(encodedCurveOid);
        return doGenerateKeyPair(PKCS11Constants.CKM_EC_EDWARDS_KEY_PAIR_GEN, p11NewKeyControl.getId(), edwardsTemplate);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Generates a temporary Edwards-curve key pair and returns its private key to the caller.
     *
     * @param aSN1ObjectIdentifier OID of the curve
     * @return the private key as a PKCS#8 {@code PrivateKeyInfo}
     * @throws TokenException if generation or read-out fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    public PrivateKeyInfo doGenerateECEdwardsKeypairOtf(ASN1ObjectIdentifier aSN1ObjectIdentifier) throws TokenException {
        final long edwardsKeyType = 64L;
        final long keyGenMech = PKCS11Constants.CKM_EC_EDWARDS_KEY_PAIR_GEN;
        return doGenerateECKeypairOtf(edwardsKeyType, keyGenMech, aSN1ObjectIdentifier);
    }

    /**
     * Generates a Montgomery-curve key pair (key type 65) that stays on the token.
     *
     * @param aSN1ObjectIdentifier OID of the curve
     * @param p11NewKeyControl requested id, label and key attributes
     * @return key id of the generated private key
     * @throws TokenException if the OID cannot be encoded or key generation fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    protected PKCS11KeyId doGenerateECMontgomeryKeypair(ASN1ObjectIdentifier aSN1ObjectIdentifier, P11Slot.P11NewKeyControl p11NewKeyControl) throws TokenException {
        final KeyPairTemplate montgomeryTemplate = new KeyPairTemplate(65L);
        setKeyPairAttributes(p11NewKeyControl, montgomeryTemplate, this.newObjectConf);
        final byte[] encodedCurveOid;
        try {
            encodedCurveOid = aSN1ObjectIdentifier.getEncoded();
        } catch (IOException e) {
            throw new TokenException(e.getMessage(), e);
        }
        montgomeryTemplate.publicKey().ecParams(encodedCurveOid);
        return doGenerateKeyPair(PKCS11Constants.CKM_EC_MONTGOMERY_KEY_PAIR_GEN, p11NewKeyControl.getId(), montgomeryTemplate);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Generates a temporary Montgomery-curve key pair and returns its private key to the caller.
     *
     * @param aSN1ObjectIdentifier OID of the curve
     * @return the private key as a PKCS#8 {@code PrivateKeyInfo}
     * @throws TokenException if generation or read-out fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    public PrivateKeyInfo doGenerateECMontgomeryKeypairOtf(ASN1ObjectIdentifier aSN1ObjectIdentifier) throws TokenException {
        final long montgomeryKeyType = 65L;
        final long keyGenMech = PKCS11Constants.CKM_EC_MONTGOMERY_KEY_PAIR_GEN;
        return doGenerateECKeypairOtf(montgomeryKeyType, keyGenMech, aSN1ObjectIdentifier);
    }

    /**
     * Generates an EC key pair (key type 3) that stays on the token, using mechanism 0x1040.
     *
     * @param aSN1ObjectIdentifier OID of the curve
     * @param p11NewKeyControl requested id, label and key attributes
     * @return key id of the generated private key
     * @throws TokenException if the OID cannot be encoded or key generation fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    protected PKCS11KeyId doGenerateECKeypair(ASN1ObjectIdentifier aSN1ObjectIdentifier, P11Slot.P11NewKeyControl p11NewKeyControl) throws TokenException {
        final KeyPairTemplate ecTemplate = new KeyPairTemplate(3L);
        setKeyPairAttributes(p11NewKeyControl, ecTemplate, this.newObjectConf);
        final byte[] encodedCurveOid;
        try {
            encodedCurveOid = aSN1ObjectIdentifier.getEncoded();
        } catch (IOException e) {
            throw new TokenException(e.getMessage(), e);
        }
        ecTemplate.publicKey().ecParams(encodedCurveOid);
        return doGenerateKeyPair(0x1040L, p11NewKeyControl.getId(), ecTemplate);
    }

    /**
     * Generates a temporary EC key pair (key type 3, mechanism 0x1040) and returns its private
     * key to the caller.
     *
     * @param aSN1ObjectIdentifier OID of the curve
     * @return the private key as a PKCS#8 {@code PrivateKeyInfo}
     * @throws TokenException if generation or read-out fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    protected PrivateKeyInfo doGenerateECKeypairOtf(ASN1ObjectIdentifier aSN1ObjectIdentifier) throws TokenException {
        final long ecKeyType = 3L;
        final long keyGenMech = 0x1040L;
        return doGenerateECKeypairOtf(ecKeyType, keyGenMech, aSN1ObjectIdentifier);
    }

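    /**
     * Generates a temporary EC-family key pair on the token and returns its private key.
     *
     * <p>The private value (attribute 0x11) is read out of the token into JVM heap memory. The
     * temporary key pair is destroyed in a {@code finally} block. The original error path called
     * the cleanup with {@code null}, so a pair generated before a later failure (malformed EC
     * point, unknown curve, encoding error) stayed on the token with a readable private key.
     *
     * @param j key type; 64 and 65 produce an octet-string private key, other values an
     *     {@code ECPrivateKey} structure; 0xFFFFF001 is accepted only with sm2p256v1
     * @param j2 key-pair generation mechanism
     * @param aSN1ObjectIdentifier OID of the curve
     * @return the private key as a PKCS#8 {@code PrivateKeyInfo}
     * @throws TokenException if key type and curve do not match, the curve is unknown, the EC
     *     point is missing or not in uncompressed form, or generation/read-out/encoding fails
     */
    private PrivateKeyInfo doGenerateECKeypairOtf(long j, long j2, ASN1ObjectIdentifier aSN1ObjectIdentifier) throws TokenException {
        if (j == 4294963201L && !GMObjectIdentifiers.sm2p256v1.equals(aSN1ObjectIdentifier)) {
            throw new TokenException("keyType and curveId do not match.");
        }
        KeyPairTemplate keyPairTemplate = new KeyPairTemplate(j);
        setPrivateKeyAttrsOtf(keyPairTemplate.privateKey());
        byte[] encodedCurveOid;
        try {
            encodedCurveOid = aSN1ObjectIdentifier.getEncoded();
        } catch (IOException e) {
            throw new TokenException(e.getMessage(), e);
        }
        keyPairTemplate.publicKey().ecParams(encodedCurveOid);
        PKCS11KeyPair transientPair = null;
        try {
            transientPair = this.token.generateKeyPair(new Mechanism(j2), keyPairTemplate);
            byte[] ecPoint = this.token.getAttrValues(transientPair.getPublicKey(), 385).ecPoint();
            byte[] privateValue = this.token.getAttrValues(transientPair.getPrivateKey(), 17).value();
            if (64 == j || 65 == j) {
                return new PrivateKeyInfo(new AlgorithmIdentifier(aSN1ObjectIdentifier), new DEROctetString(privateValue), (ASN1Set) null, ecPoint);
            }
            AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, aSN1ObjectIdentifier);
            // Only the uncompressed point form (leading 0x04) is accepted; a missing or empty
            // value is reported the same way instead of failing with an unchecked exception.
            if (ecPoint == null || ecPoint.length == 0 || ecPoint[0] != 4) {
                throw new TokenException("EcPoint does not start with 0x04");
            }
            Integer curveOrderBitLength = Functions.getCurveOrderBitLength(encodedCurveOid);
            if (curveOrderBitLength == null) {
                throw new TokenException("unknown curve " + aSN1ObjectIdentifier.getId());
            }
            return new PrivateKeyInfo(algorithmIdentifier, new ECPrivateKey(curveOrderBitLength.intValue(), new BigInteger(1, privateValue), new DERBitString(ecPoint), (ASN1Encodable) null));
        } catch (IOException | PKCS11Exception e) {
            throw new TokenException("could not generate keypair " + PKCS11Constants.ckmCodeToName(j2), e);
        } finally {
            // Runs on success and on every failure, with the pair that was actually generated.
            destroyKeyPairQuietly(transientPair);
        }
    }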

    /**
     * Generates an SM2 key pair that stays on the token.
     *
     * <p>When the slot supports mechanism 0xFFFFF001 with flag 0x10000, that mechanism and key
     * type are used; otherwise generation falls back to the generic EC path with curve sm2p256v1.
     *
     * @param p11NewKeyControl requested id, label and key attributes
     * @return key id of the generated private key
     * @throws TokenException if key generation fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    protected PKCS11KeyId doGenerateSM2Keypair(P11Slot.P11NewKeyControl p11NewKeyControl) throws TokenException {
        final long sm2Code = 4294963201L;
        final boolean nativeSm2 = supportsMechanism(sm2Code, 65536L);
        if (nativeSm2) {
            final KeyPairTemplate sm2Template = new KeyPairTemplate(sm2Code);
            // DER encoding of OID 1.2.156.10197.1.301 (sm2p256v1).
            sm2Template.publicKey().ecParams(Hex.decode("06082A811CCF5501822D"));
            setKeyPairAttributes(p11NewKeyControl, sm2Template, this.newObjectConf);
            return doGenerateKeyPair(sm2Code, p11NewKeyControl.getId(), sm2Template);
        }
        return doGenerateECKeypair(GMObjectIdentifiers.sm2p256v1, p11NewKeyControl);
    }

    /**
     * Generates a temporary SM2 key pair and returns its private key to the caller.
     *
     * <p>Uses mechanism and key type 0xFFFFF001 when the slot supports them with flag 0x10000,
     * otherwise the generic EC path with curve sm2p256v1.
     *
     * @return the private key as a PKCS#8 {@code PrivateKeyInfo}
     * @throws TokenException if generation or read-out fails
     */
    @Override // org.xipki.security.pkcs11.P11Slot
    protected PrivateKeyInfo doGenerateSM2KeypairOtf() throws TokenException {
        final long sm2Code = 4294963201L;
        if (supportsMechanism(sm2Code, 65536L)) {
            return doGenerateECKeypairOtf(sm2Code, sm2Code, GMObjectIdentifiers.sm2p256v1);
        }
        return doGenerateECKeypairOtf(GMObjectIdentifiers.sm2p256v1);
    }

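    /**
     * Generates a key pair on the token from a prepared template and returns the private-key id.
     *
     * <p>Two changes against the decompiled original. First, the failure handler around the
     * label check has been removed: it called {@code destroyObjectsByIdLabel(id, label)} when the
     * label check failed, at a point where this call had created nothing, so it could only
     * delete objects that already existed under the same id and label. Second, the unreachable
     * cleanup guarded by a constant-false condition is gone.
     *
     * <p>If mechanism 0x1040 fails, generation is retried once with the curve given as explicit
     * X9.62 parameters instead of a named-curve OID.
     *
     * @param j key-pair generation mechanism
     * @param bArr object id for the new pair, or {@code null} to generate one
     * @param keyPairTemplate template carrying key type, label and attributes
     * @return key id of the private key, with the public-key handle set
     * @throws TokenException if key generation fails
     * @throws IllegalArgumentException if the template's label already exists on the token
     */
    private PKCS11KeyId doGenerateKeyPair(long j, byte[] bArr, KeyPairTemplate keyPairTemplate) throws TokenException {
        long keyType = keyPairTemplate.privateKey().keyType().longValue();
        String label = keyPairTemplate.privateKey().label();
        // Nothing has been created yet at this point, so a failure here needs no cleanup.
        if (label != null && labelExists(label)) {
            throw new IllegalArgumentException("label " + label + " exists, please specify another one");
        }
        byte[] id = (bArr == null) ? generateId() : bArr;
        keyPairTemplate.id(id);
        PKCS11KeyPair generated;
        try {
            generated = this.token.generateKeyPair(new Mechanism(j), keyPairTemplate);
        } catch (PKCS11Exception e) {
            if (j != 4160) {
                throw new TokenException("could not generate keypair " + PKCS11Constants.ckmCodeToName(j), e);
            }
            X9ECParameters explicitParams = ECNamedCurveTable.getByOID(ASN1ObjectIdentifier.getInstance(keyPairTemplate.publicKey().ecParams()));
            if (explicitParams == null) {
                throw e;
            }
            try {
                keyPairTemplate.publicKey().ecParams(explicitParams.getEncoded());
                generated = this.token.generateKeyPair(new Mechanism(j), keyPairTemplate);
            } catch (IOException encodingFailure) {
                // Report the original token error, but keep the encoding failure attached to it.
                e.addSuppressed(encodingFailure);
                throw e;
            }
        }
        PKCS11KeyId keyId = new PKCS11KeyId(generated.getPrivateKey(), 3L, keyType, id, label);
        keyId.setPublicKeyHandle(Long.valueOf(generated.getPublicKey()));
        return keyId;
    }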

    /**
     * Writes a human-readable description of the token, the slot and its objects as UTF-8 text.
     *
     * <p>Token and slot information come first. A failure to read either one is not logged or
     * rethrown; the text {@code "  ERROR"} is written in its place. After that either the
     * attributes of one object or a numbered list of the objects found on the token is written.
     * The list contains handle, id and label of every object, so the stream should go to a
     * trusted destination.
     *
     * @param outputStream destination of the report; flushed but not closed
     * @param l handle of the object to describe, or {@code null} to list the objects
     * @param z whether the supported mechanisms are printed as well
     * @throws IOException if writing to {@code outputStream} fails
     */
    @Override
    public void showDetails(OutputStream outputStream, Long l, boolean z) throws IOException {
        Token tok = this.token.getToken();

        String tokenInfoText;
        try {
            tokenInfoText = tok.getTokenInfo().toString("  ");
        } catch (PKCS11Exception e) {
            tokenInfoText = "  ERROR";
        }

        String slotInfoText;
        try {
            slotInfoText = tok.getSlot().getSlotInfo().toString("  ");
        } catch (PKCS11Exception e) {
            slotInfoText = "  ERROR";
        }

        String tokenSection = "\nToken information:\n" + tokenInfoText;
        outputStream.write(tokenSection.getBytes(StandardCharsets.UTF_8));
        String slotSection = "\n\nSlot information:\n" + slotInfoText;
        outputStream.write(slotSection.getBytes(StandardCharsets.UTF_8));
        outputStream.write('\n');

        if (z) {
            printSupportedMechanism(outputStream);
        }

        try {
            if (l == null) {
                outputStream.write("\nList of objects:\n".getBytes(StandardCharsets.UTF_8));
                int index = 0;
                // The search is capped at 9999 objects.
                for (long handle : this.token.findObjects(null, 9999)) {
                    index++;
                    String line;
                    try {
                        line = formatNumber(index, 3) + ". " + objectToString(handle);
                    } catch (Exception e) {
                        // One unreadable object must not abort the whole listing.
                        line = formatNumber(index, 3) + ". Error reading object with handle " + handle;
                        LOG.debug(line, (Throwable) e);
                    }
                    String row = "  " + line + "\n";
                    outputStream.write(row.getBytes(StandardCharsets.UTF_8));
                    // Flush every ten rows so long listings appear progressively.
                    if (index % 10 == 0) {
                        outputStream.flush();
                    }
                }
            } else {
                String title = "\nDetails of object with handle " + l + "\n";
                outputStream.write(title.getBytes(StandardCharsets.UTF_8));
                String attributes = this.token.getDefaultAttrValues(l.longValue()).toString(false, "  ");
                outputStream.write(attributes.getBytes(StandardCharsets.UTF_8));
            }
        } catch (TokenException e) {
            String message = "  error: " + e.getMessage();
            outputStream.write(message.getBytes(StandardCharsets.UTF_8));
            LogUtil.warn(LOG, e, message);
        }

        outputStream.flush();
    }

    /**
     * Builds a one-line description of a token object: handle, id, label, object class and, for
     * key objects, the key type with its size or curve.
     *
     * <p>The numeric codes are standard PKCS#11 values: attributes 0x102 (CKA_ID), 3 (CKA_LABEL),
     * 0 (CKA_CLASS), 0x100 (CKA_KEY_TYPE), 0x161 (CKA_VALUE_LEN), 0x120 (CKA_MODULUS),
     * 0x180 (CKA_EC_PARAMS) and 0x130 (CKA_PRIME); object classes 2 (public key), 3 (private key)
     * and 4 (secret key).
     *
     * @param j handle of the object
     * @return the description
     * @throws TokenException if an attribute cannot be read
     */
    private String objectToString(long j) throws TokenException {
        AttributeVector basics = this.token.getAttrValues(j, 258, 3, 0);
        long objectClass = basics.class_().longValue();
        byte[] id = basics.id();
        String label = basics.label();

        String keyDescription = null;
        boolean isKeyObject = objectClass == 3 || objectClass == 2 || objectClass == 4;
        if (isKeyObject) {
            long keyType = this.token.getAttrValues(j, 256).keyType().longValue();

            if (objectClass == 4) {
                // Secret key: report the length in bits. Key type 21 (CKK_DES3) is fixed at
                // 24 bytes; other types are read from CKA_VALUE_LEN, 0 when absent.
                int byteLength;
                if (keyType == 21) {
                    byteLength = 24;
                } else {
                    Integer valueLen = this.token.getAttrValues(j, 353).valueLen();
                    byteLength = (valueLen != null) ? valueLen.intValue() : 0;
                }
                keyDescription = PKCS11Constants.ckkCodeToName(keyType).substring(4) + "/" + (byteLength * 8);
            } else if (keyType == 0) {
                // CKK_RSA: modulus length in bits.
                BigInteger modulus = this.token.getAttrValues(j, 288).modulus();
                if (modulus == null) {
                    keyDescription = "RSA/" + "<N/A>";
                } else {
                    keyDescription = "RSA/" + modulus.bitLength();
                }
            } else if (keyType == 3 || keyType == 64 || keyType == 65) {
                // CKK_EC, CKK_EC_EDWARDS, CKK_EC_MONTGOMERY: curve name, or the raw parameters
                // in hex when the curve is not recognised.
                byte[] ecParams = this.token.getAttrValues(j, 384).ecParams();
                String curve;
                if (ecParams != null) {
                    String known = Functions.getCurveName(ecParams);
                    curve = (known != null) ? known : "0x" + hex(ecParams);
                } else {
                    curve = "<N/A>";
                }
                keyDescription = PKCS11Constants.ckkCodeToName(keyType).substring(4) + "/" + curve;
            } else if (keyType == 4294963201L) {
                // Vendor-defined key type 0xFFFFF001, reported as SM2.
                keyDescription = "SM2";
            } else if (keyType == 1) {
                // CKK_DSA: length of the prime in bits, 0 when absent.
                BigInteger prime = this.token.getAttrValues(j, 304).prime();
                int primeBits = (prime != null) ? prime.bitLength() : 0;
                keyDescription = "DSA/" + primeBits;
            } else {
                keyDescription = PKCS11Constants.ckkCodeToName(keyType).substring(4);
            }
        }

        StringBuilder text = new StringBuilder();
        text.append("handle=").append(j);
        text.append(", id=").append(id == null ? "<N/A>" : hex(id));
        text.append(", label=").append(label == null ? "<N/A>" : label);
        // substring(4) drops the first four characters of the constant name (presumably "CKO_").
        text.append(", ").append(PKCS11Constants.ckoCodeToName(objectClass).substring(4));
        if (keyDescription != null) {
            text.append(": ").append(keyDescription);
        }
        return text.toString();
    }

    /**
     * Asks the token for an object id that is not in use, with the length configured for new
     * objects and this slot's random source.
     *
     * @return the new id
     * @throws TokenException if the token cannot provide an id
     */
    private byte[] generateId() throws TokenException {
        int idLength = this.newObjectConf.getIdLength();
        return this.token.generateUniqueId(null, idLength, this.random);
    }

    /**
     * Tells whether at least one object on the token carries the given label.
     *
     * @param str label to look for; must not be {@code null}
     * @return {@code true} if an object with this label was found
     * @throws TokenException if the search fails
     */
    private boolean labelExists(String str) throws TokenException {
        Args.notNull(str, "keyLabel");
        AttributeVector byLabel = new AttributeVector().label(str);
        // One hit is enough, so the search is limited to a single object.
        List<Long> hits = getObjects(byLabel, 1);
        return !CollectionUtil.isEmpty(hits);
    }

    /**
     * Sets the private-key attributes used for keys whose value is handed back to the caller.
     *
     * <p>The key is marked non-sensitive and extractable, so its value can be read from the
     * token, and it is not a token object (presumably a session object that is gone when the
     * session ends). Templates for keys that must stay inside the token must not go through
     * this method.
     *
     * @param attributeVector private-key template to modify
     */
    private static void setPrivateKeyAttrsOtf(AttributeVector attributeVector) {
        attributeVector
                .sensitive(false) // value may be revealed in plaintext
                .extractable(true) // value may be taken out of the token
                .token(false); // not stored as a token object
    }

    /**
     * Destroys both objects of a key pair, logging failures instead of throwing.
     *
     * <p>The public key is destroyed even if destroying the private key failed. A failure is
     * only logged as a warning, so a key object may remain on the token afterwards.
     *
     * @param pKCS11KeyPair pair to destroy; {@code null} is ignored
     */
    private void destroyKeyPairQuietly(PKCS11KeyPair pKCS11KeyPair) {
        if (pKCS11KeyPair == null) {
            return;
        }

        try {
            this.token.destroyObject(pKCS11KeyPair.getPrivateKey());
        } catch (TokenException privateKeyFailure) {
            LogUtil.warn(LOG, privateKeyFailure, "error destroying private key " + pKCS11KeyPair.getPrivateKey());
        }

        try {
            this.token.destroyObject(pKCS11KeyPair.getPublicKey());
        } catch (TokenException publicKeyFailure) {
            LogUtil.warn(LOG, publicKeyFailure, "error destroying public key " + pKCS11KeyPair.getPublicKey());
        }
    }

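    /**
     * Interprets EC parameters as a DER-encoded curve OID, if they are one.
     *
     * <p>The input counts as an OID when its first byte is the OBJECT IDENTIFIER tag (0x06) and
     * its second byte equals the number of remaining bytes. Only this single-byte length form is
     * recognised. The bytes usually come from a token attribute, so anything that does not match,
     * including a missing, empty or one-byte value, yields {@code null} instead of an exception.
     *
     * @param bArr encoded EC parameters
     * @return the curve OID, or {@code null} if the input is not a well-formed OID encoding
     */
    private static ASN1ObjectIdentifier detectCurveOid(byte[] bArr) {
        // Tag and length byte must be present before they are inspected.
        if (bArr == null || bArr.length < 2) {
            return null;
        }

        final int oidTag = 0x06;
        boolean tagMatches = bArr[0] == oidTag;
        boolean lengthMatches = (bArr[1] & 0xFF) == bArr.length - 2;
        if (!tagMatches || !lengthMatches) {
            return null;
        }

        try {
            return ASN1ObjectIdentifier.getInstance(bArr);
        } catch (Exception e) {
            // Content that does not parse as an OID is treated like any other mismatch.
            return null;
        }
    }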

    /**
     * Builds the PKCS#11 mechanism for an operation, converting the slot-level parameters into
     * wrapper parameters.
     *
     * <p>RSA-PSS parameters and plain byte-array parameters are supported. When the key reports
     * an EC order bit size, the parameters are wrapped together with that size.
     *
     * @param j mechanism code
     * @param p11Params parameters of the mechanism, or {@code null} for none
     * @param p11Key key the mechanism will be used with; only read when {@code p11Params} is
     *     not {@code null} (NOTE(review): not null-checked here - confirm callers always pass it)
     * @return the mechanism, with parameters if any were given
     * @throws TokenException if {@code p11Params} is of an unsupported type
     */
    private Mechanism getMechanism(long j, P11Params p11Params, P11Key p11Key) throws TokenException {
        if (p11Params == null) {
            return new Mechanism(j);
        }

        CkParams params;
        if (p11Params instanceof P11Params.P11RSAPkcsPssParams) {
            P11Params.P11RSAPkcsPssParams pss = (P11Params.P11RSAPkcsPssParams) p11Params;
            params = new RSA_PKCS_PSS_PARAMS(pss.getHashAlgorithm(), pss.getMaskGenerationFunction(), pss.getSaltLength());
        } else if (p11Params instanceof P11Params.P11ByteArrayParams) {
            P11Params.P11ByteArrayParams raw = (P11Params.P11ByteArrayParams) p11Params;
            params = new ByteArrayParams(raw.getBytes());
        } else {
            throw new TokenException("unknown P11Parameters " + p11Params.getClass().getName());
        }

        if (p11Key.getEcOrderBitSize() != null) {
            ExtraParams extra = new ExtraParams().ecOrderBitSize(p11Key.getEcOrderBitSize().intValue());
            params = new CkParamsWithExtra(params, extra);
        }
        return new Mechanism(j, params);
    }

    /**
     * Finds the objects matching a template, with the search limit set to 9999.
     *
     * <p>NOTE(review): the second argument is presumably the maximum number of handles returned,
     * in which case matches beyond 9999 are not reported - confirm against findObjects.
     *
     * @param attributeVector search template
     * @return handles of the matching objects
     * @throws TokenException if the search fails
     */
    private List<Long> getObjects(AttributeVector attributeVector) throws TokenException {
        final int searchLimit = 9999;
        return getObjects(attributeVector, searchLimit);
    }

    /**
     * Finds the objects matching a template and returns their handles as a list.
     *
     * @param attributeVector search template
     * @param i limit passed on to the token's object search
     * @return handles of the matching objects, in the order the token returned them
     * @throws TokenException if the search fails
     */
    private List<Long> getObjects(AttributeVector attributeVector, int i) throws TokenException {
        List<Long> handles = new LinkedList<>();
        for (long handle : this.token.findObjects(attributeVector, i)) {
            handles.add(handle);
        }
        return handles;
    }

    /**
     * Creates an RSA public key from its two components.
     *
     * @param bigInteger modulus
     * @param bigInteger2 public exponent
     * @return the public key
     * @throws TokenException if the components do not form a valid key specification
     */
    private RSAPublicKey buildRSAKey(BigInteger bigInteger, BigInteger bigInteger2) throws TokenException {
        RSAPublicKeySpec keySpec = new RSAPublicKeySpec(bigInteger, bigInteger2);
        try {
            return KeyUtil.generateRSAPublicKey(keySpec);
        } catch (InvalidKeySpecException invalidSpec) {
            // Callers of this slot handle TokenException only; keep the cause attached.
            throw new TokenException(invalidSpec.getMessage(), invalidSpec);
        }
    }

    /**
     * Destroys every object that matches a template.
     *
     * <p>The match is whatever the template selects, so a loosely specified template removes
     * more than one object.
     *
     * @param attributeVector template selecting the objects to destroy
     * @param str description of the objects, used in the error log only
     * @return size of the list returned by the token's destroy call (presumably the handles that
     *     were destroyed - confirm against destroyObjects)
     * @throws TokenException if searching for or destroying the objects fails
     */
    private int removeObjects0(AttributeVector attributeVector, String str) throws TokenException {
        try {
            List<Long> handles = getObjects(attributeVector);
            return this.token.destroyObjects(handles).size();
        } catch (TokenException failure) {
            LogUtil.error(LOG, failure, "could not remove " + str);
            throw new TokenException(failure.getMessage(), failure);
        }
    }

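    /**
     * Fills a key-pair template from the caller's key control and the slot configuration.
     *
     * <p>The pair is always created as token objects and the private key is marked private.
     * Extractable and sensitive are set only when the control specifies them; otherwise they are
     * left unset in the template.
     *
     * <p>Without explicit usages a default applies by key type: EC (3), RSA (0), DSA (1) and the
     * vendor SM2 type (0xFFFFF001) get sign/verify, and RSA additionally gets unwrap/wrap and
     * decrypt/encrypt. An RSA key generated this way can therefore sign, decrypt and unwrap;
     * callers that want single-purpose keys must pass the usages explicitly.
     *
     * @param p11NewKeyControl label, attribute flags and usages requested by the caller
     * @param keyPairTemplate template to modify
     * @param p11NewObjectConf slot configuration; decides whether the label is applied
     * @throws IllegalStateException if a usage is not covered by the mapping below
     */
    private void setKeyPairAttributes(P11Slot.P11NewKeyControl p11NewKeyControl, KeyPairTemplate keyPairTemplate, P11ModuleConf.P11NewObjectConf p11NewObjectConf) {
        keyPairTemplate.token(true);
        keyPairTemplate.privateKey().private_(true);

        if (p11NewObjectConf.isIgnoreLabel()) {
            if (p11NewKeyControl.getLabel() != null) {
                LOG.warn("label is set, but ignored: '{}'", p11NewKeyControl.getLabel());
            }
        } else {
            keyPairTemplate.labels(p11NewKeyControl.getLabel());
        }

        if (p11NewKeyControl.getExtractable() != null) {
            keyPairTemplate.privateKey().extractable(p11NewKeyControl.getExtractable());
        }
        if (p11NewKeyControl.getSensitive() != null) {
            keyPairTemplate.privateKey().sensitive(p11NewKeyControl.getSensitive());
        }

        Set<P11Slot.P11KeyUsage> usages = p11NewKeyControl.getUsages();
        if (!CollectionUtil.isNotEmpty(usages)) {
            // No usages requested: fall back to the per-key-type default.
            long keyType = keyPairTemplate.privateKey().keyType().longValue();
            boolean signingKeyType = keyType == 3 || keyType == 0 || keyType == 1 || keyType == 4294963201L;
            if (signingKeyType) {
                keyPairTemplate.signVerify(true);
            }
            if (keyType == 0) {
                keyPairTemplate.unwrapWrap(true).decryptEncrypt(true);
            }
            return;
        }

        for (P11Slot.P11KeyUsage usage : usages) {
            // Compiler-generated switch map over P11KeyUsage. The case labels are plain indices
            // of that map and are written as literals; they are unrelated to any constant of
            // another class that happens to have the same value.
            switch (AnonymousClass1.$SwitchMap$org$xipki$security$pkcs11$P11Slot$P11KeyUsage[usage.ordinal()]) {
                case 1:
                    keyPairTemplate.decryptEncrypt(true);
                    break;
                case 2:
                    keyPairTemplate.derive(true);
                    break;
                case 3:
                    keyPairTemplate.signVerify(true);
                    break;
                case 4:
                    keyPairTemplate.signVerifyRecover(true);
                    break;
                case 5:
                    keyPairTemplate.unwrapWrap(true);
                    break;
                default:
                    throw new IllegalStateException("unknown P11KeyUsage");
            }
        }
    }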

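    /**
     * Fills the template of a single key from the caller's key control.
     *
     * <p>The key is always created as a token object. Label, extractable and sensitive are set
     * only when a value is given. Unlike {@code setKeyPairAttributes}, no default usage applies:
     * when the control names no usages, no usage attribute is set here.
     *
     * @param p11NewKeyControl attribute flags and usages requested by the caller
     * @param attributeVector template to modify
     * @param str label for the key, or {@code null} for none
     * @throws IllegalStateException if a usage is not covered by the mapping below
     */
    private void setKeyAttributes(P11Slot.P11NewKeyControl p11NewKeyControl, AttributeVector attributeVector, String str) {
        attributeVector.token(true);
        if (str != null) {
            attributeVector.label(str);
        }
        if (p11NewKeyControl.getExtractable() != null) {
            attributeVector.extractable(p11NewKeyControl.getExtractable());
        }
        if (p11NewKeyControl.getSensitive() != null) {
            attributeVector.sensitive(p11NewKeyControl.getSensitive());
        }

        Set<P11Slot.P11KeyUsage> usages = p11NewKeyControl.getUsages();
        if (!CollectionUtil.isNotEmpty(usages)) {
            return;
        }

        for (P11Slot.P11KeyUsage usage : usages) {
            // Compiler-generated switch map over P11KeyUsage. The case labels are plain indices
            // of that map and are written as literals; they are unrelated to any constant of
            // another class that happens to have the same value.
            switch (AnonymousClass1.$SwitchMap$org$xipki$security$pkcs11$P11Slot$P11KeyUsage[usage.ordinal()]) {
                case 1:
                    attributeVector.decrypt(true).encrypt(true);
                    break;
                case 2:
                    attributeVector.derive(true);
                    break;
                case 3:
                    attributeVector.sign(true).verify(true);
                    break;
                case 4:
                    attributeVector.signRecover(true).verifyRecover(true);
                    break;
                case 5:
                    attributeVector.unwrap(true).wrap(true);
                    break;
                default:
                    throw new IllegalStateException("unknown P11KeyUsage");
            }
        }
    }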
}
