package org.xipki.security.pkcs11.iaik;

import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.Notify;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.SessionInfo;
import iaik.pkcs.pkcs11.Slot;
import iaik.pkcs.pkcs11.State;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.objects.Certificate;
import iaik.pkcs.pkcs11.objects.CharArrayAttribute;
import iaik.pkcs.pkcs11.objects.DSAPrivateKey;
import iaik.pkcs.pkcs11.objects.DSAPublicKey;
import iaik.pkcs.pkcs11.objects.ECDSAPrivateKey;
import iaik.pkcs.pkcs11.objects.ECDSAPublicKey;
import iaik.pkcs.pkcs11.objects.GenericSecretKey;
import iaik.pkcs.pkcs11.objects.Key;
import iaik.pkcs.pkcs11.objects.KeyPair;
import iaik.pkcs.pkcs11.objects.Object;
import iaik.pkcs.pkcs11.objects.PrivateKey;
import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
import iaik.pkcs.pkcs11.objects.RSAPublicKey;
import iaik.pkcs.pkcs11.objects.SecretKey;
import iaik.pkcs.pkcs11.objects.Storage;
import iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate;
import iaik.pkcs.pkcs11.parameters.RSAPkcsPssParameters;
import iaik.pkcs.pkcs11.wrapper.Functions;
import iaik.pkcs.pkcs11.wrapper.PKCS11Exception;
import java.io.IOException;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.DSAPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLong;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x9.ECNamedCurveTable;
import org.bouncycastle.asn1.x9.X9ECParameters;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.common.concurrent.ConcurrentBag;
import org.xipki.common.concurrent.ConcurrentBagEntry;
import org.xipki.common.util.CollectionUtil;
import org.xipki.common.util.LogUtil;
import org.xipki.common.util.ParamUtil;
import org.xipki.common.util.StringUtil;
import org.xipki.security.X509Cert;
import org.xipki.security.exception.P11TokenException;
import org.xipki.security.exception.XiSecurityException;
import org.xipki.security.pkcs11.AbstractP11Slot;
import org.xipki.security.pkcs11.P11EntityIdentifier;
import org.xipki.security.pkcs11.P11Identity;
import org.xipki.security.pkcs11.P11MechanismFilter;
import org.xipki.security.pkcs11.P11NewKeyControl;
import org.xipki.security.pkcs11.P11ObjectIdentifier;
import org.xipki.security.pkcs11.P11Params;
import org.xipki.security.pkcs11.P11RSAPkcsPssParams;
import org.xipki.security.pkcs11.P11SlotIdentifier;
import org.xipki.security.pkcs11.P11SlotRefreshResult;
import org.xipki.security.pkcs11.Pkcs11Functions;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;

/* loaded from: input_file:org/xipki/security/pkcs11/iaik/IaikP11Slot.class */
class IaikP11Slot extends AbstractP11Slot {
    private static final Logger LOG = LoggerFactory.getLogger(IaikP11Slot.class);
    private static final long DEFAULT_MAX_COUNT_SESSION = 32;
    private final int maxMessageSize;
    private Slot slot;
    private final long userType;
    private List<char[]> password;
    private int maxSessionCount;
    private long timeOutWaitNewSession;
    private final AtomicLong countSessions;
    private final ConcurrentBag<ConcurrentBagEntry<Session>> sessions;
    private boolean writableSessionInUse;
    private Session writableSession;

    /* JADX INFO: Access modifiers changed from: package-private */
    public IaikP11Slot(String str, P11SlotIdentifier p11SlotIdentifier, Slot slot, boolean z, long j, List<char[]> list, int i, P11MechanismFilter p11MechanismFilter) throws P11TokenException {
        super(str, p11SlotIdentifier, z, p11MechanismFilter);
        long j2;
        this.timeOutWaitNewSession = 10000L;
        this.countSessions = new AtomicLong(0L);
        this.sessions = new ConcurrentBag<>();
        this.slot = (Slot) ParamUtil.requireNonNull("slot", slot);
        this.maxMessageSize = ParamUtil.requireMin("maxMessageSize", i, 1);
        this.userType = ParamUtil.requireMin("userType", j, 0L);
        this.password = list;
        try {
            Session openSession = openSession(false);
            try {
                firstLogin(openSession, list);
                try {
                    try {
                        long maxSessionCount = this.slot.getToken().getTokenInfo().getMaxSessionCount();
                        if (maxSessionCount == 0) {
                            j2 = 32;
                        } else {
                            j2 = maxSessionCount < 3 ? 1L : maxSessionCount - 2;
                        }
                        this.maxSessionCount = (int) j2;
                        LOG.info("maxSessionCount: {}", Integer.valueOf(this.maxSessionCount));
                        this.sessions.add(new ConcurrentBagEntry(openSession));
                        refresh();
                    } catch (TokenException e) {
                        throw new P11TokenException("could not get tokenInfo: " + e.getMessage(), e);
                    }
                } catch (TokenException e2) {
                    throw new P11TokenException("could not getToken: " + e2.getMessage(), e2);
                }
            } catch (P11TokenException e3) {
                LogUtil.error(LOG, e3, "firstLogin");
                close();
                throw e3;
            }
        } catch (P11TokenException e4) {
            LogUtil.error(LOG, e4, "openSession");
            close();
            throw e4;
        }
    }

    Slot getSlot() {
        return this.slot;
    }

    @Override // org.xipki.security.pkcs11.AbstractP11Slot
    protected P11SlotRefreshResult refresh0() throws P11TokenException {
        try {
            Mechanism[] mechanismList = this.slot.getToken().getMechanismList();
            P11SlotRefreshResult p11SlotRefreshResult = new P11SlotRefreshResult();
            if (mechanismList != null) {
                for (Mechanism mechanism : mechanismList) {
                    p11SlotRefreshResult.addMechanism(mechanism.getMechanismCode());
                }
            }
            for (SecretKey secretKey : getAllSecretKeyObjects()) {
                byte[] byteArrayValue = secretKey.getId().getByteArrayValue();
                if (byteArrayValue != null && byteArrayValue.length != 0) {
                    analyseSingleKey(secretKey, p11SlotRefreshResult);
                }
            }
            for (X509PublicKeyCertificate x509PublicKeyCertificate : getAllCertificateObjects()) {
                p11SlotRefreshResult.addCertificate(new P11ObjectIdentifier(x509PublicKeyCertificate.getId().getByteArrayValue(), toString(x509PublicKeyCertificate.getLabel())), parseCert(x509PublicKeyCertificate));
            }
            for (PrivateKey privateKey : getAllPrivateObjects()) {
                byte[] byteArrayValue2 = privateKey.getId().getByteArrayValue();
                if (byteArrayValue2 == null || byteArrayValue2.length == 0) {
                    break;
                }
                try {
                    analyseSingleKey(privateKey, p11SlotRefreshResult);
                } catch (XiSecurityException e) {
                    LogUtil.error(LOG, e, "XiSecurityException while initializing private key with id " + hex(byteArrayValue2));
                } catch (Throwable th) {
                    LOG.error("unexpected exception while initializing private key with id " + hex(byteArrayValue2) + " and label " + (privateKey.getLabel() != null ? new String(privateKey.getLabel().getCharArrayValue()) : ""), th);
                }
            }
            return p11SlotRefreshResult;
        } catch (TokenException e2) {
            throw new P11TokenException("could not getMechanismList: " + e2.getMessage(), e2);
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    public void close() {
        if (this.slot != null) {
            try {
                LOG.info("close all sessions on token: {}", Long.valueOf(this.slot.getSlotID()));
                if (this.writableSession != null) {
                    this.writableSession.closeSession();
                }
                Iterator it = this.sessions.values().iterator();
                while (it.hasNext()) {
                    ((Session) ((ConcurrentBagEntry) it.next()).value()).closeSession();
                }
            } catch (Throwable th) {
                LogUtil.error(LOG, th, "could not slot.getToken().closeAllSessions()");
            }
            this.slot = null;
        }
        this.sessions.close();
        this.countSessions.lazySet(0L);
    }

    private void analyseSingleKey(SecretKey secretKey, P11SlotRefreshResult p11SlotRefreshResult) {
        p11SlotRefreshResult.addIdentity(new IaikP11Identity(this, new P11EntityIdentifier(this.slotId, new P11ObjectIdentifier(secretKey.getId().getByteArrayValue(), toString(secretKey.getLabel()))), secretKey));
    }

    private void analyseSingleKey(PrivateKey privateKey, P11SlotRefreshResult p11SlotRefreshResult) throws P11TokenException, XiSecurityException {
        PublicKey generatePublicKey;
        byte[] byteArrayValue = privateKey.getId().getByteArrayValue();
        X509Cert certForId = p11SlotRefreshResult.getCertForId(byteArrayValue);
        if (certForId != null) {
            generatePublicKey = certForId.cert().getPublicKey();
        } else {
            iaik.pkcs.pkcs11.objects.PublicKey publicKeyObject = getPublicKeyObject(byteArrayValue, null);
            if (publicKeyObject == null) {
                LOG.info("neither certificate nor public key for the key (" + Hex.toHexString(byteArrayValue) + " is available");
                return;
            }
            generatePublicKey = generatePublicKey(publicKeyObject);
        }
        p11SlotRefreshResult.addIdentity(new IaikP11Identity(this, new P11EntityIdentifier(this.slotId, new P11ObjectIdentifier(byteArrayValue, toString(privateKey.getLabel()))), privateKey, generatePublicKey, certForId == null ? null : new X509Certificate[]{certForId.cert()}));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public byte[] digestKey(long j, IaikP11Identity iaikP11Identity) throws P11TokenException {
        int i;
        ParamUtil.requireNonNull("identity", iaikP11Identity);
        assertMechanismSupported(j);
        SecretKey signingKey = iaikP11Identity.signingKey();
        if (!(signingKey instanceof SecretKey)) {
            throw new P11TokenException("digestSecretKey could not be applied to non-SecretKey");
        }
        if (LOG.isTraceEnabled()) {
            LOG.debug("digest (init, digestKey, then finish)\n{}", signingKey);
        }
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        if (borrowSession == null) {
            throw new P11TokenException("no idle session available");
        }
        if (544 == j) {
            i = 20;
        } else if (597 == j || 693 == j) {
            i = 28;
        } else if (592 == j || 688 == j) {
            i = 32;
        } else if (608 == j || 704 == j) {
            i = 48;
        } else {
            if (624 != j && 720 != j) {
                throw new P11TokenException("unsupported mechnism " + j);
            }
            i = 64;
        }
        try {
            try {
                Session session = (Session) borrowSession.value();
                session.digestInit(Mechanism.get(j));
                session.digestKey(signingKey);
                byte[] bArr = new byte[i];
                session.digestFinal(bArr, 0, i);
                this.sessions.requite(borrowSession);
                return bArr;
            } catch (TokenException e) {
                throw new P11TokenException((Throwable) e);
            }
        } catch (Throwable th) {
            this.sessions.requite(borrowSession);
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public byte[] sign(long j, P11Params p11Params, byte[] bArr, IaikP11Identity iaikP11Identity) throws P11TokenException {
        ParamUtil.requireNonNull("content", bArr);
        assertMechanismSupported(j);
        int length = bArr.length;
        if (length <= this.maxMessageSize) {
            return singleSign(j, p11Params, bArr, iaikP11Identity);
        }
        Key signingKey = iaikP11Identity.signingKey();
        Mechanism mechanism = getMechanism(j, p11Params);
        if (LOG.isTraceEnabled()) {
            LOG.debug("sign (init, update, then finish) with private key:\n{}", signingKey);
        }
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            if (borrowSession == null) {
                throw new P11TokenException("no idle session available");
            }
            try {
                Session session = (Session) borrowSession.value();
                session.signInit(mechanism, signingKey);
                int i = 0;
                while (i < length) {
                    session.signUpdate(bArr, i, Math.min(this.maxMessageSize, length - i));
                    i += this.maxMessageSize;
                }
                int expectedSignatureLen = iaikP11Identity.expectedSignatureLen();
                if (j == 545) {
                    expectedSignatureLen = 20;
                } else if (j == 598 || j == 693) {
                    expectedSignatureLen = 28;
                } else if (j == 593 || j == 688) {
                    expectedSignatureLen = 32;
                } else if (j == 609 || j == 704) {
                    expectedSignatureLen = 48;
                } else if (j == 625 || j == 720) {
                    expectedSignatureLen = 64;
                }
                byte[] signFinal = session.signFinal(expectedSignatureLen);
                this.sessions.requite(borrowSession);
                return signFinal;
            } catch (TokenException e) {
                throw new P11TokenException((Throwable) e);
            }
        } catch (Throwable th) {
            this.sessions.requite(borrowSession);
            throw th;
        }
    }

    private byte[] singleSign(long j, P11Params p11Params, byte[] bArr, IaikP11Identity iaikP11Identity) throws P11TokenException {
        byte[] sign;
        Key signingKey = iaikP11Identity.signingKey();
        Mechanism mechanism = getMechanism(j, p11Params);
        if (LOG.isTraceEnabled()) {
            LOG.debug("sign with signing key:\n{}", signingKey);
        }
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            if (borrowSession == null) {
                throw new P11TokenException("no idle session available");
            }
            try {
                Session session = (Session) borrowSession.value();
                synchronized (session) {
                    session.signInit(mechanism, signingKey);
                    sign = session.sign(bArr);
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("signature:\n{}", Hex.toHexString(sign));
                }
                return sign;
            } catch (TokenException e) {
                throw new P11TokenException(e.getMessage(), e);
            }
        } finally {
            this.sessions.requite(borrowSession);
        }
    }

    private static Mechanism getMechanism(long j, P11Params p11Params) throws P11TokenException {
        Mechanism mechanism = Mechanism.get(j);
        if (p11Params == null) {
            return mechanism;
        }
        if (!(p11Params instanceof P11RSAPkcsPssParams)) {
            throw new P11TokenException("unknown P11Parameters " + p11Params.getClass().getName());
        }
        P11RSAPkcsPssParams p11RSAPkcsPssParams = (P11RSAPkcsPssParams) p11Params;
        mechanism.setParameters(new RSAPkcsPssParameters(Mechanism.get(p11RSAPkcsPssParams.hashAlgorithm()), p11RSAPkcsPssParams.maskGenerationFunction(), p11RSAPkcsPssParams.saltLength()));
        return mechanism;
    }

    private Session openSession(boolean z) throws P11TokenException {
        try {
            Session openSession = this.slot.getToken().openSession(true, z, (Object) null, (Notify) null);
            this.countSessions.incrementAndGet();
            return openSession;
        } catch (TokenException e) {
            throw new P11TokenException(e.getMessage(), e);
        }
    }

    private ConcurrentBagEntry<Session> borrowSession() throws P11TokenException {
        ConcurrentBagEntry<Session> concurrentBagEntry = null;
        if (this.countSessions.get() < this.maxSessionCount) {
            try {
                concurrentBagEntry = this.sessions.borrow(1L, TimeUnit.NANOSECONDS);
            } catch (InterruptedException e) {
            }
            if (concurrentBagEntry == null) {
                concurrentBagEntry = new ConcurrentBagEntry<>(openSession(false));
                this.sessions.add(concurrentBagEntry);
            }
        }
        if (concurrentBagEntry == null) {
            try {
                concurrentBagEntry = this.sessions.borrow(this.timeOutWaitNewSession, TimeUnit.MILLISECONDS);
            } catch (InterruptedException e2) {
            }
        }
        if (concurrentBagEntry == null) {
            throw new P11TokenException("no idle session");
        }
        login((Session) concurrentBagEntry.value());
        return concurrentBagEntry;
    }

    private void firstLogin(Session session, List<char[]> list) throws P11TokenException {
        try {
            if (session.getToken().getTokenInfo().isProtectedAuthenticationPath() || CollectionUtil.isEmpty(list)) {
                LOG.info("verify on PKCS11Module with PROTECTED_AUTHENTICATION_PATH");
                singleLogin(session, null);
            } else {
                LOG.info("verify on PKCS11Module with PIN");
                Iterator<char[]> it = list.iterator();
                while (it.hasNext()) {
                    singleLogin(session, it.next());
                }
                this.password = list;
            }
        } catch (TokenException e) {
            throw new P11TokenException(e.getMessage(), e);
        } catch (PKCS11Exception e2) {
            if (e2.getErrorCode() != 256) {
                throw new P11TokenException(e2.getMessage(), e2);
            }
        }
    }

    private void login(Session session) throws P11TokenException {
        boolean z;
        if (checkSessionLoggedIn(session)) {
            return;
        }
        try {
            z = session.getToken().getTokenInfo().isLoginRequired();
        } catch (TokenException e) {
            LogUtil.error(LOG, e, "could not check whether LoginRequired of token");
            z = true;
        }
        LOG.debug("loginRequired: {}", Boolean.valueOf(z));
        if (z) {
            if (CollectionUtil.isEmpty(this.password)) {
                singleLogin(session, null);
                return;
            }
            Iterator<char[]> it = this.password.iterator();
            while (it.hasNext()) {
                singleLogin(session, it.next());
            }
        }
    }

    private void singleLogin(Session session, char[] cArr) throws P11TokenException {
        char[] cArr2 = cArr;
        if (cArr == null) {
            cArr2 = new char[0];
        }
        try {
            if (this.userType == 1) {
                session.login(true, cArr2);
            } else if (this.userType == 0) {
                session.login(false, cArr2);
            } else {
                session.login(this.userType, cArr2);
            }
        } catch (TokenException e) {
            throw new P11TokenException(e.getMessage(), e);
        }
    }

    private List<PrivateKey> getAllPrivateObjects() throws P11TokenException {
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            List<Storage> objects = getObjects((Session) borrowSession.value(), new PrivateKey());
            if (CollectionUtil.isEmpty(objects)) {
                List<PrivateKey> emptyList = Collections.emptyList();
                this.sessions.requite(borrowSession);
                return emptyList;
            }
            int size = objects.size();
            LOG.info("found {} private keys", Integer.valueOf(size));
            ArrayList arrayList = new ArrayList(size);
            Iterator<Storage> it = objects.iterator();
            while (it.hasNext()) {
                arrayList.add((Storage) it.next());
            }
            return arrayList;
        } finally {
            this.sessions.requite(borrowSession);
        }
    }

    private List<SecretKey> getAllSecretKeyObjects() throws P11TokenException {
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            List<Storage> objects = getObjects((Session) borrowSession.value(), new SecretKey());
            if (CollectionUtil.isEmpty(objects)) {
                List<SecretKey> emptyList = Collections.emptyList();
                this.sessions.requite(borrowSession);
                return emptyList;
            }
            int size = objects.size();
            LOG.info("found {} private keys", Integer.valueOf(size));
            ArrayList arrayList = new ArrayList(size);
            Iterator<Storage> it = objects.iterator();
            while (it.hasNext()) {
                arrayList.add((Storage) it.next());
            }
            return arrayList;
        } finally {
            this.sessions.requite(borrowSession);
        }
    }

    private SecretKey getSecretKeyObject(byte[] bArr, char[] cArr) throws P11TokenException {
        return getKeyObject(new SecretKey(), bArr, cArr);
    }

    private PrivateKey getPrivateKeyObject(byte[] bArr, char[] cArr) throws P11TokenException {
        return getKeyObject(new PrivateKey(), bArr, cArr);
    }

    private iaik.pkcs.pkcs11.objects.PublicKey getPublicKeyObject(byte[] bArr, char[] cArr) throws P11TokenException {
        return getKeyObject(new iaik.pkcs.pkcs11.objects.PublicKey(), bArr, cArr);
    }

    private Key getKeyObject(Key key, byte[] bArr, char[] cArr) throws P11TokenException {
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        if (bArr != null) {
            try {
                key.getId().setByteArrayValue(bArr);
            } finally {
                this.sessions.requite(borrowSession);
            }
        }
        if (cArr != null) {
            key.getLabel().setCharArrayValue(cArr);
        }
        List<Storage> objects = getObjects((Session) borrowSession.value(), key, 2);
        if (CollectionUtil.isEmpty(objects)) {
            return null;
        }
        int size = objects.size();
        if (size > 1) {
            LOG.warn("found {} public key identified by {}, use the first one", Integer.valueOf(size), getDescription(bArr, cArr));
        }
        Key key2 = objects.get(0);
        this.sessions.requite(borrowSession);
        return key2;
    }

    private static boolean checkSessionLoggedIn(Session session) throws P11TokenException {
        try {
            SessionInfo sessionInfo = session.getSessionInfo();
            if (LOG.isTraceEnabled()) {
                LOG.debug("SessionInfo: {}", sessionInfo);
            }
            State state = sessionInfo.getState();
            long deviceError = sessionInfo.getDeviceError();
            LOG.debug("to be verified PKCS11Module: state = {}, deviceError: {}", state, Long.valueOf(deviceError));
            boolean z = (state.equals(State.RO_USER_FUNCTIONS) || state.equals(State.RW_USER_FUNCTIONS)) && deviceError == 0;
            LOG.debug("sessionLoggedIn: {}", Boolean.valueOf(z));
            return z;
        } catch (TokenException e) {
            throw new P11TokenException(e.getMessage(), e);
        }
    }

    private static List<Storage> getObjects(Session session, Storage storage) throws P11TokenException {
        return getObjects(session, storage, 9999);
    }

    private static List<Storage> getObjects(Session session, Storage storage, int i) throws P11TokenException {
        Storage[] findObjects;
        LinkedList linkedList = new LinkedList();
        try {
            try {
                session.findObjectsInit(storage);
                while (linkedList.size() < i && (findObjects = session.findObjects(1)) != null && findObjects.length != 0) {
                    for (Storage storage2 : findObjects) {
                        if (LOG.isTraceEnabled()) {
                            LOG.debug("found object: {}", storage2);
                        }
                        linkedList.add(storage2);
                    }
                }
                return linkedList;
            } catch (TokenException e) {
                throw new P11TokenException(e.getMessage(), e);
            }
        } finally {
            try {
                session.findObjectsFinal();
            } catch (Exception e2) {
            }
        }
    }

    private static PublicKey generatePublicKey(iaik.pkcs.pkcs11.objects.PublicKey publicKey) throws XiSecurityException {
        if (publicKey instanceof RSAPublicKey) {
            RSAPublicKey rSAPublicKey = (RSAPublicKey) publicKey;
            try {
                return KeyUtil.generateRSAPublicKey(new RSAPublicKeySpec(new BigInteger(1, rSAPublicKey.getModulus().getByteArrayValue()), new BigInteger(1, rSAPublicKey.getPublicExponent().getByteArrayValue())));
            } catch (InvalidKeySpecException e) {
                throw new XiSecurityException(e.getMessage(), e);
            }
        }
        if (!(publicKey instanceof DSAPublicKey)) {
            if (!(publicKey instanceof ECDSAPublicKey)) {
                throw new XiSecurityException("unknown publicKey class " + publicKey.getClass().getName());
            }
            ECDSAPublicKey eCDSAPublicKey = (ECDSAPublicKey) publicKey;
            try {
                return KeyUtil.createECPublicKey(eCDSAPublicKey.getEcdsaParams().getByteArrayValue(), DEROctetString.getInstance(eCDSAPublicKey.getEcPoint().getByteArrayValue()).getOctets());
            } catch (InvalidKeySpecException e2) {
                throw new XiSecurityException(e2.getMessage(), e2);
            }
        }
        DSAPublicKey dSAPublicKey = (DSAPublicKey) publicKey;
        try {
            return KeyUtil.generateDSAPublicKey(new DSAPublicKeySpec(new BigInteger(1, dSAPublicKey.getValue().getByteArrayValue()), new BigInteger(1, dSAPublicKey.getPrime().getByteArrayValue()), new BigInteger(1, dSAPublicKey.getSubprime().getByteArrayValue()), new BigInteger(1, dSAPublicKey.getBase().getByteArrayValue())));
        } catch (InvalidKeySpecException e3) {
            throw new XiSecurityException(e3.getMessage(), e3);
        }
    }

    private static String toString(CharArrayAttribute charArrayAttribute) {
        char[] charArrayValue;
        String str = "";
        if (charArrayAttribute != null && (charArrayValue = charArrayAttribute.getCharArrayValue()) != null) {
            str = new String(charArrayValue);
        }
        return str;
    }

    private static X509Cert parseCert(X509PublicKeyCertificate x509PublicKeyCertificate) throws P11TokenException {
        try {
            byte[] byteArrayValue = x509PublicKeyCertificate.getValue().getByteArrayValue();
            return new X509Cert(X509Util.parseCert(byteArrayValue), byteArrayValue);
        } catch (CertificateException e) {
            throw new P11TokenException("could not parse certificate: " + e.getMessage(), e);
        }
    }

    private synchronized Session borrowWritableSession() throws P11TokenException {
        if (this.writableSession == null) {
            this.writableSession = openSession(true);
        }
        if (this.writableSessionInUse) {
            throw new P11TokenException("no idle writable session available");
        }
        this.writableSessionInUse = true;
        login(this.writableSession);
        return this.writableSession;
    }

    private synchronized void returnWritableSession(Session session) throws P11TokenException {
        if (session != this.writableSession) {
            throw new P11TokenException("the returned session does not belong to me");
        }
        this.writableSessionInUse = false;
    }

    private List<X509PublicKeyCertificate> getAllCertificateObjects() throws P11TokenException {
        X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            List<Storage> objects = getObjects((Session) borrowSession.value(), x509PublicKeyCertificate);
            this.sessions.requite(borrowSession);
            ArrayList arrayList = new ArrayList(objects.size());
            Iterator<Storage> it = objects.iterator();
            while (it.hasNext()) {
                arrayList.add((Object) it.next());
            }
            return arrayList;
        } catch (Throwable th) {
            this.sessions.requite(borrowSession);
            throw th;
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    public int removeObjects(byte[] bArr, String str) throws P11TokenException {
        if ((bArr == null || bArr.length == 0) && StringUtil.isBlank(str)) {
            throw new IllegalArgumentException("at least one of id and label must not be null");
        }
        Key key = new Key();
        if (bArr != null && bArr.length > 0) {
            key.getId().setByteArrayValue(bArr);
        }
        if (StringUtil.isNotBlank(str)) {
            key.getLabel().setCharArrayValue(str.toCharArray());
        }
        String description = getDescription(bArr, str);
        int removeObjects = removeObjects((Storage) key, "keys " + description);
        X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
        if (bArr != null && bArr.length > 0) {
            x509PublicKeyCertificate.getId().setByteArrayValue(bArr);
        }
        if (StringUtil.isNotBlank(str)) {
            x509PublicKeyCertificate.getLabel().setCharArrayValue(str.toCharArray());
        }
        return removeObjects + removeObjects((Storage) x509PublicKeyCertificate, "certificates" + description);
    }

    private int removeObjects(Storage storage, String str) throws P11TokenException {
        Session borrowWritableSession = borrowWritableSession();
        try {
            try {
                List<Storage> objects = getObjects(borrowWritableSession, storage);
                Iterator<Storage> it = objects.iterator();
                while (it.hasNext()) {
                    borrowWritableSession.destroyObject(it.next());
                }
                int size = objects.size();
                returnWritableSession(borrowWritableSession);
                return size;
            } catch (TokenException e) {
                LogUtil.error(LOG, e, "could not remove " + str);
                throw new P11TokenException(e.getMessage(), e);
            }
        } catch (Throwable th) {
            returnWritableSession(borrowWritableSession);
            throw th;
        }
    }

    @Override // org.xipki.security.pkcs11.AbstractP11Slot
    protected void removeCerts0(P11ObjectIdentifier p11ObjectIdentifier) throws P11TokenException {
        Object[] certificateObjects = getCertificateObjects(p11ObjectIdentifier.id(), p11ObjectIdentifier.labelChars());
        if (certificateObjects == null || certificateObjects.length == 0) {
            LOG.warn("could not find certificates " + p11ObjectIdentifier);
            return;
        }
        Session borrowWritableSession = borrowWritableSession();
        try {
            try {
                for (Object object : certificateObjects) {
                    borrowWritableSession.destroyObject(object);
                }
            } catch (TokenException e) {
                throw new P11TokenException(e.getMessage(), e);
            }
        } finally {
            returnWritableSession(borrowWritableSession);
        }
    }

    @Override // org.xipki.security.pkcs11.AbstractP11Slot
    protected void addCert0(P11ObjectIdentifier p11ObjectIdentifier, X509Certificate x509Certificate) throws P11TokenException {
        X509PublicKeyCertificate createPkcs11Template = createPkcs11Template(new X509Cert(x509Certificate), p11ObjectIdentifier.id(), p11ObjectIdentifier.labelChars());
        Session borrowWritableSession = borrowWritableSession();
        try {
            try {
                borrowWritableSession.createObject(createPkcs11Template);
                returnWritableSession(borrowWritableSession);
            } catch (TokenException e) {
                throw new P11TokenException(e.getMessage(), e);
            }
        } catch (Throwable th) {
            returnWritableSession(borrowWritableSession);
            throw th;
        }
    }

    @Override // org.xipki.security.pkcs11.AbstractP11Slot
    protected P11Identity generateSecretKey0(long j, int i, String str, P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        long j2;
        if (i % 8 != 0) {
            throw new IllegalArgumentException("keysize is not multiple of 8: " + i);
        }
        GenericSecretKey genericSecretKey = new GenericSecretKey();
        genericSecretKey.getKeyType().setLongValue(Long.valueOf(j));
        genericSecretKey.getToken().setBooleanValue(true);
        genericSecretKey.getLabel().setCharArrayValue(str.toCharArray());
        genericSecretKey.getSign().setBooleanValue(true);
        genericSecretKey.getSensitive().setBooleanValue(true);
        genericSecretKey.getExtractable().setBooleanValue(Boolean.valueOf(p11NewKeyControl.isExtractable()));
        genericSecretKey.getValueLen().setLongValue(Long.valueOf(i / 8));
        if (31 == j) {
            j2 = 4224;
        } else if (21 == j) {
            j2 = 305;
        } else if (16 == j) {
            j2 = 848;
        } else {
            if (40 != j && 46 != j && 43 != j && 44 != j && 45 != j && 51 != j && 52 != j && 53 != j && 54 != j) {
                throw new IllegalArgumentException("unsupported key type " + Functions.toFullHexString((int) j));
            }
            j2 = 848;
        }
        Mechanism mechanism = Mechanism.get(j2);
        Session borrowWritableSession = borrowWritableSession();
        try {
            if (labelExists(borrowWritableSession, str)) {
                throw new IllegalArgumentException("label " + str + " exists, please specify another one");
            }
            byte[] generateKeyId = generateKeyId(borrowWritableSession);
            genericSecretKey.getId().setByteArrayValue(generateKeyId);
            try {
                IaikP11Identity iaikP11Identity = new IaikP11Identity(this, new P11EntityIdentifier(this.slotId, new P11ObjectIdentifier(generateKeyId, str)), borrowWritableSession.generateKey(mechanism, genericSecretKey));
                returnWritableSession(borrowWritableSession);
                return iaikP11Identity;
            } catch (TokenException e) {
                throw new P11TokenException("could not generate generic secret key using " + mechanism.getName(), e);
            }
        } catch (Throwable th) {
            returnWritableSession(borrowWritableSession);
            throw th;
        }
    }

    @Override // org.xipki.security.pkcs11.AbstractP11Slot
    protected P11Identity createSecretKey0(long j, byte[] bArr, String str, P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        GenericSecretKey genericSecretKey = new GenericSecretKey();
        genericSecretKey.getKeyType().setLongValue(Long.valueOf(j));
        genericSecretKey.getToken().setBooleanValue(true);
        genericSecretKey.getLabel().setCharArrayValue(str.toCharArray());
        genericSecretKey.getSign().setBooleanValue(true);
        genericSecretKey.getSensitive().setBooleanValue(true);
        genericSecretKey.getExtractable().setBooleanValue(Boolean.valueOf(p11NewKeyControl.isExtractable()));
        genericSecretKey.getValue().setByteArrayValue(bArr);
        Session borrowWritableSession = borrowWritableSession();
        try {
            if (labelExists(borrowWritableSession, str)) {
                throw new IllegalArgumentException("label " + str + " exists, please specify another one");
            }
            byte[] generateKeyId = generateKeyId(borrowWritableSession);
            genericSecretKey.getId().setByteArrayValue(generateKeyId);
            try {
                IaikP11Identity iaikP11Identity = new IaikP11Identity(this, new P11EntityIdentifier(this.slotId, new P11ObjectIdentifier(generateKeyId, str)), borrowWritableSession.createObject(genericSecretKey));
                returnWritableSession(borrowWritableSession);
                return iaikP11Identity;
            } catch (TokenException e) {
                throw new P11TokenException("could not create secret key", e);
            }
        } catch (Throwable th) {
            returnWritableSession(borrowWritableSession);
            throw th;
        }
    }

    @Override // org.xipki.security.pkcs11.AbstractP11Slot
    protected P11Identity generateRSAKeypair0(int i, BigInteger bigInteger, String str, P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        RSAPrivateKey rSAPrivateKey = new RSAPrivateKey();
        RSAPublicKey rSAPublicKey = new RSAPublicKey();
        setKeyAttributes(str, 0L, p11NewKeyControl, rSAPublicKey, rSAPrivateKey);
        rSAPublicKey.getModulusBits().setLongValue(Long.valueOf(i));
        if (bigInteger != null) {
            rSAPublicKey.getPublicExponent().setByteArrayValue(bigInteger.toByteArray());
        }
        return generateKeyPair(0L, rSAPrivateKey, rSAPublicKey);
    }

    @Override // org.xipki.security.pkcs11.AbstractP11Slot
    protected P11Identity generateDSAKeypair0(BigInteger bigInteger, BigInteger bigInteger2, BigInteger bigInteger3, String str, P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        DSAPrivateKey dSAPrivateKey = new DSAPrivateKey();
        DSAPublicKey dSAPublicKey = new DSAPublicKey();
        setKeyAttributes(str, 1L, p11NewKeyControl, dSAPublicKey, dSAPrivateKey);
        dSAPublicKey.getPrime().setByteArrayValue(bigInteger.toByteArray());
        dSAPublicKey.getSubprime().setByteArrayValue(bigInteger2.toByteArray());
        dSAPublicKey.getBase().setByteArrayValue(bigInteger3.toByteArray());
        return generateKeyPair(16L, dSAPrivateKey, dSAPublicKey);
    }

    @Override // org.xipki.security.pkcs11.AbstractP11Slot
    protected P11Identity generateECKeypair0(ASN1ObjectIdentifier aSN1ObjectIdentifier, String str, P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        ECDSAPrivateKey eCDSAPrivateKey = new ECDSAPrivateKey();
        ECDSAPublicKey eCDSAPublicKey = new ECDSAPublicKey();
        setKeyAttributes(str, 3L, p11NewKeyControl, eCDSAPublicKey, eCDSAPrivateKey);
        try {
            try {
                eCDSAPublicKey.getEcdsaParams().setByteArrayValue(aSN1ObjectIdentifier.getEncoded());
                return generateKeyPair(4160L, eCDSAPrivateKey, eCDSAPublicKey);
            } catch (P11TokenException e) {
                X9ECParameters byOID = ECNamedCurveTable.getByOID(aSN1ObjectIdentifier);
                if (byOID == null) {
                    throw new IllegalArgumentException("could not get X9ECParameters for curve " + aSN1ObjectIdentifier.getId());
                }
                try {
                    eCDSAPublicKey.getEcdsaParams().setByteArrayValue(byOID.getEncoded());
                    return generateKeyPair(4160L, eCDSAPrivateKey, eCDSAPublicKey);
                } catch (IOException e2) {
                    throw new P11TokenException(e.getMessage(), e);
                }
            }
        } catch (IOException e3) {
            throw new P11TokenException(e3.getMessage(), e3);
        }
    }

    /* JADX WARN: Finally extract failed */
    private P11Identity generateKeyPair(long j, PrivateKey privateKey, iaik.pkcs.pkcs11.objects.PublicKey publicKey) throws P11TokenException {
        String iaikP11Slot = toString(privateKey.getLabel());
        byte[] bArr = null;
        try {
            Session borrowWritableSession = borrowWritableSession();
            try {
                if (labelExists(borrowWritableSession, iaikP11Slot)) {
                    throw new IllegalArgumentException("label " + iaikP11Slot + " exists, please specify another one");
                }
                bArr = generateKeyId(borrowWritableSession);
                privateKey.getId().setByteArrayValue(bArr);
                publicKey.getId().setByteArrayValue(bArr);
                try {
                    KeyPair generateKeyPair = borrowWritableSession.generateKeyPair(Mechanism.get(j), publicKey, privateKey);
                    returnWritableSession(borrowWritableSession);
                    P11ObjectIdentifier p11ObjectIdentifier = new P11ObjectIdentifier(bArr, iaikP11Slot);
                    P11EntityIdentifier p11EntityIdentifier = new P11EntityIdentifier(this.slotId, p11ObjectIdentifier);
                    try {
                        PublicKey generatePublicKey = generatePublicKey(generateKeyPair.getPublicKey());
                        PrivateKey privateKeyObject = getPrivateKeyObject(bArr, iaikP11Slot.toCharArray());
                        if (privateKeyObject == null) {
                            throw new P11TokenException("could not read the generated private key");
                        }
                        return new IaikP11Identity(this, p11EntityIdentifier, privateKeyObject, generatePublicKey, null);
                    } catch (XiSecurityException e) {
                        throw new P11TokenException("could not generate public key " + p11ObjectIdentifier, e);
                    }
                } catch (TokenException e2) {
                    throw new P11TokenException("could not generate keypair " + Pkcs11Functions.mechanismCodeToString(j), e2);
                }
            } catch (Throwable th) {
                returnWritableSession(borrowWritableSession);
                throw th;
            }
        } catch (RuntimeException | P11TokenException e3) {
            try {
                removeObjects(bArr, iaikP11Slot);
            } catch (Throwable th2) {
                LogUtil.error(LOG, th2, "could not remove objects");
            }
            throw e3;
        }
    }

    private static X509PublicKeyCertificate createPkcs11Template(X509Cert x509Cert, byte[] bArr, char[] cArr) {
        if (cArr == null || cArr.length == 0) {
            throw new IllegalArgumentException("label must not be null or empty");
        }
        X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
        x509PublicKeyCertificate.getId().setByteArrayValue(bArr);
        x509PublicKeyCertificate.getLabel().setCharArrayValue(cArr);
        x509PublicKeyCertificate.getToken().setBooleanValue(true);
        x509PublicKeyCertificate.getCertificateType().setLongValue(Certificate.CertificateType.X_509_PUBLIC_KEY);
        x509PublicKeyCertificate.getSubject().setByteArrayValue(x509Cert.cert().getSubjectX500Principal().getEncoded());
        x509PublicKeyCertificate.getIssuer().setByteArrayValue(x509Cert.cert().getIssuerX500Principal().getEncoded());
        x509PublicKeyCertificate.getSerialNumber().setByteArrayValue(x509Cert.cert().getSerialNumber().toByteArray());
        x509PublicKeyCertificate.getValue().setByteArrayValue(x509Cert.encodedCert());
        return x509PublicKeyCertificate;
    }

    private static void setKeyAttributes(String str, long j, P11NewKeyControl p11NewKeyControl, iaik.pkcs.pkcs11.objects.PublicKey publicKey, PrivateKey privateKey) {
        if (privateKey != null) {
            privateKey.getToken().setBooleanValue(true);
            privateKey.getLabel().setCharArrayValue(str.toCharArray());
            privateKey.getKeyType().setLongValue(Long.valueOf(j));
            privateKey.getSign().setBooleanValue(true);
            privateKey.getPrivate().setBooleanValue(true);
            privateKey.getSensitive().setBooleanValue(true);
            privateKey.getExtractable().setBooleanValue(Boolean.valueOf(p11NewKeyControl.isExtractable()));
        }
        if (publicKey != null) {
            publicKey.getToken().setBooleanValue(true);
            publicKey.getLabel().setCharArrayValue(str.toCharArray());
            publicKey.getKeyType().setLongValue(Long.valueOf(j));
            publicKey.getVerify().setBooleanValue(true);
            publicKey.getModifiable().setBooleanValue(Boolean.TRUE);
        }
    }

    @Override // org.xipki.security.pkcs11.AbstractP11Slot
    protected void updateCertificate0(P11ObjectIdentifier p11ObjectIdentifier, X509Certificate x509Certificate) throws P11TokenException {
        removeCerts(p11ObjectIdentifier);
        try {
            Thread.sleep(1000L);
        } catch (InterruptedException e) {
        }
        X509PublicKeyCertificate createPkcs11Template = createPkcs11Template(new X509Cert(x509Certificate), p11ObjectIdentifier.id(), p11ObjectIdentifier.labelChars());
        Session borrowWritableSession = borrowWritableSession();
        try {
            try {
                borrowWritableSession.createObject(createPkcs11Template);
                returnWritableSession(borrowWritableSession);
            } catch (TokenException e2) {
                throw new P11TokenException("could not createObject: " + e2.getMessage(), e2);
            }
        } catch (Throwable th) {
            returnWritableSession(borrowWritableSession);
            throw th;
        }
    }

    private X509PublicKeyCertificate[] getCertificateObjects(byte[] bArr, char[] cArr) throws P11TokenException {
        X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
        if (bArr != null) {
            x509PublicKeyCertificate.getId().setByteArrayValue(bArr);
        }
        if (cArr != null) {
            x509PublicKeyCertificate.getLabel().setCharArrayValue(cArr);
        }
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            List<Storage> objects = getObjects((Session) borrowSession.value(), x509PublicKeyCertificate);
            this.sessions.requite(borrowSession);
            if (CollectionUtil.isEmpty(objects)) {
                LOG.info("found no certificate identified by {}", getDescription(bArr, cArr));
                return null;
            }
            int size = objects.size();
            X509PublicKeyCertificate[] x509PublicKeyCertificateArr = new X509PublicKeyCertificate[size];
            for (int i = 0; i < size; i++) {
                x509PublicKeyCertificateArr[i] = (X509PublicKeyCertificate) objects.get(i);
            }
            return x509PublicKeyCertificateArr;
        } catch (Throwable th) {
            this.sessions.requite(borrowSession);
            throw th;
        }
    }

    @Override // org.xipki.security.pkcs11.AbstractP11Slot
    protected void removeIdentity0(P11ObjectIdentifier p11ObjectIdentifier) throws P11TokenException {
        Session borrowWritableSession = borrowWritableSession();
        try {
            byte[] id = p11ObjectIdentifier.id();
            char[] labelChars = p11ObjectIdentifier.labelChars();
            SecretKey secretKeyObject = getSecretKeyObject(id, labelChars);
            if (secretKeyObject != null) {
                try {
                    borrowWritableSession.destroyObject(secretKeyObject);
                } catch (TokenException e) {
                    String str = "could not delete secret key " + p11ObjectIdentifier;
                    LogUtil.error(LOG, e, str);
                    throw new P11TokenException(str);
                }
            }
            PrivateKey privateKeyObject = getPrivateKeyObject(id, labelChars);
            if (privateKeyObject != null) {
                try {
                    borrowWritableSession.destroyObject(privateKeyObject);
                } catch (TokenException e2) {
                    String str2 = "could not delete private key " + p11ObjectIdentifier;
                    LogUtil.error(LOG, e2, str2);
                    throw new P11TokenException(str2);
                }
            }
            iaik.pkcs.pkcs11.objects.PublicKey publicKeyObject = getPublicKeyObject(id, labelChars);
            if (publicKeyObject != null) {
                try {
                    borrowWritableSession.destroyObject(publicKeyObject);
                } catch (TokenException e3) {
                    String str3 = "could not delete public key " + p11ObjectIdentifier;
                    LogUtil.error(LOG, e3, str3);
                    throw new P11TokenException(str3);
                }
            }
            Object[] certificateObjects = getCertificateObjects(id, labelChars);
            if (certificateObjects != null && certificateObjects.length > 0) {
                for (Object object : certificateObjects) {
                    try {
                        borrowWritableSession.destroyObject(object);
                    } catch (TokenException e4) {
                        String str4 = "could not delete certificate " + p11ObjectIdentifier;
                        LogUtil.error(LOG, e4, str4);
                        throw new P11TokenException(str4);
                    }
                }
            }
        } finally {
            returnWritableSession(borrowWritableSession);
        }
    }

    private static byte[] generateKeyId(Session session) throws P11TokenException {
        byte[] bArr;
        SecureRandom secureRandom = new SecureRandom();
        do {
            bArr = new byte[8];
            secureRandom.nextBytes(bArr);
        } while (idExists(session, bArr));
        return bArr;
    }

    private static boolean idExists(Session session, byte[] bArr) throws P11TokenException {
        Key key = new Key();
        key.getId().setByteArrayValue(bArr);
        try {
            session.findObjectsInit(key);
            Object[] findObjects = session.findObjects(1);
            session.findObjectsFinal();
            if (findObjects.length > 0) {
                return true;
            }
            X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
            x509PublicKeyCertificate.getId().setByteArrayValue(bArr);
            session.findObjectsInit(x509PublicKeyCertificate);
            Object[] findObjects2 = session.findObjects(1);
            session.findObjectsFinal();
            return findObjects2.length > 0;
        } catch (TokenException e) {
            throw new P11TokenException(e.getMessage(), e);
        }
    }

    private static boolean labelExists(Session session, String str) throws P11TokenException {
        ParamUtil.requireNonBlank("keyLabel", str);
        Key key = new Key();
        key.getLabel().setCharArrayValue(str.toCharArray());
        try {
            session.findObjectsInit(key);
            Object[] findObjects = session.findObjects(1);
            session.findObjectsFinal();
            if (findObjects.length > 0) {
                return true;
            }
            X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
            x509PublicKeyCertificate.getLabel().setCharArrayValue(str.toCharArray());
            session.findObjectsInit(x509PublicKeyCertificate);
            Object[] findObjects2 = session.findObjects(1);
            session.findObjectsFinal();
            return findObjects2.length > 0;
        } catch (TokenException e) {
            throw new P11TokenException(e.getMessage(), e);
        }
    }
}
