package org.cesecore.keys.token;

import java.io.ByteArrayOutputStream;
import java.io.PrintStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.ProviderException;
import java.security.PublicKey;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.crypto.paddings.PKCS7Padding;
import org.bouncycastle.jce.ECKeyUtil;
import org.bouncycastle.util.encoders.Hex;
import org.cesecore.certificates.util.AlgorithmConstants;
import org.cesecore.config.CesecoreConfiguration;
import org.cesecore.internal.InternalResources;
import org.cesecore.keys.util.KeyTools;
import org.cesecore.util.StringTools;

/* loaded from: input_file:org/cesecore/keys/token/BaseCryptoToken.class */
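/**
 * Common base for {@link CryptoToken} implementations backed by a JCA {@link KeyStore} (soft key
 * stores as well as PKCS#11 / HSM providers).
 *
 * <p>Security-relevant behaviour implemented here:
 * <ul>
 *   <li><b>Auto-activation.</b> If the token properties carry a {@code pin} entry it is decrypted with
 *       {@link StringTools#passwordDecryption} and kept in {@link #mAuthCode}. Every key-store access
 *       goes through {@link #getKeyStore()}, which tries {@link #activate(char[])} with that PIN when
 *       the key store is not loaded yet. The same PIN is passed as the key-entry password.</li>
 *   <li><b>Extractable private keys.</b> {@link #testKeyPair} rejects extractable private keys unless
 *       the subclass ({@link #permitExtractablePrivateKeyForTest()}) or the global configuration
 *       permits them; {@link #extractKey} refuses to export unless this token's properties set
 *       {@link CryptoToken#ALLOW_EXTRACTABLE_PRIVATE_KEY}.</li>
 *   <li><b>Logging.</b> PIN masking in debug output applies only to property keys named exactly
 *       {@code pin} or {@code PIN}; any other secret stored in the properties is logged verbatim at
 *       debug level.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; the {@code JADX INFO} comments mark methods whose original
 * access modifier was {@code protected}. Their public visibility is kept here so callers keep working.
 */
public abstract class BaseCryptoToken implements CryptoToken {
    private static final long serialVersionUID = 2133644669863292622L;
    private static final Logger log = Logger.getLogger(BaseCryptoToken.class);
    private static final InternalResources intres = InternalResources.getInstance();
    /** Name of the JCA provider used for signing; set via {@link #setProviders} / {@link #setJCAProvider}. */
    private String mJcaProviderName = null;
    /** Optional separate JCE provider for encryption; {@link #getEncProviderName()} falls back to the JCA one. */
    private String mJceProviderName = null;
    /** Decrypted auto-activation PIN, or null when none is configured. Also used as the key-entry password. */
    private char[] mAuthCode;
    /** Token configuration; never null after {@link #setProperties} or {@link #setTokenName} has run. */
    private Properties properties;
    private int id;
    /** Loaded key store; null while the token is offline. Transient so it is never serialized with the token. */
    protected transient CachingKeyStoreWrapper keyStore;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Installs (or clears, when {@code keyStore} is null) the backing key store, wrapped in a
     * {@link CachingKeyStoreWrapper} whose caching follows {@link CesecoreConfiguration#isKeyStoreCacheEnabled()}.
     */
    public void setKeyStore(KeyStore keyStore) throws KeyStoreException {
        if (keyStore == null) {
            this.keyStore = null;
        } else {
            this.keyStore = new CachingKeyStoreWrapper(keyStore, CesecoreConfiguration.isKeyStoreCacheEnabled());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the key store, attempting auto-activation first.
     *
     * @throws CryptoTokenOfflineException if the key store is still not loaded after the attempt
     */
    public CachingKeyStoreWrapper getKeyStore() throws CryptoTokenOfflineException {
        autoActivate();
        if (this.keyStore == null) {
            throw new CryptoTokenOfflineException(intres.getLocalizedMessage("token.errorinstansiate", this.mJcaProviderName, "keyStore (" + this.id + ") == null"));
        }
        return this.keyStore;
    }

    /**
     * Activates the token with the configured auto-activation PIN if one exists and the key store is
     * not loaded yet. Failures are logged at debug level only; callers observe them as a still-null
     * key store (see {@link #getKeyStore()}).
     */
    protected void autoActivate() {
        if (this.mAuthCode == null || this.keyStore != null) {
            return;
        }
        try {
            if (log.isDebugEnabled()) {
                log.debug("Trying to autoactivate CryptoToken");
            }
            activate(this.mAuthCode);
        } catch (Exception e) {
            // NOTE(review): a wrong or revoked stored PIN is only visible at debug level here; what
            // callers actually see is the CryptoTokenOfflineException thrown by getKeyStore().
            log.debug(e);
        }
    }

    /** True only if the token properties explicitly set {@link CryptoToken#ALLOW_EXTRACTABLE_PRIVATE_KEY} to "true". */
    @Override // org.cesecore.keys.token.CryptoToken
    public boolean doPermitExtractablePrivateKey() {
        final Properties props = getProperties();
        return props.containsKey(CryptoToken.ALLOW_EXTRACTABLE_PRIVATE_KEY)
                && Boolean.parseBoolean(props.getProperty(CryptoToken.ALLOW_EXTRACTABLE_PRIVATE_KEY));
    }

    /** Subclass hook: whether {@link #testKeyPair} may accept an extractable private key without consulting global config. */
    public abstract boolean permitExtractablePrivateKeyForTest();

    /** Tests the key pair stored under {@code str}; see {@link #testKeyPair(String, PublicKey, PrivateKey)}. */
    @Override // org.cesecore.keys.token.CryptoToken
    public void testKeyPair(String str) throws InvalidKeyException, CryptoTokenOfflineException {
        testKeyPair(str, getPublicKey(str), getPrivateKey(str));
    }

    /**
     * Verifies that {@code privateKey} and {@code publicKey} belong together (via
     * {@link KeyTools#testKey}) using the sign provider.
     *
     * <p>If the private key is extractable and the subclass does not permit that for tests, the
     * outcome depends on {@link CesecoreConfiguration#isPermitExtractablePrivateKeys()}: forbidden
     * globally &rarr; {@link InvalidKeyException}; permitted globally &rarr; an info log entry only.
     *
     * @throws InvalidKeyException if the key is extractable and that is not permitted, or the pair does not match
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public void testKeyPair(String str, PublicKey publicKey, PrivateKey privateKey) throws InvalidKeyException {
        if (log.isDebugEnabled()) {
            final ByteArrayOutputStream buf = new ByteArrayOutputStream();
            final PrintStream out = new PrintStream(buf);
            KeyTools.printPublicKeyInfo(publicKey, out);
            out.flush();
            log.debug("Testing key of type " + buf.toString());
        }
        if (!permitExtractablePrivateKeyForTest() && KeyTools.isPrivateKeyExtractable(privateKey)) {
            final boolean globallyPermitted = CesecoreConfiguration.isPermitExtractablePrivateKeys();
            final String msg = intres.getLocalizedMessage("token.extractablekey", Boolean.valueOf(globallyPermitted));
            if (!globallyPermitted) {
                throw new InvalidKeyException(msg);
            }
            log.info(msg);
        }
        KeyTools.testKey(privateKey, publicKey, getSignProviderName());
    }

    /**
     * Reads the public key from the certificate stored under alias {@code str}.
     *
     * @param z whether to warn (and, at debug level, list all aliases) when no certificate exists
     * @return the public key, or null if the alias has no certificate
     * @throws CryptoTokenOfflineException if the key store is unavailable or the provider fails
     */
    protected PublicKey readPublicKey(String str, boolean z) throws KeyStoreException, CryptoTokenOfflineException {
        try {
            final Certificate certificate = getKeyStore().getCertificate(str);
            if (certificate != null) {
                return certificate.getPublicKey();
            }
            if (z) {
                log.warn(intres.getLocalizedMessage("token.nopublic", str));
                logAliasesAtDebug();
            }
            return null;
        } catch (ProviderException e) {
            throw new CryptoTokenOfflineException(e);
        }
    }

    /** Debug aid shared by the key accessors: lists every alias present in the key store. */
    private void logAliasesAtDebug() throws KeyStoreException, CryptoTokenOfflineException {
        if (!log.isDebugEnabled()) {
            return;
        }
        final Enumeration<String> aliases = getKeyStore().aliases();
        while (aliases.hasMoreElements()) {
            log.debug("Existing alias: " + aliases.nextElement());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Initializes id and properties (which also picks up the auto-activation PIN) and, when
     * {@code z} is true, attempts auto-activation right away.
     */
    public void init(Properties properties, boolean z, int i) {
        if (log.isDebugEnabled()) {
            log.debug(">init: doAutoActivate=" + z);
        }
        this.id = i;
        setProperties(properties);
        if (z) {
            autoActivate();
        }
        if (log.isDebugEnabled()) {
            log.debug("<init: doAutoActivate=" + z);
        }
    }

    @Override // org.cesecore.keys.token.CryptoToken
    public int getId() {
        return this.id;
    }

    public void setId(int i) {
        this.id = i;
    }

    @Override // org.cesecore.keys.token.CryptoToken
    public String getTokenName() {
        return this.properties.getProperty(CryptoToken.TOKENNAME_PROPERTY);
    }

    @Override // org.cesecore.keys.token.CryptoToken
    public void setTokenName(String str) {
        if (this.properties == null) {
            this.properties = new Properties();
        }
        this.properties.setProperty(CryptoToken.TOKENNAME_PROPERTY, str);
    }

    @Override // org.cesecore.keys.token.CryptoToken
    public Properties getProperties() {
        return this.properties;
    }

    /**
     * Replaces the token properties and re-reads the auto-activation PIN from them.
     *
     * <p>At debug level the properties are logged. Only the keys {@code pin} and {@code PIN} are
     * replaced by "hidden" in that output; anything else (including a PIN under a differently-cased
     * key) is logged as-is.
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public void setProperties(Properties properties) {
        if (properties == null) {
            this.properties = new Properties();
            return;
        }
        if (log.isDebugEnabled()) {
            final boolean hasLowerPin = properties.containsKey("pin");
            final boolean hasUpperPin = properties.containsKey("PIN");
            if (hasLowerPin || hasUpperPin) {
                // Log a masked copy so the PIN never reaches the log file.
                final Properties masked = new Properties();
                masked.putAll(properties);
                if (hasLowerPin) {
                    masked.setProperty("pin", "hidden");
                }
                if (hasUpperPin) {
                    masked.setProperty("PIN", "hidden");
                }
                log.debug("Prop: " + masked.toString());
            } else {
                log.debug("Properties: " + properties.toString());
            }
        }
        this.properties = properties;
        final String pin = getAutoActivatePin(properties);
        this.mAuthCode = pin == null ? null : pin.toCharArray();
    }

    /**
     * Returns the decrypted auto-activation PIN from the {@code pin} property, or null if none is set.
     * Decryption is delegated to {@link StringTools#passwordDecryption}.
     */
    public static String getAutoActivatePin(Properties properties) {
        final String stored = properties.getProperty("pin");
        if (stored != null) {
            return StringTools.passwordDecryption(stored, "autoactivation pin");
        }
        if (log.isDebugEnabled()) {
            log.debug("Not using autoactivation pin");
        }
        return null;
    }

    /**
     * Stores {@code str} as the {@code pin} property (if {@code properties} is non-null) and returns
     * the resulting "pin &lt;value&gt;" line, or null when {@code str} is empty.
     *
     * @param z whether to encrypt the PIN with {@link StringTools#pbeEncryptStringWithSha256Aes192} first
     */
    public static String setAutoActivatePin(Properties properties, String str, boolean z) {
        if (!StringUtils.isNotEmpty(str)) {
            return null;
        }
        String stored = str;
        if (z) {
            try {
                stored = StringTools.pbeEncryptStringWithSha256Aes192(str);
            } catch (Exception e) {
                // NOTE(review): on encryption failure the PIN is stored in clear text after only an
                // error log entry. Operators relying on encrypted PINs should treat "token.nopinencrypt"
                // in the log as a security event.
                log.error(intres.getLocalizedMessage("token.nopinencrypt", new Object[0]), e);
                stored = str;
            }
        }
        if (properties != null) {
            properties.setProperty("pin", stored);
        }
        return "pin " + stored;
    }

    /**
     * Instantiates and registers the JCA (signing) provider class {@code str} and, if non-null, the JCE
     * (encryption) provider class {@code str2}. Provider class names come from token configuration and
     * are loaded and instantiated dynamically, so that configuration is part of the trust boundary.
     * A failing JCE provider is logged and leaves {@link #mJceProviderName} unset.
     */
    protected void setProviders(String str, String str2) throws InstantiationException, IllegalAccessException, ClassNotFoundException {
        final Provider jcaProvider = (Provider) Class.forName(str).newInstance();
        setProvider(jcaProvider);
        this.mJcaProviderName = jcaProvider.getName();
        if (str2 == null) {
            this.mJceProviderName = null;
            return;
        }
        try {
            final Provider jceProvider = (Provider) Class.forName(str2).newInstance();
            setProvider(jceProvider);
            this.mJceProviderName = jceProvider.getName();
        } catch (Exception e) {
            log.error(intres.getLocalizedMessage("token.jceinitfail", new Object[0]), e);
        }
    }

    /**
     * Stores a key entry (with its certificate chain) under alias {@code str}.
     *
     * @throws KeyStoreException if the entry cannot be stored, or if the token is offline (an inactive
     *         token previously surfaced as a NullPointerException here; it is now reported via the
     *         declared exception after an auto-activation attempt, like every other accessor)
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public void storeKey(String str, Key key, Certificate[] certificateArr, char[] cArr) throws KeyStoreException {
        final CachingKeyStoreWrapper store;
        try {
            store = getKeyStore();
        } catch (CryptoTokenOfflineException e) {
            throw new KeyStoreException(e.getMessage(), e);
        }
        store.setKeyEntry(str, key, cArr, certificateArr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Registers {@code provider} and makes it the signing provider (null clears the name). */
    public void setJCAProvider(Provider provider) {
        setProvider(provider);
        this.mJcaProviderName = provider != null ? provider.getName() : null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void setJCAProviderName(String str) {
        this.mJcaProviderName = str;
    }

    /**
     * Installs {@code provider} in {@link Security} if no provider of that name is registered yet.
     * For SafeNet Luna providers a few algorithm aliases are added so standard JCE names resolve.
     *
     * @throws ProviderException if the provider is still not registered afterwards
     */
    private void setProvider(Provider provider) {
        if (provider == null) {
            if (log.isDebugEnabled()) {
                log.debug("No provider passed to setProvider()");
            }
            return;
        }
        final String name = provider.getName();
        if (name.startsWith("LunaJCA")) {
            provider.put("Alg.Alias.Cipher.RSA/NONE/NoPadding", "RSA//NoPadding");
            provider.put("Alg.Alias.Cipher.1.2.840.113549.1.1.1", "RSA//NoPadding");
            provider.put("Alg.Alias.Cipher.RSA/ECB/PKCS1Padding", "RSA//PKCS1v1_5");
            provider.put("Alg.Alias.Cipher.1.2.840.113549.3.7", "DES3/CBC/PKCS5Padding");
        }
        if (Security.getProvider(name) == null) {
            Security.addProvider(provider);
        }
        if (Security.getProvider(name) == null) {
            throw new ProviderException("Not possible to install provider: " + name);
        }
    }

    @Override // org.cesecore.keys.token.CryptoToken
    public String getSignProviderName() {
        return this.mJcaProviderName;
    }

    /** The JCE provider name, or the JCA provider name when no separate JCE provider is configured. */
    @Override // org.cesecore.keys.token.CryptoToken
    public String getEncProviderName() {
        return this.mJceProviderName == null ? this.mJcaProviderName : this.mJceProviderName;
    }

    /**
     * True if {@code str} resolves to a public key, a private key or any other key (including keys
     * wrapped in the token properties). Lookups are done quietly (no warnings).
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public boolean isAliasUsed(String str) {
        try {
            getPublicKey(str, false);
            return true;
        } catch (CryptoTokenOfflineException ignoredPublic) {
            // fall through to the next lookup
        }
        try {
            getPrivateKey(str, false);
            return true;
        } catch (CryptoTokenOfflineException ignoredPrivate) {
            // fall through to the next lookup
        }
        try {
            getKey(str, false);
            return true;
        } catch (CryptoTokenOfflineException ignoredKey) {
            return false;
        }
    }

    @Override // org.cesecore.keys.token.CryptoToken
    public PrivateKey getPrivateKey(String str) throws CryptoTokenOfflineException {
        return getPrivateKey(str, true);
    }

    /** Password handed to the key store for key entries: the auto-activation PIN, or null when none/empty. */
    private char[] keyEntryPassword() {
        return (this.mAuthCode == null || this.mAuthCode.length <= 0) ? null : this.mAuthCode;
    }

    /**
     * Fetches the private key under alias {@code str}.
     *
     * <p>A key-store entry may also hold a {@code SecretKey}; such an entry (or a missing one) is
     * reported as "no such key" rather than letting a blind cast escape as an unchecked
     * ClassCastException, which previously also broke {@link #isAliasUsed} for symmetric aliases.
     *
     * @param z whether to warn (and list aliases at debug level) when no private key is found
     * @throws CryptoTokenOfflineException if the key is missing or the key store cannot be used
     */
    private PrivateKey getPrivateKey(String str, boolean z) throws CryptoTokenOfflineException {
        try {
            final Key entry = getKeyStore().getKey(str, keyEntryPassword());
            if (entry instanceof PrivateKey) {
                return (PrivateKey) entry;
            }
            if (z) {
                log.warn(intres.getLocalizedMessage("token.noprivate", str));
                logAliasesAtDebug();
            }
            throw new CryptoTokenOfflineException(intres.getLocalizedMessage("token.errornosuchkey", str));
        } catch (KeyStoreException e) {
            throw new CryptoTokenOfflineException(e);
        } catch (NoSuchAlgorithmException e2) {
            throw new CryptoTokenOfflineException(e2);
        } catch (ProviderException e3) {
            throw new CryptoTokenOfflineException(e3);
        } catch (UnrecoverableKeyException e4) {
            throw new CryptoTokenOfflineException(e4);
        }
    }

    @Override // org.cesecore.keys.token.CryptoToken
    public PublicKey getPublicKey(String str) throws CryptoTokenOfflineException {
        return getPublicKey(str, true);
    }

    /**
     * Fetches the public key under alias {@code str}. When the token property
     * {@link CryptoToken#EXPLICIT_ECC_PUBLICKEY_PARAMETERS} is "true", EC keys are re-encoded with
     * explicit curve parameters through the BC provider.
     *
     * @throws CryptoTokenOfflineException if the key is missing, the key store is unusable, or the EC
     *         conversion fails
     */
    private PublicKey getPublicKey(String str, boolean z) throws CryptoTokenOfflineException {
        try {
            PublicKey publicKey = readPublicKey(str, z);
            if (publicKey == null) {
                throw new CryptoTokenOfflineException(intres.getLocalizedMessage("token.errornosuchkey", str));
            }
            final boolean explicitEcParams = Boolean.parseBoolean(getProperties().getProperty(CryptoToken.EXPLICIT_ECC_PUBLICKEY_PARAMETERS));
            if (explicitEcParams && publicKey.getAlgorithm().equals(AlgorithmConstants.KEYALGORITHM_EC)) {
                if (log.isDebugEnabled()) {
                    log.debug("Using explicit parameter encoding for ECC key.");
                }
                publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC");
            }
            return publicKey;
        } catch (IllegalArgumentException e) {
            throw new CryptoTokenOfflineException(e);
        } catch (KeyStoreException e2) {
            throw new CryptoTokenOfflineException(e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new CryptoTokenOfflineException(e3);
        } catch (NoSuchProviderException e4) {
            throw new CryptoTokenOfflineException(e4);
        }
    }

    @Override // org.cesecore.keys.token.CryptoToken
    public Key getKey(String str) throws CryptoTokenOfflineException {
        return getKey(str, true);
    }

    /**
     * Fetches any key under alias {@code str}: first from the key store, then from a wrapped key
     * stored in the token properties (see {@link #getKeyFromProperties}).
     *
     * @throws CryptoTokenOfflineException if neither source yields a key or the key store is unusable
     */
    private Key getKey(String str, boolean z) throws CryptoTokenOfflineException {
        try {
            Key key = getKeyStore().getKey(str, keyEntryPassword());
            if (key == null) {
                key = getKeyFromProperties(str);
            }
            if (key == null) {
                if (z) {
                    log.warn(intres.getLocalizedMessage("token.errornosuchkey", str));
                    logAliasesAtDebug();
                }
                throw new CryptoTokenOfflineException(intres.getLocalizedMessage("token.errornosuchkey", str));
            }
            return key;
        } catch (KeyStoreException e) {
            throw new CryptoTokenOfflineException(e);
        } catch (NoSuchAlgorithmException e2) {
            throw new CryptoTokenOfflineException(e2);
        } catch (ProviderException e3) {
            throw new CryptoTokenOfflineException(e3);
        } catch (UnrecoverableKeyException e4) {
            throw new CryptoTokenOfflineException(e4);
        }
    }

    /**
     * Looks for a hex-encoded AES key wrapped under the token's RSA key with alias {@code "symwrap"}
     * in the property named {@code str}, and unwraps it with RSA/ECB/PKCS1Padding on the encryption
     * provider.
     *
     * <p>Any failure (missing wrapping key, provider/algorithm problems) is logged at debug level and
     * reported as null, so the caller's "no such key" error hides the actual cause. PKCS#1 v1.5 key
     * unwrapping is used for compatibility with the stored format; the wrapped values come from the
     * token's own configuration, not from remote callers.
     *
     * @return the unwrapped secret key, or null
     */
    private Key getKeyFromProperties(String str) {
        final String wrappedHex = getProperties().getProperty(str);
        if (!StringUtils.isNotEmpty(wrappedHex)) {
            return null;
        }
        try {
            final PrivateKey wrappingKey = getPrivateKey("symwrap");
            final Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", getEncProviderName());
            cipher.init(Cipher.UNWRAP_MODE, wrappingKey);
            return cipher.unwrap(Hex.decode(wrappedHex), "AES", Cipher.SECRET_KEY);
        } catch (InvalidKeyException e) {
            log.debug(e);
        } catch (NoSuchAlgorithmException e2) {
            log.debug(e2);
        } catch (NoSuchProviderException e3) {
            log.debug(e3);
        } catch (NoSuchPaddingException e4) {
            log.debug(e4);
        } catch (CryptoTokenOfflineException e5) {
            log.debug(e5);
        }
        return null;
    }

    /** No-op here; subclasses may reset provider state. */
    @Override // org.cesecore.keys.token.CryptoToken
    public void reset() {
    }

    /**
     * Returns 1 when the key store can be obtained (after auto-activation), otherwise 2. The literals
     * are kept from the decompiled source; presumably they correspond to the active/offline status
     * constants of {@link CryptoToken} - verify against the interface.
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public int getTokenStatus() {
        try {
            getKeyStore();
            return 1;
        } catch (CryptoTokenOfflineException e) {
            return 2;
        }
    }

    /**
     * Convenience overload of {@link #extractKey(String, AlgorithmParameterSpec, String, String)}.
     * For CBC transformations a fixed, all-zero 8-byte IV is supplied so the output format is stable.
     *
     * <p>Caveats: an 8-byte IV fits 64-bit block ciphers such as DESede; for a 128-bit block cipher
     * (AES/CBC) the provider is expected to reject it with {@link InvalidAlgorithmParameterException},
     * so callers needing AES/CBC should use the {@link AlgorithmParameterSpec} overload. A constant IV
     * also means that wrapping the same key twice under the same wrapping key yields identical output.
     *
     * @param str  cipher transformation, e.g. "DESede/CBC/NoPadding"
     * @param str2 alias of the symmetric wrapping key
     * @param str3 alias of the private key to export
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public byte[] extractKey(String str, String str2, String str3) throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException, InvalidKeyException, IllegalBlockSizeException, CryptoTokenOfflineException, PrivateKeyNotExtractableException, InvalidAlgorithmParameterException {
        IvParameterSpec iv = null;
        if (str.matches(".+\\/CBC\\/.+")) {
            iv = new IvParameterSpec(new byte[]{0, 0, 0, 0, 0, 0, 0, 0});
        }
        return extractKey(str, iv, str2, str3);
    }

    /**
     * Exports the private key under alias {@code str3}, encrypted with the symmetric key under alias
     * {@code str2} using transformation {@code str} and parameters {@code algorithmParameterSpec}
     * (may be null). Refused unless {@link #doPermitExtractablePrivateKey()} is true for this token.
     *
     * <p>For "NoPadding" transformations the PKCS#8 encoding is padded manually with PKCS#7 padding
     * (a full extra block when the length is already a multiple of the block size). The padded
     * plaintext buffer this method allocates is zeroed afterwards on a best-effort basis; the array
     * returned by {@link PrivateKey#getEncoded()} is left alone because a provider may hand out an
     * internal buffer.
     *
     * @throws PrivateKeyNotExtractableException if export is not permitted, the key exposes no
     *         encoding (non-extractable HSM keys return null here), or the cipher rejects the data
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public byte[] extractKey(String str, AlgorithmParameterSpec algorithmParameterSpec, String str2, String str3) throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException, InvalidKeyException, IllegalBlockSizeException, CryptoTokenOfflineException, PrivateKeyNotExtractableException, InvalidAlgorithmParameterException {
        if (!doPermitExtractablePrivateKey()) {
            throw new PrivateKeyNotExtractableException(intres.getLocalizedMessage("token.errornotextractable", str3, str2));
        }
        final Key wrappingKey = getKey(str2);
        final PrivateKey privateKey = getPrivateKey(str3);
        if (privateKey == null) {
            throw new PrivateKeyNotExtractableException("Extracting key with alias '" + str3 + "' return null.");
        }
        final Cipher cipher = Cipher.getInstance(str, getEncProviderName());
        if (algorithmParameterSpec == null) {
            cipher.init(Cipher.ENCRYPT_MODE, wrappingKey);
        } else {
            cipher.init(Cipher.ENCRYPT_MODE, wrappingKey, algorithmParameterSpec);
        }
        final byte[] encoded = privateKey.getEncoded();
        if (encoded == null) {
            // Previously this surfaced as a NullPointerException at encoded.length below.
            throw new PrivateKeyNotExtractableException("Extracting key with alias '" + str3 + "' returned no key material.");
        }
        byte[] padded = null;
        try {
            byte[] plaintext = encoded;
            if (StringUtils.containsIgnoreCase(str, "NoPadding")) {
                final int blockSize = cipher.getBlockSize();
                final int padLen = blockSize - (encoded.length % blockSize);
                if (log.isDebugEnabled()) {
                    log.debug("Padding key data with " + padLen + " bytes, using PKCS7/5Padding. Total len: " + (encoded.length + padLen));
                }
                padded = Arrays.copyOf(encoded, encoded.length + padLen);
                new PKCS7Padding().addPadding(padded, encoded.length);
                plaintext = padded;
            }
            return cipher.doFinal(plaintext);
        } catch (BadPaddingException e) {
            throw new PrivateKeyNotExtractableException("Extracting key with alias '" + str3 + "' failed.");
        } finally {
            if (padded != null) {
                Arrays.fill(padded, (byte) 0);
            }
        }
    }

    /** All aliases in the key store (requires the token to be, or become, active). */
    @Override // org.cesecore.keys.token.CryptoToken
    public List<String> getAliases() throws KeyStoreException, CryptoTokenOfflineException {
        return Collections.list(getKeyStore().aliases());
    }

    /** True if the properties hold a (decryptable) auto-activation PIN. */
    @Override // org.cesecore.keys.token.CryptoToken
    public boolean isAutoActivationPinPresent() {
        return getAutoActivatePin(getProperties()) != null;
    }
}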
