package org.cesecore.keys.token;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.util.encoders.Hex;
import org.cesecore.config.CesecoreConfiguration;
import org.cesecore.internal.InternalResources;
import org.cesecore.keys.util.KeyStoreTools;
import org.cesecore.util.CryptoProviderTools;
import org.cesecore.util.StringTools;

/* loaded from: input_file:org/cesecore/keys/token/SoftCryptoToken.class */
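/**
 * Software crypto token backed by an in-memory, password-protected PKCS#12 keystore
 * (BouncyCastle provider). The serialized keystore lives in {@link #keystoreData}; the
 * live {@link KeyStore} (inherited {@code keyStore}) exists only while the token is active.
 *
 * Activation semantics (see {@link #activate(char[])}): a configured auto-activation pin
 * always takes precedence over the caller-supplied code. If no pin is configured and the
 * {@link #NODEFAULTPWD} property is absent, {@link #init(Properties, byte[], int)} probes the
 * globally configured default keystore password and, when it opens the keystore, turns it into
 * the auto-activation pin.
 *
 * NOTE(review): this class carries a serialVersionUID and therefore presumably is
 * Serializable via its base class; {@link #keyStorePass} is not transient, so an active token
 * that is Java-serialized would carry its keystore password along — confirm whether tokens are
 * ever serialized while active.
 */
public class SoftCryptoToken extends BaseCryptoToken {
    private static final long serialVersionUID = 387950849444619646L;
    private static final Logger log = Logger.getLogger(SoftCryptoToken.class);
    private static final InternalResources intres = InternalResources.getInstance();
    public static final float LATEST_VERSION = 3.0f;
    /** Token property that, when present, forbids falling back to the configured default keystore password. */
    public static final String NODEFAULTPWD = "NODEFAULTPWD";

    /** Keystore type and JCE provider used for the serialized form of this token. */
    private static final String KEYSTORE_TYPE = "PKCS12";
    private static final String PROVIDER_NAME = "BC";
    /** Alias of the RSA key pair used to wrap symmetric keys produced by {@link #generateKey}. */
    private static final String SYMWRAP_ALIAS = "symwrap";
    /** Key specification handed to {@link #generateKeyPair(String, String)} when the wrap key pair is missing. */
    private static final String SYMWRAP_KEYSPEC = "2048";

    /** Serialized PKCS#12 keystore, or null until a keystore has been supplied or created. */
    private byte[] keystoreData;
    /**
     * Password protecting {@link #keystoreData}. This is a private copy, owned by the token:
     * set on activation and zeroed on deactivation so callers may wipe their own array.
     */
    private char[] keyStorePass;

    public SoftCryptoToken() {
        if (log.isDebugEnabled()) {
            log.debug("Creating SoftCryptoToken");
        }
    }

    /**
     * Initializes the token from its persisted properties and keystore bytes.
     *
     * @param properties token properties; a null value is treated as an empty property set
     * @param data       serialized PKCS#12 keystore, or null for a token that has no keystore yet
     * @param id         token id, used only for log messages
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public void init(Properties properties, byte[] data, int id) {
        super.setJCAProviderName(PROVIDER_NAME);
        this.keystoreData = data;
        if (properties == null) {
            properties = new Properties();
        }
        final String autoActivatePin = BaseCryptoToken.getAutoActivatePin(properties);
        final boolean defaultPasswordAllowed = properties.getProperty(NODEFAULTPWD) == null;
        if (autoActivatePin != null) {
            log.debug("Soft Crypto Token has autoactivation property set.");
        } else if (!defaultPasswordAllowed) {
            log.debug("No default pwd allowed for this soft crypto token.");
        } else {
            // No pin configured and the default password is permitted: probe it and, if it opens
            // the keystore, promote it to the auto-activation pin so the token activates itself.
            final String defaultPassword = defaultKeystorePassword();
            if (checkSoftKeystorePassword(defaultPassword.toCharArray(), id)) {
                log.debug("Succeded to load keystore with password");
                BaseCryptoToken.setAutoActivatePin(properties, defaultPassword, true);
            }
        }
        // Second argument: whether the token may be auto-activated (pin present, or default password allowed).
        init(properties, autoActivatePin != null || defaultPasswordAllowed, id);
    }

    /**
     * Activates the token by loading the keystore, or by creating a fresh empty PKCS#12
     * keystore when no keystore data exists yet.
     *
     * @param authCode keystore password supplied by the caller; ignored when an auto-activation
     *                 pin is configured. The token keeps its own copy, so the caller may clear it.
     * @throws CryptoTokenAuthenticationFailedException when the keystore cannot be opened with
     *         the password (BC reports a wrong PKCS#12 password as an {@link IOException}), or
     *         when a fresh keystore cannot be created
     * @throws CryptoTokenOfflineException for any other failure while loading the keystore
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public void activate(char[] authCode) throws CryptoTokenAuthenticationFailedException, CryptoTokenOfflineException {
        if (this.keyStore != null) {
            log.debug("Ignoring activation request for already active CryptoToken: " + getId());
            return;
        }
        final String autoActivatePin = BaseCryptoToken.getAutoActivatePin(getProperties());
        // A configured pin always wins; otherwise take a private copy of the caller's array.
        final char[] password = autoActivatePin != null ? autoActivatePin.toCharArray() : copyOf(authCode);
        if (this.keystoreData == null) {
            createEmptyKeyStore(password);
            return;
        }
        try {
            setKeyStore(loadKeyStore(this.keystoreData, password));
            this.keyStorePass = password;
            log.info(intres.getLocalizedMessage("token.activated", Integer.valueOf(getId())));
        } catch (IOException e) {
            // Wrong password (or corrupt data) surfaces as IOException from KeyStore.load.
            log.info(intres.getLocalizedMessage("token.erroractivate", Integer.valueOf(getId()), e.getMessage()), e);
            throw authenticationFailure(e);
        } catch (Exception e) {
            log.info(intres.getLocalizedMessage("token.erroractivate", Integer.valueOf(getId()), e.getMessage()), e);
            throw offline(e);
        }
    }

    /** Creates and persists a new empty PKCS#12 keystore protected by {@code password}. */
    private void createEmptyKeyStore(char[] password) throws CryptoTokenAuthenticationFailedException {
        log.info(intres.getLocalizedMessage("token.erroractivate", Integer.valueOf(getId()), "No keystore data available yet, creating new PKCS#12 keystore."));
        try {
            KeyStore fresh = KeyStore.getInstance(KEYSTORE_TYPE, PROVIDER_NAME);
            fresh.load(null, null);
            setKeyStore(fresh);
            // NOTE(review): a null password reaches KeyStore.store() in storeKeyStore(); what BC
            // does with it is not visible here — confirm callers always supply one.
            this.keyStorePass = password;
            storeKeyStore();
        } catch (IOException e) {
            throw creationFailure(e);
        } catch (KeyStoreException e) {
            throw creationFailure(e);
        } catch (NoSuchAlgorithmException e) {
            throw creationFailure(e);
        } catch (NoSuchProviderException e) {
            throw creationFailure(e);
        } catch (CertificateException e) {
            throw creationFailure(e);
        }
    }

    /**
     * Verifies that the private keys of this token may be exported and that the given
     * password (or, when none is given, the configured default password) opens the keystore.
     * Exactly one of the two passwords is tried.
     *
     * @param authCode password to verify; null or empty selects the configured default password
     * @throws PrivateKeyNotExtractableException when the token does not permit key extraction
     * @throws CryptoTokenAuthenticationFailedException when the chosen password does not open the keystore
     * @throws CryptoTokenOfflineException for any other failure while loading the keystore
     */
    public void checkPasswordBeforeExport(char[] authCode) throws CryptoTokenAuthenticationFailedException, CryptoTokenOfflineException, PrivateKeyNotExtractableException {
        if (!doPermitExtractablePrivateKey()) {
            throw new PrivateKeyNotExtractableException(intres.getLocalizedMessage("token.errornotextractable_allkeys", Integer.valueOf(getId())));
        }
        // Fix: the default-password attempt used to run unconditionally after a successful
        // check of the supplied password, failing every token not protected by the default.
        final char[] password = (authCode != null && authCode.length != 0)
                ? authCode
                : defaultKeystorePassword().toCharArray();
        try {
            loadKeyStore(this.keystoreData, password);
        } catch (IOException e) {
            log.info(intres.getLocalizedMessage("token.wrongauthcode", Integer.valueOf(getId()), e.getMessage()), e);
            throw authenticationFailure(e);
        } catch (Exception e) {
            log.info(intres.getLocalizedMessage("token.erroractivate", Integer.valueOf(getId()), e.getMessage()), e);
            throw offline(e);
        }
    }

    /**
     * Parses serialized keystore bytes into a PKCS#12 {@link KeyStore}.
     *
     * @throws KeyStoreException when {@code data} is null (no keystore exists yet)
     * @throws IOException on a wrong password or malformed data, as reported by {@link KeyStore#load}
     */
    private KeyStore loadKeyStore(byte[] data, char[] password) throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException, NoSuchProviderException {
        CryptoProviderTools.installBCProviderIfNotAvailable();
        if (log.isDebugEnabled()) {
            log.debug("Loading keystore data of size: " + (data == null ? "null" : Integer.valueOf(data.length)));
        }
        if (data == null) {
            // Explicit instead of a NullPointerException out of ByteArrayInputStream.
            throw new KeyStoreException("No keystore data available for token " + getId());
        }
        KeyStore loaded = KeyStore.getInstance(KEYSTORE_TYPE, PROVIDER_NAME);
        loaded.load(new ByteArrayInputStream(data), password);
        return loaded;
    }

    /**
     * Persists the live keystore into {@link #keystoreData}, drops the live keystore and wipes
     * the in-memory password copy.
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public void deactivate() {
        storeKeyStore();
        try {
            setKeyStore(null);
            log.info(intres.getLocalizedMessage("token.deactivate", Integer.valueOf(getId())));
        } catch (KeyStoreException e) {
            throw new IllegalStateException("This should never happen.", e);
        }
        // Only reached once the live keystore is gone; storeKeyStore() is a no-op from here on,
        // so the password is no longer needed and should not linger in memory.
        clearPassword();
    }

    /**
     * Serializes the live keystore (if any) into {@link #keystoreData} using the stored
     * password. Failures are logged and leave the previous {@link #keystoreData} untouched,
     * so a failed store silently keeps stale data — watch the log for these errors.
     */
    void storeKeyStore() {
        if (this.keyStore != null) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            try {
                this.keyStore.store(out, this.keyStorePass);
                this.keystoreData = out.toByteArray();
            } catch (IOException e) {
                log.error("Failed to serialize soft keystore for token " + getId(), e);
            } catch (KeyStoreException e) {
                log.error("Failed to serialize soft keystore for token " + getId(), e);
            } catch (NoSuchAlgorithmException e) {
                log.error("Failed to serialize soft keystore for token " + getId(), e);
            } catch (CertificateException e) {
                log.error("Failed to serialize soft keystore for token " + getId(), e);
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Storing soft keystore of size " + (this.keystoreData == null ? "null" : Integer.valueOf(this.keystoreData.length)));
        }
    }

    /** @return the current serialized keystore, after flushing the live keystore into it. */
    @Override // org.cesecore.keys.token.CryptoToken
    public byte[] getTokenData() {
        storeKeyStore();
        return this.keystoreData;
    }

    /**
     * @return true when {@code password} opens the stored keystore, or when there is no
     *         keystore data yet (nothing to check against); false on any load failure
     */
    private boolean checkSoftKeystorePassword(char[] password, int id) {
        if (this.keystoreData == null) {
            return true;
        }
        try {
            KeyStore.getInstance(KEYSTORE_TYPE, PROVIDER_NAME).load(new ByteArrayInputStream(this.keystoreData), password);
            return true;
        } catch (Exception e) {
            log.debug("Error: ", e);
            log.info(intres.getLocalizedMessage("token.wrongauthcode", Integer.valueOf(id)));
            return false;
        }
    }

    /**
     * Deletes the keystore entry with the given alias and persists the keystore.
     * An empty alias is ignored. A {@link KeyStoreException} from the delete itself is
     * treated as best effort (presumably the PKCS#12 keystore reports an unknown alias this
     * way); it is logged at debug level rather than propagated.
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public void deleteEntry(String alias) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, CryptoTokenOfflineException {
        if (StringUtils.isEmpty(alias)) {
            log.debug("Trying to delete keystore entry with empty alias.");
            return;
        }
        try {
            new KeyStoreTools(getKeyStore(), getSignProviderName()).deleteEntry(alias);
            log.info(intres.getLocalizedMessage("token.deleteentry", alias, Integer.valueOf(getId())));
        } catch (KeyStoreException e) {
            log.debug("Could not delete keystore entry '" + alias + "': " + e.getMessage());
        }
        storeKeyStore();
    }

    /**
     * Generates a key pair under {@code alias} and persists the keystore.
     *
     * @param keySpec key specification string as understood by {@link KeyStoreTools}
     *                (e.g. {@code "2048"}, as used for the symmetric wrap key pair)
     * @param alias   keystore alias; an empty alias is ignored
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public void generateKeyPair(String keySpec, String alias) throws InvalidAlgorithmParameterException, CryptoTokenOfflineException {
        if (StringUtils.isEmpty(alias)) {
            log.debug("Trying to generate keys with empty alias.");
            return;
        }
        new KeyStoreTools(getKeyStore(), getSignProviderName()).generateKeyPair(keySpec, alias);
        storeKeyStore();
    }

    /**
     * Generates a symmetric key and stores it, wrapped with the token's RSA wrap key pair,
     * hex-encoded in the token properties under {@code alias}. The wrap key pair is created
     * on demand under {@link #SYMWRAP_ALIAS}.
     *
     * @param algorithm KeyGenerator algorithm name
     * @param keySize   key size passed to {@link KeyGenerator#init(int)}
     * @param alias     property name under which the wrapped key is stored; an empty alias is ignored
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public void generateKey(String algorithm, int keySize, String alias) throws NoSuchAlgorithmException, NoSuchProviderException, KeyStoreException, CryptoTokenOfflineException, InvalidKeyException, InvalidAlgorithmParameterException, SignatureException, CertificateException, IOException, NoSuchPaddingException, IllegalBlockSizeException {
        if (StringUtils.isEmpty(alias)) {
            log.debug("Trying to generate keys with empty alias.");
            return;
        }
        KeyGenerator generator = KeyGenerator.getInstance(algorithm, getEncProviderName());
        generator.init(keySize);
        SecretKey secretKey = generator.generateKey();
        PublicKey wrapKey;
        try {
            wrapKey = getPublicKey(SYMWRAP_ALIAS);
        } catch (CryptoTokenOfflineException e) {
            // No wrap key pair yet: create one and retry.
            generateKeyPair(SYMWRAP_KEYSPEC, SYMWRAP_ALIAS);
            wrapKey = getPublicKey(SYMWRAP_ALIAS);
        }
        // NOTE(review): RSA PKCS#1 v1.5 key wrapping is kept for compatibility with existing
        // wrapped keys; switching to OAEP would require a matching change on the unwrap side.
        Cipher wrapper = Cipher.getInstance("RSA/ECB/PKCS1Padding", getEncProviderName());
        wrapper.init(Cipher.WRAP_MODE, wrapKey);
        String wrappedHex = new String(Hex.encode(wrapper.wrap(secretKey)));
        Properties properties = getProperties();
        properties.setProperty(alias, wrappedHex);
        setProperties(properties);
    }

    /**
     * Generates a key pair from an explicit parameter spec under {@code alias} and persists
     * the keystore. An empty alias is ignored.
     */
    @Override // org.cesecore.keys.token.CryptoToken
    public void generateKeyPair(AlgorithmParameterSpec algorithmParameterSpec, String alias) throws InvalidAlgorithmParameterException, CertificateException, IOException, CryptoTokenOfflineException {
        if (StringUtils.isEmpty(alias)) {
            log.debug("Trying to generate keys with empty alias.");
            return;
        }
        new KeyStoreTools(getKeyStore(), getSignProviderName()).generateKeyPair(algorithmParameterSpec, alias);
        storeKeyStore();
    }

    /** Soft tokens always allow private keys to be extracted in tests. */
    @Override // org.cesecore.keys.token.BaseCryptoToken
    public boolean permitExtractablePrivateKeyForTest() {
        return true;
    }

    /** Decrypts and returns the globally configured default keystore password. */
    private static String defaultKeystorePassword() {
        return StringTools.passwordDecryption(CesecoreConfiguration.getCaKeyStorePass(), "ca.keystorepass");
    }

    /** Null-safe defensive copy of a password array. */
    private static char[] copyOf(char[] password) {
        return password == null ? null : password.clone();
    }

    /** Zeroes and forgets the in-memory keystore password. */
    private void clearPassword() {
        if (this.keyStorePass != null) {
            Arrays.fill(this.keyStorePass, '\0');
            this.keyStorePass = null;
        }
    }

    /** Wraps {@code cause} as an authentication failure, preserving it as the cause. */
    private static CryptoTokenAuthenticationFailedException authenticationFailure(Exception cause) {
        CryptoTokenAuthenticationFailedException wrapped = new CryptoTokenAuthenticationFailedException(cause.getMessage());
        wrapped.initCause(cause);
        return wrapped;
    }

    /** Wraps {@code cause} as an offline condition, preserving it as the cause. */
    private static CryptoTokenOfflineException offline(Exception cause) {
        CryptoTokenOfflineException wrapped = new CryptoTokenOfflineException(cause.getMessage());
        wrapped.initCause(cause);
        return wrapped;
    }

    /** Logs a keystore-creation failure and wraps it as an authentication failure. */
    private static CryptoTokenAuthenticationFailedException creationFailure(Exception cause) {
        log.error(cause);
        return authenticationFailure(cause);
    }
}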
