package org.cesecore.keys.util;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintStream;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.DSAParameterSpec;
import java.security.spec.ECFieldFp;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.EllipticCurve;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAKeyGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import javax.crypto.interfaces.DHPrivateKey;
import javax.crypto.interfaces.DHPublicKey;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.bc.BcX509ExtensionUtils;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
import org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util;
import org.bouncycastle.jce.ECGOST3410NamedCurveTable;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
import org.bouncycastle.jce.provider.JCEECPublicKey;
import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;
import org.bouncycastle.jce.spec.ECNamedCurveSpec;
import org.bouncycastle.jce.spec.ECPublicKeySpec;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.util.encoders.Hex;
import org.cesecore.certificates.util.AlgorithmConstants;
import org.cesecore.certificates.util.AlgorithmTools;
import org.cesecore.config.CesecoreConfiguration;
import org.cesecore.internal.InternalResources;
import org.cesecore.util.Base64;
import org.cesecore.util.CertTools;
import org.cesecore.util.CryptoProviderTools;
import org.ejbca.cvc.PublicKeyEC;

/* loaded from: input_file:org/cesecore/keys/util/KeyTools.class */
public final class KeyTools {
    private static final Logger log = Logger.getLogger(KeyTools.class);
    private static final InternalResources intres = InternalResources.getInstance();
    // Fixed fragments of the OpenSSL-style "Bag Attributes" PEM bundle emitted by getSinglePemFromKeyStore.
    // NOTE(review): getBytes() without a charset uses the platform default; the literals are pure ASCII so
    // the bytes are identical on any ASCII-compatible platform, but an explicit charset would make that obvious.
    private static final byte[] BAG_ATTRIBUTES = "Bag Attributes\n".getBytes();
    private static final byte[] FRIENDLY_NAME = "    friendlyName: ".getBytes();
    private static final byte[] SUBJECT_ATTRIBUTE = "subject=/".getBytes();
    private static final byte[] ISSUER_ATTRIBUTE = "issuer=/".getBytes();
    // PEM armour lines; the certificate ones are shared with CertTools so all exporters agree.
    private static final byte[] BEGIN_CERTIFICATE = CertTools.BEGIN_CERTIFICATE.getBytes();
    private static final byte[] END_CERTIFICATE = CertTools.END_CERTIFICATE.getBytes();
    // Unencrypted PKCS#8 armour: the key written between these lines is plaintext.
    private static final byte[] BEGIN_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----".getBytes();
    private static final byte[] END_PRIVATE_KEY = "-----END PRIVATE KEY-----".getBytes();
    private static final byte[] NL = "\n".getBytes();

    /** Static utility class; never instantiated. */
    private KeyTools() {
    }

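    /**
     * Generates a key pair using the BouncyCastle ("BC") provider.
     *
     * @param str key specification: a named curve (or the literal "implicitlyCA") for ECDSA, a named curve for
     *            ECGOST3410, a curve identifier for DSTU4145 (resolved via {@code dstuOidToAlgoParams}), "DSA"
     *            followed by a bit length for DSA, or a plain bit length for any other algorithm (e.g. RSA)
     * @param algorithmParameterSpec explicit parameters, used for the EC-type algorithms when {@code str} does not
     *            select a named curve
     * @param str2 key algorithm name handed to {@link KeyPairGenerator#getInstance(String, String)}
     * @return the generated key pair
     * @throws InvalidAlgorithmParameterException if no usable specification was given, a named curve is unknown to
     *             the lookup table, or a numeric key size cannot be parsed
     * @throws IllegalStateException if the algorithm is unknown to BC or the BC provider is not installed
     */
    public static KeyPair genKeys(final String str, final AlgorithmParameterSpec algorithmParameterSpec, final String str2) throws InvalidAlgorithmParameterException {
        if (log.isTraceEnabled()) {
            log.trace(">genKeys(" + str + ", " + str2 + ")");
        }
        try {
            final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(str2, "BC");
            // Every initialize() below draws from a fresh SecureRandom; no caller-supplied RNG is accepted.
            if (StringUtils.equals(str2, AlgorithmConstants.KEYALGORITHM_ECDSA)) {
                if (str != null && !StringUtils.equals(str, "implicitlyCA")) {
                    log.debug("Generating named curve ECDSA key pair: " + str);
                    keyPairGenerator.initialize(new ECGenParameterSpec(str), new SecureRandom());
                } else if (algorithmParameterSpec != null) {
                    log.debug("Generating ECDSA key pair from AlgorithmParameterSpec: " + algorithmParameterSpec);
                    keyPairGenerator.initialize(algorithmParameterSpec, new SecureRandom());
                } else if (StringUtils.equals(str, "implicitlyCA")) {
                    // A null spec makes BC fall back to its provider-wide implicitlyCA curve configuration.
                    log.debug("Generating implicitlyCA encoded ECDSA key pair");
                    keyPairGenerator.initialize((AlgorithmParameterSpec) null, new SecureRandom());
                } else {
                    throw new InvalidAlgorithmParameterException("No keySpec no algSpec and no implicitlyCA specified");
                }
            } else if (str2.equals(AlgorithmConstants.KEYALGORITHM_ECGOST3410)) {
                final AlgorithmParameterSpec gostSpec;
                if (str != null) {
                    log.debug("Generating keys from given key specifications : " + str);
                    gostSpec = ECGOST3410NamedCurveTable.getParameterSpec(str);
                    if (gostSpec == null) {
                        throw new InvalidAlgorithmParameterException("Key specification " + str + " is invalid for ECGOST3410");
                    }
                } else if (algorithmParameterSpec != null) {
                    log.debug("Generating keys from given algorithm parameters : " + algorithmParameterSpec);
                    gostSpec = algorithmParameterSpec;
                } else {
                    throw new InvalidAlgorithmParameterException("No key or algorithm specifications");
                }
                keyPairGenerator.initialize(gostSpec, new SecureRandom());
            } else if (str2.equals(AlgorithmConstants.KEYALGORITHM_DSTU4145)) {
                final AlgorithmParameterSpec dstuSpec;
                if (str != null) {
                    log.debug("Generating keys from given key specifications : " + str);
                    dstuSpec = dstuOidToAlgoParams(str);
                    if (dstuSpec == null) {
                        throw new InvalidAlgorithmParameterException("Key specification " + str + " is invalid for DSTU4145");
                    }
                } else if (algorithmParameterSpec != null) {
                    log.debug("Generating keys from given algorithm parameters : " + algorithmParameterSpec);
                    dstuSpec = algorithmParameterSpec;
                } else {
                    throw new InvalidAlgorithmParameterException("No key or algorithm specifications");
                }
                keyPairGenerator.initialize(dstuSpec, new SecureRandom());
            } else {
                // Size-based algorithms (DSA, RSA, ...): the spec string is a bit length, optionally prefixed "DSA".
                if (str == null) {
                    throw new InvalidAlgorithmParameterException("No key specification given for algorithm " + str2);
                }
                final String keySizeText = str.startsWith(AlgorithmConstants.KEYALGORITHM_DSA)
                        ? str.substring(AlgorithmConstants.KEYALGORITHM_DSA.length())
                        : str;
                try {
                    keyPairGenerator.initialize(Integer.parseInt(keySizeText));
                } catch (NumberFormatException e) {
                    // Report a bad size through the declared exception rather than an unchecked NumberFormatException.
                    throw new InvalidAlgorithmParameterException("Key specification '" + str + "' is not a valid key size for " + str2, e);
                }
            }
            final KeyPair generatedKeyPair = keyPairGenerator.generateKeyPair();
            if (log.isDebugEnabled()) {
                log.debug("Generated " + generatedKeyPair.getPublic().getAlgorithm() + " keys with length " + getKeyLength(generatedKeyPair.getPublic()));
            }
            log.trace("<genKeys()");
            return generatedKeyPair;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Algorithm " + str2 + " was not recognized.", e);
        } catch (NoSuchProviderException e2) {
            throw new IllegalStateException("BouncyCastle was not found as a provider.", e2);
        }
    }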

    /**
     * Convenience overload of {@link #genKeys(String, AlgorithmParameterSpec, String)} without explicit
     * algorithm parameters.
     *
     * @param str key specification string (curve name, key size, ...)
     * @param str2 key algorithm name
     * @return the generated key pair
     * @throws InvalidAlgorithmParameterException if the specification cannot be used for the algorithm
     */
    public static KeyPair genKeys(final String str, final String str2) throws InvalidAlgorithmParameterException {
        final AlgorithmParameterSpec noExplicitParams = null;
        return genKeys(str, noExplicitParams, str2);
    }

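    /**
     * Completes a CVC EC public key that carries no domain parameters by attaching the named curve {@code str}.
     * Any other key, a null curve name, or a key that already has parameters is returned unchanged.
     *
     * @param publicKey the key to complete
     * @param str name of the curve the key was generated on (looked up in BC's ECNamedCurveTable)
     * @return a BC ECDSA public key with parameters, or {@code publicKey} itself when nothing needed doing
     * @throws InvalidKeySpecException if {@code str} is not a known curve name, or the point cannot be turned
     *             into a key
     * @throws NoSuchAlgorithmException if BC has no ECDSA key factory
     * @throws NoSuchProviderException if the BC provider is not installed
     */
    public static PublicKey getECPublicKeyWithParams(final PublicKey publicKey, final String str) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeySpecException {
        if (!(publicKey instanceof PublicKeyEC) || str == null) {
            return publicKey;
        }
        final PublicKeyEC publicKeyEC = (PublicKeyEC) publicKey;
        if (publicKeyEC.getParams() != null) {
            return publicKey;
        }
        final ECNamedCurveParameterSpec parameterSpec = ECNamedCurveTable.getParameterSpec(str);
        if (parameterSpec == null) {
            // Without this check an unknown curve name surfaces as a NullPointerException below.
            throw new InvalidKeySpecException("Unknown named curve: " + str);
        }
        // NOTE(review): whether W is checked to lie on the chosen curve depends on the BC version's key factory;
        // if the key comes from an untrusted source, confirm that validation happens somewhere.
        final KeyFactory keyFactory = KeyFactory.getInstance(AlgorithmConstants.KEYALGORITHM_ECDSA, "BC");
        final ECPoint point = EC5Util.convertPoint(parameterSpec.getCurve(), publicKeyEC.getW(), false);
        return keyFactory.generatePublic(new ECPublicKeySpec(point, parameterSpec));
    }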

    /**
     * Completes a CVC EC public key that carries no domain parameters by copying the parameters of a second
     * CVC EC key (typically the issuing CA's). Anything that does not fit that shape is returned unchanged,
     * with an info-level log line saying why.
     *
     * @param publicKey the key to complete
     * @param publicKey2 a key whose EC parameters should be reused
     * @return a BC ECDSA public key with parameters, or {@code publicKey} itself when nothing needed doing
     * @throws InvalidKeySpecException if the point and parameters cannot be turned into a key
     * @throws IllegalStateException if BC or its ECDSA key factory is unavailable
     */
    public static PublicKey getECPublicKeyWithParams(final PublicKey publicKey, final PublicKey publicKey2) throws InvalidKeySpecException {
        if (!(publicKey instanceof PublicKeyEC) || !(publicKey2 instanceof PublicKeyEC)) {
            log.info("Either pk or pkwithparams is not a PublicKeyEC: " + publicKey.toString() + ", " + publicKey2.toString());
            return publicKey;
        }
        final PublicKeyEC bareKey = (PublicKeyEC) publicKey;
        if (bareKey.getParams() != null) {
            return publicKey;
        }
        final ECParameterSpec donorParams = ((PublicKeyEC) publicKey2).getParams();
        if (donorParams == null) {
            log.info("pkwithparams does not have any params.");
            return publicKey;
        }
        try {
            final KeyFactory keyFactory = KeyFactory.getInstance(AlgorithmConstants.KEYALGORITHM_ECDSA, "BC");
            final ECPoint point = EC5Util.convertPoint(donorParams, bareKey.getW(), false);
            return keyFactory.generatePublic(new ECPublicKeySpec(point, EC5Util.convertSpec(donorParams, false)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("ECDSA was an unknown algorithm", e);
        } catch (NoSuchProviderException e2) {
            throw new IllegalStateException("BouncyCastle was not found as a provider.", e2);
        }
    }

    /**
     * Returns the nominal strength of a public key in bits: the modulus size for RSA, the bit length of the
     * curve order for EC keys (0 if the key carries no parameters), and the size of p for DSA (falling back to
     * the bit length of y when no parameters are present).
     *
     * @param publicKey the key to measure; may be null
     * @return the key length in bits, or -1 for null or unsupported key types
     */
    public static int getKeyLength(final PublicKey publicKey) {
        if (publicKey instanceof RSAPublicKey) {
            return ((RSAPublicKey) publicKey).getModulus().bitLength();
        }
        // BC's own EC key classes are checked before the generic interface so their (possibly absent) parameters win.
        if (publicKey instanceof JCEECPublicKey) {
            final org.bouncycastle.jce.spec.ECParameterSpec bcSpec = ((JCEECPublicKey) publicKey).getParameters();
            return bcSpec == null ? 0 : bcSpec.getN().bitLength();
        }
        if (publicKey instanceof BCECPublicKey) {
            final org.bouncycastle.jce.spec.ECParameterSpec bcSpec = ((BCECPublicKey) publicKey).getParameters();
            return bcSpec == null ? 0 : bcSpec.getN().bitLength();
        }
        if (publicKey instanceof ECPublicKey) {
            final ECParameterSpec jcaSpec = ((ECPublicKey) publicKey).getParams();
            return jcaSpec == null ? 0 : jcaSpec.getOrder().bitLength();
        }
        if (publicKey instanceof DSAPublicKey) {
            final DSAPublicKey dsaKey = (DSAPublicKey) publicKey;
            final DSAParams dsaParams = dsaKey.getParams();
            return dsaParams == null ? dsaKey.getY().bitLength() : dsaParams.getP().bitLength();
        }
        return -1;
    }

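    /**
     * Derives key-generation parameters that would reproduce a key of the same type and size as {@code publicKey}:
     * an {@link RSAKeyGenParameterSpec} (size and public exponent) for RSA, a {@link DSAParameterSpec} (p, q, g)
     * for DSA, a fresh {@link ECParameterSpec} copied from the key for EC keys, or a BC {@link ECNamedCurveSpec}
     * for BC's legacy EC key class.
     *
     * @param publicKey the key to derive parameters from; may be null
     * @return the parameter spec, or null for a null key, an unsupported key type, or a DSA/EC key that carries
     *         no parameters
     */
    public static AlgorithmParameterSpec getKeyGenSpec(final PublicKey publicKey) {
        if (publicKey == null) {
            return null;
        }
        if (publicKey instanceof RSAPublicKey) {
            log.debug("getKeyGenSpec: RSA");
            return new RSAKeyGenParameterSpec(getKeyLength(publicKey), ((RSAPublicKey) publicKey).getPublicExponent());
        }
        if (publicKey instanceof DSAPublicKey) {
            log.debug("getKeyGenSpec: DSA");
            final DSAParams dsaParams = ((DSAPublicKey) publicKey).getParams();
            if (dsaParams == null) {
                // A DSA key without parameters cannot tell us p/q/g; previously this was a NullPointerException.
                log.debug("getKeyGenSpec: DSA key carries no parameters");
                return null;
            }
            return new DSAParameterSpec(dsaParams.getP(), dsaParams.getQ(), dsaParams.getG());
        }
        if (publicKey instanceof ECPublicKey) {
            log.debug("getKeyGenSpec: ECPublicKey");
            final ECParameterSpec keyParams = ((ECPublicKey) publicKey).getParams();
            if (keyParams == null) {
                // e.g. an implicitlyCA key: nothing to copy.
                log.debug("getKeyGenSpec: EC key carries no parameters");
                return null;
            }
            // Rebuild the curve from field/a/b only; the seed (if any) is deliberately not carried over.
            final EllipticCurve sourceCurve = keyParams.getCurve();
            final ECParameterSpec spec = new ECParameterSpec(new EllipticCurve(sourceCurve.getField(), sourceCurve.getA(), sourceCurve.getB()),
                    keyParams.getGenerator(), keyParams.getOrder(), keyParams.getCofactor());
            if (log.isDebugEnabled()) {
                final EllipticCurve curve = spec.getCurve();
                log.debug("Fieldsize: " + curve.getField().getFieldSize());
                log.debug("CurveA: " + curve.getA().toString(16));
                log.debug("CurveB: " + curve.getB().toString(16));
                log.debug("CurveSeed: " + curve.getSeed());
                // Only prime fields expose a modulus; the unconditional cast used to throw for binary (F2m) curves.
                if (curve.getField() instanceof ECFieldFp) {
                    log.debug("CurveSfield: " + ((ECFieldFp) curve.getField()).getP().toString(16));
                } else {
                    log.debug("CurveSfield: non-prime field " + curve.getField().getClass().getName());
                }
                final ECPoint generator = spec.getGenerator();
                log.debug("Generator: " + generator.getAffineX().toString(16) + ", " + generator.getAffineY().toString(16));
                log.debug("Order: " + spec.getOrder().toString(16));
                log.debug("CoFactor: " + spec.getCofactor());
            }
            return spec;
        }
        if (publicKey instanceof JCEECPublicKey) {
            // NOTE(review): JCEECPublicKey appears to also implement java.security.interfaces.ECPublicKey, in which
            // case the branch above already handled it and this one is never reached; kept for safety.
            log.debug("getKeyGenSpec: JCEECPublicKey");
            final org.bouncycastle.jce.spec.ECParameterSpec bcParams = ((JCEECPublicKey) publicKey).getParameters();
            return new ECNamedCurveSpec((String) null, bcParams.getCurve(), bcParams.getG(), bcParams.getN(), bcParams.getH());
        }
        return null;
    }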

    /**
     * Builds a BC PKCS#12 keystore from a private key, its certificate and a single (optional) CA certificate.
     * See {@link #createP12(String, PrivateKey, Certificate, Certificate[])} for the details.
     *
     * @param str alias (and friendlyName) for the key entry
     * @param privateKey the private key to store
     * @param certificate the end-entity certificate; must not be null
     * @param certificate2 the issuing CA certificate, or null for no chain
     * @return an in-memory keystore containing the entry
     */
    public static KeyStore createP12(final String str, final PrivateKey privateKey, final Certificate certificate, final Certificate certificate2) throws IOException, KeyStoreException, CertificateException, NoSuchProviderException, NoSuchAlgorithmException, InvalidKeySpecException {
        final Certificate[] caChain;
        if (certificate2 == null) {
            caChain = null;
        } else {
            caChain = new Certificate[] { certificate2 };
        }
        return createP12(str, privateKey, certificate, caChain);
    }

    /**
     * Builds a BC PKCS#12 keystore from a private key, its certificate and a CA chain given as a collection.
     * See {@link #createP12(String, PrivateKey, Certificate, Certificate[])} for the details.
     *
     * @param str alias (and friendlyName) for the key entry
     * @param privateKey the private key to store
     * @param certificate the end-entity certificate; must not be null
     * @param collection the CA certificates in chain order, or null for no chain
     * @return an in-memory keystore containing the entry
     */
    public static KeyStore createP12(final String str, final PrivateKey privateKey, final Certificate certificate, final Collection<Certificate> collection) throws IOException, KeyStoreException, CertificateException, NoSuchProviderException, NoSuchAlgorithmException, InvalidKeySpecException {
        Certificate[] caChain = null;
        if (collection != null) {
            caChain = collection.toArray(new Certificate[collection.size()]);
        }
        return createP12(str, privateKey, certificate, caChain);
    }

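    /**
     * Builds an in-memory BC PKCS#12 keystore holding {@code privateKey} under alias {@code str} together with
     * its certificate and CA chain. All certificates and the key are re-created through BC so that PKCS#12 bag
     * attributes (friendlyName, localKeyId) can be attached; the CA certificates get a friendly name derived
     * from their CN (or O, or OU, or a placeholder) plus their position in the chain.
     *
     * The key entry is stored with a null key password; protection is applied by the caller when the keystore
     * is written out with {@code KeyStore.store(...)}.
     *
     * @param str alias (and friendlyName) for the key entry
     * @param privateKey the private key; must be extractable ({@code getEncoded()} must not return null)
     * @param certificate the end-entity certificate; must not be null
     * @param certificateArr the CA certificates in chain order, or null for no chain
     * @return the populated keystore
     * @throws IllegalArgumentException if {@code certificate} is null
     * @throws InvalidKeySpecException if the key cannot be re-encoded through BC, including non-extractable keys
     * @throws IllegalStateException if the BC provider is not installed
     */
    public static KeyStore createP12(final String str, final PrivateKey privateKey, final Certificate certificate, final Certificate[] certificateArr) throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, InvalidKeySpecException {
        if (log.isTraceEnabled()) {
            log.trace(">createP12: alias=" + str + ", privKey, cert=" + CertTools.getSubjectDN(certificate) + ", cachain.length=" + (certificateArr == null ? 0 : certificateArr.length));
        }
        if (certificate == null) {
            throw new IllegalArgumentException("Parameter cert cannot be null.");
        }
        // Re-encode every certificate through the BC-backed factory: only BC certificate objects implement
        // PKCS12BagAttributeCarrier, which is needed to set the bag attributes below.
        final CertificateFactory certificateFactory = CertTools.getCertificateFactory();
        final Certificate[] chain = new Certificate[certificateArr != null ? 1 + certificateArr.length : 1];
        chain[0] = certificateFactory.generateCertificate(new ByteArrayInputStream(certificate.getEncoded()));
        if (certificateArr != null) {
            for (int i = 0; i < certificateArr.length; i++) {
                chain[i + 1] = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certificateArr[i].getEncoded()));
            }
        }
        // Friendly names for the CA certificates: CN, else O, else OU, else "CA_unknown", suffixed with the index.
        for (int i = 1; i < chain.length; i++) {
            final X509Certificate caCert = (X509Certificate) chain[i];
            try {
                final PKCS12BagAttributeCarrier caBagAttr = (PKCS12BagAttributeCarrier) chain[i];
                final String subjectDn = CertTools.getSubjectDN(caCert);
                String caFriendlyName = CertTools.getPartFromDN(subjectDn, "CN");
                if (caFriendlyName == null) {
                    final String organisation = CertTools.getPartFromDN(subjectDn, "O");
                    if (organisation != null) {
                        caFriendlyName = organisation + i;
                    } else {
                        final String orgUnit = CertTools.getPartFromDN(subjectDn, "OU");
                        caFriendlyName = orgUnit == null ? "CA_unknown" + i : orgUnit + i;
                    }
                }
                caBagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(caFriendlyName));
            } catch (ClassCastException e) {
                log.error("ClassCastException setting BagAttributes, can not set friendly name: ", e);
            }
        }
        // End-entity certificate: friendlyName = alias, localKeyId = SKI of its public key (links it to the key bag).
        try {
            final PKCS12BagAttributeCarrier certBagAttr = (PKCS12BagAttributeCarrier) chain[0];
            certBagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(str));
            certBagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, createSubjectKeyId(chain[0].getPublicKey()));
        } catch (ClassCastException e2) {
            log.error("ClassCastException setting BagAttributes, can not set friendly name: ", e2);
        }
        final byte[] encodedKey = privateKey.getEncoded();
        if (encodedKey == null) {
            // Hardware-backed keys typically refuse to export; fail clearly instead of with a NullPointerException.
            throw new InvalidKeySpecException("Private key is not extractable (getEncoded() returned null); cannot build a PKCS#12 keystore.");
        }
        try {
            // Translate the key into a BC key object so it, too, can carry bag attributes.
            final PrivateKey bcPrivateKey = KeyFactory.getInstance(privateKey.getAlgorithm(), "BC").generatePrivate(new PKCS8EncodedKeySpec(encodedKey));
            try {
                final PKCS12BagAttributeCarrier keyBagAttr = (PKCS12BagAttributeCarrier) bcPrivateKey;
                keyBagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(str));
                keyBagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, createSubjectKeyId(chain[0].getPublicKey()));
            } catch (ClassCastException e3) {
                log.error("ClassCastException setting BagAttributes, can not set friendly name: ", e3);
            }
            final KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");
            keyStore.load(null, null);
            // Null key password: the PKCS#12 encryption is chosen by the caller at store() time.
            keyStore.setKeyEntry(str, bcPrivateKey, null, chain);
            if (log.isTraceEnabled()) {
                log.trace("<createP12: alias=" + str + ", privKey, cert=" + CertTools.getSubjectDN(certificate) + ", cachain.length=" + (certificateArr == null ? 0 : certificateArr.length));
            }
            return keyStore;
        } catch (NoSuchProviderException e4) {
            throw new IllegalStateException("BouncyCastle provider was not found.", e4);
        }
    }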

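    /**
     * Builds an in-memory JKS keystore holding {@code privateKey} under alias {@code str}, protected by
     * {@code str2}, with the certificate chain [cert, cachain...]. When a chain is given, its last certificate
     * must be self-signed and is additionally stored as a trusted entry under alias "cacert".
     *
     * Only the self-signed-ness of the last chain element is checked; the chain is not otherwise validated.
     *
     * @param str alias for the key entry
     * @param privateKey the private key to store
     * @param str2 password protecting the key entry; must not be null
     * @param x509Certificate the end-entity certificate; must not be null
     * @param certificateArr the CA certificates in chain order, or null/empty for no chain
     * @return the populated keystore
     * @throws IllegalArgumentException if the certificate or password is null, or the chain's last certificate
     *             is not self-signed
     * @throws IllegalStateException if no JKS implementation is available or the keystore cannot be populated
     */
    public static KeyStore createJKS(final String str, final PrivateKey privateKey, final String str2, final X509Certificate x509Certificate, final Certificate[] certificateArr) throws KeyStoreException {
        if (log.isTraceEnabled()) {
            log.trace(">createJKS: alias=" + str + ", privKey, cert=" + CertTools.getSubjectDN(x509Certificate) + ", cachain.length=" + (certificateArr == null ? 0 : certificateArr.length));
        }
        if (x509Certificate == null) {
            throw new IllegalArgumentException("Parameter cert cannot be null.");
        }
        if (str2 == null) {
            // toCharArray() on a null password used to fail with a NullPointerException deep inside the try blocks.
            throw new IllegalArgumentException("Parameter password cannot be null.");
        }
        final int chainLength = certificateArr == null ? 1 : 1 + certificateArr.length;
        final Certificate[] fullChain = new Certificate[chainLength];
        fullChain[0] = x509Certificate;
        if (certificateArr != null) {
            System.arraycopy(certificateArr, 0, fullChain, 1, certificateArr.length);
        }
        final KeyStore keyStore;
        try {
            keyStore = KeyStore.getInstance("JKS");
        } catch (KeyStoreException e5) {
            throw new IllegalStateException("No JKS implementation found in provider", e5);
        }
        try {
            keyStore.load(null, null);
        } catch (IOException e2) {
            throw new IllegalStateException(e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new IllegalStateException(e3);
        } catch (CertificateException e4) {
            throw new IllegalStateException(e4);
        }
        try {
            if (certificateArr != null && certificateArr.length > 0) {
                // Only the last element is inspected; an empty array used to index at -1.
                final Certificate rootCert = certificateArr[certificateArr.length - 1];
                if (!CertTools.isSelfSigned(rootCert)) {
                    throw new IllegalArgumentException("Root cert is not self-signed.");
                }
                keyStore.setCertificateEntry("cacert", rootCert);
            }
            log.debug("Storing cert chain of length " + fullChain.length);
            // A single setKeyEntry with the full chain; the earlier one-certificate entry was overwritten anyway.
            keyStore.setKeyEntry(str, privateKey, str2.toCharArray(), fullChain);
        } catch (KeyStoreException e) {
            throw new IllegalStateException("Keystore apparently hasn't been loaded?", e);
        }
        if (log.isTraceEnabled()) {
            log.trace("<createJKS: alias=" + str + ", privKey, cert=" + CertTools.getSubjectDN(x509Certificate) + ", cachain.length=" + (certificateArr == null ? 0 : certificateArr.length));
        }
        return keyStore;
    }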

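    /**
     * Exports the first recoverable key entry of a keystore as an OpenSSL-style PEM bundle: the private key
     * (PKCS#8, UNENCRYPTED), the end-entity certificate and, unless that certificate is self-signed, the rest
     * of its chain. Each item is preceded by "Bag Attributes" lines (friendlyName, subject, issuer) in the
     * layout OpenSSL prints when converting a PKCS#12 file.
     *
     * The returned bytes contain the plaintext private key; the caller is responsible for protecting them.
     *
     * @param keyStore keystore holding the key entry
     * @param cArr password protecting the key entry
     * @return the PEM bundle, with all text encoded as UTF-8
     * @throws KeyStoreException if the keystore holds no key entry with a recoverable private key, or no
     *             certificate chain for it
     * @throws UnrecoverableKeyException if the key cannot be recovered or is not extractable
     */
    public static byte[] getSinglePemFromKeyStore(final KeyStore keyStore, final char[] cArr) throws KeyStoreException, CertificateEncodingException, IOException, UnrecoverableKeyException, NoSuchAlgorithmException {
        // Find the first alias that is a key entry holding a private key.
        String alias = null;
        PrivateKey privateKey = null;
        final Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements() && privateKey == null) {
            final String candidate = aliases.nextElement();
            if (!keyStore.isKeyEntry(candidate)) {
                continue;
            }
            // Key entries may also hold symmetric keys; only a PrivateKey can be exported here.
            final Object key = keyStore.getKey(candidate, cArr);
            if (key instanceof PrivateKey) {
                privateKey = (PrivateKey) key;
                alias = candidate;
            }
        }
        if (privateKey == null) {
            // Previously this produced an empty PRIVATE KEY block and then failed on a missing chain.
            throw new KeyStoreException("No key entry with a recoverable private key found in keystore.");
        }
        final byte[] encodedKey = privateKey.getEncoded();
        if (encodedKey == null) {
            throw new UnrecoverableKeyException("Private key under alias '" + alias + "' is not extractable (getEncoded() returned null).");
        }
        final Certificate[] certChain = getCertChain(keyStore, alias);
        if (certChain == null || certChain.length == 0) {
            throw new KeyStoreException("No certificate chain found for key entry '" + alias + "'.");
        }
        final Charset utf8 = Charset.forName("UTF-8");
        final ByteArrayOutputStream out = new ByteArrayOutputStream();
        // Private key block, labelled with the entry's alias.
        out.write(BAG_ATTRIBUTES);
        out.write(FRIENDLY_NAME);
        out.write(alias.getBytes(utf8));
        out.write(NL);
        out.write(BEGIN_PRIVATE_KEY);
        out.write(NL);
        out.write(Base64.encode(encodedKey));
        out.write(NL);
        out.write(END_PRIVATE_KEY);
        out.write(NL);
        // End-entity certificate, same friendly name as the key.
        final X509Certificate leafCert = (X509Certificate) certChain[0];
        writePemCertificateEntry(out, alias, leafCert, utf8);
        // Remaining chain, unless the leaf is its own issuer; CA entries are named after their CN.
        if (!CertTools.isSelfSigned(leafCert)) {
            for (int i = 1; i < certChain.length; i++) {
                final X509Certificate caCert = (X509Certificate) certChain[i];
                String caFriendlyName = CertTools.getPartFromDN(CertTools.getSubjectDN(caCert), "CN");
                if (StringUtils.isEmpty(caFriendlyName)) {
                    caFriendlyName = "Unknown";
                }
                writePemCertificateEntry(out, caFriendlyName, caCert, utf8);
            }
        }
        return out.toByteArray();
    }

    /**
     * Writes one OpenSSL-style certificate entry: "Bag Attributes" with friendlyName, subject and issuer
     * (DN components separated by '/'), followed by the PEM-armoured certificate.
     */
    private static void writePemCertificateEntry(final ByteArrayOutputStream out, final String friendlyName, final X509Certificate cert, final Charset charset) throws IOException, CertificateEncodingException {
        out.write(BAG_ATTRIBUTES);
        out.write(FRIENDLY_NAME);
        out.write(friendlyName.getBytes(charset));
        out.write(NL);
        out.write(SUBJECT_ATTRIBUTE);
        out.write(CertTools.getSubjectDN(cert).replace(',', '/').getBytes(charset));
        out.write(NL);
        out.write(ISSUER_ATTRIBUTE);
        out.write(CertTools.getIssuerDN(cert).replace(',', '/').getBytes(charset));
        out.write(NL);
        out.write(BEGIN_CERTIFICATE);
        out.write(NL);
        out.write(Base64.encode(cert.getEncoded()));
        out.write(NL);
        out.write(END_CERTIFICATE);
        out.write(NL);
    }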

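    /**
     * Encodes a public key as a PEM string using BC's PEM writer.
     *
     * @param publicKey the key to encode
     * @return the PEM text (armour lines plus base64 body)
     * @throws IOException if the PEM writer fails
     */
    public static String getAsPem(final PublicKey publicKey) throws IOException {
        // Use the same charset for writing and reading back; the default-charset writer paired with a "UTF8"
        // decode only happened to agree because PEM output is ASCII.
        final Charset utf8 = Charset.forName("UTF-8");
        final ByteArrayOutputStream out = new ByteArrayOutputStream();
        final JcaPEMWriter pemWriter = new JcaPEMWriter(new OutputStreamWriter(out, utf8));
        try {
            pemWriter.writeObject(publicKey);
        } finally {
            // Closing flushes the writer; it used to be skipped when writeObject threw.
            pemWriter.close();
        }
        return new String(out.toByteArray(), utf8);
    }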

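    /**
     * Returns the certificate chain stored under {@code str}. If the stored chain does not end in a self-signed
     * certificate, the method tries to complete it from other keystore entries by looking up each missing issuer
     * under an alias equal to the issuer's CN, appending whatever chain is found there, until a self-signed
     * certificate is reached, no such alias exists, or an alias would be visited a second time.
     *
     * The appended certificates are matched by alias name only; no signature or name chaining is verified here.
     * Callers that use the result for trust decisions must validate the chain themselves.
     *
     * @param keyStore keystore to read from
     * @param str alias of the entry
     * @return the (possibly extended) chain, an empty array if the stored chain is empty, or null if the alias has
     *         no certificate chain
     * @throws KeyStoreException if the keystore has not been loaded
     */
    public static Certificate[] getCertChain(final KeyStore keyStore, final String str) throws KeyStoreException {
        if (log.isTraceEnabled()) {
            log.trace(">getCertChain: alias='" + str + "'");
        }
        final Certificate[] storedChain = keyStore.getCertificateChain(str);
        if (storedChain == null) {
            return null;
        }
        log.debug("Certchain retrieved from alias '" + str + "' has length " + storedChain.length);
        if (storedChain.length < 1) {
            log.error("Cannot load certificate chain with alias '" + str + "' from keystore.");
            if (log.isTraceEnabled()) {
                log.trace("<getCertChain: alias='" + str + "', retlength=" + storedChain.length);
            }
            return storedChain;
        }
        final Certificate storedLast = storedChain[storedChain.length - 1];
        if (CertTools.isSelfSigned(storedLast)) {
            // Already complete up to a root.
            if (log.isDebugEnabled()) {
                log.debug("Issuer='" + CertTools.getIssuerDN(storedLast) + "'.");
                log.debug("Subject='" + CertTools.getSubjectDN(storedLast) + "'.");
            }
            if (log.isTraceEnabled()) {
                log.trace("<getCertChain: alias='" + str + "', retlength=" + storedChain.length);
            }
            return storedChain;
        }
        final ArrayList<Certificate> chain = new ArrayList<Certificate>();
        for (final Certificate certificate : storedChain) {
            chain.add(certificate);
        }
        // Aliases already consulted; a keystore whose issuer CNs refer back to each other (e.g. cross-signed
        // CAs) would otherwise keep this loop running forever.
        final ArrayList<String> visitedAliases = new ArrayList<String>();
        boolean done = false;
        while (!done) {
            final X509Certificate lastCert = (X509Certificate) chain.get(chain.size() - 1);
            final String issuerAlias = CertTools.getPartFromDN(CertTools.getIssuerDN(lastCert), "CN");
            if (visitedAliases.contains(issuerAlias)) {
                log.error("Certificate chain refers back to alias '" + issuerAlias + "' without reaching a self-signed certificate; stopping.");
                break;
            }
            visitedAliases.add(issuerAlias);
            final Certificate[] issuerChain = keyStore.getCertificateChain(issuerAlias);
            if (issuerChain == null) {
                done = true;
                continue;
            }
            if (log.isDebugEnabled()) {
                log.debug("Loaded certificate chain with length " + issuerChain.length + " with alias '" + issuerAlias + "'.");
            }
            if (issuerChain.length == 0) {
                log.error("No RootCA certificate found!");
                done = true;
            }
            // All of the issuer's chain is appended, even certificates after the first self-signed one.
            for (final Certificate issuerCert : issuerChain) {
                chain.add(issuerCert);
                if (CertTools.isSelfSigned(issuerCert)) {
                    done = true;
                }
            }
        }
        final Certificate[] result = chain.toArray(new Certificate[chain.size()]);
        if (log.isDebugEnabled()) {
            for (final Certificate certificate : result) {
                log.debug("Issuer='" + CertTools.getIssuerDN(certificate) + "'.");
                log.debug("Subject='" + CertTools.getSubjectDN(certificate) + "'.");
            }
        }
        if (log.isTraceEnabled()) {
            log.trace("<getCertChain: alias='" + str + "', retlength=" + result.length);
        }
        return result;
    }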

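    /**
     * Computes the X.509 SubjectKeyIdentifier for a public key from its SubjectPublicKeyInfo encoding. Keys whose
     * {@code getEncoded()} is not a SubjectPublicKeyInfo SEQUENCE are first translated into a BC key object.
     *
     * @param publicKey the key; must be encodable
     * @return the SubjectKeyIdentifier extension value
     * @throws RuntimeException (message "error creating key", cause attached) if the key cannot be encoded,
     *             parsed or translated
     */
    public static SubjectKeyIdentifier createSubjectKeyId(final PublicKey publicKey) {
        try {
            final byte[] encoded = publicKey.getEncoded();
            if (encoded == null) {
                throw new IllegalArgumentException("Public key of type " + publicKey.getAlgorithm() + " has no encoding.");
            }
            ASN1Sequence keySequence = readTopLevelSequence(encoded);
            if (keySequence == null) {
                // Not a SubjectPublicKeyInfo SEQUENCE as-is: let BC re-encode it and parse that instead.
                final PublicKey bcKey = (PublicKey) KeyFactory.getInstance(publicKey.getAlgorithm(), "BC").translateKey(publicKey);
                keySequence = readTopLevelSequence(bcKey.getEncoded());
                if (keySequence == null) {
                    throw new IllegalArgumentException("Public key of type " + publicKey.getAlgorithm() + " does not encode to a SubjectPublicKeyInfo.");
                }
            }
            return new BcX509ExtensionUtils().createSubjectKeyIdentifier(new SubjectPublicKeyInfo(keySequence));
        } catch (Exception e) {
            throw new RuntimeException("error creating key", e);
        }
    }

    /** Parses DER bytes and returns the top-level SEQUENCE, or null when the top-level object is not a SEQUENCE. */
    private static ASN1Sequence readTopLevelSequence(final byte[] encoded) throws IOException {
        final ASN1InputStream asn1In = new ASN1InputStream(new ByteArrayInputStream(encoded));
        try {
            final Object parsed = asn1In.readObject();
            return parsed instanceof ASN1Sequence ? (ASN1Sequence) parsed : null;
        } finally {
            // The previous version re-assigned the stream before closing it, leaking the first one.
            asn1In.close();
        }
    }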

    /**
     * Reports whether export-restricted cryptography is in effect, as determined by
     * {@link CryptoProviderTools#isUsingExportableCryptography()}.
     *
     * @return the value reported by CryptoProviderTools
     */
    public static boolean isUsingExportableCryptography() {
        final boolean exportRestricted = CryptoProviderTools.isUsingExportableCryptography();
        return exportRestricted;
    }

    /**
     * Signs data with a private key, using the default provider lookup for the algorithm.
     *
     * @param privateKey key to sign with
     * @param str        signature algorithm name (e.g. "SHA256withRSA")
     * @param bArr       data to sign
     * @return the signature bytes
     * @throws NoSuchAlgorithmException if no installed provider supports {@code str}
     * @throws InvalidKeyException      if the key cannot be used with the algorithm
     * @throws SignatureException       if the signing engine fails
     */
    public static byte[] signData(PrivateKey privateKey, String str, byte[] bArr) throws SignatureException, NoSuchAlgorithmException, InvalidKeyException {
        final Signature signer = Signature.getInstance(str);
        signer.initSign(privateKey);
        signer.update(bArr);
        final byte[] signatureBytes = signer.sign();
        return signatureBytes;
    }

    /**
     * Verifies a signature over data with a public key, using the default provider lookup for the algorithm.
     *
     * @param publicKey key to verify with
     * @param str       signature algorithm name (e.g. "SHA256withRSA")
     * @param bArr      the signed data
     * @param bArr2     the signature to check
     * @return true if the signature matches the data and key
     * @throws NoSuchAlgorithmException if no installed provider supports {@code str}
     * @throws InvalidKeyException      if the key cannot be used with the algorithm
     * @throws SignatureException       if the verification engine fails
     */
    public static boolean verifyData(PublicKey publicKey, String str, byte[] bArr, byte[] bArr2) throws SignatureException, NoSuchAlgorithmException, InvalidKeyException {
        final Signature verifier = Signature.getInstance(str);
        verifier.initVerify(publicKey);
        verifier.update(bArr);
        final boolean matches = verifier.verify(bArr2);
        return matches;
    }

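    /**
     * Checks that a key pair is usable by signing a fixed test message with the private key through the
     * given provider and verifying the result with the public key through the "BC" provider.
     * <p>
     * The signature algorithm is the first one {@code AlgorithmTools.getSignatureAlgorithms(publicKey)}
     * lists, or SHA1WithRSA if it lists none.
     *
     * @param privateKey key to sign the test message with
     * @param publicKey  key to verify the test signature with
     * @param str        name of an installed provider to sign with; null selects "BC"
     * @throws InvalidKeyException      if signing produces null, the signature does not verify, or the
     *                                  algorithm is unavailable or the signature engine fails
     * @throws IllegalArgumentException if the signing provider named by {@code str} is not installed
     * @throws IllegalStateException    if the "BC" provider is not installed for the verify step
     */
    public static void testKey(PrivateKey privateKey, PublicKey publicKey, String str) throws InvalidKeyException {
        final byte[] testMessage = "Lillan gick pa vagen ut, motte dar en katt...".getBytes();
        final Iterator<String> candidateAlgorithms = AlgorithmTools.getSignatureAlgorithms(publicKey).iterator();
        final String firstAlgorithm = candidateAlgorithms.hasNext() ? candidateAlgorithms.next() : null;
        final String testSigAlg = firstAlgorithm != null ? firstAlgorithm : AlgorithmConstants.SIGALG_SHA1_WITH_RSA;
        if (log.isDebugEnabled()) {
            log.debug("Testing keys with algorithm: " + publicKey.getAlgorithm());
            log.debug("testSigAlg: " + testSigAlg);
            log.debug("provider: " + str);
        }
        if (log.isTraceEnabled()) {
            // Only the private key's class is logged: a provider's toString() may render private key material.
            log.trace("privateKey class: " + privateKey.getClass().getName());
            log.trace("publicKey: " + publicKey);
            log.trace("publicKey class: " + publicKey.getClass().getName());
        }
        final String signProviderName = str != null ? str : "BC";
        final java.security.Provider signProvider = Security.getProvider(signProviderName);
        if (signProvider == null) {
            // Signature.getInstance rejects a null provider with IllegalArgumentException; name the provider here.
            throw new IllegalArgumentException("Provider '" + signProviderName + "' is not installed.");
        }
        try {
            final Signature signer = Signature.getInstance(testSigAlg, signProvider);
            signer.initSign(privateKey);
            signer.update(testMessage);
            final byte[] signatureBytes = signer.sign();
            if (signatureBytes == null) {
                throw new InvalidKeyException("Result from signing is null.");
            }
            if (log.isTraceEnabled()) {
                log.trace("Created signature of size: " + signatureBytes.length);
                log.trace("Created signature: " + new String(Hex.encode(signatureBytes)));
            }
            try {
                // Verification always goes through BC, independent of the provider used for signing.
                final Signature verifier = Signature.getInstance(testSigAlg, "BC");
                verifier.initVerify(publicKey);
                verifier.update(testMessage);
                if (!verifier.verify(signatureBytes)) {
                    throw new InvalidKeyException("Not possible to sign and then verify with key pair.");
                }
            } catch (NoSuchProviderException e) {
                throw new IllegalStateException("BouncyCastle was not found as a provider.", e);
            }
        } catch (NoSuchAlgorithmException e) {
            throw new InvalidKeyException("Exception testing key: " + e.getMessage(), e);
        } catch (SignatureException e) {
            throw new InvalidKeyException("Exception testing key: " + e.getMessage(), e);
        }
    }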

    /**
     * Prints a human-readable summary of a public key's public components in hexadecimal.
     * RSA, EC, DH and DSA keys are recognised; any other key type prints nothing.
     *
     * @param publicKey   key to describe
     * @param printStream destination for the text
     */
    public static void printPublicKeyInfo(PublicKey publicKey, PrintStream printStream) {
        if (publicKey instanceof RSAPublicKey) {
            final RSAPublicKey rsaKey = (RSAPublicKey) publicKey;
            printStream.println("RSA key:");
            printStream.println("  modulus: " + rsaKey.getModulus().toString(16));
            printStream.println("  public exponent: " + rsaKey.getPublicExponent().toString(16));
        } else if (publicKey instanceof ECPublicKey) {
            final ECPoint point = ((ECPublicKey) publicKey).getW();
            printStream.println("Elliptic curve key:");
            printStream.println("  the affine x-coordinate: " + point.getAffineX().toString(16));
            printStream.println("  the affine y-coordinate: " + point.getAffineY().toString(16));
        } else if (publicKey instanceof DHPublicKey) {
            final BigInteger y = ((DHPublicKey) publicKey).getY();
            printStream.println("DH key:");
            printStream.println("  the public value y: " + y.toString(16));
        } else if (publicKey instanceof DSAPublicKey) {
            final BigInteger y = ((DSAPublicKey) publicKey).getY();
            printStream.println("DSA key:");
            printStream.println("  the public value y: " + y.toString(16));
        }
    }

    /**
     * Tells whether the private component of a key is readable through the standard JCA interfaces,
     * i.e. whether the RSA private exponent, EC scalar, DH or DSA private value is present and non-zero.
     *
     * @param privateKey key to inspect
     * @return true if the key exposes a non-null, non-zero private value; false for other key types
     */
    public static boolean isPrivateKeyExtractable(PrivateKey privateKey) {
        final BigInteger secretValue;
        if (privateKey instanceof RSAPrivateKey) {
            secretValue = ((RSAPrivateKey) privateKey).getPrivateExponent();
        } else if (privateKey instanceof ECPrivateKey) {
            secretValue = ((ECPrivateKey) privateKey).getS();
        } else if (privateKey instanceof DHPrivateKey) {
            secretValue = ((DHPrivateKey) privateKey).getX();
        } else if (privateKey instanceof DSAPrivateKey) {
            secretValue = ((DSAPrivateKey) privateKey).getX();
        } else {
            return false;
        }
        // A provider that hides the secret typically reports null or an empty value here.
        return secretValue != null && secretValue.bitLength() > 0;
    }

    /**
     * Validates the key length implied by a key specification string (e.g. "2048", "DSA1024" or a
     * curve name) against the minimum lengths enforced by {@link #checkValidKeyLength(String, int)}.
     * RSA and DSA lengths are parsed from the spec; for other algorithms a key pair is generated and
     * its public key length measured.
     *
     * @param str key specification as used by {@link #keyspecToKeyalg(String)}
     * @throws InvalidKeyException                if the length is below the enforced minimum
     * @throws InvalidAlgorithmParameterException if a key pair cannot be generated for the spec
     */
    public static void checkValidKeyLength(String str) throws InvalidKeyException, InvalidAlgorithmParameterException {
        final String keyAlgorithm = keyspecToKeyalg(str);
        final int keyLength;
        if (keyAlgorithm.equals(AlgorithmConstants.KEYALGORITHM_RSA)) {
            keyLength = Integer.parseInt(str);
        } else if (keyAlgorithm.equals(AlgorithmConstants.KEYALGORITHM_DSA)) {
            // The spec carries the "DSA" prefix followed by the bit length.
            keyLength = Integer.parseInt(str.substring(3));
        } else {
            keyLength = getKeyLength(genKeys(str, keyAlgorithm).getPublic());
        }
        checkValidKeyLength(keyAlgorithm, keyLength);
    }

    /**
     * Validates a public key's length against the minimum enforced for its algorithm.
     *
     * @param publicKey key to check
     * @throws InvalidKeyException if the key is shorter than the enforced minimum
     */
    public static void checkValidKeyLength(PublicKey publicKey) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException {
        final String keyAlgorithm = AlgorithmTools.getKeyAlgorithm(publicKey);
        final int keyLength = getKeyLength(publicKey);
        checkValidKeyLength(keyAlgorithm, keyLength);
    }

    /**
     * Enforces minimum key lengths: 224 bits for ECDSA, ECGOST3410 (when enabled) and DSTU4145
     * (when enabled), and 1024 bits for RSA and DSA. Other algorithms are not checked.
     *
     * @param str key algorithm name, or a DSTU4145 OID prefixed with the configured DSTU OID
     * @param i   key length in bits; for the EC family a non-positive value is not checked
     * @throws InvalidKeyException with a localized message if the length is below the minimum
     */
    public static void checkValidKeyLength(String str, int i) throws InvalidKeyException {
        final boolean isEcdsa = AlgorithmConstants.KEYALGORITHM_ECDSA.equals(str);
        final boolean isEcGost = AlgorithmTools.isGost3410Enabled() && AlgorithmConstants.KEYALGORITHM_ECGOST3410.equals(str);
        final boolean isDstu = AlgorithmTools.isDstu4145Enabled() && str.startsWith(CesecoreConfiguration.getOidDstu4145() + ".");
        if (isEcdsa || isEcGost || isDstu) {
            if (i > 0 && i < 224) {
                throw new InvalidKeyException(intres.getLocalizedMessage("catoken.invalidkeylength", AlgorithmConstants.KEYALGORITHM_ECDSA, "224", Integer.valueOf(i)));
            }
            return;
        }
        final boolean isRsaOrDsa = AlgorithmConstants.KEYALGORITHM_RSA.equals(str) || AlgorithmConstants.KEYALGORITHM_DSA.equals(str);
        if (isRsaOrDsa && i < 1024) {
            throw new InvalidKeyException(intres.getLocalizedMessage("catoken.invalidkeylength", "RSA/DSA", "1024", Integer.valueOf(i)));
        }
    }

    /**
     * Wraps a DSTU4145 curve OID as the parameter spec a key pair generator expects.
     *
     * @param str the curve OID
     * @return an {@link ECGenParameterSpec} naming that OID
     */
    public static AlgorithmParameterSpec dstuOidToAlgoParams(String str) {
        final ECGenParameterSpec curveByOid = new ECGenParameterSpec(str);
        return curveByOid;
    }

    /**
     * Maps a key specification string to its key algorithm constant: purely numeric specs are RSA,
     * "DSA"-prefixed specs are DSA, ECGOST3410 and DSTU4145 prefixes map to their algorithms when
     * enabled, and everything else is treated as an ECDSA curve name.
     *
     * @param str key specification
     * @return one of the AlgorithmConstants.KEYALGORITHM_* values
     */
    public static String keyspecToKeyalg(String str) {
        if (StringUtils.isNumeric(str)) {
            return AlgorithmConstants.KEYALGORITHM_RSA;
        }
        if (str.startsWith(AlgorithmConstants.KEYALGORITHM_DSA)) {
            return AlgorithmConstants.KEYALGORITHM_DSA;
        }
        if (AlgorithmTools.isGost3410Enabled() && str.startsWith(AlgorithmConstants.KEYSPECPREFIX_ECGOST3410)) {
            return AlgorithmConstants.KEYALGORITHM_ECGOST3410;
        }
        // The DSTU OID prefix is only consulted when DSTU4145 support is switched on.
        if (AlgorithmTools.isDstu4145Enabled() && str.startsWith(CesecoreConfiguration.getOidDstu4145() + ".")) {
            return AlgorithmConstants.KEYALGORITHM_DSTU4145;
        }
        return AlgorithmConstants.KEYALGORITHM_ECDSA;
    }

    /**
     * Strips the "DSA" prefix from a DSA key specification; other specs are returned unchanged.
     *
     * @param str key specification
     * @return the spec without its three-character DSA prefix, or {@code str} itself
     */
    public static String shortenKeySpec(String str) {
        if (!str.startsWith(AlgorithmConstants.KEYALGORITHM_DSA)) {
            return str;
        }
        return str.substring(3);
    }

    /**
     * Builds a key specification from an algorithm and a spec: DSA specs get the "DSA" prefix
     * prepended, all other specs are returned unchanged.
     *
     * @param str  key algorithm name
     * @param str2 key specification (bit length or curve name)
     * @return the combined key specification
     */
    public static String keyalgspecToKeyspec(String str, String str2) {
        final boolean isDsa = AlgorithmConstants.KEYALGORITHM_DSA.equals(str);
        if (isDsa) {
            return AlgorithmConstants.KEYALGORITHM_DSA + str2;
        }
        return str2;
    }

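    /**
     * Decodes a DER-encoded SubjectPublicKeyInfo into a {@link PublicKey} via the "BC" provider.
     * The KeyFactory is selected by the algorithm OID found in the structure.
     *
     * @param bArr DER bytes of a SubjectPublicKeyInfo
     * @return the decoded key, or null if the bytes cannot be parsed, the algorithm OID has no
     *         KeyFactory, the key spec is rejected, or the BC provider is not installed; each of
     *         these is logged at debug level. Unchecked exceptions from the ASN.1 layer propagate.
     */
    public static PublicKey getPublicKeyFromBytes(byte[] bArr) {
        PublicKey publicKey = null;
        final ASN1InputStream asn1In = new ASN1InputStream(bArr);
        try {
            final SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(asn1In.readObject());
            final String algorithmOid = keyInfo.getAlgorithm().getAlgorithm().getId();
            // Re-encode the whole structure as the X.509 key spec the factory expects.
            publicKey = KeyFactory.getInstance(algorithmOid, "BC").generatePublic(new X509EncodedKeySpec(new DERBitString(keyInfo).getBytes()));
        } catch (IOException | NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException e) {
            log.debug("Unable to decode PublicKey.", e);
        } finally {
            // Single close point replaces the per-catch duplicates; a close failure is only logged.
            try {
                asn1In.close();
            } catch (IOException e) {
                log.debug("Unable to close input stream.");
            }
        }
        return publicKey;
    }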

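    /**
     * Extracts and Base64-decodes the text between two PEM marker strings.
     *
     * @param str  PEM text to search
     * @param str2 begin marker (e.g. "-----BEGIN PUBLIC KEY-----")
     * @param str3 end marker, searched for after the begin marker
     * @return the decoded bytes, or null if either marker is absent (logged at debug level); any
     *         exception the Base64 decoder raises on malformed body text propagates to the caller
     */
    public static byte[] getBytesFromPEM(String str, String str2, String str3) {
        final int beginAt = str.indexOf(str2);
        final int endAt = str.indexOf(str3, beginAt);
        if (beginAt == -1 || endAt == -1) {
            log.debug("Could not find " + str2 + " and " + str3 + " lines in PEM");
            return null;
        }
        final String body = str.substring(beginAt + str2.length(), endAt);
        // ASCII is always available, so use the Charset directly instead of a name lookup whose
        // UnsupportedEncodingException could never be thrown.
        return Base64.decode(body.getBytes(Charset.forName("ASCII")));
    }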

    /**
     * Returns the DER bytes of a public key file: if the content is PEM with BEGIN/END PUBLIC KEY
     * markers the Base64 body is decoded, otherwise the input is returned unchanged (presumably
     * already DER — the caller must handle that case).
     *
     * @param bArr file content, either PEM text or raw bytes
     * @return decoded PEM body, or {@code bArr} itself when no PEM markers are found
     */
    public static byte[] getBytesFromPublicKeyFile(byte[] bArr) {
        // Decoding as ASCII maps any non-ASCII byte to a replacement character before the marker search.
        final String pemText = Charset.forName("ASCII").decode(ByteBuffer.wrap(bArr)).toString();
        final byte[] decoded = getBytesFromPEM(pemText, CertTools.BEGIN_PUBLIC_KEY, CertTools.END_PUBLIC_KEY);
        if (decoded == null) {
            return bArr;
        }
        return decoded;
    }
}
