package com.rsa.certj.provider.db.pkcs11;

import com.bea.security.saml2.util.SAML2Constants;
import com.rsa.certj.CertJ;
import com.rsa.certj.CertJUtils;
import com.rsa.certj.InvalidParameterException;
import com.rsa.certj.NotSupportedException;
import com.rsa.certj.Provider;
import com.rsa.certj.ProviderImplementation;
import com.rsa.certj.ProviderManagementException;
import com.rsa.certj.cert.CRL;
import com.rsa.certj.cert.CertificateException;
import com.rsa.certj.cert.NameException;
import com.rsa.certj.cert.X500Name;
import com.rsa.certj.cert.X509Certificate;
import com.rsa.certj.cert.X509V3Extensions;
import com.rsa.certj.cms.InfoObjectFactory;
import com.rsa.certj.internal.JSAFEFactory;
import com.rsa.certj.spi.db.DatabaseException;
import com.rsa.certj.spi.db.DatabaseInterface;
import com.rsa.jsafe.JSAFE_Exception;
import com.rsa.jsafe.JSAFE_InvalidParameterException;
import com.rsa.jsafe.JSAFE_MessageDigest;
import com.rsa.jsafe.JSAFE_PKCS11SessionSpec;
import com.rsa.jsafe.JSAFE_PrivateKey;
import com.rsa.jsafe.JSAFE_PublicKey;
import com.rsa.jsafe.JSAFE_SecureRandom;
import com.rsa.jsafe.JSAFE_Session;
import com.rsa.jsafe.JSAFE_SessionSpec;
import com.rsa.jsafe.JSAFE_Signature;
import com.rsa.jsafe.JSAFE_UnimplementedException;
import com.rsa.jsafe.provider.HardwareIterator;
import com.rsa.jsafe.provider.HardwareStore;
import com.rsa.jsafe.provider.HardwareStoreException;
import com.rsa.jsafe.provider.JsafeJCE;
import com.rsa.jsafe.provider.JsafeJCEPKCS11;
import com.rsa.jsafe.provider.PKCS11CertIteratorParameters;
import com.rsa.jsafe.provider.PKCS11Key;
import com.rsa.jsafe.provider.PKCS11KeyIteratorParameters;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Date;
import java.util.Properties;
import java.util.Vector;

/* loaded from: input_file:com/rsa/certj/provider/db/pkcs11/PKCS11DB.class */
public final class PKCS11DB extends Provider {
    /** JCE PKCS#11 provider backing this store; every operation in the implementation refuses to run while it is null ("Session is not open"). */
    JsafeJCEPKCS11 p11Provider;
    /** Hardware store from which the certificate and private-key iterators are obtained. */
    HardwareStore store;
    /** JCE provider instance; not referenced in the part of the class shown here. */
    private final java.security.Provider jsafeJCE;
    /** In-progress certificate enumeration, or null when none is set up (guarded by the inner class's certIteratorLock). */
    private HardwareIterator<Certificate> certIterator;
    /** In-progress private-key enumeration, or null when none is set up (guarded by keyIteratorLock); setupPrivateKeyIterator only enumerates RSA keys. */
    private HardwareIterator<Key> keyIterator;
    /** Session state; neither field is referenced in the part of the class shown here. */
    private JSAFE_Session session;
    private boolean sessionFlag;
    // Error texts, presumably used by the session/provider setup code that lies outside this view.
    private static final String PASSED_IN_SESSION_IS_NULL = "Passed in session is null.";
    private static final String CANNOT_CREATE_PKCS_11_SESSION = "Cannot create PKCS#11 session.";
    private static final String CANNOT_CREATE_PROVIDER = "Cannot create provider.";

    /* loaded from: input_file:com/rsa/certj/provider/db/pkcs11/PKCS11DB$PKCS11DBImplementation.class */
    private final class PKCS11DBImplementation extends ProviderImplementation implements DatabaseInterface {
        /** Serializes certificate insert/select/delete calls into the token. */
        private final Object certLock;
        /** Serializes private-key insert/select/delete calls into the token. */
        private final Object keyLock;
        /** Guards PKCS11DB.this.certIterator. */
        private final Object certIteratorLock;
        /** Guards PKCS11DB.this.keyIterator. */
        private final Object keyIteratorLock;
        // Message prefixes for DatabaseException / NotSupportedException text.
        private static final String PROVIDER_INSERT_CERTIFICATE = "PKCS11DBProvider.insertCertificate: ";
        private static final String INSERT_PRIVATE_KEY_BY_CERTIFICATE = "PKCS11DBProvider.insertPrivateKeyByCertificate: ";
        private static final String INSERT_PRIVATE_KEY_BY_PUBLIC_KEY = "PKCS11DBProvider.insertPrivateKeyByPublicKey: ";
        private static final String SELECT_CERTIFICATE_SESSION_IS_NOT_OPEN = "PKCS11DBProvider.selectCertificate: Session is not open.";
        private static final String PKCS11_DB_PROVIDER_DOES_NOT_SUPPORT = "PKCS11 DB provider does not support ";
        /** JSAFE device name passed to JSAFEFactory.getPrivateKey when wrapping a token-resident key (see setPrivateKeyData). */
        private static final String PKCS11 = "PKCS11";
        // Layout of the second blob returned by nativeSelectPrivateKey/nativeNextPrivateKey: the key-type byte
        // sits at index KEY_TYPE_OFFSET and the remainder follows it. setPrivateKeyData() uses the literals
        // 7/0/1/2 rather than these names; keep both in sync.
        private static final int KEY_TYPE_OFFSET = 7;
        private static final int RSA_KEY_TYPE = 0;
        private static final int DSA_KEY_TYPE = 1;
        private static final int DH_KEY_TYPE = 2;
        /** Fixed plaintext, presumably signed/verified by the inherited pairwiseCheck() (not shown here) — confirm. */
        private final byte[] toSign;

        /**
         * Binds this implementation to its CertJ context and provider name.
         * Four distinct monitors are created so certificate work, key work and the two
         * enumerations never serialize against each other.
         *
         * @param certJ owning CertJ context
         * @param str   provider name handed to ProviderImplementation
         * @throws InvalidParameterException propagated from the ProviderImplementation constructor
         */
        private PKCS11DBImplementation(CertJ certJ, String str) throws InvalidParameterException {
            super(certJ, str);
            certLock = new Object();
            keyLock = new Object();
            certIteratorLock = new Object();
            keyIteratorLock = new Object();
            // ASCII-only probe text, encoded with the platform default charset; presumably the
            // sign/verify input of the inherited pairwiseCheck() (not visible here).
            toSign = "Message to sign".getBytes();
        }

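        /**
         * Stores an X.509 certificate on the token.
         * The CKA_ID written alongside it is derived from the certificate's public key (see getCkaId) so the
         * token can pair it with a matching private key; for EC keys, or when the key cannot be read, that id
         * is null and is passed through to the native layer as-is. No validation of the certificate's
         * signature or validity is performed here.
         *
         * @param certificate an X509Certificate (the cast is unconditional)
         * @throws DatabaseException if the argument is null, the provider is not open, the certificate lacks an
         *                           issuer or serial number, cannot be DER-encoded, or the token insert fails
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public void insertCertificate(com.rsa.certj.cert.Certificate certificate) throws DatabaseException {
            if (certificate == null) {
                throw new DatabaseException("PKCS11DBProvider.insertCertificate: cert should not be null.");
            }
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.insertCertificate: Session is not open. MES DB Provider is not initialized.");
            }
            X509Certificate x509 = (X509Certificate) certificate;
            X500Name issuerName = x509.getIssuerName();
            byte[] serialNumber = x509.getSerialNumber();
            if (issuerName == null || serialNumber == null) {
                throw new DatabaseException("PKCS11DBProvider.insertCertificate: invalid certificate. IssuerName or SerialNumber is null.");
            }
            try {
                int derLen = x509.getDERLen(0);
                if (derLen == 0) {
                    throw new DatabaseException("PKCS11DBProvider.insertCertificate: invalid certificate. Cannot DER-encode certificate.");
                }
                byte[] der = new byte[derLen];
                if (x509.getDEREncoding(der, 0, 0) == 0) {
                    throw new DatabaseException("PKCS11DBProvider.insertCertificate: invalid certificate. Cannot DER-encode certificate.");
                }
                byte[] ckaId = getCkaId(certificate);
                synchronized (this.certLock) {
                    if (PKCS11DB.this.nativeInsertCertificate(der, ckaId) != 0) {
                        throw new DatabaseException("PKCS11DBProvider.insertCertificate: unable to insert certificate");
                    }
                }
            } catch (DatabaseException e) {
                // Keep our own diagnostics intact; previously these were re-wrapped as "invalid certificate",
                // which hid a failed token insert behind a misleading message.
                throw e;
            } catch (Exception e) {
                throw new DatabaseException("PKCS11DBProvider.insertCertificate: invalid certificate.", e);
            }
        }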

        /**
         * Derives the PKCS#11 CKA_ID used to pair a certificate with its private key: the SHA-1 of the RSA
         * modulus, or of the last "DSAPublicKey" component for DSA. This is an object identifier, not a
         * security digest, and it must stay stable or objects already on the token become unreachable.
         *
         * @param jSAFE_PublicKey public key to derive the id from
         * @return the id, or null for EC keys, unknown algorithms, or any failure while reading the key
         */
        private byte[] getCkaId(JSAFE_PublicKey jSAFE_PublicKey) {
            try {
                String algorithm = jSAFE_PublicKey.getAlgorithm();
                if ("RSA".equalsIgnoreCase(algorithm)) {
                    return digest(jSAFE_PublicKey.getKeyData("RSAPublicKey")[0]);
                }
                // SAML2Constants.DSA_KEY_TYPE is an odd cross-package dependency for a plain algorithm name;
                // presumably it resolves to "DSA" — confirm before touching.
                if (SAML2Constants.DSA_KEY_TYPE.equalsIgnoreCase(algorithm)) {
                    byte[][] parts = jSAFE_PublicKey.getKeyData("DSAPublicKey");
                    return digest(parts[parts.length - 1]);
                }
                // "EC" and anything else: no id is derived.
                return null;
            } catch (Exception e) {
                return null;
            }
        }

        /**
         * CKA_ID for a certificate, derived from its subject public key (see the JSAFE_PublicKey overload).
         *
         * @return the id, or null when the public key cannot be extracted or has no id derivation
         */
        private byte[] getCkaId(com.rsa.certj.cert.Certificate certificate) {
            JSAFE_PublicKey subjectKey;
            try {
                subjectKey = certificate.getSubjectPublicKey("Java");
            } catch (Exception e) {
                return null;
            }
            return getCkaId(subjectKey);
        }

        /**
         * SHA-1 over {@code bArr}, used only to build CKA_ID values. SHA-1 is acceptable here because the
         * output is an object lookup key, not a collision-resistant commitment; changing the algorithm would
         * orphan every object already stored under the old ids.
         *
         * @return the 20-byte digest, or null if the JSAFE digest cannot be obtained or fails
         */
        private byte[] digest(byte[] bArr) {
            try {
                JSAFE_MessageDigest sha1 = JSAFE_MessageDigest.getInstance("SHA1", "Java");
                sha1.digestInit();
                sha1.digestUpdate(bArr, 0, bArr.length);
                return sha1.digestFinal();
            } catch (Exception e) {
                return null;
            }
        }

        /** CRL storage is not offered by this provider. Always throws. */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public void insertCRL(CRL crl) throws NotSupportedException {
            String message = "insertCRL method is not supported by PKCS11DB provider.";
            throw new NotSupportedException(message);
        }

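        /**
         * Imports a software private key onto the token, keyed by the CKA_ID of the certificate's public key.
         * The key is first checked against the certificate's public key (pairwiseCheck, inherited, not shown
         * here) so a mismatched pair is never stored. If a key for this certificate already exists the call
         * returns silently. A successful insert restarts any private-key enumeration in progress.
         *
         * NOTE(review): the BER-encoded private key is held in a plain byte[] until garbage collection. It is
         * not zeroed here because it is unclear whether getKeyData() returns a copy or an internal array.
         *
         * @throws DatabaseException if an argument is null, the provider is not open, the pairwise check fails,
         *                           the certificate yields no CKA_ID, the key cannot be BER-encoded, or the
         *                           token insert fails
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public void insertPrivateKeyByCertificate(com.rsa.certj.cert.Certificate certificate, JSAFE_PrivateKey jSAFE_PrivateKey) throws DatabaseException {
            if (certificate == null || jSAFE_PrivateKey == null) {
                throw new DatabaseException("PKCS11DBImplementation.insertPrivateKeyByCertificate: cert and private key should not be null");
            }
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.insertPrivateKey: Session is not open.");
            }
            try {
                JSAFE_PublicKey subjectPublicKey = certificate.getSubjectPublicKey("Java");
                if (!pairwiseCheck(subjectPublicKey.getAlgorithm(), jSAFE_PrivateKey, subjectPublicKey, this.certJ.getRandomObject())) {
                    throw new DatabaseException("PKCS11DBProvider.insertPrivateKey: pairwise check failure.");
                }
                // One monitor covers the existence check and the insert; the original nested a second
                // synchronized(keyLock) here, which the reentrant monitor made a no-op.
                synchronized (this.keyLock) {
                    if (selectPrivateKeyByCertificate(certificate) != null) {
                        return;
                    }
                    byte[] privateKeyData = getPrivateKeyData(jSAFE_PrivateKey);
                    byte[] ckaId = getCkaId(certificate);
                    if (ckaId == null) {
                        throw new DatabaseException("PKCS11DBImplementation.insertPrivateKeyByCertificate: Public key in certificate is null.");
                    }
                    if (PKCS11DB.this.nativeInsertPrivateKey(jSAFE_PrivateKey.getAlgorithm(), ckaId, privateKeyData) != 0) {
                        throw new DatabaseException("PKCS11DBProvider.insertPrivateKeyByCertificate: unable to insert private key");
                    }
                    if (isPrivateKeyIteratorSetup()) {
                        setupPrivateKeyIterator();
                    }
                }
            } catch (DatabaseException e) {
                // Do not relabel our own failures (e.g. "unable to insert private key") as a pairwise-check
                // failure, which is what the blanket catch below used to do.
                throw e;
            } catch (Exception e) {
                // Preserve the cause; previously it was dropped.
                throw new DatabaseException("PKCS11DBProvider.insertPrivateKey: pairwise check failure.", e);
            }
        }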

        /**
         * Extracts the BER encoding of a software private key, trying the key's advertised get-formats in
         * order and taking the first of "RSAPrivateKeyBER", "DSAPrivateKeyBER" or "DSAPrivateKeyX957BER".
         *
         * @return the first component of the selected format's key data (plaintext private key material)
         * @throws DatabaseException if no supported BER format is offered, the data comes back empty, or
         *                           JSAFE reports the format as unimplemented
         */
        private byte[] getPrivateKeyData(JSAFE_PrivateKey jSAFE_PrivateKey) throws DatabaseException {
            try {
                byte[][] keyData = null;
                boolean formatFound = false;
                for (String format : jSAFE_PrivateKey.getSupportedGetFormats()) {
                    boolean usable = "RSAPrivateKeyBER".equals(format)
                            || "DSAPrivateKeyBER".equals(format)
                            || "DSAPrivateKeyX957BER".equals(format);
                    if (usable) {
                        keyData = jSAFE_PrivateKey.getKeyData(format);
                        formatFound = true;
                        break;
                    }
                }
                if (!formatFound) {
                    throw new DatabaseException("PKCS11DBProvider.insertPrivateKeyByCertificate: cannot get private key BER data.");
                }
                boolean empty = keyData == null || keyData.length == 0 || keyData[0] == null;
                if (empty) {
                    throw new DatabaseException("PKCS11DBProvider.insertPrivateKeyByCertificate: cannot get private key data");
                }
                return keyData[0];
            } catch (JSAFE_UnimplementedException e) {
                throw new DatabaseException(INSERT_PRIVATE_KEY_BY_CERTIFICATE, e);
            }
        }

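        /**
         * Imports a software private key onto the token, keyed by the CKA_ID derived from {@code jSAFE_PublicKey}.
         * The pair is validated with pairwiseCheck (inherited, not shown here) before anything is written; an
         * existing key for the same public key makes the call a silent no-op. A successful insert restarts any
         * private-key enumeration in progress.
         *
         * NOTE(review): unlike insertPrivateKeyByCertificate, a null CKA_ID (EC key, or key data unreadable) is
         * not rejected here and is handed to the native layer unchanged — confirm the native side tolerates it.
         * The BER private key is not zeroed after use because getKeyData() ownership is unclear.
         *
         * @throws DatabaseException if an argument is null, the provider is not open, the pairwise check fails,
         *                           the key cannot be BER-encoded, or the token insert fails
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public void insertPrivateKeyByPublicKey(JSAFE_PublicKey jSAFE_PublicKey, JSAFE_PrivateKey jSAFE_PrivateKey) throws DatabaseException {
            if (jSAFE_PublicKey == null || jSAFE_PrivateKey == null) {
                throw new DatabaseException("PKCS11DBProvider.insertPrivateKeyByPublicKey: Neither publicKey nor privateKey should be null.");
            }
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.insertPrivateKey: Session is not open.");
            }
            try {
                if (!pairwiseCheck(jSAFE_PublicKey.getAlgorithm(), jSAFE_PrivateKey, jSAFE_PublicKey, this.certJ.getRandomObject())) {
                    throw new DatabaseException("PKCS11DBProvider.insertPrivateKey: pairwise check failure.");
                }
                // Single monitor for the existence check and the insert (the former inner
                // synchronized(keyLock) was a reentrant no-op).
                synchronized (this.keyLock) {
                    if (selectPrivateKeyByPublicKey(jSAFE_PublicKey) != null) {
                        return;
                    }
                    byte[] privateKeyData = getPrivateKeyData(jSAFE_PrivateKey);
                    byte[] ckaId = getCkaId(jSAFE_PublicKey);
                    if (PKCS11DB.this.nativeInsertPrivateKey(jSAFE_PrivateKey.getAlgorithm(), ckaId, privateKeyData) != 0) {
                        throw new DatabaseException("PKCS11DBProvider.insertPrivateKeyByPublicKey: unable to insert private key");
                    }
                    if (isPrivateKeyIteratorSetup()) {
                        setupPrivateKeyIterator();
                    }
                }
            } catch (DatabaseException e) {
                // Keep the specific failure instead of relabelling it as a pairwise-check failure.
                throw e;
            } catch (Exception e) {
                // Preserve the cause; previously it was dropped.
                throw new DatabaseException("PKCS11DBProvider.insertPrivateKey: pairwise check failure.", e);
            }
        }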

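        /**
         * Finds certificates on the token with the given issuer and serial number and appends those not already
         * present (by equals) to {@code vector}.
         *
         * @param x500Name issuer name, DER-encoded before the lookup
         * @param bArr     serial number bytes
         * @param vector   raw result vector (must be non-null; previously a null vector caused a NullPointerException
         *                 only after the token had been queried)
         * @return number of certificates appended
         * @throws DatabaseException if an argument is null, the provider is not open, the issuer cannot be
         *                           DER-encoded, or a returned encoding does not parse as X.509
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public int selectCertificateByIssuerAndSerialNumber(X500Name x500Name, byte[] bArr, Vector vector) throws DatabaseException {
            if (x500Name == null || bArr == null) {
                throw new DatabaseException("PKCS11DBProvider.Neither issuerName nor serialNumber should be null.");
            }
            if (vector == null) {
                throw new DatabaseException("PKCS11DBProvider.selectCertificateByIssuerAndSerialNumber: result vector should not be null.");
            }
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException(SELECT_CERTIFICATE_SESSION_IS_NOT_OPEN);
            }
            byte[] issuerDer = new byte[x500Name.getDERLen(0)];
            try {
                if (x500Name.getDEREncoding(issuerDer, 0, 0) == 0) {
                    throw new DatabaseException("PKCS11DBProvider: Invalid IssuerName. Cannot DER-encode IssuerName.");
                }
                byte[][] matches;
                synchronized (this.certLock) {
                    matches = PKCS11DB.this.nativeSelectCertByIssuerSerial(issuerDer, bArr, PKCS11DB.this.p11Provider);
                }
                if (matches == null) {
                    return 0;
                }
                int added = 0;
                for (byte[] der : matches) {
                    X509Certificate cert;
                    try {
                        cert = new X509Certificate(der, 0, 0);
                    } catch (CertificateException e) {
                        throw new DatabaseException("PKCS11DBProvider: Invalid certificate.", e);
                    }
                    if (!vector.contains(cert)) {
                        vector.addElement(cert);
                        added++;
                    }
                }
                return added;
            } catch (NameException e) {
                throw new DatabaseException("PKCS11DBProvider: Invalid IssuerName.", e);
            }
        }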

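        /**
         * Finds certificates on the token whose subject matches {@code x500Name} and appends those not already
         * present (by equals) to {@code vector}.
         *
         * @param x500Name subject name, DER-encoded before the lookup
         * @param vector   raw result vector (must be non-null; previously a null vector caused a NullPointerException
         *                 only after the token had been queried)
         * @return number of certificates appended
         * @throws DatabaseException if an argument is null, the provider is not open, the subject cannot be
         *                           DER-encoded, or a returned encoding does not parse as X.509
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public int selectCertificateBySubject(X500Name x500Name, Vector vector) throws DatabaseException {
            if (x500Name == null) {
                throw new DatabaseException("PKCS11DBProvider.selectCertificateBySubject: subjectName should not be null.");
            }
            if (vector == null) {
                throw new DatabaseException("PKCS11DBProvider.selectCertificateBySubject: result vector should not be null.");
            }
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException(SELECT_CERTIFICATE_SESSION_IS_NOT_OPEN);
            }
            byte[] subjectDer = new byte[x500Name.getDERLen(0)];
            try {
                if (x500Name.getDEREncoding(subjectDer, 0, 0) == 0) {
                    throw new DatabaseException("PKCS11DBProvider: Invalid SubjectName. Cannot DER-encode SubjectName.");
                }
                byte[][] matches;
                synchronized (this.certLock) {
                    matches = PKCS11DB.this.nativeSelectCertBySubject(subjectDer, PKCS11DB.this.p11Provider);
                }
                if (matches == null) {
                    return 0;
                }
                int added = 0;
                for (byte[] der : matches) {
                    X509Certificate cert;
                    try {
                        cert = new X509Certificate(der, 0, 0);
                    } catch (CertificateException e) {
                        throw new DatabaseException("PKCS11DBProvider: Invalid certificate.", e);
                    }
                    if (!vector.contains(cert)) {
                        vector.addElement(cert);
                        added++;
                    }
                }
                return added;
            } catch (NameException e) {
                throw new DatabaseException("PKCS11DBProvider: Invalid SubjectName.", e);
            }
        }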

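        /**
         * Finds certificates on the token matching a base name plus a set of V3 extensions and appends those not
         * already present (by equals) to {@code vector}. Both selectors are DER-encoded before the lookup.
         *
         * @param x500Name         base name (required)
         * @param x509V3Extensions extensions to match (required)
         * @param vector           raw result vector (must be non-null; previously a null vector caused a
         *                         NullPointerException only after the token had been queried)
         * @return number of certificates appended
         * @throws DatabaseException if an argument is null, the provider is not open, either selector cannot be
         *                           DER-encoded, or a returned encoding does not parse as X.509
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public int selectCertificateByExtensions(X500Name x500Name, X509V3Extensions x509V3Extensions, Vector vector) throws DatabaseException {
            if (x500Name == null || x509V3Extensions == null) {
                // Message corrected: the check requires both arguments, it does not accept either one alone.
                throw new DatabaseException("PKCS11DBProvider.selectCertificateByExtensions: Neither baseName nor extensions should be null.");
            }
            if (vector == null) {
                throw new DatabaseException("PKCS11DBProvider.selectCertificateByExtensions: result vector should not be null.");
            }
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException(SELECT_CERTIFICATE_SESSION_IS_NOT_OPEN);
            }
            byte[] baseNameDer = new byte[x500Name.getDERLen(0)];
            try {
                if (x500Name.getDEREncoding(baseNameDer, 0, 0) == 0) {
                    throw new DatabaseException("PKCS11DBProvider: Invalid BaseName. Cannot DER-encode BaseName.");
                }
                byte[] extensionsDer = new byte[x509V3Extensions.getDERLen(0)];
                if (x509V3Extensions.getDEREncoding(extensionsDer, 0, 0) == 0) {
                    throw new DatabaseException("PKCS11DBProvider: Invalid extensions. Cannot DER-encode extensions.");
                }
                byte[][] matches;
                synchronized (this.certLock) {
                    matches = PKCS11DB.this.nativeSelectCertByExtensions(baseNameDer, extensionsDer, PKCS11DB.this.p11Provider);
                }
                if (matches == null) {
                    return 0;
                }
                int added = 0;
                for (byte[] der : matches) {
                    X509Certificate cert;
                    try {
                        cert = new X509Certificate(der, 0, 0);
                    } catch (CertificateException e) {
                        throw new DatabaseException("PKCS11DBProvider: Invalid certificate.", e);
                    }
                    if (!vector.contains(cert)) {
                        vector.addElement(cert);
                        added++;
                    }
                }
                return added;
            } catch (NameException e) {
                throw new DatabaseException("PKCS11DBProvider: Invalid BaseName.", e);
            }
        }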

        /**
         * @return true while a certificate enumeration is in progress (certIterator non-null)
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public boolean isCertificateIteratorSetup() {
            synchronized (this.certIteratorLock) {
                return PKCS11DB.this.certIterator != null;
            }
        }

        /**
         * Starts a fresh certificate enumeration over the token (both iterator filter parameters null).
         * Best-effort: if the store cannot create the iterator the exception is swallowed and certIterator
         * keeps whatever value it had — possibly null, possibly a previous iterator.
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public void setupCertificateIterator() {
            synchronized (this.certIteratorLock) {
                try {
                    PKCS11CertIteratorParameters unfiltered = new PKCS11CertIteratorParameters((byte[]) null, (String) null);
                    PKCS11DB.this.certIterator = PKCS11DB.this.store.certificateIterator(unfiltered);
                } catch (Exception ignored) {
                    // Deliberately best-effort; callers observe failure through isCertificateIteratorSetup().
                }
            }
        }

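        /**
         * Restarts the certificate enumeration and returns its first entry.
         * Because setupCertificateIterator() swallows store failures, the iterator is checked here before the
         * native fetch instead of relying on the native layer to cope with a missing iterator.
         *
         * @return the first certificate, or null when the token has none (the enumeration is then cleared)
         * @throws DatabaseException if the provider is not open, the iterator could not be created, or the
         *                           fetched encoding does not parse as X.509
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public com.rsa.certj.cert.Certificate firstCertificate() throws DatabaseException {
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.firstCertificate: Session is not open.");
            }
            setupCertificateIterator();
            synchronized (this.certIteratorLock) {
                if (PKCS11DB.this.certIterator == null) {
                    throw new DatabaseException("PKCS11DBProvider.firstCertificate: iterator could not be set up.");
                }
                byte[] der = PKCS11DB.this.nativeNextCertificate();
                if (der == null) {
                    PKCS11DB.this.certIterator = null;
                    return null;
                }
                try {
                    return new X509Certificate(der, 0, 0);
                } catch (CertificateException e) {
                    throw new DatabaseException("PKCS11DBProvider.", e);
                }
            }
        }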

        /**
         * Returns the next certificate of the enumeration started by firstCertificate().
         * The native fetch is attempted only while the iterator reports more entries; exhaustion (or a null
         * fetch) clears the enumeration.
         *
         * @return the next certificate, or null at the end (the enumeration is then cleared)
         * @throws DatabaseException if the provider is not open, no enumeration is in progress, or the fetched
         *                           encoding does not parse as X.509
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public com.rsa.certj.cert.Certificate nextCertificate() throws DatabaseException {
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.nextCertificate: Session is not open.");
            }
            if (!isCertificateIteratorSetup()) {
                throw new DatabaseException("PKCS11DBProvider.nextCertificate: iterator is not set up.");
            }
            synchronized (this.certIteratorLock) {
                byte[] der = PKCS11DB.this.certIterator.hasNext() ? PKCS11DB.this.nativeNextCertificate() : null;
                if (der == null) {
                    PKCS11DB.this.certIterator = null;
                    return null;
                }
                try {
                    return new X509Certificate(der, 0, 0);
                } catch (CertificateException e) {
                    throw new DatabaseException("PKCS11DBProvider.", e);
                }
            }
        }

        /**
         * @return whether the current certificate enumeration has further entries
         * @throws DatabaseException if no enumeration is in progress
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public boolean hasMoreCertificates() throws DatabaseException {
            synchronized (this.certIteratorLock) {
                HardwareIterator<Certificate> current = PKCS11DB.this.certIterator;
                if (current == null) {
                    throw new DatabaseException("Iterator is not set up.");
                }
                return current.hasNext();
            }
        }

        /** CRL lookup is not offered by this provider. Always throws. */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public int selectCRLByIssuerAndTime(X500Name x500Name, Date date, Vector vector) throws NotSupportedException {
            throw new NotSupportedException(PKCS11_DB_PROVIDER_DOES_NOT_SUPPORT + "selectCRLByIssuerAndTime method.");
        }

        /** CRL enumeration is not offered by this provider. Always throws. */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public boolean isCRLIteratorSetup() throws NotSupportedException {
            throw new NotSupportedException(PKCS11_DB_PROVIDER_DOES_NOT_SUPPORT + "isCRLIteratorSetup() method");
        }

        /** CRL enumeration is not offered by this provider. Always throws. */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public void setupCRLIterator() throws NotSupportedException {
            throw new NotSupportedException(PKCS11_DB_PROVIDER_DOES_NOT_SUPPORT + "setupCRLIterator() method");
        }

        /** CRL enumeration is not offered by this provider. Always throws. */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public CRL firstCRL() throws NotSupportedException {
            throw new NotSupportedException(PKCS11_DB_PROVIDER_DOES_NOT_SUPPORT + "firstCRL() method");
        }

        /** CRL enumeration is not offered by this provider. Always throws. */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public CRL nextCRL() throws NotSupportedException {
            throw new NotSupportedException(PKCS11_DB_PROVIDER_DOES_NOT_SUPPORT + "nextCRL() method");
        }

        /** CRL enumeration is not offered by this provider. Always throws. */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public boolean hasMoreCRLs() throws NotSupportedException {
            throw new NotSupportedException(PKCS11_DB_PROVIDER_DOES_NOT_SUPPORT + "hasMoreCRLs() method");
        }

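        /**
         * Turns the blob(s) returned by the native select/next calls into a JSAFE_PrivateKey.
         * One blob: treated as an encoded software key and parsed on the "Java" device. Two blobs: a
         * token-resident key — the second blob carries a key-type byte at KEY_TYPE_OFFSET (0 RSA, 1 DSA,
         * 2 DH) followed by the token data, and both parts are handed to the PKCS11 key as "KeyToken". The
         * exact blob layout is defined by the native side; this parser is the only description available here.
         *
         * @param bArr one or two blobs as produced by nativeSelectPrivateKey / nativeNextPrivateKey
         * @return the key, or null when a two-blob result is incomplete (either part null or the typed blob
         *         shorter than KEY_TYPE_OFFSET + 1 bytes) — callers treat null as "not found"
         * @throws DatabaseException if the input is null or empty (previously an unchecked
         *                           ArrayIndexOutOfBoundsException), the key-type byte is unknown, or JSAFE
         *                           rejects the key data
         */
        private JSAFE_PrivateKey setPrivateKeyData(byte[][] bArr) throws DatabaseException {
            if (bArr == null || bArr.length == 0) {
                throw new DatabaseException("PKCS11DBImplementation.setPrivateKeyData: no private key data returned.");
            }
            try {
                if (bArr.length == 1) {
                    return JSAFEFactory.getPrivateKey(bArr[0], 0, "Java", this.context.jsafe);
                }
                byte[] firstPart = bArr[0];
                byte[] typedPart = bArr[1];
                if (firstPart == null || typedPart == null || typedPart.length < KEY_TYPE_OFFSET + 1) {
                    return null;
                }
                JSAFE_PrivateKey key;
                switch (typedPart[KEY_TYPE_OFFSET]) {
                    case RSA_KEY_TYPE:
                        key = JSAFEFactory.getPrivateKey("RSA", PKCS11, this.context.jsafe);
                        break;
                    case DSA_KEY_TYPE:
                        key = JSAFEFactory.getPrivateKey(SAML2Constants.DSA_KEY_TYPE, PKCS11, this.context.jsafe);
                        break;
                    case DH_KEY_TYPE:
                        key = JSAFEFactory.getPrivateKey(InfoObjectFactory.KEYAGREE_DH, PKCS11, this.context.jsafe);
                        break;
                    default:
                        throw new DatabaseException("PKCS11DBImplementation.selectPrivateKeyByCertificate: Invalid Private key - unknown algorithm: " + ((int) typedPart[KEY_TYPE_OFFSET]));
                }
                // Everything after the type byte is the token payload.
                byte[] tokenData = new byte[typedPart.length - KEY_TYPE_OFFSET - 1];
                System.arraycopy(typedPart, KEY_TYPE_OFFSET + 1, tokenData, 0, tokenData.length);
                key.setKeyData("KeyToken", new byte[][] { firstPart, tokenData });
                return key;
            } catch (JSAFE_Exception e) {
                throw new DatabaseException("Cannot set the private key data.", e);
            }
        }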

        /**
         * Looks up the token private key paired with {@code certificate}, using the CKA_ID derived from the
         * certificate's public key and the public key's algorithm name.
         * Any exception raised while reading the certificate's key or by the native lookup is treated as
         * "not found".
         *
         * @return the key, or null when none matches
         * @throws DatabaseException if the argument is null, the provider is not open, the certificate yields
         *                           no CKA_ID, or the returned blobs cannot be turned into a key
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public JSAFE_PrivateKey selectPrivateKeyByCertificate(com.rsa.certj.cert.Certificate certificate) throws DatabaseException {
            if (certificate == null) {
                throw new DatabaseException("PKCS11DBImplementation.selectPrivateKeyByCertificate: cert should not be null.");
            }
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.selectPrivateKey: Session is not open.");
            }
            byte[] ckaId = getCkaId(certificate);
            if (ckaId == null) {
                throw new DatabaseException("Cert does not contain public key info.");
            }
            byte[][] keyParts = null;
            synchronized (this.keyLock) {
                try {
                    String algorithm = certificate.getSubjectPublicKey("Java").getAlgorithm();
                    keyParts = PKCS11DB.this.nativeSelectPrivateKey(algorithm, ckaId, PKCS11DB.this.p11Provider);
                } catch (Exception notFound) {
                    // reported as "no key" rather than propagated
                }
            }
            return keyParts == null ? null : setPrivateKeyData(keyParts);
        }

        /**
         * Looks up the token private key whose CKA_ID is derived from {@code jSAFE_PublicKey}.
         *
         * NOTE(review): unlike selectPrivateKeyByCertificate, a null CKA_ID (EC key, or key data unreadable)
         * is not rejected and is passed to the native lookup, and native exceptions are not converted to
         * "not found" — confirm whether this asymmetry is intended.
         *
         * @return the key, or null when none matches
         * @throws DatabaseException if the argument is null, the provider is not open, or the returned blobs
         *                           cannot be turned into a key
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public JSAFE_PrivateKey selectPrivateKeyByPublicKey(JSAFE_PublicKey jSAFE_PublicKey) throws DatabaseException {
            if (jSAFE_PublicKey == null) {
                throw new DatabaseException("PKCS11DBImplementation.selectPrivateKeyByPublicKey: publicKey should not be null.");
            }
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.selectPrivateKey: Session is not open.");
            }
            byte[] ckaId = getCkaId(jSAFE_PublicKey);
            String algorithm = jSAFE_PublicKey.getAlgorithm();
            byte[][] keyParts;
            synchronized (this.keyLock) {
                keyParts = PKCS11DB.this.nativeSelectPrivateKey(algorithm, ckaId, PKCS11DB.this.p11Provider);
            }
            return keyParts == null ? null : setPrivateKeyData(keyParts);
        }

        /**
         * @return true while a private-key enumeration is in progress (keyIterator non-null)
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public boolean isPrivateKeyIteratorSetup() {
            synchronized (this.keyIteratorLock) {
                return PKCS11DB.this.keyIterator != null;
            }
        }

        /**
         * Starts a fresh private-key enumeration over the token. The iterator is created with the algorithm
         * filter hard-coded to "RSA", so DSA/DH keys stored through the insert methods are never enumerated.
         * Best-effort: a HardwareStoreException is swallowed and keyIterator keeps its previous value
         * (possibly null).
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public void setupPrivateKeyIterator() {
            synchronized (this.keyIteratorLock) {
                try {
                    PKCS11KeyIteratorParameters rsaOnly = new PKCS11KeyIteratorParameters((byte[]) null, (String) null, "RSA");
                    PKCS11DB.this.keyIterator = PKCS11DB.this.store.keyIterator(rsaOnly);
                } catch (HardwareStoreException ignored) {
                    // Deliberately best-effort; callers observe failure through isPrivateKeyIteratorSetup().
                }
            }
        }

        /**
         * Restarts the private-key enumeration (RSA keys only, see setupPrivateKeyIterator) and returns its
         * first entry. Any exception from the native fetch is swallowed and reported as "no keys".
         *
         * @return the first key, or null when there is none (the enumeration is then cleared)
         * @throws DatabaseException if the provider is not open or the fetched blobs cannot be turned into a key
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public JSAFE_PrivateKey firstPrivateKey() throws DatabaseException {
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.firstPrivateKey: Session is not open.");
            }
            setupPrivateKeyIterator();
            synchronized (this.keyIteratorLock) {
                byte[][] keyParts;
                try {
                    keyParts = PKCS11DB.this.nativeNextPrivateKey(PKCS11DB.this.keyIterator);
                } catch (Exception swallowed) {
                    keyParts = null;
                }
                if (keyParts == null) {
                    PKCS11DB.this.keyIterator = null;
                    return null;
                }
                return setPrivateKeyData(keyParts);
            }
        }

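        /**
         * Returns the next private key of the enumeration started by firstPrivateKey().
         * The previous body never called the native fetch — its local was always null — so every enumeration
         * ended after the first key. This version mirrors nextCertificate(): fetch only while the iterator
         * reports more entries, clear the enumeration when nothing comes back.
         *
         * @return the next key, or null at the end (the enumeration is then cleared)
         * @throws DatabaseException if the provider is not open, no enumeration is in progress, the native fetch
         *                           fails, or the fetched blobs cannot be turned into a key
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public JSAFE_PrivateKey nextPrivateKey() throws DatabaseException {
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.nextPrivateKey: Session is not open.");
            }
            if (!isPrivateKeyIteratorSetup()) {
                throw new DatabaseException("PKCS11DBProvider.nextPrivateKey: iterator is not set up.");
            }
            synchronized (this.keyIteratorLock) {
                byte[][] keyParts = null;
                HardwareIterator<Key> current = PKCS11DB.this.keyIterator;
                if (current != null && current.hasNext()) {
                    try {
                        keyParts = PKCS11DB.this.nativeNextPrivateKey(current);
                    } catch (Exception e) {
                        // Unlike firstPrivateKey(), a failure mid-enumeration is surfaced rather than read as "end".
                        throw new DatabaseException("PKCS11DBProvider.nextPrivateKey: cannot read next private key.", e);
                    }
                }
                if (keyParts == null) {
                    PKCS11DB.this.keyIterator = null;
                    return null;
                }
                return setPrivateKeyData(keyParts);
            }
        }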

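        /**
         * Reports whether the private-key enumeration has further entries, starting one if none is in progress
         * (this side effect is kept from the original). The iterator is read under keyIteratorLock like the
         * other key-iterator methods, and a failed setup (setupPrivateKeyIterator swallows store errors and can
         * leave keyIterator null) now yields false instead of a NullPointerException.
         *
         * @return true if a further RSA key can be fetched with nextPrivateKey()
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public boolean hasMorePrivateKeys() throws NotSupportedException {
            synchronized (this.keyIteratorLock) {
                if (PKCS11DB.this.keyIterator == null) {
                    setupPrivateKeyIterator();
                }
                HardwareIterator<Key> current = PKCS11DB.this.keyIterator;
                return current != null && current.hasNext();
            }
        }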

        /**
         * Removes the certificate with the given issuer and serial number from the token.
         *
         * @param x500Name issuer name, DER-encoded before the delete
         * @param bArr     serial number bytes
         * @throws DatabaseException if an argument is null, the provider is not open, the issuer cannot be
         *                           DER-encoded, or the native delete reports a non-zero status
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public void deleteCertificate(X500Name x500Name, byte[] bArr) throws DatabaseException {
            if (x500Name == null || bArr == null) {
                throw new DatabaseException("PKCS11DBImplementation.deleteCertificate: Neither issuerName nor serialNumber should be null.");
            }
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.deleteCertificate: Session is not open. MES DB provider is not initialized.");
            }
            byte[] issuerDer = new byte[x500Name.getDERLen(0)];
            int status;
            try {
                if (x500Name.getDEREncoding(issuerDer, 0, 0) == 0) {
                    throw new DatabaseException("PKCS11DBProvider: Invalid IssuerName. Cannot DER-encode Issuer Name.");
                }
                synchronized (this.certLock) {
                    status = PKCS11DB.this.nativeDeleteCert(issuerDer, bArr, PKCS11DB.this.p11Provider);
                }
            } catch (NameException e) {
                throw new DatabaseException("PKCS11DBProvider: Invalid IssuerName.", e);
            }
            if (status != 0) {
                throw new DatabaseException("PKCS11DBProvider: Unable to delete certificate.");
            }
        }

        /**
         * CRL deletion is not implemented by this provider; the call is refused
         * unconditionally and the arguments are not inspected.
         *
         * @throws NotSupportedException always
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public void deleteCRL(X500Name x500Name, Date date) throws NotSupportedException {
            String reason = "deleteCRL method is not supported by PKCS11DB provider.";
            throw new NotSupportedException(reason);
        }

        /**
         * Deletes the private key(s) on the token associated with the given
         * certificate: the CKA_ID is derived from the certificate's public key and
         * every key object matching that id and key algorithm is removed (see
         * {@code nativeDeletePrivateKey}).
         *
         * @param certificate certificate whose public key identifies the private key
         * @throws DatabaseException on a null certificate, a closed provider, a
         *         certificate without a usable public key, a certificate parsing
         *         failure, or when nothing was deleted
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public void deletePrivateKeyByCertificate(com.rsa.certj.cert.Certificate certificate) throws DatabaseException {
            if (certificate == null) {
                throw new DatabaseException("PKCS11DBImplementation.deletePrivateKeyByCertificate: cert should not be null.");
            }
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.deletePrivateKey: Session is not open.");
            }
            int status;
            try {
                byte[] ckaId = getCkaId(certificate);
                if (ckaId == null) {
                    // Fail closed: without an id the lookup could not be narrowed to this key.
                    throw new DatabaseException("PKCS11DBProvider: cert is missing public Key.");
                }
                synchronized (this.keyLock) {
                    String algorithm = certificate.getSubjectPublicKey("Java").getAlgorithm();
                    status = PKCS11DB.this.nativeDeletePrivateKey(algorithm, ckaId);
                }
            } catch (CertificateException e) {
                throw new DatabaseException("PKCS11DBProvider: invalid cert.", e);
            }
            if (status != 0) {
                throw new DatabaseException("PKCS11DBProvider: Unable to delete private key.");
            }
        }

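        /**
         * Deletes the private key(s) on the token whose CKA_ID is derived from the
         * given public key; every key object matching that id and the key's
         * algorithm is removed (see {@code nativeDeletePrivateKey}).
         *
         * @param jSAFE_PublicKey public half of the key pair to delete
         * @throws DatabaseException on a null key, a closed provider, a key for
         *         which no CKA_ID could be derived, or when nothing was deleted
         */
        @Override // com.rsa.certj.spi.db.DatabaseInterface
        public void deletePrivateKeyByPublicKey(JSAFE_PublicKey jSAFE_PublicKey) throws DatabaseException {
            if (jSAFE_PublicKey == null) {
                throw new DatabaseException("PKCS11DBImplementation.deletePrivateKeyByPublicKey: publicKey should not be null.");
            }
            if (PKCS11DB.this.p11Provider == null) {
                throw new DatabaseException("PKCS11DBProvider.deletePrivateKey: Session is not open.");
            }
            byte[] ckaId = getCkaId(jSAFE_PublicKey);
            if (ckaId == null) {
                // Fail closed, as deletePrivateKeyByCertificate() does. A null id would be
                // handed straight to PKCS11KeyIteratorParameters; if null acts as a wildcard
                // there (as it does for the certificate iterator parameters used elsewhere in
                // this file) the delete loop would remove every key of this algorithm.
                throw new DatabaseException("PKCS11DBProvider: publicKey is missing CKA_ID.");
            }
            int status;
            synchronized (this.keyLock) {
                status = PKCS11DB.this.nativeDeletePrivateKey(jSAFE_PublicKey.getAlgorithm(), ckaId);
            }
            if (status != 0) {
                throw new DatabaseException("PKCS11DB: Unable to delete private key.");
            }
        }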

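        /**
         * Pairwise consistency check: signs the fixed {@code toSign} message with
         * the private key and verifies the result with the public key.
         *
         * The transform is hard-wired to {@code "SHA1/<alg>/PKCS1Block01Pad"}.
         * Because both keys are local and no attacker-chosen data is involved,
         * SHA-1's collision weakness does not undermine the check itself; however
         * a provider or token policy that refuses SHA-1 signing makes every check
         * return {@code false} rather than an error, since all exceptions are
         * collapsed to {@code false} below. PKCS#1 block-01 padding is an RSA
         * construct, so for a non-RSA {@code str} the transform string is
         * presumably rejected by {@code getInstance} and the check returns
         * {@code false} — confirm against the JSAFE transform grammar.
         *
         * @param str key algorithm name spliced into the transform string
         * @param jSAFE_PrivateKey signing key (must be usable by the "Java" device)
         * @param jSAFE_PublicKey verifying key
         * @param jSAFE_SecureRandom randomness passed to signInit/verifyInit
         * @return {@code true} iff the signature verifies; {@code false} on any
         *         exception
         */
        private boolean pairwiseCheck(String str, JSAFE_PrivateKey jSAFE_PrivateKey, JSAFE_PublicKey jSAFE_PublicKey, JSAFE_SecureRandom jSAFE_SecureRandom) {
            String transform = "SHA1/" + str + "/PKCS1Block01Pad";
            JSAFE_Signature signer = null;
            JSAFE_Signature verifier = null;
            try {
                signer = JSAFE_Signature.getInstance(transform, "Java");
                signer.signInit(jSAFE_PrivateKey, jSAFE_SecureRandom);
                signer.signUpdate(this.toSign, 0, this.toSign.length);
                byte[] signature = signer.signFinal();
                verifier = JSAFE_Signature.getInstance(transform, "Java");
                verifier.verifyInit(jSAFE_PublicKey, jSAFE_SecureRandom);
                verifier.verifyUpdate(this.toSign, 0, this.toSign.length);
                return verifier.verifyFinal(signature, 0, signature.length);
            } catch (Exception e) {
                return false;
            } finally {
                // Wipe signature state on every path (success, failure, and unchecked
                // errors) rather than duplicating the cleanup in each branch.
                if (signer != null) {
                    signer.clearSensitiveData();
                }
                if (verifier != null) {
                    verifier.clearSensitiveData();
                }
            }
        }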

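        /**
         * Tears the provider down: logs out of the token, closes the session if
         * this object created it, and drops the store/provider references.
         *
         * Each step runs even if an earlier one throws, so a failing
         * {@code logout()} cannot leave an open, authenticated token session
         * reachable through this object. The method is idempotent: the owned
         * session is closed at most once, which matters because
         * {@code finalize()} calls it again.
         */
        @Override // com.rsa.certj.ProviderImplementation
        public void unregister() {
            try {
                if (PKCS11DB.this.p11Provider != null) {
                    PKCS11DB.this.nativeFinalizeSession();
                }
            } finally {
                try {
                    if (PKCS11DB.this.sessionFlag) {
                        // Clear the ownership flag before closing so a second call
                        // does not attempt to close the session twice.
                        PKCS11DB.this.sessionFlag = false;
                        PKCS11DB.this.session.clearSensitiveData();
                        PKCS11DB.this.session.closeSession();
                    }
                } finally {
                    PKCS11DB.this.store = null;
                    PKCS11DB.this.p11Provider = null;
                }
            }
        }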

        /**
         * Last-resort teardown via {@link #unregister()}. Finalization timing is
         * unbounded (and {@code Object.finalize} is deprecated in modern JDKs), so
         * callers must call {@code unregister()} explicitly rather than rely on
         * this to log out of the token.
         */
        @Override
        protected void finalize() {
            unregister();
        }
    }

    /**
     * Creates the provider over a caller-supplied, already-open JSAFE session.
     * The session is not owned by this object ({@code sessionFlag} stays false),
     * so {@code unregister()} will not close it.
     *
     * @param str provider name
     * @param jSAFE_Session open session whose spec must be a PKCS#11 spec
     * @throws InvalidParameterException if the session is null or the PKCS#11
     *         provider cannot be created from it
     */
    public PKCS11DB(String str, JSAFE_Session jSAFE_Session) throws InvalidParameterException {
        super(1, str);
        this.jsafeJCE = new JsafeJCE();
        if (jSAFE_Session == null) {
            throw new InvalidParameterException(PASSED_IN_SESSION_IS_NULL);
        }
        JSAFE_Session borrowed = jSAFE_Session;
        this.session = borrowed;
        createProvider(str, borrowed);
    }

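    /**
     * Creates the provider from a PKCS#11 session spec, opening (and owning) a
     * new JSAFE session for it.
     *
     * If provider creation fails after the session was opened, the session is
     * closed before the exception propagates so a logged-in token session is
     * not leaked from a failed constructor.
     *
     * @param str provider name
     * @param jSAFE_PKCS11SessionSpec library/token/passphrase spec
     * @throws InvalidParameterException if the spec is null, the session cannot
     *         be opened, or the PKCS#11 provider cannot be created
     */
    public PKCS11DB(String str, JSAFE_PKCS11SessionSpec jSAFE_PKCS11SessionSpec) throws InvalidParameterException {
        super(1, str);
        this.jsafeJCE = new JsafeJCE();
        if (jSAFE_PKCS11SessionSpec == null) {
            throw new InvalidParameterException("Spec is null.");
        }
        try {
            this.session = JSAFE_Session.getInstance(jSAFE_PKCS11SessionSpec);
        } catch (JSAFE_InvalidParameterException e) {
            throw new InvalidParameterException(CANNOT_CREATE_PKCS_11_SESSION, e);
        }
        this.sessionFlag = true;
        boolean providerReady = false;
        try {
            createProvider(str, this.session);
            providerReady = true;
        } finally {
            if (!providerReady) {
                // We opened this session ourselves; release it on any failure.
                try {
                    this.session.clearSensitiveData();
                    this.session.closeSession();
                } catch (RuntimeException ignored) {
                    // best effort: the createProvider failure is the one to surface
                }
            }
        }
    }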

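    /**
     * Creates the provider from raw PKCS#11 parameters, building the session
     * spec and opening (and owning) a new JSAFE session.
     *
     * The spec retains the passphrase ({@code getPassPhrase()} is read again in
     * {@code createP11Provider}), so this constructor cannot wipe {@code cArr};
     * the caller remains responsible for clearing its own copy.
     *
     * If provider creation fails after the session was opened, the session is
     * closed before the exception propagates so a logged-in token session is
     * not leaked from a failed constructor.
     *
     * @param str provider name
     * @param str2 PKCS#11 library name (native module path, trusted configuration)
     * @param str3 token label
     * @param cArr token passphrase
     * @param i first spec integer parameter (semantics defined by JSAFE_PKCS11SessionSpec)
     * @param i2 second spec integer parameter (semantics defined by JSAFE_PKCS11SessionSpec)
     * @throws InvalidParameterException if the session cannot be opened or the
     *         PKCS#11 provider cannot be created
     */
    public PKCS11DB(String str, String str2, String str3, char[] cArr, int i, int i2) throws InvalidParameterException {
        super(1, str);
        this.jsafeJCE = new JsafeJCE();
        try {
            this.session = JSAFE_Session.getInstance(new JSAFE_PKCS11SessionSpec(str2, str3, cArr, i, i2));
        } catch (JSAFE_InvalidParameterException e) {
            throw new InvalidParameterException(CANNOT_CREATE_PKCS_11_SESSION, e);
        }
        this.sessionFlag = true;
        boolean providerReady = false;
        try {
            createProvider(str, this.session);
            providerReady = true;
        } finally {
            if (!providerReady) {
                // We opened this session ourselves; release it on any failure.
                try {
                    this.session.clearSensitiveData();
                    this.session.closeSession();
                } catch (RuntimeException ignored) {
                    // best effort: the createProvider failure is the one to surface
                }
            }
        }
    }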

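    /**
     * Builds the logged-in JCE PKCS#11 provider and the {@code HardwareStore}
     * over it, storing both in {@code p11Provider} / {@code store}.
     *
     * {@code p11Provider} is only assigned once the store exists: if the store
     * cannot be built, the provider that {@code createP11Provider} already
     * logged in is logged out again instead of being left authenticated but
     * unreachable. Failure causes are attached to the thrown exception.
     *
     * @param str provider name
     * @param jSAFE_Session session whose spec must be a JSAFE_PKCS11SessionSpec
     * @throws InvalidParameterException if the session is null, carries no
     *         PKCS#11 spec, or the provider/store cannot be created
     */
    private void createProvider(String str, JSAFE_Session jSAFE_Session) throws InvalidParameterException {
        if (jSAFE_Session == null) {
            throw new InvalidParameterException(PASSED_IN_SESSION_IS_NULL);
        }
        JSAFE_SessionSpec sessionSpec = jSAFE_Session.getSessionSpec();
        // instanceof is false for null, so the null case is covered here too.
        if (!(sessionSpec instanceof JSAFE_PKCS11SessionSpec)) {
            throw new InvalidParameterException("Passed in session does not contain PKCS11 spec.");
        }
        JsafeJCEPKCS11 provider;
        try {
            provider = createP11Provider(str, (JSAFE_PKCS11SessionSpec) sessionSpec);
        } catch (Exception e) {
            this.p11Provider = null;
            throw new InvalidParameterException(CANNOT_CREATE_PROVIDER, e);
        }
        if (provider == null) {
            this.p11Provider = null;
            throw new InvalidParameterException(CANNOT_CREATE_PROVIDER);
        }
        try {
            this.store = HardwareStore.getInstance("PKCS11", provider);
        } catch (NoSuchAlgorithmException e2) {
            try {
                provider.logout();
            } catch (RuntimeException ignored) {
                // best effort: the store failure is the one to surface
            }
            this.p11Provider = null;
            throw new InvalidParameterException(CANNOT_CREATE_PROVIDER, e2);
        }
        this.p11Provider = provider;
    }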

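    /**
     * Instantiates a {@code JsafeJCEPKCS11} provider from the spec and logs it
     * in to the token.
     *
     * Only the library name, provider name and token label are serialised into
     * the provider's configuration stream; the passphrase is passed to
     * {@code login()} separately and never written to the stream. The
     * {@code char[]} copy of the passphrase produced here is wiped as soon as
     * login returns (or fails). The library name selects a native PKCS#11
     * module to load, so it must come from trusted configuration.
     *
     * @param str provider name
     * @param jSAFE_PKCS11SessionSpec source of library, token label and passphrase
     * @return the logged-in provider
     * @throws Exception on any configuration, construction or login failure
     */
    private JsafeJCEPKCS11 createP11Provider(String str, JSAFE_PKCS11SessionSpec jSAFE_PKCS11SessionSpec) throws Exception {
        Properties properties = new Properties();
        properties.setProperty("library", jSAFE_PKCS11SessionSpec.getLibraryName());
        properties.setProperty("name", str);
        properties.setProperty("tokenLabel", jSAFE_PKCS11SessionSpec.getTokenLabel());
        ByteArrayOutputStream configOut = new ByteArrayOutputStream();
        properties.store(configOut, (String) null);
        ByteArrayInputStream configIn = new ByteArrayInputStream(configOut.toByteArray());
        JsafeJCEPKCS11 provider = new JsafeJCEPKCS11(configIn);
        char[] pin = CertJUtils.byteArrayToCharArray(jSAFE_PKCS11SessionSpec.getPassPhrase());
        try {
            provider.login(pin);
        } finally {
            // The char[] is our own copy of the PIN; do not leave it in the heap.
            if (pin != null) {
                java.util.Arrays.fill(pin, '\0');
            }
        }
        configIn.close();
        configOut.close();
        return provider;
    }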

    /**
     * Creates the per-CertJ implementation object for this provider.
     *
     * @param certJ owning CertJ instance
     * @return a new {@code PKCS11DBImplementation} bound to this provider's name
     * @throws ProviderManagementException wrapping any InvalidParameterException
     *         raised by the implementation constructor
     */
    @Override // com.rsa.certj.Provider
    public ProviderImplementation instantiate(CertJ certJ) throws ProviderManagementException {
        String providerName = getName();
        try {
            return new PKCS11DBImplementation(certJ, providerName);
        } catch (InvalidParameterException e) {
            throw new ProviderManagementException("PKCS11DB.instantiate.", e);
        }
    }

    /** Human-readable description carrying the provider name; no secrets are included. */
    @Override
    public String toString() {
        String name = super.getName();
        return "PKCS11 database provider named: " + name;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Parses a DER certificate with the JsafeJCE X.509 factory and stores it on
     * the token under the given CKA_ID.
     *
     * @param bArr DER-encoded certificate
     * @param bArr2 CKA_ID to store the certificate under
     * @return 0 on success, 1 on any failure (the cause is swallowed; callers
     *         only see the status code)
     */
    public int nativeInsertCertificate(byte[] bArr, byte[] bArr2) {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X509", this.jsafeJCE);
            ByteArrayInputStream der = new ByteArrayInputStream(bArr);
            Certificate parsed;
            try {
                parsed = factory.generateCertificate(der);
            } finally {
                der.close();
            }
            this.store.setCertificate(bArr2, (String) null, parsed);
            return 0;
        } catch (Exception e) {
            return 1;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Imports a plaintext PKCS#8 private key into the token under the given
     * CKA_ID.
     *
     * The key arrives unencrypted in {@code bArr2}; this method does not wipe
     * that array (it belongs to the caller) and {@code PKCS8EncodedKeySpec}
     * keeps its own copy, so the plaintext key material stays in the Java heap
     * until garbage-collected.
     *
     * @param str key algorithm name for the KeyFactory
     * @param bArr CKA_ID to store the key under
     * @param bArr2 PKCS#8 encoding of the private key
     * @return 0 on success, 1 on any failure (the cause is swallowed)
     */
    public int nativeInsertPrivateKey(String str, byte[] bArr, byte[] bArr2) {
        try {
            KeyFactory factory = KeyFactory.getInstance(str, this.jsafeJCE);
            PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(bArr2);
            this.store.setKey(bArr, (String) null, factory.generatePrivate(spec));
            return 0;
        } catch (Exception e) {
            return 1;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Type inference failed for: r0v13, types: [byte[], byte[][]] */
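    /**
     * Returns the DER encodings of every certificate on the token whose issuer
     * DER and serial number equal the given values.
     *
     * The whole token is enumerated (the iterator parameters are unfiltered) and
     * matching is exact byte equality: the issuer must be encoded identically to
     * {@code X500Principal.getEncoded()} and the serial identically to
     * {@code BigInteger.toByteArray()} (minimal two's complement, which is also
     * the DER INTEGER content form).
     *
     * @param bArr DER issuer name
     * @param bArr2 serial number bytes
     * @param provider the JsafeJCEPKCS11 provider to enumerate
     * @return array of DER certificates (empty if none match), or {@code null}
     *         on any failure (the cause is swallowed)
     */
    public byte[][] nativeSelectCertByIssuerSerial(byte[] bArr, byte[] bArr2, java.security.Provider provider) {
        try {
            ArrayList<byte[]> matches = new ArrayList<byte[]>();
            HardwareIterator certificates = HardwareStore.getInstance("PKCS11", (JsafeJCEPKCS11) provider)
                    .certificateIterator(new PKCS11CertIteratorParameters((byte[]) null, (String) null));
            while (certificates.hasNext()) {
                java.security.cert.X509Certificate candidate = (java.security.cert.X509Certificate) certificates.next();
                if (CertJUtils.byteArraysEqual(bArr, candidate.getIssuerX500Principal().getEncoded())
                        && CertJUtils.byteArraysEqual(bArr2, candidate.getSerialNumber().toByteArray())) {
                    matches.add(candidate.getEncoded());
                }
            }
            return matches.toArray(new byte[matches.size()][]);
        } catch (Exception e) {
            return (byte[][]) null;
        }
    }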

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Type inference failed for: r0v13, types: [byte[], byte[][]] */
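    /**
     * Returns the DER encodings of every certificate on the token whose subject
     * DER equals the given value.
     *
     * The whole token is enumerated (the iterator parameters are unfiltered) and
     * matching is exact byte equality against
     * {@code X500Principal.getEncoded()}; no name canonicalisation is applied.
     *
     * @param bArr DER subject name
     * @param provider the JsafeJCEPKCS11 provider to enumerate
     * @return array of DER certificates (empty if none match), or {@code null}
     *         on any failure (the cause is swallowed)
     */
    public byte[][] nativeSelectCertBySubject(byte[] bArr, java.security.Provider provider) {
        try {
            ArrayList<byte[]> matches = new ArrayList<byte[]>();
            HardwareIterator certificates = HardwareStore.getInstance("PKCS11", (JsafeJCEPKCS11) provider)
                    .certificateIterator(new PKCS11CertIteratorParameters((byte[]) null, (String) null));
            while (certificates.hasNext()) {
                java.security.cert.X509Certificate candidate = (java.security.cert.X509Certificate) certificates.next();
                if (CertJUtils.byteArraysEqual(bArr, candidate.getSubjectX500Principal().getEncoded())) {
                    matches.add(candidate.getEncoded());
                }
            }
            return matches.toArray(new byte[matches.size()][]);
        } catch (Exception e) {
            return (byte[][]) null;
        }
    }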

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Type inference failed for: r0v13, types: [byte[], byte[][]] */
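    /**
     * Returns the DER encodings of every certificate on the token whose subject
     * DER equals {@code bArr} and whose DER-encoded extensions block equals
     * {@code bArr2}.
     *
     * Each subject match is re-parsed as a Cert-J {@code X509Certificate} to
     * obtain its extensions. A certificate with no extensions block is skipped
     * rather than aborting the whole search: it cannot match a requested
     * encoding, and a null {@code getExtensions()} must not turn into a caught
     * NullPointerException that makes the entire query return {@code null}.
     *
     * @param bArr DER subject name
     * @param bArr2 DER encoding of the expected extensions block
     * @param provider the JsafeJCEPKCS11 provider to enumerate
     * @return array of DER certificates (empty if none match), or {@code null}
     *         on any failure (the cause is swallowed)
     */
    public byte[][] nativeSelectCertByExtensions(byte[] bArr, byte[] bArr2, java.security.Provider provider) {
        try {
            ArrayList<byte[]> matches = new ArrayList<byte[]>();
            HardwareIterator certificates = HardwareStore.getInstance("PKCS11", (JsafeJCEPKCS11) provider)
                    .certificateIterator(new PKCS11CertIteratorParameters((byte[]) null, (String) null));
            while (certificates.hasNext()) {
                java.security.cert.X509Certificate candidate = (java.security.cert.X509Certificate) certificates.next();
                if (!CertJUtils.byteArraysEqual(bArr, candidate.getSubjectX500Principal().getEncoded())) {
                    continue;
                }
                byte[] encoded = candidate.getEncoded();
                X509V3Extensions extensions = new X509Certificate(encoded, 0, 0).getExtensions();
                if (extensions == null) {
                    continue;
                }
                byte[] extensionsDer = new byte[extensions.getDERLen(0)];
                extensions.getDEREncoding(extensionsDer, 0, 0);
                if (CertJUtils.byteArraysEqual(bArr2, extensionsDer)) {
                    matches.add(encoded);
                }
            }
            return matches.toArray(new byte[matches.size()][]);
        } catch (Exception e) {
            return (byte[][]) null;
        }
    }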

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Type inference failed for: r0v13, types: [byte[], byte[][]] */
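    /**
     * Looks up a private key on the token by CKA_ID and algorithm and returns
     * its handle as {@code {manufacturerId, keyId}}.
     *
     * Only the first match is returned; further keys sharing the id are
     * ignored. The key material itself never leaves the token — only the two
     * identifier byte arrays come back. The {@code provider} argument is
     * accepted for signature parity with the certificate selectors but the
     * lookup goes through {@code this.store}.
     *
     * @param str key algorithm name
     * @param bArr CKA_ID of the key
     * @param provider unused
     * @return {@code {manufacturerId, keyId}} of the first match, or
     *         {@code null} if none or on any failure (the cause is swallowed)
     */
    public byte[][] nativeSelectPrivateKey(String str, byte[] bArr, java.security.Provider provider) {
        try {
            HardwareIterator keys = this.store.keyIterator(new PKCS11KeyIteratorParameters(bArr, (String) null, str));
            if (!keys.hasNext()) {
                return (byte[][]) null;
            }
            PKCS11Key key = (PKCS11Key) keys.next();
            return new byte[][] { key.getManufacturerId(), key.getKeyId() };
        } catch (Exception e) {
            return (byte[][]) null;
        }
    }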

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Advances the certificate iterator and returns the next certificate's DER
     * encoding.
     *
     * @return DER certificate, or {@code null} if the iterator is exhausted,
     *         not set up, or encoding fails (every exception is swallowed)
     */
    public byte[] nativeNextCertificate() {
        try {
            Certificate next = (Certificate) this.certIterator.next();
            return next.getEncoded();
        } catch (Exception e) {
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Removes the first certificate on the token whose issuer DER and serial
     * number equal the given values.
     *
     * The whole token is enumerated and matching is exact byte equality (see
     * {@code nativeSelectCertByIssuerSerial}). At most one object is removed
     * per call even if several certificates match.
     *
     * @param bArr DER issuer name
     * @param bArr2 serial number bytes
     * @param provider the JsafeJCEPKCS11 provider to enumerate
     * @return 0 if a certificate was removed, 1 if none matched or on any
     *         failure (the cause is swallowed)
     */
    public int nativeDeleteCert(byte[] bArr, byte[] bArr2, java.security.Provider provider) {
        try {
            HardwareStore tokenStore = HardwareStore.getInstance("PKCS11", (JsafeJCEPKCS11) provider);
            HardwareIterator certificates = tokenStore.certificateIterator(new PKCS11CertIteratorParameters((byte[]) null, (String) null));
            while (certificates.hasNext()) {
                java.security.cert.X509Certificate candidate = (java.security.cert.X509Certificate) certificates.next();
                boolean issuerMatches = CertJUtils.byteArraysEqual(bArr, candidate.getIssuerX500Principal().getEncoded());
                if (!issuerMatches) {
                    continue;
                }
                if (CertJUtils.byteArraysEqual(bArr2, candidate.getSerialNumber().toByteArray())) {
                    certificates.remove();
                    return 0;
                }
            }
            return 1;
        } catch (Exception e) {
            return 1;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Type inference failed for: r0v4, types: [byte[], byte[][]] */
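    /**
     * Advances the key iterator and returns the next key's handle as
     * {@code {manufacturerId, keyId}}; the key material itself stays on the
     * token.
     *
     * No exhaustion check is made here: the caller must test
     * {@code hasNext()} first, otherwise {@code next()} throws
     * {@code NoSuchElementException}, which propagates.
     *
     * @param hardwareIterator positioned key iterator
     * @return {@code {manufacturerId, keyId}} of the next key
     */
    public byte[][] nativeNextPrivateKey(HardwareIterator<Key> hardwareIterator) {
        PKCS11Key key = (PKCS11Key) hardwareIterator.next();
        return new byte[][] { key.getManufacturerId(), key.getKeyId() };
    }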

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Removes every key object on the token matched by CKA_ID and algorithm.
     *
     * This is deliberately not "first match only": all objects the iterator
     * yields are deleted. {@code bArr} is passed straight through to
     * {@code PKCS11KeyIteratorParameters}; if a null id acts as a wildcard
     * there, the way null parameters do for the certificate iterator used
     * elsewhere in this file, a null id would remove every key of that
     * algorithm — callers must pass a concrete id.
     *
     * @param str key algorithm name
     * @param bArr CKA_ID of the key(s)
     * @return 0 if at least one key was removed, 1 if none matched or on any
     *         failure (the cause is swallowed)
     */
    public int nativeDeletePrivateKey(String str, byte[] bArr) {
        try {
            HardwareIterator keys = this.store.keyIterator(new PKCS11KeyIteratorParameters(bArr, (String) null, str));
            int removed = 0;
            while (keys.hasNext()) {
                keys.next();
                keys.remove();
                removed++;
            }
            return removed > 0 ? 0 : 1;
        } catch (Exception e) {
            return 1;
        }
    }

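    /**
     * Renders a byte array as lower-case hex, two characters per byte.
     *
     * Package-private (was private) so it can be unit-tested; behaviour is
     * unchanged. An empty array yields an empty string; a null array throws
     * NullPointerException.
     *
     * @param bArr bytes to render
     * @return hex string of length {@code 2 * bArr.length}
     */
    static String byteArrayToHexString(byte[] bArr) {
        StringBuilder hex = new StringBuilder(bArr.length * 2);
        for (byte b : bArr) {
            int value = b & 0xff;
            if (value < 0x10) {
                hex.append('0');
            }
            hex.append(Integer.toHexString(value));
        }
        return hex.toString();
    }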

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Logs the JCE PKCS#11 provider out of the token. Callers must ensure
     * {@code p11Provider} is non-null (see {@code unregister()}); no check is
     * made here.
     */
    public void nativeFinalizeSession() {
        JsafeJCEPKCS11 provider = this.p11Provider;
        provider.logout();
    }

    static {
        // Loaded from java.library.path at class initialisation; a missing
        // library fails the whole class with UnsatisfiedLinkError. NOTE(review):
        // none of the "native*" methods visible in this class is declared
        // `native` (they are plain Java over HardwareStore), so confirm this
        // load is still required rather than a leftover from a JNI version.
        final String nativeLibrary = "ncm";
        System.loadLibrary(nativeLibrary);
    }
}
