package com.rsa.certj.provider.pki.cmp;

import com.rsa.asn1.ASN1Container;
import com.rsa.asn1.ASN1Template;
import com.rsa.asn1.ASN_Exception;
import com.rsa.asn1.BitStringContainer;
import com.rsa.asn1.EncodedContainer;
import com.rsa.asn1.EndContainer;
import com.rsa.asn1.IntegerContainer;
import com.rsa.asn1.OIDContainer;
import com.rsa.asn1.OctetStringContainer;
import com.rsa.asn1.OfContainer;
import com.rsa.asn1.SequenceContainer;
import com.rsa.certj.CertJ;
import com.rsa.certj.CertJException;
import com.rsa.certj.cert.Certificate;
import com.rsa.certj.cert.CertificateException;
import com.rsa.certj.cert.X509Certificate;
import com.rsa.certj.internal.JSAFEFactory;
import com.rsa.certj.spi.pki.PKIRequestMessage;
import com.rsa.jsafe.JSAFE_Exception;
import com.rsa.jsafe.JSAFE_MAC;
import com.rsa.jsafe.JSAFE_Parameters;
import com.rsa.jsafe.JSAFE_PrivateKey;
import com.rsa.jsafe.JSAFE_SecretKey;
import com.rsa.jsafe.JSAFE_SecureRandom;
import com.rsa.jsafe.JSAFE_Signature;
import java.security.SecureRandom;
import java.util.StringTokenizer;

/* loaded from: input_file:com/rsa/certj/provider/pki/cmp/CMPRequestCommon.class */
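/**
 * Base class for outgoing CMP request messages.
 *
 * <p>It holds the message type, recipient nonce and generalInfo entries, and
 * assembles the DER encoding of the whole message: header, body, optional
 * protection bits and optional extra certificates. Protection is either a
 * password-based MAC (PBM) or a signature, as selected by the supplied
 * {@code CMPProtectInfo}.
 *
 * <p>NOTE(review): the PBM path only accepts algorithm strings starting with
 * {@code PBE/HMAC/SHA1} and always advertises SHA1 plus HMAC/SHA1 in the
 * PBMParameter. That reflects what this encoder supports, not a recommendation
 * for new deployments.
 */
abstract class CMPRequestCommon extends PKIRequestMessage {
    /** Number of random salt bytes generated for PBM protection. */
    private static final int SALT_LEN = 20;
    /** Iteration count used when the algorithm string carries no positive count. */
    private static final int PBHMAC_ITERATIONS = 1024;
    /** Prefix every accepted PBM algorithm string must start with. */
    private static final String PBM_ALGORITHM_PREFIX = "PBE/HMAC/SHA1";
    /** Content octets of OID 1.3.6.1.5.5.8.1.2 (HMAC-SHA1). */
    private static final byte[] HMAC_SHA1_OID = {43, 6, 1, 5, 5, 8, 1, 2};
    private byte[] recipNonce;
    private TypeAndValue[] generalInfo;
    private int messageType;

    /**
     * Creates a request with no free text and no generalInfo entries.
     *
     * @param i    message type code
     * @param bArr recipient nonce; stored by reference, may be {@code null}
     */
    public CMPRequestCommon(int i, byte[] bArr) {
        this(i, bArr, null, null);
    }

    /**
     * Creates a request.
     *
     * @param i               message type code
     * @param bArr            recipient nonce; stored by reference, not copied
     * @param strArr          free-text strings, passed to {@code setFreeText}
     * @param typeAndValueArr generalInfo entries; stored by reference
     */
    public CMPRequestCommon(int i, byte[] bArr, String[] strArr, TypeAndValue[] typeAndValueArr) {
        super(null, null, false);
        this.messageType = i;
        this.recipNonce = bArr;
        this.generalInfo = typeAndValueArr;
        setFreeText(strArr);
    }

    /** Returns the message type code given at construction. */
    public int getMessageType() {
        return this.messageType;
    }

    /**
     * Returns the recipient nonce.
     *
     * @return the internal array itself (no defensive copy), possibly {@code null}
     */
    public byte[] getRecipNonce() {
        return this.recipNonce;
    }

    /**
     * Returns the generalInfo entries.
     *
     * @return the internal array itself (no defensive copy), possibly {@code null}
     */
    public TypeAndValue[] getGeneralInfo() {
        return this.generalInfo;
    }

    /**
     * Replaces the recipient nonce.
     *
     * @param bArr new nonce; stored by reference, not copied
     */
    public void setRecipNonce(byte[] bArr) {
        this.recipNonce = bArr;
    }

    /**
     * Encodes the message body. This base implementation always fails;
     * concrete request types are expected to override it.
     *
     * @throws CMPException always, in this base implementation
     */
    protected byte[] derEncodeBody(CertJ certJ) throws CMPException {
        throw new CMPException("CMPRequestCommon.derEncode: this method should be overwritten by sublclasses.");
    }

    /**
     * Builds the DER encoding of the complete message.
     *
     * <p>When {@code cMPProtectInfo} is {@code null} the message is emitted
     * without protection. Otherwise the protection algorithm identifier is
     * placed in the header, the protection value is computed over the encoded
     * header and body, and the result is attached to the message.
     *
     * @param cMPProtectInfo protection settings, or {@code null} for none
     * @param certJ          context supplying the random source and device
     * @return the encoded message
     * @throws CMPException if the algorithm is unsupported or malformed, or
     *                      any encoding or cryptographic step fails
     */
    public byte[] derEncode(CMPProtectInfo cMPProtectInfo, CertJ certJ) throws CMPException {
        try {
            JSAFE_SecureRandom randomObject = certJ.getRandomObject();
            byte[] protectionAlg = null;
            byte[] salt = null;
            byte[] body = derEncodeBody(certJ);
            if (cMPProtectInfo != null) {
                if (cMPProtectInfo.pbmProtected()) {
                    String algorithm = cMPProtectInfo.getAlgorithm();
                    // A missing algorithm is reported like an unsupported one
                    // instead of surfacing as a NullPointerException.
                    if (algorithm == null || !algorithm.startsWith(PBM_ALGORITHM_PREFIX)) {
                        throw new CMPException("CMPRequestCommon.writeMessage: PBM MAC algorithm specified by " + algorithm + " is not supported.");
                    }
                    // Fresh salt for every message.
                    salt = randomObject.generateRandomBytes(SALT_LEN);
                    protectionAlg = derEncodePBMAlg(salt, parseIterationCount(algorithm), certJ);
                } else {
                    protectionAlg = derEncodeSignatureAlg(cMPProtectInfo.getAlgorithm(), certJ);
                }
            }
            byte[] header = new PKIHeader(this, cMPProtectInfo, protectionAlg, randomObject).derEncode();
            byte[] protectedPart = CMP.derEncodeProtectedPart(header, 0, header.length, body, 0, body.length);
            byte[] protection = null;
            if (cMPProtectInfo != null) {
                protection = cMPProtectInfo.pbmProtected()
                        ? computeProtection(protectedPart, cMPProtectInfo, salt, certJ)
                        : computeProtection(protectedPart, cMPProtectInfo, randomObject, certJ);
            }
            return derEncodePKIMessage(header, body, protection, getExtraCerts());
        } catch (CMPException e) {
            // Keep the specific failure. If CMPException is a CertJException
            // subtype (not visible here), the handler below would otherwise
            // relabel it as a random-service problem.
            throw e;
        } catch (CertJException e) {
            throw new CMPException("CMPRequestCommon.writeMessage: unable to get a registered random service.", e);
        }
    }

    /**
     * Extracts the iteration count from a PBM algorithm string: the second
     * {@code '-'}-separated token, when present.
     *
     * <p>NOTE(review): every positive value is accepted as given, including
     * counts far below the {@code PBHMAC_ITERATIONS} default. Consider
     * enforcing a floor if the algorithm string can come from configuration.
     *
     * @return the parsed count, or {@code PBHMAC_ITERATIONS} when the token is
     *         absent or not positive
     * @throws CMPException if the token is present but not an integer
     */
    private static int parseIterationCount(String algorithm) throws CMPException {
        int count = -1;
        StringTokenizer tokens = new StringTokenizer(algorithm, "-");
        if (tokens.hasMoreTokens()) {
            tokens.nextToken();
            if (tokens.hasMoreTokens()) {
                try {
                    count = Integer.parseInt(tokens.nextToken());
                } catch (NumberFormatException e) {
                    // Reported through the declared exception type rather
                    // than escaping as an unchecked exception.
                    throw new CMPException("CMPRequestCommon.writeMessage: PBM iteration count in " + algorithm + " is not a valid integer.", e);
                }
            }
        }
        return count > 0 ? count : PBHMAC_ITERATIONS;
    }

    /**
     * Signs the protected part with the private key that matches the sender
     * certificate in the database referenced by {@code protectInfo}.
     *
     * @return the signature bytes
     * @throws CMPException if no key is found or signing fails
     */
    private byte[] computeProtection(byte[] protectedPart, CMPProtectInfo protectInfo, JSAFE_SecureRandom random, CertJ certJ) throws CMPException {
        try {
            JSAFE_PrivateKey signerKey = protectInfo.getDatabase().selectPrivateKeyByCertificate(protectInfo.getSenderCert());
            if (signerKey == null) {
                throw new CMPException("CMPRequestCommon.computeProtection: unable to find a signer private key in the database.");
            }
            String algorithm = protectInfo.getAlgorithm();
            try {
                JSAFE_Signature signer = JSAFEFactory.getSignature(algorithm, certJ.getDevice(), certJ);
                signer.signInit(signerKey, (JSAFE_Parameters) null, random, certJ.getPKCS11Sessions());
                signer.signUpdate(protectedPart, 0, protectedPart.length);
                return signer.signFinal();
            } catch (JSAFE_Exception e) {
                throw new CMPException("CMPRequestCommon.createSignatureProtectionDER: unable to generate a signature for " + algorithm + ".", e);
            } finally {
                // Wipe the key copy on success and on failure.
                signerKey.clearSensitiveData();
            }
        } catch (CMPException e) {
            // Do not let the handler below relabel a signing failure as a
            // key-lookup failure (applies if CMPException is a CertJException).
            throw e;
        } catch (CertJException e) {
            throw new CMPException("CMPRequestCommon.computeProtection: unable to find a signer private key in the database.", e);
        }
    }

    /**
     * Computes the password-based MAC over the protected part, using the
     * shared secret from {@code protectInfo} and the given salt.
     *
     * <p>NOTE(review): the MAC object is built from the raw algorithm string,
     * while the iteration count written to the header is derived separately
     * in {@code derEncode}. Confirm the two agree when the string carries no
     * count.
     *
     * @return the MAC bytes
     * @throws CMPException if the shared secret is missing or the MAC fails
     */
    private byte[] computeProtection(byte[] protectedPart, CMPProtectInfo protectInfo, byte[] salt, CertJ certJ) throws CMPException {
        JSAFE_MAC mac = null;
        JSAFE_SecretKey key = null;
        try {
            mac = JSAFEFactory.getMAC(protectInfo.getAlgorithm(), certJ.getDevice(), certJ);
            mac.setSalt(salt, 0, salt.length);
            key = mac.getBlankKey();
            char[] sharedSecret = protectInfo.getSharedSecret();
            if (sharedSecret == null) {
                throw new CMPException("CMPRequestCommon.createPBMProtection: no shared secret is available to compute PBM.");
            }
            // The char[] is left untouched: it is not visible here whether
            // getSharedSecret() hands out a copy or the caller's own array.
            key.setPassword(sharedSecret, 0, sharedSecret.length);
            mac.macInit(key, (SecureRandom) null);
            mac.macUpdate(protectedPart, 0, protectedPart.length);
            return mac.macFinal();
        } catch (JSAFE_Exception e) {
            throw new CMPException("CMPRequestCommon.createPBMProtection: unable to compute PBM.", e);
        } finally {
            // The key object holds the password-derived material, so it is
            // wiped together with the MAC state.
            if (key != null) {
                key.clearSensitiveData();
            }
            if (mac != null) {
                mac.clearSensitiveData();
            }
        }
    }

    /** Runs the two-step DER encoding of a template into a new array. */
    private static byte[] encode(ASN1Template template) throws ASN_Exception {
        byte[] out = new byte[template.derEncodeInit()];
        template.derEncode(out, 0);
        return out;
    }

    /**
     * Wraps header, body, optional protection bits and optional extra
     * certificates in the outer SEQUENCE.
     *
     * @param protection protection bits, or {@code null} to leave the field out
     * @param extraCerts certificates to attach, or {@code null} for none
     */
    private byte[] derEncodePKIMessage(byte[] header, byte[] body, byte[] protection, Certificate[] extraCerts) throws CMPException {
        try {
            // The numeric tag/option values are library flag constants whose
            // names are not visible in this file.
            ASN1Container protectionField = protection == null
                    ? new BitStringContainer(10551296, false, 0, 0, 0, false)
                    : new BitStringContainer(10551296, true, 0, protection, 0, protection.length, protection.length * 8, false);
            ASN1Container[] fields = {
                new SequenceContainer(0, true, 0),
                new EncodedContainer(0, true, 0, header, 0, header.length),
                new EncodedContainer(0, true, 0, body, 0, body.length),
                protectionField,
                createExtraCertsContainer(extraCerts),
                new EndContainer()
            };
            return encode(new ASN1Template(fields));
        } catch (ASN_Exception e) {
            throw new CMPException("CMPRequestCommon.derEncodePKIMessage: Encoding CMP message failed.", e);
        }
    }

    /**
     * Builds the container for the extra certificates.
     *
     * @param extraCerts certificates to include, or {@code null} for an
     *                   absent field
     * @throws CMPException if an entry is not an {@code X509Certificate} or
     *                      cannot be encoded or added
     */
    private ASN1Container createExtraCertsContainer(Certificate[] extraCerts) throws CMPException, ASN_Exception {
        if (extraCerts == null) {
            return new EncodedContainer(10551297, false, 0, (byte[]) null, 0, 0);
        }
        OfContainer certList = new OfContainer(10551297, true, 0, 12288, new EncodedContainer(12288));
        for (Certificate cert : extraCerts) {
            if (!(cert instanceof X509Certificate)) {
                throw new CMPException("CMPRequestCommon.createExtraCertsContainer:certificate in extraCerts should be an instance of X509Certificate.");
            }
            X509Certificate x509 = (X509Certificate) cert;
            byte[] certDer;
            try {
                certDer = new byte[x509.getDERLen(0)];
                x509.getDEREncoding(certDer, 0, 0);
            } catch (CertificateException e) {
                throw new CMPException("CMPRequestCommon.createExtraCertsContainer: Encoding a certificate failed.", e);
            }
            try {
                certList.addContainer(new EncodedContainer(0, true, 0, certDer, 0, certDer.length));
            } catch (ASN_Exception e) {
                throw new CMPException("CMPRequestCommon.createExtraCertsContainer: unable to add an element of extraCerts.", e);
            }
        }
        return certList;
    }

    /**
     * Encodes the protection algorithm identifier for PBM: the
     * password-based MAC OID followed by the PBMParameter.
     */
    private byte[] derEncodePBMAlg(byte[] salt, int iterationCount, CertJ certJ) throws CMPException {
        byte[] pbmParameter = derEncodePBMParameter(salt, iterationCount, certJ);
        try {
            ASN1Container[] fields = {
                new SequenceContainer(10551297, true, 0),
                new OIDContainer(16777216, true, 0, CMP.PASSWORD_BASED_MAC_OID, 0, CMP.PASSWORD_BASED_MAC_OID.length),
                new EncodedContainer(77824, true, 0, pbmParameter, 0, pbmParameter.length),
                new EndContainer()
            };
            return encode(new ASN1Template(fields));
        } catch (ASN_Exception e) {
            throw new CMPException("CMPRequestCommon.encodePBMAlgorithmIdentifier: unable to encodeEncoding PBMAlgorithmIdentifier.", e);
        }
    }

    /**
     * Encodes the protection algorithm identifier for signature protection,
     * wrapping the identifier reported by the signature object.
     */
    private byte[] derEncodeSignatureAlg(String algorithm, CertJ certJ) throws CMPException {
        byte[] algorithmId;
        try {
            algorithmId = JSAFEFactory.getSignature(algorithm, certJ.getDevice(), certJ).getDERAlgorithmID();
        } catch (JSAFE_Exception e) {
            throw new CMPException("CMPRequestCommon.derEncodeSignatureAlgorithm: unable to get algorithm identifier for " + algorithm + ".", e);
        }
        try {
            ASN1Container[] fields = {
                new SequenceContainer(8388609, true, 0),
                new EncodedContainer(0, true, 0, algorithmId, 0, algorithmId.length),
                new EndContainer()
            };
            return encode(new ASN1Template(fields));
        } catch (ASN_Exception e) {
            throw new CMPException("CMPRequestCommon.derEncodeSignatureAlgorithm: unable to encode signature algorithm.", e);
        }
    }

    /**
     * Encodes the PBMParameter: salt, SHA1 digest identifier, iteration
     * count and HMAC/SHA1 identifier, in that order.
     */
    private byte[] derEncodePBMParameter(byte[] salt, int iterationCount, CertJ certJ) throws CMPException {
        String device = certJ.getDevice();
        byte[] digestAlgId;
        byte[] macAlgId;
        try {
            digestAlgId = JSAFEFactory.getDigest("SHA1", device, certJ).getDERAlgorithmID();
            macAlgId = getMACAlgorithmID(JSAFEFactory.getMAC("HMAC/SHA1", device, certJ));
        } catch (JSAFE_Exception e) {
            throw new CMPException("CMPRequestCommon.derEncodePBMParameter.", e);
        }
        try {
            ASN1Container[] fields = {
                new SequenceContainer(0, true, 0),
                new OctetStringContainer(0, true, 0, salt, 0, salt.length),
                new EncodedContainer(12288, true, 0, digestAlgId, 0, digestAlgId.length),
                new IntegerContainer(0, true, 0, iterationCount),
                new EncodedContainer(12288, true, 0, macAlgId, 0, macAlgId.length),
                new EndContainer()
            };
            return encode(new ASN1Template(fields));
        } catch (ASN_Exception e) {
            throw new CMPException("CMPRequestCommon.derEncodePBMParameter: Encoding PBMParameter failed.", e);
        }
    }

    /**
     * Encodes the algorithm identifier for the given MAC object.
     *
     * @throws CMPException if the MAC is not HMAC with SHA1, or encoding fails
     */
    private byte[] getMACAlgorithmID(JSAFE_MAC jsafe_mac) throws CMPException {
        String macName = jsafe_mac.getMACAlgorithm();
        String digestName = jsafe_mac.getDigestAlgorithm();
        if (!macName.equals("HMAC") || !digestName.equals("SHA1")) {
            throw new CMPException("CMPRequestCommon.getMACAlgorithmID: algorithm(" + macName + "/" + digestName + ") not supported.  Use HMAC/SHA1.");
        }
        try {
            ASN1Container[] fields = {
                new SequenceContainer(0, true, 0),
                new OIDContainer(16777216, true, 0, HMAC_SHA1_OID, 0, HMAC_SHA1_OID.length),
                new EncodedContainer(77824, false, 5, (byte[]) null, 0, 0),
                new EndContainer()
            };
            return encode(new ASN1Template(fields));
        } catch (ASN_Exception e) {
            throw new CMPException("CMPRequestCommon.getMACAlgorithmID: Encoding MAC Algorithm Identifier failed.", e);
        }
    }
}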
