package org.xipki.security.pkcs11.emulator;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.crypto.generators.SCrypt;
import org.xipki.audit.services.MacAuditService;
import org.xipki.pkcs11.wrapper.TokenException;
import org.xipki.security.EdECConstants;
import org.xipki.util.Args;
import org.xipki.util.StringUtil;

/* loaded from: input_file:WEB-INF/lib/security-6.3.1.jar:org/xipki/security/pkcs11/emulator/EmulatorKeyCryptor.class */
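/**
 * Encrypts and decrypts key material of the PKCS#11 emulator with AES-GCM under a key derived
 * from a password.
 *
 * <p>Blob layout produced by {@code encrypt} and expected by {@code decrypt}:
 * {@code algorithm id (1 byte) || GCM nonce (12 bytes) || ciphertext || GCM tag (16 bytes)}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The AES key is a 16-byte scrypt output (N=16384, r=8, p=1) computed over an all-zero
 *       8-byte salt. The key therefore depends on the password alone: equal passwords give equal
 *       keys on every token, and the salt offers no protection against precomputed guesses.
 *       Changing the salt would make existing blobs undecryptable, so it needs a new algorithm
 *       id rather than an in-place edit.</li>
 *   <li>Every encryption draws a fresh random 96-bit nonce from {@link SecureRandom}; the nonce
 *       is stored in the blob.</li>
 * </ul>
 */
class EmulatorKeyCryptor {
    /** Only supported blob format: scrypt-derived key, AES-GCM without padding, 128-bit key. */
    private static final byte ALG_SCRYPT1_AESGCMNopadding_128 = 1;
    private static final int AES_GCM_NONCE_BYTE_SIZE = 12;
    private static final int AES_GCM_TAG_BIT_SIZE = 128;
    /** Offset of the ciphertext: one algorithm-id byte followed by the nonce. */
    private static final int HEADER_BYTE_SIZE = 1 + AES_GCM_NONCE_BYTE_SIZE;
    /** Smallest well-formed blob: header plus the GCM tag of an empty plaintext. */
    private static final int MIN_BLOB_BYTE_SIZE = HEADER_BYTE_SIZE + AES_GCM_TAG_BIT_SIZE / 8;
    private final SecretKey key;
    private final SecureRandom rnd = new SecureRandom();

    /**
     * Derives the AES key from the given password.
     *
     * @param cArr the password; must not be {@code null}. The array is not modified.
     */
    public EmulatorKeyCryptor(char[] cArr) {
        Args.notNull(cArr, MacAuditService.KEY_PASSWORD);
        // NOTE(review): the password passes through an immutable String, which cannot be wiped.
        byte[] passwordBytes = StringUtil.toUtf8Bytes(new String(cArr));
        // NOTE(review): all-zero salt, see the class comment; kept for blob compatibility.
        byte[] derivedKey = SCrypt.generate(passwordBytes, new byte[8], 16384, 8, 1, 16);
        // SecretKeySpec copies the key bytes, so the temporaries can be wiped afterwards.
        this.key = new SecretKeySpec(derivedKey, "AES");
        Arrays.fill(derivedKey, (byte) 0);
        // presumably toUtf8Bytes returns a fresh array — confirm before relying on this wipe
        Arrays.fill(passwordBytes, (byte) 0);
    }

    /**
     * Decrypts a blob that holds an encoded PKCS#8 {@code PrivateKeyInfo} and rebuilds the key
     * with the "BC" provider.
     *
     * @param bArr the encrypted private key info; must not be {@code null}
     * @return the decoded private key
     * @throws TokenException if the blob cannot be decrypted, the key algorithm is not
     *     recognised, or the key cannot be reconstructed
     */
    public PrivateKey decryptPrivateKey(byte[] bArr) throws TokenException {
        Args.notNull(bArr, "encryptedPrivateKeyInfo");
        PrivateKeyInfo privateKeyInfo = PrivateKeyInfo.getInstance(decrypt(bArr));
        ASN1ObjectIdentifier algorithm = privateKeyInfo.getPrivateKeyAlgorithm().getAlgorithm();

        String name;
        if (PKCSObjectIdentifiers.rsaEncryption.equals(algorithm)) {
            name = "RSA";
        } else if (X9ObjectIdentifiers.id_dsa.equals(algorithm)) {
            name = "DSA";
        } else if (X9ObjectIdentifiers.id_ecPublicKey.equals(algorithm)) {
            name = "EC";
        } else {
            name = EdECConstants.getName(algorithm);
        }
        if (name == null) {
            throw new TokenException("unknown private key algorithm " + algorithm.getId());
        }

        try {
            KeyFactory keyFactory = KeyFactory.getInstance(name, "BC");
            return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(privateKeyInfo.getEncoded()));
        } catch (IOException | NoSuchAlgorithmException | NoSuchProviderException
                | InvalidKeySpecException e) {
            throw new TokenException(e.getClass().getName() + ": " + e.getMessage(), e);
        }
    }

    /**
     * Authenticates and decrypts a blob produced by {@code encrypt}.
     *
     * @param bArr the blob; must not be {@code null}
     * @return the plaintext
     * @throws TokenException if the blob is shorter than header plus tag, carries an unknown
     *     algorithm id, or fails decryption (a tag mismatch, e.g. from a wrong password or a
     *     modified blob, is reported this way)
     */
    public byte[] decrypt(byte[] bArr) throws TokenException {
        Args.notNull(bArr, "cipherBlob");
        // Reject truncated input up front: without this check an empty or short blob escapes as
        // an unchecked ArrayIndexOutOfBoundsException / IllegalArgumentException.
        if (bArr.length < MIN_BLOB_BYTE_SIZE) {
            throw new TokenException("cipherBlob too short");
        }
        if (bArr[0] != ALG_SCRYPT1_AESGCMNopadding_128) {
            throw new TokenException("unknown encryption algorithm");
        }

        // The nonce is read in place from the blob, right after the algorithm id.
        GCMParameterSpec gcmSpec =
                new GCMParameterSpec(AES_GCM_TAG_BIT_SIZE, bArr, 1, AES_GCM_NONCE_BYTE_SIZE);
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
            cipher.init(Cipher.DECRYPT_MODE, this.key, gcmSpec);
            int cipherLen = bArr.length - HEADER_BYTE_SIZE;
            int outputSize = cipher.getOutputSize(cipherLen);
            byte[] plain = new byte[outputSize];
            int realLen = cipher.doFinal(bArr, HEADER_BYTE_SIZE, cipherLen, plain, 0);
            // getOutputSize is an upper bound; trim when fewer bytes were written.
            if (outputSize > realLen) {
                plain = Arrays.copyOf(plain, realLen);
            }
            return plain;
        } catch (GeneralSecurityException e) {
            throw new TokenException(e);
        }
    }

    /**
     * Encrypts the encoded form of a private key.
     *
     * @param privateKey the key; must not be {@code null}
     * @return the encrypted blob
     * @throws TokenException if the key has no encoded form or encryption fails
     */
    public byte[] encrypt(PrivateKey privateKey) throws TokenException {
        Args.notNull(privateKey, "privateKey");
        byte[] encoded = privateKey.getEncoded();
        // Key.getEncoded() returns null for keys that do not support encoding.
        if (encoded == null) {
            throw new TokenException("private key has no encoded form");
        }
        return encrypt(encoded);
    }

    /**
     * Encrypts the encoded form of a secret key.
     *
     * @param secretKey the key; must not be {@code null}
     * @return the encrypted blob
     * @throws TokenException if the key has no encoded form or encryption fails
     */
    public byte[] encrypt(SecretKey secretKey) throws TokenException {
        // Same null handling as the PrivateKey overload.
        Args.notNull(secretKey, "secretKey");
        byte[] encoded = secretKey.getEncoded();
        if (encoded == null) {
            throw new TokenException("secret key has no encoded form");
        }
        return encrypt(encoded);
    }

    /**
     * Encrypts the given bytes with AES-GCM under a fresh random nonce.
     *
     * @param bArr the plaintext; must not be {@code null}
     * @return {@code algorithm id || nonce || ciphertext || tag}
     * @throws TokenException if the cipher cannot be set up or encryption fails
     */
    byte[] encrypt(byte[] bArr) throws TokenException {
        Args.notNull(bArr, "plaintext");
        byte[] nonce = new byte[AES_GCM_NONCE_BYTE_SIZE];
        this.rnd.nextBytes(nonce);
        GCMParameterSpec gcmSpec = new GCMParameterSpec(AES_GCM_TAG_BIT_SIZE, nonce);
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
            cipher.init(Cipher.ENCRYPT_MODE, this.key, gcmSpec);
            int outputSize = cipher.getOutputSize(bArr.length);
            int offset = 1 + nonce.length;
            byte[] blob = new byte[offset + outputSize];
            blob[0] = ALG_SCRYPT1_AESGCMNopadding_128;
            System.arraycopy(nonce, 0, blob, 1, nonce.length);
            int realLen = cipher.doFinal(bArr, 0, bArr.length, blob, offset);
            // getOutputSize is an upper bound; trim when fewer bytes were written.
            return outputSize == realLen ? blob : Arrays.copyOf(blob, offset + realLen);
        } catch (GeneralSecurityException e) {
            throw new TokenException(e);
        }
    }
}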
