package org.xipki.security.pkcs11.iaik;

import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.SessionInfo;
import iaik.pkcs.pkcs11.Slot;
import iaik.pkcs.pkcs11.State;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.Util;
import iaik.pkcs.pkcs11.objects.Attribute;
import iaik.pkcs.pkcs11.objects.Certificate;
import iaik.pkcs.pkcs11.objects.DSAPrivateKey;
import iaik.pkcs.pkcs11.objects.DSAPublicKey;
import iaik.pkcs.pkcs11.objects.ECPrivateKey;
import iaik.pkcs.pkcs11.objects.ECPublicKey;
import iaik.pkcs.pkcs11.objects.Key;
import iaik.pkcs.pkcs11.objects.KeyPair;
import iaik.pkcs.pkcs11.objects.PKCS11Object;
import iaik.pkcs.pkcs11.objects.PrivateKey;
import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
import iaik.pkcs.pkcs11.objects.RSAPublicKey;
import iaik.pkcs.pkcs11.objects.SecretKey;
import iaik.pkcs.pkcs11.objects.Storage;
import iaik.pkcs.pkcs11.objects.ValuedSecretKey;
import iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate;
import iaik.pkcs.pkcs11.parameters.InitializationVectorParameters;
import iaik.pkcs.pkcs11.parameters.OpaqueParameters;
import iaik.pkcs.pkcs11.parameters.Parameters;
import iaik.pkcs.pkcs11.parameters.RSAPkcsPssParameters;
import iaik.pkcs.pkcs11.wrapper.Functions;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;
import iaik.pkcs.pkcs11.wrapper.PKCS11Exception;
import java.io.IOException;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.DSAPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLong;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.ECNamedCurveTable;
import org.bouncycastle.asn1.x9.X9ECParameters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.security.EdECConstants;
import org.xipki.security.X509Cert;
import org.xipki.security.XiSecurityException;
import org.xipki.security.pkcs11.P11Identity;
import org.xipki.security.pkcs11.P11IdentityId;
import org.xipki.security.pkcs11.P11ModuleConf;
import org.xipki.security.pkcs11.P11ObjectIdentifier;
import org.xipki.security.pkcs11.P11Params;
import org.xipki.security.pkcs11.P11Slot;
import org.xipki.security.pkcs11.P11SlotIdentifier;
import org.xipki.security.pkcs11.P11TokenException;
import org.xipki.security.pkcs11.P11UnknownEntityException;
import org.xipki.security.pkcs11.iaik.IaikP11Module;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.concurrent.ConcurrentBag;
import org.xipki.util.concurrent.ConcurrentBagEntry;

/* loaded from: input_file:WEB-INF/lib/security-5.3.4.jar:org/xipki/security/pkcs11/iaik/IaikP11Slot.class */
class IaikP11Slot extends P11Slot {
    private static final Logger LOG = LoggerFactory.getLogger(IaikP11Slot.class);
    private static final long DEFAULT_MAX_COUNT_SESSION = 32;
    private final int maxMessageSize;
    private Slot slot;
    private final String userTypeText;
    private final long userType;
    private List<char[]> password;
    private int maxSessionCount;
    private long timeOutWaitNewSession;
    private final AtomicLong countSessions;
    private final SecureRandom random;
    private final P11ModuleConf.P11NewObjectConf newObjectConf;
    private final ConcurrentBag<ConcurrentBagEntry<Session>> sessions;
    private final IaikP11Module.Vendor vendor;

    /* JADX INFO: Access modifiers changed from: package-private */
    public IaikP11Slot(String str, P11SlotIdentifier p11SlotIdentifier, Slot slot, boolean z, long j, List<char[]> list, int i, P11ModuleConf.P11MechanismFilter p11MechanismFilter, P11ModuleConf.P11NewObjectConf p11NewObjectConf, IaikP11Module.Vendor vendor) throws P11TokenException {
        super(str, p11SlotIdentifier, z, p11MechanismFilter);
        long j2;
        this.timeOutWaitNewSession = 10000L;
        this.countSessions = new AtomicLong(0L);
        this.random = new SecureRandom();
        this.sessions = new ConcurrentBag<>();
        this.newObjectConf = (P11ModuleConf.P11NewObjectConf) Args.notNull(p11NewObjectConf, "newObjectConf");
        this.slot = (Slot) Args.notNull(slot, "slot");
        this.maxMessageSize = Args.positive(i, "maxMessageSize");
        this.vendor = (IaikP11Module.Vendor) Args.notNull(vendor, "vendo r");
        this.userType = j;
        if (j == 0) {
            this.userTypeText = "CKU_SO";
        } else if (j == 1) {
            this.userTypeText = "CKU_USER";
        } else if (j == 2) {
            this.userTypeText = "CKU_CONTEXT_SPECIFIC";
        } else {
            this.userTypeText = "VENDOR_" + j;
        }
        this.password = list;
        try {
            try {
                Session openSession = openSession();
                try {
                    firstLogin(openSession, list);
                    try {
                        try {
                            long maxSessionCount = this.slot.getToken().getTokenInfo().getMaxSessionCount();
                            if (maxSessionCount == 0) {
                                j2 = 32;
                            } else {
                                j2 = maxSessionCount < 3 ? 1L : maxSessionCount - 2;
                            }
                            this.maxSessionCount = (int) j2;
                            LOG.info("maxSessionCount: {}", Integer.valueOf(this.maxSessionCount));
                            this.sessions.add(new ConcurrentBagEntry<>(openSession));
                            refresh();
                            if (1 == 0) {
                                close();
                            }
                        } catch (TokenException e) {
                            throw new P11TokenException("could not get tokenInfo: " + e.getMessage(), e);
                        }
                    } catch (TokenException e2) {
                        throw new P11TokenException("could not getToken: " + e2.getMessage(), e2);
                    }
                } catch (P11TokenException e3) {
                    LogUtil.error(LOG, e3, "firstLogin");
                    throw e3;
                }
            } catch (P11TokenException e4) {
                LogUtil.error(LOG, e4, "openSession");
                throw e4;
            }
        } catch (Throwable th) {
            if (0 == 0) {
                close();
            }
            throw th;
        }
    }

    Slot getSlot() {
        return this.slot;
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected P11Slot.P11SlotRefreshResult refresh0() throws P11TokenException {
        try {
            Mechanism[] mechanismList = this.slot.getToken().getMechanismList();
            P11Slot.P11SlotRefreshResult p11SlotRefreshResult = new P11Slot.P11SlotRefreshResult();
            if (mechanismList != null) {
                for (Mechanism mechanism : mechanismList) {
                    p11SlotRefreshResult.addMechanism(mechanism.getMechanismCode());
                }
            }
            ConcurrentBagEntry<Session> borrowSession = borrowSession();
            try {
                Session value = borrowSession.value();
                for (SecretKey secretKey : getAllSecretKeyObjects(value)) {
                    byte[] byteArrayValue = secretKey.getId().getByteArrayValue();
                    if (byteArrayValue != null && byteArrayValue.length != 0) {
                        analyseSingleKey(secretKey, p11SlotRefreshResult);
                    }
                }
                for (X509PublicKeyCertificate x509PublicKeyCertificate : getAllCertificateObjects(value)) {
                    byte[] byteArrayValue2 = x509PublicKeyCertificate.getId().getByteArrayValue();
                    char[] charArrayValue = x509PublicKeyCertificate.getLabel().getCharArrayValue();
                    if (byteArrayValue2 != null && charArrayValue != null) {
                        p11SlotRefreshResult.addCertificate(new P11ObjectIdentifier(byteArrayValue2, new String(charArrayValue)), parseCert(x509PublicKeyCertificate));
                    }
                }
                for (PrivateKey privateKey : getAllPrivateObjects(value)) {
                    byte[] byteArrayValue3 = privateKey.getId().getByteArrayValue();
                    try {
                        analyseSingleKey(value, privateKey, p11SlotRefreshResult);
                    } catch (XiSecurityException e) {
                        LogUtil.error(LOG, e, "XiSecurityException while initializing private key with id " + hex(byteArrayValue3));
                    } catch (Throwable th) {
                        LOG.error("unexpected exception while initializing private key with id " + hex(byteArrayValue3) + " and label " + (privateKey.getLabel() != null ? new String(privateKey.getLabel().getCharArrayValue()) : ""), th);
                    }
                }
                return p11SlotRefreshResult;
            } finally {
                this.sessions.requite(borrowSession);
            }
        } catch (TokenException e2) {
            throw new P11TokenException("could not getMechanismList: " + e2.getMessage(), e2);
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot, java.io.Closeable, java.lang.AutoCloseable
    public final void close() {
        if (this.slot != null) {
            try {
                LOG.info("close all sessions on token: {}", Long.valueOf(this.slot.getSlotID()));
                Iterator<ConcurrentBagEntry<Session>> it = this.sessions.values().iterator();
                while (it.hasNext()) {
                    it.next().value().closeSession();
                }
            } catch (Throwable th) {
                LogUtil.error(LOG, th, "could not slot.getToken().closeAllSessions()");
            }
            this.slot = null;
        }
        this.sessions.close();
        this.countSessions.lazySet(0L);
    }

    private void analyseSingleKey(SecretKey secretKey, P11Slot.P11SlotRefreshResult p11SlotRefreshResult) {
        byte[] byteArrayValue = secretKey.getId().getByteArrayValue();
        char[] charArrayValue = secretKey.getLabel().getCharArrayValue();
        if (byteArrayValue == null || charArrayValue == null) {
            return;
        }
        p11SlotRefreshResult.addIdentity(new IaikP11Identity(this, new P11IdentityId(this.slotId, new P11ObjectIdentifier(byteArrayValue, new String(charArrayValue)), null, null), secretKey));
    }

    private void analyseSingleKey(Session session, PrivateKey privateKey, P11Slot.P11SlotRefreshResult p11SlotRefreshResult) throws P11TokenException, XiSecurityException {
        PublicKey generatePublicKey;
        byte[] byteArrayValue = privateKey.getId().getByteArrayValue();
        char[] charArrayValue = privateKey.getLabel().getCharArrayValue();
        if (byteArrayValue == null || charArrayValue == null) {
            return;
        }
        String str = null;
        iaik.pkcs.pkcs11.objects.PublicKey publicKeyObject = getPublicKeyObject(session, byteArrayValue, null);
        if (publicKeyObject != null) {
            str = new String(publicKeyObject.getLabel().getCharArrayValue());
        }
        String str2 = null;
        X509Cert certForId = p11SlotRefreshResult.getCertForId(byteArrayValue);
        if (certForId != null) {
            str2 = p11SlotRefreshResult.getCertLabelForId(byteArrayValue);
            generatePublicKey = certForId.getCert().getPublicKey();
        } else {
            if (publicKeyObject == null) {
                LOG.info("neither certificate nor public key for the key (" + hex(byteArrayValue) + " is available");
                return;
            }
            generatePublicKey = generatePublicKey(publicKeyObject);
        }
        p11SlotRefreshResult.addIdentity(new IaikP11Identity(this, new P11IdentityId(this.slotId, new P11ObjectIdentifier(byteArrayValue, new String(charArrayValue)), str, str2), privateKey, generatePublicKey, certForId == null ? null : new X509Certificate[]{certForId.getCert()}));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public byte[] digestKey(long j, IaikP11Identity iaikP11Identity) throws P11TokenException {
        int i;
        Args.notNull(iaikP11Identity, "identity");
        assertMechanismSupported(j);
        Key signingKey = iaikP11Identity.getSigningKey();
        if (!(signingKey instanceof SecretKey)) {
            throw new P11TokenException("digestSecretKey could not be applied to non-SecretKey");
        }
        if (LOG.isTraceEnabled()) {
            LOG.debug("digest (init, digestKey, then finish)\n{}", signingKey);
        }
        if (544 == j) {
            i = 20;
        } else if (597 == j || 693 == j) {
            i = 28;
        } else if (592 == j || 688 == j) {
            i = 32;
        } else if (608 == j || 704 == j) {
            i = 48;
        } else {
            if (624 != j && 720 != j) {
                throw new P11TokenException("unsupported mechnism " + j);
            }
            i = 64;
        }
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        Mechanism mechanism = Mechanism.get(j);
        try {
            Session value = borrowSession.value();
            try {
                try {
                    byte[] digestKey0 = digestKey0(value, i, mechanism, (SecretKey) signingKey);
                    this.sessions.requite(borrowSession);
                    return digestKey0;
                } catch (TokenException e) {
                    throw new P11TokenException(e.getMessage(), e);
                }
            } catch (PKCS11Exception e2) {
                if (e2.getErrorCode() != 257) {
                    throw new P11TokenException(e2.getMessage(), e2);
                }
                LOG.info("digestKey ended with ERROR CKR_USER_NOT_LOGGED_IN, login and then retry it");
                forceLogin(value);
                try {
                    byte[] digestKey02 = digestKey0(value, i, mechanism, (SecretKey) signingKey);
                    this.sessions.requite(borrowSession);
                    return digestKey02;
                } catch (TokenException e3) {
                    throw new P11TokenException(e3.getMessage(), e3);
                }
            }
        } catch (Throwable th) {
            this.sessions.requite(borrowSession);
            throw th;
        }
    }

    private byte[] digestKey0(Session session, int i, Mechanism mechanism, SecretKey secretKey) throws TokenException {
        session.digestInit(mechanism);
        session.digestKey(secretKey);
        byte[] bArr = new byte[i];
        session.digestFinal(bArr, 0, i);
        return bArr;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public byte[] sign(long j, P11Params p11Params, byte[] bArr, IaikP11Identity iaikP11Identity) throws P11TokenException {
        Args.notNull(bArr, "content");
        assertMechanismSupported(j);
        int expectedSignatureLen = j == 545 ? 20 : (j == 598 || j == 693) ? 28 : (j == 593 || j == 688) ? 32 : (j == 609 || j == 704) ? 48 : (j == 625 || j == 720) ? 64 : (j == PKCS11Constants.CKM_VENDOR_SM2 || j == PKCS11Constants.CKM_VENDOR_SM2_SM3) ? 32 : iaikP11Identity.getExpectedSignatureLen();
        Mechanism mechanism = getMechanism(j, p11Params);
        Key signingKey = iaikP11Identity.getSigningKey();
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            Session value = borrowSession.value();
            try {
                try {
                    byte[] sign0 = sign0(value, expectedSignatureLen, mechanism, bArr, signingKey);
                    this.sessions.requite(borrowSession);
                    return sign0;
                } catch (Throwable th) {
                    this.sessions.requite(borrowSession);
                    throw th;
                }
            } catch (PKCS11Exception e) {
                if (e.getErrorCode() != 257) {
                    throw e;
                }
                LOG.info("sign ended with ERROR CKR_USER_NOT_LOGGED_IN, login and then retry it");
                forceLogin(value);
                byte[] sign02 = sign0(value, expectedSignatureLen, mechanism, bArr, signingKey);
                this.sessions.requite(borrowSession);
                return sign02;
            }
        } catch (TokenException e2) {
            throw new P11TokenException(e2.getMessage(), e2);
        }
    }

    private byte[] sign0(Session session, int i, Mechanism mechanism, byte[] bArr, Key key) throws TokenException {
        int length = bArr.length;
        if (length <= this.maxMessageSize) {
            return singleSign(session, mechanism, bArr, key);
        }
        LOG.debug("sign (init, update, then finish)");
        session.signInit(mechanism, key);
        int i2 = 0;
        while (true) {
            int i3 = i2;
            if (i3 >= length) {
                return session.signFinal(i);
            }
            session.signUpdate(bArr, i3, Math.min(this.maxMessageSize, length - i3));
            i2 = i3 + this.maxMessageSize;
        }
    }

    private byte[] singleSign(Session session, Mechanism mechanism, byte[] bArr, Key key) throws TokenException {
        LOG.debug("single sign");
        session.signInit(mechanism, key);
        return session.sign(bArr);
    }

    private static Mechanism getMechanism(long j, P11Params p11Params) throws P11TokenException {
        Parameters initializationVectorParameters;
        Mechanism mechanism = Mechanism.get(j);
        if (p11Params == null) {
            return mechanism;
        }
        if (p11Params instanceof P11Params.P11RSAPkcsPssParams) {
            P11Params.P11RSAPkcsPssParams p11RSAPkcsPssParams = (P11Params.P11RSAPkcsPssParams) p11Params;
            initializationVectorParameters = new RSAPkcsPssParameters(p11RSAPkcsPssParams.getHashAlgorithm(), p11RSAPkcsPssParams.getMaskGenerationFunction(), p11RSAPkcsPssParams.getSaltLength());
        } else if (p11Params instanceof P11Params.P11ByteArrayParams) {
            initializationVectorParameters = new OpaqueParameters(((P11Params.P11ByteArrayParams) p11Params).getBytes());
        } else {
            if (!(p11Params instanceof P11Params.P11IVParams)) {
                throw new P11TokenException("unknown P11Parameters " + p11Params.getClass().getName());
            }
            initializationVectorParameters = new InitializationVectorParameters(((P11Params.P11IVParams) p11Params).getIV());
        }
        if (initializationVectorParameters != null) {
            mechanism.setParameters(initializationVectorParameters);
        }
        return mechanism;
    }

    private Session openSession() throws P11TokenException {
        try {
            Session openSession = this.slot.getToken().openSession(true, !isReadOnly(), null, null);
            this.countSessions.incrementAndGet();
            return openSession;
        } catch (TokenException e) {
            throw new P11TokenException(e.getMessage(), e);
        }
    }

    private ConcurrentBagEntry<Session> borrowSession() throws P11TokenException {
        ConcurrentBagEntry<Session> concurrentBagEntry = null;
        synchronized (this.sessions) {
            if (this.countSessions.get() < this.maxSessionCount) {
                try {
                    concurrentBagEntry = this.sessions.borrow(1L, TimeUnit.NANOSECONDS);
                } catch (InterruptedException e) {
                }
                if (concurrentBagEntry == null) {
                    this.sessions.add(new ConcurrentBagEntry<>(openSession()));
                }
            }
        }
        if (concurrentBagEntry == null) {
            try {
                concurrentBagEntry = this.sessions.borrow(this.timeOutWaitNewSession, TimeUnit.MILLISECONDS);
            } catch (InterruptedException e2) {
            }
        }
        if (concurrentBagEntry == null) {
            throw new P11TokenException("no idle session");
        }
        login(concurrentBagEntry.value());
        return concurrentBagEntry;
    }

    private void firstLogin(Session session, List<char[]> list) throws P11TokenException {
        try {
            if (session.getToken().getTokenInfo().isProtectedAuthenticationPath() || CollectionUtil.isEmpty(list)) {
                LOG.info("verify on PKCS11Module with PROTECTED_AUTHENTICATION_PATH");
                singleLogin(session, null);
            } else {
                LOG.info("verify on PKCS11Module with PIN");
                Iterator<char[]> it = list.iterator();
                while (it.hasNext()) {
                    singleLogin(session, it.next());
                }
                this.password = list;
            }
        } catch (PKCS11Exception e) {
            if (e.getErrorCode() != 256) {
                throw new P11TokenException(e.getMessage(), e);
            }
        } catch (TokenException e2) {
            throw new P11TokenException(e2.getMessage(), e2);
        }
    }

    private void login(Session session) throws P11TokenException {
        boolean z;
        if (checkSessionLoggedIn(session)) {
            return;
        }
        try {
            z = session.getToken().getTokenInfo().isLoginRequired();
        } catch (TokenException e) {
            LogUtil.error(LOG, e, "could not check whether LoginRequired of token");
            z = true;
        }
        LOG.debug("loginRequired: {}", Boolean.valueOf(z));
        if (z) {
            if (CollectionUtil.isEmpty(this.password)) {
                singleLogin(session, null);
                return;
            }
            Iterator<char[]> it = this.password.iterator();
            while (it.hasNext()) {
                singleLogin(session, it.next());
            }
        }
    }

    private void forceLogin(Session session) throws P11TokenException {
        if (CollectionUtil.isEmpty(this.password)) {
            LOG.info("verify on PKCS11Module with NULL PIN");
            singleLogin(session, null);
        } else {
            LOG.info("verify on PKCS11Module with PIN");
            Iterator<char[]> it = this.password.iterator();
            while (it.hasNext()) {
                singleLogin(session, it.next());
            }
        }
    }

    private void singleLogin(Session session, char[] cArr) throws P11TokenException {
        char[] cArr2 = cArr;
        if (cArr == null) {
            cArr2 = new char[0];
        }
        try {
            session.login(this.userType, cArr2);
            LOG.info("login successful as user " + this.userTypeText);
        } catch (TokenException e) {
            if ((e instanceof PKCS11Exception) && ((PKCS11Exception) e).getErrorCode() == 256) {
                LOG.info("user already logged in");
            } else {
                LOG.info("login failed as user " + this.userTypeText);
                throw new P11TokenException("login failed as user " + this.userTypeText + ": " + e.getMessage(), e);
            }
        }
    }

    private List<PrivateKey> getAllPrivateObjects(Session session) throws P11TokenException {
        List<Storage> objects = getObjects(session, new PrivateKey());
        if (CollectionUtil.isEmpty(objects)) {
            return Collections.emptyList();
        }
        int size = objects.size();
        LOG.info("found {} private keys", Integer.valueOf(size));
        ArrayList arrayList = new ArrayList(size);
        Iterator<Storage> it = objects.iterator();
        while (it.hasNext()) {
            arrayList.add((PrivateKey) it.next());
        }
        return arrayList;
    }

    private List<SecretKey> getAllSecretKeyObjects(Session session) throws P11TokenException {
        List<Storage> objects = getObjects(session, new SecretKey());
        if (CollectionUtil.isEmpty(objects)) {
            return Collections.emptyList();
        }
        int size = objects.size();
        LOG.info("found {} private keys", Integer.valueOf(size));
        ArrayList arrayList = new ArrayList(size);
        Iterator<Storage> it = objects.iterator();
        while (it.hasNext()) {
            arrayList.add((SecretKey) it.next());
        }
        return arrayList;
    }

    private SecretKey getSecretKeyObject(Session session, byte[] bArr, char[] cArr) throws P11TokenException {
        return (SecretKey) getKeyObject(session, new SecretKey(), bArr, cArr);
    }

    private PrivateKey getPrivateKeyObject(Session session, byte[] bArr, char[] cArr) throws P11TokenException {
        return (PrivateKey) getKeyObject(session, new PrivateKey(), bArr, cArr);
    }

    private iaik.pkcs.pkcs11.objects.PublicKey getPublicKeyObject(Session session, byte[] bArr, char[] cArr) throws P11TokenException {
        return (iaik.pkcs.pkcs11.objects.PublicKey) getKeyObject(session, new iaik.pkcs.pkcs11.objects.PublicKey(), bArr, cArr);
    }

    private Key getKeyObject(Session session, Key key, byte[] bArr, char[] cArr) throws P11TokenException {
        if (bArr != null) {
            key.getId().setByteArrayValue(bArr);
        }
        if (cArr != null) {
            key.getLabel().setCharArrayValue(cArr);
        }
        List<Storage> objects = getObjects(session, key, 2);
        if (CollectionUtil.isEmpty(objects)) {
            return null;
        }
        int size = objects.size();
        if (size > 1) {
            LOG.warn("found {} public key identified by {}, use the first one", Integer.valueOf(size), getDescription(bArr, cArr));
        }
        return (Key) objects.get(0);
    }

    private X509PublicKeyCertificate getCertificateObject(Session session, byte[] bArr, char[] cArr) throws P11TokenException {
        X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
        if (bArr != null) {
            x509PublicKeyCertificate.getId().setByteArrayValue(bArr);
        }
        if (cArr != null) {
            x509PublicKeyCertificate.getLabel().setCharArrayValue(cArr);
        }
        List<Storage> objects = getObjects(session, x509PublicKeyCertificate, 2);
        if (CollectionUtil.isEmpty(objects)) {
            LOG.info("found no certificate identified by {}", getDescription(bArr, cArr));
            return null;
        }
        int size = objects.size();
        if (size > 1) {
            LOG.warn("found {} public key identified by {}, use the first one", Integer.valueOf(size), getDescription(bArr, cArr));
        }
        return (X509PublicKeyCertificate) objects.get(0);
    }

    private boolean checkSessionLoggedIn(Session session) throws P11TokenException {
        boolean z;
        try {
            SessionInfo sessionInfo = session.getSessionInfo();
            if (LOG.isTraceEnabled()) {
                LOG.debug("SessionInfo: {}", sessionInfo);
            }
            State state = sessionInfo.getState();
            long deviceError = sessionInfo.getDeviceError();
            LOG.debug("to be verified PKCS11Module: state = {}, deviceError: {}", state, Long.valueOf(deviceError));
            if (deviceError != 0) {
                LOG.error("deviceError {}", Long.valueOf(deviceError));
                return false;
            }
            if (this.userType == 0) {
                z = state.equals(State.RW_SO_FUNCTIONS);
            } else {
                z = state.equals(State.RW_USER_FUNCTIONS) || state.equals(State.RO_USER_FUNCTIONS);
            }
            LOG.debug("sessionLoggedIn: {}", Boolean.valueOf(z));
            return z;
        } catch (TokenException e) {
            throw new P11TokenException(e.getMessage(), e);
        }
    }

    private static List<Storage> getObjects(Session session, Storage storage) throws P11TokenException {
        return getObjects(session, storage, 9999);
    }

    private static List<Storage> getObjects(Session session, Storage storage, int i) throws P11TokenException {
        PKCS11Object[] findObjects;
        LinkedList linkedList = new LinkedList();
        try {
            try {
                session.findObjectsInit(storage);
                while (linkedList.size() < i && (findObjects = session.findObjects(1)) != null && findObjects.length != 0) {
                    for (PKCS11Object pKCS11Object : findObjects) {
                        logPkcs11ObjectAttributes("found object: ", pKCS11Object);
                        linkedList.add((Storage) pKCS11Object);
                    }
                }
                return linkedList;
            } catch (TokenException e) {
                throw new P11TokenException(e.getMessage(), e);
            }
        } finally {
            try {
                session.findObjectsFinal();
            } catch (Exception e2) {
                LogUtil.error(LOG, e2, "session.findObjectsFinal() failed");
            }
        }
    }

    private static PublicKey generatePublicKey(iaik.pkcs.pkcs11.objects.PublicKey publicKey) throws XiSecurityException {
        if (publicKey instanceof RSAPublicKey) {
            RSAPublicKey rSAPublicKey = (RSAPublicKey) publicKey;
            try {
                return KeyUtil.generateRSAPublicKey(new RSAPublicKeySpec(new BigInteger(1, rSAPublicKey.getModulus().getByteArrayValue()), new BigInteger(1, rSAPublicKey.getPublicExponent().getByteArrayValue())));
            } catch (InvalidKeySpecException e) {
                throw new XiSecurityException(e.getMessage(), e);
            }
        }
        if (publicKey instanceof DSAPublicKey) {
            DSAPublicKey dSAPublicKey = (DSAPublicKey) publicKey;
            try {
                return KeyUtil.generateDSAPublicKey(new DSAPublicKeySpec(new BigInteger(1, dSAPublicKey.getValue().getByteArrayValue()), new BigInteger(1, dSAPublicKey.getPrime().getByteArrayValue()), new BigInteger(1, dSAPublicKey.getSubprime().getByteArrayValue()), new BigInteger(1, dSAPublicKey.getBase().getByteArrayValue())));
            } catch (InvalidKeySpecException e2) {
                throw new XiSecurityException(e2.getMessage(), e2);
            }
        }
        if (!(publicKey instanceof ECPublicKey)) {
            throw new XiSecurityException("unknown publicKey class " + publicKey.getClass().getName());
        }
        ECPublicKey eCPublicKey = (ECPublicKey) publicKey;
        long longValue = eCPublicKey.getKeyType().getLongValue().longValue();
        byte[] byteArrayValue = eCPublicKey.getEcdsaParams().getByteArrayValue();
        byte[] octets = DEROctetString.getInstance(eCPublicKey.getEcPoint().getByteArrayValue()).getOctets();
        if (longValue != Key.KeyType.EC_EDWARDS.longValue() && longValue != Key.KeyType.EC_MONTGOMERY.longValue()) {
            try {
                return KeyUtil.createECPublicKey(byteArrayValue, octets);
            } catch (InvalidKeySpecException e3) {
                throw new XiSecurityException(e3.getMessage(), e3);
            }
        }
        ASN1ObjectIdentifier aSN1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(byteArrayValue);
        if (longValue == Key.KeyType.EC_EDWARDS.longValue()) {
            if (!EdECConstants.isEdwardsCurve(aSN1ObjectIdentifier)) {
                throw new XiSecurityException("unknown Edwards curve OID " + aSN1ObjectIdentifier);
            }
        } else if (!EdECConstants.isMontgomeryCurve(aSN1ObjectIdentifier)) {
            throw new XiSecurityException("unknown Montgomery curve OID " + aSN1ObjectIdentifier);
        }
        try {
            return KeyUtil.generatePublicKey(new SubjectPublicKeyInfo(new AlgorithmIdentifier(aSN1ObjectIdentifier), octets));
        } catch (InvalidKeySpecException e4) {
            throw new XiSecurityException(e4.getMessage(), e4);
        }
    }

    private static X509Cert parseCert(X509PublicKeyCertificate x509PublicKeyCertificate) throws P11TokenException {
        try {
            byte[] byteArrayValue = x509PublicKeyCertificate.getValue().getByteArrayValue();
            return new X509Cert(X509Util.parseCert(byteArrayValue), byteArrayValue);
        } catch (CertificateException e) {
            throw new P11TokenException("could not parse certificate: " + e.getMessage(), e);
        }
    }

    private List<X509PublicKeyCertificate> getAllCertificateObjects(Session session) throws P11TokenException {
        List<Storage> objects = getObjects(session, new X509PublicKeyCertificate());
        ArrayList arrayList = new ArrayList(objects.size());
        Iterator<Storage> it = objects.iterator();
        while (it.hasNext()) {
            arrayList.add((X509PublicKeyCertificate) it.next());
        }
        return arrayList;
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    public int removeObjects(byte[] bArr, String str) throws P11TokenException {
        return removeObjects(bArr, str == null ? null : str.toCharArray());
    }

    private int removeObjects(byte[] bArr, char[] cArr) throws P11TokenException {
        boolean z = (cArr == null || cArr.length == 0) ? false : true;
        if ((bArr == null || bArr.length == 0) && !z) {
            throw new IllegalArgumentException("at least one of id and label may not be null");
        }
        Key key = new Key();
        if (bArr != null && bArr.length > 0) {
            key.getId().setByteArrayValue(bArr);
        }
        if (z) {
            key.getLabel().setCharArrayValue(cArr);
        }
        String description = getDescription(bArr, cArr);
        int removeObjects = removeObjects(key, "keys " + description);
        X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
        if (bArr != null && bArr.length > 0) {
            x509PublicKeyCertificate.getId().setByteArrayValue(bArr);
        }
        if (z) {
            x509PublicKeyCertificate.getLabel().setCharArrayValue(cArr);
        }
        return removeObjects + removeObjects(x509PublicKeyCertificate, "certificates" + description);
    }

    private int removeObjects(Storage storage, String str) throws P11TokenException {
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            try {
                Session value = borrowSession.value();
                List<Storage> objects = getObjects(value, storage);
                for (Storage storage2 : objects) {
                    if (this.vendor == IaikP11Module.Vendor.YUBIKEY) {
                        if (storage2 instanceof X509PublicKeyCertificate) {
                            throw new P11TokenException("cannot delete certificates in Yubikey token");
                        }
                        if (!(storage2 instanceof PrivateKey) && !(storage2 instanceof iaik.pkcs.pkcs11.objects.PublicKey)) {
                        }
                    }
                    value.destroyObject(storage2);
                }
                int size = objects.size();
                this.sessions.requite(borrowSession);
                return size;
            } catch (TokenException e) {
                LogUtil.error(LOG, e, "could not remove " + str);
                throw new P11TokenException(e.getMessage(), e);
            }
        } catch (Throwable th) {
            this.sessions.requite(borrowSession);
            throw th;
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected void removeCerts0(P11ObjectIdentifier p11ObjectIdentifier) throws P11TokenException {
        if (this.vendor == IaikP11Module.Vendor.YUBIKEY) {
            throw new P11TokenException("Unsupported operation removeCerts() in yubikey token");
        }
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            try {
                Session value = borrowSession.value();
                X509PublicKeyCertificate[] certificateObjects = getCertificateObjects(value, p11ObjectIdentifier.getId(), p11ObjectIdentifier.getLabelChars());
                if (certificateObjects == null || certificateObjects.length == 0) {
                    LOG.warn("could not find certificates " + p11ObjectIdentifier);
                    this.sessions.requite(borrowSession);
                    return;
                }
                for (X509PublicKeyCertificate x509PublicKeyCertificate : certificateObjects) {
                    value.destroyObject(x509PublicKeyCertificate);
                }
            } catch (TokenException e) {
                throw new P11TokenException(e.getMessage(), e);
            }
        } finally {
            this.sessions.requite(borrowSession);
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected P11ObjectIdentifier addCert0(X509Certificate x509Certificate, P11Slot.P11NewObjectControl p11NewObjectControl) throws P11TokenException {
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            try {
                Session value = borrowSession.value();
                X509PublicKeyCertificate x509PublicKeyCertificate = (X509PublicKeyCertificate) value.createObject(createPkcs11Template(value, new X509Cert(x509Certificate), p11NewObjectControl));
                P11ObjectIdentifier p11ObjectIdentifier = new P11ObjectIdentifier(x509PublicKeyCertificate.getId().getByteArrayValue(), new String(x509PublicKeyCertificate.getLabel().getCharArrayValue()));
                this.sessions.requite(borrowSession);
                return p11ObjectIdentifier;
            } catch (TokenException e) {
                throw new P11TokenException(e.getMessage(), e);
            }
        } catch (Throwable th) {
            this.sessions.requite(borrowSession);
            throw th;
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected P11Identity generateSecretKey0(long j, int i, P11Slot.P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        long j2;
        if (i % 8 != 0) {
            throw new IllegalArgumentException("keysize is not multiple of 8: " + i);
        }
        if (31 == j) {
            j2 = 4224;
        } else if (21 == j) {
            j2 = 305;
        } else if (16 == j) {
            j2 = 848;
        } else {
            if (40 != j && 46 != j && 43 != j && 44 != j && 45 != j && 54 != j && 55 != j && 56 != j && 57 != j) {
                throw new IllegalArgumentException("unsupported key type 0x" + Functions.toFullHex((int) j));
            }
            j2 = 848;
        }
        assertMechanismSupported(j2);
        char[] charArray = this.newObjectConf.isIgnoreLabel() ? null : p11NewKeyControl.getLabel().toCharArray();
        byte[] id = p11NewKeyControl.getId();
        ValuedSecretKey valuedSecretKey = new ValuedSecretKey(j);
        valuedSecretKey.getToken().setBooleanValue(true);
        if (charArray != null) {
            valuedSecretKey.getLabel().setCharArrayValue(charArray);
        }
        if (p11NewKeyControl.getExtractable() != null) {
            valuedSecretKey.getExtractable().setBooleanValue(p11NewKeyControl.getExtractable());
        }
        if (p11NewKeyControl.getSensitive() != null) {
            valuedSecretKey.getSensitive().setBooleanValue(p11NewKeyControl.getSensitive());
        }
        Set<P11Slot.P11KeyUsage> usages = p11NewKeyControl.getUsages();
        Boolean bool = Boolean.TRUE;
        if (CollectionUtil.isNotEmpty(usages)) {
            Iterator<P11Slot.P11KeyUsage> it = usages.iterator();
            while (it.hasNext()) {
                switch (it.next()) {
                    case DECRYPT:
                        valuedSecretKey.getDecrypt().setBooleanValue(bool);
                        break;
                    case DERIVE:
                        valuedSecretKey.getDerive().setBooleanValue(bool);
                        break;
                    case SIGN:
                        valuedSecretKey.getSign().setBooleanValue(bool);
                        break;
                    case UNWRAP:
                        valuedSecretKey.getUnwrap().setBooleanValue(bool);
                        break;
                }
            }
        }
        valuedSecretKey.getValueLen().setLongValue(Long.valueOf(i / 8));
        Mechanism mechanism = Mechanism.get(j2);
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            Session value = borrowSession.value();
            if (charArray != null && labelExists(value, charArray)) {
                throw new IllegalArgumentException("label " + p11NewKeyControl.getLabel() + " exists, please specify another one");
            }
            if (id == null) {
                id = generateId(value);
            }
            valuedSecretKey.getId().setByteArrayValue(id);
            try {
                SecretKey secretKey = (SecretKey) value.generateKey(mechanism, valuedSecretKey);
                IaikP11Identity iaikP11Identity = new IaikP11Identity(this, new P11IdentityId(this.slotId, new P11ObjectIdentifier(id, new String(secretKey.getLabel().getCharArrayValue())), null, null), secretKey);
                this.sessions.requite(borrowSession);
                return iaikP11Identity;
            } catch (TokenException e) {
                throw new P11TokenException("could not generate generic secret key using " + mechanism.getName(), e);
            }
        } catch (Throwable th) {
            this.sessions.requite(borrowSession);
            throw th;
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected P11Identity importSecretKey0(long j, byte[] bArr, P11Slot.P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        ValuedSecretKey valuedSecretKey = new ValuedSecretKey(j);
        valuedSecretKey.getToken().setBooleanValue(true);
        char[] charArray = this.newObjectConf.isIgnoreLabel() ? null : p11NewKeyControl.getLabel().toCharArray();
        if (charArray != null) {
            valuedSecretKey.getLabel().setCharArrayValue(charArray);
        }
        if (p11NewKeyControl.getExtractable() != null) {
            valuedSecretKey.getExtractable().setBooleanValue(p11NewKeyControl.getExtractable());
        }
        if (p11NewKeyControl.getSensitive() != null) {
            valuedSecretKey.getSensitive().setBooleanValue(p11NewKeyControl.getSensitive());
        }
        valuedSecretKey.getValue().setByteArrayValue(bArr);
        Set<P11Slot.P11KeyUsage> usages = p11NewKeyControl.getUsages();
        Boolean bool = Boolean.TRUE;
        if (CollectionUtil.isNotEmpty(usages)) {
            Iterator<P11Slot.P11KeyUsage> it = usages.iterator();
            while (it.hasNext()) {
                switch (it.next()) {
                    case DECRYPT:
                        valuedSecretKey.getDecrypt().setBooleanValue(bool);
                        break;
                    case DERIVE:
                        valuedSecretKey.getDerive().setBooleanValue(bool);
                        break;
                    case SIGN:
                        valuedSecretKey.getSign().setBooleanValue(bool);
                        break;
                    case UNWRAP:
                        valuedSecretKey.getUnwrap().setBooleanValue(bool);
                        break;
                }
            }
        }
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            Session value = borrowSession.value();
            if (charArray != null && labelExists(value, charArray)) {
                throw new IllegalArgumentException("label " + p11NewKeyControl.getLabel() + " exists, please specify another one");
            }
            byte[] id = p11NewKeyControl.getId();
            if (id == null) {
                id = generateId(value);
            }
            if (id != null) {
                valuedSecretKey.getId().setByteArrayValue(id);
            }
            try {
                SecretKey secretKey = (SecretKey) value.createObject(valuedSecretKey);
                IaikP11Identity iaikP11Identity = new IaikP11Identity(this, new P11IdentityId(this.slotId, new P11ObjectIdentifier(id, new String(secretKey.getLabel().getCharArrayValue())), null, null), secretKey);
                this.sessions.requite(borrowSession);
                return iaikP11Identity;
            } catch (TokenException e) {
                throw new P11TokenException("could not create secret key", e);
            }
        } catch (Throwable th) {
            this.sessions.requite(borrowSession);
            throw th;
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected P11Identity generateRSAKeypair0(int i, BigInteger bigInteger, P11Slot.P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        assertMechanismSupported(0L);
        PrivateKey rSAPrivateKey = new RSAPrivateKey();
        RSAPublicKey rSAPublicKey = new RSAPublicKey();
        setKeyAttributes(p11NewKeyControl, rSAPublicKey, rSAPrivateKey);
        rSAPublicKey.getModulusBits().setLongValue(Long.valueOf(i));
        if (bigInteger != null) {
            rSAPublicKey.getPublicExponent().setByteArrayValue(bigInteger.toByteArray());
        }
        return generateKeyPair(0L, p11NewKeyControl.getId(), rSAPrivateKey, rSAPublicKey);
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected P11Identity generateDSAKeypair0(BigInteger bigInteger, BigInteger bigInteger2, BigInteger bigInteger3, P11Slot.P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        assertMechanismSupported(16L);
        PrivateKey dSAPrivateKey = new DSAPrivateKey();
        DSAPublicKey dSAPublicKey = new DSAPublicKey();
        setKeyAttributes(p11NewKeyControl, dSAPublicKey, dSAPrivateKey);
        dSAPublicKey.getPrime().setByteArrayValue(Util.unsignedBigIntergerToByteArray(bigInteger));
        dSAPublicKey.getSubprime().setByteArrayValue(Util.unsignedBigIntergerToByteArray(bigInteger2));
        dSAPublicKey.getBase().setByteArrayValue(Util.unsignedBigIntergerToByteArray(bigInteger3));
        return generateKeyPair(16L, p11NewKeyControl.getId(), dSAPrivateKey, dSAPublicKey);
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected P11Identity generateECEdwardsKeypair0(ASN1ObjectIdentifier aSN1ObjectIdentifier, P11Slot.P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        assertMechanismSupported(PKCS11Constants.CKM_EC_EDWARDS_KEY_PAIR_GEN);
        PrivateKey eCPrivateKey = new ECPrivateKey(Key.KeyType.EC_EDWARDS.longValue());
        ECPublicKey eCPublicKey = new ECPublicKey(Key.KeyType.EC_EDWARDS.longValue());
        setKeyAttributes(p11NewKeyControl, eCPublicKey, eCPrivateKey);
        try {
            eCPublicKey.getEcdsaParams().setByteArrayValue(aSN1ObjectIdentifier.getEncoded());
            return generateKeyPair(PKCS11Constants.CKM_EC_EDWARDS_KEY_PAIR_GEN, p11NewKeyControl.getId(), eCPrivateKey, eCPublicKey);
        } catch (IOException e) {
            throw new P11TokenException(e.getMessage(), e);
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected P11Identity generateECMontgomeryKeypair0(ASN1ObjectIdentifier aSN1ObjectIdentifier, P11Slot.P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        assertMechanismSupported(PKCS11Constants.CKM_EC_MONTGOMERY_KEY_PAIR_GEN);
        PrivateKey eCPrivateKey = new ECPrivateKey(Key.KeyType.EC_MONTGOMERY.longValue());
        ECPublicKey eCPublicKey = new ECPublicKey(Key.KeyType.EC_MONTGOMERY.longValue());
        setKeyAttributes(p11NewKeyControl, eCPublicKey, eCPrivateKey);
        try {
            eCPublicKey.getEcdsaParams().setByteArrayValue(aSN1ObjectIdentifier.getEncoded());
            return generateKeyPair(PKCS11Constants.CKM_EC_MONTGOMERY_KEY_PAIR_GEN, p11NewKeyControl.getId(), eCPrivateKey, eCPublicKey);
        } catch (IOException e) {
            throw new P11TokenException(e.getMessage(), e);
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected P11Identity generateECKeypair0(ASN1ObjectIdentifier aSN1ObjectIdentifier, P11Slot.P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        assertMechanismSupported(4160L);
        PrivateKey eCPrivateKey = new ECPrivateKey();
        ECPublicKey eCPublicKey = new ECPublicKey();
        setKeyAttributes(p11NewKeyControl, eCPublicKey, eCPrivateKey);
        try {
            try {
                eCPublicKey.getEcdsaParams().setByteArrayValue(aSN1ObjectIdentifier.getEncoded());
                return generateKeyPair(4160L, p11NewKeyControl.getId(), eCPrivateKey, eCPublicKey);
            } catch (P11TokenException e) {
                X9ECParameters byOID = ECNamedCurveTable.getByOID(aSN1ObjectIdentifier);
                if (byOID == null) {
                    throw new IllegalArgumentException("could not get X9ECParameters for curve " + aSN1ObjectIdentifier.getId());
                }
                try {
                    eCPublicKey.getEcdsaParams().setByteArrayValue(byOID.getEncoded());
                    return generateKeyPair(4160L, p11NewKeyControl.getId(), eCPrivateKey, eCPublicKey);
                } catch (IOException e2) {
                    throw new P11TokenException(e.getMessage(), e);
                }
            }
        } catch (IOException e3) {
            throw new P11TokenException(e3.getMessage(), e3);
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected P11Identity generateSM2Keypair0(P11Slot.P11NewKeyControl p11NewKeyControl) throws P11TokenException {
        long j = PKCS11Constants.CKM_VENDOR_SM2_KEY_PAIR_GEN;
        assertMechanismSupported(j);
        ECPrivateKey eCPrivateKey = new ECPrivateKey(Key.KeyType.VENDOR_SM2.longValue());
        ECPublicKey eCPublicKey = new ECPublicKey(Key.KeyType.VENDOR_SM2.longValue());
        setKeyAttributes(p11NewKeyControl, eCPublicKey, eCPrivateKey);
        return generateKeyPair(j, p11NewKeyControl.getId(), eCPrivateKey, eCPublicKey);
    }

    private P11Identity generateKeyPair(long j, byte[] bArr, PrivateKey privateKey, iaik.pkcs.pkcs11.objects.PublicKey publicKey) throws P11TokenException {
        char[] cArr = null;
        if (privateKey.getLabel() != null) {
            cArr = privateKey.getLabel().getCharArrayValue();
        }
        try {
            ConcurrentBagEntry<Session> borrowSession = borrowSession();
            try {
                Session value = borrowSession.value();
                if (cArr != null && labelExists(value, cArr)) {
                    throw new IllegalArgumentException("label " + new String(cArr) + " exists, please specify another one");
                }
                if (bArr == null) {
                    bArr = generateId(value);
                }
                privateKey.getId().setByteArrayValue(bArr);
                publicKey.getId().setByteArrayValue(bArr);
                try {
                    KeyPair generateKeyPair = value.generateKeyPair(Mechanism.get(j), publicKey, privateKey);
                    char[] charArrayValue = generateKeyPair.getPrivateKey().getLabel().getCharArrayValue();
                    String str = new String(generateKeyPair.getPublicKey().getLabel().getCharArrayValue());
                    P11ObjectIdentifier p11ObjectIdentifier = new P11ObjectIdentifier(bArr, new String(charArrayValue));
                    try {
                        PublicKey generatePublicKey = generatePublicKey(generateKeyPair.getPublicKey());
                        PrivateKey privateKeyObject = getPrivateKeyObject(value, bArr, charArrayValue);
                        if (privateKeyObject == null) {
                            throw new P11TokenException("could not read the generated private key");
                        }
                        X509PublicKeyCertificate certificateObject = getCertificateObject(value, bArr, null);
                        String str2 = null;
                        X509Certificate[] x509CertificateArr = null;
                        if (certificateObject != null) {
                            str2 = new String(certificateObject.getLabel().getCharArrayValue());
                            x509CertificateArr = new X509Certificate[1];
                            try {
                                x509CertificateArr[0] = X509Util.parseCert(certificateObject.getValue().getByteArrayValue());
                            } catch (CertificateException e) {
                                throw new P11TokenException("coult not parse certifcate", e);
                            }
                        }
                        IaikP11Identity iaikP11Identity = new IaikP11Identity(this, new P11IdentityId(this.slotId, p11ObjectIdentifier, str, str2), privateKeyObject, generatePublicKey, x509CertificateArr);
                        this.sessions.requite(borrowSession);
                        if (1 == 0 && (bArr != null || charArrayValue != null)) {
                            try {
                                removeObjects(bArr, charArrayValue);
                            } catch (Throwable th) {
                                LogUtil.error(LOG, th, "could not remove objects");
                            }
                        }
                        return iaikP11Identity;
                    } catch (XiSecurityException e2) {
                        throw new P11TokenException("could not generate public key " + p11ObjectIdentifier, e2);
                    }
                } catch (TokenException e3) {
                    throw new P11TokenException("could not generate keypair " + Functions.mechanismCodeToString(j), e3);
                }
            } catch (Throwable th2) {
                this.sessions.requite(borrowSession);
                throw th2;
            }
        } catch (Throwable th3) {
            if (0 == 0 && (bArr != null || cArr != null)) {
                try {
                    removeObjects(bArr, cArr);
                } catch (Throwable th4) {
                    LogUtil.error(LOG, th4, "could not remove objects");
                }
            }
            throw th3;
        }
    }

    private X509PublicKeyCertificate createPkcs11Template(Session session, X509Cert x509Cert, P11Slot.P11NewObjectControl p11NewObjectControl) throws P11TokenException {
        X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
        byte[] id = p11NewObjectControl.getId();
        if (id == null) {
            id = generateId(session);
        }
        x509PublicKeyCertificate.getId().setByteArrayValue(id);
        if (!this.newObjectConf.isIgnoreLabel()) {
            x509PublicKeyCertificate.getLabel().setCharArrayValue(p11NewObjectControl.getLabel().toCharArray());
        }
        x509PublicKeyCertificate.getToken().setBooleanValue(true);
        x509PublicKeyCertificate.getCertificateType().setLongValue(Certificate.CertificateType.X_509_PUBLIC_KEY);
        Set<Long> setCertObjectAttributes = this.newObjectConf.getSetCertObjectAttributes();
        if (setCertObjectAttributes.contains(257L)) {
            x509PublicKeyCertificate.getSubject().setByteArrayValue(x509Cert.getCert().getSubjectX500Principal().getEncoded());
        }
        if (setCertObjectAttributes.contains(129L)) {
            x509PublicKeyCertificate.getIssuer().setByteArrayValue(x509Cert.getCert().getIssuerX500Principal().getEncoded());
        }
        if (setCertObjectAttributes.contains(130L)) {
            x509PublicKeyCertificate.getSerialNumber().setByteArrayValue(x509Cert.getCert().getSerialNumber().toByteArray());
        }
        if (setCertObjectAttributes.contains(272L)) {
            x509PublicKeyCertificate.getStartDate().setDateValue(x509Cert.getCert().getNotBefore());
        }
        if (setCertObjectAttributes.contains(273L)) {
            x509PublicKeyCertificate.getStartDate().setDateValue(x509Cert.getCert().getNotAfter());
        }
        x509PublicKeyCertificate.getValue().setByteArrayValue(x509Cert.getEncodedCert());
        return x509PublicKeyCertificate;
    }

    private void setKeyAttributes(P11Slot.P11NewKeyControl p11NewKeyControl, iaik.pkcs.pkcs11.objects.PublicKey publicKey, PrivateKey privateKey) {
        if (privateKey != null) {
            privateKey.getToken().setBooleanValue(true);
            if (!this.newObjectConf.isIgnoreLabel()) {
                privateKey.getLabel().setCharArrayValue(p11NewKeyControl.getLabel().toCharArray());
            }
            privateKey.getPrivate().setBooleanValue(true);
            if (p11NewKeyControl.getExtractable() != null) {
                privateKey.getExtractable().setBooleanValue(p11NewKeyControl.getExtractable());
            }
            if (p11NewKeyControl.getSensitive() != null) {
                privateKey.getSensitive().setBooleanValue(p11NewKeyControl.getSensitive());
            }
            Set<P11Slot.P11KeyUsage> usages = p11NewKeyControl.getUsages();
            Boolean bool = Boolean.TRUE;
            if (CollectionUtil.isNotEmpty(usages)) {
                Iterator<P11Slot.P11KeyUsage> it = usages.iterator();
                while (it.hasNext()) {
                    switch (it.next()) {
                        case DECRYPT:
                            privateKey.getDecrypt().setBooleanValue(bool);
                            break;
                        case DERIVE:
                            privateKey.getDerive().setBooleanValue(bool);
                            break;
                        case SIGN:
                            privateKey.getSign().setBooleanValue(bool);
                            break;
                        case UNWRAP:
                            privateKey.getUnwrap().setBooleanValue(bool);
                            break;
                        case SIGN_RECOVER:
                            privateKey.getSignRecover().setBooleanValue(bool);
                            break;
                    }
                }
            } else {
                long longValue = privateKey.getKeyType().getLongValue().longValue();
                if (longValue == 3 || longValue == 0 || longValue == 1 || longValue == PKCS11Constants.CKK_VENDOR_SM2) {
                    privateKey.getSign().setBooleanValue(bool);
                }
                if (longValue == 0) {
                    privateKey.getUnwrap().setBooleanValue(bool);
                    privateKey.getDecrypt().setBooleanValue(bool);
                }
            }
        }
        if (publicKey != null) {
            publicKey.getToken().setBooleanValue(true);
            if (!this.newObjectConf.isIgnoreLabel()) {
                publicKey.getLabel().setCharArrayValue(p11NewKeyControl.getLabel().toCharArray());
            }
            publicKey.getVerify().setBooleanValue(true);
        }
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected void updateCertificate0(P11ObjectIdentifier p11ObjectIdentifier, X509Certificate x509Certificate) throws P11TokenException {
        try {
            removeCerts(p11ObjectIdentifier);
        } catch (P11UnknownEntityException e) {
        }
        try {
            Thread.sleep(1000L);
        } catch (InterruptedException e2) {
        }
        P11Slot.P11NewObjectControl p11NewObjectControl = new P11Slot.P11NewObjectControl(p11ObjectIdentifier.getId(), p11ObjectIdentifier.getLabel());
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            try {
                Session value = borrowSession.value();
                value.createObject(createPkcs11Template(value, new X509Cert(x509Certificate), p11NewObjectControl));
                this.sessions.requite(borrowSession);
            } catch (TokenException e3) {
                throw new P11TokenException("could not createObject: " + e3.getMessage(), e3);
            }
        } catch (Throwable th) {
            this.sessions.requite(borrowSession);
            throw th;
        }
    }

    private X509PublicKeyCertificate[] getCertificateObjects(Session session, byte[] bArr, char[] cArr) throws P11TokenException {
        X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
        if (bArr != null) {
            x509PublicKeyCertificate.getId().setByteArrayValue(bArr);
        }
        if (cArr != null) {
            x509PublicKeyCertificate.getLabel().setCharArrayValue(cArr);
        }
        List<Storage> objects = getObjects(session, x509PublicKeyCertificate);
        if (CollectionUtil.isEmpty(objects)) {
            LOG.info("found no certificate identified by {}", getDescription(bArr, cArr));
            return null;
        }
        int size = objects.size();
        X509PublicKeyCertificate[] x509PublicKeyCertificateArr = new X509PublicKeyCertificate[size];
        for (int i = 0; i < size; i++) {
            x509PublicKeyCertificateArr[i] = (X509PublicKeyCertificate) objects.get(i);
        }
        return x509PublicKeyCertificateArr;
    }

    @Override // org.xipki.security.pkcs11.P11Slot
    protected void removeIdentity0(P11IdentityId p11IdentityId) throws P11TokenException {
        X509PublicKeyCertificate[] certificateObjects;
        iaik.pkcs.pkcs11.objects.PublicKey publicKeyObject;
        ConcurrentBagEntry<Session> borrowSession = borrowSession();
        try {
            Session value = borrowSession.value();
            P11ObjectIdentifier keyId = p11IdentityId.getKeyId();
            byte[] id = keyId.getId();
            char[] labelChars = keyId.getLabelChars();
            SecretKey secretKeyObject = getSecretKeyObject(value, id, labelChars);
            if (secretKeyObject != null) {
                try {
                    value.destroyObject(secretKeyObject);
                } catch (TokenException e) {
                    String str = "could not delete secret key " + keyId;
                    LogUtil.error(LOG, e, str);
                    throw new P11TokenException(str);
                }
            }
            if (this.vendor != IaikP11Module.Vendor.YUBIKEY) {
                PrivateKey privateKeyObject = getPrivateKeyObject(value, id, labelChars);
                if (privateKeyObject != null) {
                    try {
                        value.destroyObject(privateKeyObject);
                    } catch (TokenException e2) {
                        String str2 = "could not delete private key " + keyId;
                        LogUtil.error(LOG, e2, str2);
                        throw new P11TokenException(str2);
                    }
                }
                P11ObjectIdentifier publicKeyId = p11IdentityId.getPublicKeyId();
                if (publicKeyId != null && (publicKeyObject = getPublicKeyObject(value, publicKeyId.getId(), publicKeyId.getLabelChars())) != null) {
                    try {
                        value.destroyObject(publicKeyObject);
                    } catch (TokenException e3) {
                        String str3 = "could not delete public key " + publicKeyId;
                        LogUtil.error(LOG, e3, str3);
                        throw new P11TokenException(str3);
                    }
                }
            }
            P11ObjectIdentifier certId = p11IdentityId.getCertId();
            if (certId != null && (certificateObjects = getCertificateObjects(value, certId.getId(), certId.getLabelChars())) != null && certificateObjects.length > 0) {
                for (X509PublicKeyCertificate x509PublicKeyCertificate : certificateObjects) {
                    try {
                        value.destroyObject(x509PublicKeyCertificate);
                    } catch (TokenException e4) {
                        String str4 = "could not delete certificate " + certId;
                        LogUtil.error(LOG, e4, str4);
                        throw new P11TokenException(str4);
                    }
                }
            }
        } finally {
            this.sessions.requite(borrowSession);
        }
    }

    private byte[] generateId(Session session) throws P11TokenException {
        byte[] bArr;
        do {
            bArr = new byte[this.newObjectConf.getIdLength()];
            this.random.nextBytes(bArr);
        } while (idExists(session, bArr));
        return bArr;
    }

    private boolean idExists(Session session, byte[] bArr) throws P11TokenException {
        if (existsIdentityForId(bArr) || existsCertForId(bArr)) {
            return true;
        }
        Key key = new Key();
        key.getId().setByteArrayValue(bArr);
        try {
            try {
                session.findObjectsInit(key);
                if (session.findObjects(1).length > 0) {
                    return true;
                }
                try {
                    session.findObjectsFinal();
                } catch (TokenException e) {
                    LogUtil.error(LOG, e, "session.findObjectsFinal() failed");
                }
                X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
                x509PublicKeyCertificate.getId().setByteArrayValue(bArr);
                try {
                    try {
                        session.findObjectsInit(x509PublicKeyCertificate);
                        PKCS11Object[] findObjects = session.findObjects(1);
                        try {
                            session.findObjectsFinal();
                        } catch (TokenException e2) {
                            LogUtil.error(LOG, e2, "session.findObjectsFinal() failed");
                        }
                        return findObjects.length > 0;
                    } finally {
                        try {
                            session.findObjectsFinal();
                        } catch (TokenException e3) {
                            LogUtil.error(LOG, e3, "session.findObjectsFinal() failed");
                        }
                    }
                } catch (TokenException e4) {
                    throw new P11TokenException(e4.getMessage(), e4);
                }
            } finally {
                try {
                    session.findObjectsFinal();
                } catch (TokenException e5) {
                    LogUtil.error(LOG, e5, "session.findObjectsFinal() failed");
                }
            }
        } catch (TokenException e6) {
            throw new P11TokenException(e6.getMessage(), e6);
        }
    }

    private static boolean labelExists(Session session, char[] cArr) throws P11TokenException {
        Args.notNull(cArr, "keyLabel");
        Key key = new Key();
        key.getLabel().setCharArrayValue(cArr);
        try {
            try {
                session.findObjectsInit(key);
                if (session.findObjects(1).length > 0) {
                    return true;
                }
                try {
                    session.findObjectsFinal();
                } catch (TokenException e) {
                    LogUtil.error(LOG, e, "session.findObjectsFinal() failed");
                }
                X509PublicKeyCertificate x509PublicKeyCertificate = new X509PublicKeyCertificate();
                x509PublicKeyCertificate.getLabel().setCharArrayValue(cArr);
                try {
                    try {
                        session.findObjectsInit(x509PublicKeyCertificate);
                        PKCS11Object[] findObjects = session.findObjects(1);
                        try {
                            session.findObjectsFinal();
                        } catch (TokenException e2) {
                            LogUtil.error(LOG, e2, "session.findObjectsFinal() failed");
                        }
                        return findObjects.length > 0;
                    } catch (TokenException e3) {
                        throw new P11TokenException(e3.getMessage(), e3);
                    }
                } finally {
                    try {
                        session.findObjectsFinal();
                    } catch (TokenException e4) {
                        LogUtil.error(LOG, e4, "session.findObjectsFinal() failed");
                    }
                }
            } catch (TokenException e5) {
                throw new P11TokenException(e5.getMessage(), e5);
            }
        } finally {
            try {
                session.findObjectsFinal();
            } catch (TokenException e6) {
                LogUtil.error(LOG, e6, "session.findObjectsFinal() failed");
            }
        }
    }

    private static void logPkcs11ObjectAttributes(String str, PKCS11Object pKCS11Object) {
        if (LOG.isDebugEnabled()) {
            Hashtable<Long, Attribute> attributeTable = pKCS11Object.getAttributeTable();
            StringBuilder sb = new StringBuilder();
            if (str != null) {
                sb.append(str);
            }
            Enumeration<Long> keys = attributeTable.keys();
            while (keys.hasMoreElements()) {
                sb.append("\n  ").append(pKCS11Object.getAttribute(keys.nextElement().longValue()).toString(true));
            }
            LOG.debug(sb.toString());
        }
    }
}
