package org.xipki.qa.ca;

import java.security.spec.InvalidKeySpecException;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.ca.api.BadCertTemplateException;
import org.xipki.ca.api.profile.KeyParametersOption;
import org.xipki.qa.ValidationIssue;
import org.xipki.security.util.AlgorithmUtil;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.LruCache;

/* loaded from: input_file:org/xipki/qa/ca/PublicKeyChecker.class */
public class PublicKeyChecker {
    private static final Logger LOG = LoggerFactory.getLogger(PublicKeyChecker.class);
    private static final LruCache<ASN1ObjectIdentifier, Integer> EC_CURVEFIELD_SIZES = new LruCache<>(100);
    private final Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms;

    public PublicKeyChecker(Map<ASN1ObjectIdentifier, KeyParametersOption> map) {
        this.keyAlgorithms = map;
    }

    public List<ValidationIssue> checkPublicKey(SubjectPublicKeyInfo subjectPublicKeyInfo, SubjectPublicKeyInfo subjectPublicKeyInfo2) {
        Args.notNull(subjectPublicKeyInfo, "publicKey");
        Args.notNull(subjectPublicKeyInfo2, "requestedPublicKey");
        LinkedList linkedList = new LinkedList();
        if (this.keyAlgorithms != null) {
            ValidationIssue validationIssue = new ValidationIssue("X509.PUBKEY.SYN", "whether the public key in certificate is permitted");
            linkedList.add(validationIssue);
            try {
                checkPublicKey(subjectPublicKeyInfo);
            } catch (BadCertTemplateException e) {
                validationIssue.setFailureMessage(e.getMessage());
            }
        }
        ValidationIssue validationIssue2 = new ValidationIssue("X509.PUBKEY.REQ", "whether public key matches the request one");
        linkedList.add(validationIssue2);
        try {
            if (!X509Util.toRfc3279Style(subjectPublicKeyInfo2).equals(subjectPublicKeyInfo)) {
                validationIssue2.setFailureMessage("public key in the certificate does not equal the requested one");
            }
        } catch (InvalidKeySpecException e2) {
            validationIssue2.setFailureMessage("public key in request is invalid");
        }
        return linkedList;
    }

    private void checkPublicKey(SubjectPublicKeyInfo subjectPublicKeyInfo) throws BadCertTemplateException {
        if (CollectionUtil.isEmpty(this.keyAlgorithms)) {
            return;
        }
        ASN1ObjectIdentifier algorithm = subjectPublicKeyInfo.getAlgorithm().getAlgorithm();
        if (!this.keyAlgorithms.containsKey(algorithm)) {
            throw new BadCertTemplateException("key type " + algorithm.getId() + " is not permitted");
        }
        KeyParametersOption.ECParamatersOption eCParamatersOption = (KeyParametersOption) this.keyAlgorithms.get(algorithm);
        if (eCParamatersOption instanceof KeyParametersOption.AllowAllParametersOption) {
            return;
        }
        if (eCParamatersOption instanceof KeyParametersOption.ECParamatersOption) {
            KeyParametersOption.ECParamatersOption eCParamatersOption2 = eCParamatersOption;
            ASN1ObjectIdentifier parameters = subjectPublicKeyInfo.getAlgorithm().getParameters();
            if (!(parameters instanceof ASN1ObjectIdentifier)) {
                throw new BadCertTemplateException("only namedCurve EC public key is supported");
            }
            ASN1ObjectIdentifier aSN1ObjectIdentifier = parameters;
            if (!eCParamatersOption2.allowsCurve(aSN1ObjectIdentifier)) {
                throw new BadCertTemplateException("EC curve " + AlgorithmUtil.getCurveName(aSN1ObjectIdentifier) + " (OID: " + aSN1ObjectIdentifier.getId() + ") is not allowed");
            }
            if (eCParamatersOption2.getPointEncodings() != null) {
                byte[] bytes = subjectPublicKeyInfo.getPublicKeyData().getBytes();
                if (bytes.length < 1) {
                    throw new BadCertTemplateException("invalid publicKeyData");
                }
                byte b = bytes[0];
                if (!eCParamatersOption2.getPointEncodings().contains(Byte.valueOf(b))) {
                    throw new BadCertTemplateException("not-accepted EC point encoding " + ((int) b));
                }
            }
            try {
                checkECSubjectPublicKeyInfo(aSN1ObjectIdentifier, subjectPublicKeyInfo.getPublicKeyData().getBytes());
                return;
            } catch (Exception e) {
                LOG.debug("checkECSubjectPublicKeyInfo", e);
                throw new BadCertTemplateException("invalid public key: " + e.getMessage());
            } catch (BadCertTemplateException e2) {
                throw e2;
            }
        }
        if (eCParamatersOption instanceof KeyParametersOption.RSAParametersOption) {
            try {
                if (((KeyParametersOption.RSAParametersOption) eCParamatersOption).allowsModulusLength(ASN1Integer.getInstance(ASN1Sequence.getInstance(subjectPublicKeyInfo.getPublicKeyData().getBytes()).getObjectAt(0)).getPositiveValue().bitLength())) {
                    return;
                }
            } catch (IllegalArgumentException e3) {
                throw new BadCertTemplateException("invalid publicKeyData");
            }
        } else {
            if (!(eCParamatersOption instanceof KeyParametersOption.DSAParametersOption)) {
                throw new IllegalStateException("should not reach here, unknown keyParamsOption " + (eCParamatersOption == null ? "null" : eCParamatersOption.getClass().getName()));
            }
            KeyParametersOption.DSAParametersOption dSAParametersOption = (KeyParametersOption.DSAParametersOption) eCParamatersOption;
            ASN1Encodable parameters2 = subjectPublicKeyInfo.getAlgorithm().getParameters();
            if (parameters2 == null) {
                throw new BadCertTemplateException("null Dss-Parms is not permitted");
            }
            try {
                ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance(parameters2);
                ASN1Integer aSN1Integer = ASN1Integer.getInstance(aSN1Sequence.getObjectAt(0));
                ASN1Integer aSN1Integer2 = ASN1Integer.getInstance(aSN1Sequence.getObjectAt(1));
                int bitLength = aSN1Integer.getPositiveValue().bitLength();
                int bitLength2 = aSN1Integer2.getPositiveValue().bitLength();
                boolean allowsPlength = dSAParametersOption.allowsPlength(bitLength);
                if (allowsPlength) {
                    allowsPlength = dSAParametersOption.allowsQlength(bitLength2);
                }
                if (allowsPlength) {
                    return;
                }
            } catch (ArrayIndexOutOfBoundsException | IllegalArgumentException e4) {
                throw new BadCertTemplateException("illegal Dss-Parms");
            }
        }
        throw new BadCertTemplateException("the given publicKey is not permitted");
    }

    private static void checkECSubjectPublicKeyInfo(ASN1ObjectIdentifier aSN1ObjectIdentifier, byte[] bArr) throws BadCertTemplateException {
        Integer num = (Integer) EC_CURVEFIELD_SIZES.get(aSN1ObjectIdentifier);
        if (num == null) {
            num = Integer.valueOf((ECUtil.getNamedCurveByOid(aSN1ObjectIdentifier).getCurve().getFieldSize() + 7) / 8);
            EC_CURVEFIELD_SIZES.put(aSN1ObjectIdentifier, num);
        }
        switch (bArr[0]) {
            case 2:
            case 3:
                if (bArr.length != num.intValue() + 1) {
                    throw new BadCertTemplateException("incorrect length for compressed encoding");
                }
                return;
            case 4:
            case 6:
            case 7:
                if (bArr.length != (2 * num.intValue()) + 1) {
                    throw new BadCertTemplateException("incorrect length for uncompressed/hybrid encoding");
                }
                return;
            case 5:
            default:
                throw new BadCertTemplateException("invalid point encoding 0x" + Integer.toString(bArr[0], 16));
        }
    }
}
