package org.xipki.security.pkcs11.emulator;

import iaik.pkcs.pkcs11.constants.Functions;
import iaik.pkcs.pkcs11.constants.PKCS11Constants;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.macs.GMac;
import org.bouncycastle.crypto.macs.HMac;
import org.bouncycastle.crypto.modes.GCMBlockCipher;
import org.bouncycastle.crypto.params.KeyParameter;
import org.bouncycastle.crypto.params.ParametersWithIV;
import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.security.HashAlgo;
import org.xipki.security.XiSecurityException;
import org.xipki.security.pkcs11.P11Identity;
import org.xipki.security.pkcs11.P11IdentityId;
import org.xipki.security.pkcs11.P11Params;
import org.xipki.security.pkcs11.P11Slot;
import org.xipki.security.pkcs11.P11TokenException;
import org.xipki.security.util.GMUtil;
import org.xipki.security.util.SignerUtil;
import org.xipki.util.Args;
import org.xipki.util.concurrent.ConcurrentBag;
import org.xipki.util.concurrent.ConcurrentBagEntry;

/* loaded from: input_file:org/xipki/security/pkcs11/emulator/EmulatorP11Identity.class */
public class EmulatorP11Identity extends P11Identity {
    private static final Logger LOG = LoggerFactory.getLogger(EmulatorP11Identity.class);
    private final Key signingKey;
    private final ConcurrentBag<ConcurrentBagEntry<Cipher>> rsaCiphers;
    private final ConcurrentBag<ConcurrentBagEntry<Signature>> dsaSignatures;
    private final ConcurrentBag<ConcurrentBagEntry<SM2Signer>> sm2Signers;
    private final SecureRandom random;

    public EmulatorP11Identity(P11Slot p11Slot, P11IdentityId p11IdentityId, SecretKey secretKey, int i, SecureRandom secureRandom) {
        super(p11Slot, p11IdentityId, 0);
        this.rsaCiphers = new ConcurrentBag<>();
        this.dsaSignatures = new ConcurrentBag<>();
        this.sm2Signers = new ConcurrentBag<>();
        this.signingKey = (Key) Args.notNull(secretKey, "signingKey");
        this.random = (SecureRandom) Args.notNull(secureRandom, "random");
    }

    public EmulatorP11Identity(P11Slot p11Slot, P11IdentityId p11IdentityId, PrivateKey privateKey, PublicKey publicKey, X509Certificate[] x509CertificateArr, int i, SecureRandom secureRandom) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException {
        super(p11Slot, p11IdentityId, publicKey, x509CertificateArr);
        String str;
        Cipher cipher;
        this.rsaCiphers = new ConcurrentBag<>();
        this.dsaSignatures = new ConcurrentBag<>();
        this.sm2Signers = new ConcurrentBag<>();
        this.signingKey = (Key) Args.notNull(privateKey, "privateKey");
        this.random = (SecureRandom) Args.notNull(secureRandom, "random");
        if (this.publicKey instanceof RSAPublicKey) {
            LOG.info("use provider {}", "BC");
            for (int i2 = 0; i2 < i; i2++) {
                try {
                    cipher = Cipher.getInstance("RSA/ECB/NoPadding", "BC");
                    LOG.info("use cipher algorithm {}", "RSA/ECB/NoPadding");
                } catch (NoSuchAlgorithmException e) {
                    try {
                        cipher = Cipher.getInstance("RSA/NONE/NoPadding", "BC");
                        LOG.info("use cipher algorithm {}", "RSA/NONE/NoPadding");
                    } catch (NoSuchPaddingException e2) {
                        throw new NoSuchAlgorithmException("NoSuchPadding", e);
                    }
                } catch (NoSuchPaddingException e3) {
                    throw new NoSuchAlgorithmException("NoSuchPadding", e3);
                }
                cipher.init(1, privateKey);
                this.rsaCiphers.add(new ConcurrentBagEntry(cipher));
            }
            return;
        }
        if (this.publicKey instanceof ECPublicKey) {
            str = GMUtil.isSm2primev2Curve(((ECPublicKey) this.publicKey).getParams().getCurve()) ? null : "NONEwithECDSA";
        } else {
            if (!(this.publicKey instanceof DSAPublicKey)) {
                throw new IllegalArgumentException("Currently only RSA, DSA and EC public key are supported, but not " + this.publicKey.getAlgorithm() + " (class: " + this.publicKey.getClass().getName() + ")");
            }
            str = "NONEwithDSA";
        }
        if (str == null) {
            for (int i3 = 0; i3 < i; i3++) {
                this.sm2Signers.add(new ConcurrentBagEntry(new SM2Signer(ECUtil.generatePrivateKeyParameter(privateKey))));
            }
            return;
        }
        for (int i4 = 0; i4 < i; i4++) {
            Signature signature = Signature.getInstance(str, "BC");
            signature.initSign(privateKey, secureRandom);
            this.dsaSignatures.add(new ConcurrentBagEntry(signature));
        }
    }

    @Override // org.xipki.security.pkcs11.P11Identity
    protected byte[] digestSecretKey0(long j) throws P11TokenException {
        if (!(this.signingKey instanceof SecretKey)) {
            throw new P11TokenException("digestSecretKey could not be applied to non-SecretKey");
        }
        HashAlgo hashAlgoForPkcs11HashMech = getHashAlgoForPkcs11HashMech(j);
        if (hashAlgoForPkcs11HashMech == null) {
            throw new P11TokenException("unknown mechanism " + Functions.mechanismCodeToString(j));
        }
        return hashAlgoForPkcs11HashMech.hash(((SecretKey) this.signingKey).getEncoded());
    }

    @Override // org.xipki.security.pkcs11.P11Identity
    protected byte[] sign0(long j, P11Params p11Params, byte[] bArr) throws P11TokenException {
        if (4161 == j) {
            return dsaAndEcdsaSign(bArr, null);
        }
        if (4162 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA1);
        }
        if (4163 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA224);
        }
        if (4164 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA256);
        }
        if (4165 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA384);
        }
        if (4166 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA512);
        }
        if (4168 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA3_224);
        }
        if (4169 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA3_256);
        }
        if (4170 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA3_384);
        }
        if (4171 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA3_512);
        }
        if (PKCS11Constants.CKM_VENDOR_SM2 == j) {
            return sm2SignHash(bArr);
        }
        if (PKCS11Constants.CKM_VENDOR_SM2_SM3 == j) {
            return sm2Sign(p11Params, bArr, HashAlgo.SM3);
        }
        if (17 == j) {
            return dsaAndEcdsaSign(bArr, null);
        }
        if (18 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA1);
        }
        if (19 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA224);
        }
        if (20 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA256);
        }
        if (21 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA384);
        }
        if (22 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA512);
        }
        if (24 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA3_224);
        }
        if (25 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA3_256);
        }
        if (26 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA3_384);
        }
        if (27 == j) {
            return dsaAndEcdsaSign(bArr, HashAlgo.SHA3_512);
        }
        if (3 == j) {
            return rsaX509Sign(bArr);
        }
        if (1 == j) {
            return rsaPkcsSign(bArr, null);
        }
        if (6 == j) {
            return rsaPkcsSign(bArr, HashAlgo.SHA1);
        }
        if (70 == j) {
            return rsaPkcsSign(bArr, HashAlgo.SHA224);
        }
        if (64 == j) {
            return rsaPkcsSign(bArr, HashAlgo.SHA256);
        }
        if (65 == j) {
            return rsaPkcsSign(bArr, HashAlgo.SHA384);
        }
        if (66 == j) {
            return rsaPkcsSign(bArr, HashAlgo.SHA512);
        }
        if (102 == j) {
            return rsaPkcsSign(bArr, HashAlgo.SHA3_224);
        }
        if (96 == j) {
            return rsaPkcsSign(bArr, HashAlgo.SHA3_256);
        }
        if (97 == j) {
            return rsaPkcsSign(bArr, HashAlgo.SHA3_384);
        }
        if (98 == j) {
            return rsaPkcsSign(bArr, HashAlgo.SHA3_512);
        }
        if (13 == j) {
            return rsaPkcsPssSign(p11Params, bArr, null);
        }
        if (14 == j) {
            return rsaPkcsPssSign(p11Params, bArr, HashAlgo.SHA1);
        }
        if (71 == j) {
            return rsaPkcsPssSign(p11Params, bArr, HashAlgo.SHA224);
        }
        if (67 == j) {
            return rsaPkcsPssSign(p11Params, bArr, HashAlgo.SHA256);
        }
        if (68 == j) {
            return rsaPkcsPssSign(p11Params, bArr, HashAlgo.SHA384);
        }
        if (69 == j) {
            return rsaPkcsPssSign(p11Params, bArr, HashAlgo.SHA512);
        }
        if (103 == j) {
            return rsaPkcsPssSign(p11Params, bArr, HashAlgo.SHA3_224);
        }
        if (99 == j) {
            return rsaPkcsPssSign(p11Params, bArr, HashAlgo.SHA3_256);
        }
        if (100 == j) {
            return rsaPkcsPssSign(p11Params, bArr, HashAlgo.SHA3_384);
        }
        if (101 == j) {
            return rsaPkcsPssSign(p11Params, bArr, HashAlgo.SHA3_512);
        }
        if (545 == j) {
            return hmac(bArr, HashAlgo.SHA1);
        }
        if (598 == j) {
            return hmac(bArr, HashAlgo.SHA224);
        }
        if (593 == j) {
            return hmac(bArr, HashAlgo.SHA256);
        }
        if (609 == j) {
            return hmac(bArr, HashAlgo.SHA384);
        }
        if (625 == j) {
            return hmac(bArr, HashAlgo.SHA512);
        }
        if (694 == j) {
            return hmac(bArr, HashAlgo.SHA3_224);
        }
        if (689 == j) {
            return hmac(bArr, HashAlgo.SHA3_256);
        }
        if (705 == j) {
            return hmac(bArr, HashAlgo.SHA3_384);
        }
        if (721 == j) {
            return hmac(bArr, HashAlgo.SHA3_512);
        }
        if (4238 == j) {
            return aesGmac(p11Params, bArr);
        }
        throw new P11TokenException("unsupported mechanism " + j);
    }

    private byte[] hmac(byte[] bArr, HashAlgo hashAlgo) {
        HMac hMac = new HMac(hashAlgo.createDigest());
        hMac.init(new KeyParameter(this.signingKey.getEncoded()));
        hMac.update(bArr, 0, bArr.length);
        byte[] bArr2 = new byte[hMac.getMacSize()];
        hMac.doFinal(bArr2, 0);
        return bArr2;
    }

    private byte[] aesGmac(P11Params p11Params, byte[] bArr) throws P11TokenException {
        if (p11Params == null) {
            throw new P11TokenException("iv may not be null");
        }
        if (!(p11Params instanceof P11Params.P11IVParams)) {
            throw new P11TokenException("params must be instanceof P11IVParams");
        }
        byte[] iv = ((P11Params.P11IVParams) p11Params).getIV();
        GMac gMac = new GMac(new GCMBlockCipher(new AESEngine()));
        gMac.init(new ParametersWithIV(new KeyParameter(this.signingKey.getEncoded()), iv));
        gMac.update(bArr, 0, bArr.length);
        byte[] bArr2 = new byte[gMac.getMacSize()];
        gMac.doFinal(bArr2, 0);
        return bArr2;
    }

    private byte[] rsaPkcsPssSign(P11Params p11Params, byte[] bArr, HashAlgo hashAlgo) throws P11TokenException {
        if (!(p11Params instanceof P11Params.P11RSAPkcsPssParams)) {
            throw new P11TokenException("the parameters is not of " + P11Params.P11RSAPkcsPssParams.class.getName());
        }
        P11Params.P11RSAPkcsPssParams p11RSAPkcsPssParams = (P11Params.P11RSAPkcsPssParams) p11Params;
        HashAlgo hashAlgoForPkcs11HashMech = getHashAlgoForPkcs11HashMech(p11RSAPkcsPssParams.getHashAlgorithm());
        if (hashAlgoForPkcs11HashMech == null) {
            throw new P11TokenException("unsupported HashAlgorithm " + p11RSAPkcsPssParams.getHashAlgorithm());
        }
        if (hashAlgo != null && hashAlgoForPkcs11HashMech != hashAlgo) {
            throw new P11TokenException("Invalid parameters: invalid hash algorithm");
        }
        HashAlgo hashAlgoForPkcs11MgfMech = getHashAlgoForPkcs11MgfMech(p11RSAPkcsPssParams.getMaskGenerationFunction());
        if (hashAlgoForPkcs11MgfMech == null) {
            throw new P11TokenException("unsupported MaskGenerationFunction " + p11RSAPkcsPssParams.getHashAlgorithm());
        }
        try {
            return rsaX509Sign(SignerUtil.EMSA_PSS_ENCODE(hashAlgoForPkcs11HashMech, hashAlgo == null ? bArr : hashAlgo.hash(bArr), hashAlgoForPkcs11MgfMech, (int) p11RSAPkcsPssParams.getSaltLength(), getSignatureKeyBitLength(), this.random));
        } catch (XiSecurityException e) {
            throw new P11TokenException("XiSecurityException: " + e.getMessage(), e);
        }
    }

    private byte[] rsaPkcsSign(byte[] bArr, HashAlgo hashAlgo) throws P11TokenException {
        int signatureKeyBitLength = getSignatureKeyBitLength();
        try {
            return rsaX509Sign(hashAlgo == null ? SignerUtil.EMSA_PKCS1_v1_5_encoding(bArr, signatureKeyBitLength) : SignerUtil.EMSA_PKCS1_v1_5_encoding(hashAlgo.hash(bArr), signatureKeyBitLength, hashAlgo));
        } catch (XiSecurityException e) {
            throw new P11TokenException("XiSecurityException: " + e.getMessage(), e);
        }
    }

    private byte[] rsaX509Sign(byte[] bArr) throws P11TokenException {
        try {
            ConcurrentBagEntry borrow = this.rsaCiphers.borrow(5000L, TimeUnit.MILLISECONDS);
            try {
                if (borrow == null) {
                    throw new P11TokenException("no idle RSA cipher available");
                }
                try {
                    byte[] doFinal = ((Cipher) borrow.value()).doFinal(bArr);
                    this.rsaCiphers.requite(borrow);
                    return doFinal;
                } catch (BadPaddingException e) {
                    throw new P11TokenException("BadPaddingException: " + e.getMessage(), e);
                } catch (IllegalBlockSizeException e2) {
                    throw new P11TokenException("IllegalBlockSizeException: " + e2.getMessage(), e2);
                }
            } catch (Throwable th) {
                this.rsaCiphers.requite(borrow);
                throw th;
            }
        } catch (InterruptedException e3) {
            throw new P11TokenException("could not take any idle signer");
        }
    }

    private byte[] dsaAndEcdsaSign(byte[] bArr, HashAlgo hashAlgo) throws P11TokenException {
        byte[] hash = hashAlgo == null ? bArr : hashAlgo.hash(bArr);
        try {
            ConcurrentBagEntry borrow = this.dsaSignatures.borrow(5000L, TimeUnit.MILLISECONDS);
            try {
                if (borrow == null) {
                    throw new P11TokenException("no idle DSA Signature available");
                }
                try {
                    try {
                        Signature signature = (Signature) borrow.value();
                        signature.update(hash);
                        byte[] dsaSigX962ToPlain = SignerUtil.dsaSigX962ToPlain(signature.sign(), getSignatureKeyBitLength());
                        this.dsaSignatures.requite(borrow);
                        return dsaSigX962ToPlain;
                    } catch (SignatureException e) {
                        throw new P11TokenException("SignatureException: " + e.getMessage(), e);
                    }
                } catch (XiSecurityException e2) {
                    throw new P11TokenException("XiSecurityException: " + e2.getMessage(), e2);
                }
            } catch (Throwable th) {
                this.dsaSignatures.requite(borrow);
                throw th;
            }
        } catch (InterruptedException e3) {
            throw new P11TokenException("InterruptedException occurs while retrieving idle signature");
        }
    }

    private byte[] sm2SignHash(byte[] bArr) throws P11TokenException {
        try {
            ConcurrentBagEntry borrow = this.sm2Signers.borrow(5000L, TimeUnit.MILLISECONDS);
            try {
                if (borrow == null) {
                    throw new P11TokenException("no idle SM2 Signer available");
                }
                try {
                    byte[] dsaSigX962ToPlain = SignerUtil.dsaSigX962ToPlain(((SM2Signer) borrow.value()).generateSignatureForHash(bArr), getSignatureKeyBitLength());
                    this.sm2Signers.requite(borrow);
                    return dsaSigX962ToPlain;
                } catch (CryptoException e) {
                    throw new P11TokenException("CryptoException: " + e.getMessage(), e);
                } catch (XiSecurityException e2) {
                    throw new P11TokenException("XiSecurityException: " + e2.getMessage(), e2);
                }
            } catch (Throwable th) {
                this.sm2Signers.requite(borrow);
                throw th;
            }
        } catch (InterruptedException e3) {
            throw new P11TokenException("InterruptedException occurs while retrieving idle signature");
        }
    }

    private byte[] sm2Sign(P11Params p11Params, byte[] bArr, HashAlgo hashAlgo) throws P11TokenException {
        if (p11Params == null) {
            throw new P11TokenException("userId may not be null");
        }
        if (!(p11Params instanceof P11Params.P11ByteArrayParams)) {
            throw new P11TokenException("params must be instanceof P11ByteArrayParams");
        }
        byte[] bytes = ((P11Params.P11ByteArrayParams) p11Params).getBytes();
        try {
            ConcurrentBagEntry borrow = this.sm2Signers.borrow(5000L, TimeUnit.MILLISECONDS);
            try {
                if (borrow == null) {
                    throw new P11TokenException("no idle SM2 Signer available");
                }
                try {
                    try {
                        byte[] dsaSigX962ToPlain = SignerUtil.dsaSigX962ToPlain(((SM2Signer) borrow.value()).generateSignatureForMessage(bytes, bArr), getSignatureKeyBitLength());
                        this.sm2Signers.requite(borrow);
                        return dsaSigX962ToPlain;
                    } catch (XiSecurityException e) {
                        throw new P11TokenException("XiSecurityException: " + e.getMessage(), e);
                    }
                } catch (CryptoException e2) {
                    throw new P11TokenException("CryptoException: " + e2.getMessage(), e2);
                }
            } catch (Throwable th) {
                this.sm2Signers.requite(borrow);
                throw th;
            }
        } catch (InterruptedException e3) {
            throw new P11TokenException("InterruptedException occurs while retrieving idle signature");
        }
    }

    Key getSigningKey() {
        return this.signingKey;
    }

    private static HashAlgo getHashAlgoForPkcs11HashMech(long j) {
        if (j == 544) {
            return HashAlgo.SHA1;
        }
        if (j == 597) {
            return HashAlgo.SHA224;
        }
        if (j == 592) {
            return HashAlgo.SHA256;
        }
        if (j == 608) {
            return HashAlgo.SHA384;
        }
        if (j == 624) {
            return HashAlgo.SHA512;
        }
        if (j == 693) {
            return HashAlgo.SHA3_224;
        }
        if (j == 688) {
            return HashAlgo.SHA3_256;
        }
        if (j == 704) {
            return HashAlgo.SHA3_384;
        }
        if (j == 720) {
            return HashAlgo.SHA3_512;
        }
        if (j == PKCS11Constants.CKM_VENDOR_SM3) {
            return HashAlgo.SM3;
        }
        return null;
    }

    private static HashAlgo getHashAlgoForPkcs11MgfMech(long j) {
        if (j == 1) {
            return HashAlgo.SHA1;
        }
        if (j == 5) {
            return HashAlgo.SHA224;
        }
        if (j == 2) {
            return HashAlgo.SHA256;
        }
        if (j == 3) {
            return HashAlgo.SHA384;
        }
        if (j == 4) {
            return HashAlgo.SHA512;
        }
        if (j == 6) {
            return HashAlgo.SHA3_224;
        }
        if (j == 7) {
            return HashAlgo.SHA3_256;
        }
        if (j == 8) {
            return HashAlgo.SHA3_384;
        }
        if (j == 9) {
            return HashAlgo.SHA3_512;
        }
        return null;
    }
}
