package com.xdja.hsm.pkcs11;

import com.xdja.hsm.pkcs11.wrapper.AlgorithmId;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.SignatureSpi;
import java.security.interfaces.DSAKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import sun.nio.ch.DirectBuffer;
import sun.security.pkcs11.wrapper.CK_MECHANISM;
import sun.security.pkcs11.wrapper.CK_MECHANISM_INFO;
import sun.security.pkcs11.wrapper.PKCS11Exception;
import sun.security.rsa.RSAPadding;
import sun.security.rsa.RSASignature;
import sun.security.util.DerInputStream;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
import sun.security.util.KeyUtil;
import sun.security.util.ObjectIdentifier;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/hsm-jce-pkcs11-1.0-SNAPSHOT.jar:com/xdja/hsm/pkcs11/P11Signature.class */
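/**
 * {@link SignatureSpi} implementation that delegates the private/public key
 * operation to a PKCS#11 token.
 *
 * <p>Depending on the mechanism the instance works in one of three ways:
 * <ul>
 *   <li>{@code T_DIGEST}: input is hashed in Java with {@link MessageDigest} and the
 *       digest is handed to the token in a single {@code C_Sign}/{@code C_Verify} call;</li>
 *   <li>{@code T_UPDATE}: input is streamed to the token with
 *       {@code C_SignUpdate}/{@code C_VerifyUpdate};</li>
 *   <li>{@code T_RAW}: input is collected in a fixed-size buffer and passed on unhashed.</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@code MD2withRSA}, {@code MD5withRSA} and the SHA-1 based algorithms are still
 *       accepted. These digests are no longer collision resistant; restrict them through
 *       provider/algorithm policy if the deployment does not need them.</li>
 *   <li>The instance keeps mutable state (session, mode, buffer) without any locking
 *       visible in this class, so it should not be shared between threads.</li>
 * </ul>
 */
public final class P11Signature extends SignatureSpi {
    // Operation modes stored in 'mode'.
    private static final int M_SIGN = 1;
    private static final int M_VERIFY = 2;

    // Processing strategies stored in 'type' (see class comment).
    private static final int T_DIGEST = 1;
    private static final int T_UPDATE = 2;
    private static final int T_RAW = 3;

    // Maximum number of input bytes accepted for NONEwithECDSA.
    private static final int RAW_ECDSA_MAX = 128;

    // PKCS#11 mechanism identifiers that are compared outside the constructor switch.
    private static final long CKM_RSA_X_509 = 3L;
    private static final long CKM_DSA = 17L;

    // PKCS#11 return codes that mean "signature did not verify" rather than "token failure".
    private static final long CKR_DATA_LEN_RANGE = 33L;
    private static final long CKR_SIGNATURE_INVALID = 192L;
    private static final long CKR_SIGNATURE_LEN_RANGE = 193L;

    private final Token token;
    private final String algorithm;
    private final String keyAlgorithm;
    private final long mechanism;
    // DigestInfo OID used for RSA encodings; null for non-RSA algorithms.
    private final ObjectIdentifier digestOID;
    private final int type;
    private P11Key p11Key;
    // Java-side digest, only set for T_DIGEST.
    private final MessageDigest md;
    private Session session;
    private int mode;
    private boolean initialized;
    // T_RAW: collects the input; T_UPDATE: one-byte scratch buffer; T_DIGEST: null.
    private final byte[] buffer;
    // Bytes fed so far. For T_RAW the value buffer.length + 1 marks "too much input".
    private int bytesProcessed;

    /**
     * Creates the engine for one algorithm/mechanism pair.
     *
     * @param token token that performs the key operation
     * @param str   JCA signature algorithm name, e.g. {@code SHA256withRSA}
     * @param j     PKCS#11 mechanism identifier (only its low 32 bits are inspected)
     * @throws NoSuchAlgorithmException if the required Java digest is not available
     * @throws PKCS11Exception          declared for callers; not thrown by the visible code
     * @throws ProviderException        if the algorithm name or the mechanism is not supported
     */
    public P11Signature(Token token, String str, long j) throws NoSuchAlgorithmException, PKCS11Exception {
        this.token = token;
        this.algorithm = str;
        this.mechanism = j;
        byte[] rawBuffer = null;
        ObjectIdentifier oid = null;
        MessageDigest digest = null;
        switch ((int) j) {
            case 1: // CKM_RSA_PKCS
            case 3: // CKM_RSA_X_509
                this.keyAlgorithm = "RSA";
                this.type = T_DIGEST;
                // MD2, MD5 and SHA-1 are kept for compatibility only; they are not
                // collision resistant and should be disabled by policy where possible.
                if (str.equals("MD5withRSA")) {
                    digest = MessageDigest.getInstance("MD5");
                    oid = AlgorithmId.MD5_oid;
                } else if (str.equals("SHA1withRSA")) {
                    digest = MessageDigest.getInstance("SHA-1");
                    oid = AlgorithmId.SHA_oid;
                } else if (str.equals("MD2withRSA")) {
                    digest = MessageDigest.getInstance("MD2");
                    oid = AlgorithmId.MD2_oid;
                } else if (str.equals("SHA224withRSA")) {
                    digest = MessageDigest.getInstance("SHA-224");
                    oid = AlgorithmId.SHA224_oid;
                } else if (str.equals("SHA256withRSA")) {
                    digest = MessageDigest.getInstance("SHA-256");
                    oid = AlgorithmId.SHA256_oid;
                } else if (str.equals("SHA384withRSA")) {
                    digest = MessageDigest.getInstance("SHA-384");
                    oid = AlgorithmId.SHA384_oid;
                } else if (str.equals("SHA512withRSA")) {
                    digest = MessageDigest.getInstance("SHA-512");
                    oid = AlgorithmId.SHA512_oid;
                } else {
                    throw new ProviderException("Unknown signature: " + str);
                }
                break;
            case 4:  // CKM_MD2_RSA_PKCS
            case 5:  // CKM_MD5_RSA_PKCS
            case 6:  // CKM_SHA1_RSA_PKCS
            case 64: // CKM_SHA256_RSA_PKCS
            case 65: // CKM_SHA384_RSA_PKCS
            case 66: // CKM_SHA512_RSA_PKCS
            case 70: // CKM_SHA224_RSA_PKCS
                this.keyAlgorithm = "RSA";
                this.type = T_UPDATE;
                rawBuffer = new byte[1];
                break;
            case 17: // CKM_DSA
                this.keyAlgorithm = "DSA";
                if (str.equals("DSA")) {
                    this.type = T_DIGEST;
                    digest = MessageDigest.getInstance("SHA-1");
                } else if (str.equals("RawDSA")) {
                    this.type = T_RAW;
                    rawBuffer = new byte[20];
                } else {
                    throw new ProviderException(str);
                }
                break;
            case 18: // CKM_DSA_SHA1
                this.keyAlgorithm = "DSA";
                this.type = T_UPDATE;
                rawBuffer = new byte[1];
                break;
            case 647: // presumably the vendor's SM2 signature mechanism; confirm against the token documentation
                this.keyAlgorithm = "SM2";
                this.type = T_DIGEST;
                // Fail here instead of leaving the digest null, which would only
                // surface later as a NullPointerException on the first update().
                if (!str.equals("SM3withSM2")) {
                    throw new ProviderException("Unknown signature: " + str);
                }
                digest = MessageDigest.getInstance("SM3");
                oid = AlgorithmId.SM3_oid;
                break;
            case 4161: // CKM_ECDSA
                this.keyAlgorithm = "EC";
                if (str.equals("NONEwithECDSA")) {
                    this.type = T_RAW;
                    rawBuffer = new byte[RAW_ECDSA_MAX];
                } else {
                    String digestName;
                    if (str.equals("SHA1withECDSA")) {
                        digestName = "SHA-1";
                    } else if (str.equals("SHA224withECDSA")) {
                        digestName = "SHA-224";
                    } else if (str.equals("SHA256withECDSA")) {
                        digestName = "SHA-256";
                    } else if (str.equals("SHA384withECDSA")) {
                        digestName = "SHA-384";
                    } else if (str.equals("SHA512withECDSA")) {
                        digestName = "SHA-512";
                    } else {
                        throw new ProviderException(str);
                    }
                    this.type = T_DIGEST;
                    digest = MessageDigest.getInstance(digestName);
                }
                break;
            case 4162: // CKM_ECDSA_SHA1
                this.keyAlgorithm = "EC";
                this.type = T_UPDATE;
                rawBuffer = new byte[1];
                break;
            default:
                throw new ProviderException("Unknown mechanism: " + j);
        }
        this.buffer = rawBuffer;
        this.digestOID = oid;
        this.md = digest;
    }

    /** Checks that the token is still valid and (re)starts the token operation if needed. */
    private void ensureInitialized() {
        this.token.ensureValid();
        if (!this.initialized) {
            initialize();
        }
    }

    /**
     * Abandons an operation that is still open on the token so that the session can be
     * re-initialised with a new key.
     *
     * @throws ProviderException if finishing a pending sign operation fails
     */
    private void cancelOperation() {
        this.token.ensureValid();
        if (!this.initialized) {
            return;
        }
        this.initialized = false;
        if (this.session == null || !this.token.explicitCancel) {
            return;
        }
        if (!this.session.hasObjects()) {
            this.session = this.token.killSession(this.session);
            return;
        }
        if (this.mode == M_SIGN) {
            // The pending operation is ended by completing it; the result is discarded.
            try {
                if (this.type == T_UPDATE) {
                    this.token.p11.C_SignFinal(this.session.id(), 0);
                } else {
                    this.token.p11.C_Sign(this.session.id(), this.type == T_DIGEST ? this.md.digest() : this.buffer);
                }
            } catch (PKCS11Exception e) {
                throw new ProviderException("cancel failed", e);
            }
            return;
        }
        try {
            // Verify against an all-zero dummy signature of a plausible length.
            byte[] dummySignature = this.keyAlgorithm.equals("DSA")
                    ? new byte[40]
                    : new byte[(this.p11Key.length() + 7) >> 3];
            if (this.type == T_UPDATE) {
                this.token.p11.C_VerifyFinal(this.session.id(), dummySignature);
            } else {
                this.token.p11.C_Verify(this.session.id(), this.type == T_DIGEST ? this.md.digest() : this.buffer, dummySignature);
            }
        } catch (PKCS11Exception ignored) {
            // Expected: the dummy signature does not verify. The error code is not
            // inspected, so a genuine token fault is hidden here as well.
        }
    }

    /**
     * Obtains a session if necessary and starts the sign or verify operation on the token.
     *
     * @throws ProviderException if the token rejects the initialisation
     */
    private void initialize() {
        try {
            if (this.session == null) {
                this.session = this.token.getOpSession();
            }
            CK_MECHANISM ckMechanism = new CK_MECHANISM(this.mechanism);
            if (this.mode == M_SIGN) {
                this.token.p11.C_SignInit(this.session.id(), ckMechanism, this.p11Key.keyID);
            } else {
                this.token.p11.C_VerifyInit(this.session.id(), ckMechanism, this.p11Key.keyID);
            }
            this.initialized = true;
            // Drop input left over from a previous, unfinished operation.
            if (this.bytesProcessed != 0) {
                this.bytesProcessed = 0;
                if (this.md != null) {
                    this.md.reset();
                }
            }
        } catch (PKCS11Exception e) {
            throw new ProviderException("Initialization failed", e);
        }
    }

    /**
     * Rejects keys whose size is outside the range the token reports for the mechanism.
     *
     * <p>NOTE(review): for a key that is not a {@code P11Key} only "RSA", "DSA" and "EC"
     * are handled; with key algorithm "SM2" this method throws {@link ProviderException}.
     * Confirm whether software SM2 keys are expected to reach this path.
     *
     * @param str key algorithm name
     * @param key key passed to {@code initSign}/{@code initVerify}
     * @throws InvalidKeyException if the key is too short or too long
     */
    private void checkKeySize(String str, Key key) throws InvalidKeyException {
        CK_MECHANISM_INFO mechanismInfo = null;
        try {
            mechanismInfo = this.token.getMechanismInfo(this.mechanism);
        } catch (PKCS11Exception ignored) {
            // Best effort: when the token cannot report limits, the size check is
            // skipped completely (see the null test below).
        }
        if (mechanismInfo == null) {
            return;
        }
        int minKeySize = (int) mechanismInfo.ulMinKeySize;
        int maxKeySize = (int) mechanismInfo.ulMaxKeySize;
        int keySize;
        if (key instanceof P11Key) {
            keySize = ((P11Key) key).length();
        } else if (str.equals("RSA")) {
            keySize = ((RSAKey) key).getModulus().bitLength();
        } else if (str.equals("DSA")) {
            keySize = ((DSAKey) key).getParams().getP().bitLength();
        } else if (str.equals("EC")) {
            keySize = ((ECKey) key).getParams().getCurve().getField().getFieldSize();
        } else {
            throw new ProviderException("Error: unsupported algo " + str);
        }
        // -1 is treated as "limit not available".
        if (minKeySize != -1 && keySize < minKeySize) {
            throw new InvalidKeyException(str + " key must be at least " + minKeySize + " bits");
        }
        if (maxKeySize != -1 && keySize > maxKeySize) {
            throw new InvalidKeyException(str + " key must be at most " + maxKeySize + " bits");
        }
        if (str.equals("RSA")) {
            checkRSAKeyLength(keySize);
        }
    }

    /**
     * Checks that an RSA modulus of {@code i} bits leaves room for the encoded digest of
     * the configured algorithm under PKCS#1 block type 1 padding.
     *
     * @param i RSA key size in bits
     * @throws InvalidKeyException if the key is too short for the algorithm
     */
    private void checkRSAKeyLength(int i) throws InvalidKeyException {
        try {
            int maxDataSize = RSAPadding.getInstance(1, (i + 7) >> 3).getMaxDataSize();
            // Size in bytes of the encoded digest for each algorithm.
            int encodedLength;
            if (this.algorithm.equals("MD5withRSA") || this.algorithm.equals("MD2withRSA")) {
                encodedLength = 34;
            } else if (this.algorithm.equals("SHA1withRSA")) {
                encodedLength = 35;
            } else if (this.algorithm.equals("SHA224withRSA")) {
                encodedLength = 47;
            } else if (this.algorithm.equals("SHA256withRSA")) {
                encodedLength = 51;
            } else if (this.algorithm.equals("SHA384withRSA")) {
                encodedLength = 67;
            } else if (this.algorithm.equals("SHA512withRSA")) {
                encodedLength = 83;
            } else {
                throw new ProviderException("Unknown signature algo: " + this.algorithm);
            }
            if (encodedLength > maxDataSize) {
                throw new InvalidKeyException("Key is too short for this signature algorithm");
            }
        } catch (InvalidAlgorithmParameterException e) {
            // Keep the cause so the original failure stays visible in stack traces.
            throw new InvalidKeyException(e.getMessage(), e);
        }
    }

    /**
     * Prepares the engine for verification with the given public key.
     *
     * @throws InvalidKeyException if the key is null or fails the size check
     */
    @Override
    protected void engineInitVerify(PublicKey publicKey) throws InvalidKeyException {
        if (publicKey == null) {
            throw new InvalidKeyException("Key must not be null");
        }
        // The size check is skipped when the very same key object is reused.
        if (publicKey != this.p11Key) {
            checkKeySize(this.keyAlgorithm, publicKey);
        }
        cancelOperation();
        this.mode = M_VERIFY;
        this.p11Key = P11KeyFactory.convertKey(this.token, publicKey, this.keyAlgorithm);
        initialize();
    }

    /**
     * Prepares the engine for signing with the given private key.
     *
     * @throws InvalidKeyException if the key is null or fails the size check
     */
    @Override
    protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
        if (privateKey == null) {
            throw new InvalidKeyException("Key must not be null");
        }
        // The size check is skipped when the very same key object is reused.
        if (privateKey != this.p11Key) {
            checkKeySize(this.keyAlgorithm, privateKey);
        }
        cancelOperation();
        this.mode = M_SIGN;
        this.p11Key = P11KeyFactory.convertKey(this.token, privateKey, this.keyAlgorithm);
        initialize();
    }

    /** Feeds a single byte into the current operation. */
    @Override
    protected void engineUpdate(byte b) throws SignatureException {
        ensureInitialized();
        switch (this.type) {
            case T_DIGEST:
                this.md.update(b);
                this.bytesProcessed++;
                return;
            case T_UPDATE:
                this.buffer[0] = b;
                engineUpdate(this.buffer, 0, 1);
                return;
            case T_RAW:
                if (this.bytesProcessed >= this.buffer.length) {
                    // Too much input: remember it, the error is raised in sign()/verify().
                    this.bytesProcessed = this.buffer.length + 1;
                    return;
                }
                this.buffer[this.bytesProcessed++] = b;
                return;
            default:
                throw new ProviderException("Internal error");
        }
    }

    /**
     * Feeds {@code i2} bytes of {@code bArr}, starting at offset {@code i}, into the
     * current operation.
     */
    @Override
    protected void engineUpdate(byte[] bArr, int i, int i2) throws SignatureException {
        ensureInitialized();
        if (i2 == 0) {
            return;
        }
        switch (this.type) {
            case T_DIGEST:
                this.md.update(bArr, i, i2);
                this.bytesProcessed += i2;
                return;
            case T_UPDATE:
                try {
                    if (this.mode == M_SIGN) {
                        this.token.p11.C_SignUpdate(this.session.id(), 0L, bArr, i, i2);
                    } else {
                        this.token.p11.C_VerifyUpdate(this.session.id(), 0L, bArr, i, i2);
                    }
                    this.bytesProcessed += i2;
                    return;
                } catch (PKCS11Exception e) {
                    throw new ProviderException(e);
                }
            case T_RAW:
                // Compare against the free space instead of adding the lengths, so a
                // very large i2 cannot wrap around and slip past the limit check.
                if (i2 > this.buffer.length - this.bytesProcessed) {
                    this.bytesProcessed = this.buffer.length + 1;
                    return;
                }
                System.arraycopy(bArr, i, this.buffer, this.bytesProcessed, i2);
                this.bytesProcessed += i2;
                return;
            default:
                throw new ProviderException("Internal error");
        }
    }

    /** Feeds the remaining bytes of {@code byteBuffer} into the current operation. */
    @Override
    protected void engineUpdate(ByteBuffer byteBuffer) {
        ensureInitialized();
        int remaining = byteBuffer.remaining();
        if (remaining <= 0) {
            return;
        }
        switch (this.type) {
            case T_DIGEST:
                this.md.update(byteBuffer);
                this.bytesProcessed += remaining;
                return;
            case T_UPDATE:
                if (!(byteBuffer instanceof DirectBuffer)) {
                    super.engineUpdate(byteBuffer);
                    return;
                }
                // Direct buffers are handed to the native layer as address + length.
                // Both values are taken from the buffer itself (position/remaining),
                // which is what keeps the native read inside the buffer.
                long address = ((DirectBuffer) byteBuffer).address();
                int position = byteBuffer.position();
                try {
                    if (this.mode == M_SIGN) {
                        this.token.p11.C_SignUpdate(this.session.id(), address + position, null, 0, remaining);
                    } else {
                        this.token.p11.C_VerifyUpdate(this.session.id(), address + position, null, 0, remaining);
                    }
                    this.bytesProcessed += remaining;
                    byteBuffer.position(position + remaining);
                    return;
                } catch (PKCS11Exception e) {
                    throw new ProviderException("Update failed", e);
                }
            case T_RAW:
                // Overflow-safe form of "bytesProcessed + remaining > buffer.length".
                if (remaining > this.buffer.length - this.bytesProcessed) {
                    this.bytesProcessed = this.buffer.length + 1;
                    return;
                }
                byteBuffer.get(this.buffer, this.bytesProcessed, remaining);
                this.bytesProcessed += remaining;
                return;
            default:
                throw new ProviderException("Internal error");
        }
    }

    /**
     * Returns the bytes that are passed to {@code C_Sign}/{@code C_Verify} for the
     * {@code T_DIGEST} and {@code T_RAW} strategies.
     *
     * @throws SignatureException if the amount of raw input is not acceptable
     */
    private byte[] finishInput() throws SignatureException {
        if (this.type == T_DIGEST) {
            return this.md.digest();
        }
        if (this.mechanism == CKM_DSA) {
            if (this.bytesProcessed != this.buffer.length) {
                throw new SignatureException("Data for RawDSA must be exactly 20 bytes long");
            }
            return this.buffer;
        }
        if (this.bytesProcessed > this.buffer.length) {
            throw new SignatureException("Data for NONEwithECDSA must be at most 128 bytes long");
        }
        byte[] data = new byte[this.bytesProcessed];
        System.arraycopy(this.buffer, 0, data, 0, this.bytesProcessed);
        return data;
    }

    /**
     * Completes the signature. RSA results are returned as delivered by the token, all
     * other results are converted from {@code r || s} to a DER SEQUENCE of two INTEGERs.
     *
     * @return the signature bytes
     * @throws SignatureException if the raw input length is invalid or encoding fails
     * @throws ProviderException  if the token reports an error
     */
    @Override
    protected byte[] engineSign() throws SignatureException {
        ensureInitialized();
        try {
            byte[] signature;
            if (this.type == T_UPDATE) {
                signature = this.token.p11.C_SignFinal(this.session.id(), this.keyAlgorithm.equals("DSA") ? 40 : 0);
            } else {
                byte[] data = finishInput();
                if (this.keyAlgorithm.equals("RSA")) {
                    byte[] encoded = encodeSignature(data);
                    if (this.mechanism == CKM_RSA_X_509) {
                        // Raw RSA: the PKCS#1 padding is applied in Java.
                        encoded = pkcs1Pad(encoded);
                    }
                    signature = this.token.p11.C_Sign(this.session.id(), encoded);
                } else {
                    signature = this.token.p11.C_Sign(this.session.id(), data);
                }
            }
            return this.keyAlgorithm.equals("RSA") ? signature : dsaToASN1(signature);
        } catch (PKCS11Exception e) {
            throw new ProviderException(e);
        } finally {
            // Single clean-up point for every exit path, so the session is released
            // exactly once.
            this.initialized = false;
            this.session = this.token.releaseSession(this.session);
        }
    }

    /**
     * Verifies {@code bArr} against the data supplied so far.
     *
     * <p>NOTE(review): for key algorithm "SM2" {@link #engineSign()} DER-encodes the
     * token output, but no DER-to-raw conversion is applied here. Confirm which
     * signature format the token expects for SM2 verification.
     *
     * @param bArr signature to check (DER encoded for DSA and EC)
     * @return {@code true} if the token accepted the signature, {@code false} if it
     *         reported an invalid signature or a length error
     * @throws SignatureException if the signature encoding or the raw input length is invalid
     * @throws ProviderException  if the token reports any other error
     */
    @Override
    protected boolean engineVerify(byte[] bArr) throws SignatureException {
        ensureInitialized();
        try {
            byte[] signature = bArr;
            if (this.keyAlgorithm.equals("DSA")) {
                signature = asn1ToDSA(bArr);
            } else if (this.keyAlgorithm.equals("EC")) {
                signature = asn1ToECDSA(bArr);
            }
            if (this.type == T_UPDATE) {
                this.token.p11.C_VerifyFinal(this.session.id(), signature);
            } else {
                byte[] data = finishInput();
                if (this.keyAlgorithm.equals("RSA")) {
                    byte[] encoded = encodeSignature(data);
                    if (this.mechanism == CKM_RSA_X_509) {
                        encoded = pkcs1Pad(encoded);
                    }
                    this.token.p11.C_Verify(this.session.id(), encoded, signature);
                } else {
                    this.token.p11.C_Verify(this.session.id(), data, signature);
                }
            }
            return true;
        } catch (PKCS11Exception e) {
            long errorCode = e.getErrorCode();
            // Only these three codes mean "does not verify"; everything else is a
            // token failure and must not be reported as a plain false.
            if (errorCode == CKR_SIGNATURE_INVALID
                    || errorCode == CKR_SIGNATURE_LEN_RANGE
                    || errorCode == CKR_DATA_LEN_RANGE) {
                return false;
            }
            throw new ProviderException(e);
        } finally {
            this.initialized = false;
            this.session = this.token.releaseSession(this.session);
        }
    }

    /** Applies PKCS#1 block type 1 padding sized for the current key. */
    private byte[] pkcs1Pad(byte[] bArr) {
        try {
            return RSAPadding.getInstance(1, (this.p11Key.length() + 7) >> 3).pad(bArr);
        } catch (GeneralSecurityException e) {
            throw new ProviderException(e);
        }
    }

    /** Wraps a digest value together with {@code digestOID} via {@code RSASignature.encodeSignature}. */
    private byte[] encodeSignature(byte[] bArr) throws SignatureException {
        try {
            return RSASignature.encodeSignature(this.digestOID, bArr);
        } catch (IOException e) {
            throw new SignatureException("Invalid encoding", e);
        }
    }

    /**
     * Converts a fixed-width {@code r || s} signature into a DER SEQUENCE of two INTEGERs.
     * The input is split in the middle; with an odd length the last byte is not used.
     */
    private static byte[] dsaToASN1(byte[] bArr) {
        int half = bArr.length >> 1;
        BigInteger r = new BigInteger(1, P11Util.subarray(bArr, 0, half));
        BigInteger s = new BigInteger(1, P11Util.subarray(bArr, half, half));
        try {
            DerOutputStream out = new DerOutputStream(100);
            out.putInteger(r);
            out.putInteger(s);
            return new DerValue((byte) 48, out.toByteArray()).toByteArray();
        } catch (IOException e) {
            throw new RuntimeException("Internal error", e);
        }
    }

    /**
     * Converts a DER encoded DSA signature into the 40-byte {@code r || s} form
     * (20 bytes each).
     *
     * @throws SignatureException if the encoding is malformed, has extra components or
     *                            trailing bytes, or a value does not fit into 20 bytes
     */
    private static byte[] asn1ToDSA(byte[] bArr) throws SignatureException {
        try {
            DerInputStream in = new DerInputStream(bArr);
            DerValue[] values = in.getSequence(2);
            // Accept exactly SEQUENCE { r, s } with nothing after it; otherwise several
            // different byte strings would be accepted as the same signature.
            if (values.length != 2 || in.available() != 0) {
                throw new IOException("Invalid encoding for signature");
            }
            byte[] r = toByteArray(values[0].getPositiveBigInteger(), 20);
            byte[] s = toByteArray(values[1].getPositiveBigInteger(), 20);
            if (r == null || s == null) {
                throw new SignatureException("Out of range value for R or S");
            }
            return P11Util.concat(r, s);
        } catch (SignatureException e) {
            throw e;
        } catch (Exception e) {
            throw new SignatureException("invalid encoding for signature", e);
        }
    }

    /**
     * Converts a DER encoded ECDSA signature into {@code r || s}, both values left-padded
     * to the length of the longer one. The width is derived from the values themselves,
     * not from the key, so range checking is left to the token.
     *
     * @throws SignatureException if the encoding is malformed, has extra components or
     *                            trailing bytes
     */
    private byte[] asn1ToECDSA(byte[] bArr) throws SignatureException {
        try {
            DerInputStream in = new DerInputStream(bArr);
            DerValue[] values = in.getSequence(2);
            // Same strictness as for DSA: exactly two components and no trailing data.
            if (values.length != 2 || in.available() != 0) {
                throw new IOException("Invalid encoding for signature");
            }
            byte[] r = KeyUtil.trimZeroes(values[0].getPositiveBigInteger().toByteArray());
            byte[] s = KeyUtil.trimZeroes(values[1].getPositiveBigInteger().toByteArray());
            int width = Math.max(r.length, s.length);
            byte[] result = new byte[width << 1];
            System.arraycopy(r, 0, result, width - r.length, r.length);
            System.arraycopy(s, 0, result, result.length - s.length, s.length);
            return result;
        } catch (Exception e) {
            throw new SignatureException("invalid encoding for signature", e);
        }
    }

    /**
     * Returns the big-endian encoding of {@code bigInteger} in exactly {@code i} bytes.
     *
     * @return the fixed-width array, or {@code null} if the value needs more than
     *         {@code i} bytes
     */
    private static byte[] toByteArray(BigInteger bigInteger, int i) {
        byte[] encoded = bigInteger.toByteArray();
        int length = encoded.length;
        if (length == i) {
            return encoded;
        }
        if (length == i + 1 && encoded[0] == 0) {
            // Drop the leading sign byte.
            byte[] trimmed = new byte[i];
            System.arraycopy(encoded, 1, trimmed, 0, i);
            return trimmed;
        }
        if (length > i) {
            return null;
        }
        byte[] padded = new byte[i];
        System.arraycopy(encoded, 0, padded, i - length, length);
        return padded;
    }

    /** Not supported; always throws {@link UnsupportedOperationException}. */
    @Override
    protected void engineSetParameter(String str, Object obj) throws InvalidParameterException {
        throw new UnsupportedOperationException("setParameter() not supported");
    }

    /** Not supported; always throws {@link UnsupportedOperationException}. */
    @Override
    protected Object engineGetParameter(String str) throws InvalidParameterException {
        throw new UnsupportedOperationException("getParameter() not supported");
    }
}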
