package com.koalii.kgsp.core.cert;

import com.koalii.kgsp.bc.asn1.ASN1InputStream;
import com.koalii.kgsp.bc.asn1.ASN1ObjectIdentifier;
import com.koalii.kgsp.bc.asn1.ASN1OctetString;
import com.koalii.kgsp.bc.asn1.ASN1Primitive;
import com.koalii.kgsp.bc.asn1.ASN1Sequence;
import com.koalii.kgsp.bc.asn1.ASN1Set;
import com.koalii.kgsp.bc.asn1.DERBMPString;
import com.koalii.kgsp.bc.asn1.pkcs.AuthenticatedSafe;
import com.koalii.kgsp.bc.asn1.pkcs.CertBag;
import com.koalii.kgsp.bc.asn1.pkcs.ContentInfo;
import com.koalii.kgsp.bc.asn1.pkcs.EncryptedData;
import com.koalii.kgsp.bc.asn1.pkcs.EncryptedPrivateKeyInfo;
import com.koalii.kgsp.bc.asn1.pkcs.MacData;
import com.koalii.kgsp.bc.asn1.pkcs.PKCS12PBEParams;
import com.koalii.kgsp.bc.asn1.pkcs.PKCSObjectIdentifiers;
import com.koalii.kgsp.bc.asn1.pkcs.Pfx;
import com.koalii.kgsp.bc.asn1.pkcs.PrivateKeyInfo;
import com.koalii.kgsp.bc.asn1.pkcs.SafeBag;
import com.koalii.kgsp.bc.asn1.x509.AlgorithmIdentifier;
import com.koalii.kgsp.bc.asn1.x509.BasicConstraints;
import com.koalii.kgsp.bc.asn1.x509.Extension;
import com.koalii.kgsp.bc.asn1.x509.X509ObjectIdentifiers;
import com.koalii.kgsp.bc.cert.X509CertificateHolder;
import com.koalii.kgsp.bc.crypto.Digest;
import com.koalii.kgsp.bc.crypto.ExtendedDigest;
import com.koalii.kgsp.bc.crypto.PBEParametersGenerator;
import com.koalii.kgsp.bc.crypto.engines.DESedeEngine;
import com.koalii.kgsp.bc.crypto.engines.RC2Engine;
import com.koalii.kgsp.bc.crypto.generators.PKCS12ParametersGenerator;
import com.koalii.kgsp.bc.crypto.macs.HMac;
import com.koalii.kgsp.bc.crypto.params.AsymmetricKeyParameter;
import com.koalii.kgsp.bc.crypto.params.KeyParameter;
import com.koalii.kgsp.bc.crypto.util.DigestFactory;
import com.koalii.kgsp.bc.operator.bc.BcDefaultDigestProvider;
import com.koalii.kgsp.bc.util.Arrays;
import com.koalii.kgsp.bc.util.Strings;
import com.koalii.kgsp.bc.util.encoders.Hex;
import com.koalii.kgsp.core.crypto.KcBlockCipher;
import com.koalii.kgsp.core.crypto.KcRC2;
import com.koalii.kgsp.core.crypto.KcTripleDES;
import com.koalii.kgsp.core.exception.KcErrors;
import com.koalii.kgsp.core.exception.KcException;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;

/* loaded from: input_file:com/koalii/kgsp/core/cert/KcPKCS12Store.class */
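/**
 * Loads a PKCS#12 (PFX) container from DER bytes and exposes the single private key and the
 * end-entity certificate found in it.
 *
 * <p>Processing order (see {@link #load(byte[], char[])}): the password-based MAC is verified when the
 * file carries a {@code MacData}; the {@code authSafe} must be of content type {@code data}; each inner
 * {@code ContentInfo} is either plain {@code data} or PKCS#12-PBE {@code encryptedData}; key bags become
 * {@link #privatekeyStore} (RSA or SM2), cert bags are collected into {@link #certChain}, and the first
 * non-CA certificate is moved into {@link #certStore}.
 *
 * <p>Security notes a caller should be aware of:
 * <ul>
 *   <li>A PFX without {@code MacData} is accepted without any integrity check (see {@link #isMacValid}).</li>
 *   <li>KDF iteration counts are taken from the file as-is; no upper bound is applied by this class.</li>
 *   <li>The password array is not cleared by this class.</li>
 *   <li>{@link #getCertChain()} returns the internal, mutable list.</li>
 * </ul>
 *
 * <p>Not thread-safe: {@code load} mutates instance state.
 */
public class KcPKCS12Store implements PKCSObjectIdentifiers, X509ObjectIdentifiers, KcKeyStore {
    /** Store built from the pkcs8ShroudedKeyBag; {@code null} until a supported key has been unwrapped. */
    private KcKeyStore privatekeyStore;
    /** Store holding the selected end-entity certificate; {@code null} until a cert bag has been processed. */
    private KcCertStore certStore;
    /** Alias of the key bag: friendlyName if present, else the hex-encoded localKeyId. */
    private String privateKeyAlias;

    // Content type codes returned by getContentInfoType(); they mirror the PKCS#7 ContentInfo types.
    private static final int DATA = 1;
    private static final int SIGNED_DATA = 2;
    private static final int ENCRYPTED_DATA = 3;
    private static final int ENVELOPED_DATA = 4;

    /** Every certificate from the cert bags, minus the one moved into {@link #certStore}. */
    private final ArrayList<X509CertificateHolder> certChain = new ArrayList<>();

    /** @return the key store built during {@code load}, or {@code null} if no key bag was found */
    public KcKeyStore getPrivatekeyStore() {
        return this.privatekeyStore;
    }

    /** @return the cert store built during {@code load}, or {@code null} if no cert bag was found */
    public KcCertStore getCertStore() {
        return this.certStore;
    }

    /**
     * Returns the remaining certificates (typically the issuer chain) after the end-entity certificate
     * has been moved into the cert store.
     *
     * @return the internal list itself, not a copy; mutating it mutates this store
     */
    public ArrayList<X509CertificateHolder> getCertChain() {
        return this.certChain;
    }

    /**
     * Loads a PFX whose password is given as raw bytes.
     *
     * @param bArr DER-encoded PFX
     * @param bArr2 password bytes, converted one byte per char
     * @throws KcException see {@link #load(byte[], char[])}
     */
    public KcPKCS12Store(byte[] bArr, byte[] bArr2) throws KcException {
        load(bArr, bArr2);
    }

    /**
     * Loads a PFX protected by the given password.
     *
     * @param bArr DER-encoded PFX
     * @param cArr password, must be non-empty
     * @throws KcException see {@link #load(byte[], char[])}
     */
    public KcPKCS12Store(byte[] bArr, char[] cArr) throws KcException {
        load(bArr, cArr);
    }

    /**
     * Parses, integrity-checks and decrypts a PFX blob into this store.
     *
     * @param bArr DER-encoded PFX
     * @param cArr password; must be non-null and non-empty
     * @throws KcException if the password is empty, the MAC does not verify, the authSafe is not of
     *         content type {@code data}, or any contained bag cannot be decrypted or parsed
     */
    public void load(byte[] bArr, char[] cArr) throws KcException {
        if (cArr == null || cArr.length == 0) {
            throw new KcException(KcErrors.ERROR_CORE_PKCS12_PASSWORD_EMPTY);
        }
        Pfx pfx = Pfx.getInstance(bArr);
        // Verify integrity before any content is decrypted. isMacValid() returns true for a PFX that
        // carries no MacData at all, so integrity is only actually checked for files that include one.
        if (!isMacValid(pfx, cArr)) {
            throw new KcException(KcErrors.ERROR_CORE_PKCS12_MAC_INVALID);
        }
        ContentInfo authSafe = pfx.getAuthSafe();
        ASN1ObjectIdentifier authSafeType = authSafe.getContentType();
        if (!data.equals(authSafeType)) {
            // signedData (public-key integrity mode) and any other wrapper are not supported here;
            // fail loudly rather than leaving the store silently empty.
            throw new KcException(KcErrors.ERROR_CORE_PKCS12_UNSUPPORTED_TYPE, "Unsupported type");
        }
        byte[] authSafeBytes = ASN1OctetString.getInstance(authSafe.getContent()).getOctets();
        parseAuthSafe(AuthenticatedSafe.getInstance(authSafeBytes), authSafeType, cArr, null);
    }

    /**
     * Convenience overload taking the password as bytes.
     *
     * @param bArr DER-encoded PFX
     * @param bArr2 password bytes; converted with {@code Strings.asCharArray}, i.e. one char per byte
     *        (NOTE(review): for non-ASCII passwords this may derive a different key than the
     *        {@code char[]} overload — confirm against Strings.asCharArray)
     * @throws KcException see {@link #load(byte[], char[])}
     */
    public void load(byte[] bArr, byte[] bArr2) throws KcException {
        load(bArr, Strings.asCharArray(bArr2));
    }

    /** @return the key bag alias (friendlyName, else hex localKeyId), or {@code null} if none was found */
    public String getPrivateKeyAlias() {
        return this.privateKeyAlias;
    }

    /**
     * Computes the PKCS#12 password-integrity MAC over {@code bArr}.
     *
     * @param extendedDigest digest named by the MacData's DigestInfo
     * @param pKCS12PBEParams salt (exposed by BC as {@code getIV()}) and iteration count
     * @param cArr password
     * @param bArr the bytes that were MACed (the encoded authSafe content)
     * @return the HMAC value, {@code extendedDigest.getDigestSize()} bytes long
     */
    protected byte[] generateMac(ExtendedDigest extendedDigest, PKCS12PBEParams pKCS12PBEParams, char[] cArr, byte[] bArr) {
        PKCS12ParametersGenerator kdf = new PKCS12ParametersGenerator(extendedDigest);
        // Iteration count is attacker-controlled input from the file; no upper bound is applied here.
        kdf.init(PBEParametersGenerator.PKCS12PasswordToBytes(cArr), pKCS12PBEParams.getIV(), pKCS12PBEParams.getIterations().intValue());
        // MAC key length equals the digest output size, as PKCS#12 prescribes.
        KeyParameter macKey = (KeyParameter) kdf.generateDerivedMacParameters(extendedDigest.getDigestSize() * 8);
        HMac hMac = new HMac(extendedDigest);
        hMac.init(macKey);
        hMac.update(bArr, 0, bArr.length);
        byte[] mac = new byte[hMac.getMacSize()];
        hMac.doFinal(mac, 0);
        return mac;
    }

    /**
     * Verifies the PFX MacData against the password.
     *
     * <p>A PFX without MacData is treated as valid: no integrity check is performed in that case, so a
     * tampered or mis-encrypted authSafe would only surface later as a decryption/parse error.
     *
     * @param pfx parsed PFX
     * @param cArr password
     * @return {@code true} if no MacData is present or the recomputed MAC equals the stored one
     * @throws KcException if the MAC cannot be recomputed (unsupported digest, malformed MacData, ...)
     */
    protected boolean isMacValid(Pfx pfx, char[] cArr) throws KcException {
        MacData macData = pfx.getMacData();
        if (macData == null) {
            return true;
        }
        try {
            ExtendedDigest digest = BcDefaultDigestProvider.INSTANCE.get(macData.getMac().getAlgorithmId());
            PKCS12PBEParams kdfParams = new PKCS12PBEParams(macData.getSalt(), macData.getIterationCount().intValue());
            byte[] macedContent = ASN1OctetString.getInstance(pfx.getAuthSafe().getContent()).getOctets();
            byte[] expected = generateMac(digest, kdfParams, cArr, macedContent);
            // Constant-time compare so a wrong password is not distinguishable by timing.
            return Arrays.constantTimeAreEqual(expected, macData.getMac().getDigest());
        } catch (Exception e) {
            throw new KcException(KcErrors.ERROR_CORE_PKCS12_MAC_INVALID, e);
        }
    }

    /** @return whether {@code oid} is one of the two PKCS#12 SHA-1/3DES-CBC PBE schemes. */
    private static boolean isTripleDesPbe(ASN1ObjectIdentifier oid) {
        return oid.equals(PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC)
                || oid.equals(PKCSObjectIdentifiers.pbeWithSHAAnd2_KeyTripleDES_CBC);
    }

    /** @return whether {@code oid} is one of the two PKCS#12 SHA-1/RC2-CBC PBE schemes. */
    private static boolean isRc2Pbe(ASN1ObjectIdentifier oid) {
        return oid.equals(PKCSObjectIdentifiers.pbeWithSHAAnd128BitRC2_CBC)
                || oid.equals(PKCSObjectIdentifiers.pbeWithSHAAnd40BitRC2_CBC);
    }

    /**
     * Selects the block cipher for a PKCS#12 PBE scheme.
     *
     * @param aSN1ObjectIdentifier PBE algorithm OID
     * @return a CBC-mode 3DES or RC2 cipher
     * @throws KcException for any other OID
     */
    protected KcBlockCipher getPbeCipher(ASN1ObjectIdentifier aSN1ObjectIdentifier) throws KcException {
        if (isTripleDesPbe(aSN1ObjectIdentifier)) {
            return new KcTripleDES("CBC");
        }
        if (isRc2Pbe(aSN1ObjectIdentifier)) {
            return new KcRC2("CBC");
        }
        throw new KcException(KcErrors.ERROR_CORE_PKCS12_ALG_UNSUPPORTED, aSN1ObjectIdentifier.getId());
    }

    /**
     * Selects the KDF digest for a PKCS#12 PBE scheme; all four supported schemes use SHA-1.
     *
     * @param aSN1ObjectIdentifier PBE algorithm OID
     * @return a fresh SHA-1 digest
     * @throws KcException for any other OID
     */
    protected Digest getPbeDigest(ASN1ObjectIdentifier aSN1ObjectIdentifier) throws KcException {
        if (isTripleDesPbe(aSN1ObjectIdentifier) || isRc2Pbe(aSN1ObjectIdentifier)) {
            return DigestFactory.createSHA1();
        }
        throw new KcException(KcErrors.ERROR_CORE_PKCS12_ALG_UNSUPPORTED, aSN1ObjectIdentifier.getId());
    }

    /**
     * Returns the IV size in bits for a PKCS#12 PBE scheme (the cipher block size), or 0 if the OID
     * is not one of the supported schemes.
     *
     * @param aSN1ObjectIdentifier PBE algorithm OID
     * @return IV length in bits, or 0
     */
    protected int getPbeIVSize(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        if (isTripleDesPbe(aSN1ObjectIdentifier)) {
            return new DESedeEngine().getBlockSize() * 8;
        }
        if (isRc2Pbe(aSN1ObjectIdentifier)) {
            return new RC2Engine().getBlockSize() * 8;
        }
        return 0;
    }

    /**
     * Returns the key size in bits for a PKCS#12 PBE scheme.
     *
     * @param aSN1ObjectIdentifier PBE algorithm OID
     * @return 192 (3-key 3DES), 128 (2-key 3DES or 128-bit RC2) or 40 (40-bit RC2)
     * @throws KcException for any other OID
     */
    protected int getPbeKeySize(ASN1ObjectIdentifier aSN1ObjectIdentifier) throws KcException {
        if (aSN1ObjectIdentifier.equals(PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC)) {
            return 192;
        }
        if (aSN1ObjectIdentifier.equals(PKCSObjectIdentifiers.pbeWithSHAAnd2_KeyTripleDES_CBC)
                || aSN1ObjectIdentifier.equals(PKCSObjectIdentifiers.pbeWithSHAAnd128BitRC2_CBC)) {
            return 128;
        }
        if (aSN1ObjectIdentifier.equals(PKCSObjectIdentifiers.pbeWithSHAAnd40BitRC2_CBC)) {
            return 40;
        }
        throw new KcException(KcErrors.ERROR_CORE_PKCS12_ALG_UNSUPPORTED, aSN1ObjectIdentifier.getId());
    }

    /**
     * Decrypts PKCS#12-PBE protected bytes.
     *
     * @param algorithmIdentifier PBE algorithm and its PKCS12PBEParams (salt + iteration count)
     * @param bArr ciphertext
     * @param cArr password
     * @return plaintext
     * @throws KcException if the OID is not under the PKCS#12 PBE arc, or the scheme is unsupported
     */
    protected byte[] unwrapPbeData(AlgorithmIdentifier algorithmIdentifier, byte[] bArr, char[] cArr) throws KcException {
        ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
        if (!algorithm.on(PKCSObjectIdentifiers.pkcs_12PbeIds)) {
            throw new KcException(KcErrors.ERROR_CORE_PKCS12_UNWRAP_PBE, algorithm.getId());
        }
        PKCS12PBEParams pbeParams = PKCS12PBEParams.getInstance(algorithmIdentifier.getParameters());
        int keyBits = getPbeKeySize(algorithm);
        int ivBits = getPbeIVSize(algorithm);
        PKCS12ParametersGenerator kdf = new PKCS12ParametersGenerator(getPbeDigest(algorithm));
        // Iteration count is taken from the file without an upper bound.
        kdf.init(PBEParametersGenerator.PKCS12PasswordToBytes(cArr), pbeParams.getIV(), pbeParams.getIterations().intValue());
        // Derive an IV only when the cipher mode needs one; getPbeIVSize() reports 0 otherwise.
        return getPbeCipher(algorithm).decrypt(bArr,
                ivBits > 0 ? kdf.generateDerivedParameters(keyBits, ivBits) : kdf.generateDerivedParameters(keyBits));
    }

    /**
     * Decrypts a shrouded PrivateKeyInfo and installs an RSA or SM2 key store for it.
     *
     * @param algorithmIdentifier PBE algorithm of the EncryptedPrivateKeyInfo
     * @param bArr encrypted PrivateKeyInfo
     * @param cArr password
     * @throws KcException if decryption fails or the key is neither RSA nor SM2
     */
    protected void unwrapPrivateKey(AlgorithmIdentifier algorithmIdentifier, byte[] bArr, char[] cArr) throws KcException {
        byte[] plainKeyInfo = unwrapPbeData(algorithmIdentifier, bArr, cArr);
        try {
            PrivateKeyInfo privateKeyInfo;
            ASN1InputStream in = new ASN1InputStream(plainKeyInfo);
            try {
                privateKeyInfo = PrivateKeyInfo.getInstance(in.readObject());
            } finally {
                // Close on every path, not only on success.
                in.close();
            }
            if (KcRSAKeyStore.isRsaKey(privateKeyInfo)) {
                this.privatekeyStore = new KcRSAKeyStore();
                this.privatekeyStore.setPrivateKey(KcRSAKeyStore.parseRsaPrivateKey(privateKeyInfo));
            } else if (KcSM2KeyStore.isSM2Key(privateKeyInfo)) {
                this.privatekeyStore = new KcSM2KeyStore();
                this.privatekeyStore.setPrivateKey(KcSM2KeyStore.parseEcPrivateKey(privateKeyInfo));
            } else {
                throw new KcException(KcErrors.ERROR_CORE_PKCS12_UNWRAP_PRIVAE_KEY, "no private key");
            }
        } catch (KcException e) {
            throw e;
        } catch (Exception e) {
            throw new KcException(KcErrors.ERROR_CORE_PKCS12_UNWRAP_PRIVAE_KEY, e);
        }
    }

    /**
     * Derives {@link #privateKeyAlias} from a key bag's attributes: friendlyName wins, otherwise the
     * hex-encoded localKeyId; if neither attribute is present the alias is left unchanged.
     *
     * @param aSN1Set the SafeBag attribute set
     * @throws KcException declared for API compatibility; not thrown by this implementation
     */
    protected void parseBagAttrs(ASN1Set aSN1Set) throws KcException {
        String friendlyName = null;
        ASN1OctetString localKeyId = null;
        Enumeration<?> attrs = aSN1Set.getObjects();
        while (attrs.hasMoreElements()) {
            ASN1Sequence attr = ASN1Sequence.getInstance(attrs.nextElement());
            ASN1ObjectIdentifier attrType = ASN1ObjectIdentifier.getInstance(attr.getObjectAt(0));
            ASN1Set values = ASN1Set.getInstance(attr.getObjectAt(1));
            if (values.size() == 0) {
                continue;
            }
            // Only the first value of a multi-valued attribute is considered.
            ASN1Primitive first = (ASN1Primitive) values.getObjectAt(0);
            if (attrType.equals(pkcs_9_at_friendlyName)) {
                friendlyName = DERBMPString.getInstance(first).getString();
            } else if (attrType.equals(pkcs_9_at_localKeyId)) {
                localKeyId = ASN1OctetString.getInstance(first);
            }
        }
        if (friendlyName != null) {
            this.privateKeyAlias = friendlyName;
        } else if (localKeyId != null) {
            // Hex output is ASCII, so the charset used for the conversion is irrelevant.
            this.privateKeyAlias = Strings.fromByteArray(Hex.encode(localKeyId.getOctets()));
        }
    }

    /**
     * Dispatches on the authSafe content type; only {@code data} is supported.
     *
     * @param authenticatedSafe the decoded AuthenticatedSafe
     * @param aSN1ObjectIdentifier content type of the outer authSafe ContentInfo
     * @param cArr password
     * @param kcKeyStore unused; passed through for API compatibility
     * @throws KcException for any content type other than {@code data}
     */
    private void parseAuthSafe(AuthenticatedSafe authenticatedSafe, ASN1ObjectIdentifier aSN1ObjectIdentifier, char[] cArr, KcKeyStore kcKeyStore) throws KcException {
        switch (getContentInfoType(aSN1ObjectIdentifier)) {
            case DATA:
                parseAuthSafe4Data(authenticatedSafe.getContentInfo(), cArr, kcKeyStore);
                return;
            case SIGNED_DATA:
            default:
                throw new KcException(KcErrors.ERROR_CORE_PKCS12_UNSUPPORTED_TYPE, "Unsupported type");
        }
    }

    /**
     * Maps a PKCS#7 content type OID to one of the {@code *_DATA} codes.
     *
     * @param aSN1ObjectIdentifier content type OID
     * @return {@link #DATA}, {@link #SIGNED_DATA}, {@link #ENCRYPTED_DATA} or {@link #ENVELOPED_DATA}
     * @throws KcException for any other OID
     */
    private int getContentInfoType(ASN1ObjectIdentifier aSN1ObjectIdentifier) throws KcException {
        if (aSN1ObjectIdentifier.equals(data)) {
            return DATA;
        }
        if (aSN1ObjectIdentifier.equals(signedData)) {
            return SIGNED_DATA;
        }
        if (aSN1ObjectIdentifier.equals(encryptedData)) {
            return ENCRYPTED_DATA;
        }
        if (aSN1ObjectIdentifier.equals(envelopedData)) {
            return ENVELOPED_DATA;
        }
        throw new KcException(KcErrors.ERROR_CORE_PKCS12_LOAD_AUTHSAFE, "unkown contentInfo type");
    }

    /**
     * Walks the AuthenticatedSafe's ContentInfos, parsing plain and PBE-encrypted SafeContents, then
     * selects the end-entity certificate from everything collected.
     *
     * @param contentInfoArr the AuthenticatedSafe entries
     * @param cArr password
     * @param kcKeyStore unused; kept for API compatibility
     * @throws KcException on signedData/envelopedData entries (not supported), decryption or parse
     *         failures, or if no end-entity certificate can be selected
     */
    private void parseAuthSafe4Data(ContentInfo[] contentInfoArr, char[] cArr, KcKeyStore kcKeyStore) throws KcException {
        initCertChain();
        for (ContentInfo contentInfo : contentInfoArr) {
            switch (getContentInfoType(contentInfo.getContentType())) {
                case DATA:
                    parseSafeBagsInLoop(ASN1Sequence.getInstance(ASN1OctetString.getInstance(contentInfo.getContent()).getOctets()), cArr);
                    break;
                case ENCRYPTED_DATA:
                    parseEncryptedSafeContents(EncryptedData.getInstance(contentInfo.getContent()), cArr);
                    break;
                case SIGNED_DATA:
                case ENVELOPED_DATA:
                default:
                    // Neither public-key integrity nor public-key privacy mode is supported; do not
                    // skip such entries silently.
                    throw new KcException(KcErrors.ERROR_CORE_PKCS12_UNSUPPORTED_TYPE, "Unsupported type");
            }
        }
        selectCertFromCertchain();
    }

    /**
     * Decrypts an encryptedData entry with the password and parses the resulting SafeContents.
     *
     * @param encryptedData the entry's EncryptedData
     * @param cArr password
     * @throws KcException if decryption fails or the plaintext is not a valid DER sequence
     */
    private void parseEncryptedSafeContents(EncryptedData encryptedData, char[] cArr) throws KcException {
        byte[] safeContents = unwrapPbeData(encryptedData.getEncryptionAlgorithm(), encryptedData.getContent().getOctets(), cArr);
        try {
            parseSafeBagsInLoop(ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(safeContents)), cArr);
        } catch (IOException e) {
            // Keep the cause: a malformed plaintext here usually means a wrong password or tampering.
            throw new KcException(KcErrors.ERROR_CORE_PKCS12_READ_ENCRYPTEDDATA, e);
        }
    }

    /** Drops certificates collected by a previous load. */
    private void initCertChain() {
        this.certChain.clear();
    }

    /**
     * Picks the end-entity certificate out of {@link #certChain}, removes it from the chain and
     * installs it into {@link #certStore}.
     *
     * <p>With a single certificate that one is used; otherwise the first certificate that is not a CA
     * (no basicConstraints extension, or basicConstraints with cA=false) is chosen.
     *
     * @throws KcException if the chain has several certificates but all are CAs, or the selected
     *         certificate is neither RSA nor SM2
     */
    private void selectCertFromCertchain() throws KcException {
        if (this.certChain.isEmpty()) {
            return;
        }
        X509CertificateHolder selected = null;
        if (this.certChain.size() == 1) {
            selected = this.certChain.get(0);
        } else {
            for (X509CertificateHolder candidate : this.certChain) {
                if (!isCaCert(candidate)) {
                    selected = candidate;
                    break;
                }
            }
        }
        if (selected == null) {
            throw new KcException(KcErrors.ERROR_CORE_PKCS12_UNWRAP_CERT, "no cert");
        }
        this.certChain.remove(selected);
        // An existing cert store (from an earlier load) is reused rather than replaced.
        if (this.certStore == null) {
            if (KcRSACertStore.isRsaCert(selected)) {
                this.certStore = new KcRSACertStore();
            } else if (KcSM2CertStore.isSM2Cert(selected)) {
                this.certStore = new KcSM2CertStore();
            } else {
                throw new KcException(KcErrors.ERROR_CORE_PKCS12_UNSUPPORTED_ALGORITHM, "Unsupported algorithm");
            }
        }
        this.certStore.setCert(selected);
    }

    /**
     * @param holder certificate to inspect
     * @return {@code true} only if the certificate carries a basicConstraints extension with cA=true
     */
    private static boolean isCaCert(X509CertificateHolder holder) {
        if (!holder.getExtensionOIDs().contains(Extension.basicConstraints)) {
            return false;
        }
        byte[] extnValue = holder.getExtension(Extension.basicConstraints).getExtnValue().getOctets();
        return BasicConstraints.getInstance(extnValue).isCA();
    }

    /**
     * Parses every SafeBag of a SafeContents sequence.
     *
     * @param aSN1Sequence SafeContents
     * @param cArr password, needed for shrouded key bags
     * @throws KcException propagated from bag parsing
     */
    private void parseSafeBagsInLoop(ASN1Sequence aSN1Sequence, char[] cArr) throws KcException {
        int bagCount = aSN1Sequence.size();
        for (int idx = 0; idx < bagCount; idx++) {
            parseDataSafeBag(SafeBag.getInstance(aSN1Sequence.getObjectAt(idx)), cArr);
        }
    }

    /**
     * Routes a SafeBag by its bagId; only pkcs8ShroudedKeyBag and certBag are supported.
     *
     * @param safeBag the bag
     * @param cArr password
     * @throws KcException for any other bag type, or on parse failure
     */
    private void parseDataSafeBag(SafeBag safeBag, char[] cArr) throws KcException {
        ASN1ObjectIdentifier bagId = safeBag.getBagId();
        if (bagId.equals(pkcs8ShroudedKeyBag)) {
            parseDataPkcs8ShroudedKeyBag(safeBag, cArr);
        } else if (bagId.equals(certBag)) {
            parseDataCertBag(safeBag);
        } else {
            throw new KcException(KcErrors.ERROR_CORE_PKCS12_UNSUPPORTED_TYPE, "Unsupported type");
        }
    }

    /**
     * Unwraps a shrouded key bag into the private key store and reads its alias attributes, if any.
     *
     * @param safeBag a pkcs8ShroudedKeyBag
     * @param cArr password
     * @throws KcException propagated from {@link #unwrapPrivateKey} and {@link #parseBagAttrs}
     */
    private void parseDataPkcs8ShroudedKeyBag(SafeBag safeBag, char[] cArr) throws KcException {
        EncryptedPrivateKeyInfo shrouded = EncryptedPrivateKeyInfo.getInstance(safeBag.getBagValue());
        unwrapPrivateKey(shrouded.getEncryptionAlgorithm(), shrouded.getEncryptedData(), cArr);
        ASN1Set bagAttributes = safeBag.getBagAttributes();
        if (bagAttributes != null && bagAttributes.size() > 0) {
            parseBagAttrs(bagAttributes);
        }
    }

    /**
     * Adds the certificate of a certBag to {@link #certChain}.
     *
     * @param safeBag a certBag whose certValue is an X.509 certificate
     * @throws KcException if the certificate bytes cannot be parsed
     */
    private void parseDataCertBag(SafeBag safeBag) throws KcException {
        try {
            byte[] certDer = ((ASN1OctetString) CertBag.getInstance(safeBag.getBagValue()).getCertValue()).getOctets();
            this.certChain.add(new X509CertificateHolder(certDer));
        } catch (IOException e) {
            throw new KcException(KcErrors.ERROR_CORE_PKCS12_READ_CERT_ERROR, e);
        }
    }

    // ----- KcCertStore delegation -----
    // Every method below forwards to certStore / privatekeyStore and will throw NullPointerException
    // if load() has not populated the corresponding store.

    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public void setCert(X509CertificateHolder x509CertificateHolder) throws KcException {
        this.certStore.setCert(x509CertificateHolder);
    }

    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public X509CertificateHolder getCert() {
        return this.certStore.getCert();
    }

    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public String getCertImprint() throws KcException {
        return this.certStore.getCertImprint();
    }

    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public AsymmetricKeyParameter getPublicKey() {
        return this.certStore.getPublicKey();
    }

    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public X509Certificate getJcaCert() throws KcException {
        return this.certStore.getJcaCert();
    }

    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public X509Certificate getJcaCert(String str) throws KcException {
        return this.certStore.getJcaCert(str);
    }

    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public PublicKey getJcaPublicKey() throws KcException {
        return this.certStore.getJcaPublicKey();
    }

    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public boolean isIssuerOf(X509CertificateHolder x509CertificateHolder) {
        return this.certStore.isIssuerOf(x509CertificateHolder);
    }

    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public boolean isSignCert() {
        return this.certStore.isSignCert();
    }

    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public boolean isEncryptCert() {
        return this.certStore.isEncryptCert();
    }

    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public String getKeyAlgName() {
        return this.certStore.getKeyAlgName();
    }

    // Note: this one is answered by the private key store, not the cert store.
    @Override // com.koalii.kgsp.core.cert.KcCertStore
    public int getKeyBitLength() throws KcException {
        return this.privatekeyStore.getKeyBitLength();
    }

    // ----- KcKeyStore delegation -----

    @Override // com.koalii.kgsp.core.cert.KcKeyStore
    public void setPrivateKey(AsymmetricKeyParameter asymmetricKeyParameter) {
        this.privatekeyStore.setPrivateKey(asymmetricKeyParameter);
    }

    @Override // com.koalii.kgsp.core.cert.KcKeyStore
    public AsymmetricKeyParameter getPrivateKey() {
        return this.privatekeyStore.getPrivateKey();
    }

    @Override // com.koalii.kgsp.core.cert.KcKeyStore
    public PrivateKey getJcaPrivateKey() throws KcException {
        return this.privatekeyStore.getJcaPrivateKey();
    }

    @Override // com.koalii.kgsp.core.cert.KcKeyStore
    public boolean isKeyMatched() throws KcException {
        return this.privatekeyStore.isKeyMatched();
    }

    @Override // com.koalii.kgsp.core.cert.KcKeyStore
    public void loadKeyData(byte[] bArr, char[] cArr) throws KcException {
        this.privatekeyStore.loadKeyData(bArr, cArr);
    }
}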
