package com.safenetinc.luna.provider;

import com.safenetinc.luna.LunaAPI;
import com.safenetinc.luna.LunaException;
import com.safenetinc.luna.LunaSession;
import com.safenetinc.luna.LunaSessionManager;
import com.safenetinc.luna.LunaSlotManager;
import com.safenetinc.luna.LunaTokenObject;
import com.safenetinc.luna.X509.AsnAlgorithmIdentifier;
import com.safenetinc.luna.X509.AsnAlgorithmIdentifierParametersRSAandPSS;
import com.safenetinc.luna.X509.AsnAlgorithmIdentifierRSAandPSS;
import com.safenetinc.luna.X509.AsnBase;
import com.safenetinc.luna.X509.AsnBitString;
import com.safenetinc.luna.X509.AsnCertificate;
import com.safenetinc.luna.X509.AsnInteger;
import com.safenetinc.luna.X509.AsnName;
import com.safenetinc.luna.X509.AsnNull;
import com.safenetinc.luna.X509.AsnOID;
import com.safenetinc.luna.X509.AsnTBSCertificate;
import com.safenetinc.luna.X509.AsnX509Extension;
import java.lang.ref.SoftReference;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PSSParameterSpec;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:WEB-INF/lib/LunaProvider.jar:com/safenetinc/luna/provider/LunaCertificateX509.class */
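/**
 * An X.509 certificate whose DER encoding is held as a certificate object on a Luna HSM token.
 *
 * <p>Each instance pairs the on-token object ({@code mObject}) with a parsed copy of its encoding
 * ({@code mCert}). The {@link X509Certificate} accessors read the parsed copy; the
 * {@code MakePersistent}, {@code DestroyCert}, {@code IsCertPersistent} and fingerprint operations
 * go to the token object.
 *
 * <p>Thread-safety: the class-level lookup cache ({@code cachedCerts}) is a concurrent map, but the
 * per-instance verification cache written by {@link #verify(PublicKey, String)} is not synchronised
 * (see that method).
 *
 * <p>Relying parties should note that {@link #hasUnsupportedCriticalExtension()} unconditionally
 * returns {@code false}, and that the {@code SelfSign} overloads fall back to SHA-1 based signature
 * algorithms when no algorithm name is supplied.
 */
public class LunaCertificateX509 extends X509Certificate implements LunaCertificate {
    static final long serialVersionUID = 0;
    // Handle to the certificate object on the token; null only for the deprecated no-arg constructor.
    private final LunaTokenObject mObject;
    // Parsed DER certificate; all X509Certificate getters read from here.
    private final AsnCertificate mCert;
    // Verification memo: last key / provider verified and the outcome. Written unsynchronised.
    private PublicKey cachedKey;
    private boolean cachedResult;
    private String cachedSigProvider;
    // Fingerprint -> instance cache shared by LocateCertByAlias/LocateCertByHandle. Concurrent so
    // that a multi-threaded provider user cannot corrupt the map; the values are soft references,
    // so an entry may be present but already cleared.
    private static final Map<CertKey, SoftReference<LunaCertificateX509>> cachedCerts = new ConcurrentHashMap<>();
    // Non-PSS RSA algorithm names accepted by SelfSign; their AlgorithmIdentifier parameters are ASN.1 NULL.
    private static final List<String> PKCS1_RSA_ALGORITHMS = Arrays.asList(
            "SHA1withRSA", "SHA224withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA");
    // ECDSA algorithm names accepted by SelfSign.
    private static final List<String> ECDSA_ALGORITHMS = Arrays.asList(
            "SHA1withECDSA", "SHA224withECDSA", "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA");

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/LunaProvider.jar:com/safenetinc/luna/provider/LunaCertificateX509$CertKey.class */
    /**
     * Cache key wrapping a token-object fingerprint; equality is by array content.
     */
    public static class CertKey {
        private final byte[] fingerprint;
        private final int hash;

        /**
         * @param bArr the fingerprint bytes; copied so later mutation of the caller's array
         *     cannot change the key's identity
         * @throws NumberFormatException if {@code bArr} is empty, because the hash is derived
         *     through {@link BigInteger#BigInteger(byte[])}
         */
        CertKey(byte[] bArr) {
            this.fingerprint = bArr.clone();
            // hash of the big-endian integer value of the fingerprint bytes
            this.hash = new BigInteger(bArr).hashCode();
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof CertKey)) {
                return false;
            }
            return Arrays.equals(this.fingerprint, ((CertKey) obj).fingerprint);
        }

        @Override
        public int hashCode() {
            return this.hash;
        }
    }

    /**
     * Creates an uninitialised instance with no token object and no certificate data.
     *
     * @deprecated every accessor on an instance built this way dereferences {@code null}
     */
    @Deprecated
    public LunaCertificateX509() {
        this.mObject = null;
        this.mCert = null;
    }

    /**
     * Stores a copy of an existing certificate in the default slot.
     *
     * @param x509Certificate certificate to copy onto the token
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    public LunaCertificateX509(X509Certificate x509Certificate) throws CertificateEncodingException {
        this(x509Certificate.getEncoded(), LunaSlotManager.getInstance().getDefaultSlot());
    }

    /**
     * Stores a copy of an existing certificate in the given slot.
     *
     * @param x509Certificate certificate to copy onto the token
     * @param i slot number
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    public LunaCertificateX509(X509Certificate x509Certificate, int i) throws CertificateEncodingException {
        this(x509Certificate.getEncoded(), i);
    }

    /**
     * Parses a DER-encoded certificate and stores it in the default slot.
     *
     * @param bArr DER encoding of the certificate
     */
    public LunaCertificateX509(byte[] bArr) {
        this(bArr, LunaSlotManager.getInstance().getDefaultSlot());
    }

    /**
     * Parses a DER-encoded certificate and stores it as a certificate object in the given slot.
     *
     * @param bArr DER encoding of the certificate
     * @param i slot number to store the certificate in
     * @throws LunaException if the HSM does not return a positive object handle
     */
    public LunaCertificateX509(byte[] bArr, int i) {
        this.mCert = new AsnCertificate(bArr);
        byte[] subject = this.mCert.GetTbsCertificate().GetSubjectDN().getEncoded();
        byte[] issuer = this.mCert.GetTbsCertificate().GetIssuerDN().getEncoded();
        byte[] serial = new AsnInteger(this.mCert.GetTbsCertificate().GetSerialNumber()).getEncoded();
        LunaAPI lunaAPI = LunaSlotManager.getInstance().getLunaAPI();
        LunaSession session = LunaSessionManager.getSession(i);
        try {
            int handle = lunaAPI.StoreCertificate(session.GetSessionHandle(), subject, issuer, serial, this.mCert.getEncoded());
            // SelfSign treats a non-positive handle as a failed store; be consistent here instead
            // of handing an invalid handle to LocateObjectByHandle.
            if (handle <= 0) {
                throw new LunaException("Unable to save certificate on the HSM");
            }
            // NOTE(review): the single-argument overload is used although the object was stored
            // through a session on slot i; LocateCertByHandle uses the (handle, slot) overload.
            // Confirm both resolve to the same slot.
            this.mObject = LunaTokenObject.LocateObjectByHandle(handle);
        } finally {
            // release the session whether or not the store succeeded
            session.Free();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Wraps an existing certificate object and parses its encoding read from the token.
     *
     * @param lunaTokenObject token object that holds a certificate
     * @throws LunaException if the object is {@code null} or its handle is below 1
     */
    public LunaCertificateX509(LunaTokenObject lunaTokenObject) {
        if (lunaTokenObject == null || lunaTokenObject.GetHandle() < 1) {
            throw new LunaException("Invalid token object");
        }
        this.mObject = lunaTokenObject;
        // Attribute 17 is fed straight to the certificate parser, so it holds the DER encoding
        // (presumably CKA_VALUE, 0x11 in PKCS#11 — confirm against the token API).
        this.mCert = new AsnCertificate(this.mObject.GetLargeAttribute(17L));
    }

    /**
     * Wraps an already-located token object together with its already-parsed certificate.
     *
     * @param lunaTokenObject token object that holds the certificate
     * @param asnCertificate parsed certificate matching that object
     */
    protected LunaCertificateX509(LunaTokenObject lunaTokenObject, AsnCertificate asnCertificate) {
        this.mObject = lunaTokenObject;
        this.mCert = asnCertificate;
    }

    /**
     * Creates and stores a self-signed certificate in the default slot.
     *
     * @see #SelfSign(String, KeyPair, String, BigInteger, Date, Date, int, int)
     */
    public static LunaCertificateX509 SelfSign(String str, KeyPair keyPair, String str2, BigInteger bigInteger, Date date, Date date2, int i) throws InvalidKeyException, CertificateEncodingException {
        return SelfSign(str, keyPair, str2, bigInteger, date, date2, i, LunaSlotManager.getInstance().getDefaultSlot());
    }

    /**
     * Creates a self-signed certificate with the HSM-backed {@code "LunaProvider"} and stores it in
     * the given slot.
     *
     * <p>Accepted algorithm names are, per key type: {@code SHA{1,224,256,384,512}withRSA} and
     * {@code SHA{224,256,384,512}withRSAandMGF1} (RSASSA-PSS) for RSA keys, {@code SHA1withDSA}
     * for DSA keys, and {@code SHA{1,224,256,384,512}withECDSA} for EC keys. When {@code str} is
     * {@code null} an RSA key defaults to {@code SHA1withRSA} and a DSA key to {@code SHA1withDSA};
     * SHA-1 is deprecated for signatures, so callers should pass an explicit SHA-2 algorithm.
     *
     * @param str JCA signature algorithm name, or {@code null} for the per-key-type default
     * @param keyPair key pair whose public key goes into the certificate and whose private key signs it
     * @param str2 distinguished name used as both subject and issuer
     * @param bigInteger certificate serial number
     * @param date start of the validity period (presumably notBefore — confirm against AsnTBSCertificate)
     * @param date2 end of the validity period (presumably notAfter)
     * @param i PSS salt length in bytes; only used for the {@code ...withRSAandMGF1} algorithms
     * @param i2 slot number to store the certificate in
     * @return the stored certificate
     * @throws InvalidKeyException if the algorithm is unknown to the provider or the private key
     *     cannot be used for signing
     * @throws CertificateEncodingException if the algorithm name is not accepted for the key type
     *     or signing fails
     * @throws LunaException if the provider is not installed or the HSM rejects the store
     */
    public static LunaCertificateX509 SelfSign(String str, KeyPair keyPair, String str2, BigInteger bigInteger, Date date, Date date2, int i, int i2) throws InvalidKeyException, CertificateEncodingException {
        AsnAlgorithmIdentifier algId;
        Signature signature;
        AsnBase params;
        PublicKey publicKey = keyPair.getPublic();
        PrivateKey privateKey = keyPair.getPrivate();
        try {
            if (publicKey instanceof RSAPublicKey) {
                if (str == null) {
                    str = "SHA1withRSA";
                }
                try {
                    if (PKCS1_RSA_ALGORITHMS.contains(str)) {
                        params = new AsnNull();
                    } else {
                        switch (str) {
                            case "SHA224withRSAandMGF1":
                                params = new AsnAlgorithmIdentifierParametersRSAandPSS("SHA224", i);
                                break;
                            case "SHA256withRSAandMGF1":
                                params = new AsnAlgorithmIdentifierParametersRSAandPSS("SHA256", i);
                                break;
                            case "SHA384withRSAandMGF1":
                                params = new AsnAlgorithmIdentifierParametersRSAandPSS("SHA384", i);
                                break;
                            case "SHA512withRSAandMGF1":
                                params = new AsnAlgorithmIdentifierParametersRSAandPSS("SHA512", i);
                                break;
                            default:
                                throw new SignatureException("Invalid algorithm for self sign RSA (" + str + ")");
                        }
                    }
                    algId = AsnAlgorithmIdentifier.GetInstance(str, params);
                    signature = Signature.getInstance(str, "LunaProvider");
                    // PSS needs the salt length pushed into the Signature as well as into the
                    // AlgorithmIdentifier so the two agree.
                    if (!(params instanceof AsnNull)) {
                        signature.setParameter(new PSSParameterSpec(i));
                    }
                } catch (InvalidAlgorithmParameterException e) {
                    throw new SignatureException("Invalid algorithm parameter for algorithm " + str, e);
                }
            } else if (publicKey instanceof DSAPublicKey) {
                if (str != null && !str.equals("SHA1withDSA")) {
                    throw new SignatureException("Discrepancy between algorithm and keypair type.");
                }
                algId = AsnAlgorithmIdentifier.GetInstance("SHA1withDSA", new AsnNull());
                signature = Signature.getInstance("SHA1withDSA", "LunaProvider");
            } else if (publicKey instanceof ECPublicKey) {
                // contains(null) is false, so a null name is rejected with the ECDSA message
                if (!ECDSA_ALGORITHMS.contains(str)) {
                    throw new SignatureException("Invalid algorithm for self sign ECDSA (" + str + ")");
                }
                algId = AsnAlgorithmIdentifier.GetInstance(str, new AsnNull());
                signature = Signature.getInstance(str, "LunaProvider");
            } else {
                throw new SignatureException("Invalid algorithm for self sign (" + str + ")");
            }
            // Subject and issuer are the same DN: this is a self-signed certificate.
            AsnTBSCertificate tbs = new AsnTBSCertificate(keyPair.getPublic(), algId, str2, str2, bigInteger, date, date2);
            byte[] tbsEncoded = tbs.getEncoded();
            signature.initSign(privateKey);
            signature.update(tbsEncoded);
            byte[] sig = signature.sign();
            AsnCertificate asnCertificate = new AsnCertificate(tbs, algId, new AsnBitString(sig, sig.length * 8));
            LunaAPI lunaAPI = LunaSlotManager.getInstance().getLunaAPI();
            byte[] dnEncoded = new AsnName(str2).getEncoded();
            LunaSession session = LunaSessionManager.getSession(i2);
            int handle;
            try {
                handle = lunaAPI.StoreCertificate(session.GetSessionHandle(), dnEncoded, dnEncoded, new AsnInteger(bigInteger).getEncoded(), asnCertificate.getEncoded());
            } finally {
                session.Free();
            }
            if (handle <= 0) {
                throw new LunaException("Unable to save certificate on the HSM");
            }
            return new LunaCertificateX509(LunaTokenObject.LocateObjectByHandle(handle), asnCertificate);
        } catch (NoSuchAlgorithmException e2) {
            throw new InvalidKeyException("Couldn't sign with key " + privateKey.getClass().getName(), e2);
        } catch (NoSuchProviderException e3) {
            throw new LunaException("Couldn't find LunaProvider");
        } catch (SignatureException e4) {
            throw new CertificateEncodingException("Problems with signature: " + e4, e4);
        }
    }

    /**
     * Creates a self-signed certificate with the per-key-type default (SHA-1 based) algorithm in
     * the default slot.
     *
     * @see #SelfSign(KeyPair, String, BigInteger, Date, Date, int)
     */
    public static LunaCertificateX509 SelfSign(KeyPair keyPair, String str, BigInteger bigInteger, Date date, Date date2) throws InvalidKeyException, CertificateEncodingException {
        return SelfSign(keyPair, str, bigInteger, date, date2, LunaSlotManager.getInstance().getDefaultSlot());
    }

    /**
     * Creates a self-signed certificate in the given slot, choosing {@code SHA1withRSA},
     * {@code SHA1withDSA} or {@code SHA1withECDSA} from the key type. These are SHA-1 signatures;
     * prefer the overload that takes an explicit algorithm name.
     *
     * @param keyPair key pair to certify and sign with
     * @param str distinguished name used as subject and issuer
     * @param bigInteger serial number
     * @param date start of validity
     * @param date2 end of validity
     * @param i slot number
     * @return the stored certificate
     * @throws InvalidKeyException if the public key is not RSA, DSA or EC
     * @throws CertificateEncodingException if signing fails
     */
    public static LunaCertificateX509 SelfSign(KeyPair keyPair, String str, BigInteger bigInteger, Date date, Date date2, int i) throws InvalidKeyException, CertificateEncodingException {
        PublicKey publicKey = keyPair.getPublic();
        String algorithm;
        if (publicKey instanceof RSAPublicKey) {
            algorithm = "SHA1withRSA";
        } else if (publicKey instanceof DSAPublicKey) {
            algorithm = "SHA1withDSA";
        } else if (publicKey instanceof ECPublicKey) {
            algorithm = "SHA1withECDSA";
        } else {
            throw new InvalidKeyException("Invalid key pair algorithm: " + publicKey.getAlgorithm());
        }
        // salt length 0: none of the chosen algorithms is PSS
        return SelfSign(algorithm, keyPair, str, bigInteger, date, date2, 0, i);
    }

    /**
     * Looks up a certificate by alias in the default slot.
     *
     * @see #LocateCertByAlias(String, int)
     */
    public static LunaCertificateX509 LocateCertByAlias(String str) {
        return LocateCertByAlias(str, LunaSlotManager.getInstance().getDefaultSlot());
    }

    /**
     * Looks up a certificate object by alias in the given slot.
     *
     * @param str object alias
     * @param i slot number
     * @return the cached or newly wrapped certificate, or {@code null} if no object with that
     *     alias exists or the object is not of class 1 (presumably CKO_CERTIFICATE — confirm)
     */
    public static LunaCertificateX509 LocateCertByAlias(String str, int i) {
        LunaTokenObject obj = LunaTokenObject.LocateObjectByAlias(str, i);
        if (obj == null || obj.GetClassAndType()[0] != 1) {
            return null;
        }
        return getCachedCert(obj);
    }

    /**
     * Looks up a certificate by object handle in the default slot.
     *
     * @see #LocateCertByHandle(int, int)
     */
    public static LunaCertificateX509 LocateCertByHandle(int i) {
        return LocateCertByHandle(i, LunaSlotManager.getInstance().getDefaultSlot());
    }

    /**
     * Looks up a certificate object by handle in the given slot.
     *
     * @param i object handle
     * @param i2 slot number
     * @return the cached or newly wrapped certificate
     * @throws LunaException if no object is found for the handle or it is not a certificate
     */
    public static LunaCertificateX509 LocateCertByHandle(int i, int i2) {
        LunaTokenObject obj = LunaTokenObject.LocateObjectByHandle(i, i2);
        // LocateCertByAlias tolerates a null lookup result; give the handle path a clear error
        // instead of a NullPointerException.
        if (obj == null) {
            throw new LunaException("Object handle " + i + " not found");
        }
        if (obj.GetClassAndType()[0] != 1) {
            throw new LunaException("Object handle " + i + " is not a certificate");
        }
        return getCachedCert(obj);
    }

    /**
     * Returns the cached wrapper for a token object, keyed by its fingerprint, creating and caching
     * one when absent or when the soft reference has been cleared.
     *
     * <p>Two threads may race past the lookup and each construct a wrapper; the later {@code put}
     * wins. That is harmless because instances are equal by encoding, and it avoids holding a map
     * lock while the constructor talks to the HSM.
     *
     * @param lunaTokenObject certificate object on the token
     * @return a wrapper for the object, never {@code null}
     */
    private static LunaCertificateX509 getCachedCert(LunaTokenObject lunaTokenObject) {
        CertKey certKey = new CertKey(lunaTokenObject.GetFingerprint());
        SoftReference<LunaCertificateX509> ref = cachedCerts.get(certKey);
        LunaCertificateX509 cert = ref == null ? null : ref.get();
        if (cert == null) {
            cert = new LunaCertificateX509(lunaTokenObject);
            cachedCerts.put(certKey, new SoftReference<>(cert));
        }
        return cert;
    }

    /** @return the DER encoding of the parsed certificate */
    @Override // java.security.cert.Certificate
    public byte[] getEncoded() throws CertificateEncodingException {
        return this.mCert.getEncoded();
    }

    /** @return the token handle and subject DN of this certificate */
    @Override // java.security.cert.Certificate
    public String toString() {
        return "LunaCertificateX509: handle " + this.mObject.GetHandle() + ", DN='" + this.mCert.GetTbsCertificate().GetSubjectDN() + "'";
    }

    /**
     * Verifies the signature with the default {@code "LunaProvider"} provider.
     *
     * @see #verify(PublicKey, String)
     */
    @Override // java.security.cert.Certificate
    public void verify(PublicKey publicKey) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
        verify(publicKey, (String) null);
    }

    /**
     * Verifies this certificate's signature with {@code publicKey} using the named provider.
     *
     * <p>Results are memoised per instance: a repeat call with an equal key and the same provider
     * name (compared case-insensitively) replays the cached outcome without running the signature
     * again. The three cache fields are written without synchronisation, so concurrent calls on
     * one instance may observe a partially updated cache.
     *
     * <p>For RSASSA-PSS certificates the hash algorithm and salt length are taken from the
     * certificate's own outer AlgorithmIdentifier; {@code SHA1withRSAandMGF1} is accepted here even
     * though {@code SelfSign} does not produce it. NOTE(review): verification uses
     * {@code GetSignatureAlgorithmId()} (the outer signatureAlgorithm) whereas
     * {@link #getSigAlgName()} reports the TBS signature field; the two are not cross-checked here
     * as RFC 5280 section 4.1.1.2 requires them to match.
     *
     * @param publicKey key expected to have produced the signature
     * @param str provider name, or {@code null} for {@code "LunaProvider"}
     * @throws SignatureException if verification fails, the PSS hash OID is missing or unknown, or
     *     the PSS parameters are rejected by the provider
     * @throws NoSuchAlgorithmException if the provider does not implement the algorithm
     * @throws NoSuchProviderException if the named provider is not installed
     * @throws InvalidKeyException if {@code publicKey} cannot be used with the algorithm
     */
    @Override // java.security.cert.Certificate
    public void verify(PublicKey publicKey, String str) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
        String algorithmName = this.mCert.GetSignatureAlgorithmId().GetAlgorithm();
        if (str == null) {
            str = "LunaProvider";
        }
        if (this.cachedKey != null && this.cachedKey.equals(publicKey) && str.equalsIgnoreCase(this.cachedSigProvider)) {
            if (!this.cachedResult) {
                throw new SignatureException("Verification failed");
            }
            return;
        }
        Signature signature;
        if (this.mCert.GetSignatureAlgorithmId() instanceof AsnAlgorithmIdentifierRSAandPSS) {
            AsnAlgorithmIdentifierRSAandPSS pssId = (AsnAlgorithmIdentifierRSAandPSS) this.mCert.GetSignatureAlgorithmId();
            AsnOID hashAlgorithmOID = pssId.getHashAlgorithmOID();
            if (hashAlgorithmOID == null) {
                throw new SignatureException("No hash algorithm found for RSAandMGF1 algorithm");
            }
            byte[] hashOid = hashAlgorithmOID.GetOID();
            String pssAlgorithm;
            if (Arrays.equals(hashOid, AsnOID.idSHA1)) {
                pssAlgorithm = "SHA1withRSAandMGF1";
            } else if (Arrays.equals(hashOid, AsnOID.idSHA224)) {
                pssAlgorithm = "SHA224withRSAandMGF1";
            } else if (Arrays.equals(hashOid, AsnOID.idSHA256)) {
                pssAlgorithm = "SHA256withRSAandMGF1";
            } else if (Arrays.equals(hashOid, AsnOID.idSHA384)) {
                pssAlgorithm = "SHA384withRSAandMGF1";
            } else if (Arrays.equals(hashOid, AsnOID.idSHA512)) {
                pssAlgorithm = "SHA512withRSAandMGF1";
            } else {
                throw new SignatureException("Invalid hash algorithm for an RSAandMGF1 algorithm identifier");
            }
            signature = Signature.getInstance(pssAlgorithm, str);
            try {
                // salt length comes from the certificate's own parameters
                signature.setParameter(new PSSParameterSpec(pssId.getSaltValue().GetIntValue()));
            } catch (InvalidAlgorithmParameterException e) {
                throw new SignatureException("Invalid Algorithm Parameter Exception", e);
            }
        } else {
            signature = Signature.getInstance(algorithmName, str);
        }
        signature.initVerify(publicKey);
        signature.update(this.mCert.GetTbsCertificate().getEncoded());
        this.cachedResult = signature.verify(this.mCert.GetSignature());
        this.cachedKey = publicKey;
        this.cachedSigProvider = str;
        if (!this.cachedResult) {
            throw new SignatureException("Verification failed");
        }
    }

    /** @return the subject public key parsed from the TBS certificate */
    @Override // java.security.cert.Certificate
    public PublicKey getPublicKey() {
        return this.mCert.GetTbsCertificate().GetSubjectKey();
    }

    /**
     * Checks validity against the current system time.
     *
     * @see #checkValidity(Date)
     */
    @Override // java.security.cert.X509Certificate
    public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException {
        checkValidity(new Date());
    }

    /**
     * Checks that {@code date} lies within the certificate's validity period (inclusive).
     *
     * @param date instant to test
     * @throws CertificateNotYetValidException if {@code date} is before notBefore
     * @throws CertificateExpiredException if {@code date} is after notAfter
     */
    @Override // java.security.cert.X509Certificate
    public void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException {
        Date notBefore = this.mCert.GetTbsCertificate().GetNotBefore();
        Date notAfter = this.mCert.GetTbsCertificate().GetNotAfter();
        if (notBefore.after(date)) {
            throw new CertificateNotYetValidException("Certificate becomes valid at " + notBefore.toString());
        }
        if (notAfter.before(date)) {
            throw new CertificateExpiredException("Certificate expired on " + notAfter.toString());
        }
    }

    /** @return the basic-constraints path length as reported by the TBS parser */
    @Override // java.security.cert.X509Certificate
    public int getBasicConstraints() {
        return this.mCert.GetTbsCertificate().GetBasicConstraints();
    }

    /**
     * @return the issuer as an {@link X500Principal}
     * @deprecated use {@link #getIssuerX500Principal()}
     */
    @Override // java.security.cert.X509Certificate
    @Deprecated
    public Principal getIssuerDN() {
        return getIssuerX500Principal();
    }

    /** @return the issuer DN from the TBS certificate */
    @Override // java.security.cert.X509Certificate
    public X500Principal getIssuerX500Principal() {
        return this.mCert.GetTbsCertificate().GetIssuerDN();
    }

    /** @return the issuer unique identifier bits; NOTE(review): dereferences the field without a null check */
    @Override // java.security.cert.X509Certificate
    public boolean[] getIssuerUniqueID() {
        return this.mCert.GetTbsCertificate().GetIssuerUniqueId().GetBitString();
    }

    /** @return the key-usage bits as reported by the TBS parser */
    @Override // java.security.cert.X509Certificate
    public boolean[] getKeyUsage() {
        return this.mCert.GetTbsCertificate().GetKeyUsage();
    }

    /** @return the extended-key-usage OIDs as reported by the TBS parser */
    @Override // java.security.cert.X509Certificate
    public List<String> getExtendedKeyUsage() {
        return this.mCert.GetTbsCertificate().GetExtKeyUsage();
    }

    /** @return end of the validity period */
    @Override // java.security.cert.X509Certificate
    public Date getNotAfter() {
        return this.mCert.GetTbsCertificate().GetNotAfter();
    }

    /** @return start of the validity period */
    @Override // java.security.cert.X509Certificate
    public Date getNotBefore() {
        return this.mCert.GetTbsCertificate().GetNotBefore();
    }

    /** @return the serial number */
    @Override // java.security.cert.X509Certificate
    public BigInteger getSerialNumber() {
        return this.mCert.GetTbsCertificate().GetSerialNumber();
    }

    /**
     * @return the signature algorithm name taken from the TBS certificate's signature field (not
     *     the outer signatureAlgorithm that {@link #verify(PublicKey, String)} uses)
     */
    @Override // java.security.cert.X509Certificate
    public String getSigAlgName() {
        return this.mCert.GetTbsCertificate().GetSignatureAlgId().GetAlgorithm();
    }

    /** @return the dotted OID of the outer signatureAlgorithm */
    @Override // java.security.cert.X509Certificate
    public String getSigAlgOID() {
        return this.mCert.GetSignatureAlgorithmId().GetOID().GetOIDAsString();
    }

    /**
     * @return the DER encoding of the TBS signature algorithm's parameters; NOTE(review): a
     *     certificate whose parameters are absent would make {@code GetParameters()} return
     *     {@code null} and this method throw — confirm the parser's behaviour
     */
    @Override // java.security.cert.X509Certificate
    public byte[] getSigAlgParams() {
        return this.mCert.GetTbsCertificate().GetSignatureAlgId().GetParameters().getEncoded();
    }

    /** @return the raw signature bytes */
    @Override // java.security.cert.X509Certificate
    public byte[] getSignature() {
        return this.mCert.GetSignature();
    }

    /**
     * @return the subject as an {@link X500Principal}
     * @deprecated use {@link #getSubjectX500Principal()}
     */
    @Override // java.security.cert.X509Certificate
    @Deprecated
    public Principal getSubjectDN() {
        return getSubjectX500Principal();
    }

    /** @return the subject DN from the TBS certificate */
    @Override // java.security.cert.X509Certificate
    public X500Principal getSubjectX500Principal() {
        return this.mCert.GetTbsCertificate().GetSubjectDN();
    }

    /** @return the subject unique identifier bits; NOTE(review): dereferences the field without a null check */
    @Override // java.security.cert.X509Certificate
    public boolean[] getSubjectUniqueID() {
        return this.mCert.GetTbsCertificate().GetSubjectUniqueId().GetBitString();
    }

    /** @return the DER encoding of the TBS certificate, i.e. the bytes that were signed */
    @Override // java.security.cert.X509Certificate
    public byte[] getTBSCertificate() throws CertificateEncodingException {
        return this.mCert.GetTbsCertificate().getEncoded();
    }

    /** @return the X.509 version as reported by the TBS parser */
    @Override // java.security.cert.X509Certificate
    public int getVersion() {
        return this.mCert.GetTbsCertificate().GetVersion();
    }

    /**
     * Returns the DER-encoded OCTET STRING value of the named extension.
     *
     * @param str dotted extension OID
     * @return the encoded extnValue, or {@code null} if the certificate has no such extension
     */
    @Override // java.security.cert.X509Extension
    public byte[] getExtensionValue(String str) {
        AsnX509Extension extension = this.mCert.GetTbsCertificate().GetExtension(new AsnOID(str));
        return extension == null ? null : extension.GetExtnValue().getEncoded();
    }

    /** @return OIDs of all extensions not marked critical */
    @Override // java.security.cert.X509Extension
    public Set<String> getNonCriticalExtensionOIDs() {
        return getExtensionOIDs(false);
    }

    /** @return OIDs of all extensions marked critical */
    @Override // java.security.cert.X509Extension
    public Set<String> getCriticalExtensionOIDs() {
        return getExtensionOIDs(true);
    }

    /**
     * Collects the OIDs of the extensions whose criticality flag equals {@code critical}.
     *
     * @param critical {@code true} to select critical extensions, {@code false} for non-critical
     * @return a new mutable set, empty when nothing matches
     */
    private Set<String> getExtensionOIDs(boolean critical) {
        Set<String> oids = new HashSet<>();
        int count = this.mCert.GetTbsCertificate().GetExtensionCount();
        for (int index = 0; index < count; index++) {
            AsnX509Extension extension = this.mCert.GetTbsCertificate().GetExtension(index);
            if (extension != null && extension.IsCritical() == critical) {
                oids.add(extension.GetExtnID().GetOIDAsString());
            }
        }
        return oids;
    }

    /**
     * Always returns {@code false}.
     *
     * <p>The {@link java.security.cert.X509Extension} contract reads {@code false} as "every
     * critical extension present is understood". This class does not inspect the critical
     * extensions before answering, so a relying party that depends on this method will accept a
     * certificate carrying an unrecognised critical extension. Callers that need that check must
     * inspect {@link #getCriticalExtensionOIDs()} themselves.
     *
     * @return {@code false}, unconditionally
     */
    @Override // java.security.cert.X509Extension
    public boolean hasUnsupportedCriticalExtension() {
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** @return the slot the underlying token object lives in */
    public int getSlot() {
        return this.mObject.getSlot();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the alias under which the {@code i}-th certificate of a chain is stored.
     *
     * @param str base alias of the chain
     * @param i index within the chain
     * @return {@code str + "--cert" + i}
     */
    public static String GetCertChainEntryName(String str, int i) {
        return str + "--cert" + i;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @return the token object handle
     * @throws LunaException if the handle is -1 (object not initialised on the token)
     */
    public int GetCertHandle() {
        if (this.mObject.GetHandle() == -1) {
            throw new LunaException("Certificate invalid: uninitialized.");
        }
        return this.mObject.GetHandle();
    }

    /**
     * Makes the token object persistent under the given alias.
     *
     * @param str alias to store the object under
     * @throws LunaException if the handle is -1 (object not initialised on the token)
     */
    public void MakePersistent(String str) {
        if (this.mObject.GetHandle() == -1) {
            throw new LunaException("Certificate invalid: uninitialized.");
        }
        this.mObject.MakePersistent(str);
    }

    /** @return whether the token object is persistent rather than session-scoped */
    public boolean IsCertPersistent() {
        return this.mObject.IsObjectPersistent();
    }

    /**
     * @return the date the token object was made persistent
     * @throws LunaException if the handle is -1 (object not initialised on the token)
     */
    public Date GetDateMadePersistent() {
        if (this.mObject.GetHandle() == -1) {
            throw new LunaException("Certificate invalid: uninitialized.");
        }
        return this.mObject.GetDateMadePersistent();
    }

    /**
     * Destroys the certificate object on the token. The cache entry keyed by this object's
     * fingerprint is not removed here, so a later lookup may hand out this now-dead wrapper until
     * its soft reference is cleared.
     *
     * @throws LunaException if the handle is -1 (object not initialised on the token)
     */
    public void DestroyCert() {
        if (this.mObject.GetHandle() == -1) {
            throw new LunaException("Certificate invalid: uninitialized.");
        }
        this.mObject.DestroyObject();
    }

    /** @return the token object's fingerprint, as used for the lookup cache key */
    public byte[] GetFingerprint() {
        return this.mObject.GetFingerprint();
    }
}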
