package sun.security.pkcs11;

import java.nio.ByteBuffer;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.SignatureSpi;
import java.security.interfaces.RSAKey;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Hashtable;
import sun.nio.ch.DirectBuffer;
import sun.security.pkcs11.wrapper.CK_MECHANISM;
import sun.security.pkcs11.wrapper.CK_MECHANISM_INFO;
import sun.security.pkcs11.wrapper.CK_RSA_PKCS_PSS_PARAMS;
import sun.security.pkcs11.wrapper.PKCS11Exception;
import sun.util.locale.LanguageTag;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:win/1.8.0_412/lib/ext/sunpkcs11.jar:sun/security/pkcs11/P11PSSSignature.class */
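/**
 * RSASSA-PSS {@link SignatureSpi} implementation that delegates the RSA operation to a PKCS#11
 * token.
 *
 * <p>This listing is JADX output for {@code sunpkcs11.jar} (1.8.0_412). The decompiler inlined the
 * numeric PKCS#11 mechanism ids, return codes and the mode/type tags; they are restored to named
 * constants below so the security-relevant branches can be read without a lookup table.
 *
 * <p>Two processing types exist, selected by the mechanism id passed to the constructor:
 * <ul>
 *   <li>{@link #T_DIGEST}: the message is hashed in Java with a {@link MessageDigest} and only the
 *       digest is handed to {@code C_Sign}/{@code C_Verify};</li>
 *   <li>{@link #T_UPDATE}: the message bytes are streamed to the token with
 *       {@code C_SignUpdate}/{@code C_VerifyUpdate} and finished with the matching
 *       {@code C_*Final} call.</li>
 * </ul>
 *
 * <p>No synchronization is visible in this class; instance state ({@code session},
 * {@code initialized}, {@code isActive}, {@code bytesProcessed}) is mutated freely, so an instance
 * should be treated as confined to one thread.
 */
public final class P11PSSSignature extends SignatureSpi {
    private static final boolean DEBUG = false;

    /**
     * Digest output length in bytes, keyed by every digest spelling this class accepts.
     * NOTE(review): SHA-1 spellings are accepted here; any policy that forbids weak digests has to
     * be enforced elsewhere, nothing in this class does it.
     */
    private static final Hashtable<String, Integer> DIGEST_LENGTHS = new Hashtable<>();

    private static final String KEY_ALGO = "RSA";

    /** Operation mode: the object was initialised with a private key for signing. */
    private static final int M_SIGN = 1;
    /** Operation mode: the object was initialised with a public key for verification. */
    private static final int M_VERIFY = 2;
    /** Processing type: digest locally, then a single-part token call. */
    private static final int T_DIGEST = 1;
    /** Processing type: multi-part token calls, the token hashes the data. */
    private static final int T_UPDATE = 2;

    // PKCS#11 mechanism ids handled by this class (values as they appear in the decompiled switch).
    private static final long CKM_RSA_PKCS_PSS = 0x0000000DL;        // 13
    private static final long CKM_SHA1_RSA_PKCS_PSS = 0x0000000EL;   // 14
    private static final long CKM_SHA256_RSA_PKCS_PSS = 0x00000043L; // 67
    private static final long CKM_SHA384_RSA_PKCS_PSS = 0x00000044L; // 68
    private static final long CKM_SHA512_RSA_PKCS_PSS = 0x00000045L; // 69
    private static final long CKM_SHA224_RSA_PKCS_PSS = 0x00000047L; // 71

    // PKCS#11 return codes this class inspects.
    private static final long CKR_DATA_LEN_RANGE = 0x00000021L;            // 33
    private static final long CKR_OPERATION_NOT_INITIALIZED = 0x00000091L; // 145
    private static final long CKR_SIGNATURE_INVALID = 0x000000C0L;         // 192
    private static final long CKR_SIGNATURE_LEN_RANGE = 0x000000C1L;       // 193

    static {
        DIGEST_LENGTHS.put("SHA-1", 20);
        DIGEST_LENGTHS.put("SHA", 20);
        DIGEST_LENGTHS.put("SHA1", 20);
        DIGEST_LENGTHS.put("SHA-224", 28);
        DIGEST_LENGTHS.put("SHA224", 28);
        DIGEST_LENGTHS.put("SHA-256", 32);
        DIGEST_LENGTHS.put("SHA256", 32);
        DIGEST_LENGTHS.put("SHA-384", 48);
        DIGEST_LENGTHS.put("SHA384", 48);
        DIGEST_LENGTHS.put("SHA-512", 64);
        DIGEST_LENGTHS.put("SHA512", 64);
        DIGEST_LENGTHS.put("SHA-512/224", 28);
        DIGEST_LENGTHS.put("SHA512/224", 28);
        DIGEST_LENGTHS.put("SHA-512/256", 32);
        DIGEST_LENGTHS.put("SHA512/256", 32);
    }

    private final Token token;
    private final String algorithm;
    private final CK_MECHANISM mechanism;
    /** {@link #T_DIGEST} or {@link #T_UPDATE}, fixed by the mechanism id. */
    private final int type;
    /** Digest name taken from the part of the algorithm name before "with"; null if absent. */
    private final String mdAlg;
    /** Local digest, only created for {@link #T_DIGEST} once PSS parameters are set. */
    private MessageDigest md;
    private Session session;
    /** {@link #M_SIGN} or {@link #M_VERIFY}; set by the engineInit* methods. */
    private int mode;
    private P11Key p11Key = null;
    private PSSParameterSpec sigParams = null;
    /** True once data has been fed in; parameters may not change while this is set. */
    private boolean isActive = false;
    /** True while a C_SignInit/C_VerifyInit is outstanding on {@link #session}. */
    private boolean initialized = false;
    /** Scratch array for the single-byte update. */
    private final byte[] buffer = new byte[1];
    private int bytesProcessed = 0;

    /**
     * Compares a digest name in standard form with a caller-supplied spelling.
     *
     * <p>A supplied name that already contains "-" is compared case-insensitively as is. Otherwise
     * "SHA-1" matches "SHA" and "SHA1", and any other name starting with "SHA" is compared after
     * inserting "-" behind that prefix.
     *
     * @param stdAlg   digest name in standard form; null never matches
     * @param givenAlg digest name to compare against; null never matches
     * @return true if both names denote the same digest
     * @throws ProviderException if {@code givenAlg} has no "-" and does not start with "SHA"
     */
    private static boolean isDigestEqual(String stdAlg, String givenAlg) {
        if (stdAlg == null || givenAlg == null) {
            return false;
        }
        // The decompiler had substituted sun.util.locale.LanguageTag.SEP for this "-" literal.
        if (givenAlg.indexOf("-") != -1) {
            return stdAlg.equalsIgnoreCase(givenAlg);
        }
        if (stdAlg.equals("SHA-1")) {
            return givenAlg.equalsIgnoreCase("SHA") || givenAlg.equalsIgnoreCase("SHA1");
        }
        if (givenAlg.regionMatches(true, 0, "SHA", 0, 3)) {
            String hyphenated = new StringBuilder(givenAlg).insert(3, "-").toString();
            return stdAlg.equalsIgnoreCase(hyphenated);
        }
        throw new ProviderException("Unsupported digest algorithm " + givenAlg);
    }

    /**
     * Creates a signature object bound to one token and one PKCS#11 mechanism.
     *
     * <p>JADX widened this constructor from package-private to public.
     *
     * @param token token that performs the operations
     * @param str   JCA algorithm name; the text before "with", if any, becomes the fixed digest
     * @param j     PKCS#11 mechanism id
     * @throws ProviderException if the mechanism id is not one of the PSS mechanisms handled here
     */
    public P11PSSSignature(Token token, String str, long j) throws NoSuchAlgorithmException, PKCS11Exception {
        this.token = token;
        this.algorithm = str;
        this.mechanism = new CK_MECHANISM(j);
        int withPos = str.indexOf("with");
        this.mdAlg = withPos == -1 ? null : str.substring(0, withPos);
        // The int cast is kept from the decompiled code so mechanism dispatch is unchanged.
        switch ((int) j) {
            case (int) CKM_RSA_PKCS_PSS:
                this.type = T_DIGEST;
                break;
            case (int) CKM_SHA1_RSA_PKCS_PSS:
            case (int) CKM_SHA256_RSA_PKCS_PSS:
            case (int) CKM_SHA384_RSA_PKCS_PSS:
            case (int) CKM_SHA512_RSA_PKCS_PSS:
            case (int) CKM_SHA224_RSA_PKCS_PSS:
                this.type = T_UPDATE;
                break;
            default:
                throw new ProviderException("Unsupported mechanism: " + j);
        }
    }

    /**
     * Verifies that a key is present, installs default PSS parameters when the algorithm name
     * fixes the digest and none were set, and starts the token operation if it is not running.
     *
     * @throws SignatureException if no key was set, if parameters are required but missing, or if
     *     the digest named by the algorithm has no known length
     */
    private void ensureInitialized() throws SignatureException {
        this.token.ensureValid();
        if (this.p11Key == null) {
            throw new SignatureException("Missing key");
        }
        if (this.sigParams == null) {
            if (this.mdAlg == null) {
                throw new SignatureException("Parameters required for RSASSA-PSS signature");
            }
            // Fail with the declared exception type instead of a NullPointerException on unboxing.
            Integer digestLen = DIGEST_LENGTHS.get(this.mdAlg);
            if (digestLen == null) {
                throw new SignatureException("Unsupported digest algorithm " + this.mdAlg);
            }
            // Defaults: MGF1 over the same digest, salt length = digest length, trailer field 1.
            PSSParameterSpec defaults = new PSSParameterSpec(
                    this.mdAlg, "MGF1", new MGF1ParameterSpec(this.mdAlg), digestLen.intValue(), 1);
            this.mechanism.setParameter(
                    new CK_RSA_PKCS_PSS_PARAMS(this.mdAlg, "MGF1", this.mdAlg, digestLen.intValue()));
            // Publish the spec only after the mechanism accepted the parameters, so a failure above
            // cannot leave sigParams set while the mechanism carries none (same order as setSigParams).
            this.sigParams = defaults;
        }
        if (!this.initialized) {
            initialize();
        }
    }

    /**
     * Ends the current token operation, if any, and returns the key handle, mechanism handle and
     * session.
     *
     * @param doCancel when true and the token requests explicit cancellation, the pending
     *     operation is finished on the token first via {@link #cancelOperation()}
     */
    private void reset(boolean doCancel) {
        if (!this.initialized) {
            return;
        }
        this.initialized = false;
        try {
            if (this.session == null) {
                return;
            }
            if (doCancel && this.token.explicitCancel) {
                cancelOperation();
            }
        } finally {
            // Runs on every path, including the early return and a failed cancel.
            this.p11Key.releaseKeyID();
            this.mechanism.freeHandle();
            this.session = this.token.releaseSession(this.session);
            this.isActive = false;
        }
    }

    /**
     * Terminates the operation that is active on the session by driving it to completion:
     * a final/single-part sign call, or a verify call against an all-zero signature buffer of
     * the key's byte length.
     *
     * @throws ProviderException if the token reports an error other than
     *     {@code CKR_OPERATION_NOT_INITIALIZED} while in sign mode; verify-mode errors are ignored
     */
    private void cancelOperation() {
        this.token.ensureValid();
        try {
            if (this.mode == M_SIGN) {
                if (this.type == T_UPDATE) {
                    this.token.p11.C_SignFinal(this.session.id(), 0);
                } else {
                    this.token.p11.C_Sign(this.session.id(), this.md == null ? new byte[0] : this.md.digest());
                }
            } else {
                byte[] dummySignature = new byte[(this.p11Key.length() + 7) >> 3];
                if (this.type == T_UPDATE) {
                    this.token.p11.C_VerifyFinal(this.session.id(), dummySignature);
                } else {
                    this.token.p11.C_Verify(this.session.id(), this.md == null ? new byte[0] : this.md.digest(), dummySignature);
                }
            }
        } catch (PKCS11Exception e) {
            // A verify against the dummy signature is expected to fail, so only sign-mode
            // failures are reported, and "not initialized" means there was nothing to cancel.
            if (e.getErrorCode() != CKR_OPERATION_NOT_INITIALIZED && this.mode == M_SIGN) {
                throw new ProviderException("cancel failed", e);
            }
        }
    }

    /**
     * Acquires a session if needed and issues {@code C_SignInit} or {@code C_VerifyInit} with the
     * current mechanism and key. Clears the byte counter and the local digest when data from an
     * earlier operation was counted.
     *
     * @throws ProviderException if no key is set or the token rejects the initialisation; in the
     *     latter case the key handle and session are released first
     */
    private void initialize() {
        if (this.p11Key == null) {
            throw new ProviderException("No Key found, call initSign/initVerify first");
        }
        long keyID = this.p11Key.getKeyID();
        try {
            if (this.session == null) {
                this.session = this.token.getOpSession();
            }
            if (this.mode == M_SIGN) {
                this.token.p11.C_SignInit(this.session.id(), this.mechanism, keyID);
            } else {
                this.token.p11.C_VerifyInit(this.session.id(), this.mechanism, keyID);
            }
            if (this.bytesProcessed != 0) {
                this.bytesProcessed = 0;
                if (this.md != null) {
                    this.md.reset();
                }
            }
            this.initialized = true;
            this.isActive = false;
        } catch (PKCS11Exception e) {
            this.p11Key.releaseKeyID();
            this.session = this.token.releaseSession(this.session);
            throw new ProviderException("Initialization failed", e);
        }
    }

    /**
     * Checks that the key is an RSA key whose length fits the mechanism limits reported by the
     * token and, when PSS parameters are already set, is long enough for salt + digest + 2 bytes.
     *
     * <p>The key length is now determined even when the token supplies no mechanism information.
     * Previously the length stayed 0 in that case, so any key was rejected as "too short" as soon
     * as PSS parameters had been set before the key.
     *
     * @param key key passed to engineInitSign/engineInitVerify
     * @throws InvalidKeyException if the key is not RSA, is of an unrecognised type, or violates
     *     one of the length limits
     */
    private void checkKeySize(Key key) throws InvalidKeyException {
        if (!KEY_ALGO.equals(key.getAlgorithm())) {
            throw new InvalidKeyException("Only RSA keys are supported");
        }
        CK_MECHANISM_INFO mechInfo = null;
        try {
            mechInfo = this.token.getMechanismInfo(this.mechanism.mechanism);
        } catch (PKCS11Exception ignored) {
            // Best effort: without mechanism info only the token-reported limits are skipped;
            // the PSS parameter length check below still runs.
        }
        // Key length in bytes.
        // NOTE(review): token keys round up to whole bytes, software keys round down; kept as found.
        final int keyBytes;
        if (key instanceof P11Key) {
            keyBytes = (((P11Key) key).length() + 7) >> 3;
        } else if (key instanceof RSAKey) {
            keyBytes = ((RSAKey) key).getModulus().bitLength() >> 3;
        } else {
            throw new InvalidKeyException("Unrecognized key type " + key);
        }
        if (mechInfo != null) {
            // iMinKeySize / iMaxKeySize are compared in bytes, hence the >> 3.
            if (mechInfo.iMinKeySize != 0 && keyBytes < (mechInfo.iMinKeySize >> 3)) {
                throw new InvalidKeyException("RSA key must be at least " + mechInfo.iMinKeySize + " bits");
            }
            if (mechInfo.iMaxKeySize != Integer.MAX_VALUE && keyBytes > (mechInfo.iMaxKeySize >> 3)) {
                throw new InvalidKeyException("RSA key must be at most " + mechInfo.iMaxKeySize + " bits");
            }
        }
        if (this.sigParams != null) {
            int digestLen = DIGEST_LENGTHS.get(this.sigParams.getDigestAlgorithm()).intValue();
            // addExact guards against overflow from an attacker-chosen salt length.
            int minKeyBytes = Math.addExact(Math.addExact(this.sigParams.getSaltLength(), digestLen), 2);
            if (keyBytes < minKeyBytes) {
                throw new InvalidKeyException("Key is too short for current params, need min " + minKeyBytes);
            }
        }
    }

    /**
     * Validates PSS parameters and installs them on the mechanism.
     *
     * <p>Accepted: a {@link PSSParameterSpec} whose digest matches the digest fixed by the
     * algorithm name (if any) and is listed in {@link #DIGEST_LENGTHS}, with MGF1 as mask
     * generation function, trailer field 1, and a salt no longer than
     * key bytes - digest bytes - 2 when a key is already set. The MGF1 digest handed to the token
     * is always the message digest; the spec's own MGF parameters are not read here.
     *
     * @param algorithmParameterSpec parameters supplied by the caller
     * @throws InvalidAlgorithmParameterException if any of the conditions above is violated or the
     *     native parameter structure rejects the values
     */
    private void setSigParams(AlgorithmParameterSpec algorithmParameterSpec) throws InvalidAlgorithmParameterException {
        if (algorithmParameterSpec == null) {
            throw new InvalidAlgorithmParameterException("PSS Parameter required");
        }
        if (!(algorithmParameterSpec instanceof PSSParameterSpec)) {
            throw new InvalidAlgorithmParameterException("Only PSSParameterSpec is supported");
        }
        PSSParameterSpec pssSpec = (PSSParameterSpec) algorithmParameterSpec;
        if (pssSpec == this.sigParams) {
            return; // same object as already installed
        }
        String digestAlgorithm = pssSpec.getDigestAlgorithm();
        if (this.mdAlg != null && !isDigestEqual(digestAlgorithm, this.mdAlg)) {
            throw new InvalidAlgorithmParameterException("Digest algorithm in Signature parameters must be " + this.mdAlg);
        }
        Integer digestLen = DIGEST_LENGTHS.get(digestAlgorithm);
        if (digestLen == null) {
            throw new InvalidAlgorithmParameterException("Unsupported digest algorithm in Signature parameters: " + digestAlgorithm);
        }
        if (!pssSpec.getMGFAlgorithm().equalsIgnoreCase("MGF1")) {
            throw new InvalidAlgorithmParameterException("Only supports MGF1");
        }
        if (pssSpec.getTrailerField() != 1) {
            throw new InvalidAlgorithmParameterException("Only supports TrailerFieldBC(1)");
        }
        int saltLength = pssSpec.getSaltLength();
        if (this.p11Key != null) {
            int maxSaltLength = ((this.p11Key.length() + 7) >> 3) - digestLen.intValue() - 2;
            if (maxSaltLength < 0 || saltLength > maxSaltLength) {
                throw new InvalidAlgorithmParameterException("Invalid with current key size");
            }
        }
        try {
            this.mechanism.setParameter(new CK_RSA_PKCS_PSS_PARAMS(digestAlgorithm, "MGF1", digestAlgorithm, saltLength));
            this.sigParams = pssSpec;
        } catch (IllegalArgumentException e) {
            throw new InvalidAlgorithmParameterException(e);
        }
    }

    /**
     * Prepares the object for verification with the given public key. Any running operation is
     * cancelled; previously set PSS parameters are kept.
     *
     * @param publicKey RSA public key
     * @throws InvalidKeyException if the key is null, fails {@link #checkKeySize(Key)} or cannot
     *     be converted for the token
     */
    @Override // java.security.SignatureSpi
    public void engineInitVerify(PublicKey publicKey) throws InvalidKeyException {
        if (publicKey == null) {
            throw new InvalidKeyException("Key must not be null");
        }
        if (publicKey != this.p11Key) {
            checkKeySize(publicKey);
        }
        reset(true);
        this.mode = M_VERIFY;
        this.p11Key = P11KeyFactory.convertKey(this.token, publicKey, KEY_ALGO);
    }

    /**
     * Prepares the object for signing with the given private key. Any running operation is
     * cancelled; previously set PSS parameters are kept.
     *
     * @param privateKey RSA private key
     * @throws InvalidKeyException if the key is null, fails {@link #checkKeySize(Key)} or cannot
     *     be converted for the token
     */
    @Override // java.security.SignatureSpi
    public void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
        if (privateKey == null) {
            throw new InvalidKeyException("Key must not be null");
        }
        if (privateKey != this.p11Key) {
            checkKeySize(privateKey);
        }
        reset(true);
        this.mode = M_SIGN;
        this.p11Key = P11KeyFactory.convertKey(this.token, privateKey, KEY_ALGO);
    }

    /**
     * Feeds one byte into the operation by way of the array variant.
     *
     * @param b byte to add
     * @throws SignatureException if the object is not ready (see {@link #ensureInitialized()})
     */
    @Override // java.security.SignatureSpi
    public void engineUpdate(byte b) throws SignatureException {
        ensureInitialized();
        this.isActive = true;
        this.buffer[0] = b;
        engineUpdate(this.buffer, 0, 1);
    }

    /**
     * Feeds a byte range into the operation: into the local digest for {@link #T_DIGEST}, to the
     * token for {@link #T_UPDATE}.
     *
     * @param bArr source array
     * @param i    offset of the first byte
     * @param i2   number of bytes; 0 is a no-op
     * @throws SignatureException if the object is not ready
     * @throws ProviderException if the int byte counter would overflow, if PSS parameters are
     *     missing in digest mode, or if the token call fails (the operation is then reset)
     */
    @Override // java.security.SignatureSpi
    public void engineUpdate(byte[] bArr, int i, int i2) throws SignatureException {
        ensureInitialized();
        if (i2 == 0) {
            return;
        }
        // Signed overflow of the running total shows up as a negative sum.
        if (i2 + this.bytesProcessed < 0) {
            throw new ProviderException("Processed bytes limits exceeded.");
        }
        this.isActive = true;
        switch (this.type) {
            case T_DIGEST:
                if (this.md == null) {
                    throw new ProviderException("PSS Parameters required");
                }
                this.md.update(bArr, i, i2);
                this.bytesProcessed += i2;
                return;
            case T_UPDATE:
                try {
                    if (this.mode == M_SIGN) {
                        this.token.p11.C_SignUpdate(this.session.id(), 0L, bArr, i, i2);
                    } else {
                        this.token.p11.C_VerifyUpdate(this.session.id(), 0L, bArr, i, i2);
                    }
                    this.bytesProcessed += i2;
                    return;
                } catch (PKCS11Exception e) {
                    reset(false);
                    throw new ProviderException(e);
                }
            default:
                throw new ProviderException("Internal error");
        }
    }

    /**
     * Feeds the remaining bytes of a buffer into the operation. In {@link #T_UPDATE} mode a direct
     * buffer is passed to the token by native address and its position is advanced by hand; other
     * buffers use the superclass implementation.
     *
     * <p>NOTE(review): unlike the array variant this path does not check the byte counter for
     * overflow before adding to it.
     *
     * @param byteBuffer data source
     * @throws ProviderException if the object is not ready, if PSS parameters are missing in
     *     digest mode, or if the token call fails (the operation is then reset)
     */
    @Override // java.security.SignatureSpi
    public void engineUpdate(ByteBuffer byteBuffer) {
        try {
            ensureInitialized();
        } catch (SignatureException e) {
            // This SPI method cannot declare SignatureException.
            throw new ProviderException(e);
        }
        int remaining = byteBuffer.remaining();
        if (remaining <= 0) {
            return;
        }
        this.isActive = true;
        switch (this.type) {
            case T_DIGEST:
                if (this.md == null) {
                    throw new ProviderException("PSS Parameters required");
                }
                this.md.update(byteBuffer);
                this.bytesProcessed += remaining;
                return;
            case T_UPDATE:
                if (!(byteBuffer instanceof DirectBuffer)) {
                    super.engineUpdate(byteBuffer);
                    return;
                }
                long address = ((DirectBuffer) byteBuffer).address();
                int position = byteBuffer.position();
                try {
                    // Address-based call: the array argument is null and the length is `remaining`.
                    if (this.mode == M_SIGN) {
                        this.token.p11.C_SignUpdate(this.session.id(), address + position, null, 0, remaining);
                    } else {
                        this.token.p11.C_VerifyUpdate(this.session.id(), address + position, null, 0, remaining);
                    }
                    this.bytesProcessed += remaining;
                    byteBuffer.position(position + remaining);
                    return;
                } catch (PKCS11Exception e) {
                    reset(false);
                    throw new ProviderException("Update failed", e);
                }
            default:
                reset(false);
                throw new ProviderException("Internal error");
        }
    }

    /**
     * Produces the signature over the data supplied so far and ends the operation.
     *
     * @return signature bytes returned by the token
     * @throws SignatureException if the object is not ready
     * @throws ProviderException if PSS parameters are missing in digest mode or the token call
     *     fails; the operation is then reset with cancellation requested
     */
    @Override // java.security.SignatureSpi
    public byte[] engineSign() throws SignatureException {
        ensureInitialized();
        boolean doCancel = true;
        try {
            byte[] signature;
            if (this.type == T_UPDATE) {
                signature = this.token.p11.C_SignFinal(this.session.id(), 0);
            } else {
                if (this.md == null) {
                    throw new ProviderException("PSS Parameters required");
                }
                signature = this.token.p11.C_Sign(this.session.id(), this.md.digest());
            }
            doCancel = false; // the token operation completed, nothing left to cancel
            return signature;
        } catch (PKCS11Exception e) {
            throw new ProviderException(e);
        } finally {
            reset(doCancel);
        }
    }

    /**
     * Verifies a signature over the data supplied so far and ends the operation.
     *
     * <p>Only three token results are reported as a failed verification:
     * {@code CKR_SIGNATURE_INVALID}, {@code CKR_SIGNATURE_LEN_RANGE} and
     * {@code CKR_DATA_LEN_RANGE}. Every other token error is raised as
     * {@link ProviderException}, so a token fault is never mistaken for either outcome.
     *
     * @param bArr signature to check
     * @return true if the token accepted the signature, false for the three results above
     * @throws SignatureException if the object is not ready
     * @throws ProviderException if PSS parameters are missing in digest mode or the token reports
     *     any other error; the operation is then reset with cancellation requested
     */
    @Override // java.security.SignatureSpi
    public boolean engineVerify(byte[] bArr) throws SignatureException {
        ensureInitialized();
        boolean doCancel = true;
        try {
            if (this.type == T_UPDATE) {
                this.token.p11.C_VerifyFinal(this.session.id(), bArr);
            } else {
                if (this.md == null) {
                    throw new ProviderException("PSS Parameters required");
                }
                this.token.p11.C_Verify(this.session.id(), this.md.digest(), bArr);
            }
            doCancel = false;
            return true;
        } catch (PKCS11Exception e) {
            long errorCode = e.getErrorCode();
            if (errorCode == CKR_SIGNATURE_INVALID
                    || errorCode == CKR_SIGNATURE_LEN_RANGE
                    || errorCode == CKR_DATA_LEN_RANGE) {
                doCancel = false; // the token already finished the operation with a verdict
                return false;
            }
            throw new ProviderException(e);
        } finally {
            reset(doCancel);
        }
    }

    /**
     * Legacy string-keyed parameter setter; not supported.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // java.security.SignatureSpi
    public void engineSetParameter(String str, Object obj) throws InvalidParameterException {
        throw new UnsupportedOperationException("setParameter() not supported");
    }

    /**
     * Installs PSS parameters. Rejected once data has been fed into the current operation, so the
     * digest and salt cannot change between update calls.
     *
     * @param algorithmParameterSpec a {@link PSSParameterSpec}
     * @throws InvalidAlgorithmParameterException if the parameters fail validation or the digest
     *     is not available as a {@link MessageDigest} in digest mode
     * @throws ProviderException if an operation is already consuming data
     */
    @Override // java.security.SignatureSpi
    public void engineSetParameter(AlgorithmParameterSpec algorithmParameterSpec) throws InvalidAlgorithmParameterException {
        if (this.isActive) {
            throw new ProviderException("Cannot set parameters during operations");
        }
        setSigParams(algorithmParameterSpec);
        if (this.type == T_DIGEST) {
            try {
                this.md = MessageDigest.getInstance(this.sigParams.getDigestAlgorithm());
            } catch (NoSuchAlgorithmException e) {
                throw new InvalidAlgorithmParameterException(e);
            }
        }
    }

    /**
     * Legacy string-keyed parameter getter; not supported.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // java.security.SignatureSpi
    public Object engineGetParameter(String str) throws InvalidParameterException {
        throw new UnsupportedOperationException("getParameter() not supported");
    }

    /**
     * Returns the PSS parameters currently in effect.
     *
     * @return an "RSASSA-PSS" {@link AlgorithmParameters} object, or null if none are set yet
     * @throws RuntimeException if the parameters object cannot be created or initialised
     */
    @Override // java.security.SignatureSpi
    public AlgorithmParameters engineGetParameters() {
        if (this.sigParams == null) {
            return null;
        }
        try {
            AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("RSASSA-PSS");
            algorithmParameters.init(this.sigParams);
            return algorithmParameters;
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }
}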
