package sun.security.pkcs11;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.ProviderException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import jonelo.jacksum.algorithm.AbstractChecksum;
import org.catcert.utils.AppletConstants;
import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
import sun.security.pkcs11.wrapper.PKCS11;
import sun.security.pkcs11.wrapper.PKCS11Constants;
import sun.security.pkcs11.wrapper.PKCS11Exception;

/* loaded from: input_file:sun/security/pkcs11/Secmod.class */
public final class Secmod {
    // Debug switch; nothing in this file reads it.
    private static final boolean DEBUG = false;
    // The single instance of this class, assigned by the static initializer.
    private static final Secmod INSTANCE;
    // Base library names; callers pass them through System.mapLibraryName() to get the platform file name.
    private static final String NSS_LIB_NAME = "nss3";
    private static final String SOFTTOKEN_LIB_NAME = "softokn3";
    private static final String TRUST_LIB_NAME = "nssckbi";
    // Native handle of the NSS library; 0 means no handle has been obtained yet.
    private long nssHandle;
    // Result of the native version check against "3.7" (see fetchVersions()).
    private boolean supported;
    // Lazily filled, unmodifiable module list (see getModules()).
    private List<Module> modules;
    // Directory arguments recorded by a successful initialize() call.
    private String configDir;
    private String nssLibDir;
    // SunPKCS11 configuration templates, filled in by Module.initConfiguration() via String.format().
    // The %s arguments are inserted verbatim: a library path or module name that contains a newline
    // or a double quote would alter the structure of the generated configuration text.
    static final String TEMPLATE_EXTERNAL = "library = %s\nname = \"%s\"\nslotListIndex = %d\n";
    static final String TEMPLATE_TRUSTANCHOR = "library = %s\nname = \"NSS Trust Anchors\"\nslotListIndex = 0\nenabledMechanisms = { KeyStore }\nnssUseSecmodTrust = true\n";
    static final String TEMPLATE_CRYPTO = "library = %s\nname = \"NSS SoftToken Crypto\"\nslotListIndex = 0\ndisabledMechanisms = { KeyStore }\n";
    static final String TEMPLATE_KEYSTORE = "library = %s\nname = \"NSS SoftToken KeyStore\"\nslotListIndex = 1\nnssUseSecmodTrust = true\n";
    static final String TEMPLATE_FIPS = "library = %s\nname = \"NSS FIPS SoftToken\"\nslotListIndex = 0\nnssUseSecmodTrust = true\n";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:sun/security/pkcs11/Secmod$Bytes.class */
    /**
     * Wraps a byte array so that it compares and hashes by content, which
     * makes it usable as a map key (it keys the trust tables in this file).
     *
     * <p>The array is stored as passed, without a copy: changing it after
     * the wrapper has been put into a hash map changes the hash code and
     * makes the entry unreachable.
     */
    public static class Bytes {
        final byte[] b;

        Bytes(byte[] bArr) {
            this.b = bArr;
        }

        /** Content-based hash, consistent with {@link #equals(Object)}. */
        @Override
        public int hashCode() {
            return Arrays.hashCode(this.b);
        }

        /** Two wrappers are equal when their arrays have equal content. */
        @Override
        public boolean equals(Object obj) {
            if (!(obj instanceof Bytes)) {
                // Also covers null.
                return false;
            }
            Bytes other = (Bytes) obj;
            return this == other || Arrays.equals(this.b, other.b);
        }
    }

    /* loaded from: input_file:sun/security/pkcs11/Secmod$DbMode.class */
    /**
     * NSS database access modes. Each constant carries the function name
     * that initialize() hands to the native nssInit call.
     */
    public enum DbMode {
        READ_WRITE("NSS_InitReadWrite"),
        READ_ONLY("NSS_Init"),
        NO_DB("NSS_NoDB_Init");

        final String functionName;

        DbMode(String str) {
            this.functionName = str;
        }

        /**
         * Returns a fresh array holding all constants in declaration order.
         * The decompiler renamed this method from {@code values} to avoid a
         * clash with the enum's own {@code values()}.
         */
        public static DbMode[] valuesCustom() {
            return values().clone();
        }
    }

    /* loaded from: input_file:sun/security/pkcs11/Secmod$KeyStoreLoadParameter.class */
    /**
     * KeyStore load parameter that pairs a protection parameter with the
     * trust type the caller is interested in.
     */
    public static final class KeyStoreLoadParameter implements KeyStore.LoadStoreParameter {
        final TrustType trustType;
        final KeyStore.ProtectionParameter protection;

        /**
         * Convenience form taking a password.
         *
         * <p>{@code KeyStore.PasswordProtection} keeps its own copy of the
         * array, so the caller can clear {@code cArr} after this call.
         *
         * @param trustType trust type, must not be null
         * @param cArr      password characters, may be null
         */
        public KeyStoreLoadParameter(TrustType trustType, char[] cArr) {
            this(trustType, new KeyStore.PasswordProtection(cArr));
        }

        /**
         * @param trustType           trust type, must not be null
         * @param protectionParameter protection parameter, stored as given
         * @throws NullPointerException if {@code trustType} is null
         */
        public KeyStoreLoadParameter(TrustType trustType, KeyStore.ProtectionParameter protectionParameter) {
            if (null == trustType) {
                throw new NullPointerException("trustType must not be null");
            }
            this.protection = protectionParameter;
            this.trustType = trustType;
        }

        /** Returns the trust type given at construction; never null. */
        public TrustType getTrustType() {
            return this.trustType;
        }

        /** Returns the protection parameter given at construction. */
        @Override // java.security.KeyStore.LoadStoreParameter
        public KeyStore.ProtectionParameter getProtectionParameter() {
            return this.protection;
        }
    }

    /* loaded from: input_file:sun/security/pkcs11/Secmod$Module.class */
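    /**
     * One PKCS#11 module together with the SunPKCS11 configuration derived
     * for it, the lazily created provider and the lazily loaded trust table.
     */
    public static final class Module {
        final String libraryName;
        final String commonName;
        final int slot;
        final ModuleType type;
        // Provider configuration text; built from one of the Secmod.TEMPLATE_* strings.
        private String config;
        private SunPKCS11 provider;
        // Trust entries keyed by certificate hash; null until getTrust(Bytes) loads them.
        private Map<Bytes, TrustAttributes> trust;

        /**
         * Classifies the module and builds its default configuration.
         *
         * @param str  library name; null or empty selects the soft token library
         * @param str2 module common name
         * @param z    FIPS flag; only accepted for the soft token at slot index 0
         * @param i    slot list index
         * @throws RuntimeException if the FIPS flag contradicts the library or the slot index
         */
        Module(String str, String str2, boolean z, int i) {
            ModuleType moduleType;
            if (str == null || str.length() == 0) {
                // No library given: fall back to the soft token library name.
                str = System.mapLibraryName(Secmod.SOFTTOKEN_LIB_NAME);
                if (z) {
                    moduleType = ModuleType.FIPS;
                    if (i != 0) {
                        throw new RuntimeException("Slot index should be 0 for FIPS slot");
                    }
                } else {
                    moduleType = i == 0 ? ModuleType.CRYPTO : ModuleType.KEYSTORE;
                }
            } else {
                // The trust anchor module is recognised by library file name or by its common name.
                boolean trustAnchor = str.endsWith(System.mapLibraryName(Secmod.TRUST_LIB_NAME))
                        || str2.equals("Builtin Roots Module");
                moduleType = trustAnchor ? ModuleType.TRUSTANCHOR : ModuleType.EXTERNAL;
                if (z) {
                    throw new RuntimeException("FIPS flag set for non-internal module: " + str + ", " + str2);
                }
            }
            this.libraryName = str;
            this.commonName = str2;
            this.slot = i;
            this.type = moduleType;
            initConfiguration();
        }

        /**
         * Fills {@code config} from the template that matches the module type.
         *
         * <p>The library name and, for external modules, the common name are
         * inserted into the template without quoting or escaping.
         */
        private void initConfiguration() {
            final ModuleType kind = this.type;
            if (kind == ModuleType.CRYPTO) {
                this.config = String.format(Secmod.TEMPLATE_CRYPTO, this.libraryName);
            } else if (kind == ModuleType.KEYSTORE) {
                this.config = String.format(Secmod.TEMPLATE_KEYSTORE, this.libraryName);
            } else if (kind == ModuleType.FIPS) {
                this.config = String.format(Secmod.TEMPLATE_FIPS, this.libraryName);
            } else if (kind == ModuleType.TRUSTANCHOR) {
                this.config = String.format(Secmod.TEMPLATE_TRUSTANCHOR, this.libraryName);
            } else if (kind == ModuleType.EXTERNAL) {
                // NOTE(review): AppletConstants.BLANK separates name and slot; presumably a single
                // space. The constant comes from an unrelated package, which looks like a
                // decompiler constant substitution - confirm its value.
                String displayName = this.commonName + AppletConstants.BLANK + this.slot;
                this.config = String.format(Secmod.TEMPLATE_EXTERNAL, this.libraryName, displayName, this.slot);
            } else {
                throw new RuntimeException("Unknown module type: " + kind);
            }
        }

        /** Returns the current provider configuration text. */
        @Deprecated
        public synchronized String getConfiguration() {
            return this.config;
        }

        /**
         * Replaces the whole provider configuration text, including its
         * {@code library} line, so the caller decides which native library a
         * provider created later from this module is configured with.
         *
         * @throws IllegalStateException if a provider instance already exists
         */
        @Deprecated
        public synchronized void setConfiguration(String str) {
            if (this.provider != null) {
                throw new IllegalStateException("Provider instance already created");
            }
            this.config = str;
        }

        /** Returns the library name this module was classified with. */
        public String getLibraryName() {
            return this.libraryName;
        }

        /** Returns the module type decided in the constructor. */
        public ModuleType getType() {
            return this.type;
        }

        /** Returns the provider for this module, creating it on first use. */
        @Deprecated
        public synchronized Provider getProvider() {
            if (this.provider == null) {
                this.provider = newProvider();
            }
            return this.provider;
        }

        /** Tells whether a provider instance has been created or set. */
        public synchronized boolean hasInitializedProvider() {
            return this.provider != null;
        }

        /**
         * Registers an externally created provider.
         *
         * @throws ProviderException if a provider is already present
         */
        // NOTE(review): unlike the other accessors of `provider`, this method is not synchronized.
        public void setProvider(SunPKCS11 sunPKCS11) {
            if (this.provider != null) {
                throw new ProviderException("Secmod provider already initialized");
            }
            this.provider = sunPKCS11;
        }

        /** Builds a SunPKCS11 provider from the current configuration text. */
        private SunPKCS11 newProvider() {
            try {
                return new SunPKCS11(new ByteArrayInputStream(this.config.getBytes("UTF8")));
            } catch (Exception e) {
                throw new ProviderException(e);
            }
        }

        /**
         * Records a certificate as trusted for every usage unless an entry
         * for the same hash already exists.
         *
         * @throws ProviderException if an entry exists that is not trusted for all usages
         */
        public synchronized void setTrust(Token token, X509Certificate x509Certificate) {
            // NOTE(review): AppletConstants.SHA1ID is presumably the SHA-1 algorithm name (the
            // value is not visible here); the trust table is keyed by this digest only.
            Bytes certHash = new Bytes(Secmod.getDigest(x509Certificate, AppletConstants.SHA1ID));
            TrustAttributes existing = getTrust(certHash);
            if (existing == null) {
                this.trust.put(certHash, new TrustAttributes(token, x509Certificate, certHash, PKCS11Constants.CKT_NETSCAPE_TRUSTED_DELEGATOR));
            } else if (!existing.isTrusted(TrustType.ALL)) {
                throw new ProviderException("Cannot change existing trust attributes");
            }
        }

        /**
         * Looks up the trust entry for a certificate hash, loading the trust
         * table on first use.
         *
         * @return the entry, or null when the table has none for this hash
         * @throws RuntimeException wrapping a PKCS11Exception raised while loading
         */
        TrustAttributes getTrust(Bytes bytes) {
            if (this.trust == null) {
                // NOTE(review): the null test above runs outside the lock and is not repeated
                // inside it, so two racing callers may each load the table.
                synchronized (this) {
                    SunPKCS11 source = this.provider;
                    if (source == null) {
                        // No provider yet: build one for this lookup only; it is not
                        // stored in the provider field.
                        source = newProvider();
                    }
                    try {
                        this.trust = Secmod.getTrust(source);
                    } catch (PKCS11Exception e) {
                        throw new RuntimeException(e);
                    }
                }
            }
            return this.trust.get(bytes);
        }

        @Override
        public String toString() {
            return this.commonName + " (" + this.type + ", " + this.libraryName + ", slot " + this.slot + ")";
        }
    }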

    /* loaded from: input_file:sun/security/pkcs11/Secmod$ModuleType.class */
    /** Kinds of module that the Module constructor distinguishes. */
    public enum ModuleType {
        CRYPTO,
        KEYSTORE,
        FIPS,
        TRUSTANCHOR,
        EXTERNAL;

        /**
         * Returns a fresh array holding all constants in declaration order.
         * The decompiler renamed this method from {@code values} to avoid a
         * clash with the enum's own {@code values()}.
         */
        public static ModuleType[] valuesCustom() {
            return values().clone();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:sun/security/pkcs11/Secmod$TrustAttributes.class */
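    /**
     * Trust settings of one certificate as stored in a token trust object:
     * the object handle, one trust value per usage and the certificate hash
     * the object is filed under.
     */
    public static class TrustAttributes {
        final long handle;
        final long clientAuth;
        final long serverAuth;
        final long codeSigning;
        final long emailProtection;
        final byte[] shaHash;

        /**
         * Creates a new trust object on the token with the same trust value
         * for all four usages.
         *
         * <p>{@code bytes.b} is written as the SHA-1 hash attribute as given;
         * it is not checked here against {@code x509Certificate}.
         *
         * @param j trust value applied to every usage
         * @throws ProviderException if the token rejects the object
         */
        TrustAttributes(Token token, X509Certificate x509Certificate, Bytes bytes, long j) {
            Session session = null;
            try {
                session = token.getOpSession();
                this.handle = token.p11.C_CreateObject(session.id(), new CK_ATTRIBUTE[] {
                    // In PKCS#11, attribute type 1 is CKA_TOKEN and 0 is CKA_CLASS.
                    new CK_ATTRIBUTE(1L, true),
                    // 3461563219L is 0xCE534353, the object class getTrust(SunPKCS11) searches for.
                    new CK_ATTRIBUTE(0L, 3461563219L),
                    new CK_ATTRIBUTE(PKCS11Constants.CKA_NETSCAPE_TRUST_SERVER_AUTH, j),
                    new CK_ATTRIBUTE(PKCS11Constants.CKA_NETSCAPE_TRUST_CODE_SIGNING, j),
                    new CK_ATTRIBUTE(PKCS11Constants.CKA_NETSCAPE_TRUST_EMAIL_PROTECTION, j),
                    new CK_ATTRIBUTE(PKCS11Constants.CKA_NETSCAPE_TRUST_CLIENT_AUTH, j),
                    new CK_ATTRIBUTE(PKCS11Constants.CKA_NETSCAPE_CERT_SHA1_HASH, bytes.b),
                    new CK_ATTRIBUTE(PKCS11Constants.CKA_NETSCAPE_CERT_MD5_HASH, Secmod.getDigest(x509Certificate, "MD5")),
                    // In PKCS#11, 129 (0x81) is CKA_ISSUER and 130 (0x82) is CKA_SERIAL_NUMBER.
                    new CK_ATTRIBUTE(129L, x509Certificate.getIssuerX500Principal().getEncoded()),
                    new CK_ATTRIBUTE(130L, x509Certificate.getSerialNumber().toByteArray())
                });
                this.shaHash = bytes.b;
                this.clientAuth = j;
                this.serverAuth = j;
                this.codeSigning = j;
                this.emailProtection = j;
            } catch (PKCS11Exception e) {
                throw new ProviderException("Could not create trust object", e);
            } finally {
                // Runs exactly once on every path, including when session is still null.
                token.releaseSession(session);
            }
        }

        /**
         * Reads the trust values of an existing trust object.
         *
         * @param j handle of the trust object
         * @throws PKCS11Exception if the server-auth, code-signing,
         *         email-protection or hash attribute cannot be read
         */
        TrustAttributes(Token token, Session session, long j) throws PKCS11Exception {
            this.handle = j;
            CK_ATTRIBUTE[] required = {
                new CK_ATTRIBUTE(PKCS11Constants.CKA_NETSCAPE_TRUST_SERVER_AUTH),
                new CK_ATTRIBUTE(PKCS11Constants.CKA_NETSCAPE_TRUST_CODE_SIGNING),
                new CK_ATTRIBUTE(PKCS11Constants.CKA_NETSCAPE_TRUST_EMAIL_PROTECTION),
                new CK_ATTRIBUTE(PKCS11Constants.CKA_NETSCAPE_CERT_SHA1_HASH)
            };
            token.p11.C_GetAttributeValue(session.id(), j, required);
            this.serverAuth = required[0].getLong();
            this.codeSigning = required[1].getLong();
            this.emailProtection = required[2].getLong();
            this.shaHash = required[3].getByteArray();

            CK_ATTRIBUTE[] optional = {new CK_ATTRIBUTE(PKCS11Constants.CKA_NETSCAPE_TRUST_CLIENT_AUTH)};
            long clientAuthValue;
            try {
                token.p11.C_GetAttributeValue(session.id(), j, optional);
                clientAuthValue = optional[0].getLong();
            } catch (PKCS11Exception ignored) {
                // Any failure to read the client-auth attribute makes the entry inherit the
                // server-auth value, so a server-trusted certificate then also counts as
                // client-trusted.
                clientAuthValue = this.serverAuth;
            }
            this.clientAuth = clientAuthValue;
        }

        /** Returns the stored certificate hash wrapped for use as a map key. */
        Bytes getHash() {
            return new Bytes(this.shaHash);
        }

        /**
         * Tells whether this entry grants trust for the given usage;
         * {@code ALL} requires every one of the four usages.
         *
         * @throws NullPointerException if {@code trustType} is null
         */
        boolean isTrusted(TrustType trustType) {
            if (trustType == null) {
                throw new NullPointerException();
            }
            if (trustType == TrustType.ALL) {
                return isTrusted(TrustType.CLIENT_AUTH)
                        && isTrusted(TrustType.SERVER_AUTH)
                        && isTrusted(TrustType.CODE_SIGNING)
                        && isTrusted(TrustType.EMAIL_PROTECTION);
            }
            if (trustType == TrustType.CLIENT_AUTH) {
                return isTrusted(this.clientAuth);
            }
            if (trustType == TrustType.SERVER_AUTH) {
                return isTrusted(this.serverAuth);
            }
            if (trustType == TrustType.CODE_SIGNING) {
                return isTrusted(this.codeSigning);
            }
            if (trustType == TrustType.EMAIL_PROTECTION) {
                return isTrusted(this.emailProtection);
            }
            return false;
        }

        // Only the trusted-delegator value counts as trusted; every other value yields false.
        private boolean isTrusted(long j) {
            return j == PKCS11Constants.CKT_NETSCAPE_TRUSTED_DELEGATOR;
        }
    }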

    /* loaded from: input_file:sun/security/pkcs11/Secmod$TrustType.class */
    /** Certificate usages for which trust can be queried; ALL stands for every usage at once. */
    public enum TrustType {
        ALL,
        CLIENT_AUTH,
        SERVER_AUTH,
        CODE_SIGNING,
        EMAIL_PROTECTION;

        /**
         * Returns a fresh array holding all constants in declaration order.
         * The decompiler renamed this method from {@code values} to avoid a
         * clash with the enum's own {@code values()}.
         */
        public static TrustType[] valuesCustom() {
            return values().clone();
        }
    }

    // Class initialisation: PKCS11.loadNative() runs before the singleton is created.
    // Presumably this makes the native methods declared in this class available;
    // the binding itself is not visible here.
    static {
        PKCS11.loadNative();
        INSTANCE = new Secmod();
    }

    // Private: the only instance is the one created by the static initializer.
    private Secmod() {
    }

    /** Returns the process-wide Secmod instance. */
    public static Secmod getInstance() {
        return INSTANCE;
    }

    /**
     * Tells whether a native NSS library handle is available, asking the
     * native side for one when none has been recorded yet. A newly obtained
     * handle triggers the version check.
     */
    private boolean isLoaded() {
        if (this.nssHandle != 0) {
            return true;
        }
        this.nssHandle = nssGetLibraryHandle(System.mapLibraryName(NSS_LIB_NAME));
        if (this.nssHandle == 0) {
            return false;
        }
        fetchVersions();
        return true;
    }

    // Records whether the library behind nssHandle passes the native version check against "3.7".
    private void fetchVersions() {
        this.supported = nssVersionCheck(this.nssHandle, "3.7");
    }

    /**
     * Tells whether an NSS library handle is available and passed the
     * version check.
     *
     * <p>A handle found by the native lookup counts as well, so this can
     * return true without initialize() having been called on this object.
     *
     * @return false when no library handle is available
     * @throws IOException if a library is loaded but failed the version check
     */
    public synchronized boolean isInitialized() throws IOException {
        if (isLoaded()) {
            if (!this.supported) {
                throw new IOException("An incompatible version of NSS is already loaded, 3.7 or later required");
            }
            return true;
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the configuration directory recorded by a successful initialize(), or null. */
    public String getConfigDir() {
        return this.configDir;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the NSS library directory recorded by a successful initialize(), or null. */
    public String getLibDir() {
        return this.nssLibDir;
    }

    /**
     * Initializes NSS in read-write database mode.
     *
     * @param str  configuration directory
     * @param str2 directory holding the NSS library, or null
     * @throws IOException as thrown by the three-argument initialize
     */
    public void initialize(String str, String str2) throws IOException {
        initialize(DbMode.READ_WRITE, str, str2);
    }

    /**
     * Loads the NSS library and initializes it in the given database mode.
     *
     * <p>The directory and file checks only establish that the paths exist
     * at the time of the check; they do not look at who may write to them,
     * and the library is opened by a later native call.
     *
     * @param dbMode database mode, must not be null
     * @param str    configuration directory; may be null only for {@code NO_DB}
     * @param str2   directory holding the NSS library, or null to pass the
     *               bare platform library file name to the native loader
     * @throws NullPointerException if {@code dbMode} is null, or {@code str}
     *         is null in a mode other than {@code NO_DB}
     * @throws FileNotFoundException if the library file or secmod.db is missing
     * @throws IOException if NSS is already initialized, a directory argument
     *         is not a directory, the library is too old, or NSS reports failure
     */
    public synchronized void initialize(DbMode dbMode, String str, String str2) throws IOException {
        if (isInitialized()) {
            throw new IOException("NSS is already initialized");
        }
        if (dbMode == null) {
            throw new NullPointerException();
        }
        if (str == null && dbMode != DbMode.NO_DB) {
            throw new NullPointerException();
        }

        final String platformLibName = System.mapLibraryName(NSS_LIB_NAME);
        // Without a library directory the bare file name is used, so the file that gets
        // loaded depends on how the native loader resolves names (presumably the
        // platform library search path - confirm in the native code).
        String libraryToLoad = platformLibName;
        if (str2 != null) {
            File libDir = new File(str2);
            if (!libDir.isDirectory()) {
                throw new IOException("nssLibDir must be a directory:" + str2);
            }
            File libFile = new File(libDir, platformLibName);
            if (!libFile.isFile()) {
                throw new FileNotFoundException(libFile.getPath());
            }
            libraryToLoad = libFile.getPath();
        }

        if (str != null) {
            File dbDir = new File(str);
            if (!dbDir.isDirectory()) {
                throw new IOException("configDir must be a directory: " + str);
            }
            File secmodDb = new File(dbDir, "secmod.db");
            if (!secmodDb.isFile()) {
                throw new FileNotFoundException(secmodDb.getPath());
            }
        }

        // NOTE(review): nssHandle is assigned before the version check and nssInit; if either
        // fails, the handle stays set and a later isInitialized() will not return false.
        this.nssHandle = nssLoadLibrary(libraryToLoad);
        fetchVersions();
        if (!this.supported) {
            throw new IOException("The specified version of NSS is incompatible, 3.7 or later required");
        }
        boolean initOk = nssInit(dbMode.functionName, this.nssHandle, str);
        if (!initOk) {
            throw new IOException("NSS initialization failed");
        }
        this.configDir = str;
        this.nssLibDir = str2;
    }

    /**
     * Returns the module list, fetching it from the native side on first
     * use and caching it as an unmodifiable list.
     *
     * @throws IllegalStateException if NSS is not initialized, or wrapping
     *         the IOException raised by the initialization check
     */
    public synchronized List<Module> getModules() {
        try {
            if (isInitialized()) {
                if (this.modules == null) {
                    // The native call returns Object; the element type cannot be checked here.
                    @SuppressWarnings("unchecked")
                    List<Module> fetched = (List<Module>) nssGetModuleList(this.nssHandle);
                    this.modules = Collections.unmodifiableList(fetched);
                }
                return this.modules;
            }
            throw new IllegalStateException("NSS not initialized");
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Computes a digest over the encoded form of a certificate.
     *
     * @param x509Certificate certificate to hash
     * @param str             digest algorithm name
     * @return the digest bytes
     * @throws ProviderException wrapping any GeneralSecurityException, such
     *         as an unknown algorithm or a certificate that cannot be encoded
     */
    public static byte[] getDigest(X509Certificate x509Certificate, String str) {
        try {
            MessageDigest digester = MessageDigest.getInstance(str);
            byte[] encodedCert = x509Certificate.getEncoded();
            return digester.digest(encodedCert);
        } catch (GeneralSecurityException e) {
            throw new ProviderException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells whether a certificate is trusted for the given usage.
     *
     * <p>The KEYSTORE, FIPS and TRUSTANCHOR modules are consulted in that
     * order and the first one holding an entry for the certificate hash
     * decides. A module that has no entry never vetoes a later one.
     *
     * @return false when no consulted module has an entry for the certificate
     */
    public boolean isTrusted(X509Certificate x509Certificate, TrustType trustType) {
        // NOTE(review): AppletConstants.SHA1ID is presumably the SHA-1 algorithm name (value
        // not visible here); the lookup rests on this digest matching a stored hash.
        Bytes certHash = new Bytes(getDigest(x509Certificate, AppletConstants.SHA1ID));
        ModuleType[] lookupOrder = {ModuleType.KEYSTORE, ModuleType.FIPS, ModuleType.TRUSTANCHOR};
        for (ModuleType candidate : lookupOrder) {
            TrustAttributes found = getModuleTrust(candidate, certHash);
            if (found != null) {
                return found.isTrusted(trustType);
            }
        }
        return false;
    }

    // Returns the trust entry for the hash from the first module of the given type,
    // or null when there is no such module or it has no entry.
    private TrustAttributes getModuleTrust(ModuleType moduleType, Bytes bytes) {
        Module owner = getModule(moduleType);
        if (owner != null) {
            return owner.getTrust(bytes);
        }
        return null;
    }

    /**
     * Returns the first module of the given type in list order.
     *
     * @return the module, or null when none has that type
     * @throws IllegalStateException as thrown by getModules()
     */
    public Module getModule(ModuleType moduleType) {
        List<Module> all = getModules();
        for (int idx = 0; idx < all.size(); idx++) {
            Module candidate = all.get(idx);
            if (candidate.getType() == moduleType) {
                return candidate;
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: private */
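    /**
     * Reads the trust objects of a provider's token into a map keyed by
     * certificate hash.
     *
     * <p>Objects are fetched with a single C_FindObjects call limited to
     * {@code AbstractChecksum.BUFFERSIZE} results; trust objects beyond that
     * limit are not read, and their certificates then look as if this token
     * had no entry for them.
     *
     * @param sunPKCS11 provider whose token is searched
     * @return a new map from certificate hash to trust attributes
     * @throws PKCS11Exception if the search or an attribute read fails
     */
    public static Map<Bytes, TrustAttributes> getTrust(SunPKCS11 sunPKCS11) throws PKCS11Exception {
        Map<Bytes, TrustAttributes> trustByHash = new HashMap<Bytes, TrustAttributes>();
        Token token = sunPKCS11.getToken();
        Session session = null;
        try {
            session = token.getOpSession();
            // Attribute type 0 is CKA_CLASS in PKCS#11; 3461563219L is 0xCE534353, the same
            // object class the creating TrustAttributes constructor writes.
            token.p11.C_FindObjectsInit(session.id(), new CK_ATTRIBUTE[] {new CK_ATTRIBUTE(0L, 3461563219L)});
            // NOTE(review): AbstractChecksum.BUFFERSIZE comes from an unrelated checksum library,
            // which looks like a decompiler constant substitution - confirm the intended limit.
            // NOTE(review): if C_FindObjects throws, C_FindObjectsFinal is skipped before the
            // session is released.
            long[] handles = token.p11.C_FindObjects(session.id(), AbstractChecksum.BUFFERSIZE);
            token.p11.C_FindObjectsFinal(session.id());
            for (long handle : handles) {
                TrustAttributes entry = new TrustAttributes(token, session, handle);
                trustByHash.put(entry.getHash(), entry);
            }
            return trustByHash;
        } finally {
            // Runs exactly once on every path, including when session is still null.
            token.releaseSession(session);
        }
    }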

    // Native entry points. What each one does natively is not visible here; the notes below
    // only restate how the Java code in this class uses them.

    // Called with the platform file name of the NSS library; a result of 0 is treated as "no handle".
    private static native long nssGetLibraryHandle(String str);

    // Called with the library path or bare file name chosen by initialize(); the result becomes nssHandle.
    private static native long nssLoadLibrary(String str) throws IOException;

    // Called with the library handle and the minimum version string "3.7".
    private static native boolean nssVersionCheck(long j, String str);

    // Called with DbMode.functionName, the library handle and the configuration directory;
    // false is reported as "NSS initialization failed".
    private static native boolean nssInit(String str, long j, String str2);

    // Called with the library handle; getModules() casts the result to a List of Module.
    private static native Object nssGetModuleList(long j);
}
