package sun.security.pkcs11;

import com.sun.org.apache.xalan.internal.templates.Constants;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyStoreSpi;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.UnrecoverableEntryException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPrivateKey;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.x500.X500Principal;
import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
import sun.security.pkcs11.wrapper.Functions;
import sun.security.pkcs11.wrapper.PKCS11Exception;
import sun.security.util.Debug;
import sun.security.util.DerValue;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:118666-03/SUNWj5rt/reloc/jdk/instances/jdk1.5.0/jre/lib/ext/sunpkcs11.jar:sun/security/pkcs11/P11KeyStore.class */
public final class P11KeyStore extends KeyStoreSpi {
    // Sentinel and limit constants. Neither name is referenced in the visible part of this file;
    // loadChain passes a literal 100L to C_FindObjects, presumably the inlined MAX_NUM (TODO confirm).
    private static final long NO_HANDLE = -1;
    private static final long MAX_NUM = 100;
    private static final String ALIAS_SEP = "/";
    private static final boolean NSS_TEST = false;
    // Token this keystore reads from and writes to; every engine* method first calls token.ensureValid().
    private final Token token;
    // Set to true by engineLoad when mapLabels() returns true; presumably consulted by checkWrite() (not visible here).
    private boolean writeDisabled = false;
    // Alias -> cached entry description. Only assigned outside the visible code (presumably in mapLabels),
    // so it is null until a load has happened.
    private HashMap<String, AliasInfo> aliasMap;
    // Search-template attributes. The numeric values match the PKCS#11 numbering:
    // CKA_CLASS (0x0) with CKO_CERTIFICATE (1), CKO_PRIVATE_KEY (3) and CKO_SECRET_KEY (4).
    // The three ATTR_CLASS_* instances also serve as entry-type tags and are compared by reference (==).
    private static final CK_ATTRIBUTE ATTR_CLASS_CERT = new CK_ATTRIBUTE(0, 1);
    private static final CK_ATTRIBUTE ATTR_CLASS_PKEY = new CK_ATTRIBUTE(0, 3);
    private static final CK_ATTRIBUTE ATTR_CLASS_SKEY = new CK_ATTRIBUTE(0, 4);
    // CKA_CERTIFICATE_TYPE (0x80) = CKC_X_509 (0).
    private static final CK_ATTRIBUTE ATTR_X509_CERT_TYPE = new CK_ATTRIBUTE(128, 0);
    // CKA_TOKEN (0x1) = true: restricts a search to persistent token objects.
    private static final CK_ATTRIBUTE ATTR_TOKEN_TRUE = new CK_ATTRIBUTE(1L, true);
    // Non-final static: shared by every P11KeyStore instance in the JVM. Where it is reassigned is not visible here.
    private static CK_ATTRIBUTE ATTR_SKEY_TOKEN_TRUE = ATTR_TOKEN_TRUE;
    // CKA_TRUSTED (0x86) = true and CKA_PRIVATE (0x2) = true.
    private static final CK_ATTRIBUTE ATTR_TRUSTED_TRUE = new CK_ATTRIBUTE(134L, true);
    private static final CK_ATTRIBUTE ATTR_PRIVATE_TRUE = new CK_ATTRIBUTE(2L, true);
    // Callers test "debug != null" before printing. The visible debug lines print aliases, labels and
    // certificate subject/issuer names; none of them prints key material.
    private static final Debug debug = Debug.getInstance("pkcs11keystore");
    // Non-final static flag shared by all instances; its writers are outside the visible code.
    private static boolean CKA_TRUSTED_SUPPORTED = true;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:118666-03/SUNWj5rt/reloc/jdk/instances/jdk1.5.0/jre/lib/ext/sunpkcs11.jar:sun/security/pkcs11/P11KeyStore$AliasInfo.class */
    /**
     * Cached description of one keystore alias: the entry type tag, the label and id used to
     * locate the object on the token, and the certificate data associated with the alias.
     *
     * <p>The {@code type} field holds one of the enclosing class's ATTR_CLASS_* instances and is
     * compared by reference. Fields are private but read and written directly by the enclosing class.
     */
    public static class AliasInfo {
        private CK_ATTRIBUTE type;
        private String label;
        private byte[] id;
        private boolean trusted;
        private X509Certificate cert;
        private X509Certificate[] chain;
        private boolean matched;

        /**
         * Creates a secret-key entry identified by its label only.
         * All other fields keep their default values (null / false).
         */
        public AliasInfo(String str) {
            this.type = P11KeyStore.ATTR_CLASS_SKEY;
            this.label = str;
        }

        /**
         * Creates an entry tagged as a private key.
         * The id array and certificate are stored by reference, not copied;
         * {@code chain} and {@code matched} keep their defaults.
         */
        public AliasInfo(String str, byte[] bArr, boolean z, X509Certificate x509Certificate) {
            this.type = P11KeyStore.ATTR_CLASS_PKEY;
            this.label = str;
            this.id = bArr;
            this.trusted = z;
            this.cert = x509Certificate;
        }

        /**
         * Renders the entry for debug output: type, label, id, trusted/matched flags and the
         * certificate's subject, issuer and serial number. No key material is included.
         */
        public String toString() {
            StringBuilder text = new StringBuilder();

            // Type tags are singletons of the enclosing class, so reference comparison is intended.
            CK_ATTRIBUTE kind = this.type;
            if (kind == P11KeyStore.ATTR_CLASS_PKEY) {
                text.append("\ttype=[private key]\n");
            } else if (kind == P11KeyStore.ATTR_CLASS_SKEY) {
                text.append("\ttype=[secret key]\n");
            } else if (kind == P11KeyStore.ATTR_CLASS_CERT) {
                text.append("\ttype=[trusted cert]\n");
            }

            text.append("\tlabel=[").append(this.label).append("]\n");

            if (this.id != null) {
                text.append("\tid=").append(P11KeyStore.getID(this.id)).append("\n");
            } else {
                text.append("\tid=[null]\n");
            }

            text.append("\ttrusted=[").append(this.trusted).append("]\n");
            text.append("\tmatched=[").append(this.matched).append("]\n");

            X509Certificate certificate = this.cert;
            if (certificate != null) {
                text.append("\tcert=[\tsubject: ").append((Object) certificate.getSubjectX500Principal());
                text.append("\n\t\tissuer: ").append((Object) certificate.getIssuerX500Principal());
                text.append("\n\t\tserialNum: ").append(certificate.getSerialNumber().toString());
                text.append("]");
            } else {
                text.append("\tcert=[null]\n");
            }
            return text.toString();
        }
    }

    /* loaded from: input_file:118666-03/SUNWj5rt/reloc/jdk/instances/jdk1.5.0/jre/lib/ext/sunpkcs11.jar:sun/security/pkcs11/P11KeyStore$PasswordCallbackHandler.class */
    /**
     * Callback handler that answers a {@link PasswordCallback} with a fixed password (token PIN).
     *
     * <p>The handler keeps its own copy of the password. That copy is overwritten only in
     * {@link #finalize()}, and the JVM does not guarantee when, or whether, finalizers run, so the
     * copy may stay on the heap for the lifetime of the process. The caller's original array is
     * never modified here; clearing it remains the caller's job.
     */
    private static class PasswordCallbackHandler implements CallbackHandler {
        private char[] password;

        /** Stores a private copy of {@code cArr}; a null argument leaves the password null. */
        private PasswordCallbackHandler(char[] cArr) {
            this.password = (cArr == null) ? null : cArr.clone();
        }

        /**
         * Supplies the stored password to the first callback.
         *
         * <p>Only element 0 is examined; any further callbacks are ignored. A null or empty array
         * fails with the runtime exception raised by the index access.
         *
         * @throws UnsupportedCallbackException if the first callback is not a PasswordCallback
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            Callback first = callbackArr[0];
            if (first instanceof PasswordCallback) {
                // PasswordCallback.setPassword stores its own copy, so one more copy of the PIN exists afterwards.
                ((PasswordCallback) first).setPassword(this.password);
                return;
            }
            throw new UnsupportedCallbackException(first);
        }

        /** Best-effort scrubbing: overwrites the stored copy with spaces before the object is reclaimed. */
        protected void finalize() throws Throwable {
            char[] secret = this.password;
            if (secret != null) {
                Arrays.fill(secret, ' ');
            }
            super.finalize();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:118666-03/SUNWj5rt/reloc/jdk/instances/jdk1.5.0/jre/lib/ext/sunpkcs11.jar:sun/security/pkcs11/P11KeyStore$THandle.class */
    /**
     * Immutable pair of a token object handle and the type tag describing what the handle refers to.
     * Callers in this file compare {@code type} by reference against the ATTR_CLASS_* instances
     * to check that a lookup returned the kind of object they asked for.
     */
    public static class THandle {
        private final long handle;
        private final CK_ATTRIBUTE type;

        /** Binds {@code objectHandle} to {@code objectClass}; neither value is validated here. */
        private THandle(long objectHandle, CK_ATTRIBUTE objectClass) {
            this.handle = objectHandle;
            this.type = objectClass;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a keystore view over {@code token}.
     * The alias map is not populated here; it stays null until it is assigned elsewhere in the class.
     */
    public P11KeyStore(Token token) {
        this.token = token;
    }

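    /**
     * Returns a key object for the private or secret key stored under the alias.
     *
     * <p>The returned object is built by loadPkey/loadSkey from the token object handle. The
     * password must be null unless the provider configuration enables keystore compatibility
     * mode, in which case a supplied password is accepted and ignored.
     *
     * @param str alias to look up
     * @param cArr must be null outside compatibility mode
     * @return the key, or null if the alias is unknown, names a certificate entry, or the token
     *         lookup did not return an object of the expected type
     * @throws NoSuchAlgorithmException if a password is supplied outside compatibility mode
     * @throws ProviderException if the token lookup fails
     */
    @Override // java.security.KeyStoreSpi
    public synchronized Key engineGetKey(String str, char[] cArr) throws NoSuchAlgorithmException, UnrecoverableKeyException {
        this.token.ensureValid();
        if (cArr != null && !this.token.config.getKeyStoreCompatibilityMode()) {
            throw new NoSuchAlgorithmException("password must be null");
        }
        AliasInfo aliasInfo = this.aliasMap.get(str);
        if (aliasInfo == null || aliasInfo.type == ATTR_CLASS_CERT) {
            return null;
        }
        // Declared outside the try so the finally block can hand back the session that was
        // actually acquired. The previous error path called releaseSession(null) and therefore
        // never returned the session when a lookup or load failed.
        Session opSession = null;
        try {
            opSession = this.token.getOpSession();
            if (aliasInfo.type == ATTR_CLASS_PKEY) {
                // Private keys are located by id.
                THandle privateObject = getTokenObject(opSession, aliasInfo.type, aliasInfo.id, null);
                if (privateObject.type == ATTR_CLASS_PKEY) {
                    return loadPkey(opSession, privateObject.handle);
                }
            } else {
                // Secret keys are located by label, which is the alias itself.
                THandle secretObject = getTokenObject(opSession, ATTR_CLASS_SKEY, null, str);
                if (secretObject.type == ATTR_CLASS_SKEY) {
                    return loadSkey(opSession, secretObject.handle);
                }
            }
            return null;
        } catch (KeyStoreException e) {
            throw new ProviderException(e);
        } catch (PKCS11Exception e2) {
            throw new ProviderException(e2);
        } finally {
            // opSession is still null if getOpSession() itself failed, matching the old error path.
            this.token.releaseSession(opSession);
        }
    }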

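    /**
     * Returns the certificate chain cached for a private-key alias.
     *
     * @param str alias to look up
     * @return a copy of the cached chain, or null if the alias is unknown, is not a private-key
     *         entry, or has no chain
     */
    @Override // java.security.KeyStoreSpi
    public synchronized Certificate[] engineGetCertificateChain(String str) {
        this.token.ensureValid();
        AliasInfo aliasInfo = this.aliasMap.get(str);
        if (aliasInfo == null || aliasInfo.type != ATTR_CLASS_PKEY) {
            return null;
        }
        X509Certificate[] cached = aliasInfo.chain;
        // Hand out a copy: the cached array is also used by engineGetEntry, so a caller that
        // modified the returned array would otherwise change what later lookups report.
        return cached == null ? null : cached.clone();
    }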

    /**
     * Returns the certificate cached for the alias, whatever the entry type.
     *
     * @return the cached certificate, or null if the alias is unknown or has no certificate
     */
    @Override // java.security.KeyStoreSpi
    public synchronized Certificate engineGetCertificate(String str) {
        this.token.ensureValid();
        AliasInfo entry = this.aliasMap.get(str);
        return entry != null ? entry.cert : null;
    }

    /**
     * Not supported: after the token validity check this always throws a ProviderException
     * wrapping an UnsupportedOperationException.
     */
    @Override // java.security.KeyStoreSpi
    public Date engineGetCreationDate(String str) {
        this.token.ensureValid();
        throw new ProviderException(new UnsupportedOperationException());
    }

    /**
     * Stores a private or secret key under the alias by wrapping it in the matching
     * KeyStore.Entry and delegating to engineSetEntry.
     *
     * <p>A private key requires a non-null chain and a secret key requires a null chain. The
     * password must be null unless compatibility mode is enabled. In that mode the password is
     * wrapped in a new KeyStore.PasswordProtection that is not destroyed here.
     *
     * @throws KeyStoreException if the arguments are inconsistent, or if building the entry
     *         raises IllegalArgumentException or NullPointerException
     */
    @Override // java.security.KeyStoreSpi
    public synchronized void engineSetKeyEntry(String str, Key key, char[] cArr, Certificate[] certificateArr) throws KeyStoreException {
        this.token.ensureValid();
        checkWrite();

        boolean isPrivate = key instanceof PrivateKey;
        boolean isSecret = key instanceof SecretKey;
        if (!isPrivate && !isSecret) {
            throw new KeyStoreException("key must be PrivateKey or SecretKey");
        }
        if (isPrivate && certificateArr == null) {
            throw new KeyStoreException("PrivateKey must be accompanied by non-null chain");
        }
        if (isSecret && certificateArr != null) {
            throw new KeyStoreException("SecretKey must be accompanied by null chain");
        }
        if (cArr != null && !this.token.config.getKeyStoreCompatibilityMode()) {
            throw new KeyStoreException("Password must be null");
        }

        try {
            // The checks above leave exactly one of isPrivate / isSecret true.
            KeyStore.Entry wrapped;
            if (isPrivate) {
                wrapped = new KeyStore.PrivateKeyEntry((PrivateKey) key, certificateArr);
            } else {
                wrapped = new KeyStore.SecretKeyEntry((SecretKey) key);
            }
            engineSetEntry(str, wrapped, new KeyStore.PasswordProtection(cArr));
        } catch (IllegalArgumentException e) {
            throw new KeyStoreException(e);
        } catch (NullPointerException e2) {
            throw new KeyStoreException(e2);
        }
    }

    /**
     * Not supported: entries given as an already-protected byte encoding are rejected.
     * After the token validity check this always throws a ProviderException wrapping an
     * UnsupportedOperationException.
     */
    @Override // java.security.KeyStoreSpi
    public void engineSetKeyEntry(String str, byte[] bArr, Certificate[] certificateArr) throws KeyStoreException {
        this.token.ensureValid();
        throw new ProviderException(new UnsupportedOperationException());
    }

    /**
     * Wraps the certificate in a TrustedCertificateEntry and delegates to engineSetEntry.
     *
     * <p>As written in this file, engineSetEntry rejects every TrustedCertificateEntry once its
     * own preconditions pass, so a non-null certificate cannot be stored through this method.
     *
     * @throws KeyStoreException if the certificate is null or engineSetEntry rejects the entry
     */
    @Override // java.security.KeyStoreSpi
    public synchronized void engineSetCertificateEntry(String str, Certificate certificate) throws KeyStoreException {
        this.token.ensureValid();
        checkWrite();
        if (certificate == null) {
            throw new KeyStoreException("invalid null certificate");
        }
        KeyStore.TrustedCertificateEntry trustedEntry = new KeyStore.TrustedCertificateEntry(certificate);
        engineSetEntry(str, trustedEntry, null);
    }

    /**
     * Deletes the entry stored under the alias, if any.
     *
     * <p>The token's write-protect state is checked before checkWrite(), so a write-protected
     * token is always reported with the "token write-protected" message.
     *
     * @throws KeyStoreException if the token is write-protected, checkWrite() refuses, or the
     *         deletion fails
     */
    @Override // java.security.KeyStoreSpi
    public synchronized void engineDeleteEntry(String str) throws KeyStoreException {
        this.token.ensureValid();
        boolean readOnlyToken = this.token.isWriteProtected();
        if (readOnlyToken) {
            throw new KeyStoreException("token write-protected");
        }
        checkWrite();
        // The boolean result (whether anything was destroyed) is deliberately not reported.
        deleteEntry(str);
    }

    /**
     * Removes the alias from the map and destroys the matching token objects.
     *
     * <p>The map entry is removed before the token objects are destroyed. If a destroy call
     * throws, the alias is already gone from the map while the object may still be on the token.
     *
     * @return false if the alias is unknown, otherwise the result of the destroy call(s); for a
     *         private key both the key and its chain must be destroyed for a true result
     * @throws KeyStoreException if the entry has an unexpected type or a destroy call fails
     */
    private boolean deleteEntry(String str) throws KeyStoreException {
        AliasInfo entry = this.aliasMap.get(str);
        if (entry == null) {
            return false;
        }
        this.aliasMap.remove(str);
        CK_ATTRIBUTE kind = entry.type;
        try {
            boolean destroyed;
            if (kind == ATTR_CLASS_CERT) {
                destroyed = destroyCert(entry.id);
            } else if (kind == ATTR_CLASS_PKEY) {
                // The chain is only destroyed when the key itself was destroyed.
                destroyed = destroyPkey(entry.id) && destroyChain(entry.id);
            } else if (kind == ATTR_CLASS_SKEY) {
                // Secret keys are addressed by label (the alias), not by id.
                destroyed = destroySkey(str);
            } else {
                throw new KeyStoreException("unexpected entry type");
            }
            return destroyed;
        } catch (CertificateException e) {
            throw new KeyStoreException(e);
        } catch (PKCS11Exception e2) {
            throw new KeyStoreException(e2);
        }
    }

    /**
     * Enumerates the aliases currently in the map.
     * The enumeration runs over a snapshot, so later changes to the map do not affect it.
     */
    @Override // java.security.KeyStoreSpi
    public synchronized Enumeration engineAliases() {
        this.token.ensureValid();
        Set<String> snapshot = new HashSet<String>(this.aliasMap.keySet());
        return Collections.enumeration(snapshot);
    }

    /**
     * Reports whether the alias is present in the cached alias map.
     * The token itself is not queried beyond the validity check.
     */
    @Override // java.security.KeyStoreSpi
    public synchronized boolean engineContainsAlias(String str) {
        this.token.ensureValid();
        return this.aliasMap.containsKey(str);
    }

    /** Returns the number of aliases in the cached alias map. */
    @Override // java.security.KeyStoreSpi
    public synchronized int engineSize() {
        this.token.ensureValid();
        return this.aliasMap.size();
    }

    /**
     * Reports whether the alias names a key entry, i.e. it is known and is not tagged as a
     * certificate entry.
     */
    @Override // java.security.KeyStoreSpi
    public synchronized boolean engineIsKeyEntry(String str) {
        this.token.ensureValid();
        AliasInfo entry = this.aliasMap.get(str);
        return entry != null && entry.type != ATTR_CLASS_CERT;
    }

    /** Reports whether the alias is known and tagged as a certificate entry. */
    @Override // java.security.KeyStoreSpi
    public synchronized boolean engineIsCertificateEntry(String str) {
        this.token.ensureValid();
        AliasInfo entry = this.aliasMap.get(str);
        if (entry == null) {
            return false;
        }
        return entry.type == ATTR_CLASS_CERT;
    }

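    /**
     * Finds the first alias whose cached certificate equals the given certificate.
     *
     * <p>Aliases come from a hash-based snapshot, so when several aliases hold an equal
     * certificate the one returned is not predictable.
     *
     * @param certificate certificate to search for; null never matches
     * @return the matching alias, or null if none matches
     */
    @Override // java.security.KeyStoreSpi
    public synchronized String engineGetCertificateAlias(Certificate certificate) {
        this.token.ensureValid();
        Enumeration aliases = engineAliases();
        while (aliases.hasMoreElements()) {
            // Enumeration has no nextElement2(); that name is a decompiler artifact that did not
            // compile. nextElement() is the method that advances the enumeration.
            String alias = (String) aliases.nextElement();
            Certificate candidate = engineGetCertificate(alias);
            if (candidate != null && candidate.equals(certificate)) {
                return alias;
            }
        }
        return null;
    }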

    /**
     * Validates the arguments and does nothing else; no data is written by this method.
     *
     * <p>Outside compatibility mode both arguments must be null. In compatibility mode a
     * supplied stream or password is accepted and ignored, so nothing is ever written to the
     * stream.
     *
     * @throws IOException if a non-null stream or password is supplied outside compatibility mode
     */
    @Override // java.security.KeyStoreSpi
    public synchronized void engineStore(OutputStream outputStream, char[] cArr) throws IOException, NoSuchAlgorithmException, CertificateException {
        this.token.ensureValid();
        String rejection = null;
        if (outputStream != null && !this.token.config.getKeyStoreCompatibilityMode()) {
            rejection = "output stream must be null";
        } else if (cArr != null && !this.token.config.getKeyStoreCompatibilityMode()) {
            rejection = "password must be null";
        }
        if (rejection != null) {
            throw new IOException(rejection);
        }
    }

    /**
     * Validates the argument and does nothing else; no data is written by this method.
     * Unlike the stream overload there is no compatibility-mode exception: any non-null
     * parameter is rejected.
     *
     * @throws IllegalArgumentException if {@code loadStoreParameter} is not null
     */
    @Override // java.security.KeyStoreSpi
    public synchronized void engineStore(KeyStore.LoadStoreParameter loadStoreParameter) throws IOException, NoSuchAlgorithmException, CertificateException {
        this.token.ensureValid();
        if (loadStoreParameter != null) {
            throw new IllegalArgumentException("LoadStoreParameter must be null");
        }
    }

    /**
     * Logs in to the token and rebuilds the alias map.
     *
     * <p>The input stream must be null unless compatibility mode is enabled; in that mode a
     * supplied stream is accepted and never read. A non-null password is copied into a
     * PasswordCallbackHandler, which clears its copy only on finalization. The caller's array
     * is not cleared here.
     *
     * @throws IOException with message "load failed" and the original exception as cause if
     *         login or label mapping fails, or if a stream is supplied outside compatibility mode
     */
    @Override // java.security.KeyStoreSpi
    public synchronized void engineLoad(InputStream inputStream, char[] cArr) throws IOException, NoSuchAlgorithmException, CertificateException {
        this.token.ensureValid();
        if (inputStream != null && !this.token.config.getKeyStoreCompatibilityMode()) {
            throw new IOException("input stream must be null");
        }
        Exception failure;
        try {
            CallbackHandler pinHandler = (cArr == null) ? null : new PasswordCallbackHandler(cArr);
            login(pinHandler);
            // A true result from mapLabels() switches this keystore to write-disabled.
            if (mapLabels()) {
                this.writeDisabled = true;
            }
            if (debug != null) {
                dumpTokenMap();
            }
            return;
        } catch (KeyStoreException e) {
            failure = e;
        } catch (LoginException e2) {
            failure = e2;
        } catch (PKCS11Exception e3) {
            failure = e3;
        }
        // All three failure kinds surface as the same IOException; the cause carries the detail.
        IOException wrapped = new IOException("load failed");
        wrapped.initCause(failure);
        throw wrapped;
    }

    /**
     * Logs in to the token using the protection parameter and rebuilds the alias map.
     *
     * <p>The protection parameter must be a PasswordProtection (a null password means no
     * callback handler) or a CallbackHandlerProtection. Anything else, including a null
     * protection parameter, is rejected.
     *
     * @throws IllegalArgumentException if the parameter is null or carries an unsupported
     *         protection parameter
     * @throws IOException with message "load failed" and the original exception as cause if
     *         login or label mapping fails
     */
    @Override // java.security.KeyStoreSpi
    public synchronized void engineLoad(KeyStore.LoadStoreParameter loadStoreParameter) throws IOException, NoSuchAlgorithmException, CertificateException {
        this.token.ensureValid();
        if (loadStoreParameter == null) {
            throw new IllegalArgumentException("invalid null LoadStoreParameter");
        }
        KeyStore.ProtectionParameter protection = loadStoreParameter.getProtectionParameter();
        CallbackHandler callbackHandler;
        if (protection instanceof KeyStore.PasswordProtection) {
            char[] pin = ((KeyStore.PasswordProtection) protection).getPassword();
            if (pin == null) {
                callbackHandler = null;
            } else {
                // The handler keeps its own copy of the password.
                callbackHandler = new PasswordCallbackHandler(pin);
            }
        } else if (protection instanceof KeyStore.CallbackHandlerProtection) {
            callbackHandler = ((KeyStore.CallbackHandlerProtection) protection).getCallbackHandler();
        } else {
            throw new IllegalArgumentException("ProtectionParameter must be either PasswordProtection or CallbackHandlerProtection");
        }
        Exception failure;
        try {
            login(callbackHandler);
            // A true result from mapLabels() switches this keystore to write-disabled.
            if (mapLabels()) {
                this.writeDisabled = true;
            }
            if (debug != null) {
                dumpTokenMap();
            }
            return;
        } catch (KeyStoreException e) {
            failure = e;
        } catch (LoginException e2) {
            failure = e2;
        } catch (PKCS11Exception e3) {
            failure = e3;
        }
        // All three failure kinds surface as the same IOException; the cause carries the detail.
        IOException wrapped = new IOException("load failed");
        wrapped.initCause(failure);
        throw wrapped;
    }

    /**
     * Logs in through the provider, honouring the token's protected authentication path.
     *
     * <p>Flag bit 256 (0x100) is CKF_PROTECTED_AUTHENTICATION_PATH in the PKCS#11 numbering,
     * which matches the exception message below. When the bit is set the token collects the PIN
     * itself, so the login is made without a handler. A supplied handler is an error outside
     * compatibility mode and is silently dropped in compatibility mode.
     *
     * @throws LoginException if a handler is supplied for a protected-path token outside
     *         compatibility mode, or if the provider login fails
     */
    private void login(CallbackHandler callbackHandler) throws LoginException {
        boolean protectedAuthPath = (this.token.tokenInfo.flags & 256) != 0;
        if (protectedAuthPath) {
            if (callbackHandler != null && !this.token.config.getKeyStoreCompatibilityMode()) {
                throw new LoginException("can not specify password if token supports protected authentication path");
            }
            this.token.provider.login(null, null);
            return;
        }
        this.token.provider.login(null, callbackHandler);
    }

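    /**
     * Returns the keystore entry stored under the alias.
     *
     * <p>A password-carrying PasswordProtection is rejected unless compatibility mode is
     * enabled; other protection parameters are not inspected. Trusted-certificate entries are
     * answered from the cache. Key entries are built by loadSkey/loadPkey from the token object
     * handle.
     *
     * @return the entry, or null if the alias is unknown or a private key has no cached chain
     * @throws KeyStoreException if a password is supplied outside compatibility mode, the
     *         expected key object is not found on the token, or a token call fails
     */
    @Override // java.security.KeyStoreSpi
    public synchronized KeyStore.Entry engineGetEntry(String str, KeyStore.ProtectionParameter protectionParameter) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException {
        this.token.ensureValid();
        if (protectionParameter != null && (protectionParameter instanceof KeyStore.PasswordProtection) && ((KeyStore.PasswordProtection) protectionParameter).getPassword() != null && !this.token.config.getKeyStoreCompatibilityMode()) {
            throw new KeyStoreException("ProtectionParameter must be null");
        }
        AliasInfo aliasInfo = this.aliasMap.get(str);
        if (aliasInfo == null) {
            if (debug != null) {
                debug.println("engineGetEntry did not find alias [" + str + "] in map");
            }
            return null;
        }
        // Declared outside the try so the finally block returns the session that was actually
        // acquired. The previous error path called releaseSession(null), so the session was
        // never handed back when a key was missing or a token call failed.
        Session opSession = null;
        try {
            opSession = this.token.getOpSession();
            if (aliasInfo.type == ATTR_CLASS_CERT) {
                if (debug != null) {
                    debug.println("engineGetEntry found trusted cert entry");
                }
                return new KeyStore.TrustedCertificateEntry(aliasInfo.cert);
            }
            if (aliasInfo.type == ATTR_CLASS_SKEY) {
                if (debug != null) {
                    debug.println("engineGetEntry found secret key entry");
                }
                // Secret keys are located by label.
                THandle secretObject = getTokenObject(opSession, ATTR_CLASS_SKEY, null, aliasInfo.label);
                if (secretObject.type != ATTR_CLASS_SKEY) {
                    throw new KeyStoreException("expected but could not find secret key");
                }
                return new KeyStore.SecretKeyEntry(loadSkey(opSession, secretObject.handle));
            }
            if (debug != null) {
                debug.println("engineGetEntry found private key entry");
            }
            // Private keys are located by id.
            THandle privateObject = getTokenObject(opSession, ATTR_CLASS_PKEY, aliasInfo.id, null);
            if (privateObject.type != ATTR_CLASS_PKEY) {
                throw new KeyStoreException("expected but could not find private key");
            }
            PrivateKey privateKey = loadPkey(opSession, privateObject.handle);
            X509Certificate[] chain = aliasInfo.chain;
            if (chain != null) {
                return new KeyStore.PrivateKeyEntry(privateKey, chain);
            }
            if (debug != null) {
                debug.println("engineGetEntry got null cert chain");
            }
            return null;
        } catch (PKCS11Exception e) {
            throw new KeyStoreException(e);
        } finally {
            // opSession is still null if getOpSession() itself failed, matching the old error path.
            this.token.releaseSession(opSession);
        }
    }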

    /**
     * Stores a private-key or secret-key entry on the token under the alias, then rebuilds the
     * alias map.
     *
     * <p>Preconditions are checked in this order: token valid, checkWrite(), no password-carrying
     * PasswordProtection outside compatibility mode, token not write-protected.
     * Trusted-certificate entries are always rejected.
     *
     * @throws KeyStoreException if a precondition fails, the entry or key type is unsupported,
     *         or a token or certificate operation fails
     */
    @Override // java.security.KeyStoreSpi
    public synchronized void engineSetEntry(String str, KeyStore.Entry entry, KeyStore.ProtectionParameter protectionParameter) throws KeyStoreException {
        this.token.ensureValid();
        checkWrite();
        if (protectionParameter != null && (protectionParameter instanceof KeyStore.PasswordProtection) && ((KeyStore.PasswordProtection) protectionParameter).getPassword() != null && !this.token.config.getKeyStoreCompatibilityMode()) {
            throw new KeyStoreException(new UnsupportedOperationException("ProtectionParameter must be null"));
        }
        if (this.token.isWriteProtected()) {
            throw new KeyStoreException("token write-protected");
        }
        // Trust anchors cannot be added through this API.
        if (entry instanceof KeyStore.TrustedCertificateEntry) {
            throw new KeyStoreException(new UnsupportedOperationException("trusted certificates may only be set by token initialization application"));
        }
        if (entry instanceof KeyStore.PrivateKeyEntry) {
            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            // Accept keys already on a token (P11Key) or software keys of the three supported algorithms.
            if (!(privateKey instanceof P11Key) && !(privateKey instanceof RSAPrivateKey) && !(privateKey instanceof DSAPrivateKey) && !(privateKey instanceof DHPrivateKey)) {
                throw new KeyStoreException("unsupported key type: " + privateKey.getClass().getName());
            }
            Certificate[] certificateChain = ((KeyStore.PrivateKeyEntry) entry).getCertificateChain();
            // The check is on the array's runtime type, not on the individual elements.
            if (!(certificateChain instanceof X509Certificate[])) {
                throw new KeyStoreException(new UnsupportedOperationException("unsupported certificate array type: " + certificateChain.getClass().getName()));
            }
            try {
                // z records whether an existing private-key entry with the same public key was updated in place.
                boolean z = false;
                Iterator<String> it = this.aliasMap.keySet().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    AliasInfo aliasInfo = this.aliasMap.get(it.next());
                    // NOTE(review): aliasInfo.cert is dereferenced without a null check; presumably every
                    // private-key entry in the map carries a certificate - confirm against mapLabels().
                    if (aliasInfo.type == ATTR_CLASS_PKEY && aliasInfo.cert.getPublicKey().equals(certificateChain[0].getPublicKey())) {
                        // Same public key already on the token: update that object instead of storing a second copy.
                        // The last argument is true when the end-entity certificate differs from the cached one.
                        updatePkey(str, aliasInfo.id, (X509Certificate[]) certificateChain, !aliasInfo.cert.equals(certificateChain[0]));
                        z = true;
                        // NOTE(review): there is no break after a match, so iteration continues over the key
                        // set. Whether updatePkey touches aliasMap is not visible here; if it does, the
                        // iterator would fail. Confirm whether a break was lost in decompilation.
                    }
                }
                if (!z) {
                    // No object with this public key: drop whatever is stored under the alias, then store the new key.
                    engineDeleteEntry(str);
                    storePkey(str, (KeyStore.PrivateKeyEntry) entry);
                }
            } catch (CertificateException e) {
                throw new KeyStoreException(e);
            } catch (PKCS11Exception e2) {
                throw new KeyStoreException(e2);
            }
        } else {
            if (!(entry instanceof KeyStore.SecretKeyEntry)) {
                throw new KeyStoreException(new UnsupportedOperationException("unsupported entry type: " + entry.getClass().getName()));
            }
            KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) entry;
            // The returned key is discarded; the call has no visible effect here.
            secretKeyEntry.getSecretKey();
            try {
                // updateSkey looks the key up by label; only when none exists is the entry replaced.
                if (!updateSkey(str)) {
                    engineDeleteEntry(str);
                    storeSkey(str, secretKeyEntry);
                }
            } catch (PKCS11Exception e3) {
                throw new KeyStoreException(e3);
            }
        }
        try {
            // Rebuild the alias cache from the token so it reflects the write just made.
            // The boolean result of mapLabels() is ignored here, unlike in engineLoad.
            mapLabels();
            if (debug != null) {
                dumpTokenMap();
            }
            if (debug != null) {
                debug.println("engineSetEntry added new entry for [" + str + "] to token");
            }
        } catch (CertificateException e4) {
            throw new KeyStoreException(e4);
        } catch (PKCS11Exception e5) {
            throw new KeyStoreException(e5);
        }
    }

    /**
     * Checks the token's validity and then delegates to the KeyStoreSpi implementation;
     * no behaviour is added beyond the validity check and the synchronization.
     */
    @Override // java.security.KeyStoreSpi
    public synchronized boolean engineEntryInstanceOf(String str, Class<? extends KeyStore.Entry> cls) {
        this.token.ensureValid();
        return super.engineEntryInstanceOf(str, cls);
    }

    /**
     * Reads a certificate object from the token and parses it as X.509.
     *
     * <p>Attribute 17 (0x11) is CKA_VALUE in the PKCS#11 numbering, i.e. the encoded
     * certificate. The bytes are only parsed here: no signature, validity-period or trust check
     * is made on the result.
     *
     * @param j object handle of the certificate
     * @throws CertificateException if the token returns no value or parsing fails
     */
    private X509Certificate loadCert(Session session, long j) throws PKCS11Exception, CertificateException {
        CK_ATTRIBUTE[] valueTemplate = new CK_ATTRIBUTE[]{new CK_ATTRIBUTE(17L)};
        this.token.p11.C_GetAttributeValue(session.id(), j, valueTemplate);
        byte[] encoded = valueTemplate[0].getByteArray();
        if (encoded == null) {
            throw new CertificateException("unexpectedly retrieved null byte array");
        }
        CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
        Certificate parsed = x509Factory.generateCertificate(new ByteArrayInputStream(encoded));
        return (X509Certificate) parsed;
    }

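    /**
     * Builds a certificate chain for {@code x509Certificate} from certificates on the token.
     *
     * <p>Each step searches the token for a certificate whose subject (attribute 257 / 0x101,
     * CKA_SUBJECT in the PKCS#11 numbering) equals the current certificate's issuer. The first
     * match is used. The walk stops at a certificate whose subject equals its issuer, when no
     * issuer certificate is found, or when the next certificate is already in the chain.
     *
     * <p>Links are chosen by name comparison only. No signature is verified here, so the result
     * is a candidate chain that callers still need to validate.
     *
     * @return the chain, starting with {@code x509Certificate}
     */
    private X509Certificate[] loadChain(Session session, X509Certificate x509Certificate) throws PKCS11Exception, CertificateException {
        if (x509Certificate.getSubjectX500Principal().equals(x509Certificate.getIssuerX500Principal())) {
            return new X509Certificate[]{x509Certificate};
        }
        ArrayList<X509Certificate> chain = new ArrayList<X509Certificate>();
        chain.add(x509Certificate);
        X509Certificate current = x509Certificate;
        do {
            CK_ATTRIBUTE[] issuerTemplate = new CK_ATTRIBUTE[]{ATTR_TOKEN_TRUE, ATTR_CLASS_CERT, new CK_ATTRIBUTE(257L, current.getIssuerX500Principal().getEncoded())};
            this.token.p11.C_FindObjectsInit(session.id(), issuerTemplate);
            long[] found = this.token.p11.C_FindObjects(session.id(), 100L);
            this.token.p11.C_FindObjectsFinal(session.id());
            if (found == null || found.length == 0) {
                break;
            }
            if (debug != null && found.length > 1) {
                debug.println("engineGetEntry found " + found.length + " certificate entries for subject [" + current.getIssuerX500Principal().toString() + "] in token - using first entry");
            }
            X509Certificate issuer = loadCert(session, found[0]);
            // Certificates on the token can name each other as issuer (A issued by B, B issued by A).
            // Without this check such a loop would never terminate and the list would grow without bound.
            if (chain.contains(issuer)) {
                if (debug != null) {
                    debug.println("loadChain found issuer loop at [" + issuer.getSubjectX500Principal().toString() + "] - stopping chain");
                }
                break;
            }
            chain.add(issuer);
            current = issuer;
        } while (!current.getSubjectX500Principal().equals(current.getIssuerX500Principal()));
        return chain.toArray(new X509Certificate[chain.size()]);
    }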

    /**
     * Wraps a secret-key object on the token as a SecretKey.
     *
     * <p>Attribute 256 (0x100) is CKA_KEY_TYPE in the PKCS#11 numbering. The handled key types
     * are 19 DES, 21 DESede, 31 AES, 32 Blowfish and 18 ARCFOUR (CKK_DES, CKK_DES3, CKK_AES,
     * CKK_BLOWFISH, CKK_RC4). Any other value is reported as "Generic Secret".
     *
     * <p>NOTE(review): DES and DESede use the fixed lengths 64 and 192, while every other type
     * passes the raw value of attribute 353 (0x161, CKA_VALUE_LEN). PKCS#11 defines that
     * attribute in bytes, whereas the fixed values look like bits. Confirm which unit
     * P11Key.secretKey expects.
     *
     * @param j object handle of the secret key
     */
    private SecretKey loadSkey(Session session, long j) throws PKCS11Exception {
        CK_ATTRIBUTE[] typeTemplate = new CK_ATTRIBUTE[]{new CK_ATTRIBUTE(256L)};
        this.token.p11.C_GetAttributeValue(session.id(), j, typeTemplate);
        long keyType = typeTemplate[0].getLong();

        String algorithm;
        int keyLength;
        if (keyType == 19) {
            algorithm = "DES";
            keyLength = 64;
        } else if (keyType == 21) {
            algorithm = "DESede";
            keyLength = 192;
        } else {
            if (keyType == 31) {
                algorithm = "AES";
            } else if (keyType == 32) {
                algorithm = "Blowfish";
            } else if (keyType == 18) {
                algorithm = "ARCFOUR";
            } else {
                if (debug != null) {
                    debug.println("unknown key type [" + keyType + "] - using 'Generic Secret'");
                }
                algorithm = "Generic Secret";
            }
            // Variable-length key types: ask the token for the stored length.
            CK_ATTRIBUTE[] lengthTemplate = new CK_ATTRIBUTE[]{new CK_ATTRIBUTE(353L)};
            this.token.p11.C_GetAttributeValue(session.id(), j, lengthTemplate);
            keyLength = (int) lengthTemplate[0].getLong();
        }
        return P11Key.secretKey(session, j, algorithm, keyLength, null);
    }

    /**
     * Wraps a private-key object on the token as a PrivateKey.
     *
     * <p>Attribute 256 (0x100) is CKA_KEY_TYPE in the PKCS#11 numbering. Key types 0, 1 and 2
     * are RSA, DSA and DH. The reported key size is the bit length of the modulus (attribute
     * 288 / 0x120, CKA_MODULUS) for RSA and of the prime (attribute 304 / 0x130, CKA_PRIME) for
     * DSA and DH. Only these public parameters are read here.
     *
     * @param j object handle of the private key
     * @throws KeyStoreException if the key type is not RSA, DSA or DH
     */
    private PrivateKey loadPkey(Session session, long j) throws PKCS11Exception, KeyStoreException {
        CK_ATTRIBUTE[] typeTemplate = new CK_ATTRIBUTE[]{new CK_ATTRIBUTE(256L)};
        this.token.p11.C_GetAttributeValue(session.id(), j, typeTemplate);
        long keyType = typeTemplate[0].getLong();

        String algorithm;
        long sizeAttribute;
        if (keyType == 0) {
            algorithm = "RSA";
            sizeAttribute = 288L;
        } else if (keyType == 1) {
            algorithm = "DSA";
            sizeAttribute = 304L;
        } else if (keyType == 2) {
            algorithm = "DH";
            sizeAttribute = 304L;
        } else {
            if (debug != null) {
                debug.println("unknown key type [" + keyType + "]");
            }
            throw new KeyStoreException("unknown key type");
        }

        CK_ATTRIBUTE[] sizeTemplate = new CK_ATTRIBUTE[]{new CK_ATTRIBUTE(sizeAttribute)};
        this.token.p11.C_GetAttributeValue(session.id(), j, sizeTemplate);
        int bits = sizeTemplate[0].getBigInteger().bitLength();
        return P11Key.privateKey(session, j, algorithm, bits, null);
    }

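    /**
     * Re-applies the label {@code str} to the secret key that is found under that label.
     *
     * <p>The lookup and the update both use {@code str}, so the value written to
     * attribute 3 (CKA_LABEL) is the one the object was found by.
     *
     * @param str alias, used as CKA_LABEL
     * @return {@code true} if a secret key was found and updated, {@code false} if no
     *         secret key carries that label
     * @throws KeyStoreException if the lookup reports an inconsistent token state
     * @throws PKCS11Exception   if a token call fails
     */
    private boolean updateSkey(String str) throws KeyStoreException, PKCS11Exception {
        // The session is declared outside the try so the finally block can hand back
        // the session that was actually obtained; the previous code released null on
        // failure, which left the real session checked out.
        Session session = null;
        try {
            session = this.token.getOpSession();
            THandle found = getTokenObject(session, ATTR_CLASS_SKEY, null, str);
            if (found.type != ATTR_CLASS_SKEY) {
                if (debug != null) {
                    debug.println("did not find secret key with CKA_LABEL [" + str + "]");
                }
                return false;
            }
            this.token.p11.C_SetAttributeValue(session.id(), found.handle, new CK_ATTRIBUTE[]{new CK_ATTRIBUTE(3L, str)});
            if (debug != null) {
                debug.println("updateSkey set new alias [" + str + "] for secret key entry");
            }
            return true;
        } finally {
            this.token.releaseSession(session);
        }
    }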

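    /**
     * Replaces the certificate chain of an existing private-key entry and sets the
     * key's CKA_ID (attribute 258) to the new alias.
     *
     * <p>The existing chain is always destroyed and the supplied chain stored in its
     * place. The {@code z} argument is accepted but not consulted: the decompiled
     * conditions were the constant {@code 1 != 0}, so the rename-only branches were
     * unreachable and have been dropped.
     *
     * @param str                 new alias
     * @param bArr                CKA_ID under which the key and its certificate are found
     * @param x509CertificateArr  new chain, end-entity certificate first
     * @param z                   ignored
     * @throws KeyStoreException    if the private key or its certificate is missing
     * @throws CertificateException if a certificate cannot be loaded or encoded
     * @throws PKCS11Exception      if a token call fails
     */
    private void updatePkey(String str, byte[] bArr, X509Certificate[] x509CertificateArr, boolean z) throws KeyStoreException, CertificateException, PKCS11Exception {
        // Declared outside the try so that the session is released on every path;
        // the previous code released null when an exception was thrown.
        Session session = null;
        try {
            session = this.token.getOpSession();
            THandle keyObject = getTokenObject(session, ATTR_CLASS_PKEY, bArr, null);
            if (keyObject.type != ATTR_CLASS_PKEY) {
                throw new KeyStoreException("expected but could not find private key with CKA_ID " + getID(bArr));
            }
            long keyHandle = keyObject.handle;
            THandle certObject = getTokenObject(session, ATTR_CLASS_CERT, bArr, null);
            if (certObject.type != ATTR_CLASS_CERT) {
                // This check is for the certificate; the message used to say "private key".
                throw new KeyStoreException("expected but could not find certificate with CKA_ID " + getID(bArr));
            }
            // NOTE(review): the old chain is removed before the new one is written, so a
            // failure in storeChain leaves the key on the token without a certificate.
            destroyChain(bArr);
            storeChain(str, x509CertificateArr);
            this.token.p11.C_SetAttributeValue(session.id(), keyHandle, new CK_ATTRIBUTE[]{new CK_ATTRIBUTE(258L, str)});
            if (debug != null) {
                debug.println("updatePkey set new alias [" + str + "] for private key entry");
            }
        } finally {
            this.token.releaseSession(session);
        }
    }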

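    /**
     * Copies a secret key that already lives on this token into a persistent token
     * object labelled {@code str}.
     *
     * <p>The copy is made by the token itself ({@code C_CopyObject}); the key value is
     * not read into the JVM by this method.
     *
     * @param str    alias, stored as attribute 3 (CKA_LABEL) on the copy
     * @param p11Key key whose {@code keyID} handle is copied
     * @throws PKCS11Exception if the token rejects the copy
     */
    private void updateP11Skey(String str, P11Key p11Key) throws PKCS11Exception {
        Session session = null;
        try {
            session = this.token.getOpSession();
            this.token.p11.C_CopyObject(session.id(), p11Key.keyID, new CK_ATTRIBUTE[]{ATTR_TOKEN_TRUE, new CK_ATTRIBUTE(3L, str)});
            if (debug != null) {
                debug.println("updateP11Skey copied secret session key for [" + str + "] to token entry");
            }
        } finally {
            // Single release point; the try/catch form could call release twice.
            this.token.releaseSession(session);
        }
    }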

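    /**
     * Binds the alias {@code str} to a private key that already lives on this token.
     *
     * <p>A token object gets its attribute 258 (CKA_ID) rewritten in place; a session
     * object is copied into a persistent token object carrying that CKA_ID.
     *
     * @param str    alias, stored as CKA_ID
     * @param p11Key key on this token
     * @throws PKCS11Exception if the token rejects the update or the copy
     */
    private void updateP11Pkey(String str, P11Key p11Key) throws PKCS11Exception {
        // Declared outside the try so the finally block releases the session that was
        // obtained; the previous code released null on failure.
        Session session = null;
        try {
            session = this.token.getOpSession();
            if (p11Key.tokenObject) {
                this.token.p11.C_SetAttributeValue(session.id(), p11Key.keyID, new CK_ATTRIBUTE[]{new CK_ATTRIBUTE(258L, str)});
                if (debug != null) {
                    debug.println("updateP11Pkey set new alias [" + str + "] for key entry");
                }
            } else {
                this.token.p11.C_CopyObject(session.id(), p11Key.keyID, new CK_ATTRIBUTE[]{ATTR_TOKEN_TRUE, new CK_ATTRIBUTE(258L, str)});
                if (debug != null) {
                    debug.println("updateP11Pkey copied private session key for [" + str + "] to token entry");
                }
            }
        } finally {
            this.token.releaseSession(session);
        }
    }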

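    /**
     * Creates a certificate object on the token for {@code x509Certificate}.
     *
     * <p>With an alias, both attribute 3 (CKA_LABEL) and attribute 258 (CKA_ID) are set
     * to it. Without one, only CKA_ID is set, to a value derived from the canonical
     * subject name, issuer name and serial number.
     *
     * @param str             alias, or {@code null} for a certificate stored without one
     * @param x509Certificate certificate to store
     * @throws PKCS11Exception      if the token rejects the object
     * @throws CertificateException if the certificate cannot be encoded
     */
    private void storeCert(String str, X509Certificate x509Certificate) throws PKCS11Exception, CertificateException {
        ArrayList<CK_ATTRIBUTE> template = new ArrayList<CK_ATTRIBUTE>();
        template.add(ATTR_TOKEN_TRUE);
        template.add(ATTR_CLASS_CERT);
        template.add(ATTR_X509_CERT_TYPE);
        // 257 = CKA_SUBJECT, 129 = CKA_ISSUER, 130 = CKA_SERIAL_NUMBER, 17 = CKA_VALUE.
        template.add(new CK_ATTRIBUTE(257L, x509Certificate.getSubjectX500Principal().getEncoded()));
        template.add(new CK_ATTRIBUTE(129L, x509Certificate.getIssuerX500Principal().getEncoded()));
        template.add(new CK_ATTRIBUTE(130L, x509Certificate.getSerialNumber().toByteArray()));
        template.add(new CK_ATTRIBUTE(17L, x509Certificate.getEncoded()));
        if (str != null) {
            template.add(new CK_ATTRIBUTE(3L, str));
            template.add(new CK_ATTRIBUTE(258L, str));
        } else {
            String subject = x509Certificate.getSubjectX500Principal().getName(X500Principal.CANONICAL);
            template.add(new CK_ATTRIBUTE(258L, getID(subject, x509Certificate)));
        }
        Session session = null;
        try {
            session = this.token.getOpSession();
            this.token.p11.C_CreateObject(session.id(), template.toArray(new CK_ATTRIBUTE[template.size()]));
        } finally {
            // Single release point; the try/catch form could call release twice.
            this.token.releaseSession(session);
        }
    }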

    /**
     * Stores a certificate chain: element 0 under the alias {@code str}, the remaining
     * elements as CA certificates without an alias.
     *
     * @param str                alias for the end-entity certificate
     * @param x509CertificateArr chain, end-entity certificate first; must hold at least
     *                           one element
     * @throws PKCS11Exception      if a token call fails
     * @throws CertificateException if a certificate cannot be encoded or loaded
     */
    private void storeChain(String str, X509Certificate[] x509CertificateArr) throws PKCS11Exception, CertificateException {
        X509Certificate endEntity = x509CertificateArr[0];
        storeCert(str, endEntity);
        // CA certificates start at index 1.
        storeCaCerts(x509CertificateArr, 1);
    }

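    /**
     * Stores the certificates {@code x509CertificateArr[i..]} on the token, skipping any
     * that are already present.
     *
     * <p>Presence is decided against the certificates returned by one
     * {@code C_FindObjects} call limited to 100 handles.
     * NOTE(review): on a token holding more certificates than that limit, a duplicate
     * beyond the first 100 would not be detected; confirm whether that matters for the
     * supported tokens.
     *
     * @param x509CertificateArr chain to take the CA certificates from
     * @param i                  index of the first certificate to store
     * @throws PKCS11Exception      if a token call fails
     * @throws CertificateException if a certificate cannot be loaded or encoded
     */
    private void storeCaCerts(X509Certificate[] x509CertificateArr, int i) throws PKCS11Exception, CertificateException {
        HashSet<X509Certificate> onToken = new HashSet<X509Certificate>();
        Session session = null;
        try {
            session = this.token.getOpSession();
            this.token.p11.C_FindObjectsInit(session.id(), new CK_ATTRIBUTE[]{ATTR_TOKEN_TRUE, ATTR_CLASS_CERT});
            long[] handles = this.token.p11.C_FindObjects(session.id(), 100L);
            this.token.p11.C_FindObjectsFinal(session.id());
            for (long handle : handles) {
                onToken.add(loadCert(session, handle));
            }
        } finally {
            this.token.releaseSession(session);
        }
        // The store loop runs after the session has been handed back. It used to sit
        // inside the try, so a failure in storeCert released the same session a second
        // time from the catch block.
        for (int index = i; index < x509CertificateArr.length; index++) {
            X509Certificate candidate = x509CertificateArr[index];
            if (!onToken.contains(candidate)) {
                storeCert(null, candidate);
            } else if (debug != null) {
                debug.println("ignoring duplicate CA cert for [" + ((Object) candidate.getSubjectX500Principal()) + "]");
            }
        }
    }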

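    /**
     * Stores a secret key on the token under the label {@code str}.
     *
     * <p>A key that already lives on this token is copied by the token itself. Any other
     * key is imported: its encoded bytes are placed in attribute 17 (CKA_VALUE) of the
     * creation template, so the raw key passes through JVM memory and the caller's copy
     * remains outside the token afterwards.
     *
     * @param str            alias, stored as attribute 3 (CKA_LABEL)
     * @param secretKeyEntry entry holding the key
     * @throws PKCS11Exception   if the token rejects the object
     * @throws KeyStoreException declared by the signature; not thrown directly here
     */
    private void storeSkey(String str, KeyStore.SecretKeyEntry secretKeyEntry) throws PKCS11Exception, KeyStoreException {
        Key secretKey = secretKeyEntry.getSecretKey();
        if ((secretKey instanceof P11Key) && this.token == ((P11Key) secretKey).token) {
            updateP11Skey(str, (P11Key) secretKey);
            return;
        }
        // Map the JCA algorithm name to a PKCS#11 key type; anything unrecognised is
        // stored as type 16 (CKK_GENERIC_SECRET).
        String algorithm = secretKey.getAlgorithm();
        long keyType = 16L;
        if ("AES".equalsIgnoreCase(algorithm)) {
            keyType = 31L;
        } else if ("Blowfish".equalsIgnoreCase(algorithm)) {
            keyType = 32L;
        } else if ("DES".equalsIgnoreCase(algorithm)) {
            keyType = 19L;
        } else if ("DESede".equalsIgnoreCase(algorithm)) {
            keyType = 21L;
        } else if ("RC4".equalsIgnoreCase(algorithm) || "ARCFOUR".equalsIgnoreCase(algorithm)) {
            keyType = 18L;
        }
        // NOTE(review): Constants.ELEMNAME_IMPORT_STRING looks like a decompiler
        // substitution for an operation-name string; confirm against the provider source.
        CK_ATTRIBUTE[] attributes = this.token.getAttributes(Constants.ELEMNAME_IMPORT_STRING, 4L, keyType, new CK_ATTRIBUTE[]{ATTR_SKEY_TOKEN_TRUE, ATTR_CLASS_SKEY, ATTR_PRIVATE_TRUE, new CK_ATTRIBUTE(256L, keyType), new CK_ATTRIBUTE(3L, str), new CK_ATTRIBUTE(17L, secretKey.getEncoded())});
        Session session = null;
        try {
            session = this.token.getOpSession();
            this.token.p11.C_CreateObject(session.id(), attributes);
            if (debug != null) {
                debug.println("storeSkey created token secret key for [" + str + "]");
            }
        } finally {
            // Single release point; the try/catch form could call release twice.
            this.token.releaseSession(session);
        }
    }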

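    /**
     * Stores a private key and its certificate chain on the token under {@code str}.
     *
     * <p>A key that already lives on this token is re-labelled or copied by the token.
     * An RSA, DSA or DH software key is imported: its private value is placed in the
     * creation template, so the key material passes through JVM memory and the caller's
     * copy remains outside the token afterwards.
     *
     * @param str             alias, stored as attribute 258 (CKA_ID)
     * @param privateKeyEntry entry holding the key and an X.509 chain
     * @throws PKCS11Exception      if a token call fails
     * @throws CertificateException if a certificate cannot be encoded or loaded
     * @throws KeyStoreException    if the key is not RSA, DSA or DH
     */
    private void storePkey(String str, KeyStore.PrivateKeyEntry privateKeyEntry) throws PKCS11Exception, CertificateException, KeyStoreException {
        CK_ATTRIBUTE[] attributes;
        Object privateKey = privateKeyEntry.getPrivateKey();
        if ((privateKey instanceof P11Key) && this.token == ((P11Key) privateKey).token) {
            updateP11Pkey(str, (P11Key) privateKey);
            storeChain(str, (X509Certificate[]) privateKeyEntry.getCertificateChain());
            return;
        }
        if (privateKey instanceof RSAPrivateKey) {
            attributes = getRsaPrivKeyAttrs(str, (RSAPrivateKey) privateKey, ((X509Certificate) privateKeyEntry.getCertificate()).getSubjectX500Principal());
        } else if (privateKey instanceof DSAPrivateKey) {
            DSAPrivateKey dsaKey = (DSAPrivateKey) privateKey;
            // 304 = CKA_PRIME, 305 = CKA_SUBPRIME, 306 = CKA_BASE, 17 = CKA_VALUE (x).
            attributes = this.token.getAttributes(Constants.ELEMNAME_IMPORT_STRING, 3L, 1L, new CK_ATTRIBUTE[]{ATTR_TOKEN_TRUE, ATTR_CLASS_PKEY, ATTR_PRIVATE_TRUE, new CK_ATTRIBUTE(256L, 1L), new CK_ATTRIBUTE(258L, str), new CK_ATTRIBUTE(304L, dsaKey.getParams().getP()), new CK_ATTRIBUTE(305L, dsaKey.getParams().getQ()), new CK_ATTRIBUTE(306L, dsaKey.getParams().getG()), new CK_ATTRIBUTE(17L, dsaKey.getX())});
            if (debug != null) {
                debug.println("storePkey created DSA template");
            }
        } else {
            if (!(privateKey instanceof DHPrivateKey)) {
                // NOTE(review): the message embeds the key's toString(); confirm that key
                // classes reaching this branch do not render key material there.
                throw new KeyStoreException("unsupported key type: " + privateKey);
            }
            DHPrivateKey dhKey = (DHPrivateKey) privateKey;
            // 352 = CKA_VALUE_BITS, taken from the DH parameter L.
            attributes = this.token.getAttributes(Constants.ELEMNAME_IMPORT_STRING, 3L, 2L, new CK_ATTRIBUTE[]{ATTR_TOKEN_TRUE, ATTR_CLASS_PKEY, ATTR_PRIVATE_TRUE, new CK_ATTRIBUTE(256L, 2L), new CK_ATTRIBUTE(258L, str), new CK_ATTRIBUTE(304L, dhKey.getParams().getP()), new CK_ATTRIBUTE(306L, dhKey.getParams().getG()), new CK_ATTRIBUTE(17L, dhKey.getX()), new CK_ATTRIBUTE(352L, dhKey.getParams().getL())});
        }
        Session session = null;
        try {
            session = this.token.getOpSession();
            this.token.p11.C_CreateObject(session.id(), attributes);
            if (debug != null) {
                debug.println("storePkey created token key for [" + str + "]");
            }
        } finally {
            this.token.releaseSession(session);
        }
        // The chain is stored after the session has been handed back. It used to sit
        // inside the try, so a failure in storeChain released the same session a second
        // time from the catch block.
        storeChain(str, (X509Certificate[]) privateKeyEntry.getCertificateChain());
    }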

    /**
     * Builds the object-creation template for importing an RSA private key.
     *
     * <p>A CRT key contributes modulus, private and public exponent, both primes, both
     * prime exponents and the CRT coefficient; a plain key contributes only modulus and
     * private exponent. The returned template therefore holds private key material.
     *
     * @param str           alias, stored as attribute 258 (CKA_ID)
     * @param rSAPrivateKey key to describe
     * @param x500Principal not used by this method
     * @return the template as completed by {@code token.getAttributes}
     * @throws PKCS11Exception if {@code token.getAttributes} fails
     */
    private CK_ATTRIBUTE[] getRsaPrivKeyAttrs(String str, RSAPrivateKey rSAPrivateKey, X500Principal x500Principal) throws PKCS11Exception {
        if (!(rSAPrivateKey instanceof RSAPrivateCrtKey)) {
            if (debug != null) {
                debug.println("creating RSAPrivateKey attrs");
            }
            // 288 = CKA_MODULUS, 291 = CKA_PRIVATE_EXPONENT.
            CK_ATTRIBUTE[] plainTemplate = {ATTR_TOKEN_TRUE, ATTR_CLASS_PKEY, ATTR_PRIVATE_TRUE, new CK_ATTRIBUTE(256L, 0L), new CK_ATTRIBUTE(258L, str), new CK_ATTRIBUTE(288L, rSAPrivateKey.getModulus()), new CK_ATTRIBUTE(291L, rSAPrivateKey.getPrivateExponent())};
            return this.token.getAttributes(Constants.ELEMNAME_IMPORT_STRING, 3L, 0L, plainTemplate);
        }
        if (debug != null) {
            debug.println("creating RSAPrivateCrtKey attrs");
        }
        RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey) rSAPrivateKey;
        // 290 = CKA_PUBLIC_EXPONENT, 292/293 = CKA_PRIME_1/2, 294/295 = CKA_EXPONENT_1/2,
        // 296 = CKA_COEFFICIENT.
        CK_ATTRIBUTE[] crtTemplate = {ATTR_TOKEN_TRUE, ATTR_CLASS_PKEY, ATTR_PRIVATE_TRUE, new CK_ATTRIBUTE(256L, 0L), new CK_ATTRIBUTE(258L, str), new CK_ATTRIBUTE(288L, crtKey.getModulus()), new CK_ATTRIBUTE(291L, crtKey.getPrivateExponent()), new CK_ATTRIBUTE(290L, crtKey.getPublicExponent()), new CK_ATTRIBUTE(292L, crtKey.getPrimeP()), new CK_ATTRIBUTE(293L, crtKey.getPrimeQ()), new CK_ATTRIBUTE(294L, crtKey.getPrimeExponentP()), new CK_ATTRIBUTE(295L, crtKey.getPrimeExponentQ()), new CK_ATTRIBUTE(296L, crtKey.getCrtCoefficient())};
        return this.token.getAttributes(Constants.ELEMNAME_IMPORT_STRING, 3L, 0L, crtTemplate);
    }

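    /**
     * Destroys the certificate object whose CKA_ID is {@code bArr}.
     *
     * @param bArr CKA_ID of the certificate
     * @return {@code true} if a certificate was found and destroyed, {@code false} if
     *         none carries that CKA_ID
     * @throws PKCS11Exception   if a token call fails
     * @throws KeyStoreException if several certificates share the CKA_ID
     */
    private boolean destroyCert(byte[] bArr) throws PKCS11Exception, KeyStoreException {
        Session session = null;
        try {
            session = this.token.getOpSession();
            THandle found = getTokenObject(session, ATTR_CLASS_CERT, bArr, null);
            if (found.type != ATTR_CLASS_CERT) {
                return false;
            }
            this.token.p11.C_DestroyObject(session.id(), found.handle);
            if (debug != null) {
                debug.println("destroyCert destroyed cert with CKA_ID [" + getID(bArr) + "]");
            }
            return true;
        } finally {
            // Single release point; the try/catch form could call release twice.
            this.token.releaseSession(session);
        }
    }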

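    /**
     * Destroys the end-entity certificate with CKA_ID {@code bArr} and then walks up its
     * issuer chain, destroying each CA certificate that no other certificate on the
     * token depends on.
     *
     * <p>A CA certificate counts as shared, and is kept, when the token holds a
     * certificate issued by it other than the CA certificate itself.
     *
     * @param bArr CKA_ID of the end-entity certificate
     * @return {@code true} if the end-entity certificate was found, {@code false}
     *         otherwise
     * @throws PKCS11Exception      if a token call fails
     * @throws CertificateException if a certificate cannot be loaded
     * @throws KeyStoreException    if several certificates share the CKA_ID
     */
    private boolean destroyChain(byte[] bArr) throws PKCS11Exception, CertificateException, KeyStoreException {
        // Declared outside the try so the finally block releases the session that was
        // obtained; the previous code released null on failure.
        Session session = null;
        try {
            session = this.token.getOpSession();
            THandle endEntity = getTokenObject(session, ATTR_CLASS_CERT, bArr, null);
            if (endEntity.type != ATTR_CLASS_CERT) {
                if (debug != null) {
                    debug.println("destroyChain could not find end entity cert with CKA_ID [0x" + Functions.toHexString(bArr) + "]");
                }
                return false;
            }
            X509Certificate current = loadCert(session, endEntity.handle);
            this.token.p11.C_DestroyObject(session.id(), endEntity.handle);
            if (debug != null) {
                debug.println("destroyChain destroyed end entity cert with CKA_ID [" + getID(bArr) + "]");
            }
            // NOTE(review): the walk ends at a self-signed certificate or when no issuer
            // is found on the token; it has no iteration bound of its own, so termination
            // depends on the token contents.
            while (!current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                // Find the issuer: a certificate whose CKA_SUBJECT (257) is our issuer name.
                this.token.p11.C_FindObjectsInit(session.id(), new CK_ATTRIBUTE[]{ATTR_TOKEN_TRUE, ATTR_CLASS_CERT, new CK_ATTRIBUTE(257L, current.getIssuerX500Principal().getEncoded())});
                long[] issuerHandles = this.token.p11.C_FindObjects(session.id(), 100L);
                this.token.p11.C_FindObjectsFinal(session.id());
                if (issuerHandles == null || issuerHandles.length == 0) {
                    break;
                }
                if (debug != null && issuerHandles.length > 1) {
                    debug.println("destroyChain found " + issuerHandles.length + " certificate entries for subject [" + ((Object) current.getIssuerX500Principal()) + "] in token - using first entry");
                }
                current = loadCert(session, issuerHandles[0]);
                // Find everything this CA issued: CKA_ISSUER (129) equal to its subject.
                this.token.p11.C_FindObjectsInit(session.id(), new CK_ATTRIBUTE[]{ATTR_TOKEN_TRUE, ATTR_CLASS_CERT, new CK_ATTRIBUTE(129L, current.getSubjectX500Principal().getEncoded())});
                long[] issuedHandles = this.token.p11.C_FindObjects(session.id(), 100L);
                this.token.p11.C_FindObjectsFinal(session.id());
                // Unshared: nothing issued by it remains, or the only hit is the CA itself.
                boolean unshared = issuedHandles == null
                        || issuedHandles.length == 0
                        || (issuedHandles.length == 1 && current.equals(loadCert(session, issuedHandles[0])));
                if (unshared) {
                    this.token.p11.C_DestroyObject(session.id(), issuerHandles[0]);
                    if (debug != null) {
                        debug.println("destroyChain destroyed cert in chain with subject [" + ((Object) current.getSubjectX500Principal()) + "]");
                    }
                } else if (debug != null) {
                    debug.println("destroyChain did not destroy shared cert in chain with subject [" + ((Object) current.getSubjectX500Principal()) + "]");
                }
            }
            return true;
        } finally {
            this.token.releaseSession(session);
        }
    }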

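    /**
     * Destroys the secret key stored under the label {@code str}.
     *
     * @param str CKA_LABEL of the secret key
     * @return {@code true} if a key was found and destroyed, {@code false} if no secret
     *         key carries that label
     * @throws PKCS11Exception   if a token call fails
     * @throws KeyStoreException if several secret keys share the label
     */
    private boolean destroySkey(String str) throws PKCS11Exception, KeyStoreException {
        // Declared outside the try so the finally block releases the session that was
        // obtained; the previous code released null on failure.
        Session session = null;
        try {
            session = this.token.getOpSession();
            THandle found = getTokenObject(session, ATTR_CLASS_SKEY, null, str);
            if (found.type == ATTR_CLASS_SKEY) {
                this.token.p11.C_DestroyObject(session.id(), found.handle);
                return true;
            }
            if (debug != null) {
                debug.println("destroySkey did not find secret key with CKA_LABEL [" + str + "]");
            }
            return false;
        } finally {
            this.token.releaseSession(session);
        }
    }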

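    /**
     * Destroys the private key whose CKA_ID is {@code bArr}.
     *
     * @param bArr CKA_ID of the private key
     * @return {@code true} if a key was found and destroyed, {@code false} if no private
     *         key carries that CKA_ID
     * @throws PKCS11Exception   if a token call fails
     * @throws KeyStoreException if several private keys share the CKA_ID
     */
    private boolean destroyPkey(byte[] bArr) throws PKCS11Exception, KeyStoreException {
        // Declared outside the try so the finally block releases the session that was
        // obtained; the previous code released null on failure.
        Session session = null;
        try {
            session = this.token.getOpSession();
            THandle found = getTokenObject(session, ATTR_CLASS_PKEY, bArr, null);
            if (found.type == ATTR_CLASS_PKEY) {
                this.token.p11.C_DestroyObject(session.id(), found.handle);
                return true;
            }
            if (debug != null) {
                debug.println("destroyPkey did not find private key with CKA_ID [" + getID(bArr) + "]");
            }
            return false;
        } finally {
            this.token.releaseSession(session);
        }
    }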

    /**
     * Builds an identifier of the form {@code <str>/<issuer>/<serial>}, with the issuer
     * rendered in canonical X.500 form and the serial number in decimal.
     *
     * @param str             leading component of the identifier
     * @param x509Certificate certificate supplying issuer and serial number
     * @return the combined identifier
     */
    private String getID(String str, X509Certificate x509Certificate) {
        String issuer = x509Certificate.getIssuerX500Principal().getName(X500Principal.CANONICAL);
        String serial = x509Certificate.getSerialNumber().toString();
        return str + "/" + issuer + "/" + serial;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Renders a CKA_ID for display: as text when every byte is a PrintableString
     * character, otherwise as {@code 0x} followed by the hex encoding.
     *
     * @param bArr identifier bytes
     * @return the textual or hexadecimal form of {@code bArr}
     */
    public static String getID(byte[] bArr) {
        for (byte b : bArr) {
            if (!DerValue.isPrintableStringChar((char) b)) {
                // At least one non-printable byte: fall back to hex.
                return "0x" + Functions.toHexString(bArr);
            }
        }
        try {
            return new String(bArr, "UTF-8");
        } catch (UnsupportedEncodingException unsupported) {
            return "0x" + Functions.toHexString(bArr);
        }
    }

    /**
     * Finds the single token object of the given class that matches an identifier.
     *
     * <p>Secret keys are looked up by {@code str} (attribute 3, CKA_LABEL); certificates
     * and private keys by {@code bArr} (attribute 258, CKA_ID). An ambiguous match is
     * rejected with an exception rather than resolved by picking one of the objects.
     *
     * @param session      session used for the search
     * @param ck_attribute class marker, compared by reference against the
     *                     {@code ATTR_CLASS_*} constants
     * @param bArr         CKA_ID, used unless a secret key is requested
     * @param str          CKA_LABEL, used when a secret key is requested
     * @return the match, or a handle of {@code -1} with a {@code null} type if nothing
     *         was found
     * @throws PKCS11Exception   if a token call fails
     * @throws KeyStoreException if the match is not unique
     */
    private THandle getTokenObject(Session session, CK_ATTRIBUTE ck_attribute, byte[] bArr, String str) throws PKCS11Exception, KeyStoreException {
        final boolean secretKeyLookup = ck_attribute == ATTR_CLASS_SKEY;
        CK_ATTRIBUTE[] searchTemplate;
        if (secretKeyLookup) {
            searchTemplate = new CK_ATTRIBUTE[]{ATTR_SKEY_TOKEN_TRUE, new CK_ATTRIBUTE(3L, str), ck_attribute};
        } else {
            searchTemplate = new CK_ATTRIBUTE[]{ATTR_TOKEN_TRUE, new CK_ATTRIBUTE(258L, bArr), ck_attribute};
        }
        this.token.p11.C_FindObjectsInit(session.id(), searchTemplate);
        long[] handles = this.token.p11.C_FindObjects(session.id(), 100L);
        this.token.p11.C_FindObjectsFinal(session.id());

        if (handles.length == 0) {
            if (debug != null) {
                if (secretKeyLookup) {
                    debug.println("getTokenObject did not find secret key with CKA_LABEL [" + str + "]");
                } else if (ck_attribute == ATTR_CLASS_CERT) {
                    debug.println("getTokenObject did not find cert with CKA_ID [" + getID(bArr) + "]");
                } else {
                    debug.println("getTokenObject did not find private key with CKA_ID [" + getID(bArr) + "]");
                }
            }
            return new THandle(-1L, null);
        }
        if (handles.length == 1) {
            return new THandle(handles[0], ck_attribute);
        }
        if (!secretKeyLookup) {
            String kind = ck_attribute == ATTR_CLASS_CERT ? " certificates sharing CKA_ID " : " private keys sharing CKA_ID ";
            throw new KeyStoreException("invalid KeyStore state: found " + handles.length + kind + getID(bArr));
        }

        // Several secret keys came back: re-read each label and keep the exact matches.
        ArrayList<THandle> exactMatches = new ArrayList<THandle>(handles.length);
        for (long handle : handles) {
            CK_ATTRIBUTE[] labelTemplate = {new CK_ATTRIBUTE(3L)};
            this.token.p11.C_GetAttributeValue(session.id(), handle, labelTemplate);
            if (labelTemplate[0].pValue == null) {
                continue;
            }
            if (str.equals(new String(labelTemplate[0].getCharArray()))) {
                exactMatches.add(new THandle(handle, ATTR_CLASS_SKEY));
            }
        }
        if (exactMatches.size() != 1) {
            throw new KeyStoreException("invalid KeyStore state: found " + exactMatches.size() + " secret keys sharing CKA_LABEL [" + str + "]");
        }
        return exactMatches.get(0);
    }

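    /**
     * Scans the token for private keys, certificates and secret keys and rebuilds the
     * alias map from what it finds.
     *
     * <p>Each search is a single {@code C_FindObjects} call limited to 100 handles.
     * A certificate's trust flag is read from attribute 134 (CKA_TRUSTED); when that
     * read fails for any reason the certificate is recorded as not trusted.
     *
     * @return the result of {@code mapCerts} for the collected entries
     * @throws PKCS11Exception      if a token call fails
     * @throws CertificateException if a certificate cannot be loaded
     * @throws KeyStoreException    if two secret keys share a label
     */
    private boolean mapLabels() throws PKCS11Exception, CertificateException, KeyStoreException {
        CK_ATTRIBUTE[] trustedTemplate = {new CK_ATTRIBUTE(134L)};
        Session session = null;
        try {
            session = this.token.getOpSession();

            // Pass 1: CKA_ID (258) of every private key.
            ArrayList<byte[]> privateKeyIds = new ArrayList<>();
            this.token.p11.C_FindObjectsInit(session.id(), new CK_ATTRIBUTE[]{ATTR_TOKEN_TRUE, ATTR_CLASS_PKEY});
            long[] keyHandles = this.token.p11.C_FindObjects(session.id(), 100L);
            this.token.p11.C_FindObjectsFinal(session.id());
            for (long keyHandle : keyHandles) {
                CK_ATTRIBUTE[] idTemplate = {new CK_ATTRIBUTE(258L)};
                this.token.p11.C_GetAttributeValue(session.id(), keyHandle, idTemplate);
                if (idTemplate[0].pValue != null) {
                    privateKeyIds.add(idTemplate[0].getByteArray());
                }
            }

            // Pass 2: certificates, grouped by label.
            HashMap<String, HashSet<AliasInfo>> certsByLabel = new HashMap<>();
            this.token.p11.C_FindObjectsInit(session.id(), new CK_ATTRIBUTE[]{ATTR_TOKEN_TRUE, ATTR_CLASS_CERT});
            long[] certHandles = this.token.p11.C_FindObjects(session.id(), 100L);
            this.token.p11.C_FindObjectsFinal(session.id());
            for (long certHandle : certHandles) {
                // The decompiled code used an undeclared register name here; the label is
                // tracked per certificate and starts out unset.
                String label = null;
                byte[] id = null;
                CK_ATTRIBUTE[] labelTemplate = {new CK_ATTRIBUTE(3L)};
                try {
                    this.token.p11.C_GetAttributeValue(session.id(), certHandle, labelTemplate);
                    if (labelTemplate[0].pValue != null) {
                        label = new String(labelTemplate[0].getCharArray());
                    }
                } catch (PKCS11Exception e) {
                    // Error 18 (0x12, CKR_ATTRIBUTE_TYPE_INVALID) means the token has no
                    // label for this object; anything else is a real failure.
                    if (e.getErrorCode() != 18) {
                        throw e;
                    }
                }
                CK_ATTRIBUTE[] idTemplate = {new CK_ATTRIBUTE(258L)};
                this.token.p11.C_GetAttributeValue(session.id(), certHandle, idTemplate);
                if (idTemplate[0].pValue != null) {
                    id = idTemplate[0].getByteArray();
                    if (label == null) {
                        // No label: fall back to a rendering of the CKA_ID.
                        label = getID(id);
                    }
                }
                // NOTE(review): a certificate with neither label nor CKA_ID is still
                // recorded below, under a null key. The decompiled code had an empty
                // branch for that case; confirm whether such entries should be skipped.

                boolean trusted = false;
                if (CKA_TRUSTED_SUPPORTED) {
                    try {
                        this.token.p11.C_GetAttributeValue(session.id(), certHandle, trustedTemplate);
                        trusted = trustedTemplate[0].getBoolean();
                    } catch (PKCS11Exception e2) {
                        // Any failure leaves trusted == false. Error 18 additionally turns
                        // off further CKA_TRUSTED queries.
                        if (e2.getErrorCode() == 18) {
                            CKA_TRUSTED_SUPPORTED = false;
                            if (debug != null) {
                                debug.println("CKA_TRUSTED attribute not supported");
                            }
                        }
                    }
                }
                HashSet<AliasInfo> sameLabel = certsByLabel.get(label);
                if (sameLabel == null) {
                    sameLabel = new HashSet<>(2);
                    certsByLabel.put(label, sameLabel);
                }
                sameLabel.add(new AliasInfo(label, id, trusted, loadCert(session, certHandle)));
            }

            // Pass 3: secret-key labels, which must be unique.
            HashSet<String> secretKeyLabels = new HashSet<>();
            this.token.p11.C_FindObjectsInit(session.id(), new CK_ATTRIBUTE[]{ATTR_SKEY_TOKEN_TRUE, ATTR_CLASS_SKEY});
            long[] secretHandles = this.token.p11.C_FindObjects(session.id(), 100L);
            this.token.p11.C_FindObjectsFinal(session.id());
            for (long secretHandle : secretHandles) {
                CK_ATTRIBUTE[] labelTemplate = {new CK_ATTRIBUTE(3L)};
                this.token.p11.C_GetAttributeValue(session.id(), secretHandle, labelTemplate);
                if (labelTemplate[0].pValue != null) {
                    String secretLabel = new String(labelTemplate[0].getCharArray());
                    if (secretKeyLabels.contains(secretLabel)) {
                        throw new KeyStoreException("invalid KeyStore state: found multiple secret keys sharing same CKA_LABEL [" + secretLabel + "]");
                    }
                    secretKeyLabels.add(secretLabel);
                }
            }

            boolean result = mapCerts(mapPrivateKeys(privateKeyIds, certsByLabel), certsByLabel);
            mapSecretKeys(secretKeyLabels);
            return result;
        } finally {
            this.token.releaseSession(session);
        }
    }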

    /**
     * Resets the alias map and registers every certificate whose CKA_ID equals the
     * CKA_ID of a private key.
     *
     * <p>The alias is the certificate's label when that label is unique, otherwise a
     * label/issuer/serial identifier. A private key without a matching certificate is
     * ignored.
     *
     * @param arrayList CKA_IDs of the private keys on the token
     * @param hashMap   certificates on the token, grouped by label
     * @return the certificate entries that were matched to a private key
     * @throws PKCS11Exception      declared by the signature
     * @throws CertificateException declared by the signature
     */
    private ArrayList<AliasInfo> mapPrivateKeys(ArrayList<byte[]> arrayList, HashMap<String, HashSet<AliasInfo>> hashMap) throws PKCS11Exception, CertificateException {
        this.aliasMap = new HashMap<>();
        ArrayList<AliasInfo> matchedEntries = new ArrayList<>();
        for (byte[] keyId : arrayList) {
            boolean found = false;
            for (String label : hashMap.keySet()) {
                HashSet<AliasInfo> candidates = hashMap.get(label);
                for (AliasInfo candidate : candidates) {
                    if (!Arrays.equals(keyId, candidate.id)) {
                        continue;
                    }
                    candidate.matched = true;
                    // A label shared by several certificates is disambiguated.
                    String alias = candidates.size() == 1 ? label : getID(label, candidate.cert);
                    this.aliasMap.put(alias, candidate);
                    matchedEntries.add(candidate);
                    found = true;
                }
                if (found) {
                    // Stop at the first label group that produced a match.
                    break;
                }
            }
            if (debug != null && !found) {
                debug.println("did not find match for private key with CKA_ID [" + getID(keyId) + "] (ignoring entry)");
            }
        }
        return matchedEntries;
    }

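    /**
     * Loads the chain for every key-matched entry and registers the remaining trusted
     * certificates as trusted-certificate aliases.
     *
     * <p>A certificate that was matched to a private key has its {@code trusted} flag
     * cleared, so it is never also mapped as a trusted certificate.
     *
     * @param arrayList entries matched to a private key
     * @param hashMap   all certificates on the token, grouped by label
     * @return {@code true} if any trusted certificate had to be registered under a
     *         disambiguated alias because its label is shared
     * @throws PKCS11Exception      if a token call fails
     * @throws CertificateException if a chain cannot be loaded
     */
    private boolean mapCerts(ArrayList<AliasInfo> arrayList, HashMap<String, HashSet<AliasInfo>> hashMap) throws PKCS11Exception, CertificateException {
        for (AliasInfo entry : arrayList) {
            Session session = null;
            try {
                session = this.token.getOpSession();
                entry.chain = loadChain(session, entry.cert);
            } finally {
                // Single release point; the try/catch form could call release twice.
                this.token.releaseSession(session);
            }
        }
        boolean sharedLabel = false;
        for (String label : hashMap.keySet()) {
            HashSet<AliasInfo> sameLabel = hashMap.get(label);
            for (AliasInfo info : sameLabel) {
                if (info.matched) {
                    info.trusted = false;
                } else if (CKA_TRUSTED_SUPPORTED && info.trusted && mapTrustedCert(label, info, sameLabel)) {
                    sharedLabel = true;
                }
            }
        }
        return sharedLabel;
    }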

    /**
     * Registers {@code aliasInfo} in the alias map as a trusted certificate entry.
     *
     * @param str       label of the certificate
     * @param aliasInfo entry to register; its type and trusted flag are set here
     * @param hashSet   all certificates sharing the label
     * @return {@code true} if the label is shared and a label/issuer/serial alias was
     *         used, {@code false} if the label itself served as the alias
     */
    private boolean mapTrustedCert(String str, AliasInfo aliasInfo, HashSet<AliasInfo> hashSet) {
        aliasInfo.type = ATTR_CLASS_CERT;
        aliasInfo.trusted = true;
        final boolean sharedLabel = hashSet.size() != 1;
        String alias = sharedLabel ? getID(str, aliasInfo.cert) : str;
        this.aliasMap.put(alias, aliasInfo);
        return sharedLabel;
    }

    /**
     * Adds one alias per secret-key label to the alias map.
     *
     * @param hashSet labels of the secret keys on the token
     * @throws KeyStoreException if a label is already taken by another alias; entries
     *                           added before the clash stay in the map
     */
    private void mapSecretKeys(HashSet<String> hashSet) throws KeyStoreException {
        for (String label : hashSet) {
            if (this.aliasMap.containsKey(label)) {
                throw new KeyStoreException("invalid KeyStore state: found secret key sharing CKA_LABEL [" + label + "] with another token object");
            }
            this.aliasMap.put(label, new AliasInfo(label));
        }
    }

    /**
     * Prints the alias map to standard output, one alias per line followed by the
     * string form of its entry, or {@code [empty]} when there are no aliases.
     */
    private void dumpTokenMap() {
        Set<String> aliases = this.aliasMap.keySet();
        System.out.println("Token Alias Map:");
        if (aliases.isEmpty()) {
            System.out.println("  [empty]");
            return;
        }
        Iterator<String> cursor = aliases.iterator();
        while (cursor.hasNext()) {
            String alias = cursor.next();
            Object entry = this.aliasMap.get(alias);
            System.out.println(sun.security.pkcs11.wrapper.Constants.INDENT + alias + entry);
        }
    }

    /**
     * Guards mutating operations: fails when this keystore has writes disabled.
     *
     * @throws KeyStoreException if {@code writeDisabled} is set
     */
    private void checkWrite() throws KeyStoreException {
        if (!this.writeDisabled) {
            return;
        }
        throw new KeyStoreException("This PKCS11KeyStore does not support write capabilities");
    }
}
