package kz.akkamal.aksig;

import java.io.BufferedInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.KeyStoreSpi;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.PBEKeySpec;
import kz.akkamal.aksig.etc.p12.PKCS12BagAttributeCarrier;
import kz.akkamal.aksig.util.Arrays;
import kz.akkamal.org.bouncycastle.asn1.ASN1EncodableVector;
import kz.akkamal.org.bouncycastle.asn1.ASN1InputStream;
import kz.akkamal.org.bouncycastle.asn1.ASN1OctetString;
import kz.akkamal.org.bouncycastle.asn1.ASN1Sequence;
import kz.akkamal.org.bouncycastle.asn1.ASN1Set;
import kz.akkamal.org.bouncycastle.asn1.BERConstructedOctetString;
import kz.akkamal.org.bouncycastle.asn1.BEROutputStream;
import kz.akkamal.org.bouncycastle.asn1.DERBMPString;
import kz.akkamal.org.bouncycastle.asn1.DEREncodable;
import kz.akkamal.org.bouncycastle.asn1.DERNull;
import kz.akkamal.org.bouncycastle.asn1.DERObject;
import kz.akkamal.org.bouncycastle.asn1.DERObjectIdentifier;
import kz.akkamal.org.bouncycastle.asn1.DEROctetString;
import kz.akkamal.org.bouncycastle.asn1.DERSequence;
import kz.akkamal.org.bouncycastle.asn1.DERSet;
import kz.akkamal.org.bouncycastle.asn1.akkamal.AkKamalObjectIdentifiers;
import kz.akkamal.org.bouncycastle.asn1.pkcs.AuthenticatedSafe;
import kz.akkamal.org.bouncycastle.asn1.pkcs.CertBag;
import kz.akkamal.org.bouncycastle.asn1.pkcs.ContentInfo;
import kz.akkamal.org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo;
import kz.akkamal.org.bouncycastle.asn1.pkcs.MacData;
import kz.akkamal.org.bouncycastle.asn1.pkcs.PKCS12PBEParams;
import kz.akkamal.org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import kz.akkamal.org.bouncycastle.asn1.pkcs.Pfx;
import kz.akkamal.org.bouncycastle.asn1.pkcs.SafeBag;
import kz.akkamal.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import kz.akkamal.org.bouncycastle.asn1.x509.DigestInfo;

/* loaded from: classes.dex */
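/**
 * PKCS#12 key store backed by GOST 28147 password-based primitives.
 *
 * <p>On-disk layout as read by {@link #engineLoad} and written by {@link #engineStore}: a
 * {@code Pfx} whose {@code MacData} is a GOST 28147 PBE MAC over the {@code AuthSafe} octets,
 * and whose {@code AuthSafe} is a {@code data} ContentInfo holding an {@code AuthenticatedSafe}.
 * ContentInfo[0] carries the trusted certificates (one {@code certBag} each); every following
 * ContentInfo carries exactly one key entry: a {@code pkcs8ShroudedKeyBag} (key wrapped with
 * GOST 28147 CBC PBE) followed by the matching {@code certBag}, both tagged with the same
 * {@code friendlyName} attribute, which is the alias.
 *
 * <p>Private keys are held unwrapped in memory after {@code engineLoad}; the per-entry password
 * accepted by {@code engineGetKey}/{@code engineSetKeyEntry} is therefore ignored and only the
 * store password matters. Instances are not thread-safe.
 */
public class Pkcs12KeyStore extends KeyStoreSpi {
    /** PBE iteration count used for freshly wrapped keys and for the MAC written by {@link #engineStore}. */
    private static final int ITERATIONS = 1024;
    /** Salt length in bytes for both the key-wrapping PBE and the MAC PBE. */
    private static final int SALT_SIZE = 32;
    /** Fixed input signed and verified by {@link #isKeyPair}; its content is irrelevant. */
    private static final byte[] KEY_PAIR_PROBE = {1, 2, 3, 4};
    private static final DERObjectIdentifier MAC_OID = AkKamalObjectIdentifiers.gost28147_mac_pbe;
    private static final DERObjectIdentifier CIPH_OID = AkKamalObjectIdentifiers.gost28147_cbc_pbe;
    /** Trusted-certificate entries: alias -> certificate. */
    private Map<String, X509CertificateObject> certMap = new HashMap<>();
    /** Key entries: alias -> private key plus its certificate. Setters keep aliases disjoint from certMap. */
    private Map<String, KeyWithCert> keyMap = new HashMap<>();

    /** A private key together with the single certificate it was stored with. */
    private static final class KeyWithCert {
        private final GeneralPrivateKey priKey;
        private final X509CertificateObject cert;

        KeyWithCert(GeneralPrivateKey priKey, X509CertificateObject cert) {
            this.priKey = priKey;
            this.cert = cert;
        }

        X509CertificateObject getCert() {
            return this.cert;
        }

        GeneralPrivateKey getPriKey() {
            return this.priKey;
        }
    }

    /**
     * Computes the GOST 28147 PBE MAC over {@code data}.
     *
     * @param data       bytes to authenticate
     * @param password   store password fed to the PBE key factory
     * @param salt       PBE salt
     * @param iterations PBE iteration count
     * @return the MAC value
     * @throws GeneralSecurityException if key derivation or MAC computation fails
     */
    private static byte[] gost28147Mac(byte[] data, char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        try {
            SecretKey macKey = new Gost28147PbeKeyFactory(false)
                    .engineGenerateSecret(new PBEKeySpec(password, salt, iterations));
            Gost28147Mac mac = new Gost28147Mac();
            mac.engineInit(macKey, null);
            mac.engineUpdate(data, 0, data.length);
            return mac.engineDoFinal();
        } catch (Exception e) {
            // The provider primitives are caught broadly as in the original; the cause is preserved.
            throw new GeneralSecurityException("GOST 28147 MAC computation failed", e);
        }
    }

    /**
     * Builds the {@code MacData} for a freshly serialised {@code AuthSafe} using a random salt.
     *
     * @param authSafe the {@code data} ContentInfo whose octets are authenticated
     * @param password store password
     * @return MacData carrying the MAC, the salt and {@link #ITERATIONS}
     * @throws RuntimeException if the MAC cannot be computed
     */
    private static MacData calculateMac(ContentInfo authSafe, char[] password) {
        byte[] data = ((ASN1OctetString) authSafe.getContent()).getOctets();
        byte[] salt = new byte[SALT_SIZE];
        AkSigProvConf.getSecureRandom(0).nextBytes(salt);
        try {
            byte[] digest = gost28147Mac(data, password, salt, ITERATIONS);
            return new MacData(new DigestInfo(new AlgorithmIdentifier(MAC_OID, new DERNull()), digest), salt, ITERATIONS);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Can't get mac", e);
        }
    }

    /**
     * Verifies the store MAC against the password before anything inside the PFX is parsed.
     *
     * @param pfx      the decoded PFX
     * @param password store password
     * @throws IOException if MacData is absent, uses an unexpected algorithm, cannot be recomputed,
     *                     or does not match (reported as a wrong password)
     */
    private static void checkMac(Pfx pfx, char[] password) throws IOException {
        MacData macData = pfx.getMacData();
        if (macData == null) {
            throw new IOException("No macData in keystore");
        }
        DigestInfo mac = macData.getMac();
        if (!mac.getAlgorithmId().getObjectId().equals(MAC_OID)) {
            throw new IOException("Bad mac oid");
        }
        byte[] salt = macData.getSalt();
        int iterations = macData.getIterationCount().intValue();
        byte[] data = ((ASN1OctetString) pfx.getAuthSafe().getContent()).getOctets();
        byte[] actual;
        try {
            actual = gost28147Mac(data, password, salt, iterations);
        } catch (GeneralSecurityException e) {
            throw new IOException("Mac checking failed", e);
        }
        // Constant-time comparison: the stored MAC comes from the (untrusted) file.
        if (!MessageDigest.isEqual(actual, mac.getDigest())) {
            throw new IOException("Wrong password");
        }
    }

    /**
     * Copies every bag attribute of {@code bag} onto {@code target}.
     *
     * @throws IOException if {@code target} already carries the same OID with a different value
     */
    private static void copyAttrToObject(SafeBag bag, PKCS12BagAttributeCarrier target) throws IOException {
        if (bag.getBagAttributes() == null) {
            return;
        }
        Enumeration<?> attributes = bag.getBagAttributes().getObjects();
        while (attributes.hasMoreElements()) {
            // Each attribute is SEQUENCE { OID, SET { value } }; only the first SET member is kept.
            ASN1Sequence attribute = (ASN1Sequence) attributes.nextElement();
            DERObjectIdentifier oid = (DERObjectIdentifier) attribute.getObjectAt(0);
            DERObject value = (DERObject) ((ASN1Set) attribute.getObjectAt(1)).getObjectAt(0);
            DEREncodable existing = target.getBagAttribute(oid);
            if (existing == null) {
                target.setBagAttribute(oid, value);
            } else if (!existing.getDERObject().equals(value)) {
                throw new IOException("attribute with the same oid");
            }
        }
    }

    /**
     * Reads the {@code friendlyName} bag attribute used as the entry alias.
     *
     * @return the alias, or {@code null} when the attribute is absent or not a BMPString
     */
    private static String getAlias(PKCS12BagAttributeCarrier carrier) {
        DEREncodable friendlyName = carrier.getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName);
        // A malformed friendlyName is treated as "no alias" instead of failing with a ClassCastException;
        // the callers then reject the entry with an IOException.
        if (!(friendlyName instanceof DERBMPString)) {
            return null;
        }
        return ((DERBMPString) friendlyName).getString();
    }

    /** Encodes all bag attributes of {@code carrier} as the SET written into a SafeBag. */
    private static DERSet getP12Attributes(PKCS12BagAttributeCarrier carrier) {
        Enumeration<?> oids = carrier.getBagAttributeKeys();
        ASN1EncodableVector attributes = new ASN1EncodableVector();
        while (oids.hasMoreElements()) {
            DERObjectIdentifier oid = (DERObjectIdentifier) oids.nextElement();
            ASN1EncodableVector attribute = new ASN1EncodableVector();
            attribute.add(oid);
            attribute.add(new DERSet(carrier.getBagAttribute(oid)));
            attributes.add(new DERSequence(attribute));
        }
        return new DERSet(attributes);
    }

    /**
     * Checks that {@code publicKey} belongs to {@code privateKey} by signing a fixed probe and
     * verifying it with the "AkSig" provider.
     *
     * @return {@code true} only if the key types correspond and the round trip verifies;
     *         any signature failure yields {@code false}
     * @throws RuntimeException if {@code privateKey} is neither RSA nor GOST R 34.10
     */
    private static boolean isKeyPair(PrivateKey privateKey, PublicKey publicKey) {
        String algorithm;
        if (privateKey instanceof RsaPrivateKey) {
            if (!(publicKey instanceof RsaPublicKey)) {
                return false;
            }
            algorithm = "Sha1WithRsa";
        } else if (privateKey instanceof Gost3410PrivateKey) {
            if (!(publicKey instanceof Gost3410PublicKey)) {
                return false;
            }
            algorithm = "ECGOST3410";
        } else {
            throw new RuntimeException("Unsupported key type");
        }
        try {
            Signature signature = Signature.getInstance(algorithm, "AkSig");
            signature.initSign(privateKey);
            signature.update(KEY_PAIR_PROBE);
            byte[] probeSignature = signature.sign();
            signature.initVerify(publicKey);
            signature.update(KEY_PAIR_PROBE);
            return signature.verify(probeSignature);
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Parses one key-entry ContentInfo (shrouded key bag followed by its cert bag) into keyMap.
     *
     * @throws IOException if the ContentInfo, bag order, bag types, certificate or aliases are not as expected
     */
    private void parseKeyWithCertContentInfo(ContentInfo contentInfo, char[] password) throws IOException {
        if (!contentInfo.getContentType().equals(PKCSObjectIdentifiers.data)) {
            throw new IOException("Unsupported ContentInfo type");
        }
        ASN1Sequence bags = (ASN1Sequence) new ASN1InputStream(
                ((ASN1OctetString) contentInfo.getContent()).getOctets()).readObject();
        if (bags.size() < 2) {
            throw new IOException("Key ContentInfo must hold a key bag and a certificate bag");
        }
        SafeBag keyBag = new SafeBag((ASN1Sequence) bags.getObjectAt(0));
        if (!keyBag.getBagId().equals(PKCSObjectIdentifiers.pkcs8ShroudedKeyBag)) {
            throw new IOException("Bad first object in keyCI");
        }
        GeneralPrivateKey privateKey = unwrapKey(new EncryptedPrivateKeyInfo((ASN1Sequence) keyBag.getBagValue()), password);
        copyAttrToObject(keyBag, privateKey);
        SafeBag certSafeBag = new SafeBag((ASN1Sequence) bags.getObjectAt(1));
        if (!certSafeBag.getBagId().equals(PKCSObjectIdentifiers.certBag)) {
            throw new IOException("Bad second object in keyCI");
        }
        CertBag certBag = new CertBag((ASN1Sequence) certSafeBag.getBagValue());
        if (!certBag.getCertId().equals(PKCSObjectIdentifiers.x509Certificate)) {
            throw new IOException("Unsupported certificate type");
        }
        X509CertificateObject certificate;
        try {
            certificate = (X509CertificateObject) AkSigUtil.getCertificate(
                    ((ASN1OctetString) certBag.getCertValue()).getOctets());
        } catch (CertificateException e) {
            throw new IOException("Can't parse certificate: " + e.getMessage(), e);
        }
        copyAttrToObject(certSafeBag, certificate);
        String alias = getAlias(certificate);
        if (alias == null) {
            throw new IOException("Can't find alias attribute");
        }
        // Key and certificate of one entry must carry the same friendlyName.
        if (!alias.equals(getAlias(privateKey))) {
            throw new IOException("Different aliases in object in one keyCI");
        }
        this.keyMap.put(alias, new KeyWithCert(privateKey, certificate));
    }

    /**
     * Parses the trusted-certificate ContentInfo (ContentInfo[0]) into certMap.
     *
     * @throws IOException if the ContentInfo, a bag type, a certificate or a missing alias is rejected
     */
    private void parseTrustCertContentInfo(ContentInfo contentInfo) throws IOException {
        if (!contentInfo.getContentType().equals(PKCSObjectIdentifiers.data)) {
            throw new IOException("Unsupported ContentInfo type");
        }
        ASN1Sequence bags = (ASN1Sequence) new ASN1InputStream(
                ((ASN1OctetString) contentInfo.getContent()).getOctets()).readObject();
        for (int i = 0; i < bags.size(); i++) {
            SafeBag safeBag = new SafeBag((ASN1Sequence) bags.getObjectAt(i));
            if (!safeBag.getBagId().equals(PKCSObjectIdentifiers.certBag)) {
                throw new IOException("Bad SafeBag type int TrustCert CI");
            }
            CertBag certBag = new CertBag((ASN1Sequence) safeBag.getBagValue());
            if (!certBag.getCertId().equals(PKCSObjectIdentifiers.x509Certificate)) {
                throw new IOException("Unsupported certificate type");
            }
            X509CertificateObject certificate;
            try {
                certificate = (X509CertificateObject) AkSigUtil.getCertificate(
                        ((ASN1OctetString) certBag.getCertValue()).getOctets());
            } catch (CertificateException e) {
                throw new IOException("Can't parse certificate", e);
            }
            copyAttrToObject(safeBag, certificate);
            String alias = getAlias(certificate);
            if (alias == null) {
                throw new IOException("Can't find alias attribute");
            }
            this.certMap.put(alias, certificate);
        }
    }

    /** Sets (or overwrites) the {@code friendlyName} bag attribute that {@link #getAlias} reads back. */
    private static void setAlias(PKCS12BagAttributeCarrier carrier, String alias) {
        carrier.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(alias));
    }

    /**
     * Unwraps a shrouded private key with GOST 28147 CBC PBE.
     *
     * @throws IOException      if the encryption algorithm OID is not {@link #CIPH_OID}
     * @throws RuntimeException if key derivation or unwrapping fails (wrong password included)
     */
    private static GeneralPrivateKey unwrapKey(EncryptedPrivateKeyInfo shroudedKey, char[] password) throws IOException {
        AlgorithmIdentifier algorithm = shroudedKey.getEncryptionAlgorithm();
        if (!algorithm.getObjectId().equals(CIPH_OID)) {
            throw new IOException("Bad keyencrypt oid");
        }
        PKCS12PBEParams pbeParams = new PKCS12PBEParams((ASN1Sequence) algorithm.getParameters());
        try {
            // PKCS12PBEParams.getIV() is the PBE salt in this encoding.
            SecretKey wrapKey = new Gost28147PbeKeyFactory(true).engineGenerateSecret(
                    new PBEKeySpec(password, pbeParams.getIV(), pbeParams.getIterations().intValue()));
            Gost28147CbcCipher cipher = new Gost28147CbcCipher();
            cipher.engineInit(Cipher.UNWRAP_MODE, wrapKey, null);
            return (GeneralPrivateKey) cipher.engineUnwrap(shroudedKey.getEncryptedData(), null, Cipher.PRIVATE_KEY);
        } catch (Exception e) {
            throw new RuntimeException("exception unwrapping private key", e);
        }
    }

    /**
     * Wraps a private key with GOST 28147 CBC PBE under a fresh random salt and {@link #ITERATIONS}.
     *
     * @throws RuntimeException if key derivation or wrapping fails
     */
    private static EncryptedPrivateKeyInfo wrapKey(PrivateKey privateKey, char[] password) throws IOException {
        byte[] salt = new byte[SALT_SIZE];
        AkSigProvConf.getSecureRandom(0).nextBytes(salt);
        try {
            SecretKey wrapKey = new Gost28147PbeKeyFactory(true)
                    .engineGenerateSecret(new PBEKeySpec(password, salt, ITERATIONS));
            Gost28147CbcCipher cipher = new Gost28147CbcCipher();
            cipher.engineInit(Cipher.WRAP_MODE, wrapKey, null);
            return new EncryptedPrivateKeyInfo(
                    new AlgorithmIdentifier(CIPH_OID, new PKCS12PBEParams(salt, ITERATIONS).getDERObject()),
                    cipher.engineWrap(privateKey));
        } catch (Exception e) {
            throw new RuntimeException("Can't wrap key", e);
        }
    }

    /** Returns every alias from both maps, each once, in no particular order. */
    @Override // java.security.KeyStoreSpi
    public Enumeration<String> engineAliases() {
        Set<String> aliases = new HashSet<>(this.keyMap.keySet());
        aliases.addAll(this.certMap.keySet());
        return Collections.enumeration(aliases);
    }

    @Override // java.security.KeyStoreSpi
    public boolean engineContainsAlias(String alias) {
        return this.keyMap.containsKey(alias) || this.certMap.containsKey(alias);
    }

    /** Removes the alias from both maps; unknown aliases are silently ignored. */
    @Override // java.security.KeyStoreSpi
    public void engineDeleteEntry(String alias) throws KeyStoreException {
        this.keyMap.remove(alias);
        this.certMap.remove(alias);
    }

    /** A key entry's certificate takes precedence over a trusted certificate with the same alias. */
    @Override // java.security.KeyStoreSpi
    public Certificate engineGetCertificate(String alias) {
        KeyWithCert entry = this.keyMap.get(alias);
        if (entry != null) {
            return entry.getCert();
        }
        return this.certMap.get(alias);
    }

    /** Searches key entries first, then trusted certificates; only {@link X509CertificateObject} can match. */
    @Override // java.security.KeyStoreSpi
    public String engineGetCertificateAlias(Certificate certificate) {
        if (!(certificate instanceof X509CertificateObject)) {
            return null;
        }
        for (Map.Entry<String, KeyWithCert> entry : this.keyMap.entrySet()) {
            if (entry.getValue().getCert().equals(certificate)) {
                return entry.getKey();
            }
        }
        for (Map.Entry<String, X509CertificateObject> entry : this.certMap.entrySet()) {
            if (entry.getValue().equals(certificate)) {
                return entry.getKey();
            }
        }
        return null;
    }

    /**
     * Not implemented: returns {@code null} for aliases without a key entry (as the KeyStore
     * contract requires) and throws for key entries, since only a single certificate is stored.
     *
     * @throws UnsupportedOperationException for every key-entry alias
     */
    @Override // java.security.KeyStoreSpi
    public Certificate[] engineGetCertificateChain(String alias) {
        if (!this.keyMap.containsKey(alias)) {
            return null;
        }
        throw new UnsupportedOperationException("Not supported yet.");
    }

    /** Creation dates are not recorded in this format; always {@code null}. */
    @Override // java.security.KeyStoreSpi
    public Date engineGetCreationDate(String alias) {
        return null;
    }

    /**
     * Returns the unwrapped private key for a key entry, or {@code null}.
     *
     * @param password ignored: keys are unwrapped with the store password during {@link #engineLoad}
     */
    @Override // java.security.KeyStoreSpi
    public Key engineGetKey(String alias, char[] password) throws NoSuchAlgorithmException, UnrecoverableKeyException {
        KeyWithCert entry = this.keyMap.get(alias);
        if (entry == null) {
            return null;
        }
        return entry.getPriKey();
    }

    /**
     * {@code true} only for trusted-certificate entries. A key entry's alias is a key entry, not a
     * certificate entry, even though {@link #engineGetCertificate} returns its certificate.
     */
    @Override // java.security.KeyStoreSpi
    public boolean engineIsCertificateEntry(String alias) {
        return this.certMap.containsKey(alias) && !this.keyMap.containsKey(alias);
    }

    @Override // java.security.KeyStoreSpi
    public boolean engineIsKeyEntry(String alias) {
        return this.keyMap.containsKey(alias);
    }

    /**
     * Replaces the in-memory entries with the content of {@code inputStream}.
     *
     * <p>A {@code null} stream yields an empty store. The stream is neither closed nor consumed
     * past the PFX encoding; the MAC is verified before any bag is parsed.
     *
     * @throws IOException if the stream is not a DER SEQUENCE, the MAC/password check fails,
     *                     or the structure deviates from the layout described on the class
     */
    @Override // java.security.KeyStoreSpi
    public void engineLoad(InputStream inputStream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
        this.certMap = new HashMap<>();
        this.keyMap = new HashMap<>();
        if (inputStream == null) {
            return;
        }
        BufferedInputStream in = new BufferedInputStream(inputStream);
        in.mark(10);
        // 0x30 is the DER tag of the outer PFX SEQUENCE; anything else is not a PKCS#12 store.
        if (in.read() != 0x30) {
            throw new IOException("stream does not represent a PKCS12 key store");
        }
        in.reset();
        Pfx pfx = new Pfx((ASN1Sequence) new ASN1InputStream(in).readObject());
        checkMac(pfx, password);
        ContentInfo authSafe = pfx.getAuthSafe();
        if (!authSafe.getContentType().equals(PKCSObjectIdentifiers.data)) {
            throw new IOException("Bad PKCS#12 format. PFX.AuthSafe not data");
        }
        ContentInfo[] contentInfos = new AuthenticatedSafe(((ASN1OctetString) authSafe.getContent()).getOctets()).getContentInfo();
        if (contentInfos.length < 1) {
            return;
        }
        parseTrustCertContentInfo(contentInfos[0]);
        for (int i = 1; i < contentInfos.length; i++) {
            parseKeyWithCertContentInfo(contentInfos[i], password);
        }
    }

    /**
     * Stores a trusted certificate, or — when a key entry with this alias exists — replaces that
     * entry's certificate after checking it pairs with the stored key.
     *
     * @throws KeyStoreException if the certificate is not an {@link X509CertificateObject} or
     *                           does not match the existing key
     */
    @Override // java.security.KeyStoreSpi
    public void engineSetCertificateEntry(String alias, Certificate certificate) throws KeyStoreException {
        if (!(certificate instanceof X509CertificateObject)) {
            throw new KeyStoreException("Unsupported certificate object");
        }
        KeyWithCert existing = this.keyMap.get(alias);
        if (existing == null) {
            this.certMap.put(alias, (X509CertificateObject) certificate);
            return;
        }
        // No cast to a GOST public key here: isKeyPair() dispatches on the key types itself, so an
        // RSA certificate is reported as a pairing failure instead of a ClassCastException.
        if (!isKeyPair(existing.getPriKey(), certificate.getPublicKey())) {
            throw new KeyStoreException("Bad key for keypair");
        }
        this.keyMap.put(alias, new KeyWithCert(existing.getPriKey(), (X509CertificateObject) certificate));
    }

    /**
     * Stores a private key with the first certificate of {@code chain}; the rest of the chain is
     * validated for type but not retained.
     *
     * @param password ignored; keys are protected by the store password at {@link #engineStore}
     * @throws KeyStoreException if the key or a chain element has an unsupported type, the chain
     *                           is {@code null} or empty, the alias is already a trusted certificate,
     *                           or the first certificate does not pair with the key
     */
    @Override // java.security.KeyStoreSpi
    public void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain) throws KeyStoreException {
        if (!(key instanceof GeneralPrivateKey)) {
            throw new KeyStoreException("Unsupported key type");
        }
        GeneralPrivateKey privateKey = (GeneralPrivateKey) key;
        if (chain == null || chain.length < 1) {
            throw new KeyStoreException("No certificate present");
        }
        for (Certificate certificate : chain) {
            if (!(certificate instanceof X509CertificateObject)) {
                throw new KeyStoreException("Unsupported cert type int chain");
            }
        }
        if (this.certMap.containsKey(alias)) {
            throw new KeyStoreException("Certificate with this alias already exist");
        }
        if (!isKeyPair(privateKey, chain[0].getPublicKey())) {
            throw new KeyStoreException("Certificate not for this key");
        }
        this.keyMap.put(alias, new KeyWithCert(privateKey, (X509CertificateObject) chain[0]));
    }

    /** Pre-encrypted keys are not supported by this store. */
    @Override // java.security.KeyStoreSpi
    public void engineSetKeyEntry(String alias, byte[] encryptedKey, Certificate[] chain) throws KeyStoreException {
        throw new UnsupportedOperationException("Not supported yet.");
    }

    /**
     * Size as exposed through {@code KeyStore.size()}.
     *
     * <p>NOTE(review): this counts every key entry twice (its key bag and its certificate bag) and
     * every trusted certificate once, i.e. the number of SafeBags {@link #engineStore} writes rather
     * than the number of aliases. Kept unchanged because callers may rely on it — confirm.
     */
    @Override // java.security.KeyStoreSpi
    public int engineSize() {
        return (this.keyMap.size() * 2) + this.certMap.size();
    }

    /**
     * Serialises the store in the layout described on the class and protects it with a MAC.
     *
     * <p>Side effect: the {@code friendlyName} attribute of every stored key and certificate is
     * (re)set to its alias so that the objects can be read back by {@link #engineLoad}.
     *
     * @throws NullPointerException if {@code password} is {@code null} (it is required for the MAC)
     */
    @Override // java.security.KeyStoreSpi
    public void engineStore(OutputStream outputStream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
        if (password == null) {
            throw new NullPointerException("No password supplied.");
        }
        ContentInfo[] contentInfos = new ContentInfo[this.keyMap.size() + 1];

        // ContentInfo[0]: all trusted certificates in one SEQUENCE of certBags.
        ASN1EncodableVector trustedBags = new ASN1EncodableVector();
        for (Map.Entry<String, X509CertificateObject> entry : this.certMap.entrySet()) {
            X509CertificateObject certificate = entry.getValue();
            setAlias(certificate, entry.getKey());
            trustedBags.add(new SafeBag(PKCSObjectIdentifiers.certBag,
                    new CertBag(PKCSObjectIdentifiers.x509Certificate, new DEROctetString(certificate.getEncoded())).getDERObject(),
                    getP12Attributes(certificate)));
        }
        contentInfos[0] = new ContentInfo(PKCSObjectIdentifiers.data, new DEROctetString(new DERSequence(trustedBags)));

        // ContentInfo[1..]: one per key entry, holding the shrouded key bag then its certBag.
        int index = 1;
        for (Map.Entry<String, KeyWithCert> entry : this.keyMap.entrySet()) {
            String alias = entry.getKey();
            GeneralPrivateKey privateKey = entry.getValue().getPriKey();
            X509CertificateObject certificate = entry.getValue().getCert();
            ASN1EncodableVector entryBags = new ASN1EncodableVector();
            EncryptedPrivateKeyInfo shroudedKey = wrapKey(privateKey, password);
            setAlias(privateKey, alias);
            entryBags.add(new SafeBag(PKCSObjectIdentifiers.pkcs8ShroudedKeyBag, shroudedKey.getDERObject(), getP12Attributes(privateKey)));
            setAlias(certificate, alias);
            entryBags.add(new SafeBag(PKCSObjectIdentifiers.certBag,
                    new CertBag(PKCSObjectIdentifiers.x509Certificate, new DEROctetString(certificate.getEncoded())).getDERObject(),
                    getP12Attributes(certificate)));
            contentInfos[index] = new ContentInfo(PKCSObjectIdentifiers.data, new DEROctetString(new DERSequence(entryBags)));
            index++;
        }

        AuthenticatedSafe authenticatedSafe = new AuthenticatedSafe(contentInfos);
        ByteArrayOutputStream encodedSafe = new ByteArrayOutputStream();
        new BEROutputStream(encodedSafe).writeObject(authenticatedSafe);
        ContentInfo authSafe = new ContentInfo(PKCSObjectIdentifiers.data, new BERConstructedOctetString(encodedSafe.toByteArray()));
        new BEROutputStream(outputStream).writeObject(new Pfx(authSafe, calculateMac(authSafe, password)));
    }
}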
