package com.oracle.jipher.pki.internal;

import com.oracle.jipher.pki.internal.P12Entry;
import com.oracle.jipher.tools.asn1.Asn1;
import com.oracle.jipher.tools.asn1.Asn1BerValue;
import com.oracle.jipher.tools.asn1.Asn1Exception;
import com.oracle.jipher.tools.asn1.UniversalTag;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyStoreSpi;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableEntryException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:com/oracle/jipher/pki/internal/Pkcs12KeyStoreSpi.class */
public class Pkcs12KeyStoreSpi extends KeyStoreSpi {
    // PBE scheme used for content this class encrypts itself; consumed by genEncryptIdDefault().
    private static final String DEFAULT_ENC_ALG = "PBEWithHmacSHA256AndAES_128";
    // Salt length in bytes. Despite the ENC name, constructMacData() also uses it for the MAC salt.
    private static final int DEFAULT_ENC_SALT_LEN = 20;
    // Length in bytes of the random IV wrapped in an IvParameterSpec by genEncryptIdDefault().
    private static final int DEFAULT_ENC_IV_LEN = 16;
    // PBE iteration count for default encryption parameters.
    private static final int DEFAULT_ENC_ITER_COUNT = 50000;
    // PBE iteration count for the integrity MAC written by constructMacData().
    private static final int DEFAULT_MAC_ITER_COUNT = 100000;
    // PKCS #7 content types: data and encryptedData.
    private static final String OID_CONTENT_TYPE_DATA = "1.2.840.113549.1.7.1";
    private static final String OID_CONTENT_TYPE_ENCRYPTED_DATA = "1.2.840.113549.1.7.6";
    // PKCS #12 bag types: keyBag, pkcs8ShroudedKeyBag, certBag and secretBag.
    private static final String OID_SAFEBAG_TYPE_KEY = "1.2.840.113549.1.12.10.1.1";
    private static final String OID_SAFEBAG_TYPE_SHROUDEDKEY = "1.2.840.113549.1.12.10.1.2";
    private static final String OID_SAFEBAG_TYPE_CERT = "1.2.840.113549.1.12.10.1.3";
    private static final String OID_SAFEBAG_TYPE_SECRET = "1.2.840.113549.1.12.10.1.5";
    // PKCS #9 certificate type x509Certificate; the only certificate type loadCert() accepts.
    private static final String OID_CERTTYPE_X509 = "1.2.840.113549.1.9.22.1";
    // Debug channel. NOTE(review): only engineDeleteEntry() null-checks it; every other use
    // dereferences it directly, so confirm Debug.getInstance never returns null.
    private Debug debug = Debug.getInstance("PKCS12");
    // Live entries keyed by the alias lower-cased with Locale.ENGLISH; iteration follows insertion order.
    private Map<String, P12Entry> entries = new LinkedHashMap();
    // Certificates read without the trust attribute (see saveCert()). They are load-time scratch
    // state used to build key chains and are cleared at the end of a successful engineLoad().
    private List<P12Entry.Cert> otherCerts = new ArrayList();
    // The same scratch certificates indexed by subject; a later certificate with the same subject
    // replaces the earlier one.
    private Map<X500Principal, X509Certificate> otherCertsMap = new LinkedHashMap();
    // Not referenced in the visible code; presumably feeds nextAlias() - TODO confirm.
    private int aliasCounter = 0;

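    /**
     * Recovers the key stored under an alias by decrypting it with the supplied password.
     *
     * <p>The decompiled original nested a {@code NoSuchAlgorithmException} handler around a
     * handler that had already caught it as a {@code GeneralSecurityException}, which left the
     * outer handler unreachable. The handlers are flattened here so the declared exception
     * propagates, ASN.1 decoding failures of the decrypted bytes surface as
     * {@code UnrecoverableKeyException} instead of escaping unchecked, and the original
     * failure is kept as the cause.
     *
     * @param str alias of the entry, matched case-insensitively
     * @param cArr password used to decrypt the protected key
     * @return the private or secret key, or {@code null} when the alias is unknown or names a
     *         certificate entry
     * @throws NoSuchAlgorithmException if the algorithm needed to rebuild the key is unavailable
     * @throws UnrecoverableKeyException if the key cannot be decrypted or decoded
     */
    @Override
    public Key engineGetKey(String str, char[] cArr) throws NoSuchAlgorithmException, UnrecoverableKeyException {
        P12Entry p12Entry = this.entries.get(str.toLowerCase(Locale.ENGLISH));
        if (p12Entry == null || (p12Entry instanceof P12Entry.Cert)) {
            return null;
        }
        P12Entry.Key key = (P12Entry.Key) p12Entry;
        byte[] plainKey = null;
        try {
            // Mode 2 equals Cipher.DECRYPT_MODE; pbeCipher itself is defined outside this view.
            plainKey = pbeCipher(2, key.encAlgId, cArr, key.encryptedKey);
            List<Asn1BerValue> sequence = Asn1.decodeOne(plainKey).tag(UniversalTag.SEQUENCE).count(3, 4).sequence();
            AlgorithmId decode = AlgorithmId.decode(sequence.get(1));
            if (p12Entry instanceof P12Entry.PrivKey) {
                return KeyFactory.getInstance(decode.getAlg()).generatePrivate(new PKCS8EncodedKeySpec(plainKey));
            }
            return new SecretKeySpec(sequence.get(2).getOctetString(), decode.getAlg());
        } catch (NoSuchAlgorithmException e) {
            throw e;
        } catch (IOException | GeneralSecurityException | Asn1Exception e) {
            UnrecoverableKeyException failure = new UnrecoverableKeyException("Failed to decrypt key: " + e.getMessage());
            failure.initCause(e);
            throw failure;
        } finally {
            // PKCS8EncodedKeySpec and SecretKeySpec copy their input, so the decrypted encoding
            // can be wiped once the key object exists. The identity guard avoids ever touching
            // the stored ciphertext.
            if (plainKey != null && plainKey != key.encryptedKey) {
                Arrays.fill(plainKey, (byte) 0);
            }
        }
    }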

    /**
     * Returns the certificate chain attached to a private-key entry.
     *
     * @param str alias of the entry, matched case-insensitively
     * @return the chain, leaf first, or {@code null} when the alias is not a private-key entry
     *         or the entry has no chain
     */
    @Override
    public Certificate[] engineGetCertificateChain(String str) {
        P12Entry found = this.entries.get(str.toLowerCase(Locale.ENGLISH));
        if (found instanceof P12Entry.PrivKey) {
            P12Entry.PrivKey keyEntry = (P12Entry.PrivKey) found;
            if (!keyEntry.getChain().isEmpty()) {
                return (Certificate[]) keyEntry.getChain().toArray(new Certificate[0]);
            }
        }
        return null;
    }

    /**
     * Returns the certificate associated with an alias.
     *
     * @param str alias of the entry, matched case-insensitively
     * @return the trusted certificate for a certificate entry, the first chain element for a
     *         private-key entry, or {@code null} for unknown aliases, secret-key entries and
     *         private keys without a chain
     */
    @Override
    public Certificate engineGetCertificate(String str) {
        P12Entry found = this.entries.get(str.toLowerCase(Locale.ENGLISH));
        if (found == null || found instanceof P12Entry.SecretKey) {
            return null;
        }
        if (found instanceof P12Entry.PrivKey) {
            P12Entry.PrivKey keyEntry = (P12Entry.PrivKey) found;
            return keyEntry.getChain().isEmpty() ? null : keyEntry.getChain().get(0);
        }
        return ((P12Entry.Cert) found).cert;
    }

    /**
     * Returns the keystore entry for an alias together with its PKCS #12 attributes.
     *
     * <p>Certificate entries must be requested without a protection parameter. Key entries
     * require a {@link KeyStore.PasswordProtection} carrying a non-null password.
     *
     * @param str alias of the entry, matched case-insensitively
     * @param protectionParameter protection for key entries; must be {@code null} for certificates
     * @return the entry, or {@code null} when the alias is unknown
     * @throws KeyStoreException if a certificate is requested with protection, or the password is null
     * @throws NoSuchAlgorithmException if the key algorithm is unavailable
     * @throws UnrecoverableEntryException if no password protection is given for a key entry or
     *         the key cannot be recovered
     */
    @Override
    public KeyStore.Entry engineGetEntry(String str, KeyStore.ProtectionParameter protectionParameter) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException {
        P12Entry found = this.entries.get(str.toLowerCase(Locale.ENGLISH));
        if (found == null) {
            return null;
        }
        if (found instanceof P12Entry.Cert) {
            if (protectionParameter != null) {
                throw new KeyStoreException("Requested certificate entry does not require password");
            }
            P12Entry.Cert certEntry = (P12Entry.Cert) found;
            return new KeyStore.TrustedCertificateEntry(certEntry.cert, certEntry.attributes.toAttributeSet());
        }
        if (!(protectionParameter instanceof KeyStore.PasswordProtection)) {
            throw new UnrecoverableEntryException("Requested key entry required PasswordProtection");
        }
        // getPassword() hands back the caller's own array, so it is not wiped here.
        char[] secret = ((KeyStore.PasswordProtection) protectionParameter).getPassword();
        if (secret == null) {
            throw new KeyStoreException("Password cannot be null");
        }
        if (found instanceof P12Entry.PrivKey) {
            PrivateKey privateKey = (PrivateKey) engineGetKey(str, secret);
            Certificate[] chain = engineGetCertificateChain(str);
            return new KeyStore.PrivateKeyEntry(privateKey, chain, found.attributes.toAttributeSet());
        }
        SecretKey secretKey = (SecretKey) engineGetKey(str, secret);
        return new KeyStore.SecretKeyEntry(secretKey, found.attributes.toAttributeSet());
    }

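    /**
     * Returns the creation date recorded for an alias.
     *
     * <p>{@link Date} is mutable, so a copy is returned; handing out the stored instance would
     * let a caller alter the entry's recorded date.
     *
     * @param str alias of the entry, matched case-insensitively
     * @return a copy of the creation date, or {@code null} when the alias is unknown or the
     *         entry carries no date
     */
    @Override
    public Date engineGetCreationDate(String str) {
        P12Entry p12Entry = this.entries.get(str.toLowerCase(Locale.ENGLISH));
        if (p12Entry == null || p12Entry.date == null) {
            return null;
        }
        return new Date(p12Entry.date.getTime());
    }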

    /**
     * Stores a keystore entry under an alias.
     *
     * <p>Trusted-certificate entries are stored as given. Private-key and secret-key entries
     * need a {@link KeyStore.PasswordProtection} with a non-null password, which is used to
     * encrypt the key.
     *
     * @param str alias to store under
     * @param entry the entry to store
     * @param protectionParameter password protection for key entries; may be {@code null} for certificates
     * @throws KeyStoreException if the protection or entry type is unsupported, or a key entry
     *         lacks a usable password
     */
    @Override
    public void engineSetEntry(String str, KeyStore.Entry entry, KeyStore.ProtectionParameter protectionParameter) throws KeyStoreException {
        if (protectionParameter != null && !(protectionParameter instanceof KeyStore.PasswordProtection)) {
            throw new KeyStoreException("Unsupported protection parameter");
        }
        boolean isPrivateKey = entry instanceof KeyStore.PrivateKeyEntry;
        boolean isSecretKey = entry instanceof KeyStore.SecretKeyEntry;
        if (!isPrivateKey && !isSecretKey) {
            if (entry instanceof KeyStore.TrustedCertificateEntry) {
                KeyStore.TrustedCertificateEntry trusted = (KeyStore.TrustedCertificateEntry) entry;
                setCertEntry(str, trusted.getTrustedCertificate(), trusted.getAttributes());
                return;
            }
            throw new KeyStoreException("Unsupported entry type: " + entry.getClass().getName());
        }
        if (protectionParameter == null) {
            throw new KeyStoreException("Protection parameter required to store key.");
        }
        KeyStore.PasswordProtection protection = (KeyStore.PasswordProtection) protectionParameter;
        if (protection.getPassword() == null) {
            throw new KeyStoreException("Protection parameter requires non-null password to store key.");
        }
        if (isPrivateKey) {
            KeyStore.PrivateKeyEntry privateEntry = (KeyStore.PrivateKeyEntry) entry;
            setKeyEntry(str, privateEntry.getPrivateKey(), protection, privateEntry.getCertificateChain(), privateEntry.getAttributes());
            return;
        }
        KeyStore.SecretKeyEntry secretEntry = (KeyStore.SecretKeyEntry) entry;
        setKeyEntry(str, secretEntry.getSecretKey(), protection, null, secretEntry.getAttributes());
    }

    /**
     * Stores a key under an alias, encrypting it with the given password.
     *
     * @param str alias to store under
     * @param key private or secret key to protect
     * @param cArr password used to encrypt the key
     * @param certificateArr certificate chain for a private key
     * @throws KeyStoreException if the key cannot be stored
     */
    @Override
    public void engineSetKeyEntry(String str, Key key, char[] cArr, Certificate[] certificateArr) throws KeyStoreException {
        // PasswordProtection keeps its own copy of the password, so the copy is destroyed below
        // while the caller's array is left untouched.
        KeyStore.PasswordProtection protection = new KeyStore.PasswordProtection(cArr);
        try {
            setKeyEntry(str, key, protection, certificateArr, null);
        } finally {
            try {
                protection.destroy();
            } catch (DestroyFailedException ignored) {
                // Best-effort cleanup: a failure to wipe the copy must not mask the store result.
            }
        }
    }

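    /**
     * Stores an already-protected key under an alias.
     *
     * <p>The bytes must decode as a two-element SEQUENCE of algorithm identifier and OCTET
     * STRING. They are stored as given; nothing here checks that they can be decrypted. A
     * non-null chain makes this a private-key entry, otherwise it is a secret-key entry.
     *
     * <p>Like {@code setKeyEntry}, this refuses to replace an existing certificate entry, so
     * an alias cannot change from trusted certificate to key through this path either.
     *
     * @param str alias to store under
     * @param bArr encoded protected key
     * @param certificateArr certificate chain, or {@code null} for a secret key
     * @throws KeyStoreException if the alias names a certificate entry, the chain is invalid
     *         or the bytes are malformed
     */
    @Override
    public void engineSetKeyEntry(String str, byte[] bArr, Certificate[] certificateArr) throws KeyStoreException {
        if (engineIsCertificateEntry(str)) {
            throw new KeyStoreException("Cannot replace existing cert entry with key entry");
        }
        P12Entry.Key secretKey;
        try {
            List<Asn1BerValue> sequence = Asn1.decodeOne(bArr).count(2).tag(UniversalTag.SEQUENCE).sequence();
            AlgorithmId decode = AlgorithmId.decode(sequence.get(0));
            byte[] octetString = sequence.get(1).getOctetString();
            if (certificateArr != null) {
                validateCertChain(certificateArr);
                secretKey = new P12Entry.PrivKey(octetString, decode, certificateArr);
            } else {
                secretKey = new P12Entry.SecretKey(octetString, decode);
            }
            secretKey.setAttributes(P12Attributes.create(str, P12Entry.generateKeyId()));
            this.entries.put(str.toLowerCase(Locale.ENGLISH), secretKey);
        } catch (Asn1Exception | IOException e) {
            throw new KeyStoreException("Invalid protected format key bytes", e);
        }
    }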

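    /**
     * Encrypts a key with the given password protection and stores it under an alias.
     *
     * <p>If the protection names no algorithm, fresh default parameters from
     * {@code genEncryptIdDefault()} are used. An existing certificate entry is never replaced.
     *
     * <p>NOTE(review): the plaintext encodings passed to {@code pbeCipher}
     * ({@code key.getEncoded()} and the {@code encodeSecretKey} result) are not wiped
     * afterwards; whether that is safe to add depends on whether the key returns a copy.
     *
     * @param str alias to store under
     * @param key private or secret key to protect
     * @param passwordProtection password and optional algorithm and parameters
     * @param certificateArr certificate chain; validated for private keys
     * @param set extra attributes to attach, or {@code null}
     * @throws KeyStoreException if the alias names a certificate entry, the key type is
     *         unsupported, the chain is invalid or encryption fails
     */
    private void setKeyEntry(String str, Key key, KeyStore.PasswordProtection passwordProtection, Certificate[] certificateArr, Set<KeyStore.Entry.Attribute> set) throws KeyStoreException {
        P12Entry.Key secretKey;
        try {
            if (engineIsCertificateEntry(str)) {
                throw new KeyStoreException("Cannot replace existing cert entry with key entry");
            }
            char[] password = passwordProtection.getPassword();
            String protectionAlgorithm = passwordProtection.getProtectionAlgorithm();
            AlgorithmId algorithmId = protectionAlgorithm != null ? new AlgorithmId(protectionAlgorithm, passwordProtection.getProtectionParameters()) : genEncryptIdDefault();
            if (key instanceof PrivateKey) {
                validateCertChain(certificateArr);
                secretKey = new P12Entry.PrivKey(pbeCipher(1, algorithmId, password, key.getEncoded()), algorithmId, certificateArr);
            } else {
                if (!(key instanceof SecretKey)) {
                    throw new KeyStoreException("Unsupported key type.");
                }
                secretKey = new P12Entry.SecretKey(pbeCipher(1, algorithmId, password, encodeSecretKey((SecretKey) key)), algorithmId);
            }
            P12Attributes create = P12Attributes.create(str, P12Entry.generateKeyId());
            if (set != null) {
                create.addAttributes(set);
            }
            secretKey.setAttributes(create);
            this.entries.put(str.toLowerCase(Locale.ENGLISH), secretKey);
        } catch (IOException e) {
            // The original passed e.getCause() unconditionally, so an IOException without a
            // cause produced a KeyStoreException with no message and no cause. Fall back to
            // the IOException itself so the failure is never silently blank.
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            throw new KeyStoreException(cause);
        }
    }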

    /**
     * Stores a trusted certificate under an alias with no caller-supplied attributes.
     *
     * @param str alias to store under
     * @param certificate certificate to trust; must be an {@code X509Certificate}
     * @throws KeyStoreException if the certificate is not X.509 or the alias names a key entry
     */
    @Override
    public void engineSetCertificateEntry(String str, Certificate certificate) throws KeyStoreException {
        final Set<KeyStore.Entry.Attribute> noExtraAttributes = null;
        setCertEntry(str, certificate, noExtraAttributes);
    }

    /**
     * Stores a trusted X.509 certificate under an alias.
     *
     * <p>The entry is tagged with the trusted-usage attribute before any caller attributes are
     * merged in. An alias that already names a key entry is never overwritten.
     *
     * @param str alias to store under
     * @param certificate certificate to trust
     * @param set extra attributes to attach, or {@code null}
     * @throws KeyStoreException if the certificate is not X.509 or the alias names a key entry
     */
    private void setCertEntry(String str, Certificate certificate, Set<KeyStore.Entry.Attribute> set) throws KeyStoreException {
        if (!(certificate instanceof X509Certificate)) {
            throw new KeyStoreException("Cannot set non-X509Certificate");
        }
        P12Entry existing = this.entries.get(str.toLowerCase(Locale.ENGLISH));
        boolean aliasHoldsKey = existing != null && !(existing instanceof P12Entry.Cert);
        if (aliasHoldsKey) {
            throw new KeyStoreException("Cannot override key entry with certificate.");
        }
        P12Attributes attributes = P12Attributes.create(str, null);
        attributes.addTrustedUsage();
        if (set != null) {
            attributes.addAttributes(set);
        }
        P12Entry.Cert trusted = new P12Entry.Cert((X509Certificate) certificate, attributes);
        this.entries.put(str.toLowerCase(Locale.ENGLISH), trusted);
    }

    /**
     * Removes the entry stored under an alias, if any, and reports the outcome on the debug channel.
     *
     * @param str alias of the entry, matched case-insensitively
     */
    @Override
    public void engineDeleteEntry(String str) {
        P12Entry removed = this.entries.remove(str.toLowerCase(Locale.ENGLISH));
        if (this.debug == null) {
            return;
        }
        if (removed != null) {
            this.debug.println("Deleted entry " + str);
        } else {
            this.debug.println("No entry with alias " + str + " to delete.");
        }
    }

    /**
     * Enumerates the stored aliases.
     *
     * <p>The names are the map keys, so they appear in their lower-cased form. The enumeration
     * reads the live key set rather than a snapshot.
     *
     * @return an enumeration over the aliases in insertion order
     */
    @Override
    public Enumeration<String> engineAliases() {
        Set<String> aliases = this.entries.keySet();
        return Collections.enumeration(aliases);
    }

    /**
     * Reports whether an entry exists for an alias.
     *
     * @param str alias to look up, matched case-insensitively
     * @return {@code true} if an entry is stored under the alias
     */
    @Override
    public boolean engineContainsAlias(String str) {
        String normalized = str.toLowerCase(Locale.ENGLISH);
        return this.entries.containsKey(normalized);
    }

    /**
     * Returns the number of entries in the keystore.
     *
     * @return the entry count
     */
    @Override
    public int engineSize() {
        final int entryCount = this.entries.size();
        return entryCount;
    }

    /**
     * Reports whether an alias names a key entry (private or secret).
     *
     * @param str alias to look up, matched case-insensitively
     * @return {@code true} if the alias holds a key entry
     */
    @Override
    public boolean engineIsKeyEntry(String str) {
        P12Entry found = this.entries.get(str.toLowerCase(Locale.ENGLISH));
        return found instanceof P12Entry.Key;
    }

    /**
     * Reports whether an alias names a trusted-certificate entry.
     *
     * @param str alias to look up, matched case-insensitively
     * @return {@code true} if the alias holds a certificate entry
     */
    @Override
    public boolean engineIsCertificateEntry(String str) {
        P12Entry found = this.entries.get(str.toLowerCase(Locale.ENGLISH));
        return found instanceof P12Entry.Cert;
    }

    /**
     * Finds the first alias whose certificate equals the given one.
     *
     * <p>Certificate entries are compared directly; private-key entries are compared on the
     * first certificate of their chain. Secret-key entries are skipped.
     *
     * @param certificate certificate to search for
     * @return the alias recorded on the matching entry, or {@code null} if none matches
     */
    @Override
    public String engineGetCertificateAlias(Certificate certificate) {
        for (P12Entry candidate : this.entries.values()) {
            if (candidate instanceof P12Entry.Cert) {
                if (((P12Entry.Cert) candidate).cert.equals(certificate)) {
                    return candidate.alias;
                }
            } else if (candidate instanceof P12Entry.PrivKey) {
                P12Entry.PrivKey keyEntry = (P12Entry.PrivKey) candidate;
                boolean leafMatches = !keyEntry.getChain().isEmpty() && keyEntry.getChain().get(0).equals(certificate);
                if (leafMatches) {
                    return candidate.alias;
                }
            }
        }
        return null;
    }

    /**
     * Writes the keystore as a DER-encoded PKCS #12 structure.
     *
     * <p>The output is a SEQUENCE of version 3, the authenticated safe wrapped as {@code data}
     * content, and MAC data computed over the authenticated safe with the store password.
     *
     * @param outputStream destination for the encoded keystore
     * @param cArr store password, used for the certificate encryption and the integrity MAC
     * @throws IOException if encoding or writing fails
     * @throws CertificateException if a certificate cannot be encoded
     * @throws IllegalArgumentException if the password is {@code null}
     */
    @Override
    public void engineStore(OutputStream outputStream, char[] cArr) throws IOException, CertificateException {
        if (cArr == null) {
            throw new IllegalArgumentException("password can't be null");
        }
        try {
            byte[] authSafes = constructAuthSafes(cArr);
            byte[] pfx = Asn1.newSequence(
                    Asn1.newInteger(3L),
                    Asn1.newSequence(Asn1.newOid(OID_CONTENT_TYPE_DATA), Asn1.explicit(0).newOctetString(authSafes)),
                    constructMacData(cArr, authSafes)).encodeDerOctets();
            outputStream.write(pfx);
        } catch (AlgIdException | Asn1Exception e) {
            throw new IOException("Error during store", e);
        }
    }

    /**
     * Checks that a chain is structurally plausible before it is stored with a private key.
     *
     * <p>Every element must be an {@code X509Certificate}, each certificate's issuer name must
     * equal the subject name of the next one, and no certificate may appear twice. This is
     * name chaining only: signatures, validity periods and key usage are not examined here.
     *
     * @param certificateArr chain to check, leaf first
     * @throws KeyStoreException if any check fails
     */
    private void validateCertChain(Certificate[] certificateArr) throws KeyStoreException {
        for (Certificate element : certificateArr) {
            if (!(element instanceof X509Certificate)) {
                throw new KeyStoreException("All certificates must be X509Certificate");
            }
        }
        if (certificateArr.length == 1) {
            return;
        }
        for (int next = 1; next < certificateArr.length; next++) {
            X509Certificate issued = (X509Certificate) certificateArr[next - 1];
            X509Certificate issuer = (X509Certificate) certificateArr[next];
            if (!issued.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                throw new KeyStoreException("Certificate chain is not valid.");
            }
        }
        Set<Certificate> distinct = new HashSet<>(Arrays.asList(certificateArr));
        if (distinct.size() != certificateArr.length) {
            throw new KeyStoreException("Certificate chain is not valid.");
        }
    }

    /**
     * Encodes a secret key as a SEQUENCE of version 0, algorithm identifier (OID plus NULL
     * parameters) and the raw key bytes as an OCTET STRING.
     *
     * <p>The result contains the key in the clear; the caller is expected to encrypt it.
     *
     * @param secretKey key to encode
     * @return the DER encoding
     * @throws KeyStoreException if the key's algorithm name cannot be mapped to an OID
     */
    private byte[] encodeSecretKey(SecretKey secretKey) throws KeyStoreException {
        Asn1BerValue algorithmOid = secretKeyAlgToOid(secretKey.getAlgorithm());
        return Asn1.newSequence(
                Asn1.newInteger(0L),
                Asn1.newSequence(algorithmOid, Asn1.newNull()),
                Asn1.newOctetString(secretKey.getEncoded())).encodeDerOctets();
    }

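    /**
     * Maps a secret-key algorithm name to an OID value.
     *
     * <p>{@code "AES"} (any case) maps to {@code 2.16.840.1.101.3.4.1}. Any other name must be
     * a dotted OID, optionally prefixed with {@code "OID."}. The parse failure is kept as the
     * cause of the resulting exception so the rejected value can be diagnosed.
     *
     * @param str algorithm name reported by the key
     * @return the OID value
     * @throws KeyStoreException if the name is neither {@code "AES"} nor a valid OID
     */
    private Asn1BerValue secretKeyAlgToOid(String str) throws KeyStoreException {
        if (str.equalsIgnoreCase("AES")) {
            return Asn1.newOid("2.16.840.1.101.3.4.1");
        }
        String oid = str.toUpperCase(Locale.ENGLISH).startsWith("OID.") ? str.substring(4) : str;
        try {
            return Asn1.newOid(oid);
        } catch (Asn1Exception | IllegalArgumentException e) {
            throw new KeyStoreException("Invalid secret key alg " + str, e);
        }
    }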

    /**
     * Builds the DER-encoded authenticated safe: the plain {@code data} safe (keys) followed
     * by the {@code encryptedData} safe (certificates), each included only if it has content.
     *
     * @param cArr store password used for the encrypted safe
     * @return the encoded SEQUENCE of content infos
     * @throws IOException if encoding or encryption fails
     * @throws CertificateException if a certificate cannot be encoded
     */
    private byte[] constructAuthSafes(char[] cArr) throws IOException, CertificateException {
        Asn1BerValue keySafe = constructSafeContentData();
        Asn1BerValue certSafe = constructSafeContentEncryptedData(cArr);
        ArrayList safes = new ArrayList();
        for (Asn1BerValue safe : new Asn1BerValue[] {keySafe, certSafe}) {
            if (safe != null) {
                safes.add(safe);
            }
        }
        return Asn1.newSequence(safes).encodeDerOctets();
    }

    /**
     * Builds the {@code data} content info holding one bag per private-key and secret-key entry.
     *
     * <p>The safe itself is not encrypted; each key inside it is stored in the protected form
     * held by its entry.
     *
     * @return the content info, or {@code null} when the keystore holds no keys
     * @throws IOException if a bag cannot be encoded
     */
    private Asn1BerValue constructSafeContentData() throws IOException {
        ArrayList bags = new ArrayList();
        for (P12Entry value : this.entries.values()) {
            if (value instanceof P12Entry.PrivKey) {
                bags.add(constructSafeBag((P12Entry.PrivKey) value));
            } else if (value instanceof P12Entry.SecretKey) {
                bags.add(constructSafeBag((P12Entry.SecretKey) value));
            }
        }
        if (bags.isEmpty()) {
            return null;
        }
        byte[] safeContents = Asn1.newSequence(bags).encodeDerOctets();
        return Asn1.newSequence(Asn1.newOid(OID_CONTENT_TYPE_DATA), Asn1.explicit(0).newOctetString(safeContents));
    }

    /**
     * Builds the {@code encryptedData} content info holding every certificate bag.
     *
     * <p>Trusted-certificate entries are written with their own attributes. For each private
     * key, the chain is written too: the leaf carries the key's alias and local key id so it
     * can be re-associated on load, and the remaining certificates are named by subject. The
     * bags are encrypted with the store password under fresh default parameters.
     *
     * @param cArr store password
     * @return the content info, or {@code null} when there are no certificates to write
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws IOException if encoding or encryption fails
     */
    private Asn1BerValue constructSafeContentEncryptedData(char[] cArr) throws CertificateEncodingException, IOException {
        ArrayList bags = new ArrayList();
        for (P12Entry value : this.entries.values()) {
            if (value instanceof P12Entry.Cert) {
                bags.add(constructSafeBag((P12Entry.Cert) value));
            } else if (value instanceof P12Entry.PrivKey) {
                P12Entry.PrivKey keyEntry = (P12Entry.PrivKey) value;
                for (int position = 0; position < keyEntry.getChain().size(); position++) {
                    X509Certificate link = keyEntry.getChain().get(position);
                    P12Entry.Cert chainCert = new P12Entry.Cert(link);
                    P12Attributes attributes;
                    if (position == 0) {
                        attributes = P12Attributes.create(keyEntry.alias, keyEntry.localKeyId);
                    } else {
                        attributes = P12Attributes.create(link.getSubjectX500Principal().getName(), null);
                    }
                    chainCert.setAttributes(attributes);
                    bags.add(constructSafeBag(chainCert));
                }
            }
        }
        if (bags.isEmpty()) {
            return null;
        }
        byte[] plainBags = Asn1.newSequence(bags).encodeDerOctets();
        AlgorithmId encryption = genEncryptIdDefault();
        return Asn1.newSequence(
                Asn1.newOid(OID_CONTENT_TYPE_ENCRYPTED_DATA),
                Asn1.explicit(0).newSequence(
                        Asn1.newInteger(0L),
                        Asn1.newSequence(
                                Asn1.newOid(OID_CONTENT_TYPE_DATA),
                                encryption.toAsn1Value(),
                                Asn1.explicit(0).newOctetString(pbeCipher(1, encryption, cArr, plainBags)))));
    }

    /**
     * Encodes a certificate entry as a certificate bag: bag type, an X.509 certificate value
     * holding the DER certificate, and the entry's attributes.
     *
     * @param cert certificate entry to encode
     * @return the safe bag
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    private Asn1BerValue constructSafeBag(P12Entry.Cert cert) throws CertificateEncodingException {
        Asn1BerValue bagType = Asn1.newOid(OID_SAFEBAG_TYPE_CERT);
        return Asn1.newSequence(
                bagType,
                Asn1.explicit(0).newSequence(
                        Asn1.newOid(OID_CERTTYPE_X509),
                        Asn1.explicit(0).newOctetString(cert.cert.getEncoded())),
                cert.attributes.toAsn1Value());
    }

    /**
     * Encodes a private-key entry as a shrouded key bag: bag type, the encryption algorithm
     * identifier with the already-encrypted key bytes, and the entry's attributes.
     *
     * @param privKey private-key entry to encode
     * @return the safe bag
     * @throws IOException if the algorithm identifier or attributes cannot be encoded
     */
    private Asn1BerValue constructSafeBag(P12Entry.PrivKey privKey) throws IOException {
        Asn1BerValue bagType = Asn1.newOid(OID_SAFEBAG_TYPE_SHROUDEDKEY);
        return Asn1.newSequence(
                bagType,
                Asn1.explicit(0).newSequence(
                        privKey.encAlgId.toAsn1Value(),
                        Asn1.newOctetString(privKey.encryptedKey)),
                privKey.attributes.toAsn1Value());
    }

    /**
     * Encodes a secret-key entry as a secret bag whose value is typed with the shrouded-key-bag
     * OID and wraps the encryption algorithm identifier with the already-encrypted key bytes.
     *
     * @param secretKey secret-key entry to encode
     * @return the safe bag
     * @throws IOException if the algorithm identifier or attributes cannot be encoded
     */
    private Asn1BerValue constructSafeBag(P12Entry.SecretKey secretKey) throws IOException {
        Asn1BerValue bagType = Asn1.newOid(OID_SAFEBAG_TYPE_SECRET);
        return Asn1.newSequence(
                bagType,
                Asn1.explicit(0).newSequence(
                        Asn1.newOid(OID_SAFEBAG_TYPE_SHROUDEDKEY),
                        Asn1.explicit(0).newOctetString(
                                Asn1.newSequence(
                                        secretKey.encAlgId.toAsn1Value(),
                                        Asn1.newOctetString(secretKey.encryptedKey)).encodeDerOctets())),
                secretKey.attributes.toAsn1Value());
    }

    /**
     * Builds the MAC data that protects the authenticated safe: digest info (SHA-1 OID plus the
     * MAC value), the random salt, and the iteration count.
     *
     * <p>The MAC is computed with {@code "HmacPBESHA1"} over the given bytes, keyed from the
     * store password with a fresh salt and {@code DEFAULT_MAC_ITER_COUNT} iterations.
     * NOTE(review): the MAC algorithm is fixed to a SHA-1 based scheme. If policy calls for a
     * SHA-2 based MAC, the change has to be made together with the verification side, which is
     * outside this view.
     *
     * @param cArr store password
     * @param bArr encoded authenticated safe to protect
     * @return the MAC data structure
     * @throws IOException if the MAC cannot be computed
     */
    private Asn1BerValue constructMacData(char[] cArr, byte[] bArr) throws IOException {
        byte[] macSalt = RandBytes.generate(DEFAULT_ENC_SALT_LEN);
        PBEParameterSpec macParams = new PBEParameterSpec(macSalt, DEFAULT_MAC_ITER_COUNT);
        try {
            return Asn1.newSequence(
                    Asn1.newSequence(
                            Asn1.newSequence(Asn1.newOid(Oids.OID_SHA1), Asn1.newNull()),
                            Asn1.newOctetString(computeMac("HmacPBESHA1", cArr, macParams, bArr))),
                    Asn1.newOctetString(macSalt),
                    Asn1.newInteger(DEFAULT_MAC_ITER_COUNT));
        } catch (GeneralSecurityException e) {
            throw new IOException("Failed to compute integrity Mac", e);
        }
    }

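    /**
     * Replaces the keystore contents with those read from a PKCS #12 stream.
     *
     * <p>Integrity handling, as implemented:
     * <ul>
     *   <li>The MAC is verified only when a password is supplied <em>and</em> the file carries
     *       MAC data. A file without MAC data loads without any integrity check even when a
     *       password is given; only a debug message records it.</li>
     *   <li>With a {@code null} password, encrypted safes are skipped and nothing is verified.</li>
     * </ul>
     * Callers that depend on integrity should treat a keystore loaded under either condition as
     * unauthenticated.
     *
     * <p>The scratch certificate collections used for chain building are cleared before the
     * load and again in a {@code finally} block. The original cleared them only after a
     * successful load, so a load that failed part-way left its certificates behind and a later
     * load on the same instance could attach them to key chains from an unrelated file.
     *
     * <p>NOTE(review): entries already parsed remain in the keystore when a load fails
     * part-way; that behaviour is unchanged.
     *
     * @param inputStream source of the keystore, or {@code null} to create an empty keystore
     * @param cArr store password, or {@code null} to skip integrity checking and encrypted safes
     * @throws IOException if the data is a JKS/JCEKS keystore, is malformed, uses an unsupported
     *         content type or fails verification
     */
    @Override
    public void engineLoad(InputStream inputStream, char[] cArr) throws IOException {
        this.entries.clear();
        this.otherCerts.clear();
        this.otherCertsMap.clear();
        if (inputStream == null) {
            return;
        }
        byte[] readAllBytes = readAllBytes(inputStream);
        if (readAllBytes.length >= 4) {
            // Reject other keystore formats early by their magic numbers.
            switch (ByteBuffer.wrap(readAllBytes, 0, 4).getInt(0)) {
                case 0xCECECECE:
                    throw new IOException("Invalid PKCS12 KeyStore: JCEKS type not supported");
                case 0xFEEDFEED:
                    throw new IOException("Invalid PKCS12 KeyStore: JKS type not supported");
                default:
                    break;
            }
        }
        try {
            List<Asn1BerValue> sequence = Asn1.decodeOne(readAllBytes).tag(UniversalTag.SEQUENCE).count(2, 3).sequence();
            if (!sequence.get(0).tag(UniversalTag.INTEGER).getInteger().equals(BigInteger.valueOf(3L))) {
                throw new IOException("Invalid PKCS #12 version: expected 3");
            }
            List<Asn1BerValue> sequence2 = sequence.get(1).tag(UniversalTag.SEQUENCE).count(2).sequence();
            String oid = sequence2.get(0).tag(UniversalTag.OBJECT_IDENTIFIER).getOid();
            if (!oid.equals(OID_CONTENT_TYPE_DATA)) {
                throw new IOException("Invalid ContentInfo type: was " + oid + ", expected " + OID_CONTENT_TYPE_DATA);
            }
            byte[] octetString = sequence2.get(1).tag(0).explicit().getOctetString();
            if (cArr == null || sequence.size() != 3) {
                // No verification happens on this path; see the method documentation.
                if (sequence.size() == 2) {
                    this.debug.println("No integrity info to check.");
                }
                if (cArr == null) {
                    this.debug.println("Password was null, no integrity checking done.");
                }
            } else {
                verifyIntegrity(octetString, sequence.get(2), cArr);
            }
            Iterator<Asn1BerValue> it = Asn1.decodeOne(octetString).tag(UniversalTag.SEQUENCE).sequence().iterator();
            while (it.hasNext()) {
                List<Asn1BerValue> sequence3 = it.next().tag(UniversalTag.SEQUENCE).count(2).sequence();
                String oid2 = sequence3.get(0).tag(UniversalTag.OBJECT_IDENTIFIER).getOid();
                Asn1BerValue explicit = sequence3.get(1).tag(0).explicit();
                if (oid2.equals(OID_CONTENT_TYPE_DATA)) {
                    this.debug.println("Reading Data safe...");
                    loadSafeContents(Asn1.decodeOne(explicit.tag(UniversalTag.OCTET_STRING).gatherContent()), cArr);
                } else {
                    if (!oid2.equals(OID_CONTENT_TYPE_ENCRYPTED_DATA)) {
                        throw new IOException("Unsupported content type " + oid2);
                    }
                    this.debug.println("Reading EncryptedData safe...");
                    if (cArr == null) {
                        this.debug.println("Password was null, skipping loading of encrypted data.");
                    } else {
                        loadEncryptedContents(explicit, cArr);
                    }
                }
            }
            postLoadProcess();
        } catch (AlgIdException | Asn1Exception e) {
            throw new IOException("Failed to decode PKCS #12", e);
        } finally {
            // Scratch state must not outlive the load, whether it succeeded or failed.
            this.otherCerts.clear();
            this.otherCertsMap.clear();
        }
    }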

    /**
     * Attaches certificate chains to the private keys after all bags have been read.
     *
     * <p>For each private-key entry a leaf certificate is looked up with {@code matchCert} and,
     * if found, extended to a chain with {@code findChain}. Only the first private key
     * encountered is flagged as such for {@code matchCert}.
     */
    private void postLoadProcess() {
        boolean firstPrivateKey = true;
        for (P12Entry value : this.entries.values()) {
            if (!(value instanceof P12Entry.PrivKey)) {
                continue;
            }
            final P12Entry.PrivKey keyEntry = (P12Entry.PrivKey) value;
            X509Certificate leaf = matchCert(keyEntry, firstPrivateKey);
            if (leaf == null) {
                this.debug.println(() -> "Unable to find certificate for privateKey " + keyEntry.alias);
            } else {
                keyEntry.setChain(findChain(leaf));
            }
            firstPrivateKey = false;
        }
    }

    /**
     * Chooses the leaf certificate for a private key from the certificates read during load.
     *
     * <p>When the key has a local key id, preference is: same key id and same alias, then same
     * key id (the last such certificate), then same alias (the last such certificate). Without
     * a local key id, the first certificate with the same alias wins; failing that, the first
     * private key in the file falls back to the first available certificate.
     *
     * <p>Matching uses only these identifiers. Nothing here checks that the certificate's
     * public key corresponds to the private key, so the pairing is only as trustworthy as the
     * file's attributes.
     *
     * @param privKey private-key entry to find a certificate for
     * @param z {@code true} if this is the first private key processed
     * @return the chosen certificate, or {@code null} if none qualifies
     */
    private X509Certificate matchCert(P12Entry.PrivKey privKey, boolean z) {
        if (privKey.localKeyId == null) {
            for (P12Entry.Cert candidate : this.otherCerts) {
                if (privKey.alias.equals(candidate.alias)) {
                    return candidate.cert;
                }
            }
            if (z && !this.otherCerts.isEmpty()) {
                return this.otherCerts.get(0).cert;
            }
            return null;
        }
        X509Certificate keyIdMatch = null;
        X509Certificate aliasMatch = null;
        for (P12Entry.Cert candidate : this.otherCerts) {
            boolean sameAlias = privKey.alias.equals(candidate.alias);
            if (Arrays.equals(privKey.localKeyId, candidate.localKeyId)) {
                if (sameAlias) {
                    return candidate.cert;
                }
                keyIdMatch = candidate.cert;
            }
            if (sameAlias) {
                aliasMatch = candidate.cert;
            }
        }
        return keyIdMatch != null ? keyIdMatch : aliasMatch;
    }

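    /**
     * Builds a certificate chain upward from a leaf using the certificates read during load.
     *
     * <p>Each step looks up the current certificate's issuer by subject name and stops at a
     * self-issued certificate or when no issuer is available. Every visited certificate's
     * subject is removed from the working copy of the lookup map, so no subject can be
     * visited twice and the walk is bounded by the number of certificates in the file.
     *
     * <p>The original removed the <em>leaf's</em> subject on every iteration instead of the
     * current certificate's. Two non-leaf certificates naming each other as issuer would then
     * never terminate the walk, growing the chain list without bound on a malformed file.
     *
     * @param x509Certificate leaf certificate to start from
     * @return the chain, leaf first
     */
    private List<X509Certificate> findChain(X509Certificate x509Certificate) {
        List<X509Certificate> chain = new ArrayList<>();
        Map<X500Principal, X509Certificate> candidates = new LinkedHashMap<>(this.otherCertsMap);
        X509Certificate current = x509Certificate;
        while (current != null) {
            candidates.remove(current.getSubjectX500Principal());
            chain.add(current);
            if (current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                break;
            }
            current = candidates.get(current.getIssuerX500Principal());
        }
        return chain;
    }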

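    /**
     * Reads every bag in a safe-contents SEQUENCE and dispatches it by bag type.
     *
     * <p>The decompiler emitted the compiler's two-stage string switch (hash code, then index)
     * with an ill-typed selector and duplicate case labels, which does not compile. It is
     * restored here as a plain string switch; the index order in the decompiled output maps to
     * certificate, shrouded key, secret and key bags respectively.
     *
     * <p>Unencrypted key bags are accepted and handed to {@code loadKey} with the store
     * password. NOTE(review): this method is also called for {@code data} safes when the
     * password is {@code null}; how {@code loadKey} behaves in that case depends on
     * {@code pbeCipher}, which is outside this view.
     *
     * @param asn1BerValue the safe contents
     * @param cArr store password, possibly {@code null}
     * @throws IOException if a bag is malformed or cannot be processed
     */
    private void loadSafeContents(Asn1BerValue asn1BerValue, char[] cArr) throws IOException {
        for (Asn1BerValue bag : asn1BerValue.tag(UniversalTag.SEQUENCE).sequence()) {
            List<Asn1BerValue> sequence = bag.tag(UniversalTag.SEQUENCE).count(2, 3).sequence();
            final String oid = sequence.get(0).tag(UniversalTag.OBJECT_IDENTIFIER).getOid();
            Asn1BerValue tag = sequence.get(1).tag(0);
            Asn1BerValue explicit = tag.explicit();
            // The attribute SET is optional; a bag without it gets empty attributes.
            P12Attributes create = sequence.size() == 2 ? P12Attributes.create() : P12Attributes.load(sequence.get(2).tag(UniversalTag.SET));
            switch (oid) {
                case OID_SAFEBAG_TYPE_CERT:
                    loadCert(explicit, create);
                    break;
                case OID_SAFEBAG_TYPE_SHROUDEDKEY:
                    loadShroudedKey(explicit, create);
                    break;
                case OID_SAFEBAG_TYPE_SECRET:
                    loadSecret(explicit, create);
                    break;
                case OID_SAFEBAG_TYPE_KEY:
                    loadKey(tag.octets(), create, cArr);
                    break;
                default:
                    this.debug.println(() -> {
                        return "Ignoring unsupported bag type " + oid;
                    });
                    break;
            }
        }
    }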

    /**
     * Decodes a certificate bag and records the certificate.
     *
     * <p>Only the X.509 certificate type is accepted. The certificate is parsed from the bag's
     * OCTET STRING and passed to {@code saveCert}.
     *
     * @param asn1BerValue the certificate bag value
     * @param p12Attributes attributes read with the bag
     * @throws IOException if the certificate type is unsupported or the certificate cannot be decoded
     */
    private void loadCert(Asn1BerValue asn1BerValue, P12Attributes p12Attributes) throws IOException {
        List<Asn1BerValue> certBag = asn1BerValue.tag(UniversalTag.SEQUENCE).count(2).sequence();
        String certType = certBag.get(0).tag(UniversalTag.OBJECT_IDENTIFIER).getOid();
        if (!certType.equals(OID_CERTTYPE_X509)) {
            throw new IOException("Unsupported certificate type.");
        }
        try {
            CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
            byte[] der = certBag.get(1).tag(0).explicit().tag(UniversalTag.OCTET_STRING).getOctetString();
            X509Certificate parsed = (X509Certificate) x509Factory.generateCertificate(new ByteArrayInputStream(der));
            saveCert(parsed, p12Attributes);
        } catch (CertificateException e) {
            throw new IOException("Failed to decode certificate", e);
        }
    }

    /**
     * Files a loaded certificate as a trusted entry or as chain-building material.
     *
     * <p>A certificate whose attributes carry the trust attribute becomes a keystore entry.
     * Any other certificate is kept only in the scratch collections used to build key chains.
     * In the subject-indexed map, a later certificate with the same subject replaces an earlier one.
     *
     * @param x509Certificate the decoded certificate
     * @param p12Attributes attributes read with its bag
     */
    private void saveCert(X509Certificate x509Certificate, P12Attributes p12Attributes) {
        if (!p12Attributes.hasTrustAttr()) {
            this.debug.println(" read untrusted certificate " + x509Certificate.getSubjectX500Principal());
            this.otherCerts.add(new P12Entry.Cert(x509Certificate, p12Attributes));
            this.otherCertsMap.put(x509Certificate.getSubjectX500Principal(), x509Certificate);
            return;
        }
        saveEntry(new P12Entry.Cert(x509Certificate), p12Attributes);
    }

    /**
     * Registers an entry under its alias.
     *
     * <p>The alias is the bag's friendlyName. When the bag has none, an alias is
     * generated with {@link #nextAlias()} and written back into the attributes. The map
     * key is the alias lower-cased with {@code Locale.ENGLISH}.
     *
     * @param p12Entry the entry to store
     * @param p12Attributes attributes to attach to the entry
     */
    private void saveEntry(P12Entry p12Entry, P12Attributes p12Attributes) {
        String alias = p12Attributes.getFriendlyName();
        if (alias == null) {
            alias = nextAlias();
            p12Attributes.setFriendlyName(alias);
        }
        p12Entry.setAttributes(p12Attributes);
        // NOTE(review): friendlyName comes from the file. No collision check is made here,
        // so if entries is a plain Map, two bags whose names differ only in case (or a
        // file-supplied name equal to a generated numeric alias) leave only the last one.
        String mapKey = alias.toLowerCase(Locale.ENGLISH);
        this.entries.put(mapKey, p12Entry);
        this.debug.println(() -> " loaded " + p12Entry);
    }

    /**
     * Stores an encrypted private-key bag without decrypting it.
     *
     * <p>The bag value must be a two-element SEQUENCE: the encryption algorithm
     * identifier followed by an OCTET STRING with the encrypted key. Both are kept as
     * read in a {@code P12Entry.PrivKey}. No cipher is invoked in this method.
     *
     * @param asn1BerValue the shrouded key bag value
     * @param p12Attributes attributes decoded for this bag
     * @throws IOException declared for decoding failures raised by the helpers used here
     */
    private void loadShroudedKey(Asn1BerValue asn1BerValue, P12Attributes p12Attributes) throws IOException {
        List<Asn1BerValue> encryptedKeyInfo = asn1BerValue.tag(UniversalTag.SEQUENCE).count(2).sequence();
        byte[] encryptedKey = encryptedKeyInfo.get(1).tag(UniversalTag.OCTET_STRING).getOctetString();
        // NOTE(review): the algorithm and its parameters are taken from the file; whether
        // AlgorithmId.decode restricts them to an allow-list is not visible here.
        AlgorithmId encryptionAlg = AlgorithmId.decode(encryptedKeyInfo.get(0));
        saveEntry(new P12Entry.PrivKey(encryptedKey, encryptionAlg), p12Attributes);
    }

    /**
     * Encrypts the given key bytes under the supplied password and stores the result.
     *
     * <p>A fresh default algorithm identifier is generated, {@code bArr} is encrypted
     * with it, and the ciphertext is saved as a {@code P12Entry.PrivKey} carrying that
     * identifier.
     *
     * @param bArr key bytes to encrypt (presumably the contents of an unencrypted key
     *     bag; confirm against the caller)
     * @param p12Attributes attributes decoded for this bag
     * @param cArr password used to derive the encryption key
     * @throws IOException if the cipher operation fails
     */
    private void loadKey(byte[] bArr, P12Attributes p12Attributes, char[] cArr) throws IOException {
        AlgorithmId wrappingAlg = genEncryptIdDefault();
        // NOTE(review): bArr is not zeroed in this method after encryption; confirm that
        // the caller clears the buffer holding the unencrypted key material.
        byte[] wrappedKey = pbeCipher(Cipher.ENCRYPT_MODE, wrappingAlg, cArr, bArr);
        saveEntry(new P12Entry.PrivKey(wrappedKey, wrappingAlg), p12Attributes);
    }

    /**
     * Builds the default encryption algorithm identifier with fresh parameters.
     *
     * <p>Each call generates a new salt of {@code DEFAULT_ENC_SALT_LEN} bytes and a new
     * IV of {@code DEFAULT_ENC_IV_LEN} bytes, so no salt or IV is reused between calls.
     *
     * @return an identifier for {@code DEFAULT_ENC_ALG} with the default iteration count
     */
    private AlgorithmId genEncryptIdDefault() {
        // NOTE(review): presumably RandBytes draws from a cryptographically strong source;
        // confirm, since salt and IV unpredictability depends on it.
        byte[] salt = RandBytes.generate(DEFAULT_ENC_SALT_LEN);
        IvParameterSpec iv = new IvParameterSpec(RandBytes.generate(DEFAULT_ENC_IV_LEN));
        PBEParameterSpec pbeParams = new PBEParameterSpec(salt, DEFAULT_ENC_ITER_COUNT, iv);
        return new AlgorithmId(DEFAULT_ENC_ALG, pbeParams);
    }

    /**
     * Stores an encrypted secret key found in a secret bag.
     *
     * <p>The bag value must be a two-element SEQUENCE: a secret-type OID and an
     * explicitly tagged [0] OCTET STRING. Only the type equal to
     * {@code OID_SAFEBAG_TYPE_SHROUDEDKEY} is handled; any other type is reported on the
     * debug output and skipped. The OCTET STRING is decoded as a further two-element
     * SEQUENCE (algorithm identifier, encrypted bytes), which is stored undecrypted as a
     * {@code P12Entry.SecretKey}.
     *
     * @param asn1BerValue the secret bag value
     * @param p12Attributes attributes decoded for this bag
     * @throws IOException declared for decoding failures raised by the helpers used here
     */
    private void loadSecret(Asn1BerValue asn1BerValue, P12Attributes p12Attributes) throws IOException {
        List<Asn1BerValue> secretBag = asn1BerValue.tag(UniversalTag.SEQUENCE).count(2).sequence();
        String oid = secretBag.get(0).tag(UniversalTag.OBJECT_IDENTIFIER).getOid();
        if (!oid.equals(OID_SAFEBAG_TYPE_SHROUDEDKEY)) {
            // Unknown secret types are dropped rather than failing the whole load.
            this.debug.println(() -> "Skipping secret of unknown type " + oid);
            return;
        }
        byte[] nestedEncoding = secretBag.get(1).tag(0).explicit().tag(UniversalTag.OCTET_STRING).getOctetString();
        List<Asn1BerValue> encryptedKeyInfo = Asn1.decodeOne(nestedEncoding).tag(UniversalTag.SEQUENCE).count(2).sequence();
        byte[] encryptedSecret = encryptedKeyInfo.get(1).tag(UniversalTag.OCTET_STRING).getOctetString();
        AlgorithmId encryptionAlg = AlgorithmId.decode(encryptedKeyInfo.get(0));
        saveEntry(new P12Entry.SecretKey(encryptedSecret, encryptionAlg), p12Attributes);
    }

    /**
     * Decrypts an encrypted content block and loads the safe contents inside it.
     *
     * <p>The value must be a two-element SEQUENCE: an INTEGER version and a
     * three-element SEQUENCE of content-type OID, encryption algorithm identifier and
     * [0]-tagged ciphertext. The content type must equal {@code OID_CONTENT_TYPE_DATA}.
     *
     * @param asn1BerValue the encrypted content structure
     * @param cArr password used to derive the decryption key
     * @throws IOException if the content type is unexpected or decryption fails
     */
    private void loadEncryptedContents(Asn1BerValue asn1BerValue, char[] cArr) throws IOException {
        List<Asn1BerValue> encryptedData = asn1BerValue.tag(UniversalTag.SEQUENCE).count(2).sequence();
        // The version is required to be an INTEGER, but its value is read and discarded.
        encryptedData.get(0).tag(UniversalTag.INTEGER).getInteger();
        Iterator<Asn1BerValue> fields = encryptedData.get(1).tag(UniversalTag.SEQUENCE).count(3).sequence().iterator();
        String contentType = fields.next().tag(UniversalTag.OBJECT_IDENTIFIER).getOid();
        if (!contentType.equals(OID_CONTENT_TYPE_DATA)) {
            throw new IOException("Unexpected content type in EncryptedData: " + contentType);
        }
        // NOTE(review): algorithm, salt and iteration count are read from the file. No
        // upper bound on the iteration count is applied in this method; confirm that
        // AlgorithmId.decode or the cipher provider limits it, otherwise a crafted file
        // can make key derivation arbitrarily slow.
        AlgorithmId encryptionAlg = AlgorithmId.decode(fields.next());
        byte[] ciphertext = fields.next().tag(0).getOctetString();
        byte[] plaintext = pbeCipher(Cipher.DECRYPT_MODE, encryptionAlg, cArr, ciphertext);
        loadSafeContents(Asn1.decodeOne(plaintext), cArr);
    }

    /**
     * Runs a password-based cipher over {@code bArr} and returns the result.
     *
     * <p>The key is derived from {@code cArr} for the algorithm named by
     * {@code algorithmId} and is destroyed (best effort) before this method returns,
     * whether it succeeds or fails. After an encryption, {@code algorithmId} is updated
     * with the parameters the cipher reports having used.
     *
     * <p>Every {@link GeneralSecurityException} is reported as the same
     * {@code IOException} message, with the original exception kept as the cause.
     *
     * @param i cipher operation mode, {@code Cipher.ENCRYPT_MODE} or {@code Cipher.DECRYPT_MODE}
     * @param algorithmId algorithm name and parameters; mutated when encrypting
     * @param cArr password used to derive the key
     * @param bArr input bytes
     * @return the cipher output; in decrypt mode this is plaintext that the caller owns
     * @throws IOException if key derivation or the cipher operation fails
     */
    private byte[] pbeCipher(int i, AlgorithmId algorithmId, char[] cArr, byte[] bArr) throws IOException {
        SecretKey derivedKey = null;
        try {
            derivedKey = pbeKey(cArr, algorithmId.getAlg());
            Cipher pbe = Cipher.getInstance(algorithmId.getAlg());
            pbe.init(i, derivedKey, algorithmId.getParameterSpec());
            byte[] output = pbe.doFinal(bArr);
            if (i == Cipher.ENCRYPT_MODE) {
                // Record the parameters actually used so the ciphertext can be decrypted later.
                algorithmId.updateParams(pbe.getParameters().getParameterSpec(PBEParameterSpec.class));
            }
            return output;
        } catch (GeneralSecurityException e) {
            throw new IOException("Cipher operation failed", e);
        } finally {
            // Runs on every exit path so the derived key does not outlive the operation.
            destroyQuietly(derivedKey);
        }
    }

    /**
     * Checks the password-based MAC stored in the file against one computed over {@code bArr}.
     *
     * <p>The MAC structure must be a three-element SEQUENCE: a two-element SEQUENCE of
     * digest algorithm identifier and stored MAC value, then the salt OCTET STRING, then
     * the iteration-count INTEGER. The MAC algorithm name is {@code "HmacPBE"} followed
     * by the short name of the digest algorithm read from the file.
     *
     * @param bArr the bytes the MAC was computed over
     * @param asn1BerValue the MAC structure
     * @param cArr password used to derive the MAC key
     * @throws IOException if the MAC cannot be computed or does not match
     */
    private void verifyIntegrity(byte[] bArr, Asn1BerValue asn1BerValue, char[] cArr) throws IOException {
        List<Asn1BerValue> macData = asn1BerValue.tag(UniversalTag.SEQUENCE).count(3).sequence();
        List<Asn1BerValue> digestInfo = macData.get(0).tag(UniversalTag.SEQUENCE).count(2).sequence();
        try {
            // NOTE(review): the digest algorithm is chosen by the file; whether weak
            // digests are rejected depends on AlgorithmId and the Mac provider.
            String macAlgorithm = "HmacPBE" + AlgorithmId.decode(digestInfo.get(0)).getShortAlg();
            byte[] salt = macData.get(1).tag(UniversalTag.OCTET_STRING).getOctetString();
            // NOTE(review): the iteration count is file-controlled and has no upper bound
            // here. Assuming getInteger() returns a BigInteger, intValueExact() throws an
            // unchecked ArithmeticException for out-of-range values, which this method
            // does not convert to IOException; confirm that the caller handles both.
            int iterations = macData.get(2).tag(UniversalTag.INTEGER).getInteger().intValueExact();
            byte[] computedMac = computeMac(macAlgorithm, cArr, new PBEParameterSpec(salt, iterations), bArr);
            byte[] storedMac = digestInfo.get(1).tag(UniversalTag.OCTET_STRING).getOctetString();
            // MessageDigest.isEqual is used instead of Arrays.equals for the MAC comparison.
            if (!MessageDigest.isEqual(computedMac, storedMac)) {
                throw new IOException("Integrity check failed.");
            }
        } catch (GeneralSecurityException e) {
            throw new IOException("Failed to compute integrity check value", e);
        }
    }

    /**
     * Computes a password-based MAC over {@code bArr}.
     *
     * <p>The key derived from the password is destroyed (best effort) on every exit path.
     *
     * @param str MAC algorithm name passed to {@code Mac.getInstance}
     * @param cArr password used to derive the MAC key
     * @param pBEParameterSpec salt and iteration count for the MAC
     * @param bArr the bytes to authenticate
     * @return the MAC value
     * @throws GeneralSecurityException if the key or MAC cannot be created or initialised
     */
    private byte[] computeMac(String str, char[] cArr, PBEParameterSpec pBEParameterSpec, byte[] bArr) throws GeneralSecurityException {
        SecretKey macKey = null;
        try {
            // 1.2.840.113549.1.12.1.3 is the PKCS#12 pbeWithSHAAnd3-KeyTripleDES-CBC OID.
            // NOTE(review): presumably it only selects a key factory that wraps the
            // password, and the MAC algorithm itself comes from str; confirm.
            macKey = pbeKey(cArr, "OID.1.2.840.113549.1.12.1.3");
            Mac hmac = Mac.getInstance(str);
            hmac.init(macKey, pBEParameterSpec);
            return hmac.doFinal(bArr);
        } finally {
            destroyQuietly(macKey);
        }
    }

    /**
     * Turns a password into a {@link SecretKey} for the named algorithm.
     *
     * <p>{@code PBEKeySpec} keeps its own copy of the password. That copy is cleared on
     * every exit path. The caller's {@code cArr} is not modified here, and the returned
     * key must be destroyed by the caller.
     *
     * @param cArr the password
     * @param str algorithm name passed to {@code SecretKeyFactory.getInstance}
     * @return the generated key
     * @throws GeneralSecurityException if the factory is unavailable or rejects the spec
     */
    private SecretKey pbeKey(char[] cArr, String str) throws GeneralSecurityException {
        PBEKeySpec passwordSpec = new PBEKeySpec(cArr);
        try {
            return SecretKeyFactory.getInstance(str).generateSecret(passwordSpec);
        } finally {
            passwordSpec.clearPassword();
        }
    }

    /**
     * Produces the next generated alias by incrementing {@code aliasCounter}.
     *
     * @return the new counter value as a decimal string
     */
    private String nextAlias() {
        return String.valueOf(++this.aliasCounter);
    }

    /**
     * Reads the stream to end-of-stream and returns everything read.
     *
     * <p>The stream is not closed here. No limit is placed on the amount read, so the
     * whole input is held in memory. NOTE(review): if the stream can come from an
     * untrusted source, confirm that the caller bounds its size.
     *
     * @param inputStream the stream to drain
     * @return all bytes read from the stream
     * @throws IOException if reading fails
     */
    private byte[] readAllBytes(InputStream inputStream) throws IOException {
        ByteArrayOutputStream collected = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        for (int n = inputStream.read(chunk); n != -1; n = inputStream.read(chunk)) {
            collected.write(chunk, 0, n);
        }
        return collected.toByteArray();
    }

    /**
     * Destroys the key if one is given, ignoring a failure to do so.
     *
     * @param secretKey the key to destroy; {@code null} is accepted and ignored
     */
    private void destroyQuietly(SecretKey secretKey) {
        if (secretKey == null) {
            return;
        }
        try {
            secretKey.destroy();
        } catch (DestroyFailedException ignored) {
            // Best effort: a key that cannot be destroyed stays in memory until it is
            // garbage collected, and the failure is deliberately not reported.
        }
    }
}
