package org.xipki.security.pkcs11.proxy;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.HashSet;
import java.util.Random;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1Sequence;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.security.BadAsn1ObjectException;
import org.xipki.security.pkcs11.P11Module;
import org.xipki.security.pkcs11.P11ModuleConf;
import org.xipki.security.pkcs11.P11SlotIdentifier;
import org.xipki.security.pkcs11.P11TokenException;
import org.xipki.security.pkcs11.proxy.ProxyMessage;
import org.xipki.util.Args;
import org.xipki.util.ConfPairs;
import org.xipki.util.IoUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.ObjectCreationException;
import org.xipki.util.StringUtil;
import org.xipki.util.http.HostnameVerifiers;
import org.xipki.util.http.SSLContextBuilder;

/* loaded from: input_file:WEB-INF/lib/security-5.3.0.jar:org/xipki/security/pkcs11/proxy/ProxyP11Module.class */
public class ProxyP11Module extends P11Module {
    public static final String TYPE = "proxy";
    private static final String PROP_URL = "url";
    private static final String PROP_MODULE = "module";
    private static final String PROP_SSL_STORETYPE = "ssl.storeType";
    private static final String PROP_SSL_KEYSTORE = "ssl.keystore";
    private static final String PROP_SSL_KEYSTOREPASSWORD = "ssl.keystorePassword";
    private static final String PROP_SSL_TRUSTSTORE = "ssl.truststore";
    private static final String PROP_SSL_TRUSTOREPASSWORD = "ssl.truststorePassword";
    private static final String PROP_SSL_HOStNAMEVERIFIER = "ssl.hostnameVerifier";
    private static final Logger LOG = LoggerFactory.getLogger(ProxyP11Module.class);
    private static final String REQUEST_MIMETYPE = "application/x-xipki-pkcs11";
    private static final String RESPONSE_MIMETYPE = "application/x-xipki-pkcs11";
    private final Random random;
    private final short version = 256;
    private final String description;
    private URL serverUrl;
    private short moduleId;
    private boolean readOnly;
    private SSLSocketFactory sslSocketFactory;
    private HostnameVerifier hostnameVerifier;

    private ProxyP11Module(P11ModuleConf p11ModuleConf) throws P11TokenException {
        super(p11ModuleConf);
        this.random = new Random();
        this.version = (short) 256;
        String nativeLibrary = p11ModuleConf.getNativeLibrary();
        this.description = StringUtil.concat("PKCS#11 proxy", "\nPath: ", nativeLibrary);
        ConfPairs confPairs = new ConfPairs(nativeLibrary);
        String value = confPairs.value(PROP_URL);
        try {
            this.serverUrl = new URL(value);
            String value2 = confPairs.value(PROP_MODULE);
            if (value2 == null) {
                throw new P11TokenException("module not specified");
            }
            try {
                String trim = value2.trim();
                if (trim.startsWith("0x") || trim.startsWith("0X")) {
                    this.moduleId = Short.parseShort(trim.substring(2), 16);
                } else {
                    this.moduleId = Short.parseShort(trim.trim());
                }
                String value3 = confPairs.value(PROP_SSL_STORETYPE);
                String value4 = confPairs.value(PROP_SSL_KEYSTORE);
                String value5 = confPairs.value(PROP_SSL_KEYSTOREPASSWORD);
                String value6 = confPairs.value(PROP_SSL_TRUSTSTORE);
                String value7 = confPairs.value(PROP_SSL_TRUSTOREPASSWORD);
                String value8 = confPairs.value(PROP_SSL_HOStNAMEVERIFIER);
                SSLContextBuilder sSLContextBuilder = new SSLContextBuilder();
                if (value3 != null) {
                    sSLContextBuilder.setKeyStoreType(value3);
                }
                if (value4 != null) {
                    char[] charArray = value5 == null ? null : value5.toCharArray();
                    try {
                        sSLContextBuilder.loadKeyMaterial(new File(value4), charArray, charArray);
                    } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
                        throw new P11TokenException("could not load key material", e);
                    }
                }
                if (value6 != null) {
                    try {
                        sSLContextBuilder.loadTrustMaterial(new File(value6), value7 == null ? null : value7.toCharArray());
                    } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e2) {
                        throw new P11TokenException("could not load trust material", e2);
                    }
                }
                try {
                    this.sslSocketFactory = sSLContextBuilder.build().getSocketFactory();
                    try {
                        this.hostnameVerifier = HostnameVerifiers.createHostnameVerifier(value8);
                        refresh();
                    } catch (ObjectCreationException e3) {
                        throw new P11TokenException("could not create HostnameVerifier", e3);
                    }
                } catch (KeyManagementException | NoSuchAlgorithmException e4) {
                    throw new P11TokenException("could not build SSLSocketFactroy", e4);
                }
            } catch (NumberFormatException e5) {
                throw new P11TokenException("invalid module: " + value2);
            }
        } catch (MalformedURLException e6) {
            throw new IllegalArgumentException("invalid url: " + value);
        }
    }

    public static P11Module getInstance(P11ModuleConf p11ModuleConf) throws P11TokenException {
        Args.notNull(p11ModuleConf, "moduleConf");
        return new ProxyP11Module(p11ModuleConf);
    }

    @Override // org.xipki.security.pkcs11.P11Module
    public boolean isReadOnly() {
        return this.readOnly || super.isReadOnly();
    }

    public void refresh() throws P11TokenException {
        try {
            ProxyMessage.ServerCaps serverCaps = ProxyMessage.ServerCaps.getInstance(send((short) 1, null));
            if (!serverCaps.getVersions().contains((short) 256)) {
                throw new P11TokenException("Server does not support any version supported by the client");
            }
            this.readOnly = serverCaps.isReadOnly();
            try {
                ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance(send((short) 259, null));
                int size = aSN1Sequence.size();
                HashSet hashSet = new HashSet();
                for (int i = 0; i < size; i++) {
                    try {
                        P11SlotIdentifier value = ProxyMessage.SlotIdentifier.getInstance(aSN1Sequence.getObjectAt(i)).getValue();
                        if (this.conf.isSlotIncluded(value)) {
                            if (this.conf.isSlotIncluded(value)) {
                                hashSet.add(new ProxyP11Slot(this, value, this.conf.isReadOnly(), this.conf.getP11MechanismFilter()));
                            } else {
                                LOG.info("skipped slot {}", value);
                            }
                        }
                    } catch (Exception e) {
                        throw new P11TokenException(e.getMessage(), e);
                    }
                }
                setSlots(hashSet);
            } catch (IllegalArgumentException e2) {
                throw new P11TokenException("response is not ASN1Sequence", e2);
            }
        } catch (BadAsn1ObjectException e3) {
            throw new P11TokenException("response is a valid Asn1ServerCaps", e3);
        }
    }

    @Override // org.xipki.security.pkcs11.P11Module
    public String getDescription() {
        return this.description;
    }

    @Override // org.xipki.security.pkcs11.P11Module
    public void close() {
        for (P11SlotIdentifier p11SlotIdentifier : getSlotIds()) {
            try {
                getSlot(p11SlotIdentifier).close();
            } catch (Throwable th) {
                LogUtil.error(LOG, th, "could not close PKCS#11 slot " + p11SlotIdentifier);
            }
        }
    }

    protected byte[] send(byte[] bArr) throws IOException {
        Args.notNull(bArr, "request");
        HttpURLConnection openHttpConn = IoUtil.openHttpConn(this.serverUrl);
        if (openHttpConn instanceof HttpsURLConnection) {
            if (this.sslSocketFactory != null) {
                ((HttpsURLConnection) openHttpConn).setSSLSocketFactory(this.sslSocketFactory);
            }
            if (this.hostnameVerifier != null) {
                ((HttpsURLConnection) openHttpConn).setHostnameVerifier(this.hostnameVerifier);
            }
        }
        openHttpConn.setDoOutput(true);
        openHttpConn.setUseCaches(false);
        int length = bArr.length;
        openHttpConn.setRequestMethod("POST");
        openHttpConn.setRequestProperty("Content-Type", "application/x-xipki-pkcs11");
        openHttpConn.setRequestProperty("Content-Length", Integer.toString(length));
        OutputStream outputStream = openHttpConn.getOutputStream();
        outputStream.write(bArr);
        outputStream.flush();
        if (openHttpConn.getResponseCode() != 200) {
            try {
                InputStream inputStream = openHttpConn.getInputStream();
                if (inputStream != null) {
                    inputStream.close();
                }
            } catch (IOException e) {
                InputStream errorStream = openHttpConn.getErrorStream();
                if (errorStream != null) {
                    errorStream.close();
                }
            }
            throw new IOException("bad response: code=" + openHttpConn.getResponseCode() + ", message=" + openHttpConn.getResponseMessage());
        }
        try {
            InputStream inputStream2 = openHttpConn.getInputStream();
            try {
                String contentType = openHttpConn.getContentType();
                boolean z = false;
                if (contentType != null && contentType.equalsIgnoreCase("application/x-xipki-pkcs11")) {
                    z = true;
                }
                if (!z) {
                    throw new IOException("bad response: mime type " + contentType + " is not supported!");
                }
                byte[] bArr2 = new byte[4096];
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                while (true) {
                    int read = inputStream2.read(bArr2);
                    if (read == -1) {
                        byte[] byteArray = byteArrayOutputStream.toByteArray();
                        inputStream2.close();
                        return byteArray;
                    }
                    byteArrayOutputStream.write(bArr2, 0, read);
                }
            } catch (Throwable th) {
                inputStream2.close();
                throw th;
            }
        } catch (IOException e2) {
            InputStream errorStream2 = openHttpConn.getErrorStream();
            if (errorStream2 != null) {
                errorStream2.close();
            }
            throw e2;
        }
    }

    public byte[] send(short s, ASN1Object aSN1Object) throws P11TokenException {
        byte[] encoded;
        if (aSN1Object == null) {
            encoded = null;
        } else {
            try {
                encoded = aSN1Object.getEncoded();
            } catch (IOException e) {
                throw new P11TokenException("could encode the content", e);
            }
        }
        int i = 4;
        if (encoded != null) {
            i = 4 + encoded.length;
        }
        byte[] bArr = new byte[10 + i];
        IoUtil.writeShort((short) 256, bArr, 0);
        byte[] randomTransactionId = randomTransactionId();
        System.arraycopy(randomTransactionId, 0, bArr, 2, 4);
        IoUtil.writeInt(i, bArr, 6);
        IoUtil.writeShort(s, bArr, 10);
        IoUtil.writeShort(this.moduleId, bArr, 12);
        if (encoded != null) {
            System.arraycopy(encoded, 0, bArr, 14, encoded.length);
        }
        try {
            byte[] send = send(bArr);
            int length = send.length;
            if (length < 12) {
                throw new P11TokenException("response too short");
            }
            if (IoUtil.parseInt(send, 6) + 10 != length) {
                throw new P11TokenException("message lengt unmatch");
            }
            short parseShort = IoUtil.parseShort(send, 10);
            if (parseShort != 0) {
                throw new P11TokenException("server returned RC " + P11ProxyConstants.getReturnCodeName(parseShort));
            }
            if (256 != IoUtil.parseShort(send, 0)) {
                throw new P11TokenException("version of response and request unmatch");
            }
            if (!equals(randomTransactionId, send, 2)) {
                throw new P11TokenException("version of response and request unmatch");
            }
            if (length < 14) {
                throw new P11TokenException("too short successful response");
            }
            if (s != IoUtil.parseShort(send, 12)) {
                throw new P11TokenException("action of response and request unmatch");
            }
            int i2 = length - 14;
            if (i2 == 0) {
                return null;
            }
            byte[] bArr2 = new byte[i2];
            System.arraycopy(send, 14, bArr2, 0, i2);
            return bArr2;
        } catch (IOException e2) {
            LOG.error("could not send the request {}", bArr);
            throw new P11TokenException("could not send the request: " + e2.getMessage(), e2);
        }
    }

    private byte[] randomTransactionId() {
        byte[] bArr = new byte[4];
        this.random.nextBytes(bArr);
        return bArr;
    }

    private static boolean equals(byte[] bArr, byte[] bArr2, int i) {
        if (bArr2.length - i < bArr.length) {
            return false;
        }
        for (int i2 = 0; i2 < bArr.length; i2++) {
            if (bArr[i2] != bArr2[i + i2]) {
                return false;
            }
        }
        return true;
    }
}
