package org.xipki.p11proxy.servlet;

import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.security.BadAsn1ObjectException;
import org.xipki.security.XiSecurityException;
import org.xipki.security.pkcs11.P11CryptService;
import org.xipki.security.pkcs11.P11DuplicateEntityException;
import org.xipki.security.pkcs11.P11Identity;
import org.xipki.security.pkcs11.P11IdentityId;
import org.xipki.security.pkcs11.P11ObjectIdentifier;
import org.xipki.security.pkcs11.P11Params;
import org.xipki.security.pkcs11.P11Slot;
import org.xipki.security.pkcs11.P11SlotIdentifier;
import org.xipki.security.pkcs11.P11TokenException;
import org.xipki.security.pkcs11.P11UnknownEntityException;
import org.xipki.security.pkcs11.P11UnsupportedMechanismException;
import org.xipki.security.pkcs11.proxy.P11ProxyConstants;
import org.xipki.security.pkcs11.proxy.ProxyMessage;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;
import org.xipki.util.Hex;
import org.xipki.util.IoUtil;
import org.xipki.util.LogUtil;

/* loaded from: input_file:WEB-INF/classes/org/xipki/p11proxy/servlet/P11ProxyResponder.class */
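/**
 * Server side of the XiPKI PKCS#11 proxy protocol: decodes one binary request,
 * runs the requested operation against a local {@link P11CryptService} and
 * encodes the binary response.
 *
 * <p>Request layout as parsed by {@link #processRequest}:
 * <pre>
 *   offset 0  (2 bytes)  protocol version
 *   offset 2  (4 bytes)  transaction id, echoed unchanged in the response
 *   offset 6  (4 bytes)  body length; must equal total length - 10
 *   offset 10 (2 bytes)  action code
 *   offset 12 (2 bytes)  module id
 *   offset 14 (rest)     ASN.1-encoded action parameters, may be absent
 * </pre>
 * Response layout as written by {@code getResp}/{@code getSuccessResp}: the same
 * first ten bytes, then the return code at offset 10, the action code at
 * offset 12 and the optional content from offset 14.
 *
 * <p><b>Security notes.</b>
 * <ul>
 *   <li>The request bytes are treated as untrusted: every header field is
 *       bounds-checked before use and all decoding errors are mapped to a return
 *       code instead of propagating.</li>
 *   <li>Nothing in this class authenticates or authorises the caller. Any
 *       well-formed request is executed against the selected module, including
 *       signing, key generation and import, and removal of keys and
 *       certificates. Access control has to be enforced before
 *       {@code processRequest} is reached (presumably by the servlet or TLS
 *       layer, which is not visible here; confirm).</li>
 *   <li>No upper bound on the request size is applied here; presumably the
 *       caller limits it (confirm).</li>
 *   <li>Log messages built here carry only the action name or code, version,
 *       module id and hex-encoded transaction id; exceptions are handed to
 *       {@code LogUtil.error} as they are. Responses to failed requests carry a
 *       return code only, never exception text.</li>
 * </ul>
 */
public class P11ProxyResponder {
    private static final Logger LOG = LoggerFactory.getLogger(P11ProxyResponder.class);

    /** The only protocol version accepted (0x0100); also used when the request's own version cannot be trusted. */
    private static final short SUPPORTED_VERSION = 256;

    /** Fixed header size: version(2) + transaction id(4) + body length(4) + action(2) + module id(2). */
    private static final int HEADER_LEN = 14;

    /** Size of the transaction id field. */
    private static final int TID_LEN = 4;

    // Return codes written at offset 10 of a response. The meanings are the ones
    // this class attaches to them (see the log message or exception type next to each use).
    private static final short RC_SUCCESS = 0;
    private static final short RC_INTERNAL_ERROR = 1;
    private static final short RC_UNSUPPORTED_VERSION = 2;
    private static final short RC_UNSUPPORTED_ACTION = 3;
    private static final short RC_BAD_REQUEST = 4;
    private static final short RC_UNKNOWN_MODULE = 257;
    private static final short RC_UNKNOWN_ENTITY = 258;
    private static final short RC_DUPLICATE_ENTITY = 259;
    private static final short RC_UNSUPPORTED_MECHANISM = 260;
    private static final short RC_TOKEN_ERROR = 261;

    /** Actions whose request must carry content; an empty one is rejected with RC_BAD_REQUEST. */
    private static final Set<Short> actionsRequireNonNullRequest;

    /** Actions whose request must not carry content; a non-empty one is rejected with RC_BAD_REQUEST. */
    private static final Set<Short> actionsRequireNullRequest;

    static {
        Set<Short> noContent = new HashSet<>();
        noContent.add((short) 1);
        noContent.add((short) 259);
        actionsRequireNullRequest = Collections.unmodifiableSet(noContent);

        Set<Short> needContent = new HashSet<>();
        needContent.add((short) 2);
        needContent.add((short) 257);
        needContent.add((short) 258);
        needContent.add((short) 260);
        needContent.add((short) 261);
        // Fix: 262 decodes a slot identifier from the content exactly like 260 and 261,
        // but was missing here, so an empty request reached the decoder with null content.
        needContent.add((short) 262); // ACTION_GET_PUBLICKEY_IDS
        needContent.add((short) 288); // ACTION_SIGN
        needContent.add((short) 304); // ACTION_GEN_KEYPAIR_RSA
        needContent.add((short) 305); // ACTION_GEN_KEYPAIR_DSA
        needContent.add((short) 307); // ACTION_GEN_KEYPAIR_EC
        needContent.add((short) 308); // ACTION_DIGEST_SECRETKEY
        needContent.add((short) 309); // ACTION_GEN_SECRET_KEY
        needContent.add((short) 310); // ACTION_IMPORT_SECRET_KEY
        needContent.add((short) 320); // ACTION_ADD_CERT
        needContent.add((short) 321); // ACTION_REMOVE_IDENTITY
        needContent.add((short) 322); // ACTION_REMOVE_CERTS
        needContent.add((short) 323); // ACTION_UPDATE_CERT
        needContent.add((short) 324); // ACTION_REMOVE_OBJECTS
        needContent.add((short) 325); // ACTION_GEN_KEYPAIR_SM2
        needContent.add((short) 326); // ACTION_GEN_KEYPAIR_EC_EDWARDS
        needContent.add((short) 327); // ACTION_GEN_KEYPAIR_EC_MONTGOMERY
        actionsRequireNonNullRequest = Collections.unmodifiableSet(needContent);
    }

    /** Protocol versions this responder accepts; unmodifiable. */
    private final Set<Short> versions;

    /** Creates a responder that accepts protocol version 256 (0x0100) only. */
    public P11ProxyResponder() {
        Set<Short> supported = new HashSet<>();
        supported.add(SUPPORTED_VERSION);
        this.versions = Collections.unmodifiableSet(supported);
    }

    /**
     * Returns the supported protocol versions.
     *
     * @return an unmodifiable set of version numbers
     */
    public Set<Short> versions() {
        return this.versions;
    }

    /**
     * Processes one proxy request and returns the encoded response.
     *
     * <p>The method never returns {@code null} and does not let exceptions raised
     * while executing the action escape: every failure is logged and turned into
     * a 14-byte response carrying a return code. The caller is not authenticated
     * or authorised here; see the class comment.
     *
     * @param localP11CryptServicePool pool used to look up the module named in the request
     * @param bArr raw request bytes; {@code null} is handled like an empty request
     * @return the encoded response
     */
    public byte[] processRequest(LocalP11CryptServicePool localP11CryptServicePool, byte[] bArr) {
        // Fix: a null request used to fail with a NullPointerException before any
        // response could be built; it is now answered like any other short request.
        final int length = (bArr == null) ? 0 : bArr.length;

        // Recover as much of the header as is present so that even an error
        // response can echo the caller's transaction id and action code.
        final byte[] transactionId = new byte[TID_LEN];
        if (length > 5) {
            System.arraycopy(bArr, 2, transactionId, 0, TID_LEN);
        }
        short action = 0;
        if (length > 11) {
            action = IoUtil.parseShort(bArr, 10);
        }
        if (length < HEADER_LEN) {
            // Fix: the message used to read "response too short" although it is the request that is short.
            LOG.error("request too short");
            return getResp(SUPPORTED_VERSION, transactionId, RC_BAD_REQUEST, action);
        }

        final short version = IoUtil.parseShort(bArr, 0);
        if (!this.versions.contains(Short.valueOf(version))) {
            LOG.error("unsupported version {}", Short.valueOf(version));
            return getResp(SUPPORTED_VERSION, transactionId, RC_UNSUPPORTED_VERSION, action);
        }

        // The declared body length must match the bytes actually received.
        // An absurdly large declared value wraps on the addition and then cannot
        // equal a real array length, so it is rejected here as well.
        if (IoUtil.parseInt(bArr, 6) + 10 != length) {
            LOG.error("message length unmatch");
            return getResp(version, transactionId, RC_BAD_REQUEST, action);
        }

        final short moduleId = IoUtil.parseShort(bArr, 12);
        final int contentLen = length - HEADER_LEN;
        final byte[] content;
        if (contentLen == 0) {
            if (actionsRequireNonNullRequest.contains(Short.valueOf(action))) {
                LOG.error("content is not present but is required");
                return getResp(version, transactionId, RC_BAD_REQUEST, action);
            }
            content = null;
        } else {
            if (actionsRequireNullRequest.contains(Short.valueOf(action))) {
                LOG.error("content is present but is not permitted");
                return getResp(version, transactionId, RC_BAD_REQUEST, action);
            }
            content = new byte[contentLen];
            System.arraycopy(bArr, HEADER_LEN, content, 0, contentLen);
        }

        P11CryptService p11CryptService = localP11CryptServicePool.getP11CryptService(moduleId);
        if (p11CryptService == null) {
            LOG.error("no module {} available", Short.valueOf(moduleId));
            return getResp(version, transactionId, RC_UNKNOWN_MODULE, action);
        }

        // The two nested try blocks are kept as found: merging them would need the
        // exception class hierarchy, which is not visible in this file.
        try {
            try {
                switch (action) {
                    case 1:
                        // Server capabilities: read-only flag of the module and supported versions.
                        return getSuccessResp(version, transactionId, action,
                                new ProxyMessage.ServerCaps(p11CryptService.getModule().isReadOnly(), this.versions));
                    case 2: {
                        // Mechanisms of one slot, returned as a SEQUENCE OF INTEGER.
                        Set<Long> mechanisms = p11CryptService
                                .getSlot(ProxyMessage.SlotIdentifier.getInstance(content).getValue())
                                .getMechanisms();
                        ASN1EncodableVector vec = new ASN1EncodableVector();
                        for (Long mechanism : mechanisms) {
                            vec.add(new ASN1Integer(mechanism.longValue()));
                        }
                        return getSuccessResp(version, transactionId, action, (ASN1Object) new DERSequence(vec));
                    }
                    case 257: {
                        // Public key looked up by its public-key object id.
                        ProxyMessage.SlotIdAndObjectId req = ProxyMessage.SlotIdAndObjectId.getInstance(content);
                        P11SlotIdentifier slotId = req.getSlotId().getValue();
                        P11ObjectIdentifier publicKeyId = req.getObjectId().getValue();
                        P11Slot slot = getSlot(p11CryptService, slotId);
                        PublicKey publicKey = null;
                        for (P11ObjectIdentifier keyId : slot.getIdentityKeyIds()) {
                            P11Identity identity = slot.getIdentity(keyId);
                            // Fix: skip an id that no longer resolves instead of failing the
                            // whole lookup with a NullPointerException (reported as internal error).
                            if (identity != null && publicKeyId.equals(identity.getId().getPublicKeyId())) {
                                publicKey = identity.getPublicKey();
                            }
                        }
                        if (publicKey == null) {
                            throw new P11UnknownEntityException(slotId, publicKeyId);
                        }
                        return getSuccessResp(version, transactionId, action,
                                (ASN1Object) KeyUtil.createSubjectPublicKeyInfo(publicKey));
                    }
                    case 258: {
                        // Certificate looked up by object id, returned in its encoded form.
                        ProxyMessage.SlotIdAndObjectId req = ProxyMessage.SlotIdAndObjectId.getInstance(content);
                        P11SlotIdentifier slotId = req.getSlotId().getValue();
                        P11ObjectIdentifier certId = req.getObjectId().getValue();
                        X509Certificate cert = p11CryptService.getCert(slotId, certId);
                        if (cert == null) {
                            throw new P11UnknownEntityException(slotId, certId);
                        }
                        return getSuccessResp(version, transactionId, action, cert.getEncoded());
                    }
                    case 259: {
                        // Slot identifiers of the module.
                        List<P11SlotIdentifier> slotIds = p11CryptService.getModule().getSlotIds();
                        ASN1EncodableVector vec = new ASN1EncodableVector();
                        for (P11SlotIdentifier slotId : slotIds) {
                            vec.add(new ProxyMessage.SlotIdentifier(slotId));
                        }
                        return getSuccessResp(version, transactionId, action, (ASN1Object) new DERSequence(vec));
                    }
                    case 260:
                    case 261:
                    case P11ProxyConstants.ACTION_GET_PUBLICKEY_IDS: { // 262
                        // Fix: go through getSlot(...) like the other slot-based actions, so an
                        // unknown slot is reported as RC_UNKNOWN_ENTITY rather than hitting a
                        // NullPointerException and RC_INTERNAL_ERROR.
                        P11Slot slot = getSlot(p11CryptService,
                                ProxyMessage.SlotIdentifier.getInstance(content).getValue());
                        Set<P11ObjectIdentifier> ids;
                        if (261 == action) {
                            ids = slot.getCertIds();
                        } else if (260 == action) {
                            ids = slot.getIdentityKeyIds();
                        } else {
                            ids = new HashSet<>();
                            for (P11ObjectIdentifier keyId : slot.getIdentityKeyIds()) {
                                P11Identity identity = slot.getIdentity(keyId);
                                if (identity != null) {
                                    ids.add(identity.getId().getPublicKeyId());
                                }
                            }
                        }
                        ASN1EncodableVector vec = new ASN1EncodableVector();
                        for (P11ObjectIdentifier id : ids) {
                            vec.add(new ProxyMessage.ObjectIdentifier(id));
                        }
                        return getSuccessResp(version, transactionId, action, (ASN1Object) new DERSequence(vec));
                    }
                    case P11ProxyConstants.ACTION_SIGN: { // 288
                        ProxyMessage.SignTemplate signTemplate = ProxyMessage.SignTemplate.getInstance(content);
                        long mechanism = signTemplate.getMechanism().getMechanism();
                        ProxyMessage.P11Params params = signTemplate.getMechanism().getParams();
                        P11Params p11Params = null;
                        if (params != null) {
                            // The tag selects the parameter type; anything else is a malformed request.
                            switch (params.getTagNo()) {
                                case 0:
                                    p11Params = ProxyMessage.RSAPkcsPssParams.getInstance(params).getPkcsPssParams();
                                    break;
                                case 1:
                                    p11Params = new P11Params.P11ByteArrayParams(
                                            ASN1OctetString.getInstance(params).getOctets());
                                    break;
                                case 2:
                                    p11Params = new P11Params.P11IVParams(
                                            ASN1OctetString.getInstance(params).getOctets());
                                    break;
                                default:
                                    throw new BadAsn1ObjectException(
                                            "unknown SignTemplate.params: unknown tag " + params.getTagNo());
                            }
                        }
                        byte[] message = signTemplate.getMessage();
                        P11Identity identity = p11CryptService.getIdentity(
                                signTemplate.getSlotId().getValue(), signTemplate.getObjectId().getValue());
                        if (identity == null) {
                            return getResp(version, transactionId, RC_UNKNOWN_ENTITY, action);
                        }
                        return getSuccessResp(version, transactionId, action,
                                (ASN1Object) new DEROctetString(identity.sign(mechanism, p11Params, message)));
                    }
                    case P11ProxyConstants.ACTION_GEN_KEYPAIR_RSA: { // 304
                        ProxyMessage.GenRSAKeypairParams req = ProxyMessage.GenRSAKeypairParams.getInstance(content);
                        return getSuccessResp(version, transactionId, action,
                                new ProxyMessage.IdentityId(getSlot(p11CryptService, req.getSlotId())
                                        .generateRSAKeypair(req.getKeysize(), req.getPublicExponent(), req.getControl())));
                    }
                    case P11ProxyConstants.ACTION_GEN_KEYPAIR_DSA: { // 305
                        ProxyMessage.GenDSAKeypairParams req = ProxyMessage.GenDSAKeypairParams.getInstance(content);
                        return getSuccessResp(version, transactionId, action,
                                new ProxyMessage.IdentityId(getSlot(p11CryptService, req.getSlotId())
                                        .generateDSAKeypair(req.getP(), req.getQ(), req.getG(), req.getControl())));
                    }
                    case P11ProxyConstants.ACTION_GEN_KEYPAIR_EC: { // 307
                        ProxyMessage.GenECKeypairParams req = ProxyMessage.GenECKeypairParams.getInstance(content);
                        return getSuccessResp(version, transactionId, action,
                                new ProxyMessage.IdentityId(getSlot(p11CryptService, req.getSlotId())
                                        .generateECKeypair(req.getCurveId(), req.getControl())));
                    }
                    case P11ProxyConstants.ACTION_DIGEST_SECRETKEY: { // 308
                        ProxyMessage.DigestSecretKeyTemplate req =
                                ProxyMessage.DigestSecretKeyTemplate.getInstance(content);
                        P11Identity identity = p11CryptService.getIdentity(
                                req.getSlotId().getValue(), req.getObjectId().getValue());
                        // Fix: same null check as ACTION_SIGN; an unknown key used to surface as a
                        // NullPointerException and RC_INTERNAL_ERROR.
                        if (identity == null) {
                            return getResp(version, transactionId, RC_UNKNOWN_ENTITY, action);
                        }
                        return getSuccessResp(version, transactionId, action,
                                (ASN1Object) new DEROctetString(
                                        identity.digestSecretKey(req.getMechanism().getMechanism())));
                    }
                    case P11ProxyConstants.ACTION_GEN_SECRET_KEY: { // 309
                        ProxyMessage.GenSecretKeyParams req = ProxyMessage.GenSecretKeyParams.getInstance(content);
                        return getSuccessResp(version, transactionId, action,
                                new ProxyMessage.IdentityId(getSlot(p11CryptService, req.getSlotId())
                                        .generateSecretKey(req.getKeyType(), req.getKeysize(), req.getControl())));
                    }
                    case P11ProxyConstants.ACTION_IMPORT_SECRET_KEY: { // 310
                        // The key value arrives in the request content; it is handed to the slot
                        // and is not logged or echoed by this method.
                        ProxyMessage.ImportSecretKeyParams req = ProxyMessage.ImportSecretKeyParams.getInstance(content);
                        return getSuccessResp(version, transactionId, action,
                                new ProxyMessage.IdentityId(new P11IdentityId(req.getSlotId(),
                                        getSlot(p11CryptService, req.getSlotId())
                                                .importSecretKey(req.getKeyType(), req.getKeyValue(), req.getControl()),
                                        null, null)));
                    }
                    case P11ProxyConstants.ACTION_ADD_CERT: { // 320
                        ProxyMessage.AddCertParams req = ProxyMessage.AddCertParams.getInstance(content);
                        getSlot(p11CryptService, req.getSlotId())
                                .addCert(X509Util.toX509Cert(req.getCertificate()), req.getControl());
                        return getSuccessResp(version, transactionId, action, (byte[]) null);
                    }
                    case P11ProxyConstants.ACTION_REMOVE_IDENTITY: { // 321
                        ProxyMessage.SlotIdAndObjectId req = ProxyMessage.SlotIdAndObjectId.getInstance(content);
                        getSlot(p11CryptService, req.getSlotId().getValue())
                                .removeIdentityByKeyId(req.getObjectId().getValue());
                        return getSuccessResp(version, transactionId, action, (byte[]) null);
                    }
                    case P11ProxyConstants.ACTION_REMOVE_CERTS: { // 322
                        ProxyMessage.SlotIdAndObjectId req = ProxyMessage.SlotIdAndObjectId.getInstance(content);
                        getSlot(p11CryptService, req.getSlotId().getValue())
                                .removeCerts(req.getObjectId().getValue());
                        return getSuccessResp(version, transactionId, action, (byte[]) null);
                    }
                    case P11ProxyConstants.ACTION_UPDATE_CERT: { // 323
                        ProxyMessage.ObjectIdAndCert req = ProxyMessage.ObjectIdAndCert.getInstance(content);
                        getSlot(p11CryptService, req.getSlotId().getValue())
                                .updateCertificate(req.getObjectId().getValue(),
                                        X509Util.toX509Cert(req.getCertificate()));
                        return getSuccessResp(version, transactionId, action, (byte[]) null);
                    }
                    case P11ProxyConstants.ACTION_REMOVE_OBJECTS: { // 324
                        ProxyMessage.RemoveObjectsParams req = ProxyMessage.RemoveObjectsParams.getInstance(content);
                        return getSuccessResp(version, transactionId, action,
                                (ASN1Object) new ASN1Integer(getSlot(p11CryptService, req.getSlotId())
                                        .removeObjects(req.getOjectId(), req.getObjectLabel())));
                    }
                    case P11ProxyConstants.ACTION_GEN_KEYPAIR_SM2: { // 325
                        ProxyMessage.GenSM2KeypairParams req = ProxyMessage.GenSM2KeypairParams.getInstance(content);
                        return getSuccessResp(version, transactionId, action,
                                new ProxyMessage.IdentityId(getSlot(p11CryptService, req.getSlotId())
                                        .generateSM2Keypair(req.getControl())));
                    }
                    case P11ProxyConstants.ACTION_GEN_KEYPAIR_EC_EDWARDS: { // 326
                        ProxyMessage.GenECEdwardsOrMontgomeryKeypairParams req =
                                ProxyMessage.GenECEdwardsOrMontgomeryKeypairParams.getInstance(content);
                        return getSuccessResp(version, transactionId, action,
                                new ProxyMessage.IdentityId(getSlot(p11CryptService, req.getSlotId())
                                        .generateECEdwardsKeypair(req.getCurveOid(), req.getControl())));
                    }
                    case P11ProxyConstants.ACTION_GEN_KEYPAIR_EC_MONTGOMERY: { // 327
                        ProxyMessage.GenECEdwardsOrMontgomeryKeypairParams req =
                                ProxyMessage.GenECEdwardsOrMontgomeryKeypairParams.getInstance(content);
                        return getSuccessResp(version, transactionId, action,
                                new ProxyMessage.IdentityId(getSlot(p11CryptService, req.getSlotId())
                                        .generateECMontgomeryKeypair(req.getCurveOid(), req.getControl())));
                    }
                    default:
                        LOG.error("unsupported XiPKI action code '{}'", Short.valueOf(action));
                        return getResp(version, transactionId, RC_UNSUPPORTED_ACTION, action);
                }
            } catch (InvalidKeyException | CertificateException | XiSecurityException e) {
                LogUtil.error(LOG, e, buildErrorMsg(action, transactionId));
                return getResp(version, transactionId, RC_INTERNAL_ERROR, action);
            }
        } catch (BadAsn1ObjectException e) {
            // Content that does not decode is the caller's fault: bad request.
            LogUtil.error(LOG, e, "could not process decode requested content (tid=" + Hex.encode(transactionId) + ")");
            return getResp(version, transactionId, RC_BAD_REQUEST, action);
        } catch (P11TokenException e) {
            LogUtil.error(LOG, e, buildErrorMsg(action, transactionId));
            return getResp(version, transactionId, toReturnCode(e), action);
        } catch (Throwable th) {
            // Last resort, kept as found: anything else (unchecked exceptions from the
            // decoders, but also Errors) becomes a generic internal error, so only a
            // return code, never exception detail, reaches the caller.
            LogUtil.error(LOG, th, buildErrorMsg(action, transactionId));
            return getResp(version, transactionId, RC_INTERNAL_ERROR, action);
        }
    }

    /** Maps a token exception to the return code sent to the client; the generic token error is the fallback. */
    private static short toReturnCode(P11TokenException ex) {
        if (ex instanceof P11UnknownEntityException) {
            return RC_UNKNOWN_ENTITY;
        }
        if (ex instanceof P11DuplicateEntityException) {
            return RC_DUPLICATE_ENTITY;
        }
        if (ex instanceof P11UnsupportedMechanismException) {
            return RC_UNSUPPORTED_MECHANISM;
        }
        return RC_TOKEN_ERROR;
    }

    /** Builds the log message for a failed action; the transaction id is hex-encoded before it is logged. */
    private static String buildErrorMsg(short action, byte[] transactionId) {
        return "could not process action " + P11ProxyConstants.getActionName(action)
                + " (tid=" + Hex.encode(transactionId) + ")";
    }

    /**
     * Resolves a slot of the service's module.
     *
     * @throws P11TokenException a {@link P11UnknownEntityException} if the module returns no slot for the
     *     identifier, or whatever the module lookup itself throws
     */
    private P11Slot getSlot(P11CryptService p11CryptService, P11SlotIdentifier p11SlotIdentifier)
            throws P11TokenException {
        P11Slot slot = p11CryptService.getModule().getSlot(p11SlotIdentifier);
        if (slot == null) {
            throw new P11UnknownEntityException(p11SlotIdentifier);
        }
        return slot;
    }

    /**
     * Encodes a content-less response: 14 bytes with body length 4 (return code plus action code).
     *
     * @param version protocol version to write at offset 0
     * @param transactionId at least 4 bytes; the first 4 are echoed at offset 2
     * @param rc return code written at offset 10
     * @param action action code written at offset 12
     */
    private static byte[] getResp(short version, byte[] transactionId, short rc, short action) {
        byte[] resp = new byte[HEADER_LEN];
        IoUtil.writeShort(version, resp, 0);
        System.arraycopy(transactionId, 0, resp, 2, TID_LEN);
        IoUtil.writeInt(4, resp, 6);
        IoUtil.writeShort(rc, resp, 10);
        IoUtil.writeShort(action, resp, 12);
        return resp;
    }

    /**
     * Encodes a success response whose content is the encoding of {@code respContent}.
     * If the object cannot be encoded, an internal-error response is returned instead.
     */
    private static byte[] getSuccessResp(short version, byte[] transactionId, short action, ASN1Object respContent) {
        try {
            return getSuccessResp(version, transactionId, action, respContent.getEncoded());
        } catch (IOException e) {
            LogUtil.error(LOG, e, "could not encode response ASN1Object");
            return getResp(version, transactionId, RC_INTERNAL_ERROR, action);
        }
    }

    /**
     * Encodes a success response (return code 0).
     *
     * @param respContent bytes appended from offset 14, or {@code null} for a response without content
     */
    private static byte[] getSuccessResp(short version, byte[] transactionId, short action, byte[] respContent) {
        int contentLen = (respContent == null) ? 0 : respContent.length;
        // The body length covers the return code and action code (4 bytes) plus the content.
        int bodyLen = 4 + contentLen;
        byte[] resp = new byte[10 + bodyLen];
        IoUtil.writeShort(version, resp, 0);
        System.arraycopy(transactionId, 0, resp, 2, TID_LEN);
        IoUtil.writeInt(bodyLen, resp, 6);
        IoUtil.writeShort(RC_SUCCESS, resp, 10);
        IoUtil.writeShort(action, resp, 12);
        if (respContent != null) {
            System.arraycopy(respContent, 0, resp, HEADER_LEN, contentLen);
        }
        return resp;
    }
}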
