package iaik.security.rsa;

import iaik.asn1.structures.AlgorithmID;
import iaik.cms.SecurityProvider;
import iaik.pkcs.pkcs1.MGF1;
import iaik.pkcs.pkcs1.MaskGenerationAlgorithm;
import iaik.pkcs.pkcs1.Padding;
import iaik.pkcs.pkcs1.RSAPssParameterSpec;
import iaik.security.md.SHA;
import iaik.security.provider.IAIK;
import iaik.utils.CryptoUtils;
import iaik.utils.IaikSecurity;
import iaik.utils.Util;
import java.security.AlgorithmParameters;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidParameterSpecException;

/* loaded from: input_file:BKULocal.war:WEB-INF/lib/iaik_jce_full_signed-5.52_MOA.jar:iaik/security/rsa/RSAPssSignature.class */
public class RSAPssSignature extends b {
    private static boolean f = false;
    AlgorithmID a;
    MaskGenerationAlgorithm b;
    int d;
    byte[] e;
    private byte g;
    private RSAPssParameterSpec h;
    private RSAPssParameterSpec i;

    public static void setValidateAgainstPssKeyParameters(boolean z) {
        f = z;
    }

    public RSAPssSignature() {
        this(SecurityProvider.IMPLEMENTATION_NAME_RSA_PSS);
        e();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public RSAPssSignature(String str) {
        super(str, Padding.PADDING_NONE);
        this.g = (byte) -68;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void e() {
        this.c = (AlgorithmID) AlgorithmID.sha1.clone();
        this.a = (AlgorithmID) AlgorithmID.mgf1.clone();
        this.a.setParameter(this.c.toASN1Object());
        this.hash = new SHA();
        this.b = new MGF1(this.c, new SHA());
        this.d = 20;
        this.g = (byte) -68;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // iaik.security.rsa.b, java.security.SignatureSpi
    public void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
        if (privateKey.getClass().getName().indexOf("IAIKPKCS11RsaPrivateKey") != -1) {
            super.engineInitSign(privateKey);
            if (this.b != null) {
                this.b.reset();
                return;
            }
            return;
        }
        RSAPrivateKey rSAPrivateKey = Util.getRSAPrivateKey(privateKey);
        if (rSAPrivateKey instanceof RSAPssPrivateKey) {
            try {
                AlgorithmParameterSpec params = ((RSAPssPrivateKey) rSAPrivateKey).getParams();
                if (params != null) {
                    if (this.i == null) {
                        engineSetParameter(params);
                    } else if (f) {
                        try {
                            if (!RSAPssPublicKey.a((RSAPssParameterSpec) params, this.i)) {
                                throw new InvalidKeyException("Application set parameters are not valid for PSS-Key used with this engine!");
                            }
                        } catch (InvalidParameterSpecException e) {
                        }
                    }
                    this.h = (RSAPssParameterSpec) ((RSAPssParameterSpec) params).clone();
                }
            } catch (InvalidKeyException e2) {
                throw e2;
            } catch (Exception e3) {
                throw new InvalidKeyException(new StringBuffer().append("RSA-PSS key contains invalid parameters: ").append(e3.toString()).toString());
            }
        }
        super.engineInitSign(rSAPrivateKey);
        if (this.b != null) {
            this.b.reset();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // iaik.security.rsa.b, java.security.SignatureSpi
    public void engineInitVerify(PublicKey publicKey) throws InvalidKeyException {
        RSAPublicKey rSAPublicKey = Util.getRSAPublicKey(publicKey);
        if (rSAPublicKey instanceof RSAPssPublicKey) {
            try {
                AlgorithmParameterSpec params = ((RSAPssPublicKey) rSAPublicKey).getParams();
                if (params != null) {
                    if (this.i == null) {
                        engineSetParameter(params);
                    } else if (f) {
                        try {
                            if (!RSAPssPublicKey.a((RSAPssParameterSpec) params, this.i)) {
                                throw new InvalidKeyException("Application set parameters are not valid for PSS-Key used with this engine!");
                            }
                        } catch (InvalidParameterSpecException e) {
                        }
                    }
                    this.h = (RSAPssParameterSpec) ((RSAPssParameterSpec) params).clone();
                }
            } catch (InvalidKeyException e2) {
                throw e2;
            } catch (Exception e3) {
                throw new InvalidKeyException(new StringBuffer().append("RSA-PSS key contains invalid parameters: ").append(e3.toString()).toString());
            }
        }
        super.engineInitVerify(rSAPublicKey);
        if (this.b != null) {
            this.b.reset();
        }
    }

    @Override // iaik.security.rsa.b, java.security.SignatureSpi
    protected void engineSetParameter(AlgorithmParameterSpec algorithmParameterSpec) throws InvalidAlgorithmParameterException {
        if (algorithmParameterSpec == null) {
            this.i = null;
            e();
            return;
        }
        if (!(algorithmParameterSpec instanceof RSAPssParameterSpec)) {
            if (!"java.security.spec.PSSParameterSpec".equals(algorithmParameterSpec.getClass().getName())) {
                throw new InvalidAlgorithmParameterException("Params must be a RSAPssParameterSpec!");
            }
            engineSetParameter(new RSAPssParameterSpec(algorithmParameterSpec));
            return;
        }
        RSAPssParameterSpec rSAPssParameterSpec = (RSAPssParameterSpec) algorithmParameterSpec;
        int trailerField = rSAPssParameterSpec.getTrailerField();
        if (trailerField != 1) {
            throw new InvalidAlgorithmParameterException(new StringBuffer().append("Trailer field number ").append(trailerField).append(" not supported by RSASSA-PSS. Expected ").append(1).append("!").toString());
        }
        if (this.h != null && f) {
            try {
                if (!RSAPssPublicKey.a(this.h, rSAPssParameterSpec)) {
                    throw new InvalidAlgorithmParameterException("Parameters are not valid for PSS-Key used with this engine!");
                }
            } catch (InvalidParameterSpecException e) {
            }
        }
        this.c = rSAPssParameterSpec.getHashAlgorithm();
        try {
            this.hash = rSAPssParameterSpec.getHashEngine();
            this.a = rSAPssParameterSpec.getMaskGenAlgorithm();
            try {
                this.b = rSAPssParameterSpec.getMGFEngine();
                this.d = rSAPssParameterSpec.getSaltLength();
                if (this.d < 0) {
                    throw new InvalidAlgorithmParameterException("Cannot set saltLength parameter; must not be negative.");
                }
                this.e = rSAPssParameterSpec.getSalt();
                SecureRandom secureRandom = rSAPssParameterSpec.getSecureRandom();
                if (secureRandom != null) {
                    a(secureRandom);
                }
                this.i = (RSAPssParameterSpec) rSAPssParameterSpec.clone();
            } catch (NoSuchAlgorithmException e2) {
                throw new InvalidAlgorithmParameterException(new StringBuffer().append("Cannot set mask generation algorithm parameter; no mgf engine available: ").append(e2.getMessage()).toString());
            }
        } catch (NoSuchAlgorithmException e3) {
            throw new InvalidAlgorithmParameterException(new StringBuffer().append("Cannot set hash algorithm parameter; no hash engine available: ").append(e3.getMessage()).toString());
        }
    }

    @Override // iaik.security.rsa.b, java.security.SignatureSpi
    protected Object engineGetParameter(String str) throws InvalidParameterException {
        return engineGetParameters();
    }

    @Override // java.security.SignatureSpi
    protected AlgorithmParameters engineGetParameters() {
        AlgorithmParameters algorithmParameters = null;
        if (this.c != null && this.a != null) {
            try {
                RSAPssParameterSpec rSAPssParameterSpec = new RSAPssParameterSpec(this.c, this.a, this.d);
                algorithmParameters = IaikSecurity.getAlgorithmParametersInstance(SecurityProvider.IMPLEMENTATION_NAME_RSA_PSS, IAIK.getInstance());
                algorithmParameters.init(rSAPssParameterSpec);
                return algorithmParameters;
            } catch (Exception e) {
            }
        }
        return algorithmParameters;
    }

    @Override // java.security.SignatureSpi
    protected byte[] engineSign() throws SignatureException {
        if (this.hash == null) {
            throw new NullPointerException("Cannot calculate signature. Digest engine must not be null!");
        }
        if (this.b == null) {
            throw new NullPointerException("Cannot calculate signature. MGF engine must not be null!");
        }
        int b = b();
        int i = b - 1;
        int i2 = (i + 7) / 8;
        byte[] bArr = new byte[i2];
        byte[] a = a();
        int length = a.length;
        if (this.d < 0) {
            this.d = 20;
        }
        if (i2 < length + this.d + 2) {
            throw new SignatureException(new StringBuffer().append("Encoding error: emLen (").append(i2).append(") shorter than hashLen + saltLen + 2!").toString());
        }
        byte[] bArr2 = this.e;
        byte[] bArr3 = new byte[8 + length + this.d];
        System.arraycopy(a, 0, bArr3, 8, length);
        if (this.d > 0) {
            if (bArr2 == null) {
                SecureRandom c = c();
                if (c == null) {
                    throw new NullPointerException("Cannot calculate signature. No SecureRandom available!");
                }
                bArr2 = new byte[this.d];
                c.nextBytes(bArr2);
            }
            System.arraycopy(bArr2, 0, bArr3, 8 + length, this.d);
        }
        byte[] digest = this.hash.digest(bArr3);
        int i3 = (i2 - length) - 1;
        bArr[(i3 - this.d) - 1] = 1;
        if (this.d > 0) {
            System.arraycopy(bArr2, 0, bArr, i3 - this.d, this.d);
        }
        this.b.mask(digest, 0, digest.length, i3, bArr, 0);
        bArr[0] = (byte) (bArr[0] & (255 >> ((8 * i2) - i)));
        System.arraycopy(digest, 0, bArr, i3, length);
        bArr[i2 - 1] = this.g;
        try {
            byte[] a2 = a(bArr);
            int i4 = (b + 7) / 8;
            if (a2.length < i4) {
                byte[] bArr4 = new byte[i4];
                System.arraycopy(a2, 0, bArr4, i4 - a2.length, a2.length);
                CryptoUtils.zeroBlock(a2);
                a2 = bArr4;
            }
            return a2;
        } catch (Exception e) {
            throw new SignatureException(new StringBuffer().append("Signing error: ").append(e.toString()).toString());
        }
    }

    @Override // java.security.SignatureSpi
    protected boolean engineVerify(byte[] bArr) throws SignatureException {
        if (this.hash == null) {
            throw new NullPointerException("Cannot verify signature. Digest engine must not be null!");
        }
        if (this.b == null) {
            throw new NullPointerException("Cannot verify signature. MGF engine must not be null!");
        }
        int b = b();
        int i = (b + 7) / 8;
        int i2 = b - 1;
        if (bArr.length != i) {
            throw new SignatureException(new StringBuffer().append("Invalid signature (length is not k (").append(i).append(") octets!").toString());
        }
        try {
            byte[] a = a(bArr);
            int i3 = (i2 + 7) / 8;
            if (i3 < a.length) {
                if ((b - 1) % 8 != 0 || i3 != a.length - 1) {
                    CryptoUtils.zeroBlock(a);
                    throw new SignatureException("Invalid signature. Decrypted message too long");
                }
                byte[] bArr2 = new byte[i3];
                System.arraycopy(a, a.length - i3, bArr2, 0, i3);
                CryptoUtils.zeroBlock(a);
                a = bArr2;
            }
            byte[] a2 = a();
            int length = a2.length;
            if (this.d < 0) {
                this.d = 20;
            }
            if (i3 < length + this.d + 2) {
                CryptoUtils.zeroBlock(a);
                throw new SignatureException(new StringBuffer().append("Inconsitent length: emLen (").append(i3).append(") shorter than hashLen + saltLen + 2!").toString());
            }
            if (a[a.length - 1] != this.g) {
                CryptoUtils.zeroBlock(a);
                throw new SignatureException("Invalid signature. Inconsistent trailer field.");
            }
            if ((a[0] & (65280 >> ((8 * i3) - i2)) & 255) != 0) {
                CryptoUtils.zeroBlock(a);
                throw new SignatureException("Invalid signature. Leftmost 8emLen - emBits not all zero.");
            }
            int i4 = (i3 - length) - 1;
            this.b.mask(a, i4, length, i4, a, 0);
            a[0] = (byte) (a[0] & (255 >> ((8 * i3) - i2)));
            int i5 = ((i3 - length) - this.d) - 2;
            for (int i6 = 0; i6 < i5; i6++) {
                if (a[i6] != 0) {
                    CryptoUtils.zeroBlock(a);
                    throw new SignatureException("Invalid signature. Not all leftmost octets of DB are zero");
                }
            }
            if (a[i5] != 1) {
                CryptoUtils.zeroBlock(a);
                throw new SignatureException("Invalid signature. Missing 0x01 octet");
            }
            byte[] bArr3 = new byte[8 + length + this.d];
            System.arraycopy(a2, 0, bArr3, 8, length);
            if (this.d > 0) {
                System.arraycopy(a, ((i3 - length) - this.d) - 1, bArr3, 8 + length, this.d);
            }
            boolean secureEqualsBlock = CryptoUtils.secureEqualsBlock(this.hash.digest(bArr3), 0, a, i4, length);
            CryptoUtils.zeroBlock(a);
            CryptoUtils.zeroBlock(bArr3);
            return secureEqualsBlock;
        } catch (Exception e) {
            throw new SignatureException(new StringBuffer().append("Signature decryption error: ").append(e.toString()).toString());
        }
    }

    @Override // iaik.security.rsa.b
    int d() {
        return 100;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // iaik.security.rsa.b
    public byte[] a() {
        return super.a();
    }
}
