package by.avest.crypto.pkcs11.provider;

import by.avest.crypto.AvestExtensions;
import by.avest.crypto.pkcs11.provider.TokenKeyStoreEntry;
import by.avest.crypto.provider.Pkcs11TokenInfo;
import by.avest.crypto.util.ExtensionValueParser;
import iaik.pkcs.pkcs11.wrapper.PKCS11;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;
import iaik.pkcs.pkcs11.wrapper.PKCS11Exception;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.KeyStoreSpi;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import sun.security.util.Debug;
import sun.security.x509.X500Name;

/* loaded from: input_file:by/avest/crypto/pkcs11/provider/TokenKeyStore.class */
public abstract class TokenKeyStore extends KeyStoreSpi implements PKCS11Constants, AvestExtensions {
    private static final boolean tokenCertificateWriteEnabled;
    private final Debug debug;
    private final TokenKeyStorePolicy policy;
    private TokenKeyStoreEntries entries;
    private Pkcs11Common pkcs11Common = new Pkcs11Common();
    private DeviceHandler deviceHandler;

    /* loaded from: input_file:by/avest/crypto/pkcs11/provider/TokenKeyStore$DeviceHandler.class */
    public interface DeviceHandler {
        boolean exists(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) throws KeyStoreException;

        void remove(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) throws KeyStoreException;

        void addPrivateKey(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, PrivateKeyHandleWrapper privateKeyHandleWrapper, char[] cArr) throws KeyStoreException;

        void updateChain(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, Certificate[] certificateArr, char[] cArr) throws KeyStoreException;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:by/avest/crypto/pkcs11/provider/TokenKeyStore$TokenKeyStorePolicy.class */
    public interface TokenKeyStorePolicy {
        boolean isInputStreamRequired();

        boolean isStorePasswordRequired();

        boolean isKeyPasswordRequired();

        boolean isOutputStreamRequired();

        char[] getSecurityOfficerPassword();

        boolean isChainRequiredForKeyEntry();

        char[] getDefaultUserPassword();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public TokenKeyStore(Debug debug, TokenKeyStorePolicy tokenKeyStorePolicy) {
        this.debug = debug;
        this.policy = tokenKeyStorePolicy;
    }

    protected void setPkcs11Common(Pkcs11Common pkcs11Common) {
        this.pkcs11Common = pkcs11Common;
    }

    protected PKCS11 getCryptoki() {
        return this.pkcs11Common.getCryptoki();
    }

    protected Pkcs11Session getSession() {
        Pkcs11Session session = this.pkcs11Common.getSession();
        if (this.debug != null) {
            Util.log(this.debug, "acquired session id: " + session.getSessionId());
        }
        return session;
    }

    protected long getVirtualSlotCount() {
        return this.pkcs11Common.getVirtualSlotCount();
    }

    protected long getVirtualSlotId() {
        return this.pkcs11Common.getVirtualSlotId();
    }

    protected Pkcs11VirtualToken getVirtualToken() {
        return this.pkcs11Common.getVirtualToken();
    }

    protected void release() {
        this.pkcs11Common.release();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void setVirtualSlotId(long j) {
        this.pkcs11Common.setVirtualSlotId(j);
    }

    @Override // java.security.KeyStoreSpi
    public Enumeration engineAliases() {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineAliases()");
        }
        return enumerateAliases();
    }

    protected Enumeration enumerateAliases() {
        ArrayList arrayList = new ArrayList();
        listAliases(arrayList);
        return Collections.enumeration(arrayList);
    }

    protected void listAliases(List list) {
        for (TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias : this.entries.aliasesSet()) {
            String label = tokenKeyStoreEntryAlias.getLabel() != null ? tokenKeyStoreEntryAlias.getLabel() : "";
            if (!list.contains(label)) {
                if (this.debug != null) {
                    Util.log(this.debug, "added alias: " + label);
                }
                list.add(label);
            }
        }
        if (this.debug != null) {
            Util.log(this.debug, "listAliases(): " + list.size());
        }
    }

    @Override // java.security.KeyStoreSpi
    public boolean engineContainsAlias(String str) {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineContainsAlias(" + str + ")");
        }
        boolean containsAlias = containsAlias(new TokenKeyStoreEntryAlias(str));
        if (containsAlias) {
            if (this.debug != null) {
                Util.log(this.debug, getClass().getName() + ".engineContainsAlias(" + str + "): exists");
            }
        } else if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineContainsAlias(" + str + "): does not exist");
        }
        return containsAlias;
    }

    protected boolean containsAlias(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) {
        return this.entries.containsEntry(tokenKeyStoreEntryAlias);
    }

    @Override // java.security.KeyStoreSpi
    public void engineDeleteEntry(String str) throws KeyStoreException {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineDeleteEntry(" + str + ")");
        }
        try {
            deleteEntry(new TokenKeyStoreEntryAlias(str));
        } catch (PKCS11Exception e) {
            throw new KeyStoreException(e.getMessage(), e);
        }
    }

    protected boolean deleteEntry(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) throws KeyStoreException, PKCS11Exception {
        boolean z = false;
        TokenKeyStoreEntry entry = this.entries.getKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (entry != null) {
            if (this.debug != null) {
                Util.log(this.debug, "private key entry will be deleted");
            }
            destroyEntry(entry);
            this.entries.getKeyEntriesList().removeEntry(entry);
            z = true;
        }
        TokenKeyStoreEntry entry2 = this.entries.getSecretKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (entry2 != null) {
            if (this.debug != null) {
                Util.log(this.debug, "secret key entry will be deleted");
            }
            destroyEntry(entry2);
            this.entries.getSecretKeyEntriesList().removeEntry(entry2);
            z = true;
        }
        TokenKeyStoreEntry entry3 = this.entries.getTrustedCertEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (entry3 != null) {
            if (this.debug != null) {
                Util.log(this.debug, "trusted certificate entry will be deleted");
            }
            destroyEntry(entry3);
            this.entries.getTrustedCertEntriesList().removeEntry(entry3);
            z = true;
        }
        TokenKeyStoreEntry entry4 = this.entries.getOtherCertEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (entry4 != null) {
            if (this.debug != null) {
                Util.log(this.debug, "other certificate entry will be deleted");
            }
            destroyEntry(entry4);
            this.entries.getOtherCertEntriesList().removeEntry(entry4);
            z = true;
        }
        return z;
    }

    private void destroyEntry(TokenKeyStoreEntry tokenKeyStoreEntry) throws PKCS11Exception {
        try {
            PKCS11 cryptoki = getCryptoki();
            Pkcs11Session session = getSession();
            long handle = tokenKeyStoreEntry.getHandle();
            if (this.debug != null) {
                Util.log(this.debug, "destroying entry, handle: " + handle);
            }
            if (handle != 0) {
                Pkcs11Tool.destroyObject(cryptoki, session, handle);
            }
            if (tokenKeyStoreEntry instanceof TokenKeyStoreEntry.PrivateKeyEntry) {
                long publicKeyHandle = ((TokenKeyStoreEntry.PrivateKeyEntry) tokenKeyStoreEntry).getPublicKeyHandle();
                if (this.debug != null) {
                    Util.log(this.debug, "destroying private key entry, public key handle: " + publicKeyHandle);
                }
                if (publicKeyHandle != 0) {
                    try {
                        Pkcs11Tool.destroyObject(cryptoki, session, publicKeyHandle);
                    } catch (PKCS11Exception e) {
                        if (e.getErrorCode() != 130) {
                            throw e;
                        }
                        if (Util.isDebug()) {
                            Util.log("associated public key handle not found (deleted previously?), ignoring");
                            e.printStackTrace();
                        }
                    }
                }
            }
        } finally {
            release();
        }
    }

    @Override // java.security.KeyStoreSpi
    public Certificate engineGetCertificate(String str) {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineGetCertificate(" + str + ")");
        }
        Certificate certificate = getCertificate(new TokenKeyStoreEntryAlias(str));
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineGetCertificate(" + str + "): " + (certificate == null ? "not found" : "found"));
        }
        return certificate;
    }

    protected Certificate getCertificate(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) {
        TokenKeyStoreEntry.CertificateEntry certificateEntry = (TokenKeyStoreEntry.CertificateEntry) this.entries.getTrustedCertEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (this.debug != null) {
            Util.log(this.debug, "TrustedCertificateEntry: " + certificateEntry);
        }
        if (certificateEntry != null) {
            return certificateEntry.getCertificate();
        }
        TokenKeyStoreEntry.PrivateKeyEntry privateKeyEntry = (TokenKeyStoreEntry.PrivateKeyEntry) this.entries.getKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (this.debug != null) {
            Util.log(this.debug, "PrivateKeyEntry: " + privateKeyEntry);
        }
        if (privateKeyEntry != null) {
            return privateKeyEntry.getFirstChainCertificate();
        }
        TokenKeyStoreEntry.CertificateEntry certificateEntry2 = (TokenKeyStoreEntry.CertificateEntry) this.entries.getOtherCertEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (this.debug != null) {
            Util.log(this.debug, "OtherCertificateEntry: " + certificateEntry2);
        }
        if (certificateEntry2 != null) {
            return certificateEntry2.getCertificate();
        }
        return null;
    }

    @Override // java.security.KeyStoreSpi
    public String engineGetCertificateAlias(Certificate certificate) {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineGetCertificateAlias(certificate)");
        }
        if (certificate == null) {
            return null;
        }
        String certificateAlias = getCertificateAlias(certificate);
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineGetCertificateAlias(certificate): " + certificateAlias);
        }
        return certificateAlias;
    }

    protected String getCertificateAlias(Certificate certificate) {
        if (this.debug != null) {
            Util.log(this.debug, "checking trusted certificate entries");
        }
        for (TokenKeyStoreEntry.CertificateEntry certificateEntry : this.entries.getTrustedCertEntriesList().getEntries()) {
            if (certificate.equals(certificateEntry.getCertificate())) {
                return certificateEntry.getAlias().getLabel();
            }
        }
        if (this.debug != null) {
            Util.log(this.debug, "checking key entry certificate chains");
        }
        for (TokenKeyStoreEntry.PrivateKeyEntry privateKeyEntry : this.entries.getKeyEntriesList().getEntries()) {
            if (privateKeyEntry.getFirstChainCertificate() != null && certificate.equals(privateKeyEntry.getFirstChainCertificate())) {
                return privateKeyEntry.getAlias().getLabel();
            }
        }
        if (this.debug != null) {
            Util.log(this.debug, "checkig other certificate entries");
        }
        for (TokenKeyStoreEntry.CertificateEntry certificateEntry2 : this.entries.getOtherCertEntriesList().getEntries()) {
            if (certificate.equals(certificateEntry2.getCertificate())) {
                return certificateEntry2.getAlias().getLabel();
            }
        }
        return null;
    }

    @Override // java.security.KeyStoreSpi
    public Certificate[] engineGetCertificateChain(String str) {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineGetCertificateChain(" + str + ")");
        }
        Certificate[] certificateChain = getCertificateChain(new TokenKeyStoreEntryAlias(str));
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineGetCertificateChain(" + str + "): " + (certificateChain == null ? "not found" : "found chain with " + certificateChain.length + " certificates"));
        }
        return certificateChain;
    }

    protected Certificate[] getCertificateChain(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) {
        TokenKeyStoreEntry.PrivateKeyEntry privateKeyEntry = (TokenKeyStoreEntry.PrivateKeyEntry) this.entries.getKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (privateKeyEntry != null) {
            return privateKeyEntry.getCertificateChain();
        }
        return null;
    }

    @Override // java.security.KeyStoreSpi
    public Date engineGetCreationDate(String str) {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineGetCreationDate(" + str + ")");
        }
        Date creationDate = getCreationDate(new TokenKeyStoreEntryAlias(str));
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineGetCreationDate(" + str + "): " + creationDate);
        }
        return creationDate;
    }

    protected Date getCreationDate(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) {
        if (this.debug != null) {
            Util.log(this.debug, "checking private key entries");
        }
        TokenKeyStoreEntry entry = this.entries.getKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (entry != null) {
            return getCreationDate(entry);
        }
        if (this.debug != null) {
            Util.log(this.debug, "checking secret key entries");
        }
        TokenKeyStoreEntry entry2 = this.entries.getSecretKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (entry2 != null) {
            return getCreationDate(entry2);
        }
        return null;
    }

    protected Date getCreationDate(TokenKeyStoreEntry tokenKeyStoreEntry) {
        if (this.debug != null) {
            Util.log(this.debug, "getCreationDate, handle: " + tokenKeyStoreEntry.getHandle());
        }
        if (tokenKeyStoreEntry.getHandle() == 0) {
            return null;
        }
        try {
            try {
                Date objectGenerationDate = getObjectGenerationDate(getCryptoki(), getSession(), tokenKeyStoreEntry.getHandle());
                release();
                return objectGenerationDate;
            } catch (Throwable th) {
                release();
                throw th;
            }
        } catch (PKCS11Exception e) {
            ProviderException providerException = new ProviderException(e.getMessage());
            providerException.initCause(e);
            throw providerException;
        } catch (IOException e2) {
            ProviderException providerException2 = new ProviderException(e2.getMessage());
            providerException2.initCause(e2);
            throw providerException2;
        }
    }

    private Date getObjectGenerationDate(PKCS11 pkcs11, Pkcs11Session pkcs11Session, long j) throws PKCS11Exception, IOException {
        return PKIUtil.convertAvDateTimeToDate(Pkcs11Tool.getAttributeValueBLOB(pkcs11, pkcs11Session, j, -1912602622L));
    }

    @Override // java.security.KeyStoreSpi
    public Key engineGetKey(String str, char[] cArr) throws NoSuchAlgorithmException, UnrecoverableKeyException {
        Key privateKey;
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineGetKey(" + str + ")");
        }
        if (str == null) {
            return null;
        }
        if (this.policy.isKeyPasswordRequired() && cArr == null) {
            throw new IllegalArgumentException("password is null");
        }
        try {
            try {
                try {
                    synchronized (this.pkcs11Common) {
                        privateKey = getPrivateKey(new TokenKeyStoreEntryAlias(str), cArr);
                        if (this.debug != null) {
                            Util.log(this.debug, getClass().getName() + ".engineGetKey(" + str + "): " + (privateKey == null ? "not found" : privateKey.getClass().getName()));
                        }
                    }
                    return privateKey;
                } finally {
                    release();
                }
            } catch (PKCS11Exception e) {
                UnrecoverableKeyException unrecoverableKeyException = new UnrecoverableKeyException(e.getMessage());
                unrecoverableKeyException.initCause(e);
                throw unrecoverableKeyException;
            }
        } catch (IOException e2) {
            UnrecoverableKeyException unrecoverableKeyException2 = new UnrecoverableKeyException(e2.getMessage());
            unrecoverableKeyException2.initCause(e2);
            throw unrecoverableKeyException2;
        } catch (KeyStoreException e3) {
            UnrecoverableKeyException unrecoverableKeyException3 = new UnrecoverableKeyException(e3.getMessage());
            unrecoverableKeyException3.initCause(e3);
            throw unrecoverableKeyException3;
        }
    }

    protected Key getPrivateKey(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, char[] cArr) throws PKCS11Exception, KeyStoreException, IOException, UnrecoverableKeyException {
        if (this.debug != null) {
            Util.log(this.debug, "checking private key entries");
        }
        TokenKeyStoreEntry entry = this.entries.getKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (this.debug != null) {
            Util.log(this.debug, "PrivateKeyEntry: " + entry);
        }
        if (entry != null) {
            return loadPrivateKey((TokenKeyStoreEntry.PrivateKeyEntry) entry, cArr);
        }
        if (this.debug != null) {
            Util.log(this.debug, "checking secret key entries");
        }
        TokenKeyStoreEntry entry2 = this.entries.getSecretKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (this.debug != null) {
            Util.log(this.debug, "SecretKeyEntry: " + entry2);
        }
        if (entry2 != null) {
            return loadSecretKey((TokenKeyStoreEntry.SecretKeyEntry) entry2, cArr);
        }
        return null;
    }

    @Override // java.security.KeyStoreSpi
    public boolean engineIsCertificateEntry(String str) {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineIsCertificateEntry(" + str + ")");
        }
        boolean isCertificateEntry = isCertificateEntry(new TokenKeyStoreEntryAlias(str));
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineIsCertificateEntry(" + str + "): " + isCertificateEntry);
        }
        return isCertificateEntry;
    }

    protected boolean isCertificateEntry(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) {
        return this.entries.getTrustedCertEntriesList().containsEntry(tokenKeyStoreEntryAlias);
    }

    @Override // java.security.KeyStoreSpi
    public boolean engineIsKeyEntry(String str) {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineIsKeyEntry(" + str + ")");
        }
        boolean isKeyEntry = isKeyEntry(new TokenKeyStoreEntryAlias(str));
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineIsKeyEntry(" + str + "): " + isKeyEntry);
        }
        return isKeyEntry;
    }

    protected boolean isKeyEntry(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) {
        TokenKeyStoreEntry.PrivateKeyEntry privateKeyEntry = (TokenKeyStoreEntry.PrivateKeyEntry) this.entries.getKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (privateKeyEntry != null && privateKeyEntry.getHandle() != 0) {
            if (this.debug == null) {
                return true;
            }
            Util.log(this.debug, "entry is PrivateKeyEntry");
            return true;
        }
        TokenKeyStoreEntry.SecretKeyEntry secretKeyEntry = (TokenKeyStoreEntry.SecretKeyEntry) this.entries.getSecretKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
        if (secretKeyEntry == null || secretKeyEntry.getHandle() == 0) {
            return false;
        }
        if (this.debug == null) {
            return true;
        }
        Util.log(this.debug, "entry is SecretKeyEntry");
        return true;
    }

    @Override // java.security.KeyStoreSpi
    public void engineLoad(InputStream inputStream, char[] cArr) throws IOException, NoSuchAlgorithmException, CertificateException {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineLoad(stream, password)");
        }
        if (this.policy.isInputStreamRequired() && inputStream == null) {
            throw new IOException("inputstream should not be null");
        }
        if (this.policy.isStorePasswordRequired() && cArr == null) {
            throw new IOException("password required");
        }
        try {
            load(inputStream, cArr);
        } catch (PKCS11Exception e) {
            IOException iOException = new IOException(e.getMessage());
            iOException.initCause(e);
            throw iOException;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void load(InputStream inputStream, char[] cArr) throws CertificateException, PKCS11Exception, IOException {
        login(cArr);
        loadAliasList();
    }

    protected void loadAliasList() throws PKCS11Exception, CertificateException {
        if (this.debug != null) {
            Util.log(this.debug, "loading token contents");
        }
        if (this.entries == null) {
            this.entries = new TokenKeyStoreEntries();
        } else {
            this.entries.clear();
        }
        try {
            PKCS11 cryptoki = getCryptoki();
            Pkcs11Session session = getSession();
            initializeCertificates(cryptoki, session);
            initializePrivateKeys(cryptoki, session);
            initializeSecretKeys(cryptoki, session);
            release();
            if (this.debug != null) {
                Util.log(this.debug, "token contents loaded");
            }
        } catch (Throwable th) {
            release();
            throw th;
        }
    }

    protected void login(char[] cArr) throws PKCS11Exception {
        Pkcs11VirtualToken virtualToken = this.pkcs11Common.getVirtualToken();
        Pkcs11TokenInfo info = virtualToken.getInfo();
        char[] defaultUserPassword = cArr == null ? this.policy.getDefaultUserPassword() : cArr;
        if (!info.isUserPinInitialized()) {
            if (this.debug != null) {
                Util.log(this.debug, "user pin was not initialized");
            }
            virtualToken.loginAs(this.policy.getSecurityOfficerPassword(), 0L);
            if (this.debug != null) {
                Util.log(this.debug, "initializing user pin");
            }
            virtualToken.initPin(defaultUserPassword);
            virtualToken.logout();
            if (this.debug != null) {
                Util.log(this.debug, "user pin initialized successfully");
            }
        }
        if (this.debug != null) {
            Util.log(this.debug, "logging in");
        }
        virtualToken.login(defaultUserPassword);
    }

    @Override // java.security.KeyStoreSpi
    public void engineSetCertificateEntry(String str, Certificate certificate) throws KeyStoreException {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineSetCertificateEntry(" + str + ", certificate)");
        }
        if (certificate == null) {
            throw new IllegalArgumentException(ProviderExcptMessages.TKS_NULL_CERT);
        }
        if (!(certificate instanceof X509Certificate)) {
            throw new IllegalArgumentException(ProviderExcptMessages.TKS_X509_CERTS_SUPPORTED);
        }
        try {
            setCertificateEntry(new TokenKeyStoreEntryAlias(str), (X509Certificate) certificate);
        } catch (PKCS11Exception e) {
            KeyStoreException keyStoreException = new KeyStoreException(e.getMessage());
            keyStoreException.initCause(e);
            throw keyStoreException;
        } catch (CertificateException e2) {
            KeyStoreException keyStoreException2 = new KeyStoreException(e2.getMessage());
            keyStoreException2.initCause(e2);
            throw keyStoreException2;
        }
    }

    protected void setCertificateEntry(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, X509Certificate x509Certificate) throws CertificateParsingException, PKCS11Exception, CertificateException {
        try {
            PKCS11 cryptoki = getCryptoki();
            Pkcs11Session session = getSession();
            if (this.debug != null) {
                Util.log(this.debug, "cheking if certificate already exists on token");
            }
            byte[] parseSubjectKeyIdentifierExtension = ExtensionValueParser.parseSubjectKeyIdentifierExtension(x509Certificate);
            if (this.debug != null) {
                Util.log(this.debug, "looking for certificate with id: " + ByteArrayUtil.toHexString(parseSubjectKeyIdentifierExtension));
            }
            long findObjectForId = findObjectForId(cryptoki, session, parseSubjectKeyIdentifierExtension, 1L);
            if (this.debug != null) {
                Util.log(this.debug, "found certificate handle: " + findObjectForId);
            }
            long createCertificate = createCertificate(cryptoki, session, tokenKeyStoreEntryAlias, x509Certificate, parseSubjectKeyIdentifierExtension, true);
            if (this.debug != null) {
                Util.log(this.debug, "creating new certificate entry");
            }
            TokenKeyStoreEntry.CertificateEntry certificateEntry = new TokenKeyStoreEntry.CertificateEntry(Pkcs11Tool.getAttributeValueBLOB(cryptoki, session, createCertificate, 258L));
            certificateEntry.setHandle(createCertificate);
            certificateEntry.setCertificate(x509Certificate);
            certificateEntry.setLabel(Pkcs11Tool.getAttributeValueString(cryptoki, session, createCertificate, 3L));
            certificateEntry.setSubject(Pkcs11Tool.getAttributeValueBLOB(cryptoki, session, createCertificate, 257L));
            this.entries.getTrustedCertEntriesList().putEntry(certificateEntry);
            if (findObjectForId > 0) {
                if (this.debug != null) {
                    Util.log(this.debug, "removing old certificate");
                }
                Pkcs11Tool.destroyObject(cryptoki, session, findObjectForId);
            }
        } finally {
            release();
        }
    }

    @Override // java.security.KeyStoreSpi
    public void engineSetKeyEntry(String str, byte[] bArr, Certificate[] certificateArr) throws KeyStoreException {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineSetKeyEntry(" + str + ", protected key, certificate chain)");
        }
        if (str == null) {
            throw new IllegalArgumentException("alias must be specified");
        }
        if (bArr == null) {
            throw new IllegalArgumentException("alias must be specified");
        }
        if (this.policy.isChainRequiredForKeyEntry() && certificateArr == null) {
            throw new IllegalArgumentException("certificate chain is null");
        }
        if (this.policy.isChainRequiredForKeyEntry() && certificateArr != null && certificateArr.length == 0) {
            throw new IllegalArgumentException("certificate chain is empty");
        }
        try {
            setKeyEntry(new TokenKeyStoreEntryAlias(str), bArr, certificateArr);
        } catch (PKCS11Exception e) {
            KeyStoreException keyStoreException = new KeyStoreException(e.getMessage());
            keyStoreException.initCause(e);
            throw keyStoreException;
        } catch (IOException e2) {
            KeyStoreException keyStoreException2 = new KeyStoreException(e2.getMessage());
            keyStoreException2.initCause(e2);
            throw keyStoreException2;
        } catch (InvalidKeyException e3) {
            KeyStoreException keyStoreException3 = new KeyStoreException(e3.getMessage());
            keyStoreException3.initCause(e3);
            throw keyStoreException3;
        } catch (NoSuchAlgorithmException e4) {
            KeyStoreException keyStoreException4 = new KeyStoreException(e4.getMessage());
            keyStoreException4.initCause(e4);
            throw keyStoreException4;
        } catch (CertificateParsingException e5) {
            KeyStoreException keyStoreException5 = new KeyStoreException(e5.getMessage());
            keyStoreException5.initCause(e5);
            throw keyStoreException5;
        }
    }

    protected void setKeyEntry(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, byte[] bArr, Certificate[] certificateArr) throws CertificateParsingException, PKCS11Exception, InvalidKeyException, IOException, NoSuchAlgorithmException, KeyStoreException {
        throw new UnsupportedOperationException();
    }

    @Override // java.security.KeyStoreSpi
    public void engineSetKeyEntry(String str, Key key, char[] cArr, Certificate[] certificateArr) throws KeyStoreException {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineSetKeyEntry(" + str + ", " + Util.getClassName(key) + ", password, certificate chain)");
        }
        if (str == null) {
            throw new IllegalArgumentException("alias must be specified");
        }
        if (key == null) {
            throw new IllegalArgumentException("alias must be specified");
        }
        if (this.policy.isKeyPasswordRequired() && cArr == null) {
            throw new IllegalArgumentException("password required");
        }
        if (this.policy.isChainRequiredForKeyEntry() && certificateArr == null) {
            throw new IllegalArgumentException("certificate chain is null");
        }
        if (this.policy.isChainRequiredForKeyEntry() && certificateArr != null && certificateArr.length == 0) {
            throw new IllegalArgumentException("certificate chain is empty");
        }
        try {
            setKeyEntry(new TokenKeyStoreEntryAlias(str), key, cArr, certificateArr);
        } catch (PKCS11Exception e) {
            KeyStoreException keyStoreException = new KeyStoreException(e.getMessage());
            keyStoreException.initCause(e);
            throw keyStoreException;
        } catch (IOException e2) {
            KeyStoreException keyStoreException2 = new KeyStoreException(e2.getMessage());
            keyStoreException2.initCause(e2);
            throw keyStoreException2;
        } catch (InvalidKeyException e3) {
            KeyStoreException keyStoreException3 = new KeyStoreException(e3.getMessage());
            keyStoreException3.initCause(e3);
            throw keyStoreException3;
        } catch (NoSuchAlgorithmException e4) {
            KeyStoreException keyStoreException4 = new KeyStoreException(e4.getMessage());
            keyStoreException4.initCause(e4);
            throw keyStoreException4;
        } catch (CertificateParsingException e5) {
            KeyStoreException keyStoreException5 = new KeyStoreException(e5.getMessage());
            keyStoreException5.initCause(e5);
            throw keyStoreException5;
        }
    }

    protected void setKeyEntry(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, Key key, char[] cArr, Certificate[] certificateArr) throws CertificateParsingException, PKCS11Exception, InvalidKeyException, IOException, NoSuchAlgorithmException, KeyStoreException {
        if (key instanceof PrivateKeyAbstr) {
            setPrivateKey(tokenKeyStoreEntryAlias, (PrivateKeyAbstr) key, cArr, certificateArr);
        } else {
            if (!(key instanceof SecretKeyAbstr)) {
                throw new InvalidKeyException("unknown key format");
            }
            setSecretKey(tokenKeyStoreEntryAlias, (SecretKeyAbstr) key, cArr);
        }
    }

    protected void setSecretKey(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, SecretKeyAbstr secretKeyAbstr, char[] cArr) throws InvalidKeyException, PKCS11Exception, IOException, NoSuchAlgorithmException, KeyStoreException {
        throw new InvalidKeyException("storing secret key is not supported yet");
    }

    protected void setPrivateKey(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, PrivateKeyAbstr privateKeyAbstr, char[] cArr, Certificate[] certificateArr) throws KeyStoreException, CertificateParsingException, PKCS11Exception, NoSuchAlgorithmException, InvalidKeyException, IOException {
        if (this.debug != null) {
            Util.log(this.debug, "comparing private key and current virtual slot ids: " + privateKeyAbstr.getVirtualSlotId() + "==" + getVirtualSlotId());
        }
        X500Name subject = privateKeyAbstr.getSubject();
        if (privateKeyAbstr.getVirtualSlotId() != getVirtualSlotId()) {
            if (this.debug != null) {
                Util.log(this.debug, "token differs, need to export key");
            }
            PrivateKeyHandleWrapper exportImportPrivateKey = exportImportPrivateKey(privateKeyAbstr, tokenKeyStoreEntryAlias);
            try {
                setPrivateKeySubjectSafe(exportImportPrivateKey.getHandle(), subject);
                TokenKeyStoreEntry.PrivateKeyEntry addPrivateKeyEntry = addPrivateKeyEntry(tokenKeyStoreEntryAlias, exportImportPrivateKey);
                setCertificateChain(addPrivateKeyEntry, certificateArr);
                if (this.debug != null) {
                    Util.log(this.debug, "new PrivateKeyEntry: " + addPrivateKeyEntry);
                }
                deviceAddPrivateKey(tokenKeyStoreEntryAlias, exportImportPrivateKey, cArr);
                deviceUpdatePrivateKeyChain(tokenKeyStoreEntryAlias, certificateArr, cArr);
                release();
                return;
            } finally {
            }
        }
        if (this.debug != null) {
            Util.log(this.debug, "we are on the same token");
        }
        try {
            PKCS11 cryptoki = getCryptoki();
            Pkcs11Session session = getSession();
            byte[] id = privateKeyAbstr.getId();
            if (hasKeyEntry(tokenKeyStoreEntryAlias)) {
                if (this.debug != null) {
                    Util.log(this.debug, "there is a cached entry");
                }
                TokenKeyStoreEntry.PrivateKeyEntry privateKeyEntry = (TokenKeyStoreEntry.PrivateKeyEntry) this.entries.getKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
                if (areIdsEquals(privateKeyEntry.getId(), id)) {
                    if (this.debug != null) {
                        Util.log(this.debug, "same key here, so just update the chain");
                    }
                    setCertificateChain(privateKeyEntry, certificateArr);
                    deviceUpdatePrivateKeyChain(tokenKeyStoreEntryAlias, certificateArr, cArr);
                    return;
                }
                if (this.debug != null) {
                    Util.log(this.debug, "keyId differs, deleting existing entry");
                }
                this.entries.getKeyEntriesList().removeEntry(privateKeyEntry);
                destroyEntry(privateKeyEntry);
                deviceRemovePrivateKey(tokenKeyStoreEntryAlias);
            } else if (this.debug != null) {
                Util.log(this.debug, "there is no entry with such alias, creating one");
            }
            long[] findStoredPrivateKeys = findStoredPrivateKeys(cryptoki, session, id);
            if (findStoredPrivateKeys.length > 0) {
                int length = findStoredPrivateKeys.length;
                int i = 0;
                while (true) {
                    if (i >= length) {
                        break;
                    }
                    long j = findStoredPrivateKeys[i];
                    if (this.debug != null) {
                        Util.log(this.debug, "processing found private key handle: " + j);
                    }
                    if (areLabelsEqual(privateKeyAbstr.getLabel(), Pkcs11Tool.getAttributeValueString(cryptoki, session, j, 3L))) {
                        i++;
                    } else {
                        PrivateKeyHandleWrapper clonePrivateKey = clonePrivateKey(cryptoki, session, new PrivateKeyHandleWrapper(j, privateKeyAbstr), tokenKeyStoreEntryAlias);
                        setPrivateKeySubjectSafe(clonePrivateKey.getHandle(), subject);
                        TokenKeyStoreEntry.PrivateKeyEntry addPrivateKeyEntry2 = addPrivateKeyEntry(tokenKeyStoreEntryAlias, clonePrivateKey);
                        setCertificateChain(addPrivateKeyEntry2, certificateArr);
                        if (this.debug != null) {
                            Util.log(this.debug, "new PrivateKeyEntry: " + addPrivateKeyEntry2);
                        }
                        deviceAddPrivateKey(tokenKeyStoreEntryAlias, clonePrivateKey, cArr);
                        deviceUpdatePrivateKeyChain(tokenKeyStoreEntryAlias, certificateArr, cArr);
                    }
                }
            } else {
                if (this.debug != null) {
                    Util.log(this.debug, "key not found, assuming that this key was just generated");
                }
                PrivateKeyHandleWrapper storeGeneratedPrivateKey = storeGeneratedPrivateKey(cryptoki, session, new PrivateKeyHandleWrapper(findGeneratedPrivateKey(cryptoki, session, id), privateKeyAbstr), tokenKeyStoreEntryAlias);
                privateKeyAbstr.setLabel(tokenKeyStoreEntryAlias.getLabel().toCharArray());
                setPrivateKeySubjectSafe(storeGeneratedPrivateKey.getHandle(), subject);
                TokenKeyStoreEntry.PrivateKeyEntry addPrivateKeyEntry3 = addPrivateKeyEntry(tokenKeyStoreEntryAlias, storeGeneratedPrivateKey);
                setCertificateChain(addPrivateKeyEntry3, certificateArr);
                if (this.debug != null) {
                    Util.log(this.debug, "new PrivateKeyEntry: " + addPrivateKeyEntry3);
                }
                deviceAddPrivateKey(tokenKeyStoreEntryAlias, storeGeneratedPrivateKey, cArr);
                deviceUpdatePrivateKeyChain(tokenKeyStoreEntryAlias, certificateArr, cArr);
            }
            release();
        } finally {
            release();
        }
    }

    private boolean hasKeyEntry(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) throws KeyStoreException {
        boolean containsEntry = this.entries.getKeyEntriesList().containsEntry(tokenKeyStoreEntryAlias);
        return this.deviceHandler == null ? containsEntry : containsEntry && this.deviceHandler.exists(tokenKeyStoreEntryAlias);
    }

    protected void deviceRemovePrivateKey(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) throws KeyStoreException {
        if (this.deviceHandler != null) {
            if (this.debug != null) {
                Util.log(this.debug, "removing private key from device");
            }
            this.deviceHandler.remove(tokenKeyStoreEntryAlias);
        }
    }

    protected void deviceUpdatePrivateKeyChain(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, Certificate[] certificateArr, char[] cArr) throws KeyStoreException {
        if (this.deviceHandler != null) {
            if (this.debug != null) {
                Util.log(this.debug, "updating private key chain on device");
            }
            this.deviceHandler.updateChain(tokenKeyStoreEntryAlias, certificateArr, cArr);
        }
    }

    protected void deviceAddPrivateKey(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, PrivateKeyHandleWrapper privateKeyHandleWrapper, char[] cArr) throws KeyStoreException {
        if (this.deviceHandler != null) {
            if (this.debug != null) {
                Util.log(this.debug, "adding private key to device");
            }
            this.deviceHandler.addPrivateKey(tokenKeyStoreEntryAlias, privateKeyHandleWrapper, cArr);
        }
    }

    private boolean areIdsEquals(byte[] bArr, byte[] bArr2) {
        if (this.debug != null) {
            Util.log(this.debug, "comparing existing and given ids: " + ByteArrayUtil.toHexString(bArr) + "==" + ByteArrayUtil.toHexString(bArr2));
        }
        return Arrays.equals(bArr, bArr2);
    }

    private long[] findStoredCertificates(PKCS11 pkcs11, Pkcs11Session pkcs11Session, byte[] bArr) throws PKCS11Exception {
        TemplateBuilder buildObjectIdTemplate = TokenKeyStoreEntry.buildObjectIdTemplate(1L, bArr);
        if (this.debug != null) {
            Util.log(this.debug, "searching for handles of given certificate by (id) with (token)");
        }
        long[] findObjects = Pkcs11Tool.findObjects(pkcs11, pkcs11Session, buildObjectIdTemplate.toCkAttributeArray());
        if (this.debug != null) {
            Util.log(this.debug, "found handle: " + findObjects.length);
        }
        return findObjects;
    }

    private long findStoredUserCertificate(PKCS11 pkcs11, Pkcs11Session pkcs11Session, byte[] bArr, String str) throws PKCS11Exception {
        TemplateBuilder buildUserCertificateTemplate = buildUserCertificateTemplate(bArr, str);
        if (this.debug != null) {
            Util.log(this.debug, "searching for handle of given certificate by (id, label) with (token)");
        }
        long findObject = Pkcs11Tool.findObject(pkcs11, pkcs11Session, buildUserCertificateTemplate.toCkAttributeArray());
        if (this.debug != null) {
            Util.log(this.debug, "found handle: " + findObject);
        }
        return findObject;
    }

    private long[] findStoredPrivateKeys(PKCS11 pkcs11, Pkcs11Session pkcs11Session, byte[] bArr) throws PKCS11Exception {
        TemplateBuilder buildPrivateKeyTemplate = buildPrivateKeyTemplate(bArr, true, true);
        if (this.debug != null) {
            Util.log(this.debug, "searching for handles of given key by (id) with (token, private)");
        }
        long[] findObjects = Pkcs11Tool.findObjects(pkcs11, pkcs11Session, buildPrivateKeyTemplate.toCkAttributeArray());
        if (this.debug != null) {
            Util.log(this.debug, "found handles: " + findObjects.length);
        }
        return findObjects;
    }

    protected void setPrivateKeySubjectSafe(long j, X500Name x500Name) throws PKCS11Exception, IOException {
        if (x500Name != null) {
            Pkcs11Tool.setAttributeValue(getCryptoki(), getSession(), j, 257L, x500Name.getEncoded());
        }
    }

    private long findGeneratedPrivateKey(PKCS11 pkcs11, Pkcs11Session pkcs11Session, byte[] bArr) throws PKCS11Exception, KeyStoreException {
        TemplateBuilder buildPrivateKeyTemplate = buildPrivateKeyTemplate(bArr, false, false);
        if (this.debug != null) {
            Util.log(this.debug, "searching for handle of given key by (id) with (!token, !private)");
        }
        long findObject = Pkcs11Tool.findObject(pkcs11, pkcs11Session, buildPrivateKeyTemplate.toCkAttributeArray());
        if (this.debug != null) {
            Util.log(this.debug, "found handle: " + findObject);
        }
        if (findObject == 0) {
            throw new KeyStoreException("could not find such key");
        }
        return findObject;
    }

    private TemplateBuilder buildUserCertificateTemplate(byte[] bArr, String str) {
        TemplateBuilder templateBuilder = new TemplateBuilder();
        templateBuilder.append(1L, true);
        templateBuilder.append(0L, 1L);
        templateBuilder.append(258L, bArr);
        templateBuilder.append(3L, str.toCharArray());
        return templateBuilder;
    }

    private TemplateBuilder buildPrivateKeyTemplate(byte[] bArr, boolean z, boolean z2) {
        TemplateBuilder templateBuilder = new TemplateBuilder();
        templateBuilder.append(1L, z);
        templateBuilder.append(2L, z2);
        templateBuilder.append(0L, 3L);
        templateBuilder.append(258L, bArr);
        return templateBuilder;
    }

    private boolean areLabelsEqual(char[] cArr, String str) {
        return (cArr == null || str == null || Arrays.equals(cArr, str.toCharArray())) ? false : true;
    }

    protected TokenKeyStoreEntry.PrivateKeyEntry addPrivateKeyEntry(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, PrivateKeyHandleWrapper privateKeyHandleWrapper) throws PKCS11Exception {
        if (this.debug != null) {
            Util.log(this.debug, "creating new PrivateKeyEntry");
        }
        PKCS11 cryptoki = getCryptoki();
        Pkcs11Session session = getSession();
        byte[] id = privateKeyHandleWrapper.getPrivateKey().getId();
        String label = tokenKeyStoreEntryAlias.getLabel();
        TokenKeyStoreEntry.PrivateKeyEntry privateKeyEntry = new TokenKeyStoreEntry.PrivateKeyEntry(privateKeyHandleWrapper.getPrivateKey().getId());
        privateKeyEntry.setHandle(privateKeyHandleWrapper.getHandle());
        privateKeyEntry.setLabel(label);
        long findObjectForId = findObjectForId(cryptoki, session, id, 2L);
        updatePublicKeyLabel(cryptoki, session, label, findObjectForId);
        privateKeyEntry.setPublicKeyHandle(findObjectForId);
        privateKeyEntry.setSubject(Pkcs11Tool.getAttributeValueBLOB(cryptoki, session, privateKeyHandleWrapper.getHandle(), 257L));
        this.entries.getKeyEntriesList().putEntry(privateKeyEntry);
        return privateKeyEntry;
    }

    private void updatePublicKeyLabel(PKCS11 pkcs11, Pkcs11Session pkcs11Session, String str, long j) throws PKCS11Exception {
        if (j <= 0 || str.equals(Pkcs11Tool.getAttributeValueString(pkcs11, pkcs11Session, j, 3L))) {
            return;
        }
        Pkcs11Tool.setAttributeValue(pkcs11, pkcs11Session, j, 3L, str);
    }

    private PrivateKeyHandleWrapper clonePrivateKey(PKCS11 pkcs11, Pkcs11Session pkcs11Session, PrivateKeyHandleWrapper privateKeyHandleWrapper, TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) throws PKCS11Exception {
        return copyPrivateKey(pkcs11, pkcs11Session, privateKeyHandleWrapper, tokenKeyStoreEntryAlias, false);
    }

    private PrivateKeyHandleWrapper storeGeneratedPrivateKey(PKCS11 pkcs11, Pkcs11Session pkcs11Session, PrivateKeyHandleWrapper privateKeyHandleWrapper, TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) throws PKCS11Exception {
        return copyPrivateKey(pkcs11, pkcs11Session, privateKeyHandleWrapper, tokenKeyStoreEntryAlias, true);
    }

    protected PrivateKeyHandleWrapper copyPrivateKey(PKCS11 pkcs11, Pkcs11Session pkcs11Session, PrivateKeyHandleWrapper privateKeyHandleWrapper, TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, boolean z) throws PKCS11Exception {
        TemplateBuilder templateBuilder = new TemplateBuilder();
        templateBuilder.append(1L, true);
        templateBuilder.append(2L, true);
        templateBuilder.append(3L, tokenKeyStoreEntryAlias.getLabel());
        try {
            long C_CopyObject = pkcs11.C_CopyObject(pkcs11Session.getSessionId(), privateKeyHandleWrapper.getHandle(), templateBuilder.toCkAttributeArray());
            if (z) {
                Pkcs11Tool.destroyObject(pkcs11, pkcs11Session, privateKeyHandleWrapper.getHandle());
            }
            return new PrivateKeyHandleWrapper(C_CopyObject, (PrivateKeyAbstr) EncryptedPrivateKeyInfo.getPrivateKey(pkcs11, pkcs11Session, getVirtualSlotId(), C_CopyObject));
        } catch (PKCS11Exception e) {
            if (e.getErrorCode() != 26) {
                throw e;
            }
            if (this.debug != null) {
                Util.log(this.debug, "failed to copy stored private key: PROHIBITED; so just change its label");
            }
            Pkcs11Tool.setAttributeValue(pkcs11, pkcs11Session, privateKeyHandleWrapper.getHandle(), 3L, tokenKeyStoreEntryAlias.getLabel());
            return privateKeyHandleWrapper;
        }
    }

    protected PrivateKeyHandleWrapper exportImportPrivateKey(PrivateKeyAbstr privateKeyAbstr, TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias) throws NoSuchAlgorithmException, InvalidKeyException, PKCS11Exception {
        byte[] bArr = new byte[20];
        SecureRandom.getInstance("BelPrd").nextBytes(bArr);
        byte[] encrypt = new EncryptedPrivateKeyInfo(privateKeyAbstr).encrypt(bArr);
        if (this.entries.getKeyEntriesList().containsEntry(tokenKeyStoreEntryAlias)) {
            if (this.debug != null) {
                Util.log(this.debug, "entry with same alias found, deleting");
            }
            TokenKeyStoreEntry.PrivateKeyEntry privateKeyEntry = (TokenKeyStoreEntry.PrivateKeyEntry) this.entries.getKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
            destroyEntry(privateKeyEntry);
            this.entries.getKeyEntriesList().removeEntry(privateKeyEntry);
        }
        EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(encrypt);
        encryptedPrivateKeyInfo.setVirtualSlotId(getVirtualSlotId());
        PrivateKeyHandleWrapper decryptWrapped = encryptedPrivateKeyInfo.decryptWrapped(bArr, tokenKeyStoreEntryAlias.getLabel());
        Arrays.fill(bArr, (byte) 0);
        return decryptWrapped;
    }

    protected void setCertificateChain(TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, Certificate[] certificateArr) throws KeyStoreException, CertificateParsingException {
        if (this.debug != null) {
            Util.log(this.debug, "setCertificateChain(" + tokenKeyStoreEntryAlias.getLabel() + "," + (certificateArr == null ? "null" : String.valueOf(certificateArr.length)) + ")");
        }
        if (certificateArr == null || certificateArr.length == 0) {
            if (this.debug != null) {
                Util.log(this.debug, "no chain to import");
            }
        } else {
            TokenKeyStoreEntry.PrivateKeyEntry privateKeyEntry = (TokenKeyStoreEntry.PrivateKeyEntry) this.entries.getKeyEntriesList().getEntry(tokenKeyStoreEntryAlias);
            if (privateKeyEntry == null) {
                throw new KeyStoreException("corresponding private key entry not found");
            }
            setCertificateChain(privateKeyEntry, certificateArr);
        }
    }

    protected void setCertificateChain(TokenKeyStoreEntry.PrivateKeyEntry privateKeyEntry, Certificate[] certificateArr) throws KeyStoreException, CertificateParsingException {
        if (!tokenCertificateWriteEnabled) {
            if (this.debug != null) {
                Util.log(this.debug, "writing the certificate into pkcs11 DISABLED");
                return;
            }
            return;
        }
        if (this.debug != null) {
            Util.log(this.debug, "setCertificateChain(entry, " + (certificateArr == null ? "null" : String.valueOf(certificateArr.length)) + ")");
        }
        if (certificateArr == null || certificateArr.length == 0) {
            if (this.debug != null) {
                Util.log(this.debug, "no chain to import");
                return;
            }
            return;
        }
        try {
            PKCS11 cryptoki = getCryptoki();
            Pkcs11Session session = getSession();
            TokenKeyStoreEntryAlias alias = privateKeyEntry.getAlias();
            int i = 0;
            while (i < certificateArr.length) {
                if (this.debug != null) {
                    Util.log(this.debug, "iterating certificate: " + i);
                }
                boolean z = i == 0;
                X509Certificate x509Certificate = (X509Certificate) certificateArr[i];
                byte[] parseSubjectKeyIdentifierExtension = ExtensionValueParser.parseSubjectKeyIdentifierExtension(x509Certificate);
                if (parseSubjectKeyIdentifierExtension == null) {
                    if (Util.isDebug()) {
                        Util.log("certificate does not contain SubjectKeyIdentifierExtension, trying to parse public key and generate key id");
                    }
                    try {
                        parseSubjectKeyIdentifierExtension = KeyPairGeneratorAbstr.generateKeyIdentifier(PublicKeyAbstr.generate(x509Certificate.getPublicKey().getEncoded(), getVirtualSlotId()));
                    } catch (Exception e) {
                        if (Util.isDebug()) {
                            Util.log("failed to parse public key");
                            e.printStackTrace();
                        }
                    }
                }
                if (parseSubjectKeyIdentifierExtension == null && z) {
                    parseSubjectKeyIdentifierExtension = privateKeyEntry.getId();
                }
                if (this.debug != null) {
                    Util.log(this.debug, "looking for old certificate handle with id: " + ByteArrayUtil.toHexString(parseSubjectKeyIdentifierExtension));
                }
                long j = 0;
                if (z) {
                    j = findStoredUserCertificate(cryptoki, session, parseSubjectKeyIdentifierExtension, alias.getLabel());
                    if (isCertificateTrusted(cryptoki, session, j)) {
                        throw new KeyStoreException("you are trying to import end-user certificate with alias which had already taken by trusted certificate, please choose another one");
                    }
                } else {
                    for (long j2 : findStoredCertificates(cryptoki, session, parseSubjectKeyIdentifierExtension)) {
                        if (Pkcs11Tool.getAttributeValueString(cryptoki, session, j2, 3L) == null && !isCertificateTrusted(cryptoki, session, j2)) {
                            j = j2;
                        }
                    }
                }
                if (this.debug != null) {
                    Util.log(this.debug, "old certificate handle: " + j);
                }
                long createCertificate = createCertificate(cryptoki, session, z ? alias : null, x509Certificate, parseSubjectKeyIdentifierExtension, false);
                if (this.debug != null) {
                    Util.log(this.debug, "creating new CertificateEntry");
                }
                TokenKeyStoreEntry.CertificateEntry certificateEntry = new TokenKeyStoreEntry.CertificateEntry(parseSubjectKeyIdentifierExtension);
                certificateEntry.setHandle(createCertificate);
                certificateEntry.setCertificate(x509Certificate);
                certificateEntry.setLabel(Pkcs11Tool.getAttributeValueString(cryptoki, session, createCertificate, 3L));
                certificateEntry.setSubject(Pkcs11Tool.getAttributeValueBLOB(cryptoki, session, createCertificate, 257L));
                if (this.debug != null) {
                    Util.log(this.debug, "new CertificateEntry: " + certificateEntry);
                }
                if (j > 0) {
                    if (this.debug != null) {
                        Util.log(this.debug, "destroying old certificate");
                    }
                    Pkcs11Tool.destroyObject(cryptoki, session, j);
                    TokenKeyStoreEntry entry = this.entries.getOtherCertEntriesList().getEntry(j);
                    if (entry != null) {
                        if (this.debug != null) {
                            Util.log(this.debug, "destroying old certificate cached entry");
                        }
                        this.entries.getOtherCertEntriesList().removeEntry(entry);
                    } else if (this.debug != null) {
                        Util.log(this.debug, "no old certificate cached entry found");
                    }
                }
                this.entries.getOtherCertEntriesList().putEntry(certificateEntry);
                i++;
            }
            privateKeyEntry.setCertificateChain(loadCertificateChain(cryptoki, session, alias.getLabel()));
            if (this.debug != null) {
                Util.log(this.debug, "setCertificateChain(entry, chain) end");
            }
        } catch (PKCS11Exception e2) {
            KeyStoreException keyStoreException = new KeyStoreException(e2.getMessage());
            keyStoreException.initCause(e2);
            throw keyStoreException;
        } catch (CertificateException e3) {
            KeyStoreException keyStoreException2 = new KeyStoreException(e3.getMessage());
            keyStoreException2.initCause(e3);
            throw keyStoreException2;
        }
    }

    private boolean isCertificateTrusted(PKCS11 pkcs11, Pkcs11Session pkcs11Session, long j) throws PKCS11Exception {
        return j > 0 && Pkcs11Tool.getAttributeValueBoolean(pkcs11, pkcs11Session, j, 2L);
    }

    @Override // java.security.KeyStoreSpi
    public int engineSize() {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineSize()");
        }
        ArrayList arrayList = new ArrayList();
        listAliases(arrayList);
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineSize(): " + arrayList.size());
        }
        return arrayList.size();
    }

    @Override // java.security.KeyStoreSpi
    public void engineStore(OutputStream outputStream, char[] cArr) throws IOException, NoSuchAlgorithmException, CertificateException {
        if (this.debug != null) {
            Util.log(this.debug, getClass().getName() + ".engineStore(stream, password)");
        }
        if (this.policy.isOutputStreamRequired() && outputStream == null) {
            throw new IllegalArgumentException("stream should be not null");
        }
        if (this.policy.isStorePasswordRequired() && cArr == null) {
            throw new IllegalArgumentException("password should be not null");
        }
        try {
            store(outputStream, cArr);
        } catch (PKCS11Exception e) {
            IOException iOException = new IOException(e.getMessage());
            iOException.initCause(e);
            throw iOException;
        }
    }

    protected void store(OutputStream outputStream, char[] cArr) throws IOException, NoSuchAlgorithmException, CertificateException, PKCS11Exception {
    }

    protected void initializePrivateKeys(PKCS11 pkcs11, Pkcs11Session pkcs11Session) throws PKCS11Exception, CertificateException {
        if (this.debug != null) {
            Util.log(this.debug, "loading private keys");
        }
        long[] findObjects = Pkcs11Tool.findObjects(pkcs11, pkcs11Session, TokenKeyStoreEntry.PrivateKeyEntry.TEMPLATE.toCkAttributeArray());
        if (findObjects != null) {
            if (this.debug != null) {
                Util.log(this.debug, "found private keys: " + findObjects.length);
            }
            for (int i = 0; i < findObjects.length; i++) {
                try {
                    long j = findObjects[i];
                    if (this.debug != null) {
                        Util.log(this.debug, "processing found result, index: " + i + ", handle: " + j);
                    }
                    byte[] attributeValueBLOB = Pkcs11Tool.getAttributeValueBLOB(pkcs11, pkcs11Session, j, 258L);
                    if (this.debug != null) {
                        Util.log(this.debug, "id: " + ByteArrayUtil.toHexString(attributeValueBLOB));
                    }
                    if (attributeValueBLOB != null && attributeValueBLOB.length != 0) {
                        TokenKeyStoreEntry.PrivateKeyEntry privateKeyEntry = new TokenKeyStoreEntry.PrivateKeyEntry(attributeValueBLOB);
                        privateKeyEntry.setHandle(j);
                        privateKeyEntry.setLabel(Pkcs11Tool.getAttributeValueString(pkcs11, pkcs11Session, j, 3L));
                        privateKeyEntry.setSubject(Pkcs11Tool.getAttributeValueBLOB(pkcs11, pkcs11Session, j, 257L));
                        if (this.entries.getKeyEntriesList().getEntry(privateKeyEntry.getAlias()) == null) {
                            long findObjectForId = findObjectForId(pkcs11, pkcs11Session, attributeValueBLOB, 2L);
                            if (this.debug != null) {
                                Util.log(this.debug, "corresponding public key handle: " + findObjectForId);
                            }
                            if (findObjectForId >= 0) {
                                privateKeyEntry.setPublicKeyHandle(findObjectForId);
                            }
                            X509Certificate[] loadCertificateChain = loadCertificateChain(pkcs11, pkcs11Session, privateKeyEntry.getLabel());
                            if (this.debug != null) {
                                Util.log(this.debug, "certificate chain length: " + (loadCertificateChain == null ? 0 : loadCertificateChain.length));
                            }
                            privateKeyEntry.setCertificateChain(loadCertificateChain);
                            this.entries.getKeyEntriesList().putEntry(privateKeyEntry);
                            if (this.debug != null) {
                                Util.log(this.debug, "new PrivateKeyEntry added: " + privateKeyEntry);
                            }
                        } else if (this.debug != null) {
                            Util.log(this.debug, "object already loaded");
                        }
                    } else if (this.debug != null) {
                        Util.log(this.debug, "id is null, skipping wtf?");
                    }
                } catch (PKCS11Exception e) {
                    if (e.getErrorCode() != 130) {
                        throw e;
                    }
                    if (Util.isDebug()) {
                        Util.log("ignored invalid handle exception:");
                        e.printStackTrace();
                    }
                }
            }
        }
    }

    private long findObjectForId(PKCS11 pkcs11, Pkcs11Session pkcs11Session, byte[] bArr, long j) throws PKCS11Exception {
        if (this.debug != null) {
            Util.log(this.debug, "looking for object with id: " + ByteArrayUtil.toHexString(bArr) + ", objectType: " + j);
        }
        long[] findObjects = Pkcs11Tool.findObjects(pkcs11, pkcs11Session, TokenKeyStoreEntry.buildObjectIdTemplate(j, bArr).toCkAttributeArray());
        if (findObjects == null) {
            return 0L;
        }
        if (this.debug != null) {
            Util.log(this.debug, "found objects: " + findObjects.length);
        }
        return findObjects.length == 1 ? findObjects[0] : findObjects.length > 1 ? -1L : 0L;
    }

    protected X509Certificate[] loadCertificateChain(PKCS11 pkcs11, Pkcs11Session pkcs11Session, String str) throws PKCS11Exception, CertificateException {
        if (this.debug != null) {
            Util.log(this.debug, "loading certificate chain for end-user with alias: " + str);
        }
        ArrayList arrayList = new ArrayList();
        TokenKeyStoreEntry entry = this.entries.getOtherCertEntriesList().getEntry(new TokenKeyStoreEntryAlias(str));
        if (entry == null) {
            if (this.debug == null) {
                return null;
            }
            Util.log(this.debug, "end-user certificate cached entry is not on the list! wtf?");
            return null;
        }
        if (this.debug != null) {
            Util.log(this.debug, "end-user certificate, ADDING TO THE CHAIN");
        }
        X509Certificate certificate = ((TokenKeyStoreEntry.CertificateEntry) entry).getCertificate();
        arrayList.add(certificate);
        byte[] parseSubjectKeyIdentifierExtension = ExtensionValueParser.parseSubjectKeyIdentifierExtension(certificate);
        byte[] parseAuthorityKeyIdentifierExtension = ExtensionValueParser.parseAuthorityKeyIdentifierExtension(certificate);
        if (!areIdsEquals(parseAuthorityKeyIdentifierExtension, parseSubjectKeyIdentifierExtension)) {
            if (this.debug != null) {
                Util.log(this.debug, "end-user certificate is not self signed, lets build the chain");
            }
            while (true) {
                if (parseAuthorityKeyIdentifierExtension == null) {
                    break;
                }
                if (this.debug != null) {
                    Util.log(this.debug, "looking for next certificate in trusted list with id: " + ByteArrayUtil.toHexString(parseAuthorityKeyIdentifierExtension));
                }
                TokenKeyStoreEntry entry2 = this.entries.getTrustedCertEntriesList().getEntry(parseAuthorityKeyIdentifierExtension);
                if (entry2 == null) {
                    if (this.debug != null) {
                        Util.log(this.debug, "certificate is not in trusted list, lets check other list");
                    }
                    entry2 = this.entries.getOtherCertEntriesList().getEntry(parseAuthorityKeyIdentifierExtension);
                    if (entry2 == null) {
                        if (this.debug != null) {
                            Util.log(this.debug, "certificate is not in other list - CHAIN WILL CONTAIN ONLY END-USER CERTIFICATE");
                        }
                    } else if (this.debug != null) {
                        Util.log(this.debug, "certificate is in other list, ADDING TO THE CHAIN");
                    }
                } else if (this.debug != null) {
                    Util.log(this.debug, "certificate is in trusted list, ADDING TO THE CHAIN");
                }
                X509Certificate certificate2 = ((TokenKeyStoreEntry.CertificateEntry) entry2).getCertificate();
                arrayList.add(certificate2);
                if (!certificate2.getSubjectX500Principal().equals(certificate2.getIssuerX500Principal())) {
                    parseAuthorityKeyIdentifierExtension = ExtensionValueParser.parseAuthorityKeyIdentifierExtension(certificate2);
                } else if (this.debug != null) {
                    Util.log(this.debug, "certificate is self signed, CHAIN COMPLETE!");
                }
            }
        } else if (this.debug != null) {
            Util.log(this.debug, "end-user certificate is self signed");
        }
        return (X509Certificate[]) arrayList.toArray(new X509Certificate[arrayList.size()]);
    }

    protected void initializeSecretKeys(PKCS11 pkcs11, Pkcs11Session pkcs11Session) throws PKCS11Exception {
        if (this.debug != null) {
            Util.log(this.debug, "loading secret keys");
        }
        long[] findObjects = Pkcs11Tool.findObjects(pkcs11, pkcs11Session, TokenKeyStoreEntry.SecretKeyEntry.TEMPLATE.toCkAttributeArray());
        if (findObjects != null) {
            if (this.debug != null) {
                Util.log(this.debug, "found secret keys: " + findObjects.length);
            }
            for (int i = 0; i < findObjects.length; i++) {
                try {
                    long j = findObjects[i];
                    if (this.debug != null) {
                        Util.log(this.debug, "processing found result, index: " + i + ", handle: " + j);
                    }
                    byte[] attributeValueBLOB = Pkcs11Tool.getAttributeValueBLOB(pkcs11, pkcs11Session, j, 258L);
                    if (this.debug != null) {
                        Util.log(this.debug, "id: " + ByteArrayUtil.toHexString(attributeValueBLOB));
                    }
                    if (attributeValueBLOB != null && attributeValueBLOB.length != 0) {
                        TokenKeyStoreEntry.SecretKeyEntry secretKeyEntry = new TokenKeyStoreEntry.SecretKeyEntry(attributeValueBLOB);
                        secretKeyEntry.setHandle(j);
                        secretKeyEntry.setLabel(Pkcs11Tool.getAttributeValueString(pkcs11, pkcs11Session, j, 3L));
                        if (this.entries.getSecretKeyEntriesList().getEntry(secretKeyEntry.getAlias()) == null) {
                            this.entries.getSecretKeyEntriesList().putEntry(secretKeyEntry);
                            if (this.debug != null) {
                                Util.log(this.debug, "new SecretKeyEntry added: " + secretKeyEntry);
                            }
                        } else if (this.debug != null) {
                            Util.log(this.debug, "object already loaded");
                        }
                    } else if (this.debug != null) {
                        Util.log(this.debug, "id is null, skipping wtf?");
                    }
                } catch (PKCS11Exception e) {
                    if (e.getErrorCode() != 130) {
                        throw e;
                    }
                    if (Util.isDebug()) {
                        Util.log("ignored invalid handle exception:");
                        e.printStackTrace();
                    }
                }
            }
        }
    }

    protected void initializeCertificates(PKCS11 pkcs11, Pkcs11Session pkcs11Session) throws PKCS11Exception, CertificateException {
        if (this.debug != null) {
            Util.log(this.debug, "loading certificates");
        }
        long[] findObjects = Pkcs11Tool.findObjects(pkcs11, pkcs11Session, TokenKeyStoreEntry.CertificateEntry.TEMPLATE.toCkAttributeArray());
        if (findObjects != null) {
            if (this.debug != null) {
                Util.log(this.debug, "found certificates: " + findObjects.length);
            }
            for (int i = 0; i < findObjects.length; i++) {
                try {
                    long j = findObjects[i];
                    if (this.debug != null) {
                        Util.log(this.debug, "processing found result, index: " + i + ", handle: " + j);
                    }
                    byte[] attributeValueBLOB = Pkcs11Tool.getAttributeValueBLOB(pkcs11, pkcs11Session, j, 258L);
                    if (this.debug != null) {
                        Util.log(this.debug, "id: " + ByteArrayUtil.toHexString(attributeValueBLOB));
                    }
                    if (attributeValueBLOB != null && attributeValueBLOB.length != 0) {
                        TokenKeyStoreEntry.CertificateEntry certificateEntry = new TokenKeyStoreEntry.CertificateEntry(attributeValueBLOB);
                        certificateEntry.setHandle(j);
                        certificateEntry.setCertificate(loadCertificate(pkcs11, pkcs11Session, j));
                        certificateEntry.setLabel(Pkcs11Tool.getAttributeValueString(pkcs11, pkcs11Session, j, 3L));
                        certificateEntry.setSubject(Pkcs11Tool.getAttributeValueBLOB(pkcs11, pkcs11Session, j, 257L));
                        boolean attributeValueBoolean = Pkcs11Tool.getAttributeValueBoolean(pkcs11, pkcs11Session, j, 2L);
                        if (this.debug != null) {
                            Util.log(this.debug, "trusted certificate: " + attributeValueBoolean);
                        }
                        TokenKeyStoreEntryList trustedCertEntriesList = attributeValueBoolean ? this.entries.getTrustedCertEntriesList() : this.entries.getOtherCertEntriesList();
                        if (trustedCertEntriesList.getEntry(certificateEntry.getAlias()) == null) {
                            trustedCertEntriesList.putEntry(certificateEntry);
                            if (this.debug != null) {
                                Util.log(this.debug, "new CertificateEntry added: " + certificateEntry);
                            }
                        } else if (this.debug != null) {
                            Util.log(this.debug, "object already loaded");
                        }
                    } else if (this.debug != null) {
                        Util.log(this.debug, "id is null, skipping wtf?");
                    }
                } catch (PKCS11Exception e) {
                    if (e.getErrorCode() != 130) {
                        throw e;
                    }
                    if (Util.isDebug()) {
                        Util.log("ignored invalid handle exception:");
                        e.printStackTrace();
                    }
                }
            }
        }
    }

    private static X509Certificate loadCertificate(PKCS11 pkcs11, Pkcs11Session pkcs11Session, long j) throws PKCS11Exception, CertificateException {
        byte[] attributeValueBLOB = Pkcs11Tool.getAttributeValueBLOB(pkcs11, pkcs11Session, j, 17L);
        if (attributeValueBLOB == null) {
            throw new CertificateException(ProviderExcptMessages.TKS_NULL_TOKEN_CERT_DATA);
        }
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(attributeValueBLOB));
    }

    protected PrivateKey loadPrivateKey(TokenKeyStoreEntry.PrivateKeyEntry privateKeyEntry, char[] cArr) throws PKCS11Exception, IOException, KeyStoreException, UnrecoverableKeyException {
        PKCS11 cryptoki = getCryptoki();
        Pkcs11Session session = getSession();
        long handle = privateKeyEntry.getHandle();
        byte[] id = privateKeyEntry.getId();
        String label = privateKeyEntry.getAlias().getLabel();
        X500Name subjectX500 = privateKeyEntry.getSubjectX500();
        if (this.debug != null) {
            Util.log(this.debug, "looking for the private key type, handle: " + handle);
        }
        int intValue = new Long(Pkcs11Tool.getAttributeValueLong(cryptoki, session, handle, 256L)).intValue();
        if (this.debug != null) {
            Util.log(this.debug, "constructing private key object with type: " + intValue);
        }
        PrivateKey createPrivateKey = createPrivateKey(handle, id, intValue);
        if (createPrivateKey instanceof PrivateKeyAbstr) {
            ((PrivateKeyAbstr) createPrivateKey).setSubject(subjectX500);
            if (label != null) {
                ((PrivateKeyAbstr) createPrivateKey).setLabel(label.toCharArray());
            }
        }
        return createPrivateKey;
    }

    protected PrivateKey createPrivateKey(long j, byte[] bArr, int i) throws PKCS11Exception, KeyStoreException {
        PrivateKeyAbstr privateKeyBdsProBdh;
        switch (i) {
            case -1912602623:
                privateKeyBdsProBdh = new PrivateKeyBds(getVirtualSlotId(), bArr);
                break;
            case -1912602620:
                if (!Pkcs11Tool.getAttributeValueBoolean(getCryptoki(), getSession(), j, 1L)) {
                    privateKeyBdsProBdh = null;
                    break;
                } else {
                    privateKeyBdsProBdh = new PrivateKeyBdh(getVirtualSlotId(), bArr);
                    break;
                }
            case -1912602618:
                privateKeyBdsProBdh = new PrivateKeyBdsBdh(getVirtualSlotId(), bArr);
                break;
            case -1912602615:
                privateKeyBdsProBdh = new PrivateKeyBdsPro(getVirtualSlotId(), bArr);
                break;
            case -1912602614:
                privateKeyBdsProBdh = new PrivateKeyBdsProBdh(getVirtualSlotId(), bArr);
                break;
            case 0:
                privateKeyBdsProBdh = null;
                break;
            case 1:
                privateKeyBdsProBdh = null;
                break;
            default:
                if (this.debug != null) {
                    Util.log(this.debug, "unknown key type!");
                }
                throw new KeyStoreException(ProviderExcptMessages.TKS_UNKNOWN_KEY_TYPE);
        }
        return privateKeyBdsProBdh;
    }

    protected SecretKeyAbstr loadSecretKey(TokenKeyStoreEntry.SecretKeyEntry secretKeyEntry, char[] cArr) throws PKCS11Exception, IOException, KeyStoreException, UnrecoverableKeyException {
        PKCS11 cryptoki = getCryptoki();
        Pkcs11Session session = getSession();
        long handle = secretKeyEntry.getHandle();
        byte[] id = secretKeyEntry.getId();
        if (this.debug != null) {
            Util.log(this.debug, "looking for the secret key type, handle: " + handle);
        }
        int intValue = new Long(Pkcs11Tool.getAttributeValueLong(cryptoki, session, handle, 256L)).intValue();
        if (this.debug != null) {
            Util.log(this.debug, "constructing secret key object with type: " + intValue);
        }
        if (intValue == -1912602624) {
            return new SecretKeyGOST_28147_89(getVirtualSlotId(), id);
        }
        throw new KeyStoreException(ProviderExcptMessages.TKS_UNKNOWN_KEY_TYPE);
    }

    private long createCertificate(PKCS11 pkcs11, Pkcs11Session pkcs11Session, TokenKeyStoreEntryAlias tokenKeyStoreEntryAlias, X509Certificate x509Certificate, byte[] bArr, boolean z) throws PKCS11Exception, CertificateException {
        if (this.debug != null) {
            Util.log(this.debug, "importing certificate, alias: " + tokenKeyStoreEntryAlias + ", trusted: " + z);
        }
        char[] cArr = null;
        if (tokenKeyStoreEntryAlias != null && tokenKeyStoreEntryAlias.getLabel() != null) {
            cArr = tokenKeyStoreEntryAlias.getLabel().toCharArray();
        }
        long createObject = Pkcs11Tool.createObject(pkcs11, pkcs11Session, TokenKeyStoreEntry.CertificateEntry.buildFullCertificateTemplate(bArr, cArr, z, x509Certificate).toCkAttributeArray());
        if (this.debug != null) {
            Util.log(this.debug, "imported certificate handle: " + createObject);
        }
        return createObject;
    }

    public TokenKeyStoreEntries getEntries() {
        return this.entries;
    }

    public TokenKeyStorePolicy getPolicy() {
        return this.policy;
    }

    protected void setDeviceHandler(DeviceHandler deviceHandler) {
        this.deviceHandler = deviceHandler;
    }

    static {
        tokenCertificateWriteEnabled = !"true".equalsIgnoreCase(System.getProperty("by.avest.crypto.provider.pkcs11.write.certificate.disabled", "false"));
    }
}
