package com.wizarpos.crypto.util;

import com.wizarpos.util.StreamUtils;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Calendar;
import java.util.Date;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.crypto.tls.CipherSuite;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import sun.security.pkcs.PKCS7;

/* loaded from: input_file:com/wizarpos/crypto/util/Signaturetools.class */
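/**
 * Command-line entry point that issues a new X.509 certificate for the top-most certificate
 * found in an APK signature block (the {@code .RSA} PKCS#7 file), signed by an issuer key taken
 * either from a JKS keystore or from a PKCS#8 key file plus a certificate file.
 *
 * <p>Security notes for operators and maintainers:
 * <ul>
 *   <li>The {@code .RSA} file is untrusted input. Certificates inside it are linked by
 *       distinguished name only; no signature on that chain is verified here, so the issued
 *       certificate vouches for whatever public key the file presents. Confirm the APK signer
 *       out of band before running the tool.</li>
 *   <li>{@code --keypass} and {@code --storepass} take the password itself on the command line,
 *       where it is visible in process listings and shell history. The console fallback echoes
 *       the password (the prompt says so).</li>
 *   <li>{@code sun.security.pkcs.PKCS7} is a JDK-internal API and may be inaccessible on modular
 *       JDKs without extra flags.</li>
 * </ul>
 */
public class Signaturetools extends BaseCommand {
    /**
     * Dispatches to the {@code issueappcert} or {@code sign} sub-command.
     *
     * @param strArr raw command-line arguments; the first one is the sub-command name
     */
    public static void main(String[] strArr) {
        // The original read strArr[0] unconditionally and crashed with an
        // ArrayIndexOutOfBoundsException when started without arguments.
        if (strArr == null || strArr.length == 0) {
            ErrorAndExist("Error: invalid command");
            return;
        }
        String command = strArr[0];
        // NOTE(review): a sub-command only runs with more than 10 arguments; that threshold is
        // kept as found, confirm it is intended.
        if (strArr.length > 10) {
            if (command.equals("issueappcert")) {
                Security.addProvider(new BouncyCastleProvider());
                new Signaturetools().run(strArr);
            } else if (command.equals("sign")) {
                new SignApk().run(strArr);
            } else {
                ErrorAndExist("Error: unknown command " + command);
            }
            return;
        }
        if (strArr.length == 2 && strArr[1].equals("-h")) {
            if (command.equals("sign")) {
                new SignApk().showUsage();
            } else if (command.equals("issueappcert")) {
                new Signaturetools().showUsage();
            }
            System.exit(0);
        }
        ErrorAndExist("Error: invalid command");
    }

    /**
     * Prints the usage text for {@code issueappcert}.
     *
     * <p>The text was corrected to match the option parser: the keystore option is
     * {@code --keystore}, the two password options take the password value rather than a file,
     * and {@code --isCA} controls the basicConstraints cA flag of the issued certificate.
     *
     * @param printStream stream the usage text is written to
     */
    @Override
    public void onShowUsage(PrintStream printStream) {
        printStream.println(
                "usage: issueappcert [--apkcertfile <FILE>] [--out <FILE>] [--catype <String>]"
                        + " [--cacert <FILE>] [--cakey <FILE>] [--keypass <String>]"
                        + " [--keystore <FILE>] [--alias <String>] [--storepass <String>]"
                        + " [--isCA <Boolean>]\n\n"
                        + "Issue a certificate from an existing certificate.\n\n"
                        + "--apkcertfile: the .RSA file of the APK\n"
                        + "--out: the output certificate file\n"
                        + "--catype: jks or pk8 (default jks)\n"
                        + "--cacert: the certificate file of the issuer when using pk8 catype\n"
                        + "--cakey: the key file in PK8 format of the issuer when using pk8 catype\n"
                        + "--keypass: the password of the key file (pk8 file) or the password of the"
                        + " alias in the jks file; prompted for when omitted\n"
                        + "--keystore: the keystore file when using jks catype\n"
                        + "--alias: the alias of the private key in the keystore when using jks catype.\n"
                        + "--storepass: the password of the keystore file; prompted for when omitted\n"
                        + "--isCA: true to mark the output certificate as a certificate authority\n");
    }

    /** Runs the {@code issueappcert} sub-command. */
    @Override
    public void onRun() throws Exception {
        runIssueFromCert();
    }

    /**
     * Parses the {@code issueappcert} options, loads the APK certificate and the issuer
     * credentials, issues the new certificate and writes it to the output file in PEM form.
     *
     * <p>Every error path returns right after {@code ErrorAndExist}, so the method stays safe
     * even if that helper does not terminate the process (its body is not visible here).
     */
    private void runIssueFromCert() {
        boolean useKeystore = true; // jks is the default issuer source
        String apkCertPath = null;
        String caCertPath = null;
        String outPath = null;
        String caKeyPath = null;
        String keystorePath = null;
        String alias = null;
        String keyPassword = null;
        String storePassword = null;
        String isCaArg = null;

        String option;
        while ((option = nextOption()) != null) {
            if (option.equals("--catype")) {
                String caType = nextArgRequired();
                if ("pk8".equals(caType)) {
                    useKeystore = false;
                } else if (!"jks".equals(caType)) {
                    // The original reported the option name here instead of the rejected value.
                    ErrorAndExist("Error: Unknown catype: " + caType);
                    return;
                }
            } else if (option.equals("--apkcertfile")) {
                apkCertPath = nextArgRequired();
            } else if (option.equals("--out")) {
                outPath = nextArgRequired();
            } else if (option.equals("--cacert")) {
                caCertPath = nextArgRequired();
            } else if (option.equals("--cakey")) {
                caKeyPath = nextArgRequired();
            } else if (option.equals("--keystore")) {
                keystorePath = nextArgRequired();
            } else if (option.equals("--alias")) {
                alias = nextArgRequired();
            } else if (option.equals("--keypass")) {
                keyPassword = nextArgRequired();
            } else if (option.equals("--storepass")) {
                storePassword = nextArgRequired();
            } else if (option.equals("--isCA")) {
                isCaArg = nextArgRequired();
            } else {
                showUsage();
                ErrorAndExist("issueappcert: Unknown option " + option);
                return;
            }
        }

        if (apkCertPath == null || !new File(apkCertPath).exists()) {
            ErrorAndExist("Invalid apk cert file: " + apkCertPath);
            return;
        }
        if (outPath == null) {
            ErrorAndExist("Invalid output file: " + outPath);
            return;
        }

        try {
            byte[] pkcs7Bytes;
            // Closed here as well: whether StreamUtils.toByteArray closes its argument is not
            // visible from this file, and the original never closed the stream.
            try (FileInputStream in = new FileInputStream(apkCertPath)) {
                pkcs7Bytes = StreamUtils.toByteArray(in);
            }
            if (pkcs7Bytes == null) {
                throw new IOException("Certificate not found: " + apkCertPath);
            }
            X509Certificate[] certificates = new PKCS7(pkcs7Bytes).getCertificates();
            if (certificates == null || certificates.length == 0) {
                ErrorAndExist("There is no certificate in file: " + apkCertPath);
                return;
            }
            X509Certificate appRoot = findTopOfChain(certificates);

            X509Certificate issuerCert;
            PrivateKey issuerKey;
            if (useKeystore) {
                // The original reported "Unknown option: null" for these missing arguments.
                if (keystorePath == null) {
                    ErrorAndExist("Error: --keystore is required when catype is jks");
                    return;
                }
                if (alias == null) {
                    ErrorAndExist("Error: --alias is required when catype is jks");
                    return;
                }
                KeyStore keyStore = KeyStore.getInstance("jks");
                try (FileInputStream in = new FileInputStream(keystorePath)) {
                    char[] storeSecret = storePassword == null
                            ? readConsole("Enter password for " + keystorePath + " (password will not be hidden): ").toCharArray()
                            : storePassword.toCharArray();
                    keyStore.load(in, storeSecret);
                }
                Certificate aliasCert = keyStore.getCertificate(alias);
                if (aliasCert == null) {
                    Certificate[] chain = keyStore.getCertificateChain(alias);
                    if (chain == null || chain.length == 0) {
                        ErrorAndExist("Error: no certificate for alias " + alias + " in " + keystorePath);
                        return;
                    }
                    aliasCert = chain[0];
                }
                issuerCert = (X509Certificate) aliasCert;
                char[] keySecret = keyPassword == null
                        ? readConsole("Enter password for private key (password will not be hidden): ").toCharArray()
                        : keyPassword.toCharArray();
                issuerKey = (PrivateKey) keyStore.getKey(alias, keySecret);
            } else {
                if (caKeyPath == null || caCertPath == null) {
                    ErrorAndExist("Error: --cakey and --cacert are required when catype is pk8");
                    return;
                }
                issuerKey = readPrivateKey(new File(caKeyPath), keyPassword);
                try (FileInputStream in = new FileInputStream(caCertPath)) {
                    issuerCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
                }
            }
            // KeyStore.getKey returns null for an alias without a key entry; fail before signing.
            if (issuerCert == null || issuerKey == null) {
                ErrorAndExist("Error: could not load the issuer certificate and private key");
                return;
            }

            X509Certificate issued = issueAppRootCert(appRoot, issuerCert, issuerKey, "true".equals(isCaArg));
            // Checked before the output file is opened so that a failed issuance does not leave
            // an empty or truncated file behind.
            if (issued == null) {
                ErrorAndExist("Error: failed to issue the certificate");
                return;
            }
            File outFile = new File(outPath);
            try (JcaPEMWriter pemWriter = new JcaPEMWriter(new FileWriter(outFile))) {
                pemWriter.writeObject(issued);
            }
            LOG("Generated certificate to " + outFile.getCanonicalPath());
        } catch (Exception e) {
            e.printStackTrace();
            ErrorAndExist("Meet exception: " + e);
        }
    }

    /**
     * Walks from the first certificate towards its issuer, using only certificates from the
     * same bundle, and returns the last certificate reached: either a self-issued one or one
     * whose issuer is not in the bundle.
     *
     * <p>Links are matched on subject/issuer names only; signatures are not verified. The
     * original loop never terminated when the bundle held no self-issued certificate or when
     * the names formed a cycle; the walk is now bounded by the bundle size.
     *
     * @param certificates non-empty certificates extracted from the PKCS#7 file
     * @return the top-most certificate reachable from {@code certificates[0]}
     * @throws IllegalArgumentException if the issuer names form a loop
     */
    private static X509Certificate findTopOfChain(X509Certificate[] certificates) {
        X509Certificate current = certificates[0];
        for (int step = 0; step < certificates.length; step++) {
            Principal issuer = current.getIssuerX500Principal();
            if (issuer.equals(current.getSubjectX500Principal())) {
                return current; // self-issued: top of the chain
            }
            X509Certificate parent = null;
            for (X509Certificate candidate : certificates) {
                if (issuer.equals(candidate.getSubjectX500Principal())) {
                    parent = candidate;
                    break;
                }
            }
            if (parent == null) {
                return current; // issuer is not part of the bundle
            }
            current = parent;
        }
        // More hops than certificates means a certificate was visited twice.
        throw new IllegalArgumentException("Certificate chain in the APK cert file contains a loop");
    }

    /**
     * Builds and signs a version 3 certificate that carries the subject name and public key of
     * {@code subjectCert}, names {@code issuerCert}'s subject as issuer, and is valid for ten
     * years starting now.
     *
     * @param subjectCert certificate whose subject and public key are certified
     * @param issuerCert certificate whose subject becomes the issuer name
     * @param issuerKey private key used to sign with SHA256WithRSA
     * @param isCa value of the basicConstraints cA flag in the issued certificate
     * @return the issued certificate, or {@code null} if building or signing failed
     */
    private X509Certificate issueAppRootCert(X509Certificate subjectCert, X509Certificate issuerCert, PrivateKey issuerKey, boolean isCa) {
        try {
            X500Name issuerName = X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded());
            X500Name subjectName = X500Name.getInstance(subjectCert.getSubjectX500Principal().getEncoded());
            BigInteger serial = new BigInteger(64, new SecureRandom());

            Date notBefore = new Date();
            Calendar calendar = Calendar.getInstance();
            calendar.setTime(notBefore);
            calendar.add(Calendar.YEAR, 10);
            Date notAfter = calendar.getTime();

            JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                    issuerName, serial, notBefore, notAfter, subjectName, subjectCert.getPublicKey());
            builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(isCa));
            // The decompiler rendered this bit mask as an unrelated TLS cipher-suite constant
            // with the value 0x84; as key-usage bits that is digitalSignature | keyCertSign.
            // NOTE(review): keyCertSign is asserted even when isCa is false, and
            // basicConstraints is not marked critical; RFC 5280 ties keyCertSign to cA=true.
            // Confirm what the verifying device expects before changing either.
            builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign));

            // NOTE(review): the algorithm is fixed to RSA although readPrivateKey can also
            // return a DSA key; signing with such a key is expected to fail here.
            return new JcaX509CertificateConverter()
                    .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                    .getCertificate(builder.build(
                            new JcaContentSignerBuilder("SHA256WithRSA")
                                    .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                                    .build(issuerKey)));
        } catch (CertificateException | CertIOException | OperatorCreationException e) {
            e.printStackTrace();
            return null;
        }
    }

    /**
     * Tries to interpret {@code encoded} as a PKCS#8 EncryptedPrivateKeyInfo and decrypt it.
     *
     * @param encoded raw bytes of the key file
     * @param keyName name shown in the password prompt and in the error message
     * @param password password to use, or {@code null} to prompt on the console (echoed)
     * @return the decrypted key spec, or {@code null} when an {@link IOException} is raised,
     *     which callers treat as "not an encrypted key"
     * @throws GeneralSecurityException if the algorithm is unavailable or decryption fails
     */
    private static PKCS8EncodedKeySpec decryptPrivateKey(byte[] encoded, String keyName, String password) throws GeneralSecurityException {
        try {
            EncryptedPrivateKeyInfo encryptedInfo = new EncryptedPrivateKeyInfo(encoded);
            char[] secret = password == null
                    ? readConsole("Enter password for " + keyName + " (password will not be hidden): ").toCharArray()
                    : password.toCharArray();
            String algorithm = encryptedInfo.getAlgName();
            SecretKey pbeKey = SecretKeyFactory.getInstance(algorithm).generateSecret(new PBEKeySpec(secret));
            Cipher cipher = Cipher.getInstance(algorithm);
            cipher.init(Cipher.DECRYPT_MODE, pbeKey, encryptedInfo.getAlgParameters());
            try {
                return encryptedInfo.getKeySpec(cipher);
            } catch (InvalidKeySpecException e) {
                System.err.println("signapk: Password for " + keyName + " may be bad.");
                throw e;
            }
        } catch (IOException notEncrypted) {
            // Deliberate: the bytes did not parse as an encrypted key, let the caller try the
            // unencrypted forms.
            return null;
        }
    }

    /**
     * Reads a private key from a file holding an encrypted PKCS#8 structure, a PEM object or a
     * bare PKCS#8 encoding, and decodes it as RSA, falling back to DSA.
     *
     * <p>Any PEM type containing {@code PRIVATE KEY} is accepted, but its content is always
     * handed to {@link PKCS8EncodedKeySpec}; a PEM body that is not PKCS#8 (for instance a
     * PKCS#1 key) is therefore expected to be rejected by the key factories.
     *
     * @param file key file to read
     * @param str password for an encrypted key, or {@code null} to prompt on the console
     * @return the decoded private key
     * @throws IOException if the file cannot be read completely
     * @throws GeneralSecurityException if the key cannot be decrypted or decoded
     * @throws IllegalArgumentException if the PEM object is not a private key
     */
    public static PrivateKey readPrivateKey(File file, String str) throws IOException, GeneralSecurityException {
        byte[] keyBytes = new byte[(int) file.length()];
        try (DataInputStream in = new DataInputStream(new FileInputStream(file))) {
            // readFully instead of read: a single read() may return fewer bytes than requested
            // and leave the tail of the buffer zeroed.
            in.readFully(keyBytes);
        }

        PKCS8EncodedKeySpec keySpec = decryptPrivateKey(keyBytes, file.getName(), str);
        if (keySpec == null) {
            try (PemReader pemReader = new PemReader(
                    new InputStreamReader(new ByteArrayInputStream(keyBytes), StandardCharsets.US_ASCII))) {
                PemObject pemObject = pemReader.readPemObject();
                if (pemObject == null) {
                    keySpec = new PKCS8EncodedKeySpec(keyBytes);
                } else if (!pemObject.getType().contains("PRIVATE KEY")) {
                    throw new IllegalArgumentException("Unknown private key type " + pemObject.getType());
                } else {
                    keySpec = new PKCS8EncodedKeySpec(pemObject.getContent());
                }
            }
        }

        try {
            return KeyFactory.getInstance("RSA").generatePrivate(keySpec);
        } catch (InvalidKeySpecException notRsa) {
            return KeyFactory.getInstance("DSA").generatePrivate(keySpec);
        }
    }
}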
