package com.ibm.mq.ese.prot;

import com.ibm.mq.ese.core.AMBIException;
import com.ibm.mq.ese.core.EseUser;
import com.ibm.mq.ese.core.MessageProtectionConstants;
import com.ibm.mq.ese.core.SecurityPolicy;
import com.ibm.mq.ese.core.SecurityProvider;
import com.ibm.mq.ese.core.X500NameWrapper;
import com.ibm.mq.ese.nls.AmsErrorMessageInserts;
import com.ibm.mq.ese.nls.AmsErrorMessages;
import com.ibm.mq.ese.pki.InvalidCertificateException;
import com.ibm.mq.ese.pki.KeyStoreAccessPKCS11Impl;
import com.ibm.mq.ese.pki.MissingCertificateException;
import com.ibm.mq.ese.pki.X509CertificateValidator;
import com.ibm.msg.client.commonservices.trace.Trace;
import com.ibm.security.pkcs7.ContentInfo;
import com.ibm.security.pkcs7.Data;
import com.ibm.security.pkcs7.EncryptedContentInfo;
import com.ibm.security.pkcs7.EnvelopedData;
import com.ibm.security.pkcs7.IssuerAndSerialNumber;
import com.ibm.security.pkcs7.OriginatorInfo;
import com.ibm.security.pkcs7.RecipientInfo;
import com.ibm.security.pkcs7.SignedData;
import com.ibm.security.pkcs7.SignerInfo;
import com.ibm.security.pkcs9.SigningTime;
import com.ibm.security.pkcsutil.PKCSAttributes;
import com.ibm.security.pkcsutil.PKCSException;
import com.ibm.security.pkcsutil.SmudgedBytes;
import com.ibm.security.util.DerOutputStream;
import com.ibm.security.util.DerValue;
import com.ibm.security.util.ObjectIdentifier;
import com.ibm.security.x509.AlgorithmId;
import java.io.IOException;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import java.util.Random;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:com/ibm/mq/ese/prot/MessageProtectionIBMJCEImpl.class */
public class MessageProtectionIBMJCEImpl implements MessageProtection {
    // Source/build identification string; nothing in the visible part of this class reads it.
    public static final String sccsid = "@(#) MQMBID sn=p800-009-180321.1 su=_zKBEsC0nEeiK6e5aaoO7vQ pn=com.ibm.mq.ese/src/com/ibm/mq/ese/prot/MessageProtectionIBMJCEImpl.java";
    // Digest algorithm name constants; none is referenced in the visible part of this class.
    private static final String DIGEST_ALG_SHA = "SHA";
    private static final String DIGEST_ALG_SHA256 = "SHA2";
    private static final String DIGEST_ALG_SHA384 = "SHA3";
    private static final String DIGEST_ALG_SHA512 = "SHA5";
    private static final String DIGEST_ALG_MD5 = "MD5";
    // Cipher block sizes in bytes; getBlockSize() returns the same values written as literals.
    private static final int BLOCK_SIZE_DES = 8;
    private static final int BLOCK_SIZE_3DES = 8;
    private static final int BLOCK_SIZE_AES = 16;
    // Transformations cipher() requests on the PKCS#11 path: CBC with NoPadding, because cipher()
    // pads the plaintext itself through pad() before calling doFinal().
    private static final String TRANSFORMATION_AES_CBC_NOPAD = "AES/CBC/NoPadding";
    private static final String TRANSFORMATION_DES_CBC_NOPAD = "DES/CBC/NoPadding";
    private static final String TRANSFORMATION_3DES_CBC_NOPAD = "DESede/CBC/NoPadding";
    // Suffix cipher() appends to the algorithm name on the non-PKCS#11 path.
    private static final String TRANSFORMATION_CBC_PKCS5 = "/CBC/PKCS5Padding";
    // Monitor held by protect() around ContentInfo.encode().
    private final Object contentInfoEncodeLock = new Object();
    // Used by validateSenderCertificate(). Not assigned in the visible part of this class, so it is
    // presumably set elsewhere — NOTE(review): confirm it can never be null when protect() runs.
    private X509CertificateValidator certificateValidator;

    /**
     * Signs the message body and, when the policy's QOP is 2, additionally encrypts the signed
     * content for the policy's recipients; returns the encoded PKCS#7 ContentInfo.
     *
     * <p>Order of operations: argument checks, QOP validation, sender-certificate validation,
     * signature, then (optionally) cipher-algorithm and recipient-certificate validation followed
     * by encryption. The message is therefore signed first and encrypted second.
     *
     * <p>A {@code null} or zero-length body is returned unchanged and no policy, certificate or
     * algorithm check runs for it.
     *
     * @param bArr the clear message body
     * @param securityPolicy policy supplying QOP, signature algorithm, encryption algorithm and recipients
     * @param eseUser the sending user (certificate, private key, provider, key store)
     * @return the encoded protected message, or {@code bArr} itself when it is null or empty
     * @throws MessageProtectionException for every failure; the {@link IllegalArgumentException}s
     *         created for null arguments are raised inside the {@code try} and so reach the caller
     *         wrapped by the generic handler rather than as-is
     */
    @Override // com.ibm.mq.ese.prot.MessageProtection
    public byte[] protect(byte[] bArr, SecurityPolicy securityPolicy, EseUser eseUser) throws MessageProtectionException {
        ContentInfo sign;
        byte[] encode;
        if (Trace.isOn) {
            // NOTE(review): the clear message body is handed to the trace facility here; whether
            // Trace records array contents is not visible in this file — confirm before enabling
            // trace on systems that carry sensitive payloads.
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", new Object[]{bArr, securityPolicy, eseUser});
        }
        // Empty bodies bypass protection entirely: the value returned carries no signature, and
        // this happens before the policy or user is even null-checked.
        // NOTE(review): confirm the receiving side treats an unsigned empty body as intended.
        if (bArr == null || bArr.length == 0) {
            if (Trace.isOn) {
                Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte[], SecurityPolicy, EseUser)", "skipping an empty message body", "");
            }
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", bArr, 1);
            }
            return bArr;
        }
        try {
            if (securityPolicy == null) {
                IllegalArgumentException illegalArgumentException = new IllegalArgumentException("policy == null");
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", illegalArgumentException, 1);
                }
                throw illegalArgumentException;
            }
            if (eseUser == null) {
                IllegalArgumentException illegalArgumentException2 = new IllegalArgumentException("user == null");
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", illegalArgumentException2, 2);
                }
                throw illegalArgumentException2;
            }
            // Only QOP values 1 and 2 pass validateQop().
            validateQop(securityPolicy.getQop());
            X509Certificate certificate = eseUser.getCertificate();
            if (certificate == null) {
                HashMap hashMap = new HashMap();
                hashMap.put(AmsErrorMessageInserts.AMS_INSERT_CREDENTIAL_ALIAS, eseUser.getKeystoreAlias());
                hashMap.put(AmsErrorMessageInserts.AMS_INSERT_FILENAME, eseUser.getKeyStore().toString());
                MessageProtectionException messageProtectionException = new MessageProtectionException(AmsErrorMessages.mju_user_certificate_not_found_MessageProtectionException, (HashMap<String, ? extends Object>) hashMap);
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", messageProtectionException, 3);
                }
                throw messageProtectionException;
            }
            // The sender's own certificate is validated before its private key is used to sign.
            validateSenderCertificate(certificate, eseUser);
            Data data = new Data(eseUser.getProvider());
            data.setData(bArr);
            ContentInfo contentInfo = new ContentInfo(data, eseUser.getProvider());
            // Second guard on the QOP; validateQop() above already rejects anything but 1 and 2,
            // and needsToSign() is true for both of those values.
            if (!needsToSign(securityPolicy)) {
                IllegalProtectionTypeException create = IllegalProtectionTypeException.create(Integer.toString(securityPolicy.getQop()), new IllegalArgumentException(Integer.toString(securityPolicy.getQop())));
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", create, 4);
                }
                throw create;
            }
            validateSigAlg(securityPolicy.getSignAlg());
            // With a PKCS#11 provider the signing call runs while holding the shared KS_LOCK.
            if (isPkcs11(eseUser)) {
                synchronized (KeyStoreAccessPKCS11Impl.KS_LOCK) {
                    sign = sign(eseUser, securityPolicy.getSignAlg(), certificate, contentInfo);
                }
            } else {
                sign = sign(eseUser, securityPolicy.getSignAlg(), certificate, contentInfo);
            }
            if (needsToEncrypt(securityPolicy)) {
                // Cipher name and every recipient certificate are checked before any key is generated.
                validateCipherAlg(securityPolicy.getEncAlg());
                X509Certificate[] recipientsCertificates = securityPolicy.getRecipientsCertificates();
                validateRecipientsCerts(recipientsCertificates, eseUser);
                // The signed ContentInfo is replaced by the enveloping (encrypted) one.
                if (isPkcs11(eseUser)) {
                    synchronized (KeyStoreAccessPKCS11Impl.KS_LOCK) {
                        sign = cipher(eseUser, securityPolicy.getEncAlg(), recipientsCertificates, sign);
                    }
                } else {
                    sign = cipher(eseUser, securityPolicy.getEncAlg(), recipientsCertificates, sign);
                }
            }
            // Encoding is serialised per instance through contentInfoEncodeLock.
            synchronized (this.contentInfoEncodeLock) {
                encode = sign.encode();
            }
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", encode, 2);
            }
            return encode;
        } catch (IllegalProtectionTypeException e) {
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", e, 1);
            }
            // This second catchBlock call is not guarded by Trace.isOn and spells the method
            // signature differently; the same pattern repeats in the two handlers below.
            Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte[], SecurityPolicy, EseUser)", e, 1);
            AmsErrorMessages.logProtectionException("com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte[], SecurityPolicy, EseUser)", e);
            // Re-created from the caught exception's QOP, keeping the original as the cause.
            IllegalProtectionTypeException create2 = IllegalProtectionTypeException.create(e.getQop(), e);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", create2, 5);
            }
            throw create2;
        } catch (InvalidKeyException e2) {
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", e2, 2);
            }
            Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte[], SecurityPolicy, EseUser)", e2, 2);
            AmsErrorMessages.logProtectionException("com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte[], SecurityPolicy, EseUser)", e2);
            // Reported to the caller as an invalid-key-size error.
            MessageProtectionException messageProtectionException2 = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_invalid_key_size, e2);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", messageProtectionException2, 6);
            }
            throw messageProtectionException2;
        } catch (Exception e3) {
            // Catch-all: everything not handled above, including the IllegalArgumentExceptions and
            // (unless it is a subtype handled earlier) the certificate-not-found exception raised
            // inside the try, is wrapped in a generic "protection failed" exception.
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", e3, 3);
            }
            Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte[], SecurityPolicy, EseUser)", e3, 3);
            AmsErrorMessages.logProtectionException("com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte[], SecurityPolicy, EseUser)", e3);
            MessageProtectionException messageProtectionException3 = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_msg_protection_failed, e3);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "protect(byte [ ],SecurityPolicy,EseUser)", messageProtectionException3, 7);
            }
            throw messageProtectionException3;
        }
    }

    /**
     * Reports whether the policy asks for encryption, which is the case exactly when its QOP is 2.
     *
     * @param securityPolicy policy whose QOP value is read
     * @return {@code true} if {@code securityPolicy.getQop()} equals 2
     */
    private boolean needsToEncrypt(SecurityPolicy securityPolicy) {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "needsToEncrypt(SecurityPolicy)", new Object[]{securityPolicy});
        }
        final int qop = securityPolicy.getQop();
        final boolean encryptionRequested = (2 == qop);
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "needsToEncrypt(SecurityPolicy)", Boolean.valueOf(encryptionRequested));
        }
        return encryptionRequested;
    }

    /**
     * Reports whether the policy asks for a signature: QOP 1, or any QOP for which
     * {@link #needsToEncrypt(SecurityPolicy)} is true (encrypted messages are always signed too).
     *
     * @param securityPolicy policy whose QOP value is read
     * @return {@code true} if the message must be signed
     */
    private boolean needsToSign(SecurityPolicy securityPolicy) {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "needsToSign(SecurityPolicy)", new Object[]{securityPolicy});
        }
        boolean signingRequested = true;
        if (securityPolicy.getQop() != 1) {
            // Not sign-only: signing is still required whenever encryption is.
            signingRequested = needsToEncrypt(securityPolicy);
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "needsToSign(SecurityPolicy)", Boolean.valueOf(signingRequested));
        }
        return signingRequested;
    }

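    /**
     * Encrypts the (already signed) content under a freshly generated symmetric key and wraps the
     * result in a PKCS#7 EnvelopedData addressed to the given recipient certificates.
     *
     * <p>Key size comes from {@link #getKeySize(String)}, except that on a PKCS#11 provider 3DES
     * uses 192 and DES uses 64. The AES128/AES256 policy names are mapped to the single
     * {@code ENCRYPTION_AES} name before any JCE lookup.
     *
     * <p>Non-PKCS#11 providers use {@code <alg>/CBC/PKCS5Padding} and the IV is taken from
     * {@code cipher.getParameters()} after {@code init}. PKCS#11 providers use the
     * {@code .../CBC/NoPadding} transformations with padding applied by {@link #pad(byte[], int)};
     * for 3DES the IV is generated here and passed in explicitly.
     *
     * @param eseUser sending user; supplies the JCE provider name
     * @param str encryption algorithm name from the policy
     * @param x509CertificateArr recipient certificates (already validated by the caller)
     * @param contentInfo signed content to encrypt
     * @return a ContentInfo holding the EnvelopedData
     * @throws IllegalAlgorithmNameException if {@code str} has no known key size
     * @throws IOException on DER encoding failures
     * @throws GeneralSecurityException on JCE failures (unknown algorithm/provider, bad key, ...)
     */
    private ContentInfo cipher(EseUser eseUser, String str, X509Certificate[] x509CertificateArr, ContentInfo contentInfo) throws IllegalAlgorithmNameException, IOException, GeneralSecurityException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "cipher(final EseUser,String,final X509Certificate [ ],ContentInfo)", new Object[]{eseUser, str, x509CertificateArr, contentInfo});
        }
        String algorithm = str;
        int keySize = getKeySize(algorithm);
        // Provider name and the PKCS#11 decision do not change during the call; read them once.
        final String provider = eseUser.getProvider();
        final boolean pkcs11 = isPkcs11(eseUser);
        if (pkcs11) {
            // PKCS#11 key generation is asked for the size including parity bits.
            if (algorithm.equals(MessageProtectionConstants.ENCRYPTION_3DES)) {
                keySize = 192;
            }
            if (algorithm.equals(MessageProtectionConstants.ENCRYPTION_DES)) {
                keySize = 64;
            }
        }
        if (algorithm.equalsIgnoreCase(MessageProtectionConstants.ENCRYPTION_AES128) || algorithm.equalsIgnoreCase(MessageProtectionConstants.ENCRYPTION_AES256)) {
            algorithm = MessageProtectionConstants.ENCRYPTION_AES;
        }
        if (Trace.isOn) {
            Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "cipher(final EseUser, String, final X509Certificate[], ContentInfo)", "Cipher Algorithm: " + algorithm + ", key size: " + keySize + ", number of recipients: " + x509CertificateArr.length, "");
        }

        // DER-encode the signed content, then take the bytes DerValue.getData() exposes
        // (presumably the value without the outer tag/length — TODO confirm against DerValue).
        DerOutputStream derOutputStream = new DerOutputStream();
        contentInfo.getContent().encode(derOutputStream);
        byte[] plaintext = new DerValue(derOutputStream.toByteArray()).getData().toByteArray();

        // One fresh content-encryption key per message.
        KeyGenerator keyGenerator = provider != null ? KeyGenerator.getInstance(algorithm, provider) : KeyGenerator.getInstance(algorithm);
        keyGenerator.init(keySize);
        SecretKey contentKey = keyGenerator.generateKey();

        int blockSize = getBlockSize(algorithm);
        if (blockSize == 0) {
            // No known block size for this algorithm: the padding unit becomes the data length.
            blockSize = plaintext.length;
        }

        Cipher cipher;
        if (pkcs11) {
            if (algorithm.equals(MessageProtectionConstants.ENCRYPTION_3DES)) {
                cipher = Cipher.getInstance(TRANSFORMATION_3DES_CBC_NOPAD, provider);
            } else if (algorithm.equals(MessageProtectionConstants.ENCRYPTION_DES)) {
                cipher = Cipher.getInstance(TRANSFORMATION_DES_CBC_NOPAD, provider);
            } else if (algorithm.equals(MessageProtectionConstants.ENCRYPTION_AES)) {
                cipher = Cipher.getInstance(TRANSFORMATION_AES_CBC_NOPAD, provider);
            } else {
                // NOTE(review): bare algorithm name, so mode and padding are whatever the
                // provider defaults to — confirm that default is acceptable for this path.
                cipher = Cipher.getInstance(algorithm, provider);
            }
        } else if (provider != null) {
            cipher = Cipher.getInstance(algorithm + TRANSFORMATION_CBC_PKCS5, provider);
        } else {
            cipher = Cipher.getInstance(algorithm + TRANSFORMATION_CBC_PKCS5);
        }

        AlgorithmParameters explicitParams = null;
        if (pkcs11 && algorithm.equals(MessageProtectionConstants.ENCRYPTION_3DES)) {
            // The CBC IV must be unpredictable, so it is drawn from a CSPRNG. A java.util.Random
            // seeded with the wall clock yields an IV that anyone who can estimate the send time
            // can reproduce.
            byte[] iv = new byte[8]; // one DES/3DES block
            new SecureRandom().nextBytes(iv);
            explicitParams = AlgorithmParameters.getInstance(algorithm);
            explicitParams.init(new IvParameterSpec(iv));
            cipher.init(Cipher.ENCRYPT_MODE, contentKey, explicitParams);
        } else {
            cipher.init(Cipher.ENCRYPT_MODE, contentKey);
        }

        // NoPadding transformations on PKCS#11 need block-aligned input, hence the manual pad.
        byte[] ciphertext = cipher.doFinal(pkcs11 ? pad(plaintext, blockSize) : plaintext);

        // Prefer the parameters the cipher reports; fall back to the ones supplied above.
        AlgorithmParameters parameters = cipher.getParameters();
        if (parameters == null && explicitParams != null) {
            parameters = explicitParams;
        }
        ContentInfo contentInfo2 = new ContentInfo(new EnvelopedData((OriginatorInfo) null, createRecipientsInfo(x509CertificateArr, contentKey, provider), createEncContentInfo(algorithm, keySize, ciphertext, parameters, provider), (PKCSAttributes) null, provider), provider);
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "cipher(final EseUser,String,final X509Certificate [ ],ContentInfo)", contentInfo2);
        }
        return contentInfo2;
    }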

    /**
     * Returns the cipher block size in bytes for the given algorithm name.
     *
     * @param str algorithm name; compared case-sensitively against the 3DES, DES and AES constants
     * @return 8 for 3DES and DES, 16 for AES, and 0 for any other name
     */
    private int getBlockSize(String str) {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "getBlockSize(String)", new Object[]{str});
        }
        final int blockSize;
        if (str.equals(MessageProtectionConstants.ENCRYPTION_3DES) || str.equals(MessageProtectionConstants.ENCRYPTION_DES)) {
            blockSize = 8;
        } else if (str.equals(MessageProtectionConstants.ENCRYPTION_AES)) {
            blockSize = 16;
        } else {
            // Unknown to this table; the caller decides what to do with 0.
            blockSize = 0;
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "getBlockSize(String)", Integer.valueOf(blockSize));
        }
        return blockSize;
    }

    /**
     * Builds one RecipientInfo per recipient certificate, each constructed from the encoded
     * content-encryption key, that recipient's certificate and the provider name.
     *
     * @param x509CertificateArr recipient certificates
     * @param key content-encryption key whose encoded form is handed to every RecipientInfo
     * @param str JCE provider name (may be null, as passed by the caller)
     * @return array of RecipientInfo, same length and order as {@code x509CertificateArr}
     * @throws IOException propagated from the PKCS#7 classes
     * @throws PKCSException propagated from the PKCS#7 classes
     */
    private RecipientInfo[] createRecipientsInfo(X509Certificate[] x509CertificateArr, Key key, String str) throws IOException, PKCSException {
        if (Trace.isOn) {
            // NOTE(review): the content-encryption key object is passed to the trace facility;
            // whether Trace renders key material is not visible here — confirm.
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "createRecipientsInfo(final X509Certificate [ ],Key,String)", new Object[]{x509CertificateArr, key, str});
        }
        // Raw key bytes are held in a SmudgedBytes wrapper and read back per recipient.
        final SmudgedBytes wrappedKey = new SmudgedBytes(key.getEncoded(), str);
        final int recipientCount = x509CertificateArr.length;
        final RecipientInfo[] recipients = new RecipientInfo[recipientCount];
        int slot = 0;
        while (slot < recipientCount) {
            recipients[slot] = new RecipientInfo(wrappedKey.getClearText(), x509CertificateArr[slot], str);
            slot++;
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "createRecipientsInfo(final X509Certificate [ ],Key,String)", recipients);
        }
        return recipients;
    }

    /**
     * Assembles the EncryptedContentInfo for an EnvelopedData: content type, content-encryption
     * algorithm identifier (with encoded parameters when available) and the ciphertext.
     *
     * @param str algorithm name; for AES the key size is appended before the OID lookup
     * @param i key size in bits
     * @param bArr ciphertext
     * @param algorithmParameters cipher parameters to embed, or {@code null} for none
     * @param str2 JCE provider name
     * @return the populated EncryptedContentInfo
     * @throws IOException if the parameters or an OID cannot be encoded
     * @throws NoSuchAlgorithmException if no AlgorithmId exists for the name
     */
    private EncryptedContentInfo createEncContentInfo(String str, int i, byte[] bArr, AlgorithmParameters algorithmParameters, String str2) throws IOException, NoSuchAlgorithmException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "createEncContentInfo(String,int,byte [ ],AlgorithmParameters,String)", new Object[]{str, Integer.valueOf(i), bArr, algorithmParameters, str2});
        }
        final byte[] encodedParams = (algorithmParameters == null) ? null : algorithmParameters.getEncoded();

        // AES OIDs are per key size, so the lookup name is the algorithm name followed by the size.
        final ObjectIdentifier cipherOid;
        if (str.equals(MessageProtectionConstants.ENCRYPTION_AES)) {
            cipherOid = AlgorithmId.get(str + i).getOID();
        } else {
            cipherOid = AlgorithmId.get(str).getOID();
        }

        // The encrypted payload is declared as signed-data, matching the sign-then-encrypt flow.
        final ObjectIdentifier contentType = new ObjectIdentifier(MessageProtectionConstants.SIGNED_DATA_OID);
        final AlgorithmId contentEncryptionAlg;
        if (encodedParams != null) {
            contentEncryptionAlg = new AlgorithmId(cipherOid, encodedParams, str2);
        } else {
            contentEncryptionAlg = new AlgorithmId(cipherOid, str2);
        }
        final EncryptedContentInfo result = new EncryptedContentInfo(contentType, contentEncryptionAlg, bArr, str2);
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "createEncContentInfo(String,int,byte [ ],AlgorithmParameters,String)", result);
        }
        return result;
    }

    /**
     * Returns a copy of the input extended to a multiple of {@code i} bytes, where every added byte
     * holds the number of bytes added (the PKCS#5/PKCS#7 padding layout). Between 1 and {@code i}
     * bytes are always appended, so block-aligned input grows by one full block.
     *
     * @param bArr data to pad; not modified
     * @param i block size in bytes; 0 causes an ArithmeticException from the modulo
     * @return new array containing {@code bArr} followed by the padding
     */
    private byte[] pad(byte[] bArr, int i) {
        if (Trace.isOn) {
            // NOTE(review): the unencrypted data is passed to the trace facility here and on exit.
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "pad(byte [ ],int)", new Object[]{bArr, Integer.valueOf(i)});
        }
        final int dataLength = bArr.length;
        final int padCount = i - (dataLength % i);
        final byte[] padded = new byte[dataLength + padCount];
        System.arraycopy(bArr, 0, padded, 0, dataLength);
        // Pad value is the low 8 bits of the pad count.
        final byte padValue = (byte) (padCount & 255);
        for (int pos = dataLength; pos < padded.length; pos++) {
            padded[pos] = padValue;
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "pad(byte [ ],int)", padded);
        }
        return padded;
    }

    /**
     * Reports whether the user's JCE provider name is set and starts with the IBMPKCS11 prefix.
     *
     * @param eseUser user whose provider name is inspected
     * @return {@code true} for a PKCS#11 provider, {@code false} for a null or other provider name
     */
    private boolean isPkcs11(EseUser eseUser) {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "isPkcs11(EseUser)", new Object[]{eseUser});
        }
        boolean pkcs11Provider = false;
        if (eseUser.getProvider() != null) {
            // Prefix match, so provider names that merely begin with the prefix also qualify.
            pkcs11Provider = eseUser.getProvider().startsWith(SecurityProvider.Provider.IBMPKCS11);
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "isPkcs11(EseUser)", Boolean.valueOf(pkcs11Provider));
        }
        return pkcs11Provider;
    }

    /**
     * Requires at least one recipient certificate and validates each of them in order, stopping at
     * the first failure.
     *
     * @param x509CertificateArr recipient certificates from the policy
     * @param eseUser sending user, passed through to the per-certificate validation
     * @throws AMBIException if the array is null or empty (as a MessageProtectionException), or
     *         whatever {@code validateRecipientCertificate} raises for an individual certificate
     */
    private void validateRecipientsCerts(X509Certificate[] x509CertificateArr, EseUser eseUser) throws AMBIException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateRecipientsCerts(X509Certificate [ ],EseUser)", new Object[]{x509CertificateArr, eseUser});
        }
        final boolean noRecipients = x509CertificateArr == null || x509CertificateArr.length == 0;
        if (noRecipients) {
            // Encrypting for nobody would produce a message no one can open; refuse up front.
            MessageProtectionException noRecipientError = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_getting_no_recipient_cert);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateRecipientsCerts(X509Certificate [ ],EseUser)", noRecipientError);
            }
            throw noRecipientError;
        }
        for (int idx = 0; idx < x509CertificateArr.length; idx++) {
            validateRecipientCertificate(x509CertificateArr[idx], eseUser);
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateRecipientsCerts(X509Certificate [ ],EseUser)");
        }
    }

    /**
     * Maps an encryption algorithm name (case-insensitively) to the key size in bits requested
     * from the key generator: DES 56, 3DES 112, RC2 40, AES128 128, AES256 256.
     *
     * <p>NOTE(review): DES at 56 bits and RC2 at 40 bits are far below current minimum key
     * strengths, and 112 selects two-key 3DES; policies should be steered to the AES entries.
     *
     * @param str algorithm name from the policy
     * @return key size in bits
     * @throws IllegalAlgorithmNameException if the name matches none of the known algorithms
     */
    private int getKeySize(String str) throws IllegalAlgorithmNameException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "getKeySize(String)", new Object[]{str});
        }
        final int keyBits;
        if (str.equalsIgnoreCase(MessageProtectionConstants.ENCRYPTION_DES)) {
            keyBits = 56;
        } else if (str.equalsIgnoreCase(MessageProtectionConstants.ENCRYPTION_3DES)) {
            keyBits = 112;
        } else if (str.equalsIgnoreCase(MessageProtectionConstants.ENCRYPTION_RC2)) {
            keyBits = 40;
        } else if (str.equalsIgnoreCase(MessageProtectionConstants.ENCRYPTION_AES128)) {
            keyBits = 128;
        } else if (str.equalsIgnoreCase(MessageProtectionConstants.ENCRYPTION_AES256)) {
            keyBits = 256;
        } else {
            // Unknown name: report it through the "invalid encryption algorithm" message.
            HashMap inserts = new HashMap();
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_ENCRYPTION_STRENGTH, str);
            IllegalAlgorithmNameException unknownAlgorithm = new IllegalAlgorithmNameException(AmsErrorMessages.mjp_msg_error_invalid_encryption_algorithm, inserts, new Exception("keysize == -1"));
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "getKeySize(String)", unknownAlgorithm);
            }
            throw unknownAlgorithm;
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "getKeySize(String)", Integer.valueOf(keyBits));
        }
        return keyBits;
    }

    /**
     * Accepts only the encryption algorithm names this implementation knows: RC2, DES, 3DES,
     * AES128 and AES256 (exact, case-sensitive match). A {@code null} name is rejected.
     *
     * <p>NOTE(review): RC2 and DES are on the accepted list although both are considered broken
     * for confidentiality; restricting them has to happen in policy, not here.
     *
     * @param str algorithm name from the policy
     * @throws IllegalAlgorithmNameException if the name is null or not on the list
     */
    private void validateCipherAlg(String str) throws IllegalAlgorithmNameException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateCipherAlg(String)", new Object[]{str});
        }
        boolean accepted = false;
        if (str != null) {
            accepted = str.equals(MessageProtectionConstants.ENCRYPTION_RC2)
                    || str.equals(MessageProtectionConstants.ENCRYPTION_DES)
                    || str.equals(MessageProtectionConstants.ENCRYPTION_3DES)
                    || str.equals(MessageProtectionConstants.ENCRYPTION_AES128)
                    || str.equals(MessageProtectionConstants.ENCRYPTION_AES256);
        }
        if (!accepted) {
            HashMap inserts = new HashMap();
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_ENCRYPTION_STRENGTH, str);
            IllegalAlgorithmNameException rejected = new IllegalAlgorithmNameException(AmsErrorMessages.mjp_msg_error_invalid_encryption_algorithm, inserts, new IllegalArgumentException(str));
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateCipherAlg(String)", rejected);
            }
            throw rejected;
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateCipherAlg(String)");
        }
    }

    /**
     * Wraps the content in a PKCS#7 SignedData signed with the user's private key and carrying the
     * user's certificate as the only signer certificate; no CRLs and no signed or unsigned
     * attributes are supplied.
     *
     * @param eseUser signing user; supplies the private key and the provider name
     * @param str signature algorithm name
     * @param x509Certificate the signer's certificate
     * @param contentInfo content to sign
     * @return a ContentInfo holding the SignedData
     * @throws PKCSException propagated from the PKCS#7 classes
     * @throws IOException propagated from the PKCS#7 classes
     * @throws AMBIException a MessageProtectionException when an AMBIException is raised while
     *         signing (for example when fetching the private key), or an
     *         IllegalAlgorithmNameException when the signature algorithm is unavailable
     */
    private ContentInfo sign(EseUser eseUser, String str, X509Certificate x509Certificate, ContentInfo contentInfo) throws PKCSException, IOException, AMBIException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "sign(EseUser,String,X509Certificate,ContentInfo)", new Object[]{eseUser, str, x509Certificate, contentInfo});
        }
        try {
            final X509Certificate[] signerCertificates = {x509Certificate};
            final PrivateKey[] signerKeys = {eseUser.getPrivateKey()};
            // NOTE(review): the meaning of the boolean argument (false) is defined by SignedData
            // and is not visible in this file.
            final SignedData signedData = new SignedData(signerCertificates, (CRL[]) null, contentInfo, str, signerKeys, (PKCSAttributes) null, (PKCSAttributes) null, false, eseUser.getProvider());
            final ContentInfo signedContent = new ContentInfo(signedData);
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "sign(EseUser,String,X509Certificate,ContentInfo)", signedContent);
            }
            return signedContent;
        } catch (AMBIException ambiFailure) {
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "sign(EseUser,String,X509Certificate,ContentInfo)", ambiFailure, 2);
            }
            MessageProtectionException protectionFailed = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_msg_protection_failed, ambiFailure);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "sign(EseUser,String,X509Certificate,ContentInfo)", protectionFailed, 2);
            }
            throw protectionFailed;
        } catch (NoSuchAlgorithmException unknownAlgorithm) {
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "sign(EseUser,String,X509Certificate,ContentInfo)", unknownAlgorithm, 1);
            }
            IllegalAlgorithmNameException badAlgorithmName = new IllegalAlgorithmNameException(AmsErrorMessages.mjp_msg_error_msg_protection_failed_IllegalAlgorithmNameException, unknownAlgorithm);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "sign(EseUser,String,X509Certificate,ContentInfo)", badAlgorithmName, 1);
            }
            throw badAlgorithmName;
        }
    }

    /**
     * Validates the sender's certificate with the configured certificate validator, using the
     * sender key-usage constants, and converts every failure into an InvalidCertificateException
     * that names the certificate subject.
     *
     * @param x509Certificate the sender's certificate
     * @param eseUser the sending user, passed through to the validator
     * @throws InvalidCertificateException if validation fails for any reason
     */
    private void validateSenderCertificate(X509Certificate x509Certificate, EseUser eseUser) throws InvalidCertificateException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSenderCertificate(X509Certificate,EseUser)", new Object[]{x509Certificate, eseUser});
        }
        try {
            this.certificateValidator.validateX509Certificate(x509Certificate, X509CertificateValidator.SENDER_KEY_USAGE, X509CertificateValidator.SENDER_KEY_USAGE_MATCH, false, eseUser);
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSenderCertificate(X509Certificate,EseUser)");
            }
        } catch (InvalidCertificateException validatorRejection) {
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSenderCertificate(X509Certificate,EseUser)", validatorRejection, 1);
            }
            HashMap subjectInsert = new HashMap();
            subjectInsert.put(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, x509Certificate.getSubjectDN().getName());
            // Only the validator exception's cause is chained; the validator exception itself
            // (and its message) is not part of the rethrown exception.
            InvalidCertificateException senderCertInvalid = new InvalidCertificateException(AmsErrorMessages.mjp_msg_error_msg_sender_cert_not_valid_InvalidCertificateException, subjectInsert, validatorRejection.getCause());
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSenderCertificate(X509Certificate,EseUser)", senderCertInvalid, 1);
            }
            throw senderCertInvalid;
        } catch (Exception unexpected) {
            // Anything else, including runtime failures inside the validator, is also reported as
            // an invalid sender certificate, so validation fails closed.
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSenderCertificate(X509Certificate,EseUser)", unexpected, 2);
            }
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSenderCertificate(X509Certificate, EseUser)", unexpected);
            }
            HashMap subjectInsert = new HashMap();
            subjectInsert.put(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, x509Certificate.getSubjectDN().getName());
            InvalidCertificateException senderCertInvalid = new InvalidCertificateException(AmsErrorMessages.mjp_msg_error_msg_sender_cert_not_valid_InvalidCertificateException, subjectInsert, unexpected);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSenderCertificate(X509Certificate,EseUser)", senderCertInvalid, 2);
            }
            throw senderCertInvalid;
        }
    }

    /**
     * Accepts only the RSA signature algorithms this implementation knows, given either by name
     * or by OID: MD2, MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 with RSA encryption.
     * A {@code null} name is rejected.
     *
     * <p>NOTE(review): the MD2, MD5 and SHA-1 entries are accepted although those digests no
     * longer provide collision resistance; policies should select SHA-256 or stronger.
     *
     * @param str signature algorithm name or OID from the policy
     * @throws IllegalAlgorithmNameException if the value is null or not on the list
     */
    private void validateSigAlg(String str) throws IllegalAlgorithmNameException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSigAlg(String)", new Object[]{str});
        }
        boolean supported = false;
        if (str != null) {
            supported = str.equals(MessageProtectionConstants.MD2_WITH_RSAENCRYPTION)
                    || str.equals(MessageProtectionConstants.MD2_WITH_RSAENCRYPTION_OID)
                    || str.equals(MessageProtectionConstants.MD5_WITH_RSAENCRYPTION)
                    || str.equals(MessageProtectionConstants.MD5_WITH_RSAENCRYPTION_OID)
                    || str.equals(MessageProtectionConstants.SHA1_WITH_RSAENCRYPTION)
                    || str.equals(MessageProtectionConstants.SHA1_WITH_RSAENCRYPTION_OID)
                    || str.equals(MessageProtectionConstants.SHA224_WITH_RSAENCRYPTION)
                    || str.equals(MessageProtectionConstants.SHA224_WITH_RSAENCRYPTION_OID)
                    || str.equals(MessageProtectionConstants.SHA256_WITH_RSAENCRYPTION)
                    || str.equals(MessageProtectionConstants.SHA256_WITH_RSAENCRYPTION_OID)
                    || str.equals(MessageProtectionConstants.SHA384_WITH_RSAENCRYPTION)
                    || str.equals(MessageProtectionConstants.SHA384_WITH_RSAENCRYPTION_OID)
                    || str.equals(MessageProtectionConstants.SHA512_WITH_RSAENCRYPTION)
                    || str.equals(MessageProtectionConstants.SHA512_WITH_RSAENCRYPTION_OID);
        }
        if (!supported) {
            HashMap inserts = new HashMap();
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_SIGNATURE_ALGORITHM, str);
            IllegalAlgorithmNameException rejected = new IllegalAlgorithmNameException(AmsErrorMessages.mjp_msg_error_invalid_signature_algorithm_IllegalAlgorithmNameException, inserts, new IllegalArgumentException(str));
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSigAlg(String)", rejected);
            }
            throw rejected;
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSigAlg(String)");
        }
    }

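    /**
     * Rejects every quality-of-protection value other than 1 and 2.
     *
     * <p>The rejected value is reported by its name from {@code QOP_NAMES} when it is a valid index
     * into that table, and by its decimal form otherwise. The index check covers both ends, so a
     * negative value produces the intended IllegalProtectionTypeException instead of an
     * ArrayIndexOutOfBoundsException.
     *
     * @param i QOP value from the policy
     * @throws IllegalProtectionTypeException if {@code i} is neither 1 nor 2
     */
    private void validateQop(int i) throws IllegalProtectionTypeException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateQop(int)", new Object[]{Integer.valueOf(i)});
        }
        if (i == 1 || i == 2) {
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateQop(int)");
            }
            return;
        }
        String qopLabel = Integer.toString(i);
        // Lower bound matters as much as the upper one: the value comes from the policy and a
        // negative number must not be used as an array index.
        if (i >= 0 && i < MessageProtectionConstants.QOP_NAMES.length) {
            qopLabel = MessageProtectionConstants.QOP_NAMES[i];
        }
        IllegalProtectionTypeException rejected = IllegalProtectionTypeException.create(qopLabel, new IllegalArgumentException(qopLabel));
        if (Trace.isOn) {
            Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateQop(int)", rejected);
        }
        throw rejected;
    }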

    /**
     * Recovers the payload of a protected message: decrypts a PKCS#7 EnvelopedData layer when one
     * is present, then requires and verifies a SignedData layer.
     *
     * <p>Order of checks, as coded below: arguments non-null; policy QOP accepted by
     * {@code validateQop}; buffer at least 3 bytes long; {@code validateEnvelopedQop}; for
     * enveloped input, the encryption algorithm is checked against the policy (only when the
     * policy QOP is greater than 1), the recipient certificate is validated and the content is
     * deciphered; the result must be SignedData carrying exactly one certificate; the signature
     * algorithm name is checked against the policy; {@code verifySignedData} is called last.
     *
     * <p>Every exception raised inside the method, including the argument checks and the
     * MessageProtectionException instances created here, is caught by the single
     * {@code catch (Exception)} at the end, logged, and rethrown wrapped in a new
     * MessageProtectionException that carries the original as its cause.
     *
     * <p>NOTE(review): when tracing is on, the raw protected bytes and the returned
     * MessageUnprotectInfo (which holds the recovered payload) are passed to Trace. How Trace
     * renders them is not visible here; confirm that trace output is access-controlled.
     *
     * @param bArr the protected message bytes
     * @param securityPolicy the policy whose QOP, signature algorithm and encryption algorithm
     *     are checked against the message
     * @param eseUser the receiving user; supplies the provider, certificate, key store and key
     * @return the sender name, the payload (an empty array when the signed content is absent),
     *     the protection type found (1 for signed only, 2 for enveloped), the signing time if
     *     present, the signature algorithm name and the encryption algorithm name (empty string
     *     when the message was not enveloped)
     * @throws MessageProtectionException for any failure; the underlying exception is the cause
     */
    @Override // com.ibm.mq.ese.prot.MessageProtection
    public MessageUnprotectInfo unprotect(byte[] bArr, SecurityPolicy securityPolicy, EseUser eseUser) throws MessageProtectionException {
        ContentInfo verifySignedData;
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", new Object[]{bArr, securityPolicy, eseUser});
        }
        // Protection type actually found in the message; stays 0 until a layer is recognised.
        int i = 0;
        // Signing time reported by the signer, if any.
        Date date = null;
        try {
            if (bArr == null) {
                IllegalArgumentException illegalArgumentException = new IllegalArgumentException("protMsg is null");
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", illegalArgumentException, 1);
                }
                throw illegalArgumentException;
            }
            if (securityPolicy == null) {
                IllegalArgumentException illegalArgumentException2 = new IllegalArgumentException("policy is null");
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", illegalArgumentException2, 2);
                }
                throw illegalArgumentException2;
            }
            if (eseUser == null) {
                IllegalArgumentException illegalArgumentException3 = new IllegalArgumentException("userInfo is null");
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", illegalArgumentException3, 3);
                }
                throw illegalArgumentException3;
            }
            validateQop(securityPolicy.getQop());
            if (Trace.isOn) {
                Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte[], SecurityPolicy, EseUser)", "Protected Message Length: ", Integer.valueOf(bArr.length));
            }
            // Reject buffers shorter than 3 bytes before handing them to the PKCS#7 parser.
            if (bArr.length < 3) {
                ShortBufferException shortBufferException = new ShortBufferException("protMsg.length = " + bArr.length);
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", shortBufferException, 4);
                }
                throw shortBufferException;
            }
            ContentInfo contentInfo = new ContentInfo(bArr, eseUser.getProvider());
            validateEnvelopedQop(securityPolicy, contentInfo);
            // Encryption algorithm name reported to the caller; stays empty for signed-only input.
            String str = "";
            if (contentInfo.isEnvelopedData()) {
                i = 2;
                EnvelopedData envelopedData = (EnvelopedData) contentInfo.getContent();
                str = readEncryptionAlgorithmName(envelopedData);
                // The algorithm named in the message is compared with the policy only when the
                // policy QOP is greater than 1.
                if (securityPolicy.getQop() > 1) {
                    validateEncryptionStrength(str, securityPolicy.getEncAlg());
                }
                // Map the OID form of the name to the short name used from here on. Any other
                // value is kept exactly as read from the message.
                if (str.equals(MessageProtectionConstants.ENCRYPTION_AES128_CBC_OID)) {
                    str = MessageProtectionConstants.ENCRYPTION_AES128;
                } else if (str.equals(MessageProtectionConstants.ENCRYPTION_AES256_CBC_OID)) {
                    str = MessageProtectionConstants.ENCRYPTION_AES256;
                } else if (str.equals(MessageProtectionConstants.ENCRYPTION_RC2_CBC_OID)) {
                    str = MessageProtectionConstants.ENCRYPTION_RC2;
                } else if (str.equals(MessageProtectionConstants.ENCRYPTION_DES_CBC_OID)) {
                    str = MessageProtectionConstants.ENCRYPTION_DES;
                } else if (str.equals(MessageProtectionConstants.ENCRYPTION_3DES_CBC_OID)) {
                    str = MessageProtectionConstants.ENCRYPTION_3DES;
                }
                if (Trace.isOn) {
                    Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte[], SecurityPolicy, EseUser)", "Privacy Protection used. Encryption algorithm ", str);
                }
                X509Certificate certificate = eseUser.getCertificate();
                if (certificate == null) {
                    HashMap hashMap = new HashMap();
                    hashMap.put(AmsErrorMessageInserts.AMS_INSERT_CREDENTIAL_ALIAS, eseUser.getKeystoreAlias());
                    hashMap.put(AmsErrorMessageInserts.AMS_INSERT_FILENAME, eseUser.getKeyStore().toString());
                    MessageProtectionException messageProtectionException = new MessageProtectionException(AmsErrorMessages.mju_user_certificate_not_found_MessageProtectionException, (HashMap<String, ? extends Object>) hashMap);
                    if (Trace.isOn) {
                        Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", messageProtectionException, 5);
                    }
                    throw messageProtectionException;
                }
                validateRecipientCertificate(certificate, eseUser);
                // When isPkcs11(eseUser) is true the call runs while holding the shared
                // KeyStoreAccessPKCS11Impl.KS_LOCK monitor. The call itself is the same.
                if (isPkcs11(eseUser)) {
                    synchronized (KeyStoreAccessPKCS11Impl.KS_LOCK) {
                        contentInfo = decipher(eseUser, certificate, envelopedData);
                    }
                } else {
                    contentInfo = decipher(eseUser, certificate, envelopedData);
                }
            }
            // Whether or not a decryption step ran, what remains must be SignedData. Unsigned
            // content is never returned.
            if (!contentInfo.isSignedData()) {
                MessageProtectionException messageProtectionException2 = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_invalid_protected_message_type);
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", messageProtectionException2, 6);
                }
                throw messageProtectionException2;
            }
            if (Trace.isOn) {
                Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte[], SecurityPolicy, EseUser)", "Unpacking signed data.", "");
            }
            if (i == 0) {
                i = 1;
            }
            SignedData signedData = (SignedData) contentInfo.getContent();
            // Exactly one certificate must travel with the signature; zero and several are both
            // rejected.
            Certificate[] certificates = signedData.getCertificates();
            if (certificates == null || certificates.length < 1) {
                MissingCertificateException missingCertificateException = new MissingCertificateException(AmsErrorMessages.mjp_msg_error_sender_certificate_not_found);
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", missingCertificateException, 7);
                }
                throw missingCertificateException;
            }
            if (certificates.length > 1) {
                MessageProtectionException messageProtectionException3 = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_invalid_amount_of_sender_certificate);
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", messageProtectionException3, 8);
                }
                throw messageProtectionException3;
            }
            X509Certificate x509Certificate = (X509Certificate) certificates[0];
            if (x509Certificate == null) {
                MissingCertificateException missingCertificateException2 = new MissingCertificateException(AmsErrorMessages.mjp_msg_error_sender_certificate_not_found);
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", missingCertificateException2, 9);
                }
                throw missingCertificateException2;
            }
            // The sender name comes from a certificate carried inside the message. At this point
            // it is still unverified; it is returned only after verifySignedData has completed
            // without throwing.
            String normalizeNames = X500NameWrapper.normalizeNames(x509Certificate.getSubjectDN().getName());
            SignerInfo signerInfo = signedData.getSignerInfo(x509Certificate);
            if (signerInfo != null) {
                // NOTE(review): the signing time is supplied by the sender. Whether it is covered
                // by the signature is not visible here; treat it as informational until confirmed.
                SigningTime signingTime = signerInfo.getSigningTime();
                date = signingTime == null ? null : signingTime.getDate();
                if (Trace.isOn) {
                    logSigner(signedData, x509Certificate, signerInfo);
                }
            } else if (Trace.isOn) {
                // A missing SignerInfo is only traced. Processing continues, and
                // verifySignedData is still called below.
                Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte[], SecurityPolicy, EseUser)", "SignerInfo is null, probably an empty message ", "");
            }
            // The algorithm named in the message is checked against the policy before any
            // signature verification is attempted.
            String readSignatureAlgName = readSignatureAlgName(signedData);
            validateSignatureAlg(readSignatureAlgName, securityPolicy.getSignAlg());
            if (isPkcs11(eseUser)) {
                synchronized (KeyStoreAccessPKCS11Impl.KS_LOCK) {
                    verifySignedData = verifySignedData(signedData, normalizeNames, eseUser);
                }
            } else {
                verifySignedData = verifySignedData(signedData, normalizeNames, eseUser);
            }
            // The verified inner content must be plain Data, or have no content at all.
            if (verifySignedData == null || !(verifySignedData.getContent() == null || verifySignedData.isData())) {
                MessageProtectionException messageProtectionException4 = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_invalid_protected_message_type);
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", messageProtectionException4, 10);
                }
                throw messageProtectionException4;
            }
            Data content = verifySignedData.getContent();
            if (Trace.isOn) {
                Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte[], SecurityPolicy, EseUser)", "Message Unprotected", "");
            }
            MessageUnprotectInfo messageUnprotectInfo = new MessageUnprotectInfo(normalizeNames, content == null ? new byte[0] : content.getData(), i, date, readSignatureAlgName, str);
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", messageUnprotectInfo);
            }
            return messageUnprotectInfo;
        } catch (Exception e) {
            // Single exit for every failure above. Trace.catchBlock is invoked twice here: once
            // guarded by Trace.isOn and once unconditionally, with slightly different method strings.
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", e);
            }
            Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte[], SecurityPolicy, EseUser)", e);
            AmsErrorMessages.logProtectionException("com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte[], SecurityPolicy, EseUser)", e);
            // Callers always see the same outer error. The specific failure is kept as the cause.
            MessageProtectionException messageProtectionException5 = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_msg_unprotection_failed, e);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unprotect(byte [ ],SecurityPolicy,EseUser)", messageProtectionException5, 11);
            }
            throw messageProtectionException5;
        }
    }

    /**
     * Returns the name of the single digest algorithm listed in a PKCS#7 SignedData.
     *
     * <p>The list must be present, hold exactly one entry, and that entry must be non-null. Each
     * of the three failures raises the same error message but is traced with its own number
     * (1, 2, 3).
     *
     * <p>NOTE(review): the name is read from the SignedData-level digest algorithm list, not from
     * the SignerInfo. The caller compares this value with the policy, so confirm that the
     * verification step uses the same algorithm.
     *
     * @param signedData the parsed SignedData structure
     * @return the value of {@code getName()} on the only listed algorithm
     * @throws MessageProtectionException if the list is null, not of length one, or holds null
     */
    private String readSignatureAlgName(SignedData signedData) throws MessageProtectionException {
        final String cls = "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl";
        final String method = "readSignatureAlgName(SignedData)";
        if (Trace.isOn) {
            Trace.entry(this, cls, method, new Object[]{signedData});
        }
        AlgorithmId[] listed = signedData.getDigestAlgorithms();

        // Work out which check fails, if any; 0 means the list is usable.
        int failedCheck;
        if (listed == null) {
            failedCheck = 1;
        } else if (listed.length != 1) {
            failedCheck = 2;
        } else if (listed[0] == null) {
            failedCheck = 3;
        } else {
            failedCheck = 0;
        }

        if (failedCheck != 0) {
            MessageProtectionException failure = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_getting_sig_algname_from_pkcs7);
            if (Trace.isOn) {
                Trace.throwing(this, cls, method, failure, failedCheck);
            }
            throw failure;
        }

        String algName = listed[0].getName();
        if (Trace.isOn) {
            Trace.exit(this, cls, method, algName);
        }
        return algName;
    }

    /**
     * Returns the content-encryption algorithm name recorded in a PKCS#7 EnvelopedData.
     *
     * <p>Fails with the same error message, traced as 1, 2 or 3, when the encrypted-content
     * section is missing, when it names no algorithm, or when the algorithm name is null or
     * empty. The returned string is whatever {@code AlgorithmId.getName()} yields. The callers in
     * this class compare it against both short names and OID constants.
     *
     * @param envelopedData the parsed EnvelopedData structure
     * @return a non-empty algorithm name
     * @throws IOException declared by the original signature
     * @throws MessageProtectionException if no usable algorithm name is present
     */
    private String readEncryptionAlgorithmName(EnvelopedData envelopedData) throws IOException, MessageProtectionException {
        final String cls = "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl";
        final String method = "readEncryptionAlgorithmName(EnvelopedData)";
        if (Trace.isOn) {
            Trace.entry(this, cls, method, new Object[]{envelopedData});
        }

        // 0 means a usable name was found; otherwise the number of the check that failed.
        int failedCheck = 0;
        String algName = null;
        EncryptedContentInfo encrypted = envelopedData.getEncryptedContentInfo();
        if (encrypted == null) {
            failedCheck = 1;
        } else {
            AlgorithmId contentAlg = encrypted.getContentEncryptionAlgorithm();
            if (contentAlg == null) {
                failedCheck = 2;
            } else {
                algName = contentAlg.getName();
                if (algName == null || algName.length() == 0) {
                    failedCheck = 3;
                }
            }
        }

        if (failedCheck == 0) {
            if (Trace.isOn) {
                Trace.exit(this, cls, method, algName);
            }
            return algName;
        }
        MessageProtectionException failure = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_getting_algname_from_pkcs7);
        if (Trace.isOn) {
            Trace.throwing(this, cls, method, failure, failedCheck);
        }
        throw failure;
    }

    /**
     * Runs the sender-side checks on a SignedData and returns its encapsulated content.
     *
     * <p>Sequence: {@code validateSenderCertificate}, then {@code doVerifySignedData}, then
     * {@code certificateValidator.validateX509Certificate}. All three are applied to the first
     * certificate carried in the SignedData. The content is read only after all three have
     * returned. Exceptions from the first two calls propagate unchanged. Anything thrown from the
     * validator call or from reading the content is replaced by an InvalidCertificateException
     * that names the certificate subject.
     *
     * <p>NOTE(review): when the validator throws InvalidCertificateException, the replacement
     * keeps only {@code getCause()} of the caught exception, so the caught exception and its
     * message are not in the chain. Confirm that this is intended.
     *
     * @param signedData the SignedData to verify; the caller has already required one certificate
     * @param str the normalized sender name; used only in the entry trace
     * @param eseUser the receiving user, passed on to the validation helpers
     * @return the content info encapsulated in {@code signedData}
     * @throws MessageProtectionException declared by the original signature
     * @throws InvalidCertificateException if the validator call or the content read fails
     */
    private ContentInfo verifySignedData(SignedData signedData, String str, EseUser eseUser) throws MessageProtectionException, InvalidCertificateException {
        final String cls = "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl";
        final String method = "verifySignedData(SignedData,String,EseUser)";
        if (Trace.isOn) {
            Trace.entry(this, cls, method, new Object[]{signedData, str, eseUser});
        }
        X509Certificate senderCert = (X509Certificate) signedData.getCertificates()[0];
        validateSenderCertificate(senderCert, eseUser);
        if (Trace.isOn) {
            Trace.traceInfo(this, cls, "verifySignedData(SignedData, String, EseUser)", "Verifying SignedData.", "");
        }
        doVerifySignedData(signedData, senderCert);
        try {
            this.certificateValidator.validateX509Certificate(senderCert, null, null, eseUser);
            ContentInfo inner = signedData.getEncapsulatedContentInfo().getContentInfo();
            if (Trace.isOn) {
                Trace.exit(this, cls, method, inner);
            }
            return inner;
        } catch (InvalidCertificateException certFailure) {
            if (Trace.isOn) {
                Trace.catchBlock(this, cls, method, certFailure, 1);
            }
            HashMap inserts = new HashMap();
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, senderCert.getSubjectDN().getName());
            // Only the cause of the caught exception is carried forward.
            InvalidCertificateException rethrown = new InvalidCertificateException(AmsErrorMessages.mjp_msg_error_failed_to_verify_cert_chain, inserts, certFailure.getCause());
            if (Trace.isOn) {
                Trace.throwing(this, cls, method, rethrown, 1);
            }
            throw rethrown;
        } catch (Exception otherFailure) {
            if (Trace.isOn) {
                Trace.catchBlock(this, cls, method, otherFailure, 2);
            }
            HashMap inserts = new HashMap();
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, senderCert.getSubjectDN().getName());
            InvalidCertificateException rethrown = new InvalidCertificateException(AmsErrorMessages.mjp_msg_error_failed_to_verify_cert_chain, inserts, otherFailure);
            if (Trace.isOn) {
                Trace.throwing(this, cls, method, rethrown, 2);
            }
            throw rethrown;
        }
    }

    /**
     * Writes diagnostic trace lines about a signer: the digest and signature algorithms from the
     * SignerInfo, and whether the SignedData and the SignerInfo each report having the given
     * certificate.
     *
     * <p>The entry and exit records are guarded by {@code Trace.isOn}. The informational lines
     * are not, so they are emitted whenever the method is called. The one visible caller invokes
     * it only when tracing is on.
     *
     * @param signedData the SignedData being inspected
     * @param x509Certificate the certificate looked up in both structures
     * @param signerInfo the SignerInfo whose algorithms are reported
     * @throws IOException declared by the original signature
     */
    private void logSigner(SignedData signedData, X509Certificate x509Certificate, SignerInfo signerInfo) throws IOException {
        final String cls = "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl";
        final String entryExitName = "logSigner(SignedData,X509Certificate,SignerInfo)";
        final String infoName = "logSigner(SignedData, X509Certificate, SignerInfo)";
        if (Trace.isOn) {
            Trace.entry(this, cls, entryExitName, new Object[]{signedData, x509Certificate, signerInfo});
        }

        String digestLine = "The digest algorithm used is " + signerInfo.getDigestAlgorithm();
        Trace.traceInfo(this, cls, infoName, digestLine, "");
        String signatureLine = "The signature algorithm used is " + signerInfo.getSignatureAlgorithm();
        Trace.traceInfo(this, cls, infoName, signatureLine, "");
        Trace.traceInfo(this, cls, infoName, "Checking if SignedData/SignerInfo has the certificate.", "");

        boolean inSignedData = signedData.hasCertificate(x509Certificate);
        if (inSignedData) {
            Trace.traceInfo(this, cls, infoName, "SignedData has certificate ", "");
        }
        boolean inSignerInfo = signerInfo.hasCertificate(x509Certificate);
        if (inSignerInfo) {
            Trace.traceInfo(this, cls, infoName, "SignerInfo has certificate ", "");
        }

        if (Trace.isOn) {
            Trace.exit(this, cls, entryExitName);
        }
    }

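    /**
     * Decrypts a PKCS#7 EnvelopedData addressed to {@code eseUser} and parses the plaintext as
     * SignedData.
     *
     * <p>Steps, as coded: require the user's private key; require at least one recipient entry;
     * rebuild the recipient entries and the encrypted content against the user's provider; pick
     * the first recipient entry that identifies the user's certificate; decrypt that entry's
     * encrypted key with the RSA cipher; choose the content cipher from the algorithm name in the
     * message; decrypt the content; on the PKCS#11 path strip the padding with {@code unpad};
     * wrap the bytes under DER tag 0x30 and parse them as SignedData.
     *
     * <p>An algorithm name that matches none of the supported branches is rejected explicitly.
     * Previously the code fell through and ran the still-configured RSA key cipher over the
     * message content.
     *
     * <p>NOTE(review): DES, RC2 and 3DES are still accepted here. The only policy comparison
     * visible on this page is the {@code validateEncryptionStrength} call in {@code unprotect},
     * which runs only when the policy QOP is greater than 1.
     *
     * @param eseUser the receiving user; supplies the provider, certificate and private key
     * @param x509Certificate the user's certificate as seen by the caller; used only in the entry
     *     trace, because recipient matching calls {@code eseUser.getCertificate()} directly
     * @param envelopedData the parsed EnvelopedData to decrypt
     * @return a ContentInfo wrapping the SignedData parsed from the decrypted bytes
     * @throws IOException declared by the original signature
     * @throws AMBIException if the private key or a matching recipient entry is missing
     *     (rethrown as is), or for any other failure (wrapped as a decryption error)
     */
    private ContentInfo decipher(EseUser eseUser, X509Certificate x509Certificate, EnvelopedData envelopedData) throws IOException, AMBIException {
        byte[] bArr;
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "decipher(EseUser,X509Certificate,EnvelopedData)", new Object[]{eseUser, x509Certificate, envelopedData});
        }
        if (eseUser.getPrivateKey() == null) {
            HashMap hashMap = new HashMap();
            hashMap.put(AmsErrorMessageInserts.AMS_INSERT_CREDENTIAL_ALIAS, eseUser.getKeystoreAlias());
            hashMap.put(AmsErrorMessageInserts.AMS_INSERT_FILENAME, eseUser.getKeyStore().toString());
            MessageProtectionException messageProtectionException = new MessageProtectionException(AmsErrorMessages.mju_user_privatekey_not_found_MessageProtectionException, (HashMap<String, ? extends Object>) hashMap);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "decipher(EseUser,X509Certificate,EnvelopedData)", messageProtectionException, 1);
            }
            throw messageProtectionException;
        }
        if (Trace.isOn) {
            logRecipients(envelopedData);
        }
        try {
            if (envelopedData.getRecipientInfos() == null || envelopedData.getRecipientInfos().length == 0) {
                MessageProtectionException messageProtectionException2 = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_invalid_recipients);
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "decipher(EseUser,X509Certificate,EnvelopedData)", messageProtectionException2, 2);
                }
                throw messageProtectionException2;
            }
            // Rebuild the structure so that its parts are bound to the user's provider.
            RecipientInfo[] copyRecipientInfosWithProvider = copyRecipientInfosWithProvider(envelopedData.getRecipientInfos(), eseUser.getProvider());
            EnvelopedData envelopedData2 = new EnvelopedData(envelopedData.getOriginator(), copyRecipientInfosWithProvider, copyEncryptedContentInfoWithProvider(envelopedData.getEncryptedContentInfo(), eseUser.getProvider()), envelopedData.getUnprotectedAttributes(), eseUser.getProvider());
            // First recipient entry that identifies this user's certificate, if any.
            RecipientInfo recipientInfo = null;
            int i = 0;
            while (true) {
                if (i >= copyRecipientInfosWithProvider.length) {
                    break;
                }
                RecipientInfo recipientInfo2 = copyRecipientInfosWithProvider[i];
                if (recipientInfo2.identifies(eseUser.getCertificate())) {
                    recipientInfo = recipientInfo2;
                    break;
                }
                i++;
            }
            if (recipientInfo == null) {
                HashMap hashMap2 = new HashMap();
                hashMap2.put(AmsErrorMessageInserts.AMS_INSERT_DISTINGUISHED_NAME, eseUser.getUserDN());
                AMBIException aMBIException = new AMBIException(AmsErrorMessages.mjp_msg_error_user_not_in_recipient, (HashMap<String, ? extends Object>) hashMap2);
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "decipher(EseUser,X509Certificate,EnvelopedData)", aMBIException, 3);
                }
                throw aMBIException;
            }
            byte[] encryptedKey = recipientInfo.getEncryptedKey();
            // Mode 2 is Cipher.DECRYPT_MODE. doFinal below holds the recovered content key.
            Cipher cipher = eseUser.getProvider() != null ? Cipher.getInstance(MessageProtectionConstants.ENCRYPTION_RSA, eseUser.getProvider()) : Cipher.getInstance(MessageProtectionConstants.ENCRYPTION_RSA);
            cipher.init(2, eseUser.getPrivateKey());
            byte[] doFinal = cipher.doFinal(encryptedKey);
            byte[] encryptedContent = envelopedData2.getEncryptedContentInfo().getEncryptedContent();
            String readEncryptionAlgorithmName = readEncryptionAlgorithmName(envelopedData2);
            // Each branch replaces the RSA cipher with the content cipher. On the PKCS#11 path
            // the transformation constants are the *_NOPAD ones, and padding is removed after
            // decryption by unpad().
            if (readEncryptionAlgorithmName.equals(MessageProtectionConstants.ENCRYPTION_3DES) || readEncryptionAlgorithmName.equals(MessageProtectionConstants.ENCRYPTION_3DES_CBC_OID)) {
                cipher = isPkcs11(eseUser) ? Cipher.getInstance(TRANSFORMATION_3DES_CBC_NOPAD, eseUser.getProvider()) : eseUser.getProvider() != null ? Cipher.getInstance(readEncryptionAlgorithmName + TRANSFORMATION_CBC_PKCS5, eseUser.getProvider()) : Cipher.getInstance(readEncryptionAlgorithmName + TRANSFORMATION_CBC_PKCS5);
                cipher.init(2, (eseUser.getProvider() != null ? SecretKeyFactory.getInstance(MessageProtectionConstants.ENCRYPTION_3DES, eseUser.getProvider()) : SecretKeyFactory.getInstance(MessageProtectionConstants.ENCRYPTION_3DES)).generateSecret(new DESedeKeySpec(doFinal)), readAlgParameters(envelopedData));
            } else if (readEncryptionAlgorithmName.equals(MessageProtectionConstants.ENCRYPTION_DES) || readEncryptionAlgorithmName.equals(MessageProtectionConstants.ENCRYPTION_DES_CBC_OID)) {
                cipher = isPkcs11(eseUser) ? Cipher.getInstance(TRANSFORMATION_DES_CBC_NOPAD, eseUser.getProvider()) : eseUser.getProvider() != null ? Cipher.getInstance(readEncryptionAlgorithmName + TRANSFORMATION_CBC_PKCS5, eseUser.getProvider()) : Cipher.getInstance(readEncryptionAlgorithmName + TRANSFORMATION_CBC_PKCS5);
                cipher.init(2, (isPkcs11(eseUser) ? SecretKeyFactory.getInstance(MessageProtectionConstants.ENCRYPTION_DES, eseUser.getProvider()) : eseUser.getProvider() != null ? SecretKeyFactory.getInstance(MessageProtectionConstants.ENCRYPTION_DES, eseUser.getProvider()) : SecretKeyFactory.getInstance(MessageProtectionConstants.ENCRYPTION_DES)).generateSecret(new DESKeySpec(doFinal)), readAlgParameters(envelopedData));
            } else if (readEncryptionAlgorithmName.equals(MessageProtectionConstants.ENCRYPTION_AES128_CBC_OID) || readEncryptionAlgorithmName.equals(MessageProtectionConstants.ENCRYPTION_AES256_CBC_OID) || readEncryptionAlgorithmName.equals(MessageProtectionConstants.ENCRYPTION_AES) || readEncryptionAlgorithmName.equals(MessageProtectionConstants.ENCRYPTION_AES128) || readEncryptionAlgorithmName.equals(MessageProtectionConstants.ENCRYPTION_AES256)) {
                cipher = isPkcs11(eseUser) ? Cipher.getInstance(TRANSFORMATION_AES_CBC_NOPAD, eseUser.getProvider()) : eseUser.getProvider() != null ? Cipher.getInstance("AES/CBC/PKCS5Padding", eseUser.getProvider()) : Cipher.getInstance("AES/CBC/PKCS5Padding");
                SecretKey generateSecret = (eseUser.getProvider() != null ? SecretKeyFactory.getInstance(MessageProtectionConstants.ENCRYPTION_AES, eseUser.getProvider()) : SecretKeyFactory.getInstance(MessageProtectionConstants.ENCRYPTION_AES)).generateSecret(new SecretKeySpec(doFinal, MessageProtectionConstants.ENCRYPTION_AES));
                AlgorithmParameters algorithmParameters = eseUser.getProvider() != null ? AlgorithmParameters.getInstance(MessageProtectionConstants.ENCRYPTION_AES, eseUser.getProvider()) : AlgorithmParameters.getInstance(MessageProtectionConstants.ENCRYPTION_AES);
                byte[] readEncodedParameters = readEncodedParameters(envelopedData);
                if (readEncodedParameters != null) {
                    algorithmParameters.init(readEncodedParameters);
                    cipher.init(2, generateSecret, algorithmParameters);
                } else {
                    // No encoded parameters in the message: the cipher is initialised without any.
                    cipher.init(2, generateSecret);
                }
            } else if (readEncryptionAlgorithmName.equals(MessageProtectionConstants.ENCRYPTION_RC2) || readEncryptionAlgorithmName.equals(MessageProtectionConstants.ENCRYPTION_RC2_CBC_OID)) {
                cipher = eseUser.getProvider() != null ? Cipher.getInstance(readEncryptionAlgorithmName + TRANSFORMATION_CBC_PKCS5, eseUser.getProvider()) : Cipher.getInstance(readEncryptionAlgorithmName + TRANSFORMATION_CBC_PKCS5);
                cipher.init(2, (eseUser.getProvider() != null ? SecretKeyFactory.getInstance(readEncryptionAlgorithmName, eseUser.getProvider()) : SecretKeyFactory.getInstance(readEncryptionAlgorithmName)).generateSecret(new SecretKeySpec(doFinal, readEncryptionAlgorithmName)), readAlgParameters(envelopedData));
            } else {
                // Fail closed on an unrecognised algorithm name. Without this branch `cipher`
                // would still be the RSA cipher keyed with the user's private key, and it would
                // be applied to the message content. The catch below wraps this as the usual
                // decryption error.
                throw new NoSuchAlgorithmException(readEncryptionAlgorithmName);
            }
            byte[] doFinal2 = cipher.doFinal(encryptedContent);
            if (isPkcs11(eseUser)) {
                int blockSize = getBlockSize(readEncryptionAlgorithmName);
                if (blockSize == 0) {
                    blockSize = doFinal2.length;
                }
                bArr = unpad(doFinal2, blockSize);
            } else {
                bArr = doFinal2;
            }
            // Wrap the plaintext under DER tag 0x30 (SEQUENCE) so it can be parsed as SignedData.
            DerOutputStream derOutputStream = new DerOutputStream();
            derOutputStream.write((byte) 48, bArr);
            DerValue derValue = new DerValue(derOutputStream.toByteArray());
            derOutputStream.close();
            ContentInfo contentInfo = new ContentInfo(new SignedData(derValue.toByteArray(), eseUser.getProvider()));
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "decipher(EseUser,X509Certificate,EnvelopedData)", contentInfo);
            }
            return contentInfo;
        } catch (AMBIException e) {
            // Errors already expressed in the product's own exception type pass through unchanged.
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "decipher(EseUser,X509Certificate,EnvelopedData)", e, 1);
            }
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "decipher(EseUser,X509Certificate,EnvelopedData)", e, 4);
            }
            throw e;
        } catch (Exception e2) {
            // Every other failure (key unwrap, padding, parsing, unsupported algorithm) leaves
            // as the same decryption error. The specific exception is kept only as the cause.
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "decipher(EseUser,X509Certificate,EnvelopedData)", e2, 2);
            }
            MessageProtectionException messageProtectionException3 = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_msg_decrytion_error, e2);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "decipher(EseUser,X509Certificate,EnvelopedData)", messageProtectionException3, 5);
            }
            throw messageProtectionException3;
        }
    }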

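    /**
     * Removes block padding whose final byte gives the number of padding bytes. This is the
     * PKCS5 scheme that the non-PKCS#11 path in {@code decipher} asks the cipher itself to handle.
     *
     * <p>An empty buffer is returned unchanged. Otherwise the pad length is read from the last
     * byte as an unsigned value and must be at least 1, no larger than the block size (when the
     * block size is positive) and smaller than the buffer length. Every padding byte must equal
     * the pad length.
     *
     * <p>Changes from the earlier behaviour: a last byte of 0x80 or above was read as a negative
     * number and ended in an ArrayIndexOutOfBoundsException; a last byte of 0 and padding bytes
     * that disagree with the pad length were accepted. All three now raise BadPaddingException,
     * matching what a padding-aware cipher reports.
     *
     * @param bArr the decrypted bytes, padding included
     * @param i the cipher block size in bytes; values of 0 or less disable the block-size check
     * @return the bytes with the padding removed, or {@code bArr} itself when it is empty
     * @throws BadPaddingException if the padding is malformed
     */
    private byte[] unpad(byte[] bArr, int i) throws BadPaddingException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unpad(byte [ ],int)", new Object[]{bArr, Integer.valueOf(i)});
        }
        if (bArr.length == 0) {
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unpad(byte [ ],int)", bArr, 1);
            }
            return bArr;
        }
        // Java bytes are signed; mask so that values 0x80..0xFF are treated as 128..255.
        int padLength = bArr[bArr.length - 1] & 0xFF;
        if (i > 0 && padLength > i) {
            BadPaddingException badPaddingException = new BadPaddingException("last is " + padLength + " whereas blockSize is " + i);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unpad(byte [ ],int)", badPaddingException, 1);
            }
            throw badPaddingException;
        }
        if (bArr.length - padLength <= 0) {
            BadPaddingException badPaddingException2 = new BadPaddingException("last is " + padLength + " whereas buffer length is " + bArr.length);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unpad(byte [ ],int)", badPaddingException2, 2);
            }
            throw badPaddingException2;
        }
        // A pad length of zero never occurs in this scheme. Fold all padding bytes into a single
        // mismatch flag so that one check covers the whole padding run.
        int mismatch = padLength == 0 ? 1 : 0;
        for (int k = bArr.length - padLength; k < bArr.length; k++) {
            mismatch |= (bArr[k] & 0xFF) ^ padLength;
        }
        if (mismatch != 0) {
            BadPaddingException badPaddingException3 = new BadPaddingException("padding bytes are inconsistent with last byte " + padLength);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unpad(byte [ ],int)", badPaddingException3, 3);
            }
            throw badPaddingException3;
        }
        byte[] bArr2 = new byte[bArr.length - padLength];
        System.arraycopy(bArr, 0, bArr2, 0, bArr2.length);
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "unpad(byte [ ],int)", bArr2, 2);
        }
        return bArr2;
    }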

    /**
     * Returns the encoded parameters of the envelope's content-encryption algorithm.
     *
     * @param envelopedData envelope whose content-encryption algorithm is looked up
     * @return whatever {@code getEncodedParams()} yields for that algorithm identifier
     * @throws IOException declared for the underlying PKCS#7 accessors
     * @throws MessageProtectionException if the envelope carries no content-encryption algorithm
     */
    private byte[] readEncodedParameters(EnvelopedData envelopedData) throws IOException, MessageProtectionException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "readEncodedParameters(EnvelopedData)", new Object[]{envelopedData});
        }
        // The null check on the algorithm identifier lives in readContentAlgId.
        final AlgorithmId contentAlg = readContentAlgId(envelopedData);
        final byte[] rawParams = contentAlg.getEncodedParams();
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "readEncodedParameters(EnvelopedData)", rawParams);
        }
        return rawParams;
    }

    /**
     * Fetches the content-encryption algorithm identifier from an envelope, refusing a missing one.
     *
     * @param envelopedData envelope to read from
     * @return the non-null algorithm identifier of the encrypted content
     * @throws IOException declared for the underlying PKCS#7 accessors
     * @throws MessageProtectionException if the encrypted content info reports no algorithm
     */
    private AlgorithmId readContentAlgId(EnvelopedData envelopedData) throws IOException, MessageProtectionException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "readContentAlgId(EnvelopedData)", new Object[]{envelopedData});
        }
        final AlgorithmId algId = envelopedData.getEncryptedContentInfo().getContentEncryptionAlgorithm();
        if (algId == null) {
            // Fail closed: an envelope without a declared algorithm is rejected, not defaulted.
            MessageProtectionException missingAlg = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_getting_algname_from_pkcs7);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "readContentAlgId(EnvelopedData)", missingAlg);
            }
            throw missingAlg;
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "readContentAlgId(EnvelopedData)", algId);
        }
        return algId;
    }

    /**
     * Returns the decoded parameters of the envelope's content-encryption algorithm.
     *
     * @param envelopedData envelope whose content-encryption algorithm is looked up
     * @return whatever {@code getAlgParameters()} yields for that algorithm identifier; not
     *     null-checked here
     * @throws IOException declared for the underlying PKCS#7 accessors
     * @throws MessageProtectionException if the envelope carries no content-encryption algorithm
     */
    private AlgorithmParameters readAlgParameters(EnvelopedData envelopedData) throws IOException, MessageProtectionException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "readAlgParameters(EnvelopedData)", new Object[]{envelopedData});
        }
        final AlgorithmId contentAlg = readContentAlgId(envelopedData);
        final AlgorithmParameters decodedParams = contentAlg.getAlgParameters();
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "readAlgParameters(EnvelopedData)", decodedParams);
        }
        return decodedParams;
    }

    /**
     * Rebuilds an {@code EncryptedContentInfo} so that it and its algorithm identifier are
     * constructed with the given string argument.
     *
     * @param encryptedContentInfo source object; its content type, algorithm OID, encoded
     *     algorithm parameters and encrypted content are carried over
     * @param str passed as the last constructor argument of both new objects (presumably a JCE
     *     provider name, going by the method name - confirm against the IBM PKCS classes)
     * @return the newly constructed copy
     * @throws IOException declared for the underlying PKCS#7 accessors
     * @throws MessageProtectionException if the source has no content-encryption algorithm
     */
    private EncryptedContentInfo copyEncryptedContentInfoWithProvider(EncryptedContentInfo encryptedContentInfo, String str) throws IOException, MessageProtectionException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "copyEncryptedContentInfoWithProvider(EncryptedContentInfo,String)", new Object[]{encryptedContentInfo, str});
        }
        final AlgorithmId sourceAlg = encryptedContentInfo.getContentEncryptionAlgorithm();
        if (sourceAlg == null) {
            MessageProtectionException missingAlg = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_getting_algname_from_pkcs7);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "copyEncryptedContentInfoWithProvider(EncryptedContentInfo,String)", missingAlg);
            }
            throw missingAlg;
        }
        // Parameters are optional; an algorithm without any is copied with a null encoding.
        byte[] encodedParams = null;
        if (sourceAlg.getAlgParameters() != null) {
            encodedParams = sourceAlg.getAlgParameters().getEncoded();
        }
        final AlgorithmId copiedAlg = new AlgorithmId(sourceAlg.getOID(), encodedParams, str);
        final EncryptedContentInfo copy = new EncryptedContentInfo(encryptedContentInfo.getContentType(), copiedAlg, encryptedContentInfo.getEncryptedContent(), str);
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "copyEncryptedContentInfoWithProvider(EncryptedContentInfo,String)", copy);
        }
        return copy;
    }

    /**
     * Rebuilds every {@code RecipientInfo} in an array with the given string as the last
     * constructor argument.
     *
     * @param recipientInfoArr source recipients; each one's recipient identifier, entity
     *     identifier, key-encryption algorithm and encrypted key are carried over
     * @param str passed as the last constructor argument (presumably a JCE provider name, going
     *     by the method name - confirm against the IBM PKCS classes)
     * @return a new array of the same length, in the same order
     * @throws IOException declared for the underlying PKCS#7 accessors
     */
    private RecipientInfo[] copyRecipientInfosWithProvider(RecipientInfo[] recipientInfoArr, String str) throws IOException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "copyRecipientInfosWithProvider(RecipientInfo [ ],String)", new Object[]{recipientInfoArr, str});
        }
        final RecipientInfo[] copies = new RecipientInfo[recipientInfoArr.length];
        int slot = 0;
        for (RecipientInfo source : recipientInfoArr) {
            copies[slot] = new RecipientInfo(source.getRecipientIdentifier(), source.getEntityIdentifier(), source.getKeyEncryptionAlgorithm(), source.getEncryptedKey(), str);
            slot++;
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "copyRecipientInfosWithProvider(RecipientInfo [ ],String)", copies);
        }
        return copies;
    }

    /**
     * Verifies a PKCS#7 {@code SignedData} against one certificate and throws on any failure.
     *
     * <p>This method only asks {@code signedData.verify(...)} whether the signature matches the
     * supplied certificate; it does not itself validate the certificate.
     *
     * @param signedData signed structure to verify
     * @param x509Certificate certificate handed to {@code verify}
     * @throws MessageProtectionException if verification returns false or throws
     */
    private void doVerifySignedData(SignedData signedData, X509Certificate x509Certificate) throws MessageProtectionException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "doVerifySignedData(SignedData,X509Certificate)", new Object[]{signedData, x509Certificate});
        }
        try {
            final boolean signatureMatches = signedData.verify(x509Certificate);
            if (!signatureMatches) {
                if (Trace.isOn) {
                    Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "doVerifySignedData(SignedData, X509Certificate)", "SignedData NOT verified with public key from certificate ", x509Certificate);
                }
                MessageProtectionException mismatch = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_failed_to_verify_msg_signature, (HashMap<String, ? extends Object>) new HashMap());
                if (Trace.isOn) {
                    Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "doVerifySignedData(SignedData,X509Certificate)", mismatch, 1);
                }
                // Thrown inside the try, so the broad catch below intercepts it and wraps it again.
                throw mismatch;
            }
            if (Trace.isOn) {
                Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "doVerifySignedData(SignedData, X509Certificate)", "SignedData verified with public key from certificate ", x509Certificate);
            }
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "doVerifySignedData(SignedData,X509Certificate)");
            }
        } catch (Exception e) {
            // Every failure, including the mismatch raised above, leaves as the same error code
            // with the original exception attached as the cause.
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "doVerifySignedData(SignedData,X509Certificate)", e);
            }
            MessageProtectionException wrapped = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_failed_to_verify_msg_signature, new HashMap(), e);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "doVerifySignedData(SignedData,X509Certificate)", wrapped, 2);
            }
            throw wrapped;
        }
    }

    /**
     * Runs the configured certificate validator on a recipient certificate with the recipient
     * key-usage constants, and reports any failure under the certificate's subject name.
     *
     * @param x509Certificate recipient certificate to validate
     * @param eseUser user context forwarded to the validator
     * @throws InvalidCertificateException if the validator rejects the certificate or fails
     *     with any other exception
     */
    private void validateRecipientCertificate(X509Certificate x509Certificate, EseUser eseUser) throws InvalidCertificateException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateRecipientCertificate(X509Certificate,EseUser)", new Object[]{x509Certificate, eseUser});
        }
        try {
            this.certificateValidator.validateX509Certificate(x509Certificate, X509CertificateValidator.RECIPIENT_KEY_USAGE, X509CertificateValidator.RECIPIENT_KEY_USAGE_MATCH, eseUser);
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateRecipientCertificate(X509Certificate,EseUser)");
            }
        } catch (InvalidCertificateException rejected) {
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateRecipientCertificate(X509Certificate,EseUser)", rejected, 1);
            }
            HashMap inserts = new HashMap();
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, x509Certificate.getSubjectDN().getName());
            // The new exception is chained to rejected.getCause(), not to the validator's
            // exception itself, so that object does not appear in the resulting cause chain.
            InvalidCertificateException notValid = new InvalidCertificateException(AmsErrorMessages.mjp_msg_error_msg_recipient_cert_not_valid, inserts, rejected.getCause());
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateRecipientCertificate(X509Certificate,EseUser)", notValid, 1);
            }
            throw notValid;
        } catch (Exception unexpected) {
            // Fail closed: any other validator failure is also reported as an invalid certificate.
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateRecipientCertificate(X509Certificate,EseUser)", unexpected, 2);
            }
            if (Trace.isOn) {
                // The trace text says "sender's" although this path validates a recipient certificate.
                Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateRecipientCertificate(X509Certificate, EseUser)", "caught exception while validating sender's certificate", "");
            }
            HashMap inserts = new HashMap();
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, x509Certificate.getSubjectDN().getName());
            InvalidCertificateException notValid = new InvalidCertificateException(AmsErrorMessages.mjp_msg_error_msg_recipient_cert_not_valid, inserts, unexpected);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateRecipientCertificate(X509Certificate,EseUser)", notValid, 2);
            }
            throw notValid;
        }
    }

    /**
     * Writes a one-string summary of an envelope's recipients to the trace.
     *
     * <p>For each recipient the summary lists version, serial number (hex), issuer name, entity
     * identifier and key-encryption algorithm. The summary is assembled and passed to
     * {@code Trace.traceInfo} whether or not {@code Trace.isOn} is set; only the entry and exit
     * calls are guarded.
     *
     * @param envelopedData envelope whose recipient infos are summarised
     * @throws IOException declared for the underlying PKCS#7 accessors
     */
    private void logRecipients(EnvelopedData envelopedData) throws IOException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "logRecipients(EnvelopedData)", new Object[]{envelopedData});
        }
        final RecipientInfo[] recipients = envelopedData.getRecipientInfos();
        final StringBuilder summary = new StringBuilder("INFO: ");
        summary.append(recipients.length);
        summary.append(" recipients;\n");
        for (int index = 0; index < recipients.length; index++) {
            final RecipientInfo recipient = recipients[index];
            final int ordinal = index + 1; // recipients are numbered from 1 in the output
            IssuerAndSerialNumber issuerAndSerial = recipient.getRecipientIdentifier();
            AlgorithmId keyAlg = recipient.getKeyEncryptionAlgorithm();
            summary.append("[").append(ordinal).append("] version: ").append(recipient.getVersion());
            summary.append(" [").append(ordinal).append("] recipient serial number: ").append(issuerAndSerial.getSerialNumber().toString(16));
            summary.append("[").append(ordinal).append("] issuer name: ").append(issuerAndSerial.getIssuer().getName());
            summary.append(" [").append(ordinal).append("] originator info: ").append(recipient.getEntityIdentifier());
            summary.append(" [").append(ordinal).append("] key encryption algorithm: ").append(keyAlg);
        }
        Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "logRecipients(EnvelopedData)", summary.toString(), "");
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "logRecipients(EnvelopedData)");
        }
    }

    /**
     * Rejects content that is not enveloped when the policy's quality of protection is 2.
     *
     * <p>For any other QOP value the content is not inspected at all.
     *
     * @param securityPolicy policy whose {@code getQop()} value is compared with 2
     * @param contentInfo received content, asked whether it is enveloped data
     * @throws IllegalProtectionTypeException if the policy QOP is 2 and the content is not
     *     enveloped data
     */
    private void validateEnvelopedQop(SecurityPolicy securityPolicy, ContentInfo contentInfo) throws IllegalProtectionTypeException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateEnvelopedQop(SecurityPolicy,ContentInfo)", new Object[]{securityPolicy, contentInfo});
        }
        // presumably 2 is the encrypting QOP level - confirm against MessageProtectionConstants
        final boolean downgraded = securityPolicy.getQop() == 2 && !contentInfo.isEnvelopedData();
        if (downgraded) {
            HashMap inserts = new HashMap();
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_EXPECTED_QUALITY_OF_PROTECTION, MessageProtectionConstants.QOP_NAMES[2]);
            // The "actual" QOP insert is always QOP_NAMES[1]; it is not derived from contentInfo.
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_QUALITY_OF_PROTECTION, MessageProtectionConstants.QOP_NAMES[1]);
            IllegalProtectionTypeException mismatch = new IllegalProtectionTypeException(AmsErrorMessages.mjp_msg_error_qop_mismatch, inserts);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateEnvelopedQop(SecurityPolicy,ContentInfo)", mismatch);
            }
            throw mismatch;
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateEnvelopedQop(SecurityPolicy,ContentInfo)");
        }
    }

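    /**
     * Checks that the encryption algorithm found on a message is at least as strong as the one
     * named by the policy.
     *
     * <p>Reconstructed from decompiler output that was not valid Java (integers assigned to
     * {@code boolean} locals, duplicated {@code case true} labels). The grouping of algorithm
     * names into ranks follows the decompiler's case order and should be confirmed against the
     * bytecode.
     *
     * <p>The check is relative to the policy only: there is no absolute floor, so a policy that
     * names DES or RC2 lets messages encrypted with DES or RC2 through.
     *
     * @param str algorithm found on the message (reported as the actual strength on failure)
     * @param str2 algorithm named by the policy (reported as the expected strength on failure)
     * @throws MessageProtectionException if either name is not one of the recognised algorithms,
     *     or the message algorithm ranks below the policy algorithm
     */
    private void validateEncryptionStrength(String str, String str2) throws MessageProtectionException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateEncryptionStrength(String,String)", new Object[]{str, str2});
        }
        boolean acceptable = false;
        int requiredRank = encryptionStrengthRank(str2);
        // The message algorithm is only examined when the policy algorithm is a recognised one.
        if (requiredRank > 0) {
            acceptable = encryptionStrengthRank(str) >= requiredRank;
        }
        if (acceptable) {
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateEncryptionStrength(String,String)");
            }
        } else {
            HashMap hashMap = new HashMap();
            hashMap.put(AmsErrorMessageInserts.AMS_INSERT_EXPECTED_ENCRYPTION_STRENGTH, str2.length() == 0 ? "NONE" : str2);
            hashMap.put(AmsErrorMessageInserts.AMS_INSERT_ENCRYPTION_STRENGTH, str);
            MessageProtectionException messageProtectionException = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_encryption_strength_mismatch, (HashMap<String, ? extends Object>) hashMap);
            if (Trace.isOn) {
                Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateEncryptionStrength(String,String)", messageProtectionException);
            }
            throw messageProtectionException;
        }
    }

    /**
     * Maps an encryption algorithm name or OID string to its strength rank.
     *
     * @param algorithm name or OID string; must not be null
     * @return 5 for AES-256, 4 for AES-128, 3 for 3DES, 2 for DES, 1 for RC2, 0 if unrecognised
     */
    private int encryptionStrengthRank(String algorithm) {
        if (algorithm.equals(MessageProtectionConstants.ENCRYPTION_AES256_CBC_OID) || algorithm.equals(MessageProtectionConstants.ENCRYPTION_AES256)) {
            return 5;
        }
        if (algorithm.equals(MessageProtectionConstants.ENCRYPTION_AES128_CBC_OID) || algorithm.equals(MessageProtectionConstants.ENCRYPTION_AES128)) {
            return 4;
        }
        if (algorithm.equals(MessageProtectionConstants.ENCRYPTION_3DES_CBC_OID) || algorithm.equals(MessageProtectionConstants.ENCRYPTION_3DES)) {
            return 3;
        }
        if (algorithm.equals(MessageProtectionConstants.ENCRYPTION_DES_CBC_OID) || algorithm.equals(MessageProtectionConstants.ENCRYPTION_DES)) {
            return 2;
        }
        if (algorithm.equals(MessageProtectionConstants.ENCRYPTION_RC2_CBC_OID) || algorithm.equals(MessageProtectionConstants.ENCRYPTION_RC2)) {
            return 1;
        }
        return 0;
    }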

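    /**
     * Checks that the signature algorithm found on a message is at least as strong as the one
     * named by the policy.
     *
     * <p>Reconstructed from decompiler output that was not valid Java (integers assigned to
     * {@code boolean} locals, duplicated {@code case true} labels). The grouping of algorithm
     * names into ranks follows the decompiler's case order and should be confirmed against the
     * bytecode.
     *
     * <p>The check is relative to the policy only: there is no absolute floor, so a policy that
     * names MD5 or SHA-1 lets messages signed with MD5 or SHA-1 through.
     *
     * @param str algorithm found on the message (reported in the error insert on failure)
     * @param str2 algorithm named by the policy
     * @throws MessageProtectionException if either name is not one of the recognised algorithms,
     *     or the message algorithm ranks below the policy algorithm
     */
    private void validateSignatureAlg(String str, String str2) throws MessageProtectionException {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSignatureAlg(String,String)", new Object[]{str, str2});
        }
        boolean acceptable = false;
        int requiredRank = signatureAlgRank(str2);
        // The message algorithm is only examined when the policy algorithm is a recognised one.
        if (requiredRank > 0) {
            acceptable = signatureAlgRank(str) >= requiredRank;
        }
        if (acceptable) {
            if (Trace.isOn) {
                Trace.exit(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSignatureAlg(String,String)");
            }
            return;
        }
        if (Trace.isOn) {
            Trace.traceInfo(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSignatureAlg(String, String)", "Signature algorithm '" + str + "' does not match policy settings '" + str2 + "'", "");
        }
        HashMap hashMap = new HashMap();
        hashMap.put(AmsErrorMessageInserts.AMS_INSERT_SIGNATURE_ALGORITHM, str);
        MessageProtectionException messageProtectionException = new MessageProtectionException(AmsErrorMessages.mjp_msg_error_invalid_signature_algorithm, (HashMap<String, ? extends Object>) hashMap);
        if (Trace.isOn) {
            Trace.throwing(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "validateSignatureAlg(String,String)", messageProtectionException);
        }
        throw messageProtectionException;
    }

    /**
     * Maps a signature or digest algorithm name or OID string to its strength rank.
     *
     * @param algorithm name or OID string; must not be null
     * @return 6 for SHA-512, 5 for SHA-384, 4 for SHA-256, 2 for SHA-1, 1 for MD5, 0 if
     *     unrecognised (no visible algorithm maps to 3)
     */
    private int signatureAlgRank(String algorithm) {
        if (algorithm.equals(MessageProtectionConstants.SHA512_WITH_RSAENCRYPTION_OID) || algorithm.equals(MessageProtectionConstants.SHA512_WITH_RSAENCRYPTION) || algorithm.equals(DIGEST_ALG_SHA512)) {
            return 6;
        }
        if (algorithm.equals(MessageProtectionConstants.SHA384_WITH_RSAENCRYPTION_OID) || algorithm.equals(MessageProtectionConstants.SHA384_WITH_RSAENCRYPTION) || algorithm.equals(DIGEST_ALG_SHA384)) {
            return 5;
        }
        if (algorithm.equals(MessageProtectionConstants.SHA256_WITH_RSAENCRYPTION_OID) || algorithm.equals(MessageProtectionConstants.SHA256_WITH_RSAENCRYPTION) || algorithm.equals(DIGEST_ALG_SHA256)) {
            return 4;
        }
        if (algorithm.equals(MessageProtectionConstants.SHA1_WITH_RSAENCRYPTION_OID) || algorithm.equals(MessageProtectionConstants.SHA1_WITH_RSAENCRYPTION) || algorithm.equals(DIGEST_ALG_SHA)) {
            return 2;
        }
        if (algorithm.equals(MessageProtectionConstants.MD5_WITH_RSAENCRYPTION_OID) || algorithm.equals(MessageProtectionConstants.MD5_WITH_RSAENCRYPTION) || algorithm.equals(DIGEST_ALG_MD5)) {
            return 1;
        }
        return 0;
    }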

    /**
     * Replaces the certificate validator held by this instance.
     *
     * <p>No null check is made here; the value is stored as given.
     *
     * @param x509CertificateValidator validator to store in {@code certificateValidator}
     */
    public void setCertificateValidator(X509CertificateValidator x509CertificateValidator) {
        final boolean tracing = Trace.isOn;
        if (tracing) {
            Trace.data(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "setCertificateValidator(X509CertificateValidator)", "setter", x509CertificateValidator);
        }
        this.certificateValidator = x509CertificateValidator;
    }

    /**
     * Reports this implementation as valid.
     *
     * @return always {@code true}; no state is consulted
     */
    @Override // com.ibm.mq.ese.prot.MessageProtection
    public boolean isValid() {
        if (Trace.isOn) {
            Trace.data(this, "com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "isValid()", "getter", true);
        }
        return true;
    }

    // Class initialiser: records the class's SCCS id in the trace when tracing is enabled.
    static {
        final boolean tracing = Trace.isOn;
        if (tracing) {
            Trace.data("com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl", "static", "SCCS id", (Object) sccsid);
        }
    }
}
