package org.jscep.transaction;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.CertStore;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.jscep.asn1.IssuerAndSubject;
import org.jscep.content.CertRepContentHandler;
import org.jscep.message.CertRep;
import org.jscep.message.GetCertInitial;
import org.jscep.message.PKCSReq;
import org.jscep.message.PkiMessage;
import org.jscep.message.PkiMessageDecoder;
import org.jscep.message.PkiMessageEncoder;
import org.jscep.transaction.Transaction;
import org.jscep.transport.Transport;
import org.jscep.util.LoggingUtil;
import org.jscep.x509.X509Util;
import org.slf4j.Logger;

/* loaded from: input_file:org/jscep/transaction/EnrolmentTransaction.class */
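public class EnrolmentTransaction extends Transaction {
    private static final Logger LOGGER = LoggingUtil.getLogger(EnrolmentTransaction.class);
    /**
     * History of response senderNonces seen so far. It is static, so the replay
     * check in {@link #validateExchange} spans every enrolment transaction in
     * this JVM; the constructor argument (20) presumably bounds how many nonces
     * are remembered — confirm against NonceQueue.
     */
    private static final NonceQueue QUEUE = new NonceQueue(20);

    /** Transaction ID derived from the SHA-1 fingerprint of the CSR public key. */
    private final TransactionId transId;
    /** The initial PKCSReq message; also reused by {@link #poll()} for the subject name. */
    private final PKCSReq request;
    /** CA certificate whose subject is sent in GetCertInitial; must be set before {@link #poll()}. */
    private X509Certificate issuer;

    /**
     * Creates an enrolment transaction for the given certification request.
     *
     * @param transport             transport used to reach the SCEP server
     * @param pkiMessageEncoder     encoder that signs/envelopes outgoing messages
     * @param pkiMessageDecoder     decoder for CertRep responses
     * @param certificationRequest  the CSR to enrol
     * @throws IOException if the transaction ID or request cannot be built
     */
    public EnrolmentTransaction(Transport transport, PkiMessageEncoder pkiMessageEncoder, PkiMessageDecoder pkiMessageDecoder, CertificationRequest certificationRequest) throws IOException {
        super(transport, pkiMessageEncoder, pkiMessageDecoder);
        // SCEP ties the transaction to the CSR public key; SHA-1 is the fingerprint digest used here.
        this.transId = TransactionId.createTransactionId(X509Util.getPublicKey(certificationRequest), "SHA-1");
        // A fresh senderNonce is generated per message so the response can be bound to it.
        this.request = new PKCSReq(this.transId, Nonce.nextNonce(), certificationRequest);
    }

    /** @return the transaction ID shared by every message of this enrolment */
    @Override // org.jscep.transaction.Transaction
    public TransactionId getId() {
        return this.transId;
    }

    /**
     * Sends the initial PKCSReq and updates this transaction from the CertRep.
     *
     * @return the resulting state (issued, pending, or non-existent on failure)
     * @throws IOException on transport failure, a transaction ID mismatch, a nonce
     *                     mismatch, or a replayed response
     */
    @Override // org.jscep.transaction.Transaction
    public Transaction.State send() throws IOException {
        CMSSignedData encoded = this.encoder.encode(this.request);
        LOGGER.debug("Sending {}", encoded);
        CMSSignedData raw = (CMSSignedData) this.transport.sendRequest(new org.jscep.request.PKCSReq(encoded, new CertRepContentHandler()));
        LOGGER.debug("Received response {}", raw);
        CertRep certRep = (CertRep) this.decoder.decode(raw);
        validateExchange(this.request, certRep);
        LOGGER.debug("Response: {}", certRep);
        return applyResponse(certRep);
    }

    /**
     * Polls the CA with a GetCertInitial message for a previously pending request.
     *
     * @return the resulting state after this poll
     * @throws IllegalStateException if {@link #setIssuer} has not been called
     * @throws IOException on transport failure or a failed exchange validation
     */
    public Transaction.State poll() throws IOException {
        // The issuer name is mandatory in IssuerAndSubject; fail clearly rather than with an NPE.
        if (this.issuer == null) {
            throw new IllegalStateException("Issuer certificate must be set via setIssuer() before polling");
        }
        CertificationRequest csr = (CertificationRequest) this.request.getMessageData();
        IssuerAndSubject issuerAndSubject = new IssuerAndSubject(
                X509Util.toX509Name(this.issuer.getSubjectX500Principal()),
                csr.getCertificationRequestInfo().getSubject());
        GetCertInitial getCertInitial = new GetCertInitial(this.transId, Nonce.nextNonce(), issuerAndSubject);
        CMSSignedData raw = (CMSSignedData) this.transport.sendRequest(
                new org.jscep.request.PKCSReq(this.encoder.encode(getCertInitial), new CertRepContentHandler()));
        CertRep certRep = (CertRep) this.decoder.decode(raw);
        validateExchange(getCertInitial, certRep);
        return applyResponse(certRep);
    }

    /**
     * Maps the CertRep pkiStatus onto this transaction's state, storing failInfo or
     * the issued certificates as appropriate. Shared by {@link #send()} and {@link #poll()}.
     *
     * @param certRep an already validated response
     * @return the new state
     * @throws IOException if the certificates cannot be extracted from a SUCCESS response
     */
    private Transaction.State applyResponse(CertRep certRep) throws IOException {
        PkiStatus status = certRep.getPkiStatus();
        if (status == PkiStatus.FAILURE) {
            this.failInfo = certRep.getFailInfo();
            this.state = Transaction.State.CERT_NON_EXISTANT;
        } else if (status == PkiStatus.SUCCESS) {
            this.certStore = extractCertStore(certRep);
            this.state = Transaction.State.CERT_ISSUED;
        } else {
            // Anything other than FAILURE/SUCCESS is treated as "still pending".
            this.state = Transaction.State.CERT_REQ_PENDING;
        }
        return this.state;
    }

    /**
     * Pulls the certificates (and CRLs) out of the CMS SignedData of a SUCCESS response.
     *
     * @param certRep the response carrying the issued certificate chain
     * @return a "Collection" CertStore built from the SignedData
     * @throws IOException wrapping any CMS or security-provider failure
     */
    private CertStore extractCertStore(CertRep certRep) throws IOException {
        try {
            // (String) null selects the provider-name overload.
            return certRep.getCMSSignedData().getCertificatesAndCRLs("Collection", (String) null);
        } catch (CMSException e) {
            throw new IOException(e);
        } catch (GeneralSecurityException e) {
            throw new IOException(e);
        }
    }

    /**
     * Checks that a CertRep actually answers the given request: same transaction ID,
     * recipientNonce equal to the request's senderNonce, and a response senderNonce
     * not seen before (replay detection).
     *
     * @param pkiMessage the request that was sent
     * @param certRep    the response received
     * @throws IOException           on a transaction ID mismatch (or a missing ID)
     * @throws InvalidNonceException on a nonce mismatch or a replayed senderNonce
     */
    private void validateExchange(PkiMessage<?> pkiMessage, CertRep certRep) throws IOException {
        LOGGER.debug("Validating SCEP message exchange");
        TransactionId responseId = certRep.getTransactionId();
        if (responseId == null || !responseId.equals(pkiMessage.getTransactionId())) {
            throw new IOException("Transaction ID Mismatch");
        }
        LOGGER.debug("Matched transaction IDs");
        // A null recipientNonce is treated as a mismatch instead of surfacing as an NPE.
        if (certRep.getRecipientNonce() == null || !certRep.getRecipientNonce().equals(pkiMessage.getSenderNonce())) {
            throw new InvalidNonceException("Response recipient nonce and request sender nonce are not equal");
        }
        LOGGER.debug("Matched request senderNonce and response recipientNonce");
        if (certRep.getSenderNonce() == null) {
            // Tolerated, but without a senderNonce the replay check below cannot run
            // for this response.
            LOGGER.warn("Response senderNonce is null");
        } else {
            if (QUEUE.contains(certRep.getSenderNonce())) {
                throw new InvalidNonceException("This nonce has been encountered before.  Possible replay attack?");
            }
            QUEUE.offer(certRep.getSenderNonce());
            LOGGER.debug("Nonce has not been encountered before");
        }
        LOGGER.debug("SCEP message exchange validated successfully");
    }

    /**
     * Sets the CA (issuer) certificate whose subject name is used when polling.
     *
     * @param x509Certificate the issuer certificate; required before {@link #poll()}
     */
    public void setIssuer(X509Certificate x509Certificate) {
        this.issuer = x509Certificate;
    }
}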
