package org.jscep.client;

import java.io.IOException;
import java.net.Proxy;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.jscep.FingerprintVerificationCallback;
import org.jscep.request.GetCACaps;
import org.jscep.request.GetCACert;
import org.jscep.request.GetNextCACert;
import org.jscep.response.Capabilities;
import org.jscep.transaction.Transaction;
import org.jscep.transport.Transport;
import org.jscep.util.LoggingUtil;

/* loaded from: input_file:org/jscep/client/Client.class */
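/**
 * SCEP client bound to a single CA endpoint.
 * <p>
 * Instances are created through {@link Builder}. Every certificate chain fetched
 * from the CA is checked before use: the selected CA certificate is digested and
 * handed to a {@link CallbackHandler} as a {@link FingerprintVerificationCallback};
 * unless the caller supplies its own handler, the built-in handler accepts the
 * certificate only when the digest equals the fingerprint configured via
 * {@link Builder#caFingerprint(byte[], String)}. Accepted certificates are
 * remembered so the check runs once per certificate, and GetCACaps responses are
 * cached per CA identifier.
 * <p>
 * The caches are plain {@link HashMap}/{@link HashSet} instances with no
 * synchronization, so a {@code Client} should be confined to one thread.
 */
public class Client {
    private static final Logger LOGGER = LoggingUtil.getLogger(Client.class);

    // GetCACaps responses keyed by CA identifier (a null identifier is a valid key).
    private final Map<String, Capabilities> capabilitiesCache;
    // CA certificates whose fingerprint has already been accepted by the handler.
    private final Set<X509Certificate> verified;
    // Overrides for the algorithms otherwise chosen from the CA's capabilities.
    private String preferredDigestAlg;
    private String preferredCipherAlg;
    private final URL url;
    private final Proxy proxy;
    private final String caIdentifier;
    private final KeyPair keyPair;
    private final X509Certificate identity;
    // Expected digest of the DER-encoded CA certificate, and the JCA name of the
    // digest algorithm it was computed with; both may be null when the caller
    // supplies its own CallbackHandler.
    private final byte[] fingerprint;
    private final String hashAlgorithm;
    private final CallbackHandler callbackHandler;

    /**
     * Collects the settings for a {@link Client}; {@link #build()} validates them.
     */
    public static class Builder {
        private URL url;
        private Proxy proxy = Proxy.NO_PROXY;
        private byte[] fingerprint;
        private String hashAlgorithm;
        private String caIdentifier;
        private X509Certificate identity;
        private KeyPair keyPair;
        private CallbackHandler callbackHandler;

        /**
         * Sets the SCEP endpoint. It must be an {@code http} or {@code https} URL
         * whose path ends in {@code pkiclient.exe} and that has no query or fragment.
         */
        public Builder url(URL url) {
            this.url = url;
            return this;
        }

        /**
         * Sets the proxy used for every request; {@code null} is treated as
         * {@link Proxy#NO_PROXY}, which is also the default.
         */
        public Builder proxy(Proxy proxy) {
            this.proxy = proxy;
            return this;
        }

        /**
         * Sets the fingerprint the CA certificate must match.
         *
         * @param fingerprint digest of the DER-encoded CA certificate
         * @param hashAlgorithm JCA digest algorithm name the fingerprint was computed with
         */
        public Builder caFingerprint(byte[] fingerprint, String hashAlgorithm) {
            this.fingerprint = fingerprint;
            this.hashAlgorithm = hashAlgorithm;
            return this;
        }

        /** Sets the CA identifier sent with every request; may stay {@code null}. */
        public Builder caIdentifier(String caIdentifier) {
            this.caIdentifier = caIdentifier;
            return this;
        }

        /**
         * Sets the client's own certificate and the RSA key pair it belongs to.
         * The certificate's public key must equal {@code keyPair.getPublic()}.
         */
        public Builder identity(X509Certificate identity, KeyPair keyPair) {
            this.identity = identity;
            this.keyPair = keyPair;
            return this;
        }

        /**
         * Replaces the built-in fingerprint handler. The handler receives a
         * {@link FingerprintVerificationCallback} for every CA certificate and
         * decides whether it is trusted; when set, the configured fingerprint is
         * not consulted.
         */
        public Builder callbackHandler(CallbackHandler callbackHandler) {
            this.callbackHandler = callbackHandler;
            return this;
        }

        /**
         * @return a validated client
         * @throws IllegalStateException if the settings are incomplete or inconsistent
         *         (see {@link Client#Client(Builder)})
         */
        public Client build() throws IllegalStateException {
            return new Client(this);
        }
    }

    /**
     * Default {@link CallbackHandler}: marks a {@link FingerprintVerificationCallback}
     * verified only when its algorithm equals the configured one and its digest
     * equals the configured fingerprint. Any other callback type is rejected.
     */
    private static class FingerprintCallbackHandler implements CallbackHandler {
        private final byte[] fingerprint;
        private final String hashAlgorithm;

        public FingerprintCallbackHandler(byte[] fingerprint, String hashAlgorithm) {
            this.fingerprint = fingerprint;
            this.hashAlgorithm = hashAlgorithm;
        }

        /**
         * @throws UnsupportedCallbackException for the first callback that is not a
         *         {@link FingerprintVerificationCallback}; earlier callbacks in the
         *         array have already been answered at that point
         */
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (!(callback instanceof FingerprintVerificationCallback)) {
                    throw new UnsupportedCallbackException(callback);
                }
                FingerprintVerificationCallback fpCallback = (FingerprintVerificationCallback) callback;
                // A missing configured fingerprint or algorithm can never verify.
                boolean algorithmMatches = this.hashAlgorithm != null
                        && this.hashAlgorithm.equals(fpCallback.getAlgorithm());
                // Constant-time comparison of the two digests.
                boolean digestMatches = this.fingerprint != null
                        && MessageDigest.isEqual(this.fingerprint, fpCallback.getFingerprint());
                fpCallback.setVerified(algorithmMatches && digestMatches);
            }
        }
    }

    /**
     * Copies and validates the builder settings.
     *
     * @throws IllegalStateException if the key pair or identity is missing, the key
     *         pair is not RSA, the URL is not an acceptable SCEP endpoint, or the
     *         identity certificate's public key differs from the key pair's
     */
    private Client(Builder builder) throws IllegalStateException {
        this.capabilitiesCache = new HashMap<String, Capabilities>();
        this.verified = new HashSet<X509Certificate>(1);
        this.url = builder.url;
        this.proxy = builder.proxy != null ? builder.proxy : Proxy.NO_PROXY;
        this.caIdentifier = builder.caIdentifier;
        this.keyPair = builder.keyPair;
        this.identity = builder.identity;
        this.fingerprint = builder.fingerprint;
        this.hashAlgorithm = builder.hashAlgorithm;
        // Without an explicit handler, trust is decided solely by the configured
        // fingerprint. If none was configured every verification fails, which
        // surfaces as an IOException from the first certificate fetch.
        this.callbackHandler = builder.callbackHandler != null
                ? builder.callbackHandler
                : new FingerprintCallbackHandler(this.fingerprint, this.hashAlgorithm);

        if (this.keyPair == null) {
            throw new IllegalStateException("keyPair is null");
        }
        if (!isValid(this.url)) {
            throw new IllegalStateException("Invalid URL");
        }
        if (!isValid(this.keyPair)) {
            throw new IllegalStateException("Invalid KeyPair");
        }
        if (this.identity == null) {
            throw new IllegalStateException("identity is null");
        }
        if (!this.identity.getPublicKey().equals(this.keyPair.getPublic())) {
            throw new IllegalStateException("Public Key Mismatch");
        }
    }

    /** @return whether both halves of the pair are present and RSA */
    private static boolean isValid(KeyPair keyPair) {
        return keyPair.getPrivate() != null
                && keyPair.getPublic() != null
                && "RSA".equals(keyPair.getPrivate().getAlgorithm())
                && "RSA".equals(keyPair.getPublic().getAlgorithm());
    }

    /**
     * @return whether {@code url} is an http(s) URL whose path ends in
     *         {@code pkiclient.exe} and that carries neither a query nor a fragment
     */
    private static boolean isValid(URL url) {
        if (url == null) {
            return false;
        }
        String protocol = url.getProtocol();
        boolean httpScheme = "http".equals(protocol) || "https".equals(protocol);
        return httpScheme
                && url.getPath().endsWith("pkiclient.exe")
                && url.getRef() == null
                && url.getQuery() == null;
    }

    /**
     * Fetches and verifies the CA's certificate chain and opens a transaction
     * against it, using the configured preferred algorithms or, failing those,
     * the strongest ones the CA advertises.
     *
     * @throws IOException on transport failure or when the CA certificate's
     *         fingerprint is not accepted
     */
    public Transaction createTransaction() throws IOException {
        // One GetCACert round trip: CA and recipient are both taken from the same
        // verified response, so they cannot come from two different answers.
        List<X509Certificate> chain = getCaCertificate();
        X509Certificate ca = selectCA(chain);
        X509Certificate recipient = selectRecipient(chain);
        Transport transport = createTransport();
        Capabilities caps = getCaCapabilities(true);
        String cipherAlg = this.preferredCipherAlg != null
                ? this.preferredCipherAlg
                : caps.getStrongestCipher();
        String digestAlg = this.preferredDigestAlg != null
                ? this.preferredDigestAlg
                : caps.getStrongestMessageDigest();
        return Transaction.createTransaction(ca, recipient, this.identity, this.keyPair,
                digestAlg, cipherAlg, transport);
    }

    /** Opens a POST transport when the CA advertises POST support, else GET. */
    private Transport createTransport() throws IOException {
        LOGGER.entering(getClass().getName(), "createTransport");
        Transport.Method method = getCaCapabilities(true).isPostSupported()
                ? Transport.Method.POST
                : Transport.Method.GET;
        Transport transport = Transport.createTransport(method, this.url, this.proxy);
        LOGGER.exiting(getClass().getName(), "createTransport", transport);
        return transport;
    }

    /**
     * Queries the CA's capabilities, bypassing the cache.
     *
     * @throws IOException on transport failure
     */
    public Capabilities getCaCapabilities() throws IOException {
        return getCaCapabilities(false);
    }

    /**
     * Returns the CA's capabilities, from the per-identifier cache when
     * {@code useCache} is set and an entry exists, otherwise via GetCACaps
     * (the fresh answer always replaces the cached one).
     */
    private Capabilities getCaCapabilities(boolean useCache) throws IOException {
        LOGGER.entering(getClass().getName(), "getCaCapabilities", Boolean.valueOf(useCache));
        Capabilities caps = useCache ? this.capabilitiesCache.get(this.caIdentifier) : null;
        if (caps == null) {
            Transport transport = Transport.createTransport(Transport.Method.GET, this.url, this.proxy);
            caps = (Capabilities) transport.sendMessage(new GetCACaps(this.caIdentifier));
            this.capabilitiesCache.put(this.caIdentifier, caps);
        }
        LOGGER.exiting(getClass().getName(), "getCaCapabilities", caps);
        return caps;
    }

    /**
     * Fetches the CA's certificate chain via GetCACert and verifies the CA
     * certificate in it before returning.
     *
     * @return the chain as sent by the CA (one certificate, or CA plus RA)
     * @throws IOException on transport failure or when the CA certificate's
     *         fingerprint is not accepted
     */
    @SuppressWarnings("unchecked")
    public List<X509Certificate> getCaCertificate() throws IOException {
        LOGGER.entering(getClass().getName(), "getCaCertificate");
        Transport transport = Transport.createTransport(Transport.Method.GET, this.url, this.proxy);
        List<X509Certificate> chain =
                (List<X509Certificate>) transport.sendMessage(new GetCACert(this.caIdentifier));
        verifyCA(selectCA(chain));
        LOGGER.exiting(getClass().getName(), "getCaCertificate", chain);
        return chain;
    }

    /** @return the digest of the certificate's DER encoding under {@code algorithm} */
    private static byte[] createFingerprint(X509Certificate certificate, String algorithm)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        return MessageDigest.getInstance(algorithm).digest(certificate.getEncoded());
    }

    /**
     * Has the callback handler confirm {@code ca}'s fingerprint, unless it was
     * already confirmed earlier.
     *
     * @throws IOException if the handler does not mark the certificate verified
     * @throws RuntimeException wrapping a digest, encoding or unsupported-callback
     *         failure, all of which indicate a configuration error
     */
    private void verifyCA(X509Certificate ca) throws IOException {
        if (this.verified.contains(ca)) {
            LOGGER.finer("Verification Cache Hit.");
            return;
        }
        LOGGER.finer("Verification Cache Missed.");
        // Digest with the algorithm the fingerprint was supplied in; with no
        // configured fingerprint, let the CA's capabilities choose.
        String digestAlg = this.hashAlgorithm != null
                ? this.hashAlgorithm
                : getCaCapabilities(true).getStrongestMessageDigest();
        FingerprintVerificationCallback callback;
        try {
            callback = new FingerprintVerificationCallback(createFingerprint(ca, digestAlg), digestAlg);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        } catch (CertificateEncodingException e) {
            throw new RuntimeException(e);
        }
        try {
            this.callbackHandler.handle(new Callback[] {callback});
        } catch (UnsupportedCallbackException e) {
            throw new RuntimeException(e);
        }
        if (!callback.isVerified()) {
            throw new IOException("CA certificate fingerprint could not be verified (using "
                    + digestAlg + ").");
        }
        this.verified.add(ca);
    }

    /**
     * Fetches the CA's next (rollover) certificate chain via GetNextCACert.
     *
     * @throws UnsupportedOperationException if the CA does not advertise rollover
     * @throws IOException on transport failure or CA verification failure
     */
    @SuppressWarnings("unchecked")
    public List<X509Certificate> getRolloverCertificate() throws IOException {
        if (!getCaCapabilities().isRolloverSupported()) {
            throw new UnsupportedOperationException("CA does not support certificate rollover");
        }
        Transport transport = Transport.createTransport(Transport.Method.GET, this.url, this.proxy);
        return (List<X509Certificate>) transport.sendMessage(
                new GetNextCACert(retrieveCA(), this.caIdentifier));
    }

    /** Fetches the chain and returns its verified CA certificate. */
    private X509Certificate retrieveCA() throws IOException {
        return selectCA(getCaCertificate());
    }

    /**
     * Picks the certificate to encrypt to: the only certificate of a one-element
     * chain, or the non-CA (RA) certificate of a two-element chain.
     *
     * @throws IllegalStateException for any other chain length
     */
    private X509Certificate selectRecipient(List<X509Certificate> chain) {
        switch (chain.size()) {
            case 1:
                return chain.get(0);
            case 2:
                X509Certificate ca = selectCA(chain);
                return chain.get(0).equals(ca) ? chain.get(1) : chain.get(0);
            default:
                throw new IllegalStateException("Expected 1 or 2 certificates, got " + chain.size());
        }
    }

    /**
     * Picks the CA certificate from a chain. For a two-element chain the
     * certificate that signed the other is the CA; only the first two elements
     * are examined.
     *
     * @throws IllegalStateException if the chain is empty or neither of the first
     *         two certificates signed the other
     */
    private static X509Certificate selectCA(List<X509Certificate> chain) {
        if (chain.isEmpty()) {
            throw new IllegalStateException("CA returned no certificates");
        }
        if (chain.size() == 1) {
            return chain.get(0);
        }
        X509Certificate first = chain.get(0);
        X509Certificate second = chain.get(1);
        // Try both directions: a wrong-key failure may be a SignatureException
        // rather than an InvalidKeyException, so every verification failure
        // counts as "not signed by", not as a fatal error.
        if (isSignedBy(first, second)) {
            return second;
        }
        if (isSignedBy(second, first)) {
            return first;
        }
        throw new IllegalStateException("Neither of the first two certificates signed the other");
    }

    /** @return whether {@code subject}'s signature verifies under {@code issuer}'s public key */
    private static boolean isSignedBy(X509Certificate subject, X509Certificate issuer) {
        try {
            subject.verify(issuer.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            LOGGER.finer("Signature check failed: " + e);
            return false;
        }
    }

    /** Overrides the cipher otherwise chosen from the CA's capabilities. */
    void setPreferredCipherAlgorithm(String cipherAlgorithm) {
        this.preferredCipherAlg = cipherAlgorithm;
    }

    /** Overrides the digest otherwise chosen from the CA's capabilities. */
    void setPreferredDigestAlgorithm(String digestAlgorithm) {
        this.preferredDigestAlg = digestAlgorithm;
    }
}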
