package de.trustable.cmp.client.cmpClient;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Date;
import java.util.Locale;
import java.util.Random;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CertRepMessage;
import org.bouncycastle.asn1.cmp.CertResponse;
import org.bouncycastle.asn1.cmp.ErrorMsgContent;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIFailureInfo;
import org.bouncycastle.asn1.cmp.PKIFreeText;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cmp.PKIStatusInfo;
import org.bouncycastle.asn1.cmp.RevDetails;
import org.bouncycastle.asn1.cmp.RevRepContent;
import org.bouncycastle.asn1.cmp.RevReqContent;
import org.bouncycastle.asn1.crmf.CertId;
import org.bouncycastle.asn1.crmf.CertReqMessages;
import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.cmp.CMPException;
import org.bouncycastle.cert.cmp.GeneralPKIMessage;
import org.bouncycastle.cert.cmp.ProtectedPKIMessage;
import org.bouncycastle.cert.cmp.ProtectedPKIMessageBuilder;
import org.bouncycastle.cert.crmf.CRMFException;
import org.bouncycastle.cert.crmf.CertificateRequestMessage;
import org.bouncycastle.cert.crmf.CertificateRequestMessageBuilder;
import org.bouncycastle.cert.crmf.PKMACBuilder;
import org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator;
import org.bouncycastle.cert.jcajce.JcaX500NameUtil;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.operator.MacCalculator;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCSException;

/* loaded from: input_file:de/trustable/cmp/client/cmpClient/CMPClient.class */
public class CMPClient {
    // Randomness source for the certificate request id and for the value the
    // nonce / transaction id / key id of outgoing messages are built from.
    SecureRandom secRandom;
    // Shared CMP secret: keys the password-based MAC on outgoing requests and
    // is used to verify the MAC on protected responses. Held as a String for
    // the lifetime of the client.
    private String plainSecret;
    // Base URL of the CA's CMP endpoint; requests go to caUrl + "/" + alias.
    private String caUrl;
    // CMP alias appended to the CA URL.
    private String alias;
    // Verbose flag taken from the public constructor. NOTE(review): its
    // consumers are not visible in this part of the file; confirm that it
    // gates trace() output.
    boolean verbose;

    /**
     * Base constructor: creates the random source, fills the connection
     * settings with placeholder values and registers the BouncyCastle provider
     * in the JVM-wide provider list.
     *
     * <p>The placeholder secret, URL and alias are only meaningful until the
     * public constructor overwrites them; this constructor is private so a
     * client can never be used with them from outside this class.
     */
    private CMPClient() {
        this.secRandom = new SecureRandom();
        // Placeholders only; the public constructor replaces all four values.
        this.verbose = false;
        this.alias = "test";
        this.caUrl = "http://...,";
        this.plainSecret = "foo123";
        // Provider registration is global to the JVM, not scoped to this instance.
        Security.addProvider(new BouncyCastleProvider());
    }

    /**
     * Creates a client for one CA endpoint.
     *
     * @param str  base URL of the CA's CMP endpoint
     * @param str2 CMP alias appended to the URL
     * @param str3 shared secret used for the password-based MAC
     * @param z    verbose flag
     */
    public CMPClient(String str, String str2, String str3, boolean z) {
        this();
        // Replace every placeholder set by the private constructor.
        this.caUrl = str;
        this.alias = str2;
        this.plainSecret = str3;
        this.verbose = z;
    }

    /**
     * Command-line entry point: delegates to {@link #handleArgs(String[])} and
     * turns a non-zero result into the process exit code.
     *
     * @param strArr command-line arguments
     */
    public static void main(String[] strArr) {
        final int exitCode = handleArgs(strArr);
        if (exitCode == 0) {
            // Fall off the end of main instead of forcing an exit on success.
            return;
        }
        System.exit(exitCode);
    }

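    /**
     * Parses the command line and runs either a certificate request (default,
     * {@code -c}) or a revocation ({@code -r}).
     *
     * <p>Returns 0 on success and 1 on any failure. A failed request or
     * revocation used to be reported with exit code 0, so a calling script
     * could not tell that a certificate was not issued or, worse, that a
     * revocation did not take place; that path now returns 1.
     *
     * <p>NOTE(review): the CMP secret is taken from the {@code -s} argument, so
     * it is visible in the process list and in shell history for as long as the
     * tool is invoked this way. The help text's sample URLs use plain
     * {@code http://}; the URL scheme given with {@code -u} is not checked here.
     *
     * @param strArr command-line arguments
     * @return 0 on success (or after {@code -h}), 1 on a usage error or a
     *         failed request/revocation
     */
    public static int handleArgs(String[] strArr) {
        String mode = "Request";
        String secret = null;
        String caUrlArg = null;
        String aliasArg = null;
        String reason = "unspecified";
        String inFileName = "test.csr";
        String outFileName = "test.crt";
        String outFormat = "PEM";
        boolean verboseArg = false;
        if (strArr.length == 0) {
            printHelp();
            return 1;
        }
        for (int i = 0; i < strArr.length; i++) {
            String option = strArr[i];
            if ("-c".equals(option)) {
                mode = "Request";
            } else if ("-r".equals(option)) {
                mode = "Revoke";
            } else if ("-v".equals(option)) {
                verboseArg = true;
            } else if ("-h".equals(option)) {
                printHelp();
                return 0;
            } else if (i + 1 < strArr.length) {
                // Every remaining option consumes the following argument as its
                // value; an unrecognised option swallows its value silently.
                String value = strArr[++i];
                if ("-u".equals(option)) {
                    caUrlArg = value;
                } else if ("-a".equals(option)) {
                    aliasArg = value;
                } else if ("-s".equals(option)) {
                    secret = value;
                } else if ("-e".equals(option)) {
                    reason = value;
                } else if ("-i".equals(option)) {
                    inFileName = value;
                } else if ("-of".equals(option)) {
                    outFormat = value.toUpperCase(Locale.ROOT);
                } else if ("-o".equals(option)) {
                    outFileName = value;
                }
            } else {
                System.err.println("option '" + option + "' requires argument!");
            }
        }
        if (secret == null) {
            System.err.println("'secret' must be provided! Exiting ...");
            return 1;
        }
        if (caUrlArg == null) {
            System.err.println("'caUrl' must be provided! Exiting ...");
            return 1;
        }
        if (aliasArg == null) {
            System.err.println("'alias' must be provided! Exiting ...");
            return 1;
        }
        if (!outFormat.equals(ASN1Encoding.DER) && !outFormat.equals("PEM")) {
            System.err.println("unrecognized output format! Only PEM and DER are supported. Exiting ...");
            return 1;
        }
        try {
            CMPClient client = new CMPClient(caUrlArg, aliasArg, secret, verboseArg);
            if ("Request".equals(mode)) {
                System.out.println("Requesting certificate from csr file '" + inFileName + "' ...");
                File csrFile = new File(inFileName);
                if (!csrFile.exists()) {
                    System.err.println("CSR file '" + csrFile + "' does not exist! Exiting ...");
                    return 1;
                }
                if (!csrFile.canRead()) {
                    System.err.println("No read access to CSR file '" + csrFile + "'! Exiting ...");
                    return 1;
                }
                // Refuse to overwrite an existing certificate file.
                File certFile = new File(outFileName);
                if (certFile.exists()) {
                    System.err.println("Certificate file '" + certFile + "' already exist! Exiting ...");
                    return 1;
                }
                client.signCertificateRequest(csrFile, certFile, outFormat);
                return 0;
            }
            if (!"Revoke".equals(mode)) {
                System.err.println("Either an option '-c' (certificate creation) or '-r' (revocation)!");
                printHelp();
                return 1;
            }
            System.out.println("Revoking certificate from file '" + inFileName + "' ...");
            File revokeFile = new File(inFileName);
            if (!revokeFile.exists()) {
                System.err.println("Certificate file '" + inFileName + "' does not exist! Exiting ...");
                return 1;
            }
            if (!revokeFile.canRead()) {
                System.err.println("No read access to certificate file '" + inFileName + "'! Exiting ...");
                return 1;
            }
            client.revokeCertificate(revokeFile, reason);
            return 0;
        } catch (IOException | GeneralSecurityException e) {
            System.err.println(" WARN: problem occurred " + e.getMessage());
            if (verboseArg) {
                e.printStackTrace();
            }
            // The operation did not complete: report failure to the caller.
            return 1;
        }
    }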

    /**
     * Prints the usage text to standard output, one {@code println} per entry.
     *
     * <p>NOTE(review): the samples pass the CMP secret and the keystore
     * password on the command line and use {@code http://} CA URLs; they are
     * examples, not a recommended deployment.
     */
    private static void printHelp() {
        final String[] helpLines = {
            "\nSimple CMP Client\n",
            "Options:\n",
            "-c\t\tRequest a certificate",
            "-r\t\tRevoke a certificate",
            "-h\t\tPrint help",
            "\nArguments:\n",
            "-u caURL\tCA URL (required)",
            "-a alias\tAlias configuration (required)",
            "-s secret\tCMP access secret (required)",
            "-e reason\trevocation reason (required for revocation), valid values are",
            "\t\tkeyCompromise",
            "\t\tcACompromise",
            "\t\taffiliationChanged",
            "\t\tsuperseded",
            "\t\tcessationOfOperation",
            "\t\tprivilegeWithdrawn",
            "\t\taACompromise",
            "\t\tcertificateHold",
            "\t\tremoveFromCRL",
            "\t\tunspecified\n",
            "-i input\tCSR (required for request) / certificate file (required for revocation)",
            "-o output\tCertificate file",
            "-of format\tselect PEM or DER format",
            "-v verbose\tenable verbose log output",
            "\nSample use of keytool to create a csr and submit a request:",
            "keytool -genkeypair -keyalg RSA -keysize 2048 -keystore test.p12 -storepass s3cr3t -alias keyAlias -storetype pkcs12 -dname \"C=DE, OU=dev, O=trustable, CN=test.trustable.de\" ",
            "keytool -certreq -keystore test.p12 -storepass s3cr3t -alias keyAlias -ext \"SAN=dns:www.test.trustable.de\" -file test.csr",
            "java -jar cmpClient-1.2.0-jar-with-dependencies.jar -c -u http://{yourServer}/ejbca/publicweb/cmp -a {yourCMPAlias} -s {yourPassword} -i test.csr -o test.crt",
            "\nRevocation sample (DER and PEM certificate format supported):",
            "java -jar cmpClient-1.2.0-jar-with-dependencies.jar -r -u http://{yourServer}/ejbca/publicweb/cmp -a {yourCMPAlias} -s {yourPassword} -i test.crt -e superseded",
            "\ncode available at https://github.com/kuehne-trustable-de/cmpClient",
        };
        for (String helpLine : helpLines) {
            System.out.println(helpLine);
        }
    }

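    /**
     * Submits the CSR stored in {@code file} to the CA and writes the issued
     * certificate to {@code file2}.
     *
     * <p>The lower-level call can return {@code null} when the response holds
     * no plain certificate; that case used to surface as a
     * {@code NullPointerException} while writing the output file and is now
     * reported as a {@link GeneralSecurityException} before any file is
     * created.
     *
     * @param file  PEM-encoded PKCS#10 request to submit
     * @param file2 destination for the issued certificate (overwritten if present)
     * @param str   output format; {@code "DER"} writes the raw encoding, any
     *              other value writes PEM
     * @throws GeneralSecurityException if the request fails or no certificate
     *         is returned
     * @throws IOException if the CSR cannot be read or the certificate cannot
     *         be written
     */
    public void signCertificateRequest(File file, File file2, String str) throws GeneralSecurityException, IOException {
        X509Certificate issued;
        // Close the CSR stream here no matter how far the request path got.
        try (InputStream csrStream = new FileInputStream(file)) {
            issued = signCertificateRequest(csrStream);
        }
        if (issued == null) {
            throw new GeneralSecurityException("CMP response contains no certificate");
        }
        if (ASN1Encoding.DER.equals(str)) {
            try (FileOutputStream derOut = new FileOutputStream(file2)) {
                derOut.write(issued.getEncoded());
            }
        } else {
            try (PEMWriter pemOut = new PEMWriter(new FileWriter(file2))) {
                pemOut.writeObject(issued);
            }
        }
        if (issued.getSubjectDN() == null || issued.getSubjectDN().getName() == null) {
            log("creation of certificate written to file '" + file2.getName() + "'");
        } else {
            log("creation of certificate with subject '" + issued.getSubjectDN().getName() + "' written to file '" + file2.getName() + "' (in " + str + " format)");
        }
    }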

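    /**
     * Builds a MAC-protected CMP certificate request from the CSR on
     * {@code inputStream}, posts it to {@code caUrl + "/" + alias} and parses
     * the response.
     *
     * <p>Lower-level exceptions are wrapped in {@link GeneralSecurityException}
     * with the original exception kept as the cause, so the stack trace still
     * shows where the failure happened.
     *
     * @param inputStream PEM-encoded PKCS#10 request
     * @return the issued certificate, or {@code null} if the response carried
     *         no plain certificate
     * @throws GeneralSecurityException on transport, encoding, CMP or CRMF
     *         failures, or when the connector returns no response
     */
    public X509Certificate signCertificateRequest(InputStream inputStream) throws GeneralSecurityException {
        try {
            PKIMessage request = buildCertRequest(this.secRandom.nextLong(), inputStream, this.plainSecret);
            byte[] requestBytes = request.getEncoded();
            trace("requestBytes : " + Base64.getEncoder().encodeToString(requestBytes));
            trace("cmp client calls url '" + this.caUrl + "' with alias '" + this.alias + "'");
            byte[] responseBytes = sendHttpReq(this.caUrl + "/" + this.alias, requestBytes);
            if (responseBytes == null) {
                throw new GeneralSecurityException("remote connector returned 'null'");
            }
            trace("responseBytes : " + Base64.getEncoder().encodeToString(responseBytes));
            // The request is passed along so nonce and transaction id can be matched.
            return readCertResponse(responseBytes, request);
        } catch (IOException e) {
            log("IO / encoding problem", e);
            throw new GeneralSecurityException(e.getMessage(), e);
        } catch (CMPException e2) {
            log("CMP problem", e2);
            throw new GeneralSecurityException(e2.getMessage(), e2);
        } catch (CRMFException e3) {
            log("CMS format problem", e3);
            throw new GeneralSecurityException(e3.getMessage(), e3);
        }
    }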

    /**
     * Reads an X.509 certificate from {@code file} and asks the CA to revoke it.
     *
     * <p>Issuer, subject and serial number are taken from the certificate; the
     * reason text is mapped by {@code crlReasonFromString}. The success line is
     * logged whenever the lower-level revocation call returns without throwing.
     *
     * @param file certificate to revoke
     * @param str  revocation reason, by name or numeric code
     * @throws GeneralSecurityException if parsing or the revocation exchange fails
     * @throws IOException if the file cannot be opened or closed
     */
    public void revokeCertificate(File file, String str) throws GeneralSecurityException, IOException {
        try (FileInputStream certStream = new FileInputStream(file)) {
            CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
            X509Certificate target = (X509Certificate) x509Factory.generateCertificate(certStream);
            revokeCertificate(
                    JcaX500NameUtil.getIssuer(target),
                    JcaX500NameUtil.getSubject(target),
                    target.getSerialNumber(),
                    crlReasonFromString(str));
            log("revocation of certificate '" + target.getSubjectDN().getName() + "' with reason '" + str + "' succeeded!");
        }
    }

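    /**
     * Sends a MAC-protected CMP revocation request for the certificate
     * identified by issuer and serial number, and parses the response.
     *
     * <p>A missing response is reported as a {@link GeneralSecurityException}
     * (it used to fail with a {@code NullPointerException} while tracing), and
     * wrapped exceptions keep their cause. The request id is drawn from the
     * client's {@code SecureRandom}, matching the certificate request path.
     *
     * @param x500Name   issuer of the certificate to revoke
     * @param x500Name2  subject of the certificate to revoke
     * @param bigInteger serial number of the certificate to revoke
     * @param cRLReason  revocation reason
     * @throws GeneralSecurityException on transport, encoding, CMP or CRMF
     *         failures, or when the connector returns no response
     */
    public void revokeCertificate(X500Name x500Name, X500Name x500Name2, BigInteger bigInteger, CRLReason cRLReason) throws GeneralSecurityException {
        try {
            byte[] requestBytes = buildRevocationRequest(this.secRandom.nextLong(), x500Name, x500Name2, bigInteger, cRLReason);
            trace("revocation requestBytes : " + Base64.getEncoder().encodeToString(requestBytes));
            byte[] responseBytes = sendHttpReq(this.caUrl + "/" + this.alias, requestBytes);
            if (responseBytes == null) {
                throw new GeneralSecurityException("remote connector returned 'null'");
            }
            trace("revocation responseBytes : " + Base64.getEncoder().encodeToString(responseBytes));
            readRevResponse(responseBytes);
        } catch (IOException e) {
            log("IO / encoding problem", e);
            throw new GeneralSecurityException(e.getMessage(), e);
        } catch (CMPException e2) {
            log("CMP problem", e2);
            throw new GeneralSecurityException(e2.getMessage(), e2);
        } catch (CRMFException e3) {
            log("CMS format problem", e3);
            throw new GeneralSecurityException(e3.getMessage(), e3);
        }
    }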

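    /**
     * Parses a PEM-encoded PKCS#10 request, copies its extensions, checks the
     * CSR's self-signature and builds the MAC-protected CMP request from it.
     *
     * <p>Input that parses as PEM but is not a PKCS#10 request is rejected
     * with a {@link GeneralSecurityException}; it used to end in a
     * {@code NullPointerException}.
     *
     * <p>NOTE(review): every attribute value of the CSR is decoded as an
     * extension list without looking at the attribute type, so a CSR carrying
     * another kind of attribute presumably fails in
     * {@code Extensions.getInstance}; confirm against the CSRs in use.
     *
     * @param j           certificate request id
     * @param inputStream PEM-encoded PKCS#10 request
     * @param str         shared secret for the password-based MAC
     * @return the protected CMP request message
     * @throws GeneralSecurityException if the CSR cannot be parsed, its
     *         signature does not verify, or the message cannot be built
     */
    public PKIMessage buildCertRequest(long j, InputStream inputStream, String str) throws GeneralSecurityException {
        PKCS10CertificationRequest csr = convertPemToPKCS10CertificationRequest(inputStream);
        if (csr == null) {
            // The parser returns null for any PEM object that is not a PKCS#10 request.
            throw new GeneralSecurityException("Parsing of CSR failed! Not a PKCS#10 certification request");
        }
        trace("subjectDN : " + csr.getSubject().toString());
        ArrayList<Extension> csrExtensions = new ArrayList<>();
        for (Attribute attribute : csr.getAttributes()) {
            for (ASN1Encodable attributeValue : attribute.getAttributeValues()) {
                if (attributeValue != null) {
                    Extensions extensions = Extensions.getInstance(attributeValue);
                    for (ASN1ObjectIdentifier oid : extensions.getExtensionOIDs()) {
                        trace("copying oid '" + oid.toString() + "' from csr to PKIMessage");
                        csrExtensions.add(extensions.getExtension(oid));
                    }
                }
            }
        }
        SubjectPublicKeyInfo subjectPublicKeyInfo = csr.getSubjectPublicKeyInfo();
        try {
            // Only the CSR's own signature is checked here: it shows the requester
            // holds the private key, nothing about who the requester is.
            if (csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(subjectPublicKeyInfo))) {
                return buildCertRequest(j, csr.getSubject(), csrExtensions, subjectPublicKeyInfo, str);
            }
            throw new GeneralSecurityException("CSR signature validation failed");
        } catch (OperatorCreationException | PKCSException e) {
            throw new GeneralSecurityException(e);
        }
    }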

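    /**
     * Builds the MAC-protected CMP initialisation request for the given
     * subject, extensions and public key.
     *
     * <p>Wrapped exceptions now keep their cause.
     *
     * <p>NOTE(review): the issuer in the certificate template and the message
     * recipient are both the fixed name {@code CN=AdminCA1}, and proof of
     * possession is declared as "RA verified" rather than carried in the
     * message. Both only fit a CA configured to accept exactly that; confirm
     * against the target CA.
     *
     * @param j                    certificate request id
     * @param x500Name             requested subject; also used as message sender
     * @param collection           extensions to copy into the request
     * @param subjectPublicKeyInfo public key to certify
     * @param str                  shared secret for the password-based MAC
     * @return the protected CMP request message
     * @throws GeneralSecurityException if the request cannot be built or protected
     */
    public PKIMessage buildCertRequest(long j, X500Name x500Name, Collection<Extension> collection, SubjectPublicKeyInfo subjectPublicKeyInfo, String str) throws GeneralSecurityException {
        CertificateRequestMessageBuilder requestBuilder = new CertificateRequestMessageBuilder(BigInteger.valueOf(j));
        X500Name issuer = X500Name.getInstance(new X500Name("CN=AdminCA1").toASN1Primitive());
        requestBuilder.setSubject(x500Name);
        requestBuilder.setIssuer(issuer);
        try {
            for (Extension extension : collection) {
                trace("Csr Extension : " + extension.getExtnId().getId() + " -> " + extension.getExtnValue());
                requestBuilder.addExtension(extension.getExtnId(), extension.isCritical(), extension.getParsedValue());
            }
            requestBuilder.setPublicKey(subjectPublicKeyInfo);
            requestBuilder.setAuthInfoSender(new GeneralName(x500Name));
            requestBuilder.setProofOfPossessionRaVerified();
            CertificateRequestMessage requestMessage = requestBuilder.build();
            trace("CertTemplate : " + requestMessage.getCertTemplate());
            ProtectedPKIMessageBuilder pkiBuilder = getPKIBuilder(issuer, x500Name);
            pkiBuilder.setBody(new PKIBody(PKIBody.TYPE_INIT_REQ, new CertReqMessages(requestMessage.toASN1Structure())));
            // The password-based MAC over the message is what authenticates the request.
            return pkiBuilder.build(getMacCalculator(str)).toASN1Structure();
        } catch (IOException | CMPException | CRMFException e) {
            log("Exception occured processing extensions", e);
            throw new GeneralSecurityException(e.getMessage(), e);
        }
    }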

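    /**
     * Validates a CMP response against the request it answers and extracts the
     * issued certificate.
     *
     * <p>Checks, in order: the protection check implemented by
     * {@code buildPKIMessage}; that the response's recipient nonce equals the
     * request's sender nonce; that the transaction ids match; and that the body
     * is an error, an initialisation response or a certificate response.
     *
     * <p>Fixes over the previous version: the status code and all status text
     * lines of a response element are now reported (the code was always shown
     * as 0 and only the last line survived); a missing extra-certificate list
     * is handled with a null check instead of a swallowed
     * {@code NullPointerException}; and an empty parse result no longer ends in
     * an array index error.
     *
     * @param bArr       encoded response received from the CA
     * @param pKIMessage the request that was sent
     * @return the first plain certificate found in the response, or
     *         {@code null} if no element carries one
     * @throws GeneralSecurityException on a failed check, an unexpected body
     *         type, an error response or a response without certificate
     */
    public X509Certificate readCertResponse(byte[] bArr, PKIMessage pKIMessage) throws IOException, CRMFException, CMPException, GeneralSecurityException {
        // Run for its protection check; the wrapper it returns is not needed here.
        buildPKIMessage(bArr);
        PKIMessage responseMessage = PKIMessage.getInstance(getDERObject(bArr));
        if (responseMessage == null) {
            throw new GeneralSecurityException("No CMP message could be parsed from received Der object.");
        }
        PKIHeader requestHeader = pKIMessage.getHeader();
        PKIHeader responseHeader = responseMessage.getHeader();

        // Bind the response to this request: nonce first, then transaction id.
        ASN1OctetString recipNonce = responseHeader.getRecipNonce();
        if (!requestHeader.getSenderNonce().equals((ASN1Primitive) recipNonce)) {
            if (recipNonce == null) {
                log("Recip nonce == null");
            } else {
                log("sender nonce differ from recepient nonce " + Base64.getEncoder().encodeToString(requestHeader.getSenderNonce().getOctets()) + " != " + Base64.getEncoder().encodeToString(recipNonce.getOctets()));
            }
            throw new GeneralSecurityException("Sender / Recip nonce mismatch");
        }
        ASN1OctetString transactionID = responseHeader.getTransactionID();
        if (!requestHeader.getTransactionID().equals((ASN1Primitive) transactionID)) {
            if (transactionID == null) {
                log("transaction id == null");
            } else {
                log("transaction id differ between request and response: " + Base64.getEncoder().encodeToString(requestHeader.getTransactionID().getOctets()) + " != " + Base64.getEncoder().encodeToString(transactionID.getOctets()));
            }
            throw new GeneralSecurityException("Sender / Recip Transaction Id mismatch");
        }

        PKIBody body = responseMessage.getBody();
        int type = body.getType();
        if (type == PKIBody.TYPE_ERROR) {
            handleCMPError(body);
            return null;
        }
        if (type != PKIBody.TYPE_CERT_REP && type != PKIBody.TYPE_INIT_REP) {
            throw new GeneralSecurityException("unexpected PKI body type :" + type);
        }
        CertRepMessage certRepMessage = CertRepMessage.getInstance(body.getContent());

        // Extra certificates are optional and only reported, never trusted here.
        CMPCertificate[] extraCerts = responseMessage.getExtraCerts();
        if (extraCerts != null) {
            log("CMP Response body contains " + extraCerts.length + " extra certificates");
            for (CMPCertificate extraCert : extraCerts) {
                Certificate caCert = extraCert == null ? null : extraCert.getX509v3PKCert();
                if (caCert != null) {
                    trace("Added CA '" + caCert.getSubject() + "' from CMP Response body");
                }
            }
        }

        CertResponse[] response = certRepMessage.getResponse();
        if (response == null || response.length == 0) {
            throw new GeneralSecurityException("No CMP response found.");
        }
        trace("CMP Response body contains " + response.length + " elements");
        for (int i = 0; i < response.length; i++) {
            if (response[i] == null) {
                throw new GeneralSecurityException("CMP response element #" + i + " of " + response.length + " returns no content.");
            }
            BigInteger statusCode = BigInteger.ZERO;
            StringBuilder statusText = new StringBuilder();
            PKIStatusInfo status = response[i].getStatus();
            if (status != null) {
                if (status.getStatus() != null) {
                    statusCode = status.getStatus();
                }
                PKIFreeText statusString = status.getStatusString();
                if (statusString != null) {
                    for (int k = 0; k < statusString.size(); k++) {
                        statusText.append(statusString.getStringAt(k)).append("\n");
                    }
                }
            }
            if (response[i].getCertifiedKeyPair() == null || response[i].getCertifiedKeyPair().getCertOrEncCert() == null) {
                throw new GeneralSecurityException("CMP response contains no certificate, status :" + statusCode + "\n" + statusText);
            }
            CMPCertificate certificate = response[i].getCertifiedKeyPair().getCertOrEncCert().getCertificate();
            Certificate issued = certificate == null ? null : certificate.getX509v3PKCert();
            if (issued != null) {
                trace("#" + i + ": " + issued);
                // Re-parse through the JCA so callers get a java.security certificate.
                X509Certificate[] parsed = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME)
                        .generateCertificates(new ByteArrayInputStream(issued.getEncoded()))
                        .toArray(new X509Certificate[0]);
                if (parsed.length == 0) {
                    throw new GeneralSecurityException("CMP response contains no certificate, status :" + statusCode + "\n" + statusText);
                }
                trace("#" + i + ": " + parsed[0]);
                return parsed[0];
            }
        }
        return null;
    }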

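    /**
     * Parses a received CMP message and checks its protection.
     *
     * <p>A protected message must use password-based MAC protection and must
     * verify against the shared secret. An unprotected message is now accepted
     * only when its body is an error message (which the callers turn into an
     * exception anyway); any other unprotected body is rejected. Before this
     * change an unprotected certificate or revocation response was accepted
     * with nothing more than a warning, so whoever could alter the response in
     * transit could drop the MAC and substitute the content.
     *
     * @param bArr encoded response received from the CA
     * @return the parsed message
     * @throws GeneralSecurityException if the protection scheme is not
     *         password based, the MAC does not verify, or a non-error message
     *         arrives without protection
     */
    private GeneralPKIMessage buildPKIMessage(byte[] bArr) throws IOException, CMPException, CRMFException, GeneralSecurityException {
        GeneralPKIMessage received = new GeneralPKIMessage(bArr);
        printPKIMessageInfo(received);
        if (!received.hasProtection()) {
            warn("received response message contains NO content protection!");
            if (received.getBody().getType() != PKIBody.TYPE_ERROR) {
                // Fail closed: nothing ties this content to the holder of the secret.
                throw new GeneralSecurityException("received response message contains NO content protection!");
            }
            return received;
        }
        ProtectedPKIMessage protectedMessage = new ProtectedPKIMessage(received);
        if (!protectedMessage.hasPasswordBasedMacProtection()) {
            throw new GeneralSecurityException("received response message has unexpected protection scheme, pbe expected!");
        }
        if (!protectedMessage.verify(getMacCalculatorBuilder(), this.plainSecret.toCharArray())) {
            throw new GeneralSecurityException("received response message failed verification (by HMAC)!");
        }
        trace("received response message verified successfully by HMAC");
        return received;
    }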

    /**
     * Builds and encodes a MAC-protected CMP revocation request.
     *
     * <p>The certificate is identified by issuer and serial number; the reason
     * travels as a non-critical reasonCode extension. The message is protected
     * with the client's shared secret.
     *
     * @param j          request id; not used by this method
     * @param x500Name   issuer of the certificate, also the message recipient
     * @param x500Name2  subject of the certificate, used as the message sender
     * @param bigInteger serial number of the certificate
     * @param cRLReason  revocation reason
     * @return the encoded request
     */
    public byte[] buildRevocationRequest(long j, X500Name x500Name, X500Name x500Name2, BigInteger bigInteger, CRLReason cRLReason) throws IOException, CRMFException, CMPException {
        // Template naming the certificate to revoke.
        CertTemplateBuilder template = new CertTemplateBuilder();
        template.setIssuer(x500Name);
        template.setSerialNumber(new ASN1Integer(bigInteger));

        // Reason code, marked non-critical.
        ExtensionsGenerator reasonGenerator = new ExtensionsGenerator();
        reasonGenerator.addExtension(Extension.reasonCode, false, (ASN1Encodable) cRLReason);
        Extensions reasonExtensions = reasonGenerator.generate();

        ASN1EncodableVector revDetailsParts = new ASN1EncodableVector();
        revDetailsParts.add(template.build());
        revDetailsParts.add(reasonExtensions);
        RevDetails revDetails = RevDetails.getInstance(new DERSequence(revDetailsParts));
        RevReqContent revocationBody = new RevReqContent(revDetails);

        ProtectedPKIMessageBuilder messageBuilder = getPKIBuilder(x500Name, x500Name2);
        // Body type 11 is the CMP revocation request.
        messageBuilder.setBody(new PKIBody(11, revocationBody));
        MacCalculator mac = getMacCalculator(this.plainSecret);
        PKIMessage protectedRequest = messageBuilder.build(mac).toASN1Structure();
        trace("sender nonce : " + org.bouncycastle.util.encoders.Base64.toBase64String(protectedRequest.getHeader().getSenderNonce().getOctets()));
        return protectedRequest.getEncoded();
    }

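    /**
     * Parses a CMP revocation response and checks that the CA granted it.
     *
     * <p>The per-certificate status entries of the response are now inspected:
     * any status other than 0 (accepted) or 1 (granted with modifications)
     * raises a {@link GeneralSecurityException}. Previously a response of the
     * right body type was treated as success whatever status it carried, so a
     * rejected revocation was reported as done.
     *
     * <p>NOTE(review): the response's nonces are only traced, not compared
     * with the request; the request header is not available to this method.
     *
     * @param bArr encoded response received from the CA
     * @return the revocation response content, or {@code null} if the body
     *         carries none
     * @throws GeneralSecurityException on a failed protection check, an error
     *         response, an unexpected body type or a non-granted status
     */
    public RevRepContent readRevResponse(byte[] bArr) throws IOException, CRMFException, CMPException, GeneralSecurityException {
        GeneralPKIMessage received = buildPKIMessage(bArr);
        PKIHeader header = received.getHeader();
        if (header.getRecipNonce() == null) {
            trace("no recipient nonce");
        } else {
            trace("recipient nonce : " + org.bouncycastle.util.encoders.Base64.toBase64String(header.getRecipNonce().getOctets()));
        }
        if (header.getSenderNonce() == null) {
            trace("no sender nonce");
        } else {
            trace("sender nonce : " + org.bouncycastle.util.encoders.Base64.toBase64String(header.getSenderNonce().getOctets()));
        }
        PKIBody body = received.getBody();
        int type = body.getType();
        if (type == PKIBody.TYPE_ERROR) {
            handleCMPError(body);
            return null;
        }
        if (type != PKIBody.TYPE_REVOCATION_REP) {
            throw new GeneralSecurityException("unexpected PKI body type :" + type);
        }
        trace("Rev response received");
        if (body.getContent() == null) {
            return null;
        }
        RevRepContent revRepContent = RevRepContent.getInstance(body.getContent());

        // A revocation response can still say "rejected"; the body type alone
        // does not mean the certificate was revoked.
        PKIStatusInfo[] statusInfos = revRepContent.getStatus();
        if (statusInfos != null) {
            for (PKIStatusInfo statusInfo : statusInfos) {
                BigInteger statusCode = statusInfo.getStatus();
                if (!BigInteger.ZERO.equals(statusCode) && !BigInteger.ONE.equals(statusCode)) {
                    throw new GeneralSecurityException("revocation not granted by CA, status :" + statusCode + ", failInfo :" + statusInfo.getFailInfo());
                }
            }
        }

        CertId[] revCerts = revRepContent.getRevCerts();
        if (revCerts != null) {
            for (CertId certId : revCerts) {
                trace("revoked certId : " + certId.getIssuer() + " / " + certId.getSerialNumber().getValue());
            }
        } else {
            trace("no certId ");
        }
        return revRepContent;
    }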

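    /**
     * Reports a CMP error body and always throws.
     *
     * <p>Null checks replace the swallowed {@code NullPointerException}, the
     * status info is checked before its fail info is read, and the exception
     * no longer carries an empty message when the CA sent no error code.
     *
     * @param pKIBody body of type "error" taken from the response
     * @throws GeneralSecurityException always, describing the CA's error
     */
    private void handleCMPError(PKIBody pKIBody) throws GeneralSecurityException {
        ErrorMsgContent errorMsgContent = ErrorMsgContent.getInstance(pKIBody.getContent());
        if (errorMsgContent == null) {
            throw new GeneralSecurityException("CMP error response received without content");
        }
        PKIStatusInfo statusInfo = errorMsgContent.getPKIStatusInfo();
        String message = "";
        if (errorMsgContent.getErrorCode() != null) {
            message = "errMsg : #" + errorMsgContent.getErrorCode() + " " + errorMsgContent.getErrorDetails() + " / " + (statusInfo == null ? null : statusInfo.getFailInfo());
            log(message);
        }
        if (statusInfo != null) {
            PKIFreeText statusString = statusInfo.getStatusString();
            if (statusString != null) {
                for (int i = 0; i < statusString.size(); i++) {
                    trace("#" + i + ": " + statusString.getStringAt(i));
                }
            }
        }
        if (message.isEmpty()) {
            // Without an error code, fall back to what the status info offers.
            message = statusInfo == null
                    ? "CMP error response received"
                    : "CMP error response received, status : " + statusInfo.getStatus() + ", failInfo : " + statusInfo.getFailInfo();
        }
        throw new GeneralSecurityException(message);
    }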

    /**
     * Traces protocol version, sender, recipient, body type and transaction id
     * of a received message. All of these come from the message itself and are
     * traced before any protection check has run.
     *
     * @param generalPKIMessage the parsed message
     */
    private void printPKIMessageInfo(GeneralPKIMessage generalPKIMessage) {
        final PKIHeader msgHeader = generalPKIMessage.getHeader();
        final PKIBody msgBody = generalPKIMessage.getBody();
        String protectionLabel = "";
        if (generalPKIMessage.hasProtection()) {
            protectionLabel = " protected ";
        }
        trace("Received " + protectionLabel
                + "CMP message with pvno=" + msgHeader.getPvno()
                + ", sender=" + msgHeader.getSender().toString()
                + ", recipient=" + msgHeader.getRecipient().toString());
        trace("Body is of type: " + msgBody.getType());
        trace("Transaction id: " + msgHeader.getTransactionID());
    }

    /**
     * Reads the first PEM object from the stream and returns it if it is a
     * PKCS#10 certification request.
     *
     * <p>The parser, and with it the stream, is closed before returning. The
     * reader uses the platform default charset.
     *
     * @param inputStream PEM-encoded input
     * @return the request, or {@code null} if the first PEM object is of
     *         another type
     * @throws GeneralSecurityException if no PEM object is found or reading fails
     */
    public PKCS10CertificationRequest convertPemToPKCS10CertificationRequest(InputStream inputStream) throws GeneralSecurityException {
        final PEMParser parser = new PEMParser(new InputStreamReader(inputStream));
        try {
            try {
                final Object pemObject = parser.readObject();
                if (pemObject == null) {
                    throw new GeneralSecurityException("Parsing of CSR failed! Not PEM encoded?");
                }
                // Any other PEM object type yields null rather than an exception.
                return (pemObject instanceof PKCS10CertificationRequest)
                        ? (PKCS10CertificationRequest) pemObject
                        : null;
            } finally {
                try {
                    parser.close();
                } catch (IOException closeFailure) {
                    log("IOException on close()", closeFailure);
                }
            }
        } catch (IOException readFailure) {
            log("IOException, convertPemToPublicKey", readFailure);
            throw new GeneralSecurityException("Parsing of CSR failed! Not PEM encoded?");
        }
    }

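    /**
     * Creates a message builder with a fresh sender nonce, transaction id and
     * sender key id.
     *
     * <p>Nonce and transaction id are now two independent 128-bit values from
     * the client's {@code SecureRandom}, the size RFC 4210 recommends for both
     * fields. Previously nonce, transaction id and key id were text built from
     * a single 64-bit value, so each one disclosed the other two. The key id
     * keeps its {@code "keyId" + number} form.
     *
     * @param x500Name  recipient name
     * @param x500Name2 sender name
     * @return a builder with header fields set and no body
     */
    ProtectedPKIMessageBuilder getPKIBuilder(X500Name x500Name, X500Name x500Name2) {
        byte[] senderNonce = new byte[16];
        this.secRandom.nextBytes(senderNonce);
        byte[] transactionId = new byte[16];
        this.secRandom.nextBytes(transactionId);
        byte[] senderKeyId = ("keyId" + this.secRandom.nextLong()).getBytes();
        return getPKIBuilder(x500Name, x500Name2, senderNonce, null, transactionId, senderKeyId, null);
    }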

    /**
     * Creates a message builder with the current time as message time and
     * whichever optional header fields are supplied.
     *
     * <p>Note the argument order: the second name is the sender, the first
     * the recipient.
     *
     * @param x500Name  recipient name
     * @param x500Name2 sender name
     * @param bArr      sender nonce, or {@code null} to leave unset
     * @param bArr2     recipient nonce, or {@code null} to leave unset
     * @param bArr3     transaction id, or {@code null} to leave unset
     * @param bArr4     sender key id, or {@code null} to leave unset
     * @param bArr5     recipient key id, or {@code null} to leave unset
     * @return the configured builder, without a body
     */
    public ProtectedPKIMessageBuilder getPKIBuilder(X500Name x500Name, X500Name x500Name2, byte[] bArr, byte[] bArr2, byte[] bArr3, byte[] bArr4, byte[] bArr5) {
        final GeneralName sender = new GeneralName(x500Name2);
        final GeneralName recipient = new GeneralName(x500Name);
        final ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(sender, recipient);
        builder.setMessageTime(new Date());
        // Each optional header field is applied only when a value was given.
        if (bArr != null) builder.setSenderNonce(bArr);
        if (bArr2 != null) builder.setRecipNonce(bArr2);
        if (bArr3 != null) builder.setTransactionID(bArr3);
        if (bArr4 != null) builder.setSenderKID(bArr4);
        if (bArr5 != null) builder.setRecipKID(bArr5);
        return builder;
    }

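    /**
     * Maps a textual revocation reason to a {@code CRLReason}.
     *
     * <p>The input is first parsed as a decimal reason code. If that fails, it is matched
     * case-insensitively against the RFC 5280 reason names. Input that matches neither still
     * yields reason 0 ({@code unspecified}), as before, but a warning is now written. This makes
     * a mistyped reason such as a misspelt {@code keyCompromise} visible instead of silently
     * downgrading it. A numeric code outside the RFC 5280 set is passed on unchanged, also with a
     * warning.
     *
     * @param str reason code or reason name; {@code null} or blank means {@code unspecified}
     * @return the reason returned by {@code CRLReason.lookup} for the resolved code
     */
    public CRLReason crlReasonFromString(String str) {
        // RFC 5280 reason names and their codes; code 7 is not assigned.
        final String[] reasonNames = {
            "unspecified", "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
            "cessationOfOperation", "certificateHold", "removeFromCRL", "privilegeWithdrawn", "aACompromise"
        };
        final int[] reasonCodes = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10};

        int code = 0;
        boolean recognised = false;
        try {
            code = Integer.parseInt(str);
            recognised = code >= 0 && code <= 10 && code != 7;
        } catch (NumberFormatException notNumeric) {
            // Not a number (or null): fall back to the name table.
            for (int idx = 0; idx < reasonNames.length; idx++) {
                if (reasonNames[idx].equalsIgnoreCase(str)) {
                    code = reasonCodes[idx];
                    recognised = true;
                    break;
                }
            }
        }

        // An absent reason is treated as a deliberate "unspecified" and stays silent.
        final boolean absent = str == null || str.trim().isEmpty();
        if (!recognised && !absent) {
            warn("CRL reason '" + str + "' is not a reason code or name defined by RFC 5280, using value " + code);
        }
        return CRLReason.lookup(code);
    }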

    /**
     * Creates the builder for the password-based MAC that protects CMP messages.
     *
     * <p>The calculator is set up with SHA-1 as the one-way function and HMAC-SHA1 as the MAC.
     * Iteration count and salt length are not set here, so the {@code PKMACBuilder} defaults apply.
     *
     * @return a builder bound to a freshly configured JCE calculator
     * @throws CRMFException if the calculator cannot be set up with these algorithms
     */
    public PKMACBuilder getMacCalculatorBuilder() throws CRMFException {
        final JcePKMACValuesCalculator calculator = new JcePKMACValuesCalculator();

        // 1.3.14.3.2.26 = SHA-1 (OIW), 1.2.840.113549.2.7 = HMAC-SHA1.
        // NOTE(review): these are the long-standing CMP password-based-MAC algorithms. If the CA
        // accepts a SHA-256-based variant, prefer it. Any change must be agreed with the server side.
        final AlgorithmIdentifier owfAlgorithm = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
        final AlgorithmIdentifier macAlgorithm = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.2.7"));
        calculator.setup(owfAlgorithm, macAlgorithm);

        return new PKMACBuilder(calculator);
    }

    /**
     * Derives a MAC calculator from a shared secret.
     *
     * @param str the shared secret; must not be {@code null}
     * @return a calculator built by {@link #getMacCalculatorBuilder()} for that secret
     * @throws CRMFException if the builder cannot be created or the calculator cannot be built
     */
    public MacCalculator getMacCalculator(String str) throws CRMFException {
        final PKMACBuilder macBuilder = getMacCalculatorBuilder();
        // NOTE(review): the secret arrives as an immutable String, and the char[] copy made here is
        // not cleared afterwards, so both stay in memory until garbage-collected.
        final char[] secretChars = str.toCharArray();
        return macBuilder.build(secretChars);
    }

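    /**
     * Decodes the first ASN.1 object contained in a byte array.
     *
     * <p>Only one object is read. Bytes that follow it are not examined, so callers that need
     * strict parsing of untrusted input must check for trailing data themselves.
     *
     * @param bArr the encoded bytes; must not be {@code null}
     * @return the decoded object (presumably {@code null} when the input is empty; confirm
     *         against the BouncyCastle version in use)
     * @throws IOException if the bytes cannot be decoded
     */
    public ASN1Primitive getDERObject(byte[] bArr) throws IOException {
        // try-with-resources closes the stream on every path. Unlike the hand-written
        // catch/close/rethrow, a failure in close() is attached as a suppressed exception
        // and cannot replace the original decoding error.
        try (ASN1InputStream aSN1InputStream = new ASN1InputStream(bArr)) {
            return aSN1InputStream.readObject();
        }
    }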

    /**
     * Computes the SHA-256 digest of the given bytes and returns it Base64-encoded.
     *
     * @param bArr the data to hash; must not be {@code null}
     * @return the Base64 text of the 32-byte digest
     * @throws GeneralSecurityException if no SHA-256 implementation is available
     */
    String getHashAsBase64(byte[] bArr) throws GeneralSecurityException {
        final byte[] sha256 = MessageDigest.getInstance("SHA-256").digest(bArr);
        return org.bouncycastle.util.encoders.Base64.toBase64String(sha256);
    }

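    /**
     * POSTs an encoded CMP message to the given endpoint and returns the raw response body.
     *
     * <p>Changes compared with the previous implementation:
     * <ul>
     *   <li>only {@code http} and {@code https} URLs are accepted; other schemes now fail with an
     *       {@code IOException} instead of a {@code ClassCastException};</li>
     *   <li>connect and read timeouts are set, so an unresponsive server cannot block the caller
     *       indefinitely;</li>
     *   <li>the status code is checked before the body is read, and the body is capped in size, so
     *       a faulty or hostile endpoint cannot make the client buffer unbounded data;</li>
     *   <li>both streams are closed and the connection is released on every path.</li>
     * </ul>
     *
     * <p>No TLS settings are configured here; for {@code https} the JVM defaults apply.
     * The returned bytes are unauthenticated at this point. Presumably the caller verifies the
     * CMP message protection before trusting them; confirm at the call sites.
     *
     * @param str  the endpoint URL
     * @param bArr the request body
     * @return the response body
     * @throws IOException on an unsupported scheme, a transport failure, a status other than 200
     *                     or an over-long response
     */
    public byte[] sendHttpReq(String str, byte[] bArr) throws IOException {
        // Defensive bounds; generous for a CMP exchange. Adjust if the deployment needs more.
        final int connectTimeoutMillis = 30000;
        final int readTimeoutMillis = 120000;
        final int maxResponseBytes = 16 * 1024 * 1024;

        trace("Sending request to: " + str);
        final long startMillis = System.currentTimeMillis();

        final URL url = new URL(str);
        final String protocol = url.getProtocol();
        if (!"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol)) {
            throw new IOException("Unsupported protocol for CMP endpoint: " + protocol);
        }

        final HttpURLConnection httpURLConnection = (HttpURLConnection) url.openConnection();
        try {
            httpURLConnection.setConnectTimeout(connectTimeoutMillis);
            httpURLConnection.setReadTimeout(readTimeoutMillis);
            httpURLConnection.setDoOutput(true);
            httpURLConnection.setRequestMethod("POST");
            httpURLConnection.setRequestProperty("Content-Type", "application/octet-stream;charset=UTF-8");

            try (OutputStream outputStream = httpURLConnection.getOutputStream()) {
                outputStream.write(bArr);
            }

            // Check the status first so that an error body is never buffered.
            final int responseCode = httpURLConnection.getResponseCode();
            if (responseCode != 200) {
                throw new IOException("Error sending CMP request. Response codse != 200 : " + responseCode);
            }

            final ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            try (InputStream inputStream = httpURLConnection.getInputStream()) {
                // The original sized this buffer with PKIFailureInfo.certConfirmed, which looks like
                // a decompiler substituting a constant that happens to equal 4096.
                final byte[] buffer = new byte[4096];
                int read;
                while ((read = inputStream.read(buffer)) > 0) {
                    if (byteArrayOutputStream.size() + read > maxResponseBytes) {
                        throw new IOException("CMP response exceeds " + maxResponseBytes + " bytes");
                    }
                    byteArrayOutputStream.write(buffer, 0, read);
                }
            }

            trace("# " + byteArrayOutputStream.size() + " response bytes recieved");
            trace("Received certificate reply.");
            trace("duration of remote CMP call " + (System.currentTimeMillis() - startMillis));
            return byteArrayOutputStream.toByteArray();
        } finally {
            httpURLConnection.disconnect();
        }
    }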

    /**
     * Writes a warning line to standard error.
     *
     * @param str the warning text
     */
    void warn(String str) {
        final String line = " WARN: " + str;
        System.err.println(line);
    }

    /**
     * Writes an informational line to standard output.
     *
     * @param str the message text
     */
    void log(String str) {
        final String line = " log: " + str;
        System.out.println(line);
    }

    /**
     * Writes a message to standard output and then prints the stack trace of the exception.
     *
     * @param str the message text
     * @param exc the exception whose stack trace is printed; must not be {@code null}
     */
    void log(String str, Exception exc) {
        final String line = "  log: " + str;
        System.out.println(line);
        // NOTE(review): the full stack trace goes to the console. Check that this output is not
        // exposed to parties who should not see internal details.
        exc.printStackTrace();
    }

    /**
     * Writes a trace line to standard output when verbose mode is enabled.
     *
     * @param str the trace text
     */
    void trace(String str) {
        if (!this.verbose) {
            return;
        }
        final String line = "trace: " + str;
        System.out.println(line);
    }
}
