package net.ripe.rpki.commons.provisioning.x509.pkcs10;

import java.io.IOException;
import java.net.URI;
import java.security.PublicKey;
import java.util.Enumeration;
import net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCSException;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;

/* loaded from: input_file:net/ripe/rpki/commons/provisioning/x509/pkcs10/RpkiCaCertificateRequestParser.class */
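/**
 * Parses a PKCS#10 certification request for an RPKI CA certificate and exposes the
 * requested public key and the Subject Information Access (SIA) URIs it carries.
 *
 * <p>All parsing and the signature check run inside the constructor, so an instance only
 * exists when the request contained a public key, a CA repository URI and a manifest URI,
 * and its signature verified against the embedded public key. The request is
 * attacker-controllable input: every structural problem is reported as a
 * {@link RpkiCaCertificateRequestParserException} rather than an unchecked exception.
 *
 * <p>NOTE(review): the URIs are returned exactly as the access descriptor yields them; this
 * class does not check their scheme or host, and it does not check the key algorithm or key
 * size. Callers that act on these values should confirm that validation happens elsewhere.
 */
public class RpkiCaCertificateRequestParser {
    /** JCA provider used to build the content verifier for the request signature. */
    private static final String DEFAULT_SIGNATURE_PROVIDER = "SunRsaSign";
    private final JcaPKCS10CertificationRequest pkcs10CertificationRequest;
    private URI caRepositoryUri;
    private URI manifestUri;
    private PublicKey publicKey;

    /**
     * Parses and verifies the given request.
     *
     * @param pKCS10CertificationRequest the certification request to parse
     * @throws RpkiCaCertificateRequestParserException if the request is malformed, lacks the
     *         public key or either SIA URI, or its signature does not verify
     */
    public RpkiCaCertificateRequestParser(PKCS10CertificationRequest pKCS10CertificationRequest) throws RpkiCaCertificateRequestParserException {
        this.pkcs10CertificationRequest = new JcaPKCS10CertificationRequest(pKCS10CertificationRequest);
        process();
        if (this.caRepositoryUri == null) {
            throw new RpkiCaCertificateRequestParserException("No CA Repository URI included in SIA in request");
        }
        if (this.manifestUri == null) {
            throw new RpkiCaCertificateRequestParserException("No Manifest URI included in SIA in request");
        }
        if (this.publicKey == null) {
            throw new RpkiCaCertificateRequestParserException("No Public Key included in request");
        }
    }

    /** @return the CA repository URI taken from the request's SIA extension */
    public URI getCaRepositoryUri() {
        return this.caRepositoryUri;
    }

    /** @return the manifest URI taken from the request's SIA extension */
    public URI getManifestUri() {
        return this.manifestUri;
    }

    /** @return the public key embedded in the request */
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /**
     * Runs the parsing steps in order. The SIA attributes are read before the signature is
     * checked, but none of the extracted values is observable unless every step succeeds,
     * because the constructor propagates any failure.
     */
    private void process() throws RpkiCaCertificateRequestParserException {
        extractPublicKey();
        extractSiaUris();
        verifyRequest();
    }

    /** Reads the subject public key out of the request, wrapping any failure. */
    private void extractPublicKey() throws RpkiCaCertificateRequestParserException {
        try {
            this.publicKey = this.pkcs10CertificationRequest.getPublicKey();
        } catch (Exception e) {
            throw new RpkiCaCertificateRequestParserException(e);
        }
    }

    /**
     * Decodes the SIA extension from the PKCS#9 extension request and records the CA
     * repository and manifest locations. Any other access method is rejected. If a method
     * occurs more than once, the last occurrence wins.
     *
     * @throws RpkiCaCertificateRequestParserException if the SIA extension is absent, is not
     *         an ASN.1 sequence, holds an undecodable descriptor, or uses an unknown method
     */
    private void extractSiaUris() throws RpkiCaCertificateRequestParserException {
        Extensions extensions = getPkcs9Extensions();
        // A request without SIA would otherwise surface as a NullPointerException.
        if (extensions.getExtension(X509Extension.subjectInfoAccess) == null) {
            throw new RpkiCaCertificateRequestParserException("No SIA extension included in request");
        }
        try {
            byte[] siaOctets = extensions.getExtension(X509Extension.subjectInfoAccess).getExtnValue().getOctets();
            Object decoded = ASN1Sequence.fromByteArray(siaOctets);
            // The extension value is untrusted; check the decoded type before treating it as a sequence.
            if (!(decoded instanceof ASN1Sequence)) {
                throw new RpkiCaCertificateRequestParserException("SIA extension is not an ASN.1 sequence");
            }
            Enumeration<?> descriptors = ((ASN1Sequence) decoded).getObjects();
            while (descriptors.hasMoreElements()) {
                X509CertificateInformationAccessDescriptor descriptor = new X509CertificateInformationAccessDescriptor(AccessDescription.getInstance(descriptors.nextElement()));
                ASN1ObjectIdentifier method = descriptor.getMethod();
                if (method.equals(X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY)) {
                    this.caRepositoryUri = descriptor.getLocation();
                } else if (method.equals(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_MANIFEST)) {
                    this.manifestUri = descriptor.getLocation();
                } else {
                    throw new RpkiCaCertificateRequestParserException("Don't understand access descriptor using method: " + method);
                }
            }
        } catch (IOException e) {
            throw new RpkiCaCertificateRequestParserException(e);
        } catch (IllegalArgumentException e) {
            // Malformed descriptors must not escape as unchecked exceptions.
            throw new RpkiCaCertificateRequestParserException("Could not parse SIA access descriptor", e);
        }
    }

    /**
     * Returns the extensions carried in the first value of the PKCS#9 extension request.
     *
     * @throws RpkiCaCertificateRequestParserException if the attribute has no values or the
     *         first value is neither an {@code Extensions} nor an {@code ASN1Sequence}
     */
    private Extensions getPkcs9Extensions() throws RpkiCaCertificateRequestParserException {
        Enumeration<?> values = getPkcs9ExtensionRequest().getObjects();
        // An empty attribute value set would otherwise fail inside nextElement().
        if (!values.hasMoreElements()) {
            throw new RpkiCaCertificateRequestParserException("PKCS 9 Extension Request is empty");
        }
        Object nextElement = values.nextElement();
        if (nextElement instanceof Extensions) {
            return (Extensions) nextElement;
        }
        if (nextElement instanceof ASN1Sequence) {
            try {
                return Extensions.getInstance((ASN1Sequence) nextElement);
            } catch (IllegalArgumentException e) {
                throw new RpkiCaCertificateRequestParserException("Could not parse PKCS 9 Extension Request", e);
            }
        }
        throw new RpkiCaCertificateRequestParserException("Encountered an element I do not understand, type: " + nextElement.getClass().getSimpleName());
    }

    /**
     * Finds the PKCS#9 extensionRequest attribute of the request.
     *
     * @return the attribute's value set
     * @throws RpkiCaCertificateRequestParserException if the request has no such attribute
     */
    private ASN1Set getPkcs9ExtensionRequest() throws RpkiCaCertificateRequestParserException {
        for (Attribute attribute : this.pkcs10CertificationRequest.getAttributes()) {
            if (attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
                return attribute.getAttrValues();
            }
        }
        throw new RpkiCaCertificateRequestParserException("Could not find PKCS 9 Extension Request");
    }

    /**
     * Checks the request's self-signature against the public key it carries, which shows
     * that the requester holds the matching private key.
     *
     * @throws RpkiCaCertificateRequestParserException if the signature is invalid or the
     *         verifier cannot be created
     */
    private void verifyRequest() throws RpkiCaCertificateRequestParserException {
        try {
            boolean signatureValid = this.pkcs10CertificationRequest.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().setProvider(DEFAULT_SIGNATURE_PROVIDER).build(this.publicKey));
            if (!signatureValid) {
                throw new RpkiCaCertificateRequestParserException("signature validation failed");
            }
        } catch (PKCSException e) {
            throw new RpkiCaCertificateRequestParserException("Could not verify request", e);
        } catch (OperatorCreationException e2) {
            throw new RpkiCaCertificateRequestParserException("Could not verify request", e2);
        }
    }
}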
