package org.xipki.ca.server;

import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
import org.bouncycastle.cert.X509CertificateHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.security.HashAlgo;
import org.xipki.security.X509Cert;
import org.xipki.security.ctlog.CtLog;
import org.xipki.security.ctlog.CtLogMessages;
import org.xipki.security.util.JSON;
import org.xipki.util.Args;
import org.xipki.util.Curl;
import org.xipki.util.DefaultCurl;
import org.xipki.util.Hex;
import org.xipki.util.StringUtil;
import org.xipki.util.exception.ErrorCode;
import org.xipki.util.exception.OperationException;
import org.xipki.util.http.SslContextConf;

/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/CtLogClient.class */
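/**
 * Submits pre-certificates to Certificate Transparency logs through the
 * {@code ct/v1/add-pre-chain} endpoint and collects the returned Signed
 * Certificate Timestamps (SCTs).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>An SCT is signature-checked only when the supplied
 *       {@link CtLogPublicKeyFinder} returns a key for the log id contained in the
 *       response. Without a key the SCT is accepted unverified and a warning is
 *       logged (fail-open).</li>
 *   <li>The verification key is selected by the log id taken from the response,
 *       not by the URL the request was sent to.</li>
 *   <li>Transport security depends entirely on the {@link SslContextConf} handed to
 *       the constructor and on the scheme of the configured URLs.</li>
 * </ul>
 */
public class CtLogClient {
    private static final Logger LOG = LoggerFactory.getLogger(CtLogClient.class);

    /** Path of the add-pre-chain endpoint, relative to a log's base URL. */
    private static final String ADD_PRE_CHAIN_PATH = "ct/v1/add-pre-chain";

    private final Curl curl;
    private final List<String> addPreChainUrls;

    /**
     * Creates a client for the given CT log servers.
     *
     * @param list base URLs of the CT log servers; must not be empty. Each URL is
     *     extended with {@code ct/v1/add-pre-chain}. The URLs are used as given;
     *     no scheme or host validation is done here.
     * @param sslContextConf TLS configuration passed to the HTTP client.
     */
    public CtLogClient(List<String> list, SslContextConf sslContextConf) {
        Args.notEmpty(list, "serverUrls");
        this.curl = new DefaultCurl(sslContextConf);
        this.addPreChainUrls = new ArrayList<>(list.size());
        for (String serverUrl : list) {
            String separator = serverUrl.endsWith("/") ? "" : "/";
            this.addPreChainUrls.add(serverUrl + separator + ADD_PRE_CHAIN_PATH);
        }
    }

    /**
     * Sends the pre-certificate chain to every configured log and returns the SCTs.
     *
     * <p>The request chain is built as: {@code x509CertificateHolder}, then
     * {@code x509Cert}, then every entry of {@code list}. The signed data handed to
     * {@code CtLog.update} uses the SHA-256 hash of {@code x509Cert}'s
     * SubjectPublicKeyInfo and the pre-certificate TBS derived from
     * {@code x509CertificateHolder}.
     *
     * @param x509CertificateHolder the certificate submitted as first chain element
     *     (presumably the pre-certificate).
     * @param x509Cert the second chain element, whose public key is hashed
     *     (presumably the issuer certificate).
     * @param list further chain certificates, may be {@code null}.
     * @param ctLogPublicKeyFinder source of log public keys, may be {@code null};
     *     SCTs of logs without a key are accepted unverified.
     * @return the SCT list, one entry per configured log URL.
     * @throws OperationException with {@code SYSTEM_FAILURE} if the request cannot
     *     be built, a log cannot be reached, returns no content, or returns an SCT
     *     whose signature does not verify.
     */
    public CtLog.SignedCertificateTimestampList getCtLogScts(X509CertificateHolder x509CertificateHolder, X509Cert x509Cert, List<X509Cert> list, CtLogPublicKeyFinder ctLogPublicKeyFinder) throws OperationException {
        CtLogMessages.AddPreChainRequest addPreChainRequest = new CtLogMessages.AddPreChainRequest();
        List<byte[]> chain = new LinkedList<>();
        addPreChainRequest.setChain(chain);

        byte[] issuerKeyHash;
        byte[] preCertTbsCert;
        byte[] requestBytes;
        try {
            byte[] encodedPreCert = x509CertificateHolder.getEncoded();
            // hash(...) takes an array of byte arrays; the single element is the encoded SPKI.
            issuerKeyHash = HashAlgo.SHA256.hash(new byte[][] {x509Cert.getSubjectPublicKeyInfo().getEncoded()});
            preCertTbsCert = CtLog.getPreCertTbsCert(x509CertificateHolder.toASN1Structure().getTBSCertificate());

            chain.add(encodedPreCert);
            chain.add(x509Cert.getEncoded());
            if (list != null) {
                for (X509Cert chainCert : list) {
                    chain.add(chainCert.getEncoded());
                }
            }
            requestBytes = JSON.toJSONBytes(addPreChainRequest);
        } catch (IOException e) {
            // The thrown exception carries only the message, so keep the cause in the log.
            LOG.warn("could not build the CT add-pre-chain request", e);
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, e.getMessage());
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("CTLog Request: {}", StringUtil.toUtf8String(requestBytes));
        }

        List<CtLog.SignedCertificateTimestamp> scts = new ArrayList<>(this.addPreChainUrls.size());
        HashMap<String, String> headers = new HashMap<>();
        headers.put("content-type", "application/json");

        for (String url : this.addPreChainUrls) {
            try {
                scts.add(requestSct(url, headers, requestBytes, issuerKeyHash, preCertTbsCert, ctLogPublicKeyFinder));
            } catch (OperationException e) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "error while calling " + url + ": " + e.getMessage());
            } catch (Exception e) {
                // Covers transport, JSON and decoding failures; log the cause before it is flattened.
                LOG.warn("error while calling CT log {}", url, e);
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "error while calling " + url + ": " + e.getMessage());
            }
        }
        return new CtLog.SignedCertificateTimestampList(new CtLog.SerializedSCT(scts));
    }

    /** Posts the request to one log, checks the SCT signature if a key is known, and returns the SCT. */
    private CtLog.SignedCertificateTimestamp requestSct(String url, HashMap<String, String> headers, byte[] requestBytes, byte[] issuerKeyHash, byte[] preCertTbsCert, CtLogPublicKeyFinder ctLogPublicKeyFinder) throws Exception {
        byte[] content = this.curl.curlPost(url, false, headers, null, requestBytes).getContent();
        if (content == null) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "server does not return any content while responding " + url);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("CTLog Response: {}", StringUtil.toUtf8String(content));
        }

        CtLogMessages.AddPreChainResponse response = (CtLogMessages.AddPreChainResponse) JSON.parseObject(content, CtLogMessages.AddPreChainResponse.class);
        CtLog.DigitallySigned digitallySigned = CtLog.DigitallySigned.getInstance(response.getSignature(), new AtomicInteger(0));
        byte sctVersion = response.getSct_version();
        byte[] logId = response.getId();
        String logIdHex = Hex.encodeUpper(logId);
        long timestamp = response.getTimestamp();
        byte[] extensions = response.getExtensions();

        // The key is looked up by the log id claimed in the response.
        PublicKey publicKey = ctLogPublicKeyFinder == null ? null : ctLogPublicKeyFinder.getPublicKey(logId);
        if (publicKey == null) {
            // NOTE(review): fail-open. The SCT is returned without any signature check when no key is
            // configured for this log id. Confirm this is intended; deployments that require verified
            // SCTs need a public key for every configured log and should alert on this warning.
            LOG.warn("could not find CtLog public key 0x{} to verify the SCT", logIdHex);
        } else {
            verifySct(publicKey, digitallySigned, sctVersion, timestamp, extensions, issuerKeyHash, preCertTbsCert, logIdHex);
        }
        return new CtLog.SignedCertificateTimestamp(sctVersion, logId, timestamp, extensions, digitallySigned);
    }

    /** Verifies the SCT signature with the given log key; throws if it is invalid or cannot be checked. */
    private static void verifySct(PublicKey publicKey, CtLog.DigitallySigned digitallySigned, byte sctVersion, long timestamp, byte[] extensions, byte[] issuerKeyHash, byte[] preCertTbsCert, String logIdHex) throws OperationException {
        boolean valid;
        try {
            Signature verifier = Signature.getInstance(getSignatureAlgo(digitallySigned.getAlgorithm()), "BC");
            verifier.initVerify(publicKey);
            CtLog.update(verifier, sctVersion, timestamp, extensions, issuerKeyHash, preCertTbsCert);
            valid = verifier.verify(digitallySigned.getSignature());
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException e) {
            // The thrown message is generic; log the cause so the failure can be diagnosed.
            LOG.warn("error verifying SCT signature of CtLog 0x{}", logIdHex, e);
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "error verifying SCT signature");
        }
        if (!valid) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "SCT signature is invalid");
        }
        LOG.info("verified SCT signature with logId {} and timestamp {}", logIdHex, timestamp);
    }

    /**
     * Maps the hash and signature algorithm pair of an SCT to a JCA signature
     * algorithm name such as {@code SHA256WITHECDSA}.
     *
     * @throws OperationException with {@code SYSTEM_FAILURE} for any hash other than
     *     sha1/sha256/sha384/sha512 or any signature algorithm other than ecdsa/rsa.
     */
    private static String getSignatureAlgo(CtLog.SignatureAndHashAlgorithm signatureAndHashAlgorithm) throws OperationException {
        String hashName;
        switch (signatureAndHashAlgorithm.getHash()) {
            case sha1:
                // NOTE(review): the algorithm is taken from the log's response, and SHA-1 is accepted
                // here. RFC 6962 logs sign with SHA-256; consider rejecting sha1 if no configured log
                // needs it.
                hashName = "SHA1";
                break;
            case sha256:
                hashName = "SHA256";
                break;
            case sha384:
                hashName = "SHA384";
                break;
            case sha512:
                hashName = "SHA512";
                break;
            default:
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "unsupported hash algorithm " + signatureAndHashAlgorithm.getHash());
        }

        CtLog.SignatureAlgorithm signature = signatureAndHashAlgorithm.getSignature();
        String signatureName;
        if (CtLog.SignatureAlgorithm.ecdsa == signature) {
            signatureName = "ECDSA";
        } else if (CtLog.SignatureAlgorithm.rsa == signature) {
            signatureName = "RSA";
        } else {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "unsupported signature algorithm " + signatureAndHashAlgorithm.getSignature());
        }
        return hashName + "WITH" + signatureName;
    }
}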
