package org.xipki.cmp.client.internal;

import java.io.IOException;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Random;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers;
import org.bouncycastle.asn1.cmp.CertRepMessage;
import org.bouncycastle.asn1.cmp.CertResponse;
import org.bouncycastle.asn1.cmp.CertifiedKeyPair;
import org.bouncycastle.asn1.cmp.ErrorMsgContent;
import org.bouncycastle.asn1.cmp.GenMsgContent;
import org.bouncycastle.asn1.cmp.GenRepContent;
import org.bouncycastle.asn1.cmp.InfoTypeAndValue;
import org.bouncycastle.asn1.cmp.PBMParameter;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIFreeText;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIHeaderBuilder;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cmp.PKIStatusInfo;
import org.bouncycastle.asn1.cmp.RevDetails;
import org.bouncycastle.asn1.cmp.RevRepContent;
import org.bouncycastle.asn1.cmp.RevReqContent;
import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.EnvelopedData;
import org.bouncycastle.asn1.cms.GCMParameters;
import org.bouncycastle.asn1.crmf.AttributeTypeAndValue;
import org.bouncycastle.asn1.crmf.CertId;
import org.bouncycastle.asn1.crmf.CertReqMessages;
import org.bouncycastle.asn1.crmf.CertReqMsg;
import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
import org.bouncycastle.asn1.crmf.EncryptedKey;
import org.bouncycastle.asn1.crmf.EncryptedValue;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PBES2Parameters;
import org.bouncycastle.asn1.pkcs.PBKDF2Params;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.pkcs.RSAESOAEPparams;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.cmp.CMPException;
import org.bouncycastle.cert.cmp.CertificateConfirmationContentBuilder;
import org.bouncycastle.cert.cmp.GeneralPKIMessage;
import org.bouncycastle.cert.cmp.ProtectedPKIMessage;
import org.bouncycastle.cert.crmf.PKMACBuilder;
import org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator;
import org.bouncycastle.cms.CMSAlgorithm;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.PasswordRecipientInformation;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.bc.BcPasswordEnvelopedRecipient;
import org.bouncycastle.cms.jcajce.JceKeyAgreeEnvelopedRecipient;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.crypto.agreement.ECDHBasicAgreement;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.engines.IESEngine;
import org.bouncycastle.crypto.generators.KDF2BytesGenerator;
import org.bouncycastle.crypto.macs.HMac;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher;
import org.bouncycastle.crypto.util.DigestFactory;
import org.bouncycastle.jcajce.provider.asymmetric.ec.IESCipher;
import org.bouncycastle.jcajce.spec.PBKDF2KeySpec;
import org.bouncycastle.jce.spec.IESParameterSpec;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.DefaultSecretKeySizeProvider;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.cmp.CmpUtf8Pairs;
import org.xipki.cmp.CmpUtil;
import org.xipki.cmp.ProtectionResult;
import org.xipki.cmp.ProtectionVerificationResult;
import org.xipki.cmp.VerifiedPkiMessage;
import org.xipki.cmp.client.CmpClientException;
import org.xipki.cmp.client.EnrollCertRequest;
import org.xipki.cmp.client.PkiErrorException;
import org.xipki.cmp.client.Requestor;
import org.xipki.cmp.client.RevokeCertRequest;
import org.xipki.cmp.client.UnrevokeCertRequest;
import org.xipki.cmp.client.internal.Responder;
import org.xipki.cmp.client.internal.ResultEntry;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.CrlReason;
import org.xipki.security.HashAlgo;
import org.xipki.security.NoIdleSignerException;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignAlgo;
import org.xipki.security.X509Cert;
import org.xipki.security.XiSecurityException;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.DateUtil;
import org.xipki.util.Hex;
import org.xipki.util.LogUtil;
import org.xipki.util.PermissionConstants;
import org.xipki.util.ReqRespDebug;
import org.xipki.util.http.HttpRespContent;
import org.xipki.util.http.XiHttpClient;

/* loaded from: input_file:WEB-INF/lib/cmp-client-6.1.0.jar:org/xipki/cmp/client/internal/CmpAgent.class */
class CmpAgent {
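    /** Media type for the CMP-over-HTTP request body. */
    private static final String CMP_REQUEST_MIMETYPE = "application/pkixcmp";
    /** Media type for the CMP-over-HTTP response body. */
    private static final String CMP_RESPONSE_MIMETYPE = "application/pkixcmp";
    /** Pseudo status used in result entries when a response entry could not be processed locally (e.g. key decryption failed). */
    protected static final int PKISTATUS_RESPONSE_ERROR = -1;
    /** Pseudo status used in result entries for a request entry the response did not answer. */
    protected static final int PKISTATUS_NO_ANSWER = -2;
    /** Supplies the verifier used to check signature-protected responses. */
    protected final SecurityFactory securityFactory;
    /** Responder settings used when the requestor authenticates with a password-based MAC; may be null. */
    private final Responder pbmMacResponder;
    /** Responder settings used when the requestor authenticates with a signature; may be null. */
    private final Responder signatureResponder;
    /** Passed to the signing helper when protecting a request with a signature. */
    private final boolean sendRequestorCert;
    private final XiHttpClient httpClient;
    /** Base URL of the CMP server, always ending in "/". */
    private final String serverUrl;
    private static final Logger LOG = LoggerFactory.getLogger(CmpAgent.class);
    private static final DefaultSecretKeySizeProvider KEYSIZE_PROVIDER = new DefaultSecretKeySizeProvider();
    private static final DigestCalculatorProvider DIGEST_CALCULATOR_PROVIDER = new BcDigestCalculatorProvider();
    /** Key under which the single entry of a CSR-based enrolment is tracked. */
    private static final BigInteger MINUS_ONE = BigInteger.valueOf(-1);
    // Source of transaction IDs and sender nonces. The response is matched to the request on
    // exactly these two values, so they must not be predictable: java.util.Random is seeded
    // from guessable state, whereas SecureRandom is a CSPRNG. The declared type stays Random,
    // so the callers of nextBytes() are unaffected.
    private final Random random = new SecureRandom();
    private final boolean implicitConfirm = true;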

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.xipki.cmp.client.internal.CmpAgent$1, reason: invalid class name */
    /* loaded from: input_file:WEB-INF/lib/cmp-client-6.1.0.jar:org/xipki/cmp/client/internal/CmpAgent$1.class */
    /**
     * Compiler-generated lookup table behind the {@code switch} over
     * {@code EnrollCertRequest.EnrollType} in {@code requestCertificate}: it maps each
     * constant's ordinal to a dense case number (1..4).
     *
     * <p>Every slot is filled in its own try block, so a constant that is missing at run time
     * (NoSuchFieldError) leaves only its own slot at the array default 0, which matches no
     * case label and therefore ends up in the switch's {@code default} branch.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xipki$cmp$client$EnrollCertRequest$EnrollType = new int[EnrollCertRequest.EnrollType.values().length];

        static {
            try {
                $SwitchMap$org$xipki$cmp$client$EnrollCertRequest$EnrollType[EnrollCertRequest.EnrollType.INIT_REQ.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // deliberately ignored: slot stays 0 (see class comment)
            }
            try {
                $SwitchMap$org$xipki$cmp$client$EnrollCertRequest$EnrollType[EnrollCertRequest.EnrollType.CERT_REQ.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
                // deliberately ignored: slot stays 0
            }
            try {
                $SwitchMap$org$xipki$cmp$client$EnrollCertRequest$EnrollType[EnrollCertRequest.EnrollType.KEY_UPDATE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
                // deliberately ignored: slot stays 0
            }
            try {
                $SwitchMap$org$xipki$cmp$client$EnrollCertRequest$EnrollType[EnrollCertRequest.EnrollType.CROSS_CERT_REQ.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
                // deliberately ignored: slot stays 0
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
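    /**
     * Creates an agent bound to one CMP server.
     *
     * @param responder responder settings for signature-protected exchanges (stored as
     *     {@code signatureResponder}); not null-checked here
     * @param responder2 responder settings for PBM-MAC-protected exchanges (stored as
     *     {@code pbmMacResponder}); not null-checked here
     * @param str base URL of the server; a trailing "/" is appended when missing
     * @param securityFactory must not be null
     * @param sSLSocketFactory handed to the HTTP client
     * @param hostnameVerifier handed to the HTTP client
     * @param z stored as {@code sendRequestorCert}
     * @throws IllegalArgumentException if the URL is syntactically invalid
     */
    public CmpAgent(Responder responder, Responder responder2, String str, SecurityFactory securityFactory, SSLSocketFactory sSLSocketFactory, HostnameVerifier hostnameVerifier, boolean z) {
        this.signatureResponder = responder;
        this.pbmMacResponder = responder2;
        this.securityFactory = (SecurityFactory) Args.notNull(securityFactory, "securityFactory");
        Args.notBlank(str, "serverUrl");
        String normalizedUrl = str.endsWith("/") ? str : str + "/";
        try {
            // Syntax check only: the scheme is not restricted, so an http:// URL passes.
            // NOTE(review): confirm whether plain HTTP is meant to be allowed; the CMP message
            // protection is then the only integrity control on the exchange.
            new URL(normalizedUrl);
            this.serverUrl = normalizedUrl;
            this.httpClient = new XiHttpClient(sSLSocketFactory, hostnameVerifier);
            this.sendRequestorCert = z;
        } catch (MalformedURLException e) {
            // Keep the cause so the parser's reason is not lost.
            throw new IllegalArgumentException("invalid URL: " + str, e);
        }
    }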

    /**
     * Picks the responder settings that match the requestor's protection mechanism.
     *
     * @return the signature responder for a signature requestor; the PBM-MAC responder for
     *     anything else, including a null requestor
     */
    private Responder getResponder(Requestor requestor) {
        if (requestor instanceof Requestor.SignatureCmpRequestor) {
            return this.signatureResponder;
        }
        return this.pbmMacResponder;
    }

    /**
     * POSTs an encoded CMP request to {@code serverUrl + str}.
     *
     * @param str path appended to the base URL as-is (no escaping or validation here)
     * @param bArr encoded request; must not be null
     * @throws IOException propagated from the HTTP client
     */
    private HttpRespContent send(String str, byte[] bArr) throws IOException {
        Args.notNull(bArr, "request");
        final String targetUrl = this.serverUrl + str;
        final String cmpMimeType = "application/pkixcmp";
        return this.httpClient.httpPost(targetUrl, cmpMimeType, bArr, cmpMimeType);
    }

    /**
     * Adds CMP protection to a request: a signature for a signature requestor, otherwise a
     * password-based MAC.
     *
     * @param requestor identity protecting the request; null is rejected
     * @param pKIMessage unprotected request; must not be null
     * @return the protected message
     * @throws CmpClientException if no requestor is configured or the protection cannot be
     *     computed (the same message text is used for the signature and the MAC case)
     */
    private PKIMessage sign(Requestor requestor, PKIMessage pKIMessage) throws CmpClientException {
        Args.notNull(pKIMessage, "request");
        if (requestor == null) {
            throw new CmpClientException("no request signer is configured");
        }

        if (requestor instanceof Requestor.SignatureCmpRequestor) {
            Requestor.SignatureCmpRequestor sigRequestor = (Requestor.SignatureCmpRequestor) requestor;
            try {
                return CmpUtil.addProtection(pKIMessage, sigRequestor.getSigner(), requestor.getName(), this.sendRequestorCert);
            } catch (CMPException | NoIdleSignerException ex) {
                throw new CmpClientException("could not sign the request", ex);
            }
        } else {
            // Any non-signature requestor is treated as PBM-MAC; the cast fails for other kinds.
            Requestor.PbmMacCmpRequestor macRequestor = (Requestor.PbmMacCmpRequestor) requestor;
            try {
                return CmpUtil.addProtection(
                        pKIMessage,
                        macRequestor.getPassword(),
                        macRequestor.getParameter(),
                        requestor.getName(),
                        macRequestor.getSenderKID());
            } catch (CMPException ex) {
                throw new CmpClientException("could not sign the request", ex);
            }
        }
    }

    /**
     * Protects the request, sends it, and attaches the outcome of the protection check to the
     * response.
     *
     * <p>Security-relevant behaviour visible here:
     * <ul>
     *   <li>A response whose header recipient differs from the requestor name is only logged,
     *       not rejected.</li>
     *   <li>An unprotected response is accepted only when its body type is 23 (the CMP error
     *       body); every other unprotected response is rejected.</li>
     *   <li>A failed verification does not throw: the result is stored on the returned
     *       object, so the caller has to inspect it before trusting the body.</li>
     * </ul>
     *
     * @param str path appended to the server URL
     * @throws CmpClientException on transport/encoding problems, on an unprotected non-error
     *     response, or when the verification itself fails with an exception
     */
    private VerifiedPkiMessage signAndSend(String str, Requestor requestor, Responder responder, PKIMessage pKIMessage, ReqRespDebug reqRespDebug) throws CmpClientException {
        Args.notNull(pKIMessage, "request");
        ASN1OctetString tid = pKIMessage.getHeader().getTransactionID();

        PKIMessage protectedRequest = sign(requestor, pKIMessage);
        GeneralPKIMessage response = send(str, protectedRequest, reqRespDebug);

        GeneralName responseRecipient = response.getHeader().getRecipient();
        if (!requestor.getName().equals(responseRecipient)) {
            LOG.warn("tid={}: unknown CMP requestor '{}'", tid, responseRecipient);
        }

        VerifiedPkiMessage verified = new VerifiedPkiMessage(response);
        if (!response.hasProtection()) {
            // 23 is the error body type; nothing else may arrive unprotected.
            if (response.getBody().getType() != 23) {
                throw new CmpClientException("response is not signed");
            }
            return verified;
        }

        try {
            verified.setProtectionVerificationResult(
                    verifyProtection(requestor, responder, Hex.encode(tid.getOctets()), response));
        } catch (InvalidKeyException | CMPException ex) {
            throw new CmpClientException(ex.getMessage(), ex);
        }
        return verified;
    }

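    /**
     * Encodes and sends a CMP message, decodes the reply, and checks that the reply belongs to
     * this request.
     *
     * <p>The reply is accepted only if its transactionID equals the request's and its recipNonce
     * equals the request's senderNonce. This method does not verify the message protection.
     *
     * @param str path appended to the server URL
     * @param pKIMessage request to send (already protected, if protection is wanted)
     * @param reqRespDebug optional sink for the raw request/response bytes; may be null
     * @return the decoded response
     * @throws CmpClientException if the request cannot be encoded or sent, the HTTP status is
     *     not OK, the response has no content or cannot be decoded, or the transactionID /
     *     nonce check fails
     */
    private GeneralPKIMessage send(String str, PKIMessage pKIMessage, ReqRespDebug reqRespDebug) throws CmpClientException {
        byte[] encodedRequest;
        try {
            encodedRequest = pKIMessage.getEncoded();
        } catch (IOException e) {
            LOG.error("could not encode the PKI request {}", pKIMessage);
            throw new CmpClientException(e.getMessage(), e);
        }

        ReqRespDebug.ReqRespPair debugPair = null;
        if (reqRespDebug != null) {
            debugPair = new ReqRespDebug.ReqRespPair();
            reqRespDebug.add(debugPair);
            if (reqRespDebug.saveRequest()) {
                debugPair.setRequest(encodedRequest);
            }
        }

        HttpRespContent httpResponse;
        try {
            httpResponse = send(str, encodedRequest);
        } catch (IOException e) {
            LogUtil.error(LOG, e, "could not send the PKI request to server");
            throw new CmpClientException("TRANSPORT_ERROR", e);
        }

        byte[] encodedResponse = httpResponse.getContent();
        if (debugPair != null && reqRespDebug.saveResponse() && encodedResponse != null) {
            debugPair.setResponse(encodedResponse);
        }

        if (!httpResponse.isOK()) {
            LOG.warn("received HTTP status code {}", httpResponse.getStatusCode());
            throw new CmpClientException("Received HTTP status code");
        }

        // The debug branch above already allows for a missing body; fail with the declared
        // exception type instead of letting the decoder hit a null array.
        if (encodedResponse == null) {
            throw new CmpClientException("HTTP response has no content");
        }

        GeneralPKIMessage response;
        try {
            response = new GeneralPKIMessage(encodedResponse);
        } catch (IOException e) {
            LOG.error("could not decode the received PKI message: {}", Hex.encode(encodedResponse));
            throw new CmpClientException(e.getMessage(), e);
        }

        PKIHeader requestHeader = pKIMessage.getHeader();
        PKIHeader responseHeader = response.getHeader();

        ASN1OctetString requestTid = requestHeader.getTransactionID();
        ASN1OctetString responseTid = responseHeader.getTransactionID();
        if (!requestTid.equals(responseTid)) {
            LOG.warn("Response contains different tid ({}) than requested {}", responseTid, requestTid);
            throw new CmpClientException("Response contains different tid than the request");
        }

        ASN1OctetString senderNonce = requestHeader.getSenderNonce();
        ASN1OctetString recipNonce = responseHeader.getRecipNonce();
        if (!senderNonce.equals(recipNonce)) {
            LOG.warn("tid {}: response.recipientNonce ({}) != request.senderNonce ({})", requestTid, recipNonce, senderNonce);
            // Report the nonce mismatch as such; the previous text repeated the tid message,
            // which hides a failed replay check behind the wrong diagnosis.
            throw new CmpClientException("Response recipNonce does not match the request senderNonce");
        }
        return response;
    }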

    /**
     * Builds a header with a fresh transaction ID and sender nonce, without implicit
     * confirmation, UTF-8 pairs or extra general infos.
     */
    private PKIHeader buildPkiHeader(Requestor requestor, Responder responder) {
        final InfoTypeAndValue[] noExtraInfos = null;
        return buildPkiHeader(requestor, responder, false, null, null, noExtraInfos);
    }

    /**
     * Builds the PKIHeader of an outgoing message.
     *
     * @param requestor sender; an empty X.500 name is used when null
     * @param responder recipient; an empty X.500 name is used when null
     * @param z whether to add the implicitConfirm general info
     * @param aSN1OctetString transaction ID to reuse; a random 20-byte ID is generated when null
     * @param cmpUtf8Pairs optional UTF-8 pairs to add as general info
     * @param infoTypeAndValueArr further general infos; null elements are skipped
     * @return header with version 2, the current time, the transaction ID and a fresh sender
     *     nonce
     * @throws IllegalArgumentException if an extra general info is implicitConfirm or utf8Pairs
     *     (those two may only be set through {@code z} / {@code cmpUtf8Pairs})
     */
    private PKIHeader buildPkiHeader(Requestor requestor, Responder responder, boolean z, ASN1OctetString aSN1OctetString, CmpUtf8Pairs cmpUtf8Pairs, InfoTypeAndValue... infoTypeAndValueArr) {
        // Reject reserved info types before anything is built.
        if (infoTypeAndValueArr != null) {
            for (InfoTypeAndValue extra : infoTypeAndValueArr) {
                if (extra == null) {
                    continue;
                }
                ASN1ObjectIdentifier oid = extra.getInfoType();
                if (CMPObjectIdentifiers.it_implicitConfirm.equals(oid)) {
                    throw new IllegalArgumentException("additionGeneralInfos contains not-permitted ITV implicitConfirm");
                }
                if (CMPObjectIdentifiers.regInfo_utf8Pairs.equals(oid)) {
                    throw new IllegalArgumentException("additionGeneralInfos contains not-permitted ITV utf8Pairs");
                }
            }
        }

        GeneralName sender = requestor != null ? requestor.getName() : new GeneralName(new X500Name(new RDN[0]));
        GeneralName recipient = responder != null ? responder.getName() : new GeneralName(new X500Name(new RDN[0]));
        PKIHeaderBuilder builder = new PKIHeaderBuilder(2, sender, recipient);
        builder.setMessageTime(new ASN1GeneralizedTime(new Date()));

        if (aSN1OctetString == null) {
            builder.setTransactionID(new DEROctetString(randomTransactionId()));
        } else {
            builder.setTransactionID(aSN1OctetString);
        }
        builder.setSenderNonce(randomSenderNonce());

        List<InfoTypeAndValue> generalInfos = new ArrayList<>(2);
        if (z) {
            generalInfos.add(CmpUtil.getImplicitConfirmGeneralInfo());
        }
        if (cmpUtf8Pairs != null) {
            generalInfos.add(CmpUtil.buildInfoTypeAndValue(cmpUtf8Pairs));
        }
        if (infoTypeAndValueArr != null) {
            for (InfoTypeAndValue extra : infoTypeAndValueArr) {
                if (extra != null) {
                    generalInfos.add(extra);
                }
            }
        }
        if (CollectionUtil.isNotEmpty(generalInfos)) {
            builder.setGeneralInfo(generalInfos.toArray(new InfoTypeAndValue[0]));
        }
        return builder.build();
    }

    /**
     * Generates a 20-byte transaction ID from the {@code random} field.
     *
     * <p>The response is matched to the request on this value, so its unpredictability is only
     * as good as the generator behind {@code random}; a CSPRNG is what this use calls for.
     */
    private byte[] randomTransactionId() {
        final byte[] tid = new byte[20];
        this.random.nextBytes(tid);
        return tid;
    }

    /**
     * Generates a 16-byte sender nonce from the {@code random} field.
     *
     * <p>The nonce is echoed back as recipNonce and compared when the response arrives, which
     * is the replay check; it is only effective if {@code random} is a CSPRNG.
     */
    private byte[] randomSenderNonce() {
        final byte[] nonce = new byte[16];
        this.random.nextBytes(nonce);
        return nonce;
    }

    /**
     * Checks the protection of a response and reports the outcome as a result object.
     *
     * <p>The expected mechanism follows the requestor: a PBM-MAC requestor accepts only a
     * password-based MAC, any other requestor accepts only a signature. A mechanism mismatch
     * is reported as SENDER_NOT_AUTHORIZED.
     *
     * <p>Bad protection is never signalled by an exception here; callers must evaluate the
     * returned {@code ProtectionResult} before trusting the message.
     *
     * @param requestor the requestor that sent the request
     * @param responder responder settings; cast to the PBM-MAC or signature variant according
     *     to the branch taken
     * @param str transaction ID as text, used only in log messages
     * @param generalPKIMessage the response to check
     * @throws CMPException propagated from the Bouncy Castle verification
     * @throws InvalidKeyException declared; not thrown explicitly in this method
     */
    private ProtectionVerificationResult verifyProtection(Requestor requestor, Responder responder, String str, GeneralPKIMessage generalPKIMessage) throws CMPException, InvalidKeyException {
        ProtectedPKIMessage protectedPKIMessage = new ProtectedPKIMessage(generalPKIMessage);
        PKIHeader header = protectedPKIMessage.getHeader();
        if (requestor instanceof Requestor.PbmMacCmpRequestor) {
            // --- password-based MAC branch ---
            if (!protectedPKIMessage.hasPasswordBasedMacProtection()) {
                LOG.warn("NOT_MAC_BASED: {}", generalPKIMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
                return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
            }
            // The PBM parameters (owf, mac, and the salt/iteration count used by verify()) come
            // from the response itself, i.e. from the peer.
            PBMParameter pBMParameter = PBMParameter.getInstance(generalPKIMessage.getHeader().getProtectionAlg().getParameters());
            try {
                HashAlgo hashAlgo = HashAlgo.getInstance(pBMParameter.getOwf());
                Responder.PbmMacCmpResponder pbmMacCmpResponder = (Responder.PbmMacCmpResponder) responder;
                // Allow-list check on the one-way function before any key derivation happens.
                if (!pbmMacCmpResponder.isPbmOwfPermitted(hashAlgo)) {
                    LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", hashAlgo);
                    return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
                }
                try {
                    SignAlgo signAlgo = SignAlgo.getInstance(pBMParameter.getMac());
                    if (pbmMacCmpResponder.isPbmMacPermitted(signAlgo)) {
                        // NOTE(review): no upper bound on the response-supplied iteration count is
                        // visible here. PKMACBuilder also has a constructor taking a maximum
                        // iteration count; consider using it so an oversized count is rejected
                        // instead of being computed.
                        // NOTE(review): the header sender is not compared in this branch; the
                        // shared password is the only binding to the responder.
                        return new ProtectionVerificationResult(requestor, protectedPKIMessage.verify(new PKMACBuilder(new JcePKMACValuesCalculator()), ((Requestor.PbmMacCmpRequestor) requestor).getPassword()) ? ProtectionResult.MAC_VALID : ProtectionResult.MAC_INVALID);
                    }
                    LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", signAlgo);
                    return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
                } catch (NoSuchAlgorithmException e) {
                    // Unknown MAC algorithm is treated like a forbidden one.
                    LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac)", (Throwable) e);
                    return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
                }
            } catch (NoSuchAlgorithmException e2) {
                // Unknown one-way function is treated like a forbidden one.
                LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf)", (Throwable) e2);
                return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
            }
        }
        // --- signature branch ---
        if (protectedPKIMessage.hasPasswordBasedMacProtection()) {
            LOG.warn("NOT_SIGNATURE_BASED: {}", generalPKIMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        Responder.SignatureCmpResponder signatureCmpResponder = (Responder.SignatureCmpResponder) responder;
        // The sender must be a directoryName (GeneralName tag 4) equal to the subject of the
        // configured responder certificate.
        if (!(header.getSender().getTagNo() != 4 ? false : signatureCmpResponder.getCert().getSubject().equals(X500Name.getInstance(header.getSender().getName())))) {
            LOG.warn("tid={}: not authorized responder '{}'", str, header.getSender());
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        try {
            SignAlgo signAlgo2 = SignAlgo.getInstance(protectedPKIMessage.getHeader().getProtectionAlg());
            // Allow-list check on the signature algorithm; a disallowed algorithm is reported as
            // SIGNATURE_INVALID.
            if (!signatureCmpResponder.getSigAlgoValidator().isAlgorithmPermitted(signAlgo2)) {
                LOG.warn("tid={}: response protected by untrusted protection algorithm '{}'", str, signAlgo2.getJceName());
                return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_INVALID);
            }
            // Verification uses the locally configured responder certificate, not a certificate
            // taken from the response.
            X509Cert cert = signatureCmpResponder.getCert();
            ContentVerifierProvider contentVerifierProvider = this.securityFactory.getContentVerifierProvider(cert);
            if (contentVerifierProvider != null) {
                return new ProtectionVerificationResult(cert, protectedPKIMessage.verify(contentVerifierProvider) ? ProtectionResult.SIGNATURE_VALID : ProtectionResult.SIGNATURE_INVALID);
            }
            // No verifier could be obtained for the configured certificate.
            LOG.warn("tid={}: not authorized responder '{}'", str, header.getSender());
            return new ProtectionVerificationResult(cert, ProtectionResult.SENDER_NOT_AUTHORIZED);
        } catch (NoSuchAlgorithmException e3) {
            LOG.warn("tid={}: unknown response protection algorithm: {}", str, e3.getMessage());
            return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_INVALID);
        }
    }

    /**
     * Builds an unprotected general message (body type 21) that asks for one info type.
     *
     * <p>The header is built without requestor and responder, so sender and recipient are
     * empty names.
     *
     * @param aSN1ObjectIdentifier the info type to request; must not be null
     */
    private PKIMessage buildMessageWithGeneralMsgContent(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        Args.notNull(aSN1ObjectIdentifier, "type");
        InfoTypeAndValue requestedInfo = new InfoTypeAndValue(aSN1ObjectIdentifier);
        PKIBody genMsgBody = new PKIBody(21, new GenMsgContent(requestedInfo));
        return new PKIMessage(buildPkiHeader(null, null), genMsgBody);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Fetches the current CRL through a general message.
     *
     * <p>The exchange goes through {@code send}, not {@code signAndSend}: the request is
     * unprotected and no CMP protection check is made on the response in this method.
     * NOTE(review): unless {@code parseGenRep} does more than is visible here, the CRL's own
     * signature is the only authenticity control, so the caller should verify it against the
     * issuing CA.
     *
     * @param str path appended to the server URL
     * @param reqRespDebug optional sink for the raw request/response; may be null
     */
    public X509CRLHolder downloadCurrentCrl(String str, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        final ASN1ObjectIdentifier infoType = CMPObjectIdentifiers.it_currentCRL;
        return new X509CRLHolder(
                CertificateList.getInstance(
                        parseGenRep(
                                send(str, buildMessageWithGeneralMsgContent(infoType), reqRespDebug),
                                infoType)));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Fetches the CA certificates through a general message and returns at most {@code i} of
     * them, in the order the server sent them.
     *
     * <p>The exchange goes through {@code send}, not {@code signAndSend}: the request is
     * unprotected and no CMP protection check is made on the response in this method.
     * NOTE(review): certificates obtained this way should not become trust anchors without an
     * independent check (e.g. a fingerprint obtained out of band).
     *
     * @param str path appended to the server URL
     * @param i upper bound on the number of certificates returned
     * @param reqRespDebug optional sink for the raw request/response; may be null
     */
    public List<X509Cert> caCerts(String str, int i, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        final ASN1ObjectIdentifier infoType = CMPObjectIdentifiers.id_it_caCerts;
        ASN1Sequence received = ASN1Sequence.getInstance(
                parseGenRep(send(str, buildMessageWithGeneralMsgContent(infoType), reqRespDebug), infoType));

        final int limit = Math.min(i, received.size());
        List<X509Cert> certs = new ArrayList<>(limit);
        int idx = 0;
        while (idx < limit) {
            certs.add(new X509Cert(Certificate.getInstance(received.getObjectAt(idx))));
            idx++;
        }
        return certs;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Sends a protected revocation request and parses the reply.
     *
     * <p>NOTE(review): the protection verification result attached by {@code signAndSend} is
     * not inspected in this method; presumably {@code parse} does that, confirm.
     *
     * @param str path appended to the server URL
     * @param requestor identity protecting the request
     * @param revokeCertRequest entries to revoke; must not be null
     * @param reqRespDebug optional sink for the raw request/response; may be null
     */
    public RevokeCertResponse revokeCertificate(String str, Requestor requestor, RevokeCertRequest revokeCertRequest, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        final Responder responder = getResponder(requestor);
        Args.notNull(revokeCertRequest, "request");
        return parse(
                signAndSend(
                        str,
                        requestor,
                        responder,
                        buildRevokeCertRequest(requestor, responder, revokeCertRequest),
                        reqRespDebug),
                revokeCertRequest.getRequestEntries());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Sends a protected request that lifts a revocation (reason code REMOVE_FROM_CRL) and
     * parses the reply.
     *
     * <p>NOTE(review): the protection verification result attached by {@code signAndSend} is
     * not inspected in this method; presumably {@code parse} does that, confirm.
     *
     * @param str path appended to the server URL
     * @param requestor identity protecting the request
     * @param unrevokeCertRequest entries to unrevoke; must not be null
     * @param reqRespDebug optional sink for the raw request/response; may be null
     */
    public RevokeCertResponse unrevokeCertificate(String str, Requestor requestor, UnrevokeCertRequest unrevokeCertRequest, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        final Responder responder = getResponder(requestor);
        Args.notNull(unrevokeCertRequest, "request");
        return parse(
                signAndSend(
                        str,
                        requestor,
                        responder,
                        buildUnrevokeCertRequest(requestor, responder, unrevokeCertRequest, CrlReason.REMOVE_FROM_CRL.getCode()),
                        reqRespDebug),
                unrevokeCertRequest.getRequestEntries());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Enrols a certificate from a CSR.
     *
     * <p>The single request is tracked under the key -1, and the response is expected to have
     * body type 3 (certificate response).
     *
     * @param str path appended to the server URL
     * @param requestor identity protecting the request
     * @param csrEnrollCertRequest the CSR request; must not be null
     * @param date passed through to the message builder
     * @param date2 passed through to the message builder
     * @param reqRespDebug optional sink for the raw request/response; may be null
     */
    public EnrollCertResponse requestCertificate(String str, Requestor requestor, CsrEnrollCertRequest csrEnrollCertRequest, Date date, Date date2, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        final Responder responder = getResponder(requestor);
        Args.notNull(csrEnrollCertRequest, "csr");
        final PKIMessage request = buildPkiMessage(requestor, responder, csrEnrollCertRequest, date, date2);

        Map<BigInteger, String> idsByCertReqId = new HashMap<>();
        idsByCertReqId.put(MINUS_ONE, csrEnrollCertRequest.getId());

        final int expectedBodyType = 3;
        return requestCertificate0(str, requestor, responder, request, idsByCertReqId, expectedBodyType, reqRespDebug);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Enrols one or more certificates from CRMF request entries.
     *
     * <p>Each entry is tracked by its certReqId. The expected response body type follows the
     * request type: INIT_REQ 1, CERT_REQ 3, KEY_UPDATE 8, CROSS_CERT_REQ 14.
     *
     * @param str path appended to the server URL
     * @param requestor identity protecting the request
     * @param enrollCertRequest the request; must not be null
     * @param reqRespDebug optional sink for the raw request/response; may be null
     * @throws IllegalStateException if the request type is none of the four above
     */
    public EnrollCertResponse requestCertificate(String str, Requestor requestor, EnrollCertRequest enrollCertRequest, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        final Responder responder = getResponder(requestor);
        Args.notNull(enrollCertRequest, "req");
        final PKIMessage request = buildPkiMessage(requestor, responder, enrollCertRequest);

        Map<BigInteger, String> idsByCertReqId = new HashMap<>();
        for (EnrollCertRequest.Entry entry : enrollCertRequest.getRequestEntries()) {
            BigInteger certReqId = entry.getCertReq().getCertReqId().getValue();
            idsByCertReqId.put(certReqId, entry.getId());
        }

        // Switching on the enum itself replaces the decompiler's ordinal lookup table and its
        // unrelated case label; the mapping is the same.
        final int expectedBodyType;
        switch (enrollCertRequest.getType()) {
            case INIT_REQ:
                expectedBodyType = 1;
                break;
            case CERT_REQ:
                expectedBodyType = 3;
                break;
            case KEY_UPDATE:
                expectedBodyType = 8;
                break;
            case CROSS_CERT_REQ:
                expectedBodyType = 14;
                break;
            default:
                throw new IllegalStateException("unknown EnrollCertRequest.Type " + enrollCertRequest.getType());
        }
        return requestCertificate0(str, requestor, responder, request, idsByCertReqId, expectedBodyType, reqRespDebug);
    }

    /**
     * Sends an enrolment request, checks the response protection, maps every CertResponse back
     * to the caller's request ID, and sends a certificate confirmation when one is needed.
     *
     * <p>This listing is decompiler output and is not valid Java in places (see the
     * NOTE(review) markers); the control flow around error entries is ambiguous and should be
     * confirmed against the upstream source before the method is changed.
     *
     * @param str path appended to the server URL
     * @param requestor identity protecting the request; also supplies the key or password used
     *     to decrypt a server-generated private key
     * @param responder responder settings used for protection verification
     * @param pKIMessage the unprotected request
     * @param map certReqId to caller ID; entries are removed as they are matched, so the map
     *     is modified
     * @param i expected body type of the response
     * @param reqRespDebug optional sink for the raw request/response; may be null
     * @return the collected result entries, or null when a granted response carries no
     *     certificate
     * @throws PkiErrorException if the server answered with an error body (type 23)
     * @throws CmpClientException on transport, protection or body-type problems
     */
    private EnrollCertResponse requestCertificate0(String str, Requestor requestor, Responder responder, PKIMessage pKIMessage, Map<BigInteger, String> map, int i, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        CMPCertificate certificate;
        byte[] decrypt;
        ResultEntry enrollCert;
        VerifiedPkiMessage signAndSend = signAndSend(str, requestor, responder, pKIMessage, reqRespDebug);
        // The body is only interpreted after the protection result has been checked.
        checkProtection(signAndSend);
        PKIBody body = signAndSend.getPkiMessage().getBody();
        int type = body.getType();
        // 23 is the error body type.
        if (23 == type) {
            throw new PkiErrorException(ErrorMsgContent.getInstance(body.getContent()).getPKIStatusInfo());
        }
        if (i != type) {
            throw new CmpClientException(String.format("unknown PKI body type %s instead the expected [%s, %s]", Integer.valueOf(type), Integer.valueOf(i), 23));
        }
        CertRepMessage certRepMessage = CertRepMessage.getInstance(body.getContent());
        CertResponse[] response = certRepMessage.getResponse();
        EnrollCertResponse enrollCertResponse = new EnrollCertResponse();
        // CA certificates sent along with the response are passed to the caller as-is.
        CMPCertificate[] caPubs = certRepMessage.getCaPubs();
        if (caPubs != null && caPubs.length > 0) {
            for (CMPCertificate cMPCertificate : caPubs) {
                if (cMPCertificate != null) {
                    enrollCertResponse.addCaCertificate(cMPCertificate);
                }
            }
        }
        // A confirmation is prepared only when the response header does not grant implicit confirmation.
        CertificateConfirmationContentBuilder certificateConfirmationContentBuilder = CmpUtil.isImplicitConfirm(signAndSend.getPkiMessage().getHeader()) ? null : new CertificateConfirmationContentBuilder();
        // z: at least one certificate was added to the confirmation.
        boolean z = false;
        for (CertResponse certResponse : response) {
            PKIStatusInfo status = certResponse.getStatus();
            int intValue = status.getStatus().intValue();
            BigInteger value = certResponse.getCertReqId().getValue();
            String str2 = map.get(value);
            if (str2 != null) {
                map.remove(value);
            } else if (map.size() == 1) {
                // Lenient matching: with exactly one request outstanding, a response whose
                // certReqId does not match is still attributed to that request.
                str2 = map.values().iterator().next();
                map.clear();
            }
            // Responses that cannot be attributed to a request are skipped.
            if (str2 != null) {
                // Status 0 (granted) or 1 (granted with modifications).
                if (intValue == 0 || intValue == 1) {
                    CertifiedKeyPair certifiedKeyPair = certResponse.getCertifiedKeyPair();
                    if (certifiedKeyPair == null || (certificate = certifiedKeyPair.getCertOrEncCert().getCertificate()) == null) {
                        // NOTE(review): this drops the whole response, including entries already
                        // collected, and callers receive null instead of an error entry.
                        return null;
                    }
                    // NOTE(review): sign() rejects a null requestor before anything is sent, so
                    // this branch looks unreachable on the path through signAndSend.
                    if (requestor == null) {
                        // 1073741824 == 1 << 30; presumably the systemFailure failure-info bit.
                        enrollCertResponse.addResultEntry(new ResultEntry.Error(str2, PKISTATUS_RESPONSE_ERROR, 1073741824, "could not decrypt PrivateKeyInfo/requestor is null"));
                        // NOTE(review): enrollCert is not assigned on this path, yet it is added
                        // after the if/else below; the original probably continued with the next
                        // response here.
                    } else {
                        PrivateKeyInfo privateKeyInfo = null;
                        // A private key in the response means the key pair was generated on the
                        // server; it arrives encrypted for the requestor.
                        if (certifiedKeyPair.getPrivateKey() != null) {
                            try {
                                if (requestor instanceof Requestor.SignatureCmpRequestor) {
                                    // The requestor's signing key doubles as the decryption key.
                                    ConcurrentContentSigner signer = ((Requestor.SignatureCmpRequestor) requestor).getSigner();
                                    if (!(signer.getSigningKey() instanceof PrivateKey)) {
                                        throw new XiSecurityException("no decryption key is configured");
                                        // NOTE(review): unreachable statement left by the decompiler; javac rejects it.
                                        break;
                                    }
                                    decrypt = decrypt(certifiedKeyPair.getPrivateKey(), (PrivateKey) signer.getSigningKey());
                                } else {
                                    // PBM-MAC requestor: the shared password is used for decryption.
                                    decrypt = decrypt(certifiedKeyPair.getPrivateKey(), ((Requestor.PbmMacCmpRequestor) requestor).getPassword());
                                }
                                privateKeyInfo = PrivateKeyInfo.getInstance(decrypt);
                            } catch (XiSecurityException e) {
                                enrollCertResponse.addResultEntry(new ResultEntry.Error(str2, PKISTATUS_RESPONSE_ERROR, 1073741824, "could not decrypt PrivateKeyInfo"));
                                // NOTE(review): as written, flow continues and a success entry with
                                // a null private key is added for the same ID, and the certificate
                                // is confirmed; the original probably continued with the next
                                // response here.
                            }
                        }
                        // privateKeyInfo holds decrypted key material from here on; keep it out of logs.
                        enrollCert = new ResultEntry.EnrollCert(str2, certificate, privateKeyInfo, intValue);
                        if (certificateConfirmationContentBuilder != null) {
                            z = true;
                            // NOTE(review): no check is visible here that the returned certificate
                            // matches what was requested before it is confirmed; presumably left
                            // to the caller.
                            certificateConfirmationContentBuilder.addAcceptedCertificate(new X509CertificateHolder(certificate.getX509v3PKCert()), value);
                        }
                    }
                } else {
                    // Any other status is reported with the server's failure info and first status text.
                    PKIFreeText statusString = status.getStatusString();
                    enrollCert = new ResultEntry.Error(str2, intValue, status.getFailInfo().intValue(), statusString == null ? null : statusString.getStringAtUTF8(0).getString());
                }
                enrollCertResponse.addResultEntry(enrollCert);
            }
        }
        // Whatever is left in the map was not answered by the server.
        if (CollectionUtil.isNotEmpty(map)) {
            Iterator<Map.Entry<BigInteger, String>> it = map.entrySet().iterator();
            while (it.hasNext()) {
                enrollCertResponse.addResultEntry(new ResultEntry.Error(it.next().getValue(), PKISTATUS_NO_ANSWER));
            }
        }
        if (!z) {
            return enrollCertResponse;
        }
        // Confirm the accepted certificates under the same transaction ID; the protection of the
        // server's answer to the confirmation is checked as well.
        checkProtection(signAndSend(str, requestor, responder, buildCertConfirmRequest(requestor, responder, signAndSend.getPkiMessage().getHeader().getTransactionID(), certificateConfirmationContentBuilder), reqRespDebug));
        return enrollCertResponse;
    }

    /**
     * Builds the confirmation message sent after an enrolment response whose certificates were accepted.
     *
     * @param requestor the party sending the confirmation
     * @param responder the CMP server the confirmation is addressed to
     * @param aSN1OctetString transaction ID to put in the header; the visible caller passes the ID taken from
     *     the enrolment response header so that the confirmation stays in the same transaction
     * @param certificateConfirmationContentBuilder builder already holding the accepted certificates
     * @return the unprotected PKIMessage; protection is not applied in this method
     * @throws CmpClientException if the confirmation content cannot be built
     */
    private PKIMessage buildCertConfirmRequest(Requestor requestor, Responder responder, ASN1OctetString aSN1OctetString, CertificateConfirmationContentBuilder certificateConfirmationContentBuilder) throws CmpClientException {
        // The header is built first, exactly as in the single-expression form.
        PKIHeader header = buildPkiHeader(requestor, responder, true, aSN1OctetString, null, (InfoTypeAndValue[]) null);
        PKIBody confirmBody;
        try {
            // 24 is the certConf choice in RFC 4210's PKIBody numbering.
            confirmBody = new PKIBody(24, certificateConfirmationContentBuilder.build(DIGEST_CALCULATOR_PROVIDER).toASN1Structure());
        } catch (CMPException e) {
            throw new CmpClientException(e.getMessage(), e);
        }
        return new PKIMessage(header, confirmBody);
    }

    /**
     * Builds a revocation request carrying one RevDetails per request entry.
     *
     * <p>Each entry identifies the certificate by issuer and serial number, optionally narrowed by an
     * AuthorityKeyIdentifier extension in the certificate template. The revocation reason, and the invalidity
     * date when present, are sent as critical CRL entry extensions.
     *
     * @param requestor the party sending the request
     * @param responder the CMP server the request is addressed to
     * @param revokeCertRequest the entries to revoke
     * @return the unprotected PKIMessage
     * @throws CmpClientException if an extension value cannot be encoded
     */
    private PKIMessage buildRevokeCertRequest(Requestor requestor, Responder responder, RevokeCertRequest revokeCertRequest) throws CmpClientException {
        PKIHeader header = buildPkiHeader(requestor, responder);
        List<RevokeCertRequest.Entry> entries = revokeCertRequest.getRequestEntries();
        List<RevDetails> details = new ArrayList<>(entries.size());
        for (RevokeCertRequest.Entry entry : entries) {
            CertTemplateBuilder template = new CertTemplateBuilder();
            template.setIssuer(entry.getIssuer());
            template.setSerialNumber(new ASN1Integer(entry.getSerialNumber()));

            byte[] aki = entry.getAuthorityKeyIdentifier();
            if (aki != null) {
                template.setExtensions(getCertTempExtensions(aki));
            }

            Date invalidityDate = entry.getInvalidityDate();
            boolean withInvalidityDate = invalidityDate != null;
            // Slot 0 always holds the reason code; slot 1 exists only when an invalidity date is supplied.
            Extension[] crlEntryExtensions = new Extension[withInvalidityDate ? 2 : 1];
            try {
                byte[] encodedReason = new ASN1Enumerated(entry.getReason()).getEncoded();
                crlEntryExtensions[0] = new Extension(Extension.reasonCode, true, new DEROctetString(encodedReason));
                if (withInvalidityDate) {
                    byte[] encodedDate = new ASN1GeneralizedTime(invalidityDate).getEncoded();
                    crlEntryExtensions[1] = new Extension(Extension.invalidityDate, true, new DEROctetString(encodedDate));
                }
                details.add(new RevDetails(template.build(), new Extensions(crlEntryExtensions)));
            } catch (IOException e) {
                throw new CmpClientException(e.getMessage(), e);
            }
        }
        // 11 is the rr (revocation request) choice in RFC 4210's PKIBody numbering.
        RevDetails[] detailArray = details.toArray(new RevDetails[0]);
        return new PKIMessage(header, new PKIBody(11, new RevReqContent(detailArray)));
    }

    /**
     * Builds a request that reuses the revocation-request body to change the state of previously revoked
     * or suspended certificates.
     *
     * <p>The message has the same shape as a revocation request; the only per-entry CRL extension is the
     * critical reason code, and the same reason value is written for every entry.
     *
     * @param requestor the party sending the request
     * @param responder the CMP server the request is addressed to
     * @param unrevokeCertRequest the entries to act on
     * @param i the reason code placed in every entry's reasonCode extension
     * @return the unprotected PKIMessage
     * @throws CmpClientException if the reason code cannot be encoded
     */
    private PKIMessage buildUnrevokeCertRequest(Requestor requestor, Responder responder, UnrevokeCertRequest unrevokeCertRequest, int i) throws CmpClientException {
        PKIHeader header = buildPkiHeader(requestor, responder);
        List<UnrevokeCertRequest.Entry> entries = unrevokeCertRequest.getRequestEntries();
        List<RevDetails> details = new ArrayList<>(entries.size());
        for (UnrevokeCertRequest.Entry entry : entries) {
            CertTemplateBuilder template = new CertTemplateBuilder();
            template.setIssuer(entry.getIssuer());
            template.setSerialNumber(new ASN1Integer(entry.getSerialNumber()));

            byte[] aki = entry.getAuthorityKeyIdentifier();
            if (aki != null) {
                template.setExtensions(getCertTempExtensions(aki));
            }

            Extension[] crlEntryExtensions = new Extension[1];
            try {
                byte[] encodedReason = new ASN1Enumerated(i).getEncoded();
                crlEntryExtensions[0] = new Extension(Extension.reasonCode, true, new DEROctetString(encodedReason));
                details.add(new RevDetails(template.build(), new Extensions(crlEntryExtensions)));
            } catch (IOException e) {
                throw new CmpClientException(e.getMessage(), e);
            }
        }
        // 11 is the rr (revocation request) choice in RFC 4210's PKIBody numbering.
        RevDetails[] detailArray = details.toArray(new RevDetails[0]);
        return new PKIMessage(header, new PKIBody(11, new RevReqContent(detailArray)));
    }

    /**
     * Builds an enrolment request that wraps a PKCS#10 CSR.
     *
     * <p>The requested validity bounds, when given, travel as UTF-8 pairs in the header, and the certificate
     * profile name, when given, as an {@code id_it_certProfile} InfoTypeAndValue.
     *
     * @param requestor the party sending the request
     * @param responder the CMP server the request is addressed to
     * @param csrEnrollCertRequest the CSR and optional certificate profile
     * @param date requested notBefore, or {@code null} to leave it to the CA
     * @param date2 requested notAfter, or {@code null} to leave it to the CA
     * @return the unprotected PKIMessage
     */
    private PKIMessage buildPkiMessage(Requestor requestor, Responder responder, CsrEnrollCertRequest csrEnrollCertRequest, Date date, Date date2) {
        // The pair container is created only when at least one bound was requested.
        CmpUtf8Pairs validityPairs = null;
        if (date != null || date2 != null) {
            validityPairs = new CmpUtf8Pairs();
            if (date != null) {
                validityPairs.putUtf8Pair(CmpUtf8Pairs.KEY_NOTBEFORE, DateUtil.toUtcTimeyyyyMMddhhmmss(date));
            }
            if (date2 != null) {
                validityPairs.putUtf8Pair(CmpUtf8Pairs.KEY_NOTAFTER, DateUtil.toUtcTimeyyyyMMddhhmmss(date2));
            }
        }

        InfoTypeAndValue profileInfo = csrEnrollCertRequest.getCertprofile() == null
                ? null
                : new InfoTypeAndValue(ObjectIdentifiers.CMP.id_it_certProfile, new DERSequence(new DERUTF8String(csrEnrollCertRequest.getCertprofile())));

        PKIHeader header = buildPkiHeader(requestor, responder, true, null, validityPairs, profileInfo);
        // 4 is the p10cr choice in RFC 4210's PKIBody numbering.
        return new PKIMessage(header, new PKIBody(4, csrEnrollCertRequest.getCsr()));
    }

    /**
     * Builds a CRMF-based enrolment request from the given entries.
     *
     * <p>Certificate profile names are collected into one sequence sent as an {@code id_it_certProfile}
     * InfoTypeAndValue. Either every entry names a profile or none does; a mix is rejected because the
     * profile list would no longer line up with the request list.
     *
     * @param requestor the party sending the request
     * @param responder the CMP server the request is addressed to
     * @param enrollCertRequest the entries and the enrolment type
     * @return the unprotected PKIMessage
     * @throws IllegalStateException if only some entries carry a profile, or the enrolment type is unknown
     */
    private PKIMessage buildPkiMessage(Requestor requestor, Responder responder, EnrollCertRequest enrollCertRequest) {
        List<EnrollCertRequest.Entry> entries = enrollCertRequest.getRequestEntries();
        final int entryCount = entries.size();
        CertReqMsg[] certReqMsgs = new CertReqMsg[entryCount];
        ASN1EncodableVector profileNames = new ASN1EncodableVector();

        int slot = 0;
        for (EnrollCertRequest.Entry entry : entries) {
            if (entry.getCertprofile() != null) {
                profileNames.add(new DERUTF8String(entry.getCertprofile()));
            }
            certReqMsgs[slot++] = new CertReqMsg(entry.getCertReq(), entry.getPop(), (AttributeTypeAndValue[]) null);
        }

        boolean noneNamed = profileNames.size() == 0;
        boolean allNamed = profileNames.size() == entryCount;
        if (!(noneNamed || allNamed)) {
            throw new IllegalStateException("either not all reqEntries have CertProfile or all not");
        }

        // The profile InfoTypeAndValue is attached even when the sequence is empty.
        InfoTypeAndValue profileInfo = new InfoTypeAndValue(ObjectIdentifiers.CMP.id_it_certProfile, new DERSequence(profileNames));
        PKIHeader header = buildPkiHeader(requestor, responder, true, null, null, profileInfo);

        // The case labels index a compiler-generated switch map, so which enrolment type maps to which
        // label is not visible here. The assigned values are RFC 4210 PKIBody choices:
        // 0 = ir, 2 = cr, 7 = kur, 13 = ccr.
        int bodyType;
        switch (AnonymousClass1.$SwitchMap$org$xipki$cmp$client$EnrollCertRequest$EnrollType[enrollCertRequest.getType().ordinal()]) {
            case 1:
                bodyType = 0;
                break;
            case 2:
                bodyType = 2;
                break;
            case 3:
                bodyType = 7;
                break;
            case PermissionConstants.UNSUSPEND_CERT /* 4 */:
                bodyType = 13;
                break;
            default:
                throw new IllegalStateException("Unknown EnrollCertRequest.Type " + enrollCertRequest.getType());
        }
        return new PKIMessage(header, new PKIBody(bodyType, new CertReqMessages(certReqMsgs)));
    }

    /**
     * Rejects a response whose protection is present but did not verify.
     *
     * <p>A response that carries no protection at all passes this check unchanged: the method returns
     * without throwing when {@code hasProtection()} is false.
     * NOTE(review): confirm that unprotected responses are rejected elsewhere, or are acceptable for this
     * deployment, since nothing visible in this method enforces that protection is present.
     *
     * @param verifiedPkiMessage the response together with the outcome of protection verification
     * @throws PkiErrorException if protection is present and the result is neither MAC_VALID nor
     *     SIGNATURE_VALID, or no verification result is available
     */
    private static void checkProtection(VerifiedPkiMessage verifiedPkiMessage) throws PkiErrorException {
        Args.notNull(verifiedPkiMessage, "response");
        if (!verifiedPkiMessage.hasProtection()) {
            return;
        }

        ProtectionVerificationResult verification = verifiedPkiMessage.getProtectionVerificationResult();
        boolean valid = false;
        if (verification != null) {
            ProtectionResult outcome = verification.getProtectionResult();
            valid = outcome == ProtectionResult.MAC_VALID || outcome == ProtectionResult.SIGNATURE_VALID;
        }
        if (valid) {
            return;
        }
        // 64 is the badMessageCheck bit of PKIFailureInfo.
        throw new PkiErrorException(PKISTATUS_RESPONSE_ERROR, 64, "message check of the response failed");
    }

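    /**
     * Decrypts a CRMF {@code EncryptedKey} with a password, dispatching on which alternative it carries.
     *
     * <p>The value is held as {@code Object} so that the {@code instanceof} test really selects between the
     * two alternatives; declaring the local as {@code EnvelopedData} made the test vacuous and the
     * {@code EncryptedValue} cast inconvertible.
     *
     * @param encryptedKey the encrypted private key taken from the response
     * @param cArr the shared password
     * @return the decrypted bytes
     * @throws XiSecurityException if the content is of neither supported kind or decryption fails
     */
    private static byte[] decrypt(EncryptedKey encryptedKey, char[] cArr) throws XiSecurityException {
        Object value = encryptedKey.getValue();
        if (value instanceof EnvelopedData) {
            return decrypt((EnvelopedData) value, cArr);
        }
        if (value instanceof EncryptedValue) {
            return decrypt((EncryptedValue) value, cArr);
        }
        // Report an unexpected or missing alternative through the exception type callers already handle.
        throw new XiSecurityException("unsupported EncryptedKey content");
    }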

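    /**
     * Decrypts a CMS EnvelopedData with a password, using its first RecipientInfo.
     *
     * <p>Only the first recipient is considered. The structure comes from the server response, so an empty
     * recipient set or a recipient of another kind is reported as {@link XiSecurityException} instead of
     * escaping as {@code NoSuchElementException} or {@code ClassCastException}, which the caller's
     * decrypt-failure handling does not catch.
     *
     * @param envelopedData the enveloped private key
     * @param cArr the shared password
     * @return the decrypted content
     * @throws XiSecurityException if there is no password recipient or CMS processing fails
     */
    private static byte[] decrypt(EnvelopedData envelopedData, char[] cArr) throws XiSecurityException {
        try {
            Iterator<?> recipients = new CMSEnvelopedData(new ContentInfo(CMSObjectIdentifiers.envelopedData, envelopedData)).getRecipientInfos().getRecipients().iterator();
            if (!recipients.hasNext()) {
                throw new XiSecurityException("EnvelopedData contains no RecipientInfo");
            }
            Object first = recipients.next();
            if (!(first instanceof PasswordRecipientInformation)) {
                throw new XiSecurityException("unsupported RecipientInfo type " + first.getClass().getName());
            }
            return ((PasswordRecipientInformation) first).getContent(new BcPasswordEnvelopedRecipient(cArr));
        } catch (CMSException e) {
            throw new XiSecurityException(e.getMessage(), e);
        }
    }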

    /**
     * Decrypts a CRMF {@code EncryptedValue} protected with PBES2: a key is derived from the password and
     * used to decrypt the content with the cipher named by the encryption scheme, initialised with GCM
     * parameters.
     *
     * <p>Salt, iteration count, PRF and encryption scheme are all read from the message itself.
     * NOTE(review): no bound is placed on the iteration count here (it is also narrowed with
     * {@code intValue()}), and the encryption scheme's parameters are parsed as GCMParameters without
     * checking that the scheme OID is a GCM one; consider validating both against an allow-list.
     *
     * @param encryptedValue the encrypted private key
     * @param cArr the shared password
     * @return the decrypted bytes
     * @throws XiSecurityException if symmAlg is not PBES2 or any JCA step fails, including a failed
     *     authentication tag
     */
    private static byte[] decrypt(EncryptedValue encryptedValue, char[] cArr) throws XiSecurityException {
        AlgorithmIdentifier symmAlg = encryptedValue.getSymmAlg();
        boolean isPbes2 = PKCSObjectIdentifiers.id_PBES2.equals(symmAlg.getAlgorithm());
        if (!isPbes2) {
            throw new XiSecurityException("unsupported symmAlg " + symmAlg.getAlgorithm().getId());
        }

        PBES2Parameters pbes2 = PBES2Parameters.getInstance(symmAlg.getParameters());
        PBKDF2Params kdfParams = PBKDF2Params.getInstance(pbes2.getKeyDerivationFunc().getParameters());
        try {
            // Derive the content-encryption key from the password.
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(pbes2.getKeyDerivationFunc().getAlgorithm().getId());
            PBKDF2KeySpec keySpec = new PBKDF2KeySpec(cArr, kdfParams.getSalt(), kdfParams.getIterationCount().intValue(), KEYSIZE_PROVIDER.getKeySize(AlgorithmIdentifier.getInstance(pbes2.getEncryptionScheme())), kdfParams.getPrf());
            SecretKeySpec contentKey = new SecretKeySpec(keyFactory.generateSecret(keySpec).getEncoded(), "AES");

            Cipher contentCipher = Cipher.getInstance(pbes2.getEncryptionScheme().getAlgorithm().getId());
            GCMParameters gcmParams = GCMParameters.getInstance(pbes2.getEncryptionScheme().getParameters());
            // getIcvLen() is in bytes; GCMParameterSpec expects the tag length in bits.
            GCMParameterSpec gcmSpec = new GCMParameterSpec(gcmParams.getIcvLen() * 8, gcmParams.getNonce());
            contentCipher.init(Cipher.DECRYPT_MODE, contentKey, gcmSpec);
            return contentCipher.doFinal(encryptedValue.getEncValue().getOctets());
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | InvalidKeySpecException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new XiSecurityException("Error while decrypting the EncryptedValue", e);
        }
    }

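    /**
     * Decrypts a CRMF {@code EncryptedKey} with a private key, dispatching on which alternative it carries.
     *
     * <p>The value is held as {@code Object} so that the {@code instanceof} test really selects between the
     * two alternatives; declaring the local as {@code EnvelopedData} made the test vacuous and the
     * {@code EncryptedValue} cast inconvertible.
     *
     * @param encryptedKey the encrypted private key taken from the response
     * @param privateKey the requestor's decryption key
     * @return the decrypted bytes
     * @throws XiSecurityException if the content is of neither supported kind or decryption fails
     */
    private static byte[] decrypt(EncryptedKey encryptedKey, PrivateKey privateKey) throws XiSecurityException {
        Object value = encryptedKey.getValue();
        if (value instanceof EnvelopedData) {
            return decrypt((EnvelopedData) value, privateKey);
        }
        if (value instanceof EncryptedValue) {
            return decrypt((EncryptedValue) value, privateKey);
        }
        // Report an unexpected or missing alternative through the exception type callers already handle.
        throw new XiSecurityException("unsupported EncryptedKey content");
    }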

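    /**
     * Decrypts a CMS EnvelopedData with a private key, using its first RecipientInfo.
     *
     * <p>The key-encryption algorithm of that recipient selects the recipient implementation: the listed
     * ECDH key-agreement OIDs use key agreement, everything else is treated as key transport. Only the
     * first recipient is considered. An empty recipient set is reported as {@link XiSecurityException}
     * rather than escaping as {@code NoSuchElementException}, which the caller's decrypt-failure handling
     * does not catch.
     *
     * @param envelopedData the enveloped private key
     * @param privateKey the requestor's decryption key
     * @return the decrypted content
     * @throws XiSecurityException if there is no recipient or CMS processing fails
     */
    private static byte[] decrypt(EnvelopedData envelopedData, PrivateKey privateKey) throws XiSecurityException {
        try {
            Iterator<?> recipients = new CMSEnvelopedData(new ContentInfo(CMSObjectIdentifiers.envelopedData, envelopedData)).getRecipientInfos().getRecipients().iterator();
            if (!recipients.hasNext()) {
                throw new XiSecurityException("EnvelopedData contains no RecipientInfo");
            }
            RecipientInformation recipientInformation = (RecipientInformation) recipients.next();
            ASN1ObjectIdentifier algorithm = recipientInformation.getKeyEncryptionAlgorithm().getAlgorithm();
            // The repeated ECDH_SHA384KDF comparison was redundant and has been dropped.
            boolean keyAgreement = algorithm.equals(CMSAlgorithm.ECDH_SHA1KDF)
                    || algorithm.equals(CMSAlgorithm.ECDH_SHA224KDF)
                    || algorithm.equals(CMSAlgorithm.ECDH_SHA256KDF)
                    || algorithm.equals(CMSAlgorithm.ECDH_SHA384KDF)
                    || algorithm.equals(CMSAlgorithm.ECDH_SHA512KDF);
            if (keyAgreement) {
                return recipientInformation.getContent(new JceKeyAgreeEnvelopedRecipient(privateKey).setProvider("BC"));
            }
            return recipientInformation.getContent(new JceKeyTransEnvelopedRecipient(privateKey).setProvider("BC"));
        } catch (CMSException e) {
            throw new XiSecurityException(e.getMessage(), e);
        }
    }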

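    /**
     * Decrypts a CRMF {@code EncryptedValue} whose content key was wrapped for the requestor's private key.
     *
     * <p>Two steps: the wrapped symmetric key ({@code encSymmKey}) is recovered with RSA (OAEP or
     * PKCS#1 v1.5) or with ECIES, depending on the key type, and the content ({@code encValue}) is then
     * decrypted with that key. The content algorithm must be AES-128-GCM.
     *
     * <p>For EC keys the {@code keyAlg} OID is now checked once before its parameters are parsed. It used to
     * be checked only inside the parameter loop, so an empty parameter sequence skipped the check.
     *
     * @param encryptedValue the encrypted private key
     * @param privateKey the requestor's RSA or EC decryption key
     * @return the decrypted bytes
     * @throws XiSecurityException if an algorithm or parameter is unsupported or any JCA step fails
     */
    private static byte[] decrypt(EncryptedValue encryptedValue, PrivateKey privateKey) throws XiSecurityException {
        byte[] engineDoFinal;
        Cipher cipher;
        AlgorithmIdentifier keyAlg = encryptedValue.getKeyAlg();
        ASN1ObjectIdentifier algorithm = keyAlg.getAlgorithm();
        try {
            if (privateKey instanceof RSAPrivateKey) {
                if (algorithm.equals(PKCSObjectIdentifiers.id_RSAES_OAEP)) {
                    // Only the default OAEP hash, mask generation and pSource parameters are accepted.
                    if (keyAlg.getParameters() != null) {
                        RSAESOAEPparams rSAESOAEPparams = RSAESOAEPparams.getInstance(keyAlg.getParameters());
                        ASN1ObjectIdentifier algorithm2 = rSAESOAEPparams.getHashAlgorithm().getAlgorithm();
                        if (!algorithm2.equals(RSAESOAEPparams.DEFAULT_HASH_ALGORITHM.getAlgorithm())) {
                            throw new XiSecurityException("unsupported RSAESOAEPparams.HashAlgorithm " + algorithm2.getId());
                        }
                        ASN1ObjectIdentifier algorithm3 = rSAESOAEPparams.getMaskGenAlgorithm().getAlgorithm();
                        if (!algorithm3.equals(RSAESOAEPparams.DEFAULT_MASK_GEN_FUNCTION.getAlgorithm())) {
                            throw new XiSecurityException("unsupported RSAESOAEPparams.MaskGenAlgorithm " + algorithm3.getId());
                        }
                        ASN1ObjectIdentifier algorithm4 = rSAESOAEPparams.getPSourceAlgorithm().getAlgorithm();
                        if (!rSAESOAEPparams.getPSourceAlgorithm().equals(RSAESOAEPparams.DEFAULT_P_SOURCE_ALGORITHM)) {
                            throw new XiSecurityException("unsupported RSAESOAEPparams.PSourceAlgorithm " + algorithm4.getId());
                        }
                    }
                    cipher = Cipher.getInstance("RSA/NONE/OAEPPADDING");
                } else {
                    if (!algorithm.equals(PKCSObjectIdentifiers.rsaEncryption)) {
                        throw new XiSecurityException("unsupported keyAlg " + algorithm.getId());
                    }
                    // NOTE(review): PKCS#1 v1.5 key transport is still accepted. Failures here and in the
                    // other branches share one generic XiSecurityException message, but confirm that
                    // callers expose no distinguishable error or timing, and prefer OAEP where the CA
                    // supports it.
                    cipher = Cipher.getInstance("RSA/NONE/PKCS1PADDING");
                }
                cipher.init(Cipher.DECRYPT_MODE, privateKey);
                engineDoFinal = cipher.doFinal(encryptedValue.getEncSymmKey().getOctets());
            } else {
                if (!(privateKey instanceof ECPrivateKey)) {
                    throw new XiSecurityException("unsupported decryption key type " + privateKey.getClass().getName());
                }
                // Check the OID before touching the parameters so that it is enforced even when the
                // parameter sequence is empty.
                if (!algorithm.equals(ObjectIdentifiers.Secg.id_ecies_specifiedParameters)) {
                    throw new XiSecurityException("unsupported keyAlg " + algorithm.getId());
                }
                ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance(keyAlg.getParameters());
                int size = aSN1Sequence.size();
                // Each tagged parameter must match the one fixed ECIES profile built below; entries with
                // any other tag are ignored.
                for (int i = 0; i < size; i++) {
                    ASN1TaggedObject objectAt = (ASN1TaggedObject) aSN1Sequence.getObjectAt(i);
                    int tagNo = objectAt.getTagNo();
                    if (tagNo == 0) {
                        // [0] key derivation function: KDF2 with SHA-1.
                        AlgorithmIdentifier algorithmIdentifier = AlgorithmIdentifier.getInstance(objectAt.getBaseObject());
                        if (!ObjectIdentifiers.Misc.id_iso18033_kdf2.equals(algorithmIdentifier.getAlgorithm())) {
                            throw new XiSecurityException("unsupported KeyDerivationFunction " + algorithmIdentifier.getAlgorithm().getId());
                        }
                        AlgorithmIdentifier algorithmIdentifier2 = AlgorithmIdentifier.getInstance(algorithmIdentifier.getParameters());
                        if (!algorithmIdentifier2.getAlgorithm().equals(HashAlgo.SHA1.getOid())) {
                            throw new XiSecurityException("unsupported KeyDerivationFunction.HashAlgorithm " + algorithmIdentifier2.getAlgorithm().getId());
                        }
                    } else if (tagNo == 1) {
                        // [1] symmetric encryption: AES-128-CBC.
                        AlgorithmIdentifier algorithmIdentifier3 = AlgorithmIdentifier.getInstance(objectAt.getBaseObject());
                        if (!ObjectIdentifiers.Secg.id_aes128_cbc_in_ecies.equals(algorithmIdentifier3.getAlgorithm())) {
                            throw new XiSecurityException("unsupported SymmetricEncryption " + algorithmIdentifier3.getAlgorithm().getId());
                        }
                    } else if (tagNo == 2) {
                        // [2] message authentication code: HMAC with SHA-1.
                        AlgorithmIdentifier algorithmIdentifier4 = AlgorithmIdentifier.getInstance(objectAt.getBaseObject());
                        if (!ObjectIdentifiers.Secg.id_hmac_full_ecies.equals(algorithmIdentifier4.getAlgorithm())) {
                            throw new XiSecurityException("unsupported MessageAuthenticationCode " + algorithmIdentifier4.getAlgorithm().getId());
                        }
                        AlgorithmIdentifier algorithmIdentifier5 = AlgorithmIdentifier.getInstance(algorithmIdentifier4.getParameters());
                        if (!algorithmIdentifier5.getAlgorithm().equals(HashAlgo.SHA1.getOid())) {
                            throw new XiSecurityException("unsupported MessageAuthenticationCode.HashAlgorithm " + algorithmIdentifier5.getAlgorithm().getId());
                        }
                    }
                }
                // NOTE(review): the two size arguments reference an unrelated permission constant; this looks
                // like a decompiler constant substitution for the MAC and cipher key sizes. Confirm the
                // intended literal.
                // The IV is 16 zero bytes and both KDF and MAC use SHA-1; these follow the profile checked
                // above and are not negotiable in this method.
                IESParameterSpec iESParameterSpec = new IESParameterSpec((byte[]) null, (byte[]) null, PermissionConstants.ENROLL_CROSS, PermissionConstants.ENROLL_CROSS, new byte[16]);
                IESCipher iESCipher = new IESCipher(new IESEngine(new ECDHBasicAgreement(), new KDF2BytesGenerator(DigestFactory.createSHA1()), new HMac(DigestFactory.createSHA1()), new PaddedBufferedBlockCipher(new CBCBlockCipher(new AESEngine()))), 16);
                iESCipher.engineInit(Cipher.DECRYPT_MODE, privateKey, iESParameterSpec, (SecureRandom) null);
                // encSymmKey holds a sequence of three octet strings; they are concatenated in order to
                // form the input handed to the ECIES engine.
                ASN1Sequence dERSequence = DERSequence.getInstance(encryptedValue.getEncSymmKey().getOctets());
                byte[] octets = DEROctetString.getInstance(dERSequence.getObjectAt(0)).getOctets();
                byte[] octets2 = DEROctetString.getInstance(dERSequence.getObjectAt(1)).getOctets();
                byte[] octets3 = DEROctetString.getInstance(dERSequence.getObjectAt(2)).getOctets();
                byte[] bArr = new byte[octets.length + octets2.length + octets3.length];
                System.arraycopy(octets, 0, bArr, 0, octets.length);
                int length = octets.length;
                System.arraycopy(octets2, 0, bArr, length, octets2.length);
                System.arraycopy(octets3, 0, bArr, length + octets2.length, octets3.length);
                engineDoFinal = iESCipher.engineDoFinal(bArr, 0, bArr.length);
            }
            // Second step: decrypt the content with the recovered key. Only AES-128-GCM is accepted.
            AlgorithmIdentifier symmAlg = encryptedValue.getSymmAlg();
            ASN1ObjectIdentifier algorithm5 = symmAlg.getAlgorithm();
            if (!algorithm5.equals(NISTObjectIdentifiers.id_aes128_GCM)) {
                throw new XiSecurityException("unsupported symmAlg " + algorithm5.getId());
            }
            GCMParameters gCMParameters = GCMParameters.getInstance(symmAlg.getParameters());
            Cipher cipher2 = Cipher.getInstance(algorithm5.getId());
            // getIcvLen() is in bytes; GCMParameterSpec expects the tag length in bits.
            cipher2.init(Cipher.DECRYPT_MODE, new SecretKeySpec(engineDoFinal, "AES"), new GCMParameterSpec(gCMParameters.getIcvLen() << 3, gCMParameters.getNonce()));
            return cipher2.doFinal(encryptedValue.getEncValue().getOctets());
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new XiSecurityException("Error while decrypting the EncryptedValue", e);
        }
    }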

    /**
     * Extracts the value of one InfoTypeAndValue from a general response.
     *
     * <p>This method reads the body only; it performs no protection check itself.
     * NOTE(review): presumably the caller has already verified the response's protection; confirm.
     *
     * @param generalPKIMessage the response message
     * @param aSN1ObjectIdentifier the info type to look for
     * @return the info value of the first entry whose type matches
     * @throws PkiErrorException if the response body is an error message
     * @throws CmpClientException if the body is of another unexpected type or contains no matching entry
     */
    private static ASN1Encodable parseGenRep(GeneralPKIMessage generalPKIMessage, ASN1ObjectIdentifier aSN1ObjectIdentifier) throws CmpClientException, PkiErrorException {
        PKIBody body = generalPKIMessage.getBody();
        int bodyType = body.getType();
        // In RFC 4210's PKIBody numbering, 23 is error and 22 is genp (general response).
        if (bodyType == 23) {
            throw new PkiErrorException(ErrorMsgContent.getInstance(body.getContent()).getPKIStatusInfo());
        }
        if (bodyType != 22) {
            throw new CmpClientException(String.format("unknown PKI body type %s instead the expected [%s, %s]", Integer.valueOf(bodyType), 22, 23));
        }

        InfoTypeAndValue[] entries = GenRepContent.getInstance(body.getContent()).toInfoTypeAndValueArray();
        if (entries != null) {
            for (InfoTypeAndValue candidate : entries) {
                if (aSN1ObjectIdentifier.equals(candidate.getInfoType())) {
                    return candidate.getInfoValue();
                }
            }
        }
        throw new CmpClientException("the response does not contain InfoTypeAndValue " + aSN1ObjectIdentifier);
    }

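    /**
     * Turns a revocation response into per-entry results, pairing statuses with request entries by position.
     *
     * <p>The response must contain exactly one status per request entry. For an accepted entry (status 0 or
     * 1) the matching CertId is looked up in the response by issuer and serial number; when the server did
     * not return one, a CertId is synthesised from the request entry and a warning is logged, so a returned
     * CertId is not proof that the server echoed it.
     *
     * <p>{@code failInfo} is OPTIONAL in RFC 4210's PKIStatusInfo, so a rejected entry without it is
     * reported with failure info 0 instead of failing with a {@code NullPointerException}.
     *
     * @param verifiedPkiMessage the response with its protection verification outcome
     * @param list the request entries, in the order they were sent
     * @return the per-entry results
     * @throws PkiErrorException if protection verification failed or the body is an error message
     * @throws CmpClientException if the body type or the number of statuses is unexpected
     */
    private static RevokeCertResponse parse(VerifiedPkiMessage verifiedPkiMessage, List<? extends UnrevokeCertRequest.Entry> list) throws CmpClientException, PkiErrorException {
        checkProtection((VerifiedPkiMessage) Args.notNull(verifiedPkiMessage, "response"));
        PKIBody body = verifiedPkiMessage.getPkiMessage().getBody();
        int type = body.getType();
        // In RFC 4210's PKIBody numbering, 23 is error and 12 is rp (revocation response).
        if (23 == type) {
            throw new PkiErrorException(ErrorMsgContent.getInstance(body.getContent()).getPKIStatusInfo());
        }
        if (12 != type) {
            throw new CmpClientException(String.format("unknown PKI body type %s instead the expected [%s, %s]", Integer.valueOf(type), 12, 23));
        }
        RevRepContent revRepContent = RevRepContent.getInstance(body.getContent());
        PKIStatusInfo[] status = revRepContent.getStatus();
        if (status == null || status.length != list.size()) {
            throw new CmpClientException(String.format("incorrect number of status entries in response '%s' instead the expected '%s'", Integer.valueOf(status != null ? status.length : 0), Integer.valueOf(list.size())));
        }
        CertId[] revCerts = revRepContent.getRevCerts();
        RevokeCertResponse revokeCertResponse = new RevokeCertResponse();
        for (int i = 0; i < status.length; i++) {
            PKIStatusInfo pKIStatusInfo = status[i];
            int intValue = pKIStatusInfo.getStatus().intValue();
            UnrevokeCertRequest.Entry entry = list.get(i);
            if (intValue == 0 || intValue == 1) {
                CertId certId = null;
                if (revCerts != null) {
                    for (CertId candidate : revCerts) {
                        if (entry.getIssuer().equals(candidate.getIssuer().getName()) && entry.getSerialNumber().equals(candidate.getSerialNumber().getValue())) {
                            certId = candidate;
                            break;
                        }
                    }
                }
                if (certId == null) {
                    LOG.warn("certId is not present in response for (issuer='{}', serialNumber={})", X509Util.x500NameText(entry.getIssuer()), LogUtil.formatCsn(entry.getSerialNumber()));
                    certId = new CertId(new GeneralName(entry.getIssuer()), entry.getSerialNumber());
                }
                revokeCertResponse.addResultEntry(new ResultEntry.RevokeCert(entry.getId(), certId));
            } else {
                PKIFreeText statusString = pKIStatusInfo.getStatusString();
                // An absent failInfo is reported as 0, meaning no failure bit set.
                int failInfo = pKIStatusInfo.getFailInfo() == null ? 0 : pKIStatusInfo.getFailInfo().intValue();
                revokeCertResponse.addResultEntry(new ResultEntry.Error(entry.getId(), intValue, failInfo, statusString == null ? null : statusString.getStringAtUTF8(0).getString()));
            }
        }
        return revokeCertResponse;
    }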

    /**
     * Wraps a key identifier in a non-critical AuthorityKeyIdentifier extension for a certificate template.
     *
     * @param bArr the authority key identifier bytes
     * @return an Extensions object holding that single extension
     * @throws CmpClientException if the AuthorityKeyIdentifier cannot be encoded
     */
    private static Extensions getCertTempExtensions(byte[] bArr) throws CmpClientException {
        byte[] encodedAki;
        try {
            encodedAki = new AuthorityKeyIdentifier(bArr).getEncoded();
        } catch (IOException e) {
            throw new CmpClientException("could not encoded AuthorityKeyIdentifier", e);
        }
        Extension akiExtension = new Extension(Extension.authorityKeyIdentifier, false, encodedAki);
        return new Extensions(akiExtension);
    }
}
