package org.xipki.cmp.client.internal;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.cert.X509CRLHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.ca.sdk.CaAuditConstants;
import org.xipki.cmp.client.CertIdOrError;
import org.xipki.cmp.client.CmpClient;
import org.xipki.cmp.client.CmpClientConf;
import org.xipki.cmp.client.CmpClientException;
import org.xipki.cmp.client.EnrollCertRequest;
import org.xipki.cmp.client.EnrollCertResult;
import org.xipki.cmp.client.PkiErrorException;
import org.xipki.cmp.client.Requestor;
import org.xipki.cmp.client.RevokeCertRequest;
import org.xipki.cmp.client.UnrevokeCertRequest;
import org.xipki.cmp.client.internal.Responder;
import org.xipki.cmp.client.internal.ResultEntry;
import org.xipki.security.CollectionAlgorithmValidator;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignAlgo;
import org.xipki.security.X509Cert;
import org.xipki.security.util.JSON;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.BenchmarkExecutor;
import org.xipki.util.CollectionUtil;
import org.xipki.util.IoUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.ReqRespDebug;
import org.xipki.util.exception.InvalidConfException;
import org.xipki.util.http.SslContextConf;

/* loaded from: input_file:WEB-INF/lib/cmp-client-6.1.0.jar:org/xipki/cmp/client/internal/CmpClientImpl.class */
public final class CmpClientImpl implements CmpClient {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) CmpClientImpl.class);
    private SecurityFactory securityFactory;
    private CmpAgent agent;
    private List<X509Cert> dhpopCerts;
    private String confFile;
    private final AtomicBoolean initialized = new AtomicBoolean(false);

    public void setSecurityFactory(SecurityFactory securityFactory) {
        this.securityFactory = securityFactory;
    }

    public void setConfFile(String str) {
        this.confFile = str;
    }

    public void init() throws Exception {
        if (this.initialized.get()) {
            return;
        }
        if (this.confFile == null) {
            throw new IllegalStateException("confFile is not set");
        }
        if (this.securityFactory == null) {
            throw new IllegalStateException("securityFactory is not set");
        }
        this.initialized.set(false);
        LOG.info("initializing ...");
        File file = new File(IoUtil.expandFilepath(this.confFile));
        if (!file.exists()) {
            throw new IllegalStateException("could not find configuration file " + this.confFile);
        }
        CmpClientConf parse = parse(Files.newInputStream(file.toPath(), new OpenOption[0]));
        SslContextConf ofSslConf = SslContextConf.ofSslConf(parse.getSsl());
        SSLSocketFactory sslSocketFactory = ofSslConf.getSslSocketFactory();
        HostnameVerifier buildHostnameVerifier = ofSslConf.buildHostnameVerifier();
        CmpClientConf.Responder responder = parse.getResponder();
        String url = responder.getUrl();
        Responder.SignatureCmpResponder signatureCmpResponder = null;
        CmpClientConf.Responder.Signature signature = responder.getSignature();
        if (signature != null) {
            X509Cert parseCert = X509Util.parseCert(signature.getCert().readContent());
            HashSet hashSet = new HashSet(signature.getSignatureAlgos());
            HashSet hashSet2 = new HashSet();
            Iterator it = hashSet.iterator();
            while (it.hasNext()) {
                hashSet2.add(SignAlgo.getInstance((String) it.next()));
            }
            if (hashSet2.isEmpty()) {
                throw new NoSuchAlgorithmException("none of the signature algorithms " + hashSet + " are supported");
            }
            signatureCmpResponder = new Responder.SignatureCmpResponder(parseCert, new CollectionAlgorithmValidator(hashSet2));
        }
        Responder.PbmMacCmpResponder pbmMacCmpResponder = null;
        CmpClientConf.Responder.PbmMac pbmMac = responder.getPbmMac();
        if (pbmMac != null) {
            pbmMacCmpResponder = new Responder.PbmMacCmpResponder(pbmMac.getOwfAlgos(), pbmMac.getMacAlgos());
        }
        if (responder.getDhPopCerts() != null) {
            this.dhpopCerts = X509Util.parseCerts(responder.getDhPopCerts().readContent());
        }
        this.agent = new CmpAgent(signatureCmpResponder, pbmMacCmpResponder, url, this.securityFactory, sslSocketFactory, buildHostnameVerifier, parse.isSendRequestorCert());
        this.initialized.set(true);
        LOG.info("initialized");
    }

    private static CmpClientConf parse(InputStream inputStream) throws CmpClientException {
        try {
            try {
                CmpClientConf cmpClientConf = (CmpClientConf) JSON.parseObject(inputStream, CmpClientConf.class);
                cmpClientConf.validate();
                return cmpClientConf;
            } finally {
                try {
                    inputStream.close();
                } catch (IOException e) {
                    LOG.warn("could not close confStream: {}", e.getMessage());
                }
            }
        } catch (RuntimeException | InvalidConfException e2) {
            throw new CmpClientException("parsing profile failed, message: " + e2.getMessage(), e2);
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
    }

    @Override // org.xipki.cmp.client.CmpClient
    public EnrollCertResult enrollCert(String str, Requestor requestor, CertificationRequest certificationRequest, String str2, Date date, Date date2, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        Args.notNull(certificationRequest, "csr");
        return parseEnrollCertResult(this.agent.requestCertificate(Args.notBlank(str, "caName").toLowerCase(Locale.ROOT), requestor, new CsrEnrollCertRequest("cert-1", str2, certificationRequest), date, date2, reqRespDebug));
    }

    @Override // org.xipki.cmp.client.CmpClient
    public EnrollCertResult enrollCerts(String str, Requestor requestor, EnrollCertRequest enrollCertRequest, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        String lowerCase = Args.notBlank(str, "caName").toLowerCase(Locale.ROOT);
        if (CollectionUtil.isEmpty(((EnrollCertRequest) Args.notNull(enrollCertRequest, "request")).getRequestEntries())) {
            return null;
        }
        return parseEnrollCertResult(this.agent.requestCertificate(lowerCase, requestor, enrollCertRequest, reqRespDebug));
    }

    @Override // org.xipki.cmp.client.CmpClient
    public CertIdOrError revokeCert(String str, Requestor requestor, X509Cert x509Cert, X509Cert x509Cert2, int i, Date date, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        Args.notNull(x509Cert2, "cert");
        assertIssuedByCa(x509Cert2, x509Cert);
        return revokeCert(str, requestor, x509Cert, x509Cert2.getSerialNumber(), i, date, reqRespDebug);
    }

    @Override // org.xipki.cmp.client.CmpClient
    public CertIdOrError revokeCert(String str, Requestor requestor, X509Cert x509Cert, BigInteger bigInteger, int i, Date date, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        Args.notNull(str, "caName");
        Args.notNull(bigInteger, CaAuditConstants.NAME_serial);
        RevokeCertRequest.Entry entry = new RevokeCertRequest.Entry("cert-1", x509Cert.getSubject(), bigInteger, i, date);
        entry.setAuthorityKeyIdentifier(x509Cert.getSubjectKeyId());
        RevokeCertRequest revokeCertRequest = new RevokeCertRequest();
        revokeCertRequest.addRequestEntry(entry);
        Map<String, CertIdOrError> revokeCerts = revokeCerts(str, requestor, revokeCertRequest, reqRespDebug);
        if (revokeCerts == null) {
            return null;
        }
        return revokeCerts.get("cert-1");
    }

    @Override // org.xipki.cmp.client.CmpClient
    public Map<String, CertIdOrError> revokeCerts(String str, Requestor requestor, RevokeCertRequest revokeCertRequest, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        List<RevokeCertRequest.Entry> requestEntries = ((RevokeCertRequest) Args.notNull(revokeCertRequest, "request")).getRequestEntries();
        if (CollectionUtil.isEmpty(requestEntries)) {
            return Collections.emptyMap();
        }
        X500Name issuer = requestEntries.get(0).getIssuer();
        for (int i = 1; i < requestEntries.size(); i++) {
            if (!issuer.equals(requestEntries.get(i).getIssuer())) {
                throw new PkiErrorException(2, 32, "revoking certificates issued by more than one CA is not allowed");
            }
        }
        return parseRevokeCertResult(this.agent.revokeCertificate(str, requestor, revokeCertRequest, reqRespDebug));
    }

    private Map<String, CertIdOrError> parseRevokeCertResult(RevokeCertResponse revokeCertResponse) throws CmpClientException {
        CertIdOrError certIdOrError;
        HashMap hashMap = new HashMap();
        for (ResultEntry resultEntry : revokeCertResponse.getResultEntries()) {
            if (resultEntry instanceof ResultEntry.RevokeCert) {
                certIdOrError = new CertIdOrError(((ResultEntry.RevokeCert) resultEntry).getCertId());
            } else {
                if (!(resultEntry instanceof ResultEntry.Error)) {
                    throw new CmpClientException("unknown type " + resultEntry.getClass().getName());
                }
                certIdOrError = new CertIdOrError(((ResultEntry.Error) resultEntry).getStatusInfo());
            }
            hashMap.put(resultEntry.getId(), certIdOrError);
        }
        return hashMap;
    }

    @Override // org.xipki.cmp.client.CmpClient
    public X509CRLHolder downloadCrl(String str, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        return this.agent.downloadCurrentCrl(Args.toNonBlankLower(str, "caName"), reqRespDebug);
    }

    private static X509Cert getCertificate(CMPCertificate cMPCertificate) throws CertificateException {
        Certificate x509v3PKCert = cMPCertificate.getX509v3PKCert();
        if (x509v3PKCert == null) {
            return null;
        }
        return new X509Cert(x509v3PKCert);
    }

    private static boolean verify(X509Cert x509Cert, X509Cert x509Cert2) {
        if (!x509Cert2.getIssuer().equals(x509Cert.getSubject())) {
            return false;
        }
        if (Boolean.getBoolean(BenchmarkExecutor.PROPKEY_BENCHMARK)) {
            return true;
        }
        try {
            x509Cert2.verify(x509Cert.getPublicKey());
            return true;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            LOG.debug("{} while verifying signature: {}", e.getClass().getName(), e.getMessage());
            return false;
        }
    }

    @Override // org.xipki.cmp.client.CmpClient
    public CertIdOrError unsuspendCert(String str, Requestor requestor, X509Cert x509Cert, X509Cert x509Cert2, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        assertIssuedByCa((X509Cert) Args.notNull(x509Cert2, "cert"), x509Cert);
        return unsuspendCert(str, requestor, x509Cert, x509Cert2.getSerialNumber(), reqRespDebug);
    }

    @Override // org.xipki.cmp.client.CmpClient
    public CertIdOrError unsuspendCert(String str, Requestor requestor, X509Cert x509Cert, BigInteger bigInteger, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        Args.notNull(x509Cert, "issuerCert");
        Args.notNull(bigInteger, CaAuditConstants.NAME_serial);
        ResultEntry.UnrevokeOrRemoveCert unrevokeOrRemoveCert = new ResultEntry.UnrevokeOrRemoveCert("cert-1", x509Cert.getSubject(), bigInteger);
        unrevokeOrRemoveCert.setAuthorityKeyIdentifier(x509Cert.getSubjectKeyId());
        UnrevokeCertRequest unrevokeCertRequest = new UnrevokeCertRequest();
        UnrevokeCertRequest.Entry entry = new UnrevokeCertRequest.Entry(unrevokeOrRemoveCert.getId(), unrevokeOrRemoveCert.getIssuer(), unrevokeOrRemoveCert.getSerialNumber());
        entry.setAuthorityKeyIdentifier(unrevokeOrRemoveCert.getAuthorityKeyIdentifier());
        unrevokeCertRequest.addRequestEntry(entry);
        Map<String, CertIdOrError> unsuspendCerts = unsuspendCerts(str, requestor, unrevokeCertRequest, reqRespDebug);
        if (unsuspendCerts == null) {
            return null;
        }
        return unsuspendCerts.get("cert-1");
    }

    @Override // org.xipki.cmp.client.CmpClient
    public Map<String, CertIdOrError> unsuspendCerts(String str, Requestor requestor, UnrevokeCertRequest unrevokeCertRequest, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        List<UnrevokeCertRequest.Entry> requestEntries = ((UnrevokeCertRequest) Args.notNull(unrevokeCertRequest, "request")).getRequestEntries();
        if (CollectionUtil.isEmpty(requestEntries)) {
            return Collections.emptyMap();
        }
        X500Name issuer = requestEntries.get(0).getIssuer();
        for (int i = 1; i < requestEntries.size(); i++) {
            if (!issuer.equals(requestEntries.get(i).getIssuer())) {
                throw new PkiErrorException(2, 32, "unsuspending certificates issued by more than one CA is not allowed");
            }
        }
        return parseRevokeCertResult(this.agent.unrevokeCertificate(str, requestor, unrevokeCertRequest, reqRespDebug));
    }

    private EnrollCertResult parseEnrollCertResult(EnrollCertResponse enrollCertResponse) throws CmpClientException {
        X509Cert[] x509CertArr;
        EnrollCertResult.CertifiedKeyPairOrError certifiedKeyPairOrError;
        HashMap hashMap = new HashMap();
        for (ResultEntry resultEntry : enrollCertResponse.getResultEntries()) {
            if (resultEntry instanceof ResultEntry.EnrollCert) {
                ResultEntry.EnrollCert enrollCert = (ResultEntry.EnrollCert) resultEntry;
                try {
                    certifiedKeyPairOrError = new EnrollCertResult.CertifiedKeyPairOrError(getCertificate(enrollCert.getCert()), enrollCert.getPrivateKeyInfo());
                } catch (CertificateException e) {
                    throw new CmpClientException(String.format("CertificateParsingException for request (id=%s): %s", enrollCert.getId(), e.getMessage()));
                }
            } else {
                certifiedKeyPairOrError = resultEntry instanceof ResultEntry.Error ? new EnrollCertResult.CertifiedKeyPairOrError(((ResultEntry.Error) resultEntry).getStatusInfo()) : null;
            }
            hashMap.put(resultEntry.getId(), certifiedKeyPairOrError);
        }
        List<CMPCertificate> caCertificates = enrollCertResponse.getCaCertificates();
        if (CollectionUtil.isEmpty(caCertificates)) {
            return new EnrollCertResult(null, hashMap);
        }
        ArrayList arrayList = new ArrayList(caCertificates.size());
        Iterator<CMPCertificate> it = caCertificates.iterator();
        while (it.hasNext()) {
            try {
                arrayList.add(getCertificate(it.next()));
            } catch (CertificateException e2) {
                LogUtil.error(LOG, e2, "could not extract the caPub from CMPCertificate");
            }
        }
        X509Cert x509Cert = null;
        Iterator it2 = hashMap.values().iterator();
        while (it2.hasNext()) {
            X509Cert certificate = ((EnrollCertResult.CertifiedKeyPairOrError) it2.next()).getCertificate();
            if (certificate != null) {
                Iterator it3 = arrayList.iterator();
                while (true) {
                    if (!it3.hasNext()) {
                        break;
                    }
                    X509Cert x509Cert2 = (X509Cert) it3.next();
                    if (verify(x509Cert2, certificate)) {
                        x509Cert = x509Cert2;
                        break;
                    }
                }
                if (x509Cert != null) {
                    break;
                }
            }
        }
        if (x509Cert == null) {
            return new EnrollCertResult(null, hashMap);
        }
        Iterator it4 = hashMap.values().iterator();
        while (it4.hasNext()) {
            X509Cert certificate2 = ((EnrollCertResult.CertifiedKeyPairOrError) it4.next()).getCertificate();
            if (certificate2 != null && !verify(x509Cert, certificate2)) {
                LOG.warn("not all certificates are issued by CA embedded in caPubs, ignore the caPubs");
                return new EnrollCertResult(null, hashMap);
            }
        }
        arrayList.remove(x509Cert);
        if (arrayList.isEmpty()) {
            x509CertArr = new X509Cert[]{x509Cert};
        } else {
            try {
                x509CertArr = X509Util.buildCertPath(x509Cert, arrayList, true);
            } catch (CertPathBuilderException e3) {
                LOG.warn("could not build certpath for the CA certificate");
                x509CertArr = new X509Cert[]{x509Cert};
            }
        }
        return new EnrollCertResult(x509CertArr, hashMap);
    }

    private static void assertIssuedByCa(X509Cert x509Cert, X509Cert x509Cert2) throws CmpClientException {
        boolean z;
        try {
            z = X509Util.issues(x509Cert2, x509Cert);
        } catch (CertificateEncodingException e) {
            LogUtil.error(LOG, e);
            z = false;
        }
        if (!z) {
            throw new CmpClientException("the given certificate is not issued by the CA");
        }
    }

    @Override // org.xipki.cmp.client.CmpClient
    public X509Cert caCert(String str, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        return this.agent.caCerts(str, 1, reqRespDebug).get(0);
    }

    @Override // org.xipki.cmp.client.CmpClient
    public List<X509Cert> caCerts(String str, ReqRespDebug reqRespDebug) throws CmpClientException, PkiErrorException {
        return this.agent.caCerts(str, 99, reqRespDebug);
    }

    @Override // org.xipki.cmp.client.CmpClient
    public List<X509Cert> getDhPopPeerCertificates() {
        return this.dhpopCerts == null ? Collections.emptyList() : Collections.unmodifiableList(this.dhpopCerts);
    }
}
