package org.xipki.ca.gateway.cmp;

import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.time.Instant;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.ASN1BitString;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers;
import org.bouncycastle.asn1.cmp.CertConfirmContent;
import org.bouncycastle.asn1.cmp.CertOrEncCert;
import org.bouncycastle.asn1.cmp.CertRepMessage;
import org.bouncycastle.asn1.cmp.CertResponse;
import org.bouncycastle.asn1.cmp.CertifiedKeyPair;
import org.bouncycastle.asn1.cmp.ErrorMsgContent;
import org.bouncycastle.asn1.cmp.GenMsgContent;
import org.bouncycastle.asn1.cmp.GenRepContent;
import org.bouncycastle.asn1.cmp.InfoTypeAndValue;
import org.bouncycastle.asn1.cmp.PBMParameter;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIFailureInfo;
import org.bouncycastle.asn1.cmp.PKIFreeText;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIHeaderBuilder;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cmp.PKIStatus;
import org.bouncycastle.asn1.cmp.PKIStatusInfo;
import org.bouncycastle.asn1.cms.GCMParameters;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.crmf.DhSigStatic;
import org.bouncycastle.asn1.crmf.EncryptedValue;
import org.bouncycastle.asn1.crmf.PKIPublicationInfo;
import org.bouncycastle.asn1.crmf.POPOSigningKey;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.EncryptionScheme;
import org.bouncycastle.asn1.pkcs.KeyDerivationFunc;
import org.bouncycastle.asn1.pkcs.PBES2Parameters;
import org.bouncycastle.asn1.pkcs.PBKDF2Params;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.cmp.CMPException;
import org.bouncycastle.cert.cmp.GeneralPKIMessage;
import org.bouncycastle.cert.cmp.ProtectedPKIMessage;
import org.bouncycastle.cert.crmf.CRMFException;
import org.bouncycastle.cert.crmf.CertificateRequestMessage;
import org.bouncycastle.cert.crmf.PKMACBuilder;
import org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator;
import org.bouncycastle.jcajce.spec.PBKDF2KeySpec;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.audit.AuditLevel;
import org.xipki.audit.AuditStatus;
import org.xipki.ca.gateway.CaNameSigners;
import org.xipki.ca.gateway.PopControl;
import org.xipki.ca.gateway.Requestor;
import org.xipki.ca.gateway.RequestorAuthenticator;
import org.xipki.ca.gateway.cmp.CrmfKeyWrapper;
import org.xipki.ca.sdk.ErrorResponse;
import org.xipki.ca.sdk.SdkClient;
import org.xipki.ca.sdk.SdkErrorResponseException;
import org.xipki.cmp.CmpUtil;
import org.xipki.cmp.PkiStatusInfo;
import org.xipki.cmp.ProtectionResult;
import org.xipki.cmp.ProtectionVerificationResult;
import org.xipki.pki.ErrorCode;
import org.xipki.pki.OperationException;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.DHSigStaticKeyCertPair;
import org.xipki.security.EdECConstants;
import org.xipki.security.HashAlgo;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignAlgo;
import org.xipki.security.X509Cert;
import org.xipki.util.Args;
import org.xipki.util.Base64;
import org.xipki.util.ConcurrentBag;
import org.xipki.util.LogUtil;
import org.xipki.util.StringUtil;
import org.xipki.util.exception.InsufficientPermissionException;

/* loaded from: input_file:org/xipki/ca/gateway/cmp/BaseCmpResponder.class */
public abstract class BaseCmpResponder {
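    /** HTTP request header naming the certificate profile for an enrollment request. */
    public static final String HTTP_HEADER_certprofile = "certprofile";
    /** HTTP request header that, when parseable as {@code true}, requests group enrollment. */
    public static final String HTTP_HEADER_groupenroll = "groupenroll";
    // Audit event type names, one per handled PKIBody type (see processPkiMessage0).
    public static final String TYPE_ccr = "ccr";
    public static final String TYPE_certConf = "cert_conf";
    public static final String TYPE_ir = "ir";
    public static final String TYPE_cr = "cr";
    public static final String TYPE_error = "error";
    public static final String TYPE_genm_cacerts = "genm_cacerts";
    public static final String TYPE_genm_current_crl = "genm_current_crl";
    public static final String TYPE_kur = "kur";
    public static final String TYPE_p10cr = "p10cr";
    public static final String TYPE_pkiconf = "pkiconf";
    public static final String TYPE_rr_revoke = "rr_revoke";
    public static final String TYPE_rr_unrevoke = "rr_unrevoke";
    /** Lowest accepted CMP protocol version (cmp2000); requests with a smaller pvno are rejected. */
    private static final int PVNO_CMP2000 = 2;
    // Cipher / KDF pools and their init flags; assigned in a static initializer outside this view.
    private static final ConcurrentBag<Cipher> aesGcm_ciphers;
    private static final ConcurrentBag<SecretKeyFactory> pbkdf2_kdfs;
    private static final boolean aesGcm_ciphers_initialized;
    private static final boolean pbkdf2_kdfs_initialized;
    protected final SecurityFactory securityFactory;
    protected final SdkClient sdk;
    /** CMP policy: permitted algorithms, message-time bias, PBM parameters for responses. */
    protected final CmpControl cmpControl;
    /** Policy for proof-of-possession verification. */
    protected final PopControl popControl;
    /** Resolves requestors by certificate or by senderKID (password-based). */
    private final RequestorAuthenticator authenticator;
    /** Response signers, looked up by CA name. */
    private final CaNameSigners signers;
    private static final Logger LOG = LoggerFactory.getLogger(BaseCmpResponder.class);
    private static final AlgorithmIdentifier prf_hmacWithSHA256 = SignAlgo.HMAC_SHA256.getAlgorithmIdentifier();
    /** ErrorCode to PKIFailureInfo bit mapping; populated in a static initializer outside this view. */
    private static final Map<ErrorCode, Integer> errorCodeToPkiFailureMap = new HashMap<>(20);
    /** CSPRNG used for generated transaction IDs and PBM salts. */
    private final SecureRandom random = new SecureRandom();
    // This initializer can throw NoSuchAlgorithmException, which is why the constructor declares it.
    private final KeyGenerator aesKeyGen = KeyGenerator.getInstance("AES");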

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.xipki.ca.gateway.cmp.BaseCmpResponder$1, reason: invalid class name */
    /* loaded from: input_file:org/xipki/ca/gateway/cmp/BaseCmpResponder$1.class */
    // Decompiler-synthesized switch map: the compiler emits this holder so that a switch over an
    // enum does not depend on the enum's ordinal at compile time. Each array maps
    // Enum.ordinal() -> case label used by the switch statements in this class. The empty
    // NoSuchFieldError catches are part of the generated pattern (a constant removed from the
    // enum at runtime simply gets no mapping) and are not swallowed application errors.
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xipki$cmp$ProtectionResult;
        static final /* synthetic */ int[] $SwitchMap$org$xipki$pki$ErrorCode = new int[ErrorCode.values().length];

        static {
            // ErrorCode -> case label (used by a switch outside this view).
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.ALREADY_ISSUED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.BAD_CERT_TEMPLATE.ordinal()] = BaseCmpResponder.PVNO_CMP2000;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.INVALID_EXTENSION.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.BAD_REQUEST.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.CERT_UNREVOKED.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.UNKNOWN_CERT.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.UNKNOWN_CERT_PROFILE.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.BAD_POP.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.CERT_REVOKED.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.NOT_PERMITTED.ordinal()] = 10;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.UNAUTHORIZED.ordinal()] = 11;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.SYSTEM_UNAVAILABLE.ordinal()] = 12;
            } catch (NoSuchFieldError e12) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.CRL_FAILURE.ordinal()] = 13;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.DATABASE_FAILURE.ordinal()] = 14;
            } catch (NoSuchFieldError e14) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.SYSTEM_FAILURE.ordinal()] = 15;
            } catch (NoSuchFieldError e15) {
            }
            try {
                $SwitchMap$org$xipki$pki$ErrorCode[ErrorCode.PATH_NOT_FOUND.ordinal()] = 16;
            } catch (NoSuchFieldError e16) {
            }
            // ProtectionResult -> case label (used by the switch in processPkiMessage).
            $SwitchMap$org$xipki$cmp$ProtectionResult = new int[ProtectionResult.values().length];
            try {
                $SwitchMap$org$xipki$cmp$ProtectionResult[ProtectionResult.SIGNATURE_VALID.ordinal()] = 1;
            } catch (NoSuchFieldError e17) {
            }
            try {
                $SwitchMap$org$xipki$cmp$ProtectionResult[ProtectionResult.MAC_VALID.ordinal()] = BaseCmpResponder.PVNO_CMP2000;
            } catch (NoSuchFieldError e18) {
            }
            try {
                $SwitchMap$org$xipki$cmp$ProtectionResult[ProtectionResult.SIGNATURE_INVALID.ordinal()] = 3;
            } catch (NoSuchFieldError e19) {
            }
            try {
                $SwitchMap$org$xipki$cmp$ProtectionResult[ProtectionResult.MAC_INVALID.ordinal()] = 4;
            } catch (NoSuchFieldError e20) {
            }
            try {
                $SwitchMap$org$xipki$cmp$ProtectionResult[ProtectionResult.SENDER_NOT_AUTHORIZED.ordinal()] = 5;
            } catch (NoSuchFieldError e21) {
            }
            try {
                $SwitchMap$org$xipki$cmp$ProtectionResult[ProtectionResult.SIGNATURE_ALGO_FORBIDDEN.ordinal()] = 6;
            } catch (NoSuchFieldError e22) {
            }
            try {
                $SwitchMap$org$xipki$cmp$ProtectionResult[ProtectionResult.MAC_ALGO_FORBIDDEN.ordinal()] = 7;
            } catch (NoSuchFieldError e23) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates a responder bound to one gateway configuration.
     *
     * @param cmpControl CMP policy (algorithm validators, message-time bias, response PBM parameters)
     * @param sdkClient client handed to subclasses for talking to the CA
     * @param securityFactory supplies content verifier providers for signature verification
     * @param caNameSigners response signers, looked up by CA name
     * @param requestorAuthenticator resolves requestors by certificate or by senderKID
     * @param popControl proof-of-possession policy
     * @throws NoSuchAlgorithmException if the AES {@link KeyGenerator} field initializer fails
     */
    public BaseCmpResponder(CmpControl cmpControl, SdkClient sdkClient, SecurityFactory securityFactory, CaNameSigners caNameSigners, RequestorAuthenticator requestorAuthenticator, PopControl popControl) throws NoSuchAlgorithmException {
        this.cmpControl = cmpControl;
        this.sdk = sdkClient;
        this.securityFactory = securityFactory;
        this.signers = caNameSigners;
        this.authenticator = requestorAuthenticator;
        this.popControl = popControl;
    }

    /**
     * Handles an enrollment request body (ir, cr, kur, p10cr or ccr) and returns the response body.
     *
     * @param str CA name
     * @param str2 certificate profile taken from the {@code certprofile} HTTP header, or null
     * @param z whether the {@code groupenroll} HTTP header was set to true
     * @param pKIMessage the raw request
     * @param pKIHeaderBuilder builder of the response header (transactionID/recipNonce already set)
     * @param pKIHeader request header
     * @param pKIBody request body
     * @param requestor authenticated requestor (may be null for an unauthenticated request)
     * @param aSN1OctetString transaction id
     * @param auditEvent audit event to enrich
     * @return response body; a {@code TYPE_ERROR} body marks the audit event as failed
     * @throws InsufficientPermissionException mapped by the caller to {@code notAuthorized}
     * @throws SdkErrorResponseException mapped by the caller to an error body
     */
    protected abstract PKIBody cmpEnrollCert(String str, String str2, boolean z, PKIMessage pKIMessage, PKIHeaderBuilder pKIHeaderBuilder, PKIHeader pKIHeader, PKIBody pKIBody, Requestor requestor, ASN1OctetString aSN1OctetString, AuditEvent auditEvent) throws InsufficientPermissionException, SdkErrorResponseException;

    /**
     * Handles a revocation request body (rr) and returns the response body. The audit event
     * type for this request kind is not set by the dispatcher, so the implementation is
     * expected to do it (presumably {@code TYPE_rr_revoke} / {@code TYPE_rr_unrevoke}).
     *
     * @param str CA name
     * @param pKIMessage the raw request
     * @param pKIHeaderBuilder builder of the response header
     * @param pKIHeader request header
     * @param pKIBody request body
     * @param requestor authenticated requestor (may be null)
     * @param auditEvent audit event to enrich
     * @return response body
     * @throws SdkErrorResponseException mapped by the caller to an error body
     */
    protected abstract PKIBody cmpUnRevokeCertificates(String str, PKIMessage pKIMessage, PKIHeaderBuilder pKIHeaderBuilder, PKIHeader pKIHeader, PKIBody pKIBody, Requestor requestor, AuditEvent auditEvent) throws SdkErrorResponseException;

    /**
     * Handles a certificate confirmation body (certConf) for the given transaction.
     *
     * @param str CA name
     * @param aSN1OctetString transaction id the confirmation belongs to
     * @param certConfirmContent the confirmation content
     * @return response body
     * @throws SdkErrorResponseException mapped by the caller to an error body
     */
    protected abstract PKIBody confirmCertificates(String str, ASN1OctetString aSN1OctetString, CertConfirmContent certConfirmContent) throws SdkErrorResponseException;

    /**
     * Invoked when the client sends an error body: certificates still pending for the
     * transaction are to be revoked.
     *
     * @param str CA name
     * @param aSN1OctetString transaction id
     * @return response body
     * @throws SdkErrorResponseException mapped by the caller to an error body
     */
    protected abstract PKIBody revokePendingCertificates(String str, ASN1OctetString aSN1OctetString) throws SdkErrorResponseException;

    /**
     * Selects the requestor certificate from the request's extraCerts and resolves it to a
     * configured requestor.
     *
     * <p>The first certificate whose subject equals {@code sender} (when given) and whose
     * SubjectKeyIdentifier equals {@code senderKid} (when given) decides: the authenticator's
     * answer for it is returned, even if it is null. extraCerts are client-supplied, so the
     * certificate only selects the requestor; trust comes from the authenticator's lookup.
     *
     * @param sender expected certificate subject, or null to accept any subject
     * @param senderKid expected SubjectKeyIdentifier, or null to accept any
     * @param extraCerts the request's extraCerts, may be null
     * @return the requestor, or null if no certificate matched or the match is not a known requestor
     */
    private Requestor.CertRequestor getCertRequestor(X500Name sender, byte[] senderKid, CMPCertificate[] extraCerts) {
        if (extraCerts == null) {
            return null;
        }
        for (CMPCertificate candidate : extraCerts) {
            Certificate x509 = candidate.getX509v3PKCert();
            if (x509 == null) {
                continue;
            }
            if (sender != null && !sender.equals(x509.getSubject())) {
                continue;
            }
            X509Cert cert = new X509Cert(x509);
            if (senderKid != null && !Arrays.equals(cert.getSubjectKeyId(), senderKid)) {
                continue;
            }
            return getCertRequestor(cert);
        }
        return null;
    }

    /**
     * Resolves a password-based requestor by the request's senderKID.
     *
     * @param senderKid senderKID octets, may be null
     * @return the configured requestor, or null when unknown
     */
    private Requestor.SimplePasswordRequestor getPasswordRequestor(byte[] senderKid) {
        Requestor.SimplePasswordRequestor found = this.authenticator.getSimplePasswordRequestorByKeyId(senderKid);
        return found;
    }

    /**
     * Resolves a certificate-based requestor through the authenticator.
     *
     * @param cert the candidate requestor certificate
     * @return the configured requestor, or null when the certificate is not a known requestor
     */
    private Requestor.CertRequestor getCertRequestor(X509Cert cert) {
        Requestor.CertRequestor found = this.authenticator.getCertRequestor(cert);
        return found;
    }

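    /**
     * Extracts the X.500 name from a GeneralName, or returns null when it is not a directoryName.
     *
     * <p>Sender and recipient are only matched against certificate subjects when they are
     * directoryNames; callers treat null as "no usable name".
     *
     * @param generalName the name to inspect
     * @return the directory name, or null for any other GeneralName choice
     */
    protected static X500Name getX500Name(GeneralName generalName) {
        if (generalName.getTagNo() != GeneralName.directoryName) {
            return null;
        }
        // getName() is typed ASN1Encodable; for directoryName it holds the X500Name.
        return X500Name.getInstance(generalName.getName());
    }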

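    /**
     * Dispatches an already authenticated request to the handler for its body type and wraps
     * the result in a response whose header mirrors the request (sender/recipient swapped,
     * transactionID set, senderNonce echoed as recipNonce).
     *
     * <p>Handler failures become an error body: a permission failure maps to
     * {@code notAuthorized}, an SDK error is mapped through {@code buildPKIStatusInfo}. The
     * audit event status is derived here from the final body.
     *
     * @param caName CA name, passed through to the handlers
     * @param pkiMessage the raw request
     * @param requestor the authenticated requestor; may be null (e.g. an unprotected genm)
     * @param tid transaction identifier for the response header
     * @param request parsed view of {@code pkiMessage}
     * @param httpHeaders request HTTP headers ({@code certprofile}, {@code groupenroll}); may be null
     * @param event audit event to enrich
     * @return the unprotected response; the caller adds protection
     */
    private PKIMessage processPkiMessage0(String caName, PKIMessage pkiMessage, Requestor requestor,
            ASN1OctetString tid, GeneralPKIMessage request, Map<String, String> httpHeaders, AuditEvent event) {
        event.addEventData("requestor", requestor == null ? "null" : requestor.getName());
        PKIHeader reqHeader = request.getHeader();
        PKIHeaderBuilder respHeader = new PKIHeaderBuilder(reqHeader.getPvno().getValue().intValue(),
                reqHeader.getRecipient(), reqHeader.getSender());
        respHeader.setTransactionID(tid);
        ASN1OctetString senderNonce = reqHeader.getSenderNonce();
        if (senderNonce != null) {
            respHeader.setRecipNonce(senderNonce);
        }

        PKIBody reqBody = request.getBody();
        int type = reqBody.getType();
        PKIBody respBody;
        try {
            switch (type) {
                case PKIBody.TYPE_INIT_REQ:
                case PKIBody.TYPE_CERT_REQ:
                case PKIBody.TYPE_KEY_UPDATE_REQ:
                case PKIBody.TYPE_P10_CERT_REQ:
                case PKIBody.TYPE_CROSS_CERT_REQ: {
                    event.addEventType(enrollEventType(type));
                    String certprofile = null;
                    boolean groupEnroll = false;
                    if (httpHeaders != null) {
                        certprofile = httpHeaders.get(HTTP_HEADER_certprofile);
                        String groupEnrollStr = httpHeaders.get(HTTP_HEADER_groupenroll);
                        groupEnroll = !StringUtil.isBlank(groupEnrollStr) && Boolean.parseBoolean(groupEnrollStr);
                    }
                    respBody = cmpEnrollCert(caName, certprofile, groupEnroll, pkiMessage, respHeader, reqHeader,
                            reqBody, requestor, tid, event);
                    break;
                }
                case PKIBody.TYPE_CERT_CONFIRM:
                    event.addEventType(TYPE_certConf);
                    respBody = confirmCertificates(caName, tid, CertConfirmContent.getInstance(reqBody.getContent()));
                    break;
                case PKIBody.TYPE_REVOCATION_REQ:
                    // No event type here; presumably the handler sets TYPE_rr_revoke / TYPE_rr_unrevoke.
                    respBody = cmpUnRevokeCertificates(caName, pkiMessage, respHeader, reqHeader, reqBody, requestor, event);
                    break;
                case PKIBody.TYPE_CONFIRM:
                    event.addEventType(TYPE_pkiconf);
                    respBody = new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
                    break;
                case PKIBody.TYPE_GEN_MSG:
                    respBody = cmpGeneralMsg(caName, reqBody, event);
                    break;
                case PKIBody.TYPE_ERROR:
                    // An error sent by the client aborts the transaction's pending enrollments.
                    event.addEventType(TYPE_error);
                    respBody = revokePendingCertificates(caName, tid);
                    break;
                default:
                    event.addEventType("PKIBody." + type);
                    respBody = buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "unsupported type " + type);
            }
        } catch (InsufficientPermissionException ex) {
            respBody = new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection,
                    new PKIFreeText(ex.getMessage()), new PKIFailureInfo(PKIFailureInfo.notAuthorized))));
        } catch (SdkErrorResponseException ex) {
            LogUtil.error(LOG, ex);
            ErrorResponse errorResponse = ex.getErrorResponse();
            respBody = new PKIBody(PKIBody.TYPE_ERROR,
                    new ErrorMsgContent(buildPKIStatusInfo(errorResponse.getCode(), errorResponse.getMessage())));
        }

        if (respBody.getType() == PKIBody.TYPE_ERROR) {
            PkiStatusInfo status = new PkiStatusInfo(ErrorMsgContent.getInstance(respBody.getContent()).getPKIStatusInfo());
            event.setStatus(AuditStatus.FAILED);
            String statusMessage = status.statusMessage();
            if (statusMessage != null) {
                event.addEventData("message", statusMessage);
            }
        } else if (event.getStatus() == null) {
            event.setStatus(AuditStatus.SUCCESSFUL);
        }
        return new PKIMessage(respHeader.build(), respBody);
    }

    /**
     * Audit event type for an enrollment request body type.
     *
     * @param bodyType one of the enrollment PKIBody types; anything else is reported as ccr
     * @return the {@code TYPE_*} audit event name
     */
    private static String enrollEventType(int bodyType) {
        switch (bodyType) {
            case PKIBody.TYPE_INIT_REQ:
                return TYPE_ir;
            case PKIBody.TYPE_CERT_REQ:
                return TYPE_cr;
            case PKIBody.TYPE_KEY_UPDATE_REQ:
                return TYPE_kur;
            case PKIBody.TYPE_P10_CERT_REQ:
                return TYPE_p10cr;
            default:
                return TYPE_ccr;
        }
    }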

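    /**
     * Entry point for one CMP request: validates the header (version, recipient, messageTime),
     * authenticates the requestor, dispatches through {@link #processPkiMessage0} and protects
     * the response the same way the request was protected.
     *
     * <p>Authentication: a protected request is verified by {@link #verifyProtection}. An
     * unprotected request over mTLS is attributed to the TLS client certificate, provided the
     * CMP sender is a directoryName; the sender name itself is not compared with the TLS
     * certificate, authorization rests on the authenticator knowing that certificate. An
     * unprotected request without a TLS client certificate is accepted only if it is a general
     * message (genm), with no requestor; everything else is rejected with badMessageCheck.
     *
     * @param caName CA name, used to look up the response signer
     * @param pkiMessage the request, not null
     * @param tlsClientCert TLS client certificate, or null without mutual TLS
     * @param httpHeaders HTTP headers forwarded to the enrollment handler; may be null
     * @param event audit event, not null
     * @return the response (protected iff the request was protected)
     */
    public PKIMessage processPkiMessage(String caName, PKIMessage pkiMessage, X509Cert tlsClientCert,
            Map<String, String> httpHeaders, AuditEvent event) {
        Args.notNull(event, "event");
        GeneralPKIMessage request = new GeneralPKIMessage((PKIMessage) Args.notNull(pkiMessage, "pkiMessage"));
        PKIHeader reqHeader = request.getHeader();

        // transactionID is optional in the request; generate one so the response can carry it.
        DEROctetString tid = reqHeader.getTransactionID();
        if (tid == null) {
            tid = new DEROctetString(randomTransactionId());
        }
        String tidStr = Base64.encodeToString(tid.getOctets());
        event.addEventData("tid", tidStr);

        GeneralName recipient = reqHeader.getRecipient();
        int pvno = reqHeader.getPvno().getValue().intValue();
        if (pvno < PVNO_CMP2000) {
            event.update(AuditLevel.INFO, AuditStatus.FAILED);
            event.addEventData("message", "unsupported version " + pvno);
            return buildErrorPkiMessage(tid, reqHeader, PKIFailureInfo.unsupportedVersion, null, recipient);
        }

        Instant messageTime = null;
        if (reqHeader.getMessageTime() != null) {
            try {
                messageTime = reqHeader.getMessageTime().getDate().toInstant();
            } catch (ParseException ex) {
                // An unparseable messageTime is treated like an absent one below.
                LogUtil.error(LOG, ex, "tid=" + tidStr + ": could not parse messageTime");
            }
        }

        ConcurrentContentSigner signer = this.signers.getSigner(caName);

        Integer failureInfo = null;
        String failureText = null;
        // An explicit, non-empty recipient name must match this CA's certificate subject.
        X500Name recipientName = getX500Name(recipient);
        if (recipientName != null) {
            RDN[] rdns = recipientName.getRDNs();
            if (rdns != null && rdns.length > 0 && !signer.getCertificate().getSubject().equals(recipientName)) {
                LOG.warn("tid={}: I am not the intended recipient, but '{}'", tidStr, recipient);
                failureInfo = PKIFailureInfo.badRequest;
                failureText = "I am not the intended recipient";
            }
        }

        // messageTime must lie within +/- messageTimeBias of now (replay / clock-skew bound).
        if (messageTime != null) {
            long biasSeconds = this.cmpControl.getMessageTimeBias().getSeconds();
            long skewSeconds = messageTime.getEpochSecond() - Instant.now().getEpochSecond();
            if (skewSeconds > biasSeconds) {
                failureInfo = PKIFailureInfo.badTime;
                failureText = "message time is in the future";
            } else if (-skewSeconds > biasSeconds) {
                failureInfo = PKIFailureInfo.badTime;
                failureText = "message too old";
            }
        } else if (this.cmpControl.isMessageTimeRequired()) {
            failureInfo = PKIFailureInfo.missingTimeStamp;
            failureText = "missing time-stamp";
        }

        if (failureInfo != null) {
            event.update(AuditLevel.INFO, AuditStatus.FAILED);
            event.addEventData("message", failureText);
            return buildErrorPkiMessage(tid, reqHeader, failureInfo.intValue(), failureText, recipient);
        }

        Requestor requestor = null;
        String rejectText = null;
        boolean hasProtection = request.hasProtection();
        if (hasProtection) {
            try {
                ProtectionVerificationResult verification = verifyProtection(tidStr, request);
                ProtectionResult result = verification.getProtectionResult();
                rejectText = protectionRejectText(result);
                requestor = (Requestor) verification.getRequestor();
            } catch (Exception ex) {
                LogUtil.error(LOG, ex, "tid=" + tidStr + ": could not verify the signature");
                rejectText = "request has invalid signature based protection";
                requestor = null;
            }
        } else if (tlsClientCert != null) {
            if (getX500Name(reqHeader.getSender()) != null) {
                requestor = getCertRequestor(tlsClientCert);
            }
            if (requestor == null) {
                LOG.warn("tid={}: not authorized requestor (TLS client '{}')", tidStr, tlsClientCert.getSubjectText());
                rejectText = "requestor (TLS client certificate) is not authorized";
            }
        } else if (request.getBody().getType() != PKIBody.TYPE_GEN_MSG) {
            LOG.warn("tid={}: message is not protected", tidStr);
            rejectText = "message is not protected";
        }

        if (rejectText != null) {
            event.update(AuditLevel.INFO, AuditStatus.FAILED);
            event.addEventData("message", rejectText);
            return buildErrorPkiMessage(tid, reqHeader, PKIFailureInfo.badMessageCheck, rejectText, recipient);
        }

        PKIMessage response = processPkiMessage0(caName, pkiMessage, requestor, tid, request, httpHeaders, event);
        // Only a protected request gets a protected response; the kind follows the requestor type.
        return hasProtection ? addProtection(signer, response, event, requestor) : response;
    }

    /**
     * Maps a protection verification outcome to the rejection text, or null when the protection
     * is valid and the requestor authorized.
     *
     * @param result the verification outcome
     * @return the text for the error response, or null if accepted
     * @throws IllegalStateException for an unknown result; the caller treats it as a verification failure
     */
    private static String protectionRejectText(ProtectionResult result) {
        switch (result) {
            case SIGNATURE_VALID:
            case MAC_VALID:
                return null;
            case SIGNATURE_INVALID:
                return "request is protected by signature but invalid";
            case MAC_INVALID:
                return "request is protected by MAC but invalid";
            case SENDER_NOT_AUTHORIZED:
                return "request is protected but the requestor is not authorized";
            case SIGNATURE_ALGO_FORBIDDEN:
                return "request is protected by signature but the algorithm is forbidden";
            case MAC_ALGO_FORBIDDEN:
                return "request is protected by MAC but the algorithm is forbidden";
            default:
                throw new IllegalStateException("should not reach here, unknown ProtectionResult " + result);
        }
    }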

    /**
     * Generates a transaction identifier for a request that omitted one.
     *
     * @return 10 random bytes from the responder's {@link SecureRandom}
     */
    private byte[] randomTransactionId() {
        final int tidLength = 10;
        return randomBytes(tidLength);
    }

    /**
     * Generates a fresh salt for password-based MAC protection of a response.
     *
     * @return 64 random bytes from the responder's {@link SecureRandom}
     */
    private byte[] randomSalt() {
        final int saltLength = 64;
        return randomBytes(saltLength);
    }

    /**
     * Fills a new array with bytes from the responder's {@link SecureRandom}.
     *
     * @param length number of bytes
     * @return a new array of {@code length} random bytes
     */
    private byte[] randomBytes(int length) {
        byte[] out = new byte[length];
        random.nextBytes(out);
        return out;
    }

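    /**
     * Verifies the protection of a request and resolves the requestor it authenticates.
     *
     * <p>Signature protection: the algorithm must pass {@code cmpControl.getSigAlgoValidator()},
     * the sender must be a directoryName whose certificate (optionally selected by senderKID)
     * is found in extraCerts and known to the authenticator, and the signature must verify with
     * that certificate. Password-based MAC: owf and mac must be permitted by {@code cmpControl},
     * the iteration count must be at least 1000, and senderKID must map to a configured
     * password requestor whose password verifies the MAC.
     *
     * <p>Policy violations never throw; they are returned as
     * {@link ProtectionResult#SIGNATURE_ALGO_FORBIDDEN}, {@link ProtectionResult#MAC_ALGO_FORBIDDEN}
     * or {@link ProtectionResult#SENDER_NOT_AUTHORIZED}. PBMParameter is parsed from the
     * untrusted request, so a malformed value may throw; the caller treats any exception as a
     * failed verification.
     *
     * <p>NOTE(review): only a lower bound is enforced on the PBM iteration count; a very large
     * count costs CPU per request unless bounded elsewhere (e.g. in CmpControl) - confirm.
     *
     * @param tid transaction id (Base64) for log messages
     * @param request the protected request
     * @return the outcome together with the requestor (null when not authenticated)
     * @throws CMPException if the message cannot be verified
     * @throws InvalidKeyException if the verification key is unusable
     */
    private ProtectionVerificationResult verifyProtection(String tid, GeneralPKIMessage request)
            throws CMPException, InvalidKeyException {
        ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(request);
        PKIHeader header = protectedMsg.getHeader();
        byte[] senderKid = header.getSenderKID() == null ? null : header.getSenderKID().getOctets();
        AlgorithmIdentifier protectionAlg = header.getProtectionAlg();

        if (!protectedMsg.hasPasswordBasedMacProtection()) {
            if (!this.cmpControl.getSigAlgoValidator().isAlgorithmPermitted(protectionAlg)) {
                LOG.warn("SIG_ALGO_FORBIDDEN: {}", protectionAlg.getAlgorithm().getId());
                return new ProtectionVerificationResult((Object) null, ProtectionResult.SIGNATURE_ALGO_FORBIDDEN);
            }
            X500Name sender = getX500Name(header.getSender());
            Requestor.CertRequestor requestor = sender == null ? null
                    : getCertRequestor(sender, senderKid, request.toASN1Structure().getExtraCerts());
            if (requestor == null) {
                LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender());
                return new ProtectionVerificationResult((Object) null, ProtectionResult.SENDER_NOT_AUTHORIZED);
            }
            ContentVerifierProvider verifierProvider = this.securityFactory.getContentVerifierProvider(requestor.getCert());
            if (verifierProvider == null) {
                LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender());
                return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED);
            }
            boolean signatureValid = protectedMsg.verify(verifierProvider);
            return new ProtectionVerificationResult(requestor,
                    signatureValid ? ProtectionResult.SIGNATURE_VALID : ProtectionResult.SIGNATURE_INVALID);
        }

        // Password-based MAC; all parameters below come from the client's request.
        PBMParameter pbmParams = PBMParameter.getInstance(protectionAlg.getParameters());
        try {
            HashAlgo owf = HashAlgo.getInstance(pbmParams.getOwf());
            if (!this.cmpControl.isRequestPbmOwfPermitted(owf)) {
                LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owf.getJceName());
                return new ProtectionVerificationResult((Object) null, ProtectionResult.MAC_ALGO_FORBIDDEN);
            }
            SignAlgo mac = SignAlgo.getInstance(pbmParams.getMac());
            if (!this.cmpControl.isRequestPbmMacPermitted(mac)) {
                LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", mac.getJceName());
                return new ProtectionVerificationResult((Object) null, ProtectionResult.MAC_ALGO_FORBIDDEN);
            }
            // A low iteration count weakens the password-derived key.
            int iterationCount = pbmParams.getIterationCount().getValue().intValue();
            if (iterationCount < 1000) {
                LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.iterationCount: {} < 1000)", Integer.valueOf(iterationCount));
                return new ProtectionVerificationResult((Object) null, ProtectionResult.MAC_ALGO_FORBIDDEN);
            }
            Requestor.SimplePasswordRequestor requestor = getPasswordRequestor(senderKid);
            if (requestor == null) {
                LOG.warn("tid={}: not authorized requestor with senderKID '{}'", tid,
                        senderKid == null ? "null" : Hex.toHexString(senderKid));
                return new ProtectionVerificationResult((Object) null, ProtectionResult.SENDER_NOT_AUTHORIZED);
            }
            boolean macValid = protectedMsg.verify(new PKMACBuilder(new JcePKMACValuesCalculator()), requestor.getPassword());
            return new ProtectionVerificationResult(requestor,
                    macValid ? ProtectionResult.MAC_VALID : ProtectionResult.MAC_INVALID);
        } catch (NoSuchAlgorithmException ex) {
            // Unknown owf or mac OID: report as forbidden rather than failing the request hard.
            LogUtil.warn(LOG, ex);
            return new ProtectionVerificationResult((Object) null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
    }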

    /**
     * Protects a response in the same manner the request was protected: a signature by the CA
     * signer for a certificate-based requestor, otherwise a password-based MAC with a fresh
     * salt and the response PBM parameters from {@code cmpControl}.
     *
     * <p>If protection cannot be added, an unprotected error message (systemFailure) is
     * returned in its place and the audit event is marked failed.
     *
     * @param signer the CA's response signer
     * @param message the response to protect
     * @param event audit event to update on failure
     * @param requestor the authenticated requestor; anything other than a CertRequestor is
     *        treated as a SimplePasswordRequestor
     * @return the protected message, or an error message if protection failed
     */
    private PKIMessage addProtection(ConcurrentContentSigner signer, PKIMessage message, AuditEvent event, Requestor requestor) {
        GeneralName sender = message.getHeader().getSender();
        try {
            if (requestor instanceof Requestor.CertRequestor) {
                return CmpUtil.addProtection(message, signer, sender, this.cmpControl.isSendResponderCert());
            }
            Requestor.SimplePasswordRequestor pwdRequestor = (Requestor.SimplePasswordRequestor) requestor;
            PBMParameter pbmParams = new PBMParameter(randomSalt(),
                    this.cmpControl.getResponsePbmOwf().getAlgorithmIdentifier(),
                    this.cmpControl.getResponsePbmIterationCount(),
                    this.cmpControl.getResponsePbmMac().getAlgorithmIdentifier());
            return CmpUtil.addProtection(message, pwdRequestor.getPassword(), pbmParams, sender, pwdRequestor.getKeyId());
        } catch (Exception ex) {
            LogUtil.error(LOG, ex, "could not add protection to the PKI message");
            String text = "could not sign the PKIMessage";
            PKIStatusInfo rejection = generateRejectionStatus(1073741824, text);
            event.update(AuditLevel.ERROR, AuditStatus.FAILED);
            event.addEventData("message", text);
            return new PKIMessage(message.getHeader(), new PKIBody(23, new ErrorMsgContent(rejection)));
        }
    }

    /**
     * Builds an unprotected error response for a request rejected before dispatch.
     *
     * <p>The header mirrors the request (sender becomes recipient), carries the current
     * time as messageTime and echoes the request's senderNonce as recipNonce.
     *
     * @param tid transaction id to set, or null to omit
     * @param reqHeader header of the rejected request
     * @param failureInfo PKIFailureInfo bits
     * @param text human-readable status text, or null
     * @param responder the name to use as the response sender
     * @return the error message
     */
    private PKIMessage buildErrorPkiMessage(ASN1OctetString tid, PKIHeader reqHeader, int failureInfo, String text, GeneralName responder) {
        int pvno = reqHeader.getPvno().getValue().intValue();
        PKIHeaderBuilder respHeader = new PKIHeaderBuilder(pvno, responder, reqHeader.getSender());
        respHeader.setMessageTime(new ASN1GeneralizedTime(Date.from(Instant.now())));
        if (tid != null) {
            respHeader.setTransactionID(tid);
        }
        ASN1OctetString reqSenderNonce = reqHeader.getSenderNonce();
        if (reqSenderNonce != null) {
            respHeader.setRecipNonce(reqSenderNonce);
        }
        PKIStatusInfo status = generateRejectionStatus(Integer.valueOf(failureInfo), text);
        PKIBody errorBody = new PKIBody(23, new ErrorMsgContent(status));
        return new PKIMessage(respHeader.build(), errorBody);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a {@code rejection} status.
     *
     * @param failureInfo PKIFailureInfo bits, or null to omit
     * @param text status text, or null to omit
     * @return the status info
     */
    public static PKIStatusInfo generateRejectionStatus(Integer failureInfo, String text) {
        PKIStatus status = PKIStatus.rejection;
        return generateRejectionStatus(status, failureInfo, text);
    }

    /**
     * Builds a status info with optional free text and optional failure info.
     *
     * @param status the PKI status
     * @param failureInfo PKIFailureInfo bits, or null to omit
     * @param text status text, or null to omit
     * @return the status info
     */
    protected static PKIStatusInfo generateRejectionStatus(PKIStatus status, Integer failureInfo, String text) {
        PKIFreeText freeText = null;
        if (text != null) {
            freeText = new PKIFreeText(text);
        }
        PKIFailureInfo failure = null;
        if (failureInfo != null) {
            failure = new PKIFailureInfo(failureInfo.intValue());
        }
        return new PKIStatusInfo(status, freeText, failure);
    }

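    /**
     * Maps a CA operation error to PKIFailureInfo bits.
     *
     * @param operationException the failed operation
     * @return the mapped bits from {@code errorCodeToPkiFailureMap}, or {@code systemFailure}
     *         for an unmapped error code
     */
    protected static int getPKiFailureInfo(OperationException operationException) {
        // Unmapped codes are reported as systemFailure so no error is silently classified as benign.
        return errorCodeToPkiFailureMap.getOrDefault(operationException.getErrorCode(), PKIFailureInfo.systemFailure);
    }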

    /* JADX INFO: Access modifiers changed from: protected */
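    /**
     * Ensures the requestor holds the given permission.
     *
     * @param requestor the authenticated requestor; null (no authenticated requestor) is
     *        treated as holding no permissions
     * @param permission the required permission
     * @throws InsufficientPermissionException if the permission is missing; the dispatcher
     *         maps it to a {@code notAuthorized} error response
     */
    public void checkPermission(Requestor requestor, Requestor.Permission permission) throws InsufficientPermissionException {
        if (requestor == null || !requestor.isPermitted(permission)) {
            throw new InsufficientPermissionException(permission + " is not permitted");
        }
    }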

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds an {@code error} PKIBody (type 23) with the given status, failure info and optional text.
     *
     * @param pKIStatus the status value
     * @param i         PKIFailureInfo bit value (always present)
     * @param str       status text, or {@code null} to omit it
     * @return the error body
     */
    public static PKIBody buildErrorMsgPkiBody(PKIStatus pKIStatus, int i, String str) {
        // generateRejectionStatus wraps a non-null Integer in a PKIFailureInfo exactly as done here.
        final PKIStatusInfo statusInfo = generateRejectionStatus(pKIStatus, Integer.valueOf(i), str);
        return new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(statusInfo));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a {@link CertRepMessage} holding a single rejected {@link CertResponse} and no caPubs.
     *
     * @param aSN1Integer the certReqId the rejection refers to
     * @param i           PKIFailureInfo bit value
     * @param str         status text, or {@code null}
     * @return the single-entry rejection message
     */
    public static CertRepMessage buildErrCertResp(ASN1Integer aSN1Integer, int i, String str) {
        final PKIStatusInfo rejection = generateRejectionStatus(Integer.valueOf(i), str);
        final CertResponse[] responses = {new CertResponse(aSN1Integer, rejection)};
        return new CertRepMessage((CMPCertificate[]) null, responses);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Stores a rejected {@link CertResponse} in {@code map} under the request index {@code i}.
     *
     * @param map         index → response map being filled (mutated)
     * @param i           position of the request in the batch (map key)
     * @param aSN1Integer the certReqId the rejection refers to
     * @param i2          PKIFailureInfo bit value
     * @param str         status text, or {@code null}
     */
    public static void addErrCertResp(Map<Integer, CertResponse> map, int i, ASN1Integer aSN1Integer, int i2, String str) {
        final PKIStatusInfo rejection = generateRejectionStatus(Integer.valueOf(i2), str);
        map.put(Integer.valueOf(i), new CertResponse(aSN1Integer, rejection));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Verifies the proof-of-possession (POP) carried in a certificate request.
     * <p>
     * Only the signing-key POP (type 1) is accepted. Type 0 (raVerified) is refused because this
     * responder does not take an RA's assertion as proof; every other type is unsupported. The POP
     * signature algorithm must be accepted by the configured POP algorithm validator. For the static
     * DH variants (X25519/X448) the responder's DH key/cert pair referenced by the request is looked
     * up and handed to the verifier; if none is found the POP fails.
     *
     * @param certificateRequestMessage the CRMF request whose POP is checked
     * @param subjectPublicKeyInfo      the public key possession of which is to be proven
     * @return {@code true} only if the POP is present, supported, uses a permitted algorithm and
     *         verifies; {@code false} in every other case (failures are logged, never thrown)
     */
    public boolean verifyPop(CertificateRequestMessage certificateRequestMessage, SubjectPublicKeyInfo subjectPublicKeyInfo) {
        final int popType = certificateRequestMessage.getProofOfPossessionType();
        if (popType == 0) {
            // raVerified: no cryptographic proof is present, so it is never accepted here.
            return false;
        }
        if (popType != 1) {
            LOG.error("unsupported POP type: " + popType);
            return false;
        }
        final POPOSigningKey signingKeyPop =
                POPOSigningKey.getInstance(certificateRequestMessage.toASN1Structure().getPop().getObject());
        try {
            final SignAlgo popAlgo = SignAlgo.getInstance(signingKeyPop.getAlgorithmIdentifier());
            if (!this.popControl.getPopAlgoValidator().isAlgorithmPermitted(popAlgo)) {
                LOG.error("POP signature algorithm {} not permitted", popAlgo.getJceName());
                return false;
            }
            try {
                final PublicKey requestedKey = this.securityFactory.generatePublicKey(subjectPublicKeyInfo);
                DHSigStaticKeyCertPair dhKeyCertPair = null;
                final boolean staticDhPop = SignAlgo.DHPOP_X25519 == popAlgo || SignAlgo.DHPOP_X448 == popAlgo;
                if (staticDhPop) {
                    // The DhSigStatic structure names the responder certificate whose DH key must be used.
                    final IssuerAndSerialNumber issuerAndSerial =
                            DhSigStatic.getInstance(signingKeyPop.getSignature().getBytes()).getIssuerAndSerial();
                    dhKeyCertPair = this.popControl.getDhKeyCertPair(
                            issuerAndSerial.getName(),
                            issuerAndSerial.getSerialNumber().getValue(),
                            EdECConstants.getName(subjectPublicKeyInfo.getAlgorithm().getAlgorithm()));
                    if (dhKeyCertPair == null) {
                        return false;
                    }
                }
                final ContentVerifierProvider verifier =
                        this.securityFactory.getContentVerifierProvider(requestedKey, dhKeyCertPair);
                return certificateRequestMessage.isValidSigningKeyPOP(verifier);
            } catch (IllegalStateException | InvalidKeyException ex) {
                LogUtil.error(LOG, ex);
                return false;
            } catch (CRMFException ex) {
                LogUtil.error(LOG, ex);
                return false;
            }
        } catch (NoSuchAlgorithmException ex) {
            LogUtil.error(LOG, ex, "Cannot parse POP signature algorithm");
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Finally extract failed */
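    /**
     * Builds the {@link CertResponse} for an issued certificate and, when the CA generated the key
     * pair, attaches the private key as an {@link EncryptedValue}.
     * <p>
     * With {@code bArr2 == null} only the certificate is returned. Otherwise the PKCS#8 blob is
     * encrypted with AES-128-GCM under a fresh key and a fresh 12-byte nonce, and that key is
     * protected according to the requestor type:
     * <ul>
     *   <li>{@code CertRequestor}: the AES key is wrapped with the requestor's public key
     *       (RSA-OAEP for RSA keys, ECIES for EC keys); any other key type is rejected;</li>
     *   <li>{@code SimplePasswordRequestor}: the AES key is derived from the shared password with
     *       PBKDF2-HMAC-SHA256 and a fresh 16-byte salt (PBES2 parameters in the response).</li>
     * </ul>
     * Any failure while encrypting is logged and turned into a {@code rejection} response, so a bad
     * requestor key or provider problem never escapes as an exception.
     * <p>
     * Changes against the previous version: pooled Cipher/SecretKeyFactory entries are returned in
     * {@code finally} blocks (no double requite on a late failure), an interrupted pool borrow
     * re-asserts the thread's interrupt flag instead of swallowing it, and the one-time AES key
     * bytes are scrubbed after use.
     *
     * @param aSN1Integer the certReqId echoed into the response
     * @param requestor   the authenticated requestor; a {@code CertRequestor} or a {@code SimplePasswordRequestor}
     * @param bArr        DER-encoded issued certificate
     * @param bArr2       DER-encoded {@code PrivateKeyInfo} of the CA-generated key, or {@code null}
     * @return a granted response, or a rejection if the private key could not be encrypted
     */
    public CertResponse postProcessCertInfo(ASN1Integer aSN1Integer, Requestor requestor, byte[] bArr, byte[] bArr2) {
        final PKIStatusInfo granted = new PKIStatusInfo(PKIStatus.granted);
        final CertOrEncCert certOrEncCert = new CertOrEncCert(new CMPCertificate(Certificate.getInstance(bArr)));
        if (bArr2 == null) {
            return new CertResponse(aSN1Integer, granted, new CertifiedKeyPair(certOrEncCert), (ASN1OctetString) null);
        }
        final PrivateKeyInfo privateKeyInfo = PrivateKeyInfo.getInstance(bArr2);
        try {
            final EncryptedValue encryptedValue;
            if (requestor instanceof Requestor.CertRequestor) {
                final PublicKey requestorKey = ((Requestor.CertRequestor) requestor).getCert().getPublicKey();
                if (!(requestorKey instanceof RSAPublicKey) && !(requestorKey instanceof ECPublicKey)) {
                    LOG.error("Requestors's private key can not be used for encryption");
                    return new CertResponse(aSN1Integer, new PKIStatusInfo(PKIStatus.rejection,
                            new PKIFreeText("Requestors's private key can not be used for encryption")));
                }
                encryptedValue = encryptPrivateKeyForRequestorKey(privateKeyInfo, requestorKey);
            } else {
                // Any other requestor type is a programming error; the failing cast is reported as a rejection below.
                encryptedValue = encryptPrivateKeyWithPassword(privateKeyInfo, (Requestor.SimplePasswordRequestor) requestor);
            }
            return new CertResponse(aSN1Integer, granted,
                    new CertifiedKeyPair(certOrEncCert, encryptedValue, (PKIPublicationInfo) null), (ASN1OctetString) null);
        } catch (Throwable th) {
            // Deliberately broad: whatever failed, the requestor gets a rejection rather than an unhandled error.
            LogUtil.error(LOG, th, "error while encrypting the private key");
            return new CertResponse(aSN1Integer, new PKIStatusInfo(PKIStatus.rejection,
                    new PKIFreeText("error while encrypting the private key")));
        }
    }

    /** GCM nonce length in bytes. A fresh nonce is drawn per encryption; nonce reuse under one key breaks GCM. */
    private static final int ENC_PRIVKEY_GCM_NONCE_BYTES = 12;
    /** GCM authentication tag length in bits, and its byte form for the ASN.1 GCMParameters. */
    private static final int ENC_PRIVKEY_GCM_TAG_BITS = 128;
    private static final int ENC_PRIVKEY_GCM_TAG_BYTES = ENC_PRIVKEY_GCM_TAG_BITS / 8;
    /** AES-128 key size, in bits (for the key spec) and bytes (for the PBKDF2Params keyLength). */
    private static final int ENC_PRIVKEY_AES_KEY_BITS = 128;
    private static final int ENC_PRIVKEY_AES_KEY_BYTES = ENC_PRIVKEY_AES_KEY_BITS / 8;
    /** PBKDF2 salt length in bytes. */
    private static final int ENC_PRIVKEY_PBKDF2_SALT_BYTES = 16;
    /**
     * PBKDF2 iteration count, written into the PBES2 parameters so the client can re-derive the key.
     * NOTE(review): this is far below current guidance for PBKDF2-HMAC-SHA256; raising it only costs
     * CPU on both sides, but must be coordinated with clients that hard-code it.
     */
    private static final int ENC_PRIVKEY_PBKDF2_ITERATIONS = 10240;
    /** How long to wait for a pooled Cipher/SecretKeyFactory before creating a fresh one. */
    private static final long ENC_PRIVKEY_POOL_TIMEOUT_SECONDS = 5L;

    /**
     * Encrypts the private key for a certificate-authenticated requestor: a fresh random AES key
     * encrypts the PKCS#8 blob under GCM and is itself wrapped with the requestor's public key
     * (RSA-OAEP or ECIES by key type; the caller has already excluded other key types).
     *
     * @throws Exception any wrapping, key-generation or cipher failure; funnelled into the caller's
     *                   catch-all, which maps it to a rejection
     */
    private EncryptedValue encryptPrivateKeyForRequestorKey(PrivateKeyInfo privateKeyInfo, PublicKey requestorKey)
            throws Exception {
        final CrmfKeyWrapper keyWrapper;
        if (requestorKey instanceof RSAPublicKey) {
            keyWrapper = new CrmfKeyWrapper.RSAOAEPAsymmetricKeyWrapper(requestorKey);
        } else {
            keyWrapper = new CrmfKeyWrapper.ECIESAsymmetricKeyWrapper(requestorKey);
        }
        // The shared KeyGenerator is not documented as thread-safe, hence the lock. Its key size is
        // expected to match id_aes128_GCM (128 bit) — confirm against the aesKeyGen initialisation.
        final byte[] aesKey;
        synchronized (this.aesKeyGen) {
            aesKey = this.aesKeyGen.generateKey().getEncoded();
        }
        try {
            final byte[] wrappedKey = keyWrapper.generateWrappedKey(aesKey);
            final byte[] nonce = randomBytes(ENC_PRIVKEY_GCM_NONCE_BYTES);
            final byte[] ciphertext = aesGcmEncrypt(new SecretKeySpec(aesKey, "AES"), nonce, privateKeyInfo.getEncoded());
            return new EncryptedValue(privateKeyInfo.getPrivateKeyAlgorithm(),
                    new AlgorithmIdentifier(NISTObjectIdentifiers.id_aes128_GCM, new GCMParameters(nonce, ENC_PRIVKEY_GCM_TAG_BYTES)),
                    new DERBitString(wrappedKey), keyWrapper.getAlgorithmIdentifier(),
                    (ASN1OctetString) null, new DERBitString(ciphertext));
        } finally {
            // Best effort: scrub our copy of the one-time key (SecretKeySpec holds its own copy).
            Arrays.fill(aesKey, (byte) 0);
        }
    }

    /**
     * Encrypts the private key for a password-authenticated requestor using PBES2:
     * PBKDF2-HMAC-SHA256 over the shared password and a fresh salt yields the AES key, which
     * encrypts the PKCS#8 blob under GCM with a fresh nonce. The KDF and cipher parameters are
     * carried in the PBES2 AlgorithmIdentifier; no encrypted symmetric key is attached.
     *
     * @throws Exception any KDF or cipher failure; funnelled into the caller's catch-all
     */
    private EncryptedValue encryptPrivateKeyWithPassword(PrivateKeyInfo privateKeyInfo,
            Requestor.SimplePasswordRequestor requestor) throws Exception {
        final byte[] nonce = randomBytes(ENC_PRIVKEY_GCM_NONCE_BYTES);
        final byte[] salt = randomBytes(ENC_PRIVKEY_PBKDF2_SALT_BYTES);
        final SecretKeySpec aesKey = deriveAesKeyFromPassword(requestor, salt);
        final byte[] ciphertext = aesGcmEncrypt(aesKey, nonce, privateKeyInfo.getEncoded());
        final AlgorithmIdentifier pbes2 = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_PBES2,
                new PBES2Parameters(
                        new KeyDerivationFunc(PKCSObjectIdentifiers.id_PBKDF2,
                                new PBKDF2Params(salt, ENC_PRIVKEY_PBKDF2_ITERATIONS, ENC_PRIVKEY_AES_KEY_BYTES, prf_hmacWithSHA256)),
                        new EncryptionScheme(NISTObjectIdentifiers.id_aes128_GCM, new GCMParameters(nonce, ENC_PRIVKEY_GCM_TAG_BYTES))));
        return new EncryptedValue(privateKeyInfo.getPrivateKeyAlgorithm(), pbes2,
                (ASN1BitString) null, (AlgorithmIdentifier) null, (ASN1OctetString) null, new DERBitString(ciphertext));
    }

    /**
     * Derives the AES key from the requestor's password with PBKDF2-HMAC-SHA256, using a pooled
     * SecretKeyFactory when one is available within the timeout and a fresh one otherwise.
     *
     * @throws Exception any KDF failure; funnelled into the caller's catch-all
     */
    private SecretKeySpec deriveAesKeyFromPassword(Requestor.SimplePasswordRequestor requestor, byte[] salt)
            throws Exception {
        ConcurrentBag.BagEntry pooled = null;
        if (pbkdf2_kdfs_initialized) {
            try {
                pooled = pbkdf2_kdfs.borrow(ENC_PRIVKEY_POOL_TIMEOUT_SECONDS, TimeUnit.SECONDS);
            } catch (InterruptedException e) {
                // Keep the interrupt visible to the caller; fall back to a fresh factory below.
                Thread.currentThread().interrupt();
            }
        }
        try {
            final SecretKeyFactory kdf = pooled != null
                    ? (SecretKeyFactory) pooled.value()
                    : SecretKeyFactory.getInstance(PKCSObjectIdentifiers.id_PBKDF2.getId());
            final byte[] keyBytes = kdf.generateSecret(new PBKDF2KeySpec(requestor.getPassword(), salt,
                    ENC_PRIVKEY_PBKDF2_ITERATIONS, ENC_PRIVKEY_AES_KEY_BITS, prf_hmacWithSHA256)).getEncoded();
            try {
                return new SecretKeySpec(keyBytes, "AES");
            } finally {
                Arrays.fill(keyBytes, (byte) 0);
            }
        } finally {
            if (pooled != null) {
                pbkdf2_kdfs.requite(pooled);
            }
        }
    }

    /**
     * AES-GCM encrypts {@code plaintext} with a 128-bit tag, using a pooled Cipher when one is
     * available within the timeout and a fresh {@code id_aes128_GCM} Cipher otherwise. The pooled
     * entry is always returned, also on failure.
     *
     * @throws Exception any cipher failure; funnelled into the caller's catch-all
     */
    private byte[] aesGcmEncrypt(SecretKeySpec aesKey, byte[] nonce, byte[] plaintext) throws Exception {
        ConcurrentBag.BagEntry pooled = null;
        if (aesGcm_ciphers_initialized) {
            try {
                pooled = aesGcm_ciphers.borrow(ENC_PRIVKEY_POOL_TIMEOUT_SECONDS, TimeUnit.SECONDS);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        }
        try {
            final Cipher cipher = pooled != null
                    ? (Cipher) pooled.value()
                    : Cipher.getInstance(NISTObjectIdentifiers.id_aes128_GCM.getId());
            cipher.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(ENC_PRIVKEY_GCM_TAG_BITS, nonce));
            return cipher.doFinal(plaintext);
        } finally {
            if (pooled != null) {
                aesGcm_ciphers.requite(pooled);
            }
        }
    }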

    /**
     * Handles a general message (PKIBody type 21, {@code genm}).
     * <p>
     * Only two InfoTypeAndValue sub-types are served, the first matching one wins:
     * {@code it_currentCRL} answers with the CA's current CRL and {@code id_it_caCerts} with the CA
     * certificate chain, both fetched from the SDK. Anything else is rejected with
     * {@code badRequest}; an empty SDK answer is rejected with {@code systemFailure}.
     *
     * @param str        identifier handed through to the SDK calls (presumably the CA name)
     * @param pKIBody    the genm body
     * @param auditEvent audit record; the event type of the served sub-type is added to it
     * @return a {@code genp} body (type 22) or an error body
     * @throws SdkErrorResponseException if the SDK reports an error
     */
    protected PKIBody cmpGeneralMsg(String str, PKIBody pKIBody, AuditEvent auditEvent) throws SdkErrorResponseException {
        final InfoTypeAndValue[] requested = GenMsgContent.getInstance(pKIBody.getContent()).toInfoTypeAndValueArray();
        final InfoTypeAndValue supported = firstSupportedInfoTypeAndValue(requested);
        if (supported == null) {
            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest,
                    "PKIBody type 21 with given sub-type is not supported");
        }
        final ASN1ObjectIdentifier infoType = supported.getInfoType();
        final InfoTypeAndValue reply;
        if (CMPObjectIdentifiers.it_currentCRL.equals(infoType)) {
            auditEvent.addEventType(TYPE_genm_current_crl);
            final byte[] crl = this.sdk.currentCrl(str);
            if (crl == null) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, "no CRL is available");
            }
            reply = new InfoTypeAndValue(infoType, CertificateList.getInstance(crl));
        } else {
            auditEvent.addEventType(TYPE_genm_cacerts);
            final byte[][] chain = this.sdk.cacerts(str);
            if (chain == null || chain.length == 0) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, "no certchain is available");
            }
            final ASN1EncodableVector certs = new ASN1EncodableVector();
            for (byte[] encodedCert : chain) {
                certs.add(new CMPCertificate(Certificate.getInstance(encodedCert)));
            }
            reply = new InfoTypeAndValue(infoType, new DERSequence(certs));
        }
        return new PKIBody(PKIBody.TYPE_GEN_REP, new GenRepContent(reply));
    }

    /**
     * Returns the first entry whose info type is {@code id_it_caCerts} or {@code it_currentCRL},
     * or {@code null} if there is none (a {@code null} array counts as empty).
     */
    private static InfoTypeAndValue firstSupportedInfoTypeAndValue(InfoTypeAndValue[] itavs) {
        if (itavs == null) {
            return null;
        }
        final String caCertsId = CMPObjectIdentifiers.id_it_caCerts.getId();
        final String currentCrlId = CMPObjectIdentifiers.it_currentCRL.getId();
        for (InfoTypeAndValue itav : itavs) {
            final String id = itav.getInfoType().getId();
            if (caCertsId.equals(id) || currentCrlId.equals(id)) {
                return itav;
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Maps a numeric CA error code to a {@code rejection} {@link PKIStatusInfo}.
     * Codes that {@code ErrorCode.ofCode} does not know are logged and treated as
     * {@code SYSTEM_FAILURE} rather than failing the response.
     *
     * @param i   numeric error code as reported by the CA
     * @param str status text, or {@code null}
     * @return the rejection status for that code
     */
    public static PKIStatusInfo buildPKIStatusInfo(int i, String str) {
        ErrorCode code;
        try {
            code = ErrorCode.ofCode(i);
        } catch (Exception ex) {
            // Exception type of ofCode is not visible here; any failure degrades to SYSTEM_FAILURE.
            LOG.warn("unknown error code {}, map it to {}", Integer.valueOf(i), ErrorCode.SYSTEM_FAILURE);
            code = ErrorCode.SYSTEM_FAILURE;
        }
        return buildPKIStatusInfo(code, str);
    }

    /**
     * Maps a CA {@link ErrorCode} to a {@code rejection} {@link PKIStatusInfo}.
     * <p>
     * The switch runs over the decompiler's synthetic switch-map ({@code AnonymousClass1}), so the
     * numeric case labels are indices into that map, not {@code ErrorCode} ordinals; which
     * ErrorCode lands in which case cannot be read from this file. The assigned integers are
     * BouncyCastle PKIFailureInfo bit values: 536870912 = duplicateCertReq, 1048576 = badCertTemplate,
     * 32 = badRequest, 16384 = badPOP, 8192 = certRevoked, 65536 = notAuthorized,
     * Integer.MIN_VALUE = systemUnavail, 1073741824 = systemFailure (also the default).
     *
     * @param errorCode the CA-side error code to translate
     * @param str       status text, or {@code null} to omit it
     * @return a rejection status carrying the mapped failure-info bits
     */
    static PKIStatusInfo buildPKIStatusInfo(ErrorCode errorCode, String str) {
        int i;
        PKIFreeText pKIFreeText = str == null ? null : new PKIFreeText(str);
        switch (AnonymousClass1.$SwitchMap$org$xipki$pki$ErrorCode[errorCode.ordinal()]) {
            case 1:
                i = 536870912; // duplicateCertReq
                break;
            case PVNO_CMP2000 /* 2 */: // decompiler reused the constant PVNO_CMP2000 (== 2) as a case label
            case 3:
                i = 1048576; // badCertTemplate
                break;
            case 4:
            case 5:
            case 6:
            case 7:
                i = 32; // badRequest
                break;
            case 8:
                i = 16384; // badPOP
                break;
            case 9:
                i = 8192; // certRevoked
                break;
            case 10:
            case 11:
                i = 65536; // notAuthorized
                break;
            case 12:
                i = Integer.MIN_VALUE; // systemUnavail
                break;
            case 13:
            case 14:
            case 15:
            case 16:
            default:
                i = 1073741824; // systemFailure: catch-all for every remaining code
                break;
        }
        return new PKIStatusInfo(PKIStatus.rejection, pKIFreeText, new PKIFailureInfo(i));
    }

    static {
        // Pre-warm pools of AES-GCM Cipher and PBKDF2 SecretKeyFactory objects so that private-key
        // encryption does not pay the provider lookup per request. If no instance can be created the
        // *_initialized flags stay false and callers create fresh objects on demand instead.
        final int poolSize = 64;

        final String aesGcmOid = NISTObjectIdentifiers.id_aes128_GCM.getId();
        aesGcm_ciphers = new ConcurrentBag<>();
        for (int n = 0; n < poolSize; n++) {
            try {
                aesGcm_ciphers.add(new ConcurrentBag.BagEntry(Cipher.getInstance(aesGcmOid)));
            } catch (NoSuchAlgorithmException | NoSuchPaddingException ex) {
                LogUtil.error(LOG, ex, "could not get Cipher of " + aesGcmOid);
            }
        }
        final int cipherCount = aesGcm_ciphers.size();
        aesGcm_ciphers_initialized = cipherCount > 0;
        if (cipherCount > 0) {
            LOG.info("initialized {} AES GCM Cipher instances", Integer.valueOf(cipherCount));
        } else {
            LOG.error("could not initialize any AES GCM Cipher instance");
        }

        final String pbkdf2Oid = PKCSObjectIdentifiers.id_PBKDF2.getId();
        pbkdf2_kdfs = new ConcurrentBag<>();
        for (int n = 0; n < poolSize; n++) {
            try {
                pbkdf2_kdfs.add(new ConcurrentBag.BagEntry(SecretKeyFactory.getInstance(pbkdf2Oid)));
            } catch (NoSuchAlgorithmException ex) {
                LogUtil.error(LOG, ex, "could not get SecretKeyFactory of " + pbkdf2Oid);
            }
        }
        final int kdfCount = pbkdf2_kdfs.size();
        pbkdf2_kdfs_initialized = kdfCount > 0;
        if (kdfCount > 0) {
            LOG.info("initialized {} PBKDF2 SecretKeyFactory instances", Integer.valueOf(kdfCount));
        } else {
            LOG.error("could not initialize any PBKDF2 SecretKeyFactory instance");
        }

        // CA error code -> PKIFailureInfo bit value, consumed by getPKiFailureInfo.
        errorCodeToPkiFailureMap.put(ErrorCode.ALREADY_ISSUED, PKIFailureInfo.badRequest);
        errorCodeToPkiFailureMap.put(ErrorCode.BAD_CERT_TEMPLATE, PKIFailureInfo.badCertTemplate);
        errorCodeToPkiFailureMap.put(ErrorCode.BAD_REQUEST, PKIFailureInfo.badRequest);
        errorCodeToPkiFailureMap.put(ErrorCode.CERT_REVOKED, PKIFailureInfo.certRevoked);
        errorCodeToPkiFailureMap.put(ErrorCode.CERT_UNREVOKED, PKIFailureInfo.notAuthorized);
        errorCodeToPkiFailureMap.put(ErrorCode.BAD_POP, PKIFailureInfo.badPOP);
        errorCodeToPkiFailureMap.put(ErrorCode.NOT_PERMITTED, PKIFailureInfo.notAuthorized);
        errorCodeToPkiFailureMap.put(ErrorCode.INVALID_EXTENSION, PKIFailureInfo.badRequest);
        errorCodeToPkiFailureMap.put(ErrorCode.SYSTEM_UNAVAILABLE, PKIFailureInfo.systemUnavail);
        errorCodeToPkiFailureMap.put(ErrorCode.UNKNOWN_CERT, PKIFailureInfo.badCertId);
        errorCodeToPkiFailureMap.put(ErrorCode.UNKNOWN_CERT_PROFILE, PKIFailureInfo.badCertTemplate);
    }
}
