package org.xipki.ca.gateway.rest;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.audit.AuditLevel;
import org.xipki.audit.AuditStatus;
import org.xipki.ca.gateway.GatewayUtil;
import org.xipki.ca.gateway.PopControl;
import org.xipki.ca.gateway.Requestor;
import org.xipki.ca.gateway.RequestorAuthenticator;
import org.xipki.ca.gateway.RestResponse;
import org.xipki.ca.sdk.CaAuditConstants;
import org.xipki.ca.sdk.CertsMode;
import org.xipki.ca.sdk.EnrollCertRequestEntry;
import org.xipki.ca.sdk.EnrollCertsRequest;
import org.xipki.ca.sdk.EnrollOrPollCertsResponse;
import org.xipki.ca.sdk.EnrollOrPullCertResponseEntry;
import org.xipki.ca.sdk.RevokeCertRequestEntry;
import org.xipki.ca.sdk.RevokeCertsRequest;
import org.xipki.ca.sdk.SdkClient;
import org.xipki.ca.sdk.SdkErrorResponseException;
import org.xipki.ca.sdk.UnsuspendOrRemoveRequest;
import org.xipki.ca.sdk.X500NameType;
import org.xipki.security.CrlReason;
import org.xipki.security.SecurityFactory;
import org.xipki.security.X509Cert;
import org.xipki.security.XiSecurityException;
import org.xipki.security.util.HttpRequestMetadataRetriever;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.Base64;
import org.xipki.util.CollectionUtil;
import org.xipki.util.DateUtil;
import org.xipki.util.Hex;
import org.xipki.util.LogUtil;
import org.xipki.util.PemEncoder;
import org.xipki.util.PermissionConstants;
import org.xipki.util.StringUtil;
import org.xipki.util.exception.ErrorCode;
import org.xipki.util.exception.OperationException;
import org.xipki.util.http.HttpRespContent;

/* loaded from: input_file:WEB-INF/classes/org/xipki/ca/gateway/rest/RestResponder.class */
public class RestResponder {
    final byte[] NEWLINE = {13, 10};
    private static final int OK = 200;
    private static final int BAD_REQUEST = 400;
    private static final int UNAUTHORIZED = 401;
    private static final int NOT_FOUND = 404;
    private static final int CONFLICT = 409;
    private static final int UNSUPPORTED_MEDIA_TYPE = 415;
    private static final int INTERNAL_SERVER_ERROR = 500;
    private static final int SERVICE_UNAVAILABLE = 503;
    private static final String CT_pkcs10 = "application/pkcs10";
    private static final String CT_pkix_crl = "application/pkix-crl";
    private static final String CT_pkix_cert = "application/pkix-cert";
    private static final String CT_pem_file = "application/x-pem-file";
    private static final String HEADER_PKISTATUS = "X-xipki-pkistatus";
    private static final String PKISTATUS_accepted = "accepted";
    private static final String PKISTATUS_rejection = "rejection";
    private static final String HEADER_failInfo = "X-xipki-fail-info";
    private static final String FAILINFO_badRequest = "badRequest";
    private static final String FAILINFO_badCertId = "badCertId";
    private static final String FAILINFO_badPOP = "badPOP";
    private static final String FAILINFO_certRevoked = "certRevoked";
    private static final String FAILINFO_badCertTemplate = "badCertTemplate";
    private static final String FAILINFO_notAuthorized = "notAuthorized";
    private static final String FAILINFO_systemUnavail = "systemUnavail";
    private static final String FAILINFO_systemFailure = "systemFailure";
    private static final String CMD_cacert = "cacert";
    private static final String CMD_cacerts = "cacerts";
    private static final String CMD_crl = "crl";
    private static final String PARAM_profile = "profile";
    private static final String PARAM_reason = "reason";
    private static final String PARAM_not_before = "not-before";
    private static final String PARAM_not_after = "not-after";
    private static final String PARAM_invalidity_time = "invalidity-time";
    private static final String PARAM_crl_number = "crl-number";
    private static final String PARAM_ca_sha1 = "ca-sha1";
    private static final String PARAM_serial_number = "serial-number";
    private final SdkClient sdk;
    private final SecurityFactory securityFactory;
    private final PopControl popControl;
    private final RequestorAuthenticator authenticator;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) RestResponder.class);
    private static final String CMD_revoke_cert = "revoke-cert";
    private static final String CMD_unsuspend_cert = "unsuspend-cert";

    @Deprecated
    private static final String CMD_unrevoke_cert = "unrevoke-cert";
    private static final String CMD_enroll_cert = "enroll-cert";
    private static final String CMD_enroll_cross_cert = "enroll-cross-cert";
    private static final String CMD_enroll_serverkeygen = "enroll-serverkeygen";
    private static final String CMD_enroll_cert_twin = "enroll-cert-twin";
    private static final String CMD_enroll_serverkeygen_twin = "enroll-serverkeygen-twin";
    private static final Set<String> knownCommands = CollectionUtil.asUnmodifiableSet("cacert", "cacerts", CMD_revoke_cert, CMD_unsuspend_cert, CMD_unrevoke_cert, CMD_enroll_cert, CMD_enroll_cross_cert, CMD_enroll_serverkeygen, CMD_enroll_cert_twin, CMD_enroll_serverkeygen_twin, "crl");

    /* renamed from: org.xipki.ca.gateway.rest.RestResponder$1, reason: invalid class name */
    /* loaded from: input_file:WEB-INF/classes/org/xipki/ca/gateway/rest/RestResponder$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xipki$util$exception$ErrorCode = new int[ErrorCode.values().length];

        static {
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.ALREADY_ISSUED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.BAD_REQUEST.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.INVALID_EXTENSION.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.UNKNOWN_CERT_PROFILE.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.CERT_UNREVOKED.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.BAD_CERT_TEMPLATE.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.CERT_REVOKED.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.NOT_PERMITTED.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.UNAUTHORIZED.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.SYSTEM_UNAVAILABLE.ordinal()] = 10;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.UNKNOWN_CERT.ordinal()] = 11;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.BAD_POP.ordinal()] = 12;
            } catch (NoSuchFieldError e12) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.PATH_NOT_FOUND.ordinal()] = 13;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.CRL_FAILURE.ordinal()] = 14;
            } catch (NoSuchFieldError e14) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.DATABASE_FAILURE.ordinal()] = 15;
            } catch (NoSuchFieldError e15) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.SYSTEM_FAILURE.ordinal()] = 16;
            } catch (NoSuchFieldError e16) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/classes/org/xipki/ca/gateway/rest/RestResponder$HttpRespAuditException.class */
    public static class HttpRespAuditException extends Exception {
        private final int httpStatus;
        private final String auditMessage;
        private final AuditLevel auditLevel;
        private final AuditStatus auditStatus;

        public HttpRespAuditException(int i, String str, AuditLevel auditLevel, AuditStatus auditStatus) {
            this.httpStatus = i;
            this.auditMessage = Args.notBlank(str, "auditMessage");
            this.auditLevel = (AuditLevel) Args.notNull(auditLevel, "auditLevel");
            this.auditStatus = (AuditStatus) Args.notNull(auditStatus, "auditStatus");
        }

        public int getHttpStatus() {
            return this.httpStatus;
        }

        public String getAuditMessage() {
            return this.auditMessage;
        }

        public AuditLevel getAuditLevel() {
            return this.auditLevel;
        }

        public AuditStatus getAuditStatus() {
            return this.auditStatus;
        }
    }

    public RestResponder(SdkClient sdkClient, SecurityFactory securityFactory, RequestorAuthenticator requestorAuthenticator, PopControl popControl) {
        this.sdk = (SdkClient) Args.notNull(sdkClient, "sdk");
        this.securityFactory = (SecurityFactory) Args.notNull(securityFactory, "securityFactory");
        this.authenticator = (RequestorAuthenticator) Args.notNull(requestorAuthenticator, "authenticator");
        this.popControl = (PopControl) Args.notNull(popControl, "popControl");
    }

    private Requestor getRequestor(String str) {
        return this.authenticator.getPasswordRequestorByUser(str);
    }

    private Requestor getRequestor(X509Cert x509Cert) {
        return this.authenticator.getCertRequestor(x509Cert);
    }

    public RestResponse service(String str, byte[] bArr, HttpRequestMetadataRetriever httpRequestMetadataRetriever, AuditEvent auditEvent) {
        int i;
        String str2;
        Requestor requestor;
        HttpRespContent httpRespContent;
        AuditLevel auditLevel = AuditLevel.INFO;
        AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
        try {
            try {
                try {
                    try {
                        String str3 = null;
                        String str4 = null;
                        if (str.length() > 1) {
                            int indexOf = str.indexOf(47, 1);
                            if (indexOf == -1 || indexOf == str.length() - 1) {
                                String str5 = "invalid path " + str;
                                LOG.error(str5);
                                throw new HttpRespAuditException(NOT_FOUND, str5, AuditLevel.ERROR, AuditStatus.FAILED);
                            }
                            str3 = str.substring(1, indexOf).toLowerCase();
                            str4 = str.substring(indexOf + 1).toLowerCase();
                        }
                        if (StringUtil.isBlank(str4)) {
                            LOG.warn("command is not specified");
                            throw new HttpRespAuditException(NOT_FOUND, "command is not specified", AuditLevel.INFO, AuditStatus.FAILED);
                        }
                        if (StringUtil.isBlank(str3)) {
                            LOG.warn("CA is not specified");
                            throw new HttpRespAuditException(NOT_FOUND, "CA is not specified", AuditLevel.INFO, AuditStatus.FAILED);
                        }
                        auditEvent.addEventData("ca", str3);
                        auditEvent.addEventType(str4);
                        if (!knownCommands.contains(str4)) {
                            String str6 = "invalid command '" + str4 + "'";
                            LOG.error(str6);
                            throw new HttpRespAuditException(NOT_FOUND, str6, AuditLevel.INFO, AuditStatus.FAILED);
                        }
                        if ("cacert".equals(str4)) {
                            RestResponse restResponse = toRestResponse(HttpRespContent.ofOk(CT_pkix_cert, this.sdk.cacert(str3)));
                            auditEvent.setStatus(auditStatus);
                            auditEvent.setLevel(auditLevel);
                            if (0 != 0) {
                                auditEvent.addEventData(CaAuditConstants.NAME_message, null);
                            }
                            return restResponse;
                        }
                        if ("cacerts".equals(str4)) {
                            RestResponse restResponse2 = toRestResponse(HttpRespContent.ofOk(CT_pem_file, StringUtil.toUtf8Bytes(X509Util.encodeCertificates(this.sdk.cacerts(str3)))));
                            auditEvent.setStatus(auditStatus);
                            auditEvent.setLevel(auditLevel);
                            if (0 != 0) {
                                auditEvent.addEventData(CaAuditConstants.NAME_message, null);
                            }
                            return restResponse2;
                        }
                        if ("crl".equals(str4)) {
                            RestResponse restResponse3 = toRestResponse(getCrl(str3, httpRequestMetadataRetriever));
                            auditEvent.setStatus(auditStatus);
                            auditEvent.setLevel(auditLevel);
                            if (0 != 0) {
                                auditEvent.addEventData(CaAuditConstants.NAME_message, null);
                            }
                            return restResponse3;
                        }
                        String header = httpRequestMetadataRetriever.getHeader("Authorization");
                        if (header == null || !header.startsWith("Basic ")) {
                            X509Cert tlsClientCert = httpRequestMetadataRetriever.getTlsClientCert();
                            if (tlsClientCert == null) {
                                throw new HttpRespAuditException(UNAUTHORIZED, "no client certificate", AuditLevel.INFO, AuditStatus.FAILED);
                            }
                            requestor = getRequestor(tlsClientCert);
                            if (requestor == null) {
                                throw new OperationException(ErrorCode.NOT_PERMITTED, "no requestor specified");
                            }
                        } else {
                            String str7 = null;
                            byte[] bArr2 = null;
                            if (header.length() > 6) {
                                byte[] decodeFast = Base64.decodeFast(header.substring(6));
                                int i2 = -1;
                                int i3 = 0;
                                while (true) {
                                    if (i3 >= decodeFast.length) {
                                        break;
                                    }
                                    if (decodeFast[i3] == 58) {
                                        i2 = i3;
                                        break;
                                    }
                                    i3++;
                                }
                                if (i2 != -1 && i2 < decodeFast.length - 1) {
                                    str7 = StringUtil.toUtf8String(Arrays.copyOfRange(decodeFast, 0, i2));
                                    bArr2 = Arrays.copyOfRange(decodeFast, i2 + 1, decodeFast.length);
                                }
                            }
                            if (str7 == null) {
                                throw new HttpRespAuditException(UNAUTHORIZED, "invalid Authorization information", AuditLevel.INFO, AuditStatus.FAILED);
                            }
                            requestor = getRequestor(str7);
                            if (!(requestor != null && requestor.authenticate(bArr2))) {
                                throw new HttpRespAuditException(UNAUTHORIZED, "could not authenticate user " + str7, AuditLevel.INFO, AuditStatus.FAILED);
                            }
                        }
                        auditEvent.addEventData(CaAuditConstants.NAME_requestor, requestor.getName());
                        String str8 = str4;
                        boolean z = -1;
                        switch (str8.hashCode()) {
                            case -1326520806:
                                if (str8.equals(CMD_enroll_serverkeygen_twin)) {
                                    z = 4;
                                    break;
                                }
                                break;
                            case -791489768:
                                if (str8.equals(CMD_enroll_cross_cert)) {
                                    z = false;
                                    break;
                                }
                                break;
                            case -755363093:
                                if (str8.equals(CMD_enroll_cert)) {
                                    z = true;
                                    break;
                                }
                                break;
                            case -600063733:
                                if (str8.equals(CMD_revoke_cert)) {
                                    z = 5;
                                    break;
                                }
                                break;
                            case 234398555:
                                if (str8.equals(CMD_enroll_serverkeygen)) {
                                    z = 2;
                                    break;
                                }
                                break;
                            case 745720018:
                                if (str8.equals(CMD_unrevoke_cert)) {
                                    z = 7;
                                    break;
                                }
                                break;
                            case 922534446:
                                if (str8.equals(CMD_unsuspend_cert)) {
                                    z = 6;
                                    break;
                                }
                                break;
                            case 1144303754:
                                if (str8.equals(CMD_enroll_cert_twin)) {
                                    z = 3;
                                    break;
                                }
                                break;
                        }
                        switch (z) {
                            case false:
                                httpRespContent = enrollCrossCert(str3, requestor, bArr, httpRequestMetadataRetriever, auditEvent);
                                break;
                            case true:
                            case true:
                            case true:
                            case PermissionConstants.UNSUSPEND_CERT /* 4 */:
                                httpRespContent = enrollCerts(str4, str3, requestor, bArr, httpRequestMetadataRetriever, auditEvent);
                                break;
                            case true:
                            case true:
                            case true:
                                unRevoke(str4, str3, requestor, httpRequestMetadataRetriever, auditEvent);
                                httpRespContent = null;
                                break;
                            default:
                                throw new IllegalStateException("invalid command '" + str4 + "'");
                        }
                        RestResponse restResponse4 = toRestResponse(httpRespContent);
                        auditEvent.setStatus(auditStatus);
                        auditEvent.setLevel(auditLevel);
                        if (0 != 0) {
                            auditEvent.addEventData(CaAuditConstants.NAME_message, null);
                        }
                        return restResponse4;
                    } catch (OperationException e) {
                        ErrorCode errorCode = e.getErrorCode();
                        if (LOG.isWarnEnabled()) {
                            LogUtil.warn(LOG, e, StringUtil.concat("generate certificate, OperationException: code=", errorCode.name(), ", message=", e.getErrorMessage()));
                        }
                        switch (AnonymousClass1.$SwitchMap$org$xipki$util$exception$ErrorCode[errorCode.ordinal()]) {
                            case 1:
                            case 2:
                            case 3:
                            case PermissionConstants.UNSUSPEND_CERT /* 4 */:
                            case 5:
                                i = BAD_REQUEST;
                                str2 = FAILINFO_badRequest;
                                break;
                            case 6:
                                i = BAD_REQUEST;
                                str2 = FAILINFO_badCertTemplate;
                                break;
                            case 7:
                                i = CONFLICT;
                                str2 = FAILINFO_certRevoked;
                                break;
                            case PermissionConstants.REMOVE_CERT /* 8 */:
                            case 9:
                                i = UNAUTHORIZED;
                                str2 = FAILINFO_notAuthorized;
                                break;
                            case 10:
                                i = SERVICE_UNAVAILABLE;
                                str2 = FAILINFO_systemUnavail;
                                break;
                            case 11:
                                i = BAD_REQUEST;
                                str2 = FAILINFO_badCertId;
                                break;
                            case 12:
                                i = BAD_REQUEST;
                                str2 = FAILINFO_badPOP;
                                break;
                            case 13:
                                i = NOT_FOUND;
                                str2 = FAILINFO_systemUnavail;
                                break;
                            case 14:
                            case 15:
                            case PermissionConstants.REENROLL_CERT /* 16 */:
                            default:
                                i = INTERNAL_SERVER_ERROR;
                                str2 = FAILINFO_systemFailure;
                                break;
                        }
                        auditEvent.setStatus(AuditStatus.FAILED);
                        auditEvent.addEventData(CaAuditConstants.NAME_message, errorCode.name());
                        String name = errorCode.name();
                        if (errorCode != ErrorCode.DATABASE_FAILURE && errorCode != ErrorCode.SYSTEM_FAILURE) {
                            name = name + ": " + e.getErrorMessage();
                        }
                        HashMap hashMap = new HashMap();
                        hashMap.put(HEADER_PKISTATUS, PKISTATUS_rejection);
                        if (StringUtil.isNotBlank(str2)) {
                            hashMap.put(HEADER_failInfo, str2);
                        }
                        RestResponse restResponse5 = new RestResponse(i, null, hashMap, null);
                        auditEvent.setStatus(auditStatus);
                        auditEvent.setLevel(auditLevel);
                        if (name != null) {
                            auditEvent.addEventData(CaAuditConstants.NAME_message, name);
                        }
                        return restResponse5;
                    }
                } catch (Throwable th) {
                    if (th instanceof EOFException) {
                        LogUtil.warn(LOG, th, "connection reset by peer");
                    } else {
                        LOG.error("Throwable thrown, this should not happen!", th);
                    }
                    AuditLevel auditLevel2 = AuditLevel.ERROR;
                    AuditStatus auditStatus2 = AuditStatus.FAILED;
                    RestResponse restResponse6 = new RestResponse(INTERNAL_SERVER_ERROR, null, null, null);
                    auditEvent.setStatus(auditStatus2);
                    auditEvent.setLevel(auditLevel2);
                    if ("internal error" != 0) {
                        auditEvent.addEventData(CaAuditConstants.NAME_message, "internal error");
                    }
                    return restResponse6;
                }
            } catch (HttpRespAuditException e2) {
                AuditStatus auditStatus3 = e2.getAuditStatus();
                AuditLevel auditLevel3 = e2.getAuditLevel();
                String auditMessage = e2.getAuditMessage();
                RestResponse restResponse7 = new RestResponse(e2.getHttpStatus(), null, null, null);
                auditEvent.setStatus(auditStatus3);
                auditEvent.setLevel(auditLevel3);
                if (auditMessage != null) {
                    auditEvent.addEventData(CaAuditConstants.NAME_message, auditMessage);
                }
                return restResponse7;
            }
        } catch (Throwable th2) {
            auditEvent.setStatus(auditStatus);
            auditEvent.setLevel(auditLevel);
            if (0 != 0) {
                auditEvent.addEventData(CaAuditConstants.NAME_message, null);
            }
            throw th2;
        }
    }

    private RestResponse toRestResponse(HttpRespContent httpRespContent) {
        HashMap hashMap = new HashMap();
        hashMap.put(HEADER_PKISTATUS, PKISTATUS_accepted);
        return httpRespContent == null ? new RestResponse(OK, null, hashMap, null) : new RestResponse(OK, httpRespContent.getContentType(), hashMap, httpRespContent.isBase64(), httpRespContent.getContent());
    }

    private HttpRespContent enrollCerts(String str, String str2, Requestor requestor, byte[] bArr, HttpRequestMetadataRetriever httpRequestMetadataRetriever, AuditEvent auditEvent) throws HttpRespAuditException, OperationException, IOException, SdkErrorResponseException {
        X500Name subject;
        SubjectPublicKeyInfo subjectPublicKeyInfo;
        Extensions extensions;
        if (!requestor.isPermitted(1)) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "ENROLL_CERT is not allowed");
        }
        boolean z = CMD_enroll_cert_twin.equals(str) || CMD_enroll_serverkeygen_twin.equals(str);
        boolean z2 = CMD_enroll_serverkeygen.equals(str) || CMD_enroll_serverkeygen_twin.equals(str);
        String checkProfile = checkProfile(requestor, httpRequestMetadataRetriever);
        String str3 = z ? checkProfile + "-enc" : null;
        if (str3 != null && !requestor.isCertprofilePermitted(str3)) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "certprofile " + str3 + " is not allowed");
        }
        String parameter = httpRequestMetadataRetriever.getParameter(PARAM_not_before);
        Date parseUtcTimeyyyyMMddhhmmss = parameter == null ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(parameter);
        String parameter2 = httpRequestMetadataRetriever.getParameter(PARAM_not_after);
        Date parseUtcTimeyyyyMMddhhmmss2 = parameter2 == null ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(parameter2);
        String header = httpRequestMetadataRetriever.getHeader("Content-Type");
        if (z2) {
            subjectPublicKeyInfo = null;
            if (header.startsWith("text/plain")) {
                Properties properties = new Properties();
                properties.load(new ByteArrayInputStream(bArr));
                String property = properties.getProperty(CaAuditConstants.NAME_subject);
                if (property == null) {
                    throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "subject is not specified");
                }
                try {
                    subject = new X500Name(property);
                    extensions = null;
                } catch (Exception e) {
                    throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "invalid subject");
                }
            } else {
                if (!CT_pkcs10.equalsIgnoreCase(header)) {
                    throw new HttpRespAuditException(UNSUPPORTED_MEDIA_TYPE, "unsupported media type " + header, AuditLevel.INFO, AuditStatus.FAILED);
                }
                CertificationRequestInfo certificationRequestInfo = CertificationRequest.getInstance(X509Util.toDerEncoded(bArr)).getCertificationRequestInfo();
                subject = certificationRequestInfo.getSubject();
                extensions = X509Util.getExtensions(certificationRequestInfo);
            }
        } else {
            if (!CT_pkcs10.equalsIgnoreCase(header)) {
                throw new HttpRespAuditException(UNSUPPORTED_MEDIA_TYPE, "unsupported media type " + header, AuditLevel.INFO, AuditStatus.FAILED);
            }
            CertificationRequest certificationRequest = CertificationRequest.getInstance(bArr);
            if (!GatewayUtil.verifyCsr(certificationRequest, this.securityFactory, this.popControl)) {
                throw new OperationException(ErrorCode.BAD_POP);
            }
            CertificationRequestInfo certificationRequestInfo2 = certificationRequest.getCertificationRequestInfo();
            subject = certificationRequestInfo2.getSubject();
            subjectPublicKeyInfo = certificationRequestInfo2.getSubjectPublicKeyInfo();
            extensions = X509Util.getExtensions(certificationRequestInfo2);
        }
        BigInteger bigInteger = BigInteger.ONE;
        BigInteger valueOf = z ? BigInteger.valueOf(2L) : null;
        EnrollCertRequestEntry enrollCertRequestEntry = new EnrollCertRequestEntry();
        enrollCertRequestEntry.setCertReqId(bigInteger);
        enrollCertRequestEntry.setCertprofile(checkProfile);
        enrollCertRequestEntry.setSubject(new X500NameType(subject));
        enrollCertRequestEntry.notBefore(parseUtcTimeyyyyMMddhhmmss);
        enrollCertRequestEntry.notAfter(parseUtcTimeyyyyMMddhhmmss2);
        auditEvent.addEventData(CaAuditConstants.NAME_certprofile, checkProfile);
        auditEvent.addEventData(CaAuditConstants.NAME_req_subject, "\"" + X509Util.x500NameText(subject) + "\"");
        try {
            enrollCertRequestEntry.extensions(extensions);
            try {
                enrollCertRequestEntry.subjectPublicKey(subjectPublicKeyInfo);
                ArrayList arrayList = new ArrayList(z ? 2 : 1);
                arrayList.add(enrollCertRequestEntry);
                if (z) {
                    EnrollCertRequestEntry enrollCertRequestEntry2 = new EnrollCertRequestEntry();
                    enrollCertRequestEntry2.setCertReqId(valueOf);
                    enrollCertRequestEntry2.setCertprofile(str3);
                    enrollCertRequestEntry2.setSubject(new X500NameType(subject));
                    enrollCertRequestEntry2.notBefore(parseUtcTimeyyyyMMddhhmmss);
                    enrollCertRequestEntry2.notAfter(parseUtcTimeyyyyMMddhhmmss2);
                    auditEvent.addEventData(CaAuditConstants.NAME_certprofile, str3);
                    auditEvent.addEventData(CaAuditConstants.NAME_req_subject, "\"" + X509Util.x500NameText(subject) + "\"");
                    try {
                        enrollCertRequestEntry2.extensions(extensions);
                        arrayList.add(enrollCertRequestEntry2);
                    } catch (IOException e2) {
                        throw new HttpRespAuditException(BAD_REQUEST, "could not encode extensions", AuditLevel.INFO, AuditStatus.FAILED);
                    }
                }
                EnrollCertsRequest enrollCertsRequest = new EnrollCertsRequest();
                enrollCertsRequest.setEntries(arrayList);
                enrollCertsRequest.setExplicitConfirm(false);
                enrollCertsRequest.setGroupEnroll(Boolean.valueOf(z));
                enrollCertsRequest.setCaCertMode(CertsMode.NONE);
                EnrollOrPollCertsResponse enrollCerts = this.sdk.enrollCerts(str2, enrollCertsRequest);
                checkResponse(arrayList.size(), enrollCerts);
                EnrollOrPullCertResponseEntry entry = getEntry(enrollCerts.getEntries(), bigInteger);
                if (!z2 && !z) {
                    return HttpRespContent.ofOk(CT_pkix_cert, entry.getCert());
                }
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                if (z2) {
                    byteArrayOutputStream.write(PemEncoder.encode(entry.getPrivateKey(), PemEncoder.PemLabel.PRIVATE_KEY));
                    byteArrayOutputStream.write(this.NEWLINE);
                }
                byteArrayOutputStream.write(PemEncoder.encode(entry.getCert(), PemEncoder.PemLabel.CERTIFICATE));
                byteArrayOutputStream.write(this.NEWLINE);
                if (z) {
                    EnrollOrPullCertResponseEntry entry2 = getEntry(enrollCerts.getEntries(), valueOf);
                    byteArrayOutputStream.write(PemEncoder.encode(entry2.getPrivateKey(), PemEncoder.PemLabel.PRIVATE_KEY));
                    byteArrayOutputStream.write(this.NEWLINE);
                    byteArrayOutputStream.write(PemEncoder.encode(entry2.getCert(), PemEncoder.PemLabel.CERTIFICATE));
                    byteArrayOutputStream.write(this.NEWLINE);
                }
                byteArrayOutputStream.flush();
                return HttpRespContent.ofOk(CT_pem_file, byteArrayOutputStream.toByteArray());
            } catch (IOException e3) {
                throw new HttpRespAuditException(BAD_REQUEST, "could not encode SubjectPublicKeyInfo", AuditLevel.INFO, AuditStatus.FAILED);
            }
        } catch (IOException e4) {
            throw new HttpRespAuditException(BAD_REQUEST, "could not encode extensions", AuditLevel.INFO, AuditStatus.FAILED);
        }
    }

    private HttpRespContent enrollCrossCert(String str, Requestor requestor, byte[] bArr, HttpRequestMetadataRetriever httpRequestMetadataRetriever, AuditEvent auditEvent) throws HttpRespAuditException, OperationException, IOException, SdkErrorResponseException {
        if (!requestor.isPermitted(PermissionConstants.ENROLL_CROSS)) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "ENROLL_CROSS is not allowed");
        }
        String checkProfile = checkProfile(requestor, httpRequestMetadataRetriever);
        String header = httpRequestMetadataRetriever.getHeader("Content-Type");
        if (!CT_pem_file.equalsIgnoreCase(header)) {
            throw new HttpRespAuditException(UNSUPPORTED_MEDIA_TYPE, "unsupported media type " + header, AuditLevel.INFO, AuditStatus.FAILED);
        }
        String parameter = httpRequestMetadataRetriever.getParameter(PARAM_not_before);
        Date parseUtcTimeyyyyMMddhhmmss = parameter == null ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(parameter);
        String parameter2 = httpRequestMetadataRetriever.getParameter(PARAM_not_after);
        Date parseUtcTimeyyyyMMddhhmmss2 = parameter2 == null ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(parameter2);
        byte[] bArr2 = null;
        byte[] bArr3 = null;
        PemReader pemReader = new PemReader(new InputStreamReader(new ByteArrayInputStream(bArr)));
        Throwable th = null;
        while (true) {
            try {
                PemObject readPemObject = pemReader.readPemObject();
                if (readPemObject == null) {
                    if (bArr2 == null) {
                        throw new HttpRespAuditException(BAD_REQUEST, "PEM CSR is not specified", AuditLevel.INFO, AuditStatus.FAILED);
                    }
                    if (bArr3 == null) {
                        throw new HttpRespAuditException(BAD_REQUEST, "PEM CERTIFICATE is not specified", AuditLevel.INFO, AuditStatus.FAILED);
                    }
                    CertificationRequest certificationRequest = CertificationRequest.getInstance(bArr2);
                    if (!GatewayUtil.verifyCsr(certificationRequest, this.securityFactory, this.popControl)) {
                        throw new OperationException(ErrorCode.BAD_POP);
                    }
                    Certificate certificate = Certificate.getInstance(bArr3);
                    try {
                        X509Util.assertCsrAndCertMatch(certificationRequest, certificate, true);
                        SubjectPublicKeyInfo subjectPublicKeyInfo = certificate.getSubjectPublicKeyInfo();
                        Extensions extensions = certificate.getTBSCertificate().getExtensions();
                        X500Name subject = certificate.getSubject();
                        BigInteger bigInteger = BigInteger.ONE;
                        if (parseUtcTimeyyyyMMddhhmmss2 == null || parseUtcTimeyyyyMMddhhmmss2.after(certificate.getEndDate().getDate())) {
                            parseUtcTimeyyyyMMddhhmmss2 = certificate.getEndDate().getDate();
                        }
                        EnrollCertRequestEntry enrollCertRequestEntry = new EnrollCertRequestEntry();
                        enrollCertRequestEntry.setCertReqId(bigInteger);
                        enrollCertRequestEntry.setCertprofile(checkProfile);
                        enrollCertRequestEntry.setSubject(new X500NameType(subject));
                        enrollCertRequestEntry.notBefore(parseUtcTimeyyyyMMddhhmmss);
                        enrollCertRequestEntry.notAfter(parseUtcTimeyyyyMMddhhmmss2);
                        auditEvent.addEventData(CaAuditConstants.NAME_certprofile, checkProfile);
                        auditEvent.addEventData(CaAuditConstants.NAME_req_subject, "\"" + X509Util.x500NameText(subject) + "\"");
                        try {
                            enrollCertRequestEntry.extensions(extensions);
                            try {
                                enrollCertRequestEntry.subjectPublicKey(subjectPublicKeyInfo);
                                List<EnrollCertRequestEntry> singletonList = Collections.singletonList(enrollCertRequestEntry);
                                EnrollCertsRequest enrollCertsRequest = new EnrollCertsRequest();
                                enrollCertsRequest.setEntries(singletonList);
                                enrollCertsRequest.setExplicitConfirm(false);
                                enrollCertsRequest.setGroupEnroll(false);
                                enrollCertsRequest.setCaCertMode(CertsMode.NONE);
                                EnrollOrPollCertsResponse enrollCrossCerts = this.sdk.enrollCrossCerts(str, enrollCertsRequest);
                                checkResponse(singletonList.size(), enrollCrossCerts);
                                return HttpRespContent.ofOk(CT_pkix_cert, getEntry(enrollCrossCerts.getEntries(), bigInteger).getCert());
                            } catch (IOException e) {
                                throw new HttpRespAuditException(BAD_REQUEST, "could not encode SubjectPublicKeyInfo", AuditLevel.INFO, AuditStatus.FAILED);
                            }
                        } catch (IOException e2) {
                            throw new HttpRespAuditException(BAD_REQUEST, "could not encode extensions", AuditLevel.INFO, AuditStatus.FAILED);
                        }
                    } catch (XiSecurityException e3) {
                        throw new HttpRespAuditException(BAD_REQUEST, e3.getMessage(), AuditLevel.INFO, AuditStatus.FAILED);
                    }
                }
                String type = readPemObject.getType();
                if (PemEncoder.PemLabel.CERTIFICATE_REQUEST.getType().equals(type)) {
                    if (bArr2 != null) {
                        throw new HttpRespAuditException(BAD_REQUEST, "duplicated PEM CSRs", AuditLevel.INFO, AuditStatus.FAILED);
                    }
                    bArr2 = readPemObject.getContent();
                } else {
                    if (!PemEncoder.PemLabel.CERTIFICATE.getType().equals(type)) {
                        throw new HttpRespAuditException(BAD_REQUEST, "unknown PEM object type " + type, AuditLevel.INFO, AuditStatus.FAILED);
                    }
                    if (bArr3 != null) {
                        throw new HttpRespAuditException(BAD_REQUEST, "duplicated PEM certificates", AuditLevel.INFO, AuditStatus.FAILED);
                    }
                    bArr3 = readPemObject.getContent();
                }
            } finally {
                if (pemReader != null) {
                    if (0 != 0) {
                        try {
                            pemReader.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        pemReader.close();
                    }
                }
            }
        }
    }

    private static void checkResponse(int i, EnrollOrPollCertsResponse enrollOrPollCertsResponse) throws HttpRespAuditException {
        List<EnrollOrPullCertResponseEntry> entries = enrollOrPollCertsResponse.getEntries();
        if (entries != null) {
            for (EnrollOrPullCertResponseEntry enrollOrPullCertResponseEntry : entries) {
                if (enrollOrPullCertResponseEntry.getError() != null) {
                    throw new HttpRespAuditException(INTERNAL_SERVER_ERROR, enrollOrPullCertResponseEntry.getError().toString(), AuditLevel.INFO, AuditStatus.FAILED);
                }
            }
        }
        int size = entries == null ? 0 : entries.size();
        if (size != i) {
            throw new HttpRespAuditException(INTERNAL_SERVER_ERROR, "expected " + i + " cert, but received " + size, AuditLevel.INFO, AuditStatus.FAILED);
        }
    }

    private static String checkProfile(Requestor requestor, HttpRequestMetadataRetriever httpRequestMetadataRetriever) throws HttpRespAuditException, OperationException {
        String parameter = httpRequestMetadataRetriever.getParameter(PARAM_profile);
        if (StringUtil.isBlank(parameter)) {
            throw new HttpRespAuditException(BAD_REQUEST, "required parameter profile not specified", AuditLevel.INFO, AuditStatus.FAILED);
        }
        String lowerCase = parameter.toLowerCase();
        if (requestor.isCertprofilePermitted(lowerCase)) {
            return lowerCase;
        }
        throw new OperationException(ErrorCode.NOT_PERMITTED, "certprofile " + lowerCase + " is not allowed");
    }

    private static EnrollOrPullCertResponseEntry getEntry(List<EnrollOrPullCertResponseEntry> list, BigInteger bigInteger) throws HttpRespAuditException {
        for (EnrollOrPullCertResponseEntry enrollOrPullCertResponseEntry : list) {
            if (bigInteger.equals(enrollOrPullCertResponseEntry.getId())) {
                return enrollOrPullCertResponseEntry;
            }
        }
        throw new HttpRespAuditException(INTERNAL_SERVER_ERROR, "found no response entry with certReqId " + bigInteger, AuditLevel.INFO, AuditStatus.FAILED);
    }

    private void unRevoke(String str, String str2, Requestor requestor, HttpRequestMetadataRetriever httpRequestMetadataRetriever, AuditEvent auditEvent) throws OperationException, HttpRespAuditException, IOException, SdkErrorResponseException {
        boolean equals = str.equals(CMD_revoke_cert);
        if (!requestor.isPermitted(equals ? 2 : 4)) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, str + " is not allowed");
        }
        String parameter = httpRequestMetadataRetriever.getParameter(PARAM_ca_sha1);
        if (StringUtil.isBlank(parameter)) {
            throw new HttpRespAuditException(BAD_REQUEST, "required parameter ca-sha1 not specified", AuditLevel.INFO, AuditStatus.FAILED);
        }
        byte[] decode = Hex.decode(parameter);
        String parameter2 = httpRequestMetadataRetriever.getParameter(PARAM_serial_number);
        if (StringUtil.isBlank(parameter2)) {
            throw new HttpRespAuditException(BAD_REQUEST, "required parameter serial-number not specified", AuditLevel.INFO, AuditStatus.FAILED);
        }
        try {
            BigInteger bigInt = StringUtil.toBigInt(parameter2);
            auditEvent.addEventData(CaAuditConstants.NAME_serial, LogUtil.formatCsn(bigInt));
            if (!equals) {
                UnsuspendOrRemoveRequest unsuspendOrRemoveRequest = new UnsuspendOrRemoveRequest();
                unsuspendOrRemoveRequest.setIssuerCertSha1Fp(decode);
                unsuspendOrRemoveRequest.setEntries(Collections.singletonList(bigInt));
                this.sdk.unsuspendCerts(str2, unsuspendOrRemoveRequest);
                return;
            }
            String parameter3 = httpRequestMetadataRetriever.getParameter("reason");
            CrlReason forNameOrText = parameter3 == null ? CrlReason.UNSPECIFIED : CrlReason.forNameOrText(parameter3);
            if (forNameOrText == CrlReason.REMOVE_FROM_CRL) {
                throw new OperationException(ErrorCode.BAD_REQUEST, "reason " + CrlReason.REMOVE_FROM_CRL.getDescription() + " is not allowed!");
            }
            auditEvent.addEventData("reason", forNameOrText);
            Date date = null;
            String parameter4 = httpRequestMetadataRetriever.getParameter(PARAM_invalidity_time);
            if (StringUtil.isNotBlank(parameter4)) {
                date = DateUtil.parseUtcTimeyyyyMMddhhmmss(parameter4);
            }
            RevokeCertRequestEntry revokeCertRequestEntry = new RevokeCertRequestEntry();
            revokeCertRequestEntry.setSerialNumber(bigInt);
            if (date != null) {
                revokeCertRequestEntry.setInvalidityTime(Long.valueOf(date.getTime() / 1000));
            }
            revokeCertRequestEntry.setReason(forNameOrText);
            RevokeCertsRequest revokeCertsRequest = new RevokeCertsRequest();
            revokeCertsRequest.setIssuerCertSha1Fp(decode);
            revokeCertsRequest.setEntries(Collections.singletonList(revokeCertRequestEntry));
            this.sdk.revokeCerts(str2, revokeCertsRequest);
        } catch (NumberFormatException e) {
            throw new OperationException(ErrorCode.BAD_REQUEST, e.getMessage());
        }
    }

    private HttpRespContent getCrl(String str, HttpRequestMetadataRetriever httpRequestMetadataRetriever) throws OperationException, HttpRespAuditException, IOException, SdkErrorResponseException {
        String parameter = httpRequestMetadataRetriever.getParameter(PARAM_crl_number);
        BigInteger bigInteger = null;
        if (StringUtil.isNotBlank(parameter)) {
            try {
                bigInteger = StringUtil.toBigInt(parameter);
            } catch (NumberFormatException e) {
                String str2 = "invalid crlNumber '" + parameter + "'";
                LOG.warn(str2);
                throw new HttpRespAuditException(BAD_REQUEST, str2, AuditLevel.INFO, AuditStatus.FAILED);
            }
        }
        byte[] currentCrl = this.sdk.currentCrl(str, bigInteger, null, null);
        if (currentCrl != null) {
            return HttpRespContent.ofOk(CT_pkix_crl, currentCrl);
        }
        LOG.warn("could not get CRL");
        throw new HttpRespAuditException(INTERNAL_SERVER_ERROR, "could not get CRL", AuditLevel.INFO, AuditStatus.FAILED);
    }
}
