package org.xipki.scep.client;

import java.io.IOException;
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedList;
import java.util.List;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.cms.SignedData;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSAlgorithm;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.util.CollectionStore;
import org.xipki.scep.client.ScepClientException;
import org.xipki.scep.message.AuthorityCertStore;
import org.xipki.scep.message.CaCaps;
import org.xipki.scep.message.DecodedNextCaMessage;
import org.xipki.scep.message.DecodedPkiMessage;
import org.xipki.scep.message.IssuerAndSubject;
import org.xipki.scep.message.MessageDecodingException;
import org.xipki.scep.message.MessageEncodingException;
import org.xipki.scep.message.PkiMessage;
import org.xipki.scep.transaction.MessageType;
import org.xipki.scep.transaction.Operation;
import org.xipki.scep.transaction.PkiStatus;
import org.xipki.scep.transaction.TransactionId;
import org.xipki.scep.util.ScepConstants;
import org.xipki.scep.util.ScepUtil;
import org.xipki.security.HashAlgo;
import org.xipki.security.SignAlgo;
import org.xipki.security.SignatureAlgoControl;
import org.xipki.security.X509Cert;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.Base64;
import org.xipki.util.StringUtil;

/* loaded from: input_file:org/xipki/scep/client/Client.class */
public abstract class Client {
    public static final String REQ_CONTENT_TYPE = "application/octet-stream";
    public static final long DEFAULT_SIGNINGTIME_BIAS = 300000;
    protected final CaIdentifier caId;
    protected CaCaps caCaps;
    private final CaCertValidator caCertValidator;
    private long maxSigningTimeBiasInMs = DEFAULT_SIGNINGTIME_BIAS;
    private AuthorityCertStore authorityCertStore;
    private CollectionStore<X509CertificateHolder> responseSignerCerts;
    private boolean httpGetOnly;

    public Client(CaIdentifier caIdentifier, CaCertValidator caCertValidator) {
        this.caId = (CaIdentifier) Args.notNull(caIdentifier, "caId");
        this.caCertValidator = (CaCertValidator) Args.notNull(caCertValidator, "caCertValidator");
    }

    protected abstract ScepHttpResponse httpPost(String str, String str2, byte[] bArr) throws ScepClientException;

    protected abstract ScepHttpResponse httpGet(String str) throws ScepClientException;

    public boolean isHttpGetOnly() {
        return this.httpGetOnly;
    }

    public void setHttpGetOnly(boolean z) {
        this.httpGetOnly = z;
    }

    public long getMaxSigningTimeBiasInMs() {
        return this.maxSigningTimeBiasInMs;
    }

    public void setMaxSigningTimeBiasInMs(long j) {
        this.maxSigningTimeBiasInMs = j;
    }

    private ScepHttpResponse httpSend(Operation operation, ContentInfo contentInfo) throws ScepClientException {
        byte[] bArr = null;
        if (contentInfo != null) {
            try {
                bArr = contentInfo.getEncoded();
            } catch (IOException e) {
                throw new ScepClientException(e);
            }
        }
        if (Operation.GetCACaps == operation || Operation.GetCACert == operation || Operation.GetNextCACert == operation) {
            return httpGet(this.caId.buildGetUrl(operation, this.caId.getProfile()));
        }
        if (this.httpGetOnly || !this.caCaps.supportsPost()) {
            return httpGet(this.caId.buildGetUrl(operation, bArr == null ? null : Base64.encodeToString(bArr)));
        }
        return httpPost(this.caId.buildPostUrl(operation), REQ_CONTENT_TYPE, bArr);
    }

    private ScepHttpResponse httpSend(Operation operation) throws ScepClientException {
        return httpSend(operation, null);
    }

    public void init() throws ScepClientException {
        refresh();
    }

    public void refresh() throws ScepClientException {
        this.caCaps = CaCaps.getInstance(StringUtil.toUtf8String(httpSend(Operation.GetCACaps).getContentBytes()));
        this.authorityCertStore = retrieveCaCertStore(httpSend(Operation.GetCACert), this.caCertValidator);
        try {
            this.responseSignerCerts = new CollectionStore<>(Collections.singletonList(new X509CertificateHolder(this.authorityCertStore.getSignatureCert().getEncoded())));
        } catch (IOException e) {
            throw new ScepClientException(e);
        }
    }

    public CaCaps getCaCaps() throws ScepClientException {
        initIfNotInited();
        return this.caCaps;
    }

    public X509Cert getCaCert() {
        if (this.authorityCertStore == null) {
            return null;
        }
        return this.authorityCertStore.getCaCert();
    }

    public CaIdentifier getCaId() throws ScepClientException {
        initIfNotInited();
        return this.caId;
    }

    public CaCertValidator getCaCertValidator() throws ScepClientException {
        initIfNotInited();
        return this.caCertValidator;
    }

    public AuthorityCertStore getAuthorityCertStore() throws ScepClientException {
        initIfNotInited();
        return this.authorityCertStore;
    }

    public X509CRLHolder scepGetCrl(PrivateKey privateKey, X509Cert x509Cert, X500Name x500Name, BigInteger bigInteger) throws ScepClientException {
        Args.notNull(privateKey, "identityKey");
        Args.notNull(x509Cert, "identityCert");
        Args.notNull(x500Name, "issuer");
        Args.notNull(bigInteger, "serialNumber");
        initIfNotInited();
        PkiMessage pkiMessage = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCRL);
        pkiMessage.setMessageData(new IssuerAndSerialNumber(x500Name, bigInteger));
        DecodedPkiMessage decode = decode(parsePkiMessage(httpSend(Operation.PKIOperation, encryptThenSign(pkiMessage, privateKey, x509Cert)).getContentBytes()), privateKey, x509Cert);
        if (decode.getPkiStatus() != PkiStatus.SUCCESS) {
            throw new ScepClientException("server returned " + decode.getPkiStatus());
        }
        try {
            return ScepUtil.getCrlFromPkiMessage(SignedData.getInstance(ContentInfo.getInstance(decode.getMessageData()).getContent()));
        } catch (CRLException e) {
            throw new ScepClientException(e.getMessage(), e);
        }
    }

    public List<X509Cert> scepGetCert(PrivateKey privateKey, X509Cert x509Cert, X500Name x500Name, BigInteger bigInteger) throws ScepClientException {
        Args.notNull(privateKey, "identityKey");
        Args.notNull(x509Cert, "identityCert");
        Args.notNull(x500Name, "issuer");
        Args.notNull(bigInteger, "serialNumber");
        initIfNotInited();
        PkiMessage pkiMessage = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCert);
        pkiMessage.setMessageData(new IssuerAndSerialNumber(x500Name, bigInteger));
        DecodedPkiMessage decode = decode(parsePkiMessage(httpSend(Operation.PKIOperation, encryptThenSign(pkiMessage, privateKey, x509Cert)).getContentBytes()), privateKey, x509Cert);
        if (decode.getPkiStatus() != PkiStatus.SUCCESS) {
            throw new ScepClientException("server returned " + decode.getPkiStatus());
        }
        try {
            return ScepUtil.getCertsFromSignedData(SignedData.getInstance(ContentInfo.getInstance(decode.getMessageData()).getContent()));
        } catch (CertificateException e) {
            throw new ScepClientException(e.getMessage(), e);
        }
    }

    public EnrolmentResponse scepCertPoll(PrivateKey privateKey, X509Cert x509Cert, CertificationRequest certificationRequest, X500Name x500Name) throws ScepClientException {
        Args.notNull(certificationRequest, "csr");
        try {
            return scepCertPoll(privateKey, x509Cert, TransactionId.sha1TransactionId(certificationRequest.getCertificationRequestInfo().getSubjectPublicKeyInfo()), x500Name, certificationRequest.getCertificationRequestInfo().getSubject());
        } catch (InvalidKeySpecException e) {
            throw new ScepClientException(e.getMessage(), e);
        }
    }

    public EnrolmentResponse scepCertPoll(PrivateKey privateKey, X509Cert x509Cert, TransactionId transactionId, X500Name x500Name, X500Name x500Name2) throws ScepClientException {
        Args.notNull(privateKey, "identityKey");
        Args.notNull(x509Cert, "identityCert");
        Args.notNull(x500Name, "issuer");
        Args.notNull(transactionId, "transactionId");
        initIfNotInited();
        PkiMessage pkiMessage = new PkiMessage(transactionId, MessageType.CertPoll);
        pkiMessage.setMessageData(new IssuerAndSubject(x500Name, x500Name2));
        DecodedPkiMessage decode = decode(parsePkiMessage(httpSend(Operation.PKIOperation, encryptThenSign(pkiMessage, privateKey, x509Cert)).getContentBytes()), privateKey, x509Cert);
        assertSameNonce(pkiMessage, decode);
        return new EnrolmentResponse(decode);
    }

    public EnrolmentResponse scepEnrol(CertificationRequest certificationRequest, PrivateKey privateKey, X509Cert x509Cert) throws ScepClientException {
        Args.notNull(certificationRequest, "csr");
        Args.notNull(privateKey, "identityKey");
        Args.notNull(x509Cert, "identityCert");
        initIfNotInited();
        return (x509Cert.isSelfSigned() || !this.caCaps.supportsRenewal()) ? scepPkcsReq(certificationRequest, privateKey, x509Cert) : scepRenewalReq(certificationRequest, privateKey, x509Cert);
    }

    public EnrolmentResponse scepPkcsReq(CertificationRequest certificationRequest, PrivateKey privateKey, X509Cert x509Cert) throws ScepClientException {
        Args.notNull(certificationRequest, "csr");
        Args.notNull(privateKey, "identityKey");
        Args.notNull(x509Cert, "identityCert");
        initIfNotInited();
        if (x509Cert.isSelfSigned()) {
            return enroll(MessageType.PKCSReq, certificationRequest, privateKey, x509Cert);
        }
        throw new IllegalArgumentException("identityCert is not self-signed");
    }

    public EnrolmentResponse scepRenewalReq(CertificationRequest certificationRequest, PrivateKey privateKey, X509Cert x509Cert) throws ScepClientException {
        initIfNotInited();
        if (!this.caCaps.supportsRenewal()) {
            throw new ScepClientException.OperationNotSupportedException("unsupported messageType '" + MessageType.RenewalReq + "'");
        }
        if (x509Cert.isSelfSigned()) {
            throw new IllegalArgumentException("identityCert must not be self-signed");
        }
        return enroll(MessageType.RenewalReq, certificationRequest, privateKey, x509Cert);
    }

    private EnrolmentResponse enroll(MessageType messageType, CertificationRequest certificationRequest, PrivateKey privateKey, X509Cert x509Cert) throws ScepClientException {
        try {
            PkiMessage pkiMessage = new PkiMessage(TransactionId.sha1TransactionId(certificationRequest.getCertificationRequestInfo().getSubjectPublicKeyInfo()), messageType);
            pkiMessage.setMessageData(certificationRequest);
            DecodedPkiMessage decode = decode(parsePkiMessage(httpSend(Operation.PKIOperation, encryptThenSign(pkiMessage, privateKey, x509Cert)).getContentBytes()), privateKey, x509Cert);
            assertSameNonce(pkiMessage, decode);
            return new EnrolmentResponse(decode);
        } catch (InvalidKeySpecException e) {
            throw new ScepClientException(e.getMessage(), e);
        }
    }

    public AuthorityCertStore scepNextCaCert() throws ScepClientException {
        initIfNotInited();
        if (this.caCaps.supportsGetNextCACert()) {
            return retrieveNextCaAuthorityCertStore(httpSend(Operation.GetNextCACert));
        }
        throw new ScepClientException.OperationNotSupportedException("unsupported operation '" + Operation.GetNextCACert.getCode() + "'");
    }

    private ContentInfo encryptThenSign(PkiMessage pkiMessage, PrivateKey privateKey, X509Cert x509Cert) throws ScepClientException {
        ASN1ObjectIdentifier aSN1ObjectIdentifier;
        HashAlgo mostSecureHashAlgo = this.caCaps.mostSecureHashAlgo();
        if (this.caCaps.supportsAES()) {
            aSN1ObjectIdentifier = CMSAlgorithm.AES128_CBC;
        } else {
            if (!this.caCaps.supportsDES3()) {
                throw new ScepClientException("DES will not be supported by this client");
            }
            aSN1ObjectIdentifier = CMSAlgorithm.DES_EDE3_CBC;
        }
        try {
            return pkiMessage.encode(privateKey, SignAlgo.getInstance(privateKey, mostSecureHashAlgo, (SignatureAlgoControl) null), x509Cert, new X509Cert[]{x509Cert}, this.authorityCertStore.getEncryptionCert(), aSN1ObjectIdentifier);
        } catch (NoSuchAlgorithmException | MessageEncodingException e) {
            throw new ScepClientException(e);
        }
    }

    public void destroy() {
    }

    private AuthorityCertStore retrieveNextCaAuthorityCertStore(ScepHttpResponse scepHttpResponse) throws ScepClientException {
        String contentType = scepHttpResponse.getContentType();
        if (!ScepConstants.CT_X509_NEXT_CA_CERT.equalsIgnoreCase(contentType)) {
            throw new ScepClientException("invalid Content-Type '" + contentType + "'");
        }
        try {
            try {
                DecodedNextCaMessage decode = DecodedNextCaMessage.decode(new CMSSignedData(scepHttpResponse.getContentBytes()), this.responseSignerCerts);
                if (decode.getFailureMessage() != null) {
                    throw new ScepClientException("Error: " + decode.getFailureMessage());
                }
                Boolean isSignatureValid = decode.isSignatureValid();
                if (isSignatureValid != null && !isSignatureValid.booleanValue()) {
                    throw new ScepClientException("Signature is invalid");
                }
                Date signingTime = decode.getSigningTime();
                long maxSigningTimeBiasInMs = getMaxSigningTimeBiasInMs();
                if (maxSigningTimeBiasInMs > 0) {
                    if (signingTime == null) {
                        throw new ScepClientException("CMS signingTime attribute is not present");
                    }
                    if (Math.abs(System.currentTimeMillis() - signingTime.getTime()) > maxSigningTimeBiasInMs) {
                        throw new ScepClientException("CMS signingTime is out of permitted period");
                    }
                }
                if (decode.getSignatureCert().equals(this.authorityCertStore.getSignatureCert())) {
                    return decode.getAuthorityCertStore();
                }
                throw new ScepClientException("the signature certificate must not be trusted");
            } catch (MessageDecodingException e) {
                throw new ScepClientException("could not decode response: " + e.getMessage(), e);
            }
        } catch (CMSException | IllegalArgumentException e2) {
            throw new ScepClientException("invalid SignedData message: " + e2.getMessage(), e2);
        }
    }

    private void initIfNotInited() throws ScepClientException {
        if (this.caCaps == null) {
            init();
        }
    }

    private DecodedPkiMessage decode(CMSSignedData cMSSignedData, PrivateKey privateKey, X509Cert x509Cert) throws ScepClientException {
        try {
            DecodedPkiMessage decode = DecodedPkiMessage.decode(cMSSignedData, privateKey, x509Cert, this.responseSignerCerts);
            if (decode.getFailureMessage() != null) {
                throw new ScepClientException("Error: " + decode.getFailureMessage());
            }
            Boolean isSignatureValid = decode.isSignatureValid();
            if (isSignatureValid != null && !isSignatureValid.booleanValue()) {
                throw new ScepClientException("Signature is invalid");
            }
            Boolean isDecryptionSuccessful = decode.isDecryptionSuccessful();
            if (isDecryptionSuccessful != null && !isDecryptionSuccessful.booleanValue()) {
                throw new ScepClientException("Decryption failed");
            }
            Date signingTime = decode.getSigningTime();
            long maxSigningTimeBiasInMs = getMaxSigningTimeBiasInMs();
            if (maxSigningTimeBiasInMs > 0) {
                if (signingTime == null) {
                    throw new ScepClientException("CMS signingTime attribute is not present");
                }
                if (Math.abs(System.currentTimeMillis() - signingTime.getTime()) > maxSigningTimeBiasInMs) {
                    throw new ScepClientException("CMS signingTime is out of permitted period");
                }
            }
            if (decode.getSignatureCert().equals(this.authorityCertStore.getSignatureCert())) {
                return decode;
            }
            throw new ScepClientException("the signature certificate must not be trusted");
        } catch (MessageDecodingException e) {
            throw new ScepClientException(e);
        }
    }

    private static CMSSignedData parsePkiMessage(byte[] bArr) throws ScepClientException {
        try {
            return new CMSSignedData(bArr);
        } catch (CMSException e) {
            throw new ScepClientException((Throwable) e);
        }
    }

    private static AuthorityCertStore retrieveCaCertStore(ScepHttpResponse scepHttpResponse, CaCertValidator caCertValidator) throws ScepClientException {
        String contentType = scepHttpResponse.getContentType();
        X509Cert x509Cert = null;
        LinkedList linkedList = new LinkedList();
        if (ScepConstants.CT_X509_CA_CERT.equalsIgnoreCase(contentType)) {
            try {
                x509Cert = X509Util.parseCert(scepHttpResponse.getContentBytes());
            } catch (CertificateEncodingException e) {
                throw new ScepClientException("error parsing certificate: " + e.getMessage(), e);
            }
        } else {
            if (!ScepConstants.CT_X509_CA_RA_CERT.equalsIgnoreCase(contentType)) {
                throw new ScepClientException("invalid Content-Type '" + contentType + "'");
            }
            try {
                try {
                    List<X509Cert> certsFromSignedData = ScepUtil.getCertsFromSignedData(SignedData.getInstance(ContentInfo.getInstance(scepHttpResponse.getContentBytes()).getContent()));
                    int size = certsFromSignedData.size();
                    if (size < 2) {
                        throw new ScepClientException("at least 2 certificates are expected, but only " + size + " is available");
                    }
                    for (X509Cert x509Cert2 : certsFromSignedData) {
                        if (x509Cert2.getBasicConstraints() <= -1) {
                            linkedList.add(x509Cert2);
                        } else {
                            if (x509Cert != null) {
                                throw new ScepClientException("multiple CA certificates is returned, but exactly 1 is expected");
                            }
                            x509Cert = x509Cert2;
                        }
                    }
                    if (x509Cert == null) {
                        throw new ScepClientException("no CA certificate is returned");
                    }
                } catch (CertificateException e2) {
                    throw new ScepClientException(e2.getMessage(), e2);
                }
            } catch (IllegalArgumentException e3) {
                throw new ScepClientException("invalid SignedData message: " + e3.getMessage(), e3);
            }
        }
        if (!caCertValidator.isTrusted(x509Cert)) {
            throw new ScepClientException("CA certificate '" + x509Cert.getSubjectText() + "' is not trusted");
        }
        if (linkedList.isEmpty()) {
            return AuthorityCertStore.getInstance(x509Cert, new X509Cert[0]);
        }
        AuthorityCertStore authorityCertStore = AuthorityCertStore.getInstance(x509Cert, (X509Cert[]) linkedList.toArray(new X509Cert[0]));
        X509Cert encryptionCert = authorityCertStore.getEncryptionCert();
        X509Cert signatureCert = authorityCertStore.getSignatureCert();
        try {
            if (!X509Util.issues(x509Cert, encryptionCert)) {
                throw new ScepClientException("RA certificate '" + encryptionCert.getSubjectText() + " is not issued by the CA");
            }
            if (signatureCert == encryptionCert || !X509Util.issues(x509Cert, signatureCert)) {
                return authorityCertStore;
            }
            throw new ScepClientException("RA certificate '" + signatureCert.getSubjectText() + " is not issued by the CA");
        } catch (CertificateException e4) {
            throw new ScepClientException("invalid certificate: " + e4.getMessage(), e4);
        }
    }

    private static void assertSameNonce(PkiMessage pkiMessage, PkiMessage pkiMessage2) throws ScepClientException {
        if (pkiMessage.getSenderNonce().equals(pkiMessage2.getRecipientNonce())) {
            throw new ScepClientException("SenderNonce in request != RecipientNonce in response");
        }
    }
}
