package org.xipki.scep.message;

import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.util.Collection;
import java.util.Date;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1PrintableString;
import org.bouncycastle.asn1.ASN1UTF8String;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSTypedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.CollectionStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.scep.message.EnvelopedDataDecryptor;
import org.xipki.scep.transaction.FailInfo;
import org.xipki.scep.transaction.MessageType;
import org.xipki.scep.transaction.Nonce;
import org.xipki.scep.transaction.PkiStatus;
import org.xipki.scep.transaction.TransactionId;
import org.xipki.scep.util.ScepConstants;
import org.xipki.scep.util.ScepUtil;
import org.xipki.security.HashAlgo;
import org.xipki.security.SignAlgo;
import org.xipki.security.X509Cert;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.StringUtil;

/* loaded from: input_file:org/xipki/scep/message/DecodedPkiMessage.class */
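/**
 * Result of taking apart a received SCEP pkiMessage (a CMS SignedData that normally wraps an
 * EnvelopedData).
 *
 * <p>Instances are produced by {@link #decode}. Decoding is best effort: once the transaction id,
 * message type and sender nonce have been read, later problems do not throw. They are recorded in
 * {@link #getFailureMessage()} and the partially filled object is returned. Callers must therefore
 * inspect the state of the object before using any of it:
 *
 * <ul>
 *   <li>{@link #isSignatureValid()} is {@code null} when decoding stopped before the signature was
 *       checked, {@code FALSE} when the check failed and {@code TRUE} only when it succeeded.
 *       Unboxing the value without a null check throws.</li>
 *   <li>All attribute-derived fields (transaction id, nonces, pkiStatus, failInfo, signing time,
 *       additional attributes) are filled in <em>before</em> the signature is checked, so they are
 *       unauthenticated unless {@code isSignatureValid()} is {@code TRUE}.</li>
 *   <li>Unsigned attributes are never covered by the signature.</li>
 *   <li>The signature is checked against the certificate selected by the signer identifier from
 *       the caller's store or, failing that, from the certificates carried in the message itself.
 *       No certification path validation is visible in this class, so a valid signature says
 *       nothing about whether {@link #getSignatureCert()} is trusted; that decision is the
 *       caller's.</li>
 * </ul>
 */
public class DecodedPkiMessage extends PkiMessage {
    private static final Logger LOG = LoggerFactory.getLogger(DecodedPkiMessage.class);

    // Attribute types decode() interprets itself; every other signed attribute is copied verbatim.
    private static final Set<ASN1ObjectIdentifier> SCEP_ATTR_TYPES = CollectionUtil.asSet(new ASN1ObjectIdentifier[]{ScepConstants.ID_FAILINFO, ScepConstants.ID_MESSAGE_TYPE, ScepConstants.ID_PKI_STATUS, ScepConstants.ID_RECIPIENT_NONCE, ScepConstants.ID_SENDER_NONCE, ScepConstants.ID_TRANSACTION_ID, CMSAttributes.signingTime});

    // Certificate the signature was checked against; set shortly before verification.
    private X509Cert signatureCert;
    // Digest algorithm declared in the SignerInfo.
    private HashAlgo digestAlgorithm;
    // Content-encryption algorithm declared in the EnvelopedData; recorded, not policy-checked here.
    private ASN1ObjectIdentifier contentEncryptionAlgorithm;
    // Tri-state: null = not checked, TRUE/FALSE = outcome of the signature check.
    private Boolean signatureValid;
    // Tri-state: null = decryption not attempted, TRUE/FALSE = outcome.
    private Boolean decryptionSuccessful;
    // Value of the signingTime signed attribute as claimed by the sender, or null if absent.
    private Date signingTime;
    // Human-readable reason why decoding stopped or degraded, or null.
    private String failureMessage;

    /**
     * Creates a message with the three mandatory SCEP attributes; everything else is set later.
     *
     * @param transactionId transaction id of the message
     * @param messageType SCEP message type
     * @param nonce sender nonce
     */
    public DecodedPkiMessage(TransactionId transactionId, MessageType messageType, Nonce nonce) {
        super(transactionId, messageType, nonce);
    }

    /** Returns the certificate the signature was checked against, or {@code null} if not reached. */
    public X509Cert getSignatureCert() {
        return this.signatureCert;
    }

    /** Sets the certificate the signature was checked against. */
    public void setSignatureCert(X509Cert x509Cert) {
        this.signatureCert = x509Cert;
    }

    /** Returns the digest algorithm declared by the signer, or {@code null} if not reached. */
    public HashAlgo getDigestAlgorithm() {
        return this.digestAlgorithm;
    }

    /** Sets the digest algorithm declared by the signer. */
    public void setDigestAlgorithm(HashAlgo hashAlgo) {
        this.digestAlgorithm = hashAlgo;
    }

    /** Sets the outcome of the signature check; {@code null} means "not checked". */
    public void setSignatureValid(Boolean bool) {
        this.signatureValid = bool;
    }

    /** Sets the content-encryption algorithm read from the EnvelopedData. */
    public void setContentEncryptionAlgorithm(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        this.contentEncryptionAlgorithm = aSN1ObjectIdentifier;
    }

    /** Returns the reason decoding stopped or degraded, or {@code null} if none was recorded. */
    public String getFailureMessage() {
        return this.failureMessage;
    }

    /** Sets the reason decoding stopped or degraded. */
    public void setFailureMessage(String str) {
        this.failureMessage = str;
    }

    /** Returns the content-encryption algorithm of the EnvelopedData, or {@code null}. */
    public ASN1ObjectIdentifier getContentEncryptionAlgorithm() {
        return this.contentEncryptionAlgorithm;
    }

    /**
     * Returns the decryption outcome.
     *
     * @return {@code null} if decryption was not attempted, otherwise whether it succeeded
     */
    public Boolean isDecryptionSuccessful() {
        return this.decryptionSuccessful;
    }

    /** Sets the decryption outcome; {@code null} means "not attempted". */
    public void setDecryptionSuccessful(Boolean bool) {
        this.decryptionSuccessful = bool;
    }

    /**
     * Returns the outcome of the signature check.
     *
     * @return {@code null} if the signature was not checked, otherwise whether it verified against
     *     {@link #getSignatureCert()}; says nothing about whether that certificate is trusted
     */
    public Boolean isSignatureValid() {
        return this.signatureValid;
    }

    /** Returns the signing time claimed in the signed attributes, or {@code null} if absent. */
    public Date getSigningTime() {
        return this.signingTime;
    }

    /** Sets the signing time claimed by the sender. */
    public void setSigningTime(Date date) {
        this.signingTime = date;
    }

    /**
     * Decodes a pkiMessage, decrypting with a single recipient key pair.
     *
     * @param cMSSignedData the received SignedData
     * @param privateKey recipient private key used for decryption
     * @param x509Cert recipient certificate belonging to {@code privateKey}
     * @param collectionStore optional certificates to look the signer up in first; may be null
     * @return the decoded message; see the class documentation for how to read its state
     * @throws MessageDecodingException if the mandatory structure of the message is missing
     */
    public static DecodedPkiMessage decode(CMSSignedData cMSSignedData, PrivateKey privateKey, X509Cert x509Cert, CollectionStore<X509CertificateHolder> collectionStore) throws MessageDecodingException {
        return decode(cMSSignedData, new EnvelopedDataDecryptor(new EnvelopedDataDecryptor.EnvelopedDataDecryptorInstance(x509Cert, privateKey)), collectionStore);
    }

    /**
     * Decodes a pkiMessage: reads the SCEP attributes, checks the signature and, where the message
     * type carries content, decrypts and parses it.
     *
     * <p>Order matters to callers: the attributes are read first, the signature is checked
     * afterwards, and content is decrypted only after the signature verified. A returned object
     * with a non-null failure message, or with {@code isSignatureValid()} other than {@code TRUE},
     * carries unauthenticated data.
     *
     * @param cMSSignedData the received SignedData; must not be null
     * @param envelopedDataDecryptor decryptor for the enclosed EnvelopedData; must not be null
     * @param collectionStore optional certificates to look the signer up in first; may be null
     * @return the decoded, possibly only partially filled, message
     * @throws MessageDecodingException if there is not exactly one signer, no single matching
     *     signer certificate, no signed attributes, or transactionId, messageType or senderNonce
     *     are missing or malformed
     */
    public static DecodedPkiMessage decode(CMSSignedData cMSSignedData, EnvelopedDataDecryptor envelopedDataDecryptor, CollectionStore<X509CertificateHolder> collectionStore) throws MessageDecodingException {
        Args.notNull(envelopedDataDecryptor, "recipient");
        Collection signers = ((CMSSignedData) Args.notNull(cMSSignedData, "pkiMessage")).getSignerInfos().getSigners();
        if (signers.size() != 1) {
            throw new MessageDecodingException("number of signerInfos is not 1, but " + signers.size());
        }
        SignerInformation signerInfo = (SignerInformation) signers.iterator().next();

        // Look the signer certificate up in the caller's store first and fall back to the
        // certificates shipped inside the message. Either way the certificate is chosen by the
        // sender-supplied signer identifier; trust in it is not established here.
        Collection signerCerts = collectionStore == null ? null : collectionStore.getMatches(signerInfo.getSID());
        if (CollectionUtil.isEmpty(signerCerts)) {
            signerCerts = cMSSignedData.getCertificates().getMatches(signerInfo.getSID());
        }
        if (signerCerts == null || signerCerts.size() != 1) {
            throw new MessageDecodingException("could not find embedded certificate to verify the signature");
        }

        AttributeTable signedAttributes = signerInfo.getSignedAttributes();
        if (signedAttributes == null) {
            throw new MessageDecodingException("missing SCEP attributes");
        }
        ASN1Encodable signingTimeValue = ScepUtil.getFirstAttrValue(signedAttributes, CMSAttributes.signingTime);
        Date claimedSigningTime = signingTimeValue == null ? null : ScepUtil.getTime(signingTimeValue);

        String tidText = getPrintableStringAttrValue(signedAttributes, ScepConstants.ID_TRANSACTION_ID);
        if (StringUtil.isBlank(tidText)) {
            throw new MessageDecodingException("missing required SCEP attribute transactionId");
        }
        TransactionId transactionId = new TransactionId(tidText);

        Integer messageTypeCode = getIntegerPrintStringAttrValue(signedAttributes, ScepConstants.ID_MESSAGE_TYPE);
        if (messageTypeCode == null) {
            throw new MessageDecodingException("tid " + transactionId.getId() + ": missing required SCEP attribute messageType");
        }
        // NOTE(review): this try spans the rest of the method, so an IllegalArgumentException
        // escaping from any later step is also reported as "invalid messageType". Kept as is so
        // callers keep seeing MessageDecodingException.
        try {
            MessageType messageType = MessageType.forValue(messageTypeCode.intValue());
            Nonce senderNonce = getNonceAttrValue(signedAttributes, ScepConstants.ID_SENDER_NONCE);
            if (senderNonce == null) {
                throw new MessageDecodingException("tid " + transactionId.getId() + ": missing required SCEP attribute senderNonce");
            }
            DecodedPkiMessage decodedPkiMessage = new DecodedPkiMessage(transactionId, messageType, senderNonce);
            if (claimedSigningTime != null) {
                decodedPkiMessage.setSigningTime(claimedSigningTime);
            }

            // A malformed recipientNonce is recorded but does not stop decoding; the failure
            // message may be overwritten by a later failure.
            Nonce recipientNonce = null;
            try {
                recipientNonce = getNonceAttrValue(signedAttributes, ScepConstants.ID_RECIPIENT_NONCE);
            } catch (MessageDecodingException nonceEx) {
                decodedPkiMessage.setFailureMessage("could not parse recipientNonce: " + nonceEx.getMessage());
            }
            if (recipientNonce != null) {
                decodedPkiMessage.setRecipientNonce(recipientNonce);
            }

            // CertRep additionally carries pkiStatus and, on FAILURE, failInfo / failInfoText.
            PkiStatus pkiStatus = null;
            if (MessageType.CertRep == messageType) {
                try {
                    Integer statusCode = getIntegerPrintStringAttrValue(signedAttributes, ScepConstants.ID_PKI_STATUS);
                    if (statusCode == null) {
                        decodedPkiMessage.setFailureMessage("missing required SCEP attribute pkiStatus");
                        return decodedPkiMessage;
                    }
                    try {
                        pkiStatus = PkiStatus.forValue(statusCode.intValue());
                        decodedPkiMessage.setPkiStatus(pkiStatus);
                        if (pkiStatus == PkiStatus.FAILURE) {
                            try {
                                Integer failInfoCode = getIntegerPrintStringAttrValue(signedAttributes, ScepConstants.ID_FAILINFO);
                                if (failInfoCode == null) {
                                    decodedPkiMessage.setFailureMessage("missing required SCEP attribute failInfo");
                                    return decodedPkiMessage;
                                }
                                try {
                                    decodedPkiMessage.setFailInfo(FailInfo.forValue(failInfoCode.intValue()));
                                    ASN1Encodable failInfoText = ScepUtil.getFirstAttrValue(signedAttributes, ScepConstants.ID_SCEP_FAILINFOTEXT);
                                    if (failInfoText != null) {
                                        if (!(failInfoText instanceof ASN1UTF8String)) {
                                            throw new MessageDecodingException("the value of attribute failInfoText is not UTF8String");
                                        }
                                        decodedPkiMessage.setFailInfoText(((ASN1UTF8String) failInfoText).getString());
                                    }
                                } catch (IllegalArgumentException failInfoEx) {
                                    decodedPkiMessage.setFailureMessage("invalid failInfo '" + failInfoCode + "'");
                                    return decodedPkiMessage;
                                }
                            } catch (MessageDecodingException failInfoParseEx) {
                                decodedPkiMessage.setFailureMessage("could not parse failInfo: " + failInfoParseEx.getMessage());
                                return decodedPkiMessage;
                            }
                        }
                    } catch (IllegalArgumentException statusEx) {
                        decodedPkiMessage.setFailureMessage("invalid pkiStatus '" + statusCode + "'");
                        return decodedPkiMessage;
                    }
                } catch (MessageDecodingException statusParseEx) {
                    decodedPkiMessage.setFailureMessage("could not parse pkiStatus: " + statusParseEx.getMessage());
                    return decodedPkiMessage;
                }
            }

            // Copy the signed attributes this method does not interpret itself. An attribute with
            // an empty value set is rejected instead of letting getObjectAt(0) throw an unchecked
            // exception on sender-controlled input.
            for (Attribute signedAttr : signedAttributes.toASN1Structure().getAttributes()) {
                ASN1ObjectIdentifier attrType = signedAttr.getAttrType();
                if (SCEP_ATTR_TYPES.contains(attrType)) {
                    continue;
                }
                if (signedAttr.getAttrValues().size() == 0) {
                    decodedPkiMessage.setFailureMessage("signed attribute " + attrType.getId() + " has no value");
                    return decodedPkiMessage;
                }
                decodedPkiMessage.addSignendAttribute(attrType, signedAttr.getAttrValues().getObjectAt(0));
            }

            // Unsigned attributes are outside the signature; they are copied for completeness and
            // must never be treated as authenticated.
            AttributeTable unsignedAttributes = signerInfo.getUnsignedAttributes();
            Attribute[] unsignedAttrs = unsignedAttributes == null ? null : unsignedAttributes.toASN1Structure().getAttributes();
            if (unsignedAttrs != null) {
                for (Attribute unsignedAttr : unsignedAttrs) {
                    if (unsignedAttr.getAttrValues().size() == 0) {
                        decodedPkiMessage.setFailureMessage("unsigned attribute " + unsignedAttr.getAttrType().getId() + " has no value");
                        return decodedPkiMessage;
                    }
                    decodedPkiMessage.addUnsignendAttribute(unsignedAttr.getAttrType(), unsignedAttr.getAttrValues().getObjectAt(0));
                }
            }

            try {
                HashAlgo hashAlgo = HashAlgo.getInstance(signerInfo.getDigestAlgorithmID());
                decodedPkiMessage.setDigestAlgorithm(hashAlgo);
                // Unless the signature algorithm is the bare rsaEncryption OID, the hash implied by
                // the signature algorithm must be the declared digest algorithm.
                // NOTE(review): no minimum-strength policy for the digest is applied here; confirm
                // the caller enforces one.
                if (!PKCSObjectIdentifiers.rsaEncryption.getId().equals(signerInfo.getEncryptionAlgOID()) && hashAlgo != SignAlgo.getInstance(signerInfo.toASN1Structure().getDigestEncryptionAlgorithm()).getHashAlgo()) {
                    decodedPkiMessage.setFailureMessage("digestAlgorithm and encryptionAlgorithm do not use the same digestAlgorithm");
                    return decodedPkiMessage;
                }
                X509CertificateHolder signerCertHolder = (X509CertificateHolder) signerCerts.iterator().next();
                decodedPkiMessage.setSignatureCert(new X509Cert(signerCertHolder));
                try {
                    try {
                        boolean verified = signerInfo.verify(new JcaSimpleSignerInfoVerifierBuilder().build(signerCertHolder));
                        decodedPkiMessage.setSignatureValid(Boolean.valueOf(verified));
                        if (!verified) {
                            // No failure message is set on this path; isSignatureValid() is the signal.
                            return decodedPkiMessage;
                        }
                        // A failed or pending CertRep is returned without touching any content.
                        if (MessageType.CertRep == messageType) {
                            if (pkiStatus == PkiStatus.FAILURE || pkiStatus == PkiStatus.PENDING) {
                                return decodedPkiMessage;
                            }
                        }
                        CMSTypedData signedContent = cMSSignedData.getSignedContent();
                        if (signedContent == null) {
                            // SignedData without encapsulated content: report it instead of
                            // failing with a NullPointerException below.
                            decodedPkiMessage.setFailureMessage("missing signed content");
                            return decodedPkiMessage;
                        }
                        ASN1ObjectIdentifier contentType = signedContent.getContentType();
                        if (!CMSObjectIdentifiers.envelopedData.equals(contentType) && !CMSObjectIdentifiers.data.equals(contentType)) {
                            decodedPkiMessage.setFailureMessage("either id-envelopedData or id-data is expected, but not '" + contentType.getId() + "'");
                            return decodedPkiMessage;
                        }
                        try {
                            CMSEnvelopedData envelopedData = new CMSEnvelopedData((byte[]) signedContent.getContent());
                            decodedPkiMessage.setContentEncryptionAlgorithm(envelopedData.getContentEncryptionAlgorithm().getAlgorithm());
                            try {
                                byte[] plaintext = envelopedDataDecryptor.decrypt(envelopedData);
                                decodedPkiMessage.setDecryptionSuccessful(true);
                                try {
                                    if (MessageType.PKCSReq == messageType || MessageType.RenewalReq == messageType) {
                                        decodedPkiMessage.setMessageData(CertificationRequest.getInstance(plaintext));
                                    } else if (MessageType.CertPoll == messageType) {
                                        decodedPkiMessage.setMessageData(IssuerAndSubject.getInstance(plaintext));
                                    } else if (MessageType.GetCert == messageType || MessageType.GetCRL == messageType) {
                                        decodedPkiMessage.setMessageData(IssuerAndSerialNumber.getInstance(plaintext));
                                    } else {
                                        if (MessageType.CertRep != messageType) {
                                            throw new RuntimeException("should not reach here, unknown messageType " + messageType);
                                        }
                                        decodedPkiMessage.setMessageData(ContentInfo.getInstance(plaintext));
                                    }
                                    return decodedPkiMessage;
                                } catch (Exception parseEx) {
                                    LogUtil.error(LOG, parseEx);
                                    decodedPkiMessage.setFailureMessage("could not parse the messageData: " + parseEx.getMessage());
                                    return decodedPkiMessage;
                                }
                            } catch (MessageDecodingException decryptEx) {
                                LogUtil.error(LOG, decryptEx);
                                // NOTE(review): the decryptor's own message is appended; confirm
                                // failureMessage is not relayed to the remote peer, where detailed
                                // decryption errors could help tell failure causes apart.
                                decodedPkiMessage.setFailureMessage("could not decrypt the envelopedData: " + decryptEx.getMessage());
                                decodedPkiMessage.setDecryptionSuccessful(false);
                                return decodedPkiMessage;
                            }
                        } catch (CMSException envelopeEx) {
                            LogUtil.error(LOG, envelopeEx);
                            decodedPkiMessage.setFailureMessage("could not create the CMSEnvelopedData: " + envelopeEx.getMessage());
                            return decodedPkiMessage;
                        }
                    } catch (CMSException verifyEx) {
                        // signatureValid stays null here: the check could not be carried out.
                        LogUtil.error(LOG, verifyEx);
                        decodedPkiMessage.setFailureMessage("could not verify the signature: " + verifyEx.getMessage());
                        return decodedPkiMessage;
                    }
                } catch (OperatorCreationException | CertificateException verifierEx) {
                    LogUtil.error(LOG, verifierEx);
                    decodedPkiMessage.setFailureMessage("could not build signature verifier: " + verifierEx.getMessage());
                    return decodedPkiMessage;
                }
            } catch (NoSuchAlgorithmException algoEx) {
                LogUtil.error(LOG, algoEx);
                decodedPkiMessage.setFailureMessage(algoEx.getMessage());
                return decodedPkiMessage;
            }
        } catch (IllegalArgumentException messageTypeEx) {
            throw new MessageDecodingException("tid " + transactionId.getId() + ": invalid messageType '" + messageTypeCode + "'");
        }
    }

    /**
     * Reads the first value of an attribute as a PrintableString.
     *
     * @param attributeTable attributes to search
     * @param aSN1ObjectIdentifier attribute type
     * @return the string value, or {@code null} if the attribute has no first value
     * @throws MessageDecodingException if the value is present but not a PrintableString
     */
    private static String getPrintableStringAttrValue(AttributeTable attributeTable, ASN1ObjectIdentifier aSN1ObjectIdentifier) throws MessageDecodingException {
        ASN1Encodable value = ScepUtil.getFirstAttrValue(attributeTable, aSN1ObjectIdentifier);
        if (value == null) {
            return null;
        }
        if (!(value instanceof ASN1PrintableString)) {
            throw new MessageDecodingException("the value of attribute " + aSN1ObjectIdentifier.getId() + " is not PrintableString");
        }
        return ((ASN1PrintableString) value).getString();
    }

    /**
     * Reads the first value of an attribute as a decimal integer encoded in a PrintableString.
     *
     * @param attributeTable attributes to search
     * @param aSN1ObjectIdentifier attribute type
     * @return the parsed value, or {@code null} if the attribute has no first value
     * @throws MessageDecodingException if the value is not a PrintableString or not an integer
     */
    private static Integer getIntegerPrintStringAttrValue(AttributeTable attributeTable, ASN1ObjectIdentifier aSN1ObjectIdentifier) throws MessageDecodingException {
        String text = getPrintableStringAttrValue(attributeTable, aSN1ObjectIdentifier);
        if (text == null) {
            return null;
        }
        try {
            return Integer.valueOf(Integer.parseInt(text));
        } catch (NumberFormatException ex) {
            throw new MessageDecodingException("invalid integer '" + text + "'");
        }
    }

    /**
     * Reads the first value of an attribute as a nonce carried in an OCTET STRING.
     *
     * @param attributeTable attributes to search
     * @param aSN1ObjectIdentifier attribute type
     * @return the nonce, or {@code null} if the attribute has no first value
     * @throws MessageDecodingException if the value is present but not an OCTET STRING
     */
    private static Nonce getNonceAttrValue(AttributeTable attributeTable, ASN1ObjectIdentifier aSN1ObjectIdentifier) throws MessageDecodingException {
        ASN1Encodable value = ScepUtil.getFirstAttrValue(attributeTable, aSN1ObjectIdentifier);
        if (value == null) {
            return null;
        }
        if (!(value instanceof ASN1OctetString)) {
            throw new MessageDecodingException("the value of attribute " + aSN1ObjectIdentifier.getId() + " is not OctetString");
        }
        return new Nonce(((ASN1OctetString) value).getOctets());
    }
}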
