package org.xipki.ca.gateway.scep;

import com.fasterxml.jackson.databind.deser.std.StdKeyDeserializer;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.cms.SignedData;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSAbsentContent;
import org.bouncycastle.cms.CMSAlgorithm;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.audit.AuditLevel;
import org.xipki.audit.AuditService;
import org.xipki.audit.AuditStatus;
import org.xipki.audit.Audits;
import org.xipki.ca.gateway.GatewayUtil;
import org.xipki.ca.gateway.PopControl;
import org.xipki.ca.gateway.Requestor;
import org.xipki.ca.gateway.RequestorAuthenticator;
import org.xipki.ca.gateway.conf.CaProfileConf;
import org.xipki.ca.gateway.conf.CaProfilesControl;
import org.xipki.ca.sdk.CaAuditConstants;
import org.xipki.ca.sdk.CertsMode;
import org.xipki.ca.sdk.EnrollCertRequestEntry;
import org.xipki.ca.sdk.EnrollCertsRequest;
import org.xipki.ca.sdk.EnrollOrPollCertsResponse;
import org.xipki.ca.sdk.EnrollOrPullCertResponseEntry;
import org.xipki.ca.sdk.ErrorResponse;
import org.xipki.ca.sdk.PollCertRequest;
import org.xipki.ca.sdk.PollCertRequestEntry;
import org.xipki.ca.sdk.SdkClient;
import org.xipki.ca.sdk.SdkErrorResponseException;
import org.xipki.ca.sdk.X500NameType;
import org.xipki.scep.message.CaCaps;
import org.xipki.scep.message.DecodedPkiMessage;
import org.xipki.scep.message.IssuerAndSubject;
import org.xipki.scep.message.MessageDecodingException;
import org.xipki.scep.message.MessageEncodingException;
import org.xipki.scep.message.PkiMessage;
import org.xipki.scep.transaction.CaCapability;
import org.xipki.scep.transaction.FailInfo;
import org.xipki.scep.transaction.MessageType;
import org.xipki.scep.transaction.Nonce;
import org.xipki.scep.transaction.Operation;
import org.xipki.scep.transaction.PkiStatus;
import org.xipki.scep.util.ScepConstants;
import org.xipki.security.HashAlgo;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignAlgo;
import org.xipki.security.X509Cert;
import org.xipki.security.pkcs11.P11CryptServiceFactory;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.LogUtil;
import org.xipki.util.PermissionConstants;
import org.xipki.util.StringUtil;
import org.xipki.util.exception.ErrorCode;
import org.xipki.util.exception.OperationException;
import org.xipki.util.http.HttpResponse;
import org.xipki.util.http.HttpStatusCode;
import org.xipki.util.http.XiHttpRequest;

/* loaded from: input_file:WEB-INF/lib/scep-gateway-6.4.0.jar:org/xipki/ca/gateway/scep/ScepResponder.class */
public class ScepResponder {
    private static final String NAME_decryption = "decryption";
    private static final String NAME_fail_info = "fail_info";
    private static final String NAME_failure_message = "failure_message";
    private static final String NAME_message_type = "message_type";
    private static final String NAME_pki_status = "pki_status";
    private static final String NAME_signature = "signature";
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) ScepResponder.class);
    private static final String CGI_PROGRAM = "/pkiclient.exe";
    private static final int CGI_PROGRAM_LEN = CGI_PROGRAM.length();
    private static final String CT_RESPONSE = "application/x-pki-message";
    private final ScepControl control;
    private final SdkClient sdk;
    private final PopControl popControl;
    private final CaProfilesControl caProfilesControl;
    private final CaCaps caCaps;
    private final SecurityFactory securityFactory;
    private final RequestorAuthenticator authenticator;
    private final CaNameScepSigners signers;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.xipki.ca.gateway.scep.ScepResponder$1, reason: invalid class name */
    /* loaded from: input_file:WEB-INF/lib/scep-gateway-6.4.0.jar:org/xipki/ca/gateway/scep/ScepResponder$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xipki$util$exception$ErrorCode;

        static {
            try {
                $SwitchMap$org$xipki$scep$transaction$MessageType[MessageType.PKCSReq.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$xipki$scep$transaction$MessageType[MessageType.RenewalReq.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$xipki$scep$transaction$MessageType[MessageType.CertPoll.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$xipki$scep$transaction$MessageType[MessageType.GetCert.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$xipki$scep$transaction$MessageType[MessageType.GetCRL.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            $SwitchMap$org$xipki$util$exception$ErrorCode = new int[ErrorCode.values().length];
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.ALREADY_ISSUED.ordinal()] = 1;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.CERT_REVOKED.ordinal()] = 2;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.CERT_UNREVOKED.ordinal()] = 3;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.BAD_CERT_TEMPLATE.ordinal()] = 4;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.BAD_REQUEST.ordinal()] = 5;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.BAD_POP.ordinal()] = 6;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.INVALID_EXTENSION.ordinal()] = 7;
            } catch (NoSuchFieldError e12) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.UNKNOWN_CERT.ordinal()] = 8;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.UNKNOWN_CERT_PROFILE.ordinal()] = 9;
            } catch (NoSuchFieldError e14) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.NOT_PERMITTED.ordinal()] = 10;
            } catch (NoSuchFieldError e15) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.SYSTEM_UNAVAILABLE.ordinal()] = 11;
            } catch (NoSuchFieldError e16) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.CRL_FAILURE.ordinal()] = 12;
            } catch (NoSuchFieldError e17) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.DATABASE_FAILURE.ordinal()] = 13;
            } catch (NoSuchFieldError e18) {
            }
            try {
                $SwitchMap$org$xipki$util$exception$ErrorCode[ErrorCode.SYSTEM_FAILURE.ordinal()] = 14;
            } catch (NoSuchFieldError e19) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/scep-gateway-6.4.0.jar:org/xipki/ca/gateway/scep/ScepResponder$FailInfoException.class */
    public static class FailInfoException extends Exception {
        public static final FailInfoException BAD_CERTID = new FailInfoException(FailInfo.badCertId);
        public static final FailInfoException BAD_MESSAGE_CHECK = new FailInfoException(FailInfo.badMessageCheck);
        public static final FailInfoException BAD_REQUEST = new FailInfoException(FailInfo.badRequest);
        private final FailInfo failInfo;

        private FailInfoException(FailInfo failInfo) {
            super(((FailInfo) Args.notNull(failInfo, "failInfo")).name());
            this.failInfo = failInfo;
        }

        public FailInfo getFailInfo() {
            return this.failInfo;
        }
    }

    public ScepResponder(ScepControl scepControl, SdkClient sdkClient, SecurityFactory securityFactory, CaNameScepSigners caNameScepSigners, RequestorAuthenticator requestorAuthenticator, PopControl popControl, CaProfilesControl caProfilesControl) {
        LOG.info("XiPKI SCEP-Gateway version {}", StringUtil.getVersion(getClass()));
        this.control = (ScepControl) Args.notNull(scepControl, "control");
        this.sdk = (SdkClient) Args.notNull(sdkClient, "sdk");
        this.securityFactory = (SecurityFactory) Args.notNull(securityFactory, "securityFactory");
        this.authenticator = (RequestorAuthenticator) Args.notNull(requestorAuthenticator, "authenticator");
        this.popControl = (PopControl) Args.notNull(popControl, "popControl");
        CaCaps caCaps = new CaCaps();
        caCaps.addCapabilities(CaCapability.SCEPStandard, CaCapability.AES, CaCapability.DES3, CaCapability.POSTPKIOperation, CaCapability.Renewal, CaCapability.SHA1, CaCapability.SHA256, CaCapability.SHA512);
        this.caCaps = caCaps;
        this.signers = caNameScepSigners;
        this.caProfilesControl = (CaProfilesControl) Args.notNull(caProfilesControl, "caProfiles");
    }

    private CaCaps getCaCaps() {
        return this.caCaps;
    }

    private Requestor.PasswordRequestor getRequestor(String str) {
        return this.authenticator.getPasswordRequestorByUser(str);
    }

    private Requestor.CertRequestor getRequestor(X509Cert x509Cert) {
        return this.authenticator.getCertRequestor(x509Cert);
    }

    public HttpResponse service(String str, byte[] bArr, XiHttpRequest xiHttpRequest) {
        HttpResponse httpResponse;
        String message;
        ErrorCode code;
        int i;
        byte[] encoded;
        String str2;
        String str3 = null;
        String str4 = null;
        if (str.length() > 1 && str.endsWith(CGI_PROGRAM)) {
            String[] splitAsArray = str.length() == CGI_PROGRAM_LEN ? new String[0] : StringUtil.splitAsArray(str.substring(1, str.length() - CGI_PROGRAM_LEN), "/");
            if (splitAsArray.length == 0 || splitAsArray.length == 1) {
                String trim = splitAsArray.length == 0 ? P11CryptServiceFactory.DEFAULT_P11MODULE_NAME : splitAsArray[0].trim();
                CaProfileConf caProfile = this.caProfilesControl.getCaProfile(trim);
                if (caProfile == null) {
                    LOG.warn("unknown alias " + trim);
                    return new HttpResponse(HttpStatusCode.SC_NOT_FOUND);
                }
                str3 = caProfile.getCa();
                str4 = caProfile.getCertprofile();
            } else if (splitAsArray.length == 2) {
                str3 = splitAsArray[0];
                str4 = splitAsArray[1].toLowerCase();
            }
        }
        if (str3 == null) {
            return new HttpResponse(HttpStatusCode.SC_NOT_FOUND);
        }
        AuditService auditService = Audits.getAuditService();
        AuditEvent auditEvent = new AuditEvent();
        auditEvent.setApplicationName("scep-gw");
        auditEvent.addEventData("name", str3 + "/" + str4);
        AuditLevel auditLevel = AuditLevel.INFO;
        AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
        String parameter = xiHttpRequest.getParameter("operation");
        auditEvent.addEventData("operation", parameter);
        try {
            try {
                if ("PKIOperation".equalsIgnoreCase(parameter)) {
                    try {
                        CMSSignedData cMSSignedData = new CMSSignedData(bArr);
                        ScepSigner signer = this.signers.getSigner(str3);
                        if (signer == null) {
                            LOG.error("found no signer for CA {}", str3);
                            AuditStatus auditStatus2 = AuditStatus.FAILED;
                            HttpResponse httpResponse2 = new HttpResponse(400);
                            audit(auditService, auditEvent, auditLevel, auditStatus2, "found no signer");
                            return httpResponse2;
                        }
                        try {
                            encoded = servicePkiOperation(signer, str3, cMSSignedData, str4, auditEvent).getEncoded();
                            str2 = "application/x-pki-message";
                        } catch (SdkErrorResponseException | OperationException e) {
                            if (e instanceof OperationException) {
                                message = e.getMessage();
                                code = ((OperationException) e).getErrorCode();
                            } else {
                                ErrorResponse errorResponse = ((SdkErrorResponseException) e).getErrorResponse();
                                message = errorResponse.getMessage();
                                code = errorResponse.getCode();
                            }
                            switch (AnonymousClass1.$SwitchMap$org$xipki$util$exception$ErrorCode[code.ordinal()]) {
                                case 1:
                                case 2:
                                case 3:
                                    i = 403;
                                    break;
                                case 4:
                                case 5:
                                case 6:
                                case 7:
                                case 8:
                                case 9:
                                    i = 400;
                                    break;
                                case 10:
                                    i = 401;
                                    break;
                                case 11:
                                    i = 503;
                                    break;
                                case 12:
                                case 13:
                                case StdKeyDeserializer.TYPE_URL /* 14 */:
                                default:
                                    i = 500;
                                    break;
                            }
                            LogUtil.error(LOG, e, message);
                            AuditStatus auditStatus3 = AuditStatus.FAILED;
                            HttpResponse httpResponse3 = new HttpResponse(i);
                            audit(auditService, auditEvent, auditLevel, auditStatus3, message);
                            return httpResponse3;
                        } catch (MessageDecodingException e2) {
                            LogUtil.error(LOG, e2, "could not decrypt and/or verify the request");
                            AuditStatus auditStatus4 = AuditStatus.FAILED;
                            HttpResponse httpResponse4 = new HttpResponse(400);
                            audit(auditService, auditEvent, auditLevel, auditStatus4, "could not decrypt and/or verify the request");
                            return httpResponse4;
                        }
                    } catch (Exception e3) {
                        LogUtil.error(LOG, e3, "invalid request");
                        AuditStatus auditStatus5 = AuditStatus.FAILED;
                        HttpResponse httpResponse5 = new HttpResponse(400);
                        audit(auditService, auditEvent, auditLevel, auditStatus5, "invalid request");
                        return httpResponse5;
                    }
                } else if (Operation.GetCACaps.getCode().equalsIgnoreCase(parameter)) {
                    str2 = ScepConstants.CT_TEXT_PLAIN;
                    encoded = getCaCaps().getBytes();
                } else {
                    if (!Operation.GetCACert.getCode().equalsIgnoreCase(parameter)) {
                        if (Operation.GetNextCACert.getCode().equalsIgnoreCase(parameter)) {
                            String str5 = "SCEP operation '" + parameter + "' is not permitted";
                            AuditStatus auditStatus6 = AuditStatus.FAILED;
                            HttpResponse httpResponse6 = new HttpResponse(HttpStatusCode.SC_FORBIDDEN);
                            audit(auditService, auditEvent, auditLevel, auditStatus6, str5);
                            return httpResponse6;
                        }
                        String str6 = "unknown SCEP operation '" + parameter + "'";
                        AuditStatus auditStatus7 = AuditStatus.FAILED;
                        HttpResponse httpResponse7 = new HttpResponse(400);
                        audit(auditService, auditEvent, auditLevel, auditStatus7, str6);
                        return httpResponse7;
                    }
                    str2 = ScepConstants.CT_X509_CA_RA_CERT;
                    encoded = getCaCertResp(str3);
                }
                httpResponse = new HttpResponse(HttpStatusCode.SC_OK, str2, null, encoded);
                audit(auditService, auditEvent, auditLevel, auditStatus, null);
            } catch (Throwable th) {
                LOG.error("Throwable thrown, this should not happen!", th);
                AuditLevel auditLevel2 = AuditLevel.ERROR;
                AuditStatus auditStatus8 = AuditStatus.FAILED;
                httpResponse = new HttpResponse(500);
                audit(auditService, auditEvent, auditLevel2, auditStatus8, "internal error");
            }
            return httpResponse;
        } catch (Throwable th2) {
            audit(auditService, auditEvent, auditLevel, auditStatus, null);
            throw th2;
        }
    }

    private static void audit(AuditService auditService, AuditEvent auditEvent, AuditLevel auditLevel, AuditStatus auditStatus, String str) {
        AuditLevel level = auditEvent.getLevel();
        if (level == null) {
            auditEvent.setLevel(auditLevel);
        } else if (level.getValue() > auditLevel.getValue()) {
            auditEvent.setLevel(auditLevel);
        }
        if (auditStatus != null) {
            auditEvent.setStatus(auditStatus);
        }
        if (str != null) {
            auditEvent.addEventData("message", str);
        }
        auditEvent.finish();
        auditService.logEvent(auditEvent);
        GatewayUtil.logAuditEvent(LOG, auditEvent);
    }

    private byte[] getCaCertResp(String str) throws OperationException, SdkErrorResponseException {
        try {
            ScepSigner signer = this.signers.getSigner(str);
            if (signer == null) {
                throw new OperationException(ErrorCode.PATH_NOT_FOUND, "found na signer for CA " + str);
            }
            byte[] cacert = this.sdk.cacert(str);
            if (cacert == null) {
                throw new OperationException(ErrorCode.PATH_NOT_FOUND, "unknown CA " + str);
            }
            CMSSignedDataGenerator cMSSignedDataGenerator = new CMSSignedDataGenerator();
            try {
                cMSSignedDataGenerator.addCertificate(new X509CertificateHolder(Certificate.getInstance(cacert)));
                cMSSignedDataGenerator.addCertificate(signer.getCert().toBcCert());
                return cMSSignedDataGenerator.generate(new CMSAbsentContent()).getEncoded();
            } catch (IOException e) {
                throw new CMSException("could not build CMS SignedDta");
            }
        } catch (CMSException | IOException e2) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, e2.getMessage());
        }
    }

    private ContentInfo servicePkiOperation(ScepSigner scepSigner, String str, CMSSignedData cMSSignedData, String str2, AuditEvent auditEvent) throws MessageDecodingException, OperationException, SdkErrorResponseException {
        DecodedPkiMessage decode = DecodedPkiMessage.decode(cMSSignedData, scepSigner.getDecryptor(), null);
        PkiMessage servicePkiOperation0 = servicePkiOperation0(str, cMSSignedData, decode, str2, auditEvent);
        audit(auditEvent, NAME_pki_status, servicePkiOperation0.getPkiStatus().toString());
        if (servicePkiOperation0.getPkiStatus() == PkiStatus.FAILURE) {
            auditEvent.setStatus(AuditStatus.FAILED);
        }
        if (servicePkiOperation0.getFailInfo() != null) {
            audit(auditEvent, NAME_fail_info, servicePkiOperation0.getFailInfo().toString());
        }
        return encodeResponse(scepSigner, servicePkiOperation0, decode);
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:52:0x01f1. Please report as an issue. */
    private PkiMessage servicePkiOperation0(String str, CMSSignedData cMSSignedData, DecodedPkiMessage decodedPkiMessage, String str2, AuditEvent auditEvent) throws OperationException, SdkErrorResponseException {
        SignedData crl;
        Args.notNull(cMSSignedData, "requestContent");
        String id = ((DecodedPkiMessage) Args.notNull(decodedPkiMessage, "req")).getTransactionId().getId();
        audit(auditEvent, CaAuditConstants.NAME_tid, id);
        if (decodedPkiMessage.getFailureMessage() != null) {
            audit(auditEvent, NAME_failure_message, decodedPkiMessage.getFailureMessage());
        }
        if (!dfltTrue(decodedPkiMessage.isSignatureValid())) {
            audit(auditEvent, NAME_signature, "invalid");
        }
        if (!dfltTrue(decodedPkiMessage.isDecryptionSuccessful())) {
            audit(auditEvent, NAME_decryption, "failed");
        }
        PkiMessage pkiMessage = new PkiMessage(decodedPkiMessage.getTransactionId(), MessageType.CertRep, Nonce.randomNonce());
        pkiMessage.setRecipientNonce(decodedPkiMessage.getSenderNonce());
        if (decodedPkiMessage.getFailureMessage() != null) {
            return fail(pkiMessage, FailInfo.badRequest);
        }
        if (!dfltTrue(decodedPkiMessage.isSignatureValid())) {
            return fail(pkiMessage, FailInfo.badMessageCheck);
        }
        if (!dfltTrue(decodedPkiMessage.isDecryptionSuccessful())) {
            return fail(pkiMessage, FailInfo.badRequest);
        }
        Instant signingTime = decodedPkiMessage.getSigningTime();
        long maxSigningTimeBias = 1000 * this.control.getMaxSigningTimeBias();
        if (maxSigningTimeBias > 0) {
            if (signingTime == null || Math.abs(Instant.now().toEpochMilli() - signingTime.toEpochMilli()) > maxSigningTimeBias) {
                return fail(pkiMessage, FailInfo.badTime);
            }
        }
        HashAlgo digestAlgorithm = decodedPkiMessage.getDigestAlgorithm();
        boolean z = false;
        if (digestAlgorithm == HashAlgo.SHA1) {
            if (this.caCaps.supportsSHA1()) {
                z = true;
            }
        } else if (digestAlgorithm == HashAlgo.SHA256) {
            if (this.caCaps.supportsSHA256()) {
                z = true;
            }
        } else if (digestAlgorithm == HashAlgo.SHA512 && this.caCaps.supportsSHA512()) {
            z = true;
        }
        if (!z) {
            LOG.warn("tid={}: unsupported digest algorithm {}", id, digestAlgorithm);
            return fail(pkiMessage, FailInfo.badAlg);
        }
        ASN1ObjectIdentifier contentEncryptionAlgorithm = decodedPkiMessage.getContentEncryptionAlgorithm();
        if (CMSAlgorithm.DES_EDE3_CBC.equals(contentEncryptionAlgorithm)) {
            if (!this.caCaps.supportsDES3()) {
                LOG.warn("tid={}: encryption with DES3 algorithm {} is not permitted", id, contentEncryptionAlgorithm);
                return fail(pkiMessage, FailInfo.badAlg);
            }
        } else {
            if (!CMSAlgorithm.AES128_CBC.equals(contentEncryptionAlgorithm)) {
                LOG.warn("tid={}: encryption with algorithm {} is not permitted", id, contentEncryptionAlgorithm);
                return fail(pkiMessage, FailInfo.badAlg);
            }
            if (!this.caCaps.supportsAES()) {
                LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", id, contentEncryptionAlgorithm);
                return fail(pkiMessage, FailInfo.badAlg);
            }
        }
        try {
            MessageType messageType = decodedPkiMessage.getMessageType();
            audit(auditEvent, NAME_message_type, messageType.toString());
            Requestor.PasswordRequestor passwordRequestor = null;
            switch (messageType) {
                case PKCSReq:
                case RenewalReq:
                    CertificationRequest parseCsrInRequest = X509Util.parseCsrInRequest(decodedPkiMessage.getMessageData());
                    X500Name subject = parseCsrInRequest.getCertificationRequestInfo().getSubject();
                    if (LOG.isInfoEnabled()) {
                        LOG.info("tid={}, subject={}", id, X509Util.x500NameText(subject));
                    }
                    auditEvent.addEventData(CaAuditConstants.NAME_certprofile, str2);
                    auditEvent.addEventData(CaAuditConstants.NAME_req_subject, "\"" + X509Util.x500NameText(subject) + "\"");
                    if (!GatewayUtil.verifyCsr(parseCsrInRequest, this.securityFactory, this.popControl)) {
                        LOG.warn("tid={} POP verification failed", id);
                        throw FailInfoException.BAD_MESSAGE_CHECK;
                    }
                    CertificationRequestInfo certificationRequestInfo = parseCsrInRequest.getCertificationRequestInfo();
                    X509Cert signatureCert = decodedPkiMessage.getSignatureCert();
                    if (signatureCert.isSelfSigned() && !signatureCert.getSubject().equals(certificationRequestInfo.getSubject())) {
                        LOG.warn("tid={}, self-signed identityCert.subject ({}) != csr.subject ({})", id, signatureCert.getSubject(), certificationRequestInfo.getSubject());
                        throw FailInfoException.BAD_REQUEST;
                    }
                    if (X509Util.getCommonName(certificationRequestInfo.getSubject()) == null) {
                        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "tid=" + id + ": no CommonName in requested subject");
                    }
                    String challengePassword = X509Util.getChallengePassword(certificationRequestInfo);
                    if (challengePassword != null) {
                        String[] split = challengePassword.split(ParameterizedMessage.ERROR_MSG_SEPARATOR);
                        if (split.length != 2) {
                            LOG.warn("tid={}: challengePassword does not have the format <user>:<password>", id);
                            throw FailInfoException.BAD_REQUEST;
                        }
                        String str3 = split[0];
                        String str4 = split[1];
                        Requestor.PasswordRequestor requestor = getRequestor(str3);
                        passwordRequestor = requestor;
                        if (!(requestor != null && requestor.authenticate(str4.getBytes(StandardCharsets.UTF_8)))) {
                            LOG.warn("tid={}: could not authenticate user {}", id, str3);
                            throw FailInfoException.BAD_REQUEST;
                        }
                    }
                    if (signatureCert.isSelfSigned()) {
                        if (MessageType.PKCSReq != messageType) {
                            LOG.warn("tid={}: self-signed certificate is not permitted for messageType {}", id, messageType);
                            throw FailInfoException.BAD_REQUEST;
                        }
                        if (passwordRequestor == null) {
                            LOG.warn("tid={}: could not extract user & password from challengePassword, which are required for self-signed signature certificate", id);
                            throw FailInfoException.BAD_REQUEST;
                        }
                    } else if (passwordRequestor == null) {
                        passwordRequestor = getRequestor(signatureCert);
                        if (passwordRequestor == null) {
                            LOG.warn("tid={}: signature certificate is not trusted by the CA", id);
                            throw FailInfoException.BAD_REQUEST;
                        }
                    }
                    checkUserPermission(passwordRequestor, str, str2);
                    Extensions extensions = X509Util.getExtensions(certificationRequestInfo);
                    EnrollCertRequestEntry enrollCertRequestEntry = new EnrollCertRequestEntry();
                    enrollCertRequestEntry.setCertprofile(str2);
                    enrollCertRequestEntry.setSubject(new X500NameType(certificationRequestInfo.getSubject()));
                    try {
                        enrollCertRequestEntry.extensions(extensions);
                        try {
                            enrollCertRequestEntry.subjectPublicKey(certificationRequestInfo.getSubjectPublicKeyInfo());
                            EnrollCertsRequest enrollCertsRequest = new EnrollCertsRequest();
                            enrollCertsRequest.setEntries(new EnrollCertRequestEntry[]{enrollCertRequestEntry});
                            enrollCertsRequest.setTransactionId(id);
                            enrollCertsRequest.setExplicitConfirm(false);
                            enrollCertsRequest.setCaCertMode(this.control.isIncludeCertChain() ? CertsMode.CHAIN : this.control.isIncludeCaCert() ? CertsMode.CERT : CertsMode.NONE);
                            try {
                                crl = buildSignedData(this.sdk.enrollCerts(str, enrollCertsRequest));
                                pkiMessage.setMessageData(new ContentInfo(CMSObjectIdentifiers.signedData, crl));
                                pkiMessage.setPkiStatus(PkiStatus.SUCCESS);
                                return pkiMessage;
                            } catch (IOException e) {
                                LOG.error("error enrollCerts", (Throwable) e);
                                throw new OperationException(ErrorCode.SYSTEM_FAILURE, e.getMessage());
                            }
                        } catch (IOException e2) {
                            LogUtil.warn(LOG, e2, "could not encode SubjectPublicKeyInfo");
                            throw FailInfoException.BAD_REQUEST;
                        }
                    } catch (IOException e3) {
                        LogUtil.warn(LOG, e3, "could not encode extensions");
                        throw FailInfoException.BAD_REQUEST;
                    }
                case CertPoll:
                    IssuerAndSubject issuerAndSubject = IssuerAndSubject.getInstance(decodedPkiMessage.getMessageData());
                    audit(auditEvent, CaAuditConstants.NAME_issuer, "\"" + X509Util.x500NameText(issuerAndSubject.getIssuer()) + "\"");
                    audit(auditEvent, CaAuditConstants.NAME_subject, "\"" + X509Util.x500NameText(issuerAndSubject.getSubject()) + "\"");
                    PollCertRequestEntry pollCertRequestEntry = new PollCertRequestEntry(null, new X500NameType(issuerAndSubject.getSubject()));
                    PollCertRequest pollCertRequest = new PollCertRequest();
                    pollCertRequest.setIssuer(new X500NameType(issuerAndSubject.getIssuer()));
                    pollCertRequest.setTransactionId(decodedPkiMessage.getTransactionId().getId());
                    pollCertRequest.setEntries(new PollCertRequestEntry[]{pollCertRequestEntry});
                    try {
                        crl = buildSignedData(this.sdk.pollCerts(pollCertRequest));
                        pkiMessage.setMessageData(new ContentInfo(CMSObjectIdentifiers.signedData, crl));
                        pkiMessage.setPkiStatus(PkiStatus.SUCCESS);
                        return pkiMessage;
                    } catch (IOException e4) {
                        LOG.error("error pollCerts", (Throwable) e4);
                        throw new OperationException(ErrorCode.SYSTEM_FAILURE, e4.getMessage());
                    }
                case GetCert:
                    IssuerAndSerialNumber issuerAndSerialNumber = IssuerAndSerialNumber.getInstance(decodedPkiMessage.getMessageData());
                    BigInteger positiveValue = issuerAndSerialNumber.getSerialNumber().getPositiveValue();
                    audit(auditEvent, CaAuditConstants.NAME_issuer, "\"" + X509Util.x500NameText(issuerAndSerialNumber.getName()) + "\"");
                    audit(auditEvent, CaAuditConstants.NAME_serial, LogUtil.formatCsn(positiveValue));
                    crl = getCert(str, issuerAndSerialNumber.getName(), positiveValue);
                    pkiMessage.setMessageData(new ContentInfo(CMSObjectIdentifiers.signedData, crl));
                    pkiMessage.setPkiStatus(PkiStatus.SUCCESS);
                    return pkiMessage;
                case GetCRL:
                    IssuerAndSerialNumber issuerAndSerialNumber2 = IssuerAndSerialNumber.getInstance(decodedPkiMessage.getMessageData());
                    BigInteger positiveValue2 = issuerAndSerialNumber2.getSerialNumber().getPositiveValue();
                    audit(auditEvent, CaAuditConstants.NAME_issuer, "\"" + X509Util.x500NameText(issuerAndSerialNumber2.getName()) + "\"");
                    audit(auditEvent, CaAuditConstants.NAME_serial, LogUtil.formatCsn(positiveValue2));
                    crl = getCrl(str, issuerAndSerialNumber2.getName(), positiveValue2);
                    pkiMessage.setMessageData(new ContentInfo(CMSObjectIdentifiers.signedData, crl));
                    pkiMessage.setPkiStatus(PkiStatus.SUCCESS);
                    return pkiMessage;
                default:
                    LOG.error("unknown SCEP messageType '{}'", decodedPkiMessage.getMessageType());
                    throw FailInfoException.BAD_REQUEST;
            }
        } catch (FailInfoException e5) {
            LogUtil.error(LOG, e5);
            return fail(pkiMessage, e5.getFailInfo());
        }
    }

    private SignedData getCert(String str, X500Name x500Name, BigInteger bigInteger) throws FailInfoException, OperationException, SdkErrorResponseException {
        try {
            byte[] cert = this.sdk.getCert(str, x500Name, bigInteger);
            if (cert == null) {
                throw FailInfoException.BAD_CERTID;
            }
            return buildSignedData(cert, null);
        } catch (IOException e) {
            LogUtil.error(LOG, e, "could not get certificate for CA '" + str + "' and serialNumber=" + LogUtil.formatCsn(bigInteger) + ")");
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, e);
        }
    }

    private SignedData buildSignedData(EnrollOrPollCertsResponse enrollOrPollCertsResponse) throws OperationException {
        EnrollOrPullCertResponseEntry[] entries = enrollOrPollCertsResponse.getEntries();
        int length = entries == null ? 0 : entries.length;
        if (length != 1) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "expected 1 cert, but received " + length);
        }
        EnrollOrPullCertResponseEntry enrollOrPullCertResponseEntry = entries[0];
        byte[] cert = enrollOrPullCertResponseEntry.getCert();
        if (cert == null) {
            throw new OperationException(ErrorCode.ofCode(enrollOrPullCertResponseEntry.getError().getCode()), "expected 1 cert, but received none");
        }
        return buildSignedData(cert, enrollOrPollCertsResponse.getExtraCerts());
    }

    private SignedData buildSignedData(byte[] bArr, byte[][] bArr2) throws OperationException {
        CMSSignedDataGenerator cMSSignedDataGenerator = new CMSSignedDataGenerator();
        try {
            cMSSignedDataGenerator.addCertificate(new X509CertificateHolder(Certificate.getInstance(bArr)));
            if (bArr2 != null) {
                for (byte[] bArr3 : bArr2) {
                    cMSSignedDataGenerator.addCertificate(new X509CertificateHolder(Certificate.getInstance(bArr3)));
                }
            }
            return SignedData.getInstance(cMSSignedDataGenerator.generate(new CMSAbsentContent()).toASN1Structure().getContent());
        } catch (CMSException e) {
            LogUtil.error(LOG, e);
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, (Throwable) e);
        }
    }

    private SignedData getCrl(String str, X500Name x500Name, BigInteger bigInteger) throws FailInfoException, OperationException, SdkErrorResponseException {
        if (!this.control.isSupportGetCrl()) {
            throw FailInfoException.BAD_REQUEST;
        }
        try {
            byte[] currentCrl = this.sdk.currentCrl(str);
            if (currentCrl == null) {
                LOG.error("found no CRL");
                throw FailInfoException.BAD_REQUEST;
            }
            CMSSignedDataGenerator cMSSignedDataGenerator = new CMSSignedDataGenerator();
            cMSSignedDataGenerator.addCRL(new X509CRLHolder(CertificateList.getInstance(currentCrl)));
            try {
                return SignedData.getInstance(cMSSignedDataGenerator.generate(new CMSAbsentContent()).toASN1Structure().getContent());
            } catch (CMSException e) {
                LogUtil.error(LOG, e, "could not generate CMSSignedData");
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, (Throwable) e);
            }
        } catch (IOException e2) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, e2.getMessage());
        }
    }

    private ContentInfo encodeResponse(ScepSigner scepSigner, PkiMessage pkiMessage, DecodedPkiMessage decodedPkiMessage) throws OperationException {
        Args.notNull(pkiMessage, "response");
        Args.notNull(decodedPkiMessage, "request");
        if (!"RSA".equalsIgnoreCase(scepSigner.getKey().getAlgorithm())) {
            throw new UnsupportedOperationException("getSignatureAlgorithm() for non-RSA is not supported yet.");
        }
        try {
            return pkiMessage.encode(scepSigner.getKey(), SignAlgo.getInstance(decodedPkiMessage.getDigestAlgorithm().getJceName() + "withRSA"), scepSigner.getCert(), this.control.isIncludeSignerCert() ? new X509Cert[]{scepSigner.getCert()} : null, decodedPkiMessage.getSignatureCert(), decodedPkiMessage.getContentEncryptionAlgorithm());
        } catch (NoSuchAlgorithmException | MessageEncodingException e) {
            LogUtil.error(LOG, e, "could not encode response");
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, e);
        }
    }

    private static void checkUserPermission(Requestor requestor, String str, String str2) throws OperationException {
        if (!requestor.isPermitted(1)) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, PermissionConstants.getTextForCode(1) + " is not permitted for user " + requestor.getName());
        }
        if (!requestor.isCertprofilePermitted(str, str2)) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "Certificate profile " + str2 + " is not permitted for user " + requestor.getName());
        }
    }

    private static void audit(AuditEvent auditEvent, String str, String str2) {
        auditEvent.addEventData(str, str2 == null ? "null" : str2);
    }

    private static PkiMessage fail(PkiMessage pkiMessage, FailInfo failInfo) {
        pkiMessage.setPkiStatus(PkiStatus.FAILURE);
        pkiMessage.setFailInfo(FailInfo.badMessageCheck);
        return pkiMessage;
    }

    private static boolean dfltTrue(Boolean bool) {
        return bool == null || bool.booleanValue();
    }
}
