package org.xipki.ca.server.impl.scep;

import io.netty.handler.codec.http.FullHttpRequest;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.util.Date;
import java.util.Locale;
import javax.net.ssl.SSLSession;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.cms.CMSSignedData;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.audit.AuditLevel;
import org.xipki.audit.AuditService;
import org.xipki.audit.AuditServiceRegister;
import org.xipki.audit.AuditStatus;
import org.xipki.ca.api.OperationException;
import org.xipki.ca.api.RequestType;
import org.xipki.ca.server.impl.CaAuditConstants;
import org.xipki.ca.server.impl.CaManagerImpl;
import org.xipki.ca.server.impl.util.PasswordHash;
import org.xipki.ca.server.mgmt.api.CaStatus;
import org.xipki.common.util.Base64;
import org.xipki.common.util.LogUtil;
import org.xipki.common.util.RandomUtil;
import org.xipki.http.servlet.AbstractHttpServlet;
import org.xipki.http.servlet.ServletURI;
import org.xipki.http.servlet.SslReverseProxyMode;
import org.xipki.scep.exception.MessageDecodingException;
import org.xipki.scep.transaction.Operation;

/* loaded from: input_file:org/xipki/ca/server/impl/scep/ScepServlet.class */
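/**
 * HTTP front end for SCEP requests.
 *
 * <p>Requests are addressed as {@code /<scep name>/<cert profile>/pkiclient.exe}. The
 * {@code operation} query parameter selects between {@code PKIOperation}, {@code GetCACaps},
 * {@code GetCACert} and {@code GetNextCACert}. One audit event is recorded for every request
 * that gets past method and path validation.
 *
 * <p>Both {@link #setAuditServiceRegister} and {@link #setResponderManager} are expected to be
 * called before the first request: the audit register is dereferenced without a null check, and
 * a missing responder manager is answered with HTTP 500.
 */
public class ScepServlet extends AbstractHttpServlet {
    private static final Logger LOG = LoggerFactory.getLogger(ScepServlet.class);
    private static final String CGI_PROGRAM = "/pkiclient.exe";
    private static final int CGI_PROGRAM_LEN = CGI_PROGRAM.length();
    private static final String CT_RESPONSE = "application/x-pki-message";
    private AuditServiceRegister auditServiceRegister;
    private CaManagerImpl responderManager;

    /**
     * Reports that this servlet does not need TLS session information.
     *
     * @return always {@code false}
     */
    public boolean needsTlsSessionInfo() {
        return false;
    }

    /**
     * Handles one SCEP HTTP request.
     *
     * <p>Only GET and POST are accepted (405 otherwise). A path that does not have the form
     * {@code /<scep name>/<cert profile>/pkiclient.exe} is answered with 404 before any audit
     * event is created. From then on exactly one audit event is emitted, in the {@code finally}
     * block, with the level, status and message set by whichever branch produced the response.
     *
     * @param fullHttpRequest the request; its body carries the SCEP message for POST
     * @param servletURI the parsed request URI (path and query parameters)
     * @param sSLSession not used by this method
     * @param sslReverseProxyMode not used by this method
     * @return the HTTP response to send
     * @throws Exception if building the error response or writing the audit event fails
     */
    public FullHttpResponse service(FullHttpRequest fullHttpRequest, ServletURI servletURI, SSLSession sSLSession, SslReverseProxyMode sslReverseProxyMode) throws Exception {
        HttpVersion version = fullHttpRequest.protocolVersion();
        HttpMethod method = fullHttpRequest.method();
        boolean viaPost;
        if (method == HttpMethod.POST) {
            viaPost = true;
        } else if (method == HttpMethod.GET) {
            viaPost = false;
        } else {
            return createErrorResponse(version, HttpResponseStatus.METHOD_NOT_ALLOWED);
        }

        String[] target = parseScepPath(servletURI.path());
        if (target == null) {
            return createErrorResponse(version, HttpResponseStatus.NOT_FOUND);
        }
        // Both values are taken from the request path and end up in log and audit records below.
        // NOTE(review): if ServletURI percent-decodes the path, CR/LF could reach those sinks;
        // confirm that the log/audit back ends neutralise control characters.
        String scepName = target[0];
        String certProfileName = target[1];

        AuditService auditService = this.auditServiceRegister.getAuditService();
        AuditEvent event = new AuditEvent(new Date());
        event.setApplicationName("SCEP");
        event.setName(CaAuditConstants.NAME_PERF);
        event.addEventData(CaAuditConstants.NAME_SCEP_name, scepName + "/" + certProfileName);
        event.addEventData(CaAuditConstants.NAME_reqType, RequestType.SCEP.name());
        String msgId = RandomUtil.nextHexLong();
        event.addEventData(CaAuditConstants.NAME_mid, msgId);

        // Audit outcome; every failing branch overwrites these before it returns, so the single
        // audit call in the finally block never records a failed request as SUCCESSFUL.
        AuditLevel auditLevel = AuditLevel.INFO;
        AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
        String auditMessage = null;
        try {
            if (this.responderManager == null) {
                auditMessage = "responderManager in servlet not configured";
                LOG.error(auditMessage);
                auditLevel = AuditLevel.ERROR;
                auditStatus = AuditStatus.FAILED;
                return createErrorResponse(version, HttpResponseStatus.INTERNAL_SERVER_ERROR);
            }

            Scep scep = this.responderManager.getScep(scepName);
            if (scep == null || scep.status() != CaStatus.ACTIVE || !scep.supportsCertProfile(certProfileName)) {
                // Unknown, inactive and profile-mismatch all yield the same 404.
                auditMessage = "unknown SCEP '" + scepName + "/" + certProfileName + "'";
                LOG.warn(auditMessage);
                auditStatus = AuditStatus.FAILED;
                return createErrorResponse(version, HttpResponseStatus.NOT_FOUND);
            }

            String operation = servletURI.parameter(CaAuditConstants.NAME_SCEP_operation);
            event.addEventData(CaAuditConstants.NAME_SCEP_operation, operation);

            if ("PKIOperation".equalsIgnoreCase(operation)) {
                try {
                    // POST carries the raw message in the body; GET carries it Base64-encoded in
                    // a query parameter whose name is taken from CaAuditConstants.NAME_message.
                    CMSSignedData request = new CMSSignedData(viaPost
                            ? readContent(fullHttpRequest)
                            : Base64.decode(servletURI.parameter(CaAuditConstants.NAME_message)));
                    return createOKResponse(version, CT_RESPONSE,
                            scep.servicePkiOperation(request, certProfileName, msgId, event).getEncoded());
                } catch (MessageDecodingException ex) {
                    auditMessage = "could not decrypt and/or verify the request";
                    LogUtil.error(LOG, ex, auditMessage);
                    auditStatus = AuditStatus.FAILED;
                    return createErrorResponse(version, HttpResponseStatus.BAD_REQUEST);
                } catch (OperationException ex) {
                    auditMessage = ex.getMessage();
                    LogUtil.error(LOG, ex, auditMessage);
                    auditStatus = AuditStatus.FAILED;
                    return createErrorResponse(version, toHttpStatus(ex.errorCode()));
                } catch (Exception ex) {
                    // Anything else raised while reading, decoding or processing the message is
                    // reported to the client as a malformed request.
                    auditMessage = "invalid request";
                    LogUtil.error(LOG, ex, auditMessage);
                    auditStatus = AuditStatus.FAILED;
                    return createErrorResponse(version, HttpResponseStatus.BAD_REQUEST);
                }
            }

            if (Operation.GetCACaps.code().equalsIgnoreCase(operation)) {
                return createOKResponse(version, "text/plain", scep.caCaps().bytes());
            }
            if (Operation.GetCACert.code().equalsIgnoreCase(operation)) {
                return createOKResponse(version, "application/x-x509-ca-ra-cert", scep.caCertResp().bytes());
            }
            if (Operation.GetNextCACert.code().equalsIgnoreCase(operation)) {
                auditMessage = "SCEP operation '" + operation + "' is not permitted";
                auditStatus = AuditStatus.FAILED;
                return createErrorResponse(version, HttpResponseStatus.FORBIDDEN);
            }

            auditMessage = "unknown SCEP operation '" + operation + "'";
            auditStatus = AuditStatus.FAILED;
            return createErrorResponse(version, HttpResponseStatus.BAD_REQUEST);
        } catch (Throwable th) {
            // Record the failure first so that the audit event stays FAILED even if the logging
            // or the response construction below throws as well.
            auditLevel = AuditLevel.ERROR;
            auditStatus = AuditStatus.FAILED;
            auditMessage = "internal error";
            if (th instanceof EOFException) {
                if (LOG.isWarnEnabled()) {
                    LogUtil.warn(LOG, th, "connection reset by peer");
                }
                LOG.debug("connection reset by peer", th);
            } else {
                LOG.error("Throwable thrown, this should not happen!", th);
            }
            return createErrorResponse(version, HttpResponseStatus.INTERNAL_SERVER_ERROR);
        } finally {
            audit(auditService, event, auditLevel, auditStatus, auditMessage);
        }
    }

    /**
     * Reads one ASN.1 object from the stream and converts it to a {@link PKIMessage}.
     *
     * <p>The stream is always closed; a failure to close is logged and otherwise ignored so that
     * it cannot mask the result or the exception of the read itself.
     *
     * @param inputStream source of the encoded message
     * @return the result of {@code PKIMessage.getInstance} on the object read from the stream
     * @throws IOException if reading from the stream fails
     */
    protected PKIMessage generatePkiMessage(InputStream inputStream) throws IOException {
        ASN1InputStream asn1Stream = new ASN1InputStream(inputStream);
        try {
            return PKIMessage.getInstance(asn1Stream.readObject());
        } finally {
            try {
                asn1Stream.close();
            } catch (Exception ex) {
                // Best effort: keep the cause in the log instead of dropping it.
                LOG.error("could not close ASN1 stream: {}", asn1Stream, ex);
            }
        }
    }

    /**
     * Sets the CA manager used to look up SCEP responders by name.
     *
     * @param caManagerImpl the manager; while unset, every request is answered with HTTP 500
     */
    public void setResponderManager(CaManagerImpl caManagerImpl) {
        this.responderManager = caManagerImpl;
    }

    /**
     * Sets the register from which the audit service is obtained for each request.
     *
     * @param auditServiceRegister the register; {@link #service} dereferences it without a null check
     */
    public void setAuditServiceRegister(AuditServiceRegister auditServiceRegister) {
        this.auditServiceRegister = auditServiceRegister;
    }

    /**
     * Splits a request path of the form {@code /<scep name>/<cert profile>/pkiclient.exe}.
     *
     * @param path the servlet-relative request path
     * @return a two-element array {@code {scepName, certProfileName}} with the profile name
     *     upper-cased, or {@code null} if the path does not have the expected form
     */
    private static String[] parseScepPath(String path) {
        // The length check also rejects a path that is exactly the CGI suffix, for which the
        // substring below would be asked for the range [1, 0) and throw.
        if (path == null || path.length() <= CGI_PROGRAM_LEN || !path.endsWith(CGI_PROGRAM)) {
            return null;
        }
        String[] tokens = path.substring(1, path.length() - CGI_PROGRAM_LEN).split("/");
        if (tokens.length != 2) {
            return null;
        }
        // Locale.ROOT keeps the profile name independent of the JVM default locale
        // (the default-locale variant maps "i" to a dotted capital under a Turkish locale).
        return new String[] {tokens[0], tokens[1].toUpperCase(Locale.ROOT)};
    }

    /**
     * Maps a CA operation error code to the HTTP status returned to the SCEP client.
     *
     * @param code the error code of the failed operation, may be {@code null}
     * @return the status to send; 500 for {@code null} and for codes not listed here
     */
    private static HttpResponseStatus toHttpStatus(OperationException.ErrorCode code) {
        if (code == null) {
            return HttpResponseStatus.INTERNAL_SERVER_ERROR;
        }
        switch (code) {
            case ALREADY_ISSUED:
            case CERT_REVOKED:
            case CERT_UNREVOKED:
                return HttpResponseStatus.FORBIDDEN;
            case BAD_CERT_TEMPLATE:
            case BAD_REQUEST:
            case BAD_POP:
            case INVALID_EXTENSION:
            case UNKNOWN_CERT:
            case UNKNOWN_CERT_PROFILE:
                return HttpResponseStatus.BAD_REQUEST;
            case NOT_PERMITTED:
                // NOTE(review): 401 is sent here; whether a WWW-Authenticate header accompanies
                // it depends on createErrorResponse, which is not visible here. Confirm whether
                // 403 is the intended status.
                return HttpResponseStatus.UNAUTHORIZED;
            case SYSTEM_UNAVAILABLE:
                return HttpResponseStatus.SERVICE_UNAVAILABLE;
            case CRL_FAILURE:
            case DATABASE_FAILURE:
            case SYSTEM_FAILURE:
            default:
                return HttpResponseStatus.INTERNAL_SERVER_ERROR;
        }
    }

    /**
     * Completes the audit event and hands it to the audit service.
     *
     * @param auditService sink for the finished event
     * @param auditEvent the event to complete
     * @param auditLevel level to set on the event
     * @param auditStatus status to set; left untouched when {@code null}
     * @param message optional message added as event data; skipped when {@code null}
     */
    private static void audit(AuditService auditService, AuditEvent auditEvent, AuditLevel auditLevel, AuditStatus auditStatus, String message) {
        auditEvent.setLevel(auditLevel);
        if (auditStatus != null) {
            auditEvent.setStatus(auditStatus);
        }
        if (message != null) {
            auditEvent.addEventData(CaAuditConstants.NAME_message, message);
        }
        auditEvent.finish();
        auditService.logEvent(auditEvent);
    }
}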
