package org.xipki.ca.server.impl.rest;

import io.netty.handler.codec.http.FullHttpRequest;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import java.io.EOFException;
import java.math.BigInteger;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.SSLSession;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.util.Arrays;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.audit.AuditLevel;
import org.xipki.audit.AuditService;
import org.xipki.audit.AuditServiceRegister;
import org.xipki.audit.AuditStatus;
import org.xipki.ca.api.InsuffientPermissionException;
import org.xipki.ca.api.NameId;
import org.xipki.ca.api.OperationException;
import org.xipki.ca.api.RequestType;
import org.xipki.ca.api.X509CertWithDbId;
import org.xipki.ca.api.publisher.x509.X509CertificateInfo;
import org.xipki.ca.server.impl.CaAuditConstants;
import org.xipki.ca.server.impl.CertTemplateData;
import org.xipki.ca.server.impl.HttpRespAuditException;
import org.xipki.ca.server.impl.X509Ca;
import org.xipki.ca.server.impl.cmp.CmpRequestorInfo;
import org.xipki.ca.server.impl.cmp.CmpResponderManager;
import org.xipki.ca.server.impl.util.CaUtil;
import org.xipki.ca.server.impl.util.PasswordHash;
import org.xipki.ca.server.mgmt.api.CaStatus;
import org.xipki.common.util.Base64;
import org.xipki.common.util.DateUtil;
import org.xipki.common.util.LogUtil;
import org.xipki.common.util.RandomUtil;
import org.xipki.common.util.StringUtil;
import org.xipki.http.servlet.AbstractHttpServlet;
import org.xipki.http.servlet.ServletURI;
import org.xipki.http.servlet.SslReverseProxyMode;
import org.xipki.security.CrlReason;

/* loaded from: input_file:org/xipki/ca/server/impl/rest/HttpRestServlet.class */
public class HttpRestServlet extends AbstractHttpServlet {
    private static final Logger LOG = LoggerFactory.getLogger(HttpRestServlet.class);
    private CmpResponderManager responderManager;
    private AuditServiceRegister auditServiceRegister;

    /* renamed from: org.xipki.ca.server.impl.rest.HttpRestServlet$1, reason: invalid class name */
    /* loaded from: input_file:org/xipki/ca/server/impl/rest/HttpRestServlet$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode = new int[OperationException.ErrorCode.values().length];

        static {
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.ALREADY_ISSUED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.BAD_CERT_TEMPLATE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.BAD_REQUEST.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.CERT_REVOKED.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.CRL_FAILURE.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.DATABASE_FAILURE.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.NOT_PERMITTED.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.INVALID_EXTENSION.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.SYSTEM_FAILURE.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.SYSTEM_UNAVAILABLE.ordinal()] = 10;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.UNKNOWN_CERT.ordinal()] = 11;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.UNKNOWN_CERT_PROFILE.ordinal()] = 12;
            } catch (NoSuchFieldError e12) {
            }
        }
    }

    public boolean needsTlsSessionInfo() {
        return true;
    }

    public FullHttpResponse service(FullHttpRequest fullHttpRequest, ServletURI servletURI, SSLSession sSLSession, SslReverseProxyMode sslReverseProxyMode) {
        HttpResponseStatus httpResponseStatus;
        String str;
        String str2;
        CmpRequestorInfo requestor;
        HttpVersion protocolVersion = fullHttpRequest.protocolVersion();
        HttpMethod method = fullHttpRequest.method();
        if (method != HttpMethod.POST && method != HttpMethod.GET) {
            return createErrorResponse(protocolVersion, HttpResponseStatus.METHOD_NOT_ALLOWED);
        }
        AuditService auditService = this.auditServiceRegister.getAuditService();
        AuditEvent auditEvent = new AuditEvent(new Date());
        auditEvent.setApplicationName("CA");
        auditEvent.setName(CaAuditConstants.NAME_PERF);
        auditEvent.addEventData(CaAuditConstants.NAME_reqType, RequestType.REST.name());
        String nextHexLong = RandomUtil.nextHexLong();
        auditEvent.addEventData(CaAuditConstants.NAME_mid, nextHexLong);
        AuditLevel auditLevel = AuditLevel.INFO;
        AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
        try {
            try {
                try {
                    if (this.responderManager == null) {
                        LOG.error("responderManager in servlet not configured");
                        throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, "responderManager in servlet not configured", AuditLevel.ERROR, AuditStatus.FAILED);
                    }
                    String str3 = null;
                    String str4 = null;
                    X509Ca x509Ca = null;
                    if (servletURI.path().length() > 1) {
                        String path = servletURI.path();
                        int indexOf = path.indexOf(47, 1);
                        if (indexOf == -1 || indexOf == path.length() - 1) {
                            String str5 = "invalid requestURI " + fullHttpRequest.uri();
                            LOG.error(str5);
                            throw new HttpRespAuditException(HttpResponseStatus.NOT_FOUND, null, str5, AuditLevel.ERROR, AuditStatus.FAILED);
                        }
                        String substring = path.substring(1, indexOf);
                        str4 = path.substring(indexOf + 1);
                        str3 = this.responderManager.getCaNameForAlias(substring);
                        if (str3 == null) {
                            str3 = substring.toUpperCase();
                        }
                        x509Ca = this.responderManager.getX509CaResponder(str3).getCa();
                    }
                    if (str3 == null || x509Ca == null || x509Ca.caInfo().status() != CaStatus.ACTIVE) {
                        String str6 = str3 == null ? "no CA is specified" : x509Ca == null ? "unknown CA '" + str3 + "'" : "CA '" + str3 + "' is out of service";
                        LOG.warn(str6);
                        throw new HttpRespAuditException(HttpResponseStatus.NOT_FOUND, null, str6, AuditLevel.INFO, AuditStatus.FAILED);
                    }
                    auditEvent.addEventData("CA", x509Ca.caIdent().name());
                    auditEvent.addEventType(str4);
                    String str7 = fullHttpRequest.headers().get("Authorization");
                    if (str7 == null || !str7.startsWith("Basic ")) {
                        X509Certificate clientCert = getClientCert(fullHttpRequest, sSLSession, sslReverseProxyMode);
                        if (clientCert == null) {
                            throw new HttpRespAuditException(HttpResponseStatus.UNAUTHORIZED, null, "no client certificate", AuditLevel.INFO, AuditStatus.FAILED);
                        }
                        requestor = x509Ca.getRequestor(clientCert);
                    } else {
                        String str8 = null;
                        byte[] bArr = null;
                        if (str7.length() > 6) {
                            byte[] decodeFast = Base64.decodeFast(str7.substring(6));
                            int i = -1;
                            int i2 = 0;
                            while (true) {
                                if (i2 >= decodeFast.length) {
                                    break;
                                }
                                if (decodeFast[i2] == 58) {
                                    i = i2;
                                    break;
                                }
                                i2++;
                            }
                            if (i != -1 && i < decodeFast.length - 1) {
                                str8 = new String(Arrays.copyOfRange(decodeFast, 0, i));
                                bArr = Arrays.copyOfRange(decodeFast, i + 1, decodeFast.length);
                            }
                        }
                        if (str8 == null) {
                            throw new HttpRespAuditException(HttpResponseStatus.UNAUTHORIZED, "invalid Authorization information", AuditLevel.INFO, AuditStatus.FAILED);
                        }
                        NameId authenticateUser = x509Ca.authenticateUser(str8, bArr);
                        if (authenticateUser == null) {
                            throw new HttpRespAuditException(HttpResponseStatus.UNAUTHORIZED, "could not authenticate user", AuditLevel.INFO, AuditStatus.FAILED);
                        }
                        requestor = x509Ca.getByUserRequestor(authenticateUser);
                    }
                    if (requestor == null) {
                        throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "no requestor specified");
                    }
                    auditEvent.addEventData(CaAuditConstants.NAME_requestor, requestor.ident().name());
                    String str9 = null;
                    byte[] bArr2 = null;
                    if ("cacert".equalsIgnoreCase(str4)) {
                        str9 = "application/pkix-cert";
                        bArr2 = x509Ca.caInfo().certificate().encodedCert();
                    } else if ("enroll-cert".equalsIgnoreCase(str4)) {
                        String parameter = servletURI.parameter("profile");
                        if (StringUtil.isBlank(parameter)) {
                            throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "required parameter profile not specified", AuditLevel.INFO, AuditStatus.FAILED);
                        }
                        String upperCase = parameter.toUpperCase();
                        try {
                            requestor.assertPermitted(1);
                            if (!requestor.isCertProfilePermitted(upperCase)) {
                                throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "certProfile " + upperCase + " is not allowed");
                            }
                            String str10 = fullHttpRequest.headers().get("Content-Type");
                            if (!"application/pkcs10".equalsIgnoreCase(str10)) {
                                throw new HttpRespAuditException(HttpResponseStatus.UNSUPPORTED_MEDIA_TYPE, "unsupported media type " + str10, AuditLevel.INFO, AuditStatus.FAILED);
                            }
                            String parameter2 = servletURI.parameter("not-before");
                            Date parseUtcTimeyyyyMMddhhmmss = parameter2 == null ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(parameter2);
                            String parameter3 = servletURI.parameter("not-after");
                            Date parseUtcTimeyyyyMMddhhmmss2 = parameter3 == null ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(parameter3);
                            byte[] readContent = readContent(fullHttpRequest);
                            CertificationRequest certificationRequest = CertificationRequest.getInstance(readContent);
                            x509Ca.checkCsr(certificationRequest);
                            CertificationRequestInfo certificationRequestInfo = certificationRequest.getCertificationRequestInfo();
                            X509CertificateInfo generateCertificate = x509Ca.generateCertificate(new CertTemplateData(certificationRequestInfo.getSubject(), certificationRequestInfo.getSubjectPublicKeyInfo(), parseUtcTimeyyyyMMddhhmmss, parseUtcTimeyyyyMMddhhmmss2, CaUtil.getExtensions(certificationRequestInfo), upperCase), requestor, RequestType.REST, null, nextHexLong);
                            if (x509Ca.caInfo().isSaveRequest()) {
                                x509Ca.addRequestCert(x509Ca.addRequest(readContent), generateCertificate.cert().certId().longValue());
                            }
                            X509CertWithDbId cert = generateCertificate.cert();
                            if (cert == null) {
                                LOG.warn("could not generate certificate");
                                throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, "could not generate certificate", AuditLevel.INFO, AuditStatus.FAILED);
                            }
                            str9 = "application/pkix-cert";
                            bArr2 = cert.encodedCert();
                        } catch (InsuffientPermissionException e) {
                            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, e.getMessage());
                        }
                    } else if ("revoke-cert".equalsIgnoreCase(str4) || "delete-cert".equalsIgnoreCase(str4)) {
                        try {
                            requestor.assertPermitted("revoke-cert".equalsIgnoreCase(str4) ? 2 : 8);
                            String parameter4 = servletURI.parameter("ca-sha1");
                            if (StringUtil.isBlank(parameter4)) {
                                throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "required parameter ca-sha1 not specified", AuditLevel.INFO, AuditStatus.FAILED);
                            }
                            String parameter5 = servletURI.parameter("serial-number");
                            if (StringUtil.isBlank(parameter5)) {
                                throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "required parameter serial-number not specified", AuditLevel.INFO, AuditStatus.FAILED);
                            }
                            if (!parameter4.equalsIgnoreCase(x509Ca.getHexSha1OfCert())) {
                                throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "unknown ca-sha1", AuditLevel.INFO, AuditStatus.FAILED);
                            }
                            BigInteger bigInt = toBigInt(parameter5);
                            if ("revoke-cert".equalsIgnoreCase(str4)) {
                                String parameter6 = servletURI.parameter(CaAuditConstants.NAME_reason);
                                CrlReason forNameOrText = parameter6 == null ? CrlReason.UNSPECIFIED : CrlReason.forNameOrText(parameter6);
                                if (forNameOrText == CrlReason.REMOVE_FROM_CRL) {
                                    x509Ca.unrevokeCertificate(bigInt, nextHexLong);
                                } else {
                                    Date date = null;
                                    String parameter7 = servletURI.parameter("invalidity-time");
                                    if (StringUtil.isNotBlank(parameter7)) {
                                        date = DateUtil.parseUtcTimeyyyyMMddhhmmss(parameter7);
                                    }
                                    x509Ca.revokeCertificate(bigInt, forNameOrText, date, nextHexLong);
                                }
                            } else if ("delete-cert".equalsIgnoreCase(str4)) {
                                x509Ca.removeCertificate(bigInt, nextHexLong);
                            }
                        } catch (InsuffientPermissionException e2) {
                            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, e2.getMessage());
                        }
                    } else if ("crl".equalsIgnoreCase(str4)) {
                        try {
                            requestor.assertPermitted(64);
                            String parameter8 = servletURI.parameter("crl-number");
                            BigInteger bigInteger = null;
                            if (StringUtil.isNotBlank(parameter8)) {
                                try {
                                    bigInteger = toBigInt(parameter8);
                                } catch (NumberFormatException e3) {
                                    String str11 = "invalid crlNumber '" + parameter8 + "'";
                                    LOG.warn(str11);
                                    throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, str11, AuditLevel.INFO, AuditStatus.FAILED);
                                }
                            }
                            X509CRL crl = x509Ca.getCrl(bigInteger);
                            if (crl == null) {
                                LOG.warn("could not get CRL");
                                throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, "could not get CRL", AuditLevel.INFO, AuditStatus.FAILED);
                            }
                            str9 = "application/pkix-crl";
                            bArr2 = crl.getEncoded();
                        } catch (InsuffientPermissionException e4) {
                            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, e4.getMessage());
                        }
                    } else {
                        if (!"new-crl".equalsIgnoreCase(str4)) {
                            String str12 = "invalid command '" + str4 + "'";
                            LOG.error(str12);
                            throw new HttpRespAuditException(HttpResponseStatus.NOT_FOUND, str12, AuditLevel.INFO, AuditStatus.FAILED);
                        }
                        try {
                            requestor.assertPermitted(32);
                            X509CRL generateCrlOnDemand = x509Ca.generateCrlOnDemand(nextHexLong);
                            if (generateCrlOnDemand == null) {
                                LOG.warn("could not generate CRL");
                                throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, "could not generate CRL", AuditLevel.INFO, AuditStatus.FAILED);
                            }
                            str9 = "application/pkix-crl";
                            bArr2 = generateCrlOnDemand.getEncoded();
                        } catch (InsuffientPermissionException e5) {
                            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, e5.getMessage());
                        }
                    }
                    FullHttpResponse createOKResponse = createOKResponse(protocolVersion, str9, bArr2);
                    createOKResponse.headers().add("X-xipki-pkistatus", "accepted");
                    audit(auditService, auditEvent, auditLevel, auditStatus, null);
                    return createOKResponse;
                } catch (Throwable th) {
                    audit(auditService, auditEvent, auditLevel, auditStatus, null);
                    throw th;
                }
            } catch (OperationException e6) {
                OperationException.ErrorCode errorCode = e6.errorCode();
                LOG.warn("generate certificate, OperationException: code={}, message={}", errorCode.name(), e6.errorMessage());
                switch (AnonymousClass1.$SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[errorCode.ordinal()]) {
                    case PasswordHash.SALT_INDEX /* 1 */:
                        httpResponseStatus = HttpResponseStatus.BAD_REQUEST;
                        str = "badRequest";
                        break;
                    case PasswordHash.PBKDF2_INDEX /* 2 */:
                        httpResponseStatus = HttpResponseStatus.BAD_REQUEST;
                        str = "badCertTemplate";
                        break;
                    case 3:
                        httpResponseStatus = HttpResponseStatus.BAD_REQUEST;
                        str = "badRequest";
                        break;
                    case 4:
                        httpResponseStatus = HttpResponseStatus.CONFLICT;
                        str = "certRevoked";
                        break;
                    case 5:
                        httpResponseStatus = HttpResponseStatus.INTERNAL_SERVER_ERROR;
                        str = "systemFailure";
                        break;
                    case 6:
                        httpResponseStatus = HttpResponseStatus.INTERNAL_SERVER_ERROR;
                        str = "systemFailure";
                        break;
                    case 7:
                        httpResponseStatus = HttpResponseStatus.UNAUTHORIZED;
                        str = "notAuthorized";
                        break;
                    case 8:
                        httpResponseStatus = HttpResponseStatus.BAD_REQUEST;
                        str = "badRequest";
                        break;
                    case 9:
                        httpResponseStatus = HttpResponseStatus.INTERNAL_SERVER_ERROR;
                        str = "systemFailure";
                        break;
                    case 10:
                        httpResponseStatus = HttpResponseStatus.SERVICE_UNAVAILABLE;
                        str = "systemUnavail";
                        break;
                    case 11:
                        httpResponseStatus = HttpResponseStatus.BAD_REQUEST;
                        str = "badCertId";
                        break;
                    case 12:
                        httpResponseStatus = HttpResponseStatus.BAD_REQUEST;
                        str = "badCertTemplate";
                        break;
                    default:
                        httpResponseStatus = HttpResponseStatus.INTERNAL_SERVER_ERROR;
                        str = "systemFailure";
                        break;
                }
                auditEvent.setStatus(AuditStatus.FAILED);
                auditEvent.addEventData(CaAuditConstants.NAME_message, errorCode.name());
                switch (AnonymousClass1.$SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[errorCode.ordinal()]) {
                    case 6:
                    case 9:
                        str2 = errorCode.name();
                        break;
                    default:
                        str2 = errorCode.name() + ": " + e6.errorMessage();
                        break;
                }
                FullHttpResponse createErrorResponse = createErrorResponse(protocolVersion, httpResponseStatus);
                createErrorResponse.headers().add("X-xipki-pkistatus", "rejection");
                if (StringUtil.isNotBlank(str)) {
                    createErrorResponse.headers().add("X-xipki-fail-info", str);
                }
                audit(auditService, auditEvent, auditLevel, auditStatus, str2);
                return createErrorResponse;
            }
        } catch (HttpRespAuditException e7) {
            AuditStatus auditStatus2 = e7.auditStatus();
            AuditLevel auditLevel2 = e7.auditLevel();
            String auditMessage = e7.auditMessage();
            FullHttpResponse createErrorResponse2 = createErrorResponse(protocolVersion, e7.httpStatus());
            audit(auditService, auditEvent, auditLevel2, auditStatus2, auditMessage);
            return createErrorResponse2;
        } catch (Throwable th2) {
            if (th2 instanceof EOFException) {
                LogUtil.warn(LOG, th2, "connection reset by peer");
            } else {
                LOG.error("Throwable thrown, this should not happen!", th2);
            }
            AuditLevel auditLevel3 = AuditLevel.ERROR;
            AuditStatus auditStatus3 = AuditStatus.FAILED;
            FullHttpResponse createErrorResponse3 = createErrorResponse(protocolVersion, HttpResponseStatus.INTERNAL_SERVER_ERROR);
            audit(auditService, auditEvent, auditLevel3, auditStatus3, "internal error");
            return createErrorResponse3;
        }
    }

    public void setResponderManager(CmpResponderManager cmpResponderManager) {
        this.responderManager = cmpResponderManager;
    }

    public void setAuditServiceRegister(AuditServiceRegister auditServiceRegister) {
        this.auditServiceRegister = auditServiceRegister;
    }

    private static void audit(AuditService auditService, AuditEvent auditEvent, AuditLevel auditLevel, AuditStatus auditStatus, String str) {
        if (auditLevel != null) {
            auditEvent.setLevel(auditLevel);
        }
        if (auditStatus != null) {
            auditEvent.setStatus(auditStatus);
        }
        if (str != null) {
            auditEvent.addEventData(CaAuditConstants.NAME_message, str);
        }
        auditEvent.finish();
        auditService.logEvent(auditEvent);
    }

    private static BigInteger toBigInt(String str) {
        String trim = str.trim();
        if (!trim.startsWith("0x") && !trim.startsWith("0X")) {
            return new BigInteger(trim);
        }
        if (trim.length() > 2) {
            return new BigInteger(trim.substring(2), 16);
        }
        throw new NumberFormatException("invalid integer '" + trim + "'");
    }
}
