package org.xipki.ca.server.impl.scep;

import java.io.IOException;
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.cms.SignedData;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSAbsentContent;
import org.bouncycastle.cms.CMSAlgorithm;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.util.CollectionStore;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.audit.AuditStatus;
import org.xipki.ca.api.NameId;
import org.xipki.ca.api.OperationException;
import org.xipki.ca.api.RequestType;
import org.xipki.ca.server.impl.ByUserRequestorInfo;
import org.xipki.ca.server.impl.CaAuditConstants;
import org.xipki.ca.server.impl.CaManagerImpl;
import org.xipki.ca.server.impl.CertTemplateData;
import org.xipki.ca.server.impl.KnowCertResult;
import org.xipki.ca.server.impl.X509Ca;
import org.xipki.ca.server.impl.util.CaUtil;
import org.xipki.ca.server.impl.util.PasswordHash;
import org.xipki.ca.server.mgmt.api.CaMgmtException;
import org.xipki.ca.server.mgmt.api.CaStatus;
import org.xipki.ca.server.mgmt.api.PermissionConstants;
import org.xipki.ca.server.mgmt.api.x509.ScepControl;
import org.xipki.ca.server.mgmt.api.x509.ScepEntry;
import org.xipki.common.InvalidConfException;
import org.xipki.common.ObjectCreationException;
import org.xipki.common.util.Base64;
import org.xipki.common.util.CollectionUtil;
import org.xipki.common.util.LogUtil;
import org.xipki.common.util.ParamUtil;
import org.xipki.scep.crypto.ScepHashAlgoType;
import org.xipki.scep.exception.MessageDecodingException;
import org.xipki.scep.exception.MessageEncodingException;
import org.xipki.scep.message.CaCaps;
import org.xipki.scep.message.DecodedPkiMessage;
import org.xipki.scep.message.EnvelopedDataDecryptor;
import org.xipki.scep.message.EnvelopedDataDecryptorInstance;
import org.xipki.scep.message.IssuerAndSubject;
import org.xipki.scep.message.PkiMessage;
import org.xipki.scep.transaction.CaCapability;
import org.xipki.scep.transaction.FailInfo;
import org.xipki.scep.transaction.MessageType;
import org.xipki.scep.transaction.Nonce;
import org.xipki.scep.transaction.PkiStatus;
import org.xipki.scep.transaction.TransactionId;
import org.xipki.security.HashAlgoType;
import org.xipki.security.KeyCertPair;
import org.xipki.security.SignatureAlgoControl;
import org.xipki.security.SignerConf;
import org.xipki.security.X509Cert;
import org.xipki.security.util.X509Util;

/* loaded from: input_file:org/xipki/ca/server/impl/scep/Scep.class */
public class Scep {
    private static final long DFLT_MAX_SIGNINGTIME_BIAS = 300000;
    private final String name;
    private final NameId caIdent;
    private final ScepEntry dbEntry;
    private final Set<String> certProfiles;
    private final ScepControl control;
    private final CaManagerImpl caManager;
    private final PrivateKey responderKey;
    private final X509Certificate responderCert;
    private final CaCaps caCaps;
    private final EnvelopedDataDecryptor envelopedDataDecryptor;
    private X509Cert caCert;
    private CaCertRespBytes caCertRespBytes;
    private long maxSigningTimeBiasInMs = DFLT_MAX_SIGNINGTIME_BIAS;
    private static final Logger LOG = LoggerFactory.getLogger(Scep.class);
    private static final Set<ASN1ObjectIdentifier> AES_ENC_ALGOS = new HashSet();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.xipki.ca.server.impl.scep.Scep$1, reason: invalid class name */
    /* loaded from: input_file:org/xipki/ca/server/impl/scep/Scep$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xipki$scep$transaction$MessageType = new int[MessageType.values().length];

        static {
            try {
                $SwitchMap$org$xipki$scep$transaction$MessageType[MessageType.PKCSReq.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$xipki$scep$transaction$MessageType[MessageType.RenewalReq.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$xipki$scep$transaction$MessageType[MessageType.UpdateReq.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$xipki$scep$transaction$MessageType[MessageType.CertPoll.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$xipki$scep$transaction$MessageType[MessageType.GetCert.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$xipki$scep$transaction$MessageType[MessageType.GetCRL.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
        }
    }

    public Scep(ScepEntry scepEntry, CaManagerImpl caManagerImpl) throws CaMgmtException {
        this.caManager = (CaManagerImpl) ParamUtil.requireNonNull("caManager", caManagerImpl);
        this.dbEntry = (ScepEntry) ParamUtil.requireNonNull("dbEntry", scepEntry);
        this.name = scepEntry.name();
        this.caIdent = scepEntry.caIdent();
        this.certProfiles = scepEntry.certProfiles();
        try {
            this.control = new ScepControl(scepEntry.control());
            LOG.info("SCEP {}: caCert.included={}, signerCert.included={},support.getcrl={}", new Object[]{this.caIdent, Boolean.valueOf(this.control.includeCaCert()), Boolean.valueOf(this.control.includeSignerCert()), Boolean.valueOf(this.control.supportGetCrl())});
            String responderType = scepEntry.responderType();
            if (!"PKCS12".equalsIgnoreCase(responderType) && !"JKS".equalsIgnoreCase(responderType)) {
                throw new CaMgmtException("unsupported SCEP responder type '" + responderType + "'");
            }
            try {
                KeyCertPair createPrivateKeyAndCert = caManagerImpl.securityFactory().createPrivateKeyAndCert(scepEntry.responderType(), new SignerConf(scepEntry.responderConf(), HashAlgoType.SHA256, new SignatureAlgoControl()), scepEntry.certificate());
                this.responderKey = createPrivateKeyAndCert.privateKey();
                this.responderCert = createPrivateKeyAndCert.certificate();
                if (!(this.responderCert.getPublicKey() instanceof RSAPublicKey)) {
                    throw new IllegalArgumentException("The responder key is not RSA key for CA " + this.caIdent);
                }
                CaCaps caCaps = new CaCaps();
                caCaps.addCapability(CaCapability.AES);
                caCaps.addCapability(CaCapability.DES3);
                caCaps.addCapability(CaCapability.POSTPKIOperation);
                caCaps.addCapability(CaCapability.Renewal);
                caCaps.addCapability(CaCapability.SHA1);
                caCaps.addCapability(CaCapability.SHA256);
                caCaps.addCapability(CaCapability.SHA512);
                this.caCaps = caCaps;
                this.envelopedDataDecryptor = new EnvelopedDataDecryptor(new EnvelopedDataDecryptorInstance(this.responderCert, this.responderKey));
            } catch (ObjectCreationException e) {
                throw new CaMgmtException(e);
            }
        } catch (InvalidConfException e2) {
            throw new CaMgmtException(e2);
        }
    }

    public void setMaxSigningTimeBias(long j) {
        this.maxSigningTimeBiasInMs = j;
    }

    public String name() {
        return this.name;
    }

    public NameId caIdent() {
        return this.caIdent;
    }

    public ScepEntry dbEntry() {
        return this.dbEntry;
    }

    public CaCaps caCaps() {
        return this.caCaps;
    }

    public CaCertRespBytes caCertResp() throws OperationException {
        refreshCa();
        return this.caCertRespBytes;
    }

    public boolean supportsCertProfile(String str) throws CaMgmtException {
        if (this.certProfiles.contains("ALL") || this.certProfiles.contains(str.toUpperCase())) {
            return this.caManager.x509Ca(this.caIdent).supportsCertProfile(str);
        }
        return false;
    }

    public CaStatus status() {
        if (!this.dbEntry.isActive() || this.dbEntry.isFaulty()) {
            return CaStatus.INACTIVE;
        }
        try {
            return this.caManager.x509Ca(this.caIdent).caInfo().status();
        } catch (CaMgmtException e) {
            LogUtil.error(LOG, e);
            return CaStatus.INACTIVE;
        }
    }

    public ContentInfo servicePkiOperation(CMSSignedData cMSSignedData, String str, String str2, AuditEvent auditEvent) throws MessageDecodingException, OperationException {
        if (CaStatus.ACTIVE != status()) {
            LOG.warn("SCEP {} is not active", this.caIdent);
            throw new OperationException(OperationException.ErrorCode.SYSTEM_UNAVAILABLE);
        }
        DecodedPkiMessage decode = DecodedPkiMessage.decode(cMSSignedData, this.envelopedDataDecryptor, (CollectionStore) null);
        PkiMessage servicePkiOperation0 = servicePkiOperation0(cMSSignedData, decode, str, str2, auditEvent);
        audit(auditEvent, CaAuditConstants.NAME_SCEP_pkiStatus, servicePkiOperation0.pkiStatus().toString());
        if (servicePkiOperation0.pkiStatus() == PkiStatus.FAILURE) {
            auditEvent.setStatus(AuditStatus.FAILED);
        }
        if (servicePkiOperation0.failInfo() != null) {
            audit(auditEvent, CaAuditConstants.NAME_SCEP_failInfo, servicePkiOperation0.failInfo().toString());
        }
        return encodeResponse(servicePkiOperation0, decode);
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:72:0x0305. Please report as an issue. */
    private PkiMessage servicePkiOperation0(CMSSignedData cMSSignedData, DecodedPkiMessage decodedPkiMessage, String str, String str2, AuditEvent auditEvent) throws MessageDecodingException, OperationException {
        MessageType messageType;
        SignedData crl;
        boolean z;
        ParamUtil.requireNonNull("requestContent", cMSSignedData);
        ParamUtil.requireNonNull("req", decodedPkiMessage);
        String id = decodedPkiMessage.transactionId().id();
        audit(auditEvent, CaAuditConstants.NAME_tid, id);
        if (decodedPkiMessage.failureMessage() != null) {
            audit(auditEvent, CaAuditConstants.NAME_SCEP_failureMessage, decodedPkiMessage.failureMessage());
        }
        Boolean isSignatureValid = decodedPkiMessage.isSignatureValid();
        if (isSignatureValid != null && !isSignatureValid.booleanValue()) {
            audit(auditEvent, CaAuditConstants.NAME_SCEP_signature, "invalid");
        }
        Boolean isDecryptionSuccessful = decodedPkiMessage.isDecryptionSuccessful();
        if (isDecryptionSuccessful != null && !isDecryptionSuccessful.booleanValue()) {
            audit(auditEvent, CaAuditConstants.NAME_SCEP_decryption, "failed");
        }
        PkiMessage pkiMessage = new PkiMessage(decodedPkiMessage.transactionId(), MessageType.CertRep, Nonce.randomNonce());
        pkiMessage.setRecipientNonce(decodedPkiMessage.senderNonce());
        if (decodedPkiMessage.failureMessage() != null) {
            pkiMessage.setPkiStatus(PkiStatus.FAILURE);
            pkiMessage.setFailInfo(FailInfo.badRequest);
            return pkiMessage;
        }
        Boolean isSignatureValid2 = decodedPkiMessage.isSignatureValid();
        if (isSignatureValid2 != null && !isSignatureValid2.booleanValue()) {
            pkiMessage.setPkiStatus(PkiStatus.FAILURE);
            pkiMessage.setFailInfo(FailInfo.badMessageCheck);
            return pkiMessage;
        }
        Boolean isDecryptionSuccessful2 = decodedPkiMessage.isDecryptionSuccessful();
        if (isDecryptionSuccessful2 != null && !isDecryptionSuccessful2.booleanValue()) {
            pkiMessage.setPkiStatus(PkiStatus.FAILURE);
            pkiMessage.setFailInfo(FailInfo.badRequest);
            return pkiMessage;
        }
        Date signingTime = decodedPkiMessage.signingTime();
        if (this.maxSigningTimeBiasInMs > 0) {
            if (signingTime == null) {
                z = true;
            } else {
                long currentTimeMillis = System.currentTimeMillis() - signingTime.getTime();
                if (currentTimeMillis < 0) {
                    currentTimeMillis = (-1) * currentTimeMillis;
                }
                z = currentTimeMillis > this.maxSigningTimeBiasInMs;
            }
            if (z) {
                pkiMessage.setPkiStatus(PkiStatus.FAILURE);
                pkiMessage.setFailInfo(FailInfo.badTime);
                return pkiMessage;
            }
        }
        String id2 = decodedPkiMessage.digestAlgorithm().getId();
        ScepHashAlgoType forNameOrOid = ScepHashAlgoType.forNameOrOid(id2);
        if (forNameOrOid == null) {
            LOG.warn("tid={}: unknown digest algorithm {}", id, id2);
            pkiMessage.setPkiStatus(PkiStatus.FAILURE);
            pkiMessage.setFailInfo(FailInfo.badAlg);
            return pkiMessage;
        }
        boolean z2 = false;
        if (forNameOrOid == ScepHashAlgoType.SHA1) {
            if (this.caCaps.containsCapability(CaCapability.SHA1)) {
                z2 = true;
            }
        } else if (forNameOrOid == ScepHashAlgoType.SHA256) {
            if (this.caCaps.containsCapability(CaCapability.SHA256)) {
                z2 = true;
            }
        } else if (forNameOrOid == ScepHashAlgoType.SHA512 && this.caCaps.containsCapability(CaCapability.SHA512)) {
            z2 = true;
        }
        if (!z2) {
            LOG.warn("tid={}: unsupported digest algorithm {}", id, id2);
            pkiMessage.setPkiStatus(PkiStatus.FAILURE);
            pkiMessage.setFailInfo(FailInfo.badAlg);
            return pkiMessage;
        }
        ASN1ObjectIdentifier contentEncryptionAlgorithm = decodedPkiMessage.contentEncryptionAlgorithm();
        if (CMSAlgorithm.DES_EDE3_CBC.equals(contentEncryptionAlgorithm)) {
            if (!this.caCaps.containsCapability(CaCapability.DES3)) {
                LOG.warn("tid={}: encryption with DES3 algorithm is not permitted", id, contentEncryptionAlgorithm);
                pkiMessage.setPkiStatus(PkiStatus.FAILURE);
                pkiMessage.setFailInfo(FailInfo.badAlg);
                return pkiMessage;
            }
        } else {
            if (!AES_ENC_ALGOS.contains(contentEncryptionAlgorithm)) {
                LOG.warn("tid={}: encryption with algorithm {} is not permitted", id, contentEncryptionAlgorithm);
                pkiMessage.setPkiStatus(PkiStatus.FAILURE);
                pkiMessage.setFailInfo(FailInfo.badAlg);
                return pkiMessage;
            }
            if (!this.caCaps.containsCapability(CaCapability.AES)) {
                LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", id, contentEncryptionAlgorithm);
                pkiMessage.setPkiStatus(PkiStatus.FAILURE);
                pkiMessage.setFailInfo(FailInfo.badAlg);
                return pkiMessage;
            }
        }
        try {
            X509Ca x509Ca = this.caManager.x509Ca(this.caIdent);
            X500Name subjectAsX500Name = x509Ca.caInfo().certificate().subjectAsX500Name();
            try {
                messageType = decodedPkiMessage.messageType();
                audit(auditEvent, CaAuditConstants.NAME_SCEP_messageType, messageType.toString());
            } catch (FailInfoException e) {
                LogUtil.error(LOG, e);
                pkiMessage.setPkiStatus(PkiStatus.FAILURE);
                pkiMessage.setFailInfo(e.failInfo());
            }
            switch (AnonymousClass1.$SwitchMap$org$xipki$scep$transaction$MessageType[messageType.ordinal()]) {
                case PasswordHash.SALT_INDEX /* 1 */:
                case PasswordHash.PBKDF2_INDEX /* 2 */:
                case 3:
                    CertificationRequest certificationRequest = CertificationRequest.getInstance(decodedPkiMessage.messageData());
                    X500Name subject = certificationRequest.getCertificationRequestInfo().getSubject();
                    if (LOG.isInfoEnabled()) {
                        LOG.info("tid={}, subject={}", id, X509Util.getRfc4519Name(subject));
                    }
                    try {
                        x509Ca.checkCsr(certificationRequest);
                        CertificationRequestInfo certificationRequestInfo = certificationRequest.getCertificationRequestInfo();
                        X509Certificate signatureCert = decodedPkiMessage.signatureCert();
                        X500Principal subjectX500Principal = signatureCert.getSubjectX500Principal();
                        boolean equals = subjectX500Principal.equals(signatureCert.getIssuerX500Principal());
                        if (equals && !X500Name.getInstance(subjectX500Principal.getEncoded()).equals(certificationRequestInfo.getSubject())) {
                            LOG.warn("tid={}, self-signed identityCert.subject != csr.subject");
                            throw FailInfoException.BAD_REQUEST;
                        }
                        if (X509Util.getCommonName(certificationRequestInfo.getSubject()) == null) {
                            throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, "tid=" + id + ": no CommonName in requested subject");
                        }
                        NameId nameId = null;
                        String challengePassword = CaUtil.getChallengePassword(certificationRequestInfo);
                        if (challengePassword != null) {
                            String[] split = challengePassword.split(":");
                            if (split == null || split.length != 2) {
                                LOG.warn("tid={}: challengePassword does not have the format <user>:<password>", id);
                                throw FailInfoException.BAD_REQUEST;
                            }
                            String str3 = split[0];
                            nameId = x509Ca.authenticateUser(str3, split[1].getBytes());
                            if (nameId == null) {
                                LOG.warn("tid={}: could not authenticate user {}", id, str3);
                                throw FailInfoException.BAD_REQUEST;
                            }
                        }
                        if (equals) {
                            if (MessageType.PKCSReq != messageType) {
                                LOG.warn("tid={}: self-signed certificate is not permitted for messageType {}", id, messageType);
                                throw FailInfoException.BAD_REQUEST;
                            }
                            if (nameId == null) {
                                LOG.warn("tid={}: could not extract user & password from challengePassword, which are required for self-signed signature certificate", id);
                                throw FailInfoException.BAD_REQUEST;
                            }
                        } else if (nameId == null) {
                            KnowCertResult knowsCertificate = x509Ca.knowsCertificate(signatureCert);
                            if (!knowsCertificate.isKnown()) {
                                LOG.warn("tid={}: signature certificate is not trusted by the CA", id);
                                throw FailInfoException.BAD_REQUEST;
                            }
                            Integer userId = knowsCertificate.userId();
                            if (userId == null) {
                                LOG.warn("tid={}: could not extract user from the signature cert", id);
                                throw FailInfoException.BAD_REQUEST;
                            }
                            nameId = x509Ca.getUserIdent(userId.intValue());
                        }
                        ByUserRequestorInfo byUserRequestor = x509Ca.getByUserRequestor(nameId);
                        checkUserPermission(byUserRequestor, str);
                        crl = buildSignedData(x509Ca.generateCertificate(new CertTemplateData(certificationRequestInfo.getSubject(), certificationRequestInfo.getSubjectPublicKeyInfo(), (Date) null, (Date) null, CaUtil.getExtensions(certificationRequestInfo), str), byUserRequestor, RequestType.SCEP, getTransactionIdBytes(id), str2).cert().cert());
                        pkiMessage.setMessageData(new ContentInfo(CMSObjectIdentifiers.signedData, crl));
                        pkiMessage.setPkiStatus(PkiStatus.SUCCESS);
                        return pkiMessage;
                    } catch (OperationException e2) {
                        LogUtil.warn(LOG, e2, "tid=" + id + " POPO verification failed");
                        throw FailInfoException.BAD_MESSAGE_CHECK;
                    }
                case 4:
                    IssuerAndSubject issuerAndSubject = IssuerAndSubject.getInstance(decodedPkiMessage.messageData());
                    audit(auditEvent, CaAuditConstants.NAME_issuer, X509Util.getRfc4519Name(issuerAndSubject.issuer()));
                    audit(auditEvent, CaAuditConstants.NAME_subject, X509Util.getRfc4519Name(issuerAndSubject.subject()));
                    ensureIssuedByThisCa(subjectAsX500Name, issuerAndSubject.issuer());
                    crl = pollCert(x509Ca, issuerAndSubject.subject(), decodedPkiMessage.transactionId());
                    pkiMessage.setMessageData(new ContentInfo(CMSObjectIdentifiers.signedData, crl));
                    pkiMessage.setPkiStatus(PkiStatus.SUCCESS);
                    return pkiMessage;
                case 5:
                    IssuerAndSerialNumber issuerAndSerialNumber = IssuerAndSerialNumber.getInstance(decodedPkiMessage.messageData());
                    BigInteger positiveValue = issuerAndSerialNumber.getSerialNumber().getPositiveValue();
                    audit(auditEvent, CaAuditConstants.NAME_issuer, X509Util.getRfc4519Name(issuerAndSerialNumber.getName()));
                    audit(auditEvent, CaAuditConstants.NAME_serial, LogUtil.formatCsn(positiveValue));
                    ensureIssuedByThisCa(subjectAsX500Name, issuerAndSerialNumber.getName());
                    crl = getCert(x509Ca, issuerAndSerialNumber.getSerialNumber().getPositiveValue());
                    pkiMessage.setMessageData(new ContentInfo(CMSObjectIdentifiers.signedData, crl));
                    pkiMessage.setPkiStatus(PkiStatus.SUCCESS);
                    return pkiMessage;
                case 6:
                    IssuerAndSerialNumber issuerAndSerialNumber2 = IssuerAndSerialNumber.getInstance(decodedPkiMessage.messageData());
                    BigInteger positiveValue2 = issuerAndSerialNumber2.getSerialNumber().getPositiveValue();
                    audit(auditEvent, CaAuditConstants.NAME_issuer, X509Util.getRfc4519Name(issuerAndSerialNumber2.getName()));
                    audit(auditEvent, CaAuditConstants.NAME_serial, LogUtil.formatCsn(positiveValue2));
                    ensureIssuedByThisCa(subjectAsX500Name, issuerAndSerialNumber2.getName());
                    crl = getCrl(x509Ca, positiveValue2);
                    pkiMessage.setMessageData(new ContentInfo(CMSObjectIdentifiers.signedData, crl));
                    pkiMessage.setPkiStatus(PkiStatus.SUCCESS);
                    return pkiMessage;
                default:
                    LOG.error("unknown SCEP messageType '{}'", decodedPkiMessage.messageType());
                    throw FailInfoException.BAD_REQUEST;
            }
        } catch (CaMgmtException e3) {
            LogUtil.error(LOG, e3, id + "=" + id + ",could not get X509CA");
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e3);
        }
    }

    private SignedData getCert(X509Ca x509Ca, BigInteger bigInteger) throws FailInfoException, OperationException {
        try {
            X509Certificate certificate = x509Ca.getCertificate(bigInteger);
            if (certificate == null) {
                throw FailInfoException.BAD_CERTID;
            }
            return buildSignedData(certificate);
        } catch (CertificateException e) {
            LogUtil.error(LOG, e, "could not get certificate for CA '" + this.caIdent + "' and serialNumber=" + LogUtil.formatCsn(bigInteger) + ")");
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e);
        }
    }

    private SignedData pollCert(X509Ca x509Ca, X500Name x500Name, TransactionId transactionId) throws FailInfoException, OperationException {
        List<X509Certificate> certificate = x509Ca.getCertificate(x500Name, getTransactionIdBytes(transactionId.id()));
        if (CollectionUtil.isEmpty(certificate)) {
            certificate = x509Ca.getCertificate(x500Name, null);
        }
        if (CollectionUtil.isEmpty(certificate)) {
            throw FailInfoException.BAD_CERTID;
        }
        if (certificate.size() <= 1) {
            return buildSignedData(certificate.get(0));
        }
        LOG.warn("given certId (subject: {}) and transactionId {} match multiple certificates", X509Util.getRfc4519Name(x500Name), transactionId.id());
        throw FailInfoException.BAD_CERTID;
    }

    private SignedData buildSignedData(X509Certificate x509Certificate) throws OperationException {
        CMSSignedDataGenerator cMSSignedDataGenerator = new CMSSignedDataGenerator();
        try {
            cMSSignedDataGenerator.addCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
            if (this.control.includeCaCert()) {
                refreshCa();
                cMSSignedDataGenerator.addCertificate(this.caCert.certHolder());
            }
            return SignedData.getInstance(cMSSignedDataGenerator.generate(new CMSAbsentContent()).toASN1Structure().getContent());
        } catch (CMSException | IOException | CertificateEncodingException e) {
            LogUtil.error(LOG, e);
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e);
        }
    }

    private SignedData getCrl(X509Ca x509Ca, BigInteger bigInteger) throws FailInfoException, OperationException {
        if (!this.control.supportGetCrl()) {
            throw FailInfoException.BAD_REQUEST;
        }
        CertificateList bcCurrentCrl = x509Ca.getBcCurrentCrl();
        if (bcCurrentCrl == null) {
            throw FailInfoException.BAD_REQUEST;
        }
        CMSSignedDataGenerator cMSSignedDataGenerator = new CMSSignedDataGenerator();
        cMSSignedDataGenerator.addCRL(new X509CRLHolder(bcCurrentCrl));
        try {
            return SignedData.getInstance(cMSSignedDataGenerator.generate(new CMSAbsentContent()).toASN1Structure().getContent());
        } catch (CMSException e) {
            LogUtil.error(LOG, e, "could not generate CMSSignedData");
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e);
        }
    }

    private ContentInfo encodeResponse(PkiMessage pkiMessage, DecodedPkiMessage decodedPkiMessage) throws OperationException {
        ParamUtil.requireNonNull("response", pkiMessage);
        ParamUtil.requireNonNull("request", decodedPkiMessage);
        try {
            return pkiMessage.encode(this.responderKey, getSignatureAlgorithm(this.responderKey, decodedPkiMessage.digestAlgorithm()), this.responderCert, this.control.includeSignerCert() ? new X509Certificate[]{this.responderCert} : null, decodedPkiMessage.signatureCert(), decodedPkiMessage.contentEncryptionAlgorithm());
        } catch (MessageEncodingException e) {
            LogUtil.error(LOG, e, "could not encode response");
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e);
        }
    }

    private static void checkUserPermission(ByUserRequestorInfo byUserRequestorInfo, String str) throws OperationException {
        if (!byUserRequestorInfo.isPermitted(1)) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, PermissionConstants.getTextForCode(1) + " is not permitted for user " + byUserRequestorInfo.caHasUser().userIdent().name());
        }
        if (!byUserRequestorInfo.isCertProfilePermitted(str)) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "Certificate profile " + str + " is not permitted for user " + byUserRequestorInfo.caHasUser().userIdent().name());
        }
    }

    private static String getSignatureAlgorithm(PrivateKey privateKey, ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        ScepHashAlgoType forNameOrOid = ScepHashAlgoType.forNameOrOid(aSN1ObjectIdentifier.getId());
        if (forNameOrOid == null) {
            forNameOrOid = ScepHashAlgoType.SHA256;
        }
        if ("RSA".equalsIgnoreCase(privateKey.getAlgorithm())) {
            return forNameOrOid.getName() + "withRSA";
        }
        throw new UnsupportedOperationException("getSignatureAlgorithm() for non-RSA is not supported yet.");
    }

    private static void ensureIssuedByThisCa(X500Name x500Name, X500Name x500Name2) throws FailInfoException {
        if (!x500Name.equals(x500Name2)) {
            throw FailInfoException.BAD_CERTID;
        }
    }

    static CMSSignedData createDegeneratedSigendData(X509Certificate... x509CertificateArr) throws CMSException, CertificateException {
        CMSSignedDataGenerator cMSSignedDataGenerator = new CMSSignedDataGenerator();
        try {
            for (X509Certificate x509Certificate : x509CertificateArr) {
                cMSSignedDataGenerator.addCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
            }
            return cMSSignedDataGenerator.generate(new CMSAbsentContent());
        } catch (IOException e) {
            throw new CMSException("could not build CMS SignedDta");
        }
    }

    private static byte[] getTransactionIdBytes(String str) throws OperationException {
        byte[] bArr = null;
        int length = str.length();
        if (length % 2 != 0) {
            bArr = str.getBytes();
        } else {
            try {
                bArr = Hex.decode(str);
            } catch (Exception e) {
                if (length % 4 == 0) {
                    try {
                        bArr = Base64.decode(str);
                    } catch (Exception e2) {
                        LOG.error("could not decode (hex or base64) '{}': {}", str, e2.getMessage());
                    }
                }
            }
        }
        if (bArr == null) {
            bArr = str.getBytes();
        }
        if (bArr.length > 20) {
            throw new OperationException(OperationException.ErrorCode.BAD_REQUEST, "transactionID too long");
        }
        return bArr;
    }

    private static void audit(AuditEvent auditEvent, String str, String str2) {
        auditEvent.addEventData(str, str2 == null ? "null" : str2);
    }

    private void refreshCa() throws OperationException {
        try {
            X509Cert certificate = this.caManager.x509Ca(this.caIdent).caInfo().certificate();
            if (certificate.equals(this.caCert)) {
                return;
            }
            this.caCert = certificate;
            this.caCertRespBytes = new CaCertRespBytes(certificate.cert(), this.responderCert);
        } catch (CaMgmtException | CertificateException | CMSException e) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e.getMessage());
        }
    }

    static {
        AES_ENC_ALGOS.add(CMSAlgorithm.AES128_CBC);
        AES_ENC_ALGOS.add(CMSAlgorithm.AES128_CCM);
        AES_ENC_ALGOS.add(CMSAlgorithm.AES128_GCM);
        AES_ENC_ALGOS.add(CMSAlgorithm.AES192_CBC);
        AES_ENC_ALGOS.add(CMSAlgorithm.AES192_CCM);
        AES_ENC_ALGOS.add(CMSAlgorithm.AES192_GCM);
        AES_ENC_ALGOS.add(CMSAlgorithm.AES256_CBC);
        AES_ENC_ALGOS.add(CMSAlgorithm.AES256_CCM);
        AES_ENC_ALGOS.add(CMSAlgorithm.AES256_GCM);
    }
}
