package org.xipki.scep.serveremulator;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSAbsentContent;
import org.bouncycastle.cms.CMSAlgorithm;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.util.CollectionStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.scep.crypto.ScepHashAlgoType;
import org.xipki.scep.exception.MessageDecodingException;
import org.xipki.scep.message.CaCaps;
import org.xipki.scep.message.DecodedPkiMessage;
import org.xipki.scep.message.EnvelopedDataDecryptor;
import org.xipki.scep.message.EnvelopedDataDecryptorInstance;
import org.xipki.scep.message.IssuerAndSubject;
import org.xipki.scep.message.NextCaMessage;
import org.xipki.scep.message.PkiMessage;
import org.xipki.scep.serveremulator.AuditEvent;
import org.xipki.scep.transaction.CaCapability;
import org.xipki.scep.transaction.FailInfo;
import org.xipki.scep.transaction.MessageType;
import org.xipki.scep.transaction.Nonce;
import org.xipki.scep.transaction.PkiStatus;
import org.xipki.scep.transaction.TransactionId;
import org.xipki.scep.util.ScepUtil;

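/**
 * SCEP responder of the server emulator.
 *
 * <p>A request arrives as a signed-and-enveloped CMS message. It is decrypted with the RA key
 * (or the CA key when no RA is configured), checked for signature validity, decryption result,
 * signing-time skew and for the digest / content-encryption algorithms being permitted by the
 * configured {@link CaCaps} and {@link ScepControl}, and is then dispatched on its SCEP message
 * type. The {@code CertRep} reply is signed with the same key that decrypted the request.
 *
 * <p>Not thread-safe with respect to {@link #setMaxSigningTimeBias(long)}; all other state is
 * final after construction.
 */
public class ScepResponder {

    /** Default maximum accepted |now - signingTime| of a request, in milliseconds (5 minutes). */
    private static final long DFLT_MAX_SIGNINGTIME_BIAS = 300000L;

    private static final Logger LOG = LoggerFactory.getLogger(ScepResponder.class);

    /** Content-encryption OIDs that are accepted when the CA advertises the AES capability. */
    private static final Set<ASN1ObjectIdentifier> AES_ENC_ALGS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    CMSAlgorithm.AES128_CBC, CMSAlgorithm.AES128_CCM, CMSAlgorithm.AES128_GCM,
                    CMSAlgorithm.AES192_CBC, CMSAlgorithm.AES192_CCM, CMSAlgorithm.AES192_GCM,
                    CMSAlgorithm.AES256_CBC, CMSAlgorithm.AES256_CCM, CMSAlgorithm.AES256_GCM)));

    private final CaCaps caCaps;
    private final CaEmulator caEmulator;
    /** May be null; then the CA key and certificate sign replies and decrypt requests. */
    private final RaEmulator raEmulator;
    /** May be null; then the GetNextCACert capability is removed from {@link #caCaps}. */
    private final NextCaAndRa nextCaAndRa;
    private final ScepControl control;

    /** Maximum accepted |now - signingTime| in milliseconds; a value of 0 or less disables the check. */
    private long maxSigningTimeBiasInMs = DFLT_MAX_SIGNINGTIME_BIAS;

    /**
     * Creates a responder.
     *
     * @param caCaps      capabilities advertised by the CA; the GetNextCACert capability is added or
     *                    removed depending on whether {@code nextCaAndRa} is given
     * @param caEmulator  issues certificates and CRLs
     * @param raEmulator  optional RA whose key/certificate are used for decryption and signing
     * @param nextCaAndRa optional next CA/RA; when null, GetNextCACert is withdrawn from {@code caCaps}
     * @param scepControl policy switches (secret, insecure algorithms, pending issuance, ...)
     * @throws Exception retained from the original signature
     */
    public ScepResponder(CaCaps caCaps, CaEmulator caEmulator, RaEmulator raEmulator,
            NextCaAndRa nextCaAndRa, ScepControl scepControl) throws Exception {
        this.caCaps = (CaCaps) ScepUtil.requireNonNull("caCaps", caCaps);
        this.caEmulator = (CaEmulator) ScepUtil.requireNonNull("caEmulator", caEmulator);
        this.control = (ScepControl) ScepUtil.requireNonNull("control", scepControl);
        this.raEmulator = raEmulator;
        this.nextCaAndRa = nextCaAndRa;
        // Only advertise GetNextCACert when there is something to answer it with.
        if (nextCaAndRa == null) {
            caCaps.removeCapability(CaCapability.GetNextCACert);
        } else {
            caCaps.addCapability(CaCapability.GetNextCACert);
        }
    }

    /**
     * Sets the maximum accepted difference between the request's signingTime and the server clock.
     *
     * @param maxSigningTimeBiasInMs bias in milliseconds; 0 or negative disables the signing-time check
     */
    public void setMaxSigningTimeBias(long maxSigningTimeBiasInMs) {
        this.maxSigningTimeBiasInMs = maxSigningTimeBiasInMs;
    }

    /**
     * Services a SCEP PKIOperation.
     *
     * @param requestContent the signed request received from the client
     * @param auditEvent     receives pkiStatus and failInfo of the reply; level is raised to ERROR on FAILURE
     * @return the encoded CertRep reply
     * @throws MessageDecodingException if the recipient (RA/CA) certificate cannot be converted
     * @throws CaException              if signing the reply fails
     */
    public ContentInfo servicePkiOperation(CMSSignedData requestContent, AuditEvent auditEvent)
            throws MessageDecodingException, CaException {
        ScepUtil.requireNonNull("requestContent", requestContent);
        // The key that decrypts the request is also the one that signs the reply.
        PrivateKey recipientKey = signingKey();
        Certificate recipientCert = signingCert();
        try {
            EnvelopedDataDecryptor decryptor = new EnvelopedDataDecryptor(
                    new EnvelopedDataDecryptorInstance(ScepUtil.toX509Cert(recipientCert), recipientKey));
            // NOTE(review): the third argument (a certificate store) is passed as null, so the
            // signer certificate is presumably not chained to a trust anchor here — confirm in
            // DecodedPkiMessage.decode; issuance is therefore gated by the challenge password.
            DecodedPkiMessage req = DecodedPkiMessage.decode(requestContent, decryptor, (CollectionStore) null);
            PkiMessage rep = servicePkiOperation0(req, auditEvent);

            auditEvent.putEventData(ScepAuditConstants.NAME_pkiStatus, rep.pkiStatus());
            if (rep.pkiStatus() == PkiStatus.FAILURE) {
                auditEvent.setLevel(AuditEvent.AuditLevel.ERROR);
            }
            if (rep.failInfo() != null) {
                auditEvent.putEventData(ScepAuditConstants.NAME_failInfo, rep.failInfo());
            }

            // The reply's signature algorithm is derived from the digest the client used.
            // NOTE(review): hashAlgo is null for an unknown digest OID (servicePkiOperation0 has
            // already answered badAlg in that case); how getSignatureAlgorithm treats null is not
            // visible here — confirm.
            ScepHashAlgoType hashAlgo = ScepHashAlgoType.forNameOrOid(req.digestAlgorithm().getId());
            String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(recipientKey, hashAlgo);
            try {
                X509Certificate signerCert = ScepUtil.toX509Cert(recipientCert);
                X509Certificate[] signerCertChain =
                        control.isSendSignerCert() ? new X509Certificate[]{signerCert} : null;
                return rep.encode(recipientKey, signatureAlgorithm, signerCert, signerCertChain,
                        req.signatureCert(), req.contentEncryptionAlgorithm());
            } catch (Exception ex) {
                throw new CaException(ex);
            }
        } catch (CertificateException ex) {
            // NOTE(review): the cause is not chained because the constructors of
            // MessageDecodingException are not visible here.
            throw new MessageDecodingException(
                    "could not parse recipientCert " + recipientCert.getTBSCertificate().getSubject());
        }
    }

    /**
     * Signs a GetNextCACert reply.
     *
     * @param nextCaMessage the message to sign
     * @return the signed CMS structure
     * @throws CaException if conversion of the signer certificate or signing fails
     */
    public ContentInfo encode(NextCaMessage nextCaMessage) throws CaException {
        ScepUtil.requireNonNull("nextCAMsg", nextCaMessage);
        try {
            X509Certificate signerCert = ScepUtil.toX509Cert(signingCert());
            X509Certificate[] signerCertChain =
                    control.isSendSignerCert() ? new X509Certificate[]{signerCert} : null;
            return nextCaMessage.encode(signingKey(), signerCert, signerCertChain);
        } catch (Exception ex) {
            throw new CaException(ex);
        }
    }

    /**
     * Validates the decoded request and builds the (unsigned) CertRep reply.
     *
     * <p>Checks are applied in this order and the first failing one wins: decoder failure message,
     * signature validity, decryption result, signing-time skew, digest algorithm, content-encryption
     * algorithm. Only then is the message type dispatched.
     *
     * @param req        the decoded request
     * @param auditEvent currently unused here; kept for signature compatibility
     * @return the reply, with pkiStatus SUCCESS, PENDING or FAILURE (+ failInfo)
     * @throws MessageDecodingException retained from the original signature
     * @throws CaException              if the CA emulator or CMS generation fails
     */
    private PkiMessage servicePkiOperation0(DecodedPkiMessage req, AuditEvent auditEvent)
            throws MessageDecodingException, CaException {
        TransactionId tid = req.transactionId();
        PkiMessage rep = new PkiMessage(tid, MessageType.CertRep, Nonce.randomNonce());
        rep.setPkiStatus(PkiStatus.SUCCESS);
        rep.setRecipientNonce(req.senderNonce());

        if (req.failureMessage() != null) {
            return fail(rep, FailInfo.badRequest);
        }
        Boolean signatureValid = req.isSignatureValid();
        if (signatureValid != null && !signatureValid) {
            return fail(rep, FailInfo.badMessageCheck);
        }
        Boolean decryptionSuccessful = req.isDecryptionSuccessful();
        if (decryptionSuccessful != null && !decryptionSuccessful) {
            return fail(rep, FailInfo.badRequest);
        }
        if (!isSigningTimeAcceptable(req.signingTime())) {
            return fail(rep, FailInfo.badTime);
        }
        FailInfo digestFailure = checkDigestAlgorithm(tid, req.digestAlgorithm().getId());
        if (digestFailure != null) {
            return fail(rep, digestFailure);
        }
        FailInfo encryptionFailure = checkContentEncryptionAlgorithm(tid, req.contentEncryptionAlgorithm());
        if (encryptionFailure != null) {
            return fail(rep, encryptionFailure);
        }

        switch (req.messageType()) {
            case PKCSReq:
                handlePkcsReq(req, rep);
                break;
            case CertPoll:
                handleCertPoll(req, rep);
                break;
            case GetCert:
                handleGetCert(req, rep);
                break;
            case RenewalReq:
                handleReissue(req, rep, CaCapability.Renewal);
                break;
            case UpdateReq:
                handleReissue(req, rep, CaCapability.Update);
                break;
            case GetCRL:
                handleGetCrl(req, rep);
                break;
            default:
                fail(rep, FailInfo.badRequest);
                break;
        }
        return rep;
    }

    /** Marks the reply as FAILURE with the given failInfo and returns it for chaining. */
    private static PkiMessage fail(PkiMessage rep, FailInfo failInfo) {
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(failInfo);
        return rep;
    }

    /**
     * Signing-time check: disabled when the configured bias is not positive; otherwise the
     * signingTime attribute is mandatory and must be within the bias of the server clock.
     */
    private boolean isSigningTimeAcceptable(Date signingTime) {
        if (maxSigningTimeBiasInMs <= 0) {
            return true;
        }
        if (signingTime == null) {
            return false;
        }
        long bias = Math.abs(System.currentTimeMillis() - signingTime.getTime());
        return bias <= maxSigningTimeBiasInMs;
    }

    /**
     * Returns null if the request's digest algorithm is known and permitted, else the failInfo
     * to answer with. SHA-1/256/512 require the matching CA capability; MD5 requires the
     * insecure-algorithms switch; anything else is rejected.
     */
    private FailInfo checkDigestAlgorithm(TransactionId tid, String digestOid) {
        ScepHashAlgoType hashAlgo = ScepHashAlgoType.forNameOrOid(digestOid);
        if (hashAlgo == null) {
            LOG.warn("tid={}: unknown digest algorithm {}", tid, digestOid);
            return FailInfo.badAlg;
        }
        boolean permitted;
        if (hashAlgo == ScepHashAlgoType.SHA1) {
            permitted = caCaps.containsCapability(CaCapability.SHA1);
        } else if (hashAlgo == ScepHashAlgoType.SHA256) {
            permitted = caCaps.containsCapability(CaCapability.SHA256);
        } else if (hashAlgo == ScepHashAlgoType.SHA512) {
            permitted = caCaps.containsCapability(CaCapability.SHA512);
        } else if (hashAlgo == ScepHashAlgoType.MD5) {
            permitted = control.isUseInsecureAlg();
        } else {
            permitted = false;
        }
        if (!permitted) {
            LOG.warn("tid={}: unsupported digest algorithm {}", tid, digestOid);
            return FailInfo.badAlg;
        }
        return null;
    }

    /**
     * Returns null if the content-encryption algorithm is permitted, else the failInfo to answer
     * with. 3DES requires the DES3 capability, AES (see {@link #AES_ENC_ALGS}) the AES capability,
     * single DES the insecure-algorithms switch; anything else is rejected.
     */
    private FailInfo checkContentEncryptionAlgorithm(TransactionId tid, ASN1ObjectIdentifier encAlg) {
        if (CMSAlgorithm.DES_EDE3_CBC.equals(encAlg)) {
            if (caCaps.containsCapability(CaCapability.DES3)) {
                return null;
            }
            LOG.warn("tid={}: encryption with DES3 algorithm {} is not permitted", tid, encAlg);
            return FailInfo.badAlg;
        }
        if (AES_ENC_ALGS.contains(encAlg)) {
            if (caCaps.containsCapability(CaCapability.AES)) {
                return null;
            }
            LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encAlg);
            return FailInfo.badAlg;
        }
        if (CMSAlgorithm.DES_CBC.equals(encAlg)) {
            if (control.isUseInsecureAlg()) {
                return null;
            }
            LOG.warn("tid={}: encryption with DES algorithm {} is not permitted", tid, encAlg);
            return FailInfo.badAlg;
        }
        LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encAlg);
        return FailInfo.badAlg;
    }

    /**
     * PKCSReq: enrolment with a CSR. A self-signed signer certificate must carry the subject
     * being requested, and the CSR's challengePassword must match the configured secret.
     * Issuance may be answered with PENDING when the control says so.
     */
    private void handlePkcsReq(DecodedPkiMessage req, PkiMessage rep) throws CaException {
        TransactionId tid = req.transactionId();
        X509Certificate signerCert = req.signatureCert();
        if (signerCert == null) {
            LOG.warn("tid={}: PKCSReq without signer certificate", tid);
            fail(rep, FailInfo.badMessageCheck);
            return;
        }
        CertificationRequest csr = CertificationRequest.getInstance(req.messageData());

        // Self-signed means issuer == subject of the signer certificate (the original compared
        // the issuer with itself, which is always true).
        boolean selfSigned = signerCert.getIssuerX500Principal().equals(signerCert.getSubjectX500Principal());
        if (selfSigned) {
            X500Name certSubject = X500Name.getInstance(signerCert.getSubjectX500Principal().getEncoded());
            if (!certSubject.equals(csr.getCertificationRequestInfo().getSubject())) {
                LOG.warn("tid={}: self-signed cert.subject != CSR.subject", tid);
                fail(rep, FailInfo.badRequest);
                return;
            }
        }

        String challengePassword = getChallengePassword(csr.getCertificationRequestInfo());
        if (!isChallengePasswordTrusted(challengePassword)) {
            LOG.warn("tid={}: challengePassword is not trusted", tid);
            fail(rep, FailInfo.badRequest);
            // Must stop here: the original fell through and still asked the CA to issue a
            // certificate for a request with a wrong or missing challenge password.
            return;
        }
        issueCert(rep, csr, control.isPendingCert());
    }

    /**
     * Compares the CSR's challengePassword with the configured secret in constant time
     * (a length mismatch still returns early, which is acceptable here).
     * A missing password or a missing secret never matches.
     */
    private boolean isChallengePasswordTrusted(String challengePassword) {
        String secret = control.secret();
        if (challengePassword == null || secret == null) {
            return false;
        }
        return MessageDigest.isEqual(
                secret.getBytes(StandardCharsets.UTF_8),
                challengePassword.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Asks the CA emulator to issue a certificate for the CSR and fills the reply: badCertId when
     * nothing was issued, PENDING (without data) when {@code pendingAllowed}, otherwise the
     * certificate as signed data. Any failure is wrapped in a {@link CaException}.
     */
    private void issueCert(PkiMessage rep, CertificationRequest csr, boolean pendingAllowed) throws CaException {
        try {
            Certificate cert = caEmulator.generateCert(csr);
            if (cert == null) {
                fail(rep, FailInfo.badCertId);
            } else if (pendingAllowed) {
                rep.setPkiStatus(PkiStatus.PENDING);
            } else {
                rep.setMessageData(createSignedData(cert));
            }
        } catch (Exception ex) {
            throw new CaException("system failure: " + ex.getMessage(), ex);
        }
    }

    /** CertPoll: looks up a previously pending certificate by issuer and subject. */
    private void handleCertPoll(DecodedPkiMessage req, PkiMessage rep) throws CaException {
        IssuerAndSubject issuerAndSubject = IssuerAndSubject.getInstance(req.messageData());
        Certificate cert = caEmulator.pollCert(issuerAndSubject.issuer(), issuerAndSubject.subject());
        if (cert == null) {
            fail(rep, FailInfo.badCertId);
        } else {
            rep.setMessageData(createSignedData(cert));
        }
    }

    /** GetCert: looks up an issued certificate by issuer and serial number. */
    private void handleGetCert(DecodedPkiMessage req, PkiMessage rep) throws CaException {
        IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.messageData());
        Certificate cert = caEmulator.getCert(isn.getName(), isn.getSerialNumber().getValue());
        if (cert == null) {
            fail(rep, FailInfo.badCertId);
        } else {
            rep.setMessageData(createSignedData(cert));
        }
    }

    /**
     * RenewalReq / UpdateReq: re-issuance from a CSR, permitted only when the CA advertises the
     * given capability. Unlike PKCSReq, no challenge password is checked and PENDING is never used.
     */
    private void handleReissue(DecodedPkiMessage req, PkiMessage rep, CaCapability requiredCapability)
            throws CaException {
        if (!caCaps.containsCapability(requiredCapability)) {
            fail(rep, FailInfo.badRequest);
            return;
        }
        issueCert(rep, CertificationRequest.getInstance(req.messageData()), false);
    }

    /** GetCRL: returns the CRL of the named issuer as signed data. */
    private void handleGetCrl(DecodedPkiMessage req, PkiMessage rep) throws CaException {
        IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.messageData());
        try {
            CertificateList crl = caEmulator.getCrl(isn.getName(), isn.getSerialNumber().getValue());
            if (crl == null) {
                fail(rep, FailInfo.badCertId);
            } else {
                rep.setMessageData(createSignedData(crl));
            }
        } catch (Exception ex) {
            throw new CaException("system failure: " + ex.getMessage(), ex);
        }
    }

    /**
     * Wraps a CRL in a degenerate (content-less, unsigned) SignedData.
     *
     * @throws CaException if CMS generation fails
     */
    private ContentInfo createSignedData(CertificateList certificateList) throws CaException {
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addCRL(new X509CRLHolder(certificateList));
        try {
            return generator.generate(new CMSAbsentContent()).toASN1Structure();
        } catch (CMSException ex) {
            throw new CaException(ex.getMessage(), ex);
        }
    }

    /**
     * Wraps a certificate (plus the CA certificate when the control asks for it) in a degenerate
     * (content-less, unsigned) SignedData.
     *
     * @throws CaException if CMS generation fails
     */
    private ContentInfo createSignedData(Certificate certificate) throws CaException {
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        try {
            generator.addCertificate(new X509CertificateHolder(certificate));
            if (control.sendCaCert()) {
                generator.addCertificate(new X509CertificateHolder(caEmulator.caCert()));
            }
            return generator.generate(new CMSAbsentContent()).toASN1Structure();
        } catch (CMSException ex) {
            throw new CaException(ex);
        }
    }

    /** The key used to sign replies: the RA key when an RA is configured, else the CA key. */
    public PrivateKey signingKey() {
        return raEmulator == null ? caEmulator.caKey() : raEmulator.raKey();
    }

    /** The certificate matching {@link #signingKey()}. */
    public Certificate signingCert() {
        return raEmulator == null ? caEmulator.caCert() : raEmulator.raCert();
    }

    public CaCaps caCaps() {
        return caCaps;
    }

    public CaEmulator caEmulator() {
        return caEmulator;
    }

    /** May be null. */
    public RaEmulator raEmulator() {
        return raEmulator;
    }

    /** May be null. */
    public NextCaAndRa nextCaAndRa() {
        return nextCaAndRa;
    }

    /**
     * Extracts the PKCS#9 challengePassword attribute from a CSR.
     *
     * @return the password string, or null when the CSR has no attributes, no challengePassword
     *         attribute, or the attribute's first value is not an ASN.1 string
     */
    private static String getChallengePassword(CertificationRequestInfo csrInfo) {
        ASN1Set attributes = csrInfo.getAttributes();
        if (attributes == null) {
            return null;
        }
        for (int i = 0; i < attributes.size(); i++) {
            Attribute attribute = Attribute.getInstance(attributes.getObjectAt(i));
            if (!PKCSObjectIdentifiers.pkcs_9_at_challengePassword.equals(attribute.getAttrType())) {
                continue;
            }
            if (attribute.getAttributeValues().length == 0) {
                return null;
            }
            Object first = attribute.getAttributeValues()[0];
            return first instanceof ASN1String ? ((ASN1String) first).getString() : null;
        }
        return null;
    }
}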
