package se.swedenconnect.ca.cmc.api.impl;

import java.io.IOException;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.cmc.BodyPartID;
import org.bouncycastle.asn1.cmc.CMCObjectIdentifiers;
import org.bouncycastle.asn1.cmc.CertificationRequest;
import org.bouncycastle.asn1.cmc.LraPopWitness;
import org.bouncycastle.asn1.crmf.CertTemplate;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.cert.crmf.CertificateRequestMessage;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMException;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCSException;
import se.swedenconnect.ca.cmc.CMCException;
import se.swedenconnect.ca.cmc.api.CMCMessageException;
import se.swedenconnect.ca.cmc.api.CMCRequestParser;
import se.swedenconnect.ca.cmc.api.CMCResponseFactory;
import se.swedenconnect.ca.cmc.api.data.CMCRequest;
import se.swedenconnect.ca.cmc.auth.CMCUtils;
import se.swedenconnect.ca.engine.ca.issuer.CAService;
import se.swedenconnect.ca.engine.ca.models.cert.CertificateModel;
import se.swedenconnect.ca.engine.ca.models.cert.extension.impl.GenericExtensionModel;
import se.swedenconnect.ca.engine.ca.models.cert.impl.EncodedCertNameModel;

/* loaded from: input_file:se/swedenconnect/ca/cmc/api/impl/DefaultCMCCaApi.class */
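/**
 * CMC CA API implementation that turns the certificate request carried in a CMC request
 * (PKCS#10 or CRMF) into a {@link CertificateModel} for issuance.
 *
 * <p>Proof of possession (POP) of the private key is handled differently for the two formats:
 * <ul>
 *   <li>PKCS#10: the self-signature on the request is verified against the public key it carries.</li>
 *   <li>CRMF: no cryptographic POP check is made here. The request is accepted only if an LRA POP
 *       Witness control lists the body part ID of the certificate request, i.e. POP is vouched for
 *       by whoever produced the CMC request.</li>
 * </ul>
 *
 * <p>NOTE(review): nothing in this class authenticates or authorizes the CMC request itself; that
 * is presumably done by the {@link CMCRequestParser} handed to the constructor. Confirm this,
 * because the CRMF path is only as strong as that check.
 *
 * <p>NOTE(review): every extension found in the request is copied into the certificate model
 * as is, including its criticality flag. No filtering against CA policy happens in this class;
 * confirm it is enforced elsewhere.
 */
public class DefaultCMCCaApi extends AbstractAdminCMCCaApi {

    /**
     * Creates the API instance; all arguments are passed straight to the superclass.
     *
     * @param cAService CA service used to issue certificates
     * @param cMCRequestParser parser for incoming CMC requests
     * @param cMCResponseFactory factory for CMC responses
     */
    public DefaultCMCCaApi(CAService cAService, CMCRequestParser cMCRequestParser, CMCResponseFactory cMCResponseFactory) {
        super(cAService, cMCRequestParser, cMCResponseFactory);
    }

    /**
     * Builds the certificate model for the certificate request in the given CMC request.
     *
     * <p>A PKCS#10 request is preferred when present; otherwise the request is handled as CRMF
     * together with the LRA POP Witness control found in the PKI data.
     *
     * @param cMCRequest parsed CMC request
     * @return certificate model holding the requested public key, subject and extensions
     * @throws CMCException if the request is incomplete, malformed or fails the POP check
     */
    @Override
    CertificateModel getCertificateModel(CMCRequest cMCRequest) throws CMCException {
        CertificationRequest pkcs10Request = cMCRequest.getCertificationRequest();
        if (pkcs10Request != null) {
            return getCertificateModelFromPKCS10(pkcs10Request);
        }
        // A control value of an unexpected type is treated as "no witness", so it is rejected with a
        // protocol error below instead of surfacing as a ClassCastException.
        Object witnessValue = CMCUtils.getCMCControlObject(CMCObjectIdentifiers.id_cmc_lraPOPWitness, cMCRequest.getPkiData()).getValue();
        LraPopWitness witness = witnessValue instanceof LraPopWitness ? (LraPopWitness) witnessValue : null;
        return getCertificateModelFromCRMF(cMCRequest.getCertificateRequestMessage(), witness, cMCRequest.getCertReqBodyPartId());
    }

    /**
     * Builds the certificate model from a CRMF request whose POP is vouched for by an LRA POP Witness.
     *
     * <p>Only the witness' {@code bodyIds} list is consulted; its {@code pkiDataBodyid} is not
     * checked here.
     *
     * @param crmfRequest the CRMF certificate request message
     * @param lraPopWitness the LRA POP Witness control value, or {@code null} if none was sent
     * @param bodyPartID body part ID of the certificate request inside the CMC request
     * @return certificate model built from the certificate template
     * @throws CMCMessageException if the witness is missing or does not cover this request, or if
     *         the template lacks a usable public key or carries an unparsable extension
     */
    // Raw list: the element type expected by CertificateModel's builder is not visible in this file.
    @SuppressWarnings({"rawtypes", "unchecked"})
    private CertificateModel getCertificateModelFromCRMF(CertificateRequestMessage crmfRequest, LraPopWitness lraPopWitness, BodyPartID bodyPartID) throws CMCMessageException {
        if (lraPopWitness == null) {
            throw new CMCMessageException("Certificate request message format requests must have LRA POP Witness set");
        }
        if (crmfRequest == null || bodyPartID == null) {
            throw new CMCMessageException("CRMF request or its body part ID is missing");
        }
        // The witness must explicitly name this certificate request, otherwise POP was not attested for it.
        final long requestId = bodyPartID.getID();
        boolean witnessed = Arrays.stream(lraPopWitness.getBodyIds()).anyMatch(id -> id.getID() == requestId);
        if (!witnessed) {
            throw new CMCMessageException("No matching LRA POP Witness ID in CRMF request");
        }

        CertTemplate certTemplate = crmfRequest.getCertTemplate();
        // The public key is an optional template field; reject its absence as a message error.
        if (certTemplate.getPublicKey() == null) {
            throw new CMCMessageException("Certificate template has no public key");
        }
        try {
            PublicKey publicKey = new JcaPEMKeyConverter().getPublicKey(certTemplate.getPublicKey());
            List extensionModels = new ArrayList();
            // Extensions are optional in a template; no extensions yields an empty list.
            Extensions requested = certTemplate.getExtensions();
            if (requested != null) {
                for (ASN1ObjectIdentifier oid : requested.getExtensionOIDs()) {
                    extensionModels.add(toExtensionModel(requested.getExtension(oid)));
                }
            }
            return CertificateModel.builder()
                .publicKey(publicKey)
                .subject(new EncodedCertNameModel(certTemplate.getSubject()))
                .extensionModels(extensionModels)
                .build();
        } catch (PEMException e) {
            throw new CMCMessageException("Failed to get public key from certificate template", e);
        }
    }

    /**
     * Builds the certificate model from a PKCS#10 request after verifying its self-signature.
     *
     * <p>Requested extensions are read from the first value of the first PKCS#9 extensionRequest
     * attribute; any further extensionRequest attributes are ignored.
     *
     * @param certificationRequest the PKCS#10 request as carried in the CMC message
     * @return certificate model using the key that passed signature verification
     * @throws CMCMessageException if the signature is invalid or the request cannot be decoded
     */
    // Raw list: the element type expected by CertificateModel's builder is not visible in this file.
    @SuppressWarnings({"rawtypes", "unchecked"})
    private CertificateModel getCertificateModelFromPKCS10(CertificationRequest certificationRequest) throws CMCMessageException {
        try {
            PKCS10CertificationRequest pkcs10 = new PKCS10CertificationRequest(certificationRequest.getEncoded("DER"));
            // Verify POP first, before any other part of the request is interpreted.
            PublicKey provenKey = validatePkcs10Signature(pkcs10);

            List extensionModels = new ArrayList();
            Attribute[] extensionRequests = pkcs10.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
            if (extensionRequests != null && extensionRequests.length > 0) {
                Attribute extensionRequest = Attribute.getInstance(extensionRequests[0]);
                if (extensionRequest.getAttrValues().size() == 0) {
                    throw new CMCMessageException("PKCS#10 extension request attribute has no value");
                }
                Iterator<?> requested = ASN1Sequence.getInstance(extensionRequest.getAttrValues().getObjectAt(0)).iterator();
                while (requested.hasNext()) {
                    extensionModels.add(toExtensionModel(Extension.getInstance(requested.next())));
                }
            }
            return CertificateModel.builder()
                .publicKey(provenKey)
                .subject(new EncodedCertNameModel(pkcs10.getSubject()))
                .extensionModels(extensionModels)
                .build();
        } catch (IOException | OperatorCreationException | PKCSException | IllegalArgumentException e) {
            // IllegalArgumentException: the ASN.1 getInstance() helpers reject malformed structures with it.
            throw new CMCMessageException("Failed to get certificate model from PKCS#10 - " + e.getMessage(), e);
        }
    }

    /**
     * Verifies the PKCS#10 self-signature with the public key contained in the request.
     *
     * <p>The verifier is requested from the provider named "BC", so that provider presumably has
     * to be registered with the JVM for verification to work.
     *
     * @param pkcs10 the PKCS#10 request to check
     * @return the request's public key, returned only after the signature verified
     * @throws CMCMessageException if the signature does not verify
     * @throws OperatorCreationException if no verifier can be created for the key
     * @throws PKCSException if the signature cannot be processed
     * @throws IOException if the public key cannot be decoded
     */
    private PublicKey validatePkcs10Signature(PKCS10CertificationRequest pkcs10) throws CMCMessageException, OperatorCreationException, PKCSException, IOException {
        boolean signatureOk = pkcs10.isSignatureValid(
            new JcaContentVerifierProviderBuilder().setProvider("BC").build(pkcs10.getSubjectPublicKeyInfo()));
        if (!signatureOk) {
            throw new CMCMessageException("Invalid PKCS10 signature");
        }
        return BouncyCastleProvider.getPublicKey(pkcs10.getSubjectPublicKeyInfo());
    }

    /**
     * Converts one requested X.509 extension into an extension model, keeping OID, value and
     * criticality exactly as requested.
     *
     * @param extension extension taken from the request
     * @return the corresponding extension model
     * @throws CMCMessageException if the extension value cannot be parsed
     */
    private static GenericExtensionModel toExtensionModel(Extension extension) throws CMCMessageException {
        try {
            return new GenericExtensionModel(extension.getExtnId(), extension.getParsedValue().toASN1Primitive(), extension.isCritical());
        } catch (IllegalArgumentException e) {
            throw new CMCMessageException("Failed to parse requested extension " + extension.getExtnId(), e);
        }
    }
}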
