package org.jscep.client;

import java.io.IOException;
import java.math.BigInteger;
import java.net.URL;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.SignatureException;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Objects;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.x500.X500Principal;
import okio.getPII;
import okio.setAppLanguage;
import okio.setDeviceModel;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.CertException;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.RuntimeOperatorException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.jscep.asn1.IssuerAndSubject;
import org.jscep.client.inspect.CertStoreInspector;
import org.jscep.client.inspect.CertStoreInspectorFactory;
import org.jscep.client.inspect.DefaultCertStoreInspectorFactory;
import org.jscep.client.verification.CertificateVerifier;
import org.jscep.message.PkcsPkiEnvelopeDecoder;
import org.jscep.message.PkcsPkiEnvelopeEncoder;
import org.jscep.message.PkiMessageDecoder;
import org.jscep.message.PkiMessageEncoder;
import org.jscep.transaction.EnrollmentTransaction;
import org.jscep.transaction.MessageType;
import org.jscep.transaction.NonEnrollmentTransaction;
import org.jscep.transaction.OperationFailureException;
import org.jscep.transaction.Transaction;
import org.jscep.transaction.TransactionException;
import org.jscep.transaction.TransactionId;
import org.jscep.transport.Transport;
import org.jscep.transport.TransportException;
import org.jscep.transport.TransportFactory;
import org.jscep.transport.UrlConnectionTransportFactory;
import org.jscep.transport.request.GetCaCapsRequest;
import org.jscep.transport.request.GetCaCertRequest;
import org.jscep.transport.request.GetNextCaCertRequest;
import org.jscep.transport.response.Capabilities;
import org.jscep.transport.response.Capability;
import org.jscep.transport.response.GetCaCapsResponseHandler;
import org.jscep.transport.response.GetCaCertResponseHandler;
import org.jscep.transport.response.GetNextCaCertResponseHandler;
import org.jscep.util.X500Utils;

/* loaded from: classes3.dex */
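/**
 * SCEP client bound to a single server URL.
 *
 * <p>Offers enrolment ({@link #enrol}), polling of pending enrolments
 * ({@link #poll}) and the query operations GetCACaps, GetCACert, GetCert,
 * GetCRL and GetNextCACert. Every operation that needs the CA's certificates
 * fetches them again through {@link #getCaCertificate(String)}, which hands
 * the CA certificate to the {@link CallbackHandler} for confirmation and
 * checks that the RA recipient and signer certificates carry the CA's
 * signature. Nothing is cached between calls, so the callback may run once
 * per operation.
 *
 * <p>Thread-safety: the two factories may be replaced after construction via
 * the synchronized setters; the fields are {@code volatile} so that a
 * replacement made on one thread is observed by later operations on another.
 */
public final class Client {
    private static final setDeviceModel LOGGER = setAppLanguage.MediaBrowserCompat$MediaItem$1(Client.class);
    /** Receives the {@link CertificateVerificationCallback} for the CA certificate. */
    private final CallbackHandler handler;
    // Written only by the synchronized setters below; volatile so that the unsynchronized
    // reads in every operation see the replacement without taking the monitor.
    private volatile CertStoreInspectorFactory inspectorFactory = new DefaultCertStoreInspectorFactory();
    private volatile TransportFactory transportFactory = new UrlConnectionTransportFactory();
    private final URL url;

    /**
     * Creates a client whose CA certificate is confirmed by {@code callbackHandler}.
     *
     * @param url the SCEP server URL; must be http or https with no query or fragment
     * @param callbackHandler handler for {@link CertificateVerificationCallback}; must not be null
     * @throws NullPointerException if either argument is null
     * @throws IllegalArgumentException if the URL violates the constraints above
     */
    public Client(URL url, CallbackHandler callbackHandler) {
        this.url = url;
        this.handler = callbackHandler;
        validateInput();
    }

    /**
     * Creates a client whose CA certificate is confirmed by {@code certificateVerifier},
     * wrapped in a {@link DefaultCallbackHandler}.
     *
     * @param url the SCEP server URL; must be http or https with no query or fragment
     * @param certificateVerifier decides whether the fetched CA certificate is trusted
     * @throws NullPointerException if the URL is null
     * @throws IllegalArgumentException if the URL violates the constraints above
     */
    public Client(URL url, CertificateVerifier certificateVerifier) {
        this.url = url;
        this.handler = new DefaultCallbackHandler(certificateVerifier);
        validateInput();
    }

    /** Fetches and verifies the CA store for {@code profile}, wrapped in an inspector. */
    private CertStoreInspector caInspector(String profile) throws ClientException {
        return this.inspectorFactory.getInstance(getCaCertificate(profile));
    }

    /** Subject of the verified CA (issuer) certificate, used as the issuer name in queries. */
    private X500Principal caIssuerPrincipal(String profile) throws ClientException {
        return caInspector(profile).getIssuer().getSubjectX500Principal();
    }

    /**
     * Logs whether the CA certificate advertises a CRL distribution point.
     * Informational only: the GetCRL request is sent regardless of the outcome.
     */
    private void checkDistributionPoints(String profile) throws ClientException {
        byte[] distributionPoints = caInspector(profile).getIssuer()
                .getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (distributionPoints != null) {
            LOGGER.JobIntentService("CA supports distribution points");
        }
    }

    /** Transport for PKI operations: POST when the CA advertises it, GET otherwise. */
    private Transport createTransport(String profile) {
        TransportFactory.Method method = getCaCapabilities(profile).isPostSupported()
                ? TransportFactory.Method.POST
                : TransportFactory.Method.GET;
        return this.transportFactory.forMethod(method, this.url);
    }

    /**
     * Decoder for server responses: verifies the pkiMessage signature against the
     * CA signer certificate and opens the envelope with the client's key pair.
     */
    private PkiMessageDecoder getDecoder(X509Certificate identity, PrivateKey identityKey, String profile)
            throws ClientException {
        X509Certificate signer = caInspector(profile).getSigner();
        return new PkiMessageDecoder(signer, new PkcsPkiEnvelopeDecoder(identity, identityKey));
    }

    /**
     * Encoder for client requests: envelopes to the CA recipient certificate and signs
     * with the client's key pair. Cipher and signature algorithm are the strongest the
     * CA advertised in GetCACaps, so an empty capability set (see
     * {@link #getCaCapabilities(String)}) selects that class's weakest defaults.
     */
    private PkiMessageEncoder getEncoder(X509Certificate identity, PrivateKey identityKey, String profile)
            throws ClientException {
        CertStore caStore = getCaCertificate(profile);
        Capabilities capabilities = getCaCapabilities(profile);
        X509Certificate recipient = this.inspectorFactory.getInstance(caStore).getRecipient();
        PkcsPkiEnvelopeEncoder envelope =
                new PkcsPkiEnvelopeEncoder(recipient, capabilities.getStrongestCipher());
        return new PkiMessageEncoder(identityKey, identity, envelope, capabilities.getStrongestSignatureAlgorithm());
    }

    /**
     * Returns {@code true} if the certificate's signature verifies under its own public key.
     *
     * <p>A {@link RuntimeOperatorException} whose cause is a {@link SignatureException} is
     * treated as "not self-signed"; every other failure is wrapped in a ClientException.
     */
    private boolean isSelfSigned(X509Certificate certificate) throws ClientException {
        try {
            JcaX509CertificateHolder holder = new JcaX509CertificateHolder(certificate);
            return holder.isSignatureValid(new JcaContentVerifierProviderBuilder().build(holder));
        } catch (RuntimeOperatorException e) {
            if (!(e.getCause() instanceof SignatureException)) {
                throw new ClientException(e);
            }
            LOGGER.JobIntentService("SignatureException detected so we consider that the certificate is not self signed");
            return false;
        } catch (Exception e) {
            // Boundary catch: encoding, verifier-construction and provider failures all
            // surface to the caller as ClientException.
            throw new ClientException(e);
        }
    }

    /** Runs an enrolment transaction and maps its final state onto an EnrollmentResponse. */
    private static EnrollmentResponse send(EnrollmentTransaction transaction) throws TransactionException {
        Transaction.State state = transaction.send();
        if (state == Transaction.State.CERT_ISSUED) {
            return new EnrollmentResponse(transaction.getId(), transaction.getCertStore());
        }
        if (state == Transaction.State.CERT_REQ_PENDING) {
            return new EnrollmentResponse(transaction.getId());
        }
        return new EnrollmentResponse(transaction.getId(), transaction.getFailInfo());
    }

    /**
     * Runs a GetCert/GetCRL transaction and returns the store it produced.
     *
     * <p>Only {@code send()} is guarded by the TransactionException wrapper, so an
     * OperationFailureException raised here reaches the caller as declared rather than
     * being re-wrapped.
     *
     * @throws OperationFailureException when the server reported a failure
     * @throws IllegalStateException when the server answered "pending", which these
     *         one-shot queries do not expect
     * @throws ClientException when the transaction itself failed
     */
    private static CertStore completeQuery(NonEnrollmentTransaction transaction)
            throws ClientException, OperationFailureException {
        Transaction.State state;
        try {
            state = transaction.send();
        } catch (TransactionException e) {
            throw new ClientException(e);
        }
        if (state == Transaction.State.CERT_ISSUED) {
            return transaction.getCertStore();
        }
        if (state == Transaction.State.CERT_REQ_PENDING) {
            throw new IllegalStateException();
        }
        throw new OperationFailureException(transaction.getFailInfo());
    }

    /**
     * Checks the constructor arguments: non-null URL using http/https, with no
     * fragment and no query string, and a non-null callback handler.
     */
    private void validateInput() {
        Objects.requireNonNull(this.url, "URL should not be null");
        // java.net.URL lower-cases the protocol, so an exact comparison is sufficient.
        String protocol = this.url.getProtocol();
        if (!"http".equals(protocol) && !"https".equals(protocol)) {
            throw new IllegalArgumentException("URL protocol should be HTTP or HTTPS");
        }
        if (this.url.getRef() != null) {
            throw new IllegalArgumentException("URL should contain no reference");
        }
        if (this.url.getQuery() != null) {
            throw new IllegalArgumentException("URL should contain no query string");
        }
        Objects.requireNonNull(this.handler, "Callback handler should not be null");
    }

    /**
     * Presents the fetched CA certificate to the callback handler; this is the trust
     * anchor for everything else the client does.
     *
     * @throws ClientException if the handler rejects the certificate, cannot handle the
     *         callback, or fails with an IOException
     */
    private void verifyCA(X509Certificate ca) throws ClientException {
        CertificateVerificationCallback callback = new CertificateVerificationCallback(ca);
        try {
            LOGGER.superDispatchKeyEvent("Requesting certificate verification.");
            this.handler.handle(new Callback[]{callback});
        } catch (IOException e) {
            throw new ClientException(e);
        } catch (UnsupportedCallbackException e) {
            LOGGER.superDispatchKeyEvent("Certificate verification failed.");
            throw new ClientException(e);
        }
        if (!callback.isVerified()) {
            LOGGER.superDispatchKeyEvent("Certificate verification failed.");
            throw new ClientException("CA certificate fingerprint could not be verified.");
        }
        LOGGER.superDispatchKeyEvent("Certificate verification passed.");
    }

    /**
     * Checks that {@code ra} was signed by {@code ca}; identical certificates pass trivially.
     *
     * <p>This is a signature check only: validity period, key usage and revocation of the
     * RA certificate are not examined here.
     *
     * @throws ClientException if the signature does not verify or cannot be checked
     */
    private void verifyRA(X509Certificate ca, X509Certificate ra) throws ClientException {
        LOGGER.superDispatchKeyEvent("Verifying signature of RA certificate");
        if (ca.equals(ra)) {
            LOGGER.superDispatchKeyEvent("RA and CA are identical");
            return;
        }
        try {
            boolean signedByCa = new JcaX509CertificateHolder(ra)
                    .isSignatureValid(new JcaContentVerifierProviderBuilder().build(ca));
            if (!signedByCa) {
                LOGGER.superDispatchKeyEvent("Signature verification failed for RA.");
                throw new ClientException("RA not issued by CA");
            }
            LOGGER.superDispatchKeyEvent("Signature verification passed for RA.");
        } catch (CertificateEncodingException | CertException | OperatorCreationException e) {
            throw new ClientException(e);
        }
    }

    /** Logs the digest of the encoded CSR, using the strongest digest the CA advertises. */
    private void logCsrFingerprint(PKCS10CertificationRequest csr, String profile) {
        try {
            MessageDigest digest = getCaCapabilities(profile).getStrongestMessageDigest();
            // getPII.cancel is the (obfuscated) byte-to-text encoder — presumably hex; confirm.
            String fingerprint = new String(getPII.cancel(digest.digest(csr.getEncoded()), true));
            LOGGER.notify("{} PKCS#10 Fingerprint: [{}]", digest.getAlgorithm(), fingerprint);
        } catch (IOException e) {
            LOGGER.access$000("Error getting encoded CSR", e);
        }
    }

    /**
     * Enrols {@code pKCS10CertificationRequest} with the default CA profile.
     *
     * @see #enrol(X509Certificate, PrivateKey, PKCS10CertificationRequest, String)
     */
    public EnrollmentResponse enrol(X509Certificate x509Certificate, PrivateKey privateKey, PKCS10CertificationRequest pKCS10CertificationRequest) throws ClientException, TransactionException {
        return enrol(x509Certificate, privateKey, pKCS10CertificationRequest, null);
    }

    /**
     * Enrols a certificate with the CA (PKCSReq).
     *
     * <p>If {@code x509Certificate} is self-signed and its subject differs from the CSR
     * subject, the mismatch is logged but the request is still sent. The CSR fingerprint
     * is logged for out-of-band comparison with the CA operator.
     *
     * @param x509Certificate the requester's (possibly self-signed) certificate
     * @param privateKey the key matching {@code x509Certificate}
     * @param pKCS10CertificationRequest the CSR to submit
     * @param str the CA profile / identifier, may be null
     * @return the issued store, a pending marker, or the CA's failure info
     * @throws ClientException if the CA certificates cannot be fetched or verified
     * @throws TransactionException if the enrolment transaction fails
     */
    public EnrollmentResponse enrol(X509Certificate x509Certificate, PrivateKey privateKey, PKCS10CertificationRequest pKCS10CertificationRequest, String str) throws ClientException, TransactionException {
        LOGGER.superDispatchKeyEvent("Enrolling certificate with CA");
        if (isSelfSigned(x509Certificate)) {
            LOGGER.superDispatchKeyEvent("Certificate is self-signed");
            if (!pKCS10CertificationRequest.getSubject().equals(X500Utils.toX500Name(x509Certificate.getSubjectX500Principal()))) {
                LOGGER.NotificationCompatSideChannelService("The self-signed certificate MUST use the same subject name as in the PKCS#10 request.");
            }
        }
        EnrollmentTransaction transaction = new EnrollmentTransaction(
                createTransport(str),
                getEncoder(x509Certificate, privateKey, str),
                getDecoder(x509Certificate, privateKey, str),
                pKCS10CertificationRequest);
        logCsrFingerprint(pKCS10CertificationRequest, str);
        return send(transaction);
    }

    /** Capabilities of the default CA profile; see {@link #getCaCapabilities(String)}. */
    public Capabilities getCaCapabilities() {
        return getCaCapabilities(null);
    }

    /**
     * Asks the server for its capabilities (GetCACaps).
     *
     * <p>A transport failure is not reported to the caller: it is logged and an empty
     * {@link Capabilities} is returned. {@link #getEncoder} then chooses its cipher and
     * signature algorithm from that empty set, so a failed or interrupted GetCACaps round
     * trip silently degrades the algorithms used for the request envelope.
     * NOTE(review): confirm the empty-set defaults are acceptable, or propagate the failure.
     *
     * @param str the CA profile / identifier, may be null
     * @return the advertised capabilities, or an empty set on transport failure
     */
    public Capabilities getCaCapabilities(String str) {
        LOGGER.superDispatchKeyEvent("Determining capabilities of SCEP server");
        GetCaCapsRequest request = new GetCaCapsRequest(str);
        try {
            Transport transport = this.transportFactory.forMethod(TransportFactory.Method.GET, this.url);
            return (Capabilities) transport.sendRequest(request, new GetCaCapsResponseHandler());
        } catch (TransportException e) {
            LOGGER.JobIntentService("AbstractTransport problem when determining capabilities.  Using empty capabilities.");
            return new Capabilities(new Capability[0]);
        }
    }

    /** CA certificate store of the default profile; see {@link #getCaCertificate(String)}. */
    public CertStore getCaCertificate() throws ClientException {
        return getCaCertificate(null);
    }

    /**
     * Fetches the CA certificate store (GetCACert) and establishes trust in it.
     *
     * <p>The issuer certificate is presented to the callback handler ({@link #verifyCA});
     * the recipient and signer certificates must each carry a valid signature from that
     * issuer ({@link #verifyRA}). The store is returned only after all checks pass.
     *
     * @param str the CA profile / identifier, may be null
     * @return the verified store of CA (and RA) certificates
     * @throws ClientException on transport failure or when any verification fails
     */
    public CertStore getCaCertificate(String str) throws ClientException {
        LOGGER.superDispatchKeyEvent("Retrieving current CA certificate");
        GetCaCertRequest request = new GetCaCertRequest(str);
        CertStore store;
        try {
            Transport transport = this.transportFactory.forMethod(TransportFactory.Method.GET, this.url);
            store = (CertStore) transport.sendRequest(request, new GetCaCertResponseHandler());
        } catch (TransportException e) {
            throw new ClientException(e);
        }
        CertStoreInspector inspector = this.inspectorFactory.getInstance(store);
        X509Certificate issuer = inspector.getIssuer();
        verifyCA(issuer);
        verifyRA(issuer, inspector.getRecipient());
        verifyRA(issuer, inspector.getSigner());
        return store;
    }

    /**
     * Fetches an issued certificate by serial number from the default profile.
     *
     * @see #getCertificate(X509Certificate, PrivateKey, BigInteger, String)
     */
    public CertStore getCertificate(X509Certificate x509Certificate, PrivateKey privateKey, BigInteger bigInteger) throws ClientException, OperationFailureException {
        return getCertificate(x509Certificate, privateKey, bigInteger, null);
    }

    /**
     * Fetches an issued certificate (GetCert) identified by the CA's issuer name and
     * {@code bigInteger} as serial number.
     *
     * @param x509Certificate the requester's certificate used to sign the query
     * @param privateKey the key matching {@code x509Certificate}
     * @param bigInteger serial number of the wanted certificate
     * @param str the CA profile / identifier, may be null
     * @return the store holding the requested certificate
     * @throws OperationFailureException if the CA reported a failure
     * @throws ClientException on transport, verification or transaction errors
     * @throws IllegalStateException if the CA unexpectedly answered "pending"
     */
    public CertStore getCertificate(X509Certificate x509Certificate, PrivateKey privateKey, BigInteger bigInteger, String str) throws OperationFailureException, ClientException {
        LOGGER.superDispatchKeyEvent("Retriving certificate from CA");
        NonEnrollmentTransaction transaction = new NonEnrollmentTransaction(
                createTransport(str),
                getEncoder(x509Certificate, privateKey, str),
                getDecoder(x509Certificate, privateKey, str),
                new IssuerAndSerialNumber(X500Utils.toX500Name(caIssuerPrincipal(str)), bigInteger),
                MessageType.GET_CERT);
        return completeQuery(transaction);
    }

    /**
     * Fetches a CRL from the default profile.
     *
     * @see #getRevocationList(X509Certificate, PrivateKey, X500Principal, BigInteger, String)
     */
    public X509CRL getRevocationList(X509Certificate x509Certificate, PrivateKey privateKey, X500Principal x500Principal, BigInteger bigInteger) throws ClientException, OperationFailureException {
        return getRevocationList(x509Certificate, privateKey, x500Principal, bigInteger, null);
    }

    /**
     * Fetches a CRL (GetCRL) for the certificate identified by {@code x500Principal}
     * (issuer) and {@code bigInteger} (serial number).
     *
     * @param x509Certificate the requester's certificate used to sign the query
     * @param privateKey the key matching {@code x509Certificate}
     * @param x500Principal issuer of the certificate whose CRL is wanted
     * @param bigInteger serial number of that certificate
     * @param str the CA profile / identifier, may be null
     * @return the first CRL in the response, or {@code null} if the response held none
     * @throws OperationFailureException if the CA reported a failure
     * @throws ClientException on transport, verification or transaction errors, or if
     *         the returned store cannot be read
     * @throws IllegalStateException if the CA unexpectedly answered "pending"
     */
    public X509CRL getRevocationList(X509Certificate x509Certificate, PrivateKey privateKey, X500Principal x500Principal, BigInteger bigInteger, String str) throws ClientException, OperationFailureException {
        LOGGER.superDispatchKeyEvent("Retriving CRL from CA");
        checkDistributionPoints(str);
        NonEnrollmentTransaction transaction = new NonEnrollmentTransaction(
                createTransport(str),
                getEncoder(x509Certificate, privateKey, str),
                getDecoder(x509Certificate, privateKey, str),
                new IssuerAndSerialNumber(X500Utils.toX500Name(x500Principal), bigInteger),
                MessageType.GET_CRL);
        CertStore store = completeQuery(transaction);
        try {
            Collection<? extends CRL> crls = store.getCRLs(null);
            if (crls.isEmpty()) {
                return null;
            }
            return (X509CRL) crls.iterator().next();
        } catch (CertStoreException e) {
            // Reported like every other failure of this client rather than as a bare RuntimeException.
            throw new ClientException(e);
        }
    }

    /** Next CA certificate of the default profile; see {@link #getRolloverCertificate(String)}. */
    public CertStore getRolloverCertificate() throws ClientException {
        return getRolloverCertificate(null);
    }

    /**
     * Fetches the next (rollover) CA certificate (GetNextCACert).
     *
     * <p>The response handler is constructed with the current CA signer certificate,
     * presumably so the signed next-CA response can be verified against it — confirm in
     * {@link GetNextCaCertResponseHandler}.
     *
     * @param str the CA profile / identifier, may be null
     * @return the store holding the next CA certificate
     * @throws UnsupportedOperationException if the CA does not advertise rollover support
     * @throws ClientException on transport or verification failure
     */
    public CertStore getRolloverCertificate(String str) throws ClientException {
        LOGGER.superDispatchKeyEvent("Retriving next CA certificate from CA");
        if (!getCaCapabilities(str).isRolloverSupported()) {
            throw new UnsupportedOperationException();
        }
        X509Certificate signer = caInspector(str).getSigner();
        try {
            Transport transport = this.transportFactory.forMethod(TransportFactory.Method.GET, this.url);
            return (CertStore) transport.sendRequest(new GetNextCaCertRequest(str), new GetNextCaCertResponseHandler(signer));
        } catch (TransportException e) {
            throw new ClientException(e);
        }
    }

    /**
     * Polls a pending enrolment on the default profile.
     *
     * @see #poll(X509Certificate, PrivateKey, X500Principal, TransactionId, String)
     */
    public EnrollmentResponse poll(X509Certificate x509Certificate, PrivateKey privateKey, X500Principal x500Principal, TransactionId transactionId) throws ClientException, TransactionException {
        return poll(x509Certificate, privateKey, x500Principal, transactionId, null);
    }

    /**
     * Polls a pending enrolment (GetCertInitial), identified by the CA's issuer name,
     * the requester's subject {@code x500Principal} and {@code transactionId}.
     *
     * @param x509Certificate the requester's certificate used to sign the poll
     * @param privateKey the key matching {@code x509Certificate}
     * @param x500Principal subject name from the original request
     * @param transactionId id of the pending enrolment
     * @param str the CA profile / identifier, may be null
     * @return the issued store, a still-pending marker, or the CA's failure info
     * @throws ClientException if the CA certificates cannot be fetched or verified
     * @throws TransactionException if the poll transaction fails
     */
    public EnrollmentResponse poll(X509Certificate x509Certificate, PrivateKey privateKey, X500Principal x500Principal, TransactionId transactionId, String str) throws ClientException, TransactionException {
        EnrollmentTransaction transaction = new EnrollmentTransaction(
                createTransport(str),
                getEncoder(x509Certificate, privateKey, str),
                getDecoder(x509Certificate, privateKey, str),
                new IssuerAndSubject(X500Utils.toX500Name(caIssuerPrincipal(str)), X500Utils.toX500Name(x500Principal)),
                transactionId);
        return send(transaction);
    }

    /** Replaces the factory used to pick issuer/recipient/signer out of a CA store. */
    public void setCertStoreInspectorFactory(CertStoreInspectorFactory certStoreInspectorFactory) {
        synchronized (this) {
            this.inspectorFactory = certStoreInspectorFactory;
        }
    }

    /** Replaces the factory used to create HTTP transports to the server. */
    public void setTransportFactory(TransportFactory transportFactory) {
        synchronized (this) {
            this.transportFactory = transportFactory;
        }
    }
}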
