package org.xipki.ca.server.cmp;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CRLException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers;
import org.bouncycastle.asn1.cmp.CertConfirmContent;
import org.bouncycastle.asn1.cmp.CertOrEncCert;
import org.bouncycastle.asn1.cmp.CertRepMessage;
import org.bouncycastle.asn1.cmp.CertResponse;
import org.bouncycastle.asn1.cmp.CertStatus;
import org.bouncycastle.asn1.cmp.CertifiedKeyPair;
import org.bouncycastle.asn1.cmp.ErrorMsgContent;
import org.bouncycastle.asn1.cmp.GenMsgContent;
import org.bouncycastle.asn1.cmp.GenRepContent;
import org.bouncycastle.asn1.cmp.InfoTypeAndValue;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIFailureInfo;
import org.bouncycastle.asn1.cmp.PKIFreeText;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIHeaderBuilder;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cmp.PKIStatus;
import org.bouncycastle.asn1.cmp.PKIStatusInfo;
import org.bouncycastle.asn1.cmp.RevDetails;
import org.bouncycastle.asn1.cmp.RevRepContentBuilder;
import org.bouncycastle.asn1.cmp.RevReqContent;
import org.bouncycastle.asn1.cms.GCMParameters;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.crmf.AttributeTypeAndValue;
import org.bouncycastle.asn1.crmf.CertId;
import org.bouncycastle.asn1.crmf.CertReqMessages;
import org.bouncycastle.asn1.crmf.CertReqMsg;
import org.bouncycastle.asn1.crmf.CertTemplate;
import org.bouncycastle.asn1.crmf.Controls;
import org.bouncycastle.asn1.crmf.DhSigStatic;
import org.bouncycastle.asn1.crmf.EncryptedValue;
import org.bouncycastle.asn1.crmf.OptionalValidity;
import org.bouncycastle.asn1.crmf.PKIPublicationInfo;
import org.bouncycastle.asn1.crmf.POPOSigningKey;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.pkcs.EncryptionScheme;
import org.bouncycastle.asn1.pkcs.KeyDerivationFunc;
import org.bouncycastle.asn1.pkcs.PBES2Parameters;
import org.bouncycastle.asn1.pkcs.PBKDF2Params;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.Time;
import org.bouncycastle.cert.cmp.GeneralPKIMessage;
import org.bouncycastle.cert.crmf.CRMFException;
import org.bouncycastle.cert.crmf.CertificateRequestMessage;
import org.bouncycastle.jcajce.spec.PBKDF2KeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.audit.AuditLevel;
import org.xipki.audit.AuditStatus;
import org.xipki.ca.api.CertWithDbId;
import org.xipki.ca.api.CertificateInfo;
import org.xipki.ca.api.InsuffientPermissionException;
import org.xipki.ca.api.OperationException;
import org.xipki.ca.api.RequestType;
import org.xipki.ca.api.mgmt.CaMgmtException;
import org.xipki.ca.api.mgmt.CaStatus;
import org.xipki.ca.api.mgmt.CertWithRevocationInfo;
import org.xipki.ca.api.mgmt.CmpControl;
import org.xipki.ca.api.mgmt.MgmtEntry;
import org.xipki.ca.api.mgmt.PermissionConstants;
import org.xipki.ca.api.mgmt.RequestorInfo;
import org.xipki.ca.server.CaAuditConstants;
import org.xipki.ca.server.CaInfo;
import org.xipki.ca.server.CaManagerImpl;
import org.xipki.ca.server.CaUtil;
import org.xipki.ca.server.CertTemplateData;
import org.xipki.ca.server.DhpocControl;
import org.xipki.ca.server.PasswordHash;
import org.xipki.ca.server.X509Ca;
import org.xipki.ca.server.cmp.CrmfKeyWrapper;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.CrlReason;
import org.xipki.security.DHSigStaticKeyCertPair;
import org.xipki.security.EdECConstants;
import org.xipki.security.HashAlgo;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.X509Cert;
import org.xipki.security.cmp.CmpUtf8Pairs;
import org.xipki.security.cmp.CmpUtil;
import org.xipki.security.cmp.PkiStatusInfo;
import org.xipki.security.util.AlgorithmUtil;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.DateUtil;
import org.xipki.util.HealthCheckResult;
import org.xipki.util.Hex;
import org.xipki.util.LogUtil;
import org.xipki.util.StringUtil;
import org.xipki.util.concurrent.ConcurrentBag;
import org.xipki.util.concurrent.ConcurrentBagEntry;

/* loaded from: input_file:org/xipki/ca/server/cmp/CmpResponder.class */
public class CmpResponder extends BaseCmpResponder {
    // Identifiers of the CMP general messages this responder recognises. The set is filled outside
    // this excerpt (presumably in a static initializer) — TODO confirm.
    private static final Set<String> KNOWN_GENMSG_IDS = new HashSet();
    private static final Logger LOG = LoggerFactory.getLogger(CmpResponder.class);
    // AlgorithmIdentifier for HMAC-SHA256 with explicit NULL parameters. The name suggests it is the
    // PBKDF2 pseudo-random function — confirm at the use site.
    private static final AlgorithmIdentifier prf_hmacWithSHA256 = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA256, DERNull.INSTANCE);
    // Shared bags of Cipher and SecretKeyFactory instances, assigned outside this excerpt. Judging by
    // the names they hold AES-GCM ciphers and PBKDF2 factories — TODO confirm.
    private static final ConcurrentBag<ConcurrentBagEntry<Cipher>> aesGcm_ciphers;
    private static final ConcurrentBag<ConcurrentBagEntry<SecretKeyFactory>> pbkdf2_kdfs;
    // Flags paired with the two bags above; not volatile, so visibility across threads depends on how
    // they are written — NOTE(review): check the initialisation code.
    private static boolean aesGcm_ciphers_initialized;
    private static boolean pbkdf2_kdfs_initialized;
    // Extension OIDs that processCertReqMessages does NOT copy from the old certificate into a
    // key-update request; extensions of the old certificate outside this set are inherited.
    private static final Set<String> kupCertExtnIds;
    // Certificates issued over CMP that still await the requester's confirmation.
    private final PendingCertificatePool pendingCertPool;
    // AES key generator obtained in the constructor via KeyGenerator.getInstance("AES").
    private final KeyGenerator aesKeyGen;
    // Name under which the served CA is looked up in caManager on every getCa() call.
    private final String caName;
    private final CaManagerImpl caManager;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.xipki.ca.server.cmp.CmpResponder$1, reason: invalid class name */
    /* loaded from: input_file:org/xipki/ca/server/cmp/CmpResponder$1.class */
    // Compiler-generated switch map, recovered by the decompiler: it maps the ordinal of each
    // OperationException.ErrorCode constant to a dense case index (1..14) used by a switch statement
    // elsewhere in CmpResponder. Every assignment is wrapped in its own try/catch so that a constant
    // missing at run time (NoSuchFieldError) leaves its slot at 0 instead of failing class
    // initialisation; the empty catch blocks are therefore intentional. Do not edit by hand.
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode = new int[OperationException.ErrorCode.values().length];

        static {
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.DATABASE_FAILURE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.SYSTEM_FAILURE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.ALREADY_ISSUED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.BAD_CERT_TEMPLATE.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.BAD_REQUEST.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.CERT_REVOKED.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.CERT_UNREVOKED.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.BAD_POP.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.CRL_FAILURE.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.NOT_PERMITTED.ordinal()] = 10;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.INVALID_EXTENSION.ordinal()] = 11;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.SYSTEM_UNAVAILABLE.ordinal()] = 12;
            } catch (NoSuchFieldError e12) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.UNKNOWN_CERT.ordinal()] = 13;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[OperationException.ErrorCode.UNKNOWN_CERT_PROFILE.ordinal()] = 14;
            } catch (NoSuchFieldError e14) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/xipki/ca/server/cmp/CmpResponder$PendingCertificatePool.class */
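    /**
     * In-memory registry of certificates that were issued within a CMP transaction and still await
     * the requester's confirmation.
     *
     * <p>Entries are grouped by the hex-encoded transaction ID. All access to the backing map is
     * serialised on the map itself. The pool is not persisted: pending entries are lost on restart.
     */
    public static class PendingCertificatePool {
        private final Map<String, Set<MyEntry>> map = new HashMap<>();

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:org/xipki/ca/server/cmp/CmpResponder$PendingCertificatePool$MyEntry.class */
        /** One pending certificate: its request id, confirmation deadline and expected certHash. */
        public static class MyEntry {
            private final BigInteger certReqId;
            // Deadline in epoch milliseconds; compared against System.currentTimeMillis().
            private final long waitForConfirmTill;
            private final CertificateInfo certInfo;
            // Digest of the encoded certificate that a confirmation must present.
            private final byte[] certHash;

            /**
             * @param bigInteger certReqId of the request that produced the certificate; must not be null
             * @param j deadline (epoch milliseconds) after which the entry counts as unconfirmed
             * @param certificateInfo the issued certificate; must not be null
             */
            MyEntry(BigInteger bigInteger, long j, CertificateInfo certificateInfo) {
                this.certReqId = (BigInteger) Args.notNull(bigInteger, "certReqId");
                this.certInfo = (CertificateInfo) Args.notNull(certificateInfo, "certInfo");
                this.waitForConfirmTill = j;
                // NOTE(review): the digest is hard-wired to SHA-1. RFC 4210 (section 5.3.18) ties certHash
                // to the hash algorithm of the certificate's signature, and RFC 9480 adds an explicit
                // hashAlg to CertStatus; a requester hashing with anything else can never match here —
                // confirm this is intended.
                this.certHash = HashAlgo.SHA1.hash(new byte[][] {certificateInfo.getCert().getEncodedCert()});
            }

            /**
             * Hashes exactly the fields that {@link #equals(Object)} compares. The deadline is left out:
             * including it gave equal entries different hash codes, so a HashSet could hold duplicates.
             */
            @Override
            public int hashCode() {
                return this.certReqId.hashCode() + (31 * this.certInfo.hashCode());
            }

            /** Two entries are equal when certReqId and certInfo are equal; the deadline is ignored. */
            @Override
            public boolean equals(Object obj) {
                if (this == obj) {
                    return true;
                }
                if (!(obj instanceof MyEntry)) {
                    return false;
                }
                MyEntry other = (MyEntry) obj;
                return this.certReqId.equals(other.certReqId) && this.certInfo.equals(other.certInfo);
            }
        }

        PendingCertificatePool() {
        }

        /**
         * Registers a freshly issued certificate as pending. Certificates flagged as already issued are
         * ignored, so only certificates created by this transaction can later be revoked through the pool.
         *
         * @param bArr transaction ID; must not be null
         * @param bigInteger certReqId of the request; must not be null
         * @param certificateInfo the issued certificate; must not be null
         * @param j confirmation deadline in epoch milliseconds
         */
        void addCertificate(byte[] bArr, BigInteger bigInteger, CertificateInfo certificateInfo, long j) {
            Args.notNull(bArr, "transactionId");
            Args.notNull(certificateInfo, "certInfo");
            if (certificateInfo.isAlreadyIssued()) {
                return;
            }
            String txKey = Hex.encode(bArr);
            MyEntry entry = new MyEntry(bigInteger, j, certificateInfo);
            synchronized (this.map) {
                Set<MyEntry> pending = this.map.get(txKey);
                if (pending == null) {
                    pending = new HashSet<>();
                    this.map.put(txKey, pending);
                }
                pending.add(entry);
            }
        }

        /**
         * Removes and returns the pending certificate identified by transaction ID and certReqId,
         * provided the supplied hash matches the stored one.
         *
         * <p>Previously the hash comparison only decided whether the entry was removed; the certificate
         * was returned either way, so the caller could not tell a verified confirmation from one with a
         * wrong certHash. A mismatch now leaves the entry pending and yields {@code null}.
         * NOTE(review): the callers are outside this excerpt — check that they treat {@code null} as
         * "nothing confirmed".
         *
         * @param bArr transaction ID; must not be null
         * @param bigInteger certReqId; must not be null
         * @param bArr2 certHash presented by the requester; must not be null
         * @return the removed certificate, or {@code null} if no entry matches id and hash
         */
        CertificateInfo removeCertificate(byte[] bArr, BigInteger bigInteger, byte[] bArr2) {
            Args.notNull(bArr, "transactionId");
            Args.notNull(bigInteger, "certReqId");
            Args.notNull(bArr2, "certHash");
            String txKey = Hex.encode(bArr);
            synchronized (this.map) {
                Set<MyEntry> pending = this.map.get(txKey);
                if (pending == null) {
                    return null;
                }
                MyEntry match = null;
                for (MyEntry candidate : pending) {
                    if (bigInteger.equals(candidate.certReqId)) {
                        match = candidate;
                        break;
                    }
                }
                // The hash is a digest of a public certificate, not a secret, so a plain comparison is fine.
                if (match == null || !Arrays.equals(bArr2, match.certHash)) {
                    return null;
                }
                pending.remove(match);
                if (pending.isEmpty()) {
                    this.map.remove(txKey);
                }
                return match.certInfo;
            }
        }

        /**
         * Removes every pending certificate of a transaction.
         *
         * @param bArr transaction ID; must not be null
         * @return the removed certificates, or {@code null} if the transaction has no pending entries
         */
        Set<CertificateInfo> removeCertificates(byte[] bArr) {
            Args.notNull(bArr, "transactionId");
            String txKey = Hex.encode(bArr);
            Set<MyEntry> removed;
            synchronized (this.map) {
                removed = this.map.remove(txKey);
            }
            if (removed == null) {
                return null;
            }
            Set<CertificateInfo> certInfos = new HashSet<>();
            for (MyEntry entry : removed) {
                certInfos.add(entry.certInfo);
            }
            return certInfos;
        }

        /**
         * Removes and returns all certificates whose confirmation deadline has passed.
         *
         * <p>The earlier version only collected the expired entries and left them in the map, so the
         * pool grew without bound and each later sweep returned the same certificates again. Expired
         * entries are now dropped as they are collected; once returned, the caller is the only holder
         * and is responsible for acting on them.
         *
         * @return {@code null} if the pool is empty, otherwise the (possibly empty) set of expired
         *     certificates
         */
        Set<CertificateInfo> removeConfirmTimeoutedCertificates() {
            synchronized (this.map) {
                if (this.map.isEmpty()) {
                    return null;
                }
                long now = System.currentTimeMillis();
                Set<CertificateInfo> expired = new HashSet<>();
                Iterator<Map.Entry<String, Set<MyEntry>>> txIt = this.map.entrySet().iterator();
                while (txIt.hasNext()) {
                    Set<MyEntry> pending = txIt.next().getValue();
                    Iterator<MyEntry> entryIt = pending.iterator();
                    while (entryIt.hasNext()) {
                        MyEntry entry = entryIt.next();
                        if (entry.waitForConfirmTill < now) {
                            expired.add(entry.certInfo);
                            entryIt.remove();
                        }
                    }
                    if (pending.isEmpty()) {
                        txIt.remove();
                    }
                }
                return expired;
            }
        }
    }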

    /* loaded from: input_file:org/xipki/ca/server/cmp/CmpResponder$PendingPoolCleaner.class */
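    /**
     * Periodic task that revokes, with reason cessationOfOperation, every certificate whose
     * confirmation deadline has passed.
     *
     * <p>The task is run by a scheduled executor at a fixed rate, and
     * {@code ScheduledExecutorService.scheduleAtFixedRate} cancels all further runs once one run
     * throws. The whole body is therefore guarded: a failure is logged and the next run still happens.
     * Before, an exception from {@code getCa()} or from the pool escaped {@code run()} and silently
     * stopped the clean-up for good.
     */
    private class PendingPoolCleaner implements Runnable {
        private PendingPoolCleaner() {
        }

        @Override // java.lang.Runnable
        public void run() {
            try {
                // Resolve the CA before asking the pool, so that a failed lookup cannot strand entries
                // the pool has already handed over.
                X509Ca ca = CmpResponder.this.getCa();
                Set<CertificateInfo> expired = CmpResponder.this.pendingCertPool.removeConfirmTimeoutedCertificates();
                if (CollectionUtil.isEmpty(expired)) {
                    return;
                }
                Date revocationTime = new Date();
                for (CertificateInfo certInfo : expired) {
                    BigInteger serial = null;
                    try {
                        serial = certInfo.getCert().getCert().getSerialNumber();
                        ca.revokeCert(serial, CrlReason.CESSATION_OF_OPERATION, revocationTime, CaAuditConstants.MSGID_ca_routine);
                    } catch (Throwable th) {
                        // One failed revocation must not stop the rest of the batch. It is only logged
                        // here; operators should alert on this message, because the certificate stays valid.
                        CmpResponder.LOG.error("could not revoke certificate (CA={}, serialNumber={}): {}", new Object[]{ca.getCaInfo().getIdent(), LogUtil.formatCsn(serial), th.getMessage()});
                    }
                }
            } catch (Throwable th) {
                CmpResponder.LOG.error("clean-up of pending certificates failed (CA=" + CmpResponder.this.caName + ")", th);
            }
        }

        /* synthetic */ PendingPoolCleaner(CmpResponder cmpResponder, AnonymousClass1 anonymousClass1) {
            this();
        }
    }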

    /**
     * Creates the CMP responder for one CA and schedules the clean-up of unconfirmed certificates.
     *
     * <p>The clean-up task is handed to the manager's scheduled executor with an initial delay and a
     * period of 10 minutes each. Note that {@code this} reaches the scheduler before the constructor
     * returns; the initial delay is what keeps the task from seeing a half-built object.
     *
     * @param caManagerImpl CA manager supplying the security factory, the CA and the scheduler
     * @param str name of the CA this responder serves
     * @throws NoSuchAlgorithmException if no AES key generator is available
     */
    public CmpResponder(CaManagerImpl caManagerImpl, String str) throws NoSuchAlgorithmException {
        super(caManagerImpl.getSecurityFactory());
        this.caManager = caManagerImpl;
        this.caName = str;
        this.pendingCertPool = new PendingCertificatePool();
        this.aesKeyGen = KeyGenerator.getInstance("AES");

        final Runnable poolCleaner = new PendingPoolCleaner(this, null);
        caManagerImpl.getScheduledThreadPoolExecutor().scheduleAtFixedRate(poolCleaner, 10L, 10L, TimeUnit.MINUTES);
    }

    /**
     * Looks up the CA served by this responder by name on every call.
     *
     * @return the CA registered under {@code caName}
     * @throws IllegalStateException if the manager reports a {@link CaMgmtException}; the original
     *     exception is kept as the cause
     */
    public X509Ca getCa() {
        final X509Ca ca;
        try {
            ca = this.caManager.getX509Ca(this.caName);
        } catch (CaMgmtException ex) {
            throw new IllegalStateException(ex.getMessage(), ex);
        }
        return ca;
    }

    /**
     * Tells whether CMP requests may be served right now.
     *
     * @return {@code true} only if the base responder is on service, the CA status is
     *     {@link CaStatus#ACTIVE} and the CA supports CMP
     */
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    public boolean isOnService() {
        if (super.isOnService()) {
            CaInfo info = getCa().getCaInfo();
            if (info.getStatus() == CaStatus.ACTIVE) {
                return info.supportsCmp();
            }
        }
        return false;
    }

    /**
     * Combines the CA's health check with the health of the CMP responder's signer.
     *
     * @return the CA's result with a child check named "Responder" added; the overall flag is
     *     healthy only if both the CA and the signer are healthy
     */
    public HealthCheckResult healthCheck() {
        HealthCheckResult caResult = getCa().healthCheck();
        boolean caHealthy = caResult.isHealthy();
        boolean signerHealthy = this.caManager.getSignerWrapper(getResponderName()).getSigner().isHealthy();

        HealthCheckResult responderResult = new HealthCheckResult();
        responderResult.setName("Responder");
        responderResult.setHealthy(signerHealthy);

        caResult.addChildCheck(responderResult);
        caResult.setHealthy(caHealthy && signerHealthy);
        return caResult;
    }

    /**
     * @return the name of the CA this responder serves, as given to the constructor
     */
    public String getCaName() {
        final String name = this.caName;
        return name;
    }

    /**
     * @return the CMP responder name configured in the CA's info, read afresh on every call
     */
    public String getResponderName() {
        CaInfo info = getCa().getCaInfo();
        return info.getCmpResponderName();
    }

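    /**
     * Dispatches one CMP request to the handler for its body type and wraps the result in a
     * response message.
     *
     * <p>The response header repeats the request's protocol version and transaction ID, uses the
     * request's sender as recipient, and echoes the sender nonce as recipient nonce when one is present.
     * Body types without a handler are rejected with failure info badRequest. An
     * {@link InsuffientPermissionException} from a handler becomes an error body with failure info
     * notAuthorized. NOTE(review): the exception text is returned to the requester verbatim — keep
     * those messages free of internal detail.
     *
     * <p>The decompiler had labelled several cases with unrelated {@code PasswordHash} constants that
     * merely share the numeric value, and had dropped the cast to {@link ErrorMsgContent}; both are
     * restored here using the {@link PKIBody} and {@link PKIFailureInfo} constants of equal value.
     *
     * @param pKIMessage the request as received; forwarded to the enrolment and revocation handlers
     * @param requestorInfo the authenticated requestor; must be a {@code CmpRequestorInfo}
     * @param aSN1OctetString transaction ID placed into the response header
     * @param generalPKIMessage parsed view of the request supplying header and body
     * @param str identifier forwarded unchanged to the handlers (presumably the audit message id —
     *     confirm against the caller)
     * @param map optional request parameters; only the default certificate profile and the
     *     "ca-generate-keypair" flag are read here
     * @param auditEvent audit record that receives the requestor, event type, status and message
     * @return the response message
     * @throws IllegalArgumentException if {@code requestorInfo} is not a {@code CmpRequestorInfo}
     */
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    protected PKIMessage processPkiMessage0(PKIMessage pKIMessage, RequestorInfo requestorInfo, ASN1OctetString aSN1OctetString, GeneralPKIMessage generalPKIMessage, String str, Map<String, String> map, AuditEvent auditEvent) {
        if (!(requestorInfo instanceof RequestorInfo.CmpRequestorInfo)) {
            throw new IllegalArgumentException("unknown requestor type " + requestorInfo.getClass().getName());
        }
        RequestorInfo.CmpRequestorInfo cmpRequestorInfo = (RequestorInfo.CmpRequestorInfo) requestorInfo;
        auditEvent.addEventData(CaAuditConstants.NAME_requestor, cmpRequestorInfo.getIdent().getName());

        PKIHeader header = generalPKIMessage.getHeader();
        PKIHeaderBuilder pKIHeaderBuilder = new PKIHeaderBuilder(header.getPvno().getValue().intValue(), getSender(), header.getSender());
        pKIHeaderBuilder.setTransactionID(aSN1OctetString);
        ASN1OctetString senderNonce = header.getSenderNonce();
        if (senderNonce != null) {
            pKIHeaderBuilder.setRecipNonce(senderNonce);
        }

        PKIBody body = generalPKIMessage.getBody();
        int type = body.getType();
        CmpControl cmpControl = getCmpControl();
        PKIBody pKIBody;
        try {
            switch (type) {
                case PKIBody.TYPE_INIT_REQ:
                case PKIBody.TYPE_CERT_REQ:
                case PKIBody.TYPE_P10_CERT_REQ:
                case PKIBody.TYPE_KEY_UPDATE_REQ:
                case PKIBody.TYPE_CROSS_CERT_REQ:
                    String auditType;
                    if (type == PKIBody.TYPE_CERT_REQ) {
                        auditType = CaAuditConstants.Cmp.TYPE_cr;
                    } else if (type == PKIBody.TYPE_INIT_REQ) {
                        auditType = CaAuditConstants.Cmp.TYPE_ir;
                    } else if (type == PKIBody.TYPE_KEY_UPDATE_REQ) {
                        auditType = CaAuditConstants.Cmp.TYPE_kur;
                    } else if (type == PKIBody.TYPE_P10_CERT_REQ) {
                        auditType = CaAuditConstants.Cmp.TYPE_p10cr;
                    } else {
                        // Only TYPE_CROSS_CERT_REQ is left among the case labels above.
                        auditType = CaAuditConstants.Cmp.TYPE_ccr;
                    }
                    auditEvent.addEventType(auditType);

                    String dfltCertprofile = null;
                    Boolean dfltKeyGen = null;
                    if (map != null) {
                        dfltCertprofile = map.get(CaAuditConstants.NAME_certprofile);
                        String keyGenText = map.get("ca-generate-keypair");
                        if (keyGenText != null) {
                            dfltKeyGen = Boolean.valueOf("true".equalsIgnoreCase(keyGenText));
                        }
                    }
                    pKIBody = cmpEnrollCert(dfltCertprofile, dfltKeyGen, pKIMessage, pKIHeaderBuilder, cmpControl, header, body, cmpRequestorInfo, aSN1OctetString, str, auditEvent);
                    break;
                case PKIBody.TYPE_REVOCATION_REQ:
                    pKIBody = cmpUnRevokeRemoveCertificates(pKIMessage, pKIHeaderBuilder, cmpControl, header, body, cmpRequestorInfo, str, auditEvent);
                    break;
                case PKIBody.TYPE_CONFIRM:
                    auditEvent.addEventType(CaAuditConstants.Cmp.TYPE_pkiconf);
                    pKIBody = new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
                    break;
                case PKIBody.TYPE_GEN_MSG:
                    pKIBody = cmpGeneralMsg(pKIHeaderBuilder, cmpControl, header, body, cmpRequestorInfo, aSN1OctetString, str, auditEvent);
                    break;
                case PKIBody.TYPE_ERROR:
                    // An error message from the requester hands the transaction ID to
                    // revokePendingCertificates (defined outside this excerpt).
                    auditEvent.addEventType(CaAuditConstants.Cmp.TYPE_error);
                    revokePendingCertificates(aSN1OctetString, str);
                    pKIBody = new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
                    break;
                case PKIBody.TYPE_CERT_CONFIRM:
                    auditEvent.addEventType(CaAuditConstants.Cmp.TYPE_certConf);
                    pKIBody = confirmCertificates(aSN1OctetString, (CertConfirmContent) body.getContent(), str);
                    break;
                default:
                    // Responses, announcements, nested messages and anything unknown are refused.
                    auditEvent.addEventType("PKIBody." + type);
                    pKIBody = buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "unsupported type " + type);
                    break;
            }
        } catch (InsuffientPermissionException e) {
            pKIBody = new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText(e.getMessage()), new PKIFailureInfo(PKIFailureInfo.notAuthorized))));
        }

        if (pKIBody.getType() == PKIBody.TYPE_ERROR) {
            ErrorMsgContent errorContent = (ErrorMsgContent) pKIBody.getContent();
            PkiStatusInfo pkiStatusInfo = new PkiStatusInfo(errorContent.getPKIStatusInfo());
            auditEvent.setStatus(AuditStatus.FAILED);
            String statusMessage = pkiStatusInfo.statusMessage();
            if (statusMessage != null) {
                auditEvent.addEventData(CaAuditConstants.NAME_message, statusMessage);
            }
        } else if (auditEvent.getStatus() == null) {
            // A handler may already have recorded a status; only fill in the default.
            auditEvent.setStatus(AuditStatus.SUCCESSFUL);
        }
        return new PKIMessage(pKIHeaderBuilder.build(), pKIBody);
    }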

    /**
     * Handles an initialization request: the certificate requests go through
     * {@code processCertReqMessages} (boolean flag set to {@code true}) and the reply is wrapped in a
     * body of type {@code PKIBody.TYPE_INIT_REP}.
     *
     * @throws InsuffientPermissionException propagated from {@code processCertReqMessages}
     */
    private PKIBody processIr(String str, Boolean bool, PKIMessage pKIMessage, RequestorInfo.CmpRequestorInfo cmpRequestorInfo, ASN1OctetString aSN1OctetString, PKIHeader pKIHeader, CertReqMessages certReqMessages, CmpControl cmpControl, String str2, AuditEvent auditEvent) throws InsuffientPermissionException {
        CertRepMessage reply = processCertReqMessages(str, bool, pKIMessage, cmpRequestorInfo, aSN1OctetString, pKIHeader, certReqMessages, true, cmpControl, str2, auditEvent);
        return new PKIBody(PKIBody.TYPE_INIT_REP, reply);
    }

    /**
     * Handles a certification request: the certificate requests go through
     * {@code processCertReqMessages} (boolean flag set to {@code true}) and the reply is wrapped in a
     * body of type {@code PKIBody.TYPE_CERT_REP}.
     *
     * @throws InsuffientPermissionException propagated from {@code processCertReqMessages}
     */
    private PKIBody processCr(String str, Boolean bool, PKIMessage pKIMessage, RequestorInfo.CmpRequestorInfo cmpRequestorInfo, ASN1OctetString aSN1OctetString, PKIHeader pKIHeader, CertReqMessages certReqMessages, CmpControl cmpControl, String str2, AuditEvent auditEvent) throws InsuffientPermissionException {
        CertRepMessage reply = processCertReqMessages(str, bool, pKIMessage, cmpRequestorInfo, aSN1OctetString, pKIHeader, certReqMessages, true, cmpControl, str2, auditEvent);
        return new PKIBody(PKIBody.TYPE_CERT_REP, reply);
    }

    /**
     * Handles a key update request: the certificate requests go through
     * {@code processCertReqMessages} (boolean flag set to {@code true}) and the reply is wrapped in a
     * body of type {@code PKIBody.TYPE_KEY_UPDATE_REP}.
     *
     * @throws InsuffientPermissionException propagated from {@code processCertReqMessages}
     */
    private PKIBody processKur(String str, Boolean bool, PKIMessage pKIMessage, RequestorInfo.CmpRequestorInfo cmpRequestorInfo, ASN1OctetString aSN1OctetString, PKIHeader pKIHeader, CertReqMessages certReqMessages, CmpControl cmpControl, String str2, AuditEvent auditEvent) throws InsuffientPermissionException {
        CertRepMessage reply = processCertReqMessages(str, bool, pKIMessage, cmpRequestorInfo, aSN1OctetString, pKIHeader, certReqMessages, true, cmpControl, str2, auditEvent);
        return new PKIBody(PKIBody.TYPE_KEY_UPDATE_REP, reply);
    }

    /**
     * Handles a cross-certification request. Unlike the other enrolment handlers it takes no key
     * generation default: it passes {@code Boolean.FALSE} for it and {@code false} for the boolean
     * flag of {@code processCertReqMessages}. The reply is wrapped in a body of type
     * {@code PKIBody.TYPE_CROSS_CERT_REP}.
     *
     * @throws InsuffientPermissionException propagated from {@code processCertReqMessages}
     */
    private PKIBody processCcp(String str, PKIMessage pKIMessage, RequestorInfo.CmpRequestorInfo cmpRequestorInfo, ASN1OctetString aSN1OctetString, PKIHeader pKIHeader, CertReqMessages certReqMessages, CmpControl cmpControl, String str2, AuditEvent auditEvent) throws InsuffientPermissionException {
        CertRepMessage reply = processCertReqMessages(str, Boolean.FALSE, pKIMessage, cmpRequestorInfo, aSN1OctetString, pKIHeader, certReqMessages, false, cmpControl, str2, auditEvent);
        return new PKIBody(PKIBody.TYPE_CROSS_CERT_REP, reply);
    }

    private CertRepMessage processCertReqMessages(String str, Boolean bool, PKIMessage pKIMessage, RequestorInfo.CmpRequestorInfo cmpRequestorInfo, ASN1OctetString aSN1OctetString, PKIHeader pKIHeader, CertReqMessages certReqMessages, boolean z, CmpControl cmpControl, String str2, AuditEvent auditEvent) throws InsuffientPermissionException {
        CertReqMsg[] certReqMsgArray = certReqMessages.toCertReqMsgArray();
        int length = certReqMsgArray.length;
        ArrayList arrayList = new ArrayList(length);
        ArrayList arrayList2 = new ArrayList(1);
        boolean z2 = pKIMessage.getBody().getType() == 7;
        for (int i = 0; i < length && (!cmpControl.isGroupEnroll() || arrayList.size() == i); i++) {
            CertReqMsg certReqMsg = certReqMsgArray[i];
            ASN1Integer certReqId = certReqMsg.getCertReq().getCertReqId();
            CertificateRequestMessage certificateRequestMessage = new CertificateRequestMessage(certReqMsg);
            CertTemplate certTemplate = certificateRequestMessage.getCertTemplate();
            CmpUtf8Pairs extract = CmpUtil.extract(certReqMsg.getRegInfo());
            SubjectPublicKeyInfo publicKey = certTemplate.getPublicKey();
            X500Name subject = certTemplate.getSubject();
            Extensions extensions = certTemplate.getExtensions();
            String value = extract == null ? null : extract.value(CaAuditConstants.NAME_certprofile);
            if (value == null) {
                value = str;
            }
            if (value != null) {
                value = value.toLowerCase();
            }
            String value2 = extract == null ? null : extract.value("ca-generate-keypair");
            boolean equalsIgnoreCase = bool == null ? value2 == null ? false : "true".equalsIgnoreCase(value2) : value2 == null ? bool.booleanValue() : "true".equalsIgnoreCase(value2);
            if (z2) {
                Controls controls = certReqMsg.getCertReq().getControls();
                AttributeTypeAndValue attributeTypeAndValue = null;
                if (controls != null) {
                    try {
                        ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance(controls.getEncoded());
                        int size = aSN1Sequence.size();
                        int i2 = 0;
                        while (true) {
                            if (i2 >= size) {
                                break;
                            }
                            AttributeTypeAndValue attributeTypeAndValue2 = AttributeTypeAndValue.getInstance(aSN1Sequence.getObjectAt(i2));
                            if (attributeTypeAndValue2.getType().equals(CMPObjectIdentifiers.regCtrl_oldCertID)) {
                                attributeTypeAndValue = attributeTypeAndValue2;
                                break;
                            }
                            i2++;
                        }
                    } catch (IOException e) {
                        arrayList2.add(buildErrorCertResponse(certReqId, 1073741824, "could not parse the controls"));
                    }
                }
                if (attributeTypeAndValue == null) {
                    arrayList2.add(buildErrorCertResponse(certReqId, 1048576, "no getCtrl oldCertID is specified"));
                } else {
                    CertId certId = CertId.getInstance(attributeTypeAndValue.getValue());
                    if (4 != certId.getIssuer().getTagNo()) {
                        arrayList2.add(buildErrorCertResponse(certReqId, 8, "invalid regCtrl oldCertID"));
                    } else {
                        X500Name x500Name = X500Name.getInstance(certId.getIssuer().getName());
                        BigInteger value3 = certId.getSerialNumber().getValue();
                        try {
                            CertWithRevocationInfo cert = this.caManager.getCert(x500Name, value3);
                            if (cert == null) {
                                arrayList2.add(buildErrorCertResponse(certReqId, 8, "found no certificate with the issuer " + x500Name + "and serial number " + value3));
                            } else if (cert.isRevoked()) {
                                arrayList2.add(buildErrorCertResponse(certReqId, 8192, "could not update a revoked certificate with the issuer " + x500Name + "and serial number " + value3));
                            } else {
                                if (value == null) {
                                    value = cert.getCertprofile();
                                }
                                if (value == null) {
                                    LOG.warn("no certprofile is specified");
                                    arrayList2.add(buildErrorCertResponse(certReqId, 1048576, "no certificate profile"));
                                } else {
                                    if (subject == null) {
                                        subject = cert.getCert().getSubjectAsX500Name();
                                    }
                                    if (publicKey == null && !equalsIgnoreCase) {
                                        publicKey = cert.getCert().getCertHolder().getSubjectPublicKeyInfo();
                                    }
                                    HashMap hashMap = new HashMap();
                                    if (extensions != null) {
                                        for (ASN1ObjectIdentifier aSN1ObjectIdentifier : extensions.getExtensionOIDs()) {
                                            hashMap.put(aSN1ObjectIdentifier.getId(), extensions.getExtension(aSN1ObjectIdentifier));
                                        }
                                    }
                                    Extensions extensions2 = cert.getCert().getCertHolder().getExtensions();
                                    for (ASN1ObjectIdentifier aSN1ObjectIdentifier2 : extensions2.getExtensionOIDs()) {
                                        String id = aSN1ObjectIdentifier2.getId();
                                        if (!hashMap.containsKey(id) && !kupCertExtnIds.contains(id)) {
                                            hashMap.put(id, extensions2.getExtension(aSN1ObjectIdentifier2));
                                        }
                                    }
                                    extensions = new Extensions((Extension[]) hashMap.values().toArray(new Extension[0]));
                                }
                            }
                        } catch (CaMgmtException e2) {
                            arrayList2.add(buildErrorCertResponse(certReqId, 1073741824, "error while finding certificate with the issuer " + x500Name + "and serial number " + value3));
                        }
                    }
                }
            } else if (value == null) {
                LOG.warn("no certprofile is specified");
                arrayList2.add(buildErrorCertResponse(certReqId, 1048576, "no certificate profile"));
            }
            if (cmpRequestorInfo.isCertprofilePermitted(value)) {
                if (publicKey != null) {
                    if (!certificateRequestMessage.hasProofOfPossession()) {
                        arrayList2.add(buildErrorCertResponse(certReqId, 16384, "no POP"));
                    } else if (!verifyPopo(certificateRequestMessage, publicKey, cmpRequestorInfo.isRa())) {
                        LOG.warn("could not validate POP for request {}", certReqId.getValue());
                        arrayList2.add(buildErrorCertResponse(certReqId, 16384, "invalid POP"));
                    }
                } else if (!equalsIgnoreCase) {
                    LOG.warn("no public key is specified {}", certReqId.getValue());
                    arrayList2.add(buildErrorCertResponse(certReqId, 1048576, "no public key"));
                } else if (z) {
                    checkPermission(cmpRequestorInfo, 256);
                } else {
                    LOG.warn("no public key is specified and key generation is not allowed {}", certReqId.getValue());
                    arrayList2.add(buildErrorCertResponse(certReqId, 1048576, "no public key"));
                }
                OptionalValidity validity = certTemplate.getValidity();
                Date date = null;
                if (validity != null) {
                    Time notBefore = validity.getNotBefore();
                    r42 = notBefore != null ? notBefore.getDate() : null;
                    Time notAfter = validity.getNotAfter();
                    if (notAfter != null) {
                        date = notAfter.getDate();
                    }
                }
                arrayList.add(new CertTemplateData(subject, publicKey, r42, date, extensions, value, certReqId, equalsIgnoreCase));
            } else {
                arrayList2.add(buildErrorCertResponse(certReqId, 65536, "certprofile " + value + " is not allowed"));
            }
        }
        if (arrayList2.size() == length) {
            CertResponse[] certResponseArr = new CertResponse[length];
            for (int i3 = 0; i3 < length; i3++) {
                certResponseArr[i3] = (CertResponse) arrayList2.get(i3);
            }
            auditEvent.setStatus(AuditStatus.FAILED);
            return new CertRepMessage((CMPCertificate[]) null, certResponseArr);
        }
        if (cmpControl.isGroupEnroll() && arrayList.size() != length) {
            auditEvent.setStatus(AuditStatus.FAILED);
            int size2 = arrayList.size();
            BigInteger value4 = certReqMsgArray[size2].getCertReq().getCertReqId().getValue();
            CertResponse certResponse = (CertResponse) arrayList2.get(size2);
            PKIStatus pKIStatus = PKIStatus.getInstance(new ASN1Integer(certResponse.getStatus().getStatus()));
            PKIFailureInfo pKIFailureInfo = new PKIFailureInfo(certResponse.getStatus().getFailInfo());
            CertResponse[] certResponseArr2 = new CertResponse[length];
            for (int i4 = 0; i4 < length; i4++) {
                if (i4 == size2) {
                    certResponseArr2[i4] = certResponse;
                } else {
                    certResponseArr2[i4] = new CertResponse(certResponseArr2[i4].getCertReqId(), generateRejectionStatus(pKIStatus, Integer.valueOf(pKIFailureInfo.intValue()), "error in certReq " + value4));
                }
            }
            return new CertRepMessage((CMPCertificate[]) null, certResponseArr2);
        }
        List<CertResponse> generateCertificates = generateCertificates(arrayList, cmpRequestorInfo, aSN1OctetString, z2, pKIMessage, cmpControl, str2, auditEvent);
        CertResponse[] certResponseArr3 = new CertResponse[length];
        int i5 = 0;
        Iterator it = arrayList2.iterator();
        while (it.hasNext()) {
            int i6 = i5;
            i5++;
            certResponseArr3[i6] = (CertResponse) it.next();
        }
        Iterator<CertResponse> it2 = generateCertificates.iterator();
        while (it2.hasNext()) {
            int i7 = i5;
            i5++;
            certResponseArr3[i7] = it2.next();
        }
        CMPCertificate[] cMPCertificateArr = null;
        if (cmpControl.isSendCaCert()) {
            boolean z3 = false;
            Iterator<CertResponse> it3 = generateCertificates.iterator();
            while (true) {
                if (!it3.hasNext()) {
                    break;
                }
                if (it3.next().getCertifiedKeyPair() != null) {
                    z3 = true;
                    break;
                }
            }
            if (z3 && cmpControl.isSendCaCert()) {
                cMPCertificateArr = new CMPCertificate[]{getCa().getCaInfo().getCertInCmpFormat()};
            }
        }
        return new CertRepMessage(cMPCertificateArr, certResponseArr3);
    }

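    /**
     * Handles a PKCS#10 request carried in a CMP message and builds the certificate response body.
     *
     * <p>Checks run in this order: CSR verification via {@code X509Ca.verifyCsr} (answered with
     * "invalid POP" on failure), extension parsing, certificate-profile selection, and the
     * requestor's permission for the selected profile. Only when all of them pass is
     * {@code generateCertificates} invoked.
     *
     * @param str fallback certificate-profile name, used when the header's general info names none
     * @param pKIMessage the request message, handed on to {@code generateCertificates}
     * @param cmpRequestorInfo requestor whose permitted profiles are consulted
     * @param aSN1OctetString handed on to {@code generateCertificates} unchanged
     * @param pKIHeader request header; its general info may carry {@code certprofile},
     *     {@code notbefore} and {@code notafter}
     * @param certificationRequest the PKCS#10 request
     * @param cmpControl decides whether the CA certificate is attached to the response
     * @param str2 handed on to {@code generateCertificates} unchanged
     * @param auditEvent marked {@code FAILED} when the response status is not 0, 1 or 3
     * @return a body of type 3 holding exactly one {@code CertResponse}
     */
    private PKIBody processP10cr(String str, PKIMessage pKIMessage, RequestorInfo.CmpRequestorInfo cmpRequestorInfo, ASN1OctetString aSN1OctetString, PKIHeader pKIHeader, CertificationRequest certificationRequest, CmpControl cmpControl, String str2, AuditEvent auditEvent) {
        // A PKCS#10 request has no certReqId of its own; every response built here uses -1.
        ASN1Integer certReqId = new ASN1Integer(-1L);
        X509Ca ca = getCa();
        CertResponse certResponse = null;
        boolean issuanceAttempted = false;

        if (!ca.verifyCsr(certificationRequest)) {
            LOG.warn("could not validate POP for the pkcs#10 requst");
            // 16384 == PKIFailureInfo.badPOP
            certResponse = buildErrorCertResponse(certReqId, 16384, "invalid POP");
        } else {
            CertificationRequestInfo csrInfo = certificationRequest.getCertificationRequestInfo();
            Extensions extensions = null;
            try {
                extensions = CaUtil.getExtensions(csrInfo);
            } catch (IllegalArgumentException ex) {
                LOG.warn("could not parse extensions of the pkcs#10 requst");
                // 1048576 == PKIFailureInfo.badCertTemplate
                certResponse = buildErrorCertResponse(certReqId, 1048576, "invalid extensions");
            }

            if (certResponse == null) {
                X500Name subject = csrInfo.getSubject();
                SubjectPublicKeyInfo publicKeyInfo = csrInfo.getSubjectPublicKeyInfo();
                CmpUtf8Pairs keyValues = CmpUtil.extract(pKIHeader.getGeneralInfo());
                Date notBefore = null;
                Date notAfter = null;
                String profileName = null;
                if (keyValues != null) {
                    // All three values are requestor-supplied. This method passes the dates on as
                    // given; NOTE(review): confirm the selected profile bounds the validity.
                    // NOTE(review): a malformed date is not handled here - confirm how
                    // DateUtil.parseUtcTimeyyyyMMddhhmmss reports it.
                    profileName = keyValues.value(CaAuditConstants.NAME_certprofile);
                    String notBeforeText = keyValues.value("notbefore");
                    if (notBeforeText != null) {
                        notBefore = DateUtil.parseUtcTimeyyyyMMddhhmmss(notBeforeText);
                    }
                    String notAfterText = keyValues.value("notafter");
                    if (notAfterText != null) {
                        notAfter = DateUtil.parseUtcTimeyyyyMMddhhmmss(notAfterText);
                    }
                }
                if (profileName == null) {
                    profileName = str;
                }

                if (profileName == null) {
                    LOG.warn("no certprofile is specified");
                    certResponse = buildErrorCertResponse(certReqId, 1048576, "badCertTemplate");
                } else {
                    // The lowered name is the key of the authorization check below, so it must
                    // not depend on the JVM's default locale (e.g. the Turkish dotless i).
                    String normalizedProfile = profileName.toLowerCase(java.util.Locale.ROOT);
                    if (cmpRequestorInfo.isCertprofilePermitted(normalizedProfile)) {
                        CertTemplateData template = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, normalizedProfile, certReqId, false);
                        certResponse = generateCertificates(Arrays.asList(template), cmpRequestorInfo, aSN1OctetString, false, pKIMessage, cmpControl, str2, auditEvent).get(0);
                        issuanceAttempted = true;
                    } else {
                        // 65536 == PKIFailureInfo.notAuthorized
                        certResponse = buildErrorCertResponse(certReqId, 65536, "certprofile " + normalizedProfile + " is not allowed");
                    }
                }
            }
        }

        // The CA certificate is attached whenever issuance was attempted, whatever its outcome.
        CMPCertificate[] caCerts = null;
        if (issuanceAttempted && cmpControl.isSendCaCert()) {
            caCerts = new CMPCertificate[]{ca.getCaInfo().getCertInCmpFormat()};
        }

        // Statuses 0, 1 and 3 (PKIStatus granted, grantedWithMods, waiting) are not failures.
        // Anything else is recorded in the audit trail, unless it is already marked FAILED.
        if (auditEvent.getStatus() != AuditStatus.FAILED) {
            int status = certResponse.getStatus().getStatus().intValue();
            if (status != 0 && status != 1 && status != 3) {
                auditEvent.setStatus(AuditStatus.FAILED);
                PKIFreeText statusString = certResponse.getStatus().getStatusString();
                if (statusString != null) {
                    auditEvent.addEventData(CaAuditConstants.NAME_message, statusString.getStringAt(0).getString());
                }
            }
        }
        return new PKIBody(3, new CertRepMessage(caCerts, new CertResponse[]{certResponse}));
    }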

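    /**
     * Issues one certificate per template and returns one {@code CertResponse} per template.
     *
     * <p>With group enrolment the batch is all-or-nothing: if any step throws an
     * {@code OperationException}, every certificate already returned by the CA is revoked and all
     * templates are answered with the rejection built from that exception. Without group enrolment
     * each template is handled on its own and a failure rejects only that template.
     *
     * @param list templates to issue for
     * @param cmpRequestorInfo requestor on whose behalf the certificates are issued
     * @param aSN1OctetString its octets are handed to the CA with every issuance call
     * @param z {@code true} selects the CA's regenerate calls, {@code false} the generate calls
     * @param pKIMessage the request; its encoding is stored when the CA is set to save requests
     * @param cmpControl supplies the group-enrolment switch and is handed to post-processing
     * @param str handed to the CA calls unchanged
     * @param auditEvent marked {@code FAILED} when an issuance fails
     * @return the responses, in template order
     */
    private List<CertResponse> generateCertificates(List<CertTemplateData> list, RequestorInfo.CmpRequestorInfo cmpRequestorInfo, ASN1OctetString aSN1OctetString, boolean z, PKIMessage pKIMessage, CmpControl cmpControl, String str, AuditEvent auditEvent) {
        X509Ca ca = getCa();
        int size = list.size();
        List<CertResponse> responses = new ArrayList<>(size);

        if (cmpControl.isGroupEnroll()) {
            List<CertificateInfo> issued = null;
            try {
                issued = z
                        ? ca.regenerateCerts(list, cmpRequestorInfo, RequestType.CMP, aSN1OctetString.getOctets(), str)
                        : ca.generateCerts(list, cmpRequestorInfo, RequestType.CMP, aSN1OctetString.getOctets(), str);

                Long requestId = null;
                if (ca.getCaInfo().isSaveRequest()) {
                    try {
                        requestId = Long.valueOf(ca.addRequest(pKIMessage.getEncoded()));
                    } catch (Exception ex) {
                        // Storing the request is best effort; issuance continues without it.
                        LOG.warn("could not save request");
                    }
                }

                for (int i = 0; i < size; i++) {
                    CertificateInfo certInfo = issued.get(i);
                    responses.add(postProcessCertInfo(list.get(i).getCertReqId(), cmpRequestorInfo, certInfo, aSN1OctetString, cmpControl));
                    if (requestId != null) {
                        ca.addRequestCert(requestId.longValue(), certInfo.getCert().getCertId().longValue());
                    }
                }
            } catch (OperationException ex) {
                // Roll back: nothing issued in a failed batch may stay valid.
                if (issued != null) {
                    for (CertificateInfo certInfo : issued) {
                        BigInteger serialNumber = certInfo.getCert().getCertHolder().getSerialNumber();
                        try {
                            ca.revokeCert(serialNumber, CrlReason.CESSATION_OF_OPERATION, null, str);
                        } catch (OperationException revokeEx) {
                            // A certificate named here is still valid although its batch was rejected.
                            LogUtil.error(LOG, revokeEx, "CA " + getCaName() + " could not revoke certificate " + serialNumber);
                        }
                    }
                }
                auditEvent.setStatus(AuditStatus.FAILED);
                responses.clear();
                for (int i = 0; i < size; i++) {
                    responses.add(postProcessException(list.get(i).getCertReqId(), ex));
                }
            }
            return responses;
        }

        Long requestId = null;
        boolean saveFailed = false;
        for (int i = 0; i < size; i++) {
            CertTemplateData template = list.get(i);
            ASN1Integer certReqId = template.getCertReqId();
            // The whole per-template sequence sits in one try, so a failed issuance yields exactly
            // one rejection and never reaches the request-linking or post-processing steps with no
            // certificate in hand.
            try {
                CertificateInfo certInfo;
                if (z) {
                    certInfo = ca.regenerateCert(template, cmpRequestorInfo, RequestType.CMP, aSN1OctetString.getOctets(), str);
                } else {
                    certInfo = ca.generateCert(template, (RequestorInfo) cmpRequestorInfo, RequestType.CMP, aSN1OctetString.getOctets(), str);
                }

                if (ca.getCaInfo().isSaveRequest()) {
                    // The request is stored once, on the first success; after a failed attempt it
                    // is not retried for the remaining templates.
                    if (requestId == null && !saveFailed) {
                        try {
                            requestId = Long.valueOf(ca.addRequest(pKIMessage.getEncoded()));
                        } catch (Exception ex) {
                            saveFailed = true;
                            LOG.warn("could not save request");
                        }
                    }
                    if (requestId != null) {
                        ca.addRequestCert(requestId.longValue(), certInfo.getCert().getCertId().longValue());
                    }
                }
                responses.add(postProcessCertInfo(certReqId, cmpRequestorInfo, certInfo, aSN1OctetString, cmpControl));
            } catch (OperationException ex) {
                // NOTE(review): if the exception is raised after the CA returned the certificate,
                // the requestor sees a rejection while the certificate stays issued; the group
                // branch revokes in that situation - confirm whether this branch should as well.
                auditEvent.setStatus(AuditStatus.FAILED);
                responses.add(postProcessException(certReqId, ex));
            }
        }
        return responses;
    }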

    /* JADX WARN: Finally extract failed */
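    /**
     * Turns an issued certificate into a {@code CertResponse}, encrypting the private key for the
     * requestor when the CA generated the key pair.
     *
     * <p>The private key is always encrypted with AES-128-GCM under a key that is fresh for this
     * call. How that key reaches the requestor depends on the requestor:
     * <ul>
     *   <li>no requestor certificate: the key is derived with PBKDF2 from the requestor's password
     *       and a random salt, and the response carries the PBES2 parameters;</li>
     *   <li>RSA or EC requestor certificate: a generated AES key is wrapped for that public key and
     *       the wrapped key is carried in the response.</li>
     * </ul>
     * Any failure while encrypting yields a rejection response; the private key is never returned
     * unencrypted.
     *
     * @param aSN1Integer certReqId echoed in the response
     * @param cmpRequestorInfo requestor whose certificate or password protects the private key
     * @param certificateInfo the issued certificate, optionally with its private key
     * @param aSN1OctetString its octets key the pending-confirmation entry
     * @param cmpControl supplies the confirmation switch and the confirmation wait time
     * @return the granted response, or a rejection when the private key cannot be protected
     */
    private CertResponse postProcessCertInfo(ASN1Integer aSN1Integer, RequestorInfo.CmpRequestorInfo cmpRequestorInfo, CertificateInfo certificateInfo, ASN1OctetString aSN1OctetString, CmpControl cmpControl) {
        if (cmpControl.isConfirmCert()) {
            this.pendingCertPool.addCertificate(aSN1OctetString.getOctets(), aSN1Integer.getPositiveValue(), certificateInfo, System.currentTimeMillis() + cmpControl.getConfirmWaitTimeMs());
        }

        PKIStatusInfo statusInfo;
        String warningMessage = certificateInfo.getWarningMessage();
        if (!StringUtil.isBlank(warningMessage)) {
            statusInfo = new PKIStatusInfo(PKIStatus.grantedWithMods, new PKIFreeText(warningMessage));
        } else if (certificateInfo.isAlreadyIssued()) {
            statusInfo = new PKIStatusInfo(PKIStatus.grantedWithMods, new PKIFreeText("ALREADY_ISSUED"));
        } else {
            statusInfo = new PKIStatusInfo(PKIStatus.granted);
        }

        CertOrEncCert certOrEncCert = new CertOrEncCert(CMPCertificate.getInstance(certificateInfo.getCert().getEncodedCert()));
        PrivateKeyInfo privateKey = certificateInfo.getPrivateKey();
        if (privateKey == null) {
            // The requestor supplied the public key; there is nothing secret to send back.
            return new CertResponse(aSN1Integer, statusInfo, new CertifiedKeyPair(certOrEncCert), (ASN1OctetString) null);
        }

        AlgorithmIdentifier privateKeyAlgorithm = privateKey.getPrivateKeyAlgorithm();
        ASN1ObjectIdentifier contentEncAlg = NISTObjectIdentifiers.id_aes128_GCM;
        try {
            // NOTE(review): randomBytes is defined outside this block; presumably it draws from a
            // SecureRandom - confirm, since nonce and salt quality depend on it.
            byte[] nonce = randomBytes(12);
            SecretKeySpec contentKey;
            AlgorithmIdentifier symmAlg;
            DERBitString encSymmKey = null;
            AlgorithmIdentifier keyAlg = null;

            if (cmpRequestorInfo.getCert() == null) {
                // Password-based protection. The same iteration count must be used for the
                // derivation and advertised in the PBKDF2 parameters of the response.
                // NOTE(review): 10240 iterations of PBKDF2-HMAC-SHA256 is low by current guidance,
                // so the protection is bounded mainly by the strength of the requestor password.
                final int iterationCount = 10240;
                byte[] salt = randomBytes(16);

                ConcurrentBagEntry kdfEntry = null;
                if (pbkdf2_kdfs_initialized) {
                    try {
                        kdfEntry = pbkdf2_kdfs.borrow(5L, TimeUnit.SECONDS);
                    } catch (InterruptedException ex) {
                        // Fall back to a fresh instance, but keep the interrupt visible to callers.
                        Thread.currentThread().interrupt();
                    }
                }
                try {
                    SecretKeyFactory kdf = kdfEntry != null
                            ? (SecretKeyFactory) kdfEntry.value()
                            : SecretKeyFactory.getInstance(PKCSObjectIdentifiers.id_PBKDF2.getId());
                    contentKey = new SecretKeySpec(kdf.generateSecret(new PBKDF2KeySpec(cmpRequestorInfo.getPassword(), salt, iterationCount, 128, prf_hmacWithSHA256)).getEncoded(), "AES");
                } finally {
                    // Hand the pooled factory back exactly once, on success and on failure.
                    if (kdfEntry != null) {
                        pbkdf2_kdfs.requite(kdfEntry);
                    }
                }
                symmAlg = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_PBES2, new PBES2Parameters(new KeyDerivationFunc(PKCSObjectIdentifiers.id_PBKDF2, new PBKDF2Params(salt, iterationCount, 16, prf_hmacWithSHA256)), new EncryptionScheme(contentEncAlg, new GCMParameters(nonce, 16))));
            } else {
                PublicKey publicKey = cmpRequestorInfo.getCert().getCert().getPublicKey();
                CrmfKeyWrapper keyWrapper;
                if (publicKey instanceof RSAPublicKey) {
                    keyWrapper = new CrmfKeyWrapper.RSAOAEPAsymmetricKeyWrapper(publicKey);
                } else if (publicKey instanceof ECPublicKey) {
                    keyWrapper = new CrmfKeyWrapper.ECIESAsymmetricKeyWrapper(publicKey);
                } else {
                    LOG.error("Requestors's public key can not be used for encryption");
                    return new CertResponse(aSN1Integer, new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText("Requestors's public key can not be used for encryption")));
                }

                byte[] rawContentKey;
                synchronized (this.aesKeyGen) {
                    rawContentKey = this.aesKeyGen.generateKey().getEncoded();
                }
                encSymmKey = new DERBitString(keyWrapper.generateWrappedKey(rawContentKey));
                keyAlg = keyWrapper.getAlgorithmIdentifier();
                contentKey = new SecretKeySpec(rawContentKey, "AES");
                symmAlg = new AlgorithmIdentifier(contentEncAlg, new GCMParameters(nonce, 16));
            }

            ConcurrentBagEntry cipherEntry = null;
            if (aesGcm_ciphers_initialized) {
                try {
                    cipherEntry = aesGcm_ciphers.borrow(5L, TimeUnit.SECONDS);
                } catch (InterruptedException ex) {
                    Thread.currentThread().interrupt();
                }
            }
            byte[] encryptedPrivateKey;
            try {
                Cipher cipher = cipherEntry != null
                        ? (Cipher) cipherEntry.value()
                        : Cipher.getInstance(contentEncAlg.getId());
                // 128-bit tag; key and nonce are both fresh for this call.
                cipher.init(Cipher.ENCRYPT_MODE, contentKey, new GCMParameterSpec(128, nonce));
                encryptedPrivateKey = cipher.doFinal(privateKey.getEncoded());
            } finally {
                // Hand the pooled cipher back exactly once, on success and on failure.
                if (cipherEntry != null) {
                    aesGcm_ciphers.requite(cipherEntry);
                }
            }

            EncryptedValue encryptedValue = new EncryptedValue(privateKeyAlgorithm, symmAlg, encSymmKey, keyAlg, (ASN1OctetString) null, new DERBitString(encryptedPrivateKey));
            return new CertResponse(aSN1Integer, statusInfo, new CertifiedKeyPair(certOrEncCert, encryptedValue, (PKIPublicationInfo) null), (ASN1OctetString) null);
        } catch (Throwable th) {
            // NOTE(review): at this point the certificate is already issued and, with confirmation
            // enabled, already registered as pending; the requestor only sees a rejection.
            // Confirm that such a certificate is cleaned up elsewhere.
            LogUtil.error(LOG, th, "error while encrypting the private key");
            return new CertResponse(aSN1Integer, new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText("error while encrypting the private key")));
        }
    }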

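    /**
     * Revokes, unrevokes or removes the certificates named in a revocation request.
     *
     * <p>The method works in two passes. The first pass validates every entry and rejects the
     * whole message on the first invalid one, before any certificate is touched. The second pass
     * executes the operation entry by entry and records one status per entry, so a failure on one
     * certificate does not stop the others.
     *
     * <p>Validation requires that the issuer equals this CA's subject, that a serial number is
     * present, that no other template field is set, and that the only critical extension is the
     * authority key identifier. When extensions are present the authority key identifier must
     * match this CA; when they are absent it is required only if {@code cmpControl} says so.
     *
     * <p>NOTE(review): the requestor's permission for the operation is not checked in this
     * method; presumably the caller has done so - confirm.
     *
     * @param pKIMessage the request; its encoding is stored when the CA is set to save requests
     * @param revReqContent the entries to process
     * @param i operation code: 4 leads to {@code unrevokeCert}, 8 to {@code removeCert}, any
     *     other value to {@code revokeCert}
     * @param cmpControl tells whether the authority key identifier is mandatory
     * @param str handed to the CA calls unchanged
     * @param auditEvent set to level {@code ERROR} and status {@code FAILED} when an entry fails
     * @return an error body when validation fails, otherwise a body of type 12 with one status per
     *     entry
     */
    private PKIBody unRevokeRemoveCertificates(PKIMessage pKIMessage, RevReqContent revReqContent, int i, CmpControl cmpControl, String str, AuditEvent auditEvent) {
        RevDetails[] revDetailsArray = revReqContent.toRevDetailsArray();
        RevRepContentBuilder revRepContentBuilder = new RevRepContentBuilder();

        // Pass 1: validate everything first; 1048576 == PKIFailureInfo.badCertTemplate.
        for (RevDetails revDetails : revDetailsArray) {
            CertTemplate certDetails = revDetails.getCertDetails();
            X500Name issuer = certDetails.getIssuer();
            ASN1Integer serialNumber = certDetails.getSerialNumber();
            try {
                X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
                if (issuer == null) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, 1048576, "issuer is not present");
                }
                if (!issuer.equals(caSubject)) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, 1048576, "issuer does not target at the CA");
                }
                if (serialNumber == null) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, 1048576, "serialNumber is not present");
                }
                if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, 1048576, "only version, issuer and serialNumber in RevDetails.certDetails are allowed, but more is specified");
                }

                Extensions extensions = certDetails.getExtensions();
                if (extensions == null) {
                    if (cmpControl.isRrAkiRequired()) {
                        return buildErrorMsgPkiBody(PKIStatus.rejection, 1048576, "issuer's AKI not present");
                    }
                    continue;
                }

                // A critical extension this code does not understand must not be ignored.
                ASN1ObjectIdentifier[] criticalOids = extensions.getCriticalExtensionOIDs();
                if (criticalOids != null) {
                    for (ASN1ObjectIdentifier oid : criticalOids) {
                        if (!Extension.authorityKeyIdentifier.equals(oid)) {
                            return buildErrorMsgPkiBody(PKIStatus.rejection, 1048576, "unknown critical extension " + oid.getId());
                        }
                    }
                }

                Extension akiExtension = extensions.getExtension(Extension.authorityKeyIdentifier);
                if (akiExtension == null) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, 1048576, "issuer's AKI not present");
                }
                AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(akiExtension.getParsedValue());
                if (aki.getKeyIdentifier() == null) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, 1048576, "issuer's AKI not present");
                }

                // Key identifier, and where given also serial number and issuer name, must all
                // point at this CA.
                boolean targetsThisCa = Arrays.equals(getCa().getCaInfo().getCert().getSubjectKeyIdentifier(), aki.getKeyIdentifier());
                if (targetsThisCa && aki.getAuthorityCertSerialNumber() != null && !getCa().getCaInfo().getSerialNumber().equals(aki.getAuthorityCertSerialNumber())) {
                    targetsThisCa = false;
                }
                if (targetsThisCa && aki.getAuthorityCertIssuer() != null) {
                    for (GeneralName name : aki.getAuthorityCertIssuer().getNames()) {
                        // Tag 4 is the directoryName choice of GeneralName.
                        if (name.getTagNo() != 4 || !caSubject.equals(name.getName())) {
                            targetsThisCa = false;
                            break;
                        }
                    }
                }
                if (!targetsThisCa) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, 1048576, "issuer does not target at the CA");
                }
            } catch (IllegalArgumentException ex) {
                // 32 == PKIFailureInfo.badRequest
                return buildErrorMsgPkiBody(PKIStatus.rejection, 32, "the request is invalid");
            }
        }

        byte[] encodedRequest = null;
        if (getCa().getCaInfo().isSaveRequest()) {
            try {
                encodedRequest = pKIMessage.getEncoded();
            } catch (IOException ex) {
                // Best effort: the operation proceeds, the request is just not stored.
                LOG.warn("could not encode request");
            }
        }

        // Pass 2: execute, one status per entry.
        Long requestDbId = null;
        for (RevDetails revDetails : revDetailsArray) {
            ASN1Integer serialNumber = revDetails.getCertDetails().getSerialNumber();
            X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
            BigInteger serial = serialNumber.getPositiveValue();
            CertId certId = new CertId(new GeneralName(caSubject), serialNumber);

            PKIStatusInfo status;
            // The success tail sits inside the try, so a failed operation can only ever produce
            // the rejection built in the catch block and is never reported as granted.
            try {
                Long certDbId = null;
                X509Ca ca = getCa();
                Object outcome;
                if (4 == i) {
                    outcome = ca.unrevokeCert(serial, str);
                    if (outcome != null) {
                        certDbId = ((CertWithDbId) outcome).getCertId();
                    }
                } else if (8 == i) {
                    outcome = ca.removeCert(serial, str);
                } else {
                    CrlReason reason = null;
                    Date invalidityDate = null;
                    Extensions crlEntryDetails = revDetails.getCrlEntryDetails();
                    if (crlEntryDetails != null) {
                        ASN1Encodable reasonValue = crlEntryDetails.getExtensionParsedValue(Extension.reasonCode);
                        if (reasonValue != null) {
                            reason = CrlReason.forReasonCode(ASN1Enumerated.getInstance(reasonValue).getValue().intValue());
                        }
                        ASN1ObjectIdentifier invalidityDateOid = Extension.invalidityDate;
                        ASN1Encodable invalidityValue = crlEntryDetails.getExtensionParsedValue(invalidityDateOid);
                        if (invalidityValue != null) {
                            try {
                                invalidityDate = ASN1GeneralizedTime.getInstance(invalidityValue).getDate();
                            } catch (ParseException ex) {
                                throw new OperationException(OperationException.ErrorCode.INVALID_EXTENSION, "invalid extension " + invalidityDateOid.getId());
                            }
                        }
                    }
                    if (reason == null) {
                        reason = CrlReason.UNSPECIFIED;
                    }
                    outcome = ca.revokeCert(serial, reason, invalidityDate, str);
                    if (outcome != null) {
                        certDbId = ((CertWithRevocationInfo) outcome).getCert().getCertId();
                    }
                }

                if (outcome == null) {
                    throw new OperationException(OperationException.ErrorCode.UNKNOWN_CERT, "cert not exists");
                }

                // Link request and certificate only when the request could be encoded above.
                if (certDbId != null && encodedRequest != null && ca.getCaInfo().isSaveRequest()) {
                    if (requestDbId == null) {
                        requestDbId = Long.valueOf(ca.addRequest(encodedRequest));
                    }
                    ca.addRequestCert(requestDbId.longValue(), certDbId.longValue());
                }
                status = new PKIStatusInfo(PKIStatus.granted);
            } catch (OperationException ex) {
                OperationException.ErrorCode errorCode = ex.getErrorCode();
                LOG.warn("{}, OperationException: code={}, message={}", new Object[]{PermissionConstants.getTextForCode(i), errorCode.name(), ex.getErrorMessage()});
                String message;
                // For the codes mapped to 1 and 2 only the code name is sent back and audited; the
                // detail message stays in the log. The PasswordHash constants in the labels carry
                // the values 1 and 2 and have no other connection to this switch.
                switch (AnonymousClass1.$SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[errorCode.ordinal()]) {
                    case PasswordHash.SALT_INDEX /* 1 */:
                    case PasswordHash.PBKDF2_INDEX /* 2 */:
                        message = errorCode.name();
                        break;
                    default:
                        message = errorCode.name() + ": " + ex.getErrorMessage();
                        break;
                }
                status = generateRejectionStatus(Integer.valueOf(getPKiFailureInfo(ex)), message);
                auditEvent.setLevel(AuditLevel.ERROR);
                auditEvent.setStatus(AuditStatus.FAILED);
                auditEvent.addEventData(CaAuditConstants.NAME_message, message);
            }
            revRepContentBuilder.add(status, certId);
        }
        return new PKIBody(12, revRepContentBuilder.build());
    }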

    /**
     * Builds the rejection response for a certificate request that failed with an
     * {@code OperationException}.
     *
     * <p>The code name and detail message are always written to the log. The status text returned
     * to the requestor carries the detail message as well, except for the two error codes that the
     * switch map numbers 1 and 2, for which only the code name is returned.
     * NOTE(review): presumably those two are internal failures whose detail should not leave the
     * CA - confirm against the switch map.
     *
     * @param aSN1Integer certReqId echoed in the response
     * @param operationException the failure to report
     * @return a response whose status is built by {@code generateRejectionStatus}
     */
    private CertResponse postProcessException(ASN1Integer aSN1Integer, OperationException operationException) {
        OperationException.ErrorCode code = operationException.getErrorCode();
        LOG.warn("generate certificate, OperationException: code={}, message={}", code.name(), operationException.getErrorMessage());

        // The PasswordHash constants carry the values 1 and 2; they have no other connection to
        // this lookup.
        int mapped = AnonymousClass1.$SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[code.ordinal()];
        boolean nameOnly = mapped == PasswordHash.SALT_INDEX || mapped == PasswordHash.PBKDF2_INDEX;

        String statusText;
        if (nameOnly) {
            statusText = code.name();
        } else {
            statusText = code.name() + ": " + operationException.getErrorMessage();
        }

        Integer failureInfo = Integer.valueOf(getPKiFailureInfo(operationException));
        return new CertResponse(aSN1Integer, generateRejectionStatus(failureInfo, statusText));
    }

    /**
     * Maps the error code of an {@link OperationException} to a CMP PKIFailureInfo bit value.
     *
     * <p>The switch runs over the index that the synthetic AnonymousClass1 switch map
     * assigns to each ErrorCode; that table is defined outside this method, so the
     * ErrorCode behind each index cannot be read off here. The returned literals are the
     * values of the BouncyCastle {@code PKIFailureInfo} constants named in the comments.
     *
     * @param operationException the failure to classify
     * @return the PKIFailureInfo value to report to the requestor
     */
    private int getPKiFailureInfo(OperationException operationException) {
        final int index = AnonymousClass1.$SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[operationException.getErrorCode().ordinal()];
        switch (index) {
            case 3:
            case 5:
            case 11:
                return 32; // PKIFailureInfo.badRequest
            case 4:
            case 14:
                return 1048576; // PKIFailureInfo.badCertTemplate
            case 6:
                return 8192; // PKIFailureInfo.certRevoked
            case 7:
            case 10:
                return 65536; // PKIFailureInfo.notAuthorized
            case 8:
                return 16384; // PKIFailureInfo.badPOP
            case 12:
                return Integer.MIN_VALUE; // PKIFailureInfo.systemUnavail
            case 13:
                return 8; // PKIFailureInfo.badCertId
            default:
                // indices 1, 2 and 9 as well as any unmapped code
                return 1073741824; // PKIFailureInfo.systemFailure
        }
    }

    /**
     * Processes a certConf message for one transaction.
     *
     * <p>Each CertStatus removes its entry from the pending-certificate pool (looked up by
     * transaction id, certReqId and certificate hash). If the requestor reports a status
     * other than 0 or 1 (BouncyCastle {@code PKIStatus.GRANTED} / {@code GRANTED_WITH_MODS}),
     * the certificate is revoked with reason CESSATION_OF_OPERATION; a failed revocation is
     * logged and otherwise ignored. Certificates still pending under the transaction
     * afterwards are handed to {@link #revokePendingCertificates}.
     *
     * @param aSN1OctetString transaction id of the CMP exchange
     * @param certConfirmContent the certConf payload
     * @param str message id passed through to the CA's revokeCert call
     * @return a body of type 19 (pkiconf) on success, otherwise type 23 (error) with a
     *         rejection status and failure info 1073741824 (systemFailure)
     */
    private PKIBody confirmCertificates(ASN1OctetString aSN1OctetString, CertConfirmContent certConfirmContent, String str) {
        boolean successful = true;
        for (CertStatus certStatus : certConfirmContent.toCertStatusArray()) {
            final ASN1Integer certReqId = certStatus.getCertReqId();
            final byte[] certHash = certStatus.getCertHash().getOctets();
            final CertificateInfo pending = this.pendingCertPool.removeCertificate(aSN1OctetString.getOctets(), certReqId.getPositiveValue(), certHash);

            if (pending == null) {
                // nothing issued under this (transactionId, certReqId, hash): log and move on
                if (LOG.isWarnEnabled()) {
                    LOG.warn("no cert under transactionId={}, certReqId={} and certHash=0X{}", new Object[]{aSN1OctetString, certReqId.getPositiveValue(), Hex.encode(certHash)});
                }
                continue;
            }

            // A missing statusInfo counts as acceptance.
            final PKIStatusInfo statusInfo = certStatus.getStatusInfo();
            boolean accepted = true;
            if (statusInfo != null) {
                final int status = statusInfo.getStatus().intValue();
                accepted = status == 0 || status == 1;
            }
            if (accepted) {
                continue;
            }

            // The requestor rejected the certificate: take it out of service.
            final BigInteger serialNumber = pending.getCert().getCert().getSerialNumber();
            final X509Ca ca = getCa();
            try {
                ca.revokeCert(serialNumber, CrlReason.CESSATION_OF_OPERATION, new Date(), str);
            } catch (OperationException e) {
                LogUtil.warn(LOG, e, "could not revoke certificate ca=" + ca.getCaInfo().getIdent() + " serialNumber=" + LogUtil.formatCsn(serialNumber));
            }
            successful = false;
        }

        // NOTE(review): revokePendingCertificates returns true both when nothing was left
        // pending and when every leftover certificate was revoked, yet true is treated as
        // a failure here. As written, a transaction in which every certificate was
        // confirmed still ends in the error body. Looks inverted - confirm the intended
        // contract before changing either side.
        if (revokePendingCertificates(aSN1OctetString, str)) {
            successful = false;
        }

        if (successful) {
            return new PKIBody(19, DERNull.INSTANCE);
        }
        final PKIStatusInfo rejection = new PKIStatusInfo(PKIStatus.rejection, (PKIFreeText) null, new PKIFailureInfo(1073741824));
        return new PKIBody(23, new ErrorMsgContent(rejection));
    }

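    /**
     * Revokes every certificate that is still pending under the given transaction.
     *
     * <p>The entries are removed from the pending pool first and then revoked one by one
     * with reason CESSATION_OF_OPERATION. A failed revocation leaves an issued but
     * unconfirmed certificate valid, so each failure is logged with the CA identifier and
     * serial number instead of being dropped silently; the loop still continues with the
     * remaining certificates.
     *
     * @param aSN1OctetString transaction id of the CMP exchange
     * @param str message id passed through to the CA's revokeCert call
     * @return {@code true} if nothing was pending or every pending certificate was
     *         revoked, {@code false} if at least one revocation failed
     */
    private boolean revokePendingCertificates(ASN1OctetString aSN1OctetString, String str) {
        Set<CertificateInfo> remaining = this.pendingCertPool.removeCertificates(aSN1OctetString.getOctets());
        if (CollectionUtil.isEmpty(remaining)) {
            return true;
        }

        boolean allRevoked = true;
        // one timestamp for the whole batch
        Date now = new Date();
        X509Ca ca = getCa();
        for (CertificateInfo certInfo : remaining) {
            BigInteger serialNumber = certInfo.getCert().getCert().getSerialNumber();
            try {
                ca.revokeCert(serialNumber, CrlReason.CESSATION_OF_OPERATION, now, str);
            } catch (OperationException e) {
                // Same message format as the revocation failure logged in confirmCertificates.
                LogUtil.warn(LOG, e, "could not revoke certificate ca=" + ca.getCaInfo().getIdent() + " serialNumber=" + LogUtil.formatCsn(serialNumber));
                allRevoked = false;
            }
        }
        return allRevoked;
    }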

    /**
     * Verifies the proof-of-possession (POP) of a CRMF certificate request.
     *
     * <p>Decision order:
     * <ol>
     *   <li>POP type 0 (raVerified in BouncyCastle's CertificateRequestMessage) is accepted
     *       without any cryptographic check, but only when {@code z} is true.</li>
     *   <li>Any type other than 1 (signing key) is rejected.</li>
     *   <li>The signature algorithm must be permitted by the CMP control's POPO algorithm
     *       validator.</li>
     *   <li>For the two XiPKI DH-POP algorithms a matching static key/cert pair must be
     *       configured on the CA; otherwise the POP fails.</li>
     *   <li>The signature is verified against the requested public key.</li>
     * </ol>
     *
     * @param certificateRequestMessage the request whose POP is checked
     * @param subjectPublicKeyInfo public key the requestor claims to possess
     * @param z whether an RA-verified POP may be accepted (presumably derived from the
     *          requestor's RA status - confirm against the callers)
     * @return {@code true} if the POP is acceptable, {@code false} otherwise, including on
     *         verification errors, which are logged
     */
    private boolean verifyPopo(CertificateRequestMessage certificateRequestMessage, SubjectPublicKeyInfo subjectPublicKeyInfo, boolean z) {
        final int popType = certificateRequestMessage.getProofOfPossessionType();
        if (popType == 0 && z) {
            // raVerified: no signature to check, the caller vouches for the key
            return true;
        }
        if (popType != 1) {
            LOG.error("unsupported POP type: " + popType);
            return false;
        }

        final POPOSigningKey popoSigningKey = POPOSigningKey.getInstance(certificateRequestMessage.toASN1Structure().getPopo().getObject());
        final AlgorithmIdentifier popoAlgId = popoSigningKey.getAlgorithmIdentifier();
        final boolean algorithmPermitted = getCmpControl().getPopoAlgoValidator().isAlgorithmPermitted(popoAlgId);
        if (!algorithmPermitted) {
            String algoName;
            try {
                algoName = AlgorithmUtil.getSignatureAlgoName(popoAlgId);
            } catch (NoSuchAlgorithmException e) {
                // no friendly name known: log the OID instead
                algoName = popoAlgId.getAlgorithm().getId();
            }
            LOG.error("POPO signature algorithm {} not permitted", algoName);
            return false;
        }

        try {
            final PublicKey requestedKey = this.securityFactory.generatePublicKey(subjectPublicKeyInfo);
            final ASN1ObjectIdentifier popoAlgOid = popoAlgId.getAlgorithm();
            final DhpocControl dhpocControl = getCa().getCaInfo().getDhpocControl();

            DHSigStaticKeyCertPair keyCertPair = null;
            final boolean dhPop = ObjectIdentifiers.Xipki.id_alg_dhPop_x25519_sha256.equals(popoAlgOid) || ObjectIdentifiers.Xipki.id_alg_dhPop_x448_sha512.equals(popoAlgOid);
            if (dhPop) {
                if (dhpocControl == null) {
                    // DH-POP is not configured on this CA
                    return false;
                }
                // The signature names the static key/cert pair by issuer and serial number.
                final IssuerAndSerialNumber issuerAndSerial = DhSigStatic.getInstance(popoSigningKey.getSignature().getBytes()).getIssuerAndSerial();
                keyCertPair = dhpocControl.getKeyCertPair(issuerAndSerial.getName(), issuerAndSerial.getSerialNumber().getValue(), EdECConstants.getName(subjectPublicKeyInfo.getAlgorithm().getAlgorithm()));
                if (keyCertPair == null) {
                    return false;
                }
            }
            return certificateRequestMessage.isValidSigningKeyPOP(this.securityFactory.getContentVerifierProvider(requestedKey, keyCertPair));
        } catch (IllegalStateException | InvalidKeyException | CRMFException e2) {
            // fail closed: any verification error counts as an invalid POP
            LogUtil.error(LOG, e2);
            return false;
        }
    }

    /**
     * Returns the CMP control of the CA this responder serves.
     *
     * @return the CMP control obtained from {@code getCa()}
     */
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    protected CmpControl getCmpControl() {
        final X509Ca ca = getCa();
        return ca.getCmpControl();
    }

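    /**
     * Enforces a permission on two levels: the CA itself must allow the operation, and
     * the requestor must hold the permission.
     *
     * @param cmpRequestorInfo the authenticated requestor
     * @param i permission code as understood by {@code PermissionConstants}
     * @throws InsuffientPermissionException if the CA does not allow the operation, or if
     *         the requestor check ({@code assertPermitted}) rejects it
     */
    private void checkPermission(RequestorInfo.CmpRequestorInfo cmpRequestorInfo, int i) throws InsuffientPermissionException {
        // CA-wide switch first: an operation disabled on the CA is refused for everyone.
        if (!PermissionConstants.contains(getCa().getCaInfo().getPermission(), i)) {
            // The original text lacked the space before "is", gluing it to the permission name.
            throw new InsuffientPermissionException("Permission " + PermissionConstants.getTextForCode(i) + " is not permitted");
        }
        cmpRequestorInfo.assertPermitted(i);
    }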

    /**
     * Builds the JSON "system info" document returned for the XiPKI general message
     * with action code 3.
     *
     * <p>The document contains the format version (3), the encoded CA certificate followed
     * by its chain, the {@code rrAkiRequired} CMP-control flag, the certificate profiles
     * of this CA that the requestor is allowed to use (name, type and configuration of each
     * non-faulty profile) and, when DH-POP is configured, the encoded DH-POP certificates.
     *
     * @param cmpRequestorInfo the requestor; its profile list filters the profiles shown
     * @param set versions the client accepts, or {@code null} for no restriction
     * @return the JSON text
     * @throws OperationException with BAD_REQUEST if {@code set} is given and does not
     *         contain version 3
     */
    private String getSystemInfo(RequestorInfo.CmpRequestorInfo cmpRequestorInfo, Set<Integer> set) throws OperationException {
        X509Ca ca = getCa();
        CaInfo caInfo = ca.getCaInfo();
        // Only version 3 of the document is produced.
        if (set != null && !set.contains(3)) {
            throw new OperationException(OperationException.ErrorCode.BAD_REQUEST, "none of versions " + set + " is supported");
        }
        JSONObject jSONObject = new JSONObject(false);
        jSONObject.put("version", 3);
        // CA certificate first, then the rest of the chain in the order the CA reports it.
        LinkedList linkedList = new LinkedList();
        linkedList.add(caInfo.getCert().getEncodedCert());
        Iterator<X509Cert> it = caInfo.getCertchain().iterator();
        while (it.hasNext()) {
            linkedList.add(it.next().getEncodedCert());
        }
        jSONObject.put("caCertchain", linkedList);
        JSONObject jSONObject2 = new JSONObject(false);
        jSONObject2.put("rrAkiRequired", Boolean.valueOf(getCmpControl().isRrAkiRequired()));
        jSONObject.put("cmpControl", jSONObject2);
        // Restrict the profile list to what this requestor may use; "all" is a wildcard.
        Set profiles = cmpRequestorInfo.getCaHasRequestor().getProfiles();
        HashSet<String> hashSet = new HashSet();
        for (String str : ca.getCaManager().getCertprofilesForCa(caInfo.getIdent().getName())) {
            if (profiles.contains("all") || profiles.contains(str)) {
                hashSet.add(str);
            }
        }
        if (CollectionUtil.isNotEmpty(hashSet)) {
            LinkedList linkedList2 = new LinkedList();
            jSONObject.put("certprofiles", linkedList2);
            for (String str2 : hashSet) {
                MgmtEntry.Certprofile certprofile = ca.getCaManager().getCertprofile(str2);
                // Faulty profiles are left out of the document.
                if (!certprofile.isFaulty()) {
                    JSONObject jSONObject3 = new JSONObject(false);
                    jSONObject3.put(CaAuditConstants.Scep.NAME_name, str2);
                    jSONObject3.put("type", certprofile.getType());
                    // NOTE(review): the full profile configuration is disclosed to the requestor
                    // here - confirm it never carries anything the requestor should not see.
                    jSONObject3.put("conf", certprofile.getConf());
                    linkedList2.add(jSONObject3);
                }
            }
        }
        // DH-POP certificates are included only when DH-POP is configured on the CA.
        DhpocControl dhpocControl = ca.getCaInfo().getDhpocControl();
        if (dhpocControl != null) {
            X509Cert[] certificates = dhpocControl.getCertificates();
            LinkedList linkedList3 = new LinkedList();
            for (X509Cert x509Cert : certificates) {
                linkedList3.add(x509Cert.getEncodedCert());
            }
            jSONObject.put("dhpocs", linkedList3);
        }
        return JSON.toJSONString(jSONObject, false);
    }

    /**
     * Returns the signer used to protect this responder's CMP responses.
     *
     * @return the signer of the signer wrapper that the CA manager holds under this
     *         responder's name
     */
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    protected ConcurrentContentSigner getSigner() {
        return this.caManager.getSignerWrapper(getResponderName()).getSigner();
    }

    /**
     * Returns the name this responder uses as sender of its CMP messages.
     *
     * @return the subject of the responder's signer wrapper, as a GeneralName
     */
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    protected GeneralName getSender() {
        return this.caManager.getSignerWrapper(getResponderName()).getSubjectAsGeneralName();
    }

    /**
     * Tells whether a message addressed to {@code generalName} is meant for this responder.
     *
     * <p>The recipient matches when it equals the responder's sender name, or when it is
     * a directory name (GeneralName tag 4) equal to the responder signer's subject as an
     * X500Name.
     *
     * @param generalName recipient taken from the request, may be {@code null}
     * @return {@code true} if the recipient designates this responder
     */
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    protected boolean intendsMe(GeneralName generalName) {
        if (generalName == null) {
            return false;
        }
        if (getSender().equals(generalName)) {
            return true;
        }
        // 4 = GeneralName.directoryName; other name forms are not compared any further
        if (generalName.getTagNo() != 4) {
            return false;
        }
        final X500Name recipient = X500Name.getInstance(generalName.getName());
        return recipient.equals(this.caManager.getSignerWrapper(getResponderName()).getSubjectAsX500Name());
    }

    /**
     * Looks up the requestor registered at the CA for the given subject name.
     *
     * @param x500Name subject of the requestor
     * @return whatever the CA's lookup returns for that subject
     */
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    public RequestorInfo.CmpRequestorInfo getRequestor(X500Name x500Name) {
        final X509Ca ca = getCa();
        return ca.getRequestor(x500Name);
    }

    /**
     * Looks up the requestor registered at the CA for the given certificate.
     *
     * @param x509Certificate certificate presented by the requestor
     * @return whatever the CA's lookup returns for that certificate
     */
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    public RequestorInfo.CmpRequestorInfo getRequestor(X509Certificate x509Certificate) {
        final X509Ca ca = getCa();
        return ca.getRequestor(x509Certificate);
    }

    /**
     * Looks up a requestor for a MAC-protected message.
     *
     * @param x500Name sender name taken from the request
     * @param bArr second lookup argument, passed to the CA unchanged (presumably the
     *             sender key identifier - confirm against X509Ca.getMacRequestor)
     * @return whatever the CA's lookup returns
     */
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    public RequestorInfo.CmpRequestorInfo getMacRequestor(X500Name x500Name, byte[] bArr) {
        final X509Ca ca = getCa();
        return ca.getMacRequestor(x500Name, bArr);
    }

    /**
     * Handles the enrolment-type CMP requests and prepares the confirmation info of the
     * response header.
     *
     * <p>Supported body types (BouncyCastle PKIBody numbering): 0 ir, 2 cr, 4 p10cr,
     * 7 kur and 13 ccr. Each branch checks a permission before the request is processed:
     * code 1 for ir/cr/p10cr, 16 for kur and 128 for ccr (presumably the enrol, key-update
     * and cross-certification permissions - confirm against PermissionConstants).
     *
     * <p>After processing, the header's general info is set to either a confirmWaitTime
     * deadline (explicit confirmation expected) or the implicit-confirm marker. In the
     * implicit case the transaction's entries are removed from the pending pool.
     *
     * @throws InsuffientPermissionException if the permission check fails
     * @throws IllegalStateException for any other body type
     */
    private PKIBody cmpEnrollCert(String str, Boolean bool, PKIMessage pKIMessage, PKIHeaderBuilder pKIHeaderBuilder, CmpControl cmpControl, PKIHeader pKIHeader, PKIBody pKIBody, RequestorInfo.CmpRequestorInfo cmpRequestorInfo, ASN1OctetString aSN1OctetString, String str2, AuditEvent auditEvent) throws InsuffientPermissionException {
        // The configured wait time is used as an absolute value and scaled by 1000 before
        // it is added to the current time in milliseconds below.
        final long configuredWait = cmpControl.getConfirmWaitTime();
        final long waitMillis = Math.abs(configuredWait) * 1000;

        // The PasswordHash.* labels are decompiler substitutions for the plain values 0 and 2.
        PKIBody response;
        switch (pKIBody.getType()) {
            case PasswordHash.ITERATION_INDEX /* 0 */:
                checkPermission(cmpRequestorInfo, 1);
                response = processIr(str, bool, pKIMessage, cmpRequestorInfo, aSN1OctetString, pKIHeader, CertReqMessages.getInstance(pKIBody.getContent()), cmpControl, str2, auditEvent);
                break;
            case PasswordHash.PBKDF2_INDEX /* 2 */:
                checkPermission(cmpRequestorInfo, 1);
                response = processCr(str, bool, pKIMessage, cmpRequestorInfo, aSN1OctetString, pKIHeader, CertReqMessages.getInstance(pKIBody.getContent()), cmpControl, str2, auditEvent);
                break;
            case 4:
                checkPermission(cmpRequestorInfo, 1);
                response = processP10cr(str, pKIMessage, cmpRequestorInfo, aSN1OctetString, pKIHeader, CertificationRequest.getInstance(pKIBody.getContent()), cmpControl, str2, auditEvent);
                break;
            case 7:
                checkPermission(cmpRequestorInfo, 16);
                response = processKur(str, bool, pKIMessage, cmpRequestorInfo, aSN1OctetString, pKIHeader, CertReqMessages.getInstance(pKIBody.getContent()), cmpControl, str2, auditEvent);
                break;
            case 13:
                checkPermission(cmpRequestorInfo, 128);
                response = processCcp(str, pKIMessage, cmpRequestorInfo, aSN1OctetString, pKIHeader, CertReqMessages.getInstance(pKIBody.getContent()), cmpControl, str2, auditEvent);
                break;
            default:
                // every other body type is expected to be routed elsewhere by the caller
                throw new IllegalStateException("should not reach here");
        }

        // Implicit confirmation applies only if the CA does not insist on certConf AND the
        // requestor asked for it in the header.
        final boolean implicitConfirm = !cmpControl.isConfirmCert() && CmpUtil.isImplictConfirm(pKIHeader);
        final InfoTypeAndValue generalInfo;
        if (implicitConfirm) {
            // no certConf will follow, so nothing may stay pending for this transaction
            this.pendingCertPool.removeCertificates(aSN1OctetString.getOctets());
            generalInfo = CmpUtil.getImplictConfirmGeneralInfo();
        } else {
            pKIHeaderBuilder.setMessageTime(new ASN1GeneralizedTime(new Date()));
            generalInfo = new InfoTypeAndValue(CMPObjectIdentifiers.it_confirmWaitTime, new ASN1GeneralizedTime(new Date(System.currentTimeMillis() + waitMillis)));
        }
        pKIHeaderBuilder.setGeneralInfo(generalInfo);
        return response;
    }

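    /**
     * Classifies a CMP revocation request as revoke, unrevoke or remove, checks the
     * matching permission and delegates to {@code unRevokeRemoveCertificates}.
     *
     * <p>The operation is derived from the reasonCode extension of each RevDetails entry:
     * -1 means remove (permission 8), REMOVE_FROM_CRL means unrevoke (permission 4), and
     * anything else, including a missing extension, means revoke (permission 2). All
     * entries of one request must ask for the same operation.
     *
     * <p>A request without any RevDetails entry is rejected with badRequest. Before this
     * check such a request left the permission undetermined and failed with a
     * NullPointerException when it was unboxed.
     *
     * @return the response body: the delegate's result, or an error body (type 23) for
     *         an empty or mixed request (failure info 32, badRequest) or a missing
     *         permission (failure info 65536, notAuthorized)
     */
    private PKIBody cmpUnRevokeRemoveCertificates(PKIMessage pKIMessage, PKIHeaderBuilder pKIHeaderBuilder, CmpControl cmpControl, PKIHeader pKIHeader, PKIBody pKIBody, RequestorInfo.CmpRequestorInfo cmpRequestorInfo, String str, AuditEvent auditEvent) {
        Integer requiredPermission = null;
        boolean sameType = true;
        RevReqContent revReqContent = RevReqContent.getInstance(pKIBody.getContent());
        for (RevDetails revDetails : revReqContent.toRevDetailsArray()) {
            // A missing reasonCode extension is treated as "unspecified".
            int reasonCode = CrlReason.UNSPECIFIED.getCode();
            Extensions crlEntryDetails = revDetails.getCrlEntryDetails();
            if (crlEntryDetails != null) {
                ASN1Encodable reasonValue = crlEntryDetails.getExtensionParsedValue(Extension.reasonCode);
                if (reasonValue != null) {
                    reasonCode = ASN1Enumerated.getInstance(reasonValue).getValue().intValue();
                }
            }

            int permission;
            if (reasonCode == -1) {
                permission = 8; // remove
            } else if (reasonCode == CrlReason.REMOVE_FROM_CRL.getCode()) {
                permission = 4; // unrevoke
            } else {
                permission = 2; // revoke
            }

            if (requiredPermission == null) {
                // The first entry fixes the operation and the audit event type.
                switch (permission) {
                    case 8:
                        auditEvent.addEventType(CaAuditConstants.Cmp.TYPE_rr_remove);
                        break;
                    case 4:
                        auditEvent.addEventType(CaAuditConstants.Cmp.TYPE_rr_unrevoke);
                        break;
                    default:
                        auditEvent.addEventType(CaAuditConstants.Cmp.TYPE_rr_revoke);
                        break;
                }
                requiredPermission = permission;
            } else if (requiredPermission.intValue() != permission) {
                sameType = false;
                break;
            }
        }

        if (!sameType) {
            return new PKIBody(23, new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText("not all revDetails are of the same type"), new PKIFailureInfo(32))));
        }
        if (requiredPermission == null) {
            // Empty RevReqContent: there is no operation to authorise, so reject the request.
            return buildErrorMsgPkiBody(PKIStatus.rejection, 32, "no revDetails is specified");
        }

        try {
            checkPermission(cmpRequestorInfo, requiredPermission.intValue());
            return unRevokeRemoveCertificates(pKIMessage, revReqContent, requiredPermission.intValue(), cmpControl, str, auditEvent);
        } catch (InsuffientPermissionException e) {
            auditEvent.setStatus(AuditStatus.FAILED);
            auditEvent.addEventData(CaAuditConstants.NAME_message, "NOT_PERMITTED");
            return buildErrorMsgPkiBody(PKIStatus.rejection, 65536, null);
        }
    }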

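    /**
     * Answers a CMP general message (body type 21) with a general response (type 22).
     *
     * <p>The first InfoTypeAndValue whose type is listed in {@code KNOWN_GENMSG_IDS} is
     * served; the others are ignored. Supported types:
     * <ul>
     *   <li>{@code it_currentCRL}: the current CRL, or the CRL with the number given as
     *       info value (permission 64).</li>
     *   <li>{@code id_xipki_cmp_cmpGenmsg}: a sequence of (action code, optional
     *       parameter). Action 1 generates a CRL on demand (permission 32), action 2
     *       returns the CRL with the given number (permission 64), action 3 returns the
     *       JSON system info.</li>
     *   <li>{@code id_xipki_cmp_cacertchain}: the CA certificate followed by its chain.</li>
     * </ul>
     *
     * <p>The info value comes from the requestor. A missing or empty action sequence, a
     * missing CRL number for action 2 and a non-integer CRL number for
     * {@code it_currentCRL} are answered with a badRequest rejection. Before these checks
     * they surfaced as unchecked exceptions (NullPointerException, an index error,
     * IllegalArgumentException) thrown out of this method.
     *
     * <p>{@code pKIHeaderBuilder}, {@code cmpControl}, {@code pKIHeader} and
     * {@code aSN1OctetString} are not used in this method body.
     *
     * @param str message id passed to on-demand CRL generation
     * @return the general response, or an error body (type 23)
     * @throws InsuffientPermissionException if a permission check fails
     */
    private PKIBody cmpGeneralMsg(PKIHeaderBuilder pKIHeaderBuilder, CmpControl cmpControl, PKIHeader pKIHeader, PKIBody pKIBody, RequestorInfo.CmpRequestorInfo cmpRequestorInfo, ASN1OctetString aSN1OctetString, String str, AuditEvent auditEvent) throws InsuffientPermissionException {
        InfoTypeAndValue[] requestItvs = GenMsgContent.getInstance(pKIBody.getContent()).toInfoTypeAndValueArray();
        InfoTypeAndValue requestItv = null;
        if (requestItvs != null) {
            for (InfoTypeAndValue candidate : requestItvs) {
                if (KNOWN_GENMSG_IDS.contains(candidate.getInfoType().getId())) {
                    requestItv = candidate;
                    break;
                }
            }
        }
        if (requestItv == null) {
            return buildErrorMsgPkiBody(PKIStatus.rejection, 32, "PKIBody type 21 is only supported with the sub-types " + KNOWN_GENMSG_IDS.toString());
        }

        InfoTypeAndValue responseItv = null;
        ASN1ObjectIdentifier infoType = requestItv.getInfoType();
        final String invalidValueText = "invalid value of the InfoTypeAndValue for " + infoType.getId();
        try {
            X509Ca ca = getCa();
            if (CMPObjectIdentifiers.it_currentCRL.equals(infoType)) {
                auditEvent.addEventType(CaAuditConstants.Cmp.TYPE_genm_current_crl);
                checkPermission(cmpRequestorInfo, 64);
                // NOTE(review): the result of this call is discarded. It is kept because its
                // side effects cannot be judged from this method - confirm and drop it if it
                // is a plain getter.
                ca.getBcCurrentCrl();
                ASN1Encodable crlNumberValue = requestItv.getInfoValue();
                CertificateList crl;
                if (crlNumberValue == null) {
                    crl = ca.getBcCurrentCrl();
                } else {
                    BigInteger crlNumber;
                    try {
                        crlNumber = ASN1Integer.getInstance(crlNumberValue).getPositiveValue();
                    } catch (IllegalArgumentException e) {
                        // requestor-supplied value is not an INTEGER
                        return buildErrorMsgPkiBody(PKIStatus.rejection, 32, invalidValueText);
                    }
                    crl = ca.getBcCrl(crlNumber);
                }
                if (crl == null) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, 1073741824, "no CRL is available");
                }
                responseItv = new InfoTypeAndValue(infoType, crl);
            } else if (ObjectIdentifiers.Xipki.id_xipki_cmp_cmpGenmsg.equals(infoType)) {
                try {
                    ASN1Sequence request = ASN1Sequence.getInstance(requestItv.getInfoValue());
                    if (request == null || request.size() < 1) {
                        // no action code present
                        return buildErrorMsgPkiBody(PKIStatus.rejection, 32, invalidValueText);
                    }
                    ASN1Integer action = ASN1Integer.getInstance(request.getObjectAt(0));
                    ASN1Encodable actionParam = request.size() > 1 ? request.getObjectAt(1) : null;
                    int actionCode = action.getPositiveValue().intValue();
                    ASN1Encodable responseValue;
                    switch (actionCode) {
                        case 1:
                            auditEvent.addEventType(CaAuditConstants.Cmp.TYPE_genm_gen_crl);
                            checkPermission(cmpRequestorInfo, 32);
                            X509CRL generatedCrl = ca.generateCrlOnDemand(str);
                            if (generatedCrl == null) {
                                return buildErrorMsgPkiBody(PKIStatus.rejection, 1073741824, "CRL generation is not activated");
                            }
                            responseValue = CertificateList.getInstance(generatedCrl.getEncoded());
                            break;
                        case 2:
                            auditEvent.addEventType(CaAuditConstants.Cmp.TYPE_genm_crl4number);
                            checkPermission(cmpRequestorInfo, 64);
                            if (actionParam == null) {
                                // the CRL number is mandatory for this action
                                return buildErrorMsgPkiBody(PKIStatus.rejection, 32, invalidValueText);
                            }
                            responseValue = ca.getBcCrl(ASN1Integer.getInstance(actionParam).getPositiveValue());
                            if (responseValue == null) {
                                return buildErrorMsgPkiBody(PKIStatus.rejection, 1073741824, "no CRL is available");
                            }
                            break;
                        case 3:
                            auditEvent.addEventType(CaAuditConstants.Cmp.TYPE_genm_cainfo);
                            Set<Integer> acceptedVersions = new HashSet<>();
                            if (actionParam != null) {
                                ASN1Sequence versions = ASN1Sequence.getInstance(actionParam);
                                int size = versions.size();
                                for (int idx = 0; idx < size; idx++) {
                                    acceptedVersions.add(Integer.valueOf(ASN1Integer.getInstance(versions.getObjectAt(idx)).getPositiveValue().intValue()));
                                }
                            }
                            if (CollectionUtil.isEmpty(acceptedVersions)) {
                                // no preference stated: offer version 3
                                acceptedVersions.add(3);
                            }
                            responseValue = new DERUTF8String(getSystemInfo(cmpRequestorInfo, acceptedVersions));
                            break;
                        default:
                            return buildErrorMsgPkiBody(PKIStatus.rejection, 32, "unsupported XiPKI action code " + actionCode);
                    }
                    ASN1EncodableVector responseItems = new ASN1EncodableVector();
                    responseItems.add(action);
                    if (responseValue != null) {
                        responseItems.add(responseValue);
                    }
                    responseItv = new InfoTypeAndValue(infoType, new DERSequence(responseItems));
                } catch (IllegalArgumentException e) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, 32, invalidValueText);
                }
            } else if (ObjectIdentifiers.Xipki.id_xipki_cmp_cacertchain.equals(infoType)) {
                auditEvent.addEventType(CaAuditConstants.Cmp.TYPE_genm_cacertchain);
                ASN1EncodableVector chainItems = new ASN1EncodableVector();
                chainItems.add(ca.getCaInfo().getCertInCmpFormat());
                List<X509Cert> certchain = ca.getCaInfo().getCertchain();
                if (CollectionUtil.isNotEmpty(certchain)) {
                    for (X509Cert chainCert : certchain) {
                        chainItems.add(chainCert.getCertHolder().toASN1Structure());
                    }
                }
                responseItv = new InfoTypeAndValue(infoType, new DERSequence(chainItems));
            }
            return new PKIBody(22, new GenRepContent(responseItv));
        } catch (CRLException e2) {
            // NOTE(review): the exception message is sent to the requestor as free text.
            return buildErrorMsgPkiBody(PKIStatus.rejection, 1073741824, "CRLException: " + e2.getMessage());
        } catch (OperationException e3) {
            int failureInfo = getPKiFailureInfo(e3);
            OperationException.ErrorCode errorCode = e3.getErrorCode();
            String statusText;
            // Switch indices 1 and 2 report the error-code name only; the PasswordHash.*
            // labels are decompiler substitutions for those plain values.
            switch (AnonymousClass1.$SwitchMap$org$xipki$ca$api$OperationException$ErrorCode[errorCode.ordinal()]) {
                case PasswordHash.SALT_INDEX /* 1 */:
                case PasswordHash.PBKDF2_INDEX /* 2 */:
                    statusText = errorCode.name();
                    break;
                default:
                    statusText = errorCode.name() + ": " + e3.getErrorMessage();
                    break;
            }
            return buildErrorMsgPkiBody(PKIStatus.rejection, failureInfo, statusText);
        }
    }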

    /**
     * Returns a CRL of this CA after checking permission 64 for the requestor.
     *
     * @param cmpRequestorInfo the requestor, must not be {@code null}
     * @param bigInteger CRL number, or {@code null} for the current CRL
     * @return the CRL as returned by the CA
     * @throws OperationException with NOT_PERMITTED if the permission check fails, or
     *         whatever the CA raises
     */
    public CertificateList getCrl(RequestorInfo.CmpRequestorInfo cmpRequestorInfo, BigInteger bigInteger) throws OperationException {
        Args.notNull(cmpRequestorInfo, CaAuditConstants.NAME_requestor);
        try {
            checkPermission(cmpRequestorInfo, 64);
            final X509Ca ca = getCa();
            if (bigInteger == null) {
                return ca.getBcCurrentCrl();
            }
            return ca.getBcCrl(bigInteger);
        } catch (InsuffientPermissionException denied) {
            // Only the message is carried over into the OperationException.
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, denied.getMessage());
        }
    }

    /**
     * Generates a CRL on demand after checking permission 32 for the requestor.
     *
     * @param cmpRequestorInfo the requestor, must not be {@code null}
     * @param requestType not used in this method body
     * @param str message id passed through to the CA
     * @return the CRL returned by the CA
     * @throws OperationException with NOT_PERMITTED if the permission check fails, or
     *         whatever the CA raises
     */
    public X509CRL generateCrlOnDemand(RequestorInfo.CmpRequestorInfo cmpRequestorInfo, RequestType requestType, String str) throws OperationException {
        Args.notNull(cmpRequestorInfo, CaAuditConstants.NAME_requestor);
        try {
            checkPermission(cmpRequestorInfo, 32);
            final X509Ca ca = getCa();
            return ca.generateCrlOnDemand(str);
        } catch (InsuffientPermissionException denied) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, denied.getMessage());
        }
    }

    /**
     * Revokes a certificate, or unrevokes it when the reason is REMOVE_FROM_CRL.
     *
     * <p>The permission checked depends on the operation: 4 for unrevoke, 2 for revoke.
     *
     * @param cmpRequestorInfo the requestor, must not be {@code null}
     * @param bigInteger serial number of the certificate
     * @param crlReason revocation reason; REMOVE_FROM_CRL selects unrevoke
     * @param date passed to the CA's revokeCert call; not used for unrevoke
     * @param requestType not used in this method body
     * @param str message id passed through to the CA
     * @throws OperationException with NOT_PERMITTED if the permission check fails, with
     *         UNKNOWN_CERT if the CA returns {@code null}, or whatever the CA raises
     */
    public void revokeCert(RequestorInfo.CmpRequestorInfo cmpRequestorInfo, BigInteger bigInteger, CrlReason crlReason, Date date, RequestType requestType, String str) throws OperationException {
        Args.notNull(cmpRequestorInfo, CaAuditConstants.NAME_requestor);
        final boolean unrevoke = crlReason == CrlReason.REMOVE_FROM_CRL;
        final int permission = unrevoke ? 4 : 2;
        try {
            checkPermission(cmpRequestorInfo, permission);
            final X509Ca ca = getCa();
            final Object outcome;
            if (unrevoke) {
                outcome = ca.unrevokeCert(bigInteger, str);
            } else {
                outcome = ca.revokeCert(bigInteger, crlReason, date, str);
            }
            // a null result means the CA knows no certificate with that serial number
            if (outcome == null) {
                throw new OperationException(OperationException.ErrorCode.UNKNOWN_CERT, "cert not exists");
            }
        } catch (InsuffientPermissionException denied) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, denied.getMessage());
        }
    }

    /**
     * Removes a certificate from the CA after checking permission 8 for the requestor.
     *
     * @param cmpRequestorInfo the requestor, must not be {@code null}
     * @param bigInteger serial number of the certificate
     * @param requestType not used in this method body
     * @param str message id passed through to the CA
     * @throws OperationException with NOT_PERMITTED if the permission check fails, with
     *         UNKNOWN_CERT if the CA returns {@code null}, or whatever the CA raises
     */
    public void removeCert(RequestorInfo.CmpRequestorInfo cmpRequestorInfo, BigInteger bigInteger, RequestType requestType, String str) throws OperationException {
        Args.notNull(cmpRequestorInfo, CaAuditConstants.NAME_requestor);
        try {
            checkPermission(cmpRequestorInfo, 8);
            final boolean removed = getCa().removeCert(bigInteger, str) != null;
            if (!removed) {
                throw new OperationException(OperationException.ErrorCode.UNKNOWN_CERT, "cert not exists");
            }
        } catch (InsuffientPermissionException denied) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, denied.getMessage());
        }
    }

    /**
     * Builds a CMP error body (PKIBody type 23).
     *
     * @param pKIStatus status to report
     * @param i PKIFailureInfo value
     * @param str free text for the requestor, or {@code null} for none
     * @return the error body
     */
    private static PKIBody buildErrorMsgPkiBody(PKIStatus pKIStatus, int i, String str) {
        PKIFreeText freeText = null;
        if (str != null) {
            freeText = new PKIFreeText(str);
        }
        final PKIStatusInfo statusInfo = new PKIStatusInfo(pKIStatus, freeText, new PKIFailureInfo(i));
        return new PKIBody(23, new ErrorMsgContent(statusInfo));
    }

    /**
     * Builds a rejection {@link CertResponse} for one certificate request.
     *
     * @param aSN1Integer certReqId that the response refers to
     * @param i PKIFailureInfo value
     * @param str status text for the requestor
     * @return the rejection response
     */
    private CertResponse buildErrorCertResponse(ASN1Integer aSN1Integer, int i, String str) {
        final PKIStatusInfo rejection = generateRejectionStatus(Integer.valueOf(i), str);
        return new CertResponse(aSN1Integer, rejection);
    }

    // Compiler-generated bridge method (marked bridge/synthetic by the decompiler); it
    // only forwards to the superclass implementation.
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    public /* bridge */ /* synthetic */ X509Certificate getResponderCert() {
        return super.getResponderCert();
    }

    // Compiler-generated bridge method (marked bridge/synthetic by the decompiler); it
    // only forwards to the superclass implementation.
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    public /* bridge */ /* synthetic */ X500Name getResponderSubject() {
        return super.getResponderSubject();
    }

    // Compiler-generated bridge method (marked bridge/synthetic by the decompiler); it
    // only forwards to the superclass implementation. The Map parameter is raw in the
    // decompiled output.
    @Override // org.xipki.ca.server.cmp.BaseCmpResponder
    public /* bridge */ /* synthetic */ PKIMessage processPkiMessage(PKIMessage pKIMessage, X509Certificate x509Certificate, Map map, AuditEvent auditEvent) {
        return super.processPkiMessage(pKIMessage, x509Certificate, map, auditEvent);
    }

    // Class initializer. Registers the general-message OIDs this responder answers,
    // pre-creates pools of AES-GCM Cipher and PBKDF2 SecretKeyFactory instances, and fills
    // the kupCertExtnIds set. The fields assigned here are declared outside this block.
    static {
        // The three InfoTypeAndValue types accepted by cmpGeneralMsg.
        KNOWN_GENMSG_IDS.add(CMPObjectIdentifiers.it_currentCRL.getId());
        KNOWN_GENMSG_IDS.add(ObjectIdentifiers.Xipki.id_xipki_cmp_cmpGenmsg.getId());
        KNOWN_GENMSG_IDS.add(ObjectIdentifiers.Xipki.id_xipki_cmp_cacertchain.getId());
        // The Cipher is requested by the AES-128-GCM OID rather than by a transformation name.
        String id = NISTObjectIdentifiers.id_aes128_GCM.getId();
        aesGcm_ciphers = new ConcurrentBag<>();
        // Up to 64 instances; a failed creation is logged and the loop keeps going.
        for (int i = 0; i < 64; i++) {
            try {
                aesGcm_ciphers.add(new ConcurrentBagEntry(Cipher.getInstance(id)));
            } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
                LogUtil.error(LOG, e, "could not get Cipher of " + id);
            }
        }
        int size = aesGcm_ciphers.size();
        // The flag is true as soon as at least one instance exists. Code that depends on
        // the pool presumably checks it before borrowing - usage is outside this block.
        aesGcm_ciphers_initialized = size > 0;
        if (size > 0) {
            LOG.info("initialized {} AES GCM Cipher instances", Integer.valueOf(size));
        } else {
            LOG.error("could not initialize any AES GCM Cipher instance");
        }
        // Same pooling scheme for the PBKDF2 key factory, again looked up by OID.
        String id2 = PKCSObjectIdentifiers.id_PBKDF2.getId();
        pbkdf2_kdfs = new ConcurrentBag<>();
        for (int i2 = 0; i2 < 64; i2++) {
            try {
                pbkdf2_kdfs.add(new ConcurrentBagEntry(SecretKeyFactory.getInstance(id2)));
            } catch (NoSuchAlgorithmException e2) {
                LogUtil.error(LOG, e2, "could not get SecretKeyFactory of " + id2);
            }
        }
        int size2 = pbkdf2_kdfs.size();
        pbkdf2_kdfs_initialized = size2 > 0;
        if (size2 > 0) {
            LOG.info("initialized {} PBKDF2 SecretKeyFactory instances", Integer.valueOf(size2));
        } else {
            LOG.error("could not initialize any PBKDF2 SecretKeyFactory instance");
        }
        // OIDs of six certificate extensions. Judging by the field name they matter for
        // key-update (kur) processing - confirm where kupCertExtnIds is read.
        kupCertExtnIds = new HashSet();
        kupCertExtnIds.add(Extension.biometricInfo.getId());
        kupCertExtnIds.add(Extension.extendedKeyUsage.getId());
        kupCertExtnIds.add(Extension.keyUsage.getId());
        kupCertExtnIds.add(Extension.qCStatements.getId());
        kupCertExtnIds.add(Extension.subjectAlternativeName.getId());
        kupCertExtnIds.add(Extension.subjectInfoAccess.getId());
    }
}
