package org.xipki.ca.server.cmp;

import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.Date;
import java.util.Map;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.cmp.ErrorMsgContent;
import org.bouncycastle.asn1.cmp.PBMParameter;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIFailureInfo;
import org.bouncycastle.asn1.cmp.PKIFreeText;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIHeaderBuilder;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cmp.PKIStatus;
import org.bouncycastle.asn1.cmp.PKIStatusInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.cert.cmp.CMPException;
import org.bouncycastle.cert.cmp.GeneralPKIMessage;
import org.bouncycastle.cert.cmp.ProtectedPKIMessage;
import org.bouncycastle.cert.crmf.PKMACBuilder;
import org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.audit.AuditLevel;
import org.xipki.audit.AuditStatus;
import org.xipki.ca.api.mgmt.CmpControl;
import org.xipki.ca.api.mgmt.RequestorInfo;
import org.xipki.ca.server.CaAuditConstants;
import org.xipki.ca.server.PasswordHash;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.SecurityFactory;
import org.xipki.security.cmp.CmpUtil;
import org.xipki.security.cmp.ProtectionResult;
import org.xipki.security.cmp.ProtectionVerificationResult;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.Base64;
import org.xipki.util.LogUtil;
import org.xipki.util.RandomUtil;

/* loaded from: input_file:org/xipki/ca/server/cmp/BaseCmpResponder.class */
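abstract class BaseCmpResponder {
    private static final Logger LOG = LoggerFactory.getLogger(BaseCmpResponder.class);

    /** The only CMP protocol version (header.pvno) this responder accepts. */
    private static final int PVNO_CMP2000 = 2;

    /** Smallest {@code PBMParameter.iterationCount} accepted in a MAC-protected request. */
    private static final int MIN_PBM_ITERATION_COUNT = 1000;

    /**
     * Largest {@code PBMParameter.iterationCount} accepted in a MAC-protected request.
     * The iteration count is taken from the (not yet authenticated) request and drives the
     * cost of the key derivation performed by {@code ProtectedPKIMessage.verify}, so it is
     * bounded to cap the work an unauthenticated message can cause. The value is a generous
     * local sanity limit, not a profile requirement.
     */
    private static final int MAX_PBM_ITERATION_COUNT = 1000000;

    protected final SecurityFactory securityFactory;

    /** Source of transaction ids and PBM salts; SecureRandom is safe for concurrent use. */
    private final SecureRandom random = new SecureRandom();

    /**
     * Creates a responder backed by the given security factory.
     *
     * @param securityFactory factory used to obtain content verifiers for requestor
     *        certificates; must not be {@code null}
     */
    public BaseCmpResponder(SecurityFactory securityFactory) {
        this.securityFactory = (SecurityFactory) Args.notNull(securityFactory, "securityFactory");
    }

    /** Returns the signer used to protect responses, or {@code null} if none is available. */
    protected abstract ConcurrentContentSigner getSigner();

    /** Returns the name this responder uses as {@code sender} of its responses. */
    protected abstract GeneralName getSender();

    /** Returns whether the given {@code recipient} of a request addresses this responder. */
    protected abstract boolean intendsMe(GeneralName generalName);

    /**
     * Liveness probe: this responder is on service if a signer can be obtained. Any failure
     * while obtaining the signer is logged and reported as "not on service".
     */
    public boolean isOnService() {
        try {
            return getSigner() != null;
        } catch (Exception ex) {
            LogUtil.error(LOG, ex, "could not get responder signer");
            return false;
        }
    }

    /** Returns the CMP control (policy) that governs request checks and response protection. */
    protected abstract CmpControl getCmpControl();

    /**
     * Looks up the requestor authenticating with a password-based MAC.
     *
     * @param x500Name the request's sender (directoryName)
     * @param bArr the request's senderKID, or {@code null} if absent
     * @return the requestor, or {@code null} if none is registered for this name/KID
     */
    public abstract RequestorInfo.CmpRequestorInfo getMacRequestor(X500Name x500Name, byte[] bArr);

    /**
     * Looks up the certificate-based requestor registered under the given sender name.
     *
     * @return the requestor, or {@code null} if none is registered
     */
    public abstract RequestorInfo.CmpRequestorInfo getRequestor(X500Name x500Name);

    /**
     * Looks up the requestor registered for the given certificate (not used on this code
     * path; presumably for callers that authenticate by certificate directly).
     *
     * @return the requestor, or {@code null} if none is registered
     */
    public abstract RequestorInfo.CmpRequestorInfo getRequestor(X509Certificate x509Certificate);

    /**
     * Extracts the request sender as an {@link X500Name}.
     *
     * @return the sender, or {@code null} if the sender is not a {@code directoryName}
     */
    private static X500Name getX500Sender(PKIHeader pKIHeader) {
        GeneralName sender = pKIHeader.getSender();
        if (sender.getTagNo() != GeneralName.directoryName) {
            return null;
        }
        return X500Name.getInstance(sender.getName());
    }

    /**
     * Processes an already authenticated request. Invoked only after the header checks and
     * protection/TLS checks in {@link #processPkiMessage} have passed.
     *
     * @param pKIMessage the raw request
     * @param requestorInfo the authenticated requestor
     * @param aSN1OctetString the transaction id to echo in the response
     * @param generalPKIMessage the parsed request
     * @param str the message id recorded in the audit event
     * @param map passed through from the caller (semantics not visible here)
     * @param auditEvent the audit event of this request
     */
    protected abstract PKIMessage processPkiMessage0(PKIMessage pKIMessage, RequestorInfo requestorInfo,
            ASN1OctetString aSN1OctetString, GeneralPKIMessage generalPKIMessage, String str,
            Map<String, String> map, AuditEvent auditEvent);

    /**
     * Validates and authenticates a CMP request and dispatches it to
     * {@link #processPkiMessage0}.
     *
     * <p>Checks, in order: protocol version, recipient, messageTime against the configured
     * bias, then authentication. A protected request is verified (signature or password-based
     * MAC); an unprotected request is accepted only if {@code x509Certificate} (the TLS client
     * certificate) equals the certificate of the requestor registered under the request's
     * sender name. Every rejection is recorded in {@code auditEvent} and answered with an
     * error message. Only responses to protected requests are themselves protected; a
     * TLS-authenticated request is answered without CMP-level protection.
     *
     * @param pKIMessage the request; must not be {@code null}
     * @param x509Certificate the TLS client certificate, or {@code null} if none
     * @param map passed through unchanged to {@link #processPkiMessage0}
     * @param auditEvent the audit event of this request; must not be {@code null}
     * @return the response message (never {@code null})
     */
    public PKIMessage processPkiMessage(PKIMessage pKIMessage, X509Certificate x509Certificate,
            Map<String, String> map, AuditEvent auditEvent) {
        Args.notNull(pKIMessage, "pkiMessage");
        Args.notNull(auditEvent, "event");

        GeneralPKIMessage request = new GeneralPKIMessage(pKIMessage);
        PKIHeader header = request.getHeader();

        // Message id correlating the audit records of this invocation.
        String msgId = RandomUtil.nextHexLong();
        auditEvent.addEventData(CaAuditConstants.NAME_mid, msgId);

        // A request without transactionID gets a random one; it is echoed in the response header.
        ASN1OctetString tid = header.getTransactionID();
        if (tid == null) {
            tid = new DEROctetString(randomTransactionId());
        }
        String tidStr = Base64.encodeToString(tid.getOctets());
        auditEvent.addEventData(CaAuditConstants.NAME_tid, tidStr);

        int pvno = header.getPvno().getValue().intValue();
        if (pvno != PVNO_CMP2000) {
            // The response carries only the failure bit; the detail goes to the audit trail.
            auditFailure(auditEvent, "unsupported version " + pvno);
            return buildErrorPkiMessage(tid, header, PKIFailureInfo.unsupportedVersion, null);
        }

        CmpControl cmpControl = getCmpControl();
        Date messageTime = parseMessageTime(header, tidStr);

        Integer failureInfo = null;
        String rejectText = null;
        GeneralName recipient = header.getRecipient();
        if (recipient != null && !intendsMe(recipient)) {
            LOG.warn("tid={}: I am not the intended recipient, but '{}'", tidStr, recipient);
            failureInfo = PKIFailureInfo.badRequest;
            rejectText = "I am not the intended recipient";
        } else if (messageTime != null) {
            // The bias is a tolerance in seconds; the sign of the configured value is ignored.
            long biasSeconds = Math.abs(cmpControl.getMessageTimeBias());
            long offsetSeconds = (messageTime.getTime() - System.currentTimeMillis()) / 1000;
            if (offsetSeconds > biasSeconds) {
                failureInfo = PKIFailureInfo.badTime;
                rejectText = "message time is in the future";
            } else if (-offsetSeconds > biasSeconds) {
                failureInfo = PKIFailureInfo.badTime;
                rejectText = "message too old";
            }
        } else if (cmpControl.isMessageTimeRequired()) {
            // An absent or unparsable messageTime is treated the same way.
            failureInfo = PKIFailureInfo.missingTimeStamp;
            rejectText = "missing time-stamp";
        }
        if (failureInfo != null) {
            auditFailure(auditEvent, rejectText);
            return buildErrorPkiMessage(tid, header, failureInfo.intValue(), rejectText);
        }

        boolean hasProtection = request.hasProtection();
        RequestorInfo.CmpRequestorInfo requestor = null;
        if (hasProtection) {
            try {
                ProtectionVerificationResult result = verifyProtection(tidStr, request, cmpControl);
                rejectText = describeProtectionFailure(result.getProtectionResult());
                requestor = (RequestorInfo.CmpRequestorInfo) result.getRequestor();
            } catch (Exception ex) {
                // Malformed protection fields and verifier failures alike are rejected here
                // rather than propagated to the caller.
                LogUtil.error(LOG, ex, "tid=" + tidStr + ": could not verify the signature");
                rejectText = "request has invalid signature based protection";
                requestor = null;
            }
        } else if (x509Certificate != null) {
            X500Name sender = getX500Sender(header);
            requestor = (sender == null) ? null : getRequestor(sender);
            if (isTlsClientAuthorized(requestor, x509Certificate)) {
                rejectText = null;
            } else {
                LOG.warn("tid={}: not authorized requestor (TLS client '{}')", tidStr,
                        X509Util.getRfc4519Name(x509Certificate.getSubjectX500Principal()));
                rejectText = "requestor (TLS client certificate) is not authorized";
            }
        } else {
            rejectText = "request has no protection";
        }

        if (rejectText != null) {
            auditFailure(auditEvent, rejectText);
            return buildErrorPkiMessage(tid, header, PKIFailureInfo.badMessageCheck, rejectText);
        }

        PKIMessage response = processPkiMessage0(pKIMessage, requestor, tid, request, msgId, map, auditEvent);
        if (hasProtection) {
            // Protected request => protected response (signature or MAC, matching the requestor).
            response = addProtection(response, auditEvent, requestor);
        }
        return response;
    }

    /**
     * Returns the header's messageTime as a {@link Date}, or {@code null} if absent or
     * unparsable (the parse failure is logged).
     */
    private static Date parseMessageTime(PKIHeader header, String tid) {
        ASN1GeneralizedTime messageTime = header.getMessageTime();
        if (messageTime == null) {
            return null;
        }
        try {
            return messageTime.getDate();
        } catch (ParseException ex) {
            LogUtil.error(LOG, ex, "tid=" + tid + ": could not parse messageTime");
            return null;
        }
    }

    /**
     * Returns whether the TLS client certificate is exactly the certificate registered for
     * the requestor. A missing requestor or a requestor without certificate (a MAC-only
     * requestor) is not authorized.
     */
    private static boolean isTlsClientAuthorized(RequestorInfo.CmpRequestorInfo requestor,
            X509Certificate tlsClientCert) {
        if (requestor == null || requestor.getCert() == null) {
            return false;
        }
        return tlsClientCert.equals(requestor.getCert().getCert());
    }

    /**
     * Maps a protection verification outcome to the rejection text sent to the client, or
     * {@code null} if the protection was valid.
     *
     * @throws IllegalStateException for an unknown {@link ProtectionResult}
     */
    private static String describeProtectionFailure(ProtectionResult result) {
        switch (result) {
            case SIGNATURE_VALID:
            case MAC_VALID:
                return null;
            case SIGNATURE_INVALID:
                return "request is protected by signature but invalid";
            case MAC_INVALID:
                return "request is protected by MAC but invalid";
            case SENDER_NOT_AUTHORIZED:
                return "request is protected but the requestor is not authorized";
            case SIGNATURE_ALGO_FORBIDDEN:
                return "request is protected by signature but the algorithm is forbidden";
            case MAC_ALGO_FORBIDDEN:
                return "request is protected by MAC but the algorithm is forbidden";
            default:
                throw new IllegalStateException("should not reach here, unknown ProtectionResult " + result);
        }
    }

    /** Marks the audit event as a failed request with the given reason. */
    private static void auditFailure(AuditEvent auditEvent, String message) {
        auditEvent.setLevel(AuditLevel.INFO);
        auditEvent.setStatus(AuditStatus.FAILED);
        auditEvent.addEventData(CaAuditConstants.NAME_message, message);
    }

    /** Returns 10 random bytes for use as CMP transactionID. */
    protected byte[] randomTransactionId() {
        return randomBytes(10);
    }

    /** Returns a 64-byte random salt for the password-based MAC of a response. */
    protected byte[] randomSalt() {
        return randomBytes(64);
    }

    /**
     * Returns {@code i} bytes from the responder's {@link SecureRandom}.
     *
     * @throws IllegalArgumentException if {@code i} is negative
     */
    public byte[] randomBytes(int i) {
        if (i < 0) {
            throw new IllegalArgumentException("number of bytes may not be negative: " + i);
        }
        byte[] bytes = new byte[i];
        this.random.nextBytes(bytes);
        return bytes;
    }

    /**
     * Verifies the protection of a request and identifies its requestor.
     *
     * <p>The sender must be a {@code directoryName}. Password-based MAC protection and
     * signature protection are handled separately; in both cases the algorithm checks are
     * performed before any requestor key material is used.
     *
     * @param str the transaction id (for logging)
     * @return the result; its requestor is {@code null} unless a registered requestor was
     *         identified (it may be non-null even if the protection is invalid)
     */
    private ProtectionVerificationResult verifyProtection(String str, GeneralPKIMessage generalPKIMessage,
            CmpControl cmpControl) throws CMPException, InvalidKeyException, OperatorCreationException {
        ProtectedPKIMessage protectedMessage = new ProtectedPKIMessage(generalPKIMessage);
        PKIHeader header = protectedMessage.getHeader();
        X500Name sender = getX500Sender(header);
        if (sender == null) {
            LOG.warn("tid={}: not authorized requestor 'null'", str);
            return new ProtectionVerificationResult((Object) null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        if (protectedMessage.hasPasswordBasedMacProtection()) {
            return verifyMacProtection(str, protectedMessage, sender, cmpControl);
        }
        return verifySignatureProtection(str, protectedMessage, sender, cmpControl);
    }

    /** Signature branch of {@link #verifyProtection}: algorithm policy, requestor lookup, verify. */
    private ProtectionVerificationResult verifySignatureProtection(String str, ProtectedPKIMessage message,
            X500Name sender, CmpControl cmpControl)
            throws CMPException, InvalidKeyException, OperatorCreationException {
        AlgorithmIdentifier protectionAlg = message.getHeader().getProtectionAlg();
        if (!cmpControl.getSigAlgoValidator().isAlgorithmPermitted(protectionAlg)) {
            LOG.warn("SIG_ALGO_FORBIDDEN: {}", protectionAlg.getAlgorithm().getId());
            return new ProtectionVerificationResult((Object) null, ProtectionResult.SIGNATURE_ALGO_FORBIDDEN);
        }

        RequestorInfo.CmpRequestorInfo requestor = getRequestor(sender);
        if (requestor == null) {
            LOG.warn("tid={}: not authorized requestor '{}'", str, message.getHeader().getSender());
            return new ProtectionVerificationResult((Object) null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        // A requestor without certificate cannot have signed the request.
        if (requestor.getCert() == null) {
            LOG.warn("tid={}: not authorized requestor '{}'", str, sender);
            return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }

        ContentVerifierProvider verifierProvider =
                this.securityFactory.getContentVerifierProvider(requestor.getCert().getCert());
        if (verifierProvider == null) {
            LOG.warn("tid={}: not authorized requestor '{}'", str, sender);
            return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        boolean valid = message.verify(verifierProvider);
        return new ProtectionVerificationResult(requestor,
                valid ? ProtectionResult.SIGNATURE_VALID : ProtectionResult.SIGNATURE_INVALID);
    }

    /**
     * MAC branch of {@link #verifyProtection}: PBMParameter policy (owf, mac, iteration
     * count bounds), requestor lookup by sender and senderKID, then MAC verification.
     */
    private ProtectionVerificationResult verifyMacProtection(String str, ProtectedPKIMessage message,
            X500Name sender, CmpControl cmpControl)
            throws CMPException, InvalidKeyException, OperatorCreationException {
        PKIHeader header = message.getHeader();
        PBMParameter pbm = PBMParameter.getInstance(header.getProtectionAlg().getParameters());
        if (pbm == null) {
            LOG.warn("tid={}: MAC protection without PBMParameter", str);
            return new ProtectionVerificationResult((Object) null, ProtectionResult.MAC_INVALID);
        }

        AlgorithmIdentifier owf = pbm.getOwf();
        if (!cmpControl.isRequestPbmOwfPermitted(owf)) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owf.getAlgorithm().getId());
            return new ProtectionVerificationResult((Object) null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }

        AlgorithmIdentifier mac = pbm.getMac();
        if (!cmpControl.isRequestPbmMacPermitted(mac)) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", mac.getAlgorithm().getId());
            return new ProtectionVerificationResult((Object) null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }

        // Reject values outside the int range before narrowing; intValue() would silently wrap.
        if (pbm.getIterationCount().getValue().bitLength() > 31) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.iterationCount out of range)");
            return new ProtectionVerificationResult((Object) null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        int iterationCount = pbm.getIterationCount().getValue().intValue();
        if (iterationCount < MIN_PBM_ITERATION_COUNT || iterationCount > MAX_PBM_ITERATION_COUNT) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.iterationCount: {} not in [{}, {}])",
                    Integer.valueOf(iterationCount), Integer.valueOf(MIN_PBM_ITERATION_COUNT),
                    Integer.valueOf(MAX_PBM_ITERATION_COUNT));
            return new ProtectionVerificationResult((Object) null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }

        ASN1OctetString senderKid = header.getSenderKID();
        byte[] kid = (senderKid == null) ? null : senderKid.getOctets();
        RequestorInfo.CmpRequestorInfo requestor = getMacRequestor(sender, kid);
        if (requestor == null) {
            LOG.warn("tid={}: not authorized requestor '{}' with senderKID '{}'", str, sender,
                    kid == null ? "null" : Hex.toHexString(kid));
            return new ProtectionVerificationResult((Object) null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }

        PKMACBuilder macBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
        boolean valid = message.verify(macBuilder, requestor.getPassword());
        return new ProtectionVerificationResult(requestor,
                valid ? ProtectionResult.MAC_VALID : ProtectionResult.MAC_INVALID);
    }

    /**
     * Protects a response in the way the requestor authenticated: by signature if the
     * requestor has a certificate, otherwise by password-based MAC with a fresh salt.
     * If protection fails, the failure is logged and audited and an unprotected error
     * message (systemFailure) with the original header is returned instead.
     */
    private PKIMessage addProtection(PKIMessage pKIMessage, AuditEvent auditEvent,
            RequestorInfo.CmpRequestorInfo cmpRequestorInfo) {
        CmpControl cmpControl = getCmpControl();
        try {
            if (cmpRequestorInfo.getCert() != null) {
                return CmpUtil.addProtection(pKIMessage, getSigner(), getSender(), cmpControl.isSendResponderCert());
            }
            PBMParameter pbm = new PBMParameter(randomSalt(), cmpControl.getResponsePbmOwf(),
                    cmpControl.getResponsePbmIterationCount(), cmpControl.getResponsePbmMac());
            return CmpUtil.addProtection(pKIMessage, cmpRequestorInfo.getPassword(), pbm, getSender(),
                    cmpRequestorInfo.getKeyId());
        } catch (Exception ex) {
            LogUtil.error(LOG, ex, "could not add protection to the PKI message");
            String text = "could not sign the PKIMessage";
            auditEvent.setLevel(AuditLevel.ERROR);
            auditEvent.setStatus(AuditStatus.FAILED);
            auditEvent.addEventData(CaAuditConstants.NAME_message, text);
            PKIStatusInfo status = generateRejectionStatus(Integer.valueOf(PKIFailureInfo.systemFailure), text);
            return new PKIMessage(pKIMessage.getHeader(), new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(status)));
        }
    }

    /**
     * Builds an (unprotected) error response for the given request header.
     *
     * @param aSN1OctetString the transaction id to echo, or {@code null} for none
     * @param pKIHeader the request header; its pvno, sender and senderNonce are mirrored
     * @param i the PKIFailureInfo bits
     * @param str the status text, or {@code null} for none
     */
    protected PKIMessage buildErrorPkiMessage(ASN1OctetString aSN1OctetString, PKIHeader pKIHeader, int i, String str) {
        PKIHeaderBuilder builder = new PKIHeaderBuilder(pKIHeader.getPvno().getValue().intValue(),
                getSender(), pKIHeader.getSender());
        builder.setMessageTime(new ASN1GeneralizedTime(new Date()));
        if (aSN1OctetString != null) {
            builder.setTransactionID(aSN1OctetString);
        }
        // Echo the request's senderNonce as recipNonce so the client can match the reply.
        ASN1OctetString senderNonce = pKIHeader.getSenderNonce();
        if (senderNonce != null) {
            builder.setRecipNonce(senderNonce);
        }
        PKIStatusInfo status = generateRejectionStatus(Integer.valueOf(i), str);
        return new PKIMessage(builder.build(), new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(status)));
    }

    /** Builds a {@code rejection} status with optional failure bits and text. */
    public PKIStatusInfo generateRejectionStatus(Integer num, String str) {
        return generateRejectionStatus(PKIStatus.rejection, num, str);
    }

    /**
     * Builds a status info.
     *
     * @param pKIStatus the status
     * @param num the PKIFailureInfo bits, or {@code null} for none
     * @param str the status text, or {@code null} for none
     */
    public PKIStatusInfo generateRejectionStatus(PKIStatus pKIStatus, Integer num, String str) {
        PKIFreeText text = (str == null) ? null : new PKIFreeText(str);
        PKIFailureInfo failureInfo = (num == null) ? null : new PKIFailureInfo(num.intValue());
        return new PKIStatusInfo(pKIStatus, text, failureInfo);
    }

    /** Returns the responder's sender name as {@link X500Name}, or {@code null} if no sender is set. */
    public X500Name getResponderSubject() {
        GeneralName sender = getSender();
        if (sender == null) {
            return null;
        }
        return X500Name.getInstance(sender.getName());
    }

    /** Returns the certificate of the responder's signer, or {@code null} if no signer is available. */
    public X509Certificate getResponderCert() {
        ConcurrentContentSigner signer = getSigner();
        if (signer == null) {
            return null;
        }
        return signer.getCertificate();
    }
}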
