package blended.security.scep.internal;

import blended.security.ssl.CertificateProvider;
import blended.security.ssl.CommonNameProvider;
import blended.security.ssl.SelfSignedCertificateProvider;
import blended.security.ssl.SelfSignedConfig;
import blended.security.ssl.ServerCertificate;
import blended.security.ssl.ServerCertificate$;
import blended.security.ssl.X509CertificateInfo$;
import blended.util.logging.Logger;
import blended.util.logging.Logger$;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.jscep.client.Client;
import org.jscep.client.DefaultCallbackHandler;
import org.jscep.client.EnrollmentResponse;
import org.jscep.client.verification.OptimisticCertificateVerifier;
import org.jscep.transaction.FailInfo;
import org.jscep.transport.response.Capabilities;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Some;
import scala.collection.JavaConverters$;
import scala.collection.TraversableOnce;
import scala.collection.immutable.List;
import scala.reflect.ClassTag$;
import scala.reflect.ScalaSignature;
import scala.sys.package$;
import scala.util.Try;
import scala.util.Try$;

/* compiled from: ScepCertificateProvider.scala */
@ScalaSignature(bytes = "\u0006\u0001\u00154A!\u0001\u0002\u0001\u0017\t92kY3q\u0007\u0016\u0014H/\u001b4jG\u0006$X\r\u0015:pm&$WM\u001d\u0006\u0003\u0007\u0011\t\u0001\"\u001b8uKJt\u0017\r\u001c\u0006\u0003\u000b\u0019\tAa]2fa*\u0011q\u0001C\u0001\tg\u0016\u001cWO]5us*\t\u0011\"A\u0004cY\u0016tG-\u001a3\u0004\u0001M\u0019\u0001\u0001\u0004\n\u0011\u00055\u0001R\"\u0001\b\u000b\u0003=\tQa]2bY\u0006L!!\u0005\b\u0003\r\u0005s\u0017PU3g!\t\u0019b#D\u0001\u0015\u0015\t)b!A\u0002tg2L!a\u0006\u000b\u0003'\r+'\u000f^5gS\u000e\fG/\u001a)s_ZLG-\u001a:\t\u0011e\u0001!\u0011!Q\u0001\ni\t1a\u00194h!\tYB$D\u0001\u0003\u0013\ti\"A\u0001\u0006TG\u0016\u00048i\u001c8gS\u001eDQa\b\u0001\u0005\u0002\u0001\na\u0001P5oSRtDCA\u0011#!\tY\u0002\u0001C\u0003\u001a=\u0001\u0007!\u0004\u0003\u0005%\u0001!\u0015\r\u0015\"\u0003&\u0003\rawnZ\u000b\u0002MA\u0011q\u0005L\u0007\u0002Q)\u0011\u0011FK\u0001\bY><w-\u001b8h\u0015\tY\u0003\"\u0001\u0003vi&d\u0017BA\u0017)\u0005\u0019aunZ4fe\"Aq\u0006\u0001ECB\u0013%\u0001'\u0001\u0006tG\u0016\u00048\t\\5f]R,\u0012!\r\t\u0003eej\u0011a\r\u0006\u0003iU\naa\u00197jK:$(B\u0001\u001c8\u0003\u0015Q7oY3q\u0015\u0005A\u0014aA8sO&\u0011!h\r\u0002\u0007\u00072LWM\u001c;\t\u0011q\u0002\u0001R1Q\u0005\nu\nAaY1qgV\ta\b\u0005\u0002@\t6\t\u0001I\u0003\u0002B\u0005\u0006A!/Z:q_:\u001cXM\u0003\u0002Dk\u0005IAO]1ogB|'\u000f^\u0005\u0003\u000b\u0002\u0013AbQ1qC\nLG.\u001b;jKNDQa\u0012\u0001\u0005B!\u000b!C]3ge\u0016\u001c\bnQ3si&4\u0017nY1uKR\u0019\u0011*\u0015,\u0011\u0007)ce*D\u0001L\u0015\tYc\"\u0003\u0002N\u0017\n\u0019AK]=\u0011\u0005My\u0015B\u0001)\u0015\u0005E\u0019VM\u001d<fe\u000e+'\u000f^5gS\u000e\fG/\u001a\u0005\u0006%\u001a\u0003\raU\u0001\tKbL7\u000f^5oOB\u0019Q\u0002\u0016(\n\u0005Us!AB(qi&|g\u000eC\u0003X\r\u0002\u0007\u0001,\u0001\u0006d]B\u0013xN^5eKJ\u0004\"aE-\n\u0005i#\"AE\"p[6|gNT1nKB\u0013xN^5eKJDa\u0001\u0018\u0001!\n\u0013i\u0016!F:fY\u001a\u001c\u0016n\u001a8fI\u000e+'\u000f^5gS\u000e\fG/\u001a\u000b\u0003\u0013zCQaV.A\u0002aCa\u0001\u0019\u000
1!\n\u0013\t\u0017AB3oe>dG\u000eF\u0002JE\u0012DQaY0A\u00029\u000ba!\u001b8DKJ$\b\"B,`\u0001\u0004A\u0006")
/* loaded from: input_file:blended/security/scep/internal/ScepCertificateProvider.class */
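/*
 * Certificate provider that obtains or renews a server certificate from a SCEP server.
 *
 * This is decompiled output of a Scala class: the three "lazy val" members (log, scepClient,
 * caps) appear as a plain field, a guarding bit in bitmap$0 and a synchronized "$lzycompute"
 * initialiser each.
 *
 * Security notes for reviewers:
 *  - The SCEP client is built with OptimisticCertificateVerifier, so the CA certificate presented
 *    by the server at cfg.url() is accepted without any check. Authenticity of the CA then rests
 *    entirely on the transport and on the URL itself; a verifier that pins the expected CA
 *    certificate (for instance by digest) closes that gap.
 *  - cfg.scepChallenge() is a shared enrolment secret. It is placed into the CSR and must never be
 *    written to the log; none of the log statements below include it.
 */
public class ScepCertificateProvider implements CertificateProvider {
    private Logger log;
    private Client scepClient;
    private Capabilities caps;
    private final ScepConfig cfg;

    // Lazy-initialisation flags: bit 1 = log, bit 2 = scepClient, bit 4 = caps.
    // Volatile so the unsynchronised fast-path check in the accessors sees a completed initialisation.
    private volatile byte bitmap$0;

    /** Creates the logger once, under the instance lock, and records that in bit 1 of bitmap$0. */
    private Logger log$lzycompute() {
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 1)) == 0) {
                this.log = Logger$.MODULE$.apply(ClassTag$.MODULE$.apply(ScepCertificateProvider.class));
                this.bitmap$0 = (byte) (this.bitmap$0 | 1);
            }
        }
        return this.log;
    }

    /** Returns the logger, initialising it on first use. */
    private Logger log() {
        return ((byte) (this.bitmap$0 & 1)) == 0 ? log$lzycompute() : this.log;
    }

    /**
     * Creates the SCEP client for cfg.url() once, under the instance lock (bit 2 of bitmap$0).
     *
     * SECURITY: OptimisticCertificateVerifier accepts whatever CA certificate the server returns.
     * Anyone able to answer for cfg.url() can therefore pose as the CA and receive the CSR together
     * with the challenge password. Left unchanged here because pinning needs a configured trust
     * anchor that this class does not have.
     */
    private Client scepClient$lzycompute() {
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 2)) == 0) {
                this.scepClient = new Client(new URL(this.cfg.url()), new DefaultCallbackHandler(new OptimisticCertificateVerifier()));
                this.bitmap$0 = (byte) (this.bitmap$0 | 2);
            }
        }
        return this.scepClient;
    }

    /** Returns the SCEP client, initialising it on first use. */
    private Client scepClient() {
        return ((byte) (this.bitmap$0 & 2)) == 0 ? scepClient$lzycompute() : this.scepClient;
    }

    /**
     * Fetches the CA capabilities once, under the instance lock (bit 4 of bitmap$0), using the
     * configured profile when there is one and the profile-less request otherwise.
     */
    private Capabilities caps$lzycompute() {
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 4)) == 0) {
                Option<?> profile = this.cfg.profile();
                Capabilities caCapabilities;
                if (None$.MODULE$.equals(profile)) {
                    caCapabilities = scepClient().getCaCapabilities();
                } else {
                    if (!(profile instanceof Some)) {
                        throw new MatchError(profile);
                    }
                    caCapabilities = scepClient().getCaCapabilities((String) ((Some<?>) profile).value());
                }
                this.caps = caCapabilities;
                this.bitmap$0 = (byte) (this.bitmap$0 | 4);
            }
        }
        return this.caps;
    }

    /** Returns the CA capabilities, fetching them on first use. */
    private Capabilities caps() {
        return ((byte) (this.bitmap$0 & 4)) == 0 ? caps$lzycompute() : this.caps;
    }

    /**
     * Obtains a server certificate from the SCEP server.
     *
     * With no existing certificate, a self-signed certificate is generated first and used as the
     * identity for the initial enrolment; otherwise the existing certificate is used to enrol again.
     *
     * @param option the current server certificate, if any
     * @param commonNameProvider supplies the subject name for the certificate request
     * @return the enrolment result; note that a failure to create the self-signed certificate is
     *     thrown from the {@code get()} call below rather than returned as a failed {@code Try}
     */
    public Try<ServerCertificate> refreshCertificate(Option<ServerCertificate> option, CommonNameProvider commonNameProvider) {
        log().info(() -> "Trying to refresh the server certificate via SCEP from [" + this.cfg.url() + "]");
        if (None$.MODULE$.equals(option)) {
            log().info(() -> "Obtaining initial server certificate from SCEP server.");
            return enroll((ServerCertificate) selfSignedCertificate(commonNameProvider).get(), commonNameProvider);
        }
        if (!(option instanceof Some)) {
            throw new MatchError(option);
        }
        ServerCertificate serverCertificate = (ServerCertificate) ((Some) option).value();
        log().info(() -> "Refreshing certificate previously obtained from SCEP server.");
        return enroll(serverCertificate, commonNameProvider);
    }

    /**
     * Creates the bootstrap identity for a first enrolment: a self-signed certificate with the
     * configured key length and the strongest signature algorithm the CA advertises.
     */
    private Try<ServerCertificate> selfSignedCertificate(CommonNameProvider commonNameProvider) {
        // NOTE(review): the trailing 1 is presumably the validity period in days; confirm against SelfSignedConfig.
        SelfSignedConfig selfSignedConfig = new SelfSignedConfig(commonNameProvider, this.cfg.keyLength(), caps().getStrongestSignatureAlgorithm(), 1);
        return new SelfSignedCertificateProvider(selfSignedConfig).refreshCertificate(None$.MODULE$, commonNameProvider);
    }

    /**
     * Sends a PKCS#10 request for the provider's common name to the SCEP server, authenticated with
     * the given certificate and its key pair, and waits for the CA's decision.
     *
     * @param serverCertificate identity used to sign the SCEP exchange; its key pair is also the
     *     key pair being certified
     * @param commonNameProvider supplies the subject of the request
     * @return the issued certificate chain bound to the same key pair, or a failed {@code Try}
     *     carrying the CA's failure information or any other non-fatal error
     */
    private Try<ServerCertificate> enroll(ServerCertificate serverCertificate, CommonNameProvider commonNameProvider) {
        return Try$.MODULE$.apply(() -> {
            X509Certificate x509Certificate = (X509Certificate) serverCertificate.chain().head();
            this.log().info(() -> "Trying to obtain server certificate from SCEP server at [" + this.cfg.url() + "] with existing certificate [" + X509CertificateInfo$.MODULE$.apply(x509Certificate) + "]");

            X500Principal subject = new X500Principal((String) commonNameProvider.commonName().get());
            JcaPKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(subject, serverCertificate.keyPair().getPublic());
            // The challenge password authorises the request at the CA; keep it out of logs and error messages.
            csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, new DERPrintableString(this.cfg.scepChallenge()));

            // NOTE(review): capabilities are queried with the configured profile, while enrolment and
            // polling use the profile-less calls; confirm that this is intended.
            EnrollmentResponse response = this.scepClient().enrol(x509Certificate, serverCertificate.keyPair().getPrivate(), csrBuilder.build(new JcaContentSignerBuilder(this.cfg.csrSignAlgorithm()).build(serverCertificate.keyPair().getPrivate())));

            while (response.isPending()) {
                this.log().info(() -> "Waiting for PKI response from [" + this.cfg.url() + "]");
                Thread.sleep(1000L);
                // Re-query the CA: without a fresh response the pending state can never change and
                // this loop would spin forever. The wait itself is still unbounded by design.
                response = this.scepClient().poll(x509Certificate, serverCertificate.keyPair().getPrivate(), subject, response.getTransactionId());
            }

            if (response.isFailure()) {
                FailInfo failInfo = response.getFailInfo();
                this.log().error(() -> "Certificate provisioning failed: [" + failInfo + "]");
                throw package$.MODULE$.error(failInfo.toString());
            }

            List list = ((TraversableOnce) JavaConverters$.MODULE$.collectionAsScalaIterableConverter(response.getCertStore().getCertificates(null)).asScala()).toList();
            this.log().info(() -> "Retrieved [" + list.length() + "] certificates from [" + this.cfg.url() + "].");
            return (ServerCertificate) ServerCertificate$.MODULE$.create(serverCertificate.keyPair(), list).get();
        });
    }

    /**
     * @param scepConfig SCEP settings read by this class: server URL, optional profile, key length,
     *     CSR signature algorithm and challenge password
     */
    public ScepCertificateProvider(ScepConfig scepConfig) {
        this.cfg = scepConfig;
    }
}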
