package blended.security.scep.internal;

import blended.security.ssl.CertificateHolder;
import blended.security.ssl.CertificateHolder$;
import blended.security.ssl.CertificateProvider;
import blended.security.ssl.CertificateRequestBuilder;
import blended.security.ssl.CommonNameProvider;
import blended.security.ssl.SelfSignedCertificateProvider;
import blended.security.ssl.SelfSignedConfig;
import blended.util.logging.Logger;
import blended.util.logging.Logger$;
import java.io.StringWriter;
import java.math.BigInteger;
import java.net.URL;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.jscep.client.Client;
import org.jscep.client.DefaultCallbackHandler;
import org.jscep.client.EnrollmentResponse;
import org.jscep.client.verification.OptimisticCertificateVerifier;
import org.jscep.transaction.FailInfo;
import org.jscep.transport.response.Capabilities;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Some;
import scala.collection.JavaConverters$;
import scala.collection.TraversableOnce;
import scala.collection.immutable.List;
import scala.collection.immutable.List$;
import scala.reflect.ClassTag$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxedUnit;
import scala.sys.package$;
import scala.util.Try;
import scala.util.Try$;

/* compiled from: ScepCertificateProvider.scala */
@ScalaSignature(bytes = "\u0006\u0001\u0005\u0005a\u0001\u0002\u0006\f\u0001QA\u0001\u0002\n\u0001\u0003\u0002\u0003\u0006I!\n\u0005\u0006S\u0001!\tA\u000b\u0005\t[\u0001A)\u0019)C\u0005]!Aq\u0007\u0001ECB\u0013%\u0001\b\u0003\u0005D\u0001!\u0015\r\u0015\"\u0003E\u0011\u0015i\u0005\u0001\"\u0011O\u0011\u0019\t\u0007\u0001)C\u0005E\")A\r\u0001C\u0005K\"11\u0010\u0001Q\u0005\nq\u0014qcU2fa\u000e+'\u000f^5gS\u000e\fG/\u001a)s_ZLG-\u001a:\u000b\u00051i\u0011\u0001C5oi\u0016\u0014h.\u00197\u000b\u00059y\u0011\u0001B:dKBT!\u0001E\t\u0002\u0011M,7-\u001e:jifT\u0011AE\u0001\bE2,g\u000eZ3e\u0007\u0001\u0019B\u0001A\u000b\u001cCA\u0011a#G\u0007\u0002/)\t\u0001$A\u0003tG\u0006d\u0017-\u0003\u0002\u001b/\t1\u0011I\\=SK\u001a\u0004\"\u0001H\u0010\u000e\u0003uQ!AH\b\u0002\u0007M\u001cH.\u0003\u0002!;\tI2)\u001a:uS\u001aL7-\u0019;f%\u0016\fX/Z:u\u0005VLG\u000eZ3s!\ta\"%\u0003\u0002$;\t\u00192)\u001a:uS\u001aL7-\u0019;f!J|g/\u001b3fe\u0006\u00191MZ4\u0011\u0005\u0019:S\"A\u0006\n\u0005!Z!AC*dKB\u001cuN\u001c4jO\u00061A(\u001b8jiz\"\"a\u000b\u0017\u0011\u0005\u0019\u0002\u0001\"\u0002\u0013\u0003\u0001\u0004)\u0013a\u00017pOV\tq\u0006\u0005\u00021k5\t\u0011G\u0003\u00023g\u00059An\\4hS:<'B\u0001\u001b\u0012\u0003\u0011)H/\u001b7\n\u0005Y\n$A\u0002'pO\u001e,'/\u0001\u0006tG\u0016\u00048\t\\5f]R,\u0012!\u000f\t\u0003u\u0005k\u0011a\u000f\u0006\u0003yu\naa\u00197jK:$(B\u0001 
@\u0003\u0015Q7oY3q\u0015\u0005\u0001\u0015aA8sO&\u0011!i\u000f\u0002\u0007\u00072LWM\u001c;\u0002\t\r\f\u0007o]\u000b\u0002\u000bB\u0011aiS\u0007\u0002\u000f*\u0011\u0001*S\u0001\te\u0016\u001c\bo\u001c8tK*\u0011!*P\u0001\niJ\fgn\u001d9peRL!\u0001T$\u0003\u0019\r\u000b\u0007/\u00192jY&$\u0018.Z:\u0002%I,gM]3tQ\u000e+'\u000f^5gS\u000e\fG/\u001a\u000b\u0004\u001f^c\u0006c\u0001)S)6\t\u0011K\u0003\u00025/%\u00111+\u0015\u0002\u0004)JL\bC\u0001\u000fV\u0013\t1VDA\tDKJ$\u0018NZ5dCR,\u0007j\u001c7eKJDQ\u0001\u0017\u0004A\u0002e\u000b\u0001\"\u001a=jgRLgn\u001a\t\u0004-i#\u0016BA.\u0018\u0005\u0019y\u0005\u000f^5p]\")QL\u0002a\u0001=\u0006Q1M\u001c)s_ZLG-\u001a:\u0011\u0005qy\u0016B\u00011\u001e\u0005I\u0019u.\\7p]:\u000bW.\u001a)s_ZLG-\u001a:\u0002+M,GNZ*jO:,GmQ3si&4\u0017nY1uKR\u0011qj\u0019\u0005\u0006;\u001e\u0001\rAX\u0001\bIVl\u0007oQ:s)\t1\u0017\u000f\u0005\u0002h]:\u0011\u0001\u000e\u001c\t\u0003S^i\u0011A\u001b\u0006\u0003WN\ta\u0001\u0010:p_Rt\u0014BA7\u0018\u0003\u0019\u0001&/\u001a3fM&\u0011q\u000e\u001d\u0002\u0007'R\u0014\u0018N\\4\u000b\u00055<\u0002\"\u0002:\t\u0001\u0004\u0019\u0018aA2teB\u0011A/_\u0007\u0002k*\u0011ao^\u0001\u0005a.\u001c7O\u0003\u0002y\u007f\u0005a!m\\;oGf\u001c\u0017m\u001d;mK&\u0011!0\u001e\u0002\u001b!.\u001b5+\r\u0019DKJ$\u0018NZ5dCRLwN\u001c*fcV,7\u000f^\u0001\u0007K:\u0014x\u000e\u001c7\u0015\u0007=kx\u0010C\u0003\u007f\u0013\u0001\u0007\u0011,\u0001\u0004j]\u000e+'\u000f\u001e\u0005\u0006;&\u0001\rA\u0018")
/* loaded from: input_file:blended/security/scep/internal/ScepCertificateProvider.class */
/**
 * Obtains and renews a server certificate from a SCEP server (decompiled from Scala; see the
 * {@code compiled from} marker above). The class keeps the Scala lazy-val encoding: three lazily
 * initialised fields ({@code log}, {@code scepClient}, {@code caps}) guarded by bits of
 * {@code bitmap$0} and initialised under {@code synchronized (this)}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The SCEP client is built with jscep's {@code OptimisticCertificateVerifier}
 *       (see {@code scepClient$lzycompute}), which does not verify the CA certificate presented
 *       by the server.</li>
 *   <li>{@code enroll} attaches the SCEP challenge password to the CSR and then prints the
 *       PEM-encoded CSR to stdout, so the challenge secret ends up in the process output.</li>
 *   <li>{@code enroll} polls a pending enrollment without any upper bound on the wait.</li>
 * </ul>
 * Thread-safety: only the lazy initialisers synchronise; {@code refreshCertificate} itself is not
 * synchronised.
 */
public class ScepCertificateProvider implements CertificateRequestBuilder, CertificateProvider {
    // Lazily initialised (bit 1 of bitmap$0).
    private Logger log;
    // Lazily initialised (bit 2 of bitmap$0); see scepClient$lzycompute for the verifier used.
    private Client scepClient;
    // Lazily initialised (bit 4 of bitmap$0); CA capabilities fetched from the SCEP server.
    private Capabilities caps;
    // Configuration: url, profile, keyLength, scepChallenge, csrSignAlgorithm are read below.
    private final ScepConfig cfg;
    // Logger field owned by the CertificateRequestBuilder trait; set once by the trait setter.
    private final Logger blended$security$ssl$CertificateRequestBuilder$$log;
    // Scala lazy-val initialisation flags: bit 1 = log, bit 2 = scepClient, bit 4 = caps.
    private volatile byte bitmap$0;

    /** Delegates to the default implementation provided by the {@code CertificateRequestBuilder} trait. */
    public Try<X509v3CertificateBuilder> hostCertificateRequest(CommonNameProvider commonNameProvider, KeyPair keyPair, BigInteger bigInteger, int i, Option<CertificateHolder> option) {
        return CertificateRequestBuilder.hostCertificateRequest$(this, commonNameProvider, keyPair, bigInteger, i, option);
    }

    /** Trait-supplied default for the third {@code hostCertificateRequest} parameter. */
    public BigInteger hostCertificateRequest$default$3() {
        return CertificateRequestBuilder.hostCertificateRequest$default$3$(this);
    }

    /** Trait-supplied default for the fourth {@code hostCertificateRequest} parameter. */
    public int hostCertificateRequest$default$4() {
        return CertificateRequestBuilder.hostCertificateRequest$default$4$(this);
    }

    /** Trait-supplied default for the fifth {@code hostCertificateRequest} parameter. */
    public Option<CertificateHolder> hostCertificateRequest$default$5() {
        return CertificateRequestBuilder.hostCertificateRequest$default$5$(this);
    }

    /** Accessor for the trait's logger field. */
    public Logger blended$security$ssl$CertificateRequestBuilder$$log() {
        return this.blended$security$ssl$CertificateRequestBuilder$$log;
    }

    /** Trait field setter, invoked from the constructor via {@code CertificateRequestBuilder.$init$}. */
    public final void blended$security$ssl$CertificateRequestBuilder$_setter_$blended$security$ssl$CertificateRequestBuilder$$log_$eq(Logger logger) {
        this.blended$security$ssl$CertificateRequestBuilder$$log = logger;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0 */
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v10, types: [blended.security.scep.internal.ScepCertificateProvider] */
    /**
     * Slow path of the {@code log} lazy val: creates the logger for this class under the monitor
     * and sets bit 1 of {@code bitmap$0}. The {@code ?? r0} locals are decompiler residue for
     * {@code this}.
     */
    private Logger log$lzycompute() {
        ?? r0 = this;
        synchronized (r0) {
            if (((byte) (this.bitmap$0 & 1)) == 0) {
                this.log = Logger$.MODULE$.apply(ClassTag$.MODULE$.apply(ScepCertificateProvider.class));
                r0 = this;
                r0.bitmap$0 = (byte) (this.bitmap$0 | 1);
            }
        }
        return this.log;
    }

    /** Fast path of the {@code log} lazy val: returns the cached logger once bit 1 is set. */
    private Logger log() {
        return ((byte) (this.bitmap$0 & 1)) == 0 ? log$lzycompute() : this.log;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0 */
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v10, types: [blended.security.scep.internal.ScepCertificateProvider] */
    /**
     * Slow path of the {@code scepClient} lazy val. Builds the jscep {@link Client} for
     * {@code cfg.url()} with a {@code DefaultCallbackHandler} wrapping an
     * {@code OptimisticCertificateVerifier}.
     *
     * <p>NOTE(review): jscep's {@code OptimisticCertificateVerifier} accepts whatever CA certificate
     * the server presents, so the SCEP transport is not authenticated here; a verifier pinned to an
     * expected fingerprint or trust anchor would be needed to resist a spoofed SCEP endpoint.
     * {@code new URL(...)} throws a checked {@code MalformedURLException} in Java; in the Scala
     * original that is simply propagated.
     */
    private Client scepClient$lzycompute() {
        ?? r0 = this;
        synchronized (r0) {
            if (((byte) (this.bitmap$0 & 2)) == 0) {
                this.scepClient = new Client(new URL(this.cfg.url()), new DefaultCallbackHandler(new OptimisticCertificateVerifier()));
                r0 = this;
                r0.bitmap$0 = (byte) (this.bitmap$0 | 2);
            }
        }
        return this.scepClient;
    }

    /** Fast path of the {@code scepClient} lazy val: returns the cached client once bit 2 is set. */
    private Client scepClient() {
        return ((byte) (this.bitmap$0 & 2)) == 0 ? scepClient$lzycompute() : this.scepClient;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Slow path of the {@code caps} lazy val: fetches the CA capabilities from the SCEP server,
     * with the configured profile when {@code cfg.profile()} is {@code Some}, without one when it is
     * {@code None}. This is a network call made on first use of {@code caps()}.
     *
     * @throws MatchError if {@code cfg.profile()} is neither {@code None} nor {@code Some}
     *         (decompiled exhaustiveness check; the declared {@code Some} type is decompiler residue)
     */
    private Capabilities caps$lzycompute() {
        Capabilities caCapabilities;
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 4)) == 0) {
                Some profile = this.cfg.profile();
                if (None$.MODULE$.equals(profile)) {
                    caCapabilities = scepClient().getCaCapabilities();
                } else {
                    if (!(profile instanceof Some)) {
                        throw new MatchError(profile);
                    }
                    caCapabilities = scepClient().getCaCapabilities((String) profile.value());
                }
                this.caps = caCapabilities;
                this.bitmap$0 = (byte) (this.bitmap$0 | 4);
            }
        }
        return this.caps;
    }

    /** Fast path of the {@code caps} lazy val: returns the cached capabilities once bit 4 is set. */
    private Capabilities caps() {
        return ((byte) (this.bitmap$0 & 4)) == 0 ? caps$lzycompute() : this.caps;
    }

    /**
     * Entry point of the {@code CertificateProvider} contract: requests an initial certificate when
     * {@code option} is {@code None}, or a renewal of the given holder when it is {@code Some}.
     * Both paths delegate to {@link #enroll}; this method only logs which path was taken.
     *
     * @param option the previously obtained certificate, if any
     * @param commonNameProvider source of the subject common name and alternative names
     * @return the result of {@link #enroll}
     * @throws MatchError if {@code option} is neither {@code None} nor {@code Some}
     */
    public Try<CertificateHolder> refreshCertificate(Option<CertificateHolder> option, CommonNameProvider commonNameProvider) {
        Try<CertificateHolder> enroll;
        log().info(() -> {
            return new StringBuilder(57).append("Trying to refresh the server certificate via SCEP from [").append(this.cfg.url()).append("]").toString();
        });
        if (None$.MODULE$.equals(option)) {
            log().info(() -> {
                return "Obtaining initial server certificate from SCEP server.";
            });
            enroll = enroll(None$.MODULE$, commonNameProvider);
        } else {
            if (!(option instanceof Some)) {
                throw new MatchError(option);
            }
            CertificateHolder certificateHolder = (CertificateHolder) ((Some) option).value();
            log().info(() -> {
                return "Refreshing certificate previously obtained from SCEP server.";
            });
            enroll = enroll(new Some(certificateHolder), commonNameProvider);
        }
        return enroll;
    }

    /**
     * Creates a fresh self-signed certificate (and key pair) that serves as the client identity
     * for an initial SCEP enrollment. Key length comes from {@code cfg.keyLength()}, the signature
     * algorithm from the CA's strongest advertised algorithm, so this triggers {@code caps()}.
     * The trailing {@code 1} is passed straight to {@code SelfSignedConfig}; presumably a validity
     * period, but that is not visible here -- confirm against {@code SelfSignedConfig}.
     */
    private Try<CertificateHolder> selfSignedCertificate(CommonNameProvider commonNameProvider) {
        return new SelfSignedCertificateProvider(new SelfSignedConfig(commonNameProvider, this.cfg.keyLength(), caps().getStrongestSignatureAlgorithm(), 1)).refreshCertificate(None$.MODULE$, commonNameProvider);
    }

    /**
     * PEM-encodes a PKCS#10 request. Since the CSR built in {@link #enroll} carries the
     * {@code challengePassword} attribute, the returned text contains that secret.
     * The writers are closed unconditionally rather than in try-with-resources, so an exception
     * from {@code writeObject} leaves them open (decompiled Scala; the original has no
     * try/finally either).
     */
    private String dumpCsr(PKCS10CertificationRequest pKCS10CertificationRequest) {
        StringWriter stringWriter = new StringWriter();
        PEMWriter pEMWriter = new PEMWriter(stringWriter);
        pEMWriter.writeObject(pKCS10CertificationRequest);
        pEMWriter.close();
        stringWriter.close();
        return stringWriter.toString();
    }

    /**
     * Performs the SCEP enrollment inside a {@code Try}, so any exception raised below becomes a
     * {@code Failure} rather than propagating.
     *
     * <p>Steps, as visible in the body:
     * <ol>
     *   <li>A self-signed certificate is always generated first, even on the renewal path where it
     *       is never used (only the {@code None} branch assigns it) -- wasted key generation.</li>
     *   <li>The identity used for signing the request is the self-signed holder (initial) or the
     *       previous holder (renewal); its private key must be present ({@code privateKey().get()}).</li>
     *   <li>A CSR for the common name is built, the SCEP challenge password is attached as the
     *       {@code challengePassword} attribute, and alternative names (when non-empty) are added as
     *       a {@code subjectAlternativeName} DNS-name extension request.</li>
     *   <li>The CSR is signed with {@code cfg.csrSignAlgorithm()} and printed to stdout via
     *       {@code println(dumpCsr(build))}. NOTE(review): this discloses the challenge password
     *       in process output/logs; drop the print or log only the subject and SANs.</li>
     *   <li>Enrollment is submitted; while the response is pending the loop sleeps 1 s and retries
     *       with no maximum number of attempts, so a CA that never answers blocks this call
     *       indefinitely.</li>
     *   <li>A failed response is logged and turned into an error; otherwise every certificate in
     *       the returned store ({@code getCertificates(null)}, no selector) becomes the new chain.</li>
     * </ol>
     *
     * @param option previous holder for a renewal, {@code None} for initial enrollment
     * @param commonNameProvider source of subject common name and alternative names
     * @return the new holder, or a {@code Failure} wrapping the first exception
     */
    private Try<CertificateHolder> enroll(Option<CertificateHolder> option, CommonNameProvider commonNameProvider) {
        return Try$.MODULE$.apply(() -> {
            CertificateHolder certificateHolder;
            // Computed unconditionally; only consumed on the initial-enrollment path below.
            CertificateHolder certificateHolder2 = (CertificateHolder) this.selfSignedCertificate(commonNameProvider).get();
            if (None$.MODULE$.equals(option)) {
                this.log().info(() -> {
                    return new StringBuilder(54).append("Requesting initial certificate from SCEP server at [").append(this.cfg.url()).append("].").toString();
                });
                certificateHolder = certificateHolder2;
            } else {
                if (!(option instanceof Some)) {
                    throw new MatchError(option);
                }
                CertificateHolder certificateHolder3 = (CertificateHolder) ((Some) option).value();
                this.log().info(() -> {
                    return new StringBuilder(46).append("Refreshing certificate from SCEP server at [").append(this.cfg.url()).append("].").toString();
                });
                certificateHolder = certificateHolder3;
            }
            CertificateHolder certificateHolder4 = certificateHolder;
            // Option.get: a holder without a private key fails here (caught by the enclosing Try).
            PrivateKey privateKey = (PrivateKey) certificateHolder4.privateKey().get();
            JcaPKCS10CertificationRequestBuilder jcaPKCS10CertificationRequestBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Principal((String) commonNameProvider.commonName().get()), certificateHolder4.publicKey());
            // The challenge password is a shared secret with the CA; it is embedded in the CSR itself.
            jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, new DERPrintableString(this.cfg.scepChallenge()));
            if (((TraversableOnce) commonNameProvider.alternativeNames().get()).nonEmpty()) {
                // GeneralName tag 2 = dNSName.
                GeneralNames generalNames = new GeneralNames((GeneralName[]) ((TraversableOnce) ((List) commonNameProvider.alternativeNames().get()).map(str -> {
                    this.log().info(() -> {
                        return new StringBuilder(59).append("Adding alternative dns name [").append(str).append("] to SCEP certificate request.").toString();
                    });
                    return new GeneralName(2, str);
                }, List$.MODULE$.canBuildFrom())).toArray(ClassTag$.MODULE$.apply(GeneralName.class)));
                ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
                extensionsGenerator.addExtension(Extension.subjectAlternativeName, false, (ASN1Encodable) generalNames);
                BoxedUnit boxedUnit = BoxedUnit.UNIT;
                jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());
            } else {
                BoxedUnit boxedUnit2 = BoxedUnit.UNIT;
            }
            PKCS10CertificationRequest build = jcaPKCS10CertificationRequestBuilder.build(new JcaContentSignerBuilder(this.cfg.csrSignAlgorithm()).build(privateKey));
            // NOTE(review): writes the full CSR, including the challengePassword attribute, to stdout.
            Predef$.MODULE$.println(this.dumpCsr(build));
            // Signer identity is the head of the holder's chain: self-signed cert initially, previous cert on renewal.
            EnrollmentResponse enrol = this.scepClient().enrol((X509Certificate) certificateHolder4.chain().head(), privateKey, build);
            // Unbounded poll: no retry limit or deadline.
            while (enrol.isPending()) {
                this.log().info(() -> {
                    return new StringBuilder(32).append("Waiting for PKI response from [").append(this.cfg.url()).append("]").toString();
                });
                Thread.sleep(1000L);
            }
            if (enrol.isFailure()) {
                FailInfo failInfo = enrol.getFailInfo();
                this.log().error(() -> {
                    return new StringBuilder(35).append("Certificate provisioning failed: [").append(failInfo).append("]").toString();
                });
                // sys.error -> RuntimeException, captured as Failure by the enclosing Try.
                throw package$.MODULE$.error(failInfo.toString());
            }
            // null selector: every certificate in the response store is taken as-is.
            List list = ((TraversableOnce) JavaConverters$.MODULE$.collectionAsScalaIterableConverter(enrol.getCertStore().getCertificates(null)).asScala()).toList();
            this.log().info(() -> {
                return new StringBuilder(34).append("Retrieved [").append(list.length()).append("] certificates from [").append(this.cfg.url()).append("].").toString();
            });
            return (CertificateHolder) CertificateHolder$.MODULE$.create(certificateHolder4.publicKey(), new Some(privateKey), list).get();
        });
    }

    /**
     * Stores the configuration and runs the {@code CertificateRequestBuilder} trait initialiser,
     * which sets the trait's logger through the {@code _setter_} method above. No network access
     * happens here; the SCEP client and capabilities are created lazily on first use.
     *
     * @param scepConfig SCEP endpoint, profile, key and challenge settings
     */
    public ScepCertificateProvider(ScepConfig scepConfig) {
        this.cfg = scepConfig;
        CertificateRequestBuilder.$init$(this);
    }
}
