package org.bouncycastle.est;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.net.URL;
import java.text.SimpleDateFormat;
import java.util.Collection;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.TimeZone;
import java.util.regex.Pattern;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.est.CsrAttrs;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.DisplayText;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cmc.CMCException;
import org.bouncycastle.cmc.SimplePKIResponse;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.util.Selector;
import org.bouncycastle.util.Store;
import org.bouncycastle.util.encoders.Base64;

/* loaded from: input_file:lib/boot/bcpkix-jdk15on-1.68.jar:org/bouncycastle/est/ESTService.class */
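/**
 * Client for the EST (Enrollment over Secure Transport, RFC 7030) operations rooted at
 * {@code https://<server>/.well-known/est[/<label>]}.
 *
 * <p>Operations implemented here: {@code /cacerts}, {@code /simpleenroll},
 * {@code /simplereenroll} and {@code /csrattrs}. The {@link #FULLCMC} and {@link #SERVERGEN}
 * constants are declared (and reserved as labels) but no method in this class calls them.
 *
 * <p><b>Trust model.</b> Every operation except {@link #getCACerts()} refuses to run unless
 * {@code clientProvider.isTrusted()} is true. {@link #getCACerts()} runs either way and passes the
 * current {@code isTrusted()} value to the {@link CACertsResponse}; certificates fetched while that
 * value is false have not been authenticated by this class, so the caller has to verify them by
 * other means before installing them as trust anchors.
 *
 * <p>This listing is decompiler output; the review pass restored the response clean-up that the
 * decompiler had reduced to dead code and tightened input validation (see the individual methods).
 */
public class ESTService {
    protected static final String CACERTS = "/cacerts";
    protected static final String SIMPLE_ENROLL = "/simpleenroll";
    protected static final String SIMPLE_REENROLL = "/simplereenroll";
    protected static final String FULLCMC = "/fullcmc";
    protected static final String SERVERGEN = "/serverkeygen";
    protected static final String CSRATTRS = "/csrattrs";

    /**
     * Operation names that may not be used as a label. NOTE(review): this is a mutable, shared,
     * {@code protected static} set, so any subclass can add to or remove from it for every instance.
     */
    protected static final Set<String> illegalParts = new HashSet<String>();

    /** Base URL, always {@code https://}, built once in the constructor from validated parts. */
    private final String server;
    private final ESTClientProvider clientProvider;

    /** Whitelist of characters allowed in a label; used with {@code matches()}, so it covers the whole string. */
    private static final Pattern pathInValid = Pattern.compile("^[0-9a-zA-Z_\\-.~!$&'()*+,;:=]+");

    static {
        illegalParts.add(CACERTS.substring(1));
        illegalParts.add(SIMPLE_ENROLL.substring(1));
        illegalParts.add(SIMPLE_REENROLL.substring(1));
        illegalParts.add(FULLCMC.substring(1));
        illegalParts.add(SERVERGEN.substring(1));
        illegalParts.add(CSRATTRS.substring(1));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the service base URL from a validated server authority and optional label.
     *
     * @param str               server as {@code <dnsname/ipaddress>[:port]}; no scheme, no path
     * @param str2              optional label appended after {@code /.well-known/est/}; may be null
     * @param eSTClientProvider source of {@link ESTClient}s and of the trust-anchor state
     * @throws IllegalArgumentException if the server or label fails validation
     */
    public ESTService(String str, String str2, ESTClientProvider eSTClientProvider) {
        String verifiedServer = verifyServer(str);
        if (str2 != null) {
            this.server = "https://" + verifiedServer + "/.well-known/est/" + verifyLabel(str2);
        } else {
            this.server = "https://" + verifiedServer + "/.well-known/est";
        }
        this.clientProvider = eSTClientProvider;
    }

    /**
     * Returns every certificate in the store as an array.
     *
     * @param store the certificate store
     * @return all certificates in {@code store}
     */
    public static X509CertificateHolder[] storeToArray(Store<X509CertificateHolder> store) {
        return storeToArray(store, null);
    }

    /**
     * Returns the certificates in the store that match the selector as an array.
     *
     * @param store    the certificate store
     * @param selector filter passed to {@code store.getMatches}; the one-argument overload passes null
     * @return the matching certificates
     */
    public static X509CertificateHolder[] storeToArray(Store<X509CertificateHolder> store, Selector<X509CertificateHolder> selector) {
        Collection<X509CertificateHolder> matches = store.getMatches(selector);
        return matches.toArray(new X509CertificateHolder[matches.size()]);
    }

    /**
     * Fetches the CA certificates (and CRLs, if present) from {@code /cacerts}.
     *
     * <p>This is the one operation that does not require trust anchors. The response object is
     * given {@code clientProvider.isTrusted()} so the caller can tell an unauthenticated bootstrap
     * fetch from an authenticated one; nothing in this method validates the returned certificates.
     *
     * <p>Status handling: 200 must carry {@code Content-Type: application/pkcs7-mime} (exact match);
     * 204 yields a response with null stores; anything else is an {@link ESTException}. A 200 without
     * a positive {@code Content-Length} is treated as having no body.
     *
     * @return the parsed response
     * @throws ESTException on any transport, status, content-type or decoding failure
     */
    public CACertsResponse getCACerts() throws ESTException {
        ESTResponse response = null;
        boolean closeAttempted = false;
        try {
            URL url = new URL(this.server + CACERTS);
            ESTClient client = this.clientProvider.makeClient();
            ESTRequest request = new ESTRequestBuilder("GET", url).withClient(client).build();
            response = client.doRequest(request);

            Store<X509CertificateHolder> caCerts = null;
            Store<X509CRLHolder> crls = null;
            int status = response.getStatusCode();
            if (status == 200) {
                String contentType = response.getHeaders().getFirstValue("Content-Type");
                if (!"application/pkcs7-mime".equals(contentType)) {
                    throw new ESTException("Response : " + url.toString() + "Expecting application/pkcs7-mime " + (contentType != null ? " got " + contentType : " but was not present."), null, status, response.getInputStream());
                }
                try {
                    if (response.getContentLength() != null && response.getContentLength().longValue() > 0) {
                        // NOTE(review): parsed from the network without an explicit ASN.1 size limit, and
                        // possibly before any trust anchor exists. If the ESTClient does not bound the body,
                        // consider the ASN1InputStream(InputStream, int) constructor - confirm.
                        SimplePKIResponse pkiResponse = new SimplePKIResponse(ContentInfo.getInstance((ASN1Sequence) new ASN1InputStream(response.getInputStream()).readObject()));
                        caCerts = pkiResponse.getCertificates();
                        crls = pkiResponse.getCRLs();
                    }
                } catch (Throwable t) {
                    throw new ESTException("Decoding CACerts: " + url.toString() + " " + t.getMessage(), t, status, response.getInputStream());
                }
            } else if (status != 204) {
                throw new ESTException("Get CACerts: " + url.toString(), null, status, response.getInputStream());
            }

            CACertsResponse result = new CACertsResponse(caCerts, crls, request, response.getSource(), this.clientProvider.isTrusted());

            // Success path: a close failure is reported to the caller.
            closeAttempted = true;
            try {
                response.close();
            } catch (Exception e) {
                if (e instanceof ESTException) {
                    throw (ESTException) e;
                }
                throw new ESTException("Get CACerts: " + url.toString(), e, response.getStatusCode(), null);
            }
            return result;
        } catch (Throwable t) {
            throw asESTException(t);
        } finally {
            // Failure path: the decompiled code guarded this with "if (0 != 0)", so the response
            // was never released when an exception was thrown.
            if (!closeAttempted) {
                closeQuietly(response);
            }
        }
    }

    /**
     * Re-sends the request stored in a previous "retry later" enrollment response.
     *
     * @param enrollmentResponse earlier response whose {@code getRequestToRetry()} is replayed
     * @return the new enrollment response
     * @throws IllegalStateException if the client provider has no trust anchors
     * @throws Exception             (in practice {@link ESTException}) on any failure
     */
    public EnrollmentResponse simpleEnroll(EnrollmentResponse enrollmentResponse) throws Exception {
        if (!this.clientProvider.isTrusted()) {
            throw new IllegalStateException("No trust anchors.");
        }
        ESTResponse response = null;
        boolean closeAttempted = false;
        try {
            ESTClient client = this.clientProvider.makeClient();
            response = client.doRequest(new ESTRequestBuilder(enrollmentResponse.getRequestToRetry()).withClient(client).build());
            EnrollmentResponse result = handleEnrollResponse(response);
            closeAttempted = true;
            response.close();
            return result;
        } catch (Throwable t) {
            throw asESTException(t);
        } finally {
            if (!closeAttempted) {
                closeQuietly(response);
            }
        }
    }

    /**
     * Posts a PKCS#10 request to {@code /simpleenroll} or {@code /simplereenroll}.
     *
     * @param z                          true to use {@code /simplereenroll}, false for {@code /simpleenroll}
     * @param pKCS10CertificationRequest the certification request to send
     * @param eSTAuth                    optional HTTP authentication applied to the request; may be null
     * @return the enrollment response
     * @throws IllegalStateException if the client provider has no trust anchors
     * @throws IOException           (an {@link ESTException}) on any failure
     */
    public EnrollmentResponse simpleEnroll(boolean z, PKCS10CertificationRequest pKCS10CertificationRequest, ESTAuth eSTAuth) throws IOException {
        if (!this.clientProvider.isTrusted()) {
            throw new IllegalStateException("No trust anchors.");
        }
        ESTResponse response = null;
        boolean closeAttempted = false;
        try {
            // Base64 text is pure ASCII; naming the charset keeps the wire bytes independent of
            // the platform default encoding.
            byte[] body = annotateRequest(pKCS10CertificationRequest.getEncoded()).getBytes("US-ASCII");
            URL url = new URL(this.server + (z ? SIMPLE_REENROLL : SIMPLE_ENROLL));
            ESTClient client = this.clientProvider.makeClient();
            ESTRequestBuilder builder = new ESTRequestBuilder("POST", url).withData(body).withClient(client);
            builder.addHeader("Content-Type", "application/pkcs10");
            builder.addHeader("Content-Length", "" + body.length);
            builder.addHeader("Content-Transfer-Encoding", "base64");
            if (eSTAuth != null) {
                eSTAuth.applyAuth(builder);
            }
            response = client.doRequest(builder.build());
            EnrollmentResponse result = handleEnrollResponse(response);
            closeAttempted = true;
            response.close();
            return result;
        } catch (Throwable t) {
            throw asESTException(t);
        } finally {
            if (!closeAttempted) {
                closeQuietly(response);
            }
        }
    }

    /**
     * Enrolls with proof-of-possession linkage: the PKCS#10 request is built and signed only after
     * the connection exists, with the connection's tls-unique value (Base64) set as the
     * challengePassword attribute.
     *
     * <p>If the connection's {@code Source} cannot supply tls-unique the listener throws, so no
     * request without the binding is sent. NOTE(review): tls-unique is not defined for TLS 1.3;
     * whether a given {@code Source} reports it as unavailable there depends on the client
     * implementation - confirm before relying on this path with TLS 1.3.
     *
     * @param z                                 true to use {@code /simplereenroll}, false for {@code /simpleenroll}
     * @param pKCS10CertificationRequestBuilder template builder; it is copied, not modified
     * @param contentSigner                     signer used to build the request once the binding is known
     * @param eSTAuth                           optional HTTP authentication; may be null
     * @return the enrollment response
     * @throws IllegalStateException if the client provider has no trust anchors
     * @throws IOException           (an {@link ESTException}) on any failure
     */
    public EnrollmentResponse simpleEnrollPoP(boolean z, final PKCS10CertificationRequestBuilder pKCS10CertificationRequestBuilder, final ContentSigner contentSigner, ESTAuth eSTAuth) throws IOException {
        if (!this.clientProvider.isTrusted()) {
            throw new IllegalStateException("No trust anchors.");
        }
        ESTResponse response = null;
        boolean closeAttempted = false;
        try {
            URL url = new URL(this.server + (z ? SIMPLE_REENROLL : SIMPLE_ENROLL));
            ESTClient client = this.clientProvider.makeClient();
            ESTRequestBuilder builder = new ESTRequestBuilder("POST", url).withClient(client).withConnectionListener(new ESTSourceConnectionListener() { // from class: org.bouncycastle.est.ESTService.1
                @Override // org.bouncycastle.est.ESTSourceConnectionListener
                public ESTRequest onConnection(Source source, ESTRequest eSTRequest) throws IOException {
                    if (!(source instanceof TLSUniqueProvider) || !((TLSUniqueProvider) source).isTLSUniqueAvailable()) {
                        throw new IOException("Source does not supply TLS unique.");
                    }
                    // Work on a copy so the caller's builder never carries a stale channel binding.
                    PKCS10CertificationRequestBuilder boundBuilder = new PKCS10CertificationRequestBuilder(pKCS10CertificationRequestBuilder);
                    boundBuilder.setAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, new DERPrintableString(Base64.toBase64String(((TLSUniqueProvider) source).getTLSUnique())));
                    byte[] body = ESTService.this.annotateRequest(boundBuilder.build(contentSigner).getEncoded()).getBytes("US-ASCII");
                    ESTRequestBuilder rebuilt = new ESTRequestBuilder(eSTRequest).withData(body);
                    rebuilt.setHeader("Content-Type", "application/pkcs10");
                    rebuilt.setHeader("Content-Transfer-Encoding", "base64");
                    rebuilt.setHeader("Content-Length", Long.toString(body.length));
                    return rebuilt.build();
                }
            });
            if (eSTAuth != null) {
                eSTAuth.applyAuth(builder);
            }
            response = client.doRequest(builder.build());
            EnrollmentResponse result = handleEnrollResponse(response);
            closeAttempted = true;
            response.close();
            return result;
        } catch (Throwable t) {
            throw asESTException(t);
        } finally {
            if (!closeAttempted) {
                closeQuietly(response);
            }
        }
    }

    /**
     * Turns an enrollment HTTP response into an {@link EnrollmentResponse}.
     *
     * <ul>
     *   <li>202: {@code Retry-After} is required, either as delta-seconds or as an HTTP date; the
     *       result carries the absolute retry time in milliseconds and the original request.</li>
     *   <li>200: the body is decoded as a CMC simple PKI response and its certificates returned.
     *       Unlike {@link #getCACerts()}, this branch does not inspect {@code Content-Type}.</li>
     *   <li>anything else: {@link ESTException} carrying the status code and body stream.</li>
     * </ul>
     *
     * <p>The header value is server-controlled. Negative or overflowing delta-seconds are rejected;
     * large but representable delays are passed through, so callers that schedule on the returned
     * time should apply their own upper bound.
     *
     * @param eSTResponse the HTTP response to interpret
     * @return the enrollment outcome
     * @throws IOException (an {@link ESTException}) on an unexpected status, a missing or
     *                     unparseable {@code Retry-After}, or a decoding failure
     */
    protected EnrollmentResponse handleEnrollResponse(ESTResponse eSTResponse) throws IOException {
        ESTRequest originalRequest = eSTResponse.getOriginalRequest();
        int status = eSTResponse.getStatusCode();

        if (status == 202) {
            String retryAfter = eSTResponse.getHeader("Retry-After");
            if (retryAfter == null) {
                throw new ESTException("Got Status 202 but not Retry-After header from: " + originalRequest.getURL().toString());
            }
            long notBefore;
            try {
                long now = System.currentTimeMillis();
                long seconds = Long.parseLong(retryAfter);
                // seconds * 1000 used to be added unchecked: a negative value produced a time in
                // the past and a large one wrapped around.
                if (seconds < 0 || seconds > (Long.MAX_VALUE - now) / 1000) {
                    throw new ESTException("Unable to parse Retry-After header:" + originalRequest.getURL().toString() + " value out of range", null, status, eSTResponse.getInputStream());
                }
                notBefore = now + (seconds * 1000);
            } catch (NumberFormatException notANumber) {
                // Not delta-seconds; try the HTTP date form.
                try {
                    SimpleDateFormat httpDate = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss z", Locale.US);
                    httpDate.setTimeZone(TimeZone.getTimeZone("GMT"));
                    notBefore = httpDate.parse(retryAfter).getTime();
                } catch (Exception e) {
                    throw new ESTException("Unable to parse Retry-After header:" + originalRequest.getURL().toString() + " " + e.getMessage(), null, status, eSTResponse.getInputStream());
                }
            }
            return new EnrollmentResponse(null, notBefore, originalRequest, eSTResponse.getSource());
        }

        if (status != 200) {
            throw new ESTException("Simple Enroll: " + originalRequest.getURL().toString(), null, status, eSTResponse.getInputStream());
        }
        try {
            return new EnrollmentResponse(new SimplePKIResponse(ContentInfo.getInstance(new ASN1InputStream(eSTResponse.getInputStream()).readObject())).getCertificates(), -1L, null, eSTResponse.getSource());
        } catch (CMCException e) {
            // Reports the CMCException's cause, not the CMCException itself (kept as found).
            throw new ESTException(e.getMessage(), e.getCause());
        }
    }

    /**
     * Fetches the CSR attributes the server wants to see in enrollment requests ({@code /csrattrs}).
     *
     * <p>Status handling: 200 with a positive {@code Content-Length} is decoded; 200 without one,
     * 204 and 404 all yield a response with null attributes; anything else is an
     * {@link ESTException}.
     *
     * @return the attributes response together with the connection source
     * @throws IllegalStateException if the client provider has no trust anchors
     * @throws ESTException          on any transport, status or decoding failure
     */
    public CSRRequestResponse getCSRAttributes() throws ESTException {
        if (!this.clientProvider.isTrusted()) {
            throw new IllegalStateException("No trust anchors.");
        }
        ESTResponse response = null;
        boolean closeAttempted = false;
        try {
            URL url = new URL(this.server + CSRATTRS);
            ESTClient client = this.clientProvider.makeClient();
            ESTRequest request = new ESTRequestBuilder("GET", url).withClient(client).build();
            response = client.doRequest(request);

            CSRAttributesResponse attributes = null;
            // The decompiler rendered the literal 200 as DisplayText.DISPLAY_TEXT_MAXIMUM_SIZE,
            // an unrelated constant with the same value.
            switch (response.getStatusCode()) {
                case 200:
                    try {
                        if (response.getContentLength() != null && response.getContentLength().longValue() > 0) {
                            attributes = new CSRAttributesResponse(CsrAttrs.getInstance(ASN1Sequence.getInstance(new ASN1InputStream(response.getInputStream()).readObject())));
                        }
                    } catch (Throwable t) {
                        // Message used to say "Decoding CACerts", copied from getCACerts().
                        throw new ESTException("Decoding CSR Attributes: " + url.toString() + " " + t.getMessage(), t, response.getStatusCode(), response.getInputStream());
                    }
                    break;
                case 204:
                case 404:
                    break;
                default:
                    throw new ESTException("CSR Attribute request: " + request.getURL().toString(), null, response.getStatusCode(), response.getInputStream());
            }

            // Success path: a close failure is reported to the caller.
            closeAttempted = true;
            try {
                response.close();
            } catch (Exception e) {
                if (e instanceof ESTException) {
                    throw (ESTException) e;
                }
                throw new ESTException(e.getMessage(), e, response.getStatusCode(), null);
            }
            return new CSRRequestResponse(attributes, response.getSource());
        } catch (Throwable t) {
            throw asESTException(t);
        } finally {
            // Failure path: previously dead code ("if (0 != 0)"), so the response leaked.
            if (!closeAttempted) {
                closeQuietly(response);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Base64-encodes {@code bArr} in chunks of 48 input bytes (64 Base64 characters), each chunk
     * followed by {@code '\n'}. An empty array yields a single {@code "\n"}.
     *
     * @param bArr the DER bytes to encode
     * @return the line-wrapped Base64 text
     */
    public String annotateRequest(byte[] bArr) {
        StringBuilder out = new StringBuilder();
        int offset = 0;
        do {
            int chunk = Math.min(48, bArr.length - offset);
            out.append(Base64.toBase64String(bArr, offset, chunk));
            out.append('\n');
            offset += chunk;
        } while (offset < bArr.length);
        return out.toString();
    }

    /**
     * Validates a label: strips leading and trailing slashes, then requires a non-empty string made
     * only of whitelisted characters that is not one of the reserved operation names.
     *
     * <p>NOTE(review): the whitelist admits {@code '.'}, so the dot-segments {@code "."} and
     * {@code ".."} pass. If labels can come from anything other than fixed configuration, consider
     * rejecting them, since a server or intermediary may normalise such a path.
     */
    private String verifyLabel(String str) {
        while (str.endsWith("/") && str.length() > 0) {
            str = str.substring(0, str.length() - 1);
        }
        while (str.startsWith("/") && str.length() > 0) {
            str = str.substring(1);
        }
        if (str.length() == 0) {
            // Message used to read "is not zero length string", the opposite of the condition.
            throw new IllegalArgumentException("Label set but after trimming '/' is a zero length string.");
        }
        if (!pathInValid.matcher(str).matches()) {
            throw new IllegalArgumentException("Server path " + str + " contains invalid characters");
        }
        if (illegalParts.contains(str)) {
            throw new IllegalArgumentException("Label " + str + " is a reserved path segment.");
        }
        return str;
    }

    /**
     * Validates the server argument as a bare authority, {@code <dnsname/ipaddress>[:port]}, after
     * stripping trailing slashes.
     *
     * <p>The whole check runs inside one handler so that a malformed authority surfaces as
     * {@link IllegalArgumentException}; in the decompiled form the URL parse sat outside it. User
     * info, query and fragment are rejected as well as scheme and path: each would change where
     * the request goes or push the appended {@code /.well-known/est} out of the path.
     */
    private String verifyServer(String str) {
        try {
            while (str.endsWith("/") && str.length() > 0) {
                str = str.substring(0, str.length() - 1);
            }
            if (str.contains("://")) {
                throw new IllegalArgumentException("Server contains scheme, must only be <dnsname/ipaddress>:port, https:// will be added arbitrarily.");
            }
            URL url = new URL("https://" + str);
            if (url.getPath().length() != 0 && !url.getPath().equals("/")) {
                throw new IllegalArgumentException("Server contains path, must only be <dnsname/ipaddress>:port, a path of '/.well-known/est/<label>' will be added arbitrarily.");
            }
            if (url.getHost() == null || url.getHost().length() == 0 || url.getUserInfo() != null || url.getQuery() != null || url.getRef() != null) {
                throw new IllegalArgumentException("Server must only be <dnsname/ipaddress>:port, without user info, query or fragment.");
            }
            return str;
        } catch (Exception e) {
            if (e instanceof IllegalArgumentException) {
                throw (IllegalArgumentException) e;
            }
            throw new IllegalArgumentException("Scheme and host is invalid: " + e.getMessage(), e);
        }
    }

    /** Returns {@code t} itself if it already is an ESTException, otherwise wraps it. */
    private static ESTException asESTException(Throwable t) {
        if (t instanceof ESTException) {
            return (ESTException) t;
        }
        return new ESTException(t.getMessage(), t);
    }

    /** Releases a response on a failure path without letting a close error replace the original one. */
    private static void closeQuietly(ESTResponse response) {
        if (response == null) {
            return;
        }
        try {
            response.close();
        } catch (Exception ignored) {
            // The exception already in flight is the one the caller needs to see.
        }
    }
}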
