package org.xipki.scep.util;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedList;
import java.util.List;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERGeneralizedTime;
import org.bouncycastle.asn1.DERUTCTime;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.SignedData;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.RSASSAPSSparams;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Time;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.xipki.util.Args;

/* loaded from: input_file:org/xipki/scep/util/ScepUtil.class */
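/**
 * Static helpers for SCEP message processing: pulling certificates and CRLs out of a CMS
 * {@code SignedData}, mapping signature algorithms to digest algorithms, and lightweight
 * relationship checks between X.509 certificates.
 *
 * <p>None of the methods here verifies a signature or builds a certification path. The
 * certificate-relationship helpers ({@link #isSelfSigned} and {@link #issues}) compare names, key
 * identifiers and dates only, so their result is a plausibility filter and not a trust decision.
 */
public class ScepUtil {
    /** Lazily created factory; every access goes through {@link #getCertFactory()}. */
    private static CertificateFactory certFact;

    /** Monitor guarding the lazy initialisation of {@link #certFact}. */
    private static final Object certFactLock = new Object();

    private ScepUtil() {
        // utility class, not instantiable
    }

    /**
     * Returns the certificates embedded in a {@code SignedData}.
     *
     * <p>The first certificate whose basicConstraints value is {@code -1} (i.e. not a CA) is moved
     * to index 0; all other certificates keep their relative order. The certificates are only
     * parsed, not validated; the content of the set is controlled by whoever produced the message.
     *
     * @param signedData the CMS structure to read, must not be {@code null}
     * @return the parsed certificates, or an empty list when the structure carries none
     * @throws CertificateException if an entry cannot be decoded as an X.509 certificate
     */
    public static List<X509Certificate> getCertsFromSignedData(SignedData signedData) throws CertificateException {
        Args.notNull(signedData, "signedData");
        ASN1Set certificates = signedData.getCertificates();
        if (certificates == null || certificates.size() == 0) {
            return Collections.emptyList();
        }

        int size = certificates.size();
        List<X509Certificate> certs = new LinkedList<>();
        X509Certificate firstNonCaCert = null;
        for (int i = 0; i < size; i++) {
            try {
                X509Certificate cert = toX509Cert(Certificate.getInstance(certificates.getObjectAt(i)));
                if (firstNonCaCert == null && cert.getBasicConstraints() == -1) {
                    firstNonCaCert = cert;
                } else {
                    certs.add(cert);
                }
            } catch (IllegalArgumentException e) {
                // Certificate.getInstance rejects malformed ASN.1 with an unchecked exception
                throw new CertificateException(e);
            }
        }

        if (firstNonCaCert != null) {
            certs.add(0, firstNonCaCert);
        }
        return certs;
    }

    /**
     * Returns the first CRL embedded in a {@code SignedData}; further CRLs are ignored.
     *
     * <p>The CRL is parsed only. Its signature and freshness are not checked here.
     *
     * @param signedData the CMS structure to read, must not be {@code null}
     * @return the first CRL, or {@code null} when the structure carries none
     * @throws CRLException if the entry cannot be encoded or parsed as an X.509 CRL
     */
    public static X509CRL getCrlFromPkiMessage(SignedData signedData) throws CRLException {
        Args.notNull(signedData, "signedData");
        ASN1Set crls = signedData.getCRLs();
        if (crls == null || crls.size() == 0) {
            return null;
        }

        try {
            byte[] encodedCrl;
            try {
                encodedCrl = CertificateList.getInstance(crls.getObjectAt(0)).getEncoded();
            } catch (IOException e) {
                throw new CRLException("could not get encoded CRL", e);
            }

            X509CRL crl = (X509CRL) getCertFactory().generateCRL(new ByteArrayInputStream(encodedCrl));
            if (crl == null) {
                throw new CRLException("the given one is not a valid X.509 CRL");
            }
            return crl;
        } catch (IllegalArgumentException | CRLException | CertificateException e) {
            // every failure, including the CRLExceptions raised above, is reported wrapped
            throw new CRLException(e);
        }
    }

    /**
     * Builds the JCA signature algorithm name for the given key and hash algorithm.
     *
     * @param privateKey the signing key, must not be {@code null}
     * @param scepHashAlgo the hash algorithm, must not be {@code null}
     * @return the hash algorithm name followed by {@code "withRSA"}
     * @throws UnsupportedOperationException if the key algorithm is not RSA
     */
    public static String getSignatureAlgorithm(PrivateKey privateKey, ScepHashAlgo scepHashAlgo) {
        Args.notNull(privateKey, "key");
        Args.notNull(scepHashAlgo, "hashAlgo");
        if (!"RSA".equalsIgnoreCase(privateKey.getAlgorithm())) {
            throw new UnsupportedOperationException("getSignatureAlgorithm() for non-RSA is not supported yet.");
        }
        return scepHashAlgo.getName() + "withRSA";
    }

    /**
     * Converts a BouncyCastle certificate structure into a JCA {@link X509Certificate}.
     *
     * @param certificate the ASN.1 certificate structure
     * @return the parsed certificate
     * @throws CertificateException if the structure cannot be encoded or parsed
     */
    public static X509Certificate toX509Cert(Certificate certificate) throws CertificateException {
        try {
            return parseCert(certificate.getEncoded());
        } catch (IOException e) {
            throw new CertificateEncodingException("could not get encoded certificate", e);
        }
    }

    /**
     * Parses an encoded X.509 certificate. The certificate is decoded only; no validation of
     * signature, validity period or chain takes place.
     *
     * @param bArr the encoded certificate, must not be {@code null}
     * @return the parsed certificate
     * @throws CertificateException if the bytes cannot be parsed
     */
    public static X509Certificate parseCert(byte[] bArr) throws CertificateException {
        Args.notNull(bArr, "certBytes");
        return (X509Certificate) getCertFactory().generateCertificate(new ByteArrayInputStream(bArr));
    }

    /**
     * Returns the subjectKeyIdentifier octets of a certificate, or {@code null} when the
     * extension is absent.
     */
    private static byte[] extractSki(X509Certificate x509Certificate) throws CertificateEncodingException {
        byte[] extnValue = getCoreExtValue(x509Certificate, Extension.subjectKeyIdentifier);
        if (extnValue == null) {
            return null;
        }
        try {
            return ASN1OctetString.getInstance(extnValue).getOctets();
        } catch (IllegalArgumentException e) {
            // keep the decoding failure as the cause so it is not lost to the caller
            throw new CertificateEncodingException(e.getMessage(), e);
        }
    }

    /**
     * Returns the keyIdentifier field of the authorityKeyIdentifier extension, or {@code null}
     * when the extension is absent.
     */
    private static byte[] extractAki(X509Certificate x509Certificate) throws CertificateEncodingException {
        byte[] extnValue = getCoreExtValue(x509Certificate, Extension.authorityKeyIdentifier);
        if (extnValue == null) {
            return null;
        }
        try {
            return AuthorityKeyIdentifier.getInstance(extnValue).getKeyIdentifier();
        } catch (IllegalArgumentException e) {
            throw new CertificateEncodingException("invalid extension AuthorityKeyIdentifier: " + e.getMessage(), e);
        }
    }

    /**
     * Returns the content of an extension with the outer OCTET STRING wrapper removed, or
     * {@code null} when the certificate does not carry the extension.
     */
    private static byte[] getCoreExtValue(X509Certificate x509Certificate, ASN1ObjectIdentifier aSN1ObjectIdentifier) throws CertificateEncodingException {
        Args.notNull(x509Certificate, "cert");
        Args.notNull(aSN1ObjectIdentifier, "type");
        byte[] wrapped = x509Certificate.getExtensionValue(aSN1ObjectIdentifier.getId());
        if (wrapped == null) {
            return null;
        }
        try {
            return ASN1OctetString.getInstance(wrapped).getOctets();
        } catch (IllegalArgumentException e) {
            throw new CertificateEncodingException("invalid extension " + aSN1ObjectIdentifier.getId() + ": " + e.getMessage(), e);
        }
    }

    /**
     * Tells whether a certificate looks self-signed.
     *
     * <p>The check compares subject and issuer names and, when both key identifiers are present,
     * the subjectKeyIdentifier with the authorityKeyIdentifier. The signature is not verified
     * against the certificate's own public key, so a {@code true} result must not be used on its
     * own to accept a certificate as a trust anchor.
     *
     * @param x509Certificate the certificate to inspect, must not be {@code null}
     * @return {@code true} if names match and the key identifiers are equal or at least one is
     *     absent; {@code false} otherwise, including when an extension cannot be decoded
     */
    public static boolean isSelfSigned(X509Certificate x509Certificate) {
        Args.notNull(x509Certificate, "cert");
        if (!x509Certificate.getSubjectX500Principal().equals(x509Certificate.getIssuerX500Principal())) {
            return false;
        }
        try {
            byte[] ski = extractSki(x509Certificate);
            byte[] aki = extractAki(x509Certificate);
            if (ski == null || aki == null) {
                // without both identifiers the name match is the only evidence available
                return true;
            }
            return Arrays.equals(ski, aki);
        } catch (CertificateEncodingException e) {
            return false;
        }
    }

    /**
     * Tells whether {@code x509Certificate} plausibly issued {@code x509Certificate2}.
     *
     * <p>All of the following must hold: the issuer candidate is a CA (basicConstraints
     * {@code >= 0}); its subject equals the other certificate's issuer; when the issuer candidate
     * has a subjectKeyIdentifier, it equals the other certificate's authorityKeyIdentifier key id
     * (a missing authorityKeyIdentifier then counts as a mismatch); and the other certificate's
     * notBefore lies within the issuer candidate's validity period.
     *
     * <p>The signature on {@code x509Certificate2} is not verified here. Callers that base a trust
     * decision on the result still have to verify it against the issuer's public key.
     *
     * @param x509Certificate the issuer candidate, must not be {@code null}
     * @param x509Certificate2 the certificate that may have been issued, must not be {@code null}
     * @return {@code true} if all checks above pass
     * @throws CertificateEncodingException if a key identifier extension cannot be decoded
     */
    public static boolean issues(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertificateEncodingException {
        Args.notNull(x509Certificate, "issuerCert");
        Args.notNull(x509Certificate2, "cert");
        if (x509Certificate.getBasicConstraints() < 0) {
            return false;
        }
        if (!x509Certificate.getSubjectX500Principal().equals(x509Certificate2.getIssuerX500Principal())) {
            return false;
        }

        byte[] issuerSki = extractSki(x509Certificate);
        byte[] certAki = extractAki(x509Certificate2);
        if (issuerSki != null && !Arrays.equals(issuerSki, certAki)) {
            return false;
        }

        long issuerNotBefore = x509Certificate.getNotBefore().getTime();
        long issuerNotAfter = x509Certificate.getNotAfter().getTime();
        long certNotBefore = x509Certificate2.getNotBefore().getTime();
        return certNotBefore >= issuerNotBefore && certNotBefore <= issuerNotAfter;
    }

    /**
     * Maps a signature algorithm OID to the OID of its digest algorithm.
     *
     * <p>MD5 and SHA-1 based signature OIDs are mapped like any other. This method applies no
     * algorithm policy, so rejecting weak digests is left to the caller.
     *
     * <p>For RSASSA-PSS the digest is read from the encoded algorithm parameters. Malformed
     * parameters are expected to surface as an unchecked exception from the ASN.1 decoder.
     * NOTE(review): when the hash field is omitted from the parameters the decoder is expected to
     * substitute its default hash; confirm which digest that is for the BouncyCastle version in
     * use before relying on it.
     *
     * @param str the dotted signature algorithm OID, must not be blank
     * @param bArr the encoded signature algorithm parameters; only read for RSASSA-PSS
     * @return the digest algorithm OID
     * @throws NoSuchAlgorithmException if the signature algorithm is not one of the supported RSA
     *     variants, or if RSASSA-PSS is given without parameters
     */
    public static ASN1ObjectIdentifier extractDigesetAlgorithmIdentifier(String str, byte[] bArr) throws NoSuchAlgorithmException {
        Args.notBlank(str, "sigOid");
        ASN1ObjectIdentifier sigOid = new ASN1ObjectIdentifier(str);

        if (PKCSObjectIdentifiers.md5WithRSAEncryption.equals(sigOid)) {
            return PKCSObjectIdentifiers.md5;
        }
        if (PKCSObjectIdentifiers.sha1WithRSAEncryption.equals(sigOid)) {
            return X509ObjectIdentifiers.id_SHA1;
        }
        if (PKCSObjectIdentifiers.sha224WithRSAEncryption.equals(sigOid)) {
            return NISTObjectIdentifiers.id_sha224;
        }
        if (PKCSObjectIdentifiers.sha256WithRSAEncryption.equals(sigOid)) {
            return NISTObjectIdentifiers.id_sha256;
        }
        if (PKCSObjectIdentifiers.sha384WithRSAEncryption.equals(sigOid)) {
            return NISTObjectIdentifiers.id_sha384;
        }
        if (PKCSObjectIdentifiers.sha512WithRSAEncryption.equals(sigOid)) {
            return NISTObjectIdentifiers.id_sha512;
        }
        if (!PKCSObjectIdentifiers.id_RSASSA_PSS.equals(sigOid)) {
            throw new NoSuchAlgorithmException("unknown signature algorithm " + sigOid.getId());
        }

        // getInstance(null) yields null, which previously ended in a NullPointerException
        RSASSAPSSparams pssParams = RSASSAPSSparams.getInstance(bArr);
        if (pssParams == null) {
            throw new NoSuchAlgorithmException("missing parameters for signature algorithm " + sigOid.getId());
        }
        return pssParams.getHashAlgorithm().getAlgorithm();
    }

    /**
     * Returns the first value of the attribute with the given type.
     *
     * @param attributeTable the attributes to search, must not be {@code null}
     * @param aSN1ObjectIdentifier the attribute type, must not be {@code null}
     * @return the first value, or {@code null} if the attribute is absent or has no values
     */
    public static ASN1Encodable getFirstAttrValue(AttributeTable attributeTable, ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        Args.notNull(attributeTable, "attrs");
        Args.notNull(aSN1ObjectIdentifier, "type");
        Attribute attribute = attributeTable.get(aSN1ObjectIdentifier);
        if (attribute == null) {
            return null;
        }
        ASN1Set values = attribute.getAttrValues();
        return values.size() == 0 ? null : values.getObjectAt(0);
    }

    /**
     * Adds the given certificates to the certificate set of a CMS signed-data generator.
     * A {@code null} or empty array is a no-op, in which case the generator is not inspected.
     *
     * @param cMSSignedDataGenerator the generator to extend, must not be {@code null} when
     *     certificates are given
     * @param x509CertificateArr the certificates to add, may be {@code null} or empty
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws CMSException if the generator rejects the certificates
     */
    public static void addCmsCertSet(CMSSignedDataGenerator cMSSignedDataGenerator, X509Certificate[] x509CertificateArr) throws CertificateEncodingException, CMSException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return;
        }
        Args.notNull(cMSSignedDataGenerator, "generator");
        List<X509Certificate> certList = new LinkedList<>(Arrays.asList(x509CertificateArr));
        cMSSignedDataGenerator.addCertificates(new JcaCertStore(certList));
    }

    /**
     * Converts a time value to a {@link Date}.
     *
     * <p>A {@code byte[]} is treated as a DER encoding and dispatched on its first byte: tag 23
     * is read as UTCTime and tag 24 as GeneralizedTime. Any other object is handed to the X.509
     * or CMS {@code Time} type.
     *
     * @param obj an encoded time, an X.509 {@code Time}, a CMS {@code Time}, or an object
     *     accepted by {@code Time.getInstance}
     * @return the decoded instant
     * @throws IllegalArgumentException if the byte array is empty, carries another tag, or cannot
     *     be parsed as a time
     */
    public static Date getTime(Object obj) {
        if (obj instanceof byte[]) {
            byte[] encoded = (byte[]) obj;
            if (encoded.length == 0) {
                // an empty array used to fail with ArrayIndexOutOfBoundsException on the tag read
                throw new IllegalArgumentException("empty time encoding");
            }
            int tag = encoded[0] & 255;
            try {
                if (tag == 23) {
                    return DERUTCTime.getInstance(encoded).getDate();
                }
                if (tag == 24) {
                    return DERGeneralizedTime.getInstance(encoded).getDate();
                }
                throw new IllegalArgumentException("invalid tag " + tag);
            } catch (ParseException e) {
                throw new IllegalArgumentException("error parsing time", e);
            }
        }

        if (obj instanceof Time) {
            return ((Time) obj).getDate();
        }
        if (obj instanceof org.bouncycastle.asn1.cms.Time) {
            return ((org.bouncycastle.asn1.cms.Time) obj).getDate();
        }
        return Time.getInstance(obj).getDate();
    }

    /**
     * Returns the shared X.509 certificate factory, creating it on first use.
     *
     * <p>The provider named {@code "BC"} is preferred. When it is not registered the platform
     * default X.509 factory is used without any notice, so parsing behaviour can differ between
     * deployments depending on the installed providers.
     *
     * @throws CertificateException if no X.509 factory is available
     */
    private static CertificateFactory getCertFactory() throws CertificateException {
        synchronized (certFactLock) {
            if (certFact == null) {
                try {
                    certFact = CertificateFactory.getInstance("X.509", "BC");
                } catch (NoSuchProviderException e) {
                    certFact = CertificateFactory.getInstance("X.509");
                }
            }
            return certFact;
        }
    }
}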
