package org.xipki.litecaclient;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/xipki/litecaclient/RestCaClient.class */
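/**
 * Minimal client for a CA's REST interface: fetches the CA certificate, enrolls
 * certificates from PKCS#10 requests, and revokes / unrevokes certificates by
 * serial number.
 *
 * <p>Security notes for integrators:
 * <ul>
 *   <li>Every request carries an HTTP Basic {@code Authorization} header built from the
 *       user name and password given to the constructor. Basic credentials are only
 *       Base64-encoded, so their confidentiality depends entirely on the transport. This
 *       class does not check the scheme of {@code caUrl}; callers should pass an
 *       {@code https} URL.</li>
 *   <li>The CA certificate used by {@link #requestCert} to check the issuer of an enrolled
 *       certificate is downloaded from the same endpoint in {@link #init()}. That check is
 *       therefore only as trustworthy as the connection used during {@code init()}; it is
 *       not an independent trust anchor. NOTE(review): server authentication is presumably
 *       configured by {@code TlsInit} / {@code SdkUtil.openHttpConn} - confirm there.</li>
 * </ul>
 *
 * <p>{@link #init()} must be called before {@link #requestCert}, {@link #revokeCert} or
 * {@link #unrevokeCert}. The class performs no synchronization of its own.
 */
public class RestCaClient {
    public static final String CT_pkix_cert = "application/pkix-cert";
    private static final Logger LOG = LoggerFactory.getLogger(RestCaClient.class);
    private final String caUrl;
    // Base64 of "user:password". This is a reversible encoding of the credentials and
    // must never be logged or included in exception messages.
    private final String authorization;
    private X509Certificate caCert;
    private String caCertSha1Fp;

    /**
     * Creates a client for the CA reachable at {@code caUrl}.
     *
     * @param caUrl base URL of the CA's REST interface; must be non-blank and parseable
     *     as a {@link URL}
     * @param user user name for HTTP Basic authentication
     * @param password password for HTTP Basic authentication
     * @throws Exception if {@code caUrl} is blank or not a well-formed URL
     */
    public RestCaClient(String caUrl, String user, String password) throws Exception {
        this.caUrl = new URL(SdkUtil.requireNonBlank("caUrl", caUrl)).toString();
        // Encode explicitly as UTF-8 so the header does not vary with the JVM's
        // platform default charset.
        this.authorization = Base64.getEncoder()
                .encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Runs {@code TlsInit.init()}, downloads the CA certificate and caches its SHA-1
     * fingerprint.
     *
     * @throws Exception if the CA certificate cannot be fetched or parsed
     */
    public void init() throws Exception {
        TlsInit.init();
        this.caCert = httpgetCaCert();
        // SHA-1 is used here only because the revoke endpoint identifies the CA through
        // its "ca-sha1" query parameter; it is a lookup key, not an integrity control.
        this.caCertSha1Fp = Hex.toHexString(
                MessageDigest.getInstance("SHA1").digest(this.caCert.getEncoded()));
    }

    /**
     * Returns the CA certificate fetched by {@link #init()}, or {@code null} if
     * {@code init()} has not completed.
     */
    public X509Certificate getCaCert() {
        return this.caCert;
    }

    /** Runs {@code TlsInit.shutdown()}. */
    public void shutdown() {
        TlsInit.shutdown();
    }

    /** Fetches and parses the CA certificate from {@code <caUrl>/cacert}. */
    private X509Certificate httpgetCaCert() throws Exception {
        return SdkUtil.parseCert(httpGet(this.caUrl + "/cacert", CT_pkix_cert));
    }

    /**
     * Enrolls a certificate for the given PKCS#10 request under the named profile.
     *
     * @param profile name of the certificate profile; must be non-blank
     * @param csr the certification request to submit
     * @return the issued certificate, after checking that it was signed by the cached
     *     CA certificate
     * @throws IllegalStateException if {@link #init()} has not been called
     * @throws Exception on transport errors, an unexpected response, or if the returned
     *     certificate is not issued by the cached CA certificate
     */
    public X509Certificate requestCert(String profile, CertificationRequest csr) throws Exception {
        requireInitialized();
        // The profile name ends up in the query string; encode it so characters such as
        // '&', '=' or '#' cannot add or override request parameters.
        String encodedProfile = URLEncoder.encode(
                SdkUtil.requireNonBlank("profile", profile), StandardCharsets.UTF_8.name());
        byte[] encodedCert = httpPost(this.caUrl + "/enroll-cert?profile=" + encodedProfile,
                "application/pkcs10", csr.getEncoded(), CT_pkix_cert);
        X509Certificate cert = SdkUtil.parseCert(encodedCert);
        if (verify(this.caCert, cert)) {
            return cert;
        }
        throw new Exception("The returned certificate is not issued by the given CA");
    }

    /**
     * Asks the CA to revoke the certificate with the given serial number.
     *
     * @param serialNumber serial number of the certificate to revoke
     * @param reason CRL reason to record
     * @return {@code true} if the server answered with HTTP 200, {@code false} otherwise
     * @throws IllegalStateException if {@link #init()} has not been called
     * @throws Exception on transport errors
     */
    public boolean revokeCert(BigInteger serialNumber, CRLReason reason) throws Exception {
        // Without init() the fingerprint is null and the request would carry "ca-sha1=null".
        requireInitialized();
        StringBuilder url = new StringBuilder(200);
        url.append(this.caUrl).append("/revoke-cert?ca-sha1=").append(this.caCertSha1Fp);
        url.append("&serial-number=0X").append(serialNumber.toString(16));
        url.append("&reason=").append(reason.getValue().intValue());
        return simpleHttpGet(url.toString());
    }

    /**
     * Asks the CA to unrevoke the certificate with the given serial number by sending a
     * revocation request with reason {@code removeFromCRL}.
     *
     * @param serialNumber serial number of the certificate to unrevoke
     * @return {@code true} if the server answered with HTTP 200, {@code false} otherwise
     * @throws Exception see {@link #revokeCert}
     */
    public boolean unrevokeCert(BigInteger serialNumber) throws Exception {
        return revokeCert(serialNumber, CRLReason.lookup(CRLReason.removeFromCRL));
    }

    /** Fails fast when the CA certificate has not been loaded by {@link #init()}. */
    private void requireInitialized() {
        if (this.caCert == null || this.caCertSha1Fp == null) {
            throw new IllegalStateException("init() must be called before using the CA client");
        }
    }

    /**
     * Checks that {@code cert} names {@code issuerCert}'s subject as its issuer and carries
     * a signature that verifies under {@code issuerCert}'s public key.
     *
     * <p>Only the issuer name and the signature are checked. Validity period, extensions
     * and revocation status are not evaluated here.
     *
     * @return {@code true} if both checks pass; {@code false} if either argument is not an
     *     X.509 certificate, the names differ, or signature verification fails
     */
    private boolean verify(Certificate issuerCert, Certificate cert) {
        if (!(issuerCert instanceof X509Certificate) || !(cert instanceof X509Certificate)) {
            return false;
        }
        X509Certificate x509Issuer = (X509Certificate) issuerCert;
        X509Certificate x509Cert = (X509Certificate) cert;
        if (!x509Cert.getIssuerX500Principal().equals(x509Issuer.getSubjectX500Principal())) {
            return false;
        }
        try {
            x509Cert.verify(x509Issuer.getPublicKey());
            return true;
        } catch (Exception e) {
            LOG.debug("{} while verifying signature: {}", e.getClass().getName(), e.getMessage());
            return false;
        }
    }

    /**
     * Sends an authenticated GET and reports only whether the server answered HTTP 200.
     * The response body is not read.
     */
    private boolean simpleHttpGet(String url) throws IOException {
        HttpURLConnection conn = SdkUtil.openHttpConn(new URL(url));
        try {
            // No request body is sent, so output is not enabled on the connection.
            conn.setUseCaches(false);
            conn.setRequestMethod("GET");
            conn.setRequestProperty("Authorization", "Basic " + this.authorization);
            int status = conn.getResponseCode();
            boolean ok = status == HttpURLConnection.HTTP_OK;
            if (!ok) {
                LOG.warn("bad response: {}    {}", status, conn.getResponseMessage());
            }
            return ok;
        } finally {
            // The body is never consumed, so release the connection explicitly.
            conn.disconnect();
        }
    }

    /**
     * Sends an authenticated GET and returns the response body.
     *
     * @param url full request URL
     * @param expectedContentType content type the response must declare (case-insensitive)
     * @throws IOException if the status is not 200 or the content type does not match
     */
    private byte[] httpGet(String url, String expectedContentType) throws IOException {
        HttpURLConnection conn = SdkUtil.openHttpConn(new URL(url));
        // No request body is sent, so output is not enabled on the connection.
        conn.setUseCaches(false);
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", "Basic " + this.authorization);
        return readResponse(conn, expectedContentType);
    }

    /**
     * Sends an authenticated POST with the given body and returns the response body.
     *
     * @param url full request URL
     * @param requestContentType value of the request's {@code Content-Type} header
     * @param request request body; must not be {@code null}
     * @param expectedContentType content type the response must declare (case-insensitive)
     * @throws IOException if the status is not 200 or the content type does not match
     */
    private byte[] httpPost(String url, String requestContentType, byte[] request,
            String expectedContentType) throws IOException {
        SdkUtil.requireNonNull("request", request);
        HttpURLConnection conn = SdkUtil.openHttpConn(new URL(url));
        conn.setDoOutput(true);
        conn.setUseCaches(false);
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", requestContentType);
        conn.setRequestProperty("Content-Length", Integer.toString(request.length));
        conn.setRequestProperty("Authorization", "Basic " + this.authorization);
        // Close the request stream even if the write fails.
        try (OutputStream out = conn.getOutputStream()) {
            out.write(request);
            out.flush();
        }
        return readResponse(conn, expectedContentType);
    }

    /**
     * Validates status and content type of a completed request and reads its body.
     *
     * <p>The status is checked before the input stream is opened: for error statuses
     * {@code getInputStream()} itself throws, which would hide the status line from the
     * "bad response" message.
     */
    private byte[] readResponse(HttpURLConnection conn, String expectedContentType)
            throws IOException {
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            String message = conn.getResponseMessage();
            conn.disconnect();
            throw new IOException("bad response: " + status + "    " + message);
        }
        String contentType = conn.getContentType();
        if (contentType == null || !contentType.equalsIgnoreCase(expectedContentType)) {
            conn.disconnect();
            throw new IOException("bad response: mime type " + contentType + " not supported!");
        }
        // Close the stream here regardless of whether SdkUtil.read does so itself.
        try (InputStream in = conn.getInputStream()) {
            return SdkUtil.read(in);
        }
    }
}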
