package org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.enrollment;

import java.io.IOException;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Iterator;
import java.util.concurrent.TimeUnit;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.jscep.client.Client;
import org.jscep.client.ClientException;
import org.jscep.client.EnrollmentResponse;
import org.jscep.client.verification.OptimisticCertificateVerifier;
import org.jscep.transaction.TransactionException;
import org.jscep.transport.response.Capabilities;
import org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.core.AgentManager;
import org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.exception.AgentCoreOperationException;
import sun.security.x509.X509CertImpl;

/* JADX WARN: Classes with same name are omitted:
  input_file:org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/enrollment/EnrollmentManager.class
  input_file:wso2-firealarm-virtual-agent-advanced/target/classes/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/enrollment/EnrollmentManager.class
 */
/* loaded from: input_file:wso2-firealarm-virtual-agent-advanced/target/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl-3.0.14.jar:org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/enrollment/EnrollmentManager.class */
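/**
 * Performs SCEP enrollment for the virtual fire-alarm agent.
 * <p>
 * {@link #beginEnrollmentFlow()} generates an RSA key pair, builds a PKCS#10 certificate
 * signing request from the agent configuration, signs a temporary self-signed certificate
 * with the new key, enrols the request at the SCEP endpoint returned by
 * {@code AgentManager.getInstance().getEnrollmentEP()}, and keeps the issued certificate
 * together with the public key of the server's CA certificate.
 * <p>
 * Changes compared to the previous revision: the key-pair generator no longer uses a
 * fixed {@link SecureRandom} seed (which makes key generation deterministic on providers
 * that honour seeds), the private key is no longer written to the log, the SCEP
 * enrollment response is checked for pending/failure status before its certificate store
 * is read, the CA lookup uses {@link X509Certificate#getBasicConstraints()} instead of the
 * {@code sun.security.x509} internal API, an empty response now raises
 * {@link AgentCoreOperationException} instead of leaving the fields {@code null}, and
 * {@link #isEnrolled()} becomes {@code true} once the flow completes.
 */
public class EnrollmentManager {
    private static EnrollmentManager enrollmentManager;
    private static final String KEY_PAIR_ALGORITHM = "RSA";
    private static final String PROVIDER = "BC";
    // NOTE(review): SHA-1 signatures are deprecated for new deployments; SHA256withRSA is the
    // usual replacement, but the SCEP server must advertise support for it (the CA capabilities
    // are logged in initPublicKeyOfServer) before this constant is switched.
    private static final String SIGNATURE_ALG = "SHA1withRSA";
    private static final String TEMP_ISSUER_DN = "CN=Temporary Issuer";
    private static final int KEY_SIZE = 2048;
    /** Validity of the temporary self-signed certificate, in days (730 days = 63072000000 ms). */
    private static final int CERT_VALIDITY = 730;
    /** Bit length of the random serial number of the temporary self-signed certificate. */
    private static final int SERIAL_BITS = 32;
    private static final Log log = LogFactory.getLog(EnrollmentManager.class);
    private PrivateKey privateKey;
    private PublicKey publicKey;
    private PublicKey serverPublicKey;
    private X509Certificate SCEPCertificate;
    private boolean isEnrolled = false;
    private String SCEPUrl = AgentManager.getInstance().getEnrollmentEP();

    private EnrollmentManager() {
    }

    /**
     * Returns the lazily created singleton.
     * <p>
     * Not synchronised; presumably the agent initialises it from a single start-up thread —
     * confirm with the callers before relying on it from several threads.
     *
     * @return the shared {@code EnrollmentManager}
     */
    public static EnrollmentManager getInstance() {
        if (enrollmentManager == null) {
            enrollmentManager = new EnrollmentManager();
        }
        return enrollmentManager;
    }

    /**
     * Runs the complete enrollment flow: key generation, CSR, temporary certificate, SCEP
     * enrollment and retrieval of the CA public key. On success the device key pair, the
     * issued certificate and the server public key are available through the getters and
     * {@link #isEnrolled()} returns {@code true}.
     *
     * @throws AgentCoreOperationException if any step of the flow fails
     */
    public void beginEnrollmentFlow() throws AgentCoreOperationException {
        // Registering the provider twice is a no-op, but the lookup keeps the intent explicit.
        if (Security.getProvider(PROVIDER) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        KeyPair keyPair = generateKeyPair();
        this.privateKey = keyPair.getPrivate();
        this.publicKey = keyPair.getPublic();
        if (log.isDebugEnabled()) {
            // Only the public half is logged; private key material must never reach the log.
            log.debug("AGENT_LOG:: DevicePublicKey:\n[\n" + this.publicKey + "\n]\n");
        }
        PKCS10CertificationRequest certSignRequest = generateCertSignRequest();
        X509Certificate tempCertificate = generateTemporaryCertificate(keyPair, certSignRequest);
        this.SCEPCertificate = getSignedCertificateFromServer(tempCertificate, certSignRequest);
        this.serverPublicKey = initPublicKeyOfServer();
        this.isEnrolled = true;
        if (log.isDebugEnabled()) {
            log.debug("AGENT_LOG:: TemporaryCertPublicKey:\n[\n" + tempCertificate.getPublicKey() + "\n]\n");
            log.debug("AGENT_LOG:: ServerPublicKey:\n[\n" + this.serverPublicKey + "\n]\n");
        }
    }

    /**
     * Generates the device RSA key pair with the BouncyCastle provider.
     *
     * @return a fresh {@link #KEY_SIZE}-bit RSA key pair
     * @throws AgentCoreOperationException if the algorithm or the provider is unavailable
     */
    private KeyPair generateKeyPair() throws AgentCoreOperationException {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(KEY_PAIR_ALGORITHM, PROVIDER);
            // A default-constructed SecureRandom is seeded by the platform. The former fixed
            // seed could make every device generate the same, predictable key pair.
            keyPairGenerator.initialize(KEY_SIZE, new SecureRandom());
            return keyPairGenerator.genKeyPair();
        } catch (NoSuchAlgorithmException e) {
            log.error("Algorithm [RSA] provided for KeyPairGenerator is invalid.");
            throw new AgentCoreOperationException("Algorithm [RSA] provided for KeyPairGenerator is invalid.", e);
        } catch (NoSuchProviderException e) {
            log.error("Provider [BC] provided for KeyPairGenerator does not exist.");
            throw new AgentCoreOperationException("Provider [BC] provided for KeyPairGenerator does not exist.", e);
        }
    }

    /**
     * Builds a PKCS#10 certificate signing request for the device public key, signed with
     * the device private key. The subject is taken from the agent configuration: tenant
     * domain as CN, device owner as O and OU, device id as UNIQUE_IDENTIFIER and SERIALNUMBER.
     *
     * @return the signed certification request
     * @throws AgentCoreOperationException if a content signer cannot be created
     */
    private PKCS10CertificationRequest generateCertSignRequest() throws AgentCoreOperationException {
        X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE);
        nameBuilder.addRDN(BCStyle.CN, AgentManager.getInstance().getAgentConfigs().getTenantDomain());
        nameBuilder.addRDN(BCStyle.O, AgentManager.getInstance().getAgentConfigs().getDeviceOwner());
        nameBuilder.addRDN(BCStyle.OU, AgentManager.getInstance().getAgentConfigs().getDeviceOwner());
        nameBuilder.addRDN(BCStyle.UNIQUE_IDENTIFIER, AgentManager.getInstance().getAgentConfigs().getDeviceId());
        nameBuilder.addRDN(BCStyle.SERIALNUMBER, AgentManager.getInstance().getAgentConfigs().getDeviceId());
        X500Name subject = nameBuilder.build();
        try {
            return new JcaPKCS10CertificationRequestBuilder(subject, this.publicKey)
                    .build(new JcaContentSignerBuilder(SIGNATURE_ALG).setProvider(PROVIDER).build(this.privateKey));
        } catch (OperatorCreationException e) {
            log.error("Could not create content signer with private key.");
            throw new AgentCoreOperationException("Could not create content signer with private key.", e);
        }
    }

    /**
     * Creates the temporary self-signed certificate that SCEP requires as the identity used
     * to sign the enrollment request. It carries the CSR subject and public key, a random
     * serial number and is valid for {@link #CERT_VALIDITY} days from now.
     *
     * @param keyPair         the device key pair; its private key signs the certificate
     * @param certSignRequest the CSR whose subject and public key are copied
     * @return the temporary certificate, converted through the BouncyCastle provider
     * @throws AgentCoreOperationException if the certificate or its signer cannot be built
     */
    private X509Certificate generateTemporaryCertificate(KeyPair keyPair,
                                                         PKCS10CertificationRequest certSignRequest)
            throws AgentCoreOperationException {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(CERT_VALIDITY));
        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
                new X500Name(TEMP_ISSUER_DN),
                new BigInteger(SERIAL_BITS, new SecureRandom()),
                notBefore,
                notAfter,
                certSignRequest.getSubject(),
                certSignRequest.getSubjectPublicKeyInfo());
        try {
            return new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(
                    certBuilder.build(new JcaContentSignerBuilder(SIGNATURE_ALG)
                            .setProvider(PROVIDER)
                            .build(keyPair.getPrivate())));
        } catch (CertificateException e) {
            log.error("Error occurred whilst trying to create Temp-Self-Signed Certificate.");
            throw new AgentCoreOperationException("Error occurred whilst trying to create Temp-Self-Signed Certificate.", e);
        } catch (OperatorCreationException e) {
            log.error("Error occurred whilst creating a ContentSigner for the Temp-Self-Signed Certificate.");
            throw new AgentCoreOperationException("Error occurred whilst creating a ContentSigner for the Temp-Self-Signed Certificate.", e);
        }
    }

    /**
     * Creates a jscep client for the configured SCEP endpoint.
     *
     * @return a new client bound to {@code SCEPUrl}
     * @throws AgentCoreOperationException if {@code SCEPUrl} is not a valid URL
     */
    private Client newScepClient() throws AgentCoreOperationException {
        try {
            // NOTE(review): OptimisticCertificateVerifier accepts whatever CA certificate the
            // server presents, so the SCEP server itself is not authenticated; a verifier that
            // checks a CA fingerprint from the agent configuration would close that gap.
            return new Client(new URL(this.SCEPUrl), new OptimisticCertificateVerifier());
        } catch (MalformedURLException e) {
            String message = "Could not create valid URL from given SCEP URI: " + this.SCEPUrl;
            log.error(message);
            throw new AgentCoreOperationException(message, e);
        }
    }

    /**
     * Enrols the CSR at the SCEP server and returns the issued certificate.
     * <p>
     * When the response store holds several X.509 certificates the last one is returned,
     * as before; whether the server places the device certificate last is not verified here.
     *
     * @param tempCertificate the temporary self-signed identity certificate
     * @param certSignRequest the CSR to enrol
     * @return the issued certificate, never {@code null}
     * @throws AgentCoreOperationException if the transaction is pending, failed, the
     *                                     response store cannot be read, or it holds no
     *                                     X.509 certificate
     */
    private X509Certificate getSignedCertificateFromServer(X509Certificate tempCertificate,
                                                           PKCS10CertificationRequest certSignRequest)
            throws AgentCoreOperationException {
        Client client = newScepClient();
        try {
            EnrollmentResponse response = client.enrol(tempCertificate, this.privateKey, certSignRequest);
            // The certificate store is only populated on a successful transaction; a pending
            // (manual approval) or failed response must be reported instead of read.
            if (response.isPending()) {
                String message = "Enrollment at SCEP Server at: " + this.SCEPUrl
                        + " is pending approval; no certificate was issued.";
                log.error(message);
                throw new AgentCoreOperationException(message);
            }
            if (response.isFailure()) {
                String message = "Enrollment at SCEP Server at: " + this.SCEPUrl
                        + " was rejected with failInfo: " + response.getFailInfo();
                log.error(message);
                throw new AgentCoreOperationException(message);
            }
            X509Certificate signedCertificate = null;
            for (Certificate certificate : response.getCertStore().getCertificates(null)) {
                if (log.isDebugEnabled()) {
                    log.debug(certificate.toString());
                }
                if (certificate instanceof X509Certificate) {
                    signedCertificate = (X509Certificate) certificate;
                }
            }
            if (signedCertificate == null) {
                String message = "SCEP Server at: " + this.SCEPUrl + " returned no X.509 certificate for the enrollment request.";
                log.error(message);
                throw new AgentCoreOperationException(message);
            }
            return signedCertificate;
        } catch (CertStoreException e) {
            log.error("Could not retrieve [Signed-Certificate] from the response message from SCEP-Server.");
            throw new AgentCoreOperationException("Could not retrieve [Signed-Certificate] from the response message from SCEP-Server.", e);
        } catch (ClientException | TransactionException e) {
            String message = "Enrollment process to SCEP Server at: " + this.SCEPUrl + " failed.";
            log.error(message);
            throw new AgentCoreOperationException(message, e);
        }
    }

    /**
     * Fetches the server's CA certificate chain and returns the public key of the CA
     * certificate, i.e. the last X.509 certificate in the chain whose basic-constraints
     * extension marks it as a CA.
     *
     * @return the CA public key, never {@code null}
     * @throws AgentCoreOperationException if the chain cannot be fetched or read, or it
     *                                     contains no CA certificate
     */
    private PublicKey initPublicKeyOfServer() throws AgentCoreOperationException {
        Client client = newScepClient();
        try {
            if (log.isDebugEnabled()) {
                Capabilities caCapabilities = client.getCaCapabilities();
                log.debug(String.format("\nStrongestCipher: %s,\nStrongestMessageDigest: %s,\nStrongestSignatureAlgorithm: %s,\nIsRenewalSupported: %s,\nIsRolloverSupported: %s", caCapabilities.getStrongestCipher(), caCapabilities.getStrongestMessageDigest(), caCapabilities.getStrongestSignatureAlgorithm(), Boolean.valueOf(caCapabilities.isRenewalSupported()), Boolean.valueOf(caCapabilities.isRolloverSupported())));
            }
            PublicKey caPublicKey = null;
            for (Certificate certificate : client.getCaCertificate().getCertificates(null)) {
                if (!(certificate instanceof X509Certificate)) {
                    continue;
                }
                X509Certificate x509Certificate = (X509Certificate) certificate;
                if (log.isDebugEnabled()) {
                    log.debug(x509Certificate.getIssuerX500Principal().getName());
                }
                // getBasicConstraints() is -1 unless the certificate carries a basic-constraints
                // extension with cA=true; this replaces the previous lookup of the "is_ca"
                // attribute through the sun.security.x509 internal API.
                if (x509Certificate.getBasicConstraints() >= 0) {
                    caPublicKey = x509Certificate.getPublicKey();
                }
            }
            if (caPublicKey == null) {
                String message = "SCEP Server at: " + this.SCEPUrl + " returned no CA certificate.";
                log.error(message);
                throw new AgentCoreOperationException(message);
            }
            return caPublicKey;
        } catch (CertStoreException e) {
            log.error("Could not retrieve [Server-Certificates] from the response message from SCEP-Server.");
            throw new AgentCoreOperationException("Could not retrieve [Server-Certificates] from the response message from SCEP-Server.", e);
        } catch (ClientException e) {
            log.error("Could not retrieve [Server-Certificate] from the SCEP-Server.");
            throw new AgentCoreOperationException("Could not retrieve [Server-Certificate] from the SCEP-Server.", e);
        }
    }

    /** @return the device public key, or {@code null} before {@link #beginEnrollmentFlow()} */
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /** @return the device private key, or {@code null} before {@link #beginEnrollmentFlow()} */
    public PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    /** @return the certificate issued by the SCEP server, or {@code null} before enrollment */
    public X509Certificate getSCEPCertificate() {
        return this.SCEPCertificate;
    }

    /** @return the public key of the server CA certificate, or {@code null} before enrollment */
    public PublicKey getServerPublicKey() {
        return this.serverPublicKey;
    }

    /** @return {@code true} once {@link #beginEnrollmentFlow()} has completed successfully */
    public boolean isEnrolled() {
        return this.isEnrolled;
    }
}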
