package org.jscep.server;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.IOUtils;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCRLStore;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSAbsentContent;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.SignerInfoGeneratorBuilder;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.encoders.Base64;
import org.eclipse.jetty.http.HttpHeaders;
import org.eclipse.jetty.http.MimeTypes;
import org.jscep.asn1.IssuerAndSubject;
import org.jscep.message.CertRep;
import org.jscep.message.MessageDecodingException;
import org.jscep.message.MessageEncodingException;
import org.jscep.message.PkcsPkiEnvelopeDecoder;
import org.jscep.message.PkcsPkiEnvelopeEncoder;
import org.jscep.message.PkiMessage;
import org.jscep.message.PkiMessageDecoder;
import org.jscep.message.PkiMessageEncoder;
import org.jscep.transaction.FailInfo;
import org.jscep.transaction.MessageType;
import org.jscep.transaction.Nonce;
import org.jscep.transaction.OperationFailureException;
import org.jscep.transaction.TransactionId;
import org.jscep.transport.request.Operation;
import org.jscep.transport.response.Capability;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jscep/server/ScepServlet.class */
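/**
 * Base servlet implementing the HTTP side of SCEP.
 * <p>
 * {@link #service} reads the {@code operation} query parameter, enforces the HTTP
 * method allowed for that operation, and dispatches to the abstract hooks a concrete
 * CA/RA supplies ({@link #doCapabilities}, {@link #doGetCaCertificate},
 * {@link #getNextCaCertificate}, {@link #doGetCert}, {@link #doGetCertInitial},
 * {@link #doGetCrl}, {@link #doEnrol}). For {@code PKIOperation} the request body
 * (POST) or the base64 {@code message} parameter (GET) is parsed as CMS SignedData,
 * handed to {@link PkiMessageDecoder} together with the CMS signer's certificate, and
 * the reply is signed with {@link #getSignerKey()} and enveloped to that same
 * certificate.
 * <p>
 * Hardening applied at this layer: POST bodies are capped at
 * {@link #MAX_MESSAGE_BYTES} (413 when exceeded); malformed base64, malformed CMS,
 * messages without a matching signer certificate and messages the decoder rejects are
 * answered with 400 instead of surfacing as a 500/ServletException; the sender
 * certificate is selected by the SignerInfo's SignerIdentifier rather than taking the
 * first certificate found in the message.
 * <p>
 * NOTE(review): nothing in this class authenticates or authorises the SCEP client
 * beyond what {@link PkiMessageDecoder} checks; SCEP allows a self-signed signer
 * certificate on enrolment, so the decision to issue (e.g. a challenge password
 * check) has to live in {@link #doEnrol} — confirm in the subclass.
 */
public abstract class ScepServlet extends HttpServlet {
    private static final String GET = "GET";
    private static final String POST = "POST";
    private static final String MSG_PARAM = "message";
    private static final String OP_PARAM = "operation";
    private static final Logger LOGGER = LoggerFactory.getLogger(ScepServlet.class);
    private static final long serialVersionUID = 1;

    /** MIME type of a PKIOperation response body. */
    private static final String PKI_MESSAGE_MIME = "application/x-pki-message";

    /**
     * Content-encryption algorithm for the reply envelope. Triple-DES is what this
     * servlet has always used and what legacy SCEP clients support; it is a
     * deprecated 64-bit-block cipher, so revisit once all clients advertise AES.
     */
    private static final String REPLY_CIPHER = "DESede";

    /**
     * Signature algorithm for the GetNextCACert response. SHA-1 is deprecated for
     * signatures and the suffix assumes {@link #getRecipientKey()} is an RSA key;
     * kept unchanged for client interoperability.
     */
    private static final String NEXT_CA_SIGNATURE_ALGORITHM = "SHA1withRSA";

    /**
     * Upper bound on a POSTed PKIOperation body. A SCEP message is CMS SignedData
     * wrapping a CSR plus a certificate, i.e. a few kilobytes; the cap only prevents a
     * client from making the server buffer an arbitrarily large body.
     */
    private static final int MAX_MESSAGE_BYTES = 1024 * 1024;

    /** Signals that a POSTed PKIOperation body exceeds {@link #MAX_MESSAGE_BYTES}. */
    private static final class MessageTooLargeException extends IOException {
        private static final long serialVersionUID = 1L;
    }

    /**
     * Entry point for every SCEP request.
     *
     * @param request  incoming request; {@code operation} selects the SCEP operation
     * @param response response to populate
     * @throws ServletException when a hook or the CMS/PKI layer fails for a
     *                          server-side reason (client errors get 4xx instead)
     * @throws IOException      on transport failure
     */
    @Override
    public final void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        final Operation operation;
        try {
            operation = getOperation(request);
        } catch (IllegalArgumentException e) {
            // Operation.forName rejected the value; deliberately not echoed back.
            writeBadRequest(response, "Invalid \"operation\" parameter.");
            return;
        }
        if (operation == null) {
            writeBadRequest(response, "Missing \"operation\" parameter.");
            return;
        }
        LOGGER.debug("Incoming Operation: {}", operation);

        final String method = request.getMethod();
        if (!isMethodAllowed(operation, method)) {
            response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            response.addHeader(HttpHeaders.ALLOW, operation == Operation.PKI_OPERATION ? "GET, POST" : GET);
            return;
        }
        LOGGER.debug("Method {} Allowed for Operation: {}", method, operation);

        if (operation == Operation.GET_CA_CAPS) {
            LOGGER.debug("Invoking doGetCaCaps");
            try {
                doGetCaCaps(request, response);
            } catch (Exception e) {
                throw new ServletException(e);
            }
            return;
        }
        if (operation == Operation.GET_CA_CERT) {
            LOGGER.debug("Invoking doGetCaCert");
            try {
                doGetCaCert(request, response);
            } catch (Exception e) {
                throw new ServletException(e);
            }
            return;
        }
        if (operation == Operation.GET_NEXT_CA_CERT) {
            LOGGER.debug("Invoking doGetNextCaCert");
            try {
                doGetNextCaCert(request, response);
            } catch (Exception e) {
                throw new ServletException(e);
            }
            return;
        }
        if (operation != Operation.PKI_OPERATION) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown Operation");
            return;
        }

        // The body is only read once we know this is a PKIOperation the method allows.
        final byte[] messageBytes;
        try {
            messageBytes = getMessageBytes(request);
        } catch (MessageTooLargeException e) {
            LOGGER.warn("Rejecting PKIOperation: request body exceeds {} bytes", MAX_MESSAGE_BYTES);
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "PKI message too large");
            return;
        } catch (IllegalArgumentException e) {
            writeBadRequest(response, "Invalid \"message\" parameter.");
            return;
        }
        doPkiOperation(response, messageBytes);
    }

    /** GET is accepted for every operation; POST only for PKIOperation. */
    private static boolean isMethodAllowed(Operation operation, String method) {
        if (GET.equals(method)) {
            return true;
        }
        return operation == Operation.PKI_OPERATION && POST.equals(method);
    }

    /** Writes a plain-text 400 with the given (fixed, non-reflected) reason. */
    private static void writeBadRequest(HttpServletResponse response, String reason) throws IOException {
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        response.setHeader(HttpHeaders.CONTENT_TYPE, MimeTypes.TEXT_PLAIN);
        PrintWriter writer = response.getWriter();
        writer.write(reason);
        writer.flush();
    }

    /** Writes a binary body and closes the stream. */
    private static void writeBinary(HttpServletResponse response, byte[] body) throws IOException {
        OutputStream out = response.getOutputStream();
        out.write(body);
        out.close();
    }

    /**
     * Handles PKIOperation: parse CMS, locate the signer certificate, decode, build
     * the CertRep via the subclass hooks, and return it signed and enveloped.
     *
     * @param response     response to populate
     * @param messageBytes raw (already base64-decoded for GET) CMS SignedData
     */
    private void doPkiOperation(HttpServletResponse response, byte[] messageBytes) throws ServletException, IOException {
        final CMSSignedData signedData;
        try {
            signedData = new CMSSignedData(messageBytes);
        } catch (CMSException e) {
            LOGGER.warn("Rejecting PKIOperation: message is not CMS SignedData", e);
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid PKI message");
            return;
        }

        final X509Certificate senderCertificate;
        try {
            senderCertificate = extractSenderCertificate(signedData);
        } catch (CertificateException e) {
            // CertificateFactory failures are an environment problem, not a client one.
            throw new ServletException(e);
        }
        if (senderCertificate == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "PKI message has no signer certificate");
            return;
        }

        final PkiMessage<?> pkiMessage;
        try {
            pkiMessage = new PkiMessageDecoder(senderCertificate, new PkcsPkiEnvelopeDecoder(getRecipient(), getRecipientKey())).decode(signedData);
        } catch (MessageDecodingException e) {
            // Signature / envelope failures are a client error; details stay in the server log.
            LOGGER.warn("Error decoding request", e);
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid PKI message");
            return;
        }
        LOGGER.debug("Processing message {}", pkiMessage);

        final TransactionId transactionId = pkiMessage.getTransactionId();
        // The reply carries a fresh senderNonce and echoes the request's senderNonce as recipientNonce.
        final CertRep reply = buildReply(pkiMessage, transactionId, Nonce.nextNonce(), pkiMessage.getSenderNonce());
        if (reply == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown Message for Operation");
            return;
        }

        final byte[] encoded;
        try {
            encoded = new PkiMessageEncoder(getSignerKey(), getSigner(), new PkcsPkiEnvelopeEncoder(senderCertificate, REPLY_CIPHER)).encode(reply).getEncoded();
        } catch (MessageEncodingException e) {
            LOGGER.error("Error encoding response", e);
            throw new ServletException(e);
        }
        response.setHeader(HttpHeaders.CONTENT_TYPE, PKI_MESSAGE_MIME);
        writeBinary(response, encoded);
    }

    /**
     * Returns the certificate of the first CMS signer, located through its
     * SignerIdentifier, or {@code null} when the message has no SignerInfo or no
     * certificate matching it. Taking "whichever certificate comes first" (the
     * previous behaviour) is wrong whenever the CertificateSet holds more than the
     * signer's own certificate.
     */
    private static X509Certificate extractSenderCertificate(CMSSignedData signedData) throws CertificateException, IOException {
        Iterator<?> signers = signedData.getSignerInfos().getSigners().iterator();
        if (!signers.hasNext()) {
            return null;
        }
        SignerInformation signer = (SignerInformation) signers.next();
        Iterator<?> matches = signedData.getCertificates().getMatches(signer.getSID()).iterator();
        if (!matches.hasNext()) {
            return null;
        }
        byte[] der = ((X509CertificateHolder) matches.next()).getEncoded();
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Dispatches on the message type to the matching hook and turns its result into a
     * CertRep.
     *
     * @return the reply, or {@code null} for a message type this servlet does not handle
     * @throws ServletException when a hook throws anything other than
     *                          {@link OperationFailureException} (which becomes a
     *                          FAILURE CertRep carrying its failInfo)
     */
    private CertRep buildReply(PkiMessage<?> message, TransactionId transactionId, Nonce replyNonce, Nonce requestNonce) throws ServletException {
        final MessageType type = message.getMessageType();
        final Object data = message.getMessageData();
        try {
            if (type == MessageType.GET_CERT) {
                IssuerAndSerialNumber id = (IssuerAndSerialNumber) data;
                List<X509Certificate> certs = doGetCert(id.getName(), id.getSerialNumber().getValue());
                if (isEmpty(certs)) {
                    return new CertRep(transactionId, replyNonce, requestNonce, FailInfo.badCertId);
                }
                return new CertRep(transactionId, replyNonce, requestNonce, getMessageData(certs));
            }
            if (type == MessageType.GET_CERT_INITIAL) {
                IssuerAndSubject id = (IssuerAndSubject) data;
                List<X509Certificate> certs = doGetCertInitial(X500Name.getInstance(id.getIssuer()), X500Name.getInstance(id.getSubject()), transactionId);
                return replyFor(transactionId, replyNonce, requestNonce, certs);
            }
            if (type == MessageType.GET_CRL) {
                IssuerAndSerialNumber id = (IssuerAndSerialNumber) data;
                LOGGER.debug("Invoking doGetCrl");
                X509CRL crl = doGetCrl(id.getName(), id.getSerialNumber().getValue());
                return new CertRep(transactionId, replyNonce, requestNonce, getMessageData(crl));
            }
            if (type == MessageType.PKCS_REQ) {
                LOGGER.debug("Invoking doEnrol");
                List<X509Certificate> certs = doEnrol((PKCS10CertificationRequest) data, transactionId);
                return replyFor(transactionId, replyNonce, requestNonce, certs);
            }
            return null;
        } catch (OperationFailureException e) {
            LOGGER.warn("Error executing " + type + " request", e);
            return new CertRep(transactionId, replyNonce, requestNonce, e.getFailInfo());
        } catch (Exception e) {
            LOGGER.error("Error executing " + type + " request", e);
            throw new ServletException(e);
        }
    }

    /**
     * An empty (or null) result yields the payload-less CertRep (presumably the
     * "pending" form — see {@link CertRep}); otherwise the certificates are returned
     * as degenerate SignedData.
     */
    private static CertRep replyFor(TransactionId transactionId, Nonce replyNonce, Nonce requestNonce, List<X509Certificate> certs) throws IOException, CMSException, GeneralSecurityException {
        if (isEmpty(certs)) {
            return new CertRep(transactionId, replyNonce, requestNonce);
        }
        return new CertRep(transactionId, replyNonce, requestNonce, getMessageData(certs));
    }

    /** Treats a null list from a hook the same as an empty one. */
    private static boolean isEmpty(List<?> list) {
        return list == null || list.isEmpty();
    }

    /** Wraps certificates in a degenerate (unsigned, content-less) CMS SignedData. */
    private static CMSSignedData getMessageData(List<X509Certificate> certs) throws IOException, CMSException, GeneralSecurityException {
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        try {
            generator.addCertificates(new JcaCertStore(certs));
        } catch (CertificateEncodingException e) {
            throw asIoException(e);
        }
        return generator.generate(new CMSAbsentContent());
    }

    /**
     * Wraps a CRL in a degenerate CMS SignedData; a null CRL yields an empty set.
     * The CRL goes into the SignedData's crls field via {@code addCRLs} — the previous
     * {@code addCertificates(JcaCRLStore)} put CRL holders into the certificate set,
     * which the generator rejects.
     */
    private static CMSSignedData getMessageData(X509CRL crl) throws IOException, CMSException, GeneralSecurityException {
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        JcaCRLStore crls = crl == null ? new JcaCRLStore(Collections.emptyList()) : new JcaCRLStore(Collections.singleton(crl));
        generator.addCRLs(crls);
        return generator.generate(new CMSAbsentContent());
    }

    /** Keeps the original IOException-with-cause wrapping of encoding failures. */
    private static IOException asIoException(Throwable cause) {
        IOException wrapped = new IOException();
        wrapped.initCause(cause);
        return wrapped;
    }

    /**
     * GetNextCACert: the next CA certificate(s) as SignedData signed by the current
     * recipient key/certificate, or 501 when the subclass has none.
     */
    private void doGetNextCaCert(HttpServletRequest request, HttpServletResponse response) throws Exception {
        List<X509Certificate> next = getNextCaCertificate(request.getParameter(MSG_PARAM));
        if (isEmpty(next)) {
            response.sendError(HttpServletResponse.SC_NOT_IMPLEMENTED, "GetNextCACert Not Supported");
            return;
        }
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        try {
            generator.addCertificates(new JcaCertStore(next));
        } catch (CertificateEncodingException e) {
            throw asIoException(e);
        }
        generator.addSignerInfoGenerator(new SignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
                .build(new JcaContentSignerBuilder(NEXT_CA_SIGNATURE_ALGORITHM).build(getRecipientKey()),
                        new X509CertificateHolder(getRecipient().getEncoded())));
        response.setHeader(HttpHeaders.CONTENT_TYPE, "application/x-x509-next-ca-cert");
        writeBinary(response, generator.generate(new CMSAbsentContent()).getEncoded());
    }

    /**
     * GetCACert: a single certificate is returned raw as x-x509-ca-cert; several are
     * returned as degenerate SignedData (x-x509-ca-ra-cert). An empty result is a 500.
     */
    private void doGetCaCert(HttpServletRequest request, HttpServletResponse response) throws Exception {
        List<X509Certificate> chain = doGetCaCertificate(request.getParameter(MSG_PARAM));
        if (isEmpty(chain)) {
            // sendError commits the response; the old code went on to write to it afterwards.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "GetCaCert failed to obtain CA from store");
            return;
        }
        final byte[] encoded;
        if (chain.size() == 1) {
            response.setHeader(HttpHeaders.CONTENT_TYPE, "application/x-x509-ca-cert");
            encoded = chain.get(0).getEncoded();
        } else {
            response.setHeader(HttpHeaders.CONTENT_TYPE, "application/x-x509-ca-ra-cert");
            encoded = getMessageData(chain).getEncoded();
        }
        writeBinary(response, encoded);
    }

    /** Parses {@code operation}; null when absent, IllegalArgumentException when unknown. */
    private Operation getOperation(HttpServletRequest request) {
        String name = request.getParameter(OP_PARAM);
        if (name == null) {
            return null;
        }
        return Operation.forName(name);
    }

    /** GetCACaps: one capability per line, text/plain. */
    private void doGetCaCaps(HttpServletRequest request, HttpServletResponse response) throws Exception {
        response.setHeader(HttpHeaders.CONTENT_TYPE, MimeTypes.TEXT_PLAIN);
        Set<Capability> capabilities = doCapabilities(request.getParameter(MSG_PARAM));
        PrintWriter writer = response.getWriter();
        if (capabilities != null) {
            for (Capability capability : capabilities) {
                writer.write(capability.toString());
                writer.write('\n');
            }
        }
        writer.close();
    }

    /**
     * @param caIdentifier the raw {@code message} query parameter; null when absent
     * @return the capabilities to advertise in GetCACaps
     */
    protected abstract Set<Capability> doCapabilities(String caIdentifier) throws Exception;

    /**
     * @param caIdentifier the raw {@code message} query parameter; null when absent
     * @return the CA (and RA) certificate(s); empty/null produces a 500
     */
    protected abstract List<X509Certificate> doGetCaCertificate(String caIdentifier) throws Exception;

    /**
     * @param caIdentifier the raw {@code message} query parameter; null when absent
     * @return the next CA certificate(s); empty/null produces a 501
     */
    protected abstract List<X509Certificate> getNextCaCertificate(String caIdentifier) throws Exception;

    /**
     * GetCert lookup by issuer and serial.
     *
     * @return matching certificate(s); empty/null yields a {@code badCertId} failure
     * @throws OperationFailureException to return its failInfo to the client
     */
    protected abstract List<X509Certificate> doGetCert(X500Name issuer, BigInteger serialNumber) throws Exception;

    /**
     * GetCertInitial poll for a previously submitted enrolment.
     *
     * @return issued certificate(s); empty/null yields the payload-less CertRep
     * @throws OperationFailureException to return its failInfo to the client
     */
    protected abstract List<X509Certificate> doGetCertInitial(X500Name issuer, X500Name subject, TransactionId transactionId) throws Exception;

    /**
     * GetCRL lookup by issuer and serial.
     *
     * @return the CRL, or null for an empty CRL set
     * @throws OperationFailureException to return its failInfo to the client
     */
    protected abstract X509CRL doGetCrl(X500Name issuer, BigInteger serialNumber) throws Exception;

    /**
     * PKCSReq enrolment. The CSR's signature and any challenge password have NOT been
     * checked by this servlet — the implementation must do so before issuing.
     *
     * @return issued certificate(s); empty/null yields the payload-less CertRep
     * @throws OperationFailureException to return its failInfo to the client
     */
    protected abstract List<X509Certificate> doEnrol(PKCS10CertificationRequest csr, TransactionId transactionId) throws Exception;

    /** Private key used to open request envelopes (and to sign GetNextCACert). */
    protected abstract PrivateKey getRecipientKey();

    /** Certificate matching {@link #getRecipientKey()}. */
    protected abstract X509Certificate getRecipient();

    /** Private key used to sign PKIOperation replies. */
    protected abstract PrivateKey getSignerKey();

    /** Certificate matching {@link #getSignerKey()}. */
    protected abstract X509Certificate getSigner();

    /**
     * Returns the raw PKIOperation message: the POST body (bounded by
     * {@link #MAX_MESSAGE_BYTES}) or the base64-decoded {@code message} parameter.
     * Only called once the operation is known to be PKIOperation.
     *
     * @throws MessageTooLargeException  when the body exceeds the cap
     * @throws IllegalArgumentException when the parameter is not valid base64
     */
    private byte[] getMessageBytes(HttpServletRequest request) throws IOException {
        if (POST.equals(request.getMethod())) {
            // Declared length is a cheap first filter; -1 (unknown/chunked) falls through to the bounded read.
            if (request.getContentLength() > MAX_MESSAGE_BYTES) {
                throw new MessageTooLargeException();
            }
            return readBounded(request.getInputStream());
        }
        String encoded = request.getParameter(MSG_PARAM);
        if (encoded == null || encoded.length() == 0) {
            // A GET without "message" is an empty message (rejected later as invalid CMS), not an NPE.
            return new byte[0];
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Decoding {}", encoded);
        }
        try {
            return Base64.decode(encoded);
        } catch (RuntimeException e) {
            // Bouncy Castle reports malformed base64 with an unchecked DecoderException.
            throw new IllegalArgumentException("Invalid \"message\" parameter.", e);
        }
    }

    /** Reads the stream fully, failing as soon as more than MAX_MESSAGE_BYTES arrive. */
    private static byte[] readBounded(InputStream in) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int total = 0;
        for (int n = in.read(chunk); n != -1; n = in.read(chunk)) {
            total += n;
            if (total > MAX_MESSAGE_BYTES) {
                throw new MessageTooLargeException();
            }
            buffer.write(chunk, 0, n);
        }
        return buffer.toByteArray();
    }
}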
