package com.wizvera.wcrypto.cmp;

import com.wizvera.cert.cmp.CMPException;
import com.wizvera.cert.cmp.GeneralPKIMessage;
import com.wizvera.cert.cmp.ProtectedPKIMessage;
import com.wizvera.cert.cmp.ProtectedPKIMessageBuilder;
import com.wizvera.cert.crmf.CRMFException;
import com.wizvera.cert.crmf.PKMACBuilder;
import com.wizvera.cert.crmf.ProofOfPossessionSigningKeyBuilder;
import com.wizvera.cert.crmf.jcajce.JcePKMACValuesCalculator;
import com.wizvera.cert.jcajce.JcaX509CertificateHolder;
import com.wizvera.operator.ContentSigner;
import com.wizvera.operator.OperatorCreationException;
import com.wizvera.operator.jcajce.JcaContentSignerBuilder;
import com.wizvera.operator.jcajce.JcaContentVerifierProviderBuilder;
import com.wizvera.provider.asn1.ASN1Integer;
import com.wizvera.provider.asn1.ASN1ObjectIdentifier;
import com.wizvera.provider.asn1.ASN1ParsingException;
import com.wizvera.provider.asn1.DERNull;
import com.wizvera.provider.asn1.cmp.CMPCertificate;
import com.wizvera.provider.asn1.cmp.CMPObjectIdentifiers;
import com.wizvera.provider.asn1.cmp.CertRepMessage;
import com.wizvera.provider.asn1.cmp.CertResponse;
import com.wizvera.provider.asn1.cmp.CertifiedKeyPair;
import com.wizvera.provider.asn1.cmp.ErrorMsgContent;
import com.wizvera.provider.asn1.cmp.PBMParameter;
import com.wizvera.provider.asn1.cmp.PKIBody;
import com.wizvera.provider.asn1.cmp.PKIMessage;
import com.wizvera.provider.asn1.cmp.PKIStatusInfo;
import com.wizvera.provider.asn1.crmf.AttributeTypeAndValue;
import com.wizvera.provider.asn1.crmf.CertId;
import com.wizvera.provider.asn1.crmf.CertReqMessages;
import com.wizvera.provider.asn1.crmf.CertReqMsg;
import com.wizvera.provider.asn1.crmf.CertRequest;
import com.wizvera.provider.asn1.crmf.CertTemplateBuilder;
import com.wizvera.provider.asn1.crmf.Controls;
import com.wizvera.provider.asn1.crmf.EncryptedValue;
import com.wizvera.provider.asn1.crmf.ProofOfPossession;
import com.wizvera.provider.asn1.nist.NISTObjectIdentifiers;
import com.wizvera.provider.asn1.pkcs.PKCSObjectIdentifiers;
import com.wizvera.provider.asn1.x500.RDN;
import com.wizvera.provider.asn1.x500.X500Name;
import com.wizvera.provider.asn1.x509.AlgorithmIdentifier;
import com.wizvera.provider.asn1.x509.GeneralName;
import com.wizvera.provider.asn1.x509.SubjectPublicKeyInfo;
import com.wizvera.provider.asn1.x9.X9ObjectIdentifiers;
import com.wizvera.provider.jcajce.provider.asymmetric.util.EC5Util;
import com.wizvera.provider.jcajce.provider.asymmetric.util.ECUtil;
import com.wizvera.provider.util.BigIntegers;
import com.wizvera.wcrypto.WHttpClient;
import com.wizvera.wcrypto.WHttpClientException;
import com.wizvera.wcrypto.WHttpURLConnectionHttpClient;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.URL;
import java.security.InvalidKeyException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.util.Date;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;

/* loaded from: classes4.dex */
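/**
 * Minimal CMP (RFC 4210) client talking to one CA over HTTP with the
 * {@code application/pkixcmp} content type.
 *
 * <p>Two flows are supported:
 * <ul>
 *   <li>{@link #issueCert}: initial enrolment ({@code ir}/{@code ip}) protected by a
 *       password-based MAC derived from a shared secret.</li>
 *   <li>{@link #renewCert}: key update ({@code kur}/{@code kup}) protected by a signature
 *       made with the key of the certificate being renewed; the response must be signed
 *       by the CA certificate given at construction.</li>
 * </ul>
 *
 * <p>Every response is checked for a matching transactionID and recipNonce and for valid
 * protection before its certificate content is parsed.  CA-generated private keys
 * (RFC 4210 section 5.3.4) are not supported: a returned {@code EncryptedValue} is ignored
 * and never decrypted, logged or printed.
 */
public class CmpClient {
    private static final String CMP_REQUEST_MIMETYPE = "application/pkixcmp";
    private static final String CMP_RESPONSE_MIMETYPE = "application/pkixcmp";
    /** PBM iteration count (RFC 4210 section 5.1.3.1); salt is {@link #PBM_SALT_LENGTH} random bytes. */
    private static final int PBM_ITERATION_COUNT = 10240;
    private static final int PBM_SALT_LENGTH = 64;
    private static final AlgorithmIdentifier PBM_MAC = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA256, DERNull.INSTANCE);
    private static final AlgorithmIdentifier PBM_OWF = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256, DERNull.INSTANCE);
    /** Length of the random transactionID and senderNonce placed in each request header. */
    private static final int NONCE_LENGTH = 20;
    /** The single certReqId used in every request; the response is looked up under the same id. */
    private static final long CERT_REQ_ID = 0L;
    // PKIBody CHOICE tags (RFC 4210 section 5.1.2).
    private static final int BODY_TYPE_IR = 0;
    private static final int BODY_TYPE_IP = 1;
    private static final int BODY_TYPE_KUR = 7;
    private static final int BODY_TYPE_KUP = 8;
    private static final int BODY_TYPE_ERROR = 23;
    // PKIStatus values that carry a certificate (RFC 4210 section 5.2.3).
    private static final int STATUS_ACCEPTED = 0;
    private static final int STATUS_GRANTED_WITH_MODS = 1;

    private final JcaX509CertificateHolder caCert;
    private final URL caUrl;
    private final WHttpClient httpClient;
    private final SecureRandom secureRandom;

    /**
     * Creates a client using the default {@link WHttpURLConnectionHttpClient} transport.
     *
     * @param url             CA endpoint that accepts {@code application/pkixcmp} POSTs
     * @param x509Certificate CA certificate used to verify signature-protected responses
     * @throws CertificateEncodingException if the CA certificate cannot be re-encoded
     */
    public CmpClient(URL url, X509Certificate x509Certificate) throws CertificateEncodingException {
        this(url, x509Certificate, new WHttpURLConnectionHttpClient());
    }

    /**
     * Creates a client with an explicit HTTP transport.
     *
     * @param url             CA endpoint that accepts {@code application/pkixcmp} POSTs
     * @param x509Certificate CA certificate used to verify signature-protected responses
     * @param wHttpClient     transport used for the POST
     * @throws CertificateEncodingException if the CA certificate cannot be re-encoded
     * @throws NullPointerException         if any argument is {@code null}
     */
    public CmpClient(URL url, X509Certificate x509Certificate, WHttpClient wHttpClient) throws CertificateEncodingException {
        this.caUrl = Objects.requireNonNull(url, "url");
        this.caCert = new JcaX509CertificateHolder(Objects.requireNonNull(x509Certificate, "x509Certificate"));
        this.httpClient = Objects.requireNonNull(wHttpClient, "wHttpClient");
        this.secureRandom = new SecureRandom();
    }

    /**
     * Builds a SHA-256 signer for the given key: {@code SHA256WITHECDSA} for EC keys,
     * otherwise {@code SHA256WITH<key algorithm>} (e.g. {@code SHA256WITHRSA}).
     *
     * @param privateKey signing key; its JCA algorithm name selects the signature algorithm
     * @return a content signer over the key
     * @throws OperatorCreationException if no signer exists for the derived algorithm name
     */
    public static ContentSigner buildContentSigner(PrivateKey privateKey) throws OperatorCreationException {
        // Locale.ROOT keeps the mapping independent of the device locale.
        String keyAlgorithm = privateKey.getAlgorithm().toUpperCase(Locale.ROOT);
        // JCA names the EC signature after the scheme (ECDSA), not the key algorithm (EC).
        String signatureAlgorithm = "EC".equals(keyAlgorithm) ? "SHA256WITHECDSA" : "SHA256WITH" + keyAlgorithm;
        return new JcaContentSignerBuilder(signatureAlgorithm).build(privateKey);
    }

    /**
     * Finalises a message under password-based MAC protection (RFC 4210 section 5.1.3.1)
     * with a fresh random salt, SHA-256 as the OWF and HMAC-SHA256 as the MAC.
     *
     * @param builder      message builder with header and body already set
     * @param sharedSecret the secret shared with the CA
     * @return the MAC-protected message
     * @throws CRMFException if the MAC calculator cannot be set up
     * @throws CMPException  if the message cannot be assembled
     */
    private ProtectedPKIMessage buildProtectedPKIMessage(ProtectedPKIMessageBuilder builder, char[] sharedSecret) throws CRMFException, CMPException {
        PBMParameter pbmParameter = new PBMParameter(getRandomBytes(PBM_SALT_LENGTH), PBM_OWF, PBM_ITERATION_COUNT, PBM_MAC);
        PKMACBuilder macBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
        macBuilder.setParameters(pbmParameter);
        return builder.build(macBuilder.build(sharedSecret));
    }

    /**
     * Converts a JCA RSA or EC public key into the {@link SubjectPublicKeyInfo} placed in
     * the certificate template.
     *
     * @param publicKey an {@link RSAPublicKey} or a named-curve {@link ECPublicKey}
     * @return the encoded key
     * @throws InvalidKeyException if the key type is unsupported, the EC curve is not a
     *                             known named curve, or a coordinate is not positive
     */
    public static SubjectPublicKeyInfo createSubjectPublicKeyInfo(PublicKey publicKey) throws InvalidKeyException {
        if (publicKey instanceof RSAPublicKey) {
            return rsaSubjectPublicKeyInfo((RSAPublicKey) publicKey);
        }
        if (publicKey instanceof ECPublicKey) {
            return ecSubjectPublicKeyInfo((ECPublicKey) publicKey);
        }
        throw new InvalidKeyException("unknown publicKey class " + publicKey.getClass().getName());
    }

    /** Encodes an RSA key as rsaEncryption with a NULL parameter and a PKCS#1 RSAPublicKey. */
    private static SubjectPublicKeyInfo rsaSubjectPublicKeyInfo(RSAPublicKey rsaKey) throws InvalidKeyException {
        try {
            return new SubjectPublicKeyInfo(
                    new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE),
                    new com.wizvera.provider.asn1.pkcs.RSAPublicKey(rsaKey.getModulus(), rsaKey.getPublicExponent()));
        } catch (IOException e) {
            throw new InvalidKeyException(e.getMessage(), e);
        }
    }

    /** Encodes an EC key as id-ecPublicKey with a namedCurve parameter and an uncompressed point. */
    private static SubjectPublicKeyInfo ecSubjectPublicKeyInfo(ECPublicKey ecKey) throws InvalidKeyException {
        ECParameterSpec params = ecKey.getParams();
        ASN1ObjectIdentifier curveOid = detectCurveOid(params);
        if (curveOid == null) {
            throw new InvalidKeyException("Cannot find namedCurve of the given public key");
        }
        ECPoint w = ecKey.getW();
        BigInteger x = w.getAffineX();
        // signum() != 1 also rejects a zero coordinate; kept as a conservative sanity check.
        if (x.signum() != 1) {
            throw new InvalidKeyException("Wx is not positive");
        }
        BigInteger y = w.getAffineY();
        if (y.signum() != 1) {
            throw new InvalidKeyException("Wy is not positive");
        }
        // SEC 1 uncompressed encoding: 0x04 || X || Y, each coordinate left-padded to the
        // field size in bytes.  The field size is used rather than the group order, whose
        // bit length differs from the field's on some named curves.
        int coordinateLength = (params.getCurve().getField().getFieldSize() + 7) / 8;
        byte[] encodedPoint = new byte[1 + (2 * coordinateLength)];
        encodedPoint[0] = 0x04;
        System.arraycopy(BigIntegers.asUnsignedByteArray(coordinateLength, x), 0, encodedPoint, 1, coordinateLength);
        System.arraycopy(BigIntegers.asUnsignedByteArray(coordinateLength, y), 0, encodedPoint, 1 + coordinateLength, coordinateLength);
        return new SubjectPublicKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, curveOid), encodedPoint);
    }

    /**
     * Looks up the named-curve OID matching the given JCA parameters.
     *
     * @param eCParameterSpec curve parameters from a JCA EC key
     * @return the curve OID, or {@code null} when the parameters match no known named curve
     */
    public static ASN1ObjectIdentifier detectCurveOid(ECParameterSpec eCParameterSpec) {
        return ECUtil.getNamedCurveOid(EC5Util.convertSpec(eCParameterSpec, false));
    }

    /** Returns {@code length} bytes from the client's {@link SecureRandom}. */
    private byte[] getRandomBytes(int length) {
        byte[] bytes = new byte[length];
        this.secureRandom.nextBytes(bytes);
        return bytes;
    }

    /**
     * Converts the X.509v3 alternative of a {@link CMPCertificate} into a JCA certificate.
     *
     * @throws ASN1EncodeException if the certificate cannot be DER-encoded
     * @throws CmpClientException  if the CMPCertificate is not an X.509v3 certificate or
     *                             the JCA factory rejects it
     */
    private static X509Certificate parseCert(CMPCertificate cmpCertificate) throws ASN1EncodeException, CmpClientException {
        // getX509v3PKCert() is null when the CHOICE holds the "other" alternative.
        if (cmpCertificate.getX509v3PKCert() == null) {
            throw new CmpClientException("CMPCertificate does not carry an X.509v3 certificate");
        }
        try {
            return parseCert(cmpCertificate.getX509v3PKCert().getEncoded());
        } catch (IOException e) {
            throw new ASN1EncodeException(e.getMessage(), e);
        } catch (CertificateException e) {
            throw new CmpClientException(e.getMessage(), e);
        }
    }

    /**
     * Parses one X.509 certificate from the stream with the default {@code X.509} factory.
     *
     * @throws CertificateException if the data is not a certificate (a {@code null} result
     *                              is reported as {@link CertificateEncodingException})
     */
    public static X509Certificate parseCert(InputStream inputStream) throws CertificateException {
        X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(inputStream);
        if (certificate == null) {
            throw new CertificateEncodingException("the given one is not a valid X.509 certificate");
        }
        return certificate;
    }

    /**
     * Parses one DER- or PEM-encoded X.509 certificate from a byte array.
     *
     * @throws CertificateException if the bytes are not a certificate
     */
    public static X509Certificate parseCert(byte[] bArr) throws CertificateException {
        return parseCert(new ByteArrayInputStream(bArr));
    }

    /**
     * Extracts the issued certificates from a CertRepMessage ({@code ip} or {@code kup}) body.
     *
     * <p>Callers must verify the message protection before trusting the result.  A returned
     * CA-generated private key is ignored.
     *
     * @param message               the response message
     * @param expectedBodyType      PKIBody tag the caller expects ({@link #BODY_TYPE_IP} or {@link #BODY_TYPE_KUP})
     * @param expectedResponseCount number of CertResponse entries the caller expects
     * @return issued certificates keyed by certReqId; responses without a CertifiedKeyPair are omitted
     * @throws CmpErrorResponseException if the body is an error message or a response status is
     *                                   neither accepted nor grantedWithMods
     * @throws CmpClientException        if the body type or response count is unexpected, or a
     *                                   certificate is missing or unparseable
     * @throws ASN1EncodeException       if a returned certificate cannot be re-encoded
     */
    private static Map<BigInteger, X509Certificate> parseEnrollCertResult(PKIMessage message, int expectedBodyType, int expectedResponseCount) throws CmpClientException, ASN1EncodeException, CmpErrorResponseException {
        PKIBody body = message.getBody();
        int bodyType = body.getType();
        if (BODY_TYPE_ERROR == bodyType) {
            throw new CmpErrorResponseException(ErrorMsgContent.getInstance(body.getContent()));
        }
        if (expectedBodyType != bodyType) {
            throw new CmpClientException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, expectedBodyType, BODY_TYPE_ERROR));
        }
        CertResponse[] responses = CertRepMessage.getInstance(body.getContent()).getResponse();
        if (responses.length != expectedResponseCount) {
            throw new CmpClientException("expected " + expectedResponseCount + " CertResponse, but returned " + responses.length);
        }
        Map<BigInteger, X509Certificate> issued = new HashMap<>();
        for (CertResponse response : responses) {
            PKIStatusInfo statusInfo = response.getStatus();
            int status = statusInfo.getStatus().intValue();
            if (status != STATUS_ACCEPTED && status != STATUS_GRANTED_WITH_MODS) {
                throw new CmpErrorResponseException(statusInfo);
            }
            CertifiedKeyPair keyPair = response.getCertifiedKeyPair();
            if (keyPair == null) {
                continue;
            }
            // Only a plain certificate is supported; an encrypted certificate (EncryptedValue)
            // would need the request key to decrypt and is rejected explicitly.
            CMPCertificate cmpCertificate = keyPair.getCertOrEncCert().getCertificate();
            if (cmpCertificate == null) {
                throw new CmpClientException("encrypted certificate in CertResponse is not supported");
            }
            // keyPair.getPrivateKey() (a CA-generated key) is deliberately neither used nor printed.
            issued.put(response.getCertReqId().getValue(), parseCert(cmpCertificate));
        }
        return issued;
    }

    /**
     * POSTs the DER-encoded request to the CA and parses the reply as a PKIMessage.
     *
     * @throws ASN1EncodeException   if the request cannot be DER-encoded
     * @throws WHttpClientException  if the transport fails
     * @throws ASN1ParsingException  (unchecked) if the reply is not a parseable PKIMessage
     */
    private GeneralPKIMessage send(ProtectedPKIMessage request) throws ASN1EncodeException, WHttpClientException {
        // Encode and parse are separate try blocks so each failure maps to its own exception;
        // nesting them would route encode failures to the "parser error" handler.
        byte[] encodedRequest;
        try {
            encodedRequest = request.toASN1Structure().getEncoded();
        } catch (IOException e) {
            throw new ASN1EncodeException("PKIMessage encode fail", e);
        }
        try {
            return new GeneralPKIMessage(this.httpClient.post(this.caUrl, encodedRequest, CMP_REQUEST_MIMETYPE, CMP_RESPONSE_MIMETYPE));
        } catch (IOException e) {
            throw new ASN1ParsingException("KUP PKIMessage parser error", e);
        }
    }

    /**
     * Verifies signature-based protection against the given certificate.
     *
     * @param message     the received message
     * @param signerCert  certificate whose public key must have signed the message
     * @return {@code true} if the signature verifies
     * @throws CmpClientException if the message carries no protection at all
     */
    protected static boolean verifyProtection(GeneralPKIMessage message, JcaX509CertificateHolder signerCert) throws CMPException, CertificateException, OperatorCreationException, CmpClientException {
        if (!message.hasProtection()) {
            throw new CmpClientException("PKIMessage is not protected");
        }
        return new ProtectedPKIMessage(message).verify(new JcaContentVerifierProviderBuilder().build(signerCert));
    }

    /**
     * Verifies password-based MAC protection with the shared secret.
     *
     * @param message      the received message
     * @param sharedSecret the secret shared with the CA
     * @return {@code true} if the MAC verifies; {@code false} if the message is protected by
     *         something other than a password-based MAC (e.g. a signature)
     * @throws CmpClientException if the message carries no protection at all
     */
    protected static boolean verifyProtection(GeneralPKIMessage message, char[] sharedSecret) throws CMPException, CmpClientException {
        if (!message.hasProtection()) {
            throw new CmpClientException("PKIMessage is not protected");
        }
        ProtectedPKIMessage protectedMessage = new ProtectedPKIMessage(message);
        if (!protectedMessage.hasPasswordBasedMacProtection()) {
            return false;
        }
        return protectedMessage.verify(new PKMACBuilder(new JcePKMACValuesCalculator()), sharedSecret);
    }

    /**
     * Enrols a new certificate with an {@code ir} request protected by a password-based MAC.
     *
     * <p>The sender name is the empty DN and the sender is identified by {@code bArr} as
     * senderKID, as RFC 4210 section 5.1.1 prescribes for shared-secret protection.
     *
     * @param bArr          senderKID that tells the CA which shared secret to use
     * @param cArr          shared secret for the PBM protection of request and response
     * @param publicKey     key to be certified (RSA or named-curve EC)
     * @param contentSigner signer over the matching private key, used for proof of possession
     * @return the issued certificate
     * @throws CmpErrorResponseException if the CA answers with an error body or a rejecting status
     * @throws CmpClientException        if the response is inconsistent with the request, its MAC
     *                                   does not verify, or it carries no certificate
     */
    public X509Certificate issueCert(byte[] bArr, char[] cArr, PublicKey publicKey, ContentSigner contentSigner) throws ASN1EncodeException, CRMFException, CMPException, CmpClientException, InvalidKeyException, WHttpClientException, CertificateEncodingException, CmpErrorResponseException {
        ProtectedPKIMessageBuilder builder = newMessageBuilder(new GeneralName(new X500Name(new RDN[0])));
        builder.setSenderKID(bArr);
        builder.setBody(newCertRequestBody(BODY_TYPE_IR, publicKey, null, contentSigner));
        ProtectedPKIMessage request = buildProtectedPKIMessage(builder, cArr);
        GeneralPKIMessage response = send(request);
        // An error body is surfaced before MAC verification; presumably the CA cannot always
        // MAC an error (e.g. when it could not resolve the senderKID) — unverified, so it
        // proves only that the request was not fulfilled, not why.
        throwIfErrorBody(response);
        checkTransactionAndNonce(request, response);
        if (!verifyProtection(response, cArr)) {
            throw new CmpClientException("invalid signature/MAC in PKI protection");
        }
        return requireIssuedCert(parseEnrollCertResult(response.toASN1Structure(), BODY_TYPE_IP, 1));
    }

    /**
     * Renews a certificate with a {@code kur} request signed by the key of the old certificate.
     *
     * <p>The request carries an OldCertId control naming the certificate being replaced and
     * the response must be signed by the CA certificate given at construction.
     *
     * @param x509Certificate the certificate being renewed; its subject becomes the sender name
     * @param contentSigner   signer over the old certificate's private key (message protection)
     * @param publicKey       new key to be certified (RSA or named-curve EC)
     * @param contentSigner2  signer over the new private key, used for proof of possession
     * @return the renewed certificate
     * @throws CmpErrorResponseException if the CA answers with an error body or a rejecting status
     * @throws CmpClientException        if the response is inconsistent with the request, its
     *                                   signature does not verify, or it carries no certificate
     */
    public X509Certificate renewCert(X509Certificate x509Certificate, ContentSigner contentSigner, PublicKey publicKey, ContentSigner contentSigner2) throws ASN1EncodeException, CMPException, OperatorCreationException, WHttpClientException, CmpClientException, CertificateException, CmpErrorResponseException, InvalidKeyException {
        JcaX509CertificateHolder oldCert = new JcaX509CertificateHolder(x509Certificate);
        ProtectedPKIMessageBuilder builder = newMessageBuilder(new GeneralName(oldCert.getSubject()));
        // OldCertId control (RFC 4211 section 6.5) binds the request to the certificate it replaces.
        Controls controls = new Controls(new AttributeTypeAndValue(CMPObjectIdentifiers.regCtrl_oldCertID,
                new CertId(new GeneralName(oldCert.getIssuer()), x509Certificate.getSerialNumber())));
        builder.setBody(newCertRequestBody(BODY_TYPE_KUR, publicKey, controls, contentSigner2));
        ProtectedPKIMessage request = builder.build(contentSigner);
        GeneralPKIMessage response = send(request);
        checkTransactionAndNonce(request, response);
        throwIfErrorBody(response);
        // Verify the CA signature before any certificate content is parsed.
        if (!verifyProtection(response, this.caCert)) {
            throw new CmpClientException("invalid signature/MAC in PKI protection");
        }
        return requireIssuedCert(parseEnrollCertResult(response.toASN1Structure(), BODY_TYPE_KUP, 1));
    }

    /**
     * Starts a message addressed to the CA with the current time and fresh random
     * transactionID and senderNonce; the caller sets the body and any senderKID.
     */
    private ProtectedPKIMessageBuilder newMessageBuilder(GeneralName sender) {
        ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(sender, new GeneralName(this.caCert.getSubject()));
        builder.setMessageTime(new Date());
        builder.setTransactionID(getRandomBytes(NONCE_LENGTH));
        builder.setSenderNonce(getRandomBytes(NONCE_LENGTH));
        return builder;
    }

    /**
     * Builds a CertReqMessages body with one request (certReqId {@link #CERT_REQ_ID}) for the
     * given key, with proof of possession by signing the CertRequest (RFC 4211 section 4.1).
     *
     * @param bodyType  PKIBody tag ({@link #BODY_TYPE_IR} or {@link #BODY_TYPE_KUR})
     * @param publicKey key to be certified
     * @param controls  optional request controls, may be {@code null}
     * @param popSigner signer over the private key matching {@code publicKey}
     */
    private static PKIBody newCertRequestBody(int bodyType, PublicKey publicKey, Controls controls, ContentSigner popSigner) throws InvalidKeyException {
        CertTemplateBuilder template = new CertTemplateBuilder();
        template.setPublicKey(createSubjectPublicKeyInfo(publicKey));
        CertRequest certRequest = new CertRequest(new ASN1Integer(CERT_REQ_ID), template.build(), controls);
        ProofOfPossession pop = new ProofOfPossession(new ProofOfPossessionSigningKeyBuilder(certRequest).build(popSigner));
        return new PKIBody(bodyType, new CertReqMessages(new CertReqMsg(certRequest, pop, null)));
    }

    /** Reports a CA error body as {@link CmpErrorResponseException}. */
    private static void throwIfErrorBody(GeneralPKIMessage response) throws CmpErrorResponseException {
        PKIBody body = response.getBody();
        if (BODY_TYPE_ERROR == body.getType()) {
            throw new CmpErrorResponseException(ErrorMsgContent.getInstance(body.getContent()));
        }
    }

    /**
     * Binds the response to the request: the CA must echo our transactionID and return our
     * senderNonce as its recipNonce (RFC 4210 section 5.1.1), which rejects replayed or
     * unrelated responses.  A missing header field compares unequal and is rejected too.
     */
    private static void checkTransactionAndNonce(ProtectedPKIMessage request, GeneralPKIMessage response) throws CmpClientException {
        if (!request.getHeader().getTransactionID().equals(response.getHeader().getTransactionID())) {
            throw new CmpClientException("response.transactionId != request.transactionId");
        }
        if (!request.getHeader().getSenderNonce().equals(response.getHeader().getRecipNonce())) {
            throw new CmpClientException("response.recipientNonce != request.senderNonce");
        }
    }

    /** Returns the certificate issued for {@link #CERT_REQ_ID}, rejecting a response without one. */
    private static X509Certificate requireIssuedCert(Map<BigInteger, X509Certificate> issued) throws CmpClientException {
        X509Certificate certificate = issued.get(BigInteger.valueOf(CERT_REQ_ID));
        if (certificate == null) {
            throw new CmpClientException("CA response carries no certificate for certReqId " + CERT_REQ_ID);
        }
        return certificate;
    }
}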
