package net.pulsesecure.modules.scep;

import android.text.TextUtils;
import androidx.annotation.Nullable;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.InvalidParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import net.pulsesecure.infra.BaseModuleImpl;
import net.pulsesecure.infra.PSUtils;
import net.pulsesecure.modules.proto.CertificateScepResponseMsg;
import net.pulsesecure.modules.scep.IScepProtocol;
import org.jscep.client.Client;
import org.jscep.client.ClientException;
import org.jscep.client.DefaultCallbackHandler;
import org.jscep.client.verification.CachingCertificateVerifier;
import org.jscep.client.verification.CertificateVerifier;
import org.jscep.transaction.TransactionException;
import org.jscep.transaction.TransactionId;
import org.slf4j.Logger;
import org.spongycastle.asn1.DERPrintableString;
import org.spongycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.spongycastle.cert.jcajce.JcaX509CertificateConverter;
import org.spongycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.jcajce.JcaContentSignerBuilder;
import org.spongycastle.pkcs.PKCS10CertificationRequest;
import org.spongycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/* loaded from: classes2.dex */
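/**
 * SCEP (Simple Certificate Enrollment Protocol) client module built on jscep and Spongy Castle.
 *
 * <p>Enrollment, renewal and polling all funnel through {@link #doPKIOperation}, which builds
 * the subject DN, the client identity certificate handed to jscep (a self-signed ephemeral one
 * when the caller has none yet) and the PKCS#10 CSR, then drives the jscep {@link Client}.
 *
 * <p>Every operation returns {@code null} instead of throwing when something goes wrong; the
 * cause is written to the class logger by the helper that failed.
 */
public class ScepProtoImpl extends BaseModuleImpl<IScepProtocol.Client> implements IScepProtocol {
    private static final Logger logger = PSUtils.getClassLogger();

    /** The SCEP PKI operation {@link #doPKIOperation} should perform. */
    /* loaded from: classes2.dex */
    private enum PKIOperation {
        enroll,
        renew,
        poll
    }

    /**
     * Escapes one attribute value for use inside an RFC 4514 distinguished-name string.
     *
     * <p>The subject components arrive as plain strings from the enrollment message. Without
     * escaping, a value containing {@code ,} {@code +} {@code ;} {@code "} {@code \} {@code <}
     * {@code >} (or a leading {@code #}/space, trailing space, NUL) would be parsed by
     * {@link X500Principal} as DN structure rather than as part of the value, i.e. it could add
     * or alter RDNs in the certificate subject.
     *
     * @param value raw attribute value; {@code null} is treated as the empty string
     * @return the value with every DN-significant character backslash-escaped
     */
    private static String escapeRdnValue(@Nullable String value) {
        if (value == null || value.isEmpty()) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case ',':
                case '+':
                case '"':
                case '\\':
                case '<':
                case '>':
                case ';':
                    out.append('\\').append(c);
                    break;
                case '\0':
                    out.append("\\00"); // hex-pair escape, the only legal form for NUL
                    break;
                default:
                    out.append(c);
            }
        }
        // A leading '#' would start a hex-encoded value; leading/trailing spaces are stripped
        // by DN parsers unless escaped.
        if (out.charAt(0) == '#' || out.charAt(0) == ' ') {
            out.insert(0, '\\');
        }
        if (out.charAt(out.length() - 1) == ' ') {
            out.insert(out.length() - 1, '\\');
        }
        return out.toString();
    }

    /**
     * Builds a self-signed certificate for {@code keyPair}, valid from one day before now until
     * one day after now, to serve as the SCEP client identity during initial enrollment.
     *
     * @param keyPair key pair whose public key is certified and whose private key signs
     * @param x500Principal subject DN; also used as issuer since the certificate is self-signed
     * @param signatureAlgorithm JCA signature algorithm name (the CA's strongest capability)
     * @return the certificate, or {@code null} if construction failed (already logged)
     */
    @Nullable
    private X509Certificate createCertificate(KeyPair keyPair, X500Principal x500Principal, String signatureAlgorithm) {
        try {
            Calendar validity = Calendar.getInstance();
            validity.add(Calendar.DATE, -1);
            Date notBefore = validity.getTime(); // yesterday
            validity.add(Calendar.DATE, 2);
            Date notAfter = validity.getTime(); // tomorrow
            // Fixed serial number 1: the certificate is ephemeral and never published, so
            // serial uniqueness across issuances is not needed.
            JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                    x500Principal, BigInteger.ONE, notBefore, notAfter, x500Principal, keyPair.getPublic());
            return new JcaX509CertificateConverter()
                    .getCertificate(builder.build(new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate())));
        } catch (CertificateException | OperatorCreationException e) {
            logger.error("Error while creating a self-signed ephemeral certificate", e);
            return null;
        }
    }

    /**
     * Creates a jscep client for the given SCEP server URL.
     *
     * <p>SECURITY NOTE: the installed {@link CertificateVerifier} accepts every CA certificate it
     * is shown; it only logs the issuer DN and version and returns {@code true}. The CA/RA
     * certificate chain returned by the server is therefore trusted without any pinning, so a
     * party able to intercept the connection could present its own CA and receive the enrollment
     * request. A hardened verifier should compare the presented certificate (or its fingerprint)
     * against a value delivered out-of-band and return {@code false} on mismatch. Behaviour is
     * left unchanged here because no reference value is available in this class.
     * TODO(security): pin the expected CA certificate / fingerprint.
     *
     * @param scepUrl absolute URL of the SCEP service
     * @throws MalformedURLException if {@code scepUrl} is not a valid URL
     */
    private Client createClient(String scepUrl) throws MalformedURLException {
        CertificateVerifier acceptAll = new CertificateVerifier() { // from class: net.pulsesecure.modules.scep.ScepProtoImpl.1
            @Override // org.jscep.client.verification.CertificateVerifier
            public boolean verify(X509Certificate x509Certificate) {
                ScepProtoImpl.logger.info("Issuer DN :" + x509Certificate.getIssuerDN());
                ScepProtoImpl.logger.info("Version :" + x509Certificate.getVersion());
                return true;
            }
        };
        return new Client(new URL(scepUrl), new DefaultCallbackHandler(new CachingCertificateVerifier(acceptAll)));
    }

    /**
     * Builds the CSR subject from the enrollment message: {@code CN} always, plus {@code O} and
     * {@code EMAILADDRESS} when the message carries them.
     *
     * <p>Each component is passed through {@link #escapeRdnValue} so that DN-significant
     * characters inside a value cannot introduce additional RDNs.
     *
     * @param msg enrollment message providing {@code subject_cn}, {@code subject_o},
     *     {@code subject_email}
     * @return the parsed principal
     * @throws IllegalArgumentException if the assembled string is not a valid DN
     */
    private X500Principal createPrincipal(CertificateScepResponseMsg msg) {
        StringBuilder dn = new StringBuilder();
        dn.append("CN = ").append(escapeRdnValue(msg.subject_cn));
        if (!TextUtils.isEmpty(msg.subject_o)) {
            dn.append(", O = ").append(escapeRdnValue(msg.subject_o));
        }
        if (!TextUtils.isEmpty(msg.subject_email)) {
            dn.append(", EMAILADDRESS = ").append(escapeRdnValue(msg.subject_email));
        }
        return new X500Principal(dn.toString());
    }

    /**
     * Performs one SCEP operation against the server named in {@code msg}.
     *
     * <p>Steps: create the client, ask the CA for its capabilities to pick the strongest
     * signature algorithm, build the subject (delegated to {@code attributeAdder} when given),
     * obtain the identity certificate (self-signed ephemeral one if {@code identity} is null),
     * build the CSR, then call {@code enrol} (enroll/renew) or {@code poll} (poll).
     *
     * @param operation which operation to run
     * @param keyPair key pair the certificate is requested for; its private key signs the CSR
     * @param msg enrollment message with {@code scep_url}, optional {@code ca_name}, subject
     *     fields and challenge
     * @param identity existing client certificate for renew/poll, or {@code null} to generate
     *     an ephemeral self-signed one
     * @param transactionId transaction to poll; only used for {@link PKIOperation#poll}
     * @param attributeAdder optional hook that overrides the subject and adds CSR attributes
     * @return the SCEP response paired with the identity certificate used, or {@code null} on
     *     any failure (logged)
     */
    @Nullable
    private ScepResponse doPKIOperation(PKIOperation operation, KeyPair keyPair, CertificateScepResponseMsg msg, @Nullable X509Certificate identity, @Nullable TransactionId transactionId, @Nullable IScepCsrAttributeAdder attributeAdder) {
        logger.debug("Doing certificate {} from SCEP server", operation.name());
        try {
            Client client = createClient(msg.scep_url);
            boolean hasCaName = !TextUtils.isEmpty(msg.ca_name);
            String signatureAlgorithm = (hasCaName ? client.getCaCapabilities(msg.ca_name) : client.getCaCapabilities())
                    .getStrongestSignatureAlgorithm();
            PrivateKey privateKey = keyPair.getPrivate();
            X500Principal subject = attributeAdder != null ? attributeAdder.createPrincipal(msg) : createPrincipal(msg);
            X509Certificate signer = identity == null ? createCertificate(keyPair, subject, signatureAlgorithm) : identity;
            PKCS10CertificationRequest csr = generateCSR(keyPair, subject, signatureAlgorithm, msg, attributeAdder);
            if (signer == null || csr == null) {
                return null; // the failing helper has already logged the cause
            }
            switch (operation) {
                case enroll:
                case renew:
                    return new ScepResponse(
                            hasCaName ? client.enrol(signer, privateKey, csr, msg.ca_name) : client.enrol(signer, privateKey, csr),
                            signer);
                case poll:
                    return new ScepResponse(
                            hasCaName ? client.poll(signer, privateKey, subject, transactionId, msg.ca_name) : client.poll(signer, privateKey, subject, transactionId),
                            signer);
                default:
                    return null;
            }
        } catch (MalformedURLException | ClientException | TransactionException e) {
            logger.error(String.format("Error while doing certificate '%1$s'", operation.name()), e);
            return null;
        }
    }

    /**
     * Builds and signs the PKCS#10 certificate request.
     *
     * <p>The SCEP challenge password is embedded as the {@code challengePassword} attribute
     * (an empty string when the message carries none). It is a shared secret with the CA and
     * must never be logged. Note that the one-argument {@link DERPrintableString} constructor
     * does not validate the PrintableString character set.
     *
     * @param keyPair key pair whose public key goes into the request and whose private key signs
     * @param subject request subject
     * @param signatureAlgorithm JCA signature algorithm name
     * @param msg enrollment message providing {@code challenge}
     * @param attributeAdder optional hook adding further request attributes
     * @return the signed request, or {@code null} if the signer could not be created (logged)
     */
    @Nullable
    private PKCS10CertificationRequest generateCSR(KeyPair keyPair, X500Principal subject, String signatureAlgorithm, CertificateScepResponseMsg msg, @Nullable IScepCsrAttributeAdder attributeAdder) {
        try {
            JcaPKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
            String challenge = msg.challenge == null ? "" : msg.challenge;
            builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, new DERPrintableString(challenge));
            if (attributeAdder != null) {
                attributeAdder.addAttribute(builder, msg);
            }
            return builder.build(new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate()));
        } catch (OperatorCreationException e) {
            logger.error("Error while generating CSR", e);
            return null;
        }
    }

    /** Initial enrollment with a generated ephemeral identity certificate and default subject. */
    @Override // net.pulsesecure.modules.scep.IScepProtocol
    @Nullable
    public ScepResponse enrollCertificate(KeyPair keyPair, CertificateScepResponseMsg certificateScepResponseMsg) {
        return doPKIOperation(PKIOperation.enroll, keyPair, certificateScepResponseMsg, null, null, null);
    }

    /** Initial enrollment; {@code iScepCsrAttributeAdder} supplies the subject and extra CSR attributes. */
    @Override // net.pulsesecure.modules.scep.IScepProtocol
    @Nullable
    public ScepResponse enrollCertificate(KeyPair keyPair, CertificateScepResponseMsg certificateScepResponseMsg, IScepCsrAttributeAdder iScepCsrAttributeAdder) {
        return doPKIOperation(PKIOperation.enroll, keyPair, certificateScepResponseMsg, null, null, iScepCsrAttributeAdder);
    }

    /**
     * Generates a key pair with the default provider's generator for the given algorithm.
     *
     * @param i key size in bits
     * @param str JCA algorithm name, e.g. {@code "RSA"}
     * @throws NoSuchAlgorithmException if no provider supports {@code str}
     * @throws InvalidParameterException if {@code i} is not a valid size for the algorithm
     */
    @Override // net.pulsesecure.modules.scep.IScepProtocol
    public KeyPair generateKeyPair(int i, String str) throws NoSuchAlgorithmException, InvalidParameterException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(str);
        generator.initialize(i);
        return generator.genKeyPair();
    }

    /** Polls a pending transaction using the given identity certificate and default subject. */
    @Override // net.pulsesecure.modules.scep.IScepProtocol
    @Nullable
    public ScepResponse pollCertificate(X509Certificate x509Certificate, KeyPair keyPair, TransactionId transactionId, CertificateScepResponseMsg certificateScepResponseMsg) {
        return doPKIOperation(PKIOperation.poll, keyPair, certificateScepResponseMsg, x509Certificate, transactionId, null);
    }

    /** Polls a pending transaction; {@code iScepCsrAttributeAdder} supplies the subject. */
    @Override // net.pulsesecure.modules.scep.IScepProtocol
    @Nullable
    public ScepResponse pollCertificate(X509Certificate x509Certificate, KeyPair keyPair, TransactionId transactionId, CertificateScepResponseMsg certificateScepResponseMsg, IScepCsrAttributeAdder iScepCsrAttributeAdder) {
        return doPKIOperation(PKIOperation.poll, keyPair, certificateScepResponseMsg, x509Certificate, transactionId, iScepCsrAttributeAdder);
    }

    /** Renews using the existing certificate as the SCEP identity and the default subject. */
    @Override // net.pulsesecure.modules.scep.IScepProtocol
    @Nullable
    public ScepResponse renewCertificate(X509Certificate x509Certificate, KeyPair keyPair, CertificateScepResponseMsg certificateScepResponseMsg) {
        return doPKIOperation(PKIOperation.renew, keyPair, certificateScepResponseMsg, x509Certificate, null, null);
    }

    /** Renews using the existing certificate; {@code iScepCsrAttributeAdder} supplies the subject and extra CSR attributes. */
    @Override // net.pulsesecure.modules.scep.IScepProtocol
    @Nullable
    public ScepResponse renewCertificate(X509Certificate x509Certificate, KeyPair keyPair, CertificateScepResponseMsg certificateScepResponseMsg, IScepCsrAttributeAdder iScepCsrAttributeAdder) {
        return doPKIOperation(PKIOperation.renew, keyPair, certificateScepResponseMsg, x509Certificate, null, iScepCsrAttributeAdder);
    }
}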
