package de.trustable.util;

import com.puppetlabs.ssl_utils.ExtensionsUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringWriter;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CertOrEncCert;
import org.bouncycastle.asn1.cmp.CertRepMessage;
import org.bouncycastle.asn1.cmp.CertResponse;
import org.bouncycastle.asn1.cmp.CertifiedKeyPair;
import org.bouncycastle.asn1.cmp.ErrorMsgContent;
import org.bouncycastle.asn1.cmp.GenMsgContent;
import org.bouncycastle.asn1.cmp.InfoTypeAndValue;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIFreeText;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cmp.PKIStatus;
import org.bouncycastle.asn1.cmp.PKIStatusInfo;
import org.bouncycastle.asn1.cmp.RevDetails;
import org.bouncycastle.asn1.cmp.RevRepContent;
import org.bouncycastle.asn1.cmp.RevRepContentBuilder;
import org.bouncycastle.asn1.cmp.RevReqContent;
import org.bouncycastle.asn1.crmf.AttributeTypeAndValue;
import org.bouncycastle.asn1.crmf.CertId;
import org.bouncycastle.asn1.crmf.CertReqMessages;
import org.bouncycastle.asn1.crmf.CertReqMsg;
import org.bouncycastle.asn1.crmf.CertRequest;
import org.bouncycastle.asn1.crmf.CertTemplate;
import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.pkcs.RSASSAPSSparams;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.cmp.CMPException;
import org.bouncycastle.cert.cmp.GeneralPKIMessage;
import org.bouncycastle.cert.cmp.ProtectedPKIMessage;
import org.bouncycastle.cert.cmp.ProtectedPKIMessageBuilder;
import org.bouncycastle.cert.crmf.CRMFException;
import org.bouncycastle.cert.crmf.CertificateRequestMessage;
import org.bouncycastle.cert.crmf.CertificateRequestMessageBuilder;
import org.bouncycastle.cert.crmf.PKMACBuilder;
import org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.MacCalculator;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.PKCSException;
import org.bouncycastle.util.encoders.Base64;
import org.cryptacular.adapter.AbstractWrappedKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/cryptoUtil-1.3.6.jar:de/trustable/util/CryptoUtil.class */
public class CryptoUtil {
    // Zero template used by getPaddedSerial(): shorter serial strings are left-padded to this width.
    private static final String SERIAL_PADDING_PATTERN = "000000000000000000000";
    // General-purpose logger of this utility class.
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) CryptoUtil.class);
    // Separate logger category "<class name>.ContentProtection"; its users are not visible in this part of the file.
    private static final Logger LOGGERContentProtection = LoggerFactory.getLogger(CryptoUtil.class.getName() + ".ContentProtection");
    // Per-instance SecureRandom (package-private, not final).
    SecureRandom secRandom = new SecureRandom();

    /**
     * Left-pads a serial number string with zeros up to the width of {@code SERIAL_PADDING_PATTERN}.
     *
     * @param str the serial as text; must not be {@code null}
     * @return {@code str} unchanged when it is already at least as wide as the template,
     *         otherwise {@code str} prefixed with the missing zeros
     */
    public static String getPaddedSerial(String str) {
        final int width = SERIAL_PADDING_PATTERN.length();
        if (str.length() >= width) {
            return str;
        }
        // The tail of the template that starts at str.length() is exactly the missing padding.
        String padding = SERIAL_PADDING_PATTERN.substring(str.length());
        return padding + str;
    }

    /**
     * Computes the SHA-1 digest of the given bytes.
     *
     * <p>SHA-1 is not collision resistant any more. Use the result as a display or lookup
     * fingerprint only, never as the sole input to a trust decision.
     *
     * @param bArr the data to hash
     * @return the digest, or {@code null} when {@code generateFingerprint} reports the algorithm as unavailable
     */
    public static byte[] generateSHA1Fingerprint(byte[] bArr) {
        final String algorithm = "SHA1";
        return generateFingerprint(bArr, algorithm);
    }

    /**
     * Computes the MD5 digest of the given bytes.
     *
     * <p>MD5 collisions are practical to produce. Use the result as a legacy display or lookup
     * fingerprint only, never to decide whether two objects are the same certificate or key.
     *
     * @param bArr the data to hash
     * @return the digest, or {@code null} when {@code generateFingerprint} reports the algorithm as unavailable
     */
    public static byte[] generateMD5Fingerprint(byte[] bArr) {
        final String algorithm = "MD5";
        return generateFingerprint(bArr, algorithm);
    }

    /**
     * Hashes {@code bArr} with the named {@link MessageDigest} algorithm.
     *
     * @param bArr the data to hash
     * @param str  the JCA digest algorithm name
     * @return the digest bytes, or {@code null} if the algorithm is not available (the failure is
     *         only logged, so callers must handle the {@code null})
     */
    public static byte[] generateFingerprint(byte[] bArr, String str) {
        MessageDigest digester;
        try {
            digester = MessageDigest.getInstance(str);
        } catch (NoSuchAlgorithmException e) {
            LOGGER.error("'" + str + "' algorithm not supported", (Throwable) e);
            return null;
        }
        return digester.digest(bArr);
    }

    /**
     * Renders a key-usage bit array as text.
     *
     * <p>Index 0 maps to digitalSignature and index 8 to decipherOnly; entries beyond index 8 are
     * ignored. The order looks like the array returned by {@code X509Certificate.getKeyUsage()} -
     * presumably the intended input, confirm against callers.
     *
     * @param zArr the usage flags, may be {@code null} or empty
     * @return {@code "unspecified usage"} for a {@code null} or empty array, otherwise
     *         {@code "valid for "} followed by each set usage name and a trailing space
     */
    public static String usageAsString(boolean[] zArr) {
        if (zArr == null || zArr.length == 0) {
            return "unspecified usage";
        }
        final String[] usageNames = {
            "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment", "keyAgreement",
            "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"
        };
        StringBuilder text = new StringBuilder("valid for ");
        int limit = Math.min(zArr.length, usageNames.length);
        for (int bit = 0; bit < limit; bit++) {
            if (zArr[bit]) {
                text.append(usageNames[bit]).append(' ');
            }
        }
        return text.toString();
    }

    /**
     * Decodes a DER-encoded PKCS#10 request and analyses it.
     *
     * @param bArr the encoded certification request
     * @return the holder filled by {@code parseCertificateRequest(PKCS10CertificationRequest)}
     * @throws IOException if the bytes cannot be decoded as a certification request
     * @throws GeneralSecurityException if the analysis of the decoded request fails
     */
    public Pkcs10RequestHolder parseCertificateRequest(byte[] bArr) throws IOException, GeneralSecurityException {
        PKCS10CertificationRequest decodedRequest = new PKCS10CertificationRequest(bArr);
        return parseCertificateRequest(decodedRequest);
    }

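    /**
     * Copies subject, attributes, algorithm details and public key of a PKCS#10 request into a
     * holder and records whether the request's self-signature verifies.
     *
     * <p>An invalid signature does not make this method fail: the result is only stored through
     * {@code setCSRValid(...)}. Callers must check that flag before treating the request as proof
     * of possession of the private key.
     *
     * @param pKCS10CertificationRequest the request to analyse
     * @return the populated holder
     * @throws IOException declared for the encoding calls made on the request
     * @throws GeneralSecurityException if the key algorithm is unknown, the public key cannot be
     *         rebuilt, or signature verification cannot be set up or run; the triggering
     *         exception is attached as the cause
     */
    public Pkcs10RequestHolder parseCertificateRequest(PKCS10CertificationRequest pKCS10CertificationRequest) throws IOException, GeneralSecurityException {
        Pkcs10RequestHolder pkcs10RequestHolder = new Pkcs10RequestHolder();
        pkcs10RequestHolder.setP10Req(pKCS10CertificationRequest);
        X500Name subject = pkcs10RequestHolder.getP10Req().getSubject();
        pkcs10RequestHolder.setSubjectRDNs(subject.getRDNs());
        pkcs10RequestHolder.setSubject(subject.toString());
        pkcs10RequestHolder.setReqAttributes(pkcs10RequestHolder.getP10Req().getAttributes());
        String id = pkcs10RequestHolder.getP10Req().getSignatureAlgorithm().getAlgorithm().getId();
        AlgorithmInfo algorithmInfo = new AlgorithmInfo(id);
        // RSASSA-PSS carries its hash in the algorithm parameters, so the info object is built from them.
        if (PKCSObjectIdentifiers.id_RSASSA_PSS.equals((ASN1Primitive) pkcs10RequestHolder.getP10Req().getSignatureAlgorithm().getAlgorithm())) {
            RSASSAPSSparams rSASSAPSSparams = RSASSAPSSparams.getInstance(pkcs10RequestHolder.getP10Req().getSignatureAlgorithm().getParameters());
            LOGGER.info("rsassapsSparams : " + rSASSAPSSparams.getHashAlgorithm().getAlgorithm().getId());
            algorithmInfo = new AlgorithmInfo(rSASSAPSSparams);
        }
        pkcs10RequestHolder.setAlgorithmInfo(algorithmInfo);
        pkcs10RequestHolder.setSigningAlgorithm(id);
        pkcs10RequestHolder.setSigningAlgorithmName(OidNameMapper.lookupOid(id));
        SubjectPublicKeyInfo subjectPublicKeyInfo = pkcs10RequestHolder.getP10Req().getSubjectPublicKeyInfo();
        try {
            X509EncodedKeySpec x509EncodedKeySpec = new X509EncodedKeySpec(new DERBitString(subjectPublicKeyInfo).getBytes());
            pkcs10RequestHolder.setX509KeySpec(x509EncodedKeySpec.getFormat());
            AlgorithmIdentifier algorithm = subjectPublicKeyInfo.getAlgorithm();
            pkcs10RequestHolder.setPublicKeyAlgorithm(algorithm.getAlgorithm().getId());
            pkcs10RequestHolder.setPublicKeyAlgorithmName(OidNameMapper.lookupOid(algorithm.getAlgorithm().getId()));
            PublicKey generatePublic = KeyFactory.getInstance(algorithm.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME).generatePublic(x509EncodedKeySpec);
            pkcs10RequestHolder.setPublicSigningKey(generatePublic);
            pkcs10RequestHolder.setSubjectPublicKeyInfoBase64(Base64.toBase64String(subjectPublicKeyInfo.getEncoded()));
            pkcs10RequestHolder.setPublicKeyHash(getHashAsBase64(generatePublic.getEncoded()));
            // The verification result is stored, not enforced; see the method documentation.
            pkcs10RequestHolder.setCSRValid(pkcs10RequestHolder.getP10Req().isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME).build(generatePublic)));
            // NOTE(review): request content is written at INFO for every parsed CSR; DEBUG may be the better level.
            LOGGER.info("p10Request.getSignature() : \n" + Base64.toBase64String(pKCS10CertificationRequest.getSignature()));
            LOGGER.info("SubjectPublicKeyInfo().getAlgorithm() : " + pKCS10CertificationRequest.getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm().getId());
            return pkcs10RequestHolder;
        } catch (NoSuchAlgorithmException e) {
            LOGGER.info("algorithm of CSR unknown", (Throwable) e);
            throw new GeneralSecurityException("algorithm of CSR unknown: " + e.getMessage(), e);
        } catch (InvalidKeySpecException e2) {
            LOGGER.info("retrieving public key from CSR failed", (Throwable) e2);
            throw new GeneralSecurityException("error retrieving public key from CSR: " + e2.getMessage(), e2);
        } catch (OperatorCreationException e3) {
            LOGGER.info("Problem processing the incoming csr", (Throwable) e3);
            throw new GeneralSecurityException(e3.getMessage(), e3);
        } catch (PKCSException e4) {
            LOGGER.info("Problem parsing the incoming csr", (Throwable) e4);
            throw new GeneralSecurityException(e4.getMessage(), e4);
        }
    }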

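    /**
     * Rebuilds the JCA public key carried in a PKCS#10 request.
     *
     * <p>The request signature is not checked here, so the returned key is not proven to belong
     * to the requester.
     *
     * @param pKCS10CertificationRequest the request holding the SubjectPublicKeyInfo
     * @return the public key created by the BouncyCastle provider
     * @throws IOException declared for the encoding of the SubjectPublicKeyInfo
     * @throws GeneralSecurityException if the key algorithm is unknown or the key cannot be
     *         rebuilt; the triggering exception is attached as the cause
     */
    public PublicKey getPublicKeyFromCSR(PKCS10CertificationRequest pKCS10CertificationRequest) throws IOException, GeneralSecurityException {
        SubjectPublicKeyInfo subjectPublicKeyInfo = pKCS10CertificationRequest.getSubjectPublicKeyInfo();
        try {
            String keyAlgorithmOid = subjectPublicKeyInfo.getAlgorithm().getAlgorithm().getId();
            KeyFactory keyFactory = KeyFactory.getInstance(keyAlgorithmOid, BouncyCastleProvider.PROVIDER_NAME);
            return keyFactory.generatePublic(new X509EncodedKeySpec(new DERBitString(subjectPublicKeyInfo).getBytes()));
        } catch (NoSuchAlgorithmException e) {
            LOGGER.info("algorithm of CSR unknown", (Throwable) e);
            throw new GeneralSecurityException("algorithm of CSR unknown: " + e.getMessage(), e);
        } catch (InvalidKeySpecException e2) {
            LOGGER.info("retrieving public key from CSR failed", (Throwable) e2);
            throw new GeneralSecurityException("error retrieving public key from CSR: " + e2.getMessage(), e2);
        }
    }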

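    /**
     * Serialises a PKCS#10 request as PEM text.
     *
     * @param pKCS10CertificationRequest the request to encode
     * @return the PEM representation
     * @throws IOException if the PEM writer fails
     */
    public static String pkcs10RequestToPem(PKCS10CertificationRequest pKCS10CertificationRequest) throws IOException {
        StringWriter stringWriter = new StringWriter();
        // try-with-resources closes the writer even when writeObject throws.
        try (JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(stringWriter)) {
            jcaPEMWriter.writeObject(pKCS10CertificationRequest);
        }
        return stringWriter.toString();
    }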

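    /**
     * Serialises an X.509 certificate as PEM text.
     *
     * @param x509Certificate the certificate to encode
     * @return the PEM representation
     * @throws IOException if the PEM writer fails
     */
    public String x509CertToPem(X509Certificate x509Certificate) throws IOException {
        StringWriter stringWriter = new StringWriter();
        // try-with-resources closes the writer even when writeObject throws.
        try (JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(stringWriter)) {
            jcaPEMWriter.writeObject(x509Certificate);
        }
        return stringWriter.toString();
    }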

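    /**
     * Serialises a public key as PEM text.
     *
     * @param publicKey the key to encode
     * @return the PEM representation
     * @throws IOException if the PEM writer fails
     */
    public String publicKeyToPem(PublicKey publicKey) throws IOException {
        StringWriter stringWriter = new StringWriter();
        // try-with-resources closes the writer even when writeObject throws.
        try (JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(stringWriter)) {
            jcaPEMWriter.writeObject(publicKey);
        }
        return stringWriter.toString();
    }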

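    /**
     * Parses a PEM-encoded PKCS#10 request and analyses it.
     *
     * <p>{@code convertPemToPKCS10CertificationRequest} returns {@code null} when the PEM block
     * holds some other object type (for example a certificate). That case is rejected here with a
     * checked exception instead of surfacing later as a {@code NullPointerException}.
     *
     * @param str the PEM text, typically caller-supplied and untrusted
     * @return the populated holder
     * @throws IOException if decoding of the request content fails
     * @throws GeneralSecurityException if the input is missing, is not PEM, is not a PKCS#10
     *         request, or cannot be analysed
     */
    public Pkcs10RequestHolder parseCertificateRequest(String str) throws IOException, GeneralSecurityException {
        if (str == null) {
            throw new GeneralSecurityException("Parsing of CSR failed! No input given");
        }
        PKCS10CertificationRequest parsedRequest = convertPemToPKCS10CertificationRequest(str);
        if (parsedRequest == null) {
            throw new GeneralSecurityException("Parsing of CSR failed! PEM content is not a PKCS#10 certification request");
        }
        return parseCertificateRequest(parsedRequest);
    }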

    /**
     * Reads the first PEM object from the text and returns it if it is a PKCS#10 request.
     *
     * @param str the PEM text; must not be {@code null}
     * @return the request, or {@code null} when the PEM object is of another type - callers must
     *         handle the {@code null}
     * @throws GeneralSecurityException if no PEM object is found or reading fails
     */
    public PKCS10CertificationRequest convertPemToPKCS10CertificationRequest(String str) throws GeneralSecurityException {
        PEMParser parser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))));
        try {
            Object parsed = parser.readObject();
            if (parsed == null) {
                throw new GeneralSecurityException("Parsing of CSR failed! Not PEM encoded?");
            }
            // Any other PEM object type is reported as null, not as an error.
            return (parsed instanceof PKCS10CertificationRequest) ? (PKCS10CertificationRequest) parsed : null;
        } catch (IOException e) {
            LOGGER.error("IOException, convertPemToPublicKey", (Throwable) e);
            throw new GeneralSecurityException("Parsing of CSR failed! Not PEM encoded?");
        } finally {
            try {
                parser.close();
            } catch (IOException closeFailure) {
                LOGGER.debug("IOException on close()", (Throwable) closeFailure);
            }
        }
    }

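    /**
     * Reads the first PEM object from the text and returns it as a public key.
     *
     * <p>BouncyCastle's {@code PEMParser} hands back public-key blocks as
     * {@link SubjectPublicKeyInfo}, not as {@link PublicKey}, so that type is converted here.
     * Checking only for {@code PublicKey} would return {@code null} for such input.
     *
     * @param str the PEM text; must not be {@code null}
     * @return the public key, or {@code null} when the PEM object is neither a public key nor a
     *         SubjectPublicKeyInfo
     * @throws GeneralSecurityException if no PEM object is found, reading fails, or the key
     *         cannot be converted
     */
    public PublicKey convertPemToPublicKey(String str) throws GeneralSecurityException {
        PEMParser pEMParser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))));
        try {
            try {
                Object readObject = pEMParser.readObject();
                if (readObject == null) {
                    throw new GeneralSecurityException("Parsing of PublicKey failed! Not PEM encoded?");
                }
                if (readObject instanceof PublicKey) {
                    return (PublicKey) readObject;
                }
                if (readObject instanceof SubjectPublicKeyInfo) {
                    // A conversion failure is an IOException subtype and is reported by the catch below.
                    return new JcaPEMKeyConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getPublicKey((SubjectPublicKeyInfo) readObject);
                }
                // Other PEM object types keep the historical null result.
                return null;
            } catch (IOException e) {
                LOGGER.error("IOException, convertPemToPublicKey", (Throwable) e);
                throw new GeneralSecurityException("Parsing of PublicKey  failed! Not PEM encoded?");
            }
        } finally {
            try {
                pEMParser.close();
            } catch (IOException e2) {
                LOGGER.debug("IOException on close()", (Throwable) e2);
            }
        }
    }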

    /**
     * Parses a PEM certificate and wraps its encoding in a BouncyCastle holder.
     *
     * @param str the PEM text
     * @return the certificate holder
     * @throws GeneralSecurityException if parsing or encoding fails; an {@code IOException} from
     *         the holder constructor is wrapped as the cause
     */
    public X509CertificateHolder convertPemToCertificateHolder(String str) throws GeneralSecurityException {
        X509Certificate certificate = convertPemToCertificate(str);
        byte[] derEncoding = certificate.getEncoded();
        try {
            return new X509CertificateHolder(derEncoding);
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Reads the first PEM object from the text and converts it to an {@link X509Certificate}.
     *
     * <p>This is a format conversion only: nothing here checks the certificate's signature,
     * validity period or chain.
     *
     * @param str the PEM text; must not be {@code null}
     * @return the certificate built by the BouncyCastle provider
     * @throws GeneralSecurityException if no PEM object is found, the object is not a
     *         certificate, or reading fails
     */
    public static X509Certificate convertPemToCertificate(String str) throws GeneralSecurityException {
        PEMParser parser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))));
        try {
            try {
                Object parsed = parser.readObject();
                if (parsed == null) {
                    throw new GeneralSecurityException("Parsing of certificate failed! Not PEM encoded?");
                }
                LOGGER.debug("PemParser returned: " + parsed);
                if (!(parsed instanceof X509CertificateHolder)) {
                    throw new GeneralSecurityException("Unexpected parsing result: " + parsed.getClass().getName());
                }
                JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME);
                return converter.getCertificate((X509CertificateHolder) parsed);
            } finally {
                // The parser is closed before an IOException from reading is reported by the outer catch.
                try {
                    parser.close();
                } catch (IOException closeFailure) {
                    LOGGER.debug("IOException on close()", (Throwable) closeFailure);
                }
            }
        } catch (IOException readFailure) {
            LOGGER.error("IOException, convertPemToCertificate", (Throwable) readFailure);
            throw new GeneralSecurityException("Parsing of certificate failed! Not PEM encoded?");
        }
    }

    /**
     * Reads the first PEM object from the text and converts it to a {@link PrivateKey}.
     *
     * <p>Only a {@code PrivateKeyInfo} result is accepted; every other PEM object type is
     * rejected with "Unexpected parsing result". The messages still say "certificate" although a
     * private key is parsed (NOTE(review): looks copied from convertPemToCertificate).
     *
     * @param str the PEM text holding the key; must not be {@code null}
     * @return the private key built by the BouncyCastle provider
     * @throws GeneralSecurityException if no PEM object is found, the object is of another type,
     *         or reading fails
     */
    public PrivateKey convertPemToPrivateKey(String str) throws GeneralSecurityException {
        PEMParser parser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))));
        try {
            Object parsed = parser.readObject();
            if (parsed == null) {
                throw new GeneralSecurityException("Parsing of certificate failed! Not PEM encoded?");
            }
            if (!(parsed instanceof PrivateKeyInfo)) {
                // Only the class name is reported, never the key material.
                throw new GeneralSecurityException("Unexpected parsing result: " + parsed.getClass().getName());
            }
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME);
            return converter.getPrivateKey((PrivateKeyInfo) parsed);
        } catch (IOException e) {
            LOGGER.error("IOException, convertPemToCertificate", (Throwable) e);
            throw new GeneralSecurityException("Parsing of certificate failed! Not PEM encoded?");
        } finally {
            try {
                parser.close();
            } catch (IOException closeFailure) {
                LOGGER.debug("IOException on close()", (Throwable) closeFailure);
            }
        }
    }

    /**
     * Decodes the first ASN.1 object found in the byte array.
     *
     * <p>Only one object is read; bytes that follow it are neither parsed nor rejected.
     *
     * @param bArr the encoded data
     * @return the first decoded object, as returned by {@code ASN1InputStream.readObject()}
     * @throws IOException if decoding fails
     */
    public ASN1Primitive getDERObject(byte[] bArr) throws IOException {
        // try-with-resources closes the stream and keeps a close failure as a suppressed exception.
        try (ASN1InputStream asn1Stream = new ASN1InputStream(bArr)) {
            return asn1Stream.readObject();
        }
    }

    /**
     * Returns the Base64 text of the SHA-256 digest of the given bytes.
     *
     * @param bArr the data to hash
     * @return the Base64-encoded digest
     * @throws GeneralSecurityException if SHA-256 is not available
     */
    String getHashAsBase64(byte[] bArr) throws GeneralSecurityException {
        byte[] sha256 = MessageDigest.getInstance("SHA-256").digest(bArr);
        return Base64.toBase64String(sha256);
    }

    /**
     * Builds a PKCS#10 request with {@code getCsr} and returns it as PEM text.
     *
     * @param x500Principal the subject of the request
     * @param publicKey     the key to be certified
     * @param privateKey    the key that signs the request
     * @param cArr          optional challenge password, may be {@code null}
     * @return the PEM-encoded request
     * @throws GeneralSecurityException if request creation fails
     * @throws IOException if signing setup or PEM encoding fails
     */
    public static String getCsrAsPEM(X500Principal x500Principal, PublicKey publicKey, PrivateKey privateKey, char[] cArr) throws GeneralSecurityException, IOException {
        PKCS10CertificationRequest request = getCsr(x500Principal, publicKey, privateKey, cArr);
        return pkcs10RequestToPem(request);
    }

    /**
     * Builds a PKCS#10 request without extra extensions and without subject alternative names.
     *
     * @param x500Principal the subject of the request
     * @param publicKey     the key to be certified
     * @param privateKey    the key that signs the request
     * @param cArr          optional challenge password, may be {@code null}
     * @return the signed request
     * @throws GeneralSecurityException if request creation fails
     * @throws IOException if the content signer cannot be created
     */
    public static PKCS10CertificationRequest getCsr(X500Principal x500Principal, PublicKey publicKey, PrivateKey privateKey, char[] cArr) throws GeneralSecurityException, IOException {
        final List<Map<String, Object>> noExtensions = null;
        final GeneralName[] noSubjectAltNames = null;
        return getCsr(x500Principal, publicKey, privateKey, cArr, noExtensions, noSubjectAltNames);
    }

    /**
     * Builds a PKCS#10 request with extra extensions but without subject alternative names.
     *
     * @param x500Principal the subject of the request
     * @param publicKey     the key to be certified
     * @param privateKey    the key that signs the request
     * @param cArr          optional challenge password, may be {@code null}
     * @param list          optional extension descriptions handed to {@code ExtensionsUtils}
     * @return the signed request
     * @throws GeneralSecurityException if request creation fails
     * @throws IOException if the content signer cannot be created
     */
    public static PKCS10CertificationRequest getCsr(X500Principal x500Principal, PublicKey publicKey, PrivateKey privateKey, char[] cArr, List<Map<String, Object>> list) throws GeneralSecurityException, IOException {
        final GeneralName[] noSubjectAltNames = null;
        return getCsr(x500Principal, publicKey, privateKey, cArr, list, noSubjectAltNames);
    }

    /**
     * Builds a PKCS#10 request signed with the fixed algorithm {@code "SHA256WithRSAEncryption"}.
     *
     * <p>The algorithm is hard-coded, so a non-RSA {@code privateKey} presumably fails when the
     * signer is built; use the overload that takes an algorithm name for other key types.
     *
     * @param x500Principal  the subject of the request
     * @param publicKey      the key to be certified
     * @param privateKey     the key that signs the request
     * @param cArr           optional challenge password, may be {@code null}
     * @param list           optional extension descriptions, may be {@code null}
     * @param generalNameArr optional subject alternative names, may be {@code null}
     * @return the signed request
     * @throws GeneralSecurityException if request creation fails
     * @throws IOException if the content signer cannot be created
     */
    public static PKCS10CertificationRequest getCsr(X500Principal x500Principal, PublicKey publicKey, PrivateKey privateKey, char[] cArr, List<Map<String, Object>> list, GeneralName[] generalNameArr) throws GeneralSecurityException, IOException {
        final String defaultSignatureAlgorithm = "SHA256WithRSAEncryption";
        return getCsr(x500Principal, publicKey, privateKey, cArr, list, generalNameArr, defaultSignatureAlgorithm);
    }

    /**
     * Builds and signs a PKCS#10 request.
     *
     * <p>Notes for reviewers:
     * <ul>
     *   <li>The challenge password is copied into a {@code String} for the attribute, so wiping
     *       {@code cArr} afterwards does not remove every copy from memory.</li>
     *   <li>An extensionRequest attribute built from the generator is always added, even when no
     *       subject alternative names were given. A non-empty {@code list} adds a second
     *       extensionRequest attribute. NOTE(review): confirm that consumers accept this.</li>
     * </ul>
     *
     * @param x500Principal  the subject of the request
     * @param publicKey      the key to be certified
     * @param privateKey     the key that signs the request
     * @param cArr           optional challenge password, may be {@code null}
     * @param list           optional extension descriptions handed to {@code ExtensionsUtils}
     * @param generalNameArr optional subject alternative names, may be {@code null}
     * @param str            the signature algorithm name for the content signer
     * @return the signed request
     * @throws GeneralSecurityException declared by the signature
     * @throws IOException if the content signer cannot be created (wraps the
     *         {@code OperatorCreationException})
     */
    public static PKCS10CertificationRequest getCsr(X500Principal x500Principal, PublicKey publicKey, PrivateKey privateKey, char[] cArr, List<Map<String, Object>> list, GeneralName[] generalNameArr, String str) throws GeneralSecurityException, IOException {
        SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
        try {
            ContentSigner signer = new JcaContentSignerBuilder(str).build(privateKey);
            X500Name subject = X500Name.getInstance(x500Principal.getEncoded());
            PKCS10CertificationRequestBuilder requestBuilder = new PKCS10CertificationRequestBuilder(subject, keyInfo);
            if (cArr != null) {
                requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, new DERPrintableString(new String(cArr)));
            }
            if (list != null && !list.isEmpty()) {
                requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, ExtensionsUtils.getExtensionsObjFromMap(list));
            }
            ExtensionsGenerator sanExtensions = new ExtensionsGenerator();
            if (generalNameArr != null) {
                sanExtensions.addExtension(Extension.subjectAlternativeName, false, (ASN1Encodable) new GeneralNames(generalNameArr));
                LOGGER.debug("added #" + generalNameArr.length + " sans");
                for (int idx = 0; idx < generalNameArr.length; idx++) {
                    LOGGER.debug("san :" + generalNameArr[idx]);
                }
            }
            requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, sanExtensions.generate());
            return requestBuilder.build(signer);
        } catch (OperatorCreationException e) {
            throw new IOException(e);
        }
    }

    /**
     * Builds a short human-readable label for a certificate.
     *
     * @param x509Certificate the certificate, may be {@code null}
     * @return {@code "<subject> (#<serial>)"}, or {@code "<issuer> / #<serial>"} when the subject
     *         name is {@code null} or empty; the placeholders {@code noSubject}, {@code noIssuer}
     *         and {@code noSerial} stand in for missing parts
     */
    public String getDescription(X509Certificate x509Certificate) {
        String subjectName = "noSubject";
        String issuerName = "noIssuer";
        String serialText = "noSerial";
        if (x509Certificate != null) {
            if (x509Certificate.getSubjectDN() != null) {
                subjectName = x509Certificate.getSubjectDN().getName();
            }
            if (x509Certificate.getIssuerDN() != null) {
                issuerName = x509Certificate.getIssuerDN().getName();
            }
            serialText = String.valueOf(x509Certificate.getSerialNumber());
        }
        boolean subjectMissing = subjectName == null || subjectName.length() == 0;
        if (subjectMissing) {
            return issuerName + " / #" + serialText;
        }
        return subjectName + " (#" + serialText + ")";
    }

    /**
     * Maps a revocation reason given as a number or as a name to a {@link CRLReason}.
     *
     * <p>A numeric string is passed to {@code CRLReason.lookup} without a range check, so a caller
     * handling untrusted input should validate the number first (NOTE(review): confirm how
     * {@code lookup} treats negative or undefined codes). Names are matched case-insensitively;
     * an unknown name or {@code null} yields code 0.
     *
     * @param str the reason as a decimal number or reason name
     * @return the reason returned by {@code CRLReason.lookup} for the resolved code
     */
    public CRLReason crlReasonFromString(String str) {
        int code;
        try {
            code = Integer.parseInt(str);
        } catch (NumberFormatException ignored) {
            // Not a number: fall back to the name table; unknown names keep code 0.
            final String[] reasonNames = {
                "keyCompromise", "cACompromise", "affiliationChanged", "superseded", "cessationOfOperation",
                "privilegeWithdrawn", "aACompromise", "certificateHold", "removeFromCRL"
            };
            final int[] reasonCodes = {1, 2, 3, 4, 5, 9, 10, 6, 8};
            code = 0;
            for (int k = 0; k < reasonNames.length; k++) {
                if (reasonNames[k].equalsIgnoreCase(str)) {
                    code = reasonCodes[k];
                    break;
                }
            }
        }
        return CRLReason.lookup(code);
    }

    /**
     * Returns the reason name for a {@link CRLReason}.
     *
     * @param cRLReason the reason; must not be {@code null}
     * @return the name for codes 1-6 and 8-10, {@code "unspecified"} for every other code
     */
    public String crlReasonAsString(CRLReason cRLReason) {
        // Indexed by reason code; 0 and 7 have no name of their own and read "unspecified".
        final String[] namesByCode = {
            "unspecified", "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
            "cessationOfOperation", "certificateHold", "unspecified", "removeFromCRL",
            "privilegeWithdrawn", "aACompromise"
        };
        int code = cRLReason.getValue().intValue();
        boolean known = code >= 0 && code < namesByCode.length;
        return known ? namesByCode[code] : "unspecified";
    }

    /**
     * Truncates a string to at most {@code i} characters.
     *
     * @param str the text, may be {@code null}
     * @param i   the maximum length; a negative value makes {@code substring} throw
     * @return the empty string for {@code null}, otherwise the first {@code min(length, i)} characters
     */
    public static String limitLength(String str, int i) {
        if (str == null) {
            return "";
        }
        int end = Math.min(str.length(), i);
        return str.substring(0, end);
    }

    /**
     * Computes both subject key identifier forms for the certificate's public key.
     *
     * @param x509Certificate the certificate whose public key is used
     * @return a two-element array: the regular identifier at index 0, the truncated one at index 1
     * @throws NoSuchAlgorithmException if the extension utility cannot be created
     */
    public static SubjectKeyIdentifier[] getSKI(X509Certificate x509Certificate) throws NoSuchAlgorithmException {
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        SubjectKeyIdentifier fullIdentifier = extensionUtils.createSubjectKeyIdentifier(x509Certificate.getPublicKey());
        SubjectKeyIdentifier truncatedIdentifier = extensionUtils.createTruncatedSubjectKeyIdentifier(x509Certificate.getPublicKey());
        return new SubjectKeyIdentifier[]{fullIdentifier, truncatedIdentifier};
    }

    /**
     * Returns the Base64 text of the SHA-256 digest of the given bytes.
     *
     * @param bArr the data to hash
     * @return the Base64-encoded digest
     * @throws NoSuchAlgorithmException if SHA-256 is not available
     */
    public String getSHA256DigestAsString(byte[] bArr) throws NoSuchAlgorithmException {
        byte[] digest = getSHA256Digest(bArr);
        return Base64.toBase64String(digest);
    }

    /**
     * Computes the SHA-256 digest of the given bytes.
     *
     * @param bArr the data to hash
     * @return the 32-byte digest
     * @throws NoSuchAlgorithmException if SHA-256 is not available
     */
    public byte[] getSHA256Digest(byte[] bArr) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(bArr);
    }

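    /**
     * Creates a CMP message builder with a fresh sender nonce, transaction id and sender key id.
     *
     * <p>The nonce and the transaction id are 16 random bytes each, taken from this instance's
     * {@code SecureRandom}. Deriving them from the clock makes them predictable and lets two
     * messages created in the same millisecond share a transaction id, which weakens the replay
     * protection these fields exist for. The sender key id keeps its clock-based
     * {@code "keyId<millis>"} form.
     *
     * @param x500Name  first name argument, forwarded unchanged to the seven-argument overload
     * @param x500Name2 second name argument, forwarded unchanged to the seven-argument overload
     * @return the prepared builder
     */
    public ProtectedPKIMessageBuilder getPKIBuilder(X500Name x500Name, X500Name x500Name2) {
        byte[] senderNonce = new byte[16];
        secRandom.nextBytes(senderNonce);
        byte[] transactionId = new byte[16];
        secRandom.nextBytes(transactionId);
        // Explicit charset: the platform default must not influence the key id bytes.
        byte[] senderKeyId = ("keyId" + System.currentTimeMillis()).getBytes(StandardCharsets.UTF_8);
        return getPKIBuilder(x500Name, x500Name2, senderNonce, null, transactionId, senderKeyId, null);
    }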

    /**
     * Creates a CMP response builder that echoes correlation fields of the request header.
     *
     * <p>The request's sender nonce becomes the response's recipient nonce, the transaction id is
     * copied, and the request's recipient key id is set as the response's recipient key id. No
     * sender nonce and no sender key id are set on the response.
     *
     * @param x500Name  first name argument, forwarded unchanged to {@code getPKIBuilder}
     * @param x500Name2 second name argument, forwarded unchanged to {@code getPKIBuilder}
     * @param pKIHeader the header of the request being answered
     * @return the prepared builder
     */
    public ProtectedPKIMessageBuilder getPKIResponseBuilder(X500Name x500Name, X500Name x500Name2, PKIHeader pKIHeader) {
        byte[] requestSenderNonce = pKIHeader.getSenderNonce() != null ? pKIHeader.getSenderNonce().getOctets() : null;
        byte[] requestTransactionId = pKIHeader.getTransactionID() != null ? pKIHeader.getTransactionID().getOctets() : null;
        byte[] requestRecipKid = pKIHeader.getRecipKID() != null ? pKIHeader.getRecipKID().getOctets() : null;
        return getPKIBuilder(x500Name, x500Name2, null, requestSenderNonce, requestTransactionId, null, requestRecipKid);
    }

    /**
     * Creates a CMP message builder and sets every header field that is not {@code null}.
     *
     * <p>{@code x500Name2} is passed as the builder's first general name and {@code x500Name} as
     * its second (sender, then recipient, in BouncyCastle's constructor - confirm against the
     * library version in use). The message time is the current system time.
     *
     * @param x500Name  name used as the second constructor argument
     * @param x500Name2 name used as the first constructor argument
     * @param bArr      sender nonce, may be {@code null}
     * @param bArr2     recipient nonce, may be {@code null}
     * @param bArr3     transaction id, may be {@code null}
     * @param bArr4     sender key id, may be {@code null}
     * @param bArr5     recipient key id, may be {@code null}
     * @return the prepared builder
     */
    public ProtectedPKIMessageBuilder getPKIBuilder(X500Name x500Name, X500Name x500Name2, byte[] bArr, byte[] bArr2, byte[] bArr3, byte[] bArr4, byte[] bArr5) {
        GeneralName firstName = new GeneralName(x500Name2);
        GeneralName secondName = new GeneralName(x500Name);
        ProtectedPKIMessageBuilder messageBuilder = new ProtectedPKIMessageBuilder(firstName, secondName);
        messageBuilder.setMessageTime(new Date());
        if (null != bArr) {
            messageBuilder.setSenderNonce(bArr);
        }
        if (null != bArr2) {
            messageBuilder.setRecipNonce(bArr2);
        }
        if (null != bArr3) {
            messageBuilder.setTransactionID(bArr3);
        }
        if (null != bArr4) {
            messageBuilder.setSenderKID(bArr4);
        }
        if (null != bArr5) {
            messageBuilder.setRecipKID(bArr5);
        }
        return messageBuilder;
    }

    /**
     * Creates the builder for the password-based MAC that protects CMP messages.
     *
     * <p>The calculator is fixed to SHA-1 as digest and HMAC-SHA1 as MAC. Both sides of the
     * exchange must agree on these, so a move to stronger algorithms has to be coordinated with
     * the peer.
     *
     * @return the MAC builder
     * @throws CRMFException if the calculator cannot be set up
     */
    public PKMACBuilder getMacCalculatorBuilder() throws CRMFException {
        // 1.3.14.3.2.26 = SHA-1
        AlgorithmIdentifier digestAlgorithm = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
        // 1.2.840.113549.2.7 = HMAC with SHA-1
        AlgorithmIdentifier macAlgorithm = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.2.7"));
        JcePKMACValuesCalculator calculator = new JcePKMACValuesCalculator();
        calculator.setup(digestAlgorithm, macAlgorithm);
        return new PKMACBuilder(calculator);
    }

    /**
     * Creates a MAC calculator keyed with the given shared secret.
     *
     * <p>The secret arrives as an immutable {@code String}; it cannot be wiped after use.
     *
     * @param str the shared secret; must not be {@code null}
     * @return the MAC calculator
     * @throws CRMFException if the builder or the calculator cannot be created
     */
    public MacCalculator getMacCalculator(String str) throws CRMFException {
        PKMACBuilder macBuilder = getMacCalculatorBuilder();
        char[] sharedSecret = str.toCharArray();
        return macBuilder.build(sharedSecret);
    }

    /**
     * Issues a certificate in which subject and issuer are the same name and the certified key
     * is the public half of the signing key pair.
     *
     * <p>The two literal {@code 1} arguments and {@code PKILevel.ROOT} are passed to
     * {@code issueCertificate}; their meaning is defined there and not visible here.
     *
     * @param x500Name the name used as both issuer and subject
     * @param keyPair  the key pair that signs and is certified
     * @return the certificate returned by {@code issueCertificate}
     * @throws NoSuchAlgorithmException as declared by {@code issueCertificate}
     * @throws IOException as declared by {@code issueCertificate}
     * @throws CertificateException as declared by {@code issueCertificate}
     */
    public X509Certificate buildSelfsignedCertificate(X500Name x500Name, KeyPair keyPair) throws NoSuchAlgorithmException, IOException, CertificateException {
        byte[] encodedPublicKey = keyPair.getPublic().getEncoded();
        return issueCertificate(x500Name, keyPair, x500Name, encodedPublicKey, 1, 1, PKILevel.ROOT);
    }

    /**
     * Decodes a CMP request and dispatches it by body type.
     *
     * <p>Initialisation and certification requests (types 0 and 2) produce a certificate
     * response, or an error response when {@code str} equals {@code "fail"}. Revocation requests
     * (type 11) produce a revocation response and general messages (type 21) an error response.
     *
     * <p>Nothing in this method verifies the protection (MAC or signature) of the incoming
     * message before dispatching. Whether the response builders do so is not visible here
     * (NOTE(review): confirm before exposing this to untrusted senders). With debug logging
     * enabled the complete request is written to the log as Base64.
     *
     * @param str         mode switch; the value {@code "fail"} forces an error response for
     *                    certificate requests
     * @param str2        forwarded to the response builders - presumably the shared secret, confirm
     * @param bArr        the DER-encoded request
     * @param certificate forwarded to {@code buildCertificateResponse}
     * @param x500Name    forwarded to the response builders
     * @param keyPair     forwarded to {@code buildCertificateResponse}
     * @return the encoded response
     * @throws IOException if the request cannot be decoded
     * @throws GeneralSecurityException if no CMP message can be parsed from the decoded object
     * @throws CRMFException as declared by the response builders
     * @throws CMPException if the body type is not one of the handled types
     */
    public byte[] handleCMPRequest(String str, String str2, byte[] bArr, Certificate certificate, X500Name x500Name, KeyPair keyPair) throws IOException, GeneralSecurityException, CRMFException, CMPException {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("incoming CMP request: " + Base64.toBase64String(bArr));
        }
        PKIMessage request = PKIMessage.getInstance(getDERObject(bArr));
        if (request == null) {
            throw new GeneralSecurityException("No CMP message could be parsed from received Der object.");
        }
        printPKIMessageInfo(request);
        PKIBody requestBody = request.getBody();
        switch (requestBody.getType()) {
            case PKIBody.TYPE_INIT_REQ:
            case PKIBody.TYPE_CERT_REQ:
                LOGGER.debug("incoming CMP certificate request");
                if ("fail".equals(str)) {
                    return buildErrorResponse(request, str2, x500Name);
                }
                CertReqMsg[] certRequests = ((CertReqMessages) requestBody.getContent()).toCertReqMsgArray();
                return buildCertificateResponse(request, certRequests, str2, certificate, x500Name, keyPair);
            case PKIBody.TYPE_REVOCATION_REQ:
                LOGGER.debug("incoming CMP revocation request");
                return buildRevocationResponse(request, str2, x500Name);
            case PKIBody.TYPE_GEN_MSG:
                LOGGER.debug("incoming CMP general message");
                return buildErrorResponse(request, str2, x500Name);
            default:
                throw new CMPException("unexpected request type '" + requestBody.getType() + "'");
        }
    }

    /**
     * Decodes a CMP message, logs its header details and returns its body.
     *
     * <p>The message protection is not checked here.
     *
     * @param bArr the DER-encoded message
     * @return the message body
     * @throws IOException if the bytes cannot be decoded
     * @throws GeneralSecurityException if no CMP message can be parsed from the decoded object
     */
    PKIBody readPKIBodyFromRequest(byte[] bArr) throws IOException, GeneralSecurityException {
        ASN1Primitive decoded = getDERObject(bArr);
        PKIMessage message = PKIMessage.getInstance(decoded);
        if (message != null) {
            printPKIMessageInfo(message);
            return message.getBody();
        }
        throw new GeneralSecurityException("No CMP message could be parsed from received Der object.");
    }

    /**
     * Writes protocol version, sender, recipient, body type and transaction id of a CMP message
     * to the debug log.
     *
     * <p>Sender and recipient come from the received message and are logged as they are.
     *
     * @param pKIMessage the message to describe; must not be {@code null}
     */
    private void printPKIMessageInfo(PKIMessage pKIMessage) {
        PKIHeader messageHeader = pKIMessage.getHeader();
        PKIBody messageBody = pKIMessage.getBody();
        if (!LOGGER.isDebugEnabled()) {
            return;
        }
        LOGGER.debug("Received CMP message with pvno=" + messageHeader.getPvno() + ", sender=" + messageHeader.getSender().toString() + ", recipient=" + messageHeader.getRecipient().toString());
        LOGGER.debug("Body is of type: " + messageBody.getType());
        LOGGER.debug("Transaction id: " + messageHeader.getTransactionID());
    }

    /**
     * Writes protection state, protocol version, sender, recipient, body type and transaction id
     * of a CMP message to the debug log.
     *
     * <p>Sender and recipient come from the received message and are logged as they are.
     *
     * @param generalPKIMessage the message to describe; must not be {@code null}
     */
    private void printPKIMessageInfo(GeneralPKIMessage generalPKIMessage) {
        PKIHeader messageHeader = generalPKIMessage.getHeader();
        PKIBody messageBody = generalPKIMessage.getBody();
        if (!LOGGER.isDebugEnabled()) {
            return;
        }
        String protectionNote = generalPKIMessage.hasProtection() ? " protected " : "";
        LOGGER.debug("Received " + protectionNote + "CMP message with pvno=" + messageHeader.getPvno() + ", sender=" + messageHeader.getSender().toString() + ", recipient=" + messageHeader.getRecipient().toString());
        LOGGER.debug("Body is of type: " + messageBody.getType());
        LOGGER.debug("Transaction id: " + messageHeader.getTransactionID());
    }

    /**
     * Decodes a DER-encoded CMP request into a {@code PKIMessage}.
     *
     * <p>Decoding only: the message protection is not examined here.
     *
     * @param bArr DER-encoded PKIMessage bytes
     * @return the decoded message, never {@code null}
     * @throws IOException propagated from decoding (presumably raised by getDERObject)
     * @throws GeneralSecurityException if no PKIMessage could be obtained from the bytes
     */
    PKIMessage readPKIMessageFromRequest(byte[] bArr) throws IOException, GeneralSecurityException {
        final PKIMessage parsed = PKIMessage.getInstance(getDERObject(bArr));
        if (parsed != null) {
            return parsed;
        }
        throw new GeneralSecurityException("No CMP message could be parsed from received Der object.");
    }

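    /**
     * Issues a certificate for the first request in {@code certReqMsgArr} and wraps it in
     * a CMP certificate response (body type 3).
     *
     * <p>The subject and public key are taken from the request's certificate template and
     * passed to {@code issueCertificate} with a validity of one year. The response is
     * protected with the calculator returned by {@code getMacCalculator(str)}.
     *
     * <p>NOTE(review): no proof-of-possession check and no policy check on the requested
     * subject is visible in this method; whatever the template asks for is issued. Confirm
     * that the caller has authenticated and authorised the request before calling this.
     *
     * @param pKIMessage the incoming request; its header is used to build the response header
     * @param certReqMsgArr the certificate requests from the message; only element 0 is processed
     * @param str value handed to {@code getMacCalculator} (presumably the shared MAC secret)
     * @param certificate the issuing certificate, returned as CA certificate in the response
     * @param x500Name the issuer name
     * @param keyPair the issuer key pair used for signing
     * @return the DER-encoded response message
     * @throws CMPException if the request list is empty or the template has no public key
     */
    public byte[] buildCertificateResponse(PKIMessage pKIMessage, CertReqMsg[] certReqMsgArr, String str, Certificate certificate, X500Name x500Name, KeyPair keyPair) throws IOException, CRMFException, CMPException, GeneralSecurityException {
        // The array is decoded from the incoming message, so it can be empty; report that
        // as a protocol error instead of failing with an index exception.
        if (certReqMsgArr == null || certReqMsgArr.length == 0) {
            throw new CMPException("certificate request contains no CertReqMsg");
        }
        CMPCertificate[] cMPCertificateArr = {new CMPCertificate(org.bouncycastle.asn1.x509.Certificate.getInstance(getDERObject(certificate.getEncoded())))};
        CertReqMsg certReqMsg = certReqMsgArr[0];
        CertRequest certReq = certReqMsg.getCertReq();
        CertTemplate certTemplate = certReq.getCertTemplate();
        // The public key is an optional template field; without it nothing can be certified.
        if (certTemplate.getPublicKey() == null) {
            throw new CMPException("certificate request template carries no public key");
        }
        AttributeTypeAndValue[] regInfo = certReqMsg.getRegInfo();
        if (regInfo != null && LOGGER.isDebugEnabled()) {
            for (AttributeTypeAndValue attributeTypeAndValue : regInfo) {
                LOGGER.debug("certificate request AttributeTypeAndValue: " + attributeTypeAndValue.getType().getId() + " -> " + attributeTypeAndValue.toASN1Primitive());
            }
        }
        // Calendar.YEAR with amount 1: the issued certificate is valid for one year from now.
        X509Certificate issued = issueCertificate(x500Name, keyPair, certTemplate.getSubject(), certTemplate.getPublicKey().getEncoded(), Calendar.YEAR, 1);
        CMPCertificate issuedCmpCertificate = new CMPCertificate(org.bouncycastle.asn1.x509.Certificate.getInstance(getDERObject(issued.getEncoded())));
        CertResponse certResponse = new CertResponse(certReq.getCertReqId(), new PKIStatusInfo(PKIStatus.granted), new CertifiedKeyPair(new CertOrEncCert(issuedCmpCertificate)), null);
        CertRepMessage certRepMessage = new CertRepMessage(cMPCertificateArr, new CertResponse[]{certResponse});
        ProtectedPKIMessageBuilder pKIResponseBuilder = getPKIResponseBuilder(x500Name, certTemplate.getSubject(), pKIMessage.getHeader());
        pKIResponseBuilder.setBody(new PKIBody(PKIBody.TYPE_CERT_REP, certRepMessage));
        pKIResponseBuilder.addCMPCertificate(new X509CertificateHolder(cMPCertificateArr[0].getX509v3PKCert()));
        return pKIResponseBuilder.build(getMacCalculator(str)).toASN1Structure().getEncoded();
    }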

    /**
     * Issues an end-entity certificate for an encoded public key, without subject
     * alternative names or requested extensions.
     *
     * @param x500Name issuer name
     * @param keyPair issuer key pair used for signing
     * @param x500Name2 subject name
     * @param bArr encoded SubjectPublicKeyInfo of the subject
     * @param i {@link Calendar} field constant for the validity period
     * @param i2 amount of that field to add to the current time
     * @return the issued certificate
     */
    public X509Certificate issueCertificate(X500Name x500Name, KeyPair keyPair, X500Name x500Name2, byte[] bArr, int i, int i2) throws NoSuchAlgorithmException, CertificateException, IOException {
        final SubjectPublicKeyInfo subjectKeyInfo = SubjectPublicKeyInfo.getInstance(bArr);
        final GeneralNames noSubjectAltNames = null;
        final List<Map<String, Object>> noRequestedExtensions = null;
        return issueCertificate(x500Name, keyPair, x500Name2, subjectKeyInfo, i, i2, noSubjectAltNames, noRequestedExtensions, PKILevel.END_ENTITY);
    }

    /**
     * Issues a certificate of the given PKI level for an encoded public key, without
     * subject alternative names or requested extensions.
     *
     * @param x500Name issuer name
     * @param keyPair issuer key pair used for signing
     * @param x500Name2 subject name
     * @param bArr encoded SubjectPublicKeyInfo of the subject
     * @param i {@link Calendar} field constant for the validity period
     * @param i2 amount of that field to add to the current time
     * @param pKILevel level of the certificate; ROOT and INTERMEDIATE produce a CA certificate
     * @return the issued certificate
     */
    public X509Certificate issueCertificate(X500Name x500Name, KeyPair keyPair, X500Name x500Name2, byte[] bArr, int i, int i2, PKILevel pKILevel) throws NoSuchAlgorithmException, CertificateException, IOException {
        final SubjectPublicKeyInfo subjectKeyInfo = SubjectPublicKeyInfo.getInstance(bArr);
        final GeneralNames noSubjectAltNames = null;
        final List<Map<String, Object>> noRequestedExtensions = null;
        return issueCertificate(x500Name, keyPair, x500Name2, subjectKeyInfo, i, i2, noSubjectAltNames, noRequestedExtensions, pKILevel);
    }

    /**
     * Issues a certificate of the given PKI level for a parsed public key, without
     * subject alternative names or requested extensions.
     *
     * @param x500Name issuer name
     * @param keyPair issuer key pair used for signing
     * @param x500Name2 subject name
     * @param subjectPublicKeyInfo public key of the subject
     * @param i {@link Calendar} field constant for the validity period
     * @param i2 amount of that field to add to the current time
     * @param pKILevel level of the certificate; ROOT and INTERMEDIATE produce a CA certificate
     * @return the issued certificate
     */
    public X509Certificate issueCertificate(X500Name x500Name, KeyPair keyPair, X500Name x500Name2, SubjectPublicKeyInfo subjectPublicKeyInfo, int i, int i2, PKILevel pKILevel) throws NoSuchAlgorithmException, CertificateException, IOException {
        final GeneralNames noSubjectAltNames = null;
        final List<Map<String, Object>> noRequestedExtensions = null;
        return issueCertificate(x500Name, keyPair, x500Name2, subjectPublicKeyInfo, i, i2, noSubjectAltNames, noRequestedExtensions, pKILevel);
    }

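    /**
     * Builds and signs an X.509 v3 certificate.
     *
     * <p>Validity starts now and ends after adding {@code i2} units of calendar field
     * {@code i}. ROOT and INTERMEDIATE levels get {@code basicConstraints CA=true} with key
     * usage digitalSignature + keyCertSign; every other level gets {@code CA=false} with
     * digitalSignature + nonRepudiation + keyEncipherment. Both extensions are critical.
     * A subject key identifier is always added; an authority key identifier (derived from
     * the issuer public key) is added for every level except ROOT.
     *
     * <p>The serial number is a positive random value of up to 127 bits drawn from
     * {@code secRandom}. The previous form, {@code abs(nextLong())}, carried at most 63
     * bits and could produce zero, which is not a valid serial number.
     *
     * @param x500Name issuer name
     * @param keyPair issuer key pair; the private key signs, the public key feeds the AKI
     * @param x500Name2 subject name
     * @param subjectPublicKeyInfo public key to certify
     * @param i {@link Calendar} field constant for the validity period
     * @param i2 amount of that field to add to the current time
     * @param generalNames subject alternative names, or {@code null} for none
     * @param list requested extensions, or {@code null}/empty for none; only the extended
     *     key usage extension is copied from it
     * @param pKILevel level of the certificate to issue
     * @return the signed certificate
     * @throws CertificateException if the requested extensions cannot be parsed or the
     *     built certificate cannot be decoded
     */
    public X509Certificate issueCertificate(X500Name x500Name, KeyPair keyPair, X500Name x500Name2, SubjectPublicKeyInfo subjectPublicKeyInfo, int i, int i2, GeneralNames generalNames, List<Map<String, Object>> list, PKILevel pKILevel) throws NoSuchAlgorithmException, CertificateException, IOException {
        final int serialBits = 127;
        Date notBefore = new Date();
        Calendar calendar = Calendar.getInstance();
        // Derive notAfter from the same instant as notBefore.
        calendar.setTime(notBefore);
        calendar.add(i, i2);
        Date notAfter = calendar.getTime();

        // Serial numbers must be positive and unpredictable; redraw in the (practically
        // impossible) case of zero. Assumes secRandom is a SecureRandom; confirm at the field.
        BigInteger serial;
        do {
            serial = new BigInteger(serialBits, this.secRandom);
        } while (serial.signum() == 0);

        LOGGER.debug("certification request for subject '" + x500Name2 + "'");
        X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(x500Name, serial, notBefore, notAfter, x500Name2, subjectPublicKeyInfo);

        boolean isCa = PKILevel.ROOT.equals(pKILevel) || PKILevel.INTERMEDIATE.equals(pKILevel);
        KeyUsage keyUsage = isCa
                ? new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign)
                : new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment);
        x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, (ASN1Encodable) new BasicConstraints(isCa));
        x509v3CertificateBuilder.addExtension(Extension.keyUsage, true, (ASN1Encodable) keyUsage);

        if (list != null && !list.isEmpty()) {
            try {
                // Only the extended key usage is taken over from the requested extensions;
                // the request may legitimately not contain one.
                Extension extendedKeyUsage = ExtensionsUtils.getExtensionsObjFromMap(list).getExtension(Extension.extendedKeyUsage);
                if (extendedKeyUsage != null) {
                    x509v3CertificateBuilder.addExtension(extendedKeyUsage);
                }
            } catch (GeneralSecurityException e) {
                LOGGER.debug("problem parsing requested extensions", (Throwable) e);
                // Keep the cause so the parsing failure stays traceable.
                throw new CertificateException(e.getMessage(), e);
            }
        }
        if (generalNames != null) {
            x509v3CertificateBuilder.addExtension(Extension.subjectAlternativeName, false, (ASN1Encodable) generalNames);
            LOGGER.debug("added #" + generalNames.getNames().length + " sans");
        }
        JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
        x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, (ASN1Encodable) jcaX509ExtensionUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo));
        if (!PKILevel.ROOT.equals(pKILevel)) {
            x509v3CertificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, (ASN1Encodable) jcaX509ExtensionUtils.createAuthorityKeyIdentifier(keyPair.getPublic()));
        }
        // Round-trip through the JCA CertificateFactory to return a java.security X509Certificate.
        byte[] encoded = x509v3CertificateBuilder.build(new JCESigner(keyPair.getPrivate())).getEncoded();
        return (X509Certificate) CertificateFactory.getInstance(AbstractWrappedKey.X509_FORMAT).generateCertificate(new ByteArrayInputStream(encoded));
    }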

    /**
     * Builds a CMP revocation response (body type 12) with status
     * {@code revocationNotification}.
     *
     * <p>Only the response message is assembled here; no certificate state is looked up or
     * changed in this method. The recipient is a generated "CN=test cert &lt;millis&gt;" name.
     *
     * @param pKIMessage the incoming request; its header is used to build the response header
     * @param str value handed to {@code getMacCalculator} (presumably the shared MAC secret)
     * @param x500Name sender name of the response
     * @return the DER-encoded response message
     */
    public byte[] buildRevocationResponse(PKIMessage pKIMessage, String str, X500Name x500Name) throws IOException, CRMFException, CMPException {
        final PKIStatusInfo status = new PKIStatusInfo(PKIStatus.revocationNotification);
        final RevRepContent content = new RevRepContentBuilder().add(status).build();
        final X500Name recipient = new X500Name("CN=test cert " + System.currentTimeMillis() + ", O=trustable Ltd, C=DE");
        final ProtectedPKIMessageBuilder responseBuilder = getPKIResponseBuilder(x500Name, recipient, pKIMessage.getHeader());
        responseBuilder.setBody(new PKIBody(PKIBody.TYPE_REVOCATION_REP, content));
        final PKIMessage response = responseBuilder.build(getMacCalculator(str)).toASN1Structure();
        return response.getEncoded();
    }

    /**
     * Builds a CMP error response (body type 23) with status {@code rejection}.
     *
     * <p>The recipient is a generated "CN=test cert &lt;millis&gt;" name. No status text or
     * error code is attached.
     *
     * @param pKIMessage the incoming request; its header is used to build the response header
     * @param str value handed to {@code getMacCalculator} (presumably the shared MAC secret)
     * @param x500Name sender name of the response
     * @return the DER-encoded response message
     */
    public byte[] buildErrorResponse(PKIMessage pKIMessage, String str, X500Name x500Name) throws IOException, CRMFException, CMPException {
        final ErrorMsgContent content = new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection));
        final X500Name recipient = new X500Name("CN=test cert " + System.currentTimeMillis() + ", O=trustable Ltd, C=DE");
        final ProtectedPKIMessageBuilder responseBuilder = getPKIResponseBuilder(x500Name, recipient, pKIMessage.getHeader());
        responseBuilder.setBody(new PKIBody(PKIBody.TYPE_ERROR, content));
        final PKIMessage response = responseBuilder.build(getMacCalculator(str)).toASN1Structure();
        return response.getEncoded();
    }

    /**
     * Reads a CMP revocation response and returns its content.
     *
     * <p>The bytes go through {@code buildPKIMessage}, which verifies the MAC only when the
     * message carries protection; an unprotected response is accepted there with an info
     * log. An error body (type 23) is passed to {@code handleCMPError}, which throws.
     *
     * @param bArr DER-encoded response message
     * @param str shared secret used for MAC verification
     * @return the revocation response content, or {@code null} if the body has no content
     * @throws GeneralSecurityException if verification fails, the body is an error message,
     *     or the body type is neither 12 nor 23
     */
    public RevRepContent readRevResponse(byte[] bArr, String str) throws IOException, GeneralSecurityException {
        final GeneralPKIMessage response = buildPKIMessage(bArr, str);
        final PKIHeader hdr = response.getHeader();

        if (hdr.getRecipNonce() != null) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("recip nonce : " + Base64.toBase64String(hdr.getRecipNonce().getOctets()));
            }
        } else {
            LOGGER.debug("no recip nonce");
        }
        if (hdr.getSenderNonce() != null) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("sender nonce : " + Base64.toBase64String(hdr.getSenderNonce().getOctets()));
            }
        } else {
            LOGGER.debug("no sender nonce");
        }

        final PKIBody payload = response.getBody();
        final int bodyType = payload.getType();
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Received CMP message with pvno=" + hdr.getPvno() + ", sender=" + hdr.getSender().toString() + ", recipient=" + hdr.getRecipient().toString());
            LOGGER.debug("Body is of type: " + bodyType);
            LOGGER.debug("Transaction id: " + hdr.getTransactionID());
        }

        switch (bodyType) {
            case PKIBody.TYPE_ERROR:
                handleCMPError(payload);
                return null;
            case PKIBody.TYPE_REVOCATION_REP:
                break;
            default:
                throw new GeneralSecurityException("unexpected PKI body type :" + bodyType);
        }

        LOGGER.debug("Rev response received");
        if (payload.getContent() == null) {
            return null;
        }
        final RevRepContent content = RevRepContent.getInstance(payload.getContent());
        final CertId[] revoked = content.getRevCerts();
        if (revoked == null) {
            LOGGER.debug("no certId ");
            return content;
        }
        for (CertId id : revoked) {
            LOGGER.info("revoked certId : " + id.getIssuer() + " / " + id.getSerialNumber().getValue());
        }
        return content;
    }

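    /**
     * Reads a CMP general response (body type 22) and returns its content.
     *
     * <p>The bytes are first passed to {@code buildPKIMessage}, which verifies the MAC only
     * when the message carries protection, and are then decoded again for inspection. An
     * error body (type 23) is passed to {@code handleCMPError}, which throws.
     *
     * <p>The log lines in this method previously said "Rev response received" and
     * "no certId", copied from the revocation reader; they now name the general message
     * so that log-based triage is not pointed at the wrong exchange.
     *
     * @param bArr DER-encoded response message
     * @param str shared secret used for MAC verification
     * @return the general message content, or {@code null} if the body has no content
     * @throws GeneralSecurityException if verification fails, nothing could be decoded, the
     *     body is an error message, or the body type is neither 22 nor 23
     */
    public GenMsgContent readGenMsgResponse(byte[] bArr, String str) throws IOException, GeneralSecurityException {
        // Called for its verification side effect; the result is not used below.
        buildPKIMessage(bArr, str);
        PKIMessage pKIMessage = PKIMessage.getInstance(getDERObject(bArr));
        if (pKIMessage == null) {
            throw new GeneralSecurityException("No CMP message could be parsed from received Der object.");
        }
        PKIHeader header = pKIMessage.getHeader();
        if (LOGGER.isDebugEnabled()) {
            if (header.getRecipNonce() == null) {
                LOGGER.debug("no recip nonce");
            } else {
                LOGGER.debug("recip nonce : " + Base64.toBase64String(header.getRecipNonce().getOctets()));
            }
            if (header.getSenderNonce() == null) {
                LOGGER.debug("no sender nonce");
            } else {
                LOGGER.debug("sender nonce : " + Base64.toBase64String(header.getSenderNonce().getOctets()));
            }
        }
        PKIBody body = pKIMessage.getBody();
        int type = body.getType();
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Received CMP message with pvno=" + header.getPvno() + ", sender=" + header.getSender().toString() + ", recipient=" + header.getRecipient().toString());
            LOGGER.debug("Body is of type: " + type);
            LOGGER.debug("Transaction id: " + header.getTransactionID());
        }
        if (type == PKIBody.TYPE_ERROR) {
            handleCMPError(body);
            return null;
        }
        if (type != PKIBody.TYPE_GEN_REP) {
            throw new GeneralSecurityException("unexpected PKI body type :" + type);
        }
        LOGGER.debug("GenMsg response received");
        if (body.getContent() == null) {
            return null;
        }
        GenMsgContent genMsgContent = GenMsgContent.getInstance(body.getContent());
        InfoTypeAndValue[] infoTypeAndValueArray = genMsgContent.toInfoTypeAndValueArray();
        if (infoTypeAndValueArray != null) {
            for (InfoTypeAndValue infoTypeAndValue : infoTypeAndValueArray) {
                LOGGER.info("infoTypeAndValue : " + infoTypeAndValue.getInfoType() + " / " + infoTypeAndValue.getInfoValue());
            }
        } else {
            LOGGER.debug("no infoTypeAndValue ");
        }
        return genMsgContent;
    }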

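    /**
     * Converts a CMP error body into an {@link UnrecoverableEntryException}.
     *
     * <p>The exception message contains the error code, the error details and the
     * concatenated status strings of the error content. This method always throws.
     *
     * <p>The status strings are text supplied in the received message and end up in the
     * log and in the exception message unchanged; treat them as untrusted when displaying.
     *
     * @param pKIBody a body whose content is an ErrorMsgContent
     * @throws UnrecoverableEntryException always, carrying the assembled error text
     */
    private void handleCMPError(PKIBody pKIBody) throws UnrecoverableEntryException {
        ErrorMsgContent errorMsgContent = ErrorMsgContent.getInstance(pKIBody.getContent());
        PKIFreeText statusString = errorMsgContent.getPKIStatusInfo().getStatusString();
        StringBuilder sb = new StringBuilder();
        // The status text is optional; without this check an error message that omits it
        // surfaced as a NullPointerException instead of the declared exception.
        int entries = statusString == null ? 0 : statusString.size();
        for (int i = 0; i < entries; i++) {
            try {
                sb.append(StringUtils.SPACE).append(statusString.getStringAt(i).getString());
            } catch (NullPointerException ignored) {
                // Best effort: an unreadable entry is skipped, the rest is still reported.
            }
        }
        String str = "errMsg : #" + errorMsgContent.getErrorCode() + StringUtils.SPACE + errorMsgContent.getErrorDetails() + " / " + sb;
        // Every entry is appended with a leading space, so the collected text has to be
        // trimmed before comparing; untrimmed, this branch could never be taken.
        if ("Can not handle message type '21'.".equals(sb.toString().trim())) {
            LOGGER.debug(str);
        } else {
            LOGGER.info(str);
        }
        throw new UnrecoverableEntryException(str);
    }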

    /**
     * Builds a CMP general message request (body type 21) with no InfoTypeAndValue entries.
     *
     * <p>The message is addressed from the fixed name "CN=User1" or "CN=AdminCA1" pair
     * passed to {@code getPKIBuilder} and protected with the calculator returned by
     * {@code getMacCalculator(str)}. The sender nonce is written to the debug log.
     *
     * @param str value handed to {@code getMacCalculator} (presumably the shared MAC secret)
     * @return the protected request message
     */
    public PKIMessage buildGeneralMessageRequest(String str) throws CRMFException, CMPException {
        final GenMsgContent emptyContent = new GenMsgContent(new InfoTypeAndValue[0]);
        final X500Name caName = X500Name.getInstance(new X500Name("CN=AdminCA1").toASN1Primitive());
        final X500Name userName = X500Name.getInstance(new X500Name("CN=User1").toASN1Primitive());
        final ProtectedPKIMessageBuilder requestBuilder = getPKIBuilder(caName, userName);
        requestBuilder.setBody(new PKIBody(PKIBody.TYPE_GEN_MSG, emptyContent));
        final PKIMessage request = requestBuilder.build(getMacCalculator(str)).toASN1Structure();
        final String nonceText = Base64.toBase64String(request.getHeader().getSenderNonce().getOctets());
        LOGGER.debug("sender nonce : " + nonceText);
        return request;
    }

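    /**
     * Builds a CMP certificate request (body type 0) for the given subject and public key.
     *
     * <p>The issuer in the template is the fixed name "CN=AdminCA1". The request is marked
     * with {@code setProofOfPossessionRaVerified()}, i.e. it asserts that proof of
     * possession was checked by an RA; no signature by the key holder is produced here, so
     * the caller is responsible for having verified possession of the private key.
     *
     * @param j certificate request id
     * @param x500Name subject name, also used as auth-info sender
     * @param collection extensions to request; {@code null} is treated as none
     * @param subjectPublicKeyInfo public key to certify
     * @param str value handed to {@code getMacCalculator} (presumably the shared MAC secret)
     * @return the protected request message
     * @throws GeneralSecurityException if building the request fails; the original
     *     exception is attached as cause
     */
    public PKIMessage buildCertRequest(long j, X500Name x500Name, Collection<Extension> collection, SubjectPublicKeyInfo subjectPublicKeyInfo, String str) throws GeneralSecurityException {
        CertificateRequestMessageBuilder certificateRequestMessageBuilder = new CertificateRequestMessageBuilder(BigInteger.valueOf(j));
        X500Name x500Name2 = X500Name.getInstance(new X500Name("CN=AdminCA1").toASN1Primitive());
        certificateRequestMessageBuilder.setSubject(x500Name);
        certificateRequestMessageBuilder.setIssuer(x500Name2);
        try {
            if (collection != null) {
                for (Extension extension : collection) {
                    LOGGER.debug("Csr Extension : " + extension.getExtnId().getId() + " -> " + extension.getExtnValue());
                    certificateRequestMessageBuilder.addExtension(extension.getExtnId(), extension.isCritical(), extension.getParsedValue());
                }
            }
            certificateRequestMessageBuilder.setPublicKey(subjectPublicKeyInfo);
            certificateRequestMessageBuilder.setAuthInfoSender(new GeneralName(x500Name));
            certificateRequestMessageBuilder.setProofOfPossessionRaVerified();
            CertificateRequestMessage build = certificateRequestMessageBuilder.build();
            LOGGER.debug("CertTemplate : " + build.getCertTemplate());
            ProtectedPKIMessageBuilder pKIBuilder = getPKIBuilder(x500Name2, x500Name);
            pKIBuilder.setBody(new PKIBody(PKIBody.TYPE_INIT_REQ, new CertReqMessages(build.toASN1Structure())));
            return pKIBuilder.build(getMacCalculator(str)).toASN1Structure();
        } catch (IOException | CMPException | CRMFException e) {
            LOGGER.warn("Exception occured processing extensions", (Throwable) e);
            // Attach the cause; the message alone loses the failing exception type and stack.
            throw new GeneralSecurityException(e.getMessage(), e);
        }
    }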

    /**
     * Builds a CMP revocation request (body type 11) for one certificate, identified by
     * issuer name and serial number, with the given reason code.
     *
     * <p>The message is protected with the calculator returned by
     * {@code getMacCalculator(str)}. The sender nonce is written to the debug log.
     *
     * @param j not used by this method
     * @param x500Name issuer of the certificate to revoke; also passed first to {@code getPKIBuilder}
     * @param x500Name2 passed second to {@code getPKIBuilder}
     * @param bigInteger serial number of the certificate to revoke
     * @param cRLReason revocation reason, sent as non-critical reasonCode extension
     * @param str value handed to {@code getMacCalculator} (presumably the shared MAC secret)
     * @return the DER-encoded request message
     */
    public byte[] buildRevocationRequest(long j, X500Name x500Name, X500Name x500Name2, BigInteger bigInteger, CRLReason cRLReason, String str) throws IOException, CRMFException, CMPException {
        // Template naming the certificate to revoke.
        final CertTemplateBuilder templateBuilder = new CertTemplateBuilder();
        templateBuilder.setIssuer(x500Name);
        templateBuilder.setSerialNumber(new ASN1Integer(bigInteger));

        // CRL entry details: only the reason code is supplied.
        final ExtensionsGenerator crlEntryDetails = new ExtensionsGenerator();
        crlEntryDetails.addExtension(Extension.reasonCode, false, (ASN1Encodable) cRLReason);
        final Extensions reasonExtensions = crlEntryDetails.generate();

        // RevDetails ::= SEQUENCE { certDetails, crlEntryDetails }
        final ASN1EncodableVector revDetailsFields = new ASN1EncodableVector();
        revDetailsFields.add(templateBuilder.build());
        revDetailsFields.add(reasonExtensions);
        final RevDetails revDetails = RevDetails.getInstance(new DERSequence(revDetailsFields));

        final ProtectedPKIMessageBuilder requestBuilder = getPKIBuilder(x500Name, x500Name2);
        requestBuilder.setBody(new PKIBody(PKIBody.TYPE_REVOCATION_REQ, new RevReqContent(revDetails)));
        final PKIMessage request = requestBuilder.build(getMacCalculator(str)).toASN1Structure();
        if (LOGGER.isDebugEnabled()) {
            final String nonceText = Base64.toBase64String(request.getHeader().getSenderNonce().getOctets());
            LOGGER.debug("sender nonce : " + nonceText);
        }
        return request.getEncoded();
    }

    /**
     * Parses a received CMP message and, if it carries protection, verifies it against
     * the shared secret.
     *
     * <p>NOTE(review): a message WITHOUT protection is not rejected. It is returned to the
     * caller after an info-level log entry, so a peer that strips the protection field
     * bypasses the MAC check. Confirm that this is intended; otherwise callers need to
     * check {@code hasProtection()} themselves, and the content-protection logger should
     * be monitored.
     *
     * @param bArr DER-encoded message
     * @param str shared secret for the MAC check
     * @return the parsed message
     * @throws GeneralSecurityException if the MAC does not verify or verification fails
     *     with a CMP/CRMF error (attached as cause)
     */
    private GeneralPKIMessage buildPKIMessage(byte[] bArr, String str) throws IOException, GeneralSecurityException {
        final GeneralPKIMessage received = new GeneralPKIMessage(bArr);
        printPKIMessageInfo(received);

        if (!received.hasProtection()) {
            LOGGERContentProtection.info("received response message contains NO content protection!");
            return received;
        }

        final boolean macValid;
        try {
            macValid = new ProtectedPKIMessage(received).verify(getMacCalculatorBuilder(), str.toCharArray());
        } catch (CMPException | CRMFException e) {
            throw new GeneralSecurityException(e);
        }
        if (!macValid) {
            throw new GeneralSecurityException("received response message failed verification (by HMAC)!");
        }
        LOGGERContentProtection.debug("received response message verified successfully by HMAC");
        return received;
    }
}
