package blended.security.scep.internal;

import blended.security.ssl.CertificateHolder;
import blended.security.ssl.CertificateHolder$;
import blended.security.ssl.CertificateProvider;
import blended.security.ssl.CertificateRequestBuilder;
import blended.security.ssl.CommonNameProvider;
import blended.security.ssl.MemoryKeystore;
import blended.security.ssl.SelfSignedCertificateProvider;
import blended.security.ssl.SelfSignedConfig;
import blended.util.logging.Logger;
import blended.util.logging.Logger$;
import java.io.StringWriter;
import java.math.BigInteger;
import java.net.URL;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.jscep.client.Client;
import org.jscep.client.DefaultCallbackHandler;
import org.jscep.client.EnrollmentResponse;
import org.jscep.client.verification.OptimisticCertificateVerifier;
import org.jscep.transaction.FailInfo;
import org.jscep.transport.response.Capabilities;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Predef$ArrowAssoc$;
import scala.Some;
import scala.Tuple2;
import scala.collection.JavaConverters$;
import scala.collection.TraversableOnce;
import scala.collection.immutable.List;
import scala.collection.immutable.List$;
import scala.reflect.ClassTag$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxedUnit;
import scala.sys.package$;
import scala.util.Try;
import scala.util.Try$;

/* compiled from: ScepCertificateProvider.scala */
@ScalaSignature(bytes = "\u0006\u0001\u0005Ea\u0001B\u0006\r\u0001UA\u0001\"\n\u0001\u0003\u0002\u0003\u0006IA\n\u0005\u0006U\u0001!\ta\u000b\u0005\t]\u0001A)\u0019)C\u0005_!A\u0001\b\u0001ECB\u0013%\u0011\b\u0003\u0005E\u0001!\u0015\r\u0015\"\u0003F\u0011\u0015q\u0005\u0001\"\u0011P\u0011\u0015Y\u0006\u0001\"\u0011]\u0011\u0019I\u0007\u0001)C\u0005U\")A\u000e\u0001C\u0005[\"A\u0011q\u0001\u0001!\n\u0013\tIAA\fTG\u0016\u00048)\u001a:uS\u001aL7-\u0019;f!J|g/\u001b3fe*\u0011QBD\u0001\tS:$XM\u001d8bY*\u0011q\u0002E\u0001\u0005g\u000e,\u0007O\u0003\u0002\u0012%\u0005A1/Z2ve&$\u0018PC\u0001\u0014\u0003\u001d\u0011G.\u001a8eK\u0012\u001c\u0001a\u0005\u0003\u0001-q\u0011\u0003CA\f\u001b\u001b\u0005A\"\"A\r\u0002\u000bM\u001c\u0017\r\\1\n\u0005mA\"AB!osJ+g\r\u0005\u0002\u001eA5\taD\u0003\u0002 !\u0005\u00191o\u001d7\n\u0005\u0005r\"!G\"feRLg-[2bi\u0016\u0014V-];fgR\u0014U/\u001b7eKJ\u0004\"!H\u0012\n\u0005\u0011r\"aE\"feRLg-[2bi\u0016\u0004&o\u001c<jI\u0016\u0014\u0018aA2gOB\u0011q\u0005K\u0007\u0002\u0019%\u0011\u0011\u0006\u0004\u0002\u000b'\u000e,\u0007oQ8oM&<\u0017A\u0002\u001fj]&$h\b\u0006\u0002-[A\u0011q\u0005\u0001\u0005\u0006K\t\u0001\rAJ\u0001\u0004Y><W#\u0001\u0019\u0011\u0005E2T\"\u0001\u001a\u000b\u0005M\"\u0014a\u00027pO\u001eLgn\u001a\u0006\u0003kI\tA!\u001e;jY&\u0011qG\r\u0002\u0007\u0019><w-\u001a:\u0002\u0015M\u001cW\r]\"mS\u0016tG/F\u0001;!\tY$)D\u0001=\u0015\tid(\u0001\u0004dY&,g\u000e\u001e\u0006\u0003\u007f\u0001\u000bQA[:dKBT\u0011!Q\u0001\u0004_J<\u0017BA\"=\u0005\u0019\u0019E.[3oi\u0006!1-\u00199t+\u00051\u0005CA$M\u001b\u0005A%BA%K\u0003!\u0011Xm\u001d9p]N,'BA&?\u0003%!(/\u00198ta>\u0014H/\u0003\u0002N\u0011\na1)\u00199bE&d\u0017\u000e^5fg\u0006\u0001\"o\\8u\u0007\u0016\u0014H/\u001b4jG\u0006$Xm\u001d\u000b\u0002!B\u0019\u0011kU+\u000e\u0003IS!!\u000e\r\n\u0005Q\u0013&a\u0001+ssB\u0019qC\u0016-\n\u0005]C\"AB(qi&|g\u000e\u0005\u0002\u001e3&\u0011!L\b\u0002\u000f\u001b\u0016lwN]=LKf\u001cHo\u001c:f\u0003I\u0011XM\u001a:fg\"\u001cUM\u001d;jM&\u001c\u00
17\r^3\u0015\u0007u\u000bG\rE\u0002R'z\u0003\"!H0\n\u0005\u0001t\"!E\"feRLg-[2bi\u0016Du\u000e\u001c3fe\")!m\u0002a\u0001G\u0006AQ\r_5ti&tw\rE\u0002\u0018-zCQ!Z\u0004A\u0002\u0019\f!b\u00198Qe>4\u0018\u000eZ3s!\tir-\u0003\u0002i=\t\u00112i\\7n_:t\u0015-\\3Qe>4\u0018\u000eZ3s\u0003U\u0019X\r\u001c4TS\u001etW\rZ\"feRLg-[2bi\u0016$\"!X6\t\u000b\u0015D\u0001\u0019\u00014\u0002\u000f\u0011,X\u000e]\"teR\u0011a.\u001f\t\u0003_Zt!\u0001\u001d;\u0011\u0005EDR\"\u0001:\u000b\u0005M$\u0012A\u0002\u001fs_>$h(\u0003\u0002v1\u00051\u0001K]3eK\u001aL!a\u001e=\u0003\rM#(/\u001b8h\u0015\t)\b\u0004C\u0003{\u0013\u0001\u000710A\u0002dgJ\u00042\u0001`A\u0002\u001b\u0005i(B\u0001@��\u0003\u0011\u00018nY:\u000b\u0007\u0005\u0005\u0001)\u0001\u0007c_Vt7-_2bgRdW-C\u0002\u0002\u0006u\u0014!\u0004U&D'F\u00024)\u001a:uS\u001aL7-\u0019;j_:\u0014V-];fgR\fa!\u001a8s_2dG#B/\u0002\f\u0005=\u0001BBA\u0007\u0015\u0001\u00071-\u0001\u0004j]\u000e+'\u000f\u001e\u0005\u0006K*\u0001\rA\u001a")
/* loaded from: input_file:blended/security/scep/internal/ScepCertificateProvider.class */
/**
 * SCEP-backed {@code CertificateProvider}: obtains and renews a server certificate
 * from the SCEP server named by {@code cfg.url()}, using a jscep {@link Client}.
 *
 * <p>This is decompiler (JADX) output of a Scala class; the {@code $lzycompute}
 * methods, {@code bitmap$0} flags, {@code BoxedUnit} locals and the
 * {@code ?? r0} locals are artefacts of Scala's lazy-val encoding, not hand-written
 * Java. The source is {@code ScepCertificateProvider.scala}.
 *
 * <p>Points a reviewer should be aware of (each is noted again at the line):
 * <ul>
 *   <li>The SCEP client is built with jscep's {@code OptimisticCertificateVerifier}
 *       (see {@code scepClient$lzycompute}); the CA certificate returned by the server
 *       therefore appears to be accepted without any out-of-band check.</li>
 *   <li>{@code enroll} writes the PEM-encoded CSR to stdout via {@code println}; the CSR
 *       carries the SCEP challenge password as a PKCS#9 attribute, so the secret ends
 *       up in process output.</li>
 *   <li>The PENDING loop in {@code enroll} never re-queries the server.</li>
 * </ul>
 */
public class ScepCertificateProvider implements CertificateRequestBuilder, CertificateProvider {
    // Lazily initialised (bit 1 of bitmap$0); see log$lzycompute.
    private Logger log;
    // Lazily initialised (bit 2 of bitmap$0); see scepClient$lzycompute.
    private Client scepClient;
    // Lazily initialised (bit 4 of bitmap$0); CA capabilities fetched from the server.
    private Capabilities caps;
    private final ScepConfig cfg;
    // Logger owned by the mixed-in CertificateRequestBuilder trait; set once by the
    // trait setter below during construction.
    private final Logger blended$security$ssl$CertificateRequestBuilder$$log;
    // Scala lazy-val initialisation flags: bit 1 = log, bit 2 = scepClient, bit 4 = caps.
    private volatile byte bitmap$0;

    /**
     * Forwarder to the {@code CertificateRequestBuilder} trait implementation; this
     * class adds no behaviour of its own here.
     */
    public Try<X509v3CertificateBuilder> hostCertificateRequest(CommonNameProvider commonNameProvider, KeyPair keyPair, BigInteger bigInteger, int i, Option<CertificateHolder> option) {
        return CertificateRequestBuilder.hostCertificateRequest$(this, commonNameProvider, keyPair, bigInteger, i, option);
    }

    /** Trait-provided default for the third parameter of {@link #hostCertificateRequest}. */
    public BigInteger hostCertificateRequest$default$3() {
        return CertificateRequestBuilder.hostCertificateRequest$default$3$(this);
    }

    /** Trait-provided default for the fourth parameter of {@link #hostCertificateRequest}. */
    public int hostCertificateRequest$default$4() {
        return CertificateRequestBuilder.hostCertificateRequest$default$4$(this);
    }

    /** Trait-provided default for the fifth parameter of {@link #hostCertificateRequest}. */
    public Option<CertificateHolder> hostCertificateRequest$default$5() {
        return CertificateRequestBuilder.hostCertificateRequest$default$5$(this);
    }

    /** Accessor for the trait's logger field (Scala trait-field encoding). */
    public Logger blended$security$ssl$CertificateRequestBuilder$$log() {
        return this.blended$security$ssl$CertificateRequestBuilder$$log;
    }

    /** Trait-field setter invoked from {@code CertificateRequestBuilder.$init$} in the constructor. */
    public final void blended$security$ssl$CertificateRequestBuilder$_setter_$blended$security$ssl$CertificateRequestBuilder$$log_$eq(Logger logger) {
        this.blended$security$ssl$CertificateRequestBuilder$$log = logger;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0 */
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v10, types: [blended.security.scep.internal.ScepCertificateProvider] */
    /**
     * Slow path of the lazy {@code log} val: under the instance monitor, creates the
     * logger for this class once and sets bit 1 of {@code bitmap$0}.
     */
    private Logger log$lzycompute() {
        ?? r0 = this;
        synchronized (r0) {
            if (((byte) (this.bitmap$0 & 1)) == 0) {
                this.log = Logger$.MODULE$.apply(ClassTag$.MODULE$.apply(ScepCertificateProvider.class));
                r0 = this;
                r0.bitmap$0 = (byte) (this.bitmap$0 | 1);
            }
        }
        return this.log;
    }

    /** Lazy accessor: unsynchronised fast path on the volatile flag, slow path otherwise. */
    private Logger log() {
        return ((byte) (this.bitmap$0 & 1)) == 0 ? log$lzycompute() : this.log;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0 */
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v10, types: [blended.security.scep.internal.ScepCertificateProvider] */
    /**
     * Slow path of the lazy {@code scepClient} val: builds the jscep {@link Client}
     * for {@code cfg.url()} once and sets bit 2 of {@code bitmap$0}.
     */
    private Client scepClient$lzycompute() {
        ?? r0 = this;
        synchronized (r0) {
            if (((byte) (this.bitmap$0 & 2)) == 0) {
                // NOTE(review): the callback handler is built around OptimisticCertificateVerifier.
                // Judging by its name this verifier accepts whatever CA certificate the server
                // presents; nothing on this class pins or fingerprints the CA. Confirm against
                // jscep; if so, the trust root obtained in rootCertificates() is only as
                // trustworthy as the network path to cfg.url().
                this.scepClient = new Client(new URL(this.cfg.url()), new DefaultCallbackHandler(new OptimisticCertificateVerifier()));
                r0 = this;
                r0.bitmap$0 = (byte) (this.bitmap$0 | 2);
            }
        }
        return this.scepClient;
    }

    /** Lazy accessor for the SCEP client; see {@link #scepClient$lzycompute}. */
    private Client scepClient() {
        return ((byte) (this.bitmap$0 & 2)) == 0 ? scepClient$lzycompute() : this.scepClient;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Slow path of the lazy {@code caps} val: queries the CA capabilities once, with
     * the configured profile when {@code cfg.profile()} is a {@code Some}, and sets
     * bit 4 of {@code bitmap$0}. This is a network round trip on first use.
     */
    private Capabilities caps$lzycompute() {
        Capabilities caCapabilities;
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 4)) == 0) {
                // Decompiler typed this as Some; the Scala source matches an Option.
                Some profile = this.cfg.profile();
                if (None$.MODULE$.equals(profile)) {
                    caCapabilities = scepClient().getCaCapabilities();
                } else {
                    if (!(profile instanceof Some)) {
                        throw new MatchError(profile);
                    }
                    caCapabilities = scepClient().getCaCapabilities((String) profile.value());
                }
                this.caps = caCapabilities;
                this.bitmap$0 = (byte) (this.bitmap$0 | 4);
            }
        }
        return this.caps;
    }

    /** Lazy accessor for the CA capabilities; see {@link #caps$lzycompute}. */
    private Capabilities caps() {
        return ((byte) (this.bitmap$0 & 4)) == 0 ? caps$lzycompute() : this.caps;
    }

    /**
     * Fetches the CA certificate chain from the SCEP server and wraps it in a
     * {@link MemoryKeystore} under the alias {@code "ca"}.
     *
     * @return {@code Success(Some(keystore))}, or a {@code Failure} if the download or
     *         {@code CertificateHolder.create(...)} fails (the inner {@code .get()} rethrows
     *         inside the {@code Try} body, so the failure is captured, not propagated).
     */
    public Try<Option<MemoryKeystore>> rootCertificates() {
        return Try$.MODULE$.apply(() -> {
            // NOTE(review): these certificates come over the connection set up with the
            // optimistic verifier (see scepClient$lzycompute) and become the trust root.
            return new Some(new MemoryKeystore(Predef$.MODULE$.Map().apply(Predef$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("ca"), CertificateHolder$.MODULE$.create(((TraversableOnce) JavaConverters$.MODULE$.collectionAsScalaIterableConverter(this.scepClient().getCaCertificate().getCertificates(null)).asScala()).toList()).get())}))));
        });
    }

    /**
     * Entry point of the {@code CertificateProvider} contract: performs an initial
     * enrolment when {@code option} is {@code None}, or a renewal of the given holder
     * when it is {@code Some}. All work is delegated to {@link #enroll}.
     *
     * @param option             the currently held certificate, if any
     * @param commonNameProvider supplies the subject CN and alternative names
     * @return the enrolment result as a {@code Try}
     */
    public Try<CertificateHolder> refreshCertificate(Option<CertificateHolder> option, CommonNameProvider commonNameProvider) {
        Try<CertificateHolder> enroll;
        log().info(() -> {
            return new StringBuilder(57).append("Trying to refresh the server certificate via SCEP from [").append(this.cfg.url()).append("]").toString();
        });
        if (None$.MODULE$.equals(option)) {
            log().info(() -> {
                return "Obtaining initial server certificate from SCEP server.";
            });
            enroll = enroll(None$.MODULE$, commonNameProvider);
        } else {
            if (!(option instanceof Some)) {
                throw new MatchError(option);
            }
            CertificateHolder certificateHolder = (CertificateHolder) ((Some) option).value();
            log().info(() -> {
                return "Refreshing certificate previously obtained from SCEP server.";
            });
            enroll = enroll(new Some(certificateHolder), commonNameProvider);
        }
        return enroll;
    }

    /**
     * Generates a throw-away self-signed certificate whose key pair is used to sign
     * the initial SCEP request. Key length comes from {@code cfg.keyLength()}, the
     * signature algorithm from the CA capabilities (strongest advertised).
     * The trailing {@code 1} is passed straight to {@code SelfSignedConfig}; presumably
     * a validity period — confirm against that class.
     */
    private Try<CertificateHolder> selfSignedCertificate(CommonNameProvider commonNameProvider) {
        return new SelfSignedCertificateProvider(new SelfSignedConfig(commonNameProvider, this.cfg.keyLength(), caps().getStrongestSignatureAlgorithm(), 1)).refreshCertificate(None$.MODULE$, commonNameProvider);
    }

    /**
     * PEM-encodes a CSR into a String.
     *
     * <p>NOTE(review): the CSR built in {@link #enroll} carries the SCEP challenge
     * password as a {@code pkcs_9_at_challengePassword} attribute, so the returned
     * text contains that secret. Treat the output as sensitive; see the
     * {@code println} call in {@code enroll}.
     */
    private String dumpCsr(PKCS10CertificationRequest pKCS10CertificationRequest) {
        StringWriter stringWriter = new StringWriter();
        PEMWriter pEMWriter = new PEMWriter(stringWriter);
        pEMWriter.writeObject(pKCS10CertificationRequest);
        pEMWriter.close();
        stringWriter.close();
        return stringWriter.toString();
    }

    /**
     * Builds a PKCS#10 request and submits it to the SCEP server.
     *
     * <p>Flow, as visible below: pick the signing identity (fresh self-signed holder for
     * initial enrolment, the existing holder for renewal); build a CSR for the CN with
     * the challenge password attribute and, if any, a subjectAltName extension request;
     * sign it with {@code cfg.csrSignAlgorithm()}; call {@code Client.enrol}; wait while
     * the response is pending; fail on a FailInfo; otherwise wrap the returned
     * certificates in a {@link CertificateHolder}.
     *
     * @param option             existing holder for renewal, {@code None} for initial enrolment
     * @param commonNameProvider supplies CN and alternative DNS names
     * @return {@code Success(holder)} or {@code Failure} with the underlying exception
     */
    private Try<CertificateHolder> enroll(Option<CertificateHolder> option, CommonNameProvider commonNameProvider) {
        return Try$.MODULE$.apply(() -> {
            CertificateHolder certificateHolder;
            // A self-signed holder (and key pair) is generated unconditionally; in the
            // renewal branch below it is discarded, so that key generation is wasted work.
            CertificateHolder certificateHolder2 = (CertificateHolder) this.selfSignedCertificate(commonNameProvider).get();
            if (None$.MODULE$.equals(option)) {
                this.log().info(() -> {
                    return new StringBuilder(54).append("Requesting initial certificate from SCEP server at [").append(this.cfg.url()).append("].").toString();
                });
                certificateHolder = certificateHolder2;
            } else {
                if (!(option instanceof Some)) {
                    throw new MatchError(option);
                }
                CertificateHolder certificateHolder3 = (CertificateHolder) ((Some) option).value();
                this.log().info(() -> {
                    return new StringBuilder(46).append("Refreshing certificate from SCEP server at [").append(this.cfg.url()).append("].").toString();
                });
                certificateHolder = certificateHolder3;
            }
            CertificateHolder certificateHolder4 = certificateHolder;
            // On renewal the CSR reuses the existing holder's key pair (same public key,
            // same private key), i.e. the key is not rotated when the certificate is.
            PrivateKey privateKey = (PrivateKey) certificateHolder4.privateKey().get();
            JcaPKCS10CertificationRequestBuilder jcaPKCS10CertificationRequestBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Principal((String) commonNameProvider.commonName().get()), certificateHolder4.publicKey());
            // The SCEP challenge password is embedded in the CSR itself.
            jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, new DERPrintableString(this.cfg.scepChallenge()));
            if (((TraversableOnce) commonNameProvider.alternativeNames().get()).nonEmpty()) {
                // GeneralName tag 2 is dNSName.
                GeneralNames generalNames = new GeneralNames((GeneralName[]) ((TraversableOnce) ((List) commonNameProvider.alternativeNames().get()).map(str -> {
                    this.log().info(() -> {
                        return new StringBuilder(59).append("Adding alternative dns name [").append(str).append("] to SCEP certificate request.").toString();
                    });
                    return new GeneralName(2, str);
                }, List$.MODULE$.canBuildFrom())).toArray(ClassTag$.MODULE$.apply(GeneralName.class)));
                ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
                extensionsGenerator.addExtension(Extension.subjectAlternativeName, false, (ASN1Encodable) generalNames);
                BoxedUnit boxedUnit = BoxedUnit.UNIT;
                jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());
            } else {
                BoxedUnit boxedUnit2 = BoxedUnit.UNIT;
            }
            PKCS10CertificationRequest build = jcaPKCS10CertificationRequestBuilder.build(new JcaContentSignerBuilder(this.cfg.csrSignAlgorithm()).build(privateKey));
            // NOTE(review): this prints the full PEM CSR, including the challenge password
            // attribute added above, to stdout on every enrolment. Looks like leftover
            // debugging; it should be removed, or at most logged at debug level with the
            // challenge attribute stripped.
            Predef$.MODULE$.println(this.dumpCsr(build));
            // Signer certificate is the head of the chosen holder's chain: the self-signed
            // cert for initial enrolment, the previously issued cert for renewal.
            EnrollmentResponse enrol = this.scepClient().enrol((X509Certificate) certificateHolder4.chain().head(), privateKey, build);
            // NOTE(review): `enrol` is never reassigned inside this loop, so unless
            // isPending() re-contacts the server on each call, a PENDING reply loops here
            // forever (jscep normally requires a poll call to advance the transaction).
            // There is also no bound on the number of iterations — confirm and add one.
            while (enrol.isPending()) {
                this.log().info(() -> {
                    return new StringBuilder(32).append("Waiting for PKI response from [").append(this.cfg.url()).append("]").toString();
                });
                Thread.sleep(1000L);
            }
            if (enrol.isFailure()) {
                FailInfo failInfo = enrol.getFailInfo();
                this.log().error(() -> {
                    return new StringBuilder(35).append("Certificate provisioning failed: [").append(failInfo).append("]").toString();
                });
                // sys.error throws a RuntimeException, which the enclosing Try captures.
                throw package$.MODULE$.error(failInfo.toString());
            }
            List list = ((TraversableOnce) JavaConverters$.MODULE$.collectionAsScalaIterableConverter(enrol.getCertStore().getCertificates(null)).asScala()).toList();
            this.log().info(() -> {
                return new StringBuilder(34).append("Retrieved [").append(list.length()).append("] certificates from [").append(this.cfg.url()).append("].").toString();
            });
            // Whether `list` is ordered or contains only the issued certificate is decided by
            // CertificateHolder.create, which is not visible here.
            return (CertificateHolder) CertificateHolder$.MODULE$.create(certificateHolder4.publicKey(), new Some(privateKey), list).get();
        });
    }

    /**
     * @param scepConfig provides url, profile, keyLength, scepChallenge and csrSignAlgorithm
     *                   as used throughout this class. Trait initialisers run here, which is
     *                   where the trait logger field is assigned.
     */
    public ScepCertificateProvider(ScepConfig scepConfig) {
        this.cfg = scepConfig;
        CertificateRequestBuilder.$init$(this);
        CertificateProvider.$init$(this);
    }
}
