package net.maritimeconnectivity.pki;

import java.io.BufferedWriter;
import java.io.FileWriter;
import java.io.IOException;
import java.security.AuthProvider;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.TimeZone;
import net.maritimeconnectivity.pki.exception.PKIRuntimeException;
import net.maritimeconnectivity.pki.pkcs11.P11PKIConfiguration;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.OCSPResponse;
import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
import org.bouncycastle.asn1.ocsp.ResponseBytes;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.OCSPRespBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/maritimeconnectivity/pki/Revocation.class */
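public class Revocation {
    private static final Logger log = LoggerFactory.getLogger(Revocation.class);

    /**
     * Maps a lower-case revocation reason name to its numeric CRL reason code.
     *
     * <p>The returned values follow the CRLReason numbering of RFC 5280 (note that 7 is unused,
     * so {@code removefromcrl} is 8). Matching is exact and case-sensitive: any string that is not
     * one of the nine names below, including a differently-cased one, yields 0 (unspecified).
     * Callers that accept reason names from a request should normalise and validate them before
     * calling, otherwise a typo silently downgrades the recorded reason to "unspecified".
     *
     * @param str the reason name, e.g. {@code "keycompromise"}; must not be {@code null}
     * @return the CRL reason code, or 0 when the name is not recognised
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public static int getCRLReasonFromString(String str) {
        Objects.requireNonNull(str, "str");
        switch (str) {
            case "keycompromise":
                return 1;
            case "cacompromise":
                return 2;
            case "affiliationchanged":
                return 3;
            case "superseded":
                return 4;
            case "cessationofoperation":
                return 5;
            case "certificatehold":
                return 6;
            case "removefromcrl":
                return 8;
            case "privilegewithdrawn":
                return 9;
            case "aacompromise":
                return 10;
            default:
                return 0;
        }
    }

    /**
     * Builds and signs a CRL whose nextUpdate is seven days after the moment of generation.
     *
     * <p>The issuer name is taken from the subject of the certificate in {@code privateKeyEntry}.
     * When {@code pKIConfiguration} is a {@link P11PKIConfiguration} its provider does the signing;
     * this method does not log in to that provider itself.
     *
     * @param list the revoked certificates to list; {@code null} is treated as an empty list
     * @param privateKeyEntry the signing key and the issuer certificate
     * @param pKIConfiguration selects the signing provider
     * @return the signed CRL, or {@code null} if building, signing or converting it failed (the
     *     failure is logged); callers must check for {@code null} before publishing
     */
    public static X509CRL generateCRL(List<RevocationInfo> list, KeyStore.PrivateKeyEntry privateKeyEntry, PKIConfiguration pKIConfiguration) {
        Date thisUpdate = Date.from(Instant.now());
        Calendar nextUpdate = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
        nextUpdate.setTime(thisUpdate);
        nextUpdate.add(Calendar.DATE, 7);
        try {
            // NOTE(review): the issuer is rebuilt from the subject's string form rather than reused
            // as-is; this may change the string encoding of the name, which matters to validators
            // that compare issuer and subject byte-for-byte. Confirm against deployed relying parties.
            X500Name issuer = new X500Name(new JcaX509CertificateHolder((X509Certificate) privateKeyEntry.getCertificate()).getSubject().toString());
            X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, thisUpdate);
            crlBuilder.setNextUpdate(nextUpdate.getTime());
            if (list != null) {
                for (RevocationInfo revocationInfo : list) {
                    // NOTE(review): ordinal() is used as the reason code, so this relies on the
                    // enum's declaration order matching the RFC 5280 numbering. Verify against
                    // RevocationInfo.
                    crlBuilder.addCRLEntry(revocationInfo.getSerialNumber(), revocationInfo.getRevokedAt(), revocationInfo.getRevokeReason().ordinal());
                }
            }
            JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(PKIConstants.SIGNER_ALGORITHM);
            if (pKIConfiguration instanceof P11PKIConfiguration) {
                signerBuilder.setProvider(((P11PKIConfiguration) pKIConfiguration).getProvider());
            } else {
                signerBuilder.setProvider(PKIConstants.BC_PROVIDER_NAME);
            }
            X509CRLHolder crlHolder = crlBuilder.build(signerBuilder.build(privateKeyEntry.getPrivateKey()));
            JcaX509CRLConverter converter = new JcaX509CRLConverter();
            converter.setProvider(PKIConstants.BC_PROVIDER_NAME);
            return converter.getCRL(crlHolder);
        } catch (CertificateEncodingException | OperatorCreationException | CRLException e) {
            log.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Builds and signs a root CA CRL valid for one year and writes it as PEM to a file.
     *
     * @param str the issuer distinguished name in string form
     * @param list the revoked certificates to list; may be {@code null}
     * @param privateKeyEntry the root CA signing key
     * @param str2 the path of the file the PEM-encoded CRL is written to
     * @param authProvider the provider that signs, or {@code null} to use the default provider
     * @throws PKIRuntimeException if the signed CRL cannot be converted to an {@link X509CRL}
     */
    public static void generateRootCACRL(String str, List<RevocationInfo> list, KeyStore.PrivateKeyEntry privateKeyEntry, String str2, AuthProvider authProvider) {
        Date thisUpdate = Date.from(Instant.now());
        Calendar nextUpdate = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
        nextUpdate.setTime(thisUpdate);
        nextUpdate.add(Calendar.YEAR, 1);
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(new X500Name(str), thisUpdate);
        crlBuilder.setNextUpdate(nextUpdate.getTime());
        if (list != null) {
            for (RevocationInfo revocationInfo : list) {
                // NOTE(review): ordinal() is used as the reason code; relies on the enum's
                // declaration order matching the RFC 5280 numbering. Verify against RevocationInfo.
                crlBuilder.addCRLEntry(revocationInfo.getSerialNumber(), revocationInfo.getRevokedAt(), revocationInfo.getRevokeReason().ordinal());
            }
        }
        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(PKIConstants.SIGNER_ALGORITHM);
        if (authProvider != null) {
            signerBuilder.setProvider(authProvider);
        } else {
            signerBuilder.setProvider(PKIConstants.BC_PROVIDER_NAME);
        }

        X509CRLHolder crlHolder;
        try {
            crlHolder = crlBuilder.build(signerBuilder.build(privateKeyEntry.getPrivateKey()));
        } catch (OperatorCreationException e) {
            log.error(e.getMessage(), e);
            return;
        }
        JcaX509CRLConverter converter = new JcaX509CRLConverter();
        converter.setProvider(PKIConstants.BC_PROVIDER_NAME);

        // NOTE(review): the decompiled listing nested two CRLException handlers (one logging, one
        // throwing) around both calls below, which javac rejects as unreachable. They are split so
        // that a conversion failure is raised and an encoding failure is logged. Confirm this
        // assignment against the original source.
        X509CRL crl;
        try {
            crl = converter.getCRL(crlHolder);
        } catch (CRLException e) {
            throw new PKIRuntimeException(e.getMessage(), e);
        }
        String pemCrl;
        try {
            pemCrl = CertificateHandler.getPemFromEncoded("X509 CRL", crl.getEncoded());
        } catch (CRLException e) {
            log.error("unable to generate Root CA CRL", e);
            return;
        }

        // try-with-resources closes the writer even when write() fails. A failed write can still
        // leave a truncated file at the target path, so publishers should check the log before
        // distributing it.
        try (BufferedWriter writer = new BufferedWriter(new FileWriter(str2))) {
            writer.write(pemCrl);
        } catch (IOException e) {
            log.error(e.getMessage(), e);
        }
    }

    /**
     * Produces a signed OCSP response for a request.
     *
     * <p>Every entry of {@code map} is added to the response. This method neither verifies a
     * signature on the request nor checks that the map entries correspond to the certificate IDs
     * asked for; the caller is responsible for building the map from the request.
     *
     * @param oCSPReq the request; {@code null} yields a {@code malformedRequest} response
     * @param publicKey the responder public key used for the responder ID
     * @param privateKeyEntry the responder signing key and certificate
     * @param map the certificate statuses to include; must not be {@code null}
     * @param pKIConfiguration if a {@link P11PKIConfiguration}, its provider is logged in for the
     *     duration of signing and logged out afterwards
     * @return the signed response, or an unsigned {@code internalError} response when the response
     *     could not be built or signed
     */
    public static OCSPResp handleOCSP(OCSPReq oCSPReq, PublicKey publicKey, KeyStore.PrivateKeyEntry privateKeyEntry, Map<CertificateID, CertificateStatus> map, PKIConfiguration pKIConfiguration) {
        if (oCSPReq == null) {
            return errorResponse(OCSPResponseStatus.MALFORMED_REQUEST);
        }
        BasicOCSPRespBuilder respBuilder;
        try {
            respBuilder = initOCSPRespBuilder(oCSPReq, publicKey);
        } catch (OCSPException | OperatorCreationException e) {
            log.error("Could not build OCSP responder", e);
            return errorResponse(OCSPResponseStatus.INTERNAL_ERROR);
        }
        map.forEach(respBuilder::addResponse);

        P11PKIConfiguration p11PKIConfiguration = null;
        if (pKIConfiguration instanceof P11PKIConfiguration) {
            p11PKIConfiguration = (P11PKIConfiguration) pKIConfiguration;
            p11PKIConfiguration.providerLogin();
        }
        try {
            return generateOCSPResponse(respBuilder, privateKeyEntry, p11PKIConfiguration);
        } catch (OCSPException | IOException | OperatorCreationException | CertificateEncodingException e) {
            log.error("Could not generate OCSP response", e);
            return errorResponse(OCSPResponseStatus.INTERNAL_ERROR);
        } finally {
            // Log out on every exit path, including unchecked exceptions, so the token is not left
            // in a logged-in state. generateOCSPResponse also logs in and out itself, so this is a
            // second logout; assumes providerLogout tolerates that (TODO confirm).
            if (p11PKIConfiguration != null) {
                p11PKIConfiguration.providerLogout();
            }
        }
    }

    /**
     * Creates a response builder identified by the hash of the responder public key and echoes the
     * request nonce, when present.
     *
     * <p>SHA-1 is used here only to derive the responder key identifier, which RFC 6960 defines as
     * a SHA-1 hash; it is not the signature digest.
     *
     * @param oCSPReq the request whose nonce extension is copied into the response
     * @param publicKey the responder public key
     * @return the initialised builder
     * @throws OCSPException if the responder ID cannot be computed
     * @throws OperatorCreationException if the digest calculator cannot be created
     */
    public static BasicOCSPRespBuilder initOCSPRespBuilder(OCSPReq oCSPReq, PublicKey publicKey) throws OCSPException, OperatorCreationException {
        BasicOCSPRespBuilder respBuilder = new BasicOCSPRespBuilder(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()), new JcaDigestCalculatorProviderBuilder().setProvider(PKIConstants.BC_PROVIDER_NAME).build().get(CertificateID.HASH_SHA1));
        Extension nonce = oCSPReq.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (nonce != null) {
            // NOTE(review): the client-supplied nonce is copied verbatim, with no length check.
            // RFC 8954 bounds the nonce to 1..32 octets; consider rejecting out-of-range values so
            // an oversized nonce is not signed into every response.
            respBuilder.setResponseExtensions(new Extensions(new Extension[]{nonce}));
        }
        return respBuilder;
    }

    /**
     * Signs the prepared basic response and wraps it in a {@code successful} OCSP response.
     *
     * <p>When {@code p11PKIConfiguration} is given, its provider is logged in before signing and
     * logged out again on every exit path, whether signing succeeds or throws.
     *
     * @param basicOCSPRespBuilder the builder holding the single responses
     * @param privateKeyEntry the responder signing key; its certificate is attached to the response
     * @param p11PKIConfiguration the PKCS#11 configuration, or {@code null} to use the default provider
     * @return the signed response
     * @throws OCSPException if the response cannot be built
     * @throws IOException if the responder certificate cannot be parsed
     * @throws OperatorCreationException if the content signer cannot be created
     * @throws CertificateEncodingException if the responder certificate cannot be encoded
     */
    public static OCSPResp generateOCSPResponse(BasicOCSPRespBuilder basicOCSPRespBuilder, KeyStore.PrivateKeyEntry privateKeyEntry, P11PKIConfiguration p11PKIConfiguration) throws OCSPException, IOException, OperatorCreationException, CertificateEncodingException {
        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(PKIConstants.SIGNER_ALGORITHM);
        if (p11PKIConfiguration != null) {
            p11PKIConfiguration.providerLogin();
        }
        try {
            if (p11PKIConfiguration != null) {
                signerBuilder.setProvider(p11PKIConfiguration.getProvider());
            } else {
                signerBuilder.setProvider(PKIConstants.BC_PROVIDER_NAME);
            }
            X509CertificateHolder[] chain = {new X509CertificateHolder(privateKeyEntry.getCertificate().getEncoded())};
            return new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, basicOCSPRespBuilder.build(signerBuilder.build(privateKeyEntry.getPrivateKey()), chain, Date.from(Instant.now())));
        } finally {
            // Previously only the success path and CertificateEncodingException logged out; any
            // other failure left the provider session open for direct callers of this method.
            if (p11PKIConfiguration != null) {
                p11PKIConfiguration.providerLogout();
            }
        }
    }

    /** Builds an unsigned OCSP response that carries only the given status code. */
    private static OCSPResp errorResponse(int status) {
        return new OCSPResp(new OCSPResponse(new OCSPResponseStatus(status), (ResponseBytes) null));
    }

    private Revocation() {
    }
}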
