package com.okta.mobile.android.scep.client;

import com.okta.mobile.android.scep.client.inspect.CertStoreInspector;
import com.okta.mobile.android.scep.client.inspect.CertStoreInspectorFactory;
import com.okta.mobile.android.scep.client.inspect.DefaultCertStoreInspectorFactory;
import com.okta.mobile.android.scep.message.PkcsPkiEnvelopeDecoder;
import com.okta.mobile.android.scep.message.PkcsPkiEnvelopeEncoder;
import com.okta.mobile.android.scep.message.PkiMessageDecoder;
import com.okta.mobile.android.scep.message.PkiMessageEncoder;
import com.okta.mobile.android.scep.transaction.EnrollmentTransaction;
import com.okta.mobile.android.scep.transaction.Transaction;
import com.okta.mobile.android.scep.transaction.TransactionException;
import com.okta.mobile.android.scep.transport.Transport;
import com.okta.mobile.android.scep.transport.TransportException;
import com.okta.mobile.android.scep.transport.TransportFactory;
import com.okta.mobile.android.scep.transport.UrlConnectionTransportFactory;
import com.okta.mobile.android.scep.transport.request.GetCaCapsRequest;
import com.okta.mobile.android.scep.transport.request.GetCaCertRequest;
import com.okta.mobile.android.scep.transport.response.Capabilities;
import com.okta.mobile.android.scep.transport.response.Capability;
import com.okta.mobile.android.scep.transport.response.GetCaCapsResponseHandler;
import com.okta.mobile.android.scep.transport.response.GetCaCertResponseHandler;
import com.okta.mobile.android.scep.util.X500Utils;
import java.io.IOException;
import java.net.URL;
import java.security.PrivateKey;
import java.security.SignatureException;
import java.security.cert.CertStore;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Objects;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.spongycastle.cert.CertException;
import org.spongycastle.cert.jcajce.JcaX509CertificateHolder;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.RuntimeOperatorException;
import org.spongycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.spongycastle.pkcs.PKCS10CertificationRequest;

/* loaded from: classes.dex */
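public class Client {
    /** Asked to confirm the CA certificate fingerprint out of band; this is the enrolment's trust anchor. */
    private final CallbackHandler handler;
    private final CertStoreInspectorFactory inspectorFactory = new DefaultCertStoreInspectorFactory();
    private final TransportFactory transportFactory = new UrlConnectionTransportFactory();
    /** SCEP server endpoint: http or https, with no query string and no fragment. */
    private final URL url;

    /**
     * Creates a client for the SCEP server at {@code url}.
     *
     * @param url             server endpoint; must use http or https and carry no query or fragment
     * @param callbackHandler receives a {@link CertificateVerificationCallback} so the caller can
     *                        confirm the CA fingerprint before anything returned by the server is trusted
     * @throws NullPointerException     if either argument is null
     * @throws IllegalArgumentException if the URL is not an acceptable SCEP endpoint
     */
    public Client(URL url, CallbackHandler callbackHandler) {
        this.url = url;
        this.handler = callbackHandler;
        validateInput();
    }

    /** Rejects a null, non-HTTP(S), or decorated URL and a null callback handler. */
    private void validateInput() {
        Objects.requireNonNull(this.url, "URL should not be null");
        String protocol = this.url.getProtocol();
        // Exact, case-sensitive match; equivalent to the former "^https?$" regex without
        // recompiling a pattern on every call.
        if (!"http".equals(protocol) && !"https".equals(protocol)) {
            throw new IllegalArgumentException("URL protocol should be HTTP or HTTPS");
        }
        if (this.url.getRef() != null) {
            throw new IllegalArgumentException("URL should contain no reference");
        }
        if (this.url.getQuery() != null) {
            throw new IllegalArgumentException("URL should contain no query string");
        }
        Objects.requireNonNull(this.handler, "Callback handler should not be null");
    }

    /** GET transport to the configured endpoint, used for the capability and certificate queries. */
    private Transport getTransport() {
        return this.transportFactory.forMethod(TransportFactory.Method.GET, this.url);
    }

    /**
     * Transport for the enrolment itself: POST when the CA advertises support for it,
     * otherwise GET.
     *
     * @param caps capabilities already fetched for this enrolment
     */
    private Transport createTransport(Capabilities caps) {
        TransportFactory.Method method = caps.isPostSupported()
                ? TransportFactory.Method.POST
                : TransportFactory.Method.GET;
        return this.transportFactory.forMethod(method, this.url);
    }

    /**
     * Decoder for server responses: signatures are checked against the CA's signer
     * certificate and the enveloped content is decrypted with the client's key.
     *
     * @param identity   the client's certificate
     * @param privateKey key matching {@code identity}
     * @param caStore    CA certificate store already fetched and verified for this enrolment
     */
    private PkiMessageDecoder getDecoder(X509Certificate identity, PrivateKey privateKey, CertStore caStore) {
        X509Certificate signer = this.inspectorFactory.getInstance(caStore).getSigner();
        return new PkiMessageDecoder(signer, new PkcsPkiEnvelopeDecoder(identity, privateKey));
    }

    /**
     * Encoder for client requests: content is enveloped for the CA's recipient certificate
     * and signed with the client's key, using the strongest cipher and signature algorithm
     * the CA advertises.
     *
     * @param identity   the client's certificate
     * @param privateKey key matching {@code identity}
     * @param caStore    CA certificate store already fetched and verified for this enrolment
     * @param caps       capabilities already fetched for this enrolment
     */
    private PkiMessageEncoder getEncoder(X509Certificate identity, PrivateKey privateKey,
            CertStore caStore, Capabilities caps) {
        X509Certificate recipient = this.inspectorFactory.getInstance(caStore).getRecipient();
        PkcsPkiEnvelopeEncoder envelopeEncoder =
                new PkcsPkiEnvelopeEncoder(recipient, caps.getStrongestCipher());
        return new PkiMessageEncoder(privateKey, identity, envelopeEncoder,
                caps.getStrongestSignatureAlgorithm());
    }

    /**
     * Runs the transaction and maps its final state onto an {@link EnrollmentResponse}.
     *
     * @throws TransactionException if the transaction itself fails
     */
    private EnrollmentResponse send(EnrollmentTransaction transaction) throws TransactionException {
        Transaction.State state = transaction.send();
        if (state == Transaction.State.CERT_ISSUED) {
            return new EnrollmentResponse(transaction.getId(), transaction.getCertStore());
        }
        if (state == Transaction.State.CERT_REQ_PENDING) {
            return new EnrollmentResponse(transaction.getId());
        }
        // Any other state is a failure; surface the server's failInfo to the caller.
        return new EnrollmentResponse(transaction.getId(), transaction.getFailInfo());
    }

    /**
     * Hands the CA certificate to the caller's handler for fingerprint confirmation.
     * Nothing received from the server is trusted unless the handler marks it verified.
     *
     * @throws ClientException if the handler cannot be invoked or does not verify the certificate
     */
    private void verifyCA(X509Certificate caCertificate) throws ClientException {
        CertificateVerificationCallback callback = new CertificateVerificationCallback(caCertificate);
        try {
            this.handler.handle(new Callback[] { callback });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new ClientException(e);
        }
        if (!callback.isVerified()) {
            throw new ClientException("CA certificate fingerprint could not be verified.");
        }
    }

    /**
     * Checks that an RA certificate is either the CA certificate itself or carries a
     * signature made by the CA's key. Only the signature is checked here: validity period,
     * key usage and revocation are not.
     *
     * @param ca the (already fingerprint-verified) CA certificate
     * @param ra the recipient or signer certificate from the CA's certificate store
     * @throws ClientException if the RA is not signed by the CA or cannot be inspected
     */
    private void verifyRA(X509Certificate ca, X509Certificate ra) throws ClientException {
        if (ca.equals(ra)) {
            return;
        }
        try {
            boolean issuedByCa = new JcaX509CertificateHolder(ra)
                    .isSignatureValid(new JcaContentVerifierProviderBuilder().build(ca));
            if (!issuedByCa) {
                throw new ClientException("RA not issued by CA");
            }
        } catch (CertificateEncodingException | CertException | OperatorCreationException e) {
            throw new ClientException(e);
        }
    }

    /**
     * Enrols with the default (null) CA profile.
     *
     * @see #enrol(X509Certificate, PrivateKey, PKCS10CertificationRequest, String)
     */
    public EnrollmentResponse enrol(X509Certificate x509Certificate, PrivateKey privateKey,
            PKCS10CertificationRequest pKCS10CertificationRequest)
            throws ClientException, TransactionException {
        return enrol(x509Certificate, privateKey, pKCS10CertificationRequest, null);
    }

    /**
     * Submits {@code pKCS10CertificationRequest} to the CA, signed with the client's
     * identity, and returns the outcome (issued, pending, or failed with the server's failInfo).
     * <p>
     * The CA's capabilities and certificate store are fetched once and shared by the
     * transport, encoder and decoder, so the CA fingerprint callback fires once per enrolment.
     * The decompiled original also compared a self-signed identity's subject with the CSR
     * subject and hashed the encoded CSR, but discarded both results (presumably logging that
     * was stripped); those dead computations are not reproduced here. In particular, the
     * SCEP requirement that a self-signed identity use the CSR's subject name is NOT
     * enforced by this method; callers who need that should check it before calling.
     *
     * @param x509Certificate              the client's identity certificate
     * @param privateKey                   key matching {@code x509Certificate}
     * @param pKCS10CertificationRequest   the CSR to enrol
     * @param str                          CA profile name, or null for the default
     * @throws ClientException      if the CA certificate cannot be fetched or verified
     * @throws TransactionException if the enrolment transaction fails
     */
    public EnrollmentResponse enrol(X509Certificate x509Certificate, PrivateKey privateKey,
            PKCS10CertificationRequest pKCS10CertificationRequest, String str)
            throws ClientException, TransactionException {
        Capabilities caps = getCaCapabilities(str);
        CertStore caStore = getCaCertificate(str);
        EnrollmentTransaction transaction = new EnrollmentTransaction(
                createTransport(caps),
                getEncoder(x509Certificate, privateKey, caStore, caps),
                getDecoder(x509Certificate, privateKey, caStore),
                pKCS10CertificationRequest);
        return send(transaction);
    }

    /**
     * Fetches the CA's advertised capabilities (GetCACaps) for {@code str}.
     * <p>
     * A transport failure is treated as "no capabilities advertised": an empty set is
     * returned and enrolment proceeds with whatever the encoder's defaults are rather than
     * failing. NOTE(review): this is the usual SCEP fallback, but it also means a network
     * fault on this single request can silently select weaker algorithms for the enrolment;
     * a caller that wants to fail closed should inspect the returned capabilities first.
     *
     * @param str CA profile name, or null for the default
     * @return the advertised capabilities, or an empty set if the request failed
     */
    public Capabilities getCaCapabilities(String str) {
        GetCaCapsRequest request = new GetCaCapsRequest(str);
        try {
            return (Capabilities) getTransport().sendRequest(request, new GetCaCapsResponseHandler());
        } catch (TransportException unused) {
            // Deliberate best-effort fallback; see the Javadoc above.
            return new Capabilities(new Capability[0]);
        }
    }

    /**
     * Fetches the CA's certificate store (GetCACert) for {@code str} and verifies it before
     * returning: the issuer certificate must be confirmed by the callback handler, and the
     * recipient and signer certificates must be the CA or signed by it.
     *
     * @param str CA profile name, or null for the default
     * @return the verified certificate store
     * @throws ClientException if the request fails or any verification step fails
     */
    public CertStore getCaCertificate(String str) throws ClientException {
        GetCaCertRequest request = new GetCaCertRequest(str);
        CertStore certStore;
        try {
            certStore = (CertStore) getTransport().sendRequest(request, new GetCaCertResponseHandler());
        } catch (TransportException e) {
            throw new ClientException(e);
        }
        CertStoreInspector inspector = this.inspectorFactory.getInstance(certStore);
        X509Certificate ca = inspector.getIssuer();
        // Trust anchor: the caller confirms the CA fingerprint out of band before the
        // RA certificates are checked against it.
        verifyCA(ca);
        verifyRA(ca, inspector.getRecipient());
        verifyRA(ca, inspector.getSigner());
        return certStore;
    }
}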
