package org.xipki.ca.server;

import java.io.Closeable;
import java.math.BigInteger;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.List;
import java.util.Random;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.ca.api.CertWithDbId;
import org.xipki.ca.api.mgmt.CertWithRevocationInfo;
import org.xipki.ca.api.mgmt.RequestorInfo;
import org.xipki.ca.api.mgmt.RevokeSuspendedControl;
import org.xipki.ca.sdk.CaAuditConstants;
import org.xipki.ca.server.db.CertStore;
import org.xipki.ca.server.mgmt.CaManagerImpl;
import org.xipki.security.CertRevocationInfo;
import org.xipki.security.CrlReason;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.DateUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.Validity;
import org.xipki.util.exception.ErrorCode;
import org.xipki.util.exception.OperationException;

/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/X509RevokerModule.class */
public class X509RevokerModule extends X509CaModule implements Closeable {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) X509RevokerModule.class);
    private final boolean masterMode;
    private final CertStore certstore;
    private final CaIdNameMap caIdNameMap;
    private final X509PublisherModule publisherModule;
    private ScheduledFuture<?> suspendedCertsRevoker;

    /* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/X509RevokerModule$SuspendedCertsRevoker.class */
    private class SuspendedCertsRevoker implements Runnable {
        private boolean inProcess;

        private SuspendedCertsRevoker() {
        }

        @Override // java.lang.Runnable
        public void run() {
            if (X509RevokerModule.this.caInfo.revokeSuspendedCertsControl() == null || !X509RevokerModule.this.caInfo.revokeSuspendedCertsControl().isEnabled() || this.inProcess) {
                return;
            }
            this.inProcess = true;
            try {
                X509RevokerModule.LOG.debug("revoking suspended certificates");
                int revokeSuspendedCerts = X509RevokerModule.this.revokeSuspendedCerts();
                if (revokeSuspendedCerts == 0) {
                    X509RevokerModule.LOG.debug("revoked {} suspended certificates of CA '{}'", Integer.valueOf(revokeSuspendedCerts), X509RevokerModule.this.caIdent);
                } else {
                    X509RevokerModule.LOG.info("revoked {} suspended certificates of CA '{}'", Integer.valueOf(revokeSuspendedCerts), X509RevokerModule.this.caIdent);
                }
            } catch (Throwable th) {
                LogUtil.error(X509RevokerModule.LOG, th, "could not revoke suspended certificates");
            } finally {
                this.inProcess = false;
            }
        }
    }

    public X509RevokerModule(CaManagerImpl caManagerImpl, CaInfo caInfo, CertStore certStore, X509PublisherModule x509PublisherModule) {
        super(caInfo);
        this.caIdNameMap = caManagerImpl.idNameMap();
        this.certstore = certStore;
        this.masterMode = caManagerImpl.isMasterMode();
        this.publisherModule = x509PublisherModule;
        if (this.masterMode) {
            this.suspendedCertsRevoker = caManagerImpl.getScheduledThreadPoolExecutor().scheduleAtFixedRate(new SuspendedCertsRevoker(), new Random().nextInt(60), 60L, TimeUnit.MINUTES);
        }
    }

    public CertWithRevocationInfo revokeCert(BigInteger bigInteger, CrlReason crlReason, Instant instant, AuditEvent auditEvent) throws OperationException {
        if (this.caInfo.isSelfSigned() && this.caInfo.getSerialNumber().equals(bigInteger)) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "insufficient permission to revoke CA certificate");
        }
        if (crlReason == null) {
            crlReason = CrlReason.UNSPECIFIED;
        }
        switch (crlReason) {
            case CA_COMPROMISE:
            case AA_COMPROMISE:
            case REMOVE_FROM_CRL:
                throw new OperationException(ErrorCode.NOT_PERMITTED, "insufficient permission to revoke certificate with reason " + crlReason.getDescription());
            case UNSPECIFIED:
            case KEY_COMPROMISE:
            case AFFILIATION_CHANGED:
            case SUPERSEDED:
            case CESSATION_OF_OPERATION:
            case CERTIFICATE_HOLD:
            case PRIVILEGE_WITHDRAWN:
                try {
                    CertWithRevocationInfo revokeCertificate0 = revokeCertificate0(bigInteger, crlReason, instant, false, auditEvent);
                    setEventStatus(auditEvent, revokeCertificate0 != null);
                    return revokeCertificate0;
                } catch (Throwable th) {
                    setEventStatus(auditEvent, true);
                    throw th;
                }
            default:
                throw new IllegalStateException("unknown CRL reason " + crlReason);
        }
    }

    public CertWithDbId unsuspendCert(BigInteger bigInteger, AuditEvent auditEvent) throws OperationException {
        if (this.caInfo.isSelfSigned() && this.caInfo.getSerialNumber().equals(bigInteger)) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "insufficient permission to unsuspend CA certificate");
        }
        boolean z = false;
        try {
            CertWithDbId unsuspendCert0 = unsuspendCert0(bigInteger, false, auditEvent);
            z = true;
            setEventStatus(auditEvent, true);
            return unsuspendCert0;
        } catch (Throwable th) {
            setEventStatus(auditEvent, z);
            throw th;
        }
    }

    private CertWithRevocationInfo revokeCertificate0(BigInteger bigInteger, CrlReason crlReason, Instant instant, boolean z, AuditEvent auditEvent) throws OperationException {
        String formatCsn = LogUtil.formatCsn(bigInteger);
        auditEvent.addEventData(CaAuditConstants.NAME_serial, formatCsn);
        auditEvent.addEventData(CaAuditConstants.NAME_reason, crlReason.getDescription());
        if (instant != null) {
            auditEvent.addEventData(CaAuditConstants.NAME_invalidity_time, DateUtil.toUtcTimeyyyyMMddhhmmss(instant));
        }
        LOG.info("     START revokeCertificate: ca={}, serialNumber={}, reason={}, invalidityTime={}", this.caIdent.getName(), formatCsn, crlReason.getDescription(), instant);
        CertWithRevocationInfo revokeCert = this.certstore.revokeCert(this.caIdent, bigInteger, new CertRevocationInfo(crlReason, Instant.now(), instant), z, this.caIdNameMap);
        if (revokeCert == null) {
            return null;
        }
        this.publisherModule.publishCertRevoked(revokeCert);
        if (LOG.isInfoEnabled()) {
            LOG.info("SUCCESSFUL revokeCertificate: ca={}, serialNumber={}, reason={}, invalidityTime={}, revocationResult=REVOKED", this.caIdent.getName(), formatCsn, crlReason.getDescription(), instant);
        }
        return revokeCert;
    }

    private CertWithRevocationInfo revokeSuspendedCert(CertStore.SerialWithId serialWithId, CrlReason crlReason) throws OperationException {
        AuditEvent newAuditEvent = newAuditEvent(CaAuditConstants.TYPE_revoke_suspendedCert, null);
        try {
            CertWithRevocationInfo revokeSuspendedCert0 = revokeSuspendedCert0(serialWithId, crlReason, newAuditEvent);
            finish(newAuditEvent, revokeSuspendedCert0 != null);
            return revokeSuspendedCert0;
        } catch (Throwable th) {
            finish(newAuditEvent, false);
            throw th;
        }
    }

    private CertWithRevocationInfo revokeSuspendedCert0(CertStore.SerialWithId serialWithId, CrlReason crlReason, AuditEvent auditEvent) throws OperationException {
        String formatCsn = LogUtil.formatCsn(serialWithId.getSerial());
        auditEvent.addEventData(CaAuditConstants.NAME_serial, formatCsn);
        auditEvent.addEventData(CaAuditConstants.NAME_reason, crlReason.getDescription());
        if (LOG.isInfoEnabled()) {
            LOG.info("     START revokeSuspendedCert: ca={}, serialNumber={}, reason={}", this.caIdent.getName(), formatCsn, crlReason.getDescription());
        }
        CertWithRevocationInfo revokeSuspendedCert = this.certstore.revokeSuspendedCert(this.caIdent, serialWithId, crlReason, this.caIdNameMap);
        if (revokeSuspendedCert == null) {
            return null;
        }
        this.publisherModule.publishCertRevoked(revokeSuspendedCert);
        if (LOG.isInfoEnabled()) {
            LOG.info("SUCCESSFUL revokeSuspendedCert: ca={}, serialNumber={}, reason={}", this.caIdent.getName(), formatCsn, crlReason.getDescription());
        }
        return revokeSuspendedCert;
    }

    private CertWithDbId unsuspendCert0(BigInteger bigInteger, boolean z, AuditEvent auditEvent) throws OperationException {
        String formatCsn = LogUtil.formatCsn(bigInteger);
        auditEvent.addEventData(CaAuditConstants.NAME_serial, formatCsn);
        LOG.info("     START unsuspendertificate: ca={}, serialNumber={}", this.caIdent.getName(), formatCsn);
        CertWithDbId unsuspendCert = this.certstore.unsuspendCert(this.caIdent, bigInteger, z, this.caIdNameMap);
        if (unsuspendCert == null) {
            return null;
        }
        this.publisherModule.publishCertUnrevoked(unsuspendCert);
        LOG.info("SUCCESSFUL unsuspendCertificate: ca={}, serialNumber={}", this.caIdent.getName(), formatCsn);
        return unsuspendCert;
    }

    public void revokeCa(RequestorInfo requestorInfo, CertRevocationInfo certRevocationInfo) throws OperationException {
        this.caInfo.setRevocationInfo((CertRevocationInfo) Args.notNull(certRevocationInfo, "revocationInfo"));
        if (this.caInfo.isSelfSigned()) {
            AuditEvent newAuditEvent = newAuditEvent(certRevocationInfo.getReason() == CrlReason.CERTIFICATE_HOLD ? "revoke_ca" : "revoke_ca", requestorInfo);
            try {
                finish(newAuditEvent, revokeCertificate0(this.caInfo.getSerialNumber(), certRevocationInfo.getReason(), certRevocationInfo.getInvalidityTime(), true, newAuditEvent) != null);
            } catch (Throwable th) {
                finish(newAuditEvent, true);
                throw th;
            }
        }
        if (!this.publisherModule.publishCaRevoked(certRevocationInfo)) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not publish event caRevoked of CA " + this.caIdent + " to at least one publisher");
        }
    }

    public void unrevokeCa(RequestorInfo requestorInfo) throws OperationException {
        this.caInfo.setRevocationInfo(null);
        if (this.caInfo.isSelfSigned()) {
            AuditEvent newAuditEvent = newAuditEvent(CaAuditConstants.TYPE_unsuspend_ca, requestorInfo);
            boolean z = false;
            try {
                unsuspendCert0(this.caInfo.getSerialNumber(), true, newAuditEvent);
                z = true;
                finish(newAuditEvent, true);
            } catch (Throwable th) {
                finish(newAuditEvent, z);
                throw th;
            }
        }
        if (!this.publisherModule.publishCaUnrevoked()) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not event caUnrevoked of CA " + this.caIdent + " to at least one publisher");
        }
    }

    private int revokeSuspendedCerts() throws OperationException {
        LOG.debug("revoking suspended certificates");
        AuditEvent newAuditEvent = newAuditEvent(CaAuditConstants.TYPE_revoke_suspendedCert, null);
        boolean z = false;
        try {
            int revokeSuspendedCerts0 = revokeSuspendedCerts0();
            LOG.info("revoked {} suspended certificates of CA {}", Integer.valueOf(revokeSuspendedCerts0), this.caIdent.getName());
            z = true;
            finish(newAuditEvent, true);
            return revokeSuspendedCerts0;
        } catch (Throwable th) {
            finish(newAuditEvent, z);
            throw th;
        }
    }

    private int revokeSuspendedCerts0() throws OperationException {
        if (!this.masterMode) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "CA could not remove expired certificates in slave mode");
        }
        RevokeSuspendedControl revokeSuspendedCertsControl = this.caInfo.revokeSuspendedCertsControl();
        Validity unchangedSince = revokeSuspendedCertsControl.getUnchangedSince();
        int validity = unchangedSince.getValidity();
        Validity.Unit unit = unchangedSince.getUnit();
        long j = unit == Validity.Unit.MINUTE ? validity : unit == Validity.Unit.HOUR ? validity * 60 : unit == Validity.Unit.DAY ? validity * 24 * 60 : unit == Validity.Unit.WEEK ? validity * 7 * 24 * 60 : unit == Validity.Unit.YEAR ? validity * 365 * 24 * 60 : -1L;
        if (j == -1) {
            throw new IllegalStateException("should not reach here, unknown Validity Unit " + unchangedSince.getUnit());
        }
        Instant minus = Instant.now().minus(j, (TemporalUnit) ChronoUnit.MINUTES);
        CrlReason targetReason = revokeSuspendedCertsControl.getTargetReason();
        int i = 0;
        while (true) {
            List<CertStore.SerialWithId> suspendedCertSerials = this.certstore.getSuspendedCertSerials(this.caIdent, minus, 100);
            if (CollectionUtil.isEmpty(suspendedCertSerials)) {
                return i;
            }
            for (CertStore.SerialWithId serialWithId : suspendedCertSerials) {
                try {
                    if (revokeSuspendedCert(serialWithId, targetReason) != null) {
                        i++;
                    }
                } catch (OperationException e) {
                    LOG.info("revoked {} suspended certificates of CA {}", Integer.valueOf(i), this.caIdent.getName());
                    LogUtil.error(LOG, e, "could not revoke suspended certificate with serial" + serialWithId);
                    throw e;
                }
            }
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.suspendedCertsRevoker != null) {
            this.suspendedCertsRevoker.cancel(false);
            this.suspendedCertsRevoker = null;
        }
    }
}
