package org.xipki.ca.server;

import java.io.Closeable;
import java.math.BigInteger;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.List;
import java.util.Random;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import org.xipki.audit.AuditEvent;
import org.xipki.ca.api.CertWithDbId;
import org.xipki.ca.api.mgmt.CertWithRevocationInfo;
import org.xipki.ca.sdk.CaAuditConstants;
import org.xipki.ca.server.db.CertStore;
import org.xipki.ca.server.mgmt.CaManagerImpl;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.exception.ErrorCode;
import org.xipki.util.exception.OperationException;

/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/X509RemoverModule.class */
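/**
 * CA module that deletes certificates from the certificate store, either on request
 * ({@link #removeCert}) or through a periodic sweep of expired, unrevoked certificates.
 *
 * <p>The sweep is only scheduled when the CA manager reports master mode. Every removal
 * is first announced to the publishers and is recorded on the supplied {@link AuditEvent}.
 *
 * <p>NOTE(review): this listing is decompiled output; compare the audit-status handling
 * in {@code removeCert0} with the upstream source before relying on it.
 */
public class X509RemoverModule extends X509CaModule implements Closeable {
    /** Period of the expired-certificate sweep, in minutes (24 hours). */
    private static final long SWEEP_PERIOD_MINUTES = 1440L;

    /** Exclusive upper bound of the random extra delay before the first sweep, in minutes. */
    private static final int SWEEP_JITTER_MINUTES = 60;

    /** Maximum number of serial numbers requested from the store per query. */
    private static final int REMOVAL_BATCH_SIZE = 100;

    private final boolean masterMode;
    private final CertStore certstore;
    private final CaIdNameMap caIdNameMap;
    private final X509PublisherModule publisherModule;
    private ScheduledFuture<?> expiredCertsRemover;

    /* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/X509RemoverModule$ExpiredCertsRemover.class */
    /**
     * Scheduled task that removes certificates which expired more than
     * {@code keepExpiredCertInDays + 1} days ago. A negative setting disables the sweep.
     */
    private class ExpiredCertsRemover implements Runnable {
        // Secondary re-entrancy guard; scheduleAtFixedRate already serialises runs of one task.
        private boolean inProcess;

        private ExpiredCertsRemover() {
        }

        @Override
        public void run() {
            // The decompiled listing referenced an undefined register ("r0") here; it is the
            // value of getKeepExpiredCertInDays() that was just tested.
            long keepDays = X509RemoverModule.this.caInfo.getKeepExpiredCertInDays();
            if (keepDays < 0 || this.inProcess) {
                return;
            }

            this.inProcess = true;
            Instant expiredBefore = Instant.now().minus(keepDays + 1, ChronoUnit.DAYS);
            try {
                // The task deletes certificates; the original message said "revoking".
                X509RemoverModule.this.LOG.debug("removing expired certificates");
                AuditEvent event = X509RemoverModule.this.newAuditEvent(
                        CaAuditConstants.TYPE_remove_expired_certs, null);
                boolean successful = false;
                try {
                    int removed = X509RemoverModule.this.removeExpiredCerts0(expiredBefore, event);
                    X509RemoverModule.this.LOG.info("removed {} certificates expired at {} of CA {}",
                            Integer.valueOf(removed), expiredBefore, X509RemoverModule.this.caIdent);
                    successful = true;
                } finally {
                    // Close the audit event on both outcomes so that a failed sweep is recorded too.
                    X509RemoverModule.this.finish(event, successful);
                }
            } catch (Throwable th) {
                // Swallowed on purpose: an exception escaping a scheduleAtFixedRate task
                // suppresses all later runs.
                LogUtil.error(X509RemoverModule.this.LOG, th, "could not remove expired certificates");
            } finally {
                this.inProcess = false;
            }
        }
    }

    /**
     * Creates the module and, in master mode, schedules the daily sweep of expired certificates.
     *
     * @param caManagerImpl source of the id/name map, the master-mode flag and the scheduler
     * @param caInfo CA description passed to the superclass
     * @param certStore store the certificates are read from and deleted in
     * @param x509PublisherModule publisher module informed before each deletion
     */
    public X509RemoverModule(CaManagerImpl caManagerImpl, CaInfo caInfo, CertStore certStore, X509PublisherModule x509PublisherModule) {
        super(caInfo);
        this.caIdNameMap = caManagerImpl.idNameMap();
        this.certstore = certStore;
        this.masterMode = caManagerImpl.isMasterMode();
        this.publisherModule = x509PublisherModule;
        if (this.masterMode) {
            // java.util.Random is sufficient: the value only spreads the first run over an
            // hour and is not used as a secret or identifier.
            long initialDelay = SWEEP_PERIOD_MINUTES + new Random().nextInt(SWEEP_JITTER_MINUTES);
            this.expiredCertsRemover = caManagerImpl.getScheduledThreadPoolExecutor().scheduleAtFixedRate(
                    new ExpiredCertsRemover(), initialDelay, SWEEP_PERIOD_MINUTES, TimeUnit.MINUTES);
        }
    }

    /**
     * Removes the certificate identified by its database id and serial number.
     *
     * @param serialWithId database id and serial number of the certificate
     * @param auditEvent audit event that receives the serial number and the status
     * @return the removed certificate, or {@code null} if it was not found or the publishers
     *     reported a failure
     * @throws OperationException if the certificate is the self-signed CA certificate, or
     *     propagated from the store
     */
    public CertWithDbId removeCert(CertStore.SerialWithId serialWithId, AuditEvent auditEvent) throws OperationException {
        return removeCert0(serialWithId.getId(), serialWithId.getSerial(), auditEvent);
    }

    /**
     * Removes the certificate identified by its serial number only; the store looks it up
     * by CA id and serial.
     *
     * @param bigInteger serial number of the certificate
     * @param auditEvent audit event that receives the serial number and the status
     * @return the removed certificate, or {@code null} if it was not found or the publishers
     *     reported a failure
     * @throws OperationException if the certificate is the self-signed CA certificate, or
     *     propagated from the store
     */
    public CertWithDbId removeCert(BigInteger bigInteger, AuditEvent auditEvent) throws OperationException {
        return removeCert0(0L, bigInteger, auditEvent);
    }

    /**
     * Shared implementation of both {@code removeCert} overloads.
     *
     * @param j database id of the certificate, or {@code 0} to look it up by CA id and serial
     * @param bigInteger serial number of the certificate
     * @param auditEvent audit event that receives the serial number and the status
     */
    private CertWithDbId removeCert0(long j, BigInteger bigInteger, AuditEvent auditEvent) throws OperationException {
        // A self-signed CA must never delete its own certificate.
        if (this.caInfo.isSelfSigned() && this.caInfo.getSerialNumber().equals(bigInteger)) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "could not remove CA certificate");
        }
        try {
            auditEvent.addEventData(CaAuditConstants.NAME_serial, LogUtil.formatCsn(bigInteger));
            CertWithRevocationInfo certWithRevocationInfo = j == 0
                    ? this.certstore.getCertWithRevocationInfo(this.caIdent.getId().intValue(), bigInteger, this.caIdNameMap)
                    : this.certstore.getCertWithRevocationInfo(j, this.caIdNameMap);
            if (certWithRevocationInfo == null) {
                return null;
            }
            CertWithDbId cert = certWithRevocationInfo.getCert();
            // Publishers are told first; the store row is only deleted once they accept.
            if (!this.publisherModule.publishCertRemoved(cert)) {
                setEventStatus(auditEvent, true);
                return null;
            }
            this.certstore.removeCert(certWithRevocationInfo.getCert().getCertId().longValue());
            setEventStatus(auditEvent, cert != null);
            return cert;
        } finally {
            // NOTE(review): as listed, this marks the audit event successful on every path,
            // including "not found", a publisher failure and an exception from the store, and
            // it overrides the two calls above. Confirm against the upstream source whether
            // those paths should be recorded as failures; behaviour is kept unchanged here.
            setEventStatus(auditEvent, true);
        }
    }

    /**
     * Removes, in batches, all unrevoked certificates of this CA that expired before
     * {@code instant}, skipping the CA's own self-signed certificate.
     *
     * @param instant expiry cut-off; must not be {@code null}
     * @param auditEvent audit event shared by all removals of this sweep
     * @return number of certificates removed
     * @throws OperationException if the CA is not in master mode or a removal fails
     */
    private int removeExpiredCerts0(Instant instant, AuditEvent auditEvent) throws OperationException {
        Args.notNull(instant, "expiredtime");
        if (!this.masterMode) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "CA could not remove expired certificates in slave mode");
        }
        auditEvent.addEventData(CaAuditConstants.NAME_expired_at, instant);
        long epochSecond = instant.getEpochSecond();
        int total = 0;
        while (true) {
            List<CertStore.SerialWithId> batch = this.certstore.getExpiredUnrevokedSerialNumbers(
                    this.caIdent, epochSecond, REMOVAL_BATCH_SIZE);
            if (CollectionUtil.isEmpty(batch)) {
                return total;
            }
            int removedInBatch = 0;
            for (CertStore.SerialWithId serialWithId : batch) {
                if (this.caInfo.isSelfSigned() && this.caInfo.getSerialNumber().equals(serialWithId.getSerial())) {
                    continue;
                }
                try {
                    if (removeCert(serialWithId, auditEvent) != null) {
                        total++;
                        removedInBatch++;
                    }
                } catch (OperationException e) {
                    this.LOG.info("removed {} expired certificates of CA {}", Integer.valueOf(total), this.caIdent.getName());
                    // Separator added so that the serial number is readable in the log line.
                    LogUtil.error(this.LOG, e, "could not remove expired certificate with serial " + serialWithId.getSerial());
                    throw e;
                }
            }
            if (removedInBatch == 0) {
                // Nothing in this batch could be removed (skipped CA certificate, publisher
                // failure or missing entry). The query carries no cursor, so the store would
                // presumably return the same rows again and the loop would never end; stop and
                // leave the rest to the next scheduled sweep.
                this.LOG.warn("no progress while removing expired certificates of CA {}, stopping after {} removals",
                        this.caIdent.getName(), Integer.valueOf(total));
                return total;
            }
        }
    }

    /**
     * Cancels the scheduled sweep, if any, without interrupting a run in progress.
     */
    @Override
    public void close() {
        if (this.expiredCertsRemover != null) {
            this.expiredCertsRemover.cancel(false);
            this.expiredCertsRemover = null;
        }
    }
}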
