package org.xipki.ca.server;

import com.fasterxml.jackson.databind.deser.std.StdKeyDeserializer;
import java.io.IOException;
import java.math.BigInteger;
import java.time.Clock;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import org.apache.logging.log4j.util.ProcessIdUtil;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CRLHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.ca.api.CertificateInfo;
import org.xipki.ca.api.mgmt.CaMgmtException;
import org.xipki.ca.api.mgmt.CaStatus;
import org.xipki.ca.api.mgmt.CertWithRevocationInfo;
import org.xipki.ca.api.mgmt.RequestorInfo;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.sdk.CaIdentifierRequest;
import org.xipki.ca.sdk.CaNameResponse;
import org.xipki.ca.sdk.CertChainResponse;
import org.xipki.ca.sdk.CertprofileInfoRequest;
import org.xipki.ca.sdk.CertsMode;
import org.xipki.ca.sdk.ConfirmCertRequestEntry;
import org.xipki.ca.sdk.ConfirmCertsRequest;
import org.xipki.ca.sdk.CrlResponse;
import org.xipki.ca.sdk.EnrollCertRequestEntry;
import org.xipki.ca.sdk.EnrollCertsRequest;
import org.xipki.ca.sdk.EnrollOrPollCertsResponse;
import org.xipki.ca.sdk.EnrollOrPullCertResponseEntry;
import org.xipki.ca.sdk.ErrorEntry;
import org.xipki.ca.sdk.ErrorResponse;
import org.xipki.ca.sdk.GenCRLRequest;
import org.xipki.ca.sdk.GetCRLRequest;
import org.xipki.ca.sdk.GetCertRequest;
import org.xipki.ca.sdk.OldCertInfoByIssuerAndSerial;
import org.xipki.ca.sdk.OldCertInfoBySubject;
import org.xipki.ca.sdk.PayloadResponse;
import org.xipki.ca.sdk.PollCertRequest;
import org.xipki.ca.sdk.PollCertRequestEntry;
import org.xipki.ca.sdk.RevokeCertRequestEntry;
import org.xipki.ca.sdk.RevokeCertsRequest;
import org.xipki.ca.sdk.RevokeCertsResponse;
import org.xipki.ca.sdk.SdkConstants;
import org.xipki.ca.sdk.SdkResponse;
import org.xipki.ca.sdk.SingleCertSerialEntry;
import org.xipki.ca.sdk.TransactionIdRequest;
import org.xipki.ca.sdk.UnSuspendOrRemoveCertsResponse;
import org.xipki.ca.sdk.UnsuspendOrRemoveRequest;
import org.xipki.ca.sdk.X500NameType;
import org.xipki.ca.server.mgmt.CaManagerImpl;
import org.xipki.security.CrlReason;
import org.xipki.security.X509Cert;
import org.xipki.security.util.TlsHelper;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.Hex;
import org.xipki.util.LogUtil;
import org.xipki.util.PermissionConstants;
import org.xipki.util.StringUtil;
import org.xipki.util.exception.DecodeException;
import org.xipki.util.exception.ErrorCode;
import org.xipki.util.exception.InsufficientPermissionException;
import org.xipki.util.exception.OperationException;
import org.xipki.util.http.XiHttpRequest;

/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/SdkResponder.class */
public class SdkResponder {
    private static final int DFLT_CONFIRM_WAIT_TIME_MS = 600000;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SdkResponder.class);
    private static final Set<String> reenrollCertExtnIds = CollectionUtil.asUnmodifiableSet(Extension.biometricInfo.getId(), Extension.extendedKeyUsage.getId(), Extension.keyUsage.getId(), Extension.qCStatements.getId(), Extension.subjectAlternativeName.getId(), Extension.subjectInfoAccess.getId());
    private final CaManagerImpl caManager;
    private final PendingCertificatePool pendingCertPool = new PendingCertificatePool();
    private ScheduledThreadPoolExecutor threadPoolExecutor = new ScheduledThreadPoolExecutor(1);

    /* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/SdkResponder$PendingPoolCleaner.class */
    private class PendingPoolCleaner implements Runnable {
        private PendingPoolCleaner() {
        }

        @Override // java.lang.Runnable
        public void run() {
            Set<CertificateInfo> removeConfirmTimeoutedCertificates = SdkResponder.this.pendingCertPool.removeConfirmTimeoutedCertificates();
            if (CollectionUtil.isEmpty(removeConfirmTimeoutedCertificates)) {
                return;
            }
            Instant now = Instant.now();
            X509Ca x509Ca = null;
            for (CertificateInfo certificateInfo : removeConfirmTimeoutedCertificates) {
                String name = certificateInfo.getIssuer().getName();
                BigInteger serialNumber = certificateInfo.getCert().getCert().getSerialNumber();
                if (x509Ca == null || !x509Ca.getCaIdent().getName().equals(name)) {
                    try {
                        x509Ca = SdkResponder.this.caManager.getX509Ca(name);
                    } catch (CaMgmtException e) {
                        SdkResponder.LOG.error("could not revoke certificate (CA={}, serialNumber={}): unknown CA", name, LogUtil.formatCsn(serialNumber));
                    }
                }
                try {
                    x509Ca.revokeCert(null, serialNumber, CrlReason.CESSATION_OF_OPERATION, now);
                } catch (Throwable th) {
                    SdkResponder.LOG.error("could not revoke certificate (CA={}, serialNumber={}): {}", x509Ca.getCaInfo().getIdent(), LogUtil.formatCsn(serialNumber), th.getMessage());
                }
            }
        }
    }

    public SdkResponder(CaManagerImpl caManagerImpl) {
        this.caManager = (CaManagerImpl) Args.notNull(caManagerImpl, "caManager");
        this.threadPoolExecutor.setRemoveOnCancelPolicy(true);
        this.threadPoolExecutor.scheduleAtFixedRate(new PendingPoolCleaner(), 10L, 10L, TimeUnit.MINUTES);
    }

    public SdkResponse service(String str, byte[] bArr, XiHttpRequest xiHttpRequest) {
        try {
            SdkResponse service0 = service0(str, bArr, xiHttpRequest);
            if (service0 instanceof ErrorResponse) {
                LOG.warn("returned ErrorResponse: {}", service0);
            }
            return service0;
        } catch (Throwable th) {
            LOG.error("Throwable thrown, this should not happen!", th);
            return new ErrorResponse(null, ErrorCode.SYSTEM_FAILURE, "internal error");
        }
    }

    private SdkResponse service0(String str, byte[] bArr, XiHttpRequest xiHttpRequest) {
        X509Ca x509Ca;
        try {
            if (this.caManager == null) {
                return new ErrorResponse(null, ErrorCode.SYSTEM_FAILURE, "responderManager in servlet not configured");
            }
            String str2 = null;
            String str3 = null;
            if (str.length() > 1) {
                int indexOf = str.indexOf(47, 1);
                if (indexOf == -1 || indexOf == str.length() - 1) {
                    return new ErrorResponse(null, ErrorCode.PATH_NOT_FOUND, "invalid path " + str);
                }
                String lowerCase = str.substring(1, indexOf).toLowerCase();
                str3 = str.substring(indexOf + 1).toLowerCase();
                if (ProcessIdUtil.DEFAULT_PROCESSID.equals(lowerCase)) {
                    str2 = ProcessIdUtil.DEFAULT_PROCESSID;
                } else {
                    str2 = this.caManager.getCaNameForAlias(lowerCase);
                    if (str2 == null) {
                        str2 = lowerCase;
                    }
                }
            }
            if (StringUtil.isBlank(str3)) {
                return new ErrorResponse(null, ErrorCode.PATH_NOT_FOUND, "command is not specified");
            }
            CaIdentifierRequest caIdentifierRequest = null;
            if (ProcessIdUtil.DEFAULT_PROCESSID.equals(str2)) {
                String str4 = str3;
                boolean z = -1;
                switch (str4.hashCode()) {
                    case -1367726103:
                        if (str4.equals(SdkConstants.CMD_caname)) {
                            z = false;
                            break;
                        }
                        break;
                    case -553887683:
                        if (str4.equals("revoke_cert")) {
                            z = 5;
                            break;
                        }
                        break;
                    case -435851999:
                        if (str4.equals(SdkConstants.CMD_cacerts2)) {
                            z = 2;
                            break;
                        }
                        break;
                    case -294060801:
                        if (str4.equals("remove_cert")) {
                            z = 4;
                            break;
                        }
                        break;
                    case -144135516:
                        if (str4.equals(SdkConstants.CMD_poll_cert)) {
                            z = 3;
                            break;
                        }
                        break;
                    case 540129520:
                        if (str4.equals(SdkConstants.CMD_cacert2)) {
                            z = true;
                            break;
                        }
                        break;
                    case 968710496:
                        if (str4.equals("unsuspend_cert")) {
                            z = 6;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case false:
                    case true:
                    case true:
                        caIdentifierRequest = CaIdentifierRequest.decode(requireNonNullRequest(bArr));
                        break;
                    case true:
                    case true:
                    case true:
                    case true:
                        if (!SdkConstants.CMD_poll_cert.equals(str3)) {
                            if (!"revoke_cert".equals(str3)) {
                                caIdentifierRequest = UnsuspendOrRemoveRequest.decode(requireNonNullRequest(bArr));
                                break;
                            } else {
                                caIdentifierRequest = RevokeCertsRequest.decode(requireNonNullRequest(bArr));
                                break;
                            }
                        } else {
                            caIdentifierRequest = PollCertRequest.decode(requireNonNullRequest(bArr));
                            break;
                        }
                    default:
                        return new ErrorResponse(null, ErrorCode.PATH_NOT_FOUND, "invalid command '" + str3 + "'");
                }
                x509Ca = this.caManager.getCa(caIdentifierRequest);
                if (x509Ca == null) {
                    return new ErrorResponse(null, ErrorCode.PATH_NOT_FOUND, "could not find CA for " + caIdentifierRequest.idText());
                }
            } else {
                try {
                    x509Ca = this.caManager.getX509Ca(str2);
                    if (x509Ca == null) {
                        return new ErrorResponse(null, ErrorCode.PATH_NOT_FOUND, "unknown CA '" + str2 + "'");
                    }
                } catch (CaMgmtException e) {
                    return new ErrorResponse(null, ErrorCode.PATH_NOT_FOUND, "CA unknown");
                }
            }
            if (x509Ca.getCaInfo().getStatus() != CaStatus.ACTIVE) {
                return new ErrorResponse(null, ErrorCode.PATH_NOT_FOUND, "CA '" + x509Ca.getCaIdent().getName() + "' is out of service");
            }
            try {
                X509Cert tlsClientCert = TlsHelper.getTlsClientCert(xiHttpRequest);
                if (tlsClientCert == null) {
                    return new ErrorResponse(null, ErrorCode.UNAUTHORIZED, "no client certificate");
                }
                RequestorInfo.CertRequestorInfo requestor = x509Ca.getRequestor(tlsClientCert);
                if (requestor == null) {
                    return new ErrorResponse(null, ErrorCode.NOT_PERMITTED, "no requestor specified");
                }
                String str5 = str3;
                boolean z2 = -1;
                switch (str5.hashCode()) {
                    case -1368049790:
                        if (str5.equals(SdkConstants.CMD_cacert)) {
                            z2 = true;
                            break;
                        }
                        break;
                    case -1367726103:
                        if (str5.equals(SdkConstants.CMD_caname)) {
                            z2 = 18;
                            break;
                        }
                        break;
                    case -1298329434:
                        if (str5.equals(SdkConstants.CMD_enroll)) {
                            z2 = 3;
                            break;
                        }
                        break;
                    case -1221262756:
                        if (str5.equals(SdkConstants.CMD_health)) {
                            z2 = false;
                            break;
                        }
                        break;
                    case -742888295:
                        if (str5.equals(SdkConstants.CMD_reenroll)) {
                            z2 = 4;
                            break;
                        }
                        break;
                    case -553887683:
                        if (str5.equals("revoke_cert")) {
                            z2 = 7;
                            break;
                        }
                        break;
                    case -509577369:
                        if (str5.equals(SdkConstants.CMD_enroll_cross)) {
                            z2 = 5;
                            break;
                        }
                        break;
                    case -435851999:
                        if (str5.equals(SdkConstants.CMD_cacerts2)) {
                            z2 = 17;
                            break;
                        }
                        break;
                    case -294060801:
                        if (str5.equals("remove_cert")) {
                            z2 = 11;
                            break;
                        }
                        break;
                    case -144135516:
                        if (str5.equals(SdkConstants.CMD_poll_cert)) {
                            z2 = 6;
                            break;
                        }
                        break;
                    case -80340882:
                        if (str5.equals("gen_crl")) {
                            z2 = 12;
                            break;
                        }
                        break;
                    case 98781:
                        if (str5.equals(SdkConstants.CMD_crl)) {
                            z2 = 13;
                            break;
                        }
                        break;
                    case 178319831:
                        if (str5.equals(SdkConstants.CMD_profileinfo)) {
                            z2 = 15;
                            break;
                        }
                        break;
                    case 540129520:
                        if (str5.equals(SdkConstants.CMD_cacert2)) {
                            z2 = 16;
                            break;
                        }
                        break;
                    case 540129585:
                        if (str5.equals(SdkConstants.CMD_cacerts)) {
                            z2 = 2;
                            break;
                        }
                        break;
                    case 747572997:
                        if (str5.equals(SdkConstants.CMD_confirm_enroll)) {
                            z2 = 8;
                            break;
                        }
                        break;
                    case 968710496:
                        if (str5.equals("unsuspend_cert")) {
                            z2 = 10;
                            break;
                        }
                        break;
                    case 1468056805:
                        if (str5.equals(SdkConstants.CMD_revoke_pending_cert)) {
                            z2 = 9;
                            break;
                        }
                        break;
                    case 1976162669:
                        if (str5.equals(SdkConstants.CMD_get_cert)) {
                            z2 = 14;
                            break;
                        }
                        break;
                }
                switch (z2) {
                    case false:
                        if (x509Ca.healthy()) {
                            return null;
                        }
                        return new ErrorResponse(null, ErrorCode.SYSTEM_UNAVAILABLE, "CA is not healthy");
                    case true:
                        return buildCertChainResponse(x509Ca.getCaInfo().getCert(), null);
                    case true:
                        return buildCertChainResponse(x509Ca.getCaInfo().getCert(), x509Ca.getCaInfo().getCertchain());
                    case true:
                        assertPermitted(requestor, 1);
                        return enroll(x509Ca, requireNonNullRequest(bArr), requestor, false, false);
                    case true:
                        assertPermitted(requestor, 16);
                        return enroll(x509Ca, requireNonNullRequest(bArr), requestor, true, false);
                    case true:
                        assertPermitted(requestor, PermissionConstants.ENROLL_CROSS);
                        return enroll(x509Ca, requireNonNullRequest(bArr), requestor, false, true);
                    case true:
                        if (requestor.isPermitted(1) || requestor.isPermitted(16)) {
                            return poll(x509Ca, (PollCertRequest) caIdentifierRequest, ProcessIdUtil.DEFAULT_PROCESSID.equals(str2));
                        }
                        throw new OperationException(ErrorCode.NOT_PERMITTED);
                    case true:
                        assertPermitted(requestor, 2);
                        return revoke(requestor, x509Ca, (RevokeCertsRequest) caIdentifierRequest, ProcessIdUtil.DEFAULT_PROCESSID.equals(str2));
                    case true:
                        if (requestor.isPermitted(1) || requestor.isPermitted(16)) {
                            return confirmCertificates(requestor, x509Ca, requireNonNullRequest(bArr));
                        }
                        throw new OperationException(ErrorCode.NOT_PERMITTED);
                    case true:
                        if (!requestor.isPermitted(1) && !requestor.isPermitted(16)) {
                            throw new OperationException(ErrorCode.NOT_PERMITTED);
                        }
                        revokePendingCertificates(requestor, x509Ca, TransactionIdRequest.decode(requireNonNullRequest(bArr)).getTid());
                        return null;
                    case true:
                        assertPermitted(requestor, 4);
                        return removeOrUnsuspend(requestor, x509Ca, (UnsuspendOrRemoveRequest) caIdentifierRequest, true, ProcessIdUtil.DEFAULT_PROCESSID.equals(str2));
                    case true:
                        assertPermitted(requestor, 8);
                        return removeOrUnsuspend(requestor, x509Ca, (UnsuspendOrRemoveRequest) caIdentifierRequest, false, ProcessIdUtil.DEFAULT_PROCESSID.equals(str2));
                    case true:
                        assertPermitted(requestor, 32);
                        return genCrl(requestor, x509Ca, requireNonNullRequest(bArr));
                    case true:
                        return getCrl(requestor, x509Ca, requireNonNullRequest(bArr));
                    case StdKeyDeserializer.TYPE_URL /* 14 */:
                        assertPermitted(requestor, PermissionConstants.GET_CERT);
                        return getCert(x509Ca, requireNonNullRequest(bArr));
                    case StdKeyDeserializer.TYPE_CLASS /* 15 */:
                        return getProfileInfo(requireNonNullRequest(bArr));
                    case true:
                        return buildCertChainResponse(x509Ca.getCaCert(), null);
                    case StdKeyDeserializer.TYPE_BYTE_ARRAY /* 17 */:
                        return buildCertChainResponse(x509Ca.getCaCert(), x509Ca.caInfo.getCertchain());
                    case true:
                        String name = x509Ca.getCaIdent().getName();
                        Set<String> aliasesForCa = this.caManager.getAliasesForCa(name);
                        return new CaNameResponse(name, CollectionUtil.isEmpty(aliasesForCa) ? null : (String[]) aliasesForCa.toArray(new String[0]));
                    default:
                        return new ErrorResponse(null, ErrorCode.PATH_NOT_FOUND, "invalid command '" + str3 + "'");
                }
            } catch (IOException e2) {
                LogUtil.error(LOG, e2, "error getTlsClientCert");
                return new ErrorResponse(null, ErrorCode.UNAUTHORIZED, "error retrieving client certificate");
            }
        } catch (DecodeException e3) {
            return new ErrorResponse(null, ErrorCode.BAD_REQUEST, e3.getMessage());
        } catch (OperationException e4) {
            return new ErrorResponse(null, e4.getErrorCode(), e4.getErrorMessage());
        }
    }

    private static byte[] requireNonNullRequest(byte[] bArr) throws DecodeException {
        if (bArr == null) {
            throw new DecodeException("request must no be null");
        }
        return bArr;
    }

    /* JADX WARN: Type inference failed for: r0v3, types: [byte[], byte[][]] */
    private CertChainResponse buildCertChainResponse(X509Cert x509Cert, List<X509Cert> list) {
        int size = 1 + (list == null ? 0 : list.size());
        ?? r0 = new byte[size];
        r0[0] = x509Cert.getEncoded();
        if (size > 1) {
            for (int i = 1; i < size; i++) {
                r0[i] = list.get(i - 1).getEncoded();
            }
        }
        return new CertChainResponse(r0);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v15, types: [byte[], byte[][]] */
    /* JADX WARN: Type inference failed for: r1v17, types: [byte[], byte[][]] */
    private SdkResponse enroll(X509Ca x509Ca, byte[] bArr, RequestorInfo requestorInfo, boolean z, boolean z2) throws OperationException, DecodeException {
        Extensions extensions;
        SubjectPublicKeyInfo subjectPublicKeyInfo;
        boolean isReusePublicKey;
        String str;
        CertWithRevocationInfo certWithRevocationInfoBySubject;
        EnrollCertsRequest decode = EnrollCertsRequest.decode(bArr);
        EnrollCertRequestEntry[] entries = decode.getEntries();
        ArrayList arrayList = new ArrayList(entries.length);
        HashSet<String> hashSet = new HashSet();
        for (EnrollCertRequestEntry enrollCertRequestEntry : entries) {
            String certprofile = enrollCertRequestEntry.getCertprofile();
            Long notBefore = enrollCertRequestEntry.getNotBefore();
            Instant ofEpochSecond = notBefore == null ? null : Instant.ofEpochSecond(notBefore.longValue());
            Long notAfter = enrollCertRequestEntry.getNotAfter();
            Instant ofEpochSecond2 = notAfter == null ? null : Instant.ofEpochSecond(notAfter.longValue());
            X500Name x500Name = null;
            if (enrollCertRequestEntry.getP10req() != null) {
                CertificationRequestInfo certificationRequestInfo = X509Util.parseCsrInRequest(enrollCertRequestEntry.getP10req()).getCertificationRequestInfo();
                x500Name = certificationRequestInfo.getSubject();
                subjectPublicKeyInfo = certificationRequestInfo.getSubjectPublicKeyInfo();
                extensions = X509Util.getExtensions(certificationRequestInfo);
            } else {
                X500NameType subject = enrollCertRequestEntry.getSubject();
                if (subject != null) {
                    try {
                        x500Name = subject.toX500Name();
                    } catch (IOException e) {
                        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE);
                    }
                } else if (!z) {
                    throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "subject is not set");
                }
                extensions = enrollCertRequestEntry.getExtensions() != null ? Extensions.getInstance(enrollCertRequestEntry.getExtensions()) : null;
                subjectPublicKeyInfo = enrollCertRequestEntry.getSubjectPublicKey() != null ? SubjectPublicKeyInfo.getInstance(enrollCertRequestEntry.getSubjectPublicKey()) : null;
                if (z) {
                    OldCertInfoByIssuerAndSerial oldCertIsn = enrollCertRequestEntry.getOldCertIsn();
                    OldCertInfoBySubject oldCertSubject = enrollCertRequestEntry.getOldCertSubject();
                    if (oldCertIsn == null && oldCertSubject == null) {
                        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "Neither oldCertIsn nor oldCertSubject is specified in reenroll_cert command, but exactly one of them is permitted");
                    }
                    if (oldCertIsn != null && oldCertSubject != null) {
                        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "Both oldCertIsn and oldCertSubject are specified in reenroll_cert command, but exactly one of them is permitted");
                    }
                    if (oldCertIsn != null) {
                        isReusePublicKey = oldCertIsn.isReusePublicKey();
                        X500Name x500Name2 = X500Name.getInstance(oldCertIsn.getIssuer());
                        BigInteger serialNumber = oldCertIsn.getSerialNumber();
                        str = "certificate with the issuer '" + X509Util.x500NameText(x500Name2) + "' and serial number " + serialNumber;
                        certWithRevocationInfoBySubject = x509Ca.getCertWithRevocationInfo(serialNumber);
                    } else {
                        isReusePublicKey = oldCertSubject.isReusePublicKey();
                        X500Name x500Name3 = X500Name.getInstance(oldCertSubject.getSubject());
                        str = "certificate with subject '" + X509Util.x500NameText(x500Name3) + "'";
                        certWithRevocationInfoBySubject = x509Ca.getCertWithRevocationInfoBySubject(x500Name3, oldCertSubject.getSan());
                    }
                    if (certWithRevocationInfoBySubject == null) {
                        throw new OperationException(ErrorCode.UNKNOWN_CERT, "found no " + str);
                    }
                    if (certWithRevocationInfoBySubject.isRevoked()) {
                        throw new OperationException(ErrorCode.CERT_REVOKED, "could not update a revoked " + str);
                    }
                    if (certprofile == null) {
                        certprofile = certWithRevocationInfoBySubject.getCertprofile();
                        hashSet.add(certprofile);
                    }
                    if (x500Name == null) {
                        x500Name = certWithRevocationInfoBySubject.getCert().getCert().getSubject();
                    }
                    if (subjectPublicKeyInfo == null && isReusePublicKey) {
                        subjectPublicKeyInfo = certWithRevocationInfoBySubject.getCert().getCert().getSubjectPublicKeyInfo();
                    }
                    HashMap hashMap = new HashMap();
                    if (extensions != null) {
                        for (ASN1ObjectIdentifier aSN1ObjectIdentifier : extensions.getExtensionOIDs()) {
                            hashMap.put(aSN1ObjectIdentifier.getId(), extensions.getExtension(aSN1ObjectIdentifier));
                        }
                    }
                    Extensions extensions2 = certWithRevocationInfoBySubject.getCert().getCert().toBcCert().getExtensions();
                    for (ASN1ObjectIdentifier aSN1ObjectIdentifier2 : extensions2.getExtensionOIDs()) {
                        String id = aSN1ObjectIdentifier2.getId();
                        if (!hashMap.containsKey(id) && !reenrollCertExtnIds.contains(id)) {
                            hashMap.put(id, extensions2.getExtension(aSN1ObjectIdentifier2));
                        }
                    }
                    extensions = new Extensions((Extension[]) hashMap.values().toArray(new Extension[0]));
                }
            }
            hashSet.add(certprofile);
            CertTemplateData certTemplateData = new CertTemplateData(x500Name, subjectPublicKeyInfo, ofEpochSecond, ofEpochSecond2, extensions, certprofile, enrollCertRequestEntry.getCertReqId(), subjectPublicKeyInfo == null);
            certTemplateData.setForCrossCert(z2);
            arrayList.add(certTemplateData);
        }
        for (String str2 : hashSet) {
            if (!requestorInfo.isCertprofilePermitted(str2)) {
                throw new OperationException(ErrorCode.NOT_PERMITTED, "cert profile " + str2 + " is not allowed");
            }
            if (z2) {
                IdentifiedCertprofile identifiedCertprofile = this.caManager.getIdentifiedCertprofile(str2);
                if (identifiedCertprofile == null) {
                    throw new OperationException(ErrorCode.UNKNOWN_CERT_PROFILE, "unknown cert profile " + str2);
                }
                if (Certprofile.CertLevel.CROSS != identifiedCertprofile.getCertLevel()) {
                    throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "cert profile " + str2 + " is not for CROSS certificate");
                }
            }
        }
        boolean z3 = decode.getExplicitConfirm() != null && decode.getExplicitConfirm().booleanValue();
        long millis = z3 ? Clock.systemUTC().millis() + (decode.getConfirmWaitTimeMs() == null ? DFLT_CONFIRM_WAIT_TIME_MS : decode.getConfirmWaitTimeMs().intValue()) : 0L;
        EnrollOrPullCertResponseEntry[] generateCertificates = generateCertificates(requestorInfo, x509Ca, arrayList, decode, millis);
        if (generateCertificates == null) {
            return new ErrorResponse(decode.getTransactionId(), ErrorCode.SYSTEM_FAILURE, null);
        }
        EnrollOrPollCertsResponse enrollOrPollCertsResponse = new EnrollOrPollCertsResponse();
        enrollOrPollCertsResponse.setTransactionId(decode.getTransactionId());
        enrollOrPollCertsResponse.setEntries(generateCertificates);
        if (z3) {
            enrollOrPollCertsResponse.setConfirmWaitTime(Long.valueOf(millis));
        }
        CertsMode caCertMode = decode.getCaCertMode();
        if (caCertMode == CertsMode.CERT) {
            enrollOrPollCertsResponse.setExtraCerts(new byte[]{x509Ca.getCaCert().getEncoded()});
        } else if (caCertMode == CertsMode.CHAIN) {
            if (CollectionUtil.isEmpty(x509Ca.getCaInfo().getCertchain())) {
                enrollOrPollCertsResponse.setExtraCerts(new byte[]{x509Ca.getCaCert().getEncoded()});
            } else {
                enrollOrPollCertsResponse.setExtraCerts((byte[][]) x509Ca.getEncodedCaCertChain().toArray(new byte[0][0]));
            }
        }
        return enrollOrPollCertsResponse;
    }

    private SdkResponse poll(X509Ca x509Ca, PollCertRequest pollCertRequest, boolean z) throws OperationException {
        if (!z) {
            assertIssuerMatch(x509Ca, pollCertRequest);
        }
        String transactionId = pollCertRequest.getTransactionId();
        PollCertRequestEntry[] entries = pollCertRequest.getEntries();
        EnrollOrPullCertResponseEntry[] enrollOrPullCertResponseEntryArr = new EnrollOrPullCertResponseEntry[entries.length];
        for (int i = 0; i < entries.length; i++) {
            PollCertRequestEntry pollCertRequestEntry = entries[i];
            ErrorEntry errorEntry = null;
            X500Name x500Name = null;
            try {
                x500Name = pollCertRequestEntry.getSubject().toX500Name();
            } catch (IOException e) {
                errorEntry = new ErrorEntry(ErrorCode.BAD_REQUEST, "invalid subject");
            }
            byte[] bArr = null;
            if (errorEntry == null) {
                X509Cert cert = x509Ca.getCert(x500Name, transactionId);
                if (cert != null) {
                    bArr = cert.getEncoded();
                } else {
                    errorEntry = new ErrorEntry(ErrorCode.UNKNOWN_CERT, (String) null);
                }
            }
            enrollOrPullCertResponseEntryArr[i] = new EnrollOrPullCertResponseEntry(pollCertRequestEntry.getId(), errorEntry, bArr, null);
        }
        EnrollOrPollCertsResponse enrollOrPollCertsResponse = new EnrollOrPollCertsResponse();
        enrollOrPollCertsResponse.setTransactionId(transactionId);
        enrollOrPollCertsResponse.setEntries(enrollOrPullCertResponseEntryArr);
        return enrollOrPollCertsResponse;
    }

    private SdkResponse revoke(RequestorInfo requestorInfo, X509Ca x509Ca, RevokeCertsRequest revokeCertsRequest, boolean z) throws OperationException {
        if (!z) {
            assertIssuerMatch(x509Ca, revokeCertsRequest);
        }
        RevokeCertRequestEntry[] entries = revokeCertsRequest.getEntries();
        SingleCertSerialEntry[] singleCertSerialEntryArr = new SingleCertSerialEntry[entries.length];
        for (int i = 0; i < entries.length; i++) {
            RevokeCertRequestEntry revokeCertRequestEntry = entries[i];
            BigInteger serialNumber = revokeCertRequestEntry.getSerialNumber();
            CrlReason reason = revokeCertRequestEntry.getReason();
            ErrorEntry errorEntry = null;
            if (reason == CrlReason.REMOVE_FROM_CRL) {
                errorEntry = new ErrorEntry(ErrorCode.BAD_REQUEST, "Reason removeFromCRL is not permitted");
            } else {
                try {
                    x509Ca.revokeCert(requestorInfo, serialNumber, reason, revokeCertRequestEntry.getInvalidityTime() == null ? null : Instant.ofEpochSecond(revokeCertRequestEntry.getInvalidityTime().longValue()));
                } catch (OperationException e) {
                    errorEntry = new ErrorEntry(e.getErrorCode(), e.getErrorMessage());
                }
            }
            singleCertSerialEntryArr[i] = new SingleCertSerialEntry(serialNumber, errorEntry);
        }
        return new RevokeCertsResponse(singleCertSerialEntryArr);
    }

    private SdkResponse removeOrUnsuspend(RequestorInfo requestorInfo, X509Ca x509Ca, UnsuspendOrRemoveRequest unsuspendOrRemoveRequest, boolean z, boolean z2) throws OperationException {
        if (!z2) {
            assertIssuerMatch(x509Ca, unsuspendOrRemoveRequest);
        }
        BigInteger[] entries = unsuspendOrRemoveRequest.getEntries();
        SingleCertSerialEntry[] singleCertSerialEntryArr = new SingleCertSerialEntry[entries.length];
        for (int i = 0; i < entries.length; i++) {
            BigInteger bigInteger = entries[i];
            ErrorEntry errorEntry = null;
            if (z) {
                try {
                    x509Ca.unsuspendCert(requestorInfo, bigInteger);
                } catch (OperationException e) {
                    errorEntry = new ErrorEntry(e.getErrorCode(), e.getErrorMessage());
                }
            } else {
                x509Ca.removeCert(requestorInfo, bigInteger);
            }
            singleCertSerialEntryArr[i] = new SingleCertSerialEntry(bigInteger, errorEntry);
        }
        return new UnSuspendOrRemoveCertsResponse(singleCertSerialEntryArr);
    }

    private void assertIssuerMatch(X509Ca x509Ca, CaIdentifierRequest caIdentifierRequest) throws OperationException {
        X500NameType issuer = caIdentifierRequest.getIssuer();
        byte[] authorityKeyIdentifier = caIdentifierRequest.getAuthorityKeyIdentifier();
        byte[] issuerCertSha1Fp = caIdentifierRequest.getIssuerCertSha1Fp();
        if (issuer == null && authorityKeyIdentifier == null && issuerCertSha1Fp == null) {
            throw new OperationException(ErrorCode.BAD_REQUEST, "no issuer's identifier is specified");
        }
        if (issuer != null) {
            try {
                if (!issuer.toX500Name().equals(x509Ca.getCaCert().getSubject())) {
                    throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "issuer does not target at the CA");
                }
            } catch (IOException e) {
                throw new OperationException(ErrorCode.BAD_REQUEST, "error toX500Name");
            }
        }
        if (authorityKeyIdentifier != null && !Arrays.equals(x509Ca.getCaCert().getSubjectKeyId(), authorityKeyIdentifier)) {
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "AuthorityKeyIdentifier does not target at the CA");
        }
        if (issuerCertSha1Fp != null && !Hex.encode(issuerCertSha1Fp).equalsIgnoreCase(x509Ca.getHexSha1OfCert())) {
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "IssuerCertSha256Fp does not target at the CA");
        }
    }

    private SdkResponse genCrl(RequestorInfo requestorInfo, X509Ca x509Ca, byte[] bArr) throws OperationException, DecodeException {
        GenCRLRequest.decode(bArr);
        return buildCrlResp(x509Ca.generateCrlOnDemand(requestorInfo), "generate CRL");
    }

    private SdkResponse getCrl(RequestorInfo requestorInfo, X509Ca x509Ca, byte[] bArr) throws OperationException, DecodeException {
        return buildCrlResp(x509Ca.getCrl(requestorInfo, GetCRLRequest.decode(bArr).getCrlNumber()), "get CRL");
    }

    private static SdkResponse buildCrlResp(X509CRLHolder x509CRLHolder, String str) {
        if (x509CRLHolder != null) {
            try {
                return new CrlResponse(x509CRLHolder.getEncoded());
            } catch (IOException e) {
                return new ErrorResponse(null, ErrorCode.SYSTEM_FAILURE, "error encoding CRL");
            }
        }
        String str2 = "could not " + str;
        LOG.warn(str2);
        return new ErrorResponse(null, ErrorCode.SYSTEM_FAILURE, str2);
    }

    private SdkResponse getCert(X509Ca x509Ca, byte[] bArr) throws OperationException, DecodeException {
        GetCertRequest decode = GetCertRequest.decode(bArr);
        try {
            if (!decode.getIssuer().toX500Name().equals(x509Ca.getCaCert().getSubject())) {
                throw new OperationException(ErrorCode.BAD_REQUEST, "unknown issuer");
            }
            X509Cert cert = x509Ca.getCert(decode.getSerialNumber());
            if (cert == null) {
                return null;
            }
            return new PayloadResponse(cert.getEncoded());
        } catch (IOException e) {
            throw new OperationException(ErrorCode.BAD_REQUEST, "error toX500Name");
        }
    }

    private SdkResponse getProfileInfo(byte[] bArr) throws OperationException, DecodeException {
        return this.caManager.getCertprofileInfo(CertprofileInfoRequest.decode(bArr).getProfile());
    }

    private static void assertPermitted(RequestorInfo requestorInfo, int i) throws OperationException {
        try {
            requestorInfo.assertPermitted(i);
        } catch (InsufficientPermissionException e) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, e.getMessage());
        }
    }

    private EnrollOrPullCertResponseEntry[] generateCertificates(RequestorInfo requestorInfo, X509Ca x509Ca, List<CertTemplateData> list, EnrollCertsRequest enrollCertsRequest, long j) {
        String name = x509Ca.getCaInfo().getIdent().getName();
        int size = list.size();
        String transactionId = enrollCertsRequest.getTransactionId();
        Boolean groupEnroll = enrollCertsRequest.getGroupEnroll();
        boolean z = groupEnroll != null && groupEnroll.booleanValue();
        Boolean explicitConfirm = enrollCertsRequest.getExplicitConfirm();
        boolean z2 = explicitConfirm != null && explicitConfirm.booleanValue();
        ArrayList arrayList = new ArrayList(size);
        if (!z) {
            for (CertTemplateData certTemplateData : list) {
                BigInteger certReqId = certTemplateData.getCertReqId();
                byte[] bArr = null;
                ErrorEntry errorEntry = null;
                try {
                    CertificateInfo generateCert = x509Ca.generateCert(requestorInfo, certTemplateData, transactionId);
                    if (z2) {
                        this.pendingCertPool.addCertificate(transactionId, certReqId, generateCert, j);
                    }
                    if (generateCert.getPrivateKey() != null) {
                        try {
                            bArr = generateCert.getPrivateKey().getEncoded();
                        } catch (IOException e) {
                            errorEntry = new ErrorEntry(ErrorCode.SYSTEM_FAILURE, "error encoding CRL");
                        }
                    }
                    r25 = errorEntry == null ? generateCert.getCert().getCert().getEncoded() : null;
                } catch (OperationException e2) {
                    errorEntry = new ErrorEntry(e2.getErrorCode(), e2.getErrorMessage());
                }
                arrayList.add(new EnrollOrPullCertResponseEntry(certReqId, errorEntry, r25, bArr));
            }
            return (EnrollOrPullCertResponseEntry[]) arrayList.toArray(new EnrollOrPullCertResponseEntry[0]);
        }
        List<CertificateInfo> list2 = null;
        try {
            list2 = x509Ca.generateCerts(requestorInfo, list, transactionId);
            for (int i = 0; i < size; i++) {
                CertificateInfo certificateInfo = list2.get(i);
                BigInteger certReqId2 = list.get(i).getCertReqId();
                if (z2) {
                    this.pendingCertPool.addCertificate(transactionId, certReqId2, certificateInfo, j);
                }
                byte[] bArr2 = null;
                ErrorEntry errorEntry2 = null;
                if (certificateInfo.getPrivateKey() != null) {
                    try {
                        bArr2 = certificateInfo.getPrivateKey().getEncoded();
                    } catch (IOException e3) {
                        errorEntry2 = new ErrorEntry(ErrorCode.SYSTEM_FAILURE, "error encoding CRL");
                    }
                }
                byte[] bArr3 = null;
                if (errorEntry2 == null) {
                    bArr3 = certificateInfo.getCert().getCert().getEncoded();
                }
                arrayList.add(new EnrollOrPullCertResponseEntry(certReqId2, errorEntry2, bArr3, bArr2));
            }
            return (EnrollOrPullCertResponseEntry[]) arrayList.toArray(new EnrollOrPullCertResponseEntry[0]);
        } catch (OperationException e4) {
            if (list2 == null) {
                return null;
            }
            Iterator<CertificateInfo> it = list2.iterator();
            while (it.hasNext()) {
                BigInteger serialNumber = it.next().getCert().getCert().getSerialNumber();
                try {
                    x509Ca.revokeCert(requestorInfo, serialNumber, CrlReason.CESSATION_OF_OPERATION, null);
                } catch (OperationException e5) {
                    LogUtil.error(LOG, e5, "CA " + name + " could not revoke certificate " + serialNumber);
                }
            }
            return null;
        }
    }

    protected SdkResponse confirmCertificates(RequestorInfo requestorInfo, X509Ca x509Ca, byte[] bArr) throws DecodeException {
        ConfirmCertsRequest decode = ConfirmCertsRequest.decode(bArr);
        String transactionId = decode.getTransactionId();
        boolean z = true;
        for (ConfirmCertRequestEntry confirmCertRequestEntry : decode.getEntries()) {
            BigInteger certReqId = confirmCertRequestEntry.getCertReqId();
            byte[] certhash = confirmCertRequestEntry.getCerthash();
            CertificateInfo removeCertificate = this.pendingCertPool.removeCertificate(transactionId, certReqId, certhash);
            if (removeCertificate == null) {
                LOG.warn("no cert under transactionId={}, certReqId={} and certHash=0X{}", transactionId, certReqId, Hex.encode(certhash));
            } else if (!confirmCertRequestEntry.isAccept()) {
                BigInteger serialNumber = removeCertificate.getCert().getCert().getSerialNumber();
                try {
                    x509Ca.revokeCert(requestorInfo, serialNumber, CrlReason.CESSATION_OF_OPERATION, Instant.now());
                } catch (OperationException e) {
                    LogUtil.warn(LOG, e, "could not revoke certificate ca=" + x509Ca.getCaInfo().getIdent() + " serialNumber=" + LogUtil.formatCsn(serialNumber));
                }
                z = false;
            }
        }
        if (!revokePendingCertificates(requestorInfo, x509Ca, transactionId)) {
            z = false;
        }
        if (z) {
            return null;
        }
        return new ErrorResponse(transactionId, ErrorCode.SYSTEM_FAILURE, null);
    }

    public boolean revokePendingCertificates(RequestorInfo requestorInfo, X509Ca x509Ca, String str) {
        Set<CertificateInfo> removeCertificates = this.pendingCertPool.removeCertificates(str);
        if (CollectionUtil.isEmpty(removeCertificates)) {
            return true;
        }
        boolean z = true;
        Instant now = Instant.now();
        Iterator<CertificateInfo> it = removeCertificates.iterator();
        while (it.hasNext()) {
            try {
                x509Ca.revokeCert(requestorInfo, it.next().getCert().getCert().getSerialNumber(), CrlReason.CESSATION_OF_OPERATION, now);
            } catch (OperationException e) {
                z = false;
            }
        }
        return z;
    }

    public void close() {
        if (this.threadPoolExecutor == null) {
            return;
        }
        this.threadPoolExecutor.shutdown();
        this.threadPoolExecutor = null;
    }
}
