package org.xipki.ca.server.mgmt;

import java.io.IOException;
import java.math.BigInteger;
import java.time.Instant;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CRLHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.ca.api.CertificateInfo;
import org.xipki.ca.api.NameId;
import org.xipki.ca.api.mgmt.CaMgmtException;
import org.xipki.ca.api.mgmt.CaProfileEntry;
import org.xipki.ca.api.mgmt.CaStatus;
import org.xipki.ca.api.mgmt.CertListInfo;
import org.xipki.ca.api.mgmt.CertListOrderBy;
import org.xipki.ca.api.mgmt.CertWithRevocationInfo;
import org.xipki.ca.api.mgmt.CtlogControl;
import org.xipki.ca.api.mgmt.entry.CaEntry;
import org.xipki.ca.api.mgmt.entry.CaHasRequestorEntry;
import org.xipki.ca.api.mgmt.entry.ChangeCaEntry;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.sdk.CaAuditConstants;
import org.xipki.ca.server.CaInfo;
import org.xipki.ca.server.CaUtil;
import org.xipki.ca.server.CertTemplateData;
import org.xipki.ca.server.CtLogClient;
import org.xipki.ca.server.IdentifiedCertprofile;
import org.xipki.ca.server.X509Ca;
import org.xipki.ca.server.db.CaManagerQueryExecutor;
import org.xipki.ca.server.db.CertStore;
import org.xipki.ca.server.mgmt.SelfSignedCertBuilder;
import org.xipki.datasource.DataAccessException;
import org.xipki.security.AlgorithmValidator;
import org.xipki.security.CertRevocationInfo;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.CrlReason;
import org.xipki.security.DHSigStaticKeyCertPair;
import org.xipki.security.KeyCertBytesPair;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignerConf;
import org.xipki.security.X509Cert;
import org.xipki.security.XiSecurityException;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.LogUtil;
import org.xipki.util.RandomUtil;
import org.xipki.util.StringUtil;
import org.xipki.util.exception.ErrorCode;
import org.xipki.util.exception.InvalidConfException;
import org.xipki.util.exception.ObjectCreationException;
import org.xipki.util.exception.OperationException;
import org.xipki.util.http.SslContextConf;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/mgmt/Ca2Manager.class */
public class Ca2Manager {
    // Logger shared by every CA-lifecycle method in this class.
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) Ca2Manager.class);
    // Set by initCaAliases() once the alias map has been filled; cleared again by reset().
    private boolean caAliasesInitialized;
    // Set by initCas() once every name from the CA table has been turned into a CaInfo; cleared by reset().
    private boolean casInitialized;
    // Owning manager. All CA state (caInfos, x509cas, caAliases, caHas* maps, idNameMap, queryExecutor)
    // lives on the manager; this class only orchestrates it.
    private final CaManagerImpl manager;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the CA sub-manager for the given owning manager.
     *
     * @param caManagerImpl the manager whose CA maps this object operates on; must not be null
     */
    public Ca2Manager(CaManagerImpl caManagerImpl) {
        // Fail fast on a null manager: every method below dereferences it.
        CaManagerImpl owner = (CaManagerImpl) Args.notNull(caManagerImpl, "manager");
        this.manager = owner;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Forgets that initCaAliases()/initCas() ran, so their next call performs the load again. */
    public void reset() {
        caAliasesInitialized = false;
        casInitialized = false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Closes every running X509Ca. Best effort: a failure in one CA is logged and the
     * remaining CAs are still closed.
     */
    public void close() {
        this.manager.x509cas.forEach((caName, ca) -> {
            try {
                ca.close();
            } catch (Throwable th) {
                LogUtil.error(LOG, th, "could not call ca.close() for CA " + caName);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Rebuilds the named CA from its persisted configuration and starts it if it is ACTIVE.
     * Failures of createCa()/startCa() are logged, not thrown.
     *
     * @param str CA name (normalised to lower case)
     * @throws CaMgmtException when not in master mode or the CA is unknown
     */
    public void restartCa(String str) throws CaMgmtException {
        assertMasterMode();
        String caName = Args.toNonBlankLower(str, "name");
        if (this.manager.idNameMap.getCa(caName) == null) {
            throw new CaMgmtException("Unknown CA " + caName);
        }
        boolean created = createCa(caName);
        if (!created) {
            LOG.error("could not create CA {}", caName);
        } else if (CaStatus.ACTIVE == this.manager.caInfos.get(caName).getStatus()) {
            // A non-ACTIVE CA is registered in caInfos but no X509Ca instance is created for it.
            boolean started = startCa(caName);
            if (started) {
                LOG.info("started CA {}", caName);
            } else {
                LOG.error("could not start CA {}", caName);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Instantiates the X509Ca for an already-loaded CaInfo and registers it in x509cas.
     *
     * @param str CA name; must already be present in caInfos
     * @return true when the X509Ca was created and registered, false on any failure (logged)
     */
    public boolean startCa(String str) {
        CaInfo caInfo = this.manager.caInfos.get(str);
        CtlogControl ctlog = caInfo.getCtlogControl();
        CtLogClient ctLogClient = null;
        if (ctlog != null && ctlog.isEnabled()) {
            String sslContextName = ctlog.getSslContextName();
            SslContextConf sslConf = null;
            if (sslContextName != null) {
                sslConf = this.manager.caServerConf.getSslContextConf(sslContextName);
                // A CT-log config naming a missing SslContext is a start failure, not a silent
                // fallback to a default TLS context.
                if (sslConf == null) {
                    LOG.error("getSslContextConf (ca={}): found no SslContext named {}", str, sslContextName);
                    return false;
                }
            }
            ctLogClient = new CtLogClient(ctlog.getServers(), sslConf);
        }
        try {
            X509Ca ca = new X509Ca(this.manager, caInfo, this.manager.certstore, ctLogClient);
            this.manager.x509cas.put(str, ca);
        } catch (OperationException e) {
            LogUtil.error(LOG, e, "X509CA.<init> (ca=" + str + ")");
            return false;
        }
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Names of CAs that are ACTIVE and have a running X509Ca instance.
     *
     * @return a fresh, mutable set (possibly empty)
     */
    public Set<String> getSuccessfulCaNames() {
        Set<String> names = new HashSet<>();
        this.manager.x509cas.keySet().forEach(caName -> {
            CaStatus status = this.manager.caInfos.get(caName).getStatus();
            if (status == CaStatus.ACTIVE) {
                names.add(caName);
            }
        });
        return names;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Names of CAs configured as ACTIVE for which no X509Ca instance exists, i.e. startCa()
     * was not run or did not succeed.
     *
     * @return a fresh, mutable set (possibly empty)
     */
    public Set<String> getFailedCaNames() {
        Set<String> names = new HashSet<>();
        this.manager.caInfos.forEach((caName, caInfo) -> {
            boolean shouldRun = caInfo.getStatus() == CaStatus.ACTIVE;
            boolean isRunning = this.manager.x509cas.containsKey(caName);
            if (shouldRun && !isRunning) {
                names.add(caName);
            }
        });
        return names;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Names of CAs whose configured status is INACTIVE.
     *
     * @return a fresh, mutable set (possibly empty)
     */
    public Set<String> getInactiveCaNames() {
        Set<String> names = new HashSet<>();
        this.manager.caInfos.forEach((caName, caInfo) -> {
            if (caInfo.getStatus() == CaStatus.INACTIVE) {
                names.add(caName);
            }
        });
        return names;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Loads the alias-to-CA-id map through the query executor. Runs once; subsequent calls are
     * no-ops until reset().
     *
     * @throws CaMgmtException propagated from the query executor
     */
    public void initCaAliases() throws CaMgmtException {
        if (caAliasesInitialized) {
            return;
        }
        Map<String, Integer> loaded = this.manager.queryExecutor.createCaAliases();
        Map<String, Integer> aliases = this.manager.caAliases;
        aliases.clear();
        aliases.putAll(loaded);
        LOG.info("caAliases: {}", aliases);
        caAliasesInitialized = true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Clears every per-CA cache on the manager and rebuilds it by calling createCa() for each
     * name in the CA table. Runs once; subsequent calls are no-ops until reset().
     *
     * @throws CaMgmtException propagated from the query executor or createCa()
     */
    public void initCas() throws CaMgmtException {
        if (casInitialized) {
            return;
        }
        this.manager.caInfos.clear();
        this.manager.caHasRequestors.clear();
        this.manager.caHasPublishers.clear();
        this.manager.caHasProfiles.clear();
        this.manager.idNameMap.clearCa();
        Iterator<?> names = this.manager.queryExecutor.namesFromTable("CA").iterator();
        while (names.hasNext()) {
            // createCa() either returns true or throws, so its result carries no information here.
            createCa((String) names.next());
        }
        casInitialized = true;
    }

    /**
     * (Re)loads one CA's configuration and its requestor/profile/publisher associations into the
     * manager's maps. Any previous in-memory state for the name is discarded first and a running
     * X509Ca for it is closed; this method does NOT start the CA (see startCa()).
     *
     * @param str CA name
     * @return always true; failures surface as exceptions
     * @throws CaMgmtException propagated from the query executor
     */
    boolean createCa(String str) throws CaMgmtException {
        this.manager.caInfos.remove(str);
        this.manager.idNameMap.removeCa(str);
        this.manager.caHasProfiles.remove(str);
        this.manager.caHasPublishers.remove(str);
        this.manager.caHasRequestors.remove(str);
        X509Ca previous = this.manager.x509cas.remove(str);
        if (previous != null) {
            previous.close();
        }

        CaManagerQueryExecutor queries = this.manager.queryExecutor;
        CaInfo caInfo = queries.createCaInfo(str, this.manager.certstore);
        // NOTE(review): the meaning of toString(false) is not visible here — presumably a verbosity
        // switch; confirm it keeps sensitive signer details out of the log.
        LOG.info("created CA {}:\n{}", str, caInfo.toString(false));
        this.manager.caInfos.put(str, caInfo);
        NameId ident = caInfo.getIdent();
        this.manager.idNameMap.addCa(ident);

        Set<CaHasRequestorEntry> requestors = queries.createCaHasRequestors(ident);
        this.manager.caHasRequestors.put(str, requestors);
        if (LOG.isInfoEnabled()) {
            StringBuilder text = new StringBuilder();
            for (CaHasRequestorEntry requestor : requestors) {
                text.append("\n").append(requestor.toString("    "));
            }
            LOG.info("CA {} is associated requestors:{}", str, text);
        }

        // Profile associations are stored by id with a comma-separated alias list; resolve to names.
        Set<CaProfileEntry> profiles = new HashSet<>();
        for (CaProfileIdAliases idAliases : queries.createCaHasProfiles(ident)) {
            String profileName = this.manager.idNameMap.getCertprofileName(idAliases.getId());
            profiles.add(new CaProfileEntry(profileName, StringUtil.split(idAliases.getAliases(), ",")));
        }
        this.manager.caHasProfiles.put(str, profiles);
        LOG.info("CA {} is associated with profiles: {}", str, profiles);

        Set<String> publishers = new HashSet<>();
        for (Integer publisherId : queries.createCaHasPublishers(ident)) {
            publishers.add(this.manager.idNameMap.getPublisherName(publisherId.intValue()));
        }
        this.manager.caHasPublishers.put(str, publishers);
        LOG.info("CA {} is associated with publishers: {}", str, publishers);
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Persists a new CA, registers its certificate in the cert store, then loads and starts it.
     * The given entry is mutated: its signer conf is canonicalised and, when it carries no
     * certificate, the certificate of the first signer that has one is adopted.
     *
     * @param caEntry   the CA to add; its name must be valid and not yet in use
     * @param certStore store that receives the CA's certificate
     * @throws CaMgmtException when not in master mode, the name is invalid or taken, a signer has
     *         no certificate, or a signer cannot be created
     */
    public void addCa(CaEntry caEntry, CertStore certStore) throws CaMgmtException {
        assertMasterMode();
        String name = ((CaEntry) Args.notNull(caEntry, "caEntry")).getIdent().getName();
        CaManagerImpl.checkName(name, "CA name");
        if (this.manager.caInfos.containsKey(name)) {
            throw new CaMgmtException("CA named " + name + " exists");
        }
        SecurityFactory securityFactory = this.manager.securityFactory;
        String rawSignerConf = caEntry.getSignerConf();
        String canonicalSignerConf = CaUtil.canonicalizeSignerConf(rawSignerConf);
        if (!rawSignerConf.equals(canonicalSignerConf)) {
            caEntry.setSignerConf(canonicalSignerConf);
        }
        try {
            // Every configured signer is opened once before anything is persisted and closed
            // again right away (try-with-resources reproduces the close/addSuppressed dance).
            for (CaEntry.CaSignerConf part : CaEntry.splitCaSignerConfs(caEntry.getSignerConf())) {
                try (ConcurrentContentSigner signer = securityFactory.createSigner(
                        caEntry.getSignerType(), new SignerConf(part.getConf()), caEntry.getCert())) {
                    if (caEntry.getCert() == null) {
                        X509Cert signerCert = signer.getCertificate();
                        if (signerCert == null) {
                            throw new CaMgmtException("CA signer without certificate is not allowed");
                        }
                        caEntry.setCert(signerCert);
                    }
                }
            }
            this.manager.queryExecutor.addCa(caEntry);
            certStore.addCa(caEntry.getIdent(), caEntry.getCert());
            // Unlike restartCa()/changeCa(), the CA's status is not consulted before starting it.
            if (!createCa(name)) {
                LOG.error("could not create CA {}", name);
            } else if (startCa(name)) {
                LOG.info("started CA {}", name);
            } else {
                LOG.error("could not start CA {}", name);
            }
        } catch (IOException | XiSecurityException | ObjectCreationException e) {
            throw new CaMgmtException("could not create signer for new CA " + name + ": " + e.getMessage(), e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Applies a configuration change to an existing CA, then reloads it and restarts it if it is
     * ACTIVE. Failures of createCa()/startCa() are logged, not thrown.
     *
     * @param changeCaEntry the change, identified by CA name; its ident receives the resolved id
     * @throws CaMgmtException when not in master mode, the CA is unknown, or the query executor fails
     */
    public void changeCa(ChangeCaEntry changeCaEntry) throws CaMgmtException {
        assertMasterMode();
        String caName = ((ChangeCaEntry) Args.notNull(changeCaEntry, "entry")).getIdent().getName();
        NameId existing = this.manager.idNameMap.getCa(caName);
        if (existing == null) {
            throw new CaMgmtException("Unknown CA " + caName);
        }
        changeCaEntry.getIdent().setId(existing.getId());
        CaInfo current = this.manager.caInfos.get(caName);
        this.manager.queryExecutor.changeCa(changeCaEntry, current.getCaConfColumn(), this.manager.securityFactory);
        if (!createCa(caName)) {
            LOG.error("could not create CA {}", caName);
        } else if (CaStatus.ACTIVE == this.manager.caInfos.get(caName).getStatus()) {
            if (startCa(caName)) {
                LOG.info("started CA {}", caName);
            } else {
                LOG.error("could not start CA {}", caName);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
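    /**
     * Creates an alias for a running CA, persisting it and caching it in caAliases.
     *
     * @param str  alias name (normalised to lower case)
     * @param str2 name of the CA the alias points to
     * @throws CaMgmtException when not in master mode, the CA is unknown (raised by getX509Ca()),
     *         or the alias already exists
     */
    public void addCaAlias(String str, String str2) throws CaMgmtException {
        assertMasterMode();
        String alias = Args.toNonBlankLower(str, "aliasName");
        // getX509Ca(String) never returns null; it throws for an unknown CA.
        X509Ca x509Ca = getX509Ca(str2);
        if (this.manager.caAliases.get(alias) != null) {
            // Message fixed: this branch rejects a duplicate alias, it did not mean "unknown".
            throw new CaMgmtException("CA alias " + alias + " exists");
        }
        NameId caIdent = x509Ca.getCaIdent();
        this.manager.queryExecutor.addCaAlias(alias, caIdent);
        this.manager.caAliases.put(alias, caIdent.getId());
    }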

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Deletes an alias from the database and from the cached alias map. An unknown alias is not
     * reported (the map removal is simply a no-op).
     *
     * @param str alias name (normalised to lower case)
     * @throws CaMgmtException when not in master mode or the query executor fails
     */
    public void removeCaAlias(String str) throws CaMgmtException {
        assertMasterMode();
        String alias = Args.toNonBlankLower(str, "name");
        this.manager.queryExecutor.removeCaAlias(alias);
        this.manager.caAliases.remove(alias);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Resolves an alias to the name of a running CA.
     *
     * @param str alias name (normalised to lower case)
     * @return the CA name, or null when the alias is unknown or no running CA has that id
     */
    public String getCaNameForAlias(String str) {
        Integer caId = this.manager.caAliases.get(Args.toNonBlankLower(str, "aliasName"));
        // An unknown alias gives caId == null, which equals no CA id and so falls through to null.
        for (X509Ca ca : this.manager.x509cas.values()) {
            NameId ident = ca.getCaIdent();
            if (ident.getId().equals(caId)) {
                return ident.getName();
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * All aliases whose cached id matches the given running CA.
     *
     * @param str CA name (normalised to lower case)
     * @return a fresh, mutable set; empty when the CA is not running or has no aliases
     */
    public Set<String> getAliasesForCa(String str) {
        String caName = Args.toNonBlankLower(str, "caName");
        Set<String> aliases = new HashSet<>();
        X509Ca ca = this.manager.x509cas.get(caName);
        if (ca != null) {
            Integer caId = ca.getCaIdent().getId();
            this.manager.caAliases.forEach((alias, id) -> {
                if (caId.equals(id)) {
                    aliases.add(alias);
                }
            });
        }
        return aliases;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
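    /**
     * Deletes a CA from the database, drops all of its cached state and closes its running
     * X509Ca instance if there is one.
     *
     * @param str CA name (normalised to lower case)
     * @throws CaMgmtException when not in master mode or the query executor fails
     */
    public void removeCa(String str) throws CaMgmtException {
        assertMasterMode();
        String caName = Args.toNonBlankLower(str, "name");
        // Persistent removal first; the caches are only dropped once that succeeded.
        this.manager.queryExecutor.removeCa(caName);
        LOG.info("removed CA '{}'", caName);
        this.manager.caInfos.remove(caName);
        // Was called twice; a single removal is sufficient.
        this.manager.idNameMap.removeCa(caName);
        this.manager.caHasProfiles.remove(caName);
        this.manager.caHasPublishers.remove(caName);
        this.manager.caHasRequestors.remove(caName);
        // NOTE(review): caAliases entries pointing at this CA are not removed here; afterwards
        // getCaNameForAlias() returns null for them. Confirm whether queryExecutor.removeCa()
        // cleans up the alias table.
        X509Ca running = this.manager.x509cas.remove(caName);
        if (running != null) {
            running.close();
        }
    }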

    /* JADX INFO: Access modifiers changed from: package-private */
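    /**
     * Revokes a running CA: persists the revocation, applies it to the live X509Ca and writes a
     * PCI audit entry on success. A CA already revoked with a reason other than CERTIFICATE_HOLD
     * cannot be revoked again.
     *
     * @param str                CA name (normalised to lower case)
     * @param certRevocationInfo reason/time of the revocation; must not be null
     * @throws CaMgmtException when not in master mode/set up, the CA is not running, it is
     *         already revoked, or the revocation fails
     */
    public void revokeCa(String str, CertRevocationInfo certRevocationInfo) throws CaMgmtException {
        assertMasterModeAndSetuped();
        String caName = Args.toNonBlankLower(str, "caName");
        Args.notNull(certRevocationInfo, "revocationInfo");
        X509Ca x509Ca = this.manager.x509cas.get(caName);
        if (x509Ca == null) {
            // Message fixed ("unkown" -> "unknown"), consistent with the other lookups in this class.
            throw new CaMgmtException("unknown CA " + caName);
        }
        LOG.info("revoking CA '{}'", caName);
        CertRevocationInfo current = x509Ca.getCaInfo().getRevocationInfo();
        if (current != null) {
            CrlReason reason = current.getReason();
            if (reason != CrlReason.CERTIFICATE_HOLD) {
                throw new CaMgmtException("CA " + caName + " has been revoked with reason " + reason.name());
            }
        }
        // Database first, live instance second. NOTE(review): if the second step throws, the
        // persisted and in-memory revocation states diverge until the CA is reloaded — confirm
        // that this is the intended failure mode.
        this.manager.queryExecutor.revokeCa(caName, certRevocationInfo);
        try {
            x509Ca.revokeCa(this.manager.byCaRequestor, certRevocationInfo);
            LOG.info("revoked CA '{}'", caName);
            // Audit entry is written on the success path only.
            CaManagerImpl.auditLogPciEvent(true, "REVOKE CA " + caName);
        } catch (OperationException e) {
            throw new CaMgmtException("could not revoke CA: " + e.getMessage(), e);
        }
    }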

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Lifts the revocation of a running CA: persists the change, applies it to the live X509Ca
     * and writes a PCI audit entry on success.
     *
     * @param str CA name (normalised to lower case)
     * @throws CaMgmtException when not in master mode/set up, the CA is not running, or the
     *         operation fails
     */
    public void unrevokeCa(String str) throws CaMgmtException {
        assertMasterModeAndSetuped();
        String caName = Args.toNonBlankLower(str, "caName");
        X509Ca ca = this.manager.x509cas.get(caName);
        if (ca == null) {
            throw new CaMgmtException("could not find CA named " + caName);
        }
        LOG.info("unrevoking of CA '{}'", caName);
        // Database first, live instance second (same ordering as revokeCa()).
        this.manager.queryExecutor.unrevokeCa(caName);
        try {
            ca.unrevokeCa(this.manager.byCaRequestor);
            LOG.info("unrevoked CA '{}'", caName);
            CaManagerImpl.auditLogPciEvent(true, "UNREVOKE CA " + caName);
        } catch (OperationException e) {
            throw new CaMgmtException("could not unrevoke CA " + caName + ": " + e.getMessage(), e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Looks up a running CA by name.
     *
     * @param str CA name (normalised to lower case)
     * @return the X509Ca; never null
     * @throws CaMgmtException when no running CA has that name
     */
    public X509Ca getX509Ca(String str) throws CaMgmtException {
        String caName = Args.toNonBlankLower(str, "caName");
        X509Ca ca = this.manager.x509cas.get(caName);
        if (ca != null) {
            return ca;
        }
        throw new CaMgmtException("unknown CA " + caName);
    }

    /**
     * Looks up a running CA by its NameId. Only the name part is used for the lookup; the
     * exception message prints the whole NameId.
     *
     * @param nameId identifier of the CA; must not be null
     * @return the X509Ca; never null
     * @throws CaMgmtException when no running CA has that name
     */
    X509Ca getX509Ca(NameId nameId) throws CaMgmtException {
        Args.notNull(nameId, "ident");
        X509Ca ca = this.manager.x509cas.get(nameId.getName());
        if (ca != null) {
            return ca;
        }
        throw new CaMgmtException("unknown CA " + nameId);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
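    /**
     * Generates a self-signed root CA certificate and registers the resulting CA via
     * {@link #addCa(CaEntry, CertStore)}. The given entry is copied; the copy receives the
     * final signer configuration and certificate.
     *
     * @param caEntry   template for the new CA
     * @param str       certificate profile name (normalised to lower case)
     * @param str2      subject of the self-signed certificate
     * @param str3      serial-number spec: {@code null} (serial 1), {@code "RANDOM:<n>"} for n
     *                  random bytes (1..20), a {@code 0x}-prefixed hex value, or a decimal value
     * @param instant   notBefore handed to the self-signed certificate builder
     * @param instant2  notAfter handed to the self-signed certificate builder
     * @param certStore store the new CA is added to
     * @return the self-signed certificate, or {@code null} when numCrls or expirationPeriod of
     *         the entry is negative (existing contract: warning + null, not an exception)
     * @throws CaMgmtException on an unknown profile, an invalid serial spec, or any failure
     *         while building the certificate or adding the CA
     */
    public X509Cert generateRootCa(CaEntry caEntry, String str, String str2, String str3, Instant instant, Instant instant2, CertStore certStore) throws CaMgmtException {
        assertMasterModeAndSetuped();
        Args.notNull(caEntry, "caEntry");
        String profileName = Args.toNonBlankLower(str, "profileName");
        Args.notBlank(str2, CaAuditConstants.NAME_subject);
        int numCrls = caEntry.getNumCrls();
        String signerType = caEntry.getSignerType();
        if (numCrls < 0) {
            LOG.warn("invalid numCrls: {}", numCrls);
            return null;
        }
        int expirationPeriod = caEntry.getExpirationPeriod();
        if (expirationPeriod < 0) {
            LOG.warn("invalid expirationPeriod: {}", expirationPeriod);
            return null;
        }
        IdentifiedCertprofile profile = this.manager.getIdentifiedCertprofile(profileName);
        if (profile == null) {
            throw new CaMgmtException("unknown certprofile " + profileName);
        }
        BigInteger serialNumber = parseSelfSignedSerial(str3, profileName);
        try {
            SelfSignedCertBuilder.GenerateSelfSignedResult result = SelfSignedCertBuilder.generateSelfSigned(
                    this.manager.securityFactory, signerType, caEntry.getSignerConf(), profile, str2,
                    serialNumber, caEntry.getCaUris(), caEntry.getExtraControl(), instant, instant2);
            String signerConf = result.getSignerConf();
            X509Cert cert = result.getCert();
            // For PKCS12/JCEKS signer types the returned signer conf is canonicalised before it is stored.
            if (StringUtil.orEqualsIgnoreCase(signerType, "PKCS12", "JCEKS")) {
                try {
                    signerConf = CaUtil.canonicalizeSignerConf(signerConf);
                } catch (Exception canonEx) {
                    throw new CaMgmtException(canonEx.getClass().getName() + ": " + canonEx.getMessage(), canonEx);
                }
            }
            CaEntry newEntry = caEntry.copy();
            newEntry.setSignerConf(signerConf);
            newEntry.setCert(cert);
            addCa(newEntry, certStore);
            return cert;
        } catch (InvalidConfException | OperationException e) {
            throw new CaMgmtException(e.getClass().getName() + ": " + e.getMessage(), e);
        }
    }

    /**
     * Turns the serial-number spec of generateRootCa() into a positive serial number.
     * RFC 5280 requires serialNumber to be a positive integer of at most 20 octets.
     *
     * @param spec        null, "RANDOM:<n>", "0x<hex>" or a decimal string
     * @param profileName only used in error messages
     * @return the serial number; never zero or negative
     * @throws CaMgmtException when the spec is malformed, n is outside 1..20, or an explicit
     *         value is not positive
     */
    private static BigInteger parseSelfSignedSerial(String spec, String profileName) throws CaMgmtException {
        if (spec == null) {
            return BigInteger.ONE;
        }
        BigInteger serial;
        if (StringUtil.startsWithIgnoreCase(spec, "RANDOM:")) {
            int numBytes = -1;
            try {
                numBytes = Integer.parseUnsignedInt(spec.substring("RANDOM:".length()));
            } catch (NumberFormatException e) {
                LogUtil.error(LOG, e, "cannot parse int in " + spec);
            }
            if (numBytes < 1 || numBytes > 20) {
                throw new CaMgmtException("invalid SerialNumber for SelfSigned " + profileName + ": " + spec);
            }
            // NOTE(review): RandomUtil is assumed to be backed by a CSPRNG; confirm, since serial
            // numbers must be unpredictable.
            do {
                byte[] bytes = RandomUtil.nextBytes(numBytes);
                // Clearing the top bit keeps the value non-negative without growing its DER encoding
                // beyond numBytes; an all-zero draw (serial 0) is rejected by the loop condition.
                bytes[0] = (byte) (bytes[0] & Byte.MAX_VALUE);
                serial = new BigInteger(bytes);
            } while (serial.signum() == 0);
            return serial;
        }
        try {
            serial = StringUtil.startsWithIgnoreCase(spec, "0x")
                    ? new BigInteger(spec.substring(2), 16)
                    : new BigInteger(spec);
        } catch (NumberFormatException e) {
            // Previously escaped as an unchecked exception; report it like the other spec errors.
            throw new CaMgmtException("invalid SerialNumber for SelfSigned " + profileName + ": " + spec, e);
        }
        if (serial.signum() <= 0) {
            throw new CaMgmtException("invalid SerialNumber for SelfSigned " + profileName + ": " + spec);
        }
        return serial;
    }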

    /* JADX INFO: Access modifiers changed from: package-private */
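    /**
     * Issues a cross certificate for an existing certificate: the subject, public key and
     * extensions are taken from the target certificate, the CSR must match it (as checked by
     * X509Util.assertCsrAndCertMatch) and carry a valid proof of possession.
     *
     * @param str      issuing CA name (normalised to lower case)
     * @param str2     profile name; must be a CROSS-level profile
     * @param bArr     DER-encoded PKCS#10 request
     * @param bArr2    DER-encoded target certificate
     * @param instant  requested notBefore; null is passed through unchanged, otherwise it is never
     *                 earlier than now or than the target certificate's notBefore
     * @param instant2 requested notAfter; null or a later value is capped at the target
     *                 certificate's notAfter
     * @return the issued cross certificate
     * @throws CaMgmtException on an unknown/unsuitable profile, an unknown CA, an unparsable
     *         request, a CSR/certificate mismatch, a failed POP check, or an issuance failure
     */
    public X509Cert generateCrossCertificate(String str, String str2, byte[] bArr, byte[] bArr2, Instant instant, Instant instant2) throws CaMgmtException {
        String caName = Args.toNonBlankLower(str, "caName");
        String profileName = Args.toNonBlankLower(str2, "profileName");
        Args.notNull(bArr, "encodedCsr");
        Args.notNull(bArr2, "encodedTargetCert");
        IdentifiedCertprofile profile = this.manager.getIdentifiedCertprofile(profileName);
        if (profile == null) {
            throw new CaMgmtException("unknown certificate profile " + profileName);
        }
        if (profile.getCertLevel() != Certprofile.CertLevel.CROSS) {
            throw new CaMgmtException("certificate profile " + profileName + " is not for CROSS certificate");
        }
        X509Ca x509Ca = getX509Ca(caName);
        try {
            CertificationRequest csr = X509Util.parseCsr(bArr);
            Certificate targetCert = Certificate.getInstance(bArr2);
            try {
                X509Util.assertCsrAndCertMatch(csr, targetCert, true);
                if (!this.manager.getSecurityFactory().verifyPop(csr, (AlgorithmValidator) null, (DHSigStaticKeyCertPair) null)) {
                    throw new CaMgmtException("could not validate POP for the CSR");
                }
                Extensions extensions = targetCert.getTBSCertificate().getExtensions();
                X500Name subject = targetCert.getSubject();
                SubjectPublicKeyInfo publicKeyInfo = targetCert.getSubjectPublicKeyInfo();
                Instant notBefore = instant;
                if (notBefore != null) {
                    // Never back-date: not before "now", and not before the target cert itself is valid.
                    Instant now = Instant.now();
                    if (notBefore.isBefore(now)) {
                        notBefore = now;
                    }
                    Instant targetNotBefore = targetCert.getStartDate().getDate().toInstant();
                    if (notBefore.isBefore(targetNotBefore)) {
                        notBefore = targetNotBefore;
                    }
                }
                // The cross certificate must not outlive the target certificate.
                Instant targetNotAfter = targetCert.getEndDate().getDate().toInstant();
                Instant notAfter = (instant2 == null || instant2.isAfter(targetNotAfter)) ? targetNotAfter : instant2;
                CertTemplateData template = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, profileName);
                template.setForCrossCert(true);
                try {
                    return x509Ca.generateCert(this.manager.byCaRequestor, template, null).getCert().getCert();
                } catch (OperationException e) {
                    throw new CaMgmtException(e.getMessage(), e);
                }
            } catch (XiSecurityException e) {
                // Cause preserved (it was dropped before).
                throw new CaMgmtException(e.getMessage(), e);
            }
        } catch (CaMgmtException e) {
            // Domain errors raised above pass through instead of being re-wrapped as "invalid CSR".
            throw e;
        } catch (Exception e) {
            throw new CaMgmtException("invalid CSR request. ERROR: " + e.getMessage(), e);
        }
    }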

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Lets the CA generate a key pair and a certificate for the given subject and returns both
     * in encoded form. Note that the encoded private key is handed back to the caller.
     *
     * @param str      CA name
     * @param str2     profile name (normalised to lower case)
     * @param str3     subject DN of the new certificate
     * @param instant  requested notBefore (may be null)
     * @param instant2 requested notAfter (may be null)
     * @return encoded private key and encoded certificate
     * @throws CaMgmtException when the CA is unknown, issuance fails, or encoding fails
     */
    public KeyCertBytesPair generateKeyCert(String str, String str2, String str3, Instant instant, Instant instant2) throws CaMgmtException {
        String profileName = Args.toNonBlankLower(str2, "profileName");
        Args.notBlank(str3, CaAuditConstants.NAME_subject);
        // NOTE(review): this event is built but not handed to anything visible in this method.
        AuditEvent event = new AuditEvent();
        event.setApplicationName("ca");
        event.addEventType("CAMGMT_GEN_KEYCERT");
        // NOTE(review): no assertMasterModeAndSetuped() guard here, unlike the revoke/remove
        // operations in this class — confirm that is intended.
        X509Ca ca = getX509Ca(str);
        CertTemplateData template = new CertTemplateData(new X500Name(str3), null, instant, instant2, null, profileName, BigInteger.ONE, true);
        CertificateInfo issued;
        try {
            issued = ca.generateCert(this.manager.byCaRequestor, template, null);
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
        try {
            byte[] keyBytes = issued.getPrivateKey().getEncoded();
            byte[] certBytes = issued.getCert().getCert().getEncoded();
            return new KeyCertBytesPair(keyBytes, certBytes);
        } catch (IOException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
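    /**
     * Issues a certificate for a PKCS#10 request after verifying its proof of possession. Only
     * the pkcs-9-at-extensionRequest attribute of the CSR is consulted (for requested
     * extensions); all other attributes are ignored. Which of the requested extensions are
     * honoured is decided by the profile inside the CA, not here.
     *
     * @param str      CA name
     * @param str2     profile name (normalised to lower case)
     * @param bArr     DER-encoded PKCS#10 request
     * @param instant  requested notBefore (may be null)
     * @param instant2 requested notAfter (may be null)
     * @return the issued certificate
     * @throws CaMgmtException when the CA is unknown, the request is unparsable, the POP check
     *         fails, or issuance fails
     */
    public X509Cert generateCertificate(String str, String str2, byte[] bArr, Instant instant, Instant instant2) throws CaMgmtException {
        String profileName = Args.toNonBlankLower(str2, "profileName");
        Args.notNull(bArr, "encodedCsr");
        // NOTE(review): this event is built but not handed to anything visible in this method.
        AuditEvent event = new AuditEvent();
        event.setApplicationName("ca");
        event.addEventType("CAMGMT_GEN_CERT");
        // NOTE(review): no assertMasterModeAndSetuped() guard here, unlike the revoke/remove
        // operations in this class — confirm that is intended.
        X509Ca x509Ca = getX509Ca(str);
        try {
            CertificationRequest csr = X509Util.parseCsr(bArr);
            CertificationRequestInfo csrInfo = csr.getCertificationRequestInfo();
            if (!this.manager.getSecurityFactory().verifyPop(csr, (AlgorithmValidator) null, (DHSigStaticKeyCertPair) null)) {
                throw new CaMgmtException("could not validate POP for the CSR");
            }
            Extensions requested = extractExtensionRequest(csrInfo.getAttributes());
            CertTemplateData template = new CertTemplateData(csrInfo.getSubject(), csrInfo.getSubjectPublicKeyInfo(), instant, instant2, requested, profileName);
            try {
                return x509Ca.generateCert(this.manager.byCaRequestor, template, null).getCert().getCert();
            } catch (OperationException e) {
                throw new CaMgmtException(e.getMessage(), e);
            }
        } catch (CaMgmtException e) {
            // Domain errors raised above pass through instead of being re-wrapped as "invalid CSR".
            throw e;
        } catch (Exception e) {
            // Cause preserved (it was dropped before).
            throw new CaMgmtException("invalid CSR request. ERROR: " + e.getMessage(), e);
        }
    }

    /**
     * Returns the Extensions carried by the last pkcs-9-at-extensionRequest attribute, or null
     * when there is none (a missing or empty attribute set is not an error).
     *
     * @param attributes the CSR's attribute set; may be null
     * @return requested extensions or null
     */
    private static Extensions extractExtensionRequest(ASN1Set attributes) {
        Extensions extensions = null;
        if (attributes == null) {
            return null;
        }
        for (int i = 0; i < attributes.size(); i++) {
            Attribute attribute = Attribute.getInstance(attributes.getObjectAt(i));
            if (!PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attribute.getAttrType())) {
                continue;
            }
            // An extensionRequest attribute without a value used to fail with an index error
            // (reported as "invalid CSR"); it is now simply skipped.
            if (attribute.getAttributeValues().length == 0) {
                continue;
            }
            extensions = Extensions.getInstance(attribute.getAttributeValues()[0]);
        }
        return extensions;
    }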

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Revokes one certificate of a CA by serial number.
     *
     * @param str         CA name
     * @param bigInteger  serial number; must not be null
     * @param crlReason   revocation reason
     * @param instant     invalidity time
     * @throws CaMgmtException when not in master mode/set up, the CA is unknown, the serial is
     *         not known to the CA, or the operation fails
     */
    public void revokeCertificate(String str, BigInteger bigInteger, CrlReason crlReason, Instant instant) throws CaMgmtException {
        assertMasterModeAndSetuped();
        Args.notNull(bigInteger, "serialNumber");
        X509Ca ca = getX509Ca(str);
        Object revoked;
        try {
            revoked = ca.revokeCert(this.manager.byCaRequestor, bigInteger, crlReason, instant);
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
        // A null result means the CA has no certificate with that serial number.
        if (revoked == null) {
            throw new CaMgmtException("could not revoke non-existing certificate");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Lifts the suspension (CERTIFICATE_HOLD) of one certificate of a CA by serial number.
     *
     * @param str        CA name
     * @param bigInteger serial number; must not be null
     * @throws CaMgmtException when not in master mode/set up, the CA is unknown, the serial is
     *         not known to the CA, or the operation fails
     */
    public void unsuspendCertificate(String str, BigInteger bigInteger) throws CaMgmtException {
        assertMasterModeAndSetuped();
        Args.notNull(bigInteger, "serialNumber");
        X509Ca ca = getX509Ca(str);
        Object unsuspended;
        try {
            unsuspended = ca.unsuspendCert(this.manager.byCaRequestor, bigInteger);
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
        if (unsuspended == null) {
            throw new CaMgmtException("could not unsuspend non-existing certificate");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Removes one certificate of a CA by serial number.
     *
     * @param str        CA name
     * @param bigInteger serial number; must not be null
     * @throws CaMgmtException when not in master mode/set up, the CA is unknown, the CA reports
     *         nothing removed, or the operation fails
     */
    public void removeCertificate(String str, BigInteger bigInteger) throws CaMgmtException {
        assertMasterModeAndSetuped();
        Args.notNull(bigInteger, "serialNumber");
        X509Ca ca = getX509Ca(str);
        Object removed;
        try {
            removed = ca.removeCert(this.manager.byCaRequestor, bigInteger);
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
        if (removed == null) {
            throw new CaMgmtException("could not remove certificate");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Asks the CA to generate a CRL now.
     *
     * @param str CA name
     * @return the generated CRL
     * @throws CaMgmtException when not in master mode/set up, the CA is unknown, or generation fails
     */
    public X509CRLHolder generateCrlOnDemand(String str) throws CaMgmtException {
        assertMasterModeAndSetuped();
        X509Ca ca = getX509Ca(str);
        try {
            return ca.generateCrlOnDemand(this.manager.byCaRequestor);
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the CRL with number {@code bigInteger} issued by the CA named {@code str},
     * or {@code null} if the CA has no such CRL.
     *
     * <p>Read-only operation: unlike the mutating methods in this class it performs
     * no master-mode check. Note that, unlike {@link #getCurrentCrl(String)}, the CA
     * name is passed through unnormalized; whether {@code getX509Ca} lower-cases it is
     * not visible here.
     *
     * @param str        name of the CA
     * @param bigInteger CRL number; must not be {@code null}
     * @return the CRL, or {@code null} (a warning is logged) when none exists
     * @throws CaMgmtException if the CA operation fails (the {@code OperationException}
     *                         is kept as the cause)
     */
    public X509CRLHolder getCrl(String str, BigInteger bigInteger) throws CaMgmtException {
        Args.notNull(bigInteger, "crlNumber");

        final X509CRLHolder found;
        try {
            found = getX509Ca(str).getCrl(this.manager.byCaRequestor, bigInteger);
        } catch (OperationException ex) {
            throw new CaMgmtException(ex.getMessage(), ex);
        }

        if (found == null) {
            LOG.warn("found no CRL for CA {} and crlNumber {}", str, bigInteger);
        }
        return found;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the most recent CRL of the CA named {@code str}, or {@code null} if the
     * CA has none.
     *
     * <p>Read-only operation: no master-mode check. The CA name is validated as
     * non-blank and lower-cased before the lookup (this differs from
     * {@link #getCrl(String, BigInteger)}, which passes the name through as given).
     *
     * @param str name of the CA; must not be blank
     * @return the current CRL, or {@code null} (a warning is logged) when none exists
     * @throws CaMgmtException if the CA operation fails (the {@code OperationException}
     *                         is kept as the cause)
     */
    public X509CRLHolder getCurrentCrl(String str) throws CaMgmtException {
        String caName = Args.toNonBlankLower(str, "caName");

        final X509CRLHolder latest;
        try {
            latest = getX509Ca(caName).getCurrentCrl(this.manager.byCaRequestor);
        } catch (OperationException ex) {
            throw new CaMgmtException(ex.getMessage(), ex);
        }

        if (latest == null) {
            LOG.warn("found no CRL for CA {}", caName);
        }
        return latest;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Looks up the certificate with serial number {@code bigInteger} issued by the CA
     * named {@code str}, together with its revocation information.
     *
     * <p>Read-only operation: no master-mode check. No requestor identity is passed
     * to the CA for this lookup.
     *
     * @param str        name of the issuing CA (resolved via {@code getX509Ca})
     * @param bigInteger serial number; must not be {@code null}
     * @return whatever {@code X509Ca.getCertWithRevocationInfo} returns; {@code null}
     *         is passed through unchanged
     * @throws CaMgmtException if the CA operation fails (the {@code OperationException}
     *                         is kept as the cause)
     */
    public CertWithRevocationInfo getCert(String str, BigInteger bigInteger) throws CaMgmtException {
        Args.notNull(bigInteger, "serialNumber");

        CertWithRevocationInfo info;
        try {
            info = getX509Ca(str).getCertWithRevocationInfo(bigInteger);
        } catch (OperationException ex) {
            throw new CaMgmtException(ex.getMessage(), ex);
        }
        return info;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Looks up a certificate by issuer name and serial number, together with its
     * revocation information, directly in the certificate store.
     *
     * <p>The issuer is resolved to a loaded CA by comparing {@code x500Name} against
     * each CA certificate's subject with {@link X500Name#equals(Object)}. The first
     * match wins; if several loaded CAs share a subject, which one is chosen depends
     * on the iteration order of {@code manager.caInfos}, which is not defined by this
     * method. Read-only: no master-mode check.
     *
     * @param x500Name   issuer name; must not be {@code null}
     * @param bigInteger serial number; must not be {@code null}
     * @return the store's result, or {@code null} if no loaded CA has the given subject
     * @throws CaMgmtException if the store lookup fails (the {@code OperationException}
     *                         is kept as the cause)
     */
    public CertWithRevocationInfo getCert(X500Name x500Name, BigInteger bigInteger) throws CaMgmtException {
        Args.notNull(x500Name, CaAuditConstants.NAME_issuer);
        Args.notNull(bigInteger, "serialNumber");

        NameId issuerIdent = findCaIdentBySubject(x500Name);
        if (issuerIdent == null) {
            // Unknown issuer is reported as "not found", not as an error.
            return null;
        }

        try {
            return this.manager.certstore.getCertWithRevocationInfo(
                issuerIdent.getId().intValue(), bigInteger, this.manager.idNameMap);
        } catch (OperationException ex) {
            throw new CaMgmtException(ex.getMessage(), ex);
        }
    }

    /**
     * Returns the identifier of the first loaded CA whose certificate subject equals
     * {@code subject}, or {@code null} if no loaded CA matches.
     */
    private NameId findCaIdentBySubject(X500Name subject) {
        for (String caName : this.manager.caInfos.keySet()) {
            CaInfo caInfo = this.manager.caInfos.get(caName);
            if (subject.equals(caInfo.getCert().getSubject())) {
                return caInfo.getIdent();
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Lists certificates of the CA named {@code str}, optionally filtered by subject
     * pattern and validity window, in the requested order.
     *
     * <p>Read-only: no master-mode check. The page size {@code i} is constrained to
     * the range 1..1000 before the query runs, which bounds the size of any single
     * result set a caller can request.
     *
     * @param str            name of the CA (resolved via {@code getX509Ca})
     * @param x500Name       subject filter; passed through to the CA as given
     * @param instant        start of the validity window; passed through as given
     * @param instant2       end of the validity window; passed through as given
     * @param certListOrderBy ordering of the result
     * @param i              maximum number of entries, must be within [1, 1000]
     * @return the CA's list of matching certificates
     * @throws CaMgmtException if the CA operation fails (the {@code OperationException}
     *                         is kept as the cause)
     */
    public List<CertListInfo> listCertificates(String str, X500Name x500Name, Instant instant, Instant instant2, CertListOrderBy certListOrderBy, int i) throws CaMgmtException {
        Args.range(i, "numEntries", 1, 1000);

        List<CertListInfo> entries;
        try {
            entries = getX509Ca(str).listCerts(x500Name, instant, instant2, certListOrderBy, i);
        } catch (OperationException ex) {
            throw new CaMgmtException(ex.getMessage(), ex);
        }
        return entries;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Persists {@code j} as the next CRL number of CA {@code nameId}, via
     * {@code queryExecutor.commitNextCrlNoIfLess} (the "if less" semantics live there,
     * not here).
     *
     * <p>Error mapping: any {@link RuntimeException} becomes
     * {@code ErrorCode.SYSTEM_FAILURE}; a {@link CaMgmtException} becomes
     * {@code ErrorCode.DATABASE_FAILURE} when its cause is a
     * {@link DataAccessException} and {@code SYSTEM_FAILURE} otherwise. Only the
     * message is carried over — the original exception is not attached as a cause,
     * so stack traces of the underlying failure are lost at this boundary.
     *
     * @param nameId identifier of the CA
     * @param j      CRL number to commit
     * @throws OperationException on any failure, with the error code mapped as above
     */
    public void commitNextCrlNo(NameId nameId, long j) throws OperationException {
        try {
            this.manager.queryExecutor.commitNextCrlNoIfLess(nameId, j);
        } catch (RuntimeException ex) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex.getMessage());
        } catch (CaMgmtException ex) {
            // A DataAccessException cause marks a database problem; anything else is generic.
            boolean dbFailure = ex.getCause() instanceof DataAccessException;
            throw new OperationException(
                dbFailure ? ErrorCode.DATABASE_FAILURE : ErrorCode.SYSTEM_FAILURE,
                ex.getMessage());
        }
    }

    /**
     * Delegates to the manager's master-mode check.
     *
     * @throws CaMgmtException if the manager is not running in master mode
     */
    private void assertMasterMode() throws CaMgmtException {
        manager.assertMasterMode();
    }

    /**
     * Delegates to the manager's combined master-mode and setup check. Every mutating
     * operation in this class calls this first; the read-only lookups do not.
     *
     * @throws CaMgmtException if the manager is not in master mode or is not set up
     */
    private void assertMasterModeAndSetuped() throws CaMgmtException {
        manager.assertMasterModeAndSetuped();
    }
}
