package org.xipki.ca.server;

import java.io.Closeable;
import java.io.IOException;
import java.math.BigInteger;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.ca.api.CertWithDbId;
import org.xipki.ca.api.CertificateInfo;
import org.xipki.ca.api.NameId;
import org.xipki.ca.api.mgmt.CaProfileEntry;
import org.xipki.ca.api.mgmt.CertListInfo;
import org.xipki.ca.api.mgmt.CertListOrderBy;
import org.xipki.ca.api.mgmt.CertWithRevocationInfo;
import org.xipki.ca.api.mgmt.RequestorInfo;
import org.xipki.ca.api.mgmt.entry.CaHasRequestorEntry;
import org.xipki.ca.api.mgmt.entry.RequestorEntry;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.sdk.CaAuditConstants;
import org.xipki.ca.server.db.CertStore;
import org.xipki.ca.server.mgmt.CaManagerImpl;
import org.xipki.license.api.CmLicense;
import org.xipki.security.CertRevocationInfo;
import org.xipki.security.ConcurrentBagEntrySigner;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.CrlReason;
import org.xipki.security.KeypairGenerator;
import org.xipki.security.NoIdleSignerException;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.X509Cert;
import org.xipki.security.XiSecurityException;
import org.xipki.security.ctlog.CtLog;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.ConfPairs;
import org.xipki.util.DateUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.StringUtil;
import org.xipki.util.exception.BadCertTemplateException;
import org.xipki.util.exception.ErrorCode;
import org.xipki.util.exception.OperationException;

/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/X509Ca.class */
/**
 * Runtime representation of one CA instance and the entry point for the
 * operations performed on it: certificate issuance, revocation, unsuspension,
 * removal, CRL retrieval/generation and (re)publishing.
 *
 * <p>Revocation, removal, CRL and publishing work is delegated to dedicated
 * modules; the issuance pipeline ({@code generateCerts} / {@code generateCert0})
 * lives in this class. Every public mutating operation is wrapped in an audit
 * event created via the inherited {@code newAuditEvent} / {@code finish} helpers.
 *
 * <p>This is decompiled source (see the JADX markers). Constructs such as the
 * {@code 0 == 0} / {@code 1 == 0} guards, empty {@code finally} blocks and raw
 * collection types are the decompiler's rendering of the original structure,
 * not hand-written logic, and are commented as such below.
 */
public class X509Ca extends X509CaModule implements Closeable {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) X509Ca.class);
    // Client used to obtain Signed Certificate Timestamps for CT-enabled CAs; may be null if CT is not used.
    private final CtLogClient ctlogClient;
    // Persistent certificate store (serial lookups, counts, publishing target).
    private final CertStore certstore;
    // Id <-> name mapping for CAs, profiles and requestors.
    private final CaIdNameMap caIdNameMap;
    private final CaManagerImpl caManager;
    private final X509PublisherModule publisherModule;
    private final X509CrlModule crlModule;
    // Turns a CertTemplateData plus a profile into a GrantedCertTemplate.
    private final GrandCertTemplateBuilder grandCertTemplateBuilder;
    private final X509RevokerModule revokerModule;
    private final X509RemoverModule removerModule;
    // If false, issued certificates are neither persisted nor published (see the constructor warning).
    private final boolean saveCert;
    // If true, server-generated private keys are stored together with the certificate.
    private final boolean saveKeypair;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/X509Ca$GrantedCertTemplate.class */
    /**
     * The values the CA has granted for one certificate request after the
     * profile has been applied: validity window, subject, public key, optional
     * server-generated private key, extensions and the signer to use.
     *
     * <p>{@link #setGrantedSubject} must be called before {@link #audit}, which
     * dereferences the granted subject.
     */
    public static class GrantedCertTemplate {
        // Request id within a batch; used as the audit-data prefix when batch is true.
        private final BigInteger certId;
        // True when this template is one of several in a batch request.
        private final boolean batch;
        private final ConcurrentContentSigner signer;
        private final Extensions extensions;
        private final IdentifiedCertprofile certprofile;
        private final Instant grantedNotBefore;
        private final Instant grantedNotAfter;
        // Subject as requested; may differ from the granted subject after profile processing.
        private final X500Name requestedSubject;
        private final SubjectPublicKeyInfo grantedPublicKey;
        // Non-null only for server-side key generation.
        private final PrivateKeyInfo privateKey;
        // Optional warning to be attached to the issued CertificateInfo.
        private final String warning;
        private X500Name grantedSubject;
        private String grantedSubjectText;

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * Creates a granted template.
         *
         * @param z                       whether the request is part of a batch
         * @param bigInteger              request id within the batch; {@code null} is stored as {@code BigInteger.ZERO}
         * @param extensions              requested extensions
         * @param identifiedCertprofile   the profile the request was granted under
         * @param instant                 granted notBefore
         * @param instant2                granted notAfter
         * @param x500Name                requested subject
         * @param subjectPublicKeyInfo    granted public key
         * @param privateKeyInfo          server-generated private key, or {@code null}
         * @param concurrentContentSigner signer to issue the certificate with
         * @param str                     warning message, or {@code null}
         */
        public GrantedCertTemplate(boolean z, BigInteger bigInteger, Extensions extensions, IdentifiedCertprofile identifiedCertprofile, Instant instant, Instant instant2, X500Name x500Name, SubjectPublicKeyInfo subjectPublicKeyInfo, PrivateKeyInfo privateKeyInfo, ConcurrentContentSigner concurrentContentSigner, String str) {
            this.batch = z;
            this.certId = bigInteger == null ? BigInteger.ZERO : bigInteger;
            this.extensions = extensions;
            this.certprofile = identifiedCertprofile;
            this.grantedNotBefore = instant;
            this.grantedNotAfter = instant2;
            this.requestedSubject = x500Name;
            this.grantedPublicKey = subjectPublicKeyInfo;
            this.privateKey = privateKeyInfo;
            this.signer = concurrentContentSigner;
            this.warning = str;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * Sets the subject the CA will actually put into the certificate and
         * caches its textual form for logging.
         *
         * @param x500Name the granted subject
         */
        public void setGrantedSubject(X500Name x500Name) {
            this.grantedSubject = x500Name;
            this.grantedSubjectText = X509Util.x500NameText(x500Name);
        }

        /**
         * Prefix for audit-data keys: {@code "<certId>."} in batch mode so that
         * entries of different requests stay distinguishable, otherwise empty.
         */
        String auditPrefix() {
            return this.batch ? this.certId + "." : "";
        }

        /**
         * Records subject, profile and validity of this template in the audit
         * event. The requested subject is only recorded when it differs from
         * the granted one.
         *
         * @param auditEvent event to add the data to
         */
        void audit(AuditEvent auditEvent) {
            String auditPrefix = auditPrefix();
            if (!this.grantedSubject.equals(this.requestedSubject)) {
                auditEvent.addEventData(auditPrefix + "req_subject", "\"" + X509Util.x500NameText(this.requestedSubject) + "\"");
            }
            auditEvent.addEventData(auditPrefix + "subject", "\"" + X509Util.x500NameText(this.grantedSubject) + "\"");
            auditEvent.addEventData(auditPrefix + "certprofile", this.certprofile.getIdent().getName());
            auditEvent.addEventData(auditPrefix + "not_before", DateUtil.toUtcTimeyyyyMMddhhmmss(this.grantedNotBefore));
            auditEvent.addEventData(auditPrefix + "not_after", DateUtil.toUtcTimeyyyyMMddhhmmss(this.grantedNotAfter));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/X509Ca$OperationExceptionWithIndex.class */
    /**
     * An {@link OperationException} tagged with the index of the request
     * (within a batch) that failed.
     *
     * <p>Only the error code and message of the wrapped exception are copied;
     * the wrapped exception itself is not kept as cause, so its stack trace is
     * lost at this point.
     */
    public static class OperationExceptionWithIndex extends OperationException {
        private final int index;

        /**
         * @param i                  index of the failing request in the batch
         * @param operationException the failure to re-tag
         */
        public OperationExceptionWithIndex(int i, OperationException operationException) {
            super(operationException.getErrorCode(), operationException.getErrorMessage());
            this.index = i;
        }

        /** @return index of the failing request in the batch */
        public int getIndex() {
            return this.index;
        }
    }

    /**
     * Creates the CA instance, initialising its signer (when the CA requires
     * one) and the publisher, CRL, revoker and remover modules.
     *
     * <p>Note that {@code caManagerImpl} is dereferenced for the security
     * factory before the {@code Args.notNull} check on it runs.
     *
     * @param caManagerImpl the owning CA manager
     * @param caInfo        static configuration of this CA
     * @param certStore     certificate store
     * @param ctLogClient   CT log client, may be {@code null}
     * @throws OperationException with {@code SYSTEM_FAILURE} if the signer cannot be created
     */
    public X509Ca(CaManagerImpl caManagerImpl, CaInfo caInfo, CertStore certStore, CtLogClient ctLogClient) throws OperationException {
        super(caInfo);
        if (caInfo.isSignerRequired()) {
            try {
                caInfo.initSigner(caManagerImpl.getSecurityFactory());
            } catch (XiSecurityException e) {
                LogUtil.error(LOG, e, "security.createSigner caSigner for CA " + this.caIdent);
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, e);
            }
        }
        this.caManager = (CaManagerImpl) Args.notNull(caManagerImpl, "caManager");
        this.caIdNameMap = caManagerImpl.idNameMap();
        this.ctlogClient = ctLogClient;
        this.certstore = (CertStore) Args.notNull(certStore, "certstore");
        this.publisherModule = new X509PublisherModule(caManagerImpl, caInfo, certStore);
        this.crlModule = new X509CrlModule(caManagerImpl, caInfo, certStore, this.publisherModule);
        this.grandCertTemplateBuilder = new GrandCertTemplateBuilder(caInfo);
        this.revokerModule = new X509RevokerModule(caManagerImpl, caInfo, certStore, this.publisherModule);
        this.removerModule = new X509RemoverModule(caManagerImpl, caInfo, certStore, this.publisherModule);
        this.saveKeypair = caInfo.isSaveKeypair();
        this.saveCert = caInfo.isSaveCert();
        if (this.saveCert) {
            return;
        }
        // Operationally significant: without persistence there is no record of what this CA issued.
        LOG.warn("CA {}: Certificates will not be saved in the database and will not be published!", caInfo.getIdent().getName());
    }

    /** @return id and name of this CA (inherited field) */
    public NameId getCaIdent() {
        return this.caIdent;
    }

    /** @return static configuration of this CA (inherited field) */
    public CaInfo getCaInfo() {
        return this.caInfo;
    }

    /** @return the CA certificate (inherited field) */
    public X509Cert getCaCert() {
        return this.caCert;
    }

    /** @return DER-encoded CA certificate chain (inherited field) */
    public List<byte[]> getEncodedCaCertChain() {
        return this.encodedCaCertChain;
    }

    /**
     * Looks up a certificate issued by this CA by serial number.
     *
     * @param bigInteger serial number
     * @return the certificate, or {@code null} if the store has no entry for it
     * @throws OperationException on store errors
     */
    public X509Cert getCert(BigInteger bigInteger) throws OperationException {
        CertificateInfo certInfo = this.certstore.getCertInfo(this.caIdent, this.caCert, bigInteger, this.caIdNameMap);
        if (certInfo == null) {
            return null;
        }
        return certInfo.getCert().getCert();
    }

    /**
     * Looks up a certificate by subject and transaction id; delegates to the store.
     *
     * @param x500Name subject
     * @param str      transaction id
     */
    public X509Cert getCert(X500Name x500Name, String str) throws OperationException {
        return this.certstore.getCert(x500Name, str);
    }

    /**
     * Returns the certificate with the given serial together with its
     * revocation status, scoped to this CA's id.
     */
    public CertWithRevocationInfo getCertWithRevocationInfo(BigInteger bigInteger) throws OperationException {
        return this.certstore.getCertWithRevocationInfo(this.caIdent.getId().intValue(), bigInteger, this.caIdNameMap);
    }

    /**
     * Returns the certificate matching subject and subject-key identifier
     * together with its revocation status, scoped to this CA's id.
     *
     * @param x500Name subject
     * @param bArr     subject key identifier (assumed from the name — TODO confirm against CertStore)
     */
    public CertWithRevocationInfo getCertWithRevocationInfoBySubject(X500Name x500Name, byte[] bArr) throws OperationException {
        return this.certstore.getCertWithRevocationInfoBySubject(this.caIdent.getId().intValue(), x500Name, bArr, this.caIdNameMap);
    }

    /**
     * Lists certificates of this CA filtered by subject pattern and validity
     * window.
     *
     * @param x500Name        subject pattern
     * @param instant         validFrom bound
     * @param instant2        validTo bound
     * @param certListOrderBy ordering
     * @param i               maximum number of entries
     */
    public List<CertListInfo> listCerts(X500Name x500Name, Instant instant, Instant instant2, CertListOrderBy certListOrderBy, int i) throws OperationException {
        return this.certstore.listCerts(this.caIdent, x500Name, instant, instant2, certListOrderBy, i);
    }

    /** Returns the current CRL (CRL number {@code null} means "latest"). */
    public X509CRLHolder getCurrentCrl(RequestorInfo requestorInfo) throws OperationException {
        return getCrl(requestorInfo, null);
    }

    /**
     * Returns the CRL with the given CRL number, or the current one when
     * {@code bigInteger} is {@code null}; delegates to the CRL module.
     */
    public X509CRLHolder getCrl(RequestorInfo requestorInfo, BigInteger bigInteger) throws OperationException {
        return this.crlModule.getCrl(requestorInfo, bigInteger);
    }

    /** Generates a new CRL immediately; delegates to the CRL module. */
    public X509CRLHolder generateCrlOnDemand(RequestorInfo requestorInfo) throws OperationException {
        return this.crlModule.generateCrlOnDemand(requestorInfo);
    }

    /**
     * Re-publishes certificates to the named publishers; delegates to the
     * publisher module.
     *
     * @param list publisher names
     * @param i    number of threads (assumed from the call shape — TODO confirm)
     */
    public boolean republishCerts(List<String> list, int i) {
        return this.publisherModule.republishCerts(list, i);
    }

    /**
     * Revokes (or, for reason {@code CERTIFICATE_HOLD}, suspends) a certificate
     * and records the operation in a new audit event.
     *
     * @param requestorInfo requestor performing the operation
     * @param bigInteger    serial number of the certificate
     * @param crlReason     revocation reason
     * @param instant       invalidity time
     * @return the revoked certificate with its revocation info
     * @throws OperationException propagated from the revoker module; the audit
     *         event is finished with failure status first
     */
    public CertWithRevocationInfo revokeCert(RequestorInfo requestorInfo, BigInteger bigInteger, CrlReason crlReason, Instant instant) throws OperationException {
        // The audit type distinguishes suspension from permanent revocation.
        AuditEvent newAuditEvent = newAuditEvent(crlReason == CrlReason.CERTIFICATE_HOLD ? CaAuditConstants.TYPE_suspend_cert : "revoke_cert", requestorInfo);
        try {
            CertWithRevocationInfo revokeCert = this.revokerModule.revokeCert(bigInteger, crlReason, instant, newAuditEvent);
            finish(newAuditEvent, true);
            return revokeCert;
        } catch (OperationException e) {
            // Indexed exceptions already carry a per-request "message" entry.
            if (!(e instanceof OperationExceptionWithIndex)) {
                newAuditEvent.addEventData("message", e.getErrorMessage());
            }
            finish(newAuditEvent, false);
            throw e;
        }
    }

    /**
     * Lifts a suspension (CERTIFICATE_HOLD) from a certificate and records the
     * operation in a new audit event.
     *
     * @param requestorInfo requestor performing the operation
     * @param bigInteger    serial number of the certificate
     */
    public CertWithDbId unsuspendCert(RequestorInfo requestorInfo, BigInteger bigInteger) throws OperationException {
        AuditEvent newAuditEvent = newAuditEvent("unsuspend_cert", requestorInfo);
        try {
            CertWithDbId unsuspendCert = this.revokerModule.unsuspendCert(bigInteger, newAuditEvent);
            finish(newAuditEvent, true);
            return unsuspendCert;
        } catch (OperationException e) {
            if (!(e instanceof OperationExceptionWithIndex)) {
                newAuditEvent.addEventData("message", e.getErrorMessage());
            }
            finish(newAuditEvent, false);
            throw e;
        }
    }

    /**
     * Removes a certificate from the store and records the operation in a new
     * audit event. Also used by {@code generateCerts} to roll back a partially
     * issued batch.
     *
     * @param requestorInfo requestor performing the operation
     * @param bigInteger    serial number of the certificate
     */
    public CertWithDbId removeCert(RequestorInfo requestorInfo, BigInteger bigInteger) throws OperationException {
        AuditEvent newAuditEvent = newAuditEvent("remove_cert", requestorInfo);
        try {
            CertWithDbId removeCert = this.removerModule.removeCert(bigInteger, newAuditEvent);
            finish(newAuditEvent, true);
            return removeCert;
        } catch (OperationException e) {
            if (!(e instanceof OperationExceptionWithIndex)) {
                newAuditEvent.addEventData("message", e.getErrorMessage());
            }
            finish(newAuditEvent, false);
            throw e;
        }
    }

    /** Revokes the CA itself; delegates to the revoker module. */
    public void revokeCa(RequestorInfo requestorInfo, CertRevocationInfo certRevocationInfo) throws OperationException {
        this.revokerModule.revokeCa(requestorInfo, certRevocationInfo);
    }

    /** Un-revokes the CA itself; delegates to the revoker module. */
    public void unrevokeCa(RequestorInfo requestorInfo) throws OperationException {
        this.revokerModule.unrevokeCa(requestorInfo);
    }

    /**
     * Issues certificates for a batch of templates under one audit event.
     *
     * @param requestorInfo requestor performing the operation
     * @param list          templates; must be non-empty
     * @param str           transaction id
     * @return one {@link CertificateInfo} per template, in order
     * @throws OperationException an {@link OperationExceptionWithIndex} naming
     *         the failing template; all certificates issued before the failure
     *         have been removed again
     */
    public List<CertificateInfo> generateCerts(RequestorInfo requestorInfo, List<CertTemplateData> list, String str) throws OperationException {
        AuditEvent newAuditEvent = newAuditEvent(CaAuditConstants.TYPE_gen_cert, requestorInfo);
        try {
            List<CertificateInfo> generateCerts = generateCerts(requestorInfo, list, str, newAuditEvent);
            finish(newAuditEvent, true);
            return generateCerts;
        } catch (OperationExceptionWithIndex e) {
            finish(newAuditEvent, false);
            throw e;
        }
    }

    /**
     * Batch issuance pipeline:
     * <ol>
     *   <li>license validity check;</li>
     *   <li>if any template asks for server-side key generation, collect the
     *       CA's configured keypair generators;</li>
     *   <li>resolve the profile of every template and build its
     *       {@link GrantedCertTemplate} (all templates are validated before any
     *       certificate is signed);</li>
     *   <li>issue the certificates one by one, applying the per-CA and
     *       per-count license limits before each;</li>
     *   <li>on the first failure, remove every certificate issued so far and
     *       rethrow the indexed exception.</li>
     * </ol>
     *
     * <p>Decompiler caveat: in the original, the whole body of the issuance loop
     * was presumably inside the {@code try} that is rendered here as only
     * wrapping the {@code getSubjectText()} call — as printed, {@code subjectText}
     * may be unassigned on the catch paths and the plain {@code OperationException}
     * throws would not match the declared {@code throws} clause. Read the loop as
     * "any failure of this iteration is recorded as an indexed exception".
     *
     * @param requestorInfo requestor performing the operation
     * @param list          templates; must be non-empty
     * @param str           transaction id
     * @param auditEvent    audit event shared by the batch
     * @return one {@link CertificateInfo} per template, in order
     * @throws OperationExceptionWithIndex naming the failing template
     */
    private List<CertificateInfo> generateCerts(RequestorInfo requestorInfo, List<CertTemplateData> list, String str, AuditEvent auditEvent) throws OperationExceptionWithIndex {
        String subjectText;
        Args.notEmpty((List) list, "certTemplates");
        CmLicense license = this.caManager.getLicense();
        if (!license.isValid()) {
            LOG.error("License not valid yet or expired, need new license");
            throw new OperationExceptionWithIndex(0, new OperationException(ErrorCode.SYSTEM_FAILURE, "License not valid yet or expired"));
        }
        int size = list.size();
        ArrayList arrayList = new ArrayList(size);
        ArrayList arrayList2 = null;
        boolean z = false;
        // z: does at least one template request server-side key generation?
        Iterator<CertTemplateData> it = list.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (it.next().isServerkeygen()) {
                z = true;
                break;
            }
        }
        if (z) {
            // arrayList2: the keypair generators configured for this CA that the manager can resolve.
            List<String> keypairGenNames = this.caInfo.getKeypairGenNames();
            if (CollectionUtil.isNotEmpty(keypairGenNames)) {
                arrayList2 = new ArrayList(keypairGenNames.size());
                Iterator<String> it2 = keypairGenNames.iterator();
                while (it2.hasNext()) {
                    KeypairGenerator keypairGenerator = this.caManager.getKeypairGenerator(it2.next());
                    if (keypairGenerator != null) {
                        arrayList2.add(keypairGenerator);
                    }
                }
            }
        }
        // z2: batch mode, which switches on per-request audit prefixes.
        boolean z2 = size > 1;
        for (int i = 0; i < size; i++) {
            CertTemplateData certTemplateData = list.get(i);
            try {
                // Only profiles assigned to this CA are resolvable (see getX509Certprofile).
                IdentifiedCertprofile x509Certprofile = getX509Certprofile(certTemplateData.getCertprofileName());
                if (x509Certprofile == null) {
                    throw new OperationException(ErrorCode.UNKNOWN_CERT_PROFILE, "unknown cert profile " + certTemplateData.getCertprofileName());
                }
                GrantedCertTemplate create = this.grandCertTemplateBuilder.create(z2, x509Certprofile, certTemplateData, arrayList2);
                create.audit(auditEvent);
                arrayList.add(create);
            } catch (OperationException e) {
                LOG.error("     FAILED createGrantedCertTemplate: CA={}, profile={}, subject='{}'", this.caIdent.getName(), certTemplateData.getCertprofileName(), certTemplateData.getSubject());
                auditEvent.addEventData((z2 ? certTemplateData.getCertReqId() + "." : "") + "message", e.getMessage());
                throw new OperationExceptionWithIndex(i, e);
            }
        }
        ArrayList arrayList3 = new ArrayList(size);
        OperationExceptionWithIndex operationExceptionWithIndex = null;
        // Stop at the first failure; the partial result is rolled back below.
        for (int i2 = 0; i2 < size && operationExceptionWithIndex == null; i2++) {
            GrantedCertTemplate grantedCertTemplate = (GrantedCertTemplate) arrayList.get(i2);
            NameId ident = grantedCertTemplate.certprofile.getIdent();
            String str2 = grantedCertTemplate.grantedSubjectText;
            LOG.info("     START generateCertificate: CA={}, profile={}, subject='{}'", this.caIdent.getName(), ident.getName(), str2);
            try {
                try {
                    subjectText = this.caInfo.getCert().getSubjectText();
                } catch (Throwable th) {
                    // decompiler artifact: "0 == 0" is always true; presumably a "successful" flag in the original
                    if (0 == 0) {
                        LOG.error("    FAILED generateCertificate: CA={}, profile={}, subject='{}'", this.caIdent.getName(), ident.getName(), str2);
                    }
                    throw th;
                }
            } catch (OperationException e2) {
                operationExceptionWithIndex = new OperationExceptionWithIndex(i2, e2);
                if (0 == 0) {
                    LOG.error("    FAILED generateCertificate: CA={}, profile={}, subject='{}'", this.caIdent.getName(), ident.getName(), str2);
                }
            } catch (Throwable th2) {
                // Anything that is not an OperationException is reported as SYSTEM_FAILURE.
                operationExceptionWithIndex = new OperationExceptionWithIndex(i2, new OperationException(ErrorCode.SYSTEM_FAILURE, th2));
                if (0 == 0) {
                    LOG.error("    FAILED generateCertificate: CA={}, profile={}, subject='{}'", this.caIdent.getName(), ident.getName(), str2);
                }
            }
            // License gate 1: the license must cover this CA (by subject) unless it covers all CAs.
            if (!license.grantAllCAs() && !license.grant(subjectText)) {
                LOG.error("Not granted for CA {}, need new license", subjectText);
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "new license needed");
            }
            // License gate 2: total-certificate quota; a negative maximum means unlimited.
            long maxNumberOfCerts = license.getMaxNumberOfCerts();
            if (maxNumberOfCerts >= 0) {
                long countOfCerts = this.certstore.getCountOfCerts(0L);
                if (countOfCerts >= maxNumberOfCerts) {
                    LOG.error("Maximal {} certificates is allowed, {} already issued, need new license", Long.valueOf(maxNumberOfCerts), Long.valueOf(countOfCerts));
                    throw new OperationException(ErrorCode.SYSTEM_FAILURE, "new license needed");
                }
            }
            // License gate 3: rate limiting (semantics live in CmLicense).
            license.regulateSpeed();
            CertificateInfo generateCert = generateCert(requestorInfo, i2, grantedCertTemplate, str, auditEvent);
            arrayList3.add(generateCert);
            if (LOG.isInfoEnabled()) {
                String str3 = generateCert.isAlreadyIssued() ? "RETURN_OLD_CERT" : "SUCCESSFUL";
                CertWithDbId cert = generateCert.getCert();
                LOG.info("{} generateCertificate: CA={}, profile={}, subject='{}', serialNumber={}", str3, this.caIdent.getName(), ident.getName(), cert.getCert().getSubjectText(), cert.getCert().getSerialNumberHex());
            }
            // decompiler artifact: unreachable (the "not successful" branch on the success path)
            if (1 == 0) {
                LOG.error("    FAILED generateCertificate: CA={}, profile={}, subject='{}'", this.caIdent.getName(), ident.getName(), str2);
            }
        }
        if (operationExceptionWithIndex == null) {
            return arrayList3;
        }
        // Roll back: remove every certificate already issued in this batch. Each removal
        // goes through the public removeCert and therefore produces its own "remove_cert"
        // audit event; a failed removal is logged but does not stop the rollback.
        LOG.error("could not generate certificate for request[{}], reverted all generated certificates", Integer.valueOf(operationExceptionWithIndex.getIndex()));
        Iterator it3 = arrayList3.iterator();
        while (it3.hasNext()) {
            BigInteger serialNumber = ((CertificateInfo) it3.next()).getCert().getCert().getSerialNumber();
            try {
                removeCert(requestorInfo, serialNumber);
            } catch (Throwable th3) {
                LogUtil.error(LOG, th3, "could not delete certificate serial=" + serialNumber);
            }
        }
        LogUtil.warn(LOG, operationExceptionWithIndex);
        throw operationExceptionWithIndex;
    }

    /**
     * Issues a single certificate under its own audit event (a batch of one).
     *
     * @param requestorInfo    requestor performing the operation
     * @param certTemplateData template; must not be {@code null}
     * @param str              transaction id
     * @return the issued certificate
     * @throws OperationException on any failure; the audit event is finished
     *         with failure status first
     */
    public CertificateInfo generateCert(RequestorInfo requestorInfo, CertTemplateData certTemplateData, String str) throws OperationException {
        Args.notNull(certTemplateData, "certTemplate");
        AuditEvent newAuditEvent = newAuditEvent(CaAuditConstants.TYPE_gen_cert, requestorInfo);
        try {
            CertificateInfo certificateInfo = generateCerts(requestorInfo, Collections.singletonList(certTemplateData), str, newAuditEvent).get(0);
            finish(newAuditEvent, true);
            return certificateInfo;
        } catch (OperationException e) {
            if (!(e instanceof OperationExceptionWithIndex)) {
                newAuditEvent.addEventData("message", e.getErrorMessage());
            }
            finish(newAuditEvent, false);
            throw e;
        }
    }

    /**
     * Issues one certificate of a batch, translating any failure into an
     * {@link OperationExceptionWithIndex} for position {@code i} and recording
     * the outcome (status and, on failure, the message under the template's
     * audit prefix) in the shared audit event.
     *
     * @param requestorInfo       requestor performing the operation
     * @param i                   position of the template in the batch
     * @param grantedCertTemplate the granted template to issue
     * @param str                 transaction id
     * @param auditEvent          audit event shared by the batch
     */
    private CertificateInfo generateCert(RequestorInfo requestorInfo, int i, GrantedCertTemplate grantedCertTemplate, String str, AuditEvent auditEvent) throws OperationExceptionWithIndex {
        try {
            CertificateInfo generateCert0 = generateCert0(requestorInfo, grantedCertTemplate, str, auditEvent);
            setEventStatus(auditEvent, generateCert0 != null);
            return generateCert0;
        } catch (OperationException e) {
            auditEvent.addEventData(grantedCertTemplate.auditPrefix() + "message", e.getMessage());
            setEventStatus(auditEvent, false);
            if (e instanceof OperationExceptionWithIndex) {
                throw ((OperationExceptionWithIndex) e);
            }
            throw new OperationExceptionWithIndex(i, e);
        }
    }

    /**
     * Core issuance for one granted template:
     * <ol>
     *   <li>reject the request if the profile requires the SCT extension but CT
     *       logging is not enabled for this CA;</li>
     *   <li>choose a serial number (CA counter or profile-generated) that is not
     *       already present in the store;</li>
     *   <li>build the TBS certificate and add the profile's extensions;</li>
     *   <li>if CT is enabled and the profile controls the SCT extension: sign a
     *       precertificate carrying the poison extension, obtain SCTs from the
     *       logs, drop the poison and embed the SCT list;</li>
     *   <li>sign the final certificate, enforce the profile's maximum DER size,
     *       and verify the signature with the CA key before anything is stored;</li>
     *   <li>persist/publish it (when {@code saveCert}) and return the
     *       {@link CertificateInfo}.</li>
     * </ol>
     *
     * @param requestorInfo       requestor performing the operation
     * @param grantedCertTemplate the granted template; must not be {@code null}
     * @param str                 transaction id
     * @param auditEvent          audit event to record the serial in
     * @return the issued certificate
     * @throws OperationException {@code BAD_CERT_TEMPLATE} for profile/template
     *         problems, {@code NOT_PERMITTED} when the size limit is exceeded,
     *         {@code SYSTEM_FAILURE} for signer, CT, verification, storage and
     *         any unexpected error
     */
    private CertificateInfo generateCert0(RequestorInfo requestorInfo, GrantedCertTemplate grantedCertTemplate, String str, AuditEvent auditEvent) throws OperationException {
        ConcurrentBagEntrySigner borrowSigner;
        int length;
        Args.notNull(grantedCertTemplate, "gct");
        IdentifiedCertprofile identifiedCertprofile = grantedCertTemplate.certprofile;
        // Control for the SCT (CT) extension in the profile, if any.
        Certprofile.ExtensionControl extensionControl = identifiedCertprofile.getExtensionControls().get(ObjectIdentifiers.Extn.id_SCTs);
        // z: is CT logging enabled for this CA?
        boolean z = this.caInfo.getCtlogControl() != null && this.caInfo.getCtlogControl().isEnabled();
        if (!z && extensionControl != null && extensionControl.isRequired()) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "extension " + ObjectIdentifiers.getName(ObjectIdentifiers.Extn.id_SCTs) + " is required but CTLog of the CA is not activated");
        }
        String auditPrefix = grantedCertTemplate.auditPrefix();
        String serialNumberMode = identifiedCertprofile.getSerialNumberMode();
        BigInteger bigInteger = null;
        // Serial-number selection: repeat until the store reports no certificate
        // with this serial for this CA (getCertId != 0 means the serial is taken).
        do {
            if (StringUtil.isBlank(serialNumberMode) || "CA".equalsIgnoreCase(serialNumberMode)) {
                bigInteger = this.caInfo.nextSerial();
                // Serials longer than 12 bytes leave the loop without the store
                // collision check (break skips the while condition).
                if (this.caInfo.getCaEntry().getSerialNoLen() > 12) {
                    break;
                }
            } else {
                if (!"PROFILE".equalsIgnoreCase(serialNumberMode)) {
                    throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "unknown SerialNumberMode '" + serialNumberMode + "'");
                }
                try {
                    // bigInteger2: serial produced by the previous iteration (null on the first).
                    // If the profile yields the same value again it cannot be made unique, so
                    // fail instead of looping forever.
                    BigInteger bigInteger2 = bigInteger;
                    ConfPairs extraControl = this.caInfo.getExtraControl();
                    bigInteger = identifiedCertprofile.generateSerialNumber(this.caInfo.getCert().getSubject(), this.caInfo.getCert().getSubjectPublicKeyInfo(), grantedCertTemplate.requestedSubject, grantedCertTemplate.grantedPublicKey, extraControl == null ? null : extraControl.unmodifiable());
                    if (bigInteger.equals(bigInteger2)) {
                        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "serialNumber generated by the profile " + identifiedCertprofile.getIdent().getName() + " has been used before.");
                    }
                } catch (CertprofileException e) {
                    LogUtil.error(LOG, e, "error generateSerialNumber");
                    throw new OperationException(ErrorCode.SYSTEM_FAILURE, "error generateSerialNumber");
                }
            }
        } while (this.certstore.getCertId(this.caIdent, bigInteger) != 0);
        auditEvent.addEventData(auditPrefix + "serial", LogUtil.formatCsn(bigInteger));
        // Issuer is taken from the CA's own public info, never from the request.
        X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(this.caInfo.getPublicCaInfo().getSubject(), bigInteger, Date.from(grantedCertTemplate.grantedNotBefore), Date.from(grantedCertTemplate.grantedNotAfter), grantedCertTemplate.grantedSubject, grantedCertTemplate.grantedPublicKey);
        try {
            SignerEntryWrapper crlSigner = this.crlModule.getCrlSigner();
            // The profile computes the final extension set from request, granted values and CA info.
            CaUtil.addExtensions(identifiedCertprofile.getExtensions(grantedCertTemplate.requestedSubject, grantedCertTemplate.grantedSubject, grantedCertTemplate.extensions, grantedCertTemplate.grantedPublicKey, this.caInfo.getPublicCaInfo(), crlSigner == null ? null : crlSigner.getSigner().getCertificate(), grantedCertTemplate.grantedNotBefore, grantedCertTemplate.grantedNotAfter), x509v3CertificateBuilder);
            if (z && extensionControl != null) {
                // CT precertificate flow: poison extension in, sign, fetch SCTs, poison out, SCTs in.
                x509v3CertificateBuilder.addExtension(ObjectIdentifiers.Extn.id_precertificate, true, DERNull.INSTANCE);
                try {
                    borrowSigner = grantedCertTemplate.signer.borrowSigner();
                    try {
                        X509CertificateHolder build = x509v3CertificateBuilder.build(borrowSigner.value());
                        grantedCertTemplate.signer.requiteSigner(borrowSigner);
                        CtLogPublicKeyFinder ctLogPublicKeyFinder = this.caManager.getCtLogPublicKeyFinder();
                        if (ctLogPublicKeyFinder == null) {
                            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "ctLog not configured for CA " + this.caInfo.getIdent().getName());
                        }
                        CtLog.SignedCertificateTimestampList ctLogScts = this.ctlogClient.getCtLogScts(build, this.caCert, this.caInfo.getCertchain(), ctLogPublicKeyFinder);
                        x509v3CertificateBuilder.removeExtension(ObjectIdentifiers.Extn.id_precertificate);
                        try {
                            // SCT list is wrapped in an OCTET STRING twice, as the code below shows.
                            x509v3CertificateBuilder.addExtension(new Extension(ObjectIdentifiers.Extn.id_SCTs, extensionControl.isCritical(), new DEROctetString(new DEROctetString(ctLogScts.getEncoded()).getEncoded())));
                        } catch (IOException e2) {
                            throw new CertIOException("could not encode SCT extension", e2);
                        }
                    } finally {
                        // NOTE(review): decompiled finally is empty; requiteSigner is called in the try
                        // body, so on an exception from build() the borrowed signer is not returned here —
                        // confirm against the original source.
                    }
                } catch (NoIdleSignerException e3) {
                    throw new OperationException(ErrorCode.SYSTEM_FAILURE, e3);
                }
            }
            try {
                borrowSigner = grantedCertTemplate.signer.borrowSigner();
                try {
                    X509CertificateHolder build2 = x509v3CertificateBuilder.build(borrowSigner.value());
                    grantedCertTemplate.signer.requiteSigner(borrowSigner);
                    byte[] encoded = build2.getEncoded();
                    // Profile-level DER size limit; 0 or negative disables the check.
                    int maxCertSize = grantedCertTemplate.certprofile.getMaxCertSize();
                    if (maxCertSize > 0 && (length = encoded.length) > maxCertSize) {
                        throw new OperationException(ErrorCode.NOT_PERMITTED, String.format("certificate exceeds the maximal allowed size: %d > %d", Integer.valueOf(length), Integer.valueOf(maxCertSize)));
                    }
                    X509Cert x509Cert = new X509Cert(build2, encoded);
                    // Verify the fresh signature against the CA key (verifySignature is not defined in
                    // this class) so that a faulty signer never yields a stored or published certificate.
                    if (!verifySignature(x509Cert)) {
                        throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not verify the signature of generated certificate");
                    }
                    CertificateInfo certificateInfo = new CertificateInfo(new CertWithDbId(x509Cert), grantedCertTemplate.privateKey, this.caIdent, this.caCert, grantedCertTemplate.certprofile.getIdent(), requestorInfo.getIdent());
                    certificateInfo.setTransactionId(str);
                    certificateInfo.setRequestedSubject(grantedCertTemplate.requestedSubject);
                    // publishCert returning 1 is treated as "could not save".
                    if (this.saveCert && this.publisherModule.publishCert(certificateInfo, this.saveKeypair) == 1) {
                        throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not save certificate");
                    }
                    if (grantedCertTemplate.warning != null) {
                        certificateInfo.setWarningMessage(grantedCertTemplate.warning);
                    }
                    return certificateInfo;
                } finally {
                    // NOTE(review): empty in the decompiled output; see the note on the precertificate block.
                }
            } catch (NoIdleSignerException e4) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, e4);
            }
        } catch (BadCertTemplateException e5) {
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, e5);
        } catch (OperationException e6) {
            throw e6;
        } catch (Throwable th) {
            // Includes the CertIOException from the SCT block and any builder/encoding error.
            LogUtil.error(LOG, th, "could not generate certificate");
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, th);
        }
    }

    /**
     * Resolves a certificate profile by name or alias, but only among the
     * profiles assigned to this CA — a request cannot reach a profile that
     * belongs to another CA.
     *
     * @param str profile name or alias; {@code null} yields {@code null}
     * @return the profile, or {@code null} if none is assigned to this CA under
     *         that name
     */
    public IdentifiedCertprofile getX509Certprofile(String str) {
        if (str == null) {
            return null;
        }
        CaProfileEntry caProfileEntry = null;
        Iterator<CaProfileEntry> it = this.caManager.getCertprofilesForCa(this.caIdent.getName()).iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            CaProfileEntry next = it.next();
            if (next.containsNameOrAlias(str)) {
                caProfileEntry = next;
                break;
            }
        }
        if (caProfileEntry == null) {
            return null;
        }
        return this.caManager.getIdentifiedCertprofile(caProfileEntry.getProfileName());
    }

    /**
     * Identifies the requestor that authenticated with the given certificate.
     * Only requestors of type {@code CERT} that are assigned to this CA are
     * considered, and the match is on full certificate equality, not just the
     * subject.
     *
     * @param x509Cert the presented certificate
     * @return the matching requestor, or {@code null} if none
     */
    public RequestorInfo.CertRequestorInfo getRequestor(X509Cert x509Cert) {
        Set<CaHasRequestorEntry> requestorsForCa = this.caManager.getRequestorsForCa(this.caIdent.getName());
        if (CollectionUtil.isEmpty(requestorsForCa)) {
            return null;
        }
        for (CaHasRequestorEntry caHasRequestorEntry : requestorsForCa) {
            RequestorEntryWrapper requestorWrapper = this.caManager.getRequestorWrapper(caHasRequestorEntry.getRequestorIdent().getName());
            if (RequestorEntry.TYPE_CERT.equals(requestorWrapper.getDbEntry().getType()) && requestorWrapper.getCert().getCert().equals(x509Cert)) {
                return new RequestorInfo.CertRequestorInfo(caHasRequestorEntry, requestorWrapper.getCert());
            }
        }
        return null;
    }

    /**
     * Health check: the signer (if configured), the certificate store and the
     * CRL module must all report healthy; evaluation stops at the first
     * unhealthy component.
     */
    public boolean healthy() {
        ConcurrentContentSigner signer = this.caInfo.getSigner(null);
        boolean z = true;
        if (signer != null) {
            z = signer.isHealthy();
        }
        if (z) {
            z = this.certstore.isHealthy();
        }
        if (z) {
            z = this.crlModule.healthy();
        }
        return z;
    }

    /** @return hex SHA-1 fingerprint of the CA certificate, as kept in CaInfo */
    public String getHexSha1OfCert() {
        return this.caInfo.getHexSha1OfCert();
    }

    /**
     * Closes the CRL and revoker modules and purges cancelled tasks from the
     * manager's scheduled executor. The executor itself is shared and is not
     * shut down here.
     */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        this.crlModule.close();
        this.revokerModule.close();
        ScheduledThreadPoolExecutor scheduledThreadPoolExecutor = this.caManager.getScheduledThreadPoolExecutor();
        if (scheduledThreadPoolExecutor != null) {
            scheduledThreadPoolExecutor.purge();
        }
    }
}
