package org.xipki.ca.server;

import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.CertificatePolicies;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.xipki.ca.api.mgmt.CaManager;
import org.xipki.ca.api.profile.BaseCertprofile;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.api.profile.ExtensionValue;
import org.xipki.ca.api.profile.ExtensionValues;
import org.xipki.ca.api.profile.SubjectDnSpec;
import org.xipki.security.KeyUsage;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.util.CollectionUtil;
import org.xipki.util.exception.BadCertTemplateException;

/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/CertprofileUtil.class */
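public class CertprofileUtil {

    /**
     * Subject attribute types whose values must be valid country/area codes
     * (checked for every profile, independent of the certificate domain).
     */
    private static final ASN1ObjectIdentifier[] COUNTRY_CODE_TYPES = {
            ObjectIdentifiers.DN.C,
            ObjectIdentifiers.DN.countryOfCitizenship,
            ObjectIdentifiers.DN.countryOfResidence,
            ObjectIdentifiers.DN.jurisdictionOfIncorporationCountryName};

    /**
     * Subject attribute types that must not appear in an end-entity certificate
     * issued under the CA/Browser Forum Baseline Requirements domain-validated policy.
     */
    private static final ASN1ObjectIdentifier[] DV_PROHIBITED_TYPES = {
            ObjectIdentifiers.DN.O,
            ObjectIdentifiers.DN.givenName,
            ObjectIdentifiers.DN.surname,
            ObjectIdentifiers.DN.street,
            ObjectIdentifiers.DN.localityName,
            ObjectIdentifiers.DN.ST,
            ObjectIdentifiers.DN.postalCode};

    /**
     * Subject attribute types that must appear in a CA (non end-entity) certificate
     * issued under the CA/Browser Forum Baseline Requirements domain.
     */
    private static final ASN1ObjectIdentifier[] BR_CA_REQUIRED_TYPES = {
            ObjectIdentifiers.DN.CN,
            ObjectIdentifiers.DN.O,
            ObjectIdentifiers.DN.C};

    /**
     * Resolves the granted subject for a request and validates it.
     *
     * <p>The subject is obtained from {@code certprofile.getSubject(x500Name)}. If the profile's
     * certificate domain is {@link Certprofile.CertDomain#CABForumBR}, the granted subject is then
     * checked against the Baseline Requirements subject rules for either an end-entity certificate
     * (rules depend on which validation policy OID the profile's CertificatePolicies carries) or a
     * CA certificate. Finally, regardless of the domain, every country-like subject attribute is
     * checked to be a valid country/area code.
     *
     * @param certprofile the profile that resolves and constrains the subject
     * @param x500Name the requested subject
     * @return the subject information granted by the profile, after validation
     * @throws CertprofileException if the profile fails to resolve the subject
     * @throws BadCertTemplateException if the granted subject violates the Baseline Requirements
     *         checks or contains an invalid country/area code
     */
    public static Certprofile.SubjectInfo getSubject(Certprofile certprofile, X500Name x500Name)
            throws CertprofileException, BadCertTemplateException {
        Certprofile.SubjectInfo subject = certprofile.getSubject(x500Name);

        if (certprofile.getCertDomain() == Certprofile.CertDomain.CABForumBR) {
            X500Name grantedSubject = subject.getGrantedSubject();
            if (certprofile.getCertLevel() == Certprofile.CertLevel.EndEntity) {
                // The policy OID is looked up before any RDN check, as in the original ordering.
                ASN1ObjectIdentifier validationPolicy =
                        findBrValidationPolicy(certprofile.getCertificatePolicies());
                checkBrEndEntitySubject(grantedSubject, validationPolicy);
            } else {
                checkBrCaSubject(grantedSubject);
            }
        }

        checkCountryAreaCodes(subject.getGrantedSubject());
        return subject;
    }

    /**
     * Returns the first Baseline Requirements validation policy OID (domain, organization or
     * individual validated) found in {@code policies}, or {@code null} if there is none or
     * {@code policies} is {@code null}.
     */
    private static ASN1ObjectIdentifier findBrValidationPolicy(CertificatePolicies policies) {
        if (policies == null) {
            return null;
        }
        for (PolicyInformation policyInformation : policies.getPolicyInformation()) {
            ASN1ObjectIdentifier policyId = policyInformation.getPolicyIdentifier();
            if (ObjectIdentifiers.BaseRequirements.id_domain_validated.equals(policyId)
                    || ObjectIdentifiers.BaseRequirements.id_organization_validated.equals(policyId)
                    || ObjectIdentifiers.BaseRequirements.id_individual_validated.equals(policyId)) {
                return policyId;
            }
        }
        return null;
    }

    /**
     * Applies the Baseline Requirements subject rules for an end-entity certificate.
     *
     * <p>The address-related attributes (street, localityName, stateOrProvinceName, postalCode,
     * countryName) are only allowed (or required) together with an organizationName or a
     * givenName/surname. Afterwards the rules specific to the validation policy are applied:
     * domain-validated certificates must carry none of the identity/address attributes,
     * organization-validated certificates need O and C plus a locality or state, and
     * individual-validated certificates need C, an O or (givenName, surname) pair, plus a locality
     * or state. A {@code null} {@code validationPolicy} skips the policy-specific part.
     *
     * @param subject the granted subject
     * @param validationPolicy the BR validation policy OID from the profile, or {@code null}
     * @throws BadCertTemplateException on the first violated rule
     */
    private static void checkBrEndEntitySubject(X500Name subject, ASN1ObjectIdentifier validationPolicy)
            throws BadCertTemplateException {
        // containsRdn is side-effect free, so these may be evaluated once up front.
        boolean hasOrgOrPerson = containsRdn(subject, ObjectIdentifiers.DN.O)
                || containsRdn(subject, ObjectIdentifiers.DN.givenName)
                || containsRdn(subject, ObjectIdentifiers.DN.surname);
        boolean hasLocality = containsRdn(subject, ObjectIdentifiers.DN.localityName);
        boolean hasState = containsRdn(subject, ObjectIdentifiers.DN.ST);

        if (containsRdn(subject, ObjectIdentifiers.DN.street) && !hasOrgOrPerson) {
            throw new BadCertTemplateException("subject:street is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
        }

        if (hasLocality) {
            if (!hasOrgOrPerson) {
                throw new BadCertTemplateException("subject:localityName is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
            }
        } else if (!hasState && hasOrgOrPerson) {
            throw new BadCertTemplateException("subject:localityName is required if the subject:organizationName field, subject:givenName field, or subject:surname field are present and the subject:stateOrProvinceName field is absent.");
        }

        if (hasState) {
            if (!hasOrgOrPerson) {
                throw new BadCertTemplateException("subject:stateOrProvinceName is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
            }
        } else if (!hasLocality && hasOrgOrPerson) {
            throw new BadCertTemplateException("subject:stateOrProvinceName is required if the subject:organizationName field, subject:givenName field, or subject:surname field are present and the subject:localityName field is absent.");
        }

        if (containsRdn(subject, ObjectIdentifiers.DN.postalCode) && !hasOrgOrPerson) {
            throw new BadCertTemplateException("subject:postalCode is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
        }

        if (!containsRdn(subject, ObjectIdentifiers.DN.C) && hasOrgOrPerson) {
            // The condition is "any of" these fields, so the message says "or" (it used to say "and").
            throw new BadCertTemplateException("subject:countryCode is required if the subject:organizationName field, subject:givenName field, or subject:surname field are present");
        }

        if (ObjectIdentifiers.BaseRequirements.id_domain_validated.equals(validationPolicy)) {
            for (ASN1ObjectIdentifier type : DV_PROHIBITED_TYPES) {
                if (containsRdn(subject, type)) {
                    throw new BadCertTemplateException("subject " + oidName(type) + " is prohibited in domain validated certificate");
                }
            }
        } else if (ObjectIdentifiers.BaseRequirements.id_organization_validated.equals(validationPolicy)) {
            requireAll(subject, "organization validated", ObjectIdentifiers.DN.O, ObjectIdentifiers.DN.C);
            if (!hasLocality && !hasState) {
                throw new BadCertTemplateException("at least one of subject:localityName and subject:stateOrProvinceName is required in organization validated certificate");
            }
        } else if (ObjectIdentifiers.BaseRequirements.id_individual_validated.equals(validationPolicy)) {
            requireAll(subject, "individual validated", ObjectIdentifiers.DN.C);
            if (!containsRdn(subject, ObjectIdentifiers.DN.O)
                    && (!containsRdn(subject, ObjectIdentifiers.DN.givenName)
                        || !containsRdn(subject, ObjectIdentifiers.DN.surname))) {
                throw new BadCertTemplateException("at least one of subject:organizationName and (subject:givenName, subject:surName) is required in individual validated certificate");
            }
            if (!hasLocality && !hasState) {
                throw new BadCertTemplateException("at least one of subject:localityName and subject:stateOrProvinceName is required in individual validated certificate");
            }
        }
    }

    /**
     * Throws if any of {@code types} is missing from {@code subject}.
     *
     * @param subject the granted subject
     * @param certKind text inserted into the message, e.g. {@code "organization validated"}
     * @param types the required attribute types
     * @throws BadCertTemplateException naming the first missing attribute
     */
    private static void requireAll(X500Name subject, String certKind, ASN1ObjectIdentifier... types)
            throws BadCertTemplateException {
        for (ASN1ObjectIdentifier type : types) {
            if (!containsRdn(subject, type)) {
                throw new BadCertTemplateException("subject " + oidName(type) + " is required in " + certKind + " certificate");
            }
        }
    }

    /**
     * Applies the Baseline Requirements subject rules for a CA certificate: CN, O and C must all
     * be present.
     *
     * @param subject the granted subject
     * @throws BadCertTemplateException naming the first missing attribute
     */
    private static void checkBrCaSubject(X500Name subject) throws BadCertTemplateException {
        for (ASN1ObjectIdentifier type : BR_CA_REQUIRED_TYPES) {
            // Fix: the previous loop tested DN.CN on every iteration, so a CA subject lacking
            // O or C was accepted while the message still named the loop's current type.
            if (!containsRdn(subject, type)) {
                throw new BadCertTemplateException("missing " + oidName(type) + " in subject");
            }
        }
    }

    /**
     * Verifies that every value of the country-like subject attributes
     * ({@link #COUNTRY_CODE_TYPES}) is accepted by {@link SubjectDnSpec#isValidCountryAreaCode}.
     *
     * @param subject the granted subject
     * @throws BadCertTemplateException on the first invalid value
     */
    private static void checkCountryAreaCodes(X500Name subject) throws BadCertTemplateException {
        for (ASN1ObjectIdentifier type : COUNTRY_CODE_TYPES) {
            RDN[] rdns = subject.getRDNs(type);
            if (rdns == null) {
                continue;
            }
            for (RDN rdn : rdns) {
                // getRDNs(type) returns every RDN that contains the type anywhere among its
                // attributes. In a multi-valued RDN the first attribute may therefore be of a
                // different type, so checking only rdn.getFirst() would leave the real country
                // value unvalidated. Check each attribute of the requested type instead.
                for (AttributeTypeAndValue atv : rdn.getTypesAndValues()) {
                    if (!type.equals(atv.getType())) {
                        continue;
                    }
                    String value = IETFUtils.valueToString(atv.getValue());
                    if (!SubjectDnSpec.isValidCountryAreaCode(value)) {
                        throw new BadCertTemplateException("invalid country/area code '" + value + "' in subject attribute " + oidName(type));
                    }
                }
            }
        }
    }

    /**
     * Returns the registered name of {@code oid}, falling back to its dotted-decimal form when
     * {@link ObjectIdentifiers#getName} knows no name for it.
     */
    private static String oidName(ASN1ObjectIdentifier oid) {
        String name = ObjectIdentifiers.getName(oid);
        return name != null ? name : oid.getId();
    }

    /**
     * Returns whether {@code x500Name} contains at least one RDN with the given attribute type.
     *
     * @param x500Name the name to inspect
     * @param aSN1ObjectIdentifier the attribute type
     * @return {@code true} if {@code x500Name.getRDNs(type)} is non-null and non-empty
     */
    static boolean containsRdn(X500Name x500Name, ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        RDN[] rdns = x500Name.getRDNs(aSN1ObjectIdentifier);
        return rdns != null && rdns.length > 0;
    }

    /**
     * Adds to {@code set} every optional (non-required) key usage from {@code set2} that the
     * requested KeyUsage extension in {@code map} asserts. Does nothing when the request carries
     * no KeyUsage extension. Required usages are not added here.
     *
     * @param set the collection of granted key usages to extend
     * @param map the requested extensions, keyed by extension OID
     * @param set2 the key usages the profile permits, each flagged required or optional
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static void addRequestedKeyusage(Set<KeyUsage> set, Map<ASN1ObjectIdentifier, Extension> map, Set<Certprofile.KeyUsageControl> set2) {
        Extension requested = map.get(Extension.keyUsage);
        if (requested == null) {
            return;
        }
        org.bouncycastle.asn1.x509.KeyUsage requestedUsage =
                org.bouncycastle.asn1.x509.KeyUsage.getInstance(requested.getParsedValue());
        for (Certprofile.KeyUsageControl control : set2) {
            if (control.isRequired()) {
                continue;
            }
            if (requestedUsage.hasUsages(control.getKeyUsage().getBcUsage())) {
                set.add(control.getKeyUsage());
            }
        }
    }

    /**
     * Adds to {@code list} every optional (non-required) extended key usage from {@code set}
     * that the requested ExtendedKeyUsage extension in {@code map} contains. Does nothing when the
     * request carries no ExtendedKeyUsage extension. Required usages are not added here.
     *
     * @param list the collection of granted extended key usage OIDs to extend
     * @param map the requested extensions, keyed by extension OID
     * @param set the extended key usages the profile permits, each flagged required or optional
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static void addRequestedExtKeyusage(List<ASN1ObjectIdentifier> list, Map<ASN1ObjectIdentifier, Extension> map, Set<Certprofile.ExtKeyUsageControl> set) {
        Extension requested = map.get(Extension.extendedKeyUsage);
        if (requested == null) {
            return;
        }
        ExtendedKeyUsage requestedUsage = ExtendedKeyUsage.getInstance(requested.getParsedValue());
        for (Certprofile.ExtKeyUsageControl control : set) {
            if (control.isRequired()) {
                continue;
            }
            if (requestedUsage.hasKeyPurposeId(KeyPurposeId.getInstance(control.getExtKeyUsage()))) {
                list.add(control.getExtKeyUsage());
            }
        }
    }

    /**
     * Builds the SubjectInfoAccess extension value from the requested one, keeping only access
     * methods the profile allows and rebuilding each access location through
     * {@link BaseCertprofile#createGeneralName} with the allowed GeneralName modes.
     *
     * @param map the requested extensions, keyed by extension OID
     * @param map2 allowed access methods and, per method, the permitted GeneralName modes;
     *        {@code null} means the extension is not supported
     * @return the rebuilt SubjectInfoAccess sequence, or {@code null} if {@code map2} is
     *         {@code null}, the request carries no (parsable) SubjectInfoAccess extension, or the
     *         requested sequence is empty
     * @throws BadCertTemplateException if a requested access method is not in {@code map2}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static ASN1Sequence createSubjectInfoAccess(Map<ASN1ObjectIdentifier, Extension> map, Map<ASN1ObjectIdentifier, Set<Certprofile.GeneralNameMode>> map2) throws BadCertTemplateException {
        if (map2 == null) {
            return null;
        }
        Extension requested = map.get(Extension.subjectInfoAccess);
        if (requested == null) {
            return null;
        }
        ASN1Encodable parsedValue = requested.getParsedValue();
        if (parsedValue == null) {
            return null;
        }

        ASN1Sequence requestedSeq = ASN1Sequence.getInstance(parsedValue);
        ASN1EncodableVector granted = new ASN1EncodableVector();
        int size = requestedSeq.size();
        for (int i = 0; i < size; i++) {
            AccessDescription accessDescription = AccessDescription.getInstance(requestedSeq.getObjectAt(i));
            ASN1ObjectIdentifier accessMethod = accessDescription.getAccessMethod();
            Set<Certprofile.GeneralNameMode> allowedModes = map2.get(accessMethod);
            if (allowedModes == null) {
                // Reject rather than drop: an unlisted access method must not silently pass.
                throw new BadCertTemplateException("subjectInfoAccess.accessMethod " + accessMethod.getId() + " is not allowed");
            }
            granted.add(new AccessDescription(accessMethod,
                    BaseCertprofile.createGeneralName(accessDescription.getAccessLocation(), allowedModes)));
        }

        return granted.size() > 0 ? new DERSequence(granted) : null;
    }

    /**
     * Adds {@code extensionValue} under {@code aSN1ObjectIdentifier}, or fails if the value is
     * absent but the profile marks the extension as required.
     *
     * @param extensionValues the target extension collection
     * @param aSN1ObjectIdentifier the extension OID
     * @param extensionValue the value to add; {@code null} means "not produced"
     * @param extensionControl the profile's control for this extension
     * @throws CertprofileException if {@code extensionValue} is {@code null} and the extension
     *         is required
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static void addExtension(ExtensionValues extensionValues, ASN1ObjectIdentifier aSN1ObjectIdentifier, ExtensionValue extensionValue, Certprofile.ExtensionControl extensionControl) throws CertprofileException {
        if (extensionValue != null) {
            extensionValues.addExtension(aSN1ObjectIdentifier, extensionValue);
        } else if (extensionControl.isRequired()) {
            throw new CertprofileException("could not add required extension " + oidName(aSN1ObjectIdentifier));
        }
    }

    /**
     * Adds {@code aSN1Encodable} under {@code aSN1ObjectIdentifier}, taking the criticality from
     * {@code extensionControl}, or fails if the value is absent but the extension is required.
     *
     * @param extensionValues the target extension collection
     * @param aSN1ObjectIdentifier the extension OID
     * @param aSN1Encodable the encoded value to add; {@code null} means "not produced"
     * @param extensionControl the profile's control for this extension (criticality, required)
     * @throws CertprofileException if {@code aSN1Encodable} is {@code null} and the extension
     *         is required
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static void addExtension(ExtensionValues extensionValues, ASN1ObjectIdentifier aSN1ObjectIdentifier, ASN1Encodable aSN1Encodable, Certprofile.ExtensionControl extensionControl) throws CertprofileException {
        if (aSN1Encodable != null) {
            extensionValues.addExtension(aSN1ObjectIdentifier, extensionControl.isCritical(), aSN1Encodable);
        } else if (extensionControl.isRequired()) {
            throw new CertprofileException("could not add required extension " + oidName(aSN1ObjectIdentifier));
        }
    }

    /**
     * Renders a set of OIDs for display as {@code [name (oid), oid, ...]}: an OID with a
     * registered name is written as {@code name (dotted)}, one without as {@code dotted} alone.
     *
     * @param set the OIDs to render; {@code null} yields {@link CaManager#NULL}
     * @return the bracketed, comma-separated rendering ({@code "[]"} for an empty set)
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static String toString(Set<ASN1ObjectIdentifier> set) {
        if (set == null) {
            return CaManager.NULL;
        }
        StringBuilder sb = new StringBuilder("[");
        boolean first = true;
        for (ASN1ObjectIdentifier oid : set) {
            if (!first) {
                sb.append(", ");
            }
            first = false;
            String name = ObjectIdentifiers.getName(oid);
            if (name != null) {
                sb.append(name).append(" (").append(oid.getId()).append(")");
            } else {
                sb.append(oid.getId());
            }
        }
        return sb.append("]").toString();
    }
}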
