package org.xipki.ca.server;

import java.io.IOException;
import java.math.BigInteger;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.ca.api.CaUris;
import org.xipki.ca.api.NameId;
import org.xipki.ca.api.PublicCaInfo;
import org.xipki.ca.api.mgmt.CaStatus;
import org.xipki.ca.api.mgmt.CrlControl;
import org.xipki.ca.api.mgmt.CtlogControl;
import org.xipki.ca.api.mgmt.RevokeSuspendedControl;
import org.xipki.ca.api.mgmt.ValidityMode;
import org.xipki.ca.api.mgmt.entry.CaConfColumn;
import org.xipki.ca.api.mgmt.entry.CaEntry;
import org.xipki.ca.server.db.CertStore;
import org.xipki.security.CertRevocationInfo;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.EdECConstants;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignAlgo;
import org.xipki.security.SignerConf;
import org.xipki.security.X509Cert;
import org.xipki.security.XiSecurityException;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.ConfPairs;
import org.xipki.util.LogUtil;
import org.xipki.util.PermissionConstants;
import org.xipki.util.Validity;
import org.xipki.util.exception.ErrorCode;
import org.xipki.util.exception.OperationException;

/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/CaInfo.class */
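/**
 * Runtime view of one CA inside the CA server: the configured {@link CaEntry} and
 * {@link CaConfColumn}, the CA certificate (plus chain) pre-converted to the CMP
 * wire structure, the random serial-number generator, and the signing keys that
 * are created lazily by {@link #initSigner(SecurityFactory)}.
 *
 * <p>Most getters/setters simply delegate to the wrapped {@link CaEntry}. The
 * derived values ({@code notBefore}, {@code notAfter}, {@code noNewCertificateAfter},
 * key spec, CMP-format certificates) are computed once in the constructor.
 *
 * <p>Nothing in this class is synchronized. {@link #initSigner(SecurityFactory)}
 * is a check-then-act on {@code signers}, and {@link #nextCrlNumber()} is a
 * read-modify-write on the entry's CRL counter; the caller is assumed to
 * serialise those (NOTE(review): confirm at the call sites).
 */
public class CaInfo {
    private static final Logger LOG = LoggerFactory.getLogger(CaInfo.class);

    private final CaEntry caEntry;
    private final CaConfColumn caConfColumn;
    /** Last instant at which this CA still issues certificates (notAfter minus the expiration period). */
    private final Instant noNewCertificateAfter;
    private final BigInteger serialNumber;
    private final Instant notBefore;
    private final Instant notAfter;
    private final boolean selfSigned;
    private final CMPCertificate certInCmpFormat;
    private final PublicCaInfo publicCaInfo;
    /** DER encoding of the CA subject, used for fast subject comparison in {@link #hasSubject(byte[])}. */
    private final byte[] encodedSubject;
    /** Unmodifiable chain above the CA certificate (empty when none is configured). */
    private final List<X509Cert> certchain;
    /** Same chain, converted once to the CMP structure. */
    private final List<CMPCertificate> certchainInCmpFormat;
    private final CertStore certStore;
    private final RandomSerialNumberGenerator randomSnGenerator;
    /** Textual key specification, e.g. "RSA/2048", "EC/1.2.840.10045.3.1.7", "DSA/2048/256", "ED25519". */
    private final String caKeyspec;
    private final AlgorithmIdentifier caKeyAlgId;
    /** Null until {@link #initSigner(SecurityFactory)} has completed successfully. */
    private Map<SignAlgo, ConcurrentContentSigner> signers;
    /** Signer of the first configured algorithm; null until initialised. */
    private ConcurrentContentSigner dfltSigner;
    private final ConfPairs extraControl;

    /**
     * Builds the runtime view from the persisted CA configuration.
     *
     * @param caEntry      CA configuration, including the CA certificate and optional chain
     * @param caConfColumn additional column-stored CA configuration
     * @param certStore    certificate store used for CRL-number bookkeeping
     * @throws OperationException     with {@link ErrorCode#SYSTEM_FAILURE} if the subject cannot be DER-encoded
     * @throws IllegalStateException  if the CA key algorithm is not supported (see {@link #deriveKeyspec})
     * @throws NullPointerException   if any argument is null
     */
    public CaInfo(CaEntry caEntry, CaConfColumn caConfColumn, CertStore certStore) throws OperationException {
        this.caEntry = (CaEntry) Args.notNull(caEntry, "caEntry");
        this.caConfColumn = (CaConfColumn) Args.notNull(caConfColumn, "caConfColumn");
        this.certStore = (CertStore) Args.notNull(certStore, "certStore");

        X509Cert cert = caEntry.getCert();
        this.notBefore = cert.getNotBefore();
        this.notAfter = cert.getNotAfter();
        this.serialNumber = cert.getSerialNumber();
        this.selfSigned = cert.isSelfSigned();
        this.certInCmpFormat = toCmpFormat(cert);
        this.publicCaInfo = new PublicCaInfo(cert, caEntry.getCaUris(), caEntry.getExtraControl());
        this.extraControl = caEntry.getExtraControl();
        this.randomSnGenerator = RandomSerialNumberGenerator.getInstance();

        // Stop issuing "expirationPeriod" days before the CA certificate itself expires.
        this.noNewCertificateAfter = this.notAfter.minus(caEntry.getExpirationPeriod(), ChronoUnit.DAYS);

        try {
            this.encodedSubject = cert.getSubject().getEncoded();
        } catch (IOException e) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, e);
        }

        List<X509Cert> configuredChain = caEntry.getCertchain();
        if (configuredChain == null || configuredChain.isEmpty()) {
            this.certchain = Collections.emptyList();
            this.certchainInCmpFormat = Collections.emptyList();
        } else {
            List<X509Cert> chainCopy = new ArrayList<>(configuredChain);
            List<CMPCertificate> cmpChain = new ArrayList<>(chainCopy.size());
            for (X509Cert chainCert : chainCopy) {
                cmpChain.add(toCmpFormat(chainCert));
            }
            // Both lists are handed out by getters. Keep them unmodifiable so a caller cannot
            // alter the chain the CA presents, nor make it diverge from the CMP copy built here.
            this.certchain = Collections.unmodifiableList(chainCopy);
            this.certchainInCmpFormat = Collections.unmodifiableList(cmpChain);
        }

        this.caKeyAlgId = cert.toBcCert().getSubjectPublicKeyInfo().getAlgorithm();
        this.caKeyspec = deriveKeyspec(cert, this.caKeyAlgId);
    }

    /** Wraps a certificate in the CMP {@code CMPCertificate} structure. */
    private static CMPCertificate toCmpFormat(X509Cert cert) {
        return new CMPCertificate(cert.toBcCert().toASN1Structure());
    }

    /**
     * Derives the textual key specification of the CA public key.
     *
     * @param cert     the CA certificate
     * @param keyAlgId algorithm identifier of the certificate's SubjectPublicKeyInfo
     * @return "RSA/&lt;modulus bits&gt;", "EC/&lt;named-curve OID&gt;", "DSA/&lt;p bits&gt;/&lt;q bits&gt;",
     *         or the Ed25519/Ed448 constant
     * @throws IllegalStateException for an unsupported key algorithm, for an EC key whose
     *         parameters are not a named curve (explicit or absent curve parameters are not
     *         something the rest of the server can name, and PKIX only permits namedCurve),
     *         or for a DSA key without parameters
     */
    private static String deriveKeyspec(X509Cert cert, AlgorithmIdentifier keyAlgId) {
        ASN1ObjectIdentifier algorithm = keyAlgId.getAlgorithm();

        if (PKCSObjectIdentifiers.rsaEncryption.equals(algorithm)) {
            return "RSA/" + ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
        }

        if (X9ObjectIdentifiers.id_ecPublicKey.equals(algorithm)) {
            ASN1Encodable params = keyAlgId.getParameters();
            if (!(params instanceof ASN1ObjectIdentifier)) {
                throw new IllegalStateException("EC CA key does not use a named curve");
            }
            return "EC/" + ((ASN1ObjectIdentifier) params).getId();
        }

        if (X9ObjectIdentifiers.id_dsa.equals(algorithm)) {
            // Dss-Parms ::= SEQUENCE { p INTEGER, q INTEGER, g INTEGER }
            ASN1Sequence dssParms = ASN1Sequence.getInstance(keyAlgId.getParameters());
            if (dssParms == null) {
                throw new IllegalStateException("DSA CA key has no parameters");
            }
            int pBits = ASN1Integer.getInstance(dssParms.getObjectAt(0)).getValue().bitLength();
            int qBits = ASN1Integer.getInstance(dssParms.getObjectAt(1)).getValue().bitLength();
            return "DSA/" + pBits + "/" + qBits;
        }

        if (EdECConstants.id_ED25519.equals(algorithm)) {
            return EdECConstants.ED25519;
        }
        if (EdECConstants.id_ED448.equals(algorithm)) {
            return EdECConstants.ED448;
        }

        throw new IllegalStateException("unknown key algorithm " + algorithm.getId());
    }

    /** @return the key specification string derived in the constructor (see {@link #deriveKeyspec}). */
    public String getCaKeyspec() {
        return this.caKeyspec;
    }

    /** @return the AlgorithmIdentifier of the CA's SubjectPublicKeyInfo. */
    public AlgorithmIdentifier getCaKeyAlgId() {
        return this.caKeyAlgId;
    }

    /** @return the persisted "next CRL number" counter, without advancing it. */
    public long getNextCrlNumber() {
        return this.caEntry.getNextCrlNumber();
    }

    /** Overwrites the persisted "next CRL number" counter. */
    public void setNextCrlNumber(long nextCrlNumber) {
        this.caEntry.setNextCrlNumber(nextCrlNumber);
    }

    /** @return the publicly exposable part of this CA (certificate, URIs, extra control). */
    public PublicCaInfo getPublicCaInfo() {
        return this.publicCaInfo;
    }

    /** @return the CA subject as stored in the entry. */
    public String getSubject() {
        return this.caEntry.getSubject();
    }

    /** @return notBefore of the CA certificate. */
    public Instant getNotBefore() {
        return this.notBefore;
    }

    /** @return notAfter of the CA certificate. */
    public Instant getNotAfter() {
        return this.notAfter;
    }

    /** @return serial number of the CA certificate. */
    public BigInteger getSerialNumber() {
        return this.serialNumber;
    }

    /** @return whether the CA certificate is self-signed. */
    public boolean isSelfSigned() {
        return this.selfSigned;
    }

    /** @return the CA certificate as a CMP {@code CMPCertificate}. */
    public CMPCertificate getCertInCmpFormat() {
        return this.certInCmpFormat;
    }

    /** @return the instant after which no new certificates are issued (notAfter minus expiration period). */
    public Instant getNoNewCertificateAfter() {
        return this.noNewCertificateAfter;
    }

    /** @return the wrapped CA entry (mutable, shared with this object). */
    public CaEntry getCaEntry() {
        return this.caEntry;
    }

    /** @return the wrapped column-stored configuration. */
    public CaConfColumn getCaConfColumn() {
        return this.caConfColumn;
    }

    /** @return the configured pathLenConstraint. */
    public int getPathLenConstraint() {
        return this.caEntry.getPathLenConstraint();
    }

    /** @return the CA's id/name pair. */
    public NameId getIdent() {
        return this.caEntry.getIdent();
    }

    /** @return the CA's configured URIs (CRL, OCSP, issuer, ...). */
    public CaUris getCaUris() {
        return this.caEntry.getCaUris();
    }

    /** @return the maximum validity of certificates issued by this CA. */
    public Validity getMaxValidity() {
        return this.caEntry.getMaxValidity();
    }

    /**
     * Compares a DER-encoded subject against the CA subject.
     *
     * @param encodedSubject DER encoding of a Name
     * @return true if it is byte-identical to the CA subject's DER encoding
     */
    public boolean hasSubject(byte[] encodedSubject) {
        return Arrays.equals(this.encodedSubject, encodedSubject);
    }

    /** @return the CA certificate. */
    public X509Cert getCert() {
        return this.publicCaInfo.getCaCert();
    }

    /** @return the unmodifiable chain above the CA certificate; empty if none is configured. */
    public List<X509Cert> getCertchain() {
        return this.certchain;
    }

    /** @return the unmodifiable chain above the CA certificate in CMP form; empty if none is configured. */
    public List<CMPCertificate> getCertchainInCmpFormat() {
        return this.certchainInCmpFormat;
    }

    /** @return name of the dedicated CRL signer, if any. */
    public String getCrlSignerName() {
        return this.caEntry.getCrlSignerName();
    }

    /** Sets the name of the dedicated CRL signer. */
    public void setCrlSignerName(String crlSignerName) {
        this.caEntry.setCrlSignerName(crlSignerName);
    }

    /** @return the CRL generation control. */
    public CrlControl getCrlControl() {
        return this.caEntry.getCrlControl();
    }

    /** @return the Certificate Transparency log control. */
    public CtlogControl getCtlogControl() {
        return this.caEntry.getCtlogControl();
    }

    /** @return names of the key-pair generators available to this CA. */
    public List<String> getKeypairGenNames() {
        return this.caEntry.getKeypairGenNames();
    }

    /** @return the extra control pairs captured at construction time. */
    public ConfPairs getExtraControl() {
        return this.extraControl;
    }

    /** @return number of CRLs to keep. */
    public int getNumCrls() {
        return this.caEntry.getNumCrls();
    }

    /** @return current CA status. */
    public CaStatus getStatus() {
        return this.caEntry.getStatus();
    }

    /** Sets the CA status. */
    public void setStatus(CaStatus caStatus) {
        this.caEntry.setStatus(caStatus);
    }

    /** Short form of the entry; see {@link #toString(boolean)}. */
    @Override
    public String toString() {
        return this.caEntry.toString(false);
    }

    /**
     * @param verbose passed through to {@link CaEntry#toString(boolean)}
     * @return the entry's string representation
     */
    public String toString(boolean verbose) {
        return this.caEntry.toString(verbose);
    }

    /** @return whether issued certificates are persisted. */
    public boolean isSaveCert() {
        return this.caEntry.isSaveCert();
    }

    /** @return whether generated key pairs are persisted. */
    public boolean isSaveKeypair() {
        return this.caEntry.isSaveKeypair();
    }

    /** @return hex SHA-1 of the CA certificate (used as an identifier, not for integrity). */
    public String getHexSha1OfCert() {
        return this.caEntry.getHexSha1OfCert();
    }

    /** @return how requested validity is reconciled with the CA's own validity. */
    public ValidityMode getValidityMode() {
        return this.caEntry.getValidityMode();
    }

    /** @return the permission bit set of this CA. */
    public int getPermission() {
        return this.caEntry.getPermission();
    }

    /** Sets the permission bit set of this CA. */
    public void setPermission(int permission) {
        this.caEntry.setPermission(permission);
    }

    /** @return revocation info of the CA itself, or null if not revoked. */
    public CertRevocationInfo getRevocationInfo() {
        return this.caEntry.getRevocationInfo();
    }

    /** Records the revocation of the CA itself. */
    public void setRevocationInfo(CertRevocationInfo certRevocationInfo) {
        this.caEntry.setRevocationInfo(certRevocationInfo);
    }

    /** @return how many days expired certificates are retained. */
    public int getKeepExpiredCertInDays() {
        return this.caEntry.getKeepExpiredCertInDays();
    }

    /** @return a fresh random serial number of the configured length. */
    public BigInteger nextSerial() {
        return this.randomSnGenerator.nextSerialNumber(this.caEntry.getSerialNoLen());
    }

    /**
     * Allocates the next CRL number and advances the entry's counter past it.
     *
     * <p>CRL numbers must be strictly increasing. If the persisted counter lags behind
     * the highest CRL number already in the store (e.g. stale configuration after a
     * reload), the store wins and the counter is resynchronised from it.
     *
     * <p>NOTE(review): the read-modify-write on the counter is not atomic; concurrent
     * callers could obtain the same number unless CRL generation is serialised elsewhere.
     *
     * @return the CRL number to use for the CRL being generated
     * @throws OperationException if the store cannot be queried
     */
    public BigInteger nextCrlNumber() throws OperationException {
        long next = this.caEntry.getNextCrlNumber();
        long highestStored = this.certStore.getMaxCrlNumber(this.caEntry.getIdent());
        if (next <= highestStored) {
            next = highestStored + 1;
        }
        this.caEntry.setNextCrlNumber(next + 1);
        return BigInteger.valueOf(next);
    }

    /**
     * @return the highest number of a full (non-delta) CRL in the store, or null if there is none
     *         (the store reports 0 in that case)
     * @throws OperationException if the store cannot be queried
     */
    public BigInteger getMaxFullCrlNumber() throws OperationException {
        long highestFull = this.certStore.getMaxFullCrlNumber(this.caEntry.getIdent());
        return highestFull == 0 ? null : BigInteger.valueOf(highestFull);
    }

    /**
     * Picks a signer for the first algorithm in {@code preferredAlgos} that this CA has
     * a signer for.
     *
     * @param preferredAlgos algorithms in order of preference; null or empty selects the default signer
     * @return the matching signer, the default signer for a null/empty list, or null if none
     *         matches or {@link #initSigner(SecurityFactory)} has not completed yet
     */
    public ConcurrentContentSigner getSigner(List<SignAlgo> preferredAlgos) {
        if (CollectionUtil.isEmpty(preferredAlgos)) {
            return this.dfltSigner;
        }
        // Before initSigner() there is no map; report that like "no match" instead of an NPE.
        if (this.signers == null) {
            return null;
        }
        for (SignAlgo algo : preferredAlgos) {
            if (this.signers.containsKey(algo)) {
                return this.signers.get(algo);
            }
        }
        return null;
    }

    /**
     * Creates one signer per configured signer algorithm. Idempotent: a second call after a
     * successful first one does nothing. On any failure all signers created so far are closed,
     * the default signer is cleared, and the failure is logged and rethrown, so that no
     * half-initialised signer remains reachable through {@link #getSigner(List)}.
     *
     * @param securityFactory factory used to instantiate the signers
     * @return always true (kept for interface compatibility)
     * @throws XiSecurityException if any signer cannot be created; the underlying cause is logged
     */
    public boolean initSigner(SecurityFactory securityFactory) throws XiSecurityException {
        if (this.signers != null) {
            return true;
        }
        this.dfltSigner = null;
        List<CaEntry.CaSignerConf> signerConfs = CaEntry.splitCaSignerConfs(this.caEntry.getSignerConf());
        Map<SignAlgo, ConcurrentContentSigner> created = new HashMap<>();
        for (CaEntry.CaSignerConf signerConf : signerConfs) {
            try {
                ConcurrentContentSigner signer = securityFactory.createSigner(
                        this.caEntry.getSignerType(), new SignerConf(signerConf.getConf()), this.caEntry.getCert());
                if (this.dfltSigner == null) {
                    this.dfltSigner = signer; // the first configured algorithm is the default
                }
                created.put(signerConf.getAlgo(), signer);
            } catch (Throwable th) {
                // Deliberately broad: whatever went wrong, leave no open or dangling signer behind.
                LogUtil.error(LOG, th, "could not initialize the CA signer for CA " + this.caEntry.getIdent().getName());
                closeQuietly(created.values());
                created.clear();
                // dfltSigner may point at a signer that was just closed above.
                this.dfltSigner = null;
                throw new XiSecurityException("could not initialize the CA signer");
            }
        }
        this.signers = Collections.unmodifiableMap(created);
        return true;
    }

    /** Closes each signer, logging (not propagating) close failures. */
    private static void closeQuietly(Iterable<ConcurrentContentSigner> signers) {
        for (ConcurrentContentSigner signer : signers) {
            try {
                signer.close();
            } catch (IOException e) {
                LogUtil.error(LOG, e, "could not close ConcurrentContentSigner " + signer.getName());
            }
        }
    }

    /**
     * @return true if the CA's permissions include an operation that needs its signing key
     *         (cross enrollment or one of the three inlined permission bits 1, 32 and 16 —
     *         these literals are decompiler-inlined {@code PermissionConstants} values; map
     *         them back to their named constants when the source is available)
     */
    public boolean isSignerRequired() {
        int permission = this.caEntry.getPermission();
        return PermissionConstants.contains(permission, PermissionConstants.ENROLL_CROSS)
                || PermissionConstants.contains(permission, 1)
                || PermissionConstants.contains(permission, 32)
                || PermissionConstants.contains(permission, 16);
    }

    /** @return the control governing automatic revocation of suspended certificates. */
    public RevokeSuspendedControl revokeSuspendedCertsControl() {
        return this.caEntry.getRevokeSuspendedControl();
    }
}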
