package org.xipki.ca.server;

import java.io.Closeable;
import java.math.BigInteger;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.CertificatePolicies;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.util.encoders.Hex;
import org.xipki.ca.api.CaUris;
import org.xipki.ca.api.NameId;
import org.xipki.ca.api.PublicCaInfo;
import org.xipki.ca.api.mgmt.entry.CertprofileEntry;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.api.profile.ExtensionSpec;
import org.xipki.ca.api.profile.ExtensionValue;
import org.xipki.ca.api.profile.ExtensionValues;
import org.xipki.ca.api.profile.KeypairGenControl;
import org.xipki.ca.api.profile.NotAfterMode;
import org.xipki.ca.api.profile.SubjectDnSpec;
import org.xipki.ca.sdk.CaAuditConstants;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.SignAlgo;
import org.xipki.security.X509Cert;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.ConfPairs;
import org.xipki.util.Validity;
import org.xipki.util.exception.BadCertTemplateException;

/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/IdentifiedCertprofile.class */
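/**
 * Pairs a {@link Certprofile} with the database entry it was loaded from and adds the CA-side
 * checks that are applied regardless of what the profile implementation itself enforces.
 *
 * <p>Two methods carry the policy-relevant logic:
 * <ul>
 *   <li>{@link #getSubject} validates the granted subject, including the subject-attribute rules
 *       applied when the profile's domain is {@code CABForumBR};</li>
 *   <li>{@link #getExtensions} decides which extensions end up in the certificate and which
 *       requested extensions are honoured.</li>
 * </ul>
 * Every other public method delegates directly to the wrapped profile.
 */
public class IdentifiedCertprofile implements Closeable {
    private final CertprofileEntry dbEntry;
    private final Certprofile certprofile;

    /**
     * Initializes the profile from the entry's configuration and rejects profiles that are not
     * end-entity profiles but have no well-defined expiration date.
     *
     * @param certprofileEntry database entry describing the profile; must not be null
     * @param certprofile profile implementation to wrap; must not be null
     * @throws CertprofileException if initialization fails or a non-end-entity profile has no
     *     well-defined expiration date
     */
    public IdentifiedCertprofile(CertprofileEntry certprofileEntry, Certprofile certprofile) throws CertprofileException {
        this.dbEntry = (CertprofileEntry) Args.notNull(certprofileEntry, "dbEntry");
        this.certprofile = (Certprofile) Args.notNull(certprofile, CaAuditConstants.NAME_certprofile);
        this.certprofile.initialize(certprofileEntry.getConf());
        if (this.certprofile.getCertLevel() != Certprofile.CertLevel.EndEntity && this.certprofile.hasNoWellDefinedExpirationDate()) {
            throw new CertprofileException("CA certificate is not allowed to have notAfter 99991231235959Z");
        }
    }

    /** Returns the identifier stored in the database entry. */
    public NameId getIdent() {
        return this.dbEntry.getIdent();
    }

    /** Returns the wrapped profile implementation. */
    public Certprofile getCertprofile() {
        return this.certprofile;
    }

    /** Returns the database entry this profile was created from. */
    public CertprofileEntry getDbEntry() {
        return this.dbEntry;
    }

    /** Delegates to {@link Certprofile#getVersion()}. */
    public Certprofile.X509CertVersion getVersion() {
        return this.certprofile.getVersion();
    }

    /** Delegates to {@link Certprofile#getSignatureAlgorithms()}. */
    public List<SignAlgo> getSignatureAlgorithms() {
        return this.certprofile.getSignatureAlgorithms();
    }

    /** Delegates to the wrapped profile's {@code getNotBefore}. */
    public Instant getNotBefore(Instant instant) {
        return this.certprofile.getNotBefore(instant);
    }

    /** Delegates to {@link Certprofile#getValidity()}. */
    public Validity getValidity() {
        return this.certprofile.getValidity();
    }

    /** Delegates to {@link Certprofile#hasNoWellDefinedExpirationDate()}. */
    public boolean hasNoWellDefinedExpirationDate() {
        return this.certprofile.hasNoWellDefinedExpirationDate();
    }

    /** Delegates to {@link Certprofile#getNotAfterMode()}. */
    public NotAfterMode getNotAfterMode() {
        return this.certprofile.getNotAfterMode();
    }

    /**
     * Asks the profile for the subject to grant and validates the result.
     *
     * <p>When the profile's domain is {@code CABForumBR}, the granted subject is checked against
     * the attribute rules encoded below: end-entity subjects by validation policy, all other
     * levels for the presence of CN, O and C. Independently of the domain, every country-type
     * attribute in the granted subject must pass
     * {@link SubjectDnSpec#isValidCountryAreaCode(String)}.
     *
     * @param x500Name subject passed to the profile's {@code getSubject}
     * @param subjectPublicKeyInfo public key passed to the profile's {@code getSubject}
     * @return the subject information produced by the profile
     * @throws CertprofileException if the profile fails to produce a subject
     * @throws BadCertTemplateException if the granted subject violates one of the checks
     */
    public Certprofile.SubjectInfo getSubject(X500Name x500Name, SubjectPublicKeyInfo subjectPublicKeyInfo) throws CertprofileException, BadCertTemplateException {
        Certprofile.SubjectInfo subject = this.certprofile.getSubject(x500Name, subjectPublicKeyInfo);
        if (this.certprofile.getCertDomain() == Certprofile.CertDomain.CABForumBR) {
            X500Name grantedSubject = subject.getGrantedSubject();
            if (getCertLevel() == Certprofile.CertLevel.EndEntity) {
                assertBrEndEntitySubject(grantedSubject);
            } else {
                ASN1ObjectIdentifier[] requiredTypes = {ObjectIdentifiers.DN.CN, ObjectIdentifiers.DN.O, ObjectIdentifiers.DN.C};
                for (ASN1ObjectIdentifier requiredType : requiredTypes) {
                    // Test the attribute being iterated. Testing CN on every pass would let a
                    // subject without O or C through this check.
                    if (!containsRdn(grantedSubject, requiredType)) {
                        throw new BadCertTemplateException("missing " + ObjectIdentifiers.getName(requiredType) + " in subject");
                    }
                }
            }
        }
        ASN1ObjectIdentifier[] countryTypes = {ObjectIdentifiers.DN.C, ObjectIdentifiers.DN.countryOfCitizenship, ObjectIdentifiers.DN.countryOfResidence, ObjectIdentifiers.DN.jurisdictionOfIncorporationCountryName};
        for (ASN1ObjectIdentifier countryType : countryTypes) {
            RDN[] rdns = subject.getGrantedSubject().getRDNs(countryType);
            if (rdns == null) {
                continue;
            }
            for (RDN rdn : rdns) {
                String code = IETFUtils.valueToString(rdn.getFirst().getValue());
                if (!SubjectDnSpec.isValidCountryAreaCode(code)) {
                    String name = ObjectIdentifiers.getName(countryType);
                    if (name == null) {
                        name = countryType.getId();
                    }
                    throw new BadCertTemplateException("invalid country/area code '" + code + "' in subject attribute " + name);
                }
            }
        }
        return subject;
    }

    /**
     * Applies the end-entity subject rules used for the {@code CABForumBR} domain: address
     * attributes are only allowed next to an organization or personal name, and the required or
     * prohibited attributes depend on which validation policy the profile asserts.
     */
    private void assertBrEndEntitySubject(X500Name grantedSubject) throws BadCertTemplateException {
        CertificatePolicies certificatePolicies = this.certprofile.getCertificatePolicies();
        ASN1ObjectIdentifier validationPolicy = null;
        if (certificatePolicies != null) {
            for (PolicyInformation policyInformation : certificatePolicies.getPolicyInformation()) {
                ASN1ObjectIdentifier policyId = policyInformation.getPolicyIdentifier();
                if (ObjectIdentifiers.BaseRequirements.id_domain_validated.equals(policyId) || ObjectIdentifiers.BaseRequirements.id_organization_validated.equals(policyId) || ObjectIdentifiers.BaseRequirements.id_individual_validated.equals(policyId)) {
                    // The first matching validation policy decides which rule set applies.
                    validationPolicy = policyId;
                    break;
                }
            }
        }

        boolean hasOrganization = containsRdn(grantedSubject, ObjectIdentifiers.DN.O);
        boolean hasGivenName = containsRdn(grantedSubject, ObjectIdentifiers.DN.givenName);
        boolean hasSurname = containsRdn(grantedSubject, ObjectIdentifiers.DN.surname);
        boolean hasLocality = containsRdn(grantedSubject, ObjectIdentifiers.DN.localityName);
        boolean hasState = containsRdn(grantedSubject, ObjectIdentifiers.DN.ST);
        boolean hasIdentity = hasOrganization || hasGivenName || hasSurname;

        if (containsRdn(grantedSubject, ObjectIdentifiers.DN.street) && !hasIdentity) {
            throw new BadCertTemplateException("subject:street is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
        }
        if (hasLocality) {
            if (!hasIdentity) {
                throw new BadCertTemplateException("subject:localityName is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
            }
        } else if (!hasState && hasIdentity) {
            throw new BadCertTemplateException("subject:localityName is required if the subject:organizationName field, subject:givenName field, or subject:surname field are present and the subject:stateOrProvinceName field is absent.");
        }
        if (hasState) {
            if (!hasIdentity) {
                throw new BadCertTemplateException("subject:stateOrProvinceName is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
            }
        } else if (!hasLocality && hasIdentity) {
            throw new BadCertTemplateException("subject:stateOrProvinceName is required if the subject:organizationName field, subject:givenName field, or subject:surname field are present and the subject:localityName field is absent.");
        }
        if (containsRdn(grantedSubject, ObjectIdentifiers.DN.postalCode) && !hasIdentity) {
            throw new BadCertTemplateException("subject:postalCode is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
        }
        if (!containsRdn(grantedSubject, ObjectIdentifiers.DN.C) && hasIdentity) {
            throw new BadCertTemplateException("subject:countryCode is required if the subject:organizationName field, subject:givenName, and subject:surname field are present");
        }

        if (ObjectIdentifiers.BaseRequirements.id_domain_validated.equals(validationPolicy)) {
            ASN1ObjectIdentifier[] prohibitedTypes = {ObjectIdentifiers.DN.O, ObjectIdentifiers.DN.givenName, ObjectIdentifiers.DN.surname, ObjectIdentifiers.DN.street, ObjectIdentifiers.DN.localityName, ObjectIdentifiers.DN.ST, ObjectIdentifiers.DN.postalCode};
            for (ASN1ObjectIdentifier prohibitedType : prohibitedTypes) {
                if (containsRdn(grantedSubject, prohibitedType)) {
                    throw new BadCertTemplateException("subject " + ObjectIdentifiers.getName(prohibitedType) + " is prohibited in domain validated certificate");
                }
            }
        } else if (ObjectIdentifiers.BaseRequirements.id_organization_validated.equals(validationPolicy)) {
            ASN1ObjectIdentifier[] requiredTypes = {ObjectIdentifiers.DN.O, ObjectIdentifiers.DN.C};
            for (ASN1ObjectIdentifier requiredType : requiredTypes) {
                if (!containsRdn(grantedSubject, requiredType)) {
                    throw new BadCertTemplateException("subject " + ObjectIdentifiers.getName(requiredType) + " is required in organization validated certificate");
                }
            }
            if (!hasLocality && !hasState) {
                throw new BadCertTemplateException("at least one of subject:localityName and subject:stateOrProvinceName is required in organization validated certificate");
            }
        } else if (ObjectIdentifiers.BaseRequirements.id_individual_validated.equals(validationPolicy)) {
            ASN1ObjectIdentifier[] requiredTypes = {ObjectIdentifiers.DN.C};
            for (ASN1ObjectIdentifier requiredType : requiredTypes) {
                if (!containsRdn(grantedSubject, requiredType)) {
                    throw new BadCertTemplateException("subject " + ObjectIdentifiers.getName(requiredType) + " is required in individual validated certificate");
                }
            }
            if (!hasOrganization && (!hasGivenName || !hasSurname)) {
                throw new BadCertTemplateException("at least one of subject:organizationName and (subject:givenName, subject:surName) is required in individual validated certificate");
            }
            if (!hasLocality && !hasState) {
                throw new BadCertTemplateException("at least one of subject:localityName and subject:stateOrProvinceName is required in individual validated certificate");
            }
        }
    }

    /** Returns true if the name holds at least one RDN of the given attribute type. */
    private static boolean containsRdn(X500Name x500Name, ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        RDN[] rdns = x500Name.getRDNs(aSN1ObjectIdentifier);
        return rdns != null && rdns.length > 0;
    }

    /**
     * Builds the extension set for a certificate to be issued.
     *
     * <p>Extensions whose content is determined by the CA (key identifiers, issuer alternative
     * name, AIA, CRL distribution points, basic constraints, key usages, OCSP no-check, subject
     * info access, certificate policies) are produced here; the remaining controlled extensions
     * come from the profile's own {@code getExtensions}. A requested extension is copied into the
     * certificate only when the profile has a control for it, that control permits it in the
     * request and the profile did not supply a value itself. Requested extensions without any
     * control are forwarded to the profile but never copied by this method.
     *
     * <p>For end-entity profiles in the {@code CABForumBR} domain the subjectAltName entries are
     * validated and the common name of {@code x500Name2} must appear among them.
     *
     * @param x500Name first subject name forwarded to the profile (presumably the requested
     *     subject; confirm against the caller)
     * @param x500Name2 second subject name forwarded to the profile; its common name is the one
     *     matched against subjectAltName (presumably the granted subject)
     * @param extensions extensions carried by the request, may be null
     * @param subjectPublicKeyInfo public key of the certificate; must not be null
     * @param publicCaInfo public information of the issuing CA
     * @param x509Cert certificate whose subject is passed to the CRL distribution point builder,
     *     may be null (presumably the CRL signer)
     * @param instant first time value forwarded to the profile (presumably notBefore)
     * @param instant2 second time value forwarded to the profile (presumably notAfter)
     * @return the extension values to place in the certificate
     * @throws CertprofileException if a required extension cannot be produced, a CA URI uses a
     *     protocol the profile does not allow, or the request denies the CA flag for a
     *     non-end-entity profile
     * @throws BadCertTemplateException if the subjectAltName check fails
     */
    public ExtensionValues getExtensions(X500Name x500Name, X500Name x500Name2, Extensions extensions, SubjectPublicKeyInfo subjectPublicKeyInfo, PublicCaInfo publicCaInfo, X509Cert x509Cert, Instant instant, Instant instant2) throws CertprofileException, BadCertTemplateException {
        Args.notNull(subjectPublicKeyInfo, "publicKeyInfo");
        ExtensionValues values = new ExtensionValues();

        // Working copy: a control is removed once its extension has been handled, so whatever is
        // left at the end is an extension nobody produced.
        Map<ASN1ObjectIdentifier, Certprofile.ExtensionControl> controls = new HashMap<>(this.certprofile.getExtensionControls());
        // The SCT extension is not produced by this method.
        controls.remove(ObjectIdentifiers.Extn.id_SCTs);

        // Requested extensions that the profile explicitly forbids in a request are dropped here.
        Map<ASN1ObjectIdentifier, Extension> requested = new HashMap<>();
        if (extensions != null) {
            for (ASN1ObjectIdentifier oid : extensions.getExtensionOIDs()) {
                Certprofile.ExtensionControl control = controls.get(oid);
                if (control == null || control.isPermittedInRequest()) {
                    requested.put(oid, extensions.getExtension(oid));
                }
            }
        }

        // subjectKeyIdentifier: a permitted requested value wins over the computed one.
        ASN1ObjectIdentifier oid = Extension.subjectKeyIdentifier;
        Certprofile.ExtensionControl control = controls.remove(oid);
        if (control != null) {
            Extension requestedSki = requested.get(oid);
            SubjectKeyIdentifier ski;
            if (requestedSki == null) {
                ski = this.certprofile.getSubjectKeyIdentifier(subjectPublicKeyInfo);
            } else {
                ski = new SubjectKeyIdentifier(SubjectKeyIdentifier.getInstance(requestedSki.getParsedValue()).getKeyIdentifier());
            }
            CertprofileUtil.addExtension(values, oid, (ASN1Encodable) ski, control);
        }

        // authorityKeyIdentifier: issuer and serial number, or the CA's key identifier.
        oid = Extension.authorityKeyIdentifier;
        control = controls.remove(oid);
        if (control != null) {
            AuthorityKeyIdentifier aki = null;
            if (this.certprofile.useIssuerAndSerialInAki()) {
                aki = new AuthorityKeyIdentifier(new GeneralNames(new GeneralName(publicCaInfo.getIssuer())), publicCaInfo.getSerialNumber());
            } else {
                byte[] caKeyId = publicCaInfo.getSubjectKeyIdentifer();
                if (caKeyId != null) {
                    aki = new AuthorityKeyIdentifier(caKeyId);
                }
            }
            CertprofileUtil.addExtension(values, oid, (ASN1Encodable) aki, control);
        }

        // issuerAlternativeName: copied from the CA certificate's subjectAltName.
        oid = Extension.issuerAlternativeName;
        control = controls.remove(oid);
        if (control != null) {
            CertprofileUtil.addExtension(values, oid, (ASN1Encodable) publicCaInfo.getSubjectAltName(), control);
        }

        // authorityInfoAccess: CA issuer and OCSP URIs, limited to the protocols the profile allows.
        oid = Extension.authorityInfoAccess;
        control = controls.remove(oid);
        CaUris caUris = publicCaInfo.getCaUris();
        if (control != null) {
            Certprofile.AuthorityInfoAccessControl aiaControl = this.certprofile.getAiaControl();
            List<String> caIssuerUris = null;
            if (aiaControl != null && aiaControl.isIncludesCaIssuers()) {
                caIssuerUris = caUris.getCacertUris();
                assertAllUrisHasProtocol(caIssuerUris, aiaControl.getCaIssuersProtocols());
            }
            List<String> ocspUris = null;
            if (aiaControl != null && aiaControl.isIncludesOcsp()) {
                ocspUris = caUris.getOcspUris();
                assertAllUrisHasProtocol(ocspUris, aiaControl.getOcspProtocols());
            }
            CertprofileUtil.addExtension(values, oid, (CollectionUtil.isNotEmpty(caIssuerUris) || CollectionUtil.isNotEmpty(ocspUris)) ? CaUtil.createAuthorityInformationAccess(caIssuerUris, ocspUris) : null, control);
        }

        // cRLDistributionPoints and freshestCRL.
        if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
            X500Name crlSignerSubject = x509Cert == null ? null : x509Cert.getSubject();
            X500Name caSubject = publicCaInfo.getSubject();

            oid = Extension.cRLDistributionPoints;
            control = controls.remove(oid);
            if (control != null) {
                CRLDistPoint crlDp = null;
                List<String> crlUris = caUris.getCrlUris();
                if (CollectionUtil.isNotEmpty(crlUris)) {
                    Certprofile.CrlDistributionPointsControl crlDpControl = this.certprofile.getCrlDpControl();
                    assertAllUrisHasProtocol(crlUris, crlDpControl == null ? null : crlDpControl.getProtocols());
                    crlDp = CaUtil.createCrlDistributionPoints(crlUris, caSubject, crlSignerSubject);
                }
                CertprofileUtil.addExtension(values, oid, (ASN1Encodable) crlDp, control);
            }

            oid = Extension.freshestCRL;
            control = controls.remove(oid);
            if (control != null) {
                CRLDistPoint deltaCrlDp = null;
                List<String> deltaCrlUris = caUris.getDeltaCrlUris();
                if (CollectionUtil.isNotEmpty(deltaCrlUris)) {
                    Certprofile.CrlDistributionPointsControl freshestCrlControl = this.certprofile.getFreshestCrlControl();
                    assertAllUrisHasProtocol(deltaCrlUris, freshestCrlControl == null ? null : freshestCrlControl.getProtocols());
                    deltaCrlDp = CaUtil.createCrlDistributionPoints(caUris.getDeltaCrlUris(), caSubject, crlSignerSubject);
                }
                CertprofileUtil.addExtension(values, oid, (ASN1Encodable) deltaCrlDp, control);
            }
        }

        // basicConstraints: the level comes from the profile. A request can only lower the path
        // length, and it cannot turn a non-end-entity profile into a non-CA certificate.
        oid = Extension.basicConstraints;
        control = controls.remove(oid);
        if (control != null) {
            Certprofile.CertLevel certLevel = this.certprofile.getCertLevel();
            BasicConstraints basicConstraints;
            if (certLevel == Certprofile.CertLevel.EndEntity) {
                basicConstraints = CaUtil.createBasicConstraints(Certprofile.CertLevel.EndEntity, null);
            } else {
                Integer pathLen = this.certprofile.getPathLenBasicConstraint();
                Extension requestedBc = requested.get(oid);
                if (requestedBc != null) {
                    BasicConstraints requestedConstraints = BasicConstraints.getInstance(requestedBc.getParsedValue());
                    if (!requestedConstraints.isCA()) {
                        throw new CertprofileException("could not enroll a CA certificate for an EndEntity request");
                    }
                    if (requestedConstraints.getPathLenConstraint() != null) {
                        int requestedPathLen = requestedConstraints.getPathLenConstraint().intValue();
                        if (requestedPathLen >= 0 && (pathLen == null || requestedPathLen < pathLen.intValue())) {
                            pathLen = Integer.valueOf(requestedPathLen);
                        }
                    }
                }
                basicConstraints = CaUtil.createBasicConstraints(certLevel, pathLen);
            }
            CertprofileUtil.addExtension(values, oid, (ASN1Encodable) basicConstraints, control);
        }

        // keyUsage: required usages plus whatever addRequestedKeyusage accepts from the request.
        oid = Extension.keyUsage;
        control = controls.remove(oid);
        if (control != null) {
            // Raw on purpose: the element type is whatever KeyUsageControl.getKeyUsage() returns,
            // and that type is not imported by this file.
            HashSet usages = new HashSet();
            Set<Certprofile.KeyUsageControl> usageControls = this.certprofile.getKeyUsage();
            for (Certprofile.KeyUsageControl usageControl : usageControls) {
                if (usageControl.isRequired()) {
                    usages.add(usageControl.getKeyUsage());
                }
            }
            CertprofileUtil.addRequestedKeyusage(usages, requested, usageControls);
            CertprofileUtil.addExtension(values, oid, (ASN1Encodable) X509Util.createKeyUsage(usages), control);
        }

        // extendedKeyUsage: anyExtendedKeyUsage forces non-critical, then timeStamping forces critical.
        oid = Extension.extendedKeyUsage;
        control = controls.remove(oid);
        if (control != null) {
            // Raw for the same reason as the key usage set above.
            LinkedList extUsages = new LinkedList();
            Set<Certprofile.ExtKeyUsageControl> extUsageControls = this.certprofile.getExtendedKeyUsages();
            for (Certprofile.ExtKeyUsageControl extUsageControl : extUsageControls) {
                if (extUsageControl.isRequired()) {
                    extUsages.add(extUsageControl.getExtKeyUsage());
                }
            }
            CertprofileUtil.addRequestedExtKeyusage(extUsages, requested, extUsageControls);
            if (control.isCritical() && extUsages.contains(ObjectIdentifiers.XKU.id_kp_anyExtendedKeyUsage)) {
                control = new Certprofile.ExtensionControl(false, control.isRequired(), control.getInRequest());
            }
            if (!control.isCritical() && extUsages.contains(ObjectIdentifiers.XKU.id_kp_timeStamping)) {
                control = new Certprofile.ExtensionControl(true, control.isRequired(), control.getInRequest());
            }
            CertprofileUtil.addExtension(values, oid, (ASN1Encodable) X509Util.createExtendedUsage(extUsages), control);
        }

        // OCSP no-check carries no content beyond NULL.
        oid = ObjectIdentifiers.Extn.id_extension_pkix_ocsp_nocheck;
        control = controls.remove(oid);
        if (control != null) {
            CertprofileUtil.addExtension(values, oid, (ASN1Encodable) DERNull.INSTANCE, control);
        }

        oid = Extension.subjectInfoAccess;
        control = controls.remove(oid);
        if (control != null) {
            CertprofileUtil.addExtension(values, oid, (ASN1Encodable) CertprofileUtil.createSubjectInfoAccess(requested, this.certprofile.getSubjectInfoAccessModes()), control);
        }

        oid = Extension.certificatePolicies;
        control = controls.remove(oid);
        if (control != null) {
            CertprofileUtil.addExtension(values, oid, (ASN1Encodable) this.certprofile.getCertificatePolicies(), control);
        }

        // Everything still under control is the profile's job; fall back to the requested value
        // only where the control permits it.
        ExtensionValues profileValues = this.certprofile.getExtensions(Collections.unmodifiableMap(controls), x500Name, x500Name2, requested, instant, instant2, publicCaInfo);
        for (ASN1ObjectIdentifier remainingOid : new HashSet<>(controls.keySet())) {
            Certprofile.ExtensionControl remainingControl = controls.get(remainingOid);
            ExtensionValue value = profileValues.getExtensionValue(remainingOid);
            if (value == null && remainingControl.isPermittedInRequest()) {
                Extension requestedExtension = requested.get(remainingOid);
                if (requestedExtension != null) {
                    value = new ExtensionValue(remainingControl.isCritical(), requestedExtension.getParsedValue());
                }
            }
            if (value != null) {
                CertprofileUtil.addExtension(values, remainingOid, value, remainingControl);
                controls.remove(remainingOid);
            }
        }

        Set<ASN1ObjectIdentifier> missingRequired = new HashSet<>();
        for (Map.Entry<ASN1ObjectIdentifier, Certprofile.ExtensionControl> entry : controls.entrySet()) {
            if (entry.getValue().isRequired()) {
                missingRequired.add(entry.getKey());
            }
        }
        if (CollectionUtil.isNotEmpty(missingRequired)) {
            throw new CertprofileException("could not add required extensions " + CertprofileUtil.toString(missingRequired));
        }

        if (this.certprofile.getCertDomain() == Certprofile.CertDomain.CABForumBR && getCertLevel() == Certprofile.CertLevel.EndEntity) {
            assertBrSubjectAltName(x500Name2, values);
        }
        return values;
    }

    /**
     * Validates the subjectAltName entries of an end-entity certificate in the {@code CABForumBR}
     * domain and checks that the subject's common name, if any, appears among them.
     *
     * <p>dNSName entries must not contain an underscore and must pass
     * {@link ExtensionSpec#isValidPublicDomain(String)}. iPAddress entries must be 4 octets (IPv4)
     * or 16 octets (IPv6). An IPv6 common name is only recognised when it is written with all
     * eight groups separated by seven colons.
     */
    private static void assertBrSubjectAltName(X500Name subject, ExtensionValues values) throws BadCertTemplateException {
        String commonName = X509Util.getCommonName(subject);
        // No common name means there is nothing to match.
        boolean commonNameInSan = commonName == null;

        ExtensionValue sanValue = values.getExtensionValue(Extension.subjectAlternativeName);
        if (sanValue == null) {
            // Reject the template instead of failing with a NullPointerException below.
            throw new BadCertTemplateException("missing extension:SubjectAlternativeNames");
        }

        for (GeneralName generalName : GeneralNames.getInstance(sanValue.getValue()).getNames()) {
            int tag = generalName.getTagNo();
            if (tag == GeneralName.dNSName) {
                String dnsName = ASN1IA5String.getInstance(generalName.getName()).getString();
                if (!commonNameInSan && dnsName.equals(commonName)) {
                    commonNameInSan = true;
                }
                if (dnsName.indexOf('_') != -1 || !ExtensionSpec.isValidPublicDomain(dnsName)) {
                    throw new BadCertTemplateException("invalid DNSName " + dnsName);
                }
            } else if (tag == GeneralName.iPAddress) {
                byte[] octets = DEROctetString.getInstance(generalName.getName()).getOctets();
                if (octets.length == 4) {
                    if (!commonNameInSan) {
                        String ipv4Text = (255 & octets[0]) + "." + (255 & octets[1]) + "." + (255 & octets[2]) + "." + (255 & octets[3]);
                        if (ipv4Text.equals(commonName)) {
                            commonNameInSan = true;
                        }
                    }
                } else if (octets.length == 16) {
                    // An IPv6 iPAddress is 16 octets (RFC 5280, section 4.2.1.6). Accepting 8 here
                    // would reject every real IPv6 entry and admit malformed ones.
                    if (!commonNameInSan) {
                        byte[] commonNameOctets = parseUncompressedIpv6(commonName);
                        if (commonNameOctets != null && Arrays.equals(commonNameOctets, octets)) {
                            commonNameInSan = true;
                        }
                    }
                } else {
                    throw new BadCertTemplateException("invalid IP address " + Hex.toHexString(octets));
                }
            }
        }

        if (!commonNameInSan) {
            throw new BadCertTemplateException("content of subject:commonName is not included in extension:SubjectAlternativeNames");
        }
    }

    /**
     * Converts a common name written as eight colon-separated hexadecimal groups into 16 octets.
     *
     * @return the octets, or null if the text does not contain exactly seven colons
     * @throws BadCertTemplateException if a group is longer than four characters or contains a
     *     character that is not a hexadecimal digit
     */
    private static byte[] parseUncompressedIpv6(String commonName) throws BadCertTemplateException {
        String[] groups = commonName.split(":", -1);
        if (groups.length != 8) {
            return null;
        }
        byte[] octets = new byte[16];
        for (int i = 0; i < 8; i++) {
            String group = groups[i];
            if (group.isEmpty()) {
                // An empty group is read as zero.
                continue;
            }
            if (group.length() > 4) {
                throw new BadCertTemplateException("invalid IP address in commonName " + commonName);
            }
            int value = 0;
            for (int j = 0; j < group.length(); j++) {
                char c = group.charAt(j);
                boolean isHex = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
                if (!isHex) {
                    // The common name comes from the request; an unparsable group must produce a
                    // template error, not an unchecked NumberFormatException.
                    throw new BadCertTemplateException("invalid IP address in commonName " + commonName);
                }
                value = (value << 4) | Character.digit(c, 16);
            }
            octets[i * 2] = (byte) (value >>> 8);
            octets[(i * 2) + 1] = (byte) value;
        }
        return octets;
    }

    /**
     * Verifies that every URI starts with one of the allowed protocols followed by a colon. The
     * comparison is case-sensitive. Nothing is checked when either argument is null.
     *
     * @throws CertprofileException if a URI matches none of the protocols
     */
    private static void assertAllUrisHasProtocol(List<String> list, Set<String> set) throws CertprofileException {
        if (set == null || list == null) {
            return;
        }
        for (String uri : list) {
            boolean allowed = false;
            for (String protocol : set) {
                if (uri.startsWith(protocol + ":")) {
                    allowed = true;
                    break;
                }
            }
            if (!allowed) {
                throw new CertprofileException("URL '" + uri + "' does not have any of protocols " + set);
            }
        }
    }

    /** Delegates to {@link Certprofile#getCertLevel()}. */
    public Certprofile.CertLevel getCertLevel() {
        return this.certprofile.getCertLevel();
    }

    /** Delegates to {@link Certprofile#getKeypairGenControl()}. */
    public KeypairGenControl getKeypairGenControl() {
        return this.certprofile.getKeypairGenControl();
    }

    /** Delegates to {@link Certprofile#getSerialNumberMode()}. */
    public String getSerialNumberMode() {
        return this.certprofile.getSerialNumberMode();
    }

    /** Delegates to the wrapped profile's {@code generateSerialNumber} with the arguments unchanged. */
    public BigInteger generateSerialNumber(X500Name x500Name, SubjectPublicKeyInfo subjectPublicKeyInfo, X500Name x500Name2, SubjectPublicKeyInfo subjectPublicKeyInfo2, ConfPairs confPairs) throws CertprofileException {
        return this.certprofile.generateSerialNumber(x500Name, subjectPublicKeyInfo, x500Name2, subjectPublicKeyInfo2, confPairs);
    }

    /**
     * Delegates to the wrapped profile's {@code checkPublicKey}.
     *
     * @param subjectPublicKeyInfo public key to check; must not be null
     */
    public SubjectPublicKeyInfo checkPublicKey(SubjectPublicKeyInfo subjectPublicKeyInfo) throws CertprofileException, BadCertTemplateException {
        return this.certprofile.checkPublicKey((SubjectPublicKeyInfo) Args.notNull(subjectPublicKeyInfo, "publicKey"));
    }

    /** Delegates to the wrapped profile's {@code getSubjectKeyIdentifier}. */
    public SubjectKeyIdentifier getSubjectKeyIdentifier(SubjectPublicKeyInfo subjectPublicKeyInfo) throws CertprofileException {
        return this.certprofile.getSubjectKeyIdentifier(subjectPublicKeyInfo);
    }

    /** Closes the wrapped profile. */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.certprofile != null) {
            this.certprofile.close();
        }
    }

    /** Delegates to {@link Certprofile#getExtensionControls()}. */
    public Map<ASN1ObjectIdentifier, Certprofile.ExtensionControl> getExtensionControls() {
        return this.certprofile.getExtensionControls();
    }

    /** Delegates to {@link Certprofile#getPathLenBasicConstraint()}. */
    public Integer getPathLenBasicConstraint() {
        return this.certprofile.getPathLenBasicConstraint();
    }

    /** Delegates to {@link Certprofile#getMaxCertSize()}. */
    public int getMaxCertSize() {
        return this.certprofile.getMaxCertSize();
    }
}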
