package org.xipki.ca.server.impl;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.x509.extension.X509ExtensionUtil;
import org.xipki.ca.api.OperationException;
import org.xipki.ca.server.mgmt.api.x509.CrlControl;
import org.xipki.ca.server.mgmt.api.x509.X509CrlSignerEntry;
import org.xipki.common.InvalidConfException;
import org.xipki.common.ObjectCreationException;
import org.xipki.common.util.ParamUtil;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.KeyUsage;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignerConf;
import org.xipki.security.exception.XiSecurityException;
import org.xipki.security.util.X509Util;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/xipki/ca/server/impl/X509CrlSignerEntryWrapper.class */
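public class X509CrlSignerEntryWrapper {
    /** Persisted CRL signer configuration; set via {@link #setDbEntry}. */
    private X509CrlSignerEntry dbEntry;
    /** Parsed form of {@code dbEntry.crlControl()}. */
    private CrlControl crlControl;
    /** Lazily created signer; stays {@code null} for entries of type "CA" (the CA signs itself). */
    private ConcurrentContentSigner signer;
    /** Raw SubjectKeyIdentifier octets of the signer certificate; only set once all checks in initSigner passed. */
    private byte[] subjectKeyIdentifier;

    /**
     * Binds the database entry to this wrapper and parses its CRL control string.
     *
     * @param x509CrlSignerEntry the persisted signer entry (must not be {@code null})
     * @throws InvalidConfException if the entry's CRL control string cannot be parsed
     */
    public void setDbEntry(X509CrlSignerEntry x509CrlSignerEntry) throws InvalidConfException {
        this.dbEntry = x509CrlSignerEntry;
        this.crlControl = new CrlControl(x509CrlSignerEntry.crlControl());
    }

    /**
     * @return the parsed CRL control, or {@code null} before {@link #setDbEntry} was called
     */
    public CrlControl crlControl() {
        return this.crlControl;
    }

    /**
     * Creates and validates the CRL signer from the bound database entry.
     *
     * <p>The signer, its SubjectKeyIdentifier and the entry's "not faulty" flag are only
     * published after every check (certificate present, SubjectKeyIdentifier extension
     * present and parseable, key usage cRLSign set) has passed. A failed attempt therefore
     * leaves {@link #signer()} at {@code null}, so a later call retries instead of silently
     * reusing a signer that never passed validation.
     *
     * @param securityFactory factory used to build the signer (must not be {@code null})
     * @throws XiSecurityException if no entry is bound, the signer cannot be created, or the
     *         created signer carries no certificate
     * @throws OperationException with {@code INVALID_EXTENSION} if the SubjectKeyIdentifier
     *         extension is missing or malformed, or {@code SYSTEM_FAILURE} if the certificate
     *         lacks the cRLSign key usage
     * @throws InvalidConfException if the signer configuration is invalid
     */
    public void initSigner(SecurityFactory securityFactory) throws XiSecurityException, OperationException, InvalidConfException {
        ParamUtil.requireNonNull("securityFactory", securityFactory);
        if (this.signer != null) {
            return; // already created and validated
        }
        if (this.dbEntry == null) {
            throw new XiSecurityException("dbEntry is null");
        }
        if ("CA".equals(this.dbEntry.type())) {
            // The CA key signs the CRL itself; no dedicated signer exists for this entry.
            return;
        }
        // Assume the configuration is faulty until every check below has passed.
        this.dbEntry.setConfFaulty(true);

        ConcurrentContentSigner newSigner;
        try {
            newSigner = securityFactory.createSigner(this.dbEntry.type(), new SignerConf(this.dbEntry.conf()), this.dbEntry.certificate());
        } catch (ObjectCreationException e) {
            // Keep the cause: the original message ("signer without certificate") described a different failure.
            throw new XiSecurityException("could not create CRL signer: " + e.getMessage(), e);
        }

        X509Certificate certificate = newSigner.getCertificate();
        if (certificate == null) {
            throw new XiSecurityException("signer without certificate is not allowed");
        }
        if (this.dbEntry.base64Cert() == null) {
            this.dbEntry.setCertificate(certificate);
        }

        byte[] extensionValue = certificate.getExtensionValue(Extension.subjectKeyIdentifier.getId());
        if (extensionValue == null) {
            throw new OperationException(OperationException.ErrorCode.INVALID_EXTENSION, "CA certificate does not have required extension SubjectKeyIdentifier");
        }

        byte[] ski;
        try {
            ski = X509ExtensionUtil.fromExtensionValue(extensionValue).getOctets();
            if (!X509Util.hasKeyusage(certificate, KeyUsage.cRLSign)) {
                throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, "CRL signer does not have keyusage cRLSign");
            }
        } catch (IOException e) {
            throw new OperationException(OperationException.ErrorCode.INVALID_EXTENSION, e);
        }

        // Publish state only now: a signer that failed validation must never become visible.
        this.subjectKeyIdentifier = ski;
        this.signer = newSigner;
        this.dbEntry.setConfFaulty(false);
    }

    /**
     * @return the bound database entry, or {@code null} before {@link #setDbEntry} was called
     */
    public X509CrlSignerEntry dbEntry() {
        return this.dbEntry;
    }

    /**
     * Returns the certificate of the CRL signer: the signer's own certificate once
     * {@link #initSigner} succeeded, otherwise the certificate stored in the database entry
     * (e.g. for entries of type "CA"). Throws {@code NullPointerException} if neither a signer
     * nor a database entry is present.
     *
     * @return the signing certificate
     */
    public X509Certificate cert() {
        return this.signer == null ? this.dbEntry.certificate() : this.signer.getCertificate();
    }

    /**
     * @return a defensive copy of the signer certificate's SubjectKeyIdentifier octets, or
     *         {@code null} if {@link #initSigner} has not completed successfully
     */
    public byte[] subjectKeyIdentifier() {
        if (this.subjectKeyIdentifier == null) {
            return null;
        }
        return Arrays.copyOf(this.subjectKeyIdentifier, this.subjectKeyIdentifier.length);
    }

    /**
     * @return the validated signer, or {@code null} if {@link #initSigner} has not completed
     *         successfully or the entry is of type "CA"
     */
    public ConcurrentContentSigner signer() {
        return this.signer;
    }
}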
