package org.xipki.ca.server.impl;

import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.xipki.ca.api.BadCertTemplateException;
import org.xipki.ca.api.BadFormatException;
import org.xipki.ca.api.EnvParameterResolver;
import org.xipki.ca.api.NameId;
import org.xipki.ca.api.profile.CertValidity;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.api.profile.ExtensionControl;
import org.xipki.ca.api.profile.ExtensionValue;
import org.xipki.ca.api.profile.ExtensionValues;
import org.xipki.ca.api.profile.GeneralNameMode;
import org.xipki.ca.api.profile.x509.AuthorityInfoAccessControl;
import org.xipki.ca.api.profile.x509.ExtKeyUsageControl;
import org.xipki.ca.api.profile.x509.KeyUsageControl;
import org.xipki.ca.api.profile.x509.SpecialX509CertprofileBehavior;
import org.xipki.ca.api.profile.x509.SubjectDnSpec;
import org.xipki.ca.api.profile.x509.SubjectInfo;
import org.xipki.ca.api.profile.x509.X509CertLevel;
import org.xipki.ca.api.profile.x509.X509CertVersion;
import org.xipki.ca.api.profile.x509.X509Certprofile;
import org.xipki.ca.api.profile.x509.X509CertprofileUtil;
import org.xipki.ca.server.impl.util.CaUtil;
import org.xipki.ca.server.mgmt.api.CertprofileEntry;
import org.xipki.common.util.CollectionUtil;
import org.xipki.common.util.ParamUtil;
import org.xipki.security.ExtensionExistence;
import org.xipki.security.HashAlgoType;
import org.xipki.security.KeyUsage;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.util.X509Util;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/xipki/ca/server/impl/IdentifiedX509Certprofile.class */
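/**
 * Pairs a stored profile entry ({@link CertprofileEntry}) with its {@link X509Certprofile}
 * implementation and adds the CA-side checks that do not depend on a particular profile:
 * country-code validation of the granted subject, assembly of the certificate extensions for an
 * issuance, and a self-consistency check of the profile ({@link #validate()}).
 *
 * <p>Most accessors simply delegate to the wrapped profile.
 */
public class IdentifiedX509Certprofile {
    /** Extension types that {@link #validate()} requires to be marked critical in any profile. */
    private static final Set<ASN1ObjectIdentifier> CRITICAL_ONLY_EXTENSION_TYPES = immutableSetOf(
            Extension.keyUsage,
            Extension.policyMappings,
            Extension.nameConstraints,
            Extension.policyConstraints,
            Extension.inhibitAnyPolicy,
            ObjectIdentifiers.id_pe_tlsfeature);

    /** Extension types that {@link #validate()} requires to be marked critical in CA profiles. */
    private static final Set<ASN1ObjectIdentifier> CA_CRITICAL_ONLY_EXTENSION_TYPES = immutableSetOf(
            Extension.basicConstraints);

    /** Extension types that {@link #validate()} rejects when they are marked critical. */
    private static final Set<ASN1ObjectIdentifier> NONCRITICAL_ONLY_EXTENSION_TYPES = immutableSetOf(
            Extension.authorityKeyIdentifier,
            Extension.subjectKeyIdentifier,
            Extension.issuerAlternativeName,
            Extension.subjectDirectoryAttributes,
            Extension.freshestCRL,
            Extension.authorityInfoAccess,
            Extension.subjectInfoAccess);

    /** Extension types that {@link #validate()} rejects in a non-CA (end-entity) profile. */
    private static final Set<ASN1ObjectIdentifier> CA_ONLY_EXTENSION_TYPES = immutableSetOf(
            Extension.policyMappings,
            Extension.nameConstraints,
            Extension.policyConstraints,
            Extension.inhibitAnyPolicy);

    /**
     * Extension types whose control must not have {@code isRequest()} set, i.e. whose content
     * must never be taken from the certificate request.
     */
    private static final Set<ASN1ObjectIdentifier> NONE_REQUEST_EXTENSION_TYPES = immutableSetOf(
            Extension.subjectKeyIdentifier,
            Extension.authorityKeyIdentifier,
            Extension.issuerAlternativeName,
            Extension.cRLDistributionPoints,
            Extension.freshestCRL,
            Extension.basicConstraints,
            Extension.inhibitAnyPolicy);

    /** Extension types a CA profile must declare as required. */
    private static final Set<ASN1ObjectIdentifier> REQUIRED_CA_EXTENSION_TYPES = immutableSetOf(
            Extension.basicConstraints,
            Extension.subjectKeyIdentifier,
            Extension.keyUsage);

    /** Extension types an end-entity profile must declare as required. */
    private static final Set<ASN1ObjectIdentifier> REQUIRED_EE_EXTENSION_TYPES = immutableSetOf(
            Extension.authorityKeyIdentifier,
            Extension.subjectKeyIdentifier);

    private final CertprofileEntry dbEntry;
    private final X509Certprofile certprofile;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Wraps and initializes the given profile with the configuration stored in the entry.
     *
     * <p>For profiles with the {@code gematik_gSMC_K} special behavior the profile parameter
     * {@code maxLifetime} must be present and parse to an integer of at least 1.
     *
     * @param certprofileEntry stored profile entry; its {@code conf()} is passed to
     *     {@code initialize}
     * @param x509Certprofile profile implementation to wrap
     * @throws CertprofileException if initialization fails or {@code maxLifetime} is missing or
     *     invalid
     */
    public IdentifiedX509Certprofile(CertprofileEntry certprofileEntry, X509Certprofile x509Certprofile) throws CertprofileException {
        this.dbEntry = (CertprofileEntry) ParamUtil.requireNonNull("entry", certprofileEntry);
        this.certprofile = (X509Certprofile) ParamUtil.requireNonNull("certProfile", x509Certprofile);
        this.certprofile.initialize(certprofileEntry.conf());
        if (x509Certprofile.specialCertprofileBehavior() != SpecialX509CertprofileBehavior.gematik_gSMC_K) {
            return;
        }
        String parameter = x509Certprofile.parameter("maxLifetime");
        if (parameter == null) {
            throw new CertprofileException("parameter maxLifetime is not defined");
        }
        String maxLifetime = parameter.trim();
        int parsed;
        try {
            parsed = Integer.parseInt(maxLifetime);
        } catch (NumberFormatException e) {
            throw new CertprofileException("invalid maxLifetime: " + maxLifetime);
        }
        if (parsed < 1) {
            throw new CertprofileException("invalid maxLifetime: " + maxLifetime);
        }
    }

    /** Returns the identifier of the stored profile entry. */
    public NameId ident() {
        return this.dbEntry.ident();
    }

    /** Returns the stored profile entry this object was built from. */
    public CertprofileEntry dbEntry() {
        return this.dbEntry;
    }

    /** Returns the certificate version reported by the wrapped profile. */
    public X509CertVersion version() {
        return this.certprofile.version();
    }

    /** Returns the signature algorithms reported by the wrapped profile. */
    public List<String> signatureAlgorithms() {
        return this.certprofile.signatureAlgorithms();
    }

    /** Returns the special behavior reported by the wrapped profile. */
    public SpecialX509CertprofileBehavior specialCertprofileBehavior() {
        return this.certprofile.specialCertprofileBehavior();
    }

    /** Hands the environment-parameter resolver to the wrapped profile. */
    public void setEnvParameterResolver(EnvParameterResolver envParameterResolver) {
        if (this.certprofile != null) {
            this.certprofile.setEnvParameterResolver(envParameterResolver);
        }
    }

    /** Returns the notBefore value the wrapped profile computes for the given date. */
    public Date notBefore(Date date) {
        return this.certprofile.getNotBefore(date);
    }

    /** Returns the validity reported by the wrapped profile. */
    public CertValidity validity() {
        return this.certprofile.validity();
    }

    /** Delegates to the wrapped profile's {@code hasMidnightNotBefore()}. */
    public boolean hasMidnightNotBefore() {
        return this.certprofile.hasMidnightNotBefore();
    }

    /** Returns the time zone reported by the wrapped profile. */
    public TimeZone timezone() {
        return this.certprofile.timezone();
    }

    /**
     * Lets the wrapped profile derive the subject and then checks every country (C) RDN of the
     * granted subject against {@link SubjectDnSpec#isValidCountryAreaCode}.
     *
     * @param x500Name subject passed to the wrapped profile
     * @return the subject information produced by the wrapped profile
     * @throws CertprofileException propagated from the wrapped profile
     * @throws BadCertTemplateException if a country RDN holds an invalid country/area code, or
     *     propagated from the wrapped profile
     */
    public SubjectInfo getSubject(X500Name x500Name) throws CertprofileException, BadCertTemplateException {
        SubjectInfo subject = this.certprofile.getSubject(x500Name);
        RDN[] countryRdns = subject.grantedSubject().getRDNs(ObjectIdentifiers.DN_C);
        if (countryRdns == null) {
            return subject;
        }
        for (RDN countryRdn : countryRdns) {
            String countryCode = IETFUtils.valueToString(countryRdn.getFirst().getValue());
            if (!SubjectDnSpec.isValidCountryAreaCode(countryCode)) {
                throw new BadCertTemplateException("invalid country/area code '" + countryCode + "'");
            }
        }
        return subject;
    }

    /**
     * Builds the extensions of a certificate to be issued under this profile.
     *
     * <p>An extension is considered only if the profile has a control for it, and is added only
     * when that control is required or the request named the type in its need/want list
     * ({@code id_xipki_ext_cmpRequestExtensions}). The well-known extensions are built here from
     * CA data and profile settings; every remaining controlled type is taken from the request
     * (only when its control has {@code isRequest()} set) or else from the wrapped profile.
     *
     * <p>Review notes:
     * <ul>
     *   <li>For the remaining types the requested value <em>and its criticality flag</em> are
     *       copied as sent and take precedence over the profile's own value; this method does
     *       not inspect the content. The profile's {@code isRequest()} flag is therefore the
     *       only gate visible here, so it should be set sparingly.</li>
     *   <li>authorityInfoAccess, cRLDistributionPoints and freshestCRL are skipped without an
     *       error when the CA has no matching URIs, even if the control is marked required.</li>
     * </ul>
     *
     * @param x500Name passed through to the wrapped profile (presumably the requested subject;
     *     confirm against {@code X509Certprofile.getExtensions})
     * @param x500Name2 passed through to the wrapped profile (presumably the granted subject;
     *     confirm against {@code X509Certprofile.getExtensions})
     * @param extensions extensions of the certificate request, may be {@code null}
     * @param subjectPublicKeyInfo public key to certify, used for the subject key identifier
     * @param publicCaInfo public data of the issuing CA
     * @param x509Certificate certificate whose subject is handed to the CRL distribution point
     *     builder, may be {@code null} (presumably a separate CRL signer; confirm with caller)
     * @param date passed through to the wrapped profile (presumably notBefore; confirm)
     * @param date2 passed through to the wrapped profile (presumably notAfter; confirm)
     * @return the extensions to place in the certificate
     * @throws CertprofileException if a required extension has no value
     * @throws BadCertTemplateException if the request needs an extension that the profile does
     *     not control or that could not be added
     */
    public ExtensionValues getExtensions(X500Name x500Name, X500Name x500Name2, Extensions extensions, SubjectPublicKeyInfo subjectPublicKeyInfo, PublicCaInfo publicCaInfo, X509Certificate x509Certificate, Date date, Date date2) throws CertprofileException, BadCertTemplateException {
        ParamUtil.requireNonNull("publicKeyInfo", subjectPublicKeyInfo);
        ExtensionValues values = new ExtensionValues();
        // Working copy: each control is removed as soon as its extension type has been handled.
        Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(this.certprofile.extensionControls());
        Set<ASN1ObjectIdentifier> neededExtTypes = new HashSet<>();
        Set<ASN1ObjectIdentifier> wantedExtTypes = new HashSet<>();
        if (extensions != null) {
            Extension reqExtension = extensions.getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions);
            if (reqExtension != null) {
                ExtensionExistence existence = ExtensionExistence.getInstance(reqExtension.getParsedValue());
                neededExtTypes.addAll(existence.needExtensions());
                wantedExtTypes.addAll(existence.wantExtensions());
            }
            for (ASN1ObjectIdentifier needed : neededExtTypes) {
                // "need" wins over "want" when a type is listed in both.
                wantedExtTypes.remove(needed);
                if (!controls.containsKey(needed)) {
                    throw new BadCertTemplateException("could not add needed extension " + needed.getId());
                }
            }
        }

        // The (ASN1Encodable) casts below select the addExtension overload that applies the
        // criticality configured in the profile control.

        // subjectKeyIdentifier: SHA-1 over the subjectPublicKey bit string. The digest is used
        // as a lookup identifier (RFC 5280, 4.2.1.2 method 1), not as an integrity control.
        ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier;
        ExtensionControl extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
            byte[] keyId = HashAlgoType.SHA1.hash(subjectPublicKeyInfo.getPublicKeyData().getBytes());
            addExtension(values, extType, (ASN1Encodable) new SubjectKeyIdentifier(keyId), extControl, neededExtTypes, wantedExtTypes);
        }

        // authorityKeyIdentifier: only available when the CA certificate carries a key identifier.
        extType = Extension.authorityKeyIdentifier;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
            byte[] caKeyId = publicCaInfo.subjectKeyIdentifer();
            AuthorityKeyIdentifier aki = null;
            if (caKeyId != null) {
                if (this.certprofile.includeIssuerAndSerialInAki()) {
                    GeneralNames caName = new GeneralNames(new GeneralName(publicCaInfo.x500Subject()));
                    aki = new AuthorityKeyIdentifier(caKeyId, caName, publicCaInfo.serialNumber());
                } else {
                    aki = new AuthorityKeyIdentifier(caKeyId);
                }
            }
            addExtension(values, extType, (ASN1Encodable) aki, extControl, neededExtTypes, wantedExtTypes);
        }

        // issuerAlternativeName: copied from the CA's subjectAltName.
        extType = Extension.issuerAlternativeName;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
            addExtension(values, extType, (ASN1Encodable) publicCaInfo.subjectAltName(), extControl, neededExtTypes, wantedExtTypes);
        }

        // authorityInfoAccess: without an AIA control both caIssuers and OCSP URIs are included.
        extType = Extension.authorityInfoAccess;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
            AuthorityInfoAccessControl aiaControl = this.certprofile.aiaControl();
            List<String> caIssuerUris = (aiaControl == null || aiaControl.includesCaIssuers()) ? publicCaInfo.caCertUris() : null;
            List<String> ocspUris = (aiaControl == null || aiaControl.includesOcsp()) ? publicCaInfo.ocspUris() : null;
            // NOTE(review): with no URIs at all the extension is skipped silently, even when required.
            if (CollectionUtil.isNonEmpty(caIssuerUris) || CollectionUtil.isNonEmpty(ocspUris)) {
                addExtension(values, extType, (ASN1Encodable) CaUtil.createAuthorityInformationAccess(caIssuerUris, ocspUris), extControl, neededExtTypes, wantedExtTypes);
            }
        }

        // cRLDistributionPoints / freshestCRL share the issuer names, so they are built together.
        if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
            X500Name crlSignerSubject = x509Certificate == null ? null : X500Name.getInstance(x509Certificate.getSubjectX500Principal().getEncoded());
            X500Name caSubject = publicCaInfo.x500Subject();

            // NOTE(review): both are skipped silently when the CA has no URIs, even when required.
            extType = Extension.cRLDistributionPoints;
            extControl = controls.remove(extType);
            if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes) && CollectionUtil.isNonEmpty(publicCaInfo.crlUris())) {
                addExtension(values, extType, (ASN1Encodable) CaUtil.createCrlDistributionPoints(publicCaInfo.crlUris(), caSubject, crlSignerSubject), extControl, neededExtTypes, wantedExtTypes);
            }

            extType = Extension.freshestCRL;
            extControl = controls.remove(extType);
            if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes) && CollectionUtil.isNonEmpty(publicCaInfo.deltaCrlUris())) {
                addExtension(values, extType, (ASN1Encodable) CaUtil.createCrlDistributionPoints(publicCaInfo.deltaCrlUris(), caSubject, crlSignerSubject), extControl, neededExtTypes, wantedExtTypes);
            }
        }

        // basicConstraints: derived from the profile's certificate level and path length only.
        extType = Extension.basicConstraints;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
            addExtension(values, extType, (ASN1Encodable) CaUtil.createBasicConstraints(this.certprofile.certLevel(), this.certprofile.pathLenBasicConstraint()), extControl, neededExtTypes, wantedExtTypes);
        }

        // keyUsage: required usages always; requested usages only if the profile lists them.
        extType = Extension.keyUsage;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
            Set<KeyUsage> grantedUsages = new HashSet<>();
            Set<KeyUsageControl> usageControls = this.certprofile.keyUsage();
            for (KeyUsageControl usageControl : usageControls) {
                if (usageControl.isRequired()) {
                    grantedUsages.add(usageControl.keyUsage());
                }
            }
            if (extensions != null && extControl.isRequest()) {
                addRequestedKeyusage(grantedUsages, extensions, usageControls);
            }
            addExtension(values, extType, (ASN1Encodable) X509Util.createKeyUsage(grantedUsages), extControl, neededExtTypes, wantedExtTypes);
        }

        // extendedKeyUsage: same rule as keyUsage.
        extType = Extension.extendedKeyUsage;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
            List<ASN1ObjectIdentifier> grantedPurposes = new LinkedList<>();
            Set<ExtKeyUsageControl> purposeControls = this.certprofile.extendedKeyUsages();
            for (ExtKeyUsageControl purposeControl : purposeControls) {
                if (purposeControl.isRequired()) {
                    grantedPurposes.add(purposeControl.extKeyUsage());
                }
            }
            if (extensions != null && extControl.isRequest()) {
                addRequestedExtKeyusage(grantedPurposes, extensions, purposeControls);
            }
            // RFC 5280, 4.2.1.12: the extension should not be critical when it carries
            // anyExtendedKeyUsage, so the criticality is dropped for this certificate.
            if (extControl.isCritical() && grantedPurposes.contains(ObjectIdentifiers.id_anyExtendedKeyUsage)) {
                extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest());
            }
            addExtension(values, extType, (ASN1Encodable) X509Util.createExtendedUsage(grantedPurposes), extControl, neededExtTypes, wantedExtTypes);
        }

        // id-pkix-ocsp-nocheck: the value is an ASN.1 NULL.
        extType = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
            addExtension(values, extType, (ASN1Encodable) DERNull.INSTANCE, extControl, neededExtTypes, wantedExtTypes);
        }

        // subjectInfoAccess: taken from the request, filtered by the access methods the profile allows.
        extType = Extension.subjectInfoAccess;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
            ASN1Sequence subjectInfoAccess = null;
            if (extensions != null && extControl.isRequest()) {
                subjectInfoAccess = createSubjectInfoAccess(extensions, this.certprofile.subjectInfoAccessModes());
            }
            addExtension(values, extType, (ASN1Encodable) subjectInfoAccess, extControl, neededExtTypes, wantedExtTypes);
        }

        // Everything still controlled: request value first (if permitted), profile value otherwise.
        ExtensionValues profileValues = this.certprofile.getExtensions(Collections.unmodifiableMap(controls), x500Name, x500Name2, extensions, date, date2);
        for (ASN1ObjectIdentifier type : new HashSet<>(controls.keySet())) {
            ExtensionControl control = controls.remove(type);
            if (!addMe(type, control, neededExtTypes, wantedExtTypes)) {
                continue;
            }
            ExtensionValue value = null;
            if (extensions != null && control.isRequest()) {
                Extension requested = extensions.getExtension(type);
                if (requested != null) {
                    // Criticality and content come from the request unchanged; see the method notes.
                    value = new ExtensionValue(requested.isCritical(), requested.getParsedValue());
                }
            }
            if (value == null) {
                value = profileValues.getExtensionValue(type);
            }
            addExtension(values, type, value, control, neededExtTypes, wantedExtTypes);
        }

        // NOTE(review): the loop above removes every remaining control, so the map is empty
        // here and this check cannot fire; missing required values are reported by addExtension.
        Set<ASN1ObjectIdentifier> unprocessedRequired = new HashSet<>();
        for (Map.Entry<ASN1ObjectIdentifier, ExtensionControl> entry : controls.entrySet()) {
            if (entry.getValue().isRequired()) {
                unprocessedRequired.add(entry.getKey());
            }
        }
        if (CollectionUtil.isNonEmpty(unprocessedRequired)) {
            throw new CertprofileException("could not add required extensions " + toString(unprocessedRequired));
        }
        // Types the request marked as needed are removed by addExtension once they are added.
        if (CollectionUtil.isNonEmpty(neededExtTypes)) {
            throw new BadCertTemplateException("could not add requested extensions " + toString(neededExtTypes));
        }
        return values;
    }

    /** Returns the certificate level reported by the wrapped profile. */
    public X509CertLevel certLevel() {
        return this.certprofile.certLevel();
    }

    /** Delegates to the wrapped profile's {@code isOnlyForRa()}. */
    public boolean isOnlyForRa() {
        return this.certprofile.isOnlyForRa();
    }

    /**
     * Lets the wrapped profile check the public key of a request.
     *
     * @param subjectPublicKeyInfo public key to check, must not be {@code null}
     * @return the public key information returned by the wrapped profile
     * @throws BadCertTemplateException propagated from the wrapped profile
     */
    public SubjectPublicKeyInfo checkPublicKey(SubjectPublicKeyInfo subjectPublicKeyInfo) throws BadCertTemplateException {
        ParamUtil.requireNonNull("publicKey", subjectPublicKeyInfo);
        return this.certprofile.checkPublicKey(subjectPublicKeyInfo);
    }

    /** Delegates to the wrapped profile's {@code incSerialNumberIfSubjectExists()}. */
    public boolean incSerialNumberIfSubjectExists() {
        return this.certprofile.incSerialNumberIfSubjectExists();
    }

    /** Shuts down the wrapped profile. */
    public void shutdown() {
        if (this.certprofile != null) {
            this.certprofile.shutdown();
        }
    }

    /** Delegates to the wrapped profile's {@code includeIssuerAndSerialInAki()}. */
    public boolean includeIssuerAndSerialInAki() {
        return this.certprofile.includeIssuerAndSerialInAki();
    }

    /** Delegates to the wrapped profile's {@code incSerialNumber(String)}. */
    public String incSerialNumber(String str) throws BadFormatException {
        return this.certprofile.incSerialNumber(str);
    }

    /** Delegates to the wrapped profile's {@code isDuplicateKeyPermitted()}. */
    public boolean isDuplicateKeyPermitted() {
        return this.certprofile.isDuplicateKeyPermitted();
    }

    /** Delegates to the wrapped profile's {@code isDuplicateSubjectPermitted()}. */
    public boolean isDuplicateSubjectPermitted() {
        return this.certprofile.isDuplicateSubjectPermitted();
    }

    /** Delegates to the wrapped profile's {@code isSerialNumberInReqPermitted()}. */
    public boolean isSerialNumberInReqPermitted() {
        return this.certprofile.isSerialNumberInReqPermitted();
    }

    /** Returns the value of the named parameter of the wrapped profile. */
    public String parameter(String str) {
        return this.certprofile.parameter(str);
    }

    /** Returns the extension controls of the wrapped profile. */
    public Map<ASN1ObjectIdentifier, ExtensionControl> extensionControls() {
        return this.certprofile.extensionControls();
    }

    /** Returns the key usage controls of the wrapped profile. */
    public Set<KeyUsageControl> keyUsage() {
        return this.certprofile.keyUsage();
    }

    /** Returns the basicConstraints path length of the wrapped profile. */
    public Integer pathLenBasicConstraint() {
        return this.certprofile.pathLenBasicConstraint();
    }

    /** Returns the extended key usage controls of the wrapped profile. */
    public Set<ExtKeyUsageControl> extendedKeyUsages() {
        return this.certprofile.extendedKeyUsages();
    }

    /** Returns the maximal certificate size reported by the wrapped profile. */
    public int maxCertSize() {
        return this.certprofile.maxCertSize();
    }

    /**
     * Checks the profile for settings that contradict each other or the fixed extension rules of
     * this class, collecting all findings into one exception message.
     *
     * <p>Checked: request-forbidden extensions marked as requestable, CA-only extensions in an
     * end-entity profile, wrong criticality, mandatory extensions not marked required, and key
     * usages that do not fit the certificate level (an end-entity profile must not offer
     * {@code keyCertSign} or {@code cRLSign}; a CA profile must offer {@code keyCertSign}).
     *
     * @throws CertprofileException if at least one finding exists
     */
    public void validate() throws CertprofileException {
        StringBuilder msg = new StringBuilder();
        Map<ASN1ObjectIdentifier, ExtensionControl> controls = extensionControls();
        Set<ASN1ObjectIdentifier> offending = new HashSet<>();

        // Extensions that must never be taken from the request.
        for (ASN1ObjectIdentifier type : NONE_REQUEST_EXTENSION_TYPES) {
            ExtensionControl control = controls.get(type);
            if (control != null && control.isRequest()) {
                offending.add(type);
            }
        }
        if (CollectionUtil.isNonEmpty(offending)) {
            msg.append("extensions ").append(toString(offending));
            msg.append(" must not be contained in request, ");
        }

        X509CertLevel level = certLevel();
        boolean ca = level == X509CertLevel.RootCA || level == X509CertLevel.SubCA;

        // CA-only extensions in an end-entity profile.
        offending.clear();
        if (!ca) {
            for (ASN1ObjectIdentifier type : CA_ONLY_EXTENSION_TYPES) {
                if (controls.containsKey(type)) {
                    offending.add(type);
                }
            }
            if (CollectionUtil.isNonEmpty(offending)) {
                msg.append("EE profile contains CA-only extensions ").append(toString(offending)).append(", ");
            }
        }

        // Extensions that must be critical but are not.
        offending.clear();
        for (Map.Entry<ASN1ObjectIdentifier, ExtensionControl> entry : controls.entrySet()) {
            ASN1ObjectIdentifier type = entry.getKey();
            boolean mustBeCritical = CRITICAL_ONLY_EXTENSION_TYPES.contains(type)
                    || (ca && CA_CRITICAL_ONLY_EXTENSION_TYPES.contains(type));
            if (mustBeCritical && !entry.getValue().isCritical()) {
                offending.add(type);
            }
        }
        if (CollectionUtil.isNonEmpty(offending)) {
            msg.append("critical only extensions are marked as non-critical ");
            msg.append(toString(offending)).append(", ");
        }

        // Extensions that must not be critical but are.
        offending.clear();
        for (Map.Entry<ASN1ObjectIdentifier, ExtensionControl> entry : controls.entrySet()) {
            if (NONCRITICAL_ONLY_EXTENSION_TYPES.contains(entry.getKey()) && entry.getValue().isCritical()) {
                offending.add(entry.getKey());
            }
        }
        if (CollectionUtil.isNonEmpty(offending)) {
            msg.append("non-critical extensions are marked as critical ").append(toString(offending));
            msg.append(", ");
        }

        // Mandatory extensions that are missing or not marked required.
        offending.clear();
        for (ASN1ObjectIdentifier type : ca ? REQUIRED_CA_EXTENSION_TYPES : REQUIRED_EE_EXTENSION_TYPES) {
            ExtensionControl control = controls.get(type);
            if (control == null || !control.isRequired()) {
                offending.add(type);
            }
        }
        if (level == X509CertLevel.SubCA) {
            // A subordinate CA additionally needs the authority key identifier.
            ExtensionControl akiControl = controls.get(Extension.authorityKeyIdentifier);
            if (akiControl == null || !akiControl.isRequired()) {
                offending.add(Extension.authorityKeyIdentifier);
            }
        }
        if (!offending.isEmpty()) {
            msg.append("required extensions are not marked as required ");
            msg.append(toString(offending)).append(", ");
        }

        // Key usages must fit the certificate level.
        Set<KeyUsageControl> usageControls = keyUsage();
        if (!ca) {
            KeyUsage[] caOnlyUsages = {KeyUsage.keyCertSign, KeyUsage.cRLSign};
            Set<KeyUsage> presentCaOnlyUsages = new HashSet<>();
            for (KeyUsage caOnlyUsage : caOnlyUsages) {
                if (containsKeyusage(usageControls, caOnlyUsage)) {
                    presentCaOnlyUsages.add(caOnlyUsage);
                }
            }
            // The finding depends on the CA-only usages found in this profile, not on the
            // extension set of the preceding check: an end-entity profile offering keyCertSign
            // or cRLSign must be rejected even if every other check passed.
            if (!presentCaOnlyUsages.isEmpty()) {
                msg.append("EE profile contains CA-only keyUsage ").append(presentCaOnlyUsages).append(", ");
            }
        } else if (!containsKeyusage(usageControls, KeyUsage.keyCertSign)) {
            msg.append("CA profile does not contain keyUsage ");
            msg.append(KeyUsage.keyCertSign).append(", ");
        }

        int length = msg.length();
        if (length > 2) {
            // Drop the trailing ", " separator before reporting.
            msg.delete(length - 2, length);
            throw new CertprofileException(msg.toString());
        }
    }

    /** Builds an unmodifiable set from the given extension types. */
    private static Set<ASN1ObjectIdentifier> immutableSetOf(ASN1ObjectIdentifier... oids) {
        Set<ASN1ObjectIdentifier> set = new HashSet<>();
        Collections.addAll(set, oids);
        return Collections.unmodifiableSet(set);
    }

    /**
     * Formats extension types for error messages as {@code [name (oid), oid, ...]}; types without
     * a known name are printed as the dotted OID only. Returns {@code "null"} for a null set.
     */
    private static String toString(Set<ASN1ObjectIdentifier> set) {
        if (set == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder("[");
        for (ASN1ObjectIdentifier oid : set) {
            String name = ObjectIdentifiers.getName(oid);
            if (name != null) {
                sb.append(name).append(" (").append(oid.getId()).append(")");
            } else {
                sb.append(oid.getId());
            }
            sb.append(", ");
        }
        if (!set.isEmpty()) {
            // Remove the separator appended after the last element.
            sb.setLength(sb.length() - 2);
        }
        return sb.append("]").toString();
    }

    /** Returns whether any of the given controls is for the given key usage. */
    private static boolean containsKeyusage(Set<KeyUsageControl> set, KeyUsage keyUsage) {
        for (KeyUsageControl control : set) {
            if (keyUsage == control.keyUsage()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decides whether an extension is to be added: its control is required, or the request listed
     * the type as needed ({@code set}) or wanted ({@code set2}).
     */
    private static boolean addMe(ASN1ObjectIdentifier aSN1ObjectIdentifier, ExtensionControl extensionControl, Set<ASN1ObjectIdentifier> set, Set<ASN1ObjectIdentifier> set2) {
        return extensionControl.isRequired() || set.contains(aSN1ObjectIdentifier) || set2.contains(aSN1ObjectIdentifier);
    }

    /**
     * Adds to {@code set} every key usage that the request asks for and that the profile lists as
     * optional. Usages the profile does not list are never granted.
     */
    private static void addRequestedKeyusage(Set<KeyUsage> set, Extensions extensions, Set<KeyUsageControl> set2) {
        Extension requested = extensions.getExtension(Extension.keyUsage);
        if (requested == null) {
            return;
        }
        org.bouncycastle.asn1.x509.KeyUsage requestedUsages = org.bouncycastle.asn1.x509.KeyUsage.getInstance(requested.getParsedValue());
        for (KeyUsageControl control : set2) {
            if (!control.isRequired() && requestedUsages.hasUsages(control.keyUsage().bcUsage())) {
                set.add(control.keyUsage());
            }
        }
    }

    /**
     * Adds to {@code list} every extended key usage that the request asks for and that the
     * profile lists as optional. Purposes the profile does not list are never granted.
     */
    private static void addRequestedExtKeyusage(List<ASN1ObjectIdentifier> list, Extensions extensions, Set<ExtKeyUsageControl> set) {
        Extension requested = extensions.getExtension(Extension.extendedKeyUsage);
        if (requested == null) {
            return;
        }
        ExtendedKeyUsage requestedPurposes = ExtendedKeyUsage.getInstance(requested.getParsedValue());
        for (ExtKeyUsageControl control : set) {
            if (!control.isRequired() && requestedPurposes.hasKeyPurposeId(KeyPurposeId.getInstance(control.extKeyUsage()))) {
                list.add(control.extKeyUsage());
            }
        }
    }

    /**
     * Rebuilds the requested subjectInfoAccess extension, accepting only access methods that are
     * keys of {@code map} and passing each access location through
     * {@link X509CertprofileUtil#createGeneralName} with the modes allowed for that method.
     *
     * @return the rebuilt sequence, or {@code null} if {@code map} is {@code null}, the request
     *     has no such extension, or the requested sequence is empty
     * @throws BadCertTemplateException if the request uses an access method that is not allowed
     */
    private static ASN1Sequence createSubjectInfoAccess(Extensions extensions, Map<ASN1ObjectIdentifier, Set<GeneralNameMode>> map) throws BadCertTemplateException {
        if (map == null) {
            return null;
        }
        ASN1Encodable requestedValue = extensions.getExtensionParsedValue(Extension.subjectInfoAccess);
        if (requestedValue == null) {
            return null;
        }
        ASN1Sequence requestedSeq = ASN1Sequence.getInstance(requestedValue);
        int size = requestedSeq.size();
        ASN1EncodableVector accepted = new ASN1EncodableVector();
        for (int i = 0; i < size; i++) {
            AccessDescription description = AccessDescription.getInstance(requestedSeq.getObjectAt(i));
            ASN1ObjectIdentifier accessMethod = description.getAccessMethod();
            Set<GeneralNameMode> allowedModes = map.get(accessMethod);
            if (allowedModes == null) {
                throw new BadCertTemplateException("subjectInfoAccess.accessMethod " + accessMethod.getId() + " is not allowed");
            }
            accepted.add(new AccessDescription(accessMethod, X509CertprofileUtil.createGeneralName(description.getAccessLocation(), allowedModes)));
        }
        return accepted.size() > 0 ? new DERSequence(accepted) : null;
    }

    /**
     * Adds a ready-made extension value (criticality included) and marks the type as served in
     * the need/want sets; a missing value is an error only for a required extension.
     *
     * @throws CertprofileException if the value is {@code null} and the control is required
     */
    private static void addExtension(ExtensionValues extensionValues, ASN1ObjectIdentifier aSN1ObjectIdentifier, ExtensionValue extensionValue, ExtensionControl extensionControl, Set<ASN1ObjectIdentifier> set, Set<ASN1ObjectIdentifier> set2) throws CertprofileException {
        if (extensionValue != null) {
            extensionValues.addExtension(aSN1ObjectIdentifier, extensionValue);
            set.remove(aSN1ObjectIdentifier);
            set2.remove(aSN1ObjectIdentifier);
            return;
        }
        if (extensionControl.isRequired()) {
            String name = ObjectIdentifiers.getName(aSN1ObjectIdentifier);
            if (name == null) {
                name = aSN1ObjectIdentifier.getId();
            }
            throw new CertprofileException("could not add required extension " + name);
        }
    }

    /**
     * Adds an extension content with the criticality configured in the profile control and marks
     * the type as served in the need/want sets; a missing content is an error only for a required
     * extension.
     *
     * @throws CertprofileException if the content is {@code null} and the control is required
     */
    private static void addExtension(ExtensionValues extensionValues, ASN1ObjectIdentifier aSN1ObjectIdentifier, ASN1Encodable aSN1Encodable, ExtensionControl extensionControl, Set<ASN1ObjectIdentifier> set, Set<ASN1ObjectIdentifier> set2) throws CertprofileException {
        if (aSN1Encodable != null) {
            extensionValues.addExtension(aSN1ObjectIdentifier, extensionControl.isCritical(), aSN1Encodable);
            set.remove(aSN1ObjectIdentifier);
            set2.remove(aSN1ObjectIdentifier);
            return;
        }
        if (extensionControl.isRequired()) {
            String name = ObjectIdentifiers.getName(aSN1ObjectIdentifier);
            if (name == null) {
                name = aSN1ObjectIdentifier.getId();
            }
            throw new CertprofileException("could not add required extension " + name);
        }
    }
}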
