package se.swedenconnect.ca.engine.revocation.crl.impl;

import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import org.bouncycastle.asn1.x509.CRLNumber;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.swedenconnect.ca.engine.ca.issuer.CertificateIssuer;
import se.swedenconnect.ca.engine.revocation.CertificateRevocationException;
import se.swedenconnect.ca.engine.revocation.crl.CRLIssuerModel;
import se.swedenconnect.ca.engine.revocation.crl.CRLRevocationDataProvider;
import se.swedenconnect.ca.engine.revocation.crl.RevokedCertificate;
import se.swedenconnect.ca.engine.utils.CAUtils;
import se.swedenconnect.security.credential.PkiCredential;

/* loaded from: input_file:se/swedenconnect/ca/engine/revocation/crl/impl/DefaultCRLIssuer.class */
/**
 * CRL issuer that assembles and signs an X.509 v2 CRL from the settings and revocation data
 * exposed by a {@link CRLIssuerModel}.
 *
 * <p>Each call to {@link #issueCRL()} reads the current revocation list and the next CRL number
 * from the model's {@link CRLRevocationDataProvider} and signs the result with the content signer
 * provided by the superclass.
 */
public class DefaultCRLIssuer extends AbstractCRLIssuer {
    private static final Logger log = LoggerFactory.getLogger(DefaultCRLIssuer.class);

    /** Configuration and revocation data source consulted on every CRL issuance. */
    protected final CRLIssuerModel crlIssuerModel;

    /**
     * Creates a CRL issuer.
     *
     * @param cRLIssuerModel model holding the issuer certificate, validity offsets, distribution point
     *     and revocation data provider; its algorithm is passed on to the superclass
     * @param pkiCredential credential handed to the superclass together with the model's algorithm
     * @throws NoSuchAlgorithmException declared by the superclass constructor
     */
    public DefaultCRLIssuer(CRLIssuerModel cRLIssuerModel, PkiCredential pkiCredential) throws NoSuchAlgorithmException {
        super(pkiCredential, cRLIssuerModel.getAlgorithm());
        this.crlIssuerModel = cRLIssuerModel;
    }

    /**
     * Builds and signs a new CRL.
     *
     * <p>The CRL carries a non-critical CRL number, a non-critical authority key identifier and a
     * critical issuing distribution point, followed by one entry per revoked certificate reported by
     * the revocation data provider.
     *
     * @return the signed CRL
     * @throws CertificateRevocationException if the CRL cannot be assembled or the content signer
     *     cannot be created
     */
    @Override
    public X509CRLHolder issueCRL() throws CertificateRevocationException {
        try {
            final X509Certificate issuerCertificate = CAUtils.getCert(this.crlIssuerModel.getIssuerCertificate());
            // thisUpdate and nextUpdate are both derived from the model's offsets.
            // NOTE(review): presumably relative to the current time - confirm in CertificateIssuer.getOffsetTime.
            final Date thisUpdate = CertificateIssuer.getOffsetTime(this.crlIssuerModel.getStartOffset());
            final Date nextUpdate = CertificateIssuer.getOffsetTime(this.crlIssuerModel.getExpiryOffset());
            final JcaX509v2CRLBuilder crlBuilder = new JcaX509v2CRLBuilder(issuerCertificate, thisUpdate);

            final CRLRevocationDataProvider revocationData = this.crlIssuerModel.getCRLRevocationDataProvider();
            // The revocation list is read before the CRL number is requested.
            final List<RevokedCertificate> revokedEntries = revocationData.getRevokedCertificates();

            // NOTE(review): the CRL number is requested before signing; whether a failed build
            // consumes that number depends on the provider implementation - verify.
            crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(revocationData.getNextCrlNumber()));
            crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, getAki());

            // Distribution point is expressed as a URI general name (tag 6).
            final GeneralName distributionPointUri =
                new GeneralName(GeneralName.uniformResourceIdentifier, this.crlIssuerModel.getDistributionPointUrl());
            final DistributionPointName distributionPoint =
                new DistributionPointName(new GeneralNames(distributionPointUri));
            final IssuingDistributionPoint issuingDistributionPoint = new IssuingDistributionPoint(
                distributionPoint,
                this.crlIssuerModel.isOnlyEECerts(),
                this.crlIssuerModel.isOnlyCACerts(),
                this.crlIssuerModel.getOnlySomeReasons(),
                this.crlIssuerModel.isIndirectCrl(),
                false); // onlyContainsAttributeCerts is never set
            // Marked critical so that relying parties must honour the scope restrictions
            // (or reject the CRL if they do not understand the extension).
            crlBuilder.addExtension(Extension.issuingDistributionPoint, true, issuingDistributionPoint);

            crlBuilder.setNextUpdate(nextUpdate);

            for (RevokedCertificate entry : revokedEntries) {
                crlBuilder.addCRLEntry(
                    entry.getCertificateSerialNumber(),
                    entry.getRevocationTime(),
                    entry.getReason());
            }

            return crlBuilder.build(getContentSigner());
        } catch (OperatorCreationException signerFailure) {
            log.error("Failed to create CRL content signer", signerFailure);
            throw new CertificateRevocationException("Failed to create CRL content signer", signerFailure);
        } catch (IOException | CertificateException buildFailure) {
            log.error("Failed to issue CRL", buildFailure);
            throw new CertificateRevocationException("Failed to issue CRL", buildFailure);
        }
    }
}
