package org.xipki.ca.server;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.serializer.SerializerFeature;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Closeable;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.SocketException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extensions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.audit.AuditLevel;
import org.xipki.audit.AuditStatus;
import org.xipki.audit.Audits;
import org.xipki.audit.PciAuditEvent;
import org.xipki.ca.api.CaUris;
import org.xipki.ca.api.CertificateInfo;
import org.xipki.ca.api.NameId;
import org.xipki.ca.api.OperationException;
import org.xipki.ca.api.RequestType;
import org.xipki.ca.api.mgmt.CaConf;
import org.xipki.ca.api.mgmt.CaConfType;
import org.xipki.ca.api.mgmt.CaManager;
import org.xipki.ca.api.mgmt.CaMgmtException;
import org.xipki.ca.api.mgmt.CaStatus;
import org.xipki.ca.api.mgmt.CaSystemStatus;
import org.xipki.ca.api.mgmt.CertListInfo;
import org.xipki.ca.api.mgmt.CertListOrderBy;
import org.xipki.ca.api.mgmt.CertWithRevocationInfo;
import org.xipki.ca.api.mgmt.CtlogControl;
import org.xipki.ca.api.mgmt.MgmtEntry;
import org.xipki.ca.api.mgmt.PermissionConstants;
import org.xipki.ca.api.mgmt.RequestorInfo;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.api.profile.CertprofileFactoryRegister;
import org.xipki.ca.api.publisher.CertPublisherException;
import org.xipki.ca.api.publisher.CertPublisherFactoryRegister;
import org.xipki.ca.server.CaAuditConstants;
import org.xipki.ca.server.CaManagerQueryExecutor;
import org.xipki.ca.server.SelfSignedCertBuilder;
import org.xipki.ca.server.cmp.CmpResponder;
import org.xipki.datasource.DataAccessException;
import org.xipki.datasource.DataSourceConf;
import org.xipki.datasource.DataSourceFactory;
import org.xipki.datasource.DataSourceWrapper;
import org.xipki.password.PasswordResolver;
import org.xipki.password.PasswordResolverException;
import org.xipki.security.CertRevocationInfo;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.CrlReason;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignerConf;
import org.xipki.security.X509Cert;
import org.xipki.security.XiSecurityException;
import org.xipki.security.util.AlgorithmUtil;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.Base64;
import org.xipki.util.CollectionUtil;
import org.xipki.util.ConfPairs;
import org.xipki.util.DateUtil;
import org.xipki.util.FileOrBinary;
import org.xipki.util.FileOrValue;
import org.xipki.util.InvalidConfException;
import org.xipki.util.IoUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.ObjectCreationException;
import org.xipki.util.StringUtil;
import org.xipki.util.http.SslContextConf;

/* loaded from: input_file:org/xipki/ca/server/CaManagerImpl.class */
public class CaManagerImpl implements CaManager, Closeable {
    private static final Logger LOG = LoggerFactory.getLogger(CaManagerImpl.class);
    private static final String EVENT_LOCK = "LOCK";
    private static final String EVENT_CACHAGNE = "CA_CHANGE";
    private final String lockInstanceId;
    private RequestorInfo byCaRequestor;
    private NameId byUserRequestorId;
    private boolean caLockedByMe;
    private boolean masterMode;
    private Map<String, FileOrValue> datasourceNameConfFileMap;
    private ScheduledThreadPoolExecutor persistentScheduledThreadPoolExecutor;
    private ScheduledThreadPoolExecutor scheduledThreadPoolExecutor;
    private final RestResponder restResponder;
    private CaServerConf caServerConf;
    private boolean caSystemSetuped;
    private boolean signerInitialized;
    private boolean requestorsInitialized;
    private boolean caAliasesInitialized;
    private boolean certprofilesInitialized;
    private boolean publishersInitialized;
    private boolean casInitialized;
    private Date lastStartTime;
    private CertprofileFactoryRegister certprofileFactoryRegister;
    private CertPublisherFactoryRegister certPublisherFactoryRegister;
    private DataSourceWrapper datasource;
    private CertStore certstore;
    private SecurityFactory securityFactory;
    private CaManagerQueryExecutor queryExecutor;
    private boolean initializing;
    private final CaIdNameMap idNameMap = new CaIdNameMap();
    private final Map<String, CaInfo> caInfos = new ConcurrentHashMap();
    private Map<String, SignerEntryWrapper> signers = new ConcurrentHashMap();
    private Map<String, MgmtEntry.Signer> signerDbEntries = new ConcurrentHashMap();
    private final Map<String, IdentifiedCertprofile> certprofiles = new ConcurrentHashMap();
    private final Map<String, MgmtEntry.Certprofile> certprofileDbEntries = new ConcurrentHashMap();
    private final Map<String, IdentifiedCertPublisher> publishers = new ConcurrentHashMap();
    private final Map<String, MgmtEntry.Publisher> publisherDbEntries = new ConcurrentHashMap();
    private final Map<String, RequestorEntryWrapper> requestors = new ConcurrentHashMap();
    private final Map<String, MgmtEntry.Requestor> requestorDbEntries = new ConcurrentHashMap();
    private final Map<String, Set<String>> caHasProfiles = new ConcurrentHashMap();
    private final Map<String, Set<String>> caHasPublishers = new ConcurrentHashMap();
    private final Map<String, Set<MgmtEntry.CaHasRequestor>> caHasRequestors = new ConcurrentHashMap();
    private final Map<String, Integer> caAliases = new ConcurrentHashMap();
    private final Map<String, CmpResponder> cmpResponders = new ConcurrentHashMap();
    private final Map<String, ScepResponder> scepResponders = new ConcurrentHashMap();
    private final Map<String, X509Ca> x509cas = new ConcurrentHashMap();
    private final DataSourceFactory datasourceFactory = new DataSourceFactory();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/xipki/ca/server/CaManagerImpl$CaRestarter.class */
    public class CaRestarter implements Runnable {
        private boolean inProcess;

        private CaRestarter() {
        }

        @Override // java.lang.Runnable
        public void run() {
            if (this.inProcess) {
                return;
            }
            this.inProcess = true;
            try {
                try {
                    CaManagerQueryExecutor.SystemEvent systemEvent = CaManagerImpl.this.queryExecutor.getSystemEvent(CaManagerImpl.EVENT_CACHAGNE);
                    long eventTime = systemEvent == null ? 0L : systemEvent.getEventTime();
                    CaManagerImpl.LOG.info("check the restart CA system event: changed at={}, lastStartTime={}", new Date(eventTime * 1000), CaManagerImpl.this.lastStartTime);
                    if (eventTime > CaManagerImpl.this.lastStartTime.getTime() / 1000) {
                        CaManagerImpl.LOG.info("received event to restart CA");
                        CaManagerImpl.this.restartCaSystem();
                    } else {
                        CaManagerImpl.LOG.debug("received no event to restart CA");
                    }
                    this.inProcess = false;
                } catch (Throwable th) {
                    LogUtil.error(CaManagerImpl.LOG, th, "ScheduledCaRestarter");
                    this.inProcess = false;
                }
            } catch (Throwable th2) {
                this.inProcess = false;
                throw th2;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/xipki/ca/server/CaManagerImpl$CertsInQueuePublisher.class */
    public class CertsInQueuePublisher implements Runnable {
        private boolean inProcess;

        private CertsInQueuePublisher() {
        }

        @Override // java.lang.Runnable
        public void run() {
            if (this.inProcess || !CaManagerImpl.this.caSystemSetuped) {
                return;
            }
            this.inProcess = true;
            try {
                try {
                    CaManagerImpl.LOG.debug("publishing certificates in PUBLISHQUEUE");
                    for (String str : CaManagerImpl.this.x509cas.keySet()) {
                        if (((X509Ca) CaManagerImpl.this.x509cas.get(str)).publishCertsInQueue()) {
                            CaManagerImpl.LOG.info(" published certificates of CA {} in PUBLISHQUEUE", str);
                        } else {
                            CaManagerImpl.LOG.error("publishing certificates of CA {} in PUBLISHQUEUE failed", str);
                        }
                    }
                    this.inProcess = false;
                } catch (Throwable th) {
                    LogUtil.error(CaManagerImpl.LOG, th, "could not publish CertsInQueue");
                    this.inProcess = false;
                }
            } catch (Throwable th2) {
                this.inProcess = false;
                throw th2;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/xipki/ca/server/CaManagerImpl$UnreferencedRequstCleaner.class */
    public class UnreferencedRequstCleaner implements Runnable {
        private boolean inProcess;

        private UnreferencedRequstCleaner() {
        }

        @Override // java.lang.Runnable
        public void run() {
            if (this.inProcess) {
                return;
            }
            this.inProcess = true;
            try {
                try {
                    CaManagerImpl.this.certstore.deleteUnreferencedRequests();
                    CaManagerImpl.LOG.info("deleted unreferenced requests");
                } catch (Throwable th) {
                    LogUtil.error(CaManagerImpl.LOG, th, "could not delete unreferenced requests");
                }
            } finally {
                this.inProcess = false;
            }
        }
    }

    public CaManagerImpl() {
        String str = null;
        File file = new File("calock");
        if (file.exists()) {
            try {
                str = new String(IoUtil.read(file));
            } catch (IOException e) {
                LOG.error("could not read {}: {}", file.getName(), e.getMessage());
            }
        }
        if (str == null) {
            str = UUID.randomUUID().toString();
            try {
                IoUtil.save(file, StringUtil.toUtf8Bytes(str));
            } catch (IOException e2) {
                LOG.error("could not save {}: {}", file.getName(), e2.getMessage());
            }
        }
        String str2 = null;
        try {
            str2 = IoUtil.getHostAddress();
        } catch (SocketException e3) {
            LOG.warn("could not get host address: {}", e3.getMessage());
        }
        this.lockInstanceId = str2 == null ? str : str2 + "/" + str;
        this.restResponder = new RestResponder(this);
    }

    public SecurityFactory getSecurityFactory() {
        return this.securityFactory;
    }

    public void setSecurityFactory(SecurityFactory securityFactory) {
        this.securityFactory = securityFactory;
    }

    public DataSourceFactory getDataSourceFactory() {
        return this.datasourceFactory;
    }

    public boolean isMasterMode() {
        return this.masterMode;
    }

    public Set<String> getSupportedSignerTypes() {
        return this.securityFactory.getSupportedSignerTypes();
    }

    public Set<String> getSupportedCertprofileTypes() {
        return this.certprofileFactoryRegister.getSupportedTypes();
    }

    public Set<String> getSupportedPublisherTypes() {
        return this.certPublisherFactoryRegister.getSupportedTypes();
    }

    private void init() throws CaMgmtException {
        if (this.securityFactory == null) {
            throw new IllegalStateException("securityFactory is not set");
        }
        if (this.datasourceFactory == null) {
            throw new IllegalStateException("datasourceFactory is not set");
        }
        if (this.certprofileFactoryRegister == null) {
            throw new IllegalStateException("certprofileFactoryRegister is not set");
        }
        if (this.certPublisherFactoryRegister == null) {
            throw new IllegalStateException("certPublisherFactoryRegister is not set");
        }
        if (this.caServerConf == null) {
            throw new IllegalStateException("caServerConf is not set");
        }
        this.masterMode = this.caServerConf.isMaster();
        LOG.info("ca.masterMode: {}", Boolean.valueOf(this.masterMode));
        int shardId = this.caServerConf.getShardId();
        LOG.info("ca.shardId: {}", Integer.valueOf(shardId));
        if (this.datasourceNameConfFileMap == null) {
            this.datasourceNameConfFileMap = new ConcurrentHashMap();
            for (DataSourceConf dataSourceConf : this.caServerConf.getDatasources()) {
                this.datasourceNameConfFileMap.put(dataSourceConf.getName(), dataSourceConf.getConf());
            }
            FileOrValue remove = this.datasourceNameConfFileMap.remove("ca");
            if (remove == null) {
                throw new CaMgmtException("no datasource named 'ca' configured");
            }
            this.datasource = loadDatasource("ca", remove);
        }
        this.queryExecutor = new CaManagerQueryExecutor(this.datasource);
        if (this.masterMode) {
            lockCa(true);
            this.queryExecutor.addRequestorIfNeeded("BY-CA");
            this.queryExecutor.addRequestorIfNeeded("BY-USER");
        }
        try {
            this.certstore = new CertStore(this.datasource, new UniqueIdGenerator(DateUtil.parseUtcTimeyyyyMMdd("20100101").getTime(), shardId));
            initCaAliases();
            initCertprofiles();
            initPublishers();
            initRequestors();
            initSigners();
            initCas();
        } catch (DataAccessException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    private DataSourceWrapper loadDatasource(String str, FileOrValue fileOrValue) throws CaMgmtException {
        try {
            DataSourceWrapper createDataSource = this.datasourceFactory.createDataSource(str, fileOrValue, this.securityFactory.getPasswordResolver());
            createDataSource.returnConnection(createDataSource.getConnection());
            LOG.info("loaded datasource.{}", str);
            return createDataSource;
        } catch (DataAccessException | PasswordResolverException | IOException | RuntimeException e) {
            throw new CaMgmtException(concat(e.getClass().getName(), " while parsing datasource ", str, ": ", e.getMessage()), e);
        }
    }

    public CaSystemStatus getCaSystemStatus() {
        return this.caSystemSetuped ? this.masterMode ? CaSystemStatus.STARTED_AS_MASTER : CaSystemStatus.STARTED_AS_SLAVE : this.initializing ? CaSystemStatus.INITIALIZING : !this.caLockedByMe ? CaSystemStatus.LOCK_FAILED : CaSystemStatus.ERROR;
    }

    private void lockCa(boolean z) throws CaMgmtException {
        CaManagerQueryExecutor.SystemEvent systemEvent = this.queryExecutor.getSystemEvent(EVENT_LOCK);
        if (systemEvent != null) {
            String owner = systemEvent.getOwner();
            Date date = new Date(systemEvent.getEventTime() * 1000);
            if (!this.lockInstanceId.equals(owner)) {
                throw logAndCreateException(concat("could not lock CA, it has been locked by ", owner, " since ", date.toString(), ". In general this indicates that another CA software in active mode is accessing the database or the last shutdown of CA software in active mode is abnormal."));
            }
            if (z) {
                LOG.info("CA has been locked by me since {}, re-lock it", date);
            }
        }
        this.queryExecutor.changeSystemEvent(new CaManagerQueryExecutor.SystemEvent(EVENT_LOCK, this.lockInstanceId, System.currentTimeMillis() / 1000));
        this.caLockedByMe = true;
    }

    public void unlockCa() throws CaMgmtException {
        if (!this.masterMode) {
            throw logAndCreateException("could not unlock CA in slave mode");
        }
        boolean z = false;
        try {
            this.queryExecutor.unlockCa();
            LOG.info("unlocked CA");
            z = true;
            auditLogPciEvent(true, "UNLOCK");
        } catch (Throwable th) {
            auditLogPciEvent(z, "UNLOCK");
            throw th;
        }
    }

    private void reset() {
        this.caSystemSetuped = false;
        this.signerInitialized = false;
        this.requestorsInitialized = false;
        this.caAliasesInitialized = false;
        this.certprofilesInitialized = false;
        this.publishersInitialized = false;
        this.casInitialized = false;
        shutdownScheduledThreadPoolExecutor();
    }

    public void restartCa(String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        asssertMasterMode();
        if (this.idNameMap.getCa(nonBlankLower) == null) {
            throw new CaMgmtException("Unknown CA " + nonBlankLower);
        }
        if (!createCa(nonBlankLower)) {
            LOG.error("could not create CA {}", nonBlankLower);
            return;
        }
        if (CaStatus.ACTIVE != this.caInfos.get(nonBlankLower).getCaEntry().getStatus()) {
            return;
        }
        if (startCa(nonBlankLower)) {
            LOG.info("started CA {}", nonBlankLower);
        } else {
            LOG.error("could not start CA {}", nonBlankLower);
        }
    }

    public void restartCaSystem() throws CaMgmtException {
        reset();
        boolean startCaSystem0 = startCaSystem0();
        auditLogPciEvent(startCaSystem0, EVENT_CACHAGNE);
        if (!startCaSystem0) {
            throw logAndCreateException("could not restart CA system");
        }
    }

    public void notifyCaChange() throws CaMgmtException {
        try {
            this.queryExecutor.changeSystemEvent(new CaManagerQueryExecutor.SystemEvent(EVENT_CACHAGNE, this.lockInstanceId, System.currentTimeMillis() / 1000));
            LOG.info("notified the change of CA system");
        } catch (CaMgmtException e) {
            LogUtil.warn(LOG, e, "could not notify slave CAs to restart");
            throw e;
        }
    }

    public void startCaSystem() {
        boolean z = false;
        try {
            z = startCaSystem0();
        } catch (Throwable th) {
            LogUtil.error(LOG, th, "could not start CA system");
        }
        if (!z) {
            LOG.error("could not start CA system");
        }
        auditLogPciEvent(z, "START");
    }

    private boolean startCaSystem0() {
        if (this.caSystemSetuped) {
            return true;
        }
        this.initializing = true;
        shutdownScheduledThreadPoolExecutor();
        try {
            LOG.info("starting CA system");
            try {
                init();
            } catch (Exception e) {
                LogUtil.error(LOG, e);
            }
            this.lastStartTime = new Date();
            this.x509cas.clear();
            this.cmpResponders.clear();
            this.scepResponders.clear();
            this.scheduledThreadPoolExecutor = new ScheduledThreadPoolExecutor(10);
            this.scheduledThreadPoolExecutor.setRemoveOnCancelPolicy(true);
            LinkedList linkedList = new LinkedList();
            LinkedList linkedList2 = new LinkedList();
            for (String str : this.caInfos.keySet()) {
                if (CaStatus.ACTIVE == this.caInfos.get(str).getCaEntry().getStatus()) {
                    if (startCa(str)) {
                        linkedList.add(str);
                        LOG.info("started CA {}", str);
                    } else {
                        linkedList2.add(str);
                        LOG.error("could not start CA {}", str);
                    }
                }
            }
            this.caSystemSetuped = true;
            StringBuilder sb = new StringBuilder();
            sb.append("started CA system");
            Set<String> caAliasNames = getCaAliasNames();
            HashSet hashSet = new HashSet(getCaNames());
            if (hashSet.size() > 0) {
                sb.append(" with following CAs: ");
                for (String str2 : caAliasNames) {
                    String caNameForAlias = getCaNameForAlias(str2);
                    hashSet.remove(caNameForAlias);
                    if (caNameForAlias != null) {
                        sb.append(caNameForAlias).append(" (alias ").append(str2).append("), ");
                    }
                }
                Iterator it = hashSet.iterator();
                while (it.hasNext()) {
                    sb.append((String) it.next()).append(", ");
                }
                int length = sb.length();
                sb.delete(length - 2, length);
                this.scheduledThreadPoolExecutor.scheduleAtFixedRate(new CertsInQueuePublisher(), 120L, 120L, TimeUnit.SECONDS);
                this.scheduledThreadPoolExecutor.scheduleAtFixedRate(new UnreferencedRequstCleaner(), 60L, 86400L, TimeUnit.SECONDS);
            } else {
                sb.append(": no CA is configured");
            }
            if (!linkedList2.isEmpty()) {
                sb.append(", and following CAs could not be started: ");
                for (String str3 : caAliasNames) {
                    String caNameForAlias2 = getCaNameForAlias(str3);
                    if (linkedList2.remove(caNameForAlias2)) {
                        sb.append(caNameForAlias2).append(" (alias ").append(str3).append("), ");
                    }
                }
                Iterator it2 = linkedList2.iterator();
                while (it2.hasNext()) {
                    sb.append((String) it2.next()).append(", ");
                }
                int length2 = sb.length();
                sb.delete(length2 - 2, length2);
            }
            LOG.info("{}", sb);
            this.initializing = false;
            if (this.masterMode || this.persistentScheduledThreadPoolExecutor != null) {
                return true;
            }
            this.persistentScheduledThreadPoolExecutor = new ScheduledThreadPoolExecutor(1);
            this.persistentScheduledThreadPoolExecutor.setRemoveOnCancelPolicy(true);
            this.persistentScheduledThreadPoolExecutor.scheduleAtFixedRate(new CaRestarter(), 300L, 300L, TimeUnit.SECONDS);
            return true;
        } catch (Throwable th) {
            this.initializing = false;
            if (!this.masterMode && this.persistentScheduledThreadPoolExecutor == null) {
                this.persistentScheduledThreadPoolExecutor = new ScheduledThreadPoolExecutor(1);
                this.persistentScheduledThreadPoolExecutor.setRemoveOnCancelPolicy(true);
                this.persistentScheduledThreadPoolExecutor.scheduleAtFixedRate(new CaRestarter(), 300L, 300L, TimeUnit.SECONDS);
            }
            throw th;
        }
    }

    private boolean startCa(String str) {
        SslContextConf sslContextConf;
        CaInfo caInfo = this.caInfos.get(str);
        CtlogControl ctlogControl = caInfo.getCaEntry().getCtlogControl();
        CtLogClient ctLogClient = null;
        if (ctlogControl != null && ctlogControl.isEnabled()) {
            String sslContextName = ctlogControl.getSslContextName();
            if (sslContextName == null) {
                sslContextConf = null;
            } else {
                sslContextConf = this.caServerConf.getSslContextConf(sslContextName);
                if (sslContextConf == null) {
                    LOG.error(concat("X509CA.<init> (ca=", str, "): found no SslContext named " + sslContextName));
                    return false;
                }
                try {
                    sslContextConf.getSslContext();
                } catch (ObjectCreationException e) {
                    LOG.error(concat("X509CA.<init> (ca=", str, "): could not initialize SslContext named " + sslContextName));
                    return false;
                }
            }
            ctLogClient = new CtLogClient(ctlogControl.getServers(), sslContextConf);
        }
        try {
            this.x509cas.put(str, new X509Ca(this, caInfo, this.certstore, ctLogClient));
            try {
                this.cmpResponders.put(str, new CmpResponder(this, str));
                if (caInfo.getScepResponderName() == null) {
                    return true;
                }
                try {
                    this.scepResponders.put(str, new ScepResponder(this, caInfo.getCaEntry()));
                    return true;
                } catch (CaMgmtException e2) {
                    LogUtil.error(LOG, e2, concat("X509CA.<init> (scep=", str, ")"));
                    return false;
                }
            } catch (NoSuchAlgorithmException e3) {
                LogUtil.error(LOG, e3, concat("CmpResponderImpl.<init> (ca=", str, ")"));
                return false;
            }
        } catch (OperationException e4) {
            LogUtil.error(LOG, e4, concat("X509CA.<init> (ca=", str, ")"));
            return false;
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        LOG.info("stopping CA system");
        shutdownScheduledThreadPoolExecutor();
        if (this.persistentScheduledThreadPoolExecutor != null) {
            this.persistentScheduledThreadPoolExecutor.shutdown();
            while (!this.persistentScheduledThreadPoolExecutor.isTerminated()) {
                try {
                    Thread.sleep(100L);
                } catch (InterruptedException e) {
                    LOG.error("interrupted: {}", e.getMessage());
                }
            }
            this.persistentScheduledThreadPoolExecutor = null;
        }
        for (String str : this.x509cas.keySet()) {
            try {
                this.x509cas.get(str).close();
            } catch (Throwable th) {
                LogUtil.error(LOG, th, concat("could not call ca.shutdown() for CA ", str));
            }
        }
        if (this.caLockedByMe) {
            try {
                unlockCa();
            } catch (Throwable th2) {
                LogUtil.error(LOG, th2, "could not unlock CA system");
            }
        }
        if (this.datasource != null) {
            try {
                this.datasource.close();
            } catch (Exception e2) {
                LogUtil.warn(LOG, e2, concat("could not close datasource ca", new String[0]));
            }
        }
        if (this.publishers != null) {
            Iterator<String> it = this.publishers.keySet().iterator();
            while (it.hasNext()) {
                shutdownPublisher(this.publishers.get(it.next()));
            }
        }
        if (this.certprofiles != null) {
            Iterator<String> it2 = this.certprofiles.keySet().iterator();
            while (it2.hasNext()) {
                shutdownCertprofile(this.certprofiles.get(it2.next()));
            }
        }
        File file = new File("calock");
        if (file.exists()) {
            file.delete();
        }
        auditLogPciEvent(true, "SHUTDOWN");
        LOG.info("stopped CA system");
    }

    public CmpResponder getX509CaResponder(String str) {
        return this.cmpResponders.get(Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name));
    }

    public ScheduledThreadPoolExecutor getScheduledThreadPoolExecutor() {
        return this.scheduledThreadPoolExecutor;
    }

    public Set<String> getCertprofileNames() {
        return this.certprofileDbEntries.keySet();
    }

    public Set<String> getPublisherNames() {
        return this.publisherDbEntries.keySet();
    }

    public Set<String> getRequestorNames() {
        return this.requestorDbEntries.keySet();
    }

    public Set<String> getSignerNames() {
        return this.signerDbEntries.keySet();
    }

    public Set<String> getCaNames() {
        return this.caInfos.keySet();
    }

    public Set<String> getSuccessfulCaNames() {
        HashSet hashSet = new HashSet();
        for (String str : this.x509cas.keySet()) {
            if (CaStatus.ACTIVE == this.caInfos.get(str).getStatus()) {
                hashSet.add(str);
            }
        }
        return hashSet;
    }

    public Set<String> getFailedCaNames() {
        HashSet hashSet = new HashSet();
        for (String str : this.caInfos.keySet()) {
            if (CaStatus.ACTIVE == this.caInfos.get(str).getStatus() && !this.x509cas.containsKey(str)) {
                hashSet.add(str);
            }
        }
        return hashSet;
    }

    public Set<String> getInactiveCaNames() {
        HashSet hashSet = new HashSet();
        for (String str : this.caInfos.keySet()) {
            if (CaStatus.INACTIVE == this.caInfos.get(str).getStatus()) {
                hashSet.add(str);
            }
        }
        return hashSet;
    }

    private void initRequestors() throws CaMgmtException {
        if (this.requestorsInitialized) {
            return;
        }
        this.idNameMap.clearRequestor();
        this.requestorDbEntries.clear();
        this.requestors.clear();
        for (String str : this.queryExecutor.namesFromTable("REQUESTOR")) {
            if ("BY-CA".equals(str)) {
                NameId nameId = new NameId(this.queryExecutor.getRequestorId(str), str);
                this.byCaRequestor = new RequestorInfo.ByCaRequestorInfo(nameId);
                this.idNameMap.addRequestor(nameId);
            } else if ("BY-USER".equals(str)) {
                this.byUserRequestorId = new NameId(this.queryExecutor.getRequestorId(str), str);
                this.idNameMap.addRequestor(this.byUserRequestorId);
            } else {
                MgmtEntry.Requestor createRequestor = this.queryExecutor.createRequestor(str);
                if (createRequestor == null) {
                    LOG.error("could not load requestor {}", str);
                } else {
                    this.idNameMap.addRequestor(createRequestor.getIdent());
                    this.requestorDbEntries.put(str, createRequestor);
                    RequestorEntryWrapper requestorEntryWrapper = new RequestorEntryWrapper();
                    requestorEntryWrapper.setDbEntry(createRequestor, this.securityFactory.getPasswordResolver());
                    this.requestors.put(str, requestorEntryWrapper);
                }
            }
            LOG.info("loaded requestor {}", str);
        }
        this.requestorsInitialized = true;
    }

    private void initSigners() throws CaMgmtException {
        if (this.signerInitialized) {
            return;
        }
        this.signerDbEntries.clear();
        this.signers.clear();
        for (String str : this.queryExecutor.namesFromTable("SIGNER")) {
            MgmtEntry.Signer createSigner = this.queryExecutor.createSigner(str);
            if (createSigner == null) {
                LOG.error("could not initialize signer '{}'", str);
            } else {
                createSigner.setConfFaulty(true);
                this.signerDbEntries.put(str, createSigner);
                SignerEntryWrapper createSigner2 = createSigner(createSigner);
                if (createSigner2 != null) {
                    createSigner.setConfFaulty(false);
                    this.signers.put(str, createSigner2);
                    LOG.info("loaded signer {}", str);
                } else {
                    LOG.error("could not load signer {}", str);
                }
            }
        }
        this.signerInitialized = true;
    }

    private void initCaAliases() throws CaMgmtException {
        if (this.caAliasesInitialized) {
            return;
        }
        Map<String, Integer> createCaAliases = this.queryExecutor.createCaAliases();
        this.caAliases.clear();
        for (String str : createCaAliases.keySet()) {
            this.caAliases.put(str, createCaAliases.get(str));
        }
        LOG.info("caAliases: {}", this.caAliases);
        this.caAliasesInitialized = true;
    }

    private void initCertprofiles() throws CaMgmtException {
        if (this.certprofilesInitialized) {
            return;
        }
        Iterator<String> it = this.certprofiles.keySet().iterator();
        while (it.hasNext()) {
            shutdownCertprofile(this.certprofiles.get(it.next()));
        }
        this.certprofileDbEntries.clear();
        this.idNameMap.clearCertprofile();
        this.certprofiles.clear();
        for (String str : this.queryExecutor.namesFromTable("PROFILE")) {
            MgmtEntry.Certprofile createCertprofile = this.queryExecutor.createCertprofile(str);
            if (createCertprofile == null) {
                LOG.error("could not initialize Certprofile '{}'", str);
            } else {
                this.idNameMap.addCertprofile(createCertprofile.getIdent());
                createCertprofile.setFaulty(true);
                this.certprofileDbEntries.put(str, createCertprofile);
                IdentifiedCertprofile createCertprofile2 = createCertprofile(createCertprofile);
                if (createCertprofile2 != null) {
                    createCertprofile.setFaulty(false);
                    this.certprofiles.put(str, createCertprofile2);
                    LOG.info("loaded certprofile {}", str);
                } else {
                    LOG.error("could not load certprofile {}", str);
                }
            }
        }
        this.certprofilesInitialized = true;
    }

    private void initPublishers() throws CaMgmtException {
        if (this.publishersInitialized) {
            return;
        }
        Iterator<String> it = this.publishers.keySet().iterator();
        while (it.hasNext()) {
            shutdownPublisher(this.publishers.get(it.next()));
        }
        this.publishers.clear();
        this.publisherDbEntries.clear();
        this.idNameMap.clearPublisher();
        for (String str : this.queryExecutor.namesFromTable("PUBLISHER")) {
            MgmtEntry.Publisher createPublisher = this.queryExecutor.createPublisher(str);
            if (createPublisher == null) {
                LOG.error("could not initialize publisher '{}'", str);
            } else {
                this.idNameMap.addPublisher(createPublisher.getIdent());
                createPublisher.setFaulty(true);
                this.publisherDbEntries.put(str, createPublisher);
                IdentifiedCertPublisher createPublisher2 = createPublisher(createPublisher);
                if (createPublisher2 != null) {
                    createPublisher.setFaulty(false);
                    this.publishers.put(str, createPublisher2);
                    LOG.info("loaded publisher {}", str);
                } else {
                    LOG.error("could not load publisher {}", str);
                }
            }
        }
        this.publishersInitialized = true;
    }

    private void initCas() throws CaMgmtException {
        if (this.casInitialized) {
            return;
        }
        this.caInfos.clear();
        this.caHasRequestors.clear();
        this.caHasPublishers.clear();
        this.caHasProfiles.clear();
        this.idNameMap.clearCa();
        Iterator<String> it = this.queryExecutor.namesFromTable("CA").iterator();
        while (it.hasNext()) {
            createCa(it.next());
        }
        this.casInitialized = true;
    }

    private boolean createCa(String str) throws CaMgmtException {
        this.caInfos.remove(str);
        this.idNameMap.removeCa(str);
        this.caHasProfiles.remove(str);
        this.caHasPublishers.remove(str);
        this.caHasRequestors.remove(str);
        X509Ca remove = this.x509cas.remove(str);
        this.cmpResponders.remove(str);
        this.scepResponders.remove(str);
        if (remove != null) {
            remove.close();
        }
        CaInfo createCaInfo = this.queryExecutor.createCaInfo(str, this.masterMode, this.certstore);
        LOG.info("created CA {}: {}", str, createCaInfo.toString(false));
        this.caInfos.put(str, createCaInfo);
        this.idNameMap.addCa(createCaInfo.getIdent());
        Set<MgmtEntry.CaHasRequestor> createCaHasRequestors = this.queryExecutor.createCaHasRequestors(createCaInfo.getIdent());
        this.caHasRequestors.put(str, createCaHasRequestors);
        if (LOG.isInfoEnabled()) {
            StringBuilder sb = new StringBuilder();
            Iterator<MgmtEntry.CaHasRequestor> it = createCaHasRequestors.iterator();
            while (it.hasNext()) {
                sb.append("\n    ").append(it.next());
            }
            LOG.info("CA {} is associated with following requestors:{}", str, sb);
        }
        Set<Integer> createCaHasProfiles = this.queryExecutor.createCaHasProfiles(createCaInfo.getIdent());
        HashSet hashSet = new HashSet();
        Iterator<Integer> it2 = createCaHasProfiles.iterator();
        while (it2.hasNext()) {
            hashSet.add(this.idNameMap.getCertprofileName(it2.next().intValue()));
        }
        this.caHasProfiles.put(str, hashSet);
        LOG.info("CA {} is associated with following profiles: {}", str, hashSet);
        Set<Integer> createCaHasPublishers = this.queryExecutor.createCaHasPublishers(createCaInfo.getIdent());
        HashSet hashSet2 = new HashSet();
        Iterator<Integer> it3 = createCaHasPublishers.iterator();
        while (it3.hasNext()) {
            hashSet2.add(this.idNameMap.getPublisherName(it3.next().intValue()));
        }
        this.caHasPublishers.put(str, hashSet2);
        LOG.info("CA {} is associated with following publishers: {}", str, hashSet2);
        return true;
    }

    public void commitNextCrlNo(NameId nameId, long j) throws OperationException {
        try {
            this.queryExecutor.commitNextCrlNoIfLess(nameId, j);
        } catch (CaMgmtException e) {
            if (!(e.getCause() instanceof DataAccessException)) {
                throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e.getMessage());
            }
            throw new OperationException(OperationException.ErrorCode.DATABASE_FAILURE, e.getMessage());
        } catch (RuntimeException e2) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e2.getMessage());
        }
    }

    public RequestorInfo.ByUserRequestorInfo createByUserRequestor(MgmtEntry.CaHasUser caHasUser) {
        return new RequestorInfo.ByUserRequestorInfo(this.byUserRequestorId, caHasUser);
    }

    public void addCa(MgmtEntry.Ca ca) throws CaMgmtException {
        Args.notNull(ca, "caEntry");
        asssertMasterMode();
        String name = ca.getIdent().getName();
        if (this.caInfos.containsKey(name)) {
            throw new CaMgmtException(concat("CA named ", name, " exists"));
        }
        String signerConf = ca.getSignerConf();
        String canonicalizeSignerConf = canonicalizeSignerConf(ca.getSignerType(), signerConf, null, this.securityFactory);
        if (!signerConf.equals(canonicalizeSignerConf)) {
            ca.setSignerConf(canonicalizeSignerConf);
        }
        try {
            Iterator it = MgmtEntry.Ca.splitCaSignerConfs(ca.getSignerConf()).iterator();
            while (it.hasNext()) {
                ConcurrentContentSigner createSigner = this.securityFactory.createSigner(ca.getSignerType(), new SignerConf(((String[]) it.next())[1]), ca.getCert());
                if (ca.getCert() == null) {
                    if (createSigner.getCertificate() == null) {
                        throw new CaMgmtException("CA signer without certificate is not allowed");
                    }
                    ca.setCert(createSigner.getCertificate());
                }
            }
            this.queryExecutor.addCa(ca);
            if (!createCa(name)) {
                LOG.error("could not create CA {}", name);
            } else if (startCa(name)) {
                LOG.info("started CA {}", name);
            } else {
                LOG.error("could not start CA {}", name);
            }
        } catch (XiSecurityException | ObjectCreationException e) {
            throw new CaMgmtException(concat("could not create signer for new CA ", name, ": ", e.getMessage()), e);
        }
    }

    public MgmtEntry.Ca getCa(String str) {
        CaInfo caInfo = this.caInfos.get(Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name));
        if (caInfo == null) {
            return null;
        }
        return caInfo.getCaEntry();
    }

    public void changeCa(MgmtEntry.ChangeCa changeCa) throws CaMgmtException {
        Args.notNull(changeCa, "entry");
        asssertMasterMode();
        String name = changeCa.getIdent().getName();
        NameId ca = this.idNameMap.getCa(name);
        if (ca == null) {
            throw new CaMgmtException("Unknown CA " + name);
        }
        changeCa.getIdent().setId(ca.getId());
        this.queryExecutor.changeCa(changeCa, this.caInfos.get(name).getCaEntry(), this.securityFactory);
        if (!createCa(name)) {
            LOG.error("could not create CA {}", name);
            return;
        }
        if (CaStatus.ACTIVE != this.caInfos.get(name).getCaEntry().getStatus()) {
            return;
        }
        if (startCa(name)) {
            LOG.info("started CA {}", name);
        } else {
            LOG.error("could not start CA {}", name);
        }
    }

    public void removeCertprofileFromCa(String str, String str2) throws CaMgmtException {
        Set<String> set;
        String nonBlankLower = Args.toNonBlankLower(str, "profileName");
        String nonBlankLower2 = Args.toNonBlankLower(str2, "caName");
        asssertMasterMode();
        this.queryExecutor.removeCertprofileFromCa(nonBlankLower, nonBlankLower2);
        if (!this.caHasProfiles.containsKey(nonBlankLower2) || (set = this.caHasProfiles.get(nonBlankLower2)) == null) {
            return;
        }
        set.remove(nonBlankLower);
    }

    public void addCertprofileToCa(String str, String str2) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "profileName");
        String nonBlankLower2 = Args.toNonBlankLower(str2, "caName");
        asssertMasterMode();
        NameId certprofile = this.idNameMap.getCertprofile(nonBlankLower);
        if (certprofile == null) {
            throw logAndCreateException(concat("unknown Certprofile ", nonBlankLower));
        }
        NameId ca = this.idNameMap.getCa(nonBlankLower2);
        if (ca == null) {
            throw logAndCreateException(concat("unknown CA ", nonBlankLower2));
        }
        Set<String> set = this.caHasProfiles.get(nonBlankLower2);
        if (set == null) {
            set = new HashSet();
            this.caHasProfiles.put(nonBlankLower2, set);
        } else if (set.contains(nonBlankLower)) {
            throw logAndCreateException(concat("Certprofile ", nonBlankLower, " already associated with CA ", nonBlankLower2));
        }
        if (!this.certprofiles.containsKey(nonBlankLower)) {
            throw new CaMgmtException(concat("certprofile '", nonBlankLower, "' is faulty"));
        }
        this.queryExecutor.addCertprofileToCa(certprofile, ca);
        set.add(nonBlankLower);
    }

    public void removePublisherFromCa(String str, String str2) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "publisherName");
        String nonBlankLower2 = Args.toNonBlankLower(str2, "caName");
        asssertMasterMode();
        this.queryExecutor.removePublisherFromCa(nonBlankLower, nonBlankLower2);
        Set<String> set = this.caHasPublishers.get(nonBlankLower2);
        if (set != null) {
            set.remove(nonBlankLower);
        }
    }

    public void addPublisherToCa(String str, String str2) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "publisherName");
        String nonBlankLower2 = Args.toNonBlankLower(str2, "caName");
        asssertMasterMode();
        if (this.idNameMap.getPublisher(nonBlankLower) == null) {
            throw logAndCreateException(concat("unknown publisher ", nonBlankLower));
        }
        NameId ca = this.idNameMap.getCa(nonBlankLower2);
        if (ca == null) {
            throw logAndCreateException(concat("unknown CA ", nonBlankLower2));
        }
        Set<String> set = this.caHasPublishers.get(nonBlankLower2);
        if (set == null) {
            set = new HashSet();
            this.caHasPublishers.put(nonBlankLower2, set);
        } else if (set.contains(nonBlankLower)) {
            throw logAndCreateException(concat("publisher ", nonBlankLower, " already associated with CA ", nonBlankLower2));
        }
        IdentifiedCertPublisher identifiedCertPublisher = this.publishers.get(nonBlankLower);
        if (identifiedCertPublisher == null) {
            throw new CaMgmtException(concat("publisher '", nonBlankLower, "' is faulty"));
        }
        this.queryExecutor.addPublisherToCa(this.idNameMap.getPublisher(nonBlankLower), ca);
        set.add(nonBlankLower);
        this.caHasPublishers.get(nonBlankLower2).add(nonBlankLower);
        identifiedCertPublisher.caAdded(this.caInfos.get(nonBlankLower2).getCert());
    }

    public Set<String> getCertprofilesForCa(String str) {
        return this.caHasProfiles.get(Args.toNonBlankLower(str, "caName"));
    }

    public Set<MgmtEntry.CaHasRequestor> getRequestorsForCa(String str) {
        return this.caHasRequestors.get(Args.toNonBlankLower(str, "caName"));
    }

    public MgmtEntry.Requestor getRequestor(String str) {
        return this.requestorDbEntries.get(Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name));
    }

    public RequestorEntryWrapper getRequestorWrapper(String str) {
        return this.requestors.get(Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name));
    }

    public void addRequestor(MgmtEntry.Requestor requestor) throws CaMgmtException {
        Args.notNull(requestor, "requestorEntry");
        asssertMasterMode();
        String name = requestor.getIdent().getName();
        if (this.requestorDbEntries.containsKey(name)) {
            throw new CaMgmtException(concat("Requestor named ", name, " exists"));
        }
        PasswordResolver passwordResolver = this.securityFactory.getPasswordResolver();
        if ("pbm".equalsIgnoreCase(requestor.getType())) {
            String conf = requestor.getConf();
            if (!StringUtil.startsWithIgnoreCase(conf, "PBE:")) {
                try {
                    requestor = new MgmtEntry.Requestor(requestor.getIdent(), requestor.getType(), passwordResolver.protectPassword("PBE", conf.toCharArray()));
                } catch (PasswordResolverException e) {
                    throw new CaMgmtException("could not encrypt requestor " + name, e);
                }
            }
        }
        RequestorEntryWrapper requestorEntryWrapper = new RequestorEntryWrapper();
        requestorEntryWrapper.setDbEntry(requestor, passwordResolver);
        this.queryExecutor.addRequestor(requestor);
        this.idNameMap.addRequestor(requestor.getIdent());
        this.requestorDbEntries.put(name, requestor);
        this.requestors.put(name, requestorEntryWrapper);
    }

    public void removeRequestor(String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        asssertMasterMode();
        for (String str2 : this.caHasRequestors.keySet()) {
            boolean z = false;
            Iterator<MgmtEntry.CaHasRequestor> it = this.caHasRequestors.get(str2).iterator();
            while (true) {
                if (it.hasNext()) {
                    if (it.next().getRequestorIdent().getName().equals(nonBlankLower)) {
                        z = true;
                        break;
                    }
                } else {
                    break;
                }
            }
            if (z) {
                removeRequestorFromCa(nonBlankLower, str2);
            }
        }
        if (!this.queryExecutor.deleteRowWithName(nonBlankLower, "REQUESTOR")) {
            throw new CaMgmtException("unknown requestor " + nonBlankLower);
        }
        this.idNameMap.removeRequestor(this.requestorDbEntries.get(nonBlankLower).getIdent().getId().intValue());
        this.requestorDbEntries.remove(nonBlankLower);
        this.requestors.remove(nonBlankLower);
        LOG.info("removed requestor '{}'", nonBlankLower);
    }

    public void changeRequestor(String str, String str2, String str3) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        Args.notBlank(str2, "type");
        Args.notBlank(str3, "conf");
        asssertMasterMode();
        NameId requestor = this.idNameMap.getRequestor(nonBlankLower);
        if (requestor == null) {
            throw logAndCreateException(concat("unknown requestor ", nonBlankLower));
        }
        RequestorEntryWrapper changeRequestor = this.queryExecutor.changeRequestor(requestor, str2, str3, this.securityFactory.getPasswordResolver());
        this.requestorDbEntries.remove(nonBlankLower);
        this.requestors.remove(nonBlankLower);
        this.requestorDbEntries.put(nonBlankLower, changeRequestor.getDbEntry());
        this.requestors.put(nonBlankLower, changeRequestor);
    }

    public void removeRequestorFromCa(String str, String str2) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "requestorName");
        String nonBlankLower2 = Args.toNonBlankLower(str2, "caName");
        asssertMasterMode();
        if (nonBlankLower.equals("BY-CA") || nonBlankLower.equals("BY-USER")) {
            throw new CaMgmtException(concat("removing requestor ", nonBlankLower, " is not permitted"));
        }
        this.queryExecutor.removeRequestorFromCa(nonBlankLower, nonBlankLower2);
        if (this.caHasRequestors.containsKey(nonBlankLower2)) {
            Set<MgmtEntry.CaHasRequestor> set = this.caHasRequestors.get(nonBlankLower2);
            MgmtEntry.CaHasRequestor caHasRequestor = null;
            for (MgmtEntry.CaHasRequestor caHasRequestor2 : set) {
                if (caHasRequestor2.getRequestorIdent().getName().equals(nonBlankLower)) {
                    caHasRequestor = caHasRequestor2;
                }
            }
            set.remove(caHasRequestor);
        }
    }

    public void addRequestorToCa(MgmtEntry.CaHasRequestor caHasRequestor, String str) throws CaMgmtException {
        Args.notNull(caHasRequestor, CaAuditConstants.NAME_requestor);
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        asssertMasterMode();
        NameId requestorIdent = caHasRequestor.getRequestorIdent();
        NameId requestor = this.idNameMap.getRequestor(requestorIdent.getName());
        if (requestor == null) {
            throw logAndCreateException(concat("unknown requestor ", requestorIdent.getName()));
        }
        NameId ca = this.idNameMap.getCa(nonBlankLower);
        if (ca == null) {
            String concat = concat("unknown CA ", nonBlankLower);
            LOG.warn(concat);
            throw new CaMgmtException(concat);
        }
        requestorIdent.setId(requestor.getId());
        Set<MgmtEntry.CaHasRequestor> set = this.caHasRequestors.get(nonBlankLower);
        if (set == null) {
            set = new HashSet();
            this.caHasRequestors.put(nonBlankLower, set);
        } else {
            for (MgmtEntry.CaHasRequestor caHasRequestor2 : set) {
                String name = requestorIdent.getName();
                if (caHasRequestor2.getRequestorIdent().getName().equals(name)) {
                    throw logAndCreateException(concat("Requestor ", name, " already associated with CA ", nonBlankLower));
                }
            }
        }
        set.add(caHasRequestor);
        this.queryExecutor.addRequestorToCa(caHasRequestor, ca);
        this.caHasRequestors.get(nonBlankLower).add(caHasRequestor);
    }

    public void removeUserFromCa(String str, String str2) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "userName");
        String nonBlankLower2 = Args.toNonBlankLower(str2, "caName");
        asssertMasterMode();
        this.queryExecutor.removeUserFromCa(nonBlankLower, nonBlankLower2);
    }

    public void addUserToCa(MgmtEntry.CaHasUser caHasUser, String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        asssertMasterMode();
        X509Ca x509Ca = getX509Ca(nonBlankLower);
        if (x509Ca == null) {
            throw logAndCreateException(concat("unknown CA ", nonBlankLower));
        }
        this.queryExecutor.addUserToCa(caHasUser, x509Ca.getCaIdent());
    }

    public Map<String, MgmtEntry.CaHasUser> getCaHasUsersForUser(String str) throws CaMgmtException {
        Args.notBlank(str, CaAuditConstants.NAME_user);
        return this.queryExecutor.getCaHasUsersForUser(str, this.idNameMap);
    }

    public MgmtEntry.Certprofile getCertprofile(String str) {
        return this.certprofileDbEntries.get(str.toLowerCase());
    }

    public void removeCertprofile(String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        asssertMasterMode();
        for (String str2 : this.caHasProfiles.keySet()) {
            if (this.caHasProfiles.get(str2).contains(nonBlankLower)) {
                removeCertprofileFromCa(nonBlankLower, str2);
            }
        }
        if (!this.queryExecutor.deleteRowWithName(nonBlankLower, "PROFILE")) {
            throw new CaMgmtException("unknown profile " + nonBlankLower);
        }
        LOG.info("removed profile '{}'", nonBlankLower);
        this.idNameMap.removeCertprofile(this.certprofileDbEntries.get(nonBlankLower).getIdent().getId().intValue());
        this.certprofileDbEntries.remove(nonBlankLower);
        shutdownCertprofile(this.certprofiles.remove(nonBlankLower));
    }

    public void changeCertprofile(String str, String str2, String str3) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        if (str2 == null && str3 == null) {
            throw new IllegalArgumentException("type and conf cannot be both null");
        }
        NameId certprofile = this.idNameMap.getCertprofile(nonBlankLower);
        if (certprofile == null) {
            throw logAndCreateException(concat("unknown Certprofile ", nonBlankLower));
        }
        if (str2 != null) {
            str2 = str2.toLowerCase();
        }
        asssertMasterMode();
        IdentifiedCertprofile changeCertprofile = this.queryExecutor.changeCertprofile(certprofile, str2, str3, this);
        this.certprofileDbEntries.remove(nonBlankLower);
        IdentifiedCertprofile remove = this.certprofiles.remove(nonBlankLower);
        this.certprofileDbEntries.put(nonBlankLower, changeCertprofile.getDbEntry());
        this.certprofiles.put(nonBlankLower, changeCertprofile);
        if (remove != null) {
            shutdownCertprofile(remove);
        }
    }

    public void addCertprofile(MgmtEntry.Certprofile certprofile) throws CaMgmtException {
        Args.notNull(certprofile, "certprofileEntry");
        asssertMasterMode();
        String name = certprofile.getIdent().getName();
        if (this.certprofileDbEntries.containsKey(name)) {
            throw new CaMgmtException(concat("Certprofile named ", name, " exists"));
        }
        certprofile.setFaulty(true);
        IdentifiedCertprofile createCertprofile = createCertprofile(certprofile);
        if (createCertprofile == null) {
            throw new CaMgmtException("could not create Certprofile object");
        }
        certprofile.setFaulty(false);
        this.certprofiles.put(name, createCertprofile);
        this.queryExecutor.addCertprofile(certprofile);
        this.idNameMap.addCertprofile(certprofile.getIdent());
        this.certprofileDbEntries.put(name, certprofile);
    }

    public void addSigner(MgmtEntry.Signer signer) throws CaMgmtException {
        Args.notNull(signer, "signerEntry");
        asssertMasterMode();
        String name = signer.getName();
        if (this.signerDbEntries.containsKey(name)) {
            throw new CaMgmtException(concat("Signer named ", name, " exists"));
        }
        String conf = signer.getConf();
        if (conf != null) {
            String canonicalizeSignerConf = canonicalizeSignerConf(signer.getType(), conf, null, this.securityFactory);
            if (!conf.equals(canonicalizeSignerConf)) {
                signer.setConf(canonicalizeSignerConf);
            }
        }
        SignerEntryWrapper createSigner = createSigner(signer);
        this.queryExecutor.addSigner(signer);
        this.signers.put(name, createSigner);
        this.signerDbEntries.put(name, signer);
    }

    public void removeSigner(String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        asssertMasterMode();
        if (!this.queryExecutor.deleteRowWithName(nonBlankLower, "SIGNER")) {
            throw new CaMgmtException("unknown signer " + nonBlankLower);
        }
        Iterator<String> it = this.caInfos.keySet().iterator();
        while (it.hasNext()) {
            CaInfo caInfo = this.caInfos.get(it.next());
            if (nonBlankLower.equals(caInfo.getCmpResponderName())) {
                caInfo.setCmpResponderName(null);
            }
            if (nonBlankLower.equals(caInfo.getScepResponderName())) {
                caInfo.setScepResponderName(null);
            }
            if (nonBlankLower.equals(caInfo.getCrlSignerName())) {
                caInfo.setCrlSignerName(null);
            }
        }
        this.signerDbEntries.remove(nonBlankLower);
        this.signers.remove(nonBlankLower);
        LOG.info("removed signer '{}'", nonBlankLower);
    }

    public void changeSigner(String str, String str2, String str3, String str4) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        asssertMasterMode();
        if (str2 == null && str3 == null && str4 == null) {
            throw new IllegalArgumentException("nothing to change");
        }
        if (str2 != null) {
            str2 = str2.toLowerCase();
        }
        SignerEntryWrapper changeSigner = this.queryExecutor.changeSigner(nonBlankLower, str2, str3, str4, this, this.securityFactory);
        this.signers.remove(nonBlankLower);
        this.signerDbEntries.remove(nonBlankLower);
        this.signerDbEntries.put(nonBlankLower, changeSigner.getDbEntry());
        this.signers.put(nonBlankLower, changeSigner);
        for (String str5 : this.scepResponders.keySet()) {
            if (getCa(str5).getScepResponderName().equals(nonBlankLower)) {
                this.scepResponders.get(str5).setResponder(changeSigner);
            }
        }
    }

    public MgmtEntry.Signer getSigner(String str) {
        return this.signerDbEntries.get(Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name));
    }

    public SignerEntryWrapper getSignerWrapper(String str) {
        return this.signers.get(Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name));
    }

    public void addPublisher(MgmtEntry.Publisher publisher) throws CaMgmtException {
        Args.notNull(publisher, "entry");
        asssertMasterMode();
        String name = publisher.getIdent().getName();
        if (this.publisherDbEntries.containsKey(name)) {
            throw new CaMgmtException(concat("Publisher named ", name, " exists"));
        }
        publisher.setFaulty(true);
        IdentifiedCertPublisher createPublisher = createPublisher(publisher);
        publisher.setFaulty(false);
        this.queryExecutor.addPublisher(publisher);
        this.publishers.put(name, createPublisher);
        this.idNameMap.addPublisher(publisher.getIdent());
        this.publisherDbEntries.put(name, publisher);
    }

    public List<MgmtEntry.Publisher> getPublishersForCa(String str) {
        Set<String> set = this.caHasPublishers.get(Args.toNonBlankLower(str, "caName"));
        if (set == null) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList(set.size());
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            arrayList.add(this.publisherDbEntries.get(it.next()));
        }
        return arrayList;
    }

    public MgmtEntry.Publisher getPublisher(String str) {
        return this.publisherDbEntries.get(Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name));
    }

    public void removePublisher(String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        asssertMasterMode();
        for (String str2 : this.caHasPublishers.keySet()) {
            if (this.caHasPublishers.get(str2).contains(nonBlankLower)) {
                removePublisherFromCa(nonBlankLower, str2);
            }
        }
        if (!this.queryExecutor.deleteRowWithName(nonBlankLower, "PUBLISHER")) {
            throw new CaMgmtException("unknown publisher " + nonBlankLower);
        }
        LOG.info("removed publisher '{}'", nonBlankLower);
        this.publisherDbEntries.remove(nonBlankLower);
        shutdownPublisher(this.publishers.remove(nonBlankLower));
    }

    public void changePublisher(String str, String str2, String str3) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        asssertMasterMode();
        if (str2 == null && str3 == null) {
            throw new IllegalArgumentException("nothing to change");
        }
        if (str2 != null) {
            str2 = str2.toLowerCase();
        }
        IdentifiedCertPublisher changePublisher = this.queryExecutor.changePublisher(nonBlankLower, str2, str3, this);
        shutdownPublisher(this.publishers.remove(nonBlankLower));
        this.publisherDbEntries.put(nonBlankLower, changePublisher.getDbEntry());
        this.publishers.put(nonBlankLower, changePublisher);
    }

    public CaServerConf getCaServerConf() {
        return this.caServerConf;
    }

    public void setCaServerConf(CaServerConf caServerConf) {
        this.caServerConf = (CaServerConf) Args.notNull(caServerConf, "caServerConf");
    }

    public void addCaAlias(String str, String str2) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "aliasName");
        String nonBlankLower2 = Args.toNonBlankLower(str2, "caName");
        asssertMasterMode();
        X509Ca x509Ca = this.x509cas.get(nonBlankLower2);
        if (x509Ca == null) {
            throw new CaMgmtException("unknown CA " + nonBlankLower2);
        }
        if (this.caAliases.get(nonBlankLower) != null) {
            throw new CaMgmtException("unknown CA alias " + nonBlankLower);
        }
        this.queryExecutor.addCaAlias(nonBlankLower, x509Ca.getCaIdent());
        this.caAliases.put(nonBlankLower, x509Ca.getCaIdent().getId());
    }

    public void removeCaAlias(String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        asssertMasterMode();
        this.queryExecutor.removeCaAlias(nonBlankLower);
        this.caAliases.remove(nonBlankLower);
    }

    public String getCaNameForAlias(String str) {
        Integer num = this.caAliases.get(Args.toNonBlankLower(str, "aliasName"));
        Iterator<String> it = this.x509cas.keySet().iterator();
        while (it.hasNext()) {
            X509Ca x509Ca = this.x509cas.get(it.next());
            if (x509Ca.getCaIdent().getId().equals(num)) {
                return x509Ca.getCaIdent().getName();
            }
        }
        return null;
    }

    public Set<String> getAliasesForCa(String str) {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        HashSet hashSet = new HashSet();
        X509Ca x509Ca = this.x509cas.get(nonBlankLower);
        if (x509Ca == null) {
            return hashSet;
        }
        NameId caIdent = x509Ca.getCaIdent();
        for (String str2 : this.caAliases.keySet()) {
            if (caIdent.getId().equals(this.caAliases.get(str2))) {
                hashSet.add(str2);
            }
        }
        return hashSet;
    }

    public Set<String> getCaAliasNames() {
        return this.caAliases.keySet();
    }

    public X509Cert getCaCert(String str) {
        X509Ca x509Ca = this.x509cas.get(Args.toNonBlankLower(str, "caName"));
        if (x509Ca == null) {
            return null;
        }
        return x509Ca.getCaInfo().getCert();
    }

    public List<X509Cert> getCaCertchain(String str) {
        X509Ca x509Ca = this.x509cas.get(Args.toNonBlankLower(str, "caName"));
        if (x509Ca == null) {
            return null;
        }
        return x509Ca.getCaInfo().getCertchain();
    }

    public void removeCa(String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        asssertMasterMode();
        this.queryExecutor.removeCa(nonBlankLower);
        LOG.info("removed CA '{}'", nonBlankLower);
        this.caInfos.remove(nonBlankLower);
        this.idNameMap.removeCa(nonBlankLower);
        this.idNameMap.removeCa(nonBlankLower);
        this.caHasProfiles.remove(nonBlankLower);
        this.caHasPublishers.remove(nonBlankLower);
        this.caHasRequestors.remove(nonBlankLower);
        X509Ca remove = this.x509cas.remove(nonBlankLower);
        this.cmpResponders.remove(nonBlankLower);
        this.scepResponders.remove(nonBlankLower);
        if (remove != null) {
            remove.close();
        }
    }

    public void republishCertificates(String str, List<String> list, int i) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        Args.positive(i, "numThreads");
        asssertMasterMode();
        X509Ca x509Ca = this.x509cas.get(nonBlankLower);
        if (x509Ca == null) {
            throw new CaMgmtException(concat("could not find CA named ", nonBlankLower));
        }
        if (!x509Ca.republishCerts(CollectionUtil.toLowerCaseList(list), i)) {
            throw new CaMgmtException(concat("republishing certificates of CA ", nonBlankLower, " failed"));
        }
    }

    public void revokeCa(String str, CertRevocationInfo certRevocationInfo) throws CaMgmtException {
        CrlReason reason;
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        Args.notNull(certRevocationInfo, "revocationInfo");
        asssertMasterMode();
        if (!this.x509cas.containsKey(nonBlankLower)) {
            throw new CaMgmtException(concat("unkown CA ", nonBlankLower));
        }
        LOG.info("revoking CA '{}'", nonBlankLower);
        X509Ca x509Ca = this.x509cas.get(nonBlankLower);
        CertRevocationInfo revocationInfo = x509Ca.getCaInfo().getRevocationInfo();
        if (revocationInfo != null && (reason = revocationInfo.getReason()) != CrlReason.CERTIFICATE_HOLD) {
            throw new CaMgmtException(concat("CA ", nonBlankLower, " has been revoked with reason ", reason.name()));
        }
        this.queryExecutor.revokeCa(nonBlankLower, certRevocationInfo);
        try {
            x509Ca.revokeCa(certRevocationInfo, CaAuditConstants.MSGID_ca_mgmt);
            LOG.info("revoked CA '{}'", nonBlankLower);
            auditLogPciEvent(true, concat("REVOKE CA ", nonBlankLower));
        } catch (OperationException e) {
            throw new CaMgmtException(concat("could not revoke CA ", e.getMessage()), e);
        }
    }

    public void unrevokeCa(String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        asssertMasterMode();
        if (!this.x509cas.containsKey(nonBlankLower)) {
            throw new CaMgmtException(concat("could not find CA named ", nonBlankLower));
        }
        LOG.info("unrevoking of CA '{}'", nonBlankLower);
        this.queryExecutor.unrevokeCa(nonBlankLower);
        try {
            this.x509cas.get(nonBlankLower).unrevokeCa(CaAuditConstants.MSGID_ca_mgmt);
            LOG.info("unrevoked CA '{}'", nonBlankLower);
            auditLogPciEvent(true, concat("UNREVOKE CA ", nonBlankLower));
        } catch (OperationException e) {
            throw new CaMgmtException(concat("could not unrevoke CA " + nonBlankLower + ": ", e.getMessage()), e);
        }
    }

    public void setCertprofileFactoryRegister(CertprofileFactoryRegister certprofileFactoryRegister) {
        this.certprofileFactoryRegister = certprofileFactoryRegister;
    }

    public void setCertPublisherFactoryRegister(CertPublisherFactoryRegister certPublisherFactoryRegister) {
        this.certPublisherFactoryRegister = certPublisherFactoryRegister;
    }

    private void auditLogPciEvent(boolean z, String str) {
        PciAuditEvent pciAuditEvent = new PciAuditEvent(new Date());
        pciAuditEvent.setUserId("CA-SYSTEM");
        pciAuditEvent.setEventType(str);
        pciAuditEvent.setAffectedResource("CORE");
        if (z) {
            pciAuditEvent.setStatus(AuditStatus.SUCCESSFUL.name());
            pciAuditEvent.setLevel(AuditLevel.INFO);
        } else {
            pciAuditEvent.setStatus(AuditStatus.FAILED.name());
            pciAuditEvent.setLevel(AuditLevel.ERROR);
        }
        Audits.getAuditService().logEvent(pciAuditEvent);
    }

    public void clearPublishQueue(String str, List<String> list) throws CaMgmtException {
        asssertMasterMode();
        List<String> lowerCaseList = CollectionUtil.toLowerCaseList(list);
        if (str == null) {
            if (CollectionUtil.isNotEmpty(lowerCaseList)) {
                throw new IllegalArgumentException("non-empty publisherNames is not allowed");
            }
            try {
                this.certstore.clearPublishQueue((NameId) null, (NameId) null);
                return;
            } catch (OperationException e) {
                throw new CaMgmtException(e.getMessage(), e);
            }
        }
        String lowerCase = str.toLowerCase();
        X509Ca x509Ca = this.x509cas.get(lowerCase);
        if (x509Ca == null) {
            throw new CaMgmtException(concat("could not find CA named ", lowerCase));
        }
        x509Ca.clearPublishQueue(lowerCaseList);
    }

    private void shutdownScheduledThreadPoolExecutor() {
        if (this.scheduledThreadPoolExecutor == null) {
            return;
        }
        this.scheduledThreadPoolExecutor.shutdown();
        while (!this.scheduledThreadPoolExecutor.isTerminated()) {
            try {
                Thread.sleep(100L);
            } catch (InterruptedException e) {
                LOG.error("interrupted: {}", e.getMessage());
            }
        }
        this.scheduledThreadPoolExecutor = null;
    }

    public void revokeCertificate(String str, BigInteger bigInteger, CrlReason crlReason, Date date) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        Args.notNull(bigInteger, "serialNumber");
        asssertMasterMode();
        try {
            if (getX509Ca(nonBlankLower).revokeCert(bigInteger, crlReason, date, CaAuditConstants.MSGID_ca_mgmt) == null) {
                throw new CaMgmtException("could not revoke non-existing certificate");
            }
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    public void unrevokeCertificate(String str, BigInteger bigInteger) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        Args.notNull(bigInteger, "serialNumber");
        try {
            if (getX509Ca(nonBlankLower).unrevokeCert(bigInteger, CaAuditConstants.MSGID_ca_mgmt) == null) {
                throw new CaMgmtException("could not unrevoke non-existing certificate");
            }
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    public void removeCertificate(String str, BigInteger bigInteger) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        Args.notNull(bigInteger, "serialNumber");
        asssertMasterMode();
        X509Ca x509Ca = getX509Ca(nonBlankLower);
        if (x509Ca == null) {
            throw logAndCreateException(concat("unknown CA ", nonBlankLower));
        }
        try {
            if (x509Ca.removeCert(bigInteger, CaAuditConstants.MSGID_ca_mgmt) == null) {
                throw new CaMgmtException("could not remove certificate");
            }
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    public X509Certificate generateCertificate(String str, String str2, byte[] bArr, Date date, Date date2) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        String nonBlankLower2 = Args.toNonBlankLower(str2, "profileName");
        Args.notNull(bArr, "encodedCsr");
        AuditEvent auditEvent = new AuditEvent(new Date());
        auditEvent.setApplicationName("ca");
        auditEvent.setName(CaAuditConstants.NAME_perf);
        auditEvent.addEventType("CAMGMT_CRL_GEN_ONDEMAND");
        X509Ca x509Ca = getX509Ca(nonBlankLower);
        try {
            CertificationRequest parseCsr = X509Util.parseCsr(bArr);
            if (!x509Ca.verifyCsr(parseCsr)) {
                throw new CaMgmtException("could not validate POP for the CSR");
            }
            CertificationRequestInfo certificationRequestInfo = parseCsr.getCertificationRequestInfo();
            Extensions extensions = null;
            ASN1Set attributes = certificationRequestInfo.getAttributes();
            for (int i = 0; i < attributes.size(); i++) {
                Attribute attribute = Attribute.getInstance(attributes.getObjectAt(i));
                if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attribute.getAttrType())) {
                    extensions = Extensions.getInstance(attribute.getAttributeValues()[0]);
                }
            }
            try {
                CertificateInfo generateCert = x509Ca.generateCert(new CertTemplateData(certificationRequestInfo.getSubject(), certificationRequestInfo.getSubjectPublicKeyInfo(), date, date2, extensions, nonBlankLower2), this.byCaRequestor, RequestType.CA, (byte[]) null, CaAuditConstants.MSGID_ca_mgmt);
                if (x509Ca.getCaInfo().isSaveRequest()) {
                    try {
                        x509Ca.addRequestCert(x509Ca.addRequest(bArr), generateCert.getCert().getCertId().longValue());
                    } catch (OperationException e) {
                        LogUtil.warn(LOG, e, "could not save request");
                    }
                }
                return generateCert.getCert().getCert();
            } catch (OperationException e2) {
                throw new CaMgmtException(e2.getMessage(), e2);
            }
        } catch (Exception e3) {
            throw new CaMgmtException(concat("invalid CSR request. ERROR: ", e3.getMessage()));
        }
    }

    public X509Ca getX509Ca(String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        X509Ca x509Ca = this.x509cas.get(nonBlankLower);
        if (x509Ca == null) {
            throw new CaMgmtException("unknown CA " + nonBlankLower);
        }
        return x509Ca;
    }

    public X509Ca getX509Ca(NameId nameId) throws CaMgmtException {
        Args.notNull(nameId, "ident");
        X509Ca x509Ca = this.x509cas.get(nameId.getName());
        if (x509Ca == null) {
            throw new CaMgmtException("unknown CA " + nameId);
        }
        return x509Ca;
    }

    public IdentifiedCertprofile getIdentifiedCertprofile(String str) {
        return this.certprofiles.get(Args.toNonBlankLower(str, "profileName"));
    }

    public List<IdentifiedCertPublisher> getIdentifiedPublishersForCa(String str) {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        LinkedList linkedList = new LinkedList();
        Set<String> set = this.caHasPublishers.get(nonBlankLower);
        if (set == null) {
            return linkedList;
        }
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            linkedList.add(this.publishers.get(it.next()));
        }
        return linkedList;
    }

    public X509Certificate generateRootCa(MgmtEntry.Ca ca, String str, byte[] bArr, BigInteger bigInteger) throws CaMgmtException {
        Args.notNull(ca, "caEntry");
        String nonBlankLower = Args.toNonBlankLower(str, "profileName");
        Args.notNull(bArr, "encodedCsr");
        int numCrls = ca.getNumCrls();
        String signerType = ca.getSignerType();
        asssertMasterMode();
        if (numCrls < 0) {
            System.err.println("invalid numCrls: " + numCrls);
            return null;
        }
        int expirationPeriod = ca.getExpirationPeriod();
        if (expirationPeriod < 0) {
            System.err.println("invalid expirationPeriod: " + expirationPeriod);
            return null;
        }
        try {
            CertificationRequest parseCsr = X509Util.parseCsr(bArr);
            IdentifiedCertprofile identifiedCertprofile = getIdentifiedCertprofile(nonBlankLower);
            if (identifiedCertprofile == null) {
                throw new CaMgmtException(concat("unknown certprofile ", nonBlankLower));
            }
            try {
                SelfSignedCertBuilder.GenerateSelfSignedResult generateSelfSigned = SelfSignedCertBuilder.generateSelfSigned(this.securityFactory, signerType, ca.getSignerConf(), identifiedCertprofile, parseCsr, bigInteger != null ? bigInteger : RandomSerialNumberGenerator.getInstance().nextSerialNumber(ca.getSerialNoBitLen()), ca.getCaUris(), ca.getExtraControl());
                String signerConf = generateSelfSigned.getSignerConf();
                X509Certificate cert = generateSelfSigned.getCert();
                if ("PKCS12".equalsIgnoreCase(signerType) || "JKS".equalsIgnoreCase(signerType)) {
                    try {
                        signerConf = canonicalizeSignerConf(signerType, signerConf, new X509Certificate[]{cert}, this.securityFactory);
                    } catch (Exception e) {
                        throw new CaMgmtException(concat(e.getClass().getName(), ": ", e.getMessage()), e);
                    }
                }
                MgmtEntry.Ca ca2 = new MgmtEntry.Ca(new NameId((Integer) null, ca.getIdent().getName()), ca.getSerialNoBitLen(), ca.getNextCrlNumber(), signerType, signerConf, ca.getCaUris(), numCrls, expirationPeriod);
                ca2.setCert(cert);
                ca2.setCmpControl(ca.getCmpControl());
                ca2.setCrlControl(ca.getCrlControl());
                ca2.setScepControl(ca.getScepControl());
                ca2.setCmpResponderName(ca.getCmpResponderName());
                ca2.setScepResponderName(ca.getScepResponderName());
                ca2.setCrlSignerName(ca.getCrlSignerName());
                ca2.setDuplicateKeyPermitted(ca.isDuplicateKeyPermitted());
                ca2.setDuplicateSubjectPermitted(ca.isDuplicateSubjectPermitted());
                ca2.setExtraControl(ca.getExtraControl());
                ca2.setKeepExpiredCertInDays(ca.getKeepExpiredCertInDays());
                ca2.setMaxValidity(ca.getMaxValidity());
                ca2.setPermission(ca.getPermission());
                ca2.setProtocolSupport(ca.getProtocoSupport());
                ca2.setSaveRequest(ca.isSaveRequest());
                ca2.setStatus(ca.getStatus());
                ca2.setValidityMode(ca.getValidityMode());
                addCa(ca2);
                return cert;
            } catch (OperationException | InvalidConfException e2) {
                throw new CaMgmtException(concat(e2.getClass().getName(), ": ", e2.getMessage()), e2);
            }
        } catch (Exception e3) {
            System.err.println("invalid encodedCsr");
            return null;
        }
    }

    private void asssertMasterMode() throws CaMgmtException {
        if (!this.masterMode) {
            throw new CaMgmtException("operation not allowed in slave mode");
        }
    }

    void shutdownCertprofile(IdentifiedCertprofile identifiedCertprofile) {
        if (identifiedCertprofile == null) {
            return;
        }
        try {
            identifiedCertprofile.close();
        } catch (Exception e) {
            LogUtil.warn(LOG, e, "could not shutdown Certprofile " + identifiedCertprofile.getIdent());
        }
    }

    void shutdownPublisher(IdentifiedCertPublisher identifiedCertPublisher) {
        if (identifiedCertPublisher == null) {
            return;
        }
        try {
            identifiedCertPublisher.close();
        } catch (Exception e) {
            LogUtil.warn(LOG, e, "could not shutdown CertPublisher " + identifiedCertPublisher.getIdent());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SignerEntryWrapper createSigner(MgmtEntry.Signer signer) throws CaMgmtException {
        Args.notNull(signer, "entry");
        SignerEntryWrapper signerEntryWrapper = new SignerEntryWrapper();
        signerEntryWrapper.setDbEntry(signer);
        try {
            signerEntryWrapper.initSigner(this.securityFactory);
            return signerEntryWrapper;
        } catch (ObjectCreationException e) {
            LOG.debug("createSigner", e);
            throw new CaMgmtException(e.getMessage());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public IdentifiedCertprofile createCertprofile(MgmtEntry.Certprofile certprofile) throws CaMgmtException {
        Args.notNull(certprofile, "entry");
        String type = certprofile.getType();
        if (!this.certprofileFactoryRegister.canCreateProfile(type)) {
            throw new CaMgmtException("unsupported cert profile type " + type);
        }
        try {
            return new IdentifiedCertprofile(certprofile, this.certprofileFactoryRegister.newCertprofile(type));
        } catch (ObjectCreationException | CertprofileException e) {
            String str = "could not initialize Certprofile " + certprofile.getIdent();
            LogUtil.error(LOG, e, str);
            throw new CaMgmtException(str, e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public IdentifiedCertPublisher createPublisher(MgmtEntry.Publisher publisher) throws CaMgmtException {
        Args.notNull(publisher, "entry");
        String type = publisher.getType();
        try {
            if (!this.certPublisherFactoryRegister.canCreatePublisher(type)) {
                throw new CaMgmtException("unsupported publisher type " + type);
            }
            IdentifiedCertPublisher identifiedCertPublisher = new IdentifiedCertPublisher(publisher, this.certPublisherFactoryRegister.newPublisher(type));
            identifiedCertPublisher.initialize(this.securityFactory.getPasswordResolver(), this.datasourceNameConfFileMap);
            return identifiedCertPublisher;
        } catch (ObjectCreationException | CertPublisherException | RuntimeException e) {
            String str = "invalid configuration for the publisher " + publisher.getIdent();
            LogUtil.error(LOG, e, str);
            throw new CaMgmtException(str, e);
        }
    }

    public void addUser(MgmtEntry.AddUser addUser) throws CaMgmtException {
        asssertMasterMode();
        this.queryExecutor.addUser(addUser);
    }

    public void changeUser(MgmtEntry.ChangeUser changeUser) throws CaMgmtException {
        asssertMasterMode();
        this.queryExecutor.changeUser(changeUser);
    }

    public void removeUser(String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "username");
        asssertMasterMode();
        if (!this.queryExecutor.deleteRowWithName(nonBlankLower, "TUSER")) {
            throw new CaMgmtException("unknown user " + nonBlankLower);
        }
    }

    public MgmtEntry.User getUser(String str) throws CaMgmtException {
        return this.queryExecutor.getUser(str.toLowerCase());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CaIdNameMap idNameMap() {
        return this.idNameMap;
    }

    public X509CRL generateCrlOnDemand(String str) throws CaMgmtException {
        try {
            return getX509Ca(Args.toNonBlankLower(str, "caName")).generateCrlOnDemand(CaAuditConstants.MSGID_ca_mgmt);
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    public X509CRL getCrl(String str, BigInteger bigInteger) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        Args.notNull(bigInteger, "crlNumber");
        try {
            X509CRL crl = getX509Ca(nonBlankLower).getCrl(bigInteger);
            if (crl == null) {
                LOG.warn("found no CRL for CA {} and crlNumber {}", nonBlankLower, bigInteger);
            }
            return crl;
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    public X509CRL getCurrentCrl(String str) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        try {
            X509CRL currentCrl = getX509Ca(nonBlankLower).getCurrentCrl();
            if (currentCrl == null) {
                LOG.warn("found no CRL for CA {}", nonBlankLower);
            }
            return currentCrl;
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    public ScepResponder getScepResponder(String str) {
        String nonBlankLower = Args.toNonBlankLower(str, CaAuditConstants.Scep.NAME_name);
        if (this.scepResponders == null) {
            return null;
        }
        return this.scepResponders.get(nonBlankLower);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static String canonicalizeSignerConf(String str, String str2, X509Certificate[] x509CertificateArr, SecurityFactory securityFactory) throws CaMgmtException {
        byte[] decode;
        if (!str2.contains("file:") && !str2.contains("base64:")) {
            return str2;
        }
        ConfPairs confPairs = new ConfPairs(str2);
        String value = confPairs.value("algo");
        if (value != null) {
            try {
                confPairs.putPair("algo", AlgorithmUtil.canonicalizeSignatureAlgo(value));
            } catch (NoSuchAlgorithmException e) {
                throw new CaMgmtException("Unknown signature algo: " + e.getMessage(), e);
            }
        }
        String value2 = confPairs.value("keystore");
        String value3 = confPairs.value("password");
        String value4 = confPairs.value("key-label");
        if (StringUtil.startsWithIgnoreCase(value2, "file:")) {
            try {
                decode = IoUtil.read(value2.substring("file:".length()));
            } catch (IOException e2) {
                throw new CaMgmtException("IOException: " + e2.getMessage(), e2);
            }
        } else {
            if (!StringUtil.startsWithIgnoreCase(value2, "base64:")) {
                return str2;
            }
            decode = Base64.decode(value2.substring("base64:".length()));
        }
        try {
            confPairs.putPair("keystore", "base64:" + Base64.encodeToString(securityFactory.extractMinimalKeyStore(str, decode, value4, securityFactory.getPasswordResolver().resolvePassword(value3), x509CertificateArr)));
            return confPairs.getEncoded();
        } catch (PasswordResolverException e3) {
            throw new CaMgmtException("PasswordResolverException: " + e3.getMessage(), e3);
        } catch (KeyStoreException e4) {
            throw new CaMgmtException("KeyStoreException: " + e4.getMessage(), e4);
        }
    }

    public CertWithRevocationInfo getCert(String str, BigInteger bigInteger) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        Args.notNull(bigInteger, "serialNumber");
        try {
            return getX509Ca(nonBlankLower).getCertWithRevocationInfo(bigInteger);
        } catch (CertificateException | OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    public CertWithRevocationInfo getCert(X500Name x500Name, BigInteger bigInteger) throws CaMgmtException {
        Args.notNull(x500Name, CaAuditConstants.NAME_issuer);
        Args.notNull(bigInteger, "serialNumber");
        NameId nameId = null;
        Iterator<String> it = this.caInfos.keySet().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            String next = it.next();
            CaInfo caInfo = this.caInfos.get(next);
            if (x500Name.equals(this.caInfos.get(next).getCert().getSubjectAsX500Name())) {
                nameId = caInfo.getIdent();
                break;
            }
        }
        if (nameId == null) {
            return null;
        }
        try {
            return this.certstore.getCertWithRevocationInfo(nameId.getId().intValue(), bigInteger, this.idNameMap);
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    public byte[] getCertRequest(String str, BigInteger bigInteger) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        Args.notNull(bigInteger, "serialNumber");
        try {
            return getX509Ca(nonBlankLower).getCertRequest(bigInteger);
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    public List<CertListInfo> listCertificates(String str, X500Name x500Name, Date date, Date date2, CertListOrderBy certListOrderBy, int i) throws CaMgmtException {
        String nonBlankLower = Args.toNonBlankLower(str, "caName");
        Args.range(i, "numEntries", 1, 1000);
        try {
            return getX509Ca(nonBlankLower).listCerts(x500Name, date, date2, certListOrderBy, i);
        } catch (OperationException e) {
            throw new CaMgmtException(e.getMessage(), e);
        }
    }

    public void refreshTokenForSignerType(String str) throws CaMgmtException {
        try {
            this.securityFactory.refreshTokenForSignerType(str);
        } catch (XiSecurityException e) {
            throw new CaMgmtException("could not refresh token for signer type " + str + ": " + e.getMessage(), e);
        }
    }

    public Map<String, X509Certificate> loadConf(InputStream inputStream) throws CaMgmtException {
        Args.notNull(inputStream, "zippedConfStream");
        if (!this.caSystemSetuped) {
            throw new CaMgmtException("CA system is not initialized yet.");
        }
        try {
            CaConf caConf = new CaConf(inputStream, this.securityFactory);
            HashMap hashMap = new HashMap(2);
            for (String str : caConf.getSignerNames()) {
                MgmtEntry.Signer signer = caConf.getSigner(str);
                MgmtEntry.Signer signer2 = this.signerDbEntries.get(str);
                if (signer2 == null) {
                    try {
                        addSigner(signer);
                        LOG.info("added signer {}", str);
                    } catch (CaMgmtException e) {
                        String concat = concat("could not add signer ", str);
                        LogUtil.error(LOG, e, concat);
                        throw new CaMgmtException(concat);
                    }
                } else {
                    if (!signer.equals(signer2)) {
                        throw logAndCreateException(concat("signer ", str, " existed, could not re-added it"));
                    }
                    LOG.info("ignore existed signer {}", str);
                }
            }
            for (String str2 : caConf.getRequestorNames()) {
                MgmtEntry.Requestor requestor = caConf.getRequestor(str2);
                MgmtEntry.Requestor requestor2 = this.requestorDbEntries.get(str2);
                if (requestor2 == null) {
                    try {
                        addRequestor(requestor);
                        LOG.info("added CMP requestor {}", str2);
                    } catch (CaMgmtException e2) {
                        String concat2 = concat("could not add CMP requestor ", str2);
                        LogUtil.error(LOG, e2, concat2);
                        throw new CaMgmtException(concat2);
                    }
                } else {
                    if (!requestor.equals(requestor2, true)) {
                        throw logAndCreateException(concat("CMP requestor ", str2, " existed, could not re-added it"));
                    }
                    LOG.info("ignore existed CMP requestor {}", str2);
                }
            }
            for (String str3 : caConf.getPublisherNames()) {
                MgmtEntry.Publisher publisher = caConf.getPublisher(str3);
                MgmtEntry.Publisher publisher2 = this.publisherDbEntries.get(str3);
                if (publisher2 == null) {
                    try {
                        addPublisher(publisher);
                        LOG.info("added publisher {}", str3);
                    } catch (CaMgmtException e3) {
                        String str4 = "could not add publisher " + str3;
                        LogUtil.error(LOG, e3, str4);
                        throw new CaMgmtException(str4);
                    }
                } else {
                    if (!publisher.equals(publisher2, true)) {
                        throw logAndCreateException(concat("publisher ", str3, " existed, could not re-added it"));
                    }
                    LOG.info("ignore existed publisher {}", str3);
                }
            }
            for (String str5 : caConf.getCertprofileNames()) {
                MgmtEntry.Certprofile certprofile = caConf.getCertprofile(str5);
                MgmtEntry.Certprofile certprofile2 = this.certprofileDbEntries.get(str5);
                if (certprofile2 == null) {
                    try {
                        addCertprofile(certprofile);
                        LOG.info("added certprofile {}", str5);
                    } catch (CaMgmtException e4) {
                        String concat3 = concat("could not add certprofile ", str5);
                        LogUtil.error(LOG, e4, concat3);
                        throw new CaMgmtException(concat3);
                    }
                } else {
                    if (!certprofile.equals(certprofile2, true)) {
                        throw logAndCreateException(concat("certprofile ", str5, " existed, could not re-added it"));
                    }
                    LOG.info("ignore existed certprofile {}", str5);
                }
            }
            for (String str6 : caConf.getUserNames()) {
                Object user = caConf.getUser(str6);
                MgmtEntry.User user2 = this.queryExecutor.getUser(str6, true);
                if (user2 != null) {
                    if (!(user instanceof MgmtEntry.User ? ((MgmtEntry.User) user).equals(user2, true) : PasswordHash.validatePassword(((MgmtEntry.AddUser) user).getPassword(), user2.getHashedPassword()))) {
                        throw logAndCreateException(concat("user ", str6, " existed, could not re-added it"));
                    }
                    LOG.info("ignore existed user {}", str6);
                } else {
                    try {
                        if (user instanceof MgmtEntry.User) {
                            this.queryExecutor.addUser((MgmtEntry.User) user);
                        } else {
                            this.queryExecutor.addUser((MgmtEntry.AddUser) user);
                        }
                        LOG.info("added user {}", str6);
                    } catch (CaMgmtException e5) {
                        String concat4 = concat("could not add user ", str6);
                        LogUtil.error(LOG, e5, concat4);
                        throw new CaMgmtException(concat4);
                    }
                }
            }
            for (String str7 : caConf.getCaNames()) {
                CaConf.SingleCa ca = caConf.getCa(str7);
                CaConf.GenSelfIssued genSelfIssued = ca.getGenSelfIssued();
                MgmtEntry.Ca caEntry = ca.getCaEntry();
                if (caEntry != null) {
                    if (this.caInfos.containsKey(str7)) {
                        MgmtEntry.Ca caEntry2 = this.caInfos.get(str7).getCaEntry();
                        if (caEntry.getCert() == null && genSelfIssued != null) {
                            try {
                                caEntry.setCert(this.securityFactory.createSigner(caEntry.getSignerType(), new SignerConf(caEntry.getSignerConf()), (X509Certificate) null).getCertificate());
                            } catch (ObjectCreationException e6) {
                                throw new CaMgmtException(concat("could not create signer for CA ", str7), e6);
                            }
                        }
                        if (!caEntry.equals(caEntry2, true, true)) {
                            throw logAndCreateException(concat("CA ", str7, " existed, could not re-added it"));
                        }
                        LOG.info("ignore existing CA {}", str7);
                    } else if (genSelfIssued != null) {
                        X509Certificate generateRootCa = generateRootCa(caEntry, genSelfIssued.getProfile(), genSelfIssued.getCsr(), genSelfIssued.getSerialNumber());
                        LOG.info("generated root CA {}", str7);
                        hashMap.put(str7, generateRootCa);
                    } else {
                        try {
                            addCa(caEntry);
                            LOG.info("added CA {}", str7);
                        } catch (CaMgmtException e7) {
                            String concat5 = concat("could not add CA ", str7);
                            LogUtil.error(LOG, e7, concat5);
                            throw new CaMgmtException(concat5);
                        }
                    }
                }
                if (ca.getAliases() != null) {
                    Set<String> aliasesForCa = getAliasesForCa(str7);
                    for (String str8 : ca.getAliases()) {
                        if (aliasesForCa == null || !aliasesForCa.contains(str8)) {
                            try {
                                addCaAlias(str8, str7);
                                LOG.info("associated alias {} to CA {}", str8, str7);
                            } catch (CaMgmtException e8) {
                                String concat6 = concat("could not associate alias ", str8, " to CA ", str7);
                                LogUtil.error(LOG, e8, concat6);
                                throw new CaMgmtException(concat6);
                            }
                        } else {
                            LOG.info("ignored adding existing CA alias {} to CA {}", str8, str7);
                        }
                    }
                }
                if (ca.getProfileNames() != null) {
                    Set<String> set = this.caHasProfiles.get(str7);
                    for (String str9 : ca.getProfileNames()) {
                        if (set == null || !set.contains(str9)) {
                            try {
                                addCertprofileToCa(str9, str7);
                                LOG.info("added certprofile {} to CA {}", str9, str7);
                            } catch (CaMgmtException e9) {
                                String concat7 = concat("could not add certprofile ", str9, " to CA ", str7);
                                LogUtil.error(LOG, e9, concat7);
                                throw new CaMgmtException(concat7);
                            }
                        } else {
                            LOG.info("ignored adding certprofile {} to CA {}", str9, str7);
                        }
                    }
                }
                if (ca.getPublisherNames() != null) {
                    Set<String> set2 = this.caHasPublishers.get(str7);
                    for (String str10 : ca.getPublisherNames()) {
                        if (set2 == null || !set2.contains(str10)) {
                            try {
                                addPublisherToCa(str10, str7);
                                LOG.info("added publisher {} to CA {}", str10, str7);
                            } catch (CaMgmtException e10) {
                                String concat8 = concat("could not add publisher ", str10, " to CA ", str7);
                                LogUtil.error(LOG, e10, concat8);
                                throw new CaMgmtException(concat8);
                            }
                        } else {
                            LOG.info("ignored adding publisher {} to CA {}", str10, str7);
                        }
                    }
                }
                if (ca.getRequestors() != null) {
                    Set<MgmtEntry.CaHasRequestor> set3 = this.caHasRequestors.get(str7);
                    for (MgmtEntry.CaHasRequestor caHasRequestor : ca.getRequestors()) {
                        String name = caHasRequestor.getRequestorIdent().getName();
                        MgmtEntry.CaHasRequestor caHasRequestor2 = null;
                        if (set3 != null) {
                            Iterator<MgmtEntry.CaHasRequestor> it = set3.iterator();
                            while (true) {
                                if (!it.hasNext()) {
                                    break;
                                }
                                MgmtEntry.CaHasRequestor next = it.next();
                                if (next.getRequestorIdent().getName().equals(name)) {
                                    caHasRequestor2 = next;
                                    break;
                                }
                            }
                        }
                        if (caHasRequestor2 == null) {
                            try {
                                addRequestorToCa(caHasRequestor, str7);
                                LOG.info("added publisher {} to CA {}", name, str7);
                            } catch (CaMgmtException e11) {
                                String concat9 = concat("could not add requestor ", name, " to CA ", str7);
                                LogUtil.error(LOG, e11, concat9);
                                throw new CaMgmtException(concat9);
                            }
                        } else {
                            if (!caHasRequestor.equals(caHasRequestor2, true)) {
                                throw logAndCreateException(concat("could not add requestor ", name, " to CA", str7));
                            }
                            LOG.info("ignored adding requestor {} to CA {}", name, str7);
                        }
                    }
                }
                if (ca.getUsers() != null) {
                    List<MgmtEntry.CaHasUser> caHasUsersForCa = this.queryExecutor.getCaHasUsersForCa(str7, this.idNameMap);
                    for (MgmtEntry.CaHasUser caHasUser : ca.getUsers()) {
                        String name2 = caHasUser.getUserIdent().getName();
                        MgmtEntry.CaHasUser caHasUser2 = null;
                        if (caHasUsersForCa != null) {
                            Iterator<MgmtEntry.CaHasUser> it2 = caHasUsersForCa.iterator();
                            while (true) {
                                if (!it2.hasNext()) {
                                    break;
                                }
                                MgmtEntry.CaHasUser next2 = it2.next();
                                if (next2.getUserIdent().getName().equals(name2)) {
                                    caHasUser2 = next2;
                                    break;
                                }
                            }
                        }
                        if (caHasUser2 == null) {
                            try {
                                addUserToCa(caHasUser, str7);
                                LOG.info("added user {} to CA {}", name2, str7);
                            } catch (CaMgmtException e12) {
                                String concat10 = concat("could not add user ", name2, " to CA ", str7);
                                LogUtil.error(LOG, e12, concat10);
                                throw new CaMgmtException(concat10);
                            }
                        } else {
                            if (!caHasUser.equals(caHasUser2, true)) {
                                throw logAndCreateException(concat("could not add user ", name2, " to CA", str7));
                            }
                            LOG.info("ignored adding user {} to CA {}", name2, str7);
                        }
                    }
                }
            }
            if (hashMap.isEmpty()) {
                return null;
            }
            return hashMap;
        } catch (IOException | InvalidConfException e13) {
            throw new CaMgmtException("could not parse the CA configuration", e13);
        } catch (RuntimeException e14) {
            throw new CaMgmtException("caught RuntimeException while parsing the CA configuration", e14);
        }
    }

    public InputStream exportConf(List<String> list) throws CaMgmtException, IOException {
        ArrayList arrayList;
        if (!this.caSystemSetuped) {
            throw new CaMgmtException("CA system is not initialized yet.");
        }
        if (list != null) {
            ArrayList arrayList2 = new ArrayList(list.size());
            Iterator<String> it = list.iterator();
            while (it.hasNext()) {
                String lowerCase = it.next().toLowerCase();
                if (this.x509cas.containsKey(lowerCase)) {
                    arrayList2.add(lowerCase);
                }
            }
            arrayList = arrayList2;
        } else {
            ArrayList arrayList3 = new ArrayList(this.x509cas.size());
            Iterator<String> it2 = this.x509cas.keySet().iterator();
            while (it2.hasNext()) {
                arrayList3.add(it2.next());
            }
            arrayList = arrayList3;
        }
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(1048576);
        ZipOutputStream zipOutputStream = new ZipOutputStream(byteArrayOutputStream);
        zipOutputStream.setLevel(1);
        CaConfType.CaSystem caSystem = new CaConfType.CaSystem();
        try {
            HashSet hashSet = new HashSet();
            HashSet hashSet2 = new HashSet();
            HashSet hashSet3 = new HashSet();
            HashSet hashSet4 = new HashSet();
            HashSet hashSet5 = new HashSet();
            HashSet hashSet6 = new HashSet();
            LinkedList linkedList = new LinkedList();
            caSystem.setUsers(linkedList);
            if (CollectionUtil.isNotEmpty(arrayList)) {
                LinkedList linkedList2 = new LinkedList();
                for (String str : this.x509cas.keySet()) {
                    if (arrayList.contains(str)) {
                        CaConfType.Ca ca = new CaConfType.Ca();
                        ca.setName(str);
                        Set<String> aliasesForCa = getAliasesForCa(str);
                        if (CollectionUtil.isNotEmpty(aliasesForCa)) {
                            ca.setAliases(new ArrayList(aliasesForCa));
                        }
                        Set<MgmtEntry.CaHasRequestor> set = this.caHasRequestors.get(str);
                        if (CollectionUtil.isNotEmpty(set)) {
                            ca.setRequestors(new ArrayList());
                            for (MgmtEntry.CaHasRequestor caHasRequestor : set) {
                                String name = caHasRequestor.getRequestorIdent().getName();
                                hashSet2.add(name);
                                CaConfType.CaHasRequestor caHasRequestor2 = new CaConfType.CaHasRequestor();
                                caHasRequestor2.setRequestorName(name);
                                caHasRequestor2.setRa(caHasRequestor.isRa());
                                caHasRequestor2.setProfiles(new ArrayList(caHasRequestor.getProfiles()));
                                caHasRequestor2.setPermissions(getPermissions(caHasRequestor.getPermission()));
                                ca.getRequestors().add(caHasRequestor2);
                            }
                        }
                        List<MgmtEntry.CaHasUser> caHasUsersForCa = this.queryExecutor.getCaHasUsersForCa(str, this.idNameMap);
                        if (CollectionUtil.isNotEmpty(caHasUsersForCa)) {
                            ca.setUsers(new ArrayList());
                            for (MgmtEntry.CaHasUser caHasUser : caHasUsersForCa) {
                                String name2 = caHasUser.getUserIdent().getName();
                                CaConfType.CaHasUser caHasUser2 = new CaConfType.CaHasUser();
                                caHasUser2.setUserName(name2);
                                caHasUser2.setProfiles(new ArrayList(caHasUser.getProfiles()));
                                caHasUser2.setPermissions(getPermissions(caHasUser.getPermission()));
                                ca.getUsers().add(caHasUser2);
                                if (!hashSet6.contains(name2)) {
                                    MgmtEntry.User user = this.queryExecutor.getUser(name2);
                                    CaConfType.User user2 = new CaConfType.User();
                                    if (!user.isActive()) {
                                        user2.setActive(Boolean.FALSE);
                                    }
                                    user2.setName(name2);
                                    user2.setHashedPassword(user.getHashedPassword());
                                    linkedList.add(user2);
                                    hashSet6.add(name2);
                                }
                            }
                        }
                        Set<String> set2 = this.caHasProfiles.get(str);
                        if (CollectionUtil.isNotEmpty(set2)) {
                            hashSet3.addAll(set2);
                            ca.setProfiles(new ArrayList(set2));
                        }
                        Set<String> set3 = this.caHasPublishers.get(str);
                        if (CollectionUtil.isNotEmpty(set3)) {
                            hashSet4.addAll(set3);
                            ca.setPublishers(new ArrayList(set3));
                        }
                        CaConfType.CaInfo caInfo = new CaConfType.CaInfo();
                        ca.setCaInfo(caInfo);
                        MgmtEntry.Ca caEntry = this.x509cas.get(str).getCaInfo().getCaEntry();
                        CaUris caUris = caEntry.getCaUris();
                        if (caUris != null) {
                            CaConfType.CaUris caUris2 = new CaConfType.CaUris();
                            caUris2.setCacertUris(caUris.getCacertUris());
                            caUris2.setOcspUris(caUris.getOcspUris());
                            caUris2.setCrlUris(caUris.getCrlUris());
                            caUris2.setDeltacrlUris(caUris.getDeltaCrlUris());
                            caInfo.setCaUris(caUris2);
                        }
                        try {
                            caInfo.setCert(createFileOrBinary(zipOutputStream, caEntry.getCert().getEncoded(), concat("files/ca-", str, "-cert.der")));
                            List certchain = caEntry.getCertchain();
                            if (CollectionUtil.isNotEmpty(certchain)) {
                                LinkedList linkedList3 = new LinkedList();
                                for (int i = 0; i < certchain.size(); i++) {
                                    try {
                                        linkedList3.add(createFileOrBinary(zipOutputStream, ((X509Certificate) certchain.get(i)).getEncoded(), concat("files/ca-", str, "-certchain-" + i + ".der")));
                                    } catch (CertificateEncodingException e) {
                                        throw new CaMgmtException(concat("could not encode CA certchain [", Integer.toString(i), "] of CA", str));
                                    }
                                }
                                caInfo.setCertchain(linkedList3);
                            }
                            if (caEntry.getCmpControl() != null) {
                                caInfo.setCmpControl(new HashMap(new ConfPairs(caEntry.getCmpControl().getConf()).asMap()));
                            }
                            if (caEntry.getCmpResponderName() != null) {
                                hashSet.add(caEntry.getCmpResponderName());
                                caInfo.setCmpResponderName(caEntry.getCmpResponderName());
                            }
                            if (caEntry.getCrlControl() != null) {
                                caInfo.setCrlControl(new HashMap(new ConfPairs(caEntry.getCrlControl().getConf()).asMap()));
                            }
                            if (caEntry.getCrlSignerName() != null) {
                                hashSet5.add(caEntry.getCrlSignerName());
                                caInfo.setCrlSignerName(caEntry.getCrlSignerName());
                            }
                            if (caEntry.getCtlogControl() != null) {
                                caInfo.setCtlogControl(new HashMap(new ConfPairs(caEntry.getCtlogControl().getConf()).asMap()));
                            }
                            if (caEntry.getDhpocControl() != null) {
                                caInfo.setDhpocControl(createFileOrValue(zipOutputStream, caEntry.getDhpocControl(), concat("files/ca-", str, "-dhpoc.conf")));
                            }
                            caInfo.setDuplicateKey(caEntry.isDuplicateKeyPermitted());
                            caInfo.setDuplicateSubject(caEntry.isDuplicateSubjectPermitted());
                            caInfo.setExpirationPeriod(Integer.valueOf(caEntry.getExpirationPeriod()));
                            if (caEntry.getExtraControl() != null) {
                                caInfo.setExtraControl(caEntry.getExtraControl().asMap());
                            }
                            caInfo.setKeepExpiredCertDays(Integer.valueOf(caEntry.getKeepExpiredCertInDays()));
                            caInfo.setMaxValidity(caEntry.getMaxValidity().toString());
                            caInfo.setNextCrlNo(caEntry.getNextCrlNumber());
                            caInfo.setNumCrls(Integer.valueOf(caEntry.getNumCrls()));
                            caInfo.setPermissions(getPermissions(caEntry.getPermission()));
                            caInfo.setProtocolSupport(StringUtil.splitAsSet(caEntry.getProtocoSupport().getEncoded(), ","));
                            if (caEntry.getRevokeSuspendedControl() != null) {
                                caInfo.setRevokeSuspendedControl(new HashMap(new ConfPairs(caEntry.getRevokeSuspendedControl().getConf()).asMap()));
                            }
                            caInfo.setSaveReq(caEntry.isSaveRequest());
                            if (caEntry.getScepControl() != null) {
                                caInfo.setScepControl(new HashMap(new ConfPairs(caEntry.getScepControl().getConf()).asMap()));
                            }
                            if (caEntry.getScepResponderName() != null) {
                                hashSet.add(caEntry.getScepResponderName());
                                caInfo.setScepResponderName(caEntry.getScepResponderName());
                            }
                            caInfo.setSignerConf(createFileOrValue(zipOutputStream, caEntry.getSignerConf(), concat("files/ca-", str, "-signerconf.conf")));
                            caInfo.setSignerType(caEntry.getSignerType());
                            caInfo.setSnSize(caEntry.getSerialNoBitLen());
                            caInfo.setStatus(caEntry.getStatus().getStatus());
                            caInfo.setValidityMode(caEntry.getValidityMode().name());
                            linkedList2.add(ca);
                        } catch (CertificateEncodingException e2) {
                            throw new CaMgmtException(concat("could not encode CA certificate ", str));
                        }
                    }
                }
                if (!linkedList2.isEmpty()) {
                    caSystem.setCas(linkedList2);
                }
            }
            if (linkedList.isEmpty()) {
                caSystem.setUsers((List) null);
            }
            if (CollectionUtil.isNotEmpty(this.requestorDbEntries)) {
                LinkedList linkedList4 = new LinkedList();
                for (String str2 : this.requestorDbEntries.keySet()) {
                    if (hashSet2.contains(str2)) {
                        MgmtEntry.Requestor requestor = this.requestorDbEntries.get(str2);
                        CaConfType.Requestor requestor2 = new CaConfType.Requestor();
                        requestor2.setName(str2);
                        requestor2.setType(requestor.getType());
                        if ("cert".equalsIgnoreCase(requestor.getType())) {
                            requestor2.setBinaryConf(createFileOrBinary(zipOutputStream, Base64.decode(requestor.getConf()), concat("files/requestor-", str2, ".der")));
                        } else {
                            requestor2.setConf(createFileOrValue(zipOutputStream, requestor.getConf(), concat("files/requestor-", str2, ".conf")));
                        }
                        linkedList4.add(requestor2);
                    }
                }
                if (!linkedList4.isEmpty()) {
                    caSystem.setRequestors(linkedList4);
                }
            }
            if (CollectionUtil.isNotEmpty(this.publisherDbEntries)) {
                LinkedList linkedList5 = new LinkedList();
                for (String str3 : this.publisherDbEntries.keySet()) {
                    if (hashSet4.contains(str3)) {
                        MgmtEntry.Publisher publisher = this.publisherDbEntries.get(str3);
                        CaConfType.NameTypeConf nameTypeConf = new CaConfType.NameTypeConf();
                        nameTypeConf.setName(str3);
                        nameTypeConf.setType(publisher.getType());
                        nameTypeConf.setConf(createFileOrValue(zipOutputStream, publisher.getConf(), concat("files/publisher-", str3, ".conf")));
                        linkedList5.add(nameTypeConf);
                    }
                }
                if (!linkedList5.isEmpty()) {
                    caSystem.setPublishers(linkedList5);
                }
            }
            if (CollectionUtil.isNotEmpty(this.certprofileDbEntries)) {
                LinkedList linkedList6 = new LinkedList();
                for (String str4 : this.certprofileDbEntries.keySet()) {
                    if (hashSet3.contains(str4)) {
                        MgmtEntry.Certprofile certprofile = this.certprofileDbEntries.get(str4);
                        CaConfType.NameTypeConf nameTypeConf2 = new CaConfType.NameTypeConf();
                        nameTypeConf2.setName(str4);
                        nameTypeConf2.setType(certprofile.getType());
                        nameTypeConf2.setConf(createFileOrValue(zipOutputStream, certprofile.getConf(), concat("files/certprofile-", str4, ".conf")));
                        linkedList6.add(nameTypeConf2);
                    }
                }
                if (!linkedList6.isEmpty()) {
                    caSystem.setProfiles(linkedList6);
                }
            }
            if (CollectionUtil.isNotEmpty(this.signerDbEntries)) {
                LinkedList linkedList7 = new LinkedList();
                for (String str5 : this.signerDbEntries.keySet()) {
                    if (hashSet.contains(str5)) {
                        MgmtEntry.Signer signer = this.signerDbEntries.get(str5);
                        CaConfType.Signer signer2 = new CaConfType.Signer();
                        signer2.setName(str5);
                        signer2.setType(signer.getType());
                        signer2.setConf(createFileOrValue(zipOutputStream, signer.getConf(), concat("files/signer-", str5, ".conf")));
                        signer2.setCert(createFileOrBase64Value(zipOutputStream, signer.getBase64Cert(), concat("files/signer-", str5, ".der")));
                        linkedList7.add(signer2);
                    }
                }
                if (!linkedList7.isEmpty()) {
                    caSystem.setSigners(linkedList7);
                }
            }
            ByteArrayOutputStream byteArrayOutputStream2 = new ByteArrayOutputStream();
            try {
                try {
                    caSystem.validate();
                    JSON.writeJSONString(byteArrayOutputStream2, caSystem, new SerializerFeature[]{SerializerFeature.PrettyFormat});
                    byteArrayOutputStream2.flush();
                    zipOutputStream.putNextEntry(new ZipEntry("caconf.json"));
                    try {
                        zipOutputStream.write(byteArrayOutputStream2.toByteArray());
                        zipOutputStream.closeEntry();
                        return new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
                    } catch (Throwable th) {
                        zipOutputStream.closeEntry();
                        throw th;
                    }
                } catch (Throwable th2) {
                    byteArrayOutputStream2.flush();
                    throw th2;
                }
            } catch (InvalidConfException e3) {
                LogUtil.error(LOG, e3, "could not marshal CAConf");
                throw new CaMgmtException(concat("could not marshal CAConf: ", e3.getMessage()), e3);
            }
        } finally {
            zipOutputStream.flush();
            zipOutputStream.close();
        }
    }

    private static FileOrValue createFileOrValue(ZipOutputStream zipOutputStream, String str, String str2) throws IOException {
        if (StringUtil.isBlank(str)) {
            return null;
        }
        FileOrValue fileOrValue = new FileOrValue();
        if (str.length() < 256) {
            fileOrValue.setValue(str);
        } else {
            fileOrValue.setFile(str2);
            zipOutputStream.putNextEntry(new ZipEntry(str2));
            try {
                zipOutputStream.write(StringUtil.toUtf8Bytes(str));
                zipOutputStream.closeEntry();
            } catch (Throwable th) {
                zipOutputStream.closeEntry();
                throw th;
            }
        }
        return fileOrValue;
    }

    private static FileOrBinary createFileOrBase64Value(ZipOutputStream zipOutputStream, String str, String str2) throws IOException {
        if (StringUtil.isBlank(str)) {
            return null;
        }
        return createFileOrBinary(zipOutputStream, Base64.decode(str), str2);
    }

    private static FileOrBinary createFileOrBinary(ZipOutputStream zipOutputStream, byte[] bArr, String str) throws IOException {
        if (bArr == null || bArr.length == 0) {
            return null;
        }
        FileOrBinary fileOrBinary = new FileOrBinary();
        if (bArr.length < 256) {
            fileOrBinary.setBinary(bArr);
        } else {
            fileOrBinary.setFile(str);
            zipOutputStream.putNextEntry(new ZipEntry(str));
            try {
                zipOutputStream.write(bArr);
                zipOutputStream.closeEntry();
            } catch (Throwable th) {
                zipOutputStream.closeEntry();
                throw th;
            }
        }
        return fileOrBinary;
    }

    public RestResponder getRestResponder() {
        return this.restResponder;
    }

    private static String concat(String str, String... strArr) {
        return StringUtil.concat(str, strArr);
    }

    private static CaMgmtException logAndCreateException(String str) {
        LOG.error(str);
        return new CaMgmtException(str);
    }

    private static List<String> getPermissions(int i) {
        LinkedList linkedList = new LinkedList();
        if (511 == i) {
            linkedList.add(PermissionConstants.getTextForCode(i));
        } else {
            for (Integer num : PermissionConstants.getPermissions()) {
                if ((i & num.intValue()) != 0) {
                    linkedList.add(PermissionConstants.getTextForCode(num.intValue()));
                }
            }
        }
        return linkedList;
    }
}
