package org.xipki.ca.server;

import java.io.Closeable;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Random;
import java.util.Set;
import java.util.TimeZone;
import java.util.concurrent.ConcurrentSkipListSet;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.pkcs.RSAPrivateKey;
import org.bouncycastle.asn1.sec.ECPrivateKey;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
import org.bouncycastle.asn1.x509.ReasonFlags;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.Time;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.crypto.RuntimeCryptoException;
import org.bouncycastle.operator.ContentSigner;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.audit.AuditLevel;
import org.xipki.audit.AuditService;
import org.xipki.audit.AuditStatus;
import org.xipki.audit.Audits;
import org.xipki.ca.api.BadCertTemplateException;
import org.xipki.ca.api.BadFormatException;
import org.xipki.ca.api.CertWithDbId;
import org.xipki.ca.api.CertificateInfo;
import org.xipki.ca.api.NameId;
import org.xipki.ca.api.OperationException;
import org.xipki.ca.api.PublicCaInfo;
import org.xipki.ca.api.RequestType;
import org.xipki.ca.api.mgmt.CaMgmtException;
import org.xipki.ca.api.mgmt.CaStatus;
import org.xipki.ca.api.mgmt.CertListInfo;
import org.xipki.ca.api.mgmt.CertListOrderBy;
import org.xipki.ca.api.mgmt.CertWithRevocationInfo;
import org.xipki.ca.api.mgmt.CmpControl;
import org.xipki.ca.api.mgmt.CrlControl;
import org.xipki.ca.api.mgmt.MgmtEntry;
import org.xipki.ca.api.mgmt.RequestorInfo;
import org.xipki.ca.api.mgmt.ValidityMode;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.api.profile.ExtensionValue;
import org.xipki.ca.api.profile.ExtensionValues;
import org.xipki.ca.api.profile.KeypairGenControl;
import org.xipki.ca.server.CaAuditConstants;
import org.xipki.ca.server.CertStore;
import org.xipki.security.CertRevocationInfo;
import org.xipki.security.ConcurrentBagEntrySigner;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.CrlReason;
import org.xipki.security.CtLog;
import org.xipki.security.EdECConstants;
import org.xipki.security.FpIdCalculator;
import org.xipki.security.KeyUsage;
import org.xipki.security.NoIdleSignerException;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.X509Cert;
import org.xipki.security.XiSecurityException;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.RSABrokenKey;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.CompareUtil;
import org.xipki.util.DateUtil;
import org.xipki.util.HealthCheckResult;
import org.xipki.util.LogUtil;
import org.xipki.util.StringUtil;
import org.xipki.util.TripleState;
import org.xipki.util.Validity;

/* loaded from: input_file:org/xipki/ca/server/X509Ca.class */
public class X509Ca implements Closeable {
    // Time-unit helpers; all values are milliseconds unless the name says otherwise.
    private static final long MS_PER_SECOND = 1000;
    private static final long MS_PER_MINUTE = 60000;
    // NOTE(review): 300000 ms is 5 minutes, not 10. The name is misleading; check the call
    // sites (outside this excerpt) before relying on the name rather than the value.
    private static final long MS_PER_10MINUTES = 300000;
    private static final long MS_PER_HOUR = 3600000;
    private static final int MINUTE_PER_DAY = 1440;
    private static final long MS_PER_DAY = 86400000;
    private static final long MS_PER_WEEK = 604800000;
    // 253402300799 s since the epoch is 9999-12-31T23:59:59Z, the largest notAfter a
    // certificate can carry (RFC 5280 uses 99991231235959Z as "no well-defined expiry").
    private static final long MAX_CERT_TIME_MS = 253402300799982L;
    private final CaInfo caInfo;
    private final NameId caIdent;
    private final X509Cert caCert;
    // May be null: not validated in the constructor.
    private final CtLogClient ctlogClient;
    // Keypair-generation parameters derived from the CA's own key (see the constructor);
    // null when the CA key algorithm is not RSA, EC, DSA or EdDSA.
    private final KeypairGenControl keypairGenControlByImplictCA;
    private final CertStore certstore;
    private final CaIdNameMap caIdNameMap;
    // Only a master-mode instance runs the periodic maintenance tasks below.
    private final boolean masterMode;
    private final CaManagerImpl caManager;
    private ScheduledFuture<?> crlGenerationService;
    private ScheduledFuture<?> expiredCertsRemover;
    private ScheduledFuture<?> suspendedCertsRevoker;
    private static final TimeZone TIMEZONE_UTC = TimeZone.getTimeZone("UTC");
    private static final Logger LOG = LoggerFactory.getLogger(X509Ca.class);
    // Not used in this excerpt; presumably feeds serial-number / nonce generation further
    // down — confirm before repurposing.
    private SecureRandom random = new SecureRandom();
    // Shared between the scheduled CrlGenerationService and generateCrlOnDemand(): at most
    // one CRL generation may run at a time. Claim it atomically (compareAndSet) rather than
    // with a separate get() and set(true), otherwise two callers can both win.
    private AtomicBoolean crlGenInProcess = new AtomicBoolean(false);
    // Fingerprints (long) of public keys / subjects whose issuance is in flight — presumably
    // used to reject duplicate concurrent requests; the use sites are outside this excerpt.
    private final ConcurrentSkipListSet<Long> publicKeyCertsInProcess = new ConcurrentSkipListSet<>();
    private final ConcurrentSkipListSet<Long> subjectCertsInProcess = new ConcurrentSkipListSet<>();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.xipki.ca.server.X509Ca$1, reason: invalid class name */
    /* loaded from: input_file:org/xipki/ca/server/X509Ca$1.class */
    /**
     * Decompiler reconstruction of the synthetic {@code $SwitchMap$} holder that javac emits
     * for {@code switch} statements over enums. Each array maps an enum ordinal to the case
     * label used in the compiled switch. The per-constant {@code try}/{@code catch} of
     * {@link NoSuchFieldError} is the standard javac pattern: if a constant is removed from
     * the enum in a later build of the dependency, class initialisation still succeeds and
     * only that case becomes unreachable. This class carries no logic of its own; do not
     * edit it by hand — it will be regenerated from the {@code switch} statements.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xipki$util$TripleState;
        static final /* synthetic */ int[] $SwitchMap$org$xipki$security$CrlReason;
        static final /* synthetic */ int[] $SwitchMap$org$xipki$util$Validity$Unit = new int[Validity.Unit.values().length];

        static {
            // Validity.Unit -> case labels 1..5
            try {
                $SwitchMap$org$xipki$util$Validity$Unit[Validity.Unit.MINUTE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$xipki$util$Validity$Unit[Validity.Unit.HOUR.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$xipki$util$Validity$Unit[Validity.Unit.DAY.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$xipki$util$Validity$Unit[Validity.Unit.WEEK.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$xipki$util$Validity$Unit[Validity.Unit.YEAR.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            // CrlReason -> case labels 1..10
            $SwitchMap$org$xipki$security$CrlReason = new int[CrlReason.values().length];
            try {
                $SwitchMap$org$xipki$security$CrlReason[CrlReason.CA_COMPROMISE.ordinal()] = 1;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$xipki$security$CrlReason[CrlReason.AA_COMPROMISE.ordinal()] = 2;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$xipki$security$CrlReason[CrlReason.REMOVE_FROM_CRL.ordinal()] = 3;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$xipki$security$CrlReason[CrlReason.UNSPECIFIED.ordinal()] = 4;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$xipki$security$CrlReason[CrlReason.KEY_COMPROMISE.ordinal()] = 5;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$org$xipki$security$CrlReason[CrlReason.AFFILIATION_CHANGED.ordinal()] = 6;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$org$xipki$security$CrlReason[CrlReason.SUPERSEDED.ordinal()] = 7;
            } catch (NoSuchFieldError e12) {
            }
            try {
                $SwitchMap$org$xipki$security$CrlReason[CrlReason.CESSATION_OF_OPERATION.ordinal()] = 8;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$org$xipki$security$CrlReason[CrlReason.CERTIFICATE_HOLD.ordinal()] = 9;
            } catch (NoSuchFieldError e14) {
            }
            try {
                $SwitchMap$org$xipki$security$CrlReason[CrlReason.PRIVILEGE_WITHDRAWN.ordinal()] = 10;
            } catch (NoSuchFieldError e15) {
            }
            // TripleState -> case labels 1..3
            $SwitchMap$org$xipki$util$TripleState = new int[TripleState.values().length];
            try {
                $SwitchMap$org$xipki$util$TripleState[TripleState.forbidden.ordinal()] = 1;
            } catch (NoSuchFieldError e16) {
            }
            try {
                $SwitchMap$org$xipki$util$TripleState[TripleState.optional.ordinal()] = 2;
            } catch (NoSuchFieldError e17) {
            }
            try {
                $SwitchMap$org$xipki$util$TripleState[TripleState.required.ordinal()] = 3;
            } catch (NoSuchFieldError e18) {
            }
        }
    }

    /* loaded from: input_file:org/xipki/ca/server/X509Ca$CrlGenerationService.class */
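    /**
     * Periodic task that issues a full or delta CRL when the configured interval has
     * elapsed. Scheduled from the constructor (master mode only).
     */
    private class CrlGenerationService implements Runnable {
        private CrlGenerationService() {
        }

        /**
         * Entry point for the scheduler. Does nothing when CRL generation is disabled for
         * this CA (no {@link CrlControl}) or another generation is already running.
         */
        @Override // java.lang.Runnable
        public void run() {
            if (X509Ca.this.caInfo.getCrlControl() == null) {
                return;
            }
            // Claim the generation slot atomically. The slot is shared with
            // generateCrlOnDemand(); a separate get() followed by set(true) lets both callers
            // pass the check and generate two CRLs concurrently.
            if (!X509Ca.this.crlGenInProcess.compareAndSet(false, true)) {
                return;
            }
            try {
                run0();
            } catch (Throwable th) {
                LogUtil.error(X509Ca.LOG, th);
            } finally {
                X509Ca.this.crlGenInProcess.set(false);
            }
        }

        /**
         * Decides whether a full or delta CRL is due and generates it. Never throws for a
         * failed generation — errors are logged so the next scheduled run can retry.
         *
         * @throws OperationException declared for the call chain; generation errors are
         *     caught and logged internally
         */
        private void run0() throws OperationException {
            CrlControl control = X509Ca.this.caInfo.getCrlControl();
            // thisUpdate of the current full CRL in seconds since the epoch; 0 when none exists.
            long fullCrlThisUpdate = X509Ca.this.certstore.getThisUpdateOfCurrentCrl(X509Ca.this.caIdent, false);
            Date now = new Date();

            boolean fullCrlDue;
            if (fullCrlThisUpdate == 0) {
                fullCrlDue = true;
            } else {
                Date lastScheduled = X509Ca.this.getScheduledCrlGenTimeNotAfter(new Date(fullCrlThisUpdate * MS_PER_SECOND));
                Date nextFullCrl = new Date(lastScheduled.getTime() + control.getFullCrlIntervals() * MS_PER_DAY);
                fullCrlDue = !nextFullCrl.after(now);
            }

            // A delta CRL is only considered when delta CRLs are enabled and no full CRL is due.
            boolean deltaCrlDue = false;
            if (control.getDeltaCrlIntervals() > 0 && !fullCrlDue) {
                long deltaCrlThisUpdate = X509Ca.this.certstore.getThisUpdateOfCurrentCrl(X509Ca.this.caIdent, true);
                long latestThisUpdate = Math.max(deltaCrlThisUpdate, fullCrlThisUpdate);
                Date lastScheduled = X509Ca.this.getScheduledCrlGenTimeNotAfter(new Date(latestThisUpdate * MS_PER_SECOND));
                Date nextDeltaCrl = new Date(lastScheduled.getTime() + control.getDeltaCrlIntervals() * MS_PER_DAY);
                deltaCrlDue = !nextDeltaCrl.after(now);
            }

            if (!fullCrlDue && !deltaCrlDue) {
                X509Ca.LOG.info("No CRL is needed to be created");
                return;
            }

            // nextUpdate = scheduled time + interval + overlap. With extendedNextUpdate (or no
            // delta CRLs) a full CRL is valid for the full interval, otherwise only until the
            // next delta CRL is expected.
            long intervalDays;
            if (deltaCrlDue) {
                intervalDays = control.getDeltaCrlIntervals();
            } else if (control.isExtendedNextUpdate() || control.getDeltaCrlIntervals() <= 0) {
                intervalDays = control.getFullCrlIntervals();
            } else {
                intervalDays = control.getDeltaCrlIntervals();
            }
            Date nextUpdate = new Date(X509Ca.this.getScheduledCrlGenTimeNotAfter(now).getTime()
                    + intervalDays * MS_PER_DAY
                    + control.getOverlapMinutes() * MS_PER_MINUTE);

            try {
                // Remember the cache high-water mark before generating so that entries added
                // during generation survive the clear below.
                long maxIdOfDeltaCrlCache = X509Ca.this.certstore.getMaxIdOfDeltaCrlCache(X509Ca.this.caIdent);
                X509Ca.this.generateCrl(deltaCrlDue, now, nextUpdate, CaAuditConstants.MSGID_ca_routine);
                try {
                    X509Ca.this.certstore.clearDeltaCrlCache(X509Ca.this.caIdent, maxIdOfDeltaCrlCache);
                } catch (Throwable th) {
                    LogUtil.error(X509Ca.LOG, th, "could not clear DeltaCRLCache of CA " + X509Ca.this.caIdent);
                }
            } catch (Throwable th2) {
                LogUtil.error(X509Ca.LOG, th2);
            }
        }

        /* synthetic */ CrlGenerationService(X509Ca x509Ca, AnonymousClass1 anonymousClass1) {
            this();
        }
    }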

    /* loaded from: input_file:org/xipki/ca/server/X509Ca$ExpiredCertsRemover.class */
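    /**
     * Daily task that purges certificates which expired longer ago than the CA's
     * {@code keepExpiredCertInDays} retention window. Scheduled from the constructor
     * (master mode only); a negative retention disables the purge.
     */
    private class ExpiredCertsRemover implements Runnable {
        // Re-entrancy guard. ScheduledExecutorService never overlaps executions of the same
        // periodic task, so a plain field is sufficient here.
        private boolean inProcess;

        private ExpiredCertsRemover() {
        }

        @Override // java.lang.Runnable
        public void run() {
            int keepDays = X509Ca.this.caInfo.getKeepExpiredCertInDays();
            if (keepDays < 0 || this.inProcess) {
                return;
            }
            this.inProcess = true;
            // Everything that expired before this instant is older than the retention window
            // (keepDays + 1 so that a partial day is never counted as a full one).
            Date expiredBefore = new Date(System.currentTimeMillis() - (MS_PER_DAY * (keepDays + 1)));
            try {
                int removed = X509Ca.this.removeExpirtedCerts(expiredBefore, CaAuditConstants.MSGID_ca_routine);
                X509Ca.LOG.info("removed {} certificates expired at {}", Integer.valueOf(removed), expiredBefore.toString());
            } catch (Throwable th) {
                LogUtil.error(X509Ca.LOG, th, "could not remove expired certificates");
            } finally {
                this.inProcess = false;
            }
        }

        /* synthetic */ ExpiredCertsRemover(X509Ca x509Ca, AnonymousClass1 anonymousClass1) {
            this();
        }
    }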

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/xipki/ca/server/X509Ca$GrantedCertTemplate.class */
    /**
     * Everything that has been decided about a certificate before it is built and signed:
     * the profile, validity, subject, public key and extensions, plus the signer to use.
     * Holds a {@link PrivateKeyInfo} when one was supplied — presumably the CA generated the
     * keypair on the requester's behalf — so instances must never be logged or serialised.
     */
    public static class GrantedCertTemplate {
        // ---- fixed at construction ----
        private final ConcurrentContentSigner signer;
        private final Extensions extensions;
        private final IdentifiedCertprofile certprofile;
        private final Date grantedNotBefore;
        private final Date grantedNotAfter;
        private final X500Name requestedSubject;
        private final SubjectPublicKeyInfo grantedPublicKey;
        private final PrivateKeyInfo privateKey;
        private final byte[] grantedPublicKeyData;
        private final long fpPublicKey;
        private final String warning;
        // ---- settled later through setGrantedSubject() ----
        private X500Name grantedSubject;
        private String grantedSubjectText;
        private long fpSubject;

        /**
         * @param extensions extensions to put into the certificate
         * @param certprofile profile the request was granted under
         * @param notBefore granted notBefore
         * @param notAfter granted notAfter
         * @param requestedSubject subject as requested (the granted one is set later)
         * @param publicKey granted public key
         * @param fpPublicKey fingerprint of the granted public key
         * @param privateKey matching private key, or null
         * @param publicKeyData encoded form of the granted public key
         * @param signer signer to sign the certificate with
         * @param warning warning text to report back, or null
         */
        public GrantedCertTemplate(Extensions extensions, IdentifiedCertprofile certprofile, Date notBefore, Date notAfter, X500Name requestedSubject, SubjectPublicKeyInfo publicKey, long fpPublicKey, PrivateKeyInfo privateKey, byte[] publicKeyData, ConcurrentContentSigner signer, String warning) {
            this.signer = signer;
            this.certprofile = certprofile;
            this.extensions = extensions;
            this.requestedSubject = requestedSubject;
            this.grantedNotBefore = notBefore;
            this.grantedNotAfter = notAfter;
            this.grantedPublicKey = publicKey;
            this.grantedPublicKeyData = publicKeyData;
            this.fpPublicKey = fpPublicKey;
            this.privateKey = privateKey;
            this.warning = warning;
        }

        /**
         * Records the subject finally granted, together with its RFC 4519 text form and the
         * fingerprint of its canonicalised form.
         */
        public void setGrantedSubject(X500Name subject) {
            grantedSubject = subject;
            grantedSubjectText = X509Util.getRfc4519Name(subject);
            fpSubject = X509Util.fpCanonicalizedName(subject);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/xipki/ca/server/X509Ca$OperationExceptionWithIndex.class */
    /**
     * An {@link OperationException} tagged with the position of the failing item, so a
     * caller processing several requests at once can report which one failed.
     */
    public static class OperationExceptionWithIndex extends OperationException {
        private static final long serialVersionUID = 1;

        /** Position of the failing item; presumably zero-based, as assigned by the caller. */
        private final int index;

        /**
         * Copies error code and message of {@code operationException}. Note that the original
         * exception is not chained as the cause, so its stack trace is lost.
         */
        public OperationExceptionWithIndex(int i, OperationException operationException) {
            super(operationException.getErrorCode(), operationException.getMessage());
            index = i;
        }

        public int getIndex() {
            return index;
        }
    }

    /* loaded from: input_file:org/xipki/ca/server/X509Ca$SuspendedCertsRevoker.class */
    /**
     * Hourly task that turns certificates held in suspension (certificateHold) into
     * permanent revocations once the CA's revoke-suspended control says so. Scheduled from
     * the constructor (master mode only); inactive when no control is configured.
     */
    private class SuspendedCertsRevoker implements Runnable {
        // Re-entrancy guard; the scheduler never overlaps runs of the same periodic task.
        private boolean inProcess;

        private SuspendedCertsRevoker() {
        }

        @Override // java.lang.Runnable
        public void run() {
            boolean enabled = X509Ca.this.caInfo.revokeSuspendedCertsControl() != null;
            if (!enabled || this.inProcess) {
                return;
            }
            this.inProcess = true;
            try {
                X509Ca.LOG.debug("revoking suspended certificates");
                int count = X509Ca.this.revokeSuspendedCerts(CaAuditConstants.MSGID_ca_routine);
                Integer boxedCount = Integer.valueOf(count);
                // Only log at INFO when something actually happened; the common no-op case
                // would otherwise flood the log once per hour per CA.
                if (count != 0) {
                    X509Ca.LOG.info("revoked {} suspended certificates of CA '{}'", boxedCount, X509Ca.this.caIdent);
                } else {
                    X509Ca.LOG.debug("revoked {} suspended certificates of CA '{}'", boxedCount, X509Ca.this.caIdent);
                }
            } catch (Throwable th) {
                LogUtil.error(X509Ca.LOG, th, "could not revoke suspended certificates");
            } finally {
                this.inProcess = false;
            }
        }

        /* synthetic */ SuspendedCertsRevoker(X509Ca x509Ca, AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /**
     * Builds the runtime object for one CA. In order: derives the "implicit CA" keypair
     * generation control from the CA certificate's own key, initialises the DH-PoC control
     * and (if required) the CA signer, verifies the CRL signer carries the cRLSign key
     * usage, and — in master mode only — notifies the publishers and schedules the three
     * maintenance tasks (CRL generation, expired-cert removal, suspended-cert revocation).
     *
     * @param caManagerImpl owning manager (security factory, scheduler, id/name map)
     * @param caInfo static CA configuration
     * @param certStore certificate/CRL database for this CA
     * @param ctLogClient CT log client, may be null
     * @throws OperationException SYSTEM_FAILURE when the signer or DH-PoC control cannot be
     *     initialised, or when the CRL signer lacks the cRLSign key usage
     */
    public X509Ca(CaManagerImpl caManagerImpl, CaInfo caInfo, CertStore certStore, CtLogClient ctLogClient) throws OperationException {
        this.caManager = (CaManagerImpl) Args.notNull(caManagerImpl, "caManager");
        this.masterMode = caManagerImpl.isMasterMode();
        this.caIdNameMap = caManagerImpl.idNameMap();
        this.caInfo = (CaInfo) Args.notNull(caInfo, "caInfo");
        this.ctlogClient = ctLogClient;
        this.caIdent = caInfo.getIdent();
        this.caCert = caInfo.getCert();
        this.certstore = (CertStore) Args.notNull(certStore, "certstore");
        // Keypairs generated "by the CA" mirror the algorithm and parameters of the CA's own
        // key: RSA modulus length + public exponent, EC named curve, DSA (p, q, g), or the
        // EdDSA curve. Any other CA key algorithm leaves the control null.
        SubjectPublicKeyInfo subjectPublicKeyInfo = this.caCert.getCertHolder().getSubjectPublicKeyInfo();
        ASN1ObjectIdentifier algorithm = subjectPublicKeyInfo.getAlgorithm().getAlgorithm();
        if (algorithm.equals(PKCSObjectIdentifiers.rsaEncryption)) {
            RSAPublicKey rSAPublicKey = (RSAPublicKey) this.caCert.getCert().getPublicKey();
            this.keypairGenControlByImplictCA = new KeypairGenControl.RSAKeypairGenControl(rSAPublicKey.getModulus().bitLength(), rSAPublicKey.getPublicExponent(), algorithm);
        } else if (algorithm.equals(X9ObjectIdentifiers.id_ecPublicKey)) {
            // Assumes a named curve; explicit EC parameters would not parse as an OID.
            this.keypairGenControlByImplictCA = new KeypairGenControl.ECKeypairGenControl(ASN1ObjectIdentifier.getInstance(subjectPublicKeyInfo.getAlgorithm().getParameters()), algorithm);
        } else if (algorithm.equals(X9ObjectIdentifiers.id_dsa)) {
            // Dss-Parms ::= SEQUENCE { p, q, g } (RFC 3279)
            ASN1Sequence dERSequence = DERSequence.getInstance(subjectPublicKeyInfo.getAlgorithm().getParameters());
            this.keypairGenControlByImplictCA = new KeypairGenControl.DSAKeypairGenControl(ASN1Integer.getInstance(dERSequence.getObjectAt(0)).getValue(), ASN1Integer.getInstance(dERSequence.getObjectAt(1)).getValue(), ASN1Integer.getInstance(dERSequence.getObjectAt(2)).getValue(), algorithm);
        } else if (algorithm.equals(EdECConstants.id_Ed25519) || algorithm.equals(EdECConstants.id_Ed448)) {
            this.keypairGenControlByImplictCA = new KeypairGenControl.EDDSAKeypairGenControl(algorithm);
        } else {
            this.keypairGenControlByImplictCA = null;
        }
        try {
            caInfo.initDhpocControl(caManagerImpl.getSecurityFactory());
            if (caInfo.isSignerRequired()) {
                try {
                    caInfo.initSigner(caManagerImpl.getSecurityFactory());
                } catch (XiSecurityException e) {
                    // Signer failures get their own message; the outer handler covers the rest.
                    LogUtil.error(LOG, e, "security.createSigner caSigner for CA " + this.caIdent);
                    throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e);
                }
            }
            if (caInfo.getCrlControl() != null) {
                // Refuse to come up with a CRL signer (dedicated one, else the CA cert itself)
                // that is not authorised to sign CRLs; otherwise we would issue CRLs relying
                // parties must reject.
                if (!X509Util.hasKeyusage(caInfo.getCrlSignerName() != null ? getCrlSigner().getDbEntry().getCertificate() : this.caCert.getCert(), KeyUsage.cRLSign)) {
                    LOG.error("CRL signer does not have keyusage cRLSign");
                    throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, "CRL signer does not have keyusage cRLSign");
                }
            }
            if (this.masterMode) {
                Iterator<IdentifiedCertPublisher> it = publishers().iterator();
                while (it.hasNext()) {
                    it.next().caAdded(this.caCert);
                }
                // java.util.Random is fine here: the value is only a start-up jitter so that
                // many CAs do not all fire at the same instant, not a security value.
                Random random = new Random();
                ScheduledThreadPoolExecutor scheduledThreadPoolExecutor = caManagerImpl.getScheduledThreadPoolExecutor();
                // CRL check every minute, expired-cert purge daily, suspended-cert revocation hourly.
                this.crlGenerationService = scheduledThreadPoolExecutor.scheduleAtFixedRate(new CrlGenerationService(this, null), 60 + random.nextInt(60), 60L, TimeUnit.SECONDS);
                this.expiredCertsRemover = scheduledThreadPoolExecutor.scheduleAtFixedRate(new ExpiredCertsRemover(this, null), MINUTE_PER_DAY + random.nextInt(60), 1440L, TimeUnit.MINUTES);
                this.suspendedCertsRevoker = scheduledThreadPoolExecutor.scheduleAtFixedRate(new SuspendedCertsRevoker(this, null), random.nextInt(60), 60L, TimeUnit.MINUTES);
            }
        } catch (XiSecurityException e2) {
            // Reached for initDhpocControl (and anything else in the block that throws
            // XiSecurityException apart from initSigner, which is handled above).
            LogUtil.error(LOG, e2, "initDhpocControl for CA " + this.caIdent);
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e2);
        }
    }

    /** Returns the static configuration this CA was built from. */
    public CaInfo getCaInfo() {
        return caInfo;
    }

    /** Returns the CMP control of this CA, as held by {@link #getCaInfo()}. */
    public CmpControl getCmpControl() {
        return caInfo.getCmpControl();
    }

    /**
     * Looks up a certificate issued by this CA by serial number.
     *
     * @return the certificate, or null when this CA has no certificate with that serial
     */
    public X509Certificate getCert(BigInteger bigInteger) throws CertificateException, OperationException {
        CertificateInfo info = certstore.getCertInfo(caIdent, caCert, bigInteger, caIdNameMap);
        return info == null ? null : info.getCert().getCert();
    }

    /**
     * Looks up certificates by subject and key identifier ({@code bArr} is presumably the
     * SubjectKeyIdentifier; the store decides).
     * NOTE(review): unlike the other lookups in this class this call is not scoped to
     * {@code caIdent}, so it may return certificates issued by other CAs sharing the store —
     * confirm that is intended at the call sites.
     */
    public List<X509Certificate> getCert(X500Name x500Name, byte[] bArr) throws OperationException {
        List<X509Certificate> matches = certstore.getCert(x500Name, bArr);
        return matches;
    }

    /**
     * Tells whether this CA knows the given certificate: the issuer name must equal this
     * CA's subject (RFC 4519 string form), then the serial is looked up in the store.
     * This is a name + serial match only; the certificate's signature is not verified here.
     *
     * @return UNKNOWN when the issuer does not match, else the store's verdict for the serial
     */
    public CertStore.KnowCertResult knowsCert(X509Certificate x509Certificate) throws OperationException {
        Args.notNull(x509Certificate, "cert");
        String issuerName = X509Util.getRfc4519Name(x509Certificate.getIssuerX500Principal());
        if (!caInfo.getSubject().equals(issuerName)) {
            return CertStore.KnowCertResult.UNKNOWN;
        }
        return certstore.knowsCertForSerial(caIdent, x509Certificate.getSerialNumber());
    }

    /** Returns the certificate with the given serial together with its revocation status. */
    public CertWithRevocationInfo getCertWithRevocationInfo(BigInteger bigInteger) throws CertificateException, OperationException {
        int caId = caIdent.getId().intValue();
        return certstore.getCertWithRevocationInfo(caId, bigInteger, caIdNameMap);
    }

    /** Returns the stored (encoded) request that led to the certificate with this serial. */
    public byte[] getCertRequest(BigInteger bigInteger) throws OperationException {
        byte[] encodedRequest = certstore.getCertRequest(caIdent, bigInteger);
        return encodedRequest;
    }

    /**
     * Verifies a PKCS#10 request with this CA's settings: the CMP control's PoP-algorithm
     * validator and the CA's DH-PoC control are handed to {@code CaUtil.verifyCsr}, which
     * presumably performs the proof-of-possession check.
     */
    public boolean verifyCsr(CertificationRequest certificationRequest) {
        Args.notNull(certificationRequest, "csr");
        CmpControl cmpControl = getCmpControl();
        return CaUtil.verifyCsr(certificationRequest, caManager.getSecurityFactory(), cmpControl.getPopoAlgoValidator(), caInfo.getDhpocControl());
    }

    /**
     * Lists certificates of this CA matching the subject pattern and validity window.
     *
     * @param i maximum number of entries (passed through to the store)
     */
    public List<CertListInfo> listCerts(X500Name x500Name, Date date, Date date2, CertListOrderBy certListOrderBy, int i) throws OperationException {
        List<CertListInfo> entries = certstore.listCerts(caIdent, x500Name, date, date2, certListOrderBy, i);
        return entries;
    }

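    /**
     * Authenticates a user against the certificate store.
     *
     * @param str user name; normalised to lower case before the lookup
     * @param bArr credential bytes handed to the store (presumably the password)
     * @return the user's identity, or whatever the store returns when authentication fails
     */
    public NameId authenticateUser(String str, byte[] bArr) throws OperationException {
        Args.notNull(str, "user");
        // Locale-independent normalisation: with the JVM default locale (e.g. tr_TR) 'I'
        // lower-cases to a dotless 'ı', so the same user name would map to different store
        // keys depending on the server's locale.
        return this.certstore.authenticateUser(str.toLowerCase(Locale.ROOT), bArr);
    }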

    /**
     * Resolves a user id to its identity.
     *
     * @return the identity, or null when no user with that id exists
     */
    public NameId getUserIdent(int i) throws OperationException {
        String userName = certstore.getUsername(i);
        return userName == null ? null : new NameId(Integer.valueOf(i), userName);
    }

    /**
     * Builds the requestor info for a user of this CA.
     *
     * @return the requestor info, or null when the user is not associated with this CA
     */
    public RequestorInfo.ByUserRequestorInfo getByUserRequestor(NameId nameId) throws OperationException {
        MgmtEntry.CaHasUser association = certstore.getCaHasUser(caIdent, nameId);
        return association == null ? null : caManager.createByUserRequestor(association);
    }

    /** Returns the most recent CRL of this CA (a null CRL number means "current"). */
    public X509CRL getCurrentCrl() throws OperationException {
        BigInteger currentCrlNumber = null;
        return getCrl(currentCrlNumber);
    }

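    /**
     * Loads a CRL of this CA from the store and parses it.
     *
     * @param bigInteger CRL number, or null for the current CRL
     * @return the parsed CRL, or null when the store has no such CRL
     * @throws OperationException SYSTEM_FAILURE when the stored bytes cannot be parsed
     */
    public X509CRL getCrl(BigInteger bigInteger) throws OperationException {
        LOG.info("     START getCrl: ca={}, crlNumber={}", this.caIdent.getName(), bigInteger);
        boolean successful = false;
        try {
            byte[] encodedCrl = this.certstore.getEncodedCrl(this.caIdent, bigInteger);
            if (encodedCrl == null) {
                // "FAILED" is logged by the finally block, as for every non-successful exit.
                return null;
            }
            X509CRL crl;
            try {
                crl = X509Util.parseCrl(encodedCrl);
            } catch (CRLException | CertificateException | RuntimeException e) {
                throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e);
            }
            successful = true;
            if (LOG.isInfoEnabled()) {
                LOG.info("SUCCESSFUL getCrl: ca={}, thisUpdate={}", this.caIdent.getName(), new Time(crl.getThisUpdate()).getTime());
            }
            return crl;
        } finally {
            if (!successful) {
                LOG.info("    FAILED getCrl: ca={}", this.caIdent.getName());
            }
        }
    }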

    /** Returns the most recent CRL of this CA as a BouncyCastle {@link CertificateList}. */
    public CertificateList getBcCurrentCrl() throws OperationException {
        BigInteger currentCrlNumber = null;
        return getBcCrl(currentCrlNumber);
    }

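    /**
     * Loads a CRL of this CA from the store as a BouncyCastle {@link CertificateList}
     * (ASN.1 level, no JCA parsing). Log messages deliberately mirror {@link #getCrl}.
     *
     * @param bigInteger CRL number, or null for the current CRL
     * @return the CRL, or null when the store has no such CRL
     * @throws OperationException SYSTEM_FAILURE when the stored bytes cannot be decoded
     */
    public CertificateList getBcCrl(BigInteger bigInteger) throws OperationException {
        LOG.info("     START getCrl: ca={}, crlNumber={}", this.caIdent.getName(), bigInteger);
        boolean successful = false;
        try {
            byte[] encodedCrl = this.certstore.getEncodedCrl(this.caIdent, bigInteger);
            if (encodedCrl == null) {
                // "FAILED" is logged by the finally block, as for every non-successful exit.
                return null;
            }
            CertificateList crl;
            try {
                crl = CertificateList.getInstance(encodedCrl);
            } catch (RuntimeException e) {
                throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e);
            }
            successful = true;
            if (LOG.isInfoEnabled()) {
                LOG.info("SUCCESSFUL getCrl: ca={}, thisUpdate={}", this.caIdent.getName(), crl.getThisUpdate().getTime());
            }
            return crl;
        } finally {
            if (!successful) {
                LOG.info("    FAILED getCrl: ca={}", this.caIdent.getName());
            }
        }
    }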

    /**
     * Best-effort wrapper around {@link #cleanupCrls}: any failure is logged at WARN and
     * swallowed so that the surrounding operation is not affected.
     *
     * @param str audit message id, passed through
     */
    private void cleanupCrlsWithoutException(String str) throws OperationException {
        try {
            cleanupCrls(str);
        } catch (Throwable th) {
            String failureType = th.getClass().getName();
            LOG.warn("could not cleanup CRLs.{}: {}", failureType, th.getMessage());
        }
    }

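    /**
     * Deletes old CRLs so that at most {@code numCrls} remain, recording the outcome in an
     * audit event. A non-positive {@code numCrls} disables the cleanup (0 CRLs removed).
     *
     * @param str audit message id
     * @throws OperationException SYSTEM_FAILURE when the store fails
     */
    private void cleanupCrls(String str) throws OperationException {
        int numCrls = this.caInfo.getNumCrls();
        LOG.info("     START cleanupCrls: ca={}, numCrls={}", this.caIdent.getName(), Integer.valueOf(numCrls));
        AuditEvent auditEvent = newPerfAuditEvent(CaAuditConstants.TYPE_cleanup_crl, str);
        boolean successful = false;
        try {
            int removed = 0;
            if (numCrls > 0) {
                try {
                    removed = this.certstore.cleanupCrls(this.caIdent, numCrls);
                } catch (RuntimeException e) {
                    throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e);
                }
            }
            successful = true;
            auditEvent.addEventData(CaAuditConstants.NAME_num, Integer.valueOf(removed));
            LOG.info("SUCCESSFUL cleanupCrls: ca={}, num={}", this.caIdent.getName(), Integer.valueOf(removed));
        } finally {
            // The audit event is finished on every exit path so that no operation goes unrecorded.
            if (!successful) {
                LOG.info("    FAILED cleanupCrls: ca={}", this.caIdent.getName());
            }
            finish(auditEvent, successful);
        }
    }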

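    /**
     * Generates a full CRL now, outside the regular schedule.
     *
     * @param str audit message id
     * @return the new CRL, or null when {@link #generateCrl} produced none
     * @throws OperationException NOT_PERMITTED when CRL generation is not configured for this
     *     CA; SYSTEM_UNAVAILABLE ("TRY_LATER") when another CRL generation is running
     */
    public X509CRL generateCrlOnDemand(String str) throws OperationException {
        CrlControl crlControl = this.caInfo.getCrlControl();
        if (crlControl == null) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "CA could not generate CRL");
        }
        // Claim the generation slot atomically. The slot is shared with the scheduled
        // CrlGenerationService; a separate get() followed by set(true) lets both callers pass
        // the check and generate two CRLs concurrently.
        if (!this.crlGenInProcess.compareAndSet(false, true)) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_UNAVAILABLE, "TRY_LATER");
        }
        try {
            Date thisUpdate = new Date();
            // Same interval rule as the scheduled generator, but without the overlap minutes.
            long intervalDays = (crlControl.isExtendedNextUpdate() || crlControl.getDeltaCrlIntervals() <= 0)
                    ? crlControl.getFullCrlIntervals()
                    : crlControl.getDeltaCrlIntervals();
            Date nextUpdate = new Date(getScheduledCrlGenTimeNotAfter(thisUpdate).getTime() + intervalDays * MS_PER_DAY);
            // Remember the cache high-water mark before generating so that entries added
            // during generation survive the clear below.
            long maxIdOfDeltaCrlCache = this.certstore.getMaxIdOfDeltaCrlCache(this.caIdent);
            X509CRL crl = generateCrl(false, thisUpdate, nextUpdate, str);
            if (crl == null) {
                return null;
            }
            try {
                this.certstore.clearDeltaCrlCache(this.caIdent, maxIdOfDeltaCrlCache);
            } catch (Throwable th) {
                LogUtil.error(LOG, th, "could not clear DeltaCRLCache of CA " + this.caIdent);
            }
            return crl;
        } finally {
            this.crlGenInProcess.set(false);
        }
    }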

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Audited wrapper around {@link #generateCrl0}: opens a gen_crl audit event, runs the
     * generation and finishes the event as successful only if generation returned normally.
     * (Decompiler note: this method was originally {@code private}.)
     *
     * @param z     {@code true} for a delta CRL, {@code false} for a full CRL
     * @param date  thisUpdate
     * @param date2 nextUpdate, or {@code null}
     * @param str   message id for the audit event
     * @return the CRL produced by {@link #generateCrl0}
     * @throws OperationException propagated from {@link #generateCrl0}
     */
    public X509CRL generateCrl(boolean z, Date date, Date date2, String str) throws OperationException {
        AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_gen_crl, str);
        boolean generated = false;
        try {
            X509CRL crl = generateCrl0(z, date, date2, event, str);
            generated = true;
            finish(event, true);
            return crl;
        } catch (Throwable th) {
            // 'generated' is still false unless finish() itself threw after a successful generation.
            finish(event, generated);
            throw th;
        }
    }

    /**
     * Builds, signs and publishes one CRL (full or delta) for this CA.
     *
     * <p>Entries are read from the certstore in pages of 100 (revoked certificates for a
     * full CRL, the certstore's delta-CRL entries for a delta CRL), sorted and added to an
     * {@link X509v2CRLBuilder}. The authorityKeyIdentifier and cRLNumber extensions are
     * always added; issuingDistributionPoint (critical) when the CRL is scoped or indirect,
     * freshestCRL when delta CRLs are configured with URIs. The CRL is signed with the
     * dedicated CRL signer if one is configured, otherwise with the CA signer; the next
     * CRL number is committed and the CRL is handed to {@link #publishCrl}.
     *
     * @param z          {@code true} for a delta CRL, {@code false} for a full CRL
     * @param date       thisUpdate
     * @param date2      nextUpdate, or {@code null} for none
     * @param auditEvent audit event receiving crl_type, next_update and crl_number
     * @param str        message id, forwarded to the CRL cleanup after a full CRL
     * @return the signed CRL
     * @throws OperationException NOT_PERMITTED (no CRL control), CRL_FAILURE (nextUpdate
     *     too close to thisUpdate, or CRL conversion failed), INVALID_EXTENSION,
     *     SYSTEM_FAILURE (no idle signer)
     */
    private X509CRL generateCrl0(boolean z, Date date, Date date2, AuditEvent auditEvent, String str) throws OperationException {
        List<CertRevInfoWithSerial> certsForDeltaCrl;
        CrlControl crlControl = this.caInfo.getCrlControl();
        if (crlControl == null) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "CRL generation is not allowed");
        }
        LOG.info("     START generateCrl: ca={}, deltaCRL={}, nextUpdate={}", new Object[]{this.caIdent.getName(), Boolean.valueOf(z), date2});
        auditEvent.addEventData(CaAuditConstants.NAME_crl_type, z ? "DELTA_CRL" : "FULL_CRL");
        if (date2 == null) {
            auditEvent.addEventData(CaAuditConstants.NAME_next_update, "null");
        } else {
            auditEvent.addEventData(CaAuditConstants.NAME_next_update, DateUtil.toUtcTimeyyyyMMddhhmmss(date2));
            // Refuse a CRL whose validity window is shorter than 10 minutes (600000 ms).
            if (date2.getTime() - date.getTime() < 600000) {
                throw new OperationException(OperationException.ErrorCode.CRL_FAILURE, "nextUpdate and thisUpdate are too close");
            }
        }
        // Set only after the CRL has been signed, stored and published; drives the FAILED log below.
        boolean z2 = false;
        try {
            // A dedicated CRL signer (crlSigner != null) makes this an indirect CRL: the CRL
            // issuer name differs from the CA subject, so the first entry carries a
            // certificateIssuer extension and the IDP extension sets indirectCRL.
            SignerEntryWrapper crlSigner = getCrlSigner();
            PublicCaInfo publicCaInfo = this.caInfo.getPublicCaInfo();
            boolean z3 = crlSigner != null;
            X500Name subjectAsX500Name = z3 ? crlSigner.getSubjectAsX500Name() : publicCaInfo.getX500Subject();
            X509v2CRLBuilder x509v2CRLBuilder = new X509v2CRLBuilder(subjectAsX500Name, date);
            if (date2 != null) {
                x509v2CRLBuilder.setNextUpdate(date2);
            }
            // Expiry cutoff for the full CRL: epoch 0 (keep everything) when expired
            // certificates are to be included, else thisUpdate minus 10 minutes.
            Date date3 = crlControl.isIncludeExpiredCerts() ? new Date(0L) : new Date(date.getTime() - 600000);
            long j = 1;
            LinkedList<CertRevInfoWithSerial> linkedList = new LinkedList();
            // Page through the store 100 entries at a time, keyed by the entry id; the next
            // page starts after the largest id seen so far.
            do {
                certsForDeltaCrl = z ? this.certstore.getCertsForDeltaCrl(this.caIdent, j, 100, crlControl.isOnlyContainsCaCerts(), crlControl.isOnlyContainsUserCerts()) : this.certstore.getRevokedCerts(this.caIdent, date3, j, 100, crlControl.isOnlyContainsCaCerts(), crlControl.isOnlyContainsUserCerts());
                linkedList.addAll(certsForDeltaCrl);
                long j2 = 1;
                for (CertRevInfoWithSerial certRevInfoWithSerial : certsForDeltaCrl) {
                    if (certRevInfoWithSerial.getId() > j2) {
                        j2 = certRevInfoWithSerial.getId();
                    }
                }
                j = j2 + 1;
            } while (certsForDeltaCrl.size() >= 100);
            // Always non-null after the loop; the guard is decompiler residue.
            if (certsForDeltaCrl != null) {
                certsForDeltaCrl.clear();
            }
            Collections.sort(linkedList);
            boolean z4 = true;
            CrlControl crlControl2 = this.caInfo.getCrlControl();
            for (CertRevInfoWithSerial certRevInfoWithSerial2 : linkedList) {
                CrlReason reason = certRevInfoWithSerial2.getReason();
                // With excludeReason every reason except REMOVE_FROM_CRL is reported as UNSPECIFIED.
                if (crlControl2.isExcludeReason() && reason != CrlReason.REMOVE_FROM_CRL) {
                    reason = CrlReason.UNSPECIFIED;
                }
                Date revocationTime = certRevInfoWithSerial2.getRevocationTime();
                Date invalidityTime = certRevInfoWithSerial2.getInvalidityTime();
                // Switch on the TripleState ordinal through a synthetic map. The case labels
                // (PasswordHash.* constants) are decompiler substitutions for 1/2/3; which
                // TripleState constant each maps to is not visible here. Observed effect:
                // 1 = drop the invalidity date, 2 = keep it as stored, 3 = default it to the
                // revocation time when absent.
                switch (AnonymousClass1.$SwitchMap$org$xipki$util$TripleState[crlControl2.getInvalidityDateMode().ordinal()]) {
                    case PasswordHash.SALT_INDEX /* 1 */:
                        invalidityTime = null;
                        break;
                    case PasswordHash.PBKDF2_INDEX /* 2 */:
                        break;
                    case 3:
                        if (invalidityTime == null) {
                            invalidityTime = revocationTime;
                            break;
                        }
                        break;
                    default:
                        throw new IllegalStateException("unknown TripleState " + crlControl2.getInvalidityDateMode());
                }
                BigInteger serial = certRevInfoWithSerial2.getSerial();
                LOG.debug("added cert ca={} serial={} to CRL", this.caIdent, serial);
                if (z3 && z4) {
                    // Indirect CRL, first entry: add the certificateIssuer entry extension
                    // (which applies to the following entries as well) together with the
                    // reason and invalidity-date extensions.
                    ArrayList arrayList = new ArrayList(3);
                    if (reason != CrlReason.UNSPECIFIED) {
                        arrayList.add(createReasonExtension(reason.getCode()));
                    }
                    if (invalidityTime != null) {
                        arrayList.add(createInvalidityDateExtension(invalidityTime));
                    }
                    arrayList.add(createCertificateIssuerExtension(publicCaInfo.getX500Subject()));
                    x509v2CRLBuilder.addCRLEntry(serial, revocationTime, new Extensions((Extension[]) arrayList.toArray(new Extension[0])));
                    z4 = false;
                } else if (invalidityTime != null) {
                    x509v2CRLBuilder.addCRLEntry(serial, revocationTime, reason.getCode(), invalidityTime);
                } else {
                    x509v2CRLBuilder.addCRLEntry(serial, revocationTime, reason.getCode());
                }
            }
            linkedList.clear();
            BigInteger nextCrlNumber = this.caInfo.nextCrlNumber();
            auditEvent.addEventData(CaAuditConstants.NAME_crl_number, nextCrlNumber);
            boolean isOnlyContainsUserCerts = crlControl2.isOnlyContainsUserCerts();
            boolean isOnlyContainsCaCerts = crlControl2.isOnlyContainsCaCerts();
            if (isOnlyContainsUserCerts && isOnlyContainsCaCerts) {
                throw new IllegalStateException("should not reach here, onlyUserCerts and onlyCACerts are both true");
            }
            try {
                // AKI from the CRL signer's certificate (indirect CRL) or the CA's own SKI.
                x509v2CRLBuilder.addExtension(Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifier(z3 ? X509Util.extractSki(crlSigner.getSigner().getCertificate()) : publicCaInfo.getSubjectKeyIdentifer()));
                x509v2CRLBuilder.addExtension(Extension.cRLNumber, false, new ASN1Integer(nextCrlNumber));
                // issuingDistributionPoint is marked critical (scope/indirect flags must not be ignored by relying parties).
                if (isOnlyContainsUserCerts || isOnlyContainsCaCerts || z3) {
                    x509v2CRLBuilder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint((DistributionPointName) null, isOnlyContainsUserCerts, isOnlyContainsCaCerts, (ReasonFlags) null, z3, false));
                }
                List deltaCrlUris = publicCaInfo.getCaUris().getDeltaCrlUris();
                if (crlControl.getDeltaCrlIntervals() > 0 && CollectionUtil.isNotEmpty(deltaCrlUris)) {
                    x509v2CRLBuilder.addExtension(Extension.freshestCRL, false, CaUtil.createCrlDistributionPoints(deltaCrlUris, publicCaInfo.getX500Subject(), subjectAsX500Name));
                }
                addXipkiCertset(x509v2CRLBuilder, z, crlControl, date3, isOnlyContainsCaCerts, isOnlyContainsUserCerts);
                ConcurrentContentSigner signer = crlSigner == null ? this.caInfo.getSigner(null) : crlSigner.getSigner();
                try {
                    ConcurrentBagEntrySigner borrowSigner = signer.borrowSigner();
                    try {
                        X509CRLHolder build = x509v2CRLBuilder.build((ContentSigner) borrowSigner.value());
                        signer.requiteSigner(borrowSigner);
                        try {
                            X509CRL x509Crl = X509Util.toX509Crl(build.toASN1Structure());
                            // The CRL number is consumed and committed before the CRL is stored.
                            this.caInfo.getCaEntry().setNextCrlNumber(nextCrlNumber.longValue() + 1);
                            this.caManager.commitNextCrlNo(this.caIdent, this.caInfo.getCaEntry().getNextCrlNumber());
                            // NOTE(review): publishCrl() returns false when certstore.addCrl fails,
                            // but its result is discarded here, so the CRL is logged as SUCCESSFUL
                            // (and its number used up) even if it was never stored. Confirm against
                            // the original source whether this is intended.
                            publishCrl(x509Crl);
                            z2 = true;
                            LOG.info("SUCCESSFUL generateCrl: ca={}, crlNumber={}, thisUpdate={}", new Object[]{this.caIdent.getName(), nextCrlNumber, x509Crl.getThisUpdate()});
                            // Old CRLs are pruned only after a full CRL.
                            if (!z) {
                                cleanupCrlsWithoutException(str);
                            }
                            // Dead branch left by the decompiler.
                            if (1 == 0) {
                                LOG.info("    FAILED generateCrl: ca={}", this.caIdent.getName());
                            }
                            return x509Crl;
                        } catch (CRLException | CertificateException e) {
                            throw new OperationException(OperationException.ErrorCode.CRL_FAILURE, e);
                        }
                    } catch (Throwable th) {
                        // NOTE(review): as decompiled, a failure after the requiteSigner() above
                        // (e.g. in commitNextCrlNo or publishCrl) returns the signer a second time.
                        // The original source probably had a try/finally around build() only; verify.
                        signer.requiteSigner(borrowSigner);
                        throw th;
                    }
                } catch (NoIdleSignerException e2) {
                    throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, "NoIdleSignerException: " + e2.getMessage());
                }
            } catch (CertIOException | CertificateEncodingException e3) {
                LogUtil.error(LOG, e3, "crlBuilder.addExtension");
                throw new OperationException(OperationException.ErrorCode.INVALID_EXTENSION, e3);
            }
        } catch (Throwable th2) {
            if (!z2) {
                LOG.info("    FAILED generateCrl: ca={}", this.caIdent.getName());
            }
            throw th2;
        }
    }

    /* JADX WARN: Code restructure failed: missing block: B:35:0x015f, code lost:
    
        r22 = move-exception;
     */
    /* JADX WARN: Code restructure failed: missing block: B:37:0x0183, code lost:
    
        throw new org.xipki.ca.api.OperationException(org.xipki.ca.api.OperationException.ErrorCode.INVALID_EXTENSION, "CertIOException: " + r22.getMessage());
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Adds the XiPKI-specific "certset" extension to the CRL under construction.
     *
     * <p>DECOMPILER STUB: JADX could not reconstruct this method. The body below is a
     * placeholder that throws {@code UnsupportedOperationException}; it is not the CA's
     * real code and must not be used to reason about CRL contents. The JADX notes above
     * show only that the real implementation wraps a {@code CertIOException} into
     * {@code OperationException(INVALID_EXTENSION, "CertIOException: ...")}. The name
     * suggests certificates are embedded into the CRL; confirm in the original source,
     * since that affects CRL size and what a relying party can read from it.
     *
     * @param r11 CRL builder receiving the extension
     * @param r12 presumably the delta-CRL flag (passed as {@code z} by the caller)
     * @param r13 CRL control of this CA
     * @param r14 presumably the expiry cutoff computed by the caller
     * @param r15 onlyContainsCaCerts
     * @param r16 onlyContainsUserCerts
     * @throws OperationException INVALID_EXTENSION on a CertIOException (per JADX notes)
     */
    private void addXipkiCertset(org.bouncycastle.cert.X509v2CRLBuilder r11, boolean r12, org.xipki.ca.api.mgmt.CrlControl r13, java.util.Date r14, boolean r15, boolean r16) throws org.xipki.ca.api.OperationException {
        /*
            Method dump skipped, instructions count: 389
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.xipki.ca.server.X509Ca.addXipkiCertset(org.bouncycastle.cert.X509v2CRLBuilder, boolean, org.xipki.ca.api.mgmt.CrlControl, java.util.Date, boolean, boolean):void");
    }

    /**
     * Re-issues a single certificate; convenience form of {@link #regenerateCerts}.
     *
     * @param certTemplateData template of the certificate to re-issue
     * @param requestorInfo    the requestor on whose behalf the certificate is issued
     * @param requestType      type of the request
     * @param bArr             transaction id bytes (forwarded unchanged)
     * @param str              message id (forwarded unchanged)
     * @return the first (and only) regenerated certificate
     * @throws OperationException propagated from {@link #regenerateCerts}
     */
    public CertificateInfo regenerateCert(CertTemplateData certTemplateData, RequestorInfo requestorInfo, RequestType requestType, byte[] bArr, String str) throws OperationException {
        List<CertTemplateData> singleTemplate = Arrays.asList(certTemplateData);
        List<CertificateInfo> regenerated = regenerateCerts(singleTemplate, requestorInfo, requestType, bArr, str);
        return regenerated.get(0);
    }

    /**
     * Re-issues the given certificates by delegating to {@link #generateCerts} with its
     * third argument fixed to {@code true} (presumably the "regenerate" flag).
     *
     * @param list          templates of the certificates to re-issue
     * @param requestorInfo the requestor on whose behalf the certificates are issued
     * @param requestType   type of the request
     * @param bArr          transaction id bytes (forwarded unchanged)
     * @param str           message id (forwarded unchanged)
     * @return the regenerated certificates, in template order
     * @throws OperationException propagated from {@link #generateCerts}
     */
    public List<CertificateInfo> regenerateCerts(List<CertTemplateData> list, RequestorInfo requestorInfo, RequestType requestType, byte[] bArr, String str) throws OperationException {
        final boolean regenerate = true;
        return generateCerts(list, requestorInfo, regenerate, requestType, bArr, str);
    }

    /**
     * Stores and publishes a freshly issued certificate.
     *
     * @param certificateInfo the certificate to publish
     * @return {@code true} when {@link #publishCert0} reports result code 0
     */
    public boolean publishCert(CertificateInfo certificateInfo) {
        int resultCode = publishCert0(certificateInfo);
        return resultCode == 0;
    }

    /**
     * Stores the certificate in the certstore and hands it to every publisher.
     *
     * <p>Synchronous publishers are called directly; if that fails or the publisher is
     * asynchronous, the certificate is put on the publisher's publish queue instead.
     *
     * @param certificateInfo the certificate to publish; must not be null
     * @return 0 on success or if the certificate was already issued, 1 if the certstore
     *     refused to add it, 2 if an entry could not be added to the publish queue
     */
    private int publishCert0(CertificateInfo certificateInfo) {
        Args.notNull(certificateInfo, "certInfo");
        if (certificateInfo.isAlreadyIssued()) {
            return 0;
        }
        if (!this.certstore.addCert(certificateInfo)) {
            return 1;
        }
        for (IdentifiedCertPublisher publisher : publishers()) {
            try {
                boolean delivered = false;
                if (!publisher.isAsyn()) {
                    try {
                        delivered = publisher.certificateAdded(certificateInfo);
                    } catch (RuntimeException e) {
                        LogUtil.warn(LOG, e, "could not publish certificate to the publisher " + publisher.getIdent());
                    }
                }
                if (delivered) {
                    continue;
                }
                // Asynchronous publisher, or direct delivery failed: defer via the publish queue.
                long certId = certificateInfo.getCert().getCertId().longValue();
                this.certstore.addToPublishQueue(publisher.getIdent(), certId, this.caIdent);
            } catch (Throwable th) {
                LogUtil.error(LOG, th, "could not add entry to PublishQueue");
                return 2;
            }
        }
        return 0;
    }

    /**
     * Re-publishes the CA certificate, the CA revocation (if any) and the stored
     * certificates to the named publishers.
     *
     * <p>The CA is switched to {@code INACTIVE} for the duration of the republish and
     * the previous status is restored on every exit path. Each target publisher's
     * publish queue is cleared first.
     *
     * @param list publisher names, or {@code null} for all publishers of this CA
     * @param i    forwarded to {@link CertRepublisher} (its meaning is not visible here)
     * @return {@code true} if there was nothing to do or everything was republished
     * @throws IllegalArgumentException if a named publisher is not configured for this CA
     */
    public boolean republishCerts(List<String> list, int i) {
        List<IdentifiedCertPublisher> targets;
        if (list == null) {
            targets = publishers();
        } else {
            targets = new ArrayList<>(list.size());
            for (String publisherName : list) {
                IdentifiedCertPublisher match = publishers().stream()
                        .filter(candidate -> candidate.getIdent().getName().equals(publisherName))
                        .findFirst()
                        .orElseThrow(() -> new IllegalArgumentException(
                                "could not find publisher " + publisherName + " for CA " + this.caIdent.getName()));
                targets.add(match);
            }
        }
        if (CollectionUtil.isEmpty(targets)) {
            return true;
        }
        CaStatus previousStatus = this.caInfo.getStatus();
        this.caInfo.setStatus(CaStatus.INACTIVE);
        // Presumably tells CertRepublisher it may skip good certificates when no target publishes them.
        boolean onlyRevokedCerts = true;
        for (IdentifiedCertPublisher publisher : targets) {
            if (publisher.publishsGoodCert()) {
                onlyRevokedCerts = false;
            }
            NameId publisherIdent = publisher.getIdent();
            String publisherName = publisherIdent.getName();
            try {
                LOG.info("clearing PublishQueue for publisher {}", publisherName);
                this.certstore.clearPublishQueue(this.caIdent, publisherIdent);
                LOG.info(" cleared PublishQueue for publisher {}", publisherName);
            } catch (OperationException ex) {
                LogUtil.error(LOG, ex, "could not clear PublishQueue for publisher " + publisherName);
            }
        }
        try {
            for (IdentifiedCertPublisher publisher : targets) {
                if (publisher.caAdded(this.caCert)) {
                    continue;
                }
                LOG.error("republish CA certificate {} to publisher {} failed", this.caIdent.getName(), publisher.getIdent().getName());
                this.caInfo.setStatus(previousStatus);
                return false;
            }
            if (this.caInfo.getRevocationInfo() != null) {
                for (IdentifiedCertPublisher publisher : targets) {
                    if (publisher.caRevoked(this.caCert, this.caInfo.getRevocationInfo())) {
                        continue;
                    }
                    LOG.error("republishing CA revocation to publisher {} failed", publisher.getIdent().getName());
                    this.caInfo.setStatus(previousStatus);
                    return false;
                }
            }
            CertRepublisher republisher = new CertRepublisher(this.caIdent, this.caCert, this.caIdNameMap, this.certstore, targets, onlyRevokedCerts, i);
            boolean republished = republisher.republish();
            this.caInfo.setStatus(previousStatus);
            return republished;
        } catch (Throwable th) {
            this.caInfo.setStatus(previousStatus);
            throw th;
        }
    }

    /**
     * Clears the publish queue of this CA for the named publishers, or for all
     * publishers when {@code list} is {@code null}.
     *
     * @param list publisher names, or {@code null} for all
     * @throws CaMgmtException wrapping the {@link OperationException} from the certstore;
     *     for a named publisher the message names it
     */
    public void clearPublishQueue(List<String> list) throws CaMgmtException {
        if (list == null) {
            try {
                this.certstore.clearPublishQueue(this.caIdent, null);
            } catch (OperationException ex) {
                throw new CaMgmtException("could not clear publish queue of CA " + this.caIdent + ": " + ex.getMessage(), ex);
            }
            return;
        }
        for (String publisherName : list) {
            try {
                this.certstore.clearPublishQueue(this.caIdent, this.caIdNameMap.getPublisher(publisherName));
            } catch (OperationException ex) {
                throw new CaMgmtException("could not clear publish queue of CA " + this.caIdent + ": " + ex.getMessage() + " for publisher " + publisherName, ex);
            }
        }
    }

    /**
     * Drains the publish queue of every publisher of this CA.
     *
     * @return {@code true} only if every publisher's queue was drained successfully;
     *     all publishers are attempted even after a failure
     */
    public boolean publishCertsInQueue() {
        boolean allDrained = true;
        for (IdentifiedCertPublisher publisher : publishers()) {
            // Non-short-circuit on purpose: every publisher is attempted.
            allDrained &= publishCertsInQueue(publisher);
        }
        return allDrained;
    }

    /**
     * Drains one publisher's publish queue, 500 entries per round, re-publishing each
     * queued certificate and removing it from the queue once delivered.
     *
     * @param identifiedCertPublisher the publisher whose queue is drained; must not be null
     * @return {@code true} when the queue is empty; {@code false} on the first delivery or
     *     certstore failure (a failed queue removal is only logged)
     */
    private boolean publishCertsInQueue(IdentifiedCertPublisher identifiedCertPublisher) {
        Args.notNull(identifiedCertPublisher, "publisher");
        for (;;) {
            List<Long> queuedCertIds;
            try {
                queuedCertIds = this.certstore.getPublishQueueEntries(this.caIdent, identifiedCertPublisher.getIdent(), 500);
            } catch (OperationException ex) {
                LogUtil.error(LOG, ex);
                return false;
            }
            if (CollectionUtil.isEmpty(queuedCertIds)) {
                return true;
            }
            for (Long certId : queuedCertIds) {
                try {
                    boolean added = identifiedCertPublisher.certificateAdded(
                            this.certstore.getCertForId(this.caIdent, this.caCert, certId.longValue(), this.caIdNameMap));
                    if (!added) {
                        LOG.error("republishing certificate id={} failed", certId);
                        return false;
                    }
                    try {
                        this.certstore.removeFromPublishQueue(identifiedCertPublisher.getIdent(), certId.longValue());
                    } catch (OperationException ex) {
                        LogUtil.warn(LOG, ex, "could not remove republished cert id=" + certId + " and publisher=" + identifiedCertPublisher.getIdent().getName());
                    }
                } catch (OperationException | CertificateException ex) {
                    LogUtil.error(LOG, ex);
                    return false;
                }
            }
        }
    }

    /**
     * Stores a CRL in the certstore and notifies every publisher of it.
     *
     * <p>A publisher failure is logged and does not affect the result; only a failure to
     * store the CRL (or any non-runtime exception) yields {@code false}.
     *
     * @param x509crl the CRL to store and publish
     * @return {@code true} if the CRL was stored, {@code false} otherwise
     */
    private boolean publishCrl(X509CRL x509crl) {
        try {
            this.certstore.addCrl(this.caIdent, x509crl);
            for (IdentifiedCertPublisher publisher : publishers()) {
                try {
                    publisher.crlAdded(this.caCert, x509crl);
                } catch (RuntimeException ex) {
                    LogUtil.error(LOG, ex, "could not publish CRL to the publisher " + publisher.getIdent());
                }
            }
            return true;
        } catch (Exception ex) {
            Object[] logArgs = {this.caIdent.getName(), x509crl.getThisUpdate(), ex.getMessage()};
            LOG.error("could not add CRL ca={}, thisUpdate={}: {}, ", logArgs);
            LOG.debug("Exception", ex);
            return false;
        }
    }

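    /**
     * Revokes the certificate with the given serial number, under an audit event.
     *
     * <p>Fix: the audit event was finished with {@code successful = true} when
     * {@link #revokeCertificate0} threw, so a failed revocation was recorded as
     * SUCCESSFUL in the audit trail. It is now recorded as successful only when a
     * revoked certificate is actually returned, matching {@link #revokeSuspendedCert}.
     *
     * @param bigInteger serial number of the certificate to revoke
     * @param crlReason  revocation reason; {@code null} means UNSPECIFIED
     * @param date       invalidity date, may be null
     * @param str        message id for the audit event
     * @return the revoked certificate with its revocation info, or {@code null} if
     *     {@link #revokeCertificate0} found nothing to revoke
     * @throws OperationException NOT_PERMITTED for the CA's own certificate or for the
     *     reasons reserved for CA certificates; otherwise as thrown by {@link #revokeCertificate0}
     * @throws IllegalStateException for an unknown CRL reason
     */
    public CertWithRevocationInfo revokeCert(BigInteger bigInteger, CrlReason crlReason, Date date, String str) throws OperationException {
        if (this.caInfo.isSelfSigned() && this.caInfo.getSerialNumber().equals(bigInteger)) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "insufficient permission to revoke CA certificate");
        }
        if (crlReason == null) {
            crlReason = CrlReason.UNSPECIFIED;
        }
        // Switch on the CrlReason ordinal through a synthetic map; the PasswordHash.* labels
        // are decompiler substitutions for 1 and 2. Which CrlReason constants map to the
        // rejected group 1-3 is not visible here (the message calls them CA-only reasons).
        switch (AnonymousClass1.$SwitchMap$org$xipki$security$CrlReason[crlReason.ordinal()]) {
            case PasswordHash.SALT_INDEX /* 1 */:
            case PasswordHash.PBKDF2_INDEX /* 2 */:
            case 3:
                throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "insufficient permission to revoke certificate with reason " + crlReason.getDescription());
            case 4:
            case 5:
            case 6:
            case 7:
            case 8:
            case 9:
            case 10:
                AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_revoke_cert, str);
                boolean successful = false;
                try {
                    CertWithRevocationInfo revoked = revokeCertificate0(bigInteger, crlReason, date, false, event);
                    successful = revoked != null;
                    return revoked;
                } finally {
                    // Exactly once per call; 'successful' stays false if revokeCertificate0 threw.
                    finish(event, successful);
                }
            default:
                throw new IllegalStateException("unknown CRL reason " + crlReason);
        }
    }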

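    /**
     * Lifts the revocation of the certificate with the given serial number, under an
     * audit event.
     *
     * <p>Fix: the audit event was finished with {@code successful = true} both when
     * {@link #unrevokeCert0} threw and when it returned {@code null} (certificate not
     * found), so failures were recorded as SUCCESSFUL. The event is now marked successful
     * only when a certificate was actually unrevoked, consistent with {@link #removeCert}
     * and {@link #revokeCert}.
     *
     * @param bigInteger serial number of the certificate to unrevoke
     * @param str        message id for the audit event
     * @return the unrevoked certificate, or {@code null} if {@link #unrevokeCert0} found none
     * @throws OperationException NOT_PERMITTED for the CA's own certificate; otherwise as
     *     thrown by {@link #unrevokeCert0}
     */
    public CertWithDbId unrevokeCert(BigInteger bigInteger, String str) throws OperationException {
        if (this.caInfo.isSelfSigned() && this.caInfo.getSerialNumber().equals(bigInteger)) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "insufficient permission to unrevoke CA certificate");
        }
        AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_unrevoke_cert, str);
        boolean successful = false;
        try {
            CertWithDbId unrevoked = unrevokeCert0(bigInteger, false, event);
            successful = unrevoked != null;
            return unrevoked;
        } finally {
            // Exactly once per call; 'successful' stays false if unrevokeCert0 threw.
            finish(event, successful);
        }
    }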

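    /**
     * Removes the certificate with the given serial number from the publishers and the
     * certstore, under an audit event.
     *
     * <p>Fix: the audit event was finished with {@code successful = true} when
     * {@link #removeCert0} threw, so a failed removal was recorded as SUCCESSFUL. It is
     * now marked successful only when a certificate was actually removed.
     *
     * @param bigInteger serial number of the certificate to remove
     * @param str        message id for the audit event
     * @return the removed certificate, or {@code null} if it was not found or a publisher
     *     refused the removal (see {@link #removeCert0})
     * @throws OperationException NOT_PERMITTED for the CA's own certificate; otherwise as
     *     thrown by {@link #removeCert0}
     */
    public CertWithDbId removeCert(BigInteger bigInteger, String str) throws OperationException {
        if (this.caInfo.isSelfSigned() && this.caInfo.getSerialNumber().equals(bigInteger)) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "insufficient permission to remove CA certificate");
        }
        AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_remove_cert, str);
        boolean successful = false;
        try {
            CertWithDbId removed = removeCert0(bigInteger, event);
            successful = removed != null;
            return removed;
        } finally {
            // Exactly once per call; 'successful' stays false if removeCert0 threw.
            finish(event, successful);
        }
    }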

    /**
     * Removes a certificate from every publisher and, only if all of them succeeded,
     * from the certstore.
     *
     * <p>If any publisher fails (returns false or throws a RuntimeException) the
     * certificate stays in the certstore and {@code null} is returned, so the store never
     * forgets a certificate a publisher may still be serving.
     *
     * @param bigInteger serial number of the certificate to remove
     * @param auditEvent audit event receiving the serial number
     * @return the removed certificate, or {@code null} if it does not exist or a
     *     publisher could not remove it
     * @throws OperationException from the certstore lookup or removal
     */
    private CertWithDbId removeCert0(BigInteger bigInteger, AuditEvent auditEvent) throws OperationException {
        auditEvent.addEventData(CaAuditConstants.NAME_serial, LogUtil.formatCsn(bigInteger));
        CertWithRevocationInfo stored = this.certstore.getCertWithRevocationInfo(this.caIdent.getId().intValue(), bigInteger, this.caIdNameMap);
        if (stored == null) {
            return null;
        }
        CertWithDbId cert = stored.getCert();
        boolean removedEverywhere = true;
        for (IdentifiedCertPublisher publisher : publishers()) {
            boolean removedHere;
            try {
                removedHere = publisher.certificateRemoved(this.caCert, cert);
            } catch (RuntimeException e) {
                removedHere = false;
                LogUtil.warn(LOG, e, "could not remove certificate from the publisher " + publisher.getIdent());
            }
            if (removedHere) {
                continue;
            }
            removedEverywhere = false;
            X509Certificate x509Cert = cert.getCert();
            if (LOG.isErrorEnabled()) {
                LOG.error("removing certificate issuer='{}', serial={}, subject='{}' from publisher {} failed.",
                        X509Util.getRfc4519Name(x509Cert.getIssuerX500Principal()),
                        LogUtil.formatCsn(x509Cert.getSerialNumber()),
                        X509Util.getRfc4519Name(x509Cert.getSubjectX500Principal()),
                        publisher.getIdent());
            }
        }
        if (!removedEverywhere) {
            return null;
        }
        this.certstore.removeCert(this.caIdent, bigInteger);
        return cert;
    }

    /* JADX WARN: Can't wrap try/catch for region: R(8:11|(4:13|14|15|(2:27|23)(1:17))(1:31)|18|19|20|22|23|9) */
    /* JADX WARN: Code restructure failed: missing block: B:24:0x0123, code lost:
    
        r20 = move-exception;
     */
    /* JADX WARN: Code restructure failed: missing block: B:25:0x0125, code lost:
    
        org.xipki.util.LogUtil.error(org.xipki.ca.server.X509Ca.LOG, r20, "could not add entry to PublishQueue");
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Core of certificate revocation (called by {@link #revokeCert}).
     *
     * <p>DECOMPILER STUB: JADX could not reconstruct this method. The body below only
     * throws {@code UnsupportedOperationException} and is not the CA's real code. The JADX
     * notes above show only that the real implementation logs
     * "could not add entry to PublishQueue" on a caught Throwable, i.e. it presumably
     * follows the publisher/publish-queue pattern of {@code unrevokeCert0}. Refer to the
     * original source before reasoning about revocation behaviour.
     *
     * @param r9  serial number of the certificate to revoke
     * @param r10 revocation reason
     * @param r11 invalidity date, may be null
     * @param r12 boolean passed as {@code false} by {@link #revokeCert}; meaning not visible here
     * @param r13 audit event
     * @return the revoked certificate with revocation info; {@link #revokeCert} treats {@code null} as "not revoked"
     * @throws OperationException as thrown by the real implementation
     */
    private org.xipki.ca.api.mgmt.CertWithRevocationInfo revokeCertificate0(java.math.BigInteger r9, org.xipki.security.CrlReason r10, java.util.Date r11, boolean r12, org.xipki.audit.AuditEvent r13) throws org.xipki.ca.api.OperationException {
        /*
            Method dump skipped, instructions count: 362
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.xipki.ca.server.X509Ca.revokeCertificate0(java.math.BigInteger, org.xipki.security.CrlReason, java.util.Date, boolean, org.xipki.audit.AuditEvent):org.xipki.ca.api.mgmt.CertWithRevocationInfo");
    }

    /**
     * Audited wrapper around {@link #revokeSuspendedCert0}: the audit event is finished
     * as successful only when a revoked certificate is returned, and as failed when the
     * underlying call throws.
     *
     * @param bigInteger serial number of the suspended certificate
     * @param crlReason  final revocation reason
     * @param str        message id for the audit event
     * @return the result of {@link #revokeSuspendedCert0}
     * @throws OperationException propagated from {@link #revokeSuspendedCert0}
     */
    private CertWithRevocationInfo revokeSuspendedCert(BigInteger bigInteger, CrlReason crlReason, String str) throws OperationException {
        AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_revoke_suspendedCert, str);
        try {
            CertWithRevocationInfo revoked = revokeSuspendedCert0(bigInteger, crlReason, event);
            boolean successful = revoked != null;
            finish(event, successful);
            return revoked;
        } catch (Throwable th) {
            finish(event, false);
            throw th;
        }
    }

    /* JADX WARN: Can't wrap try/catch for region: R(8:11|(4:13|14|15|(2:27|23)(1:17))(1:31)|18|19|20|22|23|9) */
    /* JADX WARN: Code restructure failed: missing block: B:24:0x0102, code lost:
    
        r16 = move-exception;
     */
    /* JADX WARN: Code restructure failed: missing block: B:25:0x0104, code lost:
    
        org.xipki.util.LogUtil.error(org.xipki.ca.server.X509Ca.LOG, r16, "could not add entry to PublishQueue");
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Core of revoking a suspended (on-hold) certificate (called by {@link #revokeSuspendedCert}).
     *
     * <p>DECOMPILER STUB: JADX could not reconstruct this method. The body below only
     * throws {@code UnsupportedOperationException} and is not the CA's real code. The JADX
     * notes above show only that the real implementation logs
     * "could not add entry to PublishQueue" on a caught Throwable, i.e. it presumably
     * follows the publisher/publish-queue pattern of {@code unrevokeCert0}. Refer to the
     * original source before reasoning about this behaviour.
     *
     * @param r8  serial number of the suspended certificate
     * @param r9  final revocation reason
     * @param r10 audit event
     * @return the revoked certificate with revocation info; the caller treats {@code null} as "not revoked"
     * @throws OperationException as thrown by the real implementation
     */
    private org.xipki.ca.api.mgmt.CertWithRevocationInfo revokeSuspendedCert0(java.math.BigInteger r8, org.xipki.security.CrlReason r9, org.xipki.audit.AuditEvent r10) throws org.xipki.ca.api.OperationException {
        /*
            Method dump skipped, instructions count: 325
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.xipki.ca.server.X509Ca.revokeSuspendedCert0(java.math.BigInteger, org.xipki.security.CrlReason, org.xipki.audit.AuditEvent):org.xipki.ca.api.mgmt.CertWithRevocationInfo");
    }

    /* JADX WARN: Can't wrap try/catch for region: R(8:8|(4:10|11|12|(2:24|20)(1:14))(1:28)|15|16|17|19|20|6) */
    /* JADX WARN: Code restructure failed: missing block: B:21:0x00ca, code lost:
    
        r16 = move-exception;
     */
    /* JADX WARN: Code restructure failed: missing block: B:22:0x00cc, code lost:
    
        org.xipki.util.LogUtil.error(org.xipki.ca.server.X509Ca.LOG, r16, "could not add entry to PublishQueue");
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Core of lifting a revocation (called by {@link #unrevokeCert}).
     *
     * <p>DECOMPILER STUB: JADX could not produce Java for this method; the body below only
     * throws {@code UnsupportedOperationException}. The commented bytecode dump inside the
     * body is the real implementation and shows, in order:
     * <ol>
     *   <li>the formatted serial is added to the audit event under "serial" and a START line is logged;</li>
     *   <li>{@code certstore.unrevokeCert(caIdent, serial, r9, shouldPublishToDeltaCrlCache(), caIdNameMap)}
     *       is called; {@code null} is returned as-is;</li>
     *   <li>for each publisher: a synchronous publisher gets {@code certificateUnrevoked(caCert, cert)}
     *       (a RuntimeException is logged and counts as failure); when that returns true the next
     *       publisher is handled, otherwise (and for asynchronous publishers) the certificate id is
     *       added to the publisher's publish queue, with any Throwable logged as
     *       "could not add entry to PublishQueue";</li>
     *   <li>a SUCCESSFUL line is logged and the unrevoked certificate returned.</li>
     * </ol>
     *
     * @param r8  serial number of the certificate to unrevoke
     * @param r9  boolean forwarded to {@code certstore.unrevokeCert}; passed as {@code false} by
     *            {@link #unrevokeCert}, meaning not visible here
     * @param r10 audit event
     * @return the unrevoked certificate, or {@code null} if the certstore returned none
     * @throws OperationException as thrown by {@code certstore.unrevokeCert}
     */
    private org.xipki.ca.api.CertWithDbId unrevokeCert0(java.math.BigInteger r8, boolean r9, org.xipki.audit.AuditEvent r10) throws org.xipki.ca.api.OperationException {
        /*
            r7 = this;
            r0 = r8
            java.lang.String r0 = org.xipki.util.LogUtil.formatCsn(r0)
            r11 = r0
            r0 = r10
            java.lang.String r1 = "serial"
            r2 = r11
            org.xipki.audit.AuditEventData r0 = r0.addEventData(r1, r2)
            org.slf4j.Logger r0 = org.xipki.ca.server.X509Ca.LOG
            java.lang.String r1 = "     START unrevokeCertificate: ca={}, serialNumber={}"
            r2 = r7
            org.xipki.ca.api.NameId r2 = r2.caIdent
            java.lang.String r2 = r2.getName()
            r3 = r11
            r0.info(r1, r2, r3)
            r0 = r7
            org.xipki.ca.server.CertStore r0 = r0.certstore
            r1 = r7
            org.xipki.ca.api.NameId r1 = r1.caIdent
            r2 = r8
            r3 = r9
            r4 = r7
            boolean r4 = r4.shouldPublishToDeltaCrlCache()
            r5 = r7
            org.xipki.ca.server.CaIdNameMap r5 = r5.caIdNameMap
            org.xipki.ca.api.CertWithDbId r0 = r0.unrevokeCert(r1, r2, r3, r4, r5)
            r12 = r0
            r0 = r12
            if (r0 != 0) goto L42
            r0 = 0
            return r0
        L42:
            r0 = r7
            java.util.List r0 = r0.publishers()
            java.util.Iterator r0 = r0.iterator()
            r13 = r0
        L4d:
            r0 = r13
            boolean r0 = r0.hasNext()
            if (r0 == 0) goto Lda
            r0 = r13
            java.lang.Object r0 = r0.next()
            org.xipki.ca.server.IdentifiedCertPublisher r0 = (org.xipki.ca.server.IdentifiedCertPublisher) r0
            r14 = r0
            r0 = r14
            boolean r0 = r0.isAsyn()
            if (r0 != 0) goto Lab
            r0 = r14
            r1 = r7
            org.xipki.security.X509Cert r1 = r1.caCert     // Catch: java.lang.RuntimeException -> L7b
            r2 = r12
            boolean r0 = r0.certificateUnrevoked(r1, r2)     // Catch: java.lang.RuntimeException -> L7b
            r15 = r0
            goto La3
        L7b:
            r16 = move-exception
            r0 = 0
            r15 = r0
            org.slf4j.Logger r0 = org.xipki.ca.server.X509Ca.LOG
            r1 = r16
            java.lang.StringBuilder r2 = new java.lang.StringBuilder
            r3 = r2
            r3.<init>()
            java.lang.String r3 = "could not publish unrevocation of certificate to the publisher "
            java.lang.StringBuilder r2 = r2.append(r3)
            r3 = r14
            org.xipki.ca.api.NameId r3 = r3.getIdent()
            java.lang.String r3 = r3.getName()
            java.lang.StringBuilder r2 = r2.append(r3)
            java.lang.String r2 = r2.toString()
            org.xipki.util.LogUtil.error(r0, r1, r2)
        La3:
            r0 = r15
            if (r0 == 0) goto Lab
            goto L4d
        Lab:
            r0 = r12
            java.lang.Long r0 = r0.getCertId()
            r15 = r0
            r0 = r7
            org.xipki.ca.server.CertStore r0 = r0.certstore     // Catch: java.lang.Throwable -> Lca
            r1 = r14
            org.xipki.ca.api.NameId r1 = r1.getIdent()     // Catch: java.lang.Throwable -> Lca
            r2 = r15
            long r2 = r2.longValue()     // Catch: java.lang.Throwable -> Lca
            r3 = r7
            org.xipki.ca.api.NameId r3 = r3.caIdent     // Catch: java.lang.Throwable -> Lca
            r0.addToPublishQueue(r1, r2, r3)     // Catch: java.lang.Throwable -> Lca
            goto Ld7
        Lca:
            r16 = move-exception
            org.slf4j.Logger r0 = org.xipki.ca.server.X509Ca.LOG
            r1 = r16
            java.lang.String r2 = "could not add entry to PublishQueue"
            org.xipki.util.LogUtil.error(r0, r1, r2)
        Ld7:
            goto L4d
        Lda:
            org.slf4j.Logger r0 = org.xipki.ca.server.X509Ca.LOG
            java.lang.String r1 = "SUCCESSFUL unrevokeCertificate: ca={}, serialNumber={}, revocationResult=UNREVOKED"
            r2 = r7
            org.xipki.ca.api.NameId r2 = r2.caIdent
            java.lang.String r2 = r2.getName()
            r3 = r11
            r0.info(r1, r2, r3)
            r0 = r12
            return r0
        */
        throw new UnsupportedOperationException("Method not decompiled: org.xipki.ca.server.X509Ca.unrevokeCert0(java.math.BigInteger, boolean, org.xipki.audit.AuditEvent):org.xipki.ca.api.CertWithDbId");
    }

    /**
     * Decides whether revocations must also be recorded for delta-CRL generation.
     *
     * <p>Returns {@code true} only when a CRL control is configured, its delta
     * interval is non-zero, and that interval is shorter than the full-CRL
     * interval; in every other case delta CRLs are effectively disabled.
     *
     * @return {@code true} if delta-CRL bookkeeping is required for this CA
     */
    private boolean shouldPublishToDeltaCrlCache() {
        CrlControl control = this.caInfo.getCrlControl();
        if (control == null) {
            return false;
        }
        int deltaIntervals = control.getDeltaCrlIntervals();
        // A zero delta interval means "no delta CRLs"; a delta interval that is
        // not shorter than the full interval would never produce a delta.
        return deltaIntervals != 0 && deltaIntervals < control.getFullCrlIntervals();
    }

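    /**
     * Marks this CA as revoked and notifies every configured publisher.
     *
     * <p>If the CA certificate is self-signed, the CA certificate itself is also
     * revoked in the certificate store through {@code revokeCertificate0}. That
     * step is wrapped in a performance audit event; the event is finished as
     * successful only when the revocation returned a non-null result and did
     * not throw, so the audit trail never records a failed self-revocation as
     * a success.
     *
     * @param certRevocationInfo reason and timing of the revocation; must not be null
     * @param str message id carried into the audit event
     * @throws OperationException if the self-signed revocation fails, or with
     *         {@code SYSTEM_FAILURE} if at least one publisher rejected the
     *         {@code caRevoked} event
     */
    public void revokeCa(CertRevocationInfo certRevocationInfo, String str) throws OperationException {
        Args.notNull(certRevocationInfo, "revocationInfo");
        this.caInfo.setRevocationInfo(certRevocationInfo);
        if (this.caInfo.isSelfSigned()) {
            AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_revoke_cert, str);
            // Start pessimistic: an exception must never be audited as a success.
            boolean successful = false;
            try {
                successful = revokeCertificate0(this.caInfo.getSerialNumber(), certRevocationInfo.getReason(),
                        certRevocationInfo.getInvalidityTime(), true, event) != null;
            } finally {
                finish(event, successful);
            }
        }
        boolean anyPublisherFailed = false;
        for (IdentifiedCertPublisher publisher : publishers()) {
            String publisherName = publisher.getIdent().getName();
            if (publisher.caRevoked(this.caCert, certRevocationInfo)) {
                LOG.info("published event caRevoked of CA {} to publisher {}", this.caIdent.getName(), publisherName);
            } else {
                // Keep notifying the remaining publishers; report the failure once at the end.
                anyPublisherFailed = true;
                LOG.error("could not publish event caRevoked of CA {} to publisher {}", this.caIdent.getName(), publisherName);
            }
        }
        if (anyPublisherFailed) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE,
                    "could not publish event caRevoked of CA " + this.caIdent + " to at least one publisher");
        }
    }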

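    /**
     * Clears the revocation state of this CA and notifies every configured publisher.
     *
     * <p>If the CA certificate is self-signed, the CA certificate itself is also
     * unrevoked in the certificate store through {@code unrevokeCert0}. That
     * step is wrapped in a performance audit event which is finished as
     * successful only when the call returned normally, so an exception is
     * never audited as a success.
     *
     * @param str message id carried into the audit event
     * @throws OperationException if the self-signed unrevocation fails, or with
     *         {@code SYSTEM_FAILURE} if at least one publisher rejected the
     *         {@code caUnrevoked} event
     */
    public void unrevokeCa(String str) throws OperationException {
        this.caInfo.setRevocationInfo(null);
        if (this.caInfo.isSelfSigned()) {
            AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_unrevoke_cert, str);
            // Only flipped to true after unrevokeCert0 returns normally.
            boolean successful = false;
            try {
                unrevokeCert0(this.caInfo.getSerialNumber(), true, event);
                successful = true;
            } finally {
                finish(event, successful);
            }
        }
        boolean anyPublisherFailed = false;
        for (IdentifiedCertPublisher publisher : publishers()) {
            String publisherName = publisher.getIdent().getName();
            if (publisher.caUnrevoked(this.caCert)) {
                LOG.info("published event caUnrevoked of CA {} to publisher {}", this.caIdent.getName(), publisherName);
            } else {
                // Keep notifying the remaining publishers; report the failure once at the end.
                anyPublisherFailed = true;
                LOG.error("could not publish event caUnrevoked of CA {} to publisher {}", this.caIdent.getName(), publisherName);
            }
        }
        if (anyPublisherFailed) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE,
                    "could not publish event caUnrevoked of CA " + this.caIdent + " to at least one publisher");
        }
    }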

    /**
     * Stores a raw request in the certificate store.
     *
     * @param bArr encoded request bytes, handed to the store unchanged
     * @return the id assigned to the stored request by the certificate store
     * @throws OperationException if the store rejects the request
     */
    public long addRequest(byte[] bArr) throws OperationException {
        CertStore store = this.certstore;
        long requestId = store.addRequest(bArr);
        return requestId;
    }

    /**
     * Links a stored request to a stored certificate in the certificate store.
     *
     * @param j first id passed through to {@code CertStore.addRequestCert}
     *          (presumably the request id; confirm against the store)
     * @param j2 second id passed through (presumably the certificate id)
     * @throws OperationException if the store rejects the association
     */
    public void addRequestCert(long j, long j2) throws OperationException {
        CertStore store = this.certstore;
        store.addRequestCert(j, j2);
    }

    /**
     * Looks up the publishers currently assigned to this CA.
     *
     * @return the publishers the CA manager associates with this CA's name
     */
    private List<IdentifiedCertPublisher> publishers() {
        String caName = this.caIdent.getName();
        return this.caManager.getIdentifiedPublishersForCa(caName);
    }

    /**
     * Issues one certificate per template.
     *
     * <p>Delegates to the private overload with its boolean flag fixed to
     * {@code false}.
     *
     * @param list certificate templates to issue, in order
     * @param requestorInfo the requestor on whose behalf the certificates are issued
     * @param requestType how the request arrived
     * @param bArr transaction id to record with each certificate
     * @param str message id for auditing/logging
     * @return the issued certificates, one per template, in template order
     * @throws OperationException if any template cannot be issued
     */
    public List<CertificateInfo> generateCerts(List<CertTemplateData> list, RequestorInfo requestorInfo, RequestType requestType, byte[] bArr, String str) throws OperationException {
        // The private overload's third argument; its meaning is not visible here.
        boolean flag = false;
        List<CertificateInfo> issued = generateCerts(list, requestorInfo, flag, requestType, bArr, str);
        return issued;
    }

    /* JADX WARN: Finally extract failed */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v19, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r1v6, types: [java.lang.Throwable] */
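    /**
     * Issues one certificate per template, all-or-nothing.
     *
     * <p>Phase 1 grants every template up front so that a rejected template
     * fails the batch before anything is signed. Phase 2 issues the granted
     * templates in order and stops at the first failure. When a failure
     * occurs, every certificate already issued in this batch is removed again
     * (best effort, each removal failure is logged) and the failure is
     * rethrown with the index of the offending template.
     *
     * <p>An {@link OperationException} from issuance is propagated with its own
     * error code; only unexpected throwables are wrapped as
     * {@code SYSTEM_FAILURE}.
     *
     * @param list certificate templates to issue; must not be empty
     * @param requestorInfo the requestor on whose behalf the certificates are issued
     * @param z flag forwarded to {@code createGrantedCertTemplate}
     * @param requestType how the request arrived
     * @param bArr transaction id to record with each certificate
     * @param str message id for auditing/logging
     * @return the issued certificates, one per template, in template order
     * @throws OperationExceptionWithIndex carrying the index of the first
     *         template that could not be granted or issued
     */
    private List<CertificateInfo> generateCerts(List<CertTemplateData> list, RequestorInfo requestorInfo, boolean z, RequestType requestType, byte[] bArr, String str) throws OperationExceptionWithIndex {
        Args.notEmpty(list, "certTemplates");
        int size = list.size();

        // Phase 1: grant all templates before signing anything.
        List<GrantedCertTemplate> granted = new ArrayList<>(size);
        for (int i = 0; i < size; i++) {
            CertTemplateData template = list.get(i);
            try {
                granted.add(createGrantedCertTemplate(template, requestorInfo, z));
            } catch (OperationException ex) {
                LOG.error("     FAILED createGrantedCertTemplate: CA={}, profile={}, subject='{}'",
                        this.caIdent.getName(), template.getCertprofileName(), template.getSubject());
                throw new OperationExceptionWithIndex(i, ex);
            }
        }

        // Phase 2: issue in order, stop at the first failure.
        List<CertificateInfo> issued = new ArrayList<>(size);
        OperationExceptionWithIndex failure = null;
        for (int i = 0; i < size && failure == null; i++) {
            GrantedCertTemplate gct = granted.get(i);
            String profileName = gct.certprofile.getIdent().getName();
            String subjectText = gct.grantedSubjectText;
            LOG.info("     START generateCertificate: CA={}, profile={}, subject='{}'",
                    this.caIdent.getName(), profileName, subjectText);
            boolean successful = false;
            try {
                CertificateInfo certInfo = generateCert(gct, requestorInfo, requestType, bArr, str);
                successful = true;
                issued.add(certInfo);
                if (LOG.isInfoEnabled()) {
                    String outcome = certInfo.isAlreadyIssued() ? "RETURN_OLD_CERT" : "SUCCESSFUL";
                    CertWithDbId cert = certInfo.getCert();
                    LOG.info("{} generateCertificate: CA={}, profile={}, subject='{}', serialNumber={}",
                            outcome, this.caIdent.getName(), profileName, cert.getSubject(),
                            LogUtil.formatCsn(cert.getCert().getSerialNumber()));
                }
            } catch (OperationException ex) {
                // Preserve the original error code (e.g. BAD_CERT_TEMPLATE, ALREADY_ISSUED)
                // instead of collapsing it into SYSTEM_FAILURE.
                failure = new OperationExceptionWithIndex(i, ex);
            } catch (Throwable th) {
                failure = new OperationExceptionWithIndex(i,
                        new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, th));
            } finally {
                if (!successful) {
                    LOG.error("    FAILED generateCertificate: CA={}, profile={}, subject='{}'",
                            this.caIdent.getName(), profileName, subjectText);
                }
            }
        }

        if (failure == null) {
            return issued;
        }

        // Roll back: a partially issued batch must not survive.
        LOG.error("could not generate certificate for request[{}], reverted all generated certificates",
                failure.getIndex());
        for (CertificateInfo certInfo : issued) {
            BigInteger serialNumber = certInfo.getCert().getCert().getSerialNumber();
            try {
                removeCert(serialNumber, str);
            } catch (Throwable th) {
                // Best effort: keep removing the remaining certificates.
                LogUtil.error(LOG, th, "could not delete certificate serial=" + serialNumber);
            }
        }
        LogUtil.warn(LOG, failure);
        throw failure;
    }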

    /**
     * Issues a single certificate for one template.
     *
     * <p>Convenience wrapper around the batch method for a one-element list.
     *
     * @param certTemplateData the template to issue; must not be null
     * @param requestorInfo the requestor on whose behalf the certificate is issued
     * @param requestType how the request arrived
     * @param bArr transaction id to record with the certificate
     * @param str message id for auditing/logging
     * @return the issued certificate
     * @throws OperationException if the certificate cannot be issued
     */
    public CertificateInfo generateCert(CertTemplateData certTemplateData, RequestorInfo requestorInfo, RequestType requestType, byte[] bArr, String str) throws OperationException {
        Args.notNull(certTemplateData, "certTemplate");
        List<CertTemplateData> singleTemplate = Collections.singletonList(certTemplateData);
        List<CertificateInfo> issued = generateCerts(singleTemplate, requestorInfo, requestType, bArr, str);
        return issued.get(0);
    }

    /**
     * Issues a certificate for a granted template inside a performance audit event.
     *
     * <p>The audit event is finished as successful only when
     * {@code generateCert0} returns a non-null result without throwing.
     *
     * @param grantedCertTemplate the already granted template
     * @param requestorInfo the requestor on whose behalf the certificate is issued
     * @param requestType how the request arrived
     * @param bArr transaction id to record with the certificate
     * @param str message id for the audit event
     * @return whatever {@code generateCert0} returns
     * @throws OperationException propagated from {@code generateCert0}
     */
    private CertificateInfo generateCert(GrantedCertTemplate grantedCertTemplate, RequestorInfo requestorInfo, RequestType requestType, byte[] bArr, String str) throws OperationException {
        AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_gen_cert, str);
        boolean successful = false;
        try {
            CertificateInfo certInfo = generateCert0(grantedCertTemplate, requestorInfo, requestType, bArr, event);
            successful = certInfo != null;
            return certInfo;
        } finally {
            finish(event, successful);
        }
    }

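    /**
     * Builds, signs, verifies and persists one certificate for a granted template.
     *
     * <p>Steps: record request data in the audit event, make the granted
     * subject unique if required, reserve the public-key and subject
     * fingerprints in the in-process sets (when duplicates are forbidden),
     * build the TBS certificate with the profile's extensions, optionally run
     * the pre-certificate/SCT round trip against the CT log, sign with a
     * borrowed signer, enforce the profile's maximum certificate size, verify
     * the produced signature, and store/publish the result.
     *
     * <p>Error mapping: {@code BadCertTemplateException} becomes
     * {@code BAD_CERT_TEMPLATE}; an {@link OperationException} is propagated
     * unchanged; any other throwable is logged and wrapped as
     * {@code SYSTEM_FAILURE}. The in-process reservations are always released
     * in {@code finally}, including when the SCT precondition check fails.
     *
     * @param grantedCertTemplate the granted template; must not be null
     * @param requestorInfo the requestor; a {@code ByUserRequestorInfo} also sets the user id
     * @param requestType how the request arrived
     * @param bArr transaction id to record with the certificate
     * @param auditEvent audit event that receives request subject, profile and validity
     * @return the issued certificate with its metadata
     * @throws OperationException see the error mapping above; {@code ALREADY_ISSUED}
     *         when the same key or subject is already being processed,
     *         {@code NOT_PERMITTED} when the encoded certificate exceeds the
     *         profile's size limit
     */
    private CertificateInfo generateCert0(GrantedCertTemplate grantedCertTemplate, RequestorInfo requestorInfo, RequestType requestType, byte[] bArr, AuditEvent auditEvent) throws OperationException {
        Args.notNull(grantedCertTemplate, "gct");
        auditEvent.addEventData(CaAuditConstants.NAME_req_subject, X509Util.getRfc4519Name(grantedCertTemplate.requestedSubject));
        auditEvent.addEventData(CaAuditConstants.NAME_certprofile, grantedCertTemplate.certprofile.getIdent().getName());
        auditEvent.addEventData(CaAuditConstants.NAME_not_before, DateUtil.toUtcTimeyyyyMMddhhmmss(grantedCertTemplate.grantedNotBefore));
        auditEvent.addEventData(CaAuditConstants.NAME_not_after, DateUtil.toUtcTimeyyyyMMddhhmmss(grantedCertTemplate.grantedNotAfter));
        adaptGrantedSubejct(grantedCertTemplate);
        IdentifiedCertprofile certprofile = grantedCertTemplate.certprofile;

        // Concurrency guard: when duplicates are forbidden, the same key or
        // subject must not be in flight twice, otherwise two parallel requests
        // could both pass the "already issued" database check.
        boolean guardKey = !this.caInfo.isDuplicateKeyPermitted();
        boolean guardSubject = !this.caInfo.isDuplicateSubjectPermitted();
        Long fpKey = Long.valueOf(grantedCertTemplate.fpPublicKey);
        Long fpSubject = Long.valueOf(grantedCertTemplate.fpSubject);
        if (guardKey && !this.publicKeyCertsInProcess.add(fpKey)) {
            throw new OperationException(OperationException.ErrorCode.ALREADY_ISSUED, "certificate with the given public key already in process");
        }
        if (guardSubject && !this.subjectCertsInProcess.add(fpSubject)) {
            if (guardKey) {
                this.publicKeyCertsInProcess.remove(fpKey);
            }
            throw new OperationException(OperationException.ErrorCode.ALREADY_ISSUED, "certificate with the given subject " + grantedCertTemplate.grantedSubjectText + " already in process");
        }

        Certprofile.ExtensionControl sctControl = certprofile.getExtensionControls().get(ObjectIdentifiers.Extn.id_SCTs);
        boolean ctlogEnabled = this.caInfo.getCtlogControl() != null && this.caInfo.getCtlogControl().isEnabled();
        try {
            // Checked inside the try so that a failure here still releases the
            // in-process reservations above; otherwise the key/subject would
            // stay blocked with "already in process" for all later requests.
            if (!ctlogEnabled && sctControl != null && sctControl.isRequired()) {
                throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, "extension " + ObjectIdentifiers.getName(ObjectIdentifiers.Extn.id_SCTs) + " is required but CTLog of the CA is not activated");
            }
            X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(this.caInfo.getPublicCaInfo().getX500Subject(), this.caInfo.nextSerial(), grantedCertTemplate.grantedNotBefore, grantedCertTemplate.grantedNotAfter, grantedCertTemplate.grantedSubject, grantedCertTemplate.grantedPublicKey);
            try {
                try {
                    SignerEntryWrapper crlSigner = getCrlSigner();
                    ExtensionValues extensions = certprofile.getExtensions(grantedCertTemplate.requestedSubject, grantedCertTemplate.grantedSubject, grantedCertTemplate.extensions, grantedCertTemplate.grantedPublicKey, this.caInfo.getPublicCaInfo(), crlSigner == null ? null : crlSigner.getSigner().getCertificate(), grantedCertTemplate.grantedNotBefore, grantedCertTemplate.grantedNotAfter);
                    if (extensions != null) {
                        for (ASN1ObjectIdentifier extnType : extensions.getExtensionTypes()) {
                            ExtensionValue extnValue = extensions.getExtensionValue(extnType);
                            certBuilder.addExtension(extnType, extnValue.isCritical(), extnValue.getValue());
                        }
                    }
                    if (ctlogEnabled && sctControl != null) {
                        embedScts(grantedCertTemplate, certBuilder, sctControl);
                    }

                    Certificate bcCert = buildWithBorrowedSigner(grantedCertTemplate, certBuilder);
                    byte[] encoded = bcCert.getEncoded();
                    int maxCertSize = certprofile.getMaxCertSize();
                    if (maxCertSize > 0 && encoded.length > maxCertSize) {
                        throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, String.format("certificate exceeds the maximal allowed size: %d > %d", Integer.valueOf(encoded.length), Integer.valueOf(maxCertSize)));
                    }
                    try {
                        X509Certificate x509Cert = X509Util.toX509Cert(bcCert);
                        // Do not trust the signer blindly: a faulty or
                        // misconfigured signer must not yield a stored
                        // certificate with an invalid signature.
                        if (!verifySignature(x509Cert)) {
                            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, "could not verify the signature of generated certificate");
                        }
                        CertificateInfo certInfo = new CertificateInfo(new CertWithDbId(x509Cert, encoded), grantedCertTemplate.privateKey, this.caIdent, this.caCert, grantedCertTemplate.grantedPublicKeyData, certprofile.getIdent(), requestorInfo.getIdent());
                        if (requestorInfo instanceof RequestorInfo.ByUserRequestorInfo) {
                            certInfo.setUser(Integer.valueOf(((RequestorInfo.ByUserRequestorInfo) requestorInfo).getUserId()));
                        }
                        certInfo.setReqType(requestType);
                        certInfo.setTransactionId(bArr);
                        certInfo.setRequestedSubject(grantedCertTemplate.requestedSubject);
                        if (publishCert0(certInfo) == 1) {
                            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, "could not save certificate");
                        }
                        if (grantedCertTemplate.warning != null) {
                            certInfo.setWarningMessage(grantedCertTemplate.warning);
                        }
                        return certInfo;
                    } catch (CertificateException ex) {
                        LOG.error("should not happen, could not parse generated certificate", ex);
                        throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, ex);
                    }
                } catch (BadCertTemplateException ex) {
                    throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, ex);
                }
            } catch (OperationException ex) {
                throw ex;
            } catch (Throwable th) {
                LogUtil.error(LOG, th, "could not generate certificate");
                throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, th);
            }
        } finally {
            if (guardKey) {
                this.publicKeyCertsInProcess.remove(fpKey);
            }
            if (guardSubject) {
                this.subjectCertsInProcess.remove(fpSubject);
            }
        }
    }

    /**
     * Runs the pre-certificate round trip and adds the resulting SCT list
     * extension to {@code certBuilder}.
     *
     * <p>The builder is signed once with the poison extension present, the
     * encoded pre-certificate is submitted via {@code getCtlogScts}, the poison
     * extension is removed again and the SCT list is added as an OCTET STRING
     * wrapped extension value.
     *
     * @param gct template providing the signer
     * @param certBuilder builder that already carries the profile's extensions
     * @param sctControl extension control deciding whether the SCT extension is critical
     * @throws OperationException if no idle signer is available
     * @throws IOException ({@code CertIOException}) if the pre-certificate or the
     *         SCT extension cannot be encoded
     */
    private void embedScts(GrantedCertTemplate gct, X509v3CertificateBuilder certBuilder, Certprofile.ExtensionControl sctControl) throws OperationException, IOException {
        // The poison extension marks the pre-certificate so it can never be
        // mistaken for the final certificate.
        certBuilder.addExtension(ObjectIdentifiers.Extn.id_precertificate, true, DERNull.INSTANCE);
        Certificate precert = buildWithBorrowedSigner(gct, certBuilder);
        CtLog.SignedCertificateTimestampList scts;
        try {
            scts = getCtlogScts(precert.getEncoded());
        } catch (IOException ex) {
            throw new CertIOException("could not encode PreCert", ex);
        }
        certBuilder.removeExtension(ObjectIdentifiers.Extn.id_precertificate);
        try {
            certBuilder.addExtension(new Extension(ObjectIdentifiers.Extn.id_SCTs, sctControl.isCritical(), new DEROctetString(new DEROctetString(scts.getEncoded()).getEncoded())));
        } catch (IOException ex) {
            throw new CertIOException("could not encode SCT extension", ex);
        }
    }

    /**
     * Signs the current builder state with a signer borrowed from the template's
     * signer pool and returns it to the pool afterwards.
     *
     * @param gct template providing the signer pool
     * @param certBuilder the builder to sign
     * @return the signed certificate as a BC ASN.1 structure
     * @throws OperationException {@code SYSTEM_FAILURE} if no idle signer is available
     */
    private static Certificate buildWithBorrowedSigner(GrantedCertTemplate gct, X509v3CertificateBuilder certBuilder) throws OperationException {
        ConcurrentBagEntrySigner signer;
        try {
            signer = gct.signer.borrowSigner();
        } catch (NoIdleSignerException ex) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, ex);
        }
        try {
            return certBuilder.build((ContentSigner) signer.value()).toASN1Structure();
        } finally {
            // Always hand the signer back, also when build() fails; otherwise
            // every signing error would permanently shrink the signer pool.
            gct.signer.requiteSigner(signer);
        }
    }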

    /**
     * Makes the granted subject unique for this CA when duplicate subjects are
     * not permitted.
     *
     * <p>Does nothing if duplicates are allowed or no certificate has been
     * issued for the canonicalised subject yet. Otherwise, if the profile
     * permits it, the subject is re-derived through {@code incSerialNumber}
     * (at most 100 attempts; presumably it bumps a serial-number attribute in
     * the subject — confirm against that helper) until a subject is found for
     * which no certificate exists, and the template is updated with it.
     *
     * @param grantedCertTemplate template whose granted subject is checked and possibly rewritten
     * @throws OperationException {@code ALREADY_ISSUED} if the subject is taken and
     *         cannot (or may not) be made unique; {@code SYSTEM_FAILURE} on a
     *         {@code BadFormatException} from the subject rewrite
     */
    private void adaptGrantedSubejct(GrantedCertTemplate grantedCertTemplate) throws OperationException {
        if (this.caInfo.isDuplicateSubjectPermitted()) {
            return;
        }
        X500Name grantedSubject = grantedCertTemplate.grantedSubject;
        IdentifiedCertprofile certprofile = grantedCertTemplate.certprofile;
        long fpSubject = X509Util.fpCanonicalizedName(grantedSubject);
        String subjectText = X509Util.getRfc4519Name(grantedSubject);
        boolean mayIncrement = certprofile.incSerialNumberIfSubjectExists();
        if (!this.certstore.isCertForSubjectIssued(this.caIdent, fpSubject)) {
            return;
        }
        if (!mayIncrement) {
            throw new OperationException(OperationException.ErrorCode.ALREADY_ISSUED, "certificate for the given subject " + subjectText + " already issued");
        }
        try {
            X500Name candidate = grantedSubject;
            String latestSerial = this.certstore.getLatestSerialNumber((X500Name) incSerialNumber(certprofile, candidate, null)[0]);
            boolean unique = false;
            for (int attempt = 0; attempt < 100 && !unique; attempt++) {
                Object[] incremented = incSerialNumber(certprofile, candidate, latestSerial);
                candidate = (X500Name) incremented[0];
                // No progress: the helper returned the same serial again, give up.
                if (CompareUtil.equalsObject(latestSerial, incremented[1])) {
                    break;
                }
                latestSerial = (String) incremented[1];
                unique = !this.certstore.isCertForSubjectIssued(this.caIdent, X509Util.fpCanonicalizedName(candidate));
            }
            if (!unique) {
                throw new OperationException(OperationException.ErrorCode.ALREADY_ISSUED, "certificate for the given subject " + subjectText + " and profile " + certprofile.getIdent().getName() + " already issued, and could not create new unique serial number");
            }
            grantedCertTemplate.setGrantedSubject(candidate);
        } catch (BadFormatException ex) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, ex);
        }
    }

    private GrantedCertTemplate createGrantedCertTemplate(CertTemplateData certTemplateData, RequestorInfo requestorInfo, boolean z) throws OperationException {
        SubjectPublicKeyInfo createSubjectPublicKeyInfo;
        PrivateKeyInfo privateKeyInfo;
        RDN[] rDNs;
        Args.notNull(certTemplateData, "certTemplate");
        if (this.caInfo.getRevocationInfo() != null) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "CA is revoked");
        }
        IdentifiedCertprofile x509Certprofile = getX509Certprofile(certTemplateData.getCertprofileName());
        if (x509Certprofile == null) {
            throw new OperationException(OperationException.ErrorCode.UNKNOWN_CERT_PROFILE, "unknown cert profile " + certTemplateData.getCertprofileName());
        }
        ConcurrentContentSigner signer = this.caInfo.getSigner(x509Certprofile.getSignatureAlgorithms());
        if (signer == null) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, "CA does not support any signature algorithm restricted by the cert profile");
        }
        NameId ident = x509Certprofile.getIdent();
        if (x509Certprofile.getVersion() != Certprofile.X509CertVersion.v3) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, "unknown cert version " + x509Certprofile.getVersion());
        }
        if (x509Certprofile.isOnlyForRa() && (requestorInfo == null || !requestorInfo.isRa())) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "profile " + ident + " not applied to non-RA");
        }
        X500Name removeEmptyRdns = removeEmptyRdns(certTemplateData.getSubject());
        if (!x509Certprofile.isSerialNumberInReqPermitted() && (rDNs = removeEmptyRdns.getRDNs(ObjectIdentifiers.DN.SN)) != null && rDNs.length > 0) {
            throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, "subjectDN SerialNumber in request is not permitted");
        }
        Date notBefore = x509Certprofile.getNotBefore(certTemplateData.getNotBefore());
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis - notBefore.getTime() > MS_PER_10MINUTES) {
            notBefore = new Date(currentTimeMillis - MS_PER_10MINUTES);
        }
        long noNewCertificateAfter = this.caInfo.getNoNewCertificateAfter();
        if (notBefore.getTime() > noNewCertificateAfter) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "CA is not permitted to issue certifate after " + new Date(noNewCertificateAfter));
        }
        if (notBefore.before(this.caInfo.getNotBefore())) {
            notBefore = this.caInfo.getNotBefore();
        }
        if (certTemplateData.getPublicKeyInfo() != null) {
            privateKeyInfo = null;
            try {
                createSubjectPublicKeyInfo = X509Util.toRfc3279Style(certTemplateData.getPublicKeyInfo());
                if (createSubjectPublicKeyInfo.getAlgorithm().getAlgorithm().equals(PKCSObjectIdentifiers.rsaEncryption)) {
                    try {
                        ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance(createSubjectPublicKeyInfo.getPublicKeyData().getOctets());
                        if (aSN1Sequence.size() != 2) {
                            throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, "invalid format of RSA public key");
                        }
                        if (RSABrokenKey.isAffected(ASN1Integer.getInstance(aSN1Sequence.getObjectAt(0)).getPositiveValue())) {
                            throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, "RSA public key is too weak");
                        }
                    } catch (IllegalArgumentException e) {
                        throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, "invalid format of RSA public key");
                    }
                }
            } catch (InvalidKeySpecException e2) {
                LogUtil.warn(LOG, e2, "invalid SubjectPublicKeyInfo");
                throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, "invalid SubjectPublicKeyInfo");
            }
        } else {
            if (!certTemplateData.isCaGenerateKeypair()) {
                throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, "no public key is specified  genkey");
            }
            KeypairGenControl keypairGenControl = x509Certprofile.getKeypairGenControl();
            try {
                if (keypairGenControl instanceof KeypairGenControl.InheritCAKeypairGenControl) {
                    keypairGenControl = this.keypairGenControlByImplictCA;
                }
                if (keypairGenControl == null || (keypairGenControl instanceof KeypairGenControl.ForbiddenKeypairGenControl)) {
                    throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, "no public key is specified");
                }
                if (keypairGenControl instanceof KeypairGenControl.RSAKeypairGenControl) {
                    KeypairGenControl.RSAKeypairGenControl rSAKeypairGenControl = (KeypairGenControl.RSAKeypairGenControl) keypairGenControl;
                    int keysize = rSAKeypairGenControl.getKeysize();
                    if (keysize > 4096) {
                        throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, "keysize too large");
                    }
                    KeyPair generateRSAKeypair = KeyUtil.generateRSAKeypair(keysize, rSAKeypairGenControl.getPublicExponent(), this.random);
                    RSAPublicKey rSAPublicKey = (RSAPublicKey) generateRSAKeypair.getPublic();
                    createSubjectPublicKeyInfo = new SubjectPublicKeyInfo(rSAKeypairGenControl.getKeyAlgorithm(), new org.bouncycastle.asn1.pkcs.RSAPublicKey(rSAPublicKey.getModulus(), rSAPublicKey.getPublicExponent()));
                    RSAPrivateCrtKey rSAPrivateCrtKey = (RSAPrivateCrtKey) generateRSAKeypair.getPrivate();
                    privateKeyInfo = new PrivateKeyInfo(rSAKeypairGenControl.getKeyAlgorithm(), new RSAPrivateKey(rSAPrivateCrtKey.getModulus(), rSAPrivateCrtKey.getPublicExponent(), rSAPrivateCrtKey.getPrivateExponent(), rSAPrivateCrtKey.getPrimeP(), rSAPrivateCrtKey.getPrimeQ(), rSAPrivateCrtKey.getPrimeExponentP(), rSAPrivateCrtKey.getPrimeExponentQ(), rSAPrivateCrtKey.getCrtCoefficient()));
                } else if (keypairGenControl instanceof KeypairGenControl.ECKeypairGenControl) {
                    KeypairGenControl.ECKeypairGenControl eCKeypairGenControl = (KeypairGenControl.ECKeypairGenControl) keypairGenControl;
                    KeyPair generateECKeypair = KeyUtil.generateECKeypair(eCKeypairGenControl.getCurveOid(), this.random);
                    ECPublicKey eCPublicKey = (ECPublicKey) generateECKeypair.getPublic();
                    int bitLength = eCPublicKey.getParams().getOrder().bitLength();
                    createSubjectPublicKeyInfo = new SubjectPublicKeyInfo(eCKeypairGenControl.getKeyAlgorithm(), KeyUtil.getUncompressedEncodedECPoint(eCPublicKey.getW(), bitLength));
                    privateKeyInfo = new PrivateKeyInfo(eCKeypairGenControl.getKeyAlgorithm(), new ECPrivateKey(bitLength, ((java.security.interfaces.ECPrivateKey) generateECKeypair.getPrivate()).getS()));
                } else if (keypairGenControl instanceof KeypairGenControl.DSAKeypairGenControl) {
                    KeypairGenControl.DSAKeypairGenControl dSAKeypairGenControl = (KeypairGenControl.DSAKeypairGenControl) keypairGenControl;
                    KeyPair generateDSAKeypair = KeyUtil.generateDSAKeypair(dSAKeypairGenControl.getParameterSpec(), this.random);
                    createSubjectPublicKeyInfo = new SubjectPublicKeyInfo(dSAKeypairGenControl.getKeyAlgorithm(), new ASN1Integer(((DSAPublicKey) generateDSAKeypair.getPublic()).getY()));
                    privateKeyInfo = new PrivateKeyInfo(createSubjectPublicKeyInfo.getAlgorithm(), new ASN1Integer(((DSAPrivateKey) generateDSAKeypair.getPrivate()).getX()));
                } else {
                    if (!(keypairGenControl instanceof KeypairGenControl.EDDSAKeypairGenControl)) {
                        throw new RuntimeCryptoException("unknown KeyPairGenControl " + keypairGenControl);
                    }
                    KeypairGenControl.EDDSAKeypairGenControl eDDSAKeypairGenControl = (KeypairGenControl.EDDSAKeypairGenControl) keypairGenControl;
                    KeyPair generateEdECKeypair = KeyUtil.generateEdECKeypair(eDDSAKeypairGenControl.getKeyAlgorithm().getAlgorithm(), this.random);
                    createSubjectPublicKeyInfo = KeyUtil.createSubjectPublicKeyInfo(generateEdECKeypair.getPublic());
                    if (!createSubjectPublicKeyInfo.getAlgorithm().equals(eDDSAKeypairGenControl.getKeyAlgorithm())) {
                        throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, "invalid SubjectPublicKeyInfo.algorithm");
                    }
                    privateKeyInfo = PrivateKeyInfo.getInstance(generateEdECKeypair.getPrivate().getEncoded());
                }
            } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException e3) {
                throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e3);
            }
        }
        try {
            SubjectPublicKeyInfo checkPublicKey = x509Certprofile.checkPublicKey(createSubjectPublicKeyInfo);
            try {
                Certprofile.SubjectInfo subject = x509Certprofile.getSubject(removeEmptyRdns);
                X500Name grantedSubject = subject.getGrantedSubject();
                ASN1ObjectIdentifier[] attributeTypes = grantedSubject.getAttributeTypes();
                if (attributeTypes == null || attributeTypes.length == 0) {
                    throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, "empty subject is not permitted");
                }
                if (X509Util.canonicalizName(grantedSubject).equals(this.caInfo.getPublicCaInfo().getC14nSubject())) {
                    throw new OperationException(OperationException.ErrorCode.ALREADY_ISSUED, "certificate with the same subject as CA is not allowed");
                }
                boolean isDuplicateKeyPermitted = this.caInfo.isDuplicateKeyPermitted();
                byte[] bytes = checkPublicKey.getPublicKeyData().getBytes();
                long hash = FpIdCalculator.hash(bytes);
                if (z) {
                    CertStore.CertStatus certStatusForSubject = this.certstore.getCertStatusForSubject(this.caIdent, grantedSubject);
                    if (certStatusForSubject == CertStore.CertStatus.REVOKED) {
                        throw new OperationException(OperationException.ErrorCode.CERT_REVOKED);
                    }
                    if (certStatusForSubject == CertStore.CertStatus.UNKNOWN) {
                        throw new OperationException(OperationException.ErrorCode.UNKNOWN_CERT);
                    }
                } else if (!isDuplicateKeyPermitted && this.certstore.isCertForKeyIssued(this.caIdent, hash)) {
                    throw new OperationException(OperationException.ErrorCode.ALREADY_ISSUED, "certificate for the given public key already issued");
                }
                StringBuilder sb = new StringBuilder();
                if (subject.getWarning() != null) {
                    sb.append(", ").append(subject.getWarning());
                }
                Validity validity = x509Certprofile.getValidity();
                if (validity == null) {
                    validity = this.caInfo.getMaxValidity();
                } else if (validity.compareTo(this.caInfo.getMaxValidity()) > 0) {
                    validity = this.caInfo.getMaxValidity();
                }
                Date add = validity.add(notBefore);
                if (add.getTime() > MAX_CERT_TIME_MS) {
                    add = new Date(MAX_CERT_TIME_MS);
                }
                Date notAfter = certTemplateData.getNotAfter();
                if (notAfter == null) {
                    notAfter = add;
                } else if (notAfter.after(add)) {
                    notAfter = add;
                    sb.append(", notAfter modified");
                }
                if (notAfter.after(this.caInfo.getNotAfter())) {
                    ValidityMode validityMode = this.caInfo.getValidityMode();
                    if (validityMode == ValidityMode.CUTOFF) {
                        notAfter = this.caInfo.getNotAfter();
                    } else {
                        if (validityMode == ValidityMode.STRICT) {
                            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "notAfter outside of CA's validity is not permitted");
                        }
                        if (validityMode != ValidityMode.LAX) {
                            throw new IllegalStateException("should not reach here, unknown CA ValidityMode " + validityMode);
                        }
                    }
                }
                String str = null;
                if (sb.length() > 2) {
                    str = sb.substring(2);
                }
                GrantedCertTemplate grantedCertTemplate = new GrantedCertTemplate(certTemplateData.getExtensions(), x509Certprofile, notBefore, notAfter, removeEmptyRdns, checkPublicKey, hash, privateKeyInfo, bytes, signer, str);
                grantedCertTemplate.setGrantedSubject(grantedSubject);
                return grantedCertTemplate;
            } catch (BadCertTemplateException e4) {
                throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, e4);
            } catch (CertprofileException e5) {
                throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, "exception in cert profile " + ident);
            }
        } catch (BadCertTemplateException e6) {
            throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, e6);
        } catch (CertprofileException e7) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, "exception in cert profile " + ident);
        }
    }

    /**
     * Looks up a certificate profile by name, restricted to the profiles assigned to this CA.
     *
     * @param str the profile name; may be {@code null}
     * @return the identified profile, or {@code null} when {@code str} is {@code null}, when no
     *         profile set is registered for this CA, or when the name is not in that set
     */
    public IdentifiedCertprofile getX509Certprofile(String str) {
        if (str == null) {
            return null;
        }
        Set<String> assignedProfiles = this.caManager.getCertprofilesForCa(this.caIdent.getName());
        // A profile that exists globally but is not assigned to this CA is deliberately not returned.
        if (assignedProfiles == null || !assignedProfiles.contains(str)) {
            return null;
        }
        return this.caManager.getIdentifiedCertprofile(str);
    }

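    /**
     * Tells whether a profile of the given name is assigned to this CA.
     *
     * <p>The name is lower-cased before the lookup (unlike {@link #getX509Certprofile(String)},
     * which compares the name as given); this mirrors the original behaviour and is not changed here.
     *
     * @param str the profile name, never {@code null}
     * @return {@code true} if the CA's profile set contains the lower-cased name
     * @throws IllegalArgumentException if {@code str} is {@code null} (via {@code Args.notNull})
     */
    public boolean supportsCertprofile(String str) {
        Args.notNull(str, "certprofileName");
        Set<String> assignedProfiles = this.caManager.getCertprofilesForCa(this.caIdent.getName());
        // getX509Certprofile treats the result of getCertprofilesForCa() as nullable; do the same here
        // instead of dereferencing it unconditionally (which would throw NullPointerException).
        return assignedProfiles != null && assignedProfiles.contains(str.toLowerCase());
    }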

    /**
     * Finds the certificate-based requestor of this CA whose certificate subject equals
     * {@code x500Name}.
     *
     * <p>Only requestor entries that are not faulty and of type {@code "cert"} are considered.
     * The match is by subject name only; no signature or key check happens here.
     *
     * @param x500Name the subject name to match
     * @return the matching requestor, or {@code null} if none is assigned to this CA or none matches
     */
    public RequestorInfo.CmpRequestorInfo getRequestor(X500Name x500Name) {
        Set<MgmtEntry.CaHasRequestor> assignments = this.caManager.getRequestorsForCa(this.caIdent.getName());
        if (CollectionUtil.isEmpty(assignments)) {
            return null;
        }
        for (MgmtEntry.CaHasRequestor assignment : assignments) {
            RequestorEntryWrapper wrapper = this.caManager.getRequestorWrapper(assignment.getRequestorIdent().getName());
            if (wrapper.getDbEntry().isFaulty()) {
                continue;
            }
            if (!"cert".equals(wrapper.getDbEntry().getType())) {
                continue;
            }
            if (wrapper.getCert().getSubjectAsX500Name().equals(x500Name)) {
                return new RequestorInfo.CmpRequestorInfo(assignment, wrapper.getCert());
            }
        }
        return null;
    }

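    /**
     * Finds the certificate-based requestor of this CA whose registered certificate equals
     * {@code x509Certificate}.
     *
     * <p>Faulty requestor entries are skipped, consistent with {@link #getRequestor(X500Name)}.
     * The original code did not apply that filter in this overload, so a faulty entry could still
     * be matched (and its {@code getCert()} dereferenced without any guarantee it is populated).
     *
     * @param x509Certificate the certificate presented by the requestor
     * @return the matching requestor, or {@code null} if none is assigned to this CA or none matches
     */
    public RequestorInfo.CmpRequestorInfo getRequestor(X509Certificate x509Certificate) {
        Set<MgmtEntry.CaHasRequestor> assignments = this.caManager.getRequestorsForCa(this.caIdent.getName());
        if (CollectionUtil.isEmpty(assignments)) {
            return null;
        }
        for (MgmtEntry.CaHasRequestor assignment : assignments) {
            RequestorEntryWrapper wrapper = this.caManager.getRequestorWrapper(assignment.getRequestorIdent().getName());
            // Same filter as the X500Name overload: a faulty entry must not authenticate anyone.
            if (wrapper.getDbEntry().isFaulty()) {
                continue;
            }
            if (!"cert".equals(wrapper.getDbEntry().getType())) {
                continue;
            }
            if (wrapper.getCert().getCert().equals(x509Certificate)) {
                return new RequestorInfo.CmpRequestorInfo(assignment, wrapper.getCert());
            }
        }
        return null;
    }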

    /**
     * Finds the password-based ("pbm") requestor of this CA whose key identifier matches
     * {@code bArr}.
     *
     * <p>{@code x500Name} is accepted but not used for the lookup; only the key identifier is
     * compared. Unlike {@link #getRequestor(X500Name)}, faulty entries are not filtered here —
     * NOTE(review): whether a faulty pbm entry can carry a usable password is not visible in this
     * file; confirm before relying on it.
     *
     * @param x500Name the sender name from the request (unused in the lookup)
     * @param bArr the key identifier (senderKID) from the request
     * @return the matching requestor together with its password and the key identifier, or
     *         {@code null} if none is assigned to this CA or none matches
     */
    public RequestorInfo.CmpRequestorInfo getMacRequestor(X500Name x500Name, byte[] bArr) {
        Set<MgmtEntry.CaHasRequestor> assignments = this.caManager.getRequestorsForCa(this.caIdent.getName());
        if (CollectionUtil.isEmpty(assignments)) {
            return null;
        }
        for (MgmtEntry.CaHasRequestor assignment : assignments) {
            RequestorEntryWrapper wrapper = this.caManager.getRequestorWrapper(assignment.getRequestorIdent().getName());
            if (!"pbm".equals(wrapper.getDbEntry().getType())) {
                continue;
            }
            if (wrapper.matchKeyId(bArr)) {
                return new RequestorInfo.CmpRequestorInfo(assignment, wrapper.getPassword(), bArr);
            }
        }
        return null;
    }

    /** Returns the CA manager this CA instance was created with. */
    public CaManagerImpl getCaManager() {
        return this.caManager;
    }

    /* JADX INFO: Access modifiers changed from: private */
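    /**
     * Computes the most recent scheduled CRL generation time that is not after {@code date}.
     *
     * <p>The scheduled time of day comes from the CRL control's interval day-time (hour and
     * minute, UTC). If that time on the day of {@code date} is still in the future (compared at
     * second granularity), the schedule from the previous day is returned instead.
     *
     * <p>Bug fixed here: the hour was written with calendar field {@code 10}, which is
     * {@link Calendar#HOUR} — the 12-hour field that keeps the AM/PM of {@code date}. A configured
     * hour of e.g. 2 would then resolve to 14:00 for any afternoon {@code date}, and values of 12 or
     * more would spill into the next day. The configured value is a wall-clock hour (presumably
     * 0–23, as "hh:mm" settings usually are — confirm against CrlControl.HourMinute), so
     * {@link Calendar#HOUR_OF_DAY} is the correct field.
     *
     * @param date the reference instant
     * @return the latest scheduled CRL generation instant at or before {@code date}
     */
    public Date getScheduledCrlGenTimeNotAfter(Date date) {
        Calendar calendar = Calendar.getInstance(TIMEZONE_UTC);
        calendar.setTime(date);
        CrlControl.HourMinute intervalDayTime = this.caInfo.getCrlControl().getIntervalDayTime();
        calendar.set(Calendar.HOUR_OF_DAY, intervalDayTime.getHour());
        calendar.set(Calendar.MINUTE, intervalDayTime.getMinute());
        calendar.set(Calendar.SECOND, 0);
        calendar.set(Calendar.MILLISECOND, 0);
        long scheduledSec = calendar.getTimeInMillis() / MS_PER_SECOND;
        long referenceSec = date.getTime() / MS_PER_SECOND;
        // Today's slot has already passed (or is exactly now): use it; otherwise yesterday's slot.
        return referenceSec >= scheduledSec ? calendar.getTime() : new Date(calendar.getTimeInMillis() - MS_PER_DAY);
    }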

    /* JADX INFO: Access modifiers changed from: private */
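    /**
     * Removes certificates of this CA that expired before {@code date}, wrapped in a performance
     * audit event that is always finished (as SUCCESSFUL or FAILED) before this method returns
     * or throws.
     *
     * <p>The debug message used to read "revoking suspended certificates" — a copy-paste leftover
     * from {@link #revokeSuspendedCerts(String)}; it now names the operation actually performed.
     *
     * @param date the expiry cut-off; certificates with notAfter before it are candidates
     * @param str the message id recorded in the audit event
     * @return the number of certificates removed
     * @throws OperationException if removal is not permitted or fails part-way
     */
    public int removeExpirtedCerts(Date date, String str) throws OperationException {
        LOG.debug("removing expired certificates");
        AuditEvent auditEvent = newPerfAuditEvent(CaAuditConstants.TYPE_remove_expired_certs, str);
        boolean succeeded = false;
        try {
            int removed = removeExpirtedCerts0(date, auditEvent, str);
            LOG.info("removed {} expired certificates of CA {}", Integer.valueOf(removed), this.caIdent);
            succeeded = true;
            finish(auditEvent, true);
            return removed;
        } catch (Throwable th) {
            // succeeded is already true if finish() itself threw; the event is then logged as
            // SUCCESSFUL a second time, exactly as before.
            finish(auditEvent, succeeded);
            throw th;
        }
    }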

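    /**
     * Removes expired certificates in batches of 100 until the store reports no more candidates.
     *
     * <p>Only permitted in master mode. A self-signed CA's own certificate is never removed.
     *
     * <p>NOTE(review): termination relies on every returned serial eventually disappearing from
     * {@code getExpiredSerialNumbers}. A serial that is skipped here (the CA's own) or for which
     * {@code removeCert} returns {@code null} would be returned again in the next batch and keep
     * the loop spinning — confirm that the store query excludes such entries.
     *
     * @param date the expiry cut-off, never {@code null}
     * @param auditEvent the event the cut-off is recorded in
     * @param str the message id passed on to {@code removeCert}
     * @return the number of certificates removed
     * @throws OperationException in slave mode, or when a removal fails (the count so far is logged
     *         first)
     */
    private int removeExpirtedCerts0(Date date, AuditEvent auditEvent, String str) throws OperationException {
        Args.notNull(date, "expiredtime");
        if (!this.masterMode) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "CA could not remove expired certificates in slave mode");
        }
        auditEvent.addEventData(CaAuditConstants.NAME_expired_at, date);
        long expiredAtSec = date.getTime() / MS_PER_SECOND;
        int removed = 0;
        while (true) {
            List<BigInteger> batch = this.certstore.getExpiredSerialNumbers(this.caIdent, expiredAtSec, 100);
            if (CollectionUtil.isEmpty(batch)) {
                return removed;
            }
            for (BigInteger serial : batch) {
                // Never delete the CA's own certificate from a self-signed CA's store.
                if (this.caInfo.isSelfSigned() && this.caInfo.getSerialNumber().equals(serial)) {
                    continue;
                }
                try {
                    if (removeCert(serial, str) != null) {
                        removed++;
                    }
                } catch (OperationException e) {
                    LOG.info("removed {} expired certificates of CA {}", Integer.valueOf(removed), this.caIdent.getName());
                    // The original message lacked the space before the serial number.
                    LogUtil.error(LOG, e, "could not remove expired certificate with serial " + serial);
                    throw e;
                }
            }
        }
    }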

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Revokes certificates that have stayed suspended longer than the configured threshold,
     * wrapped in a performance audit event that is finished (SUCCESSFUL or FAILED) on every exit
     * path.
     *
     * @param str the message id recorded in the audit event
     * @return the number of certificates revoked
     * @throws OperationException if revocation is not permitted or fails part-way
     */
    public int revokeSuspendedCerts(String str) throws OperationException {
        LOG.debug("revoking suspended certificates");
        AuditEvent auditEvent = newPerfAuditEvent(CaAuditConstants.TYPE_revoke_suspendedCert, str);
        boolean succeeded = false;
        try {
            int revoked = revokeSuspendedCerts0(auditEvent, str);
            LOG.info("revoked {} suspended certificates of CA {}", Integer.valueOf(revoked), this.caIdent.getName());
            succeeded = true;
            finish(auditEvent, true);
            return revoked;
        } catch (Throwable th) {
            // If finish() itself threw, succeeded is already true and the event is finished again
            // as SUCCESSFUL; otherwise it is recorded as FAILED.
            finish(auditEvent, succeeded);
            throw th;
        }
    }

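    /**
     * Revokes, in batches of 100, every certificate whose suspension is older than the configured
     * "unchanged since" validity, using the configured target reason.
     *
     * <p>Only permitted in master mode. The error text for slave mode used to be copied from the
     * expired-certificates routine ("could not remove expired certificates"); it now names this
     * operation.
     *
     * <p>NOTE(review): as with expired-certificate removal, termination assumes every serial
     * returned by {@code getSuspendedCertSerials} leaves the result set after
     * {@code revokeSuspendedCert}; a serial for which that call returns {@code null} would be
     * fetched again indefinitely — confirm against the store implementation.
     *
     * @param auditEvent the audit event of the enclosing operation (not written to here)
     * @param str the message id passed on to {@code revokeSuspendedCert}
     * @return the number of certificates revoked
     * @throws OperationException in slave mode, or when a revocation fails (the count so far is
     *         logged first)
     * @throws IllegalStateException for an unknown {@code Validity.Unit}
     */
    private int revokeSuspendedCerts0(AuditEvent auditEvent, String str) throws OperationException {
        if (!this.masterMode) {
            throw new OperationException(OperationException.ErrorCode.NOT_PERMITTED, "CA could not revoke suspended certificates in slave mode");
        }
        Validity unchangedSince = this.caInfo.revokeSuspendedCertsControl().getUnchangedSince();
        long unchangedSinceMs;
        // Decompiler artifact: the switch is over a synthetic ordinal remap of Validity.Unit. The
        // multipliers identify the cases as minute / hour / day / week / year (365 days); in source
        // form this should be a switch over the enum constants themselves.
        switch (AnonymousClass1.$SwitchMap$org$xipki$util$Validity$Unit[unchangedSince.getUnit().ordinal()]) {
            case 1:
                unchangedSinceMs = unchangedSince.getValidity() * MS_PER_MINUTE;
                break;
            case 2:
                unchangedSinceMs = unchangedSince.getValidity() * MS_PER_HOUR;
                break;
            case 3:
                unchangedSinceMs = unchangedSince.getValidity() * MS_PER_DAY;
                break;
            case 4:
                unchangedSinceMs = unchangedSince.getValidity() * MS_PER_WEEK;
                break;
            case 5:
                unchangedSinceMs = unchangedSince.getValidity() * 365 * MS_PER_DAY;
                break;
            default:
                throw new IllegalStateException("should not reach here, unknown Validity Unit " + unchangedSince.getUnit());
        }
        // Certificates suspended (and unchanged) since before this instant are revoked.
        long latestChangeSec = (System.currentTimeMillis() - unchangedSinceMs) / MS_PER_SECOND;
        CrlReason targetReason = this.caInfo.revokeSuspendedCertsControl().getTargetReason();
        int revoked = 0;
        while (true) {
            List<BigInteger> batch = this.certstore.getSuspendedCertSerials(this.caIdent, latestChangeSec, 100);
            if (CollectionUtil.isEmpty(batch)) {
                return revoked;
            }
            for (BigInteger serial : batch) {
                try {
                    if (revokeSuspendedCert(serial, targetReason, str) != null) {
                        revoked++;
                    }
                } catch (OperationException e) {
                    LOG.info("revoked {} suspended certificates of CA {}", Integer.valueOf(revoked), this.caIdent.getName());
                    // The original message lacked the space before the serial number.
                    LogUtil.error(LOG, e, "could not revoke suspended certificate with serial " + serial);
                    throw e;
                }
            }
        }
    }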

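    /**
     * Reports the health of this CA as an aggregate of its signer (if configured), its certificate
     * store, its CRL signer (if configured) and every publisher.
     *
     * <p>Each component becomes a named child check; the aggregate is healthy only if every
     * component is. The original queried {@code isHealthy()} twice per publisher (once for the
     * aggregate flag, once for the child check), so the two could disagree; the value is now read
     * once.
     *
     * @return the aggregate result named {@code "X509CA"}
     */
    public HealthCheckResult healthCheck() {
        HealthCheckResult result = new HealthCheckResult();
        result.setName("X509CA");
        boolean healthy = true;

        ConcurrentContentSigner signer = this.caInfo.getSigner(null);
        if (signer != null) {
            boolean signerHealthy = signer.isHealthy();
            healthy &= signerHealthy;
            result.addChildCheck(newChildCheck("Signer", signerHealthy));
        }

        boolean databaseHealthy = this.certstore.isHealthy();
        healthy &= databaseHealthy;
        result.addChildCheck(newChildCheck("Database", databaseHealthy));

        SignerEntryWrapper crlSigner = getCrlSigner();
        if (crlSigner != null && crlSigner.getSigner() != null) {
            boolean crlSignerHealthy = crlSigner.getSigner().isHealthy();
            healthy &= crlSignerHealthy;
            result.addChildCheck(newChildCheck("CRLSigner", crlSignerHealthy));
        }

        for (IdentifiedCertPublisher publisher : publishers()) {
            boolean publisherHealthy = publisher.isHealthy();
            healthy &= publisherHealthy;
            result.addChildCheck(newChildCheck("Publisher", publisherHealthy));
        }

        result.setHealthy(healthy);
        return result;
    }

    /** Builds one named child check carrying the given health state. */
    private static HealthCheckResult newChildCheck(String name, boolean healthy) {
        HealthCheckResult child = new HealthCheckResult();
        child.setName(name);
        child.setHealthy(healthy);
        return child;
    }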

    /** Resolves the audit service every call; nothing is cached here. */
    private AuditService auditService() {
        return Audits.getAuditService();
    }

    /**
     * Creates an audit event of the "perf" category.
     *
     * @param str the event type
     * @param str2 the message id
     * @return the new event, already tagged with this CA's name
     */
    private AuditEvent newPerfAuditEvent(String str, String str2) {
        return newAuditEvent(CaAuditConstants.NAME_perf, str, str2);
    }

    /**
     * Creates an audit event stamped with the current time and this CA's name.
     *
     * @param str the event name (category)
     * @param str2 the event type
     * @param str3 the message id, recorded under {@code CaAuditConstants.NAME_mid}
     * @return the populated event (not yet finished or logged)
     * @throws IllegalArgumentException if any argument is {@code null} (via {@code Args.notNull})
     */
    private AuditEvent newAuditEvent(String str, String str2, String str3) {
        Args.notNull(str, CaAuditConstants.Scep.NAME_name);
        Args.notNull(str2, "eventType");
        Args.notNull(str3, "msgId");
        Date now = new Date();
        AuditEvent event = new AuditEvent(now);
        event.setApplicationName("ca");
        event.setName(str);
        // The CA name is recorded before the type and message id, in the original order.
        event.addEventData("ca", this.caIdent.getName());
        event.addEventType(str2);
        event.addEventData(CaAuditConstants.NAME_mid, str3);
        return event;
    }

    /**
     * Checks whether {@code x509Certificate} carries a valid signature made with this CA's key.
     *
     * <p>Any verification failure — including an unsupported algorithm or provider — is reported as
     * {@code false} and logged at debug level only; callers cannot distinguish "wrong signature"
     * from "could not verify".
     *
     * @param x509Certificate the certificate to verify, never {@code null}
     * @return {@code true} only if verification with the CA public key succeeded
     */
    private boolean verifySignature(X509Certificate x509Certificate) {
        Args.notNull(x509Certificate, "cert");
        boolean valid;
        try {
            x509Certificate.verify(this.caCert.getCert().getPublicKey());
            valid = true;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            LOG.debug("{} while verifying signature: {}", e.getClass().getName(), e.getMessage());
            valid = false;
        }
        return valid;
    }

    /**
     * Returns the CRL signer configured for this CA.
     *
     * @return the signer wrapper, or {@code null} if CRL generation is not configured or no CRL
     *         signer name is set
     */
    private SignerEntryWrapper getCrlSigner() {
        if (this.caInfo.getCrlControl() == null) {
            return null;
        }
        String crlSignerName = this.caInfo.getCrlSignerName();
        if (crlSignerName == null) {
            return null;
        }
        return this.caManager.getSignerWrapper(crlSignerName);
    }

    /** Returns the identifier (name/id pair) of this CA. */
    public NameId getCaIdent() {
        return this.caIdent;
    }

    /** Returns the hex-encoded SHA-1 fingerprint of the CA certificate, as stored in the CA entry. */
    public String getHexSha1OfCert() {
        return this.caInfo.getCaEntry().getHexSha1OfCert();
    }

    /**
     * Cancels the scheduled background jobs of this CA (CRL generation, expired-certificate
     * removal, suspended-certificate revocation) and purges cancelled tasks from the shared
     * executor.
     *
     * <p>Running jobs are not interrupted ({@code cancel(false)}); the executor itself belongs to
     * the CA manager and is not shut down here.
     */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.crlGenerationService != null) {
            this.crlGenerationService.cancel(false);
            this.crlGenerationService = null;
        }
        if (this.expiredCertsRemover != null) {
            this.expiredCertsRemover.cancel(false);
            this.expiredCertsRemover = null;
        }
        if (this.suspendedCertsRevoker != null) {
            this.suspendedCertsRevoker.cancel(false);
            this.suspendedCertsRevoker = null;
        }
        // Drop the cancelled futures from the executor's queue so they do not linger.
        ScheduledThreadPoolExecutor executor = this.caManager.getScheduledThreadPoolExecutor();
        if (executor != null) {
            executor.purge();
        }
    }

    /**
     * Builds a non-critical CRL entry extension {@code reasonCode} for the given reason value.
     *
     * @param i the CRL reason code (RFC 5280 CRLReason value)
     * @return the DER-encoded extension
     * @throws IllegalArgumentException if encoding fails (cause attached)
     */
    private static Extension createReasonExtension(int i) {
        byte[] encodedReason;
        try {
            encodedReason = CRLReason.lookup(i).getEncoded();
        } catch (IOException e) {
            throw new IllegalArgumentException("error encoding reason: " + e.getMessage(), e);
        }
        return new Extension(Extension.reasonCode, false, encodedReason);
    }

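    /**
     * Builds a non-critical CRL entry extension {@code invalidityDate} for the given date.
     *
     * <p>The failure message used to say "error encoding reason" (copied from
     * {@link #createReasonExtension(int)}); it now names the extension being built.
     *
     * @param date the invalidity date, encoded as GeneralizedTime
     * @return the DER-encoded extension
     * @throws IllegalArgumentException if encoding fails (cause attached)
     */
    private static Extension createInvalidityDateExtension(Date date) {
        try {
            return new Extension(Extension.invalidityDate, false, new ASN1GeneralizedTime(date).getEncoded());
        } catch (IOException e) {
            throw new IllegalArgumentException("error encoding invalidity date: " + e.getMessage(), e);
        }
    }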

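    /**
     * Builds the critical CRL entry extension {@code certificateIssuer} naming {@code x500Name}.
     *
     * <p>The extension is critical as RFC 5280 requires for certificateIssuer. The failure message
     * used to say "error encoding reason" (copied from {@link #createReasonExtension(int)}); it now
     * names the extension being built.
     *
     * @param x500Name the issuer name to record
     * @return the DER-encoded extension
     * @throws IllegalArgumentException if encoding fails (cause attached)
     */
    private static Extension createCertificateIssuerExtension(X500Name x500Name) {
        try {
            return new Extension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(x500Name)).getEncoded());
        } catch (IOException e) {
            throw new IllegalArgumentException("error encoding certificate issuer: " + e.getMessage(), e);
        }
    }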

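    /**
     * Returns {@code x500Name} without the RDNs whose (first) attribute value is blank.
     *
     * <p>Only the first attribute-type-and-value of each RDN is inspected, so a multi-valued RDN
     * is kept or dropped as a whole based on its first value (unchanged from the original).
     * If nothing is blank the very same instance is returned. If every RDN is blank the result is
     * an empty name; the certificate template check rejects empty subjects separately.
     *
     * <p>Change: the raw {@code ArrayList} became a typed list, removing the unchecked cast.
     *
     * @param x500Name the name to filter
     * @return the filtered name, or {@code x500Name} itself when no RDN was removed
     */
    private static X500Name removeEmptyRdns(X500Name x500Name) {
        RDN[] rdns = x500Name.getRDNs();
        List<RDN> kept = new ArrayList<>(rdns.length);
        boolean dropped = false;
        for (RDN rdn : rdns) {
            if (StringUtil.isBlank(X509Util.rdnValueToString(rdn.getFirst().getValue()))) {
                dropped = true;
            } else {
                kept.add(rdn);
            }
        }
        return dropped ? new X500Name(kept.toArray(new RDN[0])) : x500Name;
    }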

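    /**
     * Produces a copy of {@code x500Name} carrying the next serialNumber attribute obtained from the
     * profile.
     *
     * <p>If the name already has a serialNumber RDN it is replaced in place (the last one, if
     * several). Otherwise the new RDN is inserted directly after the (last) CN RDN, or first when
     * there is no CN.
     *
     * <p>Changes: the RDN array is cloned before being modified so the caller's name is never
     * mutated regardless of whether {@code getRDNs()} hands out a copy, and the raw
     * {@code ArrayList} became a typed list.
     *
     * @param identifiedCertprofile the profile that computes the next serial number
     * @param x500Name the subject to update
     * @param str the current serial number value (passed to the profile as its base)
     * @return a two-element array: {@code [updated X500Name, new serial number String]}
     * @throws BadFormatException if the profile rejects {@code str}
     */
    private static Object[] incSerialNumber(IdentifiedCertprofile identifiedCertprofile, X500Name x500Name, String str) throws BadFormatException {
        RDN[] rdns = x500Name.getRDNs().clone();
        int cnIndex = -1;
        int serialIndex = -1;
        for (int idx = 0; idx < rdns.length; idx++) {
            ASN1ObjectIdentifier type = rdns[idx].getFirst().getType();
            if (ObjectIdentifiers.DN.CN.equals(type)) {
                cnIndex = idx;
            } else if (ObjectIdentifiers.DN.serialNumber.equals(type)) {
                serialIndex = idx;
            }
        }
        String nextSerial = identifiedCertprofile.incSerialNumber(str);
        RDN serialRdn = new RDN(ObjectIdentifiers.DN.serialNumber, new DERPrintableString(nextSerial));
        X500Name updated;
        if (serialIndex != -1) {
            rdns[serialIndex] = serialRdn;
            updated = new X500Name(rdns);
        } else {
            List<RDN> withSerial = new ArrayList<>(rdns.length + 1);
            if (cnIndex == -1) {
                withSerial.add(serialRdn);
            }
            for (int idx = 0; idx < rdns.length; idx++) {
                withSerial.add(rdns[idx]);
                if (idx == cnIndex) {
                    withSerial.add(serialRdn);
                }
            }
            updated = new X500Name(withSerial.toArray(new RDN[0]));
        }
        return new Object[]{updated, nextSerial};
    }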

    /**
     * Finishes an audit event, marks it as successful or failed, and hands it to the audit service.
     *
     * @param auditEvent the event to close
     * @param z {@code true} for INFO/SUCCESSFUL, {@code false} for ERROR/FAILED
     */
    private void finish(AuditEvent auditEvent, boolean z) {
        auditEvent.finish();
        if (z) {
            auditEvent.setLevel(AuditLevel.INFO);
            auditEvent.setStatus(AuditStatus.SUCCESSFUL);
        } else {
            auditEvent.setLevel(AuditLevel.ERROR);
            auditEvent.setStatus(AuditStatus.FAILED);
        }
        auditService().logEvent(auditEvent);
    }

    /**
     * Obtains signed certificate timestamps for a (pre-)certificate from the configured CT log
     * client, using this CA's certificate and chain as the issuer context.
     *
     * @param bArr the encoded certificate to submit
     * @return the SCT list returned by the client
     * @throws OperationException if the client reports a failure
     */
    private CtLog.SignedCertificateTimestampList getCtlogScts(byte[] bArr) throws OperationException {
        return this.ctlogClient.getCtLogScts(bArr, this.caCert, this.caInfo.getCertchain());
    }
}
