package org.xipki.ca.server;

import java.io.Closeable;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.sec.SECObjectIdentifiers;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.CertificatePolicies;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.xipki.ca.api.BadCertTemplateException;
import org.xipki.ca.api.BadFormatException;
import org.xipki.ca.api.CaUris;
import org.xipki.ca.api.NameId;
import org.xipki.ca.api.PublicCaInfo;
import org.xipki.ca.api.mgmt.MgmtEntry;
import org.xipki.ca.api.profile.BaseCertprofile;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.api.profile.ExtensionSpec;
import org.xipki.ca.api.profile.ExtensionValue;
import org.xipki.ca.api.profile.ExtensionValues;
import org.xipki.ca.api.profile.KeyParametersOption;
import org.xipki.ca.api.profile.KeypairGenControl;
import org.xipki.ca.api.profile.SubjectDnSpec;
import org.xipki.security.EdECConstants;
import org.xipki.security.ExtensionExistence;
import org.xipki.security.HashAlgo;
import org.xipki.security.KeyUsage;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.util.AlgorithmUtil;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.Validity;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/xipki/ca/server/IdentifiedCertprofile.class */
public class IdentifiedCertprofile implements Closeable {
    // 825-day validity constant. It is not referenced in the part of the class visible here.
    // NOTE(review): the name suggests a CA/Browser Forum end-entity maximum - confirm where it is
    // enforced, and whether the field can be declared final.
    private static Validity maxCabEeValidity = new Validity(825, Validity.Unit.DAY);
    // Management entry of this profile; supplies the identifier and the configuration.
    private final MgmtEntry.Certprofile dbEntry;
    // Profile implementation that the methods of this class delegate to.
    private final Certprofile certprofile;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Binds a management entry to a profile implementation and initializes the implementation
     * with the configuration taken from the entry.
     *
     * <p>The parameter names come from the decompiler: {@code certprofile} is the management
     * entry (stored as {@code dbEntry}) and {@code certprofile2} is the profile implementation.
     *
     * @param certprofile management entry of the profile; checked with {@code Args.notNull}
     * @param certprofile2 profile implementation; checked with {@code Args.notNull}
     * @throws CertprofileException declared because {@code initialize} is called here
     */
    public IdentifiedCertprofile(MgmtEntry.Certprofile certprofile, Certprofile certprofile2) throws CertprofileException {
        this.dbEntry = (MgmtEntry.Certprofile) Args.notNull(certprofile, "dbEntry");
        this.certprofile = (Certprofile) Args.notNull(certprofile2, CaAuditConstants.NAME_certprofile);
        // Here "certprofile" is the constructor parameter (the management entry), not the field.
        this.certprofile.initialize(certprofile.getConf());
    }

    /** Returns the identifier held by the management entry of this profile. */
    public NameId getIdent() {
        return dbEntry.getIdent();
    }

    /** Returns the management entry this instance was created with (the same object, not a copy). */
    public MgmtEntry.Certprofile getDbEntry() {
        return dbEntry;
    }

    /** Returns the X.509 certificate version reported by the wrapped profile. */
    public Certprofile.X509CertVersion getVersion() {
        return certprofile.getVersion();
    }

    /** Returns the signature algorithm list reported by the wrapped profile. */
    public List<String> getSignatureAlgorithms() {
        return certprofile.getSignatureAlgorithms();
    }

    /**
     * Returns the notBefore value the wrapped profile derives from the given date.
     *
     * @param date value forwarded unchanged to the profile
     */
    public Date getNotBefore(Date date) {
        return certprofile.getNotBefore(date);
    }

    /** Returns the validity reported by the wrapped profile. */
    public Validity getValidity() {
        return certprofile.getValidity();
    }

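    /**
     * Asks the wrapped profile for the subject to grant and validates the granted subject.
     *
     * <p>For profiles in the {@code CABForumBR} domain the subject attributes are checked
     * against the rules coded below. End-entity profiles are checked for the
     * presence/absence combinations of street, locality, state, postal code and country,
     * plus the rules tied to the first domain-, organization- or individual-validated
     * policy found in the profile's certificate policies. All other levels must carry
     * commonName, organizationName and countryName.
     *
     * <p>Independently of the domain, every country-type attribute of the granted subject
     * must hold a value accepted by {@code SubjectDnSpec.isValidCountryAreaCode}.
     *
     * @param x500Name subject forwarded to the wrapped profile
     * @return the subject information produced by the wrapped profile
     * @throws CertprofileException declared because the wrapped profile is called
     * @throws BadCertTemplateException if the granted subject violates one of the checks
     */
    public Certprofile.SubjectInfo getSubject(X500Name x500Name) throws CertprofileException, BadCertTemplateException {
        Certprofile.SubjectInfo subjectInfo = this.certprofile.getSubject(x500Name);
        if (this.certprofile.getCertDomain() == Certprofile.CertDomain.CABForumBR) {
            X500Name granted = subjectInfo.getGrantedSubject();
            if (getCertLevel() == Certprofile.CertLevel.EndEntity) {
                // The first DV/OV/IV policy identifier in the profile selects the rule set below.
                ASN1ObjectIdentifier validationPolicy = null;
                CertificatePolicies policies = this.certprofile.getCertificatePolicies();
                if (policies != null) {
                    for (PolicyInformation policyInfo : policies.getPolicyInformation()) {
                        ASN1ObjectIdentifier policyId = policyInfo.getPolicyIdentifier();
                        if (ObjectIdentifiers.BaseRequirements.id_domain_validated.equals(policyId)
                                || ObjectIdentifiers.BaseRequirements.id_organization_validated.equals(policyId)
                                || ObjectIdentifiers.BaseRequirements.id_individual_validated.equals(policyId)) {
                            validationPolicy = policyId;
                            break;
                        }
                    }
                }

                // Presence flags are looked up once and reused by every rule.
                boolean hasOrg = containsRdn(granted, ObjectIdentifiers.DN.O);
                boolean hasGivenName = containsRdn(granted, ObjectIdentifiers.DN.givenName);
                boolean hasSurname = containsRdn(granted, ObjectIdentifiers.DN.surname);
                boolean hasIdentity = hasOrg || hasGivenName || hasSurname;
                boolean hasLocality = containsRdn(granted, ObjectIdentifiers.DN.localityName);
                boolean hasState = containsRdn(granted, ObjectIdentifiers.DN.ST);

                if (containsRdn(granted, ObjectIdentifiers.DN.street) && !hasIdentity) {
                    throw new BadCertTemplateException("subject:street is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
                }
                if (hasLocality) {
                    if (!hasIdentity) {
                        throw new BadCertTemplateException("subject:localityName is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
                    }
                } else if (!hasState && hasIdentity) {
                    throw new BadCertTemplateException("subject:localityName is required if the subject:organizationName field, subject:givenName field, or subject:surname field are present and the subject:stateOrProvinceName field is absent.");
                }
                if (hasState) {
                    if (!hasIdentity) {
                        throw new BadCertTemplateException("subject:stateOrProvinceName is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
                    }
                } else if (!hasLocality && hasIdentity) {
                    throw new BadCertTemplateException("subject:stateOrProvinceName is required if the subject:organizationName field, subject:givenName field, or subject:surname field are present and the subject:localityName field is absent.");
                }
                if (containsRdn(granted, ObjectIdentifiers.DN.postalCode) && !hasIdentity) {
                    throw new BadCertTemplateException("subject:postalCode is prohibited if the subject:organizationName field, subject:givenName, and subject:surname field are absent.");
                }
                if (!containsRdn(granted, ObjectIdentifiers.DN.C) && hasIdentity) {
                    throw new BadCertTemplateException("subject:countryCode is required if the subject:organizationName field, subject:givenName, and subject:surname field are present");
                }

                if (ObjectIdentifiers.BaseRequirements.id_domain_validated.equals(validationPolicy)) {
                    // Domain validated: no identity or address attribute may appear.
                    ASN1ObjectIdentifier[] prohibitedTypes = {ObjectIdentifiers.DN.O, ObjectIdentifiers.DN.givenName, ObjectIdentifiers.DN.surname, ObjectIdentifiers.DN.street, ObjectIdentifiers.DN.localityName, ObjectIdentifiers.DN.ST, ObjectIdentifiers.DN.postalCode};
                    for (ASN1ObjectIdentifier prohibitedType : prohibitedTypes) {
                        if (containsRdn(granted, prohibitedType)) {
                            throw new BadCertTemplateException("subject " + ObjectIdentifiers.getName(prohibitedType) + " is prohibited in domain validated certificate");
                        }
                    }
                } else if (ObjectIdentifiers.BaseRequirements.id_organization_validated.equals(validationPolicy)) {
                    ASN1ObjectIdentifier[] requiredTypes = {ObjectIdentifiers.DN.O, ObjectIdentifiers.DN.C};
                    for (ASN1ObjectIdentifier requiredType : requiredTypes) {
                        if (!containsRdn(granted, requiredType)) {
                            throw new BadCertTemplateException("subject " + ObjectIdentifiers.getName(requiredType) + " is required in organization validated certificate");
                        }
                    }
                    if (!hasLocality && !hasState) {
                        throw new BadCertTemplateException("at least one of subject:localityName and subject:stateOrProvinceName is required in organization validated certificate");
                    }
                } else if (ObjectIdentifiers.BaseRequirements.id_individual_validated.equals(validationPolicy)) {
                    ASN1ObjectIdentifier[] requiredTypes = {ObjectIdentifiers.DN.C};
                    for (ASN1ObjectIdentifier requiredType : requiredTypes) {
                        if (!containsRdn(granted, requiredType)) {
                            throw new BadCertTemplateException("subject " + ObjectIdentifiers.getName(requiredType) + " is required in individual validated certificate");
                        }
                    }
                    // Either an organization, or both givenName and surname.
                    if (!hasOrg && (!hasGivenName || !hasSurname)) {
                        throw new BadCertTemplateException("at least one of subject:organizationName and (subject:givenName, subject:surName) is required in individual validated certificate");
                    }
                    if (!hasLocality && !hasState) {
                        throw new BadCertTemplateException("at least one of subject:localityName and subject:stateOrProvinceName is required in individual validated certificate");
                    }
                }
            } else {
                // Fix: test the attribute of the current iteration. The previous code tested
                // commonName on every pass, so a subject without organizationName or
                // countryName was accepted as long as commonName was present.
                ASN1ObjectIdentifier[] requiredTypes = {ObjectIdentifiers.DN.CN, ObjectIdentifiers.DN.O, ObjectIdentifiers.DN.C};
                for (ASN1ObjectIdentifier requiredType : requiredTypes) {
                    if (!containsRdn(granted, requiredType)) {
                        throw new BadCertTemplateException("missing " + ObjectIdentifiers.getName(requiredType) + " in subject");
                    }
                }
            }
        }

        // Country-type attributes are validated for every domain, not only CABForumBR.
        ASN1ObjectIdentifier[] countryTypes = {ObjectIdentifiers.DN.C, ObjectIdentifiers.DN.countryOfCitizenship, ObjectIdentifiers.DN.countryOfResidence, ObjectIdentifiers.DN.jurisdictionOfIncorporationCountryName};
        for (ASN1ObjectIdentifier countryType : countryTypes) {
            RDN[] rdns = subjectInfo.getGrantedSubject().getRDNs(countryType);
            if (rdns == null) {
                continue;
            }
            for (RDN rdn : rdns) {
                // Only the first attribute-value pair of each RDN is inspected.
                String code = IETFUtils.valueToString(rdn.getFirst().getValue());
                if (!SubjectDnSpec.isValidCountryAreaCode(code)) {
                    String typeName = ObjectIdentifiers.getName(countryType);
                    if (typeName == null) {
                        typeName = countryType.getId();
                    }
                    throw new BadCertTemplateException("invalid country/area code '" + code + "' in subject attribute " + typeName);
                }
            }
        }
        return subjectInfo;
    }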

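    /**
     * Assembles the extensions of a certificate to be issued under this profile.
     *
     * <p>Order of work, as coded below:
     * <ol>
     *   <li>copy the profile's extension controls and drop {@code id_SCTs};</li>
     *   <li>read the "needed"/"wanted" extension types from the request's
     *       {@code id_xipki_ext_cmpRequestExtensions} extension, if present;</li>
     *   <li>keep those requested extensions whose type has no control or whose control
     *       is flagged {@code isRequest()};</li>
     *   <li>build the extensions computed here (subject/authority key identifier, issuer
     *       alternative name, authority information access, CRL distribution points,
     *       freshest CRL, basic constraints, key usage, extended key usage, OCSP no-check,
     *       subject information access, certificate policies);</li>
     *   <li>ask the wrapped profile for the remaining ones and fall back to the requested
     *       value where the control permits it;</li>
     *   <li>fail if a required or needed extension could not be added;</li>
     *   <li>for {@code CABForumBR} end-entity profiles, validate the subjectAltName entries
     *       and require the subject commonName to appear among them.</li>
     * </ol>
     *
     * <p>Review notes for the subjectAltName check: only dNSName and 4-byte iPAddress
     * entries are inspected, so entries of other types and iPAddress values of other
     * lengths pass unchecked, and the commonName comparison is an exact, case-sensitive
     * string match.
     *
     * @param x500Name forwarded to the wrapped profile (presumably the requested subject)
     * @param x500Name2 forwarded to the wrapped profile; its commonName is the one
     *     cross-checked against subjectAltName (presumably the granted subject)
     * @param extensions extensions of the request, may be {@code null}
     * @param subjectPublicKeyInfo public key of the certificate, must not be {@code null}
     * @param publicCaInfo issuing CA information used for the authority-related extensions
     * @param x509Certificate certificate whose subject is handed to the CRL distribution
     *     point builder, may be {@code null}
     * @param date forwarded to the wrapped profile (presumably notBefore)
     * @param date2 forwarded to the wrapped profile (presumably notAfter)
     * @return the extension values to place in the certificate
     * @throws CertprofileException if extensions marked as required could not be added
     * @throws BadCertTemplateException if a needed extension cannot be provided or the
     *     subjectAltName checks fail
     */
    public ExtensionValues getExtensions(X500Name x500Name, X500Name x500Name2, Extensions extensions, SubjectPublicKeyInfo subjectPublicKeyInfo, PublicCaInfo publicCaInfo, X509Certificate x509Certificate, Date date, Date date2) throws CertprofileException, BadCertTemplateException {
        Args.notNull(subjectPublicKeyInfo, "publicKeyInfo");
        ExtensionValues values = new ExtensionValues();

        // Working copy; entries are removed as extensions are handled.
        Map<ASN1ObjectIdentifier, Certprofile.ExtensionControl> controls = new HashMap<>(this.certprofile.getExtensionControls());
        // The SCT extension is never produced by this method.
        controls.remove(ObjectIdentifiers.Extn.id_SCTs);

        Set<ASN1ObjectIdentifier> neededOids = new HashSet<>(2);
        Set<ASN1ObjectIdentifier> wantedOids = new HashSet<>(2);
        if (extensions != null) {
            Extension existenceExtn = extensions.getExtension(ObjectIdentifiers.Xipki.id_xipki_ext_cmpRequestExtensions);
            if (existenceExtn != null) {
                ExtensionExistence existence = ExtensionExistence.getInstance(existenceExtn.getParsedValue());
                neededOids.addAll(existence.getNeedExtensions());
                wantedOids.addAll(existence.getWantExtensions());
            }
            for (ASN1ObjectIdentifier neededOid : neededOids) {
                // "needed" wins over "wanted" for the same type.
                wantedOids.remove(neededOid);
                if (!controls.containsKey(neededOid)) {
                    throw new BadCertTemplateException("could not add needed extension " + neededOid.getId());
                }
            }
        }

        // Requester-supplied extensions that are either uncontrolled or explicitly allowed
        // to come from the request. They are input to the builders and to the profile.
        Map<ASN1ObjectIdentifier, Extension> requestedExtns = new HashMap<>();
        if (extensions != null) {
            for (ASN1ObjectIdentifier requestedOid : extensions.getExtensionOIDs()) {
                Certprofile.ExtensionControl requestedControl = controls.get(requestedOid);
                if (requestedControl == null || requestedControl.isRequest()) {
                    requestedExtns.put(requestedOid, extensions.getExtension(requestedOid));
                }
            }
        }

        // SubjectKeyIdentifier: SHA-1 over the subject public key bits. The digest only
        // serves as a key identifier here.
        ASN1ObjectIdentifier extnOid = Extension.subjectKeyIdentifier;
        Certprofile.ExtensionControl extnControl = controls.remove(extnOid);
        if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
            byte[] publicKeyBits = subjectPublicKeyInfo.getPublicKeyData().getBytes();
            // Fix: the decompiled call cast a byte[] to byte[][] and did not compile.
            SubjectKeyIdentifier ski = new SubjectKeyIdentifier(HashAlgo.SHA1.hash(publicKeyBits));
            addExtension(values, extnOid, (ASN1Encodable) ski, extnControl, neededOids, wantedOids);
        }

        // AuthorityKeyIdentifier: issuer name + serial number, or the CA's key identifier.
        extnOid = Extension.authorityKeyIdentifier;
        extnControl = controls.remove(extnOid);
        if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
            AuthorityKeyIdentifier aki = null;
            if (this.certprofile.useIssuerAndSerialInAki()) {
                aki = new AuthorityKeyIdentifier(new GeneralNames(new GeneralName(publicCaInfo.getX500Subject())), publicCaInfo.getSerialNumber());
            } else {
                byte[] caSki = publicCaInfo.getSubjectKeyIdentifer();
                if (caSki != null) {
                    aki = new AuthorityKeyIdentifier(caSki);
                }
            }
            // aki stays null when the CA has no key identifier; addExtension receives null then.
            addExtension(values, extnOid, (ASN1Encodable) aki, extnControl, neededOids, wantedOids);
        }

        // IssuerAltName: taken from the CA's subjectAltName.
        extnOid = Extension.issuerAlternativeName;
        extnControl = controls.remove(extnOid);
        if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
            addExtension(values, extnOid, (ASN1Encodable) publicCaInfo.getSubjectAltName(), extnControl, neededOids, wantedOids);
        }

        // AuthorityInfoAccess: CA issuer and OCSP URIs, each included unless the AIA
        // control of the profile switches it off.
        extnOid = Extension.authorityInfoAccess;
        extnControl = controls.remove(extnOid);
        CaUris caUris = publicCaInfo.getCaUris();
        if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
            Certprofile.AuthorityInfoAccessControl aiaControl = this.certprofile.getAiaControl();
            List<String> caIssuerUris = (aiaControl == null || aiaControl.isIncludesCaIssuers()) ? caUris.getCacertUris() : null;
            List<String> ocspUris = (aiaControl == null || aiaControl.isIncludesOcsp()) ? caUris.getOcspUris() : null;
            ASN1Encodable aiaValue = null;
            if (CollectionUtil.isNotEmpty(caIssuerUris) || CollectionUtil.isNotEmpty(ocspUris)) {
                aiaValue = CaUtil.createAuthorityInformationAccess(caIssuerUris, ocspUris);
            }
            addExtension(values, extnOid, aiaValue, extnControl, neededOids, wantedOids);
        }

        // CRLDistributionPoints and FreshestCRL share the issuer / CRL signer names.
        if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
            X500Name crlSignerSubject = null;
            if (x509Certificate != null) {
                crlSignerSubject = X500Name.getInstance(x509Certificate.getSubjectX500Principal().getEncoded());
            }
            X500Name caSubject = publicCaInfo.getX500Subject();

            extnOid = Extension.cRLDistributionPoints;
            extnControl = controls.remove(extnOid);
            if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
                ASN1Encodable crlDp = null;
                if (CollectionUtil.isNotEmpty(caUris.getCrlUris())) {
                    crlDp = CaUtil.createCrlDistributionPoints(caUris.getCrlUris(), caSubject, crlSignerSubject);
                }
                addExtension(values, extnOid, crlDp, extnControl, neededOids, wantedOids);
            }

            extnOid = Extension.freshestCRL;
            extnControl = controls.remove(extnOid);
            if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
                ASN1Encodable deltaCrlDp = null;
                if (CollectionUtil.isNotEmpty(caUris.getDeltaCrlUris())) {
                    deltaCrlDp = CaUtil.createCrlDistributionPoints(caUris.getDeltaCrlUris(), caSubject, crlSignerSubject);
                }
                addExtension(values, extnOid, deltaCrlDp, extnControl, neededOids, wantedOids);
            }
        }

        // BasicConstraints: derived from the profile's level and path length.
        extnOid = Extension.basicConstraints;
        extnControl = controls.remove(extnOid);
        if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
            addExtension(values, extnOid, (ASN1Encodable) CaUtil.createBasicConstraints(this.certprofile.getCertLevel(), this.certprofile.getPathLenBasicConstraint()), extnControl, neededOids, wantedOids);
        }

        // KeyUsage: usages required by the profile, then whatever addRequestedKeyusage
        // adds on behalf of the request.
        extnOid = Extension.keyUsage;
        extnControl = controls.remove(extnOid);
        if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
            Set<KeyUsage> usages = new HashSet<>();
            Set<Certprofile.KeyUsageControl> usageControls = this.certprofile.getKeyUsage();
            for (Certprofile.KeyUsageControl usageControl : usageControls) {
                if (usageControl.isRequired()) {
                    usages.add(usageControl.getKeyUsage());
                }
            }
            addRequestedKeyusage(usages, requestedExtns, usageControls);
            addExtension(values, extnOid, (ASN1Encodable) X509Util.createKeyUsage(usages), extnControl, neededOids, wantedOids);
        }

        // ExtendedKeyUsage: same pattern as KeyUsage.
        extnOid = Extension.extendedKeyUsage;
        extnControl = controls.remove(extnOid);
        if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
            List<ASN1ObjectIdentifier> extUsages = new LinkedList<>();
            Set<Certprofile.ExtKeyUsageControl> extUsageControls = this.certprofile.getExtendedKeyUsages();
            for (Certprofile.ExtKeyUsageControl extUsageControl : extUsageControls) {
                if (extUsageControl.isRequired()) {
                    extUsages.add(extUsageControl.getExtKeyUsage());
                }
            }
            addRequestedExtKeyusage(extUsages, requestedExtns, extUsageControls);
            // The extension is emitted as non-critical when anyExtendedKeyUsage is present.
            if (extnControl.isCritical() && extUsages.contains(ObjectIdentifiers.XKU.id_kp_anyExtendedKeyUsage)) {
                extnControl = new Certprofile.ExtensionControl(false, extnControl.isRequired(), extnControl.isRequest());
            }
            addExtension(values, extnOid, (ASN1Encodable) X509Util.createExtendedUsage(extUsages), extnControl, neededOids, wantedOids);
        }

        // OCSP no-check: the value is an ASN.1 NULL.
        extnOid = ObjectIdentifiers.Extn.id_extension_pkix_ocsp_nocheck;
        extnControl = controls.remove(extnOid);
        if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
            addExtension(values, extnOid, (ASN1Encodable) DERNull.INSTANCE, extnControl, neededOids, wantedOids);
        }

        // SubjectInfoAccess: built from the request, limited by the profile's access modes.
        extnOid = Extension.subjectInfoAccess;
        extnControl = controls.remove(extnOid);
        if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
            addExtension(values, extnOid, (ASN1Encodable) createSubjectInfoAccess(requestedExtns, this.certprofile.getSubjectInfoAccessModes()), extnControl, neededOids, wantedOids);
        }

        // CertificatePolicies: taken from the profile.
        extnOid = Extension.certificatePolicies;
        extnControl = controls.remove(extnOid);
        if (extnControl != null && addMe(extnOid, extnControl, neededOids, wantedOids)) {
            addExtension(values, extnOid, (ASN1Encodable) this.certprofile.getCertificatePolicies(), extnControl, neededOids, wantedOids);
        }

        // Drop optional extensions nobody asked for before handing the rest to the profile.
        controls.entrySet().removeIf(entry ->
                !entry.getValue().isRequired()
                        && !neededOids.contains(entry.getKey())
                        && !wantedOids.contains(entry.getKey())
                        && requestedExtns.get(entry.getKey()) == null);

        ExtensionValues profileValues = this.certprofile.getExtensions(Collections.unmodifiableMap(controls), x500Name, x500Name2, requestedExtns, date, date2, publicCaInfo);

        // Iterate over a copy because entries are removed from "controls" inside the loop.
        for (ASN1ObjectIdentifier remainingOid : new HashSet<>(controls.keySet())) {
            Certprofile.ExtensionControl remainingControl = controls.get(remainingOid);
            if (!addMe(remainingOid, remainingControl, neededOids, wantedOids)) {
                controls.remove(remainingOid);
                continue;
            }
            ExtensionValue value = profileValues.getExtensionValue(remainingOid);
            if (value == null && remainingControl.isRequest()) {
                // The profile produced nothing and the control allows the request to supply
                // the value: the requester's content is copied as-is, with the criticality
                // dictated by the profile.
                Extension requested = requestedExtns.get(remainingOid);
                if (requested != null) {
                    value = new ExtensionValue(remainingControl.isCritical(), requested.getParsedValue());
                }
            }
            if (value != null) {
                addExtension(values, remainingOid, value, remainingControl, neededOids, wantedOids);
                controls.remove(remainingOid);
            }
        }

        // Whatever is still in "controls" was not added; required leftovers are an error.
        Set<ASN1ObjectIdentifier> missingRequired = new HashSet<>();
        for (Map.Entry<ASN1ObjectIdentifier, Certprofile.ExtensionControl> entry : controls.entrySet()) {
            if (entry.getValue().isRequired()) {
                missingRequired.add(entry.getKey());
            }
        }
        if (CollectionUtil.isNotEmpty(missingRequired)) {
            throw new CertprofileException("could not add required extensions " + toString(missingRequired));
        }
        // NOTE(review): this relies on addExtension removing satisfied types from the
        // needed set - confirm in addExtension.
        if (CollectionUtil.isNotEmpty(neededOids)) {
            throw new BadCertTemplateException("could not add requested extensions " + toString(neededOids));
        }

        if (this.certprofile.getCertDomain() == Certprofile.CertDomain.CABForumBR && getCertLevel() == Certprofile.CertLevel.EndEntity) {
            String commonName = X509Util.getCommonName(x500Name2);
            // Without a commonName there is nothing to cross-check.
            boolean commonNameInSan = commonName == null;

            // Fix: a missing subjectAltName used to end in a NullPointerException here;
            // it is now reported as a rejected template.
            ExtensionValue sanValue = values.getExtensionValue(Extension.subjectAlternativeName);
            if (sanValue == null) {
                throw new BadCertTemplateException("extension:SubjectAlternativeNames is missing");
            }

            for (GeneralName generalName : GeneralNames.getInstance(sanValue.getValue()).getNames()) {
                int tag = generalName.getTagNo();
                if (tag == GeneralName.dNSName) {
                    String dnsName = DERIA5String.getInstance(generalName.getName()).getString();
                    if (!commonNameInSan && dnsName.equals(commonName)) {
                        commonNameInSan = true;
                    }
                    // Underscores are rejected before the public-domain check.
                    if (dnsName.indexOf('_') != -1 || !ExtensionSpec.isValidPublicDomain(dnsName)) {
                        throw new BadCertTemplateException("invalid DNSName " + dnsName);
                    }
                } else if (tag == GeneralName.iPAddress) {
                    byte[] octets = DEROctetString.getInstance(generalName.getName()).getOctets();
                    // Only 4-byte (IPv4) values are checked; other lengths are skipped.
                    if (octets.length == 4) {
                        String ipv4 = (octets[0] & 0xFF) + "." + (octets[1] & 0xFF) + "." + (octets[2] & 0xFF) + "." + (octets[3] & 0xFF);
                        if (!commonNameInSan && ipv4.equals(commonName)) {
                            commonNameInSan = true;
                        }
                        if (!ExtensionSpec.isValidPublicIPv4Address(octets)) {
                            throw new BadCertTemplateException("invalid IPv4Address " + ipv4);
                        }
                    }
                }
            }
            if (!commonNameInSan) {
                throw new BadCertTemplateException("content of subject:commonName is not included in extension:SubjectAlternativeNames");
            }
        }
        return values;
    }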

    /** Returns the certificate level reported by the wrapped profile. */
    public Certprofile.CertLevel getCertLevel() {
        return certprofile.getCertLevel();
    }

    /** Returns the key pair generation control reported by the wrapped profile. */
    public KeypairGenControl getKeypairGenControl() {
        return certprofile.getKeypairGenControl();
    }

    /** Returns the wrapped profile's {@code isOnlyForRa()} flag. */
    public boolean isOnlyForRa() {
        return certprofile.isOnlyForRa();
    }

    /**
     * Hands the public key to the wrapped profile for checking.
     *
     * @param subjectPublicKeyInfo public key to check; passed through {@code Args.notNull} first
     * @return whatever the wrapped profile's {@code checkPublicKey} returns
     * @throws CertprofileException declared because the wrapped profile is called
     * @throws BadCertTemplateException declared because the wrapped profile is called
     */
    public SubjectPublicKeyInfo checkPublicKey(SubjectPublicKeyInfo subjectPublicKeyInfo) throws CertprofileException, BadCertTemplateException {
        SubjectPublicKeyInfo checkedKey = (SubjectPublicKeyInfo) Args.notNull(subjectPublicKeyInfo, "publicKey");
        return certprofile.checkPublicKey(checkedKey);
    }

    /** Returns the wrapped profile's {@code incSerialNumberIfSubjectExists()} flag. */
    public boolean incSerialNumberIfSubjectExists() {
        return certprofile.incSerialNumberIfSubjectExists();
    }

    /** Closes the wrapped profile, if one is set. */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (certprofile == null) {
            return;
        }
        certprofile.close();
    }

    /** Returns the wrapped profile's {@code useIssuerAndSerialInAki()} flag. */
    public boolean useIssuerAndSerialInAki() {
        return certprofile.useIssuerAndSerialInAki();
    }

    /**
     * Delegates to the wrapped profile's {@code incSerialNumber}.
     *
     * @param str value forwarded unchanged to the profile
     * @throws BadFormatException declared because the wrapped profile is called
     */
    public String incSerialNumber(String str) throws BadFormatException {
        return certprofile.incSerialNumber(str);
    }

    /** Returns the wrapped profile's {@code isSerialNumberInReqPermitted()} flag. */
    public boolean isSerialNumberInReqPermitted() {
        return certprofile.isSerialNumberInReqPermitted();
    }

    /** Returns the extension controls of the wrapped profile, as returned by the profile (no copy). */
    public Map<ASN1ObjectIdentifier, Certprofile.ExtensionControl> getExtensionControls() {
        return certprofile.getExtensionControls();
    }

    /** Returns the key usage controls of the wrapped profile. */
    public Set<Certprofile.KeyUsageControl> getKeyUsage() {
        return certprofile.getKeyUsage();
    }

    /** Returns the basic-constraints path length reported by the wrapped profile. */
    public Integer getPathLenBasicConstraint() {
        return certprofile.getPathLenBasicConstraint();
    }

    /** Returns the extended key usage controls of the wrapped profile. */
    public Set<Certprofile.ExtKeyUsageControl> getExtendedKeyUsages() {
        return certprofile.getExtendedKeyUsages();
    }

    /** Returns the maximum certificate size reported by the wrapped profile. */
    public int getMaxCertSize() {
        return certprofile.getMaxCertSize();
    }

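    /**
     * Checks the wrapped certprofile for internal consistency and reports every finding in one
     * exception.
     *
     * <p>The checks run in this order: extension controls against the {@code ExtensionSpec} for
     * the profile's domain and level (request-ability, permission, criticality, required
     * extensions); key usage against the certificate level; path length on root CAs; the
     * CA/Browser Forum checks when the domain is {@code CABForumBR}; and key usage rules for
     * Ed25519/Ed448 and X25519/X448 keys.
     *
     * @throws CertprofileException if any check fails; the message lists all findings,
     *     separated by ", "
     */
    public void validate() throws CertprofileException {
        StringBuilder msg = new StringBuilder();
        Map<ASN1ObjectIdentifier, Certprofile.ExtensionControl> controls = getExtensionControls();
        Set<ASN1ObjectIdentifier> configuredTypes = new HashSet<>(controls.keySet());
        Certprofile.CertLevel certLevel = getCertLevel();
        Certprofile.CertDomain certDomain = this.certprofile.getCertDomain();
        ExtensionSpec spec = ExtensionSpec.getExtensionSpec(certDomain, certLevel);

        // Extensions the profile accepts from the request although the spec forbids that.
        Set<ASN1ObjectIdentifier> offending = new HashSet<>();
        for (ASN1ObjectIdentifier type : configuredTypes) {
            if (controls.get(type).isRequest() && spec.isNonRequest(type)) {
                offending.add(type);
            }
        }
        if (!offending.isEmpty()) {
            msg.append("extensions ").append(toString(offending)).append(" must not be contained in request, ");
        }

        // Extensions the spec does not permit at all.
        offending.clear();
        for (ASN1ObjectIdentifier type : configuredTypes) {
            if (spec.isNotPermitted(type)) {
                offending.add(type);
            }
        }
        if (!offending.isEmpty()) {
            msg.append("extensions ").append(toString(offending)).append(" must not be contained, ");
        }

        // Marked critical although the spec allows them only as non-critical.
        offending.clear();
        for (ASN1ObjectIdentifier type : configuredTypes) {
            if (controls.get(type).isCritical() && spec.isNonCriticalOnly(type)) {
                offending.add(type);
            }
        }
        if (!offending.isEmpty()) {
            msg.append("non-critical only extensions are marked as critical ").append(toString(offending)).append(", ");
        }

        // Marked non-critical although the spec allows them only as critical.
        offending.clear();
        for (ASN1ObjectIdentifier type : configuredTypes) {
            if (!controls.get(type).isCritical() && spec.isCriticalOnly(type)) {
                offending.add(type);
            }
        }
        if (!offending.isEmpty()) {
            msg.append("critical only extensions are marked as non-critical ").append(toString(offending)).append(", ");
        }

        // Extensions the spec requires but the profile lacks or leaves optional.
        offending.clear();
        for (ASN1ObjectIdentifier type : spec.getRequiredExtensions()) {
            Certprofile.ExtensionControl control = controls.get(type);
            if (control == null || !control.isRequired()) {
                offending.add(type);
            }
        }
        if (!offending.isEmpty()) {
            msg.append("required extensions are not configured or not marked as required ").append(toString(offending)).append(", ");
        }

        Set<Certprofile.KeyUsageControl> keyUsage = getKeyUsage();
        if (certLevel == Certprofile.CertLevel.SubCA || certLevel == Certprofile.CertLevel.RootCA) {
            for (KeyUsage caUsage : new KeyUsage[]{KeyUsage.keyCertSign, KeyUsage.cRLSign}) {
                if (!containsKeyusage(keyUsage, caUsage)) {
                    msg.append("CA profile does not contain keyUsage ").append(caUsage).append(", ");
                }
            }
        } else {
            // A non-CA profile must not offer a CA-only key usage. The decision is made on the
            // usages actually found here, independent of the extension findings above.
            Set<KeyUsage> caOnlyFound = new HashSet<>();
            for (KeyUsage caOnlyUsage : new KeyUsage[]{KeyUsage.keyCertSign}) {
                if (containsKeyusage(keyUsage, caOnlyUsage)) {
                    caOnlyFound.add(caOnlyUsage);
                }
            }
            if (!caOnlyFound.isEmpty()) {
                msg.append("EndEntity profile must not contain CA-only keyUsage ").append(caOnlyFound).append(", ");
            }
        }

        if (certLevel == Certprofile.CertLevel.RootCA && getPathLenBasicConstraint() != null) {
            msg.append("Root CA must not set PathLen, ");
        }
        if (certDomain == Certprofile.CertDomain.CABForumBR) {
            validateCABForumBR(msg);
        }

        // NOTE(review): a null key-algorithm map is skipped here rather than dereferenced;
        // validateCABForumBR also tolerates a null/empty map. Confirm what null means upstream.
        Map<?, ?> keyAlgorithms = this.certprofile.getKeyAlgorithms();
        boolean hasEdwardsKey = keyAlgorithms != null
                && (keyAlgorithms.containsKey(EdECConstants.id_Ed25519) || keyAlgorithms.containsKey(EdECConstants.id_Ed448));
        boolean hasMontgomeryKey = keyAlgorithms != null
                && (keyAlgorithms.containsKey(EdECConstants.id_X25519) || keyAlgorithms.containsKey(EdECConstants.id_X448));
        if (hasEdwardsKey || hasMontgomeryKey) {
            Set<KeyUsage> requiredUsages = new HashSet<>();
            Set<KeyUsage> optionalUsages = new HashSet<>();
            if (keyUsage != null) {
                for (Certprofile.KeyUsageControl control : keyUsage) {
                    if (control.isRequired()) {
                        requiredUsages.add(control.getKeyUsage());
                    } else {
                        optionalUsages.add(control.getKeyUsage());
                    }
                }
            }

            List<KeyUsage> permittedUsages;
            if (hasMontgomeryKey) {
                // X25519/X448 keys: end-entity only, key agreement must be required.
                if (certLevel != Certprofile.CertLevel.EndEntity) {
                    msg.append("montgomery curves are not permitted in CA certificates, ");
                }
                if (!requiredUsages.contains(KeyUsage.keyAgreement)) {
                    msg.append("required KeyUsage KeyAgreement is not marked as 'required', ");
                }
                permittedUsages = Arrays.asList(KeyUsage.keyAgreement, KeyUsage.encipherOnly, KeyUsage.decipherOnly);
            } else if (certLevel == Certprofile.CertLevel.EndEntity) {
                if (!requiredUsages.contains(KeyUsage.digitalSignature) && !requiredUsages.contains(KeyUsage.contentCommitment)) {
                    msg.append("required KeyUsage digitalSignature or contentCommitment is not marked as 'required', ");
                }
                permittedUsages = Arrays.asList(KeyUsage.digitalSignature, KeyUsage.contentCommitment);
            } else {
                permittedUsages = Arrays.asList(KeyUsage.digitalSignature, KeyUsage.contentCommitment, KeyUsage.keyCertSign, KeyUsage.cRLSign);
            }

            // Whatever is left after removing the permitted usages is a finding.
            requiredUsages.removeAll(permittedUsages);
            optionalUsages.removeAll(permittedUsages);
            if (!requiredUsages.isEmpty()) {
                msg.append("Required KeyUsage items ").append(requiredUsages).append(" are not permitted, ");
            }
            if (!optionalUsages.isEmpty()) {
                msg.append("Optional KeyUsage items ").append(optionalUsages).append(" are not permitted, ");
            }
        }

        // Every finding ends in ", "; strip the last separator before reporting.
        int length = msg.length();
        if (length > 2) {
            msg.delete(length - 2, length);
            throw new CertprofileException(msg.toString());
        }
    }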

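    /**
     * Appends one finding per violated rule for profiles in the {@code CABForumBR} domain.
     *
     * <p>Covers subject RDN multiplicity, end-entity validity, signature hash algorithms, key
     * algorithms and sizes, the protocols allowed for CRL distribution points, FreshestCRL and
     * AuthorityInfoAccess, certificate policies, subject alternative names, the cRLSign key
     * usage and the extended key usages. Nothing is thrown here; the caller decides what to do
     * with the collected text.
     *
     * @param sb receives the findings, each terminated by ", "
     */
    private void validateCABForumBR(StringBuilder sb) {
        Certprofile.SubjectControl subjectControl = this.certprofile.getSubjectControl();
        if (CollectionUtil.isNotEmpty(subjectControl.getGroups())) {
            sb.append("multiple AttributeAndTypes in one RDN is not permitted, ");
        }
        for (Object type : subjectControl.getTypes()) {
            if (subjectControl.getControl((ASN1ObjectIdentifier) type).getMaxOccurs() > 1) {
                sb.append("multiple RDNs of the same type are not permitted, ");
            }
        }

        Certprofile.CertLevel certLevel = getCertLevel();
        // compareTo only promises a positive value for "greater", so do not test for exactly 1.
        if (certLevel == Certprofile.CertLevel.EndEntity && this.certprofile.getValidity().compareTo(maxCabEeValidity) > 0) {
            sb.append("validity exceeds the maximal validity of subscriber certificate, ");
        }

        List<String> signatureAlgorithms = getSignatureAlgorithms();
        if (signatureAlgorithms == null) {
            sb.append("signature algorithms not defined, ");
        } else {
            List<HashAlgo> permittedHashes = Arrays.asList(HashAlgo.SHA256, HashAlgo.SHA384, HashAlgo.SHA512);
            for (String sigAlgName : signatureAlgorithms) {
                try {
                    HashAlgo hash = HashAlgo.getNonNullInstance(AlgorithmUtil.extractDigesetAlgFromSigAlg(AlgorithmUtil.getSigAlgId(sigAlgName)).getAlgorithm());
                    if (!permittedHashes.contains(hash)) {
                        sb.append("unpermitted hash algorithm ").append(hash).append(", ");
                    }
                } catch (IllegalArgumentException | NoSuchAlgorithmException e) {
                    // An algorithm that cannot be resolved is reported, not silently accepted.
                    sb.append("unknown signature algorithm ").append(sigAlgName).append(", ");
                }
            }
        }

        Map<?, ?> keyAlgorithms = this.certprofile.getKeyAlgorithms();
        if (CollectionUtil.isEmpty(keyAlgorithms)) {
            sb.append("keyAlgorithms is not configured, ");
        } else {
            for (Map.Entry<?, ?> entry : keyAlgorithms.entrySet()) {
                ASN1ObjectIdentifier keyAlg = (ASN1ObjectIdentifier) entry.getKey();
                KeyParametersOption option = (KeyParametersOption) entry.getValue();
                if (keyAlg.equals(PKCSObjectIdentifiers.rsaEncryption)) {
                    if (!(option instanceof KeyParametersOption.RSAParametersOption)) {
                        sb.append("unpermitted RSA modulus are configured, ");
                    } else if (((KeyParametersOption.RSAParametersOption) option).allowsModulusLength(2047)) {
                        // NOTE(review): only the single length 2047 is probed. Whether that also
                        // rules out smaller moduli depends on how RSAParametersOption stores
                        // the permitted lengths; confirm.
                        sb.append("minimum RSA modulus size 2048 bit not satisfied, ");
                    }
                } else if (keyAlg.equals(X9ObjectIdentifiers.id_ecPublicKey)) {
                    if (option instanceof KeyParametersOption.ECParamatersOption) {
                        // Anything left after removing the three accepted curves is a finding.
                        Set<Object> otherCurves = new HashSet<Object>(((KeyParametersOption.ECParamatersOption) option).getCurveOids());
                        otherCurves.remove(SECObjectIdentifiers.secp256r1);
                        otherCurves.remove(SECObjectIdentifiers.secp384r1);
                        otherCurves.remove(SECObjectIdentifiers.secp521r1);
                        if (!otherCurves.isEmpty()) {
                            sb.append("EC curves ").append(otherCurves).append(" are not permitted, ");
                        }
                    } else {
                        sb.append("unpermitted EC curves are configured, ");
                    }
                } else if (keyAlg.equals(X9ObjectIdentifiers.id_dsa)) {
                    if (option instanceof KeyParametersOption.DSAParametersOption) {
                        KeyParametersOption.DSAParametersOption dsaOption = (KeyParametersOption.DSAParametersOption) option;
                        // NOTE(review): as for RSA, only one length below each minimum is probed.
                        if (dsaOption.allowsPlength(2047)) {
                            sb.append("minimum L (2048) not satisfied, ");
                        }
                        if (dsaOption.allowsQlength(223)) {
                            sb.append("minimum N (224) not satisfied, ");
                        }
                    } else {
                        sb.append("unpermitted DSA (p,q) are configured, ");
                    }
                } else {
                    sb.append("keyAlgorithm ").append(keyAlg.getId() + " is not permitted, ");
                }
            }
        }

        // Revocation and issuer pointers must be restricted to exactly the protocol "http".
        Certprofile.CrlDistributionPointsControl crlDpControl = this.certprofile.getCrlDpControl();
        if (crlDpControl == null) {
            sb.append("restriction of CRLDistributionPoints is not configured, ");
        } else if (!allowsOnlyHttp(crlDpControl.getProtocols())) {
            sb.append("CRLDistributionPoints allows protocol other than http, ");
        }

        Certprofile.CrlDistributionPointsControl freshestCrlControl = this.certprofile.getFreshestCrlControl();
        if (freshestCrlControl == null) {
            sb.append("restriction of FreshestCRL is not configured, ");
        } else if (!allowsOnlyHttp(freshestCrlControl.getProtocols())) {
            sb.append("FreshestCRL allows protocol other than http, ");
        }

        Certprofile.AuthorityInfoAccessControl aiaControl = this.certprofile.getAiaControl();
        if (aiaControl == null) {
            sb.append("restriction of AuthorityInfoAccess is not configured, ");
        } else {
            if (!aiaControl.isIncludesOcsp()) {
                sb.append("access method id-ad-ocsp is not configured, ");
            } else if (!allowsOnlyHttp(aiaControl.getOcspProtocols())) {
                sb.append("AIA OCSP allows protocol other than http, ");
            }
            if (!aiaControl.isIncludesCaIssuers()) {
                sb.append("access method id-ad-caIssuers is not configured, ");
            } else if (!allowsOnlyHttp(aiaControl.getCaIssuersProtocols())) {
                sb.append("AIA CAIssuers allows protocol other than http, ");
            }
        }

        if ((certLevel == Certprofile.CertLevel.SubCA || certLevel == Certprofile.CertLevel.EndEntity) && this.certprofile.getCertificatePolicies() == null) {
            sb.append("CertificatePolicies is not configured, ");
        }

        if (certLevel == Certprofile.CertLevel.EndEntity) {
            Set<Certprofile.GeneralNameMode> subjectAltNameModes = this.certprofile.getSubjectAltNameModes();
            if (subjectAltNameModes == null) {
                sb.append("Restriction of SubjectAltNames is not configured, ");
            } else {
                // NOTE(review): this check looks wrong and is kept unchanged on purpose. The
                // set starts as a copy of every configured mode, the loop only re-adds
                // IPAddress modes, so any non-empty configuration is reported, and the text
                // says "not configured". The intended rule (which name types are acceptable)
                // is not visible here; confirm before relying on this finding.
                Set<Certprofile.GeneralNameMode> reported = new HashSet<>(subjectAltNameModes);
                for (Certprofile.GeneralNameMode mode : subjectAltNameModes) {
                    if (mode.getTag() != Certprofile.GeneralNameTag.uniformResourceIdentifier && mode.getTag() == Certprofile.GeneralNameTag.IPAddress) {
                        reported.add(mode);
                    }
                }
                if (!reported.isEmpty()) {
                    sb.append("SubjectAltNames ").append(reported).append(" is not configured, ");
                }
            }
        }

        Set<Certprofile.KeyUsageControl> keyUsage = getKeyUsage();
        if (certLevel == Certprofile.CertLevel.RootCA || certLevel == Certprofile.CertLevel.SubCA) {
            if (!containsKeyusage(keyUsage, KeyUsage.cRLSign)) {
                sb.append("CA profile does not contain keyUsage ").append(KeyUsage.cRLSign).append(", ");
            }
        } else if (certLevel == Certprofile.CertLevel.EndEntity && containsKeyusage(keyUsage, KeyUsage.cRLSign)) {
            sb.append("EndEntity profile must not contain keyUsage ").append(KeyUsage.cRLSign).append(", ");
        }

        Set<Certprofile.ExtKeyUsageControl> extendedKeyUsages = getExtendedKeyUsages();
        if (certLevel != Certprofile.CertLevel.EndEntity) {
            // CA profiles: only anyExtendedKeyUsage is rejected, and the finding names that OID.
            if (extendedKeyUsages != null) {
                for (Certprofile.ExtKeyUsageControl control : extendedKeyUsages) {
                    if (control.getExtKeyUsage().equals(ObjectIdentifiers.XKU.id_kp_anyExtendedKeyUsage)) {
                        sb.append(ObjectIdentifiers.XKU.id_kp_anyExtendedKeyUsage).append(" is not allowed, ");
                    }
                }
            }
            return;
        }

        // End-entity profiles: a missing EKU configuration is reported below, not dereferenced.
        if (extendedKeyUsages == null) {
            extendedKeyUsages = Collections.emptySet();
        }
        boolean serverAuthRequired = false;
        boolean clientAuthRequired = false;
        for (Certprofile.ExtKeyUsageControl control : extendedKeyUsages) {
            ASN1ObjectIdentifier usage = control.getExtKeyUsage();
            boolean isServerAuth = ObjectIdentifiers.XKU.id_kp_serverAuth.equals(usage);
            boolean isClientAuth = ObjectIdentifiers.XKU.id_kp_clientAuth.equals(usage);
            if (control.isRequired()) {
                if (isServerAuth) {
                    serverAuthRequired = true;
                } else if (isClientAuth) {
                    clientAuthRequired = true;
                }
            }
            if (!isServerAuth && !isClientAuth && !ObjectIdentifiers.XKU.id_kp_emailProtection.equals(usage)) {
                sb.append("extendedKeyUsage ").append(usage.getId() + " is not permitted, ");
            }
        }
        if (!clientAuthRequired && !serverAuthRequired) {
            sb.append("none of ").append(ObjectIdentifiers.XKU.id_kp_clientAuth).append(" and ").append(ObjectIdentifiers.XKU.id_kp_serverAuth).append(" is configured, ");
        }
    }

    /** Returns true only when {@code protocols} holds exactly one entry and that entry is "http". */
    private static boolean allowsOnlyHttp(Set<?> protocols) {
        return protocols != null && protocols.size() == 1 && protocols.contains("http");
    }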

    /**
     * Tells whether the name carries at least one RDN of the given attribute type.
     *
     * @param x500Name the name to inspect
     * @param aSN1ObjectIdentifier the attribute type to look for
     * @return true if {@code getRDNs} returns a non-null, non-empty array
     */
    private static boolean containsRdn(X500Name x500Name, ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        RDN[] matches = x500Name.getRDNs(aSN1ObjectIdentifier);
        if (matches == null) {
            return false;
        }
        return matches.length != 0;
    }

    /**
     * Renders a set of OIDs as {@code [a, b, ...]} for use in messages.
     *
     * <p>An OID for which {@code ObjectIdentifiers.getName} returns a name is written as
     * {@code name (dotted-id)}, any other as the dotted id alone.
     *
     * @param set the OIDs to render, may be null
     * @return the literal text "null" for a null set, otherwise the bracketed list
     */
    private static String toString(Set<ASN1ObjectIdentifier> set) {
        if (set == null) {
            return "null";
        }
        StringBuilder text = new StringBuilder("[");
        boolean first = true;
        for (ASN1ObjectIdentifier oid : set) {
            if (!first) {
                text.append(", ");
            }
            first = false;
            String knownName = ObjectIdentifiers.getName(oid);
            if (knownName == null) {
                text.append(oid.getId());
            } else {
                text.append(knownName).append(" (").append(oid.getId()).append(")");
            }
        }
        return text.append("]").toString();
    }

    /**
     * Tells whether any control in the set refers to the given key usage.
     *
     * @param set the key usage controls to search; must not be null
     * @param keyUsage the usage to look for, compared by identity
     * @return true as soon as a control with that usage is found
     */
    private static boolean containsKeyusage(Set<Certprofile.KeyUsageControl> set, KeyUsage keyUsage) {
        for (Certprofile.KeyUsageControl control : set) {
            if (control.getKeyUsage() == keyUsage) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decides whether an extension type is to be added.
     *
     * @param aSN1ObjectIdentifier the extension type
     * @param extensionControl the profile's control for that type
     * @param set first set consulted for the type
     * @param set2 second set consulted for the type
     * @return true if the control is marked required or either set contains the type
     */
    private static boolean addMe(ASN1ObjectIdentifier aSN1ObjectIdentifier, Certprofile.ExtensionControl extensionControl, Set<ASN1ObjectIdentifier> set, Set<ASN1ObjectIdentifier> set2) {
        if (extensionControl.isRequired()) {
            return true;
        }
        if (set.contains(aSN1ObjectIdentifier)) {
            return true;
        }
        return set2.contains(aSN1ObjectIdentifier);
    }

    /**
     * Adds the key usages that were asked for in the request and that the profile offers as
     * optional.
     *
     * <p>Only usages listed in {@code set2} can be added, so a request cannot introduce a usage
     * the profile does not know. Controls marked required are skipped here.
     *
     * @param set receives the accepted usages
     * @param map the requested extensions, keyed by OID; nothing happens without a keyUsage entry
     * @param set2 the profile's key usage controls
     */
    private static void addRequestedKeyusage(Set<KeyUsage> set, Map<ASN1ObjectIdentifier, Extension> map, Set<Certprofile.KeyUsageControl> set2) {
        Extension requested = map.get(Extension.keyUsage);
        if (requested != null) {
            org.bouncycastle.asn1.x509.KeyUsage requestedBits = org.bouncycastle.asn1.x509.KeyUsage.getInstance(requested.getParsedValue());
            for (Certprofile.KeyUsageControl control : set2) {
                if (control.isRequired()) {
                    continue;
                }
                if (requestedBits.hasUsages(control.getKeyUsage().getBcUsage())) {
                    set.add(control.getKeyUsage());
                }
            }
        }
    }

    /**
     * Adds the extended key usages that were asked for in the request and that the profile
     * offers as optional.
     *
     * <p>Only purposes listed in {@code set} can be added, so a request cannot introduce a
     * purpose the profile does not know. Controls marked required are skipped here.
     *
     * @param list receives the accepted purpose OIDs
     * @param map the requested extensions, keyed by OID; nothing happens without an
     *     extendedKeyUsage entry
     * @param set the profile's extended key usage controls
     */
    private static void addRequestedExtKeyusage(List<ASN1ObjectIdentifier> list, Map<ASN1ObjectIdentifier, Extension> map, Set<Certprofile.ExtKeyUsageControl> set) {
        Extension requested = map.get(Extension.extendedKeyUsage);
        if (requested != null) {
            ExtendedKeyUsage requestedPurposes = ExtendedKeyUsage.getInstance(requested.getParsedValue());
            for (Certprofile.ExtKeyUsageControl control : set) {
                if (control.isRequired()) {
                    continue;
                }
                if (requestedPurposes.hasKeyPurposeId(KeyPurposeId.getInstance(control.getExtKeyUsage()))) {
                    list.add(control.getExtKeyUsage());
                }
            }
        }
    }

    /**
     * Builds the SubjectInfoAccess value from the requested extension, accepting only access
     * methods the profile lists.
     *
     * <p>Each requested access location is passed through
     * {@code BaseCertprofile.createGeneralName} together with the modes configured for its
     * access method.
     *
     * @param map the requested extensions, keyed by OID
     * @param map2 the name modes per access method; null disables the extension
     * @return the new sequence, or null when {@code map2} is null, the request carries no
     *     subjectInfoAccess value, or the requested sequence is empty
     * @throws BadCertTemplateException if a requested access method has no entry in {@code map2}
     */
    private static ASN1Sequence createSubjectInfoAccess(Map<ASN1ObjectIdentifier, Extension> map, Map<ASN1ObjectIdentifier, Set<Certprofile.GeneralNameMode>> map2) throws BadCertTemplateException {
        if (map2 == null) {
            return null;
        }
        Extension requested = map.get(Extension.subjectInfoAccess);
        if (requested == null) {
            return null;
        }
        ASN1Encodable requestedValue = requested.getParsedValue();
        if (requestedValue == null) {
            return null;
        }

        ASN1Sequence requestedSeq = ASN1Sequence.getInstance(requestedValue);
        int count = requestedSeq.size();
        ASN1EncodableVector accepted = new ASN1EncodableVector();
        int index = 0;
        while (index < count) {
            AccessDescription description = AccessDescription.getInstance(requestedSeq.getObjectAt(index));
            ASN1ObjectIdentifier method = description.getAccessMethod();
            Set<Certprofile.GeneralNameMode> modes = map2.get(method);
            if (modes == null) {
                // Access methods the profile does not list are refused, not dropped silently.
                throw new BadCertTemplateException("subjectInfoAccess.accessMethod " + method.getId() + " is not allowed");
            }
            GeneralName location = BaseCertprofile.createGeneralName(description.getAccessLocation(), modes);
            accepted.add(new AccessDescription(method, location));
            index++;
        }
        return accepted.size() > 0 ? new DERSequence(accepted) : null;
    }

    /**
     * Adds a ready-made extension value, or fails when a required extension has no value.
     *
     * <p>When a value is present it is added and the type is removed from both sets. A missing
     * value is ignored unless the control marks the extension as required.
     *
     * @param extensionValues receives the extension
     * @param aSN1ObjectIdentifier the extension type
     * @param extensionValue the value to add, may be null
     * @param extensionControl the profile's control for the type
     * @param set first set from which the type is removed once added
     * @param set2 second set from which the type is removed once added
     * @throws CertprofileException if the value is null and the extension is required
     */
    private static void addExtension(ExtensionValues extensionValues, ASN1ObjectIdentifier aSN1ObjectIdentifier, ExtensionValue extensionValue, Certprofile.ExtensionControl extensionControl, Set<ASN1ObjectIdentifier> set, Set<ASN1ObjectIdentifier> set2) throws CertprofileException {
        if (extensionValue == null) {
            if (!extensionControl.isRequired()) {
                return;
            }
            // Prefer the readable name in the message, fall back to the dotted OID.
            String label = ObjectIdentifiers.getName(aSN1ObjectIdentifier);
            if (label == null) {
                label = aSN1ObjectIdentifier.getId();
            }
            throw new CertprofileException("could not add required extension " + label);
        }
        extensionValues.addExtension(aSN1ObjectIdentifier, extensionValue);
        set.remove(aSN1ObjectIdentifier);
        set2.remove(aSN1ObjectIdentifier);
    }

    /**
     * Adds an extension from its ASN.1 value, or fails when a required extension has no value.
     *
     * <p>When a value is present it is added with the criticality taken from the control and
     * the type is removed from both sets. A missing value is ignored unless the control marks
     * the extension as required.
     *
     * @param extensionValues receives the extension
     * @param aSN1ObjectIdentifier the extension type
     * @param aSN1Encodable the ASN.1 value to add, may be null
     * @param extensionControl the profile's control for the type; supplies the critical flag
     * @param set first set from which the type is removed once added
     * @param set2 second set from which the type is removed once added
     * @throws CertprofileException if the value is null and the extension is required
     */
    private static void addExtension(ExtensionValues extensionValues, ASN1ObjectIdentifier aSN1ObjectIdentifier, ASN1Encodable aSN1Encodable, Certprofile.ExtensionControl extensionControl, Set<ASN1ObjectIdentifier> set, Set<ASN1ObjectIdentifier> set2) throws CertprofileException {
        if (aSN1Encodable == null) {
            if (!extensionControl.isRequired()) {
                return;
            }
            // Prefer the readable name in the message, fall back to the dotted OID.
            String label = ObjectIdentifiers.getName(aSN1ObjectIdentifier);
            if (label == null) {
                label = aSN1ObjectIdentifier.getId();
            }
            throw new CertprofileException("could not add required extension " + label);
        }
        boolean critical = extensionControl.isCritical();
        extensionValues.addExtension(aSN1ObjectIdentifier, critical, aSN1Encodable);
        set.remove(aSN1ObjectIdentifier);
        set2.remove(aSN1ObjectIdentifier);
    }
}
