package org.cesecore.certificates.ca;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameStyle;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.CRLNumber;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.ReasonFlags;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertException;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.CMSSignedGenerator;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.operator.BufferingContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.encoders.Hex;
import org.cesecore.certificates.ca.catoken.CAToken;
import org.cesecore.certificates.ca.catoken.CATokenConstants;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAService;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAServiceInfo;
import org.cesecore.certificates.ca.internal.CertificateValidity;
import org.cesecore.certificates.ca.internal.SernoGeneratorRandom;
import org.cesecore.certificates.certificate.CertificateCreateException;
import org.cesecore.certificates.certificate.certextensions.CertificateExtension;
import org.cesecore.certificates.certificate.certextensions.CertificateExtensionException;
import org.cesecore.certificates.certificate.certextensions.CertificateExtensionFactory;
import org.cesecore.certificates.certificate.request.RequestMessage;
import org.cesecore.certificates.certificateprofile.CertificatePolicy;
import org.cesecore.certificates.certificateprofile.CertificateProfile;
import org.cesecore.certificates.certificatetransparency.CTLogException;
import org.cesecore.certificates.certificatetransparency.CertificateTransparency;
import org.cesecore.certificates.certificatetransparency.CertificateTransparencyFactory;
import org.cesecore.certificates.crl.RevokedCertInfo;
import org.cesecore.certificates.endentity.EndEntityInformation;
import org.cesecore.certificates.endentity.EndEntityType;
import org.cesecore.certificates.endentity.EndEntityTypes;
import org.cesecore.certificates.endentity.ExtendedInformation;
import org.cesecore.certificates.util.AlgorithmConstants;
import org.cesecore.certificates.util.dn.DNFieldsUtil;
import org.cesecore.config.CesecoreConfiguration;
import org.cesecore.internal.InternalResources;
import org.cesecore.internal.UpgradeableDataHashMap;
import org.cesecore.keys.token.CryptoToken;
import org.cesecore.keys.token.CryptoTokenOfflineException;
import org.cesecore.keys.token.IllegalCryptoTokenException;
import org.cesecore.keys.token.NullCryptoToken;
import org.cesecore.keys.util.KeyTools;
import org.cesecore.util.CeSecoreNameStyle;
import org.cesecore.util.CertTools;
import org.cesecore.util.PrintableStringNameStyle;
import org.cesecore.util.SimpleTime;
import org.cesecore.util.StringTools;

/* loaded from: input_file:org/cesecore/certificates/ca/X509CA.class */
public class X509CA extends CA implements Serializable {
    private static final long serialVersionUID = -2882572653108530258L;
    // Data-format version written under UpgradeableDataHashMap.VERSION by the X509CAInfo constructor.
    public static final float LATEST_VERSION = 19.0f;
    // Keys into the inherited `data` map; each has a getter/setter pair below unless noted.
    protected static final String POLICIES = "policies";
    protected static final String SUBJECTALTNAME = "subjectaltname"; // getter only; written by the constructors and updateUninitializedCA
    protected static final String USEAUTHORITYKEYIDENTIFIER = "useauthoritykeyidentifier";
    protected static final String AUTHORITYKEYIDENTIFIERCRITICAL = "authoritykeyidentifiercritical";
    protected static final String AUTHORITY_INFORMATION_ACCESS = "authorityinformationaccess";
    protected static final String USECRLNUMBER = "usecrlnumber";
    protected static final String CRLNUMBERCRITICAL = "crlnumbercritical";
    protected static final String DEFAULTCRLDISTPOINT = "defaultcrldistpoint";
    protected static final String DEFAULTCRLISSUER = "defaultcrlissuer";
    protected static final String DEFAULTOCSPSERVICELOCATOR = "defaultocspservicelocator";
    protected static final String CADEFINEDFRESHESTCRL = "cadefinedfreshestcrl";
    protected static final String USEUTF8POLICYTEXT = "useutf8policytext";
    protected static final String USEPRINTABLESTRINGSUBJECTDN = "useprintablestringsubjectdn";
    protected static final String USELDAPDNORDER = "useldapdnorder";
    protected static final String USECRLDISTRIBUTIONPOINTONCRL = "usecrldistributionpointoncrl";
    protected static final String CRLDISTRIBUTIONPOINTONCRLCRITICAL = "crldistributionpointoncrlcritical";
    // The CMP RA authentication secret is stored under this key as a plain String in the CA data.
    // Treat it as a credential: keep it out of log output and of any dump of the data map.
    protected static final String CMPRAAUTHSECRET = "cmpraauthsecret";
    protected static final String NAMECONSTRAINTSPERMITTED = "nameconstraintspermitted";
    protected static final String NAMECONSTRAINTSEXCLUDED = "nameconstraintsexcluded";
    protected static final String EXTERNALCDP = "externalcdp";
    private static final Logger log = Logger.getLogger(X509CA.class);
    private static final InternalResources intres = InternalResources.getInstance();
    // Certificate Transparency support, resolved once per class load; not used by the methods visible here.
    private static final CertificateTransparency ct = CertificateTransparencyFactory.getInstance();

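    /**
     * Creates a new X.509 CA from an info object, copying every X.509-specific setting into the CA data map.
     * <p>
     * A CA must be identifiable by at least one name: the subject DN (after empty components are removed)
     * and the subject alternative name may not both be blank.
     *
     * @param x509CAInfo the settings to initialise this CA with
     * @throws IllegalArgumentException if both the subject DN and the subject alternative name are blank
     */
    public X509CA(X509CAInfo x509CAInfo) {
        super(x509CAInfo);
        if (StringUtils.isEmpty(DNFieldsUtil.removeAllEmpties(x509CAInfo.getSubjectDN())) && StringUtils.isEmpty(x509CAInfo.getSubjectAltName())) {
            throw new IllegalArgumentException("Subject DN and Alt Name can't both be blank for an X509 CA.");
        }
        this.data.put(POLICIES, x509CAInfo.getPolicies());
        this.data.put(SUBJECTALTNAME, x509CAInfo.getSubjectAltName());
        setUseAuthorityKeyIdentifier(x509CAInfo.getUseAuthorityKeyIdentifier());
        setAuthorityKeyIdentifierCritical(x509CAInfo.getAuthorityKeyIdentifierCritical());
        setUseCRLNumber(x509CAInfo.getUseCRLNumber());
        setCRLNumberCritical(x509CAInfo.getCRLNumberCritical());
        setDefaultCRLDistPoint(x509CAInfo.getDefaultCRLDistPoint());
        setDefaultCRLIssuer(x509CAInfo.getDefaultCRLIssuer());
        setCADefinedFreshestCRL(x509CAInfo.getCADefinedFreshestCRL());
        setDefaultOCSPServiceLocator(x509CAInfo.getDefaultOCSPServiceLocator());
        setUseUTF8PolicyText(x509CAInfo.getUseUTF8PolicyText());
        setUsePrintableStringSubjectDN(x509CAInfo.getUsePrintableStringSubjectDN());
        setUseLdapDNOrder(x509CAInfo.getUseLdapDnOrder());
        setUseCrlDistributionPointOnCrl(x509CAInfo.getUseCrlDistributionPointOnCrl());
        setCrlDistributionPointOnCrlCritical(x509CAInfo.getCrlDistributionPointOnCrlCritical());
        // Stored as given (possibly null); the getter substitutes "" for a missing value.
        setCmpRaAuthSecret(x509CAInfo.getCmpRaAuthSecret());
        setAuthorityInformationAccess(x509CAInfo.getAuthorityInformationAccess());
        setNameConstraintsPermitted(x509CAInfo.getNameConstraintsPermitted());
        setNameConstraintsExcluded(x509CAInfo.getNameConstraintsExcluded());
        // NOTE(review): 1 is presumably the X.509 CA type constant — confirm against CAInfo.
        this.data.put(CA.CATYPE, 1);
        // Record the data-format version. Uses the named constant instead of a repeated literal and
        // Float.valueOf instead of the deprecated Float constructor; the stored value is the same.
        this.data.put(UpgradeableDataHashMap.VERSION, Float.valueOf(LATEST_VERSION));
    }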

    /**
     * Re-creates an X.509 CA from its persisted data map and rebuilds the matching {@link X509CAInfo}.
     * <p>
     * Extended CA services are collected from the stored service types, skipping type 1 and any type
     * for which no service info is available, and handed to the rebuilt info object.
     *
     * @param hashMap the persisted CA data
     * @param i       the CA id to assign
     * @param str     the CA name
     * @param str2    the subject DN
     * @param i2      the CA status
     * @param date    the update time
     * @param date2   the expire time
     */
    public X509CA(HashMap<Object, Object> hashMap, int i, String str, String str2, int i2, Date date, Date date2) {
        super(hashMap);
        setExpireTime(date2);
        final ArrayList<ExtendedCAServiceInfo> externalServices = new ArrayList<ExtendedCAServiceInfo>();
        for (final Integer serviceType : getExternalCAServiceTypes()) {
            if (serviceType.intValue() == 1) {
                continue;
            }
            final ExtendedCAServiceInfo serviceInfo = getExtendedCAServiceInfo(serviceType.intValue());
            if (serviceInfo != null) {
                externalServices.add(serviceInfo);
            }
        }
        final X509CAInfo rebuiltInfo = new X509CAInfo(str, str2, i2, date, getSubjectAltName(), getCertificateProfileId(), getValidity(), getExpireTime(), getCAType(), getSignedBy(), getCertificateChain(), getCAToken(), getDescription(), getRevocationReason(), getRevocationDate(), getPolicies(), getCRLPeriod(), getCRLIssueInterval(), getCRLOverlapTime(), getDeltaCRLPeriod(), getCRLPublishers(), getUseAuthorityKeyIdentifier(), getAuthorityKeyIdentifierCritical(), getUseCRLNumber(), getCRLNumberCritical(), getDefaultCRLDistPoint(), getDefaultCRLIssuer(), getDefaultOCSPServiceLocator(), getAuthorityInformationAccess(), getNameConstraintsPermitted(), getNameConstraintsExcluded(), getCADefinedFreshestCRL(), getFinishUser(), externalServices, getUseUTF8PolicyText(), getApprovalSettings(), getNumOfRequiredApprovals(), getUsePrintableStringSubjectDN(), getUseLdapDNOrder(), getUseCrlDistributionPointOnCrl(), getCrlDistributionPointOnCrlCritical(), getIncludeInHealthCheck(), isDoEnforceUniquePublicKeys(), isDoEnforceUniqueDistinguishedName(), isDoEnforceUniqueSubjectDNSerialnumber(), isUseCertReqHistory(), isUseUserStorage(), isUseCertificateStorage(), getCmpRaAuthSecret());
        rebuiltInfo.setExternalCdp(getExternalCdp());
        super.setCAInfo(rebuiltInfo);
        setCAId(i);
    }

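    /**
     * Returns the certificate policies configured for this CA.
     *
     * @return the list stored under the POLICIES key, or {@code null} if none has been stored
     */
    @SuppressWarnings("unchecked") // the data map is untyped; the value is written as List<CertificatePolicy> by setPolicies
    public List<CertificatePolicy> getPolicies() {
        return (List<CertificatePolicy>) this.data.get(POLICIES);
    }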

    /**
     * Stores the certificate policies for this CA under the POLICIES key.
     *
     * @param list the policies to store; stored as given, including {@code null}
     */
    public void setPolicies(List<CertificatePolicy> list) {
        this.data.put(X509CA.POLICIES, list);
    }

    /**
     * Returns the subject alternative name of this CA.
     *
     * @return the value stored under the SUBJECTALTNAME key, or {@code null} if none has been stored
     */
    public String getSubjectAltName() {
        final Object stored = this.data.get(X509CA.SUBJECTALTNAME);
        return (String) stored;
    }

    /**
     * Whether issued certificates get an AuthorityKeyIdentifier extension.
     *
     * @return the stored flag; a missing key raises {@link NullPointerException} on unboxing
     */
    public boolean getUseAuthorityKeyIdentifier() {
        final Boolean flag = (Boolean) this.data.get(X509CA.USEAUTHORITYKEYIDENTIFIER);
        return flag;
    }

    /**
     * Sets whether issued certificates get an AuthorityKeyIdentifier extension.
     *
     * @param z the flag to store
     */
    public void setUseAuthorityKeyIdentifier(boolean z) {
        final Boolean boxed = z; // autoboxing goes through Boolean.valueOf
        this.data.put(X509CA.USEAUTHORITYKEYIDENTIFIER, boxed);
    }

    /**
     * Whether the AuthorityKeyIdentifier extension is marked critical.
     *
     * @return the stored flag; a missing key raises {@link NullPointerException} on unboxing
     */
    public boolean getAuthorityKeyIdentifierCritical() {
        final Boolean flag = (Boolean) this.data.get(X509CA.AUTHORITYKEYIDENTIFIERCRITICAL);
        return flag;
    }

    /**
     * Sets whether the AuthorityKeyIdentifier extension is marked critical.
     *
     * @param z the flag to store
     */
    public void setAuthorityKeyIdentifierCritical(boolean z) {
        final Boolean boxed = z; // autoboxing goes through Boolean.valueOf
        this.data.put(X509CA.AUTHORITYKEYIDENTIFIERCRITICAL, boxed);
    }

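    /**
     * Returns the Authority Information Access entries configured for this CA.
     *
     * @return the list stored under the AUTHORITY_INFORMATION_ACCESS key, or {@code null} if none has been stored
     */
    @SuppressWarnings("unchecked") // the data map is untyped; setAuthorityInformationAccess stores a Collection<String> that is a List
    public List<String> getAuthorityInformationAccess() {
        return (List<String>) this.data.get(AUTHORITY_INFORMATION_ACCESS);
    }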

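    /**
     * Stores the Authority Information Access entries for this CA.
     * <p>
     * The getter casts the stored value to {@code List}, so a collection that is not a List is copied
     * into an ArrayList here instead of failing with a ClassCastException on the next read. Lists and
     * {@code null} are stored as given.
     *
     * @param collection the entries to store, or {@code null}
     */
    public void setAuthorityInformationAccess(Collection<String> collection) {
        final Collection<String> toStore;
        if (collection == null || collection instanceof List) {
            toStore = collection;
        } else {
            toStore = new ArrayList<String>(collection);
        }
        this.data.put(AUTHORITY_INFORMATION_ACCESS, toStore);
    }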

    /**
     * Whether issued CRLs carry a CRLNumber extension.
     *
     * @return the stored flag; a missing key raises {@link NullPointerException} on unboxing
     */
    public boolean getUseCRLNumber() {
        final Boolean flag = (Boolean) this.data.get(X509CA.USECRLNUMBER);
        return flag;
    }

    /**
     * Sets whether issued CRLs carry a CRLNumber extension.
     *
     * @param z the flag to store
     */
    public void setUseCRLNumber(boolean z) {
        final Boolean boxed = z; // autoboxing goes through Boolean.valueOf
        this.data.put(X509CA.USECRLNUMBER, boxed);
    }

    /**
     * Whether the CRLNumber extension is marked critical.
     *
     * @return the stored flag; a missing key raises {@link NullPointerException} on unboxing
     */
    public boolean getCRLNumberCritical() {
        final Boolean flag = (Boolean) this.data.get(X509CA.CRLNUMBERCRITICAL);
        return flag;
    }

    /**
     * Sets whether the CRLNumber extension is marked critical.
     *
     * @param z the flag to store
     */
    public void setCRLNumberCritical(boolean z) {
        final Boolean boxed = z; // autoboxing goes through Boolean.valueOf
        this.data.put(X509CA.CRLNUMBERCRITICAL, boxed);
    }

    /**
     * Returns the default CRL distribution point URI.
     *
     * @return the value stored under the DEFAULTCRLDISTPOINT key, or {@code null} if none has been stored
     */
    public String getDefaultCRLDistPoint() {
        final Object stored = this.data.get(X509CA.DEFAULTCRLDISTPOINT);
        return (String) stored;
    }

    /**
     * Stores the default CRL distribution point URI; {@code null} is stored as the empty string.
     *
     * @param str the URI to store, or {@code null}
     */
    public void setDefaultCRLDistPoint(String str) {
        this.data.put(X509CA.DEFAULTCRLDISTPOINT, StringUtils.defaultString(str));
    }

    /**
     * Returns the default CRL issuer.
     *
     * @return the value stored under the DEFAULTCRLISSUER key, or {@code null} if none has been stored
     */
    public String getDefaultCRLIssuer() {
        final Object stored = this.data.get(X509CA.DEFAULTCRLISSUER);
        return (String) stored;
    }

    /**
     * Stores the default CRL issuer; {@code null} is stored as the empty string.
     *
     * @param str the issuer to store, or {@code null}
     */
    public void setDefaultCRLIssuer(String str) {
        this.data.put(X509CA.DEFAULTCRLISSUER, StringUtils.defaultString(str));
    }

    /**
     * Returns the CA-defined Freshest CRL (delta CRL distribution point) value.
     *
     * @return the value stored under the CADEFINEDFRESHESTCRL key, or {@code null} if none has been stored
     */
    public String getCADefinedFreshestCRL() {
        final Object stored = this.data.get(X509CA.CADEFINEDFRESHESTCRL);
        return (String) stored;
    }

    /**
     * Stores the CA-defined Freshest CRL value; {@code null} is stored as the empty string.
     *
     * @param str the value to store, or {@code null}
     */
    public void setCADefinedFreshestCRL(String str) {
        this.data.put(X509CA.CADEFINEDFRESHESTCRL, StringUtils.defaultString(str));
    }

    /**
     * Returns the default OCSP service locator URI.
     *
     * @return the value stored under the DEFAULTOCSPSERVICELOCATOR key, or {@code null} if none has been stored
     */
    public String getDefaultOCSPServiceLocator() {
        final Object stored = this.data.get(X509CA.DEFAULTOCSPSERVICELOCATOR);
        return (String) stored;
    }

    /**
     * Stores the default OCSP service locator URI; {@code null} is stored as the empty string.
     *
     * @param str the URI to store, or {@code null}
     */
    public void setDefaultOCSPServiceLocator(String str) {
        this.data.put(X509CA.DEFAULTOCSPSERVICELOCATOR, StringUtils.defaultString(str));
    }

    /**
     * Whether certificate policy text is encoded as UTF-8.
     *
     * @return the stored flag; a missing key raises {@link NullPointerException} on unboxing
     */
    public boolean getUseUTF8PolicyText() {
        final Boolean flag = (Boolean) this.data.get(X509CA.USEUTF8POLICYTEXT);
        return flag;
    }

    /**
     * Sets whether certificate policy text is encoded as UTF-8.
     *
     * @param z the flag to store
     */
    public void setUseUTF8PolicyText(boolean z) {
        final Boolean boxed = z; // autoboxing goes through Boolean.valueOf
        this.data.put(X509CA.USEUTF8POLICYTEXT, boxed);
    }

    /**
     * Whether subject DNs are encoded with PrintableString (selects PrintableStringNameStyle over CeSecoreNameStyle).
     *
     * @return the stored flag; a missing key raises {@link NullPointerException} on unboxing
     */
    public boolean getUsePrintableStringSubjectDN() {
        final Boolean flag = (Boolean) this.data.get(X509CA.USEPRINTABLESTRINGSUBJECTDN);
        return flag;
    }

    /**
     * Sets whether subject DNs are encoded with PrintableString.
     *
     * @param z the flag to store
     */
    public void setUsePrintableStringSubjectDN(boolean z) {
        final Boolean boxed = z; // autoboxing goes through Boolean.valueOf
        this.data.put(X509CA.USEPRINTABLESTRINGSUBJECTDN, boxed);
    }

    /**
     * Whether DN components are ordered LDAP-style when building X500Names.
     *
     * @return the stored flag; a missing key raises {@link NullPointerException} on unboxing
     */
    public boolean getUseLdapDNOrder() {
        final Boolean flag = (Boolean) this.data.get(X509CA.USELDAPDNORDER);
        return flag;
    }

    /**
     * Sets whether DN components are ordered LDAP-style.
     *
     * @param z the flag to store
     */
    public void setUseLdapDNOrder(boolean z) {
        final Boolean boxed = z; // autoboxing goes through Boolean.valueOf
        this.data.put(X509CA.USELDAPDNORDER, boxed);
    }

    /**
     * Whether issued CRLs carry an IssuingDistributionPoint extension.
     *
     * @return the stored flag; a missing key raises {@link NullPointerException} on unboxing
     */
    public boolean getUseCrlDistributionPointOnCrl() {
        final Boolean flag = (Boolean) this.data.get(X509CA.USECRLDISTRIBUTIONPOINTONCRL);
        return flag;
    }

    /**
     * Sets whether issued CRLs carry an IssuingDistributionPoint extension.
     *
     * @param z the flag to store
     */
    public void setUseCrlDistributionPointOnCrl(boolean z) {
        final Boolean boxed = z; // autoboxing goes through Boolean.valueOf
        this.data.put(X509CA.USECRLDISTRIBUTIONPOINTONCRL, boxed);
    }

    /**
     * Whether the CRL's distribution point extension is marked critical.
     *
     * @return the stored flag; a missing key raises {@link NullPointerException} on unboxing
     */
    public boolean getCrlDistributionPointOnCrlCritical() {
        final Boolean flag = (Boolean) this.data.get(X509CA.CRLDISTRIBUTIONPOINTONCRLCRITICAL);
        return flag;
    }

    /**
     * Sets whether the CRL's distribution point extension is marked critical.
     *
     * @param z the flag to store
     */
    public void setCrlDistributionPointOnCrlCritical(boolean z) {
        final Boolean boxed = z; // autoboxing goes through Boolean.valueOf
        this.data.put(X509CA.CRLDISTRIBUTIONPOINTONCRLCRITICAL, boxed);
    }

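    /**
     * Returns the permitted subtrees of this CA's name constraints.
     *
     * @return the list stored under the NAMECONSTRAINTSPERMITTED key, or {@code null} if none has been stored
     */
    @SuppressWarnings("unchecked") // the data map is untyped; the value is written as List<String> by setNameConstraintsPermitted
    public List<String> getNameConstraintsPermitted() {
        return (List<String>) this.data.get(NAMECONSTRAINTSPERMITTED);
    }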

    /**
     * Stores the permitted subtrees of this CA's name constraints.
     *
     * @param list the subtrees to store; stored as given, including {@code null}
     */
    public void setNameConstraintsPermitted(List<String> list) {
        this.data.put(X509CA.NAMECONSTRAINTSPERMITTED, list);
    }

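    /**
     * Returns the excluded subtrees of this CA's name constraints.
     *
     * @return the list stored under the NAMECONSTRAINTSEXCLUDED key, or {@code null} if none has been stored
     */
    @SuppressWarnings("unchecked") // the data map is untyped; the value is written as List<String> by setNameConstraintsExcluded
    public List<String> getNameConstraintsExcluded() {
        return (List<String>) this.data.get(NAMECONSTRAINTSEXCLUDED);
    }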

    /**
     * Stores the excluded subtrees of this CA's name constraints.
     *
     * @param list the subtrees to store; stored as given, including {@code null}
     */
    public void setNameConstraintsExcluded(List<String> list) {
        this.data.put(X509CA.NAMECONSTRAINTSEXCLUDED, list);
    }

    /**
     * Returns the CMP RA authentication secret, or the empty string when none is stored.
     * <p>
     * The value lives as a plain String in the CA data map; it is a credential and must not be logged.
     *
     * @return the stored secret, never {@code null}
     */
    public String getCmpRaAuthSecret() {
        final Object stored = getMapValueWithDefault(X509CA.CMPRAAUTHSECRET, "");
        return (String) stored;
    }

    /**
     * Stores the CMP RA authentication secret as given (a {@code null} is stored as-is; the getter maps it to "").
     *
     * @param str the secret to store
     */
    public void setCmpRaAuthSecret(String str) {
        this.data.put(X509CA.CMPRAAUTHSECRET, str);
    }

    /**
     * Returns the external CRL distribution point, or the empty string when none is stored.
     *
     * @return the stored value, never {@code null}
     */
    public String getExternalCdp() {
        final Object stored = getMapValueWithDefault(X509CA.EXTERNALCDP, "");
        return (String) stored;
    }

    /**
     * Stores the external CRL distribution point as given (a {@code null} is stored as-is; the getter maps it to "").
     *
     * @param str the value to store
     */
    public void setExternalCdp(String str) {
        this.data.put(X509CA.EXTERNALCDP, str);
    }

    /**
     * Looks up a key in the CA data map, substituting a default when the stored value is {@code null}
     * (which includes the key being absent).
     *
     * @param str the map key
     * @param obj the value to return when nothing non-null is stored
     * @return the stored value, or {@code obj}
     */
    private Object getMapValueWithDefault(String str, Object obj) {
        final Object stored = this.data.get(str);
        if (stored != null) {
            return stored;
        }
        return obj;
    }

    /**
     * Applies updated settings from an info object to this CA: the common settings via the superclass,
     * then every X.509-specific setting, in the same order as the constructor.
     *
     * @param cryptoToken the CA's crypto token, passed through to the superclass
     * @param cAInfo      the new settings; must be an {@link X509CAInfo}
     * @throws InvalidAlgorithmException propagated from the superclass update
     * @throws ClassCastException if {@code cAInfo} is not an {@link X509CAInfo}
     */
    @Override // org.cesecore.certificates.ca.CA
    public void updateCA(CryptoToken cryptoToken, CAInfo cAInfo) throws InvalidAlgorithmException {
        super.updateCA(cryptoToken, cAInfo);
        final X509CAInfo info = (X509CAInfo) cAInfo;
        setPolicies(info.getPolicies());
        setAuthorityInformationAccess(info.getAuthorityInformationAccess());
        setUseAuthorityKeyIdentifier(info.getUseAuthorityKeyIdentifier());
        setAuthorityKeyIdentifierCritical(info.getAuthorityKeyIdentifierCritical());
        setUseCRLNumber(info.getUseCRLNumber());
        setCRLNumberCritical(info.getCRLNumberCritical());
        setDefaultCRLDistPoint(info.getDefaultCRLDistPoint());
        setDefaultCRLIssuer(info.getDefaultCRLIssuer());
        setCADefinedFreshestCRL(info.getCADefinedFreshestCRL());
        setDefaultOCSPServiceLocator(info.getDefaultOCSPServiceLocator());
        setUseUTF8PolicyText(info.getUseUTF8PolicyText());
        setUsePrintableStringSubjectDN(info.getUsePrintableStringSubjectDN());
        setUseLdapDNOrder(info.getUseLdapDnOrder());
        setUseCrlDistributionPointOnCrl(info.getUseCrlDistributionPointOnCrl());
        setCrlDistributionPointOnCrlCritical(info.getCrlDistributionPointOnCrlCritical());
        // Credential; stored as given and never logged here.
        setCmpRaAuthSecret(info.getCmpRaAuthSecret());
        setNameConstraintsPermitted(info.getNameConstraintsPermitted());
        setNameConstraintsExcluded(info.getNameConstraintsExcluded());
        setExternalCdp(info.getExternalCdp());
    }

    /**
     * Applies settings that may still change while the CA has no certificate yet: the common ones via
     * the superclass, plus the subject alternative name and the certificate policies.
     *
     * @param cAInfo the new settings; must be an {@link X509CAInfo}
     * @throws ClassCastException if {@code cAInfo} is not an {@link X509CAInfo}
     */
    @Override // org.cesecore.certificates.ca.CA
    public void updateUninitializedCA(CAInfo cAInfo) {
        super.updateUninitializedCA(cAInfo);
        final X509CAInfo info = (X509CAInfo) cAInfo;
        this.data.put(X509CA.SUBJECTALTNAME, info.getSubjectAltName());
        setPolicies(info.getPolicies());
    }

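    /**
     * Builds a CMS SignedData ("PKCS#7") structure signed with this CA's signing key.
     * <p>
     * The structure carries {@code certificate} (when non-null) and, when {@code z} is true, the CA's
     * certificate chain. Before anything is built, {@code certificate} is verified against the CA
     * certificate's public key (or, while no CA certificate exists yet, the token's signing public key),
     * so a certificate that was not signed by this CA is rejected.
     *
     * @param cryptoToken token holding the CA signing key
     * @param certificate certificate to include, or {@code null} to include only the chain
     * @param z           whether to include the CA certificate chain
     * @return DER-encoded CMS SignedData
     * @throws SignRequestSignatureException if {@code certificate} does not verify with this CA's key,
     *         if there is no CA token, or if the signing private key is missing
     * @throws RuntimeException wrapping any other failure, including a {@link CryptoTokenOfflineException}
     */
    @Override // org.cesecore.certificates.ca.CA
    public byte[] createPKCS7(CryptoToken cryptoToken, Certificate certificate, boolean z) throws SignRequestSignatureException {
        if (certificate != null) {
            try {
                X509Certificate x509Certificate = (X509Certificate) getCACertificate();
                certificate.verify(x509Certificate != null ? x509Certificate.getPublicKey() : cryptoToken.getPublicKey(getCAToken().getAliasFromPurpose(1)));
            } catch (Exception e) {
                // The exception thrown to the caller carries only a message, so keep the cause in the debug log.
                if (log.isDebugEnabled()) {
                    log.debug("createPKCS7: certificate verification failed", e);
                }
                throw new SignRequestSignatureException("Cannot verify certificate in createPKCS7(), did I sign this?");
            }
        }
        Collection<Certificate> certificateChain = getCertificateChain();
        ArrayList<Certificate> arrayList = new ArrayList<Certificate>();
        if (certificate != null) {
            arrayList.add(certificate);
        }
        if (z) {
            arrayList.addAll(certificateChain);
        }
        try {
            // Check for a usable token before asking it for keys, so a missing token is reported as such.
            if (getCAToken() == null || (cryptoToken instanceof NullCryptoToken)) {
                log.debug("createPKCS7: CA Token does not exist!");
                throw new SignRequestSignatureException("CA Token does not exist!");
            }
            // The signed content is a fixed ASCII marker, so the platform charset cannot change its bytes.
            CMSProcessableByteArray cMSProcessableByteArray = new CMSProcessableByteArray("EJBCA".getBytes());
            CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(arrayList), "BC");
            CMSSignedDataGenerator cMSSignedDataGenerator = new CMSSignedDataGenerator();
            PrivateKey privateKey = cryptoToken.getPrivateKey(getCAToken().getAliasFromPurpose(1));
            if (privateKey == null) {
                log.debug("createPKCS7: Private key does not exist!");
                throw new SignRequestSignatureException("createPKCS7: Private key does not exist!");
            }
            // SECURITY: the signer digest is SHA-1, which is deprecated for signatures. Moving to a SHA-2
            // digest (e.g. CMSSignedGenerator.DIGEST_SHA256) changes the produced structure and has to be
            // checked against the consumers of these PKCS#7 blobs before being changed here.
            cMSSignedDataGenerator.addSigner(privateKey, (X509Certificate) getCACertificate(), CMSSignedGenerator.DIGEST_SHA1);
            cMSSignedDataGenerator.addCertificatesAndCRLs(certStore);
            log.debug("createPKCS7: Provider=" + cryptoToken.getSignProviderName() + " using algorithm " + privateKey.getAlgorithm());
            return cMSSignedDataGenerator.generate(cMSProcessableByteArray, true, cryptoToken.getSignProviderName()).getEncoded();
        } catch (SignRequestSignatureException e) {
            // Declared failures thrown inside the try must reach the caller as-is instead of being
            // rewrapped in RuntimeException by the catch-all below.
            throw e;
        } catch (CryptoTokenOfflineException e2) {
            throw new RuntimeException(e2);
        } catch (Exception e3) {
            throw new RuntimeException(e3);
        }
    }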

    /**
     * Creates a PKCS#10 certification request for this CA, signed with the token key pair selected by key purpose.
     * <p>
     * The request subject is this CA's subject DN, encoded with the name style and DN order configured on the CA.
     * Any supplied attributes are wrapped in a DER SET and attached to the request.
     *
     * @param cryptoToken token holding the key pair
     * @param collection  request attributes to include, or {@code null} for none
     * @param str         the signature algorithm name
     * @param certificate certificate whose subject DN is only used for trace logging
     * @param i           the key purpose that selects the token key alias
     * @return the DER-encoded PKCS#10 request
     * @throws CryptoTokenOfflineException if the token cannot deliver the keys
     * @throws RuntimeException wrapping any other failure while building the request
     */
    @Override // org.cesecore.certificates.ca.CA
    public byte[] createRequest(CryptoToken cryptoToken, Collection<ASN1Encodable> collection, String str, Certificate certificate, int i) throws CryptoTokenOfflineException {
        log.trace(">createRequest: " + str + ", " + CertTools.getSubjectDN(certificate) + ", " + i);
        DERSet requestAttributes = new DERSet();
        if (collection != null) {
            log.debug("Adding attributes in the request");
            final ASN1EncodableVector attributeVector = new ASN1EncodableVector();
            for (final ASN1Encodable attribute : collection) {
                attributeVector.add(attribute);
            }
            requestAttributes = new DERSet(attributeVector);
        }
        final X500NameStyle nameStyle = getUsePrintableStringSubjectDN() ? PrintableStringNameStyle.INSTANCE : CeSecoreNameStyle.INSTANCE;
        final X500Name requestSubject = CertTools.stringToBcX500Name(getSubjectDN(), nameStyle, getUseLdapDNOrder());
        try {
            final String keyAlias = getCAToken().getAliasFromPurpose(i);
            final PublicKey requestPublicKey = cryptoToken.getPublicKey(keyAlias);
            final PrivateKey requestSigningKey = cryptoToken.getPrivateKey(keyAlias);
            final PKCS10CertificationRequest pkcs10 = CertTools.genPKCS10CertificationRequest(str, requestSubject, requestPublicKey, requestAttributes, requestSigningKey, cryptoToken.getSignProviderName());
            log.trace("<createRequest");
            return pkcs10.getEncoded();
        } catch (CryptoTokenOfflineException e) {
            // Rethrown unchanged so the catch-all below does not hide an offline token.
            throw e;
        } catch (Exception e2) {
            throw new RuntimeException(e2);
        }
    }

    /**
     * Not supported for X.509 CAs; always throws.
     *
     * @param cryptoToken ignored
     * @param bArr        ignored
     * @return never returns
     * @throws UnsupportedOperationException always
     */
    @Override // org.cesecore.certificates.ca.CA
    public byte[] createAuthCertSignRequest(CryptoToken cryptoToken, byte[] bArr) throws CryptoTokenOfflineException {
        final String reason = "Creation of authenticated CSRs is not supported for X509 CAs.";
        throw new UnsupportedOperationException(reason);
    }

    /**
     * Creates, or clears, the stored link certificate for this CA.
     * <p>
     * When {@code z} is false the stored link certificate is cleared. Otherwise a certificate carrying the
     * CA's own subject, subject alternative name, public key and validity period is issued with the key pair
     * obtained for key purpose 6 on the token and the sequence found under
     * {@link CATokenConstants#PREVIOUS_SEQUENCE_PROPERTY}, and its encoding is stored.
     * NOTE(review): purpose 6 is presumably the previous CA signing key — confirm against CATokenConstants.
     *
     * @param cryptoToken        token holding the signing key pair
     * @param z                  true to create a link certificate, false to clear it
     * @param certificateProfile profile used when issuing the link certificate
     * @throws CryptoTokenOfflineException if the token cannot deliver the keys
     * @throws RuntimeException wrapping any other failure (its message still says "CV CA", which looks
     *         carried over from the CVC implementation)
     */
    @Override // org.cesecore.certificates.ca.CA
    public void createOrRemoveLinkCertificate(CryptoToken cryptoToken, boolean z, CertificateProfile certificateProfile) throws CryptoTokenOfflineException {
        if (!z) {
            updateLatestLinkCertificate(null);
            return;
        }
        final byte[] encodedLinkCertificate;
        try {
            final CAToken caToken = getCAToken();
            final X509Certificate currentCaCertificate = (X509Certificate) getCACertificate();
            if (log.isDebugEnabled()) {
                log.debug("We will create a link certificate.");
            }
            final X509CAInfo caInfo = (X509CAInfo) getCAInfo();
            // Placeholder end entity carrying the CA's own names; the issued certificate re-uses the CA's key and validity.
            final EndEntityInformation linkSubject = new EndEntityInformation("nobody", caInfo.getSubjectDN(), caInfo.getSubjectDN().hashCode(), caInfo.getSubjectAltName(), null, 0, new EndEntityType(EndEntityTypes.INVALID), 0, caInfo.getCertificateProfileId(), null, null, 0, 0, null);
            final Certificate linkCertificate = generateCertificate(linkSubject, null, currentCaCertificate.getPublicKey(), -1, currentCaCertificate.getNotBefore(), currentCaCertificate.getNotAfter(), certificateProfile, null, caToken.getProperties().getProperty(CATokenConstants.PREVIOUS_SEQUENCE_PROPERTY), cryptoToken.getPublicKey(caToken.getAliasFromPurpose(6)), cryptoToken.getPrivateKey(caToken.getAliasFromPurpose(6)), cryptoToken.getSignProviderName(), null);
            log.info(intres.getLocalizedMessage("cvc.info.createlinkcert", linkSubject.getDN(), linkSubject.getDN()));
            encodedLinkCertificate = linkCertificate.getEncoded();
        } catch (CryptoTokenOfflineException e) {
            // Rethrown unchanged so the catch-all below does not hide an offline token.
            throw e;
        } catch (Exception e2) {
            throw new RuntimeException("Bad CV CA certificate.", e2);
        }
        updateLatestLinkCertificate(encodedLinkCertificate);
    }

    /**
     * Issues a certificate signed with this CA's certificate-signing key pair from the given token.
     * <p>
     * Resolves the signing key alias for key purpose 1 on the CA token, fetches both halves of that key
     * pair from {@code cryptoToken}, and delegates to the private overload that does the actual issuance.
     * NOTE(review): purpose 1 is presumably the CA certificate-signing key — confirm against CATokenConstants.
     *
     * @param cryptoToken                 token holding the CA signing key pair
     * @param endEntityInformation        the subject to issue for
     * @param requestMessage              the originating request, or {@code null}
     * @param publicKey                   the subject public key to certify
     * @param i                           key usage override, or a negative value for none
     * @param date                        requested notBefore, or {@code null}
     * @param date2                       requested notAfter, or {@code null}
     * @param certificateProfile          profile governing the issued certificate
     * @param extensions                  extension overrides, or {@code null}
     * @param str                         sequence passed through to the private overload
     * @param certificateGenerationParams additional generation parameters
     * @return the issued certificate
     */
    @Override // org.cesecore.certificates.ca.CA
    public Certificate generateCertificate(CryptoToken cryptoToken, EndEntityInformation endEntityInformation, RequestMessage requestMessage, PublicKey publicKey, int i, Date date, Date date2, CertificateProfile certificateProfile, Extensions extensions, String str, CertificateGenerationParams certificateGenerationParams) throws CryptoTokenOfflineException, CAOfflineException, InvalidAlgorithmException, IllegalValidityException, IllegalNameException, OperatorCreationException, CertificateCreateException, CertificateExtensionException, SignatureException {
        final CAToken caToken = getCAToken();
        final String signingKeyAlias = caToken.getAliasFromPurpose(1);
        final PublicKey caPublicKey = cryptoToken.getPublicKey(signingKeyAlias);
        final PrivateKey caPrivateKey = cryptoToken.getPrivateKey(signingKeyAlias);
        return generateCertificate(endEntityInformation, requestMessage, publicKey, i, date, date2, certificateProfile, extensions, str, caPublicKey, caPrivateKey, cryptoToken.getSignProviderName(), certificateGenerationParams);
    }

    private Certificate generateCertificate(EndEntityInformation endEntityInformation, RequestMessage requestMessage, PublicKey publicKey, int i, Date date, Date date2, CertificateProfile certificateProfile, Extensions extensions, String str, PublicKey publicKey2, PrivateKey privateKey, String str2, CertificateGenerationParams certificateGenerationParams) throws CAOfflineException, InvalidAlgorithmException, IllegalValidityException, IllegalNameException, CertificateExtensionException, OperatorCreationException, CertificateCreateException, SignatureException {
        BigInteger serno;
        X500Name stringToBcX500Name;
        X500Name x500Name;
        String str3;
        String str4;
        byte[] valueEncoded;
        if (getStatus() != 1 && getStatus() != 3) {
            String localizedMessage = intres.getLocalizedMessage("error.caoffline", getName(), Integer.valueOf(getStatus()));
            if (log.isDebugEnabled()) {
                log.debug(localizedMessage);
            }
            throw new CAOfflineException(localizedMessage);
        }
        String signatureAlgorithm = certificateProfile.getSignatureAlgorithm() == null ? getCAToken().getSignatureAlgorithm() : certificateProfile.getSignatureAlgorithm();
        if (!ArrayUtils.contains(AlgorithmConstants.AVAILABLE_SIGALGS, signatureAlgorithm)) {
            throw new InvalidAlgorithmException(intres.getLocalizedMessage("createcert.invalidsignaturealg", signatureAlgorithm));
        }
        boolean z = certificateProfile.getType() == 8;
        X509Certificate x509Certificate = (X509Certificate) getCACertificate();
        CertificateValidity.checkPrivateKeyUsagePeriod(x509Certificate);
        CertificateValidity certificateValidity = new CertificateValidity(endEntityInformation, certificateProfile, date, date2, x509Certificate, z);
        ExtendedInformation extendedinformation = endEntityInformation.getExtendedinformation();
        if (certificateProfile.getAllowCertSerialNumberOverride()) {
            serno = extendedinformation != null ? extendedinformation.certificateSerialNumber() : SernoGeneratorRandom.instance().getSerno();
        } else {
            serno = SernoGeneratorRandom.instance().getSerno();
            if (extendedinformation != null && extendedinformation.certificateSerialNumber() != null) {
                log.info(intres.getLocalizedMessage("createcert.certprof_not_allowing_cert_sn_override_using_normal", extendedinformation.certificateSerialNumber().toString(16)));
            }
        }
        String certificateDN = endEntityInformation.getCertificateDN();
        if (certificateProfile.getUseSubjectDNSubSet()) {
            certificateDN = certificateProfile.createSubjectDNSubSet(certificateDN);
        }
        X500NameStyle x500NameStyle = getUsePrintableStringSubjectDN() ? PrintableStringNameStyle.INSTANCE : CeSecoreNameStyle.INSTANCE;
        if (certificateProfile.getUseCNPostfix()) {
            certificateDN = CertTools.insertCNPostfix(certificateDN, certificateProfile.getCNPostfix(), x500NameStyle);
        }
        boolean z2 = getUseLdapDNOrder() && certificateProfile.getUseLdapDnOrder();
        if (!certificateProfile.getAllowDNOverride() || requestMessage == null || requestMessage.getRequestX500Name() == null) {
            stringToBcX500Name = CertTools.stringToBcX500Name(certificateDN, x500NameStyle, z2);
        } else {
            stringToBcX500Name = requestMessage.getRequestX500Name();
            if (log.isDebugEnabled()) {
                log.debug("Using X509Name from request instead of user's registered.");
            }
        }
        if (StringTools.hasStripChars(stringToBcX500Name.toString())) {
            if (log.isTraceEnabled()) {
                log.trace("DN with illegal name: " + stringToBcX500Name);
            }
            throw new IllegalNameException(intres.getLocalizedMessage("createcert.illegalname", new Object[0]));
        }
        if (log.isDebugEnabled()) {
            log.debug("Using subjectDN: " + stringToBcX500Name.toString());
        }
        if (z) {
            if (log.isDebugEnabled()) {
                log.debug("Using subject DN also as issuer DN, because it is a root CA");
            }
            x500Name = stringToBcX500Name;
        } else {
            x500Name = X500Name.getInstance(x509Certificate.getSubjectX500Principal().getEncoded());
            if (log.isDebugEnabled()) {
                log.debug("Using issuer DN directly from the CA certificate: " + x500Name.toString());
            }
        }
        try {
            SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(ASN1Primitive.fromByteArray(publicKey.getEncoded()));
            X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(x500Name, serno, certificateValidity.getNotBefore(), certificateValidity.getNotAfter(), stringToBcX500Name, subjectPublicKeyInfo);
            X509v3CertificateBuilder x509v3CertificateBuilder2 = certificateProfile.isUseCertificateTransparencyInCerts() ? new X509v3CertificateBuilder(x500Name, serno, certificateValidity.getNotBefore(), certificateValidity.getNotAfter(), stringToBcX500Name, subjectPublicKeyInfo) : null;
            if (x509Certificate instanceof X509Certificate) {
                GeneralNames generalNames = null;
                String subjectAltName = endEntityInformation.getSubjectAltName();
                if (certificateProfile.getUseSubjectAltNameSubSet()) {
                    subjectAltName = certificateProfile.createSubjectAltNameSubSet(subjectAltName);
                }
                if (subjectAltName != null && subjectAltName.length() > 0) {
                    generalNames = CertTools.getGeneralNamesFromAltName(subjectAltName);
                }
                CertTools.checkNameConstraints(x509Certificate, stringToBcX500Name, generalNames);
            }
            if (endEntityInformation.getExtendedinformation() != null) {
                ExtendedInformation extendedinformation2 = endEntityInformation.getExtendedinformation();
                List<String> nameConstraintsPermitted = extendedinformation2.getNameConstraintsPermitted();
                List<String> nameConstraintsExcluded = extendedinformation2.getNameConstraintsExcluded();
                if (((nameConstraintsPermitted != null && !nameConstraintsPermitted.isEmpty()) || (nameConstraintsExcluded != null && !nameConstraintsExcluded.isEmpty())) && !certificateProfile.getUseNameConstraints()) {
                    throw new CertificateCreateException("Tried to issue a certificate with Name Constraints without having enabled NC in the certificate profile.");
                }
            }
            ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
            if (certificateProfile.getAllowExtensionOverride() && extensions != null) {
                for (ASN1ObjectIdentifier aSN1ObjectIdentifier : extensions.getExtensionOIDs()) {
                    Extension extension = extensions.getExtension(aSN1ObjectIdentifier);
                    if (log.isDebugEnabled()) {
                        log.debug("Overriding extension with oid: " + aSN1ObjectIdentifier);
                    }
                    try {
                        extensionsGenerator.addExtension(aSN1ObjectIdentifier, extension.isCritical(), extension.getParsedValue());
                    } catch (IOException e) {
                        throw new IllegalStateException("Caught unexpected IOException.", e);
                    }
                }
            }
            Extensions generate = extensionsGenerator.generate();
            if (certificateProfile.getAllowKeyUsageOverride() && i >= 0) {
                if (log.isDebugEnabled()) {
                    log.debug("AllowKeyUsageOverride=true. Using KeyUsage from parameter: " + i);
                }
                if (certificateProfile.getUseKeyUsage() && i >= 0) {
                    KeyUsage keyUsage = new KeyUsage(i);
                    if (generate.getExtension(Extension.keyUsage) == null) {
                        try {
                            extensionsGenerator.addExtension(Extension.keyUsage, certificateProfile.getKeyUsageCritical(), keyUsage);
                        } catch (IOException e2) {
                            throw new IllegalStateException("Caught unexpected IOException.", e2);
                        }
                    } else if (log.isDebugEnabled()) {
                        log.debug("KeyUsage was already overridden by an extension, not using KeyUsage from parameter.");
                    }
                }
            }
            CertificateExtensionFactory certificateExtensionFactory = CertificateExtensionFactory.getInstance();
            Extensions generate2 = extensionsGenerator.generate();
            for (String str5 : certificateProfile.getUsedStandardCertificateExtensions()) {
                if (generate2.getExtension(new ASN1ObjectIdentifier(str5)) == null) {
                    CertificateExtension standardCertificateExtension = certificateExtensionFactory.getStandardCertificateExtension(str5, certificateProfile);
                    if (standardCertificateExtension != null && (valueEncoded = standardCertificateExtension.getValueEncoded(endEntityInformation, this, certificateProfile, publicKey, publicKey2, certificateValidity)) != null) {
                        extensionsGenerator.addExtension(new ASN1ObjectIdentifier(standardCertificateExtension.getOID()), standardCertificateExtension.isCriticalFlag(), valueEncoded);
                    }
                } else if (log.isDebugEnabled()) {
                    log.debug("Extension with oid " + str5 + " has been overridden, standard extension will not be added.");
                }
            }
            Iterator<Integer> it = certificateProfile.getUsedCertificateExtensions().iterator();
            while (it.hasNext()) {
                CertificateExtension certificateExtensions = certificateExtensionFactory.getCertificateExtensions(it.next());
                if (certificateExtensions != null) {
                    if (generate2.getExtension(new ASN1ObjectIdentifier(certificateExtensions.getOID())) == null) {
                        byte[] valueEncoded2 = certificateExtensions.getValueEncoded(endEntityInformation, this, certificateProfile, publicKey, publicKey2, certificateValidity);
                        if (valueEncoded2 != null) {
                            extensionsGenerator.addExtension(new ASN1ObjectIdentifier(certificateExtensions.getOID()), certificateExtensions.isCriticalFlag(), valueEncoded2);
                        }
                    } else if (log.isDebugEnabled()) {
                        log.debug("Extension with oid " + certificateExtensions.getOID() + " has been overridden, custom extension will not be added.");
                    }
                }
            }
            Extensions generate3 = extensionsGenerator.generate();
            try {
                for (ASN1ObjectIdentifier aSN1ObjectIdentifier2 : generate3.getExtensionOIDs()) {
                    Extension extension2 = generate3.getExtension(aSN1ObjectIdentifier2);
                    boolean isCritical = extension2.isCritical();
                    ASN1Encodable parsedValue = extension2.getParsedValue();
                    x509v3CertificateBuilder.addExtension(aSN1ObjectIdentifier2, isCritical, parsedValue);
                    if (x509v3CertificateBuilder2 != null) {
                        x509v3CertificateBuilder2.addExtension(aSN1ObjectIdentifier2, isCritical, parsedValue);
                    }
                }
                if (ct != null && certificateProfile.isUseCertificateTransparencyInCerts() && certificateGenerationParams.getConfiguredCTLogs() != null && certificateGenerationParams.getCTAuditLogCallback() != null) {
                    ct.addPreCertPoison(x509v3CertificateBuilder2);
                    X509Certificate x509Certificate2 = (X509Certificate) CertTools.getCertfromByteArray(x509v3CertificateBuilder2.build(new BufferingContentSigner(new JcaContentSignerBuilder(signatureAlgorithm).setProvider(str2).build(privateKey), 20480)).getEncoded());
                    ArrayList arrayList = new ArrayList();
                    arrayList.add(x509Certificate2);
                    arrayList.addAll(getCertificateChain());
                    byte[] bArr = null;
                    try {
                        bArr = ct.fetchSCTList(arrayList, certificateProfile, certificateGenerationParams.getConfiguredCTLogs());
                        certificateGenerationParams.getCTAuditLogCallback().logPreCertSubmission(this, endEntityInformation, x509Certificate2, bArr != null);
                        if (bArr != null) {
                            x509v3CertificateBuilder.addExtension(new ASN1ObjectIdentifier(CertificateTransparency.SCTLIST_OID), false, new DEROctetString(bArr));
                        }
                    } catch (Throwable th) {
                        certificateGenerationParams.getCTAuditLogCallback().logPreCertSubmission(this, endEntityInformation, x509Certificate2, bArr != null);
                        throw th;
                    }
                } else if (log.isDebugEnabled()) {
                    str3 = "";
                    if (ct == null) {
                        str4 = str3 + "CT is not available in this version of EJBCA.";
                    } else {
                        str3 = certificateProfile.isUseCertificateTransparencyInCerts() ? "" : str3 + "CT is not enabled in the certificate profile. ";
                        str4 = certificateGenerationParams == null ? str3 + "Certificate generation parameters was null." : certificateGenerationParams.getCTAuditLogCallback() == null ? str3 + "No CT audit logging callback was passed to X509CA." : certificateGenerationParams.getConfiguredCTLogs() == null ? str3 + "There are no CT logs configured in System Configuration." : str3 + "Internal error, should not happen.";
                    }
                    log.debug("Not logging to CT. " + str4);
                }
                if (log.isTraceEnabled()) {
                    log.trace(">certgen.generate");
                }
                try {
                    X509Certificate x509Certificate3 = (X509Certificate) CertTools.getCertfromByteArray(x509v3CertificateBuilder.build(new BufferingContentSigner(new JcaContentSignerBuilder(signatureAlgorithm).setProvider(str2).build(privateKey), 20480)).getEncoded());
                    if (log.isTraceEnabled()) {
                        log.trace("<certgen.generate");
                    }
                    try {
                        x509Certificate3.verify((x509Certificate == null || z) ? publicKey2 : x509Certificate.getPublicKey());
                        if (x509Certificate != null) {
                            byte[] authorityKeyId = CertTools.getAuthorityKeyId(x509Certificate3);
                            byte[] subjectKeyId = CertTools.getSubjectKeyId(z ? x509Certificate3 : x509Certificate);
                            if (authorityKeyId != null && subjectKeyId != null && !Arrays.equals(authorityKeyId, subjectKeyId)) {
                                log.error(intres.getLocalizedMessage("createcert.errorpathverifykeyid", new String(Hex.encode(authorityKeyId)), new String(Hex.encode(subjectKeyId))));
                            }
                            X500Principal issuerX500Principal = x509Certificate3.getIssuerX500Principal();
                            X500Principal subjectX500Principal = x509Certificate.getSubjectX500Principal();
                            if (issuerX500Principal != null && subjectX500Principal != null && !issuerX500Principal.equals(subjectX500Principal)) {
                                String localizedMessage2 = intres.getLocalizedMessage("createcert.errorpathverifydn", issuerX500Principal.getName(), subjectX500Principal.getName());
                                log.error(localizedMessage2);
                                throw new CertificateCreateException(localizedMessage2);
                            }
                        }
                        if (requestMessage != null) {
                            requestMessage.setResponseKeyInfo(privateKey, str2);
                        }
                        if (log.isDebugEnabled()) {
                            log.debug("X509CA: generated certificate, CA " + getCAId() + " for DN: " + endEntityInformation.getCertificateDN());
                        }
                        return x509Certificate3;
                    } catch (InvalidKeyException e3) {
                        throw new CertificateCreateException("CA's public key was invalid,", e3);
                    } catch (NoSuchAlgorithmException e4) {
                        throw new CertificateCreateException(e4);
                    } catch (NoSuchProviderException e5) {
                        throw new IllegalStateException("Provider was unknown", e5);
                    } catch (CertificateException e6) {
                        throw new CertificateCreateException(e6);
                    }
                } catch (IOException e7) {
                    throw new IllegalStateException("Unexpected IOException caught when parsing certificate holder.", e7);
                } catch (CertificateException e8) {
                    throw new CertificateCreateException("Could not create certificate from CA's private key,", e8);
                }
            } catch (IOException e9) {
                throw new CertificateCreateException("IOException was caught when parsing Certificate Transparency extension.", e9);
            } catch (CertificateException e10) {
                throw new CertificateCreateException("Could not process CA's private key when parsing Certificate Transparency extension.", e10);
            } catch (CTLogException e11) {
                throw new CertificateCreateException("An exception occurred because too many CT servers were down to satisfy the certificate profile.", e11);
            }
        } catch (IOException e12) {
            throw new IllegalStateException("Caught unexpected IOException.", e12);
        }
    }

    /**
     * Issues a full (non-delta) CRL whose validity is the CA's configured CRL period.
     *
     * @param cryptoToken token holding the CA signing key
     * @param collection revoked certificates to list in the CRL
     * @param i CRL number to put in the cRLNumber extension
     * @return the signed CRL
     */
    @Override // org.cesecore.certificates.ca.CA
    public X509CRLHolder generateCRL(CryptoToken cryptoToken, Collection<RevokedCertInfo> collection, int i) throws CryptoTokenOfflineException, IllegalCryptoTokenException, IOException, SignatureException, NoSuchProviderException, InvalidKeyException, CRLException, NoSuchAlgorithmException {
        final long crlValidityMillis = getCRLPeriod();
        final boolean deltaCrl = false;
        final int baseCrlNumber = 0;
        return generateCRL(cryptoToken, collection, crlValidityMillis, i, deltaCrl, baseCrlNumber);
    }

    /**
     * Issues a delta CRL whose validity is the CA's configured delta CRL period.
     *
     * @param cryptoToken token holding the CA signing key
     * @param collection revoked certificates to list in the delta CRL
     * @param i CRL number to put in the cRLNumber extension
     * @param i2 number of the base CRL this delta refers to (deltaCRLIndicator)
     * @return the signed delta CRL
     */
    @Override // org.cesecore.certificates.ca.CA
    public X509CRLHolder generateDeltaCRL(CryptoToken cryptoToken, Collection<RevokedCertInfo> collection, int i, int i2) throws CryptoTokenOfflineException, IllegalCryptoTokenException, IOException, SignatureException, NoSuchProviderException, InvalidKeyException, CRLException, NoSuchAlgorithmException {
        final long deltaValidityMillis = getDeltaCRLPeriod();
        final boolean deltaCrl = true;
        return generateCRL(cryptoToken, collection, deltaValidityMillis, i, deltaCrl, i2);
    }

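    /**
     * Builds, signs and self-verifies a CRL (or delta CRL) for this CA.
     *
     * The issuer name is the CA certificate's subject when a CA certificate exists, otherwise the
     * configured subject DN. thisUpdate is "now" and nextUpdate is thisUpdate + {@code j}.
     * Extensions follow the CA configuration: authority key identifier, authority information
     * access (caIssuers URIs), cRLNumber, deltaCRLIndicator (delta CRLs only), issuing distribution
     * point and freshestCRL (full CRLs only). Before the CRL is returned its signature is checked
     * against the CA certificate's public key (or the token's public key when there is no CA
     * certificate), so a CRL signed with a key that does not match the CA never leaves this method.
     *
     * @param cryptoToken token holding the CA signing key
     * @param collection revoked certificates to list; {@code null} yields a CRL with no entries
     * @param j CRL validity in milliseconds; nextUpdate = thisUpdate + j
     * @param i CRL number for the cRLNumber extension
     * @param z {@code true} to issue a delta CRL
     * @param i2 base CRL number for the deltaCRLIndicator; ignored unless {@code z}
     * @return the signed and verified CRL
     * @throws SignatureException if the signed CRL does not verify against the CA's public key,
     *         or the verifier reports a CertException
     * @throws RuntimeException if the JCA content signer or verifier cannot be created
     */
    private X509CRLHolder generateCRL(CryptoToken cryptoToken, Collection<RevokedCertInfo> collection, long j, int i, boolean z, int i2) throws CryptoTokenOfflineException, IllegalCryptoTokenException, IOException, SignatureException, NoSuchProviderException, InvalidKeyException, CRLException, NoSuchAlgorithmException {
        final String signatureAlgorithm = getCAInfo().getCAToken().getSignatureAlgorithm();
        // collection is allowed to be null (see the guarded loop below); the original dereferenced
        // it in this debug line and would NPE with debug logging on.
        final int revokedCount = collection == null ? 0 : collection.size();
        if (log.isDebugEnabled()) {
            log.debug("generateCRL(" + revokedCount + ", " + j + ", " + i + ", " + z + ", " + i2);
        }
        final X509Certificate caCertificate = (X509Certificate) getCACertificate();
        // Issuer: the CA certificate's subject when we have one, otherwise the configured DN.
        final X500Name issuer = caCertificate == null ? CertTools.stringToBcX500Name(getSubjectDN(), getUsePrintableStringSubjectDN() ? PrintableStringNameStyle.INSTANCE : CeSecoreNameStyle.INSTANCE, getUseLdapDNOrder()) : X500Name.getInstance(caCertificate.getSubjectX500Principal().getEncoded());
        // nextUpdate is derived from the same instant as thisUpdate, so the two cannot drift apart
        // the way two separate new Date() calls could.
        final Date thisUpdate = new Date();
        final Date nextUpdate = new Date(thisUpdate.getTime() + j);
        final X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, thisUpdate);
        crlBuilder.setNextUpdate(nextUpdate);
        if (collection != null) {
            if (log.isDebugEnabled()) {
                log.debug("Adding " + collection.size() + " revoked certificates to CRL. Free memory=" + Runtime.getRuntime().freeMemory());
            }
            for (final RevokedCertInfo revoked : collection) {
                crlBuilder.addCRLEntry(revoked.getUserCertificate(), revoked.getRevocationDate(), revoked.getReason());
            }
            if (log.isDebugEnabled()) {
                log.debug("Finished adding " + collection.size() + " revoked certificates to CRL. Free memory=" + Runtime.getRuntime().freeMemory());
            }
        }
        // Key purpose 2 is used both as the AKI source and as the signing key; presumably the
        // CRL-signing purpose constant from CATokenConstants — confirm.
        final String signingKeyAlias = getCAToken().getAliasFromPurpose(2);
        if (getUseAuthorityKeyIdentifier()) {
            final byte[] encodedSigningKey = cryptoToken.getPublicKey(signingKeyAlias).getEncoded();
            try (ASN1InputStream asn1In = new ASN1InputStream(new ByteArrayInputStream(encodedSigningKey))) {
                crlBuilder.addExtension(Extension.authorityKeyIdentifier, getAuthorityKeyIdentifierCritical(), new AuthorityKeyIdentifier(new SubjectPublicKeyInfo(asn1In.readObject())));
            }
        }
        // AIA on a CRL: one caIssuers access description per configured, non-empty URI.
        final ASN1EncodableVector accessDescriptions = new ASN1EncodableVector();
        if (getAuthorityInformationAccess() != null) {
            for (final String caIssuersUri : getAuthorityInformationAccess()) {
                if (StringUtils.isNotEmpty(caIssuersUri)) {
                    accessDescriptions.add(new AccessDescription(AccessDescription.id_ad_caIssuers, new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(caIssuersUri))));
                }
            }
        }
        if (accessDescriptions.size() > 0) {
            crlBuilder.addExtension(Extension.authorityInfoAccess, false, AuthorityInformationAccess.getInstance(new DERSequence(accessDescriptions)));
        }
        if (getUseCRLNumber()) {
            crlBuilder.addExtension(Extension.cRLNumber, getCRLNumberCritical(), new CRLNumber(BigInteger.valueOf(i)));
        }
        if (z) {
            // The delta CRL indicator is always marked critical.
            crlBuilder.addExtension(Extension.deltaCRLIndicator, true, new CRLNumber(BigInteger.valueOf(i2)));
        }
        if (getUseCrlDistributionPointOnCrl()) {
            final List<DistributionPoint> distPoints = generateDistributionPoints(getDefaultCRLDistPoint());
            if (!distPoints.isEmpty()) {
                // Only the first configured distribution point goes into the IDP extension.
                crlBuilder.addExtension(Extension.issuingDistributionPoint, getCrlDistributionPointOnCrlCritical(), new IssuingDistributionPoint(distPoints.get(0).getDistributionPoint(), false, false, (ReasonFlags) null, false, false));
            }
            if (!z) {
                // freshestCRL points from a full CRL to where delta CRLs are published.
                final List<DistributionPoint> freshestPoints = generateDistributionPoints(getCADefinedFreshestCRL());
                if (!freshestPoints.isEmpty()) {
                    crlBuilder.addExtension(Extension.freshestCRL, false, new CRLDistPoint(freshestPoints.toArray(new DistributionPoint[freshestPoints.size()])));
                }
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Signing CRL. Free memory=" + Runtime.getRuntime().freeMemory());
        }
        final X509CRLHolder crl;
        try {
            // 20480 is the BufferingContentSigner buffer size used elsewhere in this class.
            crl = crlBuilder.build(new BufferingContentSigner(new JcaContentSignerBuilder(signatureAlgorithm).setProvider(cryptoToken.getSignProviderName()).build(cryptoToken.getPrivateKey(signingKeyAlias)), 20480));
        } catch (OperatorCreationException e) {
            throw new RuntimeException("Can not create Jca content signer: ", e);
        }
        if (log.isDebugEnabled()) {
            log.debug("Finished signing CRL. Free memory=" + Runtime.getRuntime().freeMemory());
        }
        // Verify with the key relying parties will use: the CA certificate's key when we have a
        // certificate, otherwise the token's public key for the signing alias.
        final PublicKey verifyKey;
        if (caCertificate != null) {
            verifyKey = caCertificate.getPublicKey();
            if (log.isTraceEnabled()) {
                log.trace("Got the verify key from the CA certificate.");
            }
        } else {
            verifyKey = cryptoToken.getPublicKey(signingKeyAlias);
            if (log.isTraceEnabled()) {
                log.trace("Got the verify key from the CA token.");
            }
        }
        try {
            if (!crl.isSignatureValid(new JcaContentVerifierProviderBuilder().build(verifyKey))) {
                throw new SignatureException("Error verifying CRL to be returned.");
            }
        } catch (CertException e) {
            throw new SignatureException(e.getMessage(), e);
        } catch (OperatorCreationException e) {
            throw new RuntimeException("Can not create Jca content signer: ", e);
        }
        if (log.isDebugEnabled()) {
            log.debug("Returning CRL. Free memory=" + Runtime.getRuntime().freeMemory());
        }
        return crl;
    }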

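    /**
     * Converts a string of CRL distribution point URIs into BC {@link DistributionPoint}s, one per
     * URI. Each point carries a single URI GeneralName as its full name and neither reason flags
     * nor a CRL issuer.
     *
     * @param str URI list in the format accepted by {@code StringTools.splitURIs}; {@code null} is treated as ""
     * @return the distribution points in input order, empty when no URI is present (never {@code null})
     */
    private List<DistributionPoint> generateDistributionPoints(String str) {
        final String uris = str == null ? "" : str;
        final List<DistributionPoint> distributionPoints = new ArrayList<DistributionPoint>();
        for (final String uri : StringTools.splitURIs(uris)) {
            final GeneralName uriName = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(uri));
            if (log.isDebugEnabled()) {
                log.debug("Added CRL distpoint: " + uri);
            }
            final ASN1EncodableVector names = new ASN1EncodableVector();
            names.add(uriName);
            final DistributionPointName fullName = new DistributionPointName(DistributionPointName.FULL_NAME, GeneralNames.getInstance(new DERSequence(names)));
            distributionPoints.add(new DistributionPoint(fullName, (ReasonFlags) null, (GeneralNames) null));
        }
        return distributionPoints;
    }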

    /**
     * Returns the data schema version this class writes; {@code upgrade()} migrates older
     * persisted data up to this value.
     *
     * @return the latest X509CA data version, 19.0
     */
    @Override // org.cesecore.internal.UpgradeableDataHashMap, org.cesecore.internal.IUpgradeableData
    public float getLatestVersion() {
        final float latestVersion = 19.0f;
        return latestVersion;
    }

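    /**
     * Brings persisted X509CA data up to schema version 19.
     *
     * Runs only when the stored version differs from 19. Each step fills in a key that older
     * versions did not store, using the default assigned below, and the four CRL timing values,
     * which older versions stored as {@code Integer} hours (minutes for the overlap time), are
     * converted to the millisecond {@code long}s the setters take. Finally the stored version is
     * set to 19.
     */
    @Override // org.cesecore.internal.UpgradeableDataHashMap, org.cesecore.internal.IUpgradeableData
    public void upgrade() {
        // getLatestVersion() returns the same 19.0f; keep the two in step when bumping the schema.
        if (Float.compare(19.0f, getVersion()) != 0) {
            log.info("Upgrading X509CA with version " + getVersion());
            // The OCSP locator key is the marker for both the CRL DP and OCSP locator defaults.
            if (this.data.get(DEFAULTOCSPSERVICELOCATOR) == null) {
                setDefaultCRLDistPoint("");
                setDefaultOCSPServiceLocator("");
            }
            if (this.data.get("crlIssueInterval") == null) {
                setCRLIssueInterval(0L);
            }
            if (this.data.get("crlOverlapTime") == null) {
                setCRLOverlapTime(10L);
            }
            // The legacy flag "alwaysuseutf8subjectdn" seeds two newer settings: the UTF-8 policy
            // text flag takes its value and the printable-string subject DN flag takes its negation.
            boolean usePrintableStringSubjectDn = true;
            if (this.data.get("alwaysuseutf8subjectdn") != null) {
                boolean alwaysUseUtf8SubjectDn = ((Boolean) this.data.get("alwaysuseutf8subjectdn")).booleanValue();
                if (this.data.get(USEUTF8POLICYTEXT) == null) {
                    setUseUTF8PolicyText(alwaysUseUtf8SubjectDn);
                }
                usePrintableStringSubjectDn = !alwaysUseUtf8SubjectDn;
            } else if (this.data.get(USEUTF8POLICYTEXT) == null) {
                setUseUTF8PolicyText(false);
            }
            if (this.data.get(USEPRINTABLESTRINGSUBJECTDN) == null) {
                setUsePrintableStringSubjectDN(usePrintableStringSubjectDn);
            }
            if (this.data.get(DEFAULTCRLISSUER) == null) {
                setDefaultCRLIssuer(null);
            }
            if (this.data.get(USELDAPDNORDER) == null) {
                setUseLdapDNOrder(true);
            }
            if (this.data.get("deltacrlperiod") == null) {
                setDeltaCRLPeriod(0L);
            }
            if (this.data.get(USECRLDISTRIBUTIONPOINTONCRL) == null) {
                setUseCrlDistributionPointOnCrl(false);
            }
            if (this.data.get(CRLDISTRIBUTIONPOINTONCRLCRITICAL) == null) {
                setCrlDistributionPointOnCrlCritical(false);
            }
            if (this.data.get("includeinhealthcheck") == null) {
                setIncludeInHealthCheck(true);
            }
            // Unit conversion for values stored by older versions as Integer; values already
            // stored as Long are left untouched.
            Object crlPeriod = this.data.get("crlperiod");
            if (crlPeriod instanceof Integer) {
                setCRLPeriod(((Integer) crlPeriod).longValue() * SimpleTime.MILLISECONDS_PER_HOUR);
            }
            Object crlIssueInterval = this.data.get("crlIssueInterval");
            if (crlIssueInterval instanceof Integer) {
                setCRLIssueInterval(((Integer) crlIssueInterval).longValue() * SimpleTime.MILLISECONDS_PER_HOUR);
            }
            Object crlOverlapTime = this.data.get("crlOverlapTime");
            if (crlOverlapTime instanceof Integer) {
                setCRLOverlapTime(((Integer) crlOverlapTime).longValue() * SimpleTime.MILLISECONDS_PER_MINUTE);
            }
            Object deltaCrlPeriod = this.data.get("deltacrlperiod");
            if (deltaCrlPeriod instanceof Integer) {
                setDeltaCRLPeriod(((Integer) deltaCrlPeriod).longValue() * SimpleTime.MILLISECONDS_PER_HOUR);
            }
            // Float.valueOf replaces the deprecated boxing constructor; the stored value is equal
            // and nothing here relies on object identity.
            this.data.put(UpgradeableDataHashMap.VERSION, Float.valueOf(19.0f));
        }
    }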

    /**
     * Upgrades the data of every extended CA service attached to this CA and, unless configuration
     * says to keep it, removes service type 1 (presumably the OCSP service, judging by the
     * configuration key) from the list of services.
     *
     * @return {@code true} if any persisted data was changed and the CA needs to be saved
     */
    @Override // org.cesecore.certificates.ca.CA
    public boolean upgradeExtendedCAServices() {
        boolean changed = false;
        final Collection<Integer> serviceTypes = getExternalCAServiceTypes();
        // The receiver is a Collection, so remove(1) resolves to remove(Object) with a boxed
        // Integer, not to an index-based removal.
        if (!CesecoreConfiguration.getCaKeepOcspExtendedService() && serviceTypes.contains(1)) {
            serviceTypes.remove(1);
            this.data.put("extendedcaservices", serviceTypes);
            changed = true;
        }
        for (final Integer serviceType : serviceTypes) {
            final ExtendedCAService service = getExtendedCAService(serviceType.intValue());
            if (service == null) {
                log.error("Extended service is null, can not upgrade service of type: " + serviceType);
                continue;
            }
            final boolean versionBehind = Float.compare(service.getLatestVersion(), service.getVersion()) != 0;
            if (versionBehind) {
                service.upgrade();
            }
            // A service whose data changed, either by the upgrade above or by its own
            // isUpgraded() flag, is re-serialized into this CA's data.
            if (versionBehind || service.isUpgraded()) {
                changed = true;
                setExtendedCAServiceData(service.getExtendedCAServiceInfo().getType(), (HashMap) service.saveData());
            }
        }
        return changed;
    }

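    /**
     * Serializes a key pair with Java serialization and wraps the bytes in a CMS EnvelopedData
     * (AES-256-CBC content encryption, key transport to the token's public key for alias
     * {@code str}). The counterpart is {@link #decryptKeys}.
     *
     * @param cryptoToken token holding the recipient key
     * @param str alias of the token key whose public key encrypts the content
     * @param keyPair the key pair to protect
     * @return the DER-encoded CMS EnvelopedData
     * @throws IOException if serialization or DER encoding fails
     * @throws CMSException if the CMS envelope cannot be generated
     */
    @Override // org.cesecore.certificates.ca.CA
    public byte[] encryptKeys(CryptoToken cryptoToken, String str, KeyPair keyPair) throws IOException, CMSException, CryptoTokenOfflineException, NoSuchAlgorithmException, NoSuchProviderException {
        final ByteArrayOutputStream serialized = new ByteArrayOutputStream();
        // Close the ObjectOutputStream before reading the buffer so its block-data buffer is
        // flushed; the original never flushed or closed it.
        try (ObjectOutputStream objectOut = new ObjectOutputStream(serialized)) {
            objectOut.writeObject(keyPair);
        }
        final CMSEnvelopedDataGenerator envelopedDataGenerator = new CMSEnvelopedDataGenerator();
        final PublicKey recipientKey = cryptoToken.getPublicKey(str);
        // The recipient is identified by the subject key identifier derived from the token key.
        envelopedDataGenerator.addKeyTransRecipient(recipientKey, KeyTools.createSubjectKeyId(recipientKey).getKeyIdentifier());
        final CMSEnvelopedData envelopedData = envelopedDataGenerator.generate(new CMSProcessableByteArray(serialized.toByteArray()), CMSEnvelopedDataGenerator.AES256_CBC, "BC");
        log.info("Encrypted keys using key alias '" + str + "' from Crypto Token " + cryptoToken.getId());
        return envelopedData.getEncoded();
    }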

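    /**
     * Opens a CMS EnvelopedData produced by {@link #encryptKeys} with the token's private key for
     * alias {@code str} and deserializes the contained key pair.
     *
     * @param cryptoToken token holding the private key for {@code str}
     * @param str alias of the token key that unwraps the content
     * @param bArr DER-encoded CMS EnvelopedData
     * @return the deserialized key pair
     * @throws CMSException if the envelope cannot be parsed or the content cannot be unwrapped
     * @throws IOException if the decrypted bytes are not a valid serialization stream
     * @throws ClassNotFoundException if the serialization stream names a class that cannot be loaded
     * @throws java.util.NoSuchElementException if the envelope carries no recipient (only the first recipient is used)
     */
    @Override // org.cesecore.certificates.ca.CA
    public KeyPair decryptKeys(CryptoToken cryptoToken, String str, byte[] bArr) throws IOException, CMSException, CryptoTokenOfflineException, ClassNotFoundException {
        final RecipientInformation recipient = (RecipientInformation) new CMSEnvelopedData(bArr).getRecipientInfos().getRecipients().iterator().next();
        final JceKeyTransEnvelopedRecipient keyTransRecipient = new JceKeyTransEnvelopedRecipient(cryptoToken.getPrivateKey(str));
        keyTransRecipient.setProvider(cryptoToken.getEncProviderName());
        keyTransRecipient.setContentProvider("BC");
        final byte[] serializedKeyPair = recipient.getContent(keyTransRecipient);
        log.info("Decrypted keys using key alias '" + str + "' from Crypto Token " + cryptoToken.getId());
        // SECURITY NOTE: this is native Java deserialization of the decrypted content. Decryption
        // with the token's private key does not authenticate who produced the envelope, so the
        // bytes are only as trustworthy as wherever bArr is loaded from. If that storage is not
        // fully under the CA's control, restrict the permitted classes (java.io.ObjectInputFilter,
        // Java 9+) before readObject().
        try (ObjectInputStream objectIn = new ObjectInputStream(new ByteArrayInputStream(serializedKeyPair))) {
            return (KeyPair) objectIn.readObject();
        }
    }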

    /**
     * Unwraps a CMS EnvelopedData with the token's private key for key purpose {@code i} and
     * returns the plaintext content.
     *
     * @param cryptoToken token holding the private key
     * @param bArr DER-encoded CMS EnvelopedData
     * @param i key purpose whose alias is looked up in the CA token
     * @return the decrypted content
     * @throws CMSException if the envelope cannot be parsed or unwrapped
     */
    @Override // org.cesecore.certificates.ca.CA
    public byte[] decryptData(CryptoToken cryptoToken, byte[] bArr, int i) throws CMSException, CryptoTokenOfflineException {
        final CMSEnvelopedData envelope = new CMSEnvelopedData(bArr);
        // Only the first recipient is considered; an envelope with no recipients fails with
        // NoSuchElementException here.
        final RecipientInformation recipient = (RecipientInformation) envelope.getRecipientInfos().getRecipients().iterator().next();
        final String keyAlias = getCAToken().getAliasFromPurpose(i);
        final JceKeyTransEnvelopedRecipient unwrapper = new JceKeyTransEnvelopedRecipient(cryptoToken.getPrivateKey(keyAlias));
        // NOTE(review): the signing provider is used here while decryptKeys uses
        // getEncProviderName() for the same kind of unwrap — confirm which is intended.
        unwrapper.setProvider(cryptoToken.getSignProviderName());
        unwrapper.setContentProvider("BC");
        final byte[] plaintext = recipient.getContent(unwrapper);
        log.info("Decrypted data using key alias '" + keyAlias + "' from Crypto Token " + cryptoToken.getId());
        return plaintext;
    }

    /**
     * Wraps arbitrary bytes in a CMS EnvelopedData (AES-256-CBC content encryption, key transport
     * to the token's public key for key purpose {@code i}). The counterpart is {@link #decryptData}.
     *
     * @param cryptoToken token holding the recipient key
     * @param bArr the content to protect
     * @param i key purpose whose alias is looked up in the CA token
     * @return the DER-encoded CMS EnvelopedData
     * @throws IOException if DER encoding fails
     * @throws CMSException if the envelope cannot be generated
     */
    @Override // org.cesecore.certificates.ca.CA
    public byte[] encryptData(CryptoToken cryptoToken, byte[] bArr, int i) throws IOException, CMSException, CryptoTokenOfflineException, NoSuchAlgorithmException, NoSuchProviderException {
        final CMSEnvelopedDataGenerator envelopedDataGenerator = new CMSEnvelopedDataGenerator();
        final String keyAlias = getCAToken().getAliasFromPurpose(i);
        final PublicKey recipientKey = cryptoToken.getPublicKey(keyAlias);
        // The recipient is identified by the subject key identifier derived from the token key.
        final byte[] recipientKeyId = KeyTools.createSubjectKeyId(recipientKey).getKeyIdentifier();
        envelopedDataGenerator.addKeyTransRecipient(recipientKey, recipientKeyId);
        final CMSProcessableByteArray content = new CMSProcessableByteArray(bArr);
        final CMSEnvelopedData envelopedData = envelopedDataGenerator.generate(content, CMSEnvelopedDataGenerator.AES256_CBC, "BC");
        log.info("Encrypted data using key alias '" + keyAlias + "' from Crypto Token " + cryptoToken.getId());
        return envelopedData.getEncoded();
    }
}
