package fi.protonode.certy;

import java.io.BufferedWriter;
import java.io.IOException;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.time.Duration;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:fi/protonode/certy/CertificateRevocationList.class */
public class CertificateRevocationList {
    private Credential issuer;
    private List<Credential> revoked = new ArrayList();
    private Date thisUpdate;
    private Date nextUpdate;

    public CertificateRevocationList thisUpdate(Date date) {
        this.thisUpdate = date;
        return this;
    }

    public CertificateRevocationList nextUpdate(Date date) {
        this.nextUpdate = date;
        return this;
    }

    public CertificateRevocationList issuer(Credential credential) {
        this.issuer = credential;
        return this;
    }

    public CertificateRevocationList add(Credential credential) {
        this.revoked.add(credential);
        return this;
    }

    public byte[] getAsDer() throws CertificateException, NoSuchAlgorithmException, IOException {
        return generateCrl().getEncoded();
    }

    public String getAsPem() throws CertificateException, NoSuchAlgorithmException, IOException {
        StringWriter stringWriter = new StringWriter();
        JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(stringWriter);
        jcaPEMWriter.writeObject(generateCrl());
        jcaPEMWriter.flush();
        jcaPEMWriter.close();
        return stringWriter.toString();
    }

    public CertificateRevocationList writeAsPem(Path path) throws IOException, CertificateException, NoSuchAlgorithmException {
        BufferedWriter newBufferedWriter = Files.newBufferedWriter(path, StandardCharsets.UTF_8, new OpenOption[0]);
        try {
            newBufferedWriter.write(getAsPem());
            if (newBufferedWriter != null) {
                newBufferedWriter.close();
            }
            return this;
        } catch (Throwable th) {
            if (newBufferedWriter != null) {
                try {
                    newBufferedWriter.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private X509CRLHolder generateCrl() throws CertificateException, NoSuchAlgorithmException {
        if (this.issuer == null) {
            if (this.revoked.isEmpty()) {
                throw new IllegalArgumentException("issuer not known: either set issuer or add certificates to the CRL");
            }
            this.issuer = this.revoked.get(0).issuer;
        }
        Date date = new Date();
        if (this.thisUpdate != null) {
            date = this.thisUpdate;
        }
        Date from = Date.from(date.toInstant().plus((TemporalAmount) Duration.ofDays(7L)));
        if (this.nextUpdate != null) {
            from = this.nextUpdate;
        }
        X509v2CRLBuilder x509v2CRLBuilder = new X509v2CRLBuilder(this.issuer.subject, date);
        x509v2CRLBuilder.setNextUpdate(from);
        for (Credential credential : this.revoked) {
            credential.ensureGenerated();
            if (credential.issuer == null) {
                throw new IllegalArgumentException("cannot revoke self-signed certificate: " + credential.subject);
            }
            if (!credential.issuer.equals(this.issuer)) {
                throw new IllegalArgumentException("revoked certificates added from several issuers, or certificate does not match explicitly set Issuer");
            }
            x509v2CRLBuilder.addCRLEntry(credential.serial, date, 0, from);
        }
        try {
            return x509v2CRLBuilder.build(new JcaContentSignerBuilder(Credential.signatureAlgorithm(this.issuer.keyPair.getPublic())).build(this.issuer.keyPair.getPrivate()));
        } catch (OperatorCreationException e) {
            throw new CertificateException("failed to create content signer", e);
        }
    }
}
