package org.eclipse.kura.core.keystore;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.UnrecoverableEntryException;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.eclipse.kura.KuraErrorCode;
import org.eclipse.kura.KuraException;
import org.eclipse.kura.KuraRuntimeException;
import org.eclipse.kura.configuration.ConfigurableComponent;
import org.eclipse.kura.configuration.ConfigurationService;
import org.eclipse.kura.configuration.Password;
import org.eclipse.kura.core.keystore.crl.CRLManager;
import org.eclipse.kura.core.keystore.crl.CRLManagerOptions;
import org.eclipse.kura.crypto.CryptoService;
import org.eclipse.kura.security.keystore.KeystoreChangedEvent;
import org.eclipse.kura.security.keystore.KeystoreService;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.event.EventAdmin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/kura/core/keystore/FilesystemKeystoreServiceImpl.class */
public class FilesystemKeystoreServiceImpl implements KeystoreService, ConfigurableComponent {
    // Configuration property key under which the component's own PID is supplied.
    private static final String KURA_SERVICE_PID = "kura.service.pid";
    // PEM block type written around the encoded PKCS#10 request in getCSR.
    private static final String PEM_CERTIFICATE_REQUEST_TYPE = "CERTIFICATE REQUEST";
    private static final Logger logger = LoggerFactory.getLogger(FilesystemKeystoreServiceImpl.class);
    // Stored in activate(); the self-updater task uses it to check whether the service is registered.
    private ComponentContext componentContext;
    // Collaborators assigned through the set* methods below.
    private CryptoService cryptoService;
    private ConfigurationService configurationService;
    private EventAdmin eventAdmin;
    // Current keystore path/password options; replaced in activate(), updated() and after a password randomisation.
    private KeystoreServiceOptions keystoreServiceOptions;
    private CRLManagerOptions crlManagerOptions;
    // Present only while a CRL manager has been created by updateCRLManager(); emptied by shutdownCRLManager().
    private Optional<CRLManager> crlManager = Optional.empty();
    // Executor and handle of the task that pushes a randomised password into the configuration service.
    private ScheduledExecutorService selfUpdaterExecutor;
    private ScheduledFuture<?> selfUpdaterFuture;
    // PID read from the activation properties; used as the payload of KeystoreChangedEvent.
    private String ownPid;

    /**
     * Stores the crypto service used to decrypt/encrypt the keystore password.
     *
     * @param cryptoService the service instance to use
     */
    public void setCryptoService(CryptoService cryptoService) {
        this.cryptoService = cryptoService;
    }

    /**
     * Stores the configuration service used to persist a randomised keystore password.
     *
     * @param configurationService the service instance to use
     */
    public void setConfigurationService(ConfigurationService configurationService) {
        this.configurationService = configurationService;
    }

    /**
     * Stores the event admin used to post {@link KeystoreChangedEvent}s.
     *
     * @param eventAdmin the service instance to use
     */
    public void setEventAdmin(EventAdmin eventAdmin) {
        this.eventAdmin = eventAdmin;
    }

    /**
     * Component activation callback: reads the options, creates the self-updater executor,
     * randomises the keystore password when requested, and sets up CRL management.
     *
     * @param componentContext context of this component, kept for later service-reference checks
     * @param map              configuration properties, including {@code kura.service.pid}
     */
    public void activate(ComponentContext componentContext, Map<String, Object> map) {
        final Object servicePid = map.get(KURA_SERVICE_PID);
        logger.info("Bundle {} is starting!", servicePid);

        this.componentContext = componentContext;
        this.ownPid = (String) servicePid;
        this.keystoreServiceOptions = new KeystoreServiceOptions(map, this.cryptoService);
        this.selfUpdaterExecutor = Executors.newSingleThreadScheduledExecutor();

        // Only an existing keystore whose options ask for it gets a freshly generated password.
        final boolean randomizePassword = keystoreExists(this.keystoreServiceOptions.getKeystorePath())
                && this.keystoreServiceOptions.needsRandomPassword();
        if (randomizePassword) {
            changeDefaultKeystorePassword();
        }

        this.crlManagerOptions = new CRLManagerOptions(map);
        updateCRLManager(this.crlManagerOptions);

        logger.info("Bundle {} has started!", servicePid);
    }

    /**
     * Configuration-update callback. Applies a keystore path or password change and
     * rebuilds the CRL manager when the CRL options differ from the current ones.
     *
     * @param map the new configuration properties
     */
    public void updated(Map<String, Object> map) {
        logger.info("Bundle {} is updating!", map.get(KURA_SERVICE_PID));

        final KeystoreServiceOptions incomingOptions = new KeystoreServiceOptions(map, this.cryptoService);
        final boolean keystoreOptionsChanged = !this.keystoreServiceOptions.equals(incomingOptions);
        if (keystoreOptionsChanged) {
            logger.info("Perform update...");
            final String currentPath = this.keystoreServiceOptions.getKeystorePath();
            if (!currentPath.equals(incomingOptions.getKeystorePath())) {
                updateKeystorePath(incomingOptions);
            } else {
                final char[] currentPassword = this.keystoreServiceOptions.getKeystorePassword(this.cryptoService);
                final char[] incomingPassword = incomingOptions.getKeystorePassword(this.cryptoService);
                if (!Arrays.equals(currentPassword, incomingPassword)) {
                    updateKeystorePassword(this.keystoreServiceOptions, incomingOptions);
                }
            }
            // NOTE(review): updateKeystorePassword only logs on failure, so the new options
            // (and new password) are adopted here even if the keystore file was not re-keyed;
            // later loads would then fail with the new password. Confirm this is intended.
            this.keystoreServiceOptions = new KeystoreServiceOptions(map, this.cryptoService);
        }

        final CRLManagerOptions incomingCrlOptions = new CRLManagerOptions(map);
        if (!this.crlManagerOptions.equals(incomingCrlOptions)) {
            this.crlManagerOptions = incomingCrlOptions;
            updateCRLManager(incomingCrlOptions);
        }

        logger.info("Bundle {} has updated!", map.get(KURA_SERVICE_PID));
    }

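    /**
     * Component deactivation callback: stops the self-updater task, releases its executor
     * and closes the CRL manager.
     */
    public void deactivate() {
        logger.info("Bundle {} is deactivating!", this.keystoreServiceOptions.getProperties().get(KURA_SERVICE_PID));
        if (this.selfUpdaterFuture != null && !this.selfUpdaterFuture.isDone()) {
            logger.info("Self updater task running. Stopping it");
            this.selfUpdaterFuture.cancel(true);
        }
        // activate() creates a new single-thread executor on every activation; without a
        // shutdown its worker thread would outlive the component.
        if (this.selfUpdaterExecutor != null) {
            this.selfUpdaterExecutor.shutdownNow();
        }
        shutdownCRLManager();
    }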

    /**
     * Tells whether a file system entry exists at the given keystore path.
     *
     * @param str keystore path
     * @return {@code true} if {@link File#exists()} reports the path as existing
     */
    private boolean keystoreExists(String str) {
        return new File(str).exists();
    }

    /**
     * Checks a newly configured keystore path and logs a warning when the file exists but
     * cannot be opened with the configured password. Nothing else is changed here.
     *
     * @param keystoreServiceOptions the options carrying the new path and password
     */
    private void updateKeystorePath(KeystoreServiceOptions keystoreServiceOptions) {
        final String newPath = keystoreServiceOptions.getKeystorePath();
        if (!keystoreExists(newPath)) {
            return;
        }
        final char[] newPassword = keystoreServiceOptions.getKeystorePassword(this.cryptoService);
        if (!isKeyStoreAccessible(newPath, newPassword)) {
            logger.warn("Keystore {} not accessible!", newPath);
        }
    }

    /**
     * Replaces the keystore password with a random one generated from {@link SecureRandom},
     * then records the new (AES-encrypted) password in the options and schedules its
     * persistence through the configuration service.
     */
    private void changeDefaultKeystorePassword() {
        final String keystorePath = this.keystoreServiceOptions.getKeystorePath();

        char[] currentPassword = this.keystoreServiceOptions.getKeystorePassword(this.cryptoService);
        if (isDefaultFromCrypto()) {
            // The password kept by the crypto service opens the keystore, so it is the one to replace.
            currentPassword = this.cryptoService.getKeyStorePassword(keystorePath);
        }

        // 160 random bits rendered in base 32.
        final char[] randomPassword = new BigInteger(160, new SecureRandom()).toString(32).toCharArray();
        try {
            changeKeyStorePassword(keystorePath, currentPassword, randomPassword);

            final Map<String, Object> properties = new HashMap<>(this.keystoreServiceOptions.getProperties());
            final String encryptedPassword = new String(this.cryptoService.encryptAes(randomPassword));
            properties.put("keystore.password", encryptedPassword);
            this.keystoreServiceOptions = new KeystoreServiceOptions(properties, this.cryptoService);

            updatePasswordInConfigService(randomPassword);
        } catch (Exception e) {
            // NOTE(review): if the failure happens after the keystore file was re-keyed, the
            // random password exists only in this method's local array - verify recovery path.
            logger.warn("Keystore password change failed", e);
        }
    }

    /**
     * Re-keys the keystore file at the given path: loads it with the old password,
     * re-protects every key entry with the new password and writes it back.
     *
     * @param str   keystore path
     * @param cArr  current password
     * @param cArr2 new password
     */
    private synchronized void changeKeyStorePassword(String str, char[] cArr, char[] cArr2) throws IOException, NoSuchAlgorithmException, CertificateException, KeyStoreException, UnrecoverableEntryException {
        final KeyStore keystore = loadKeystore(str, cArr);
        updateKeyEntriesPasswords(keystore, cArr, cArr2);
        saveKeystore(str, cArr2, keystore);
    }

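    /**
     * Writes the keystore to the given path, protected by the given password.
     *
     * @param str      destination path
     * @param cArr     password used to protect the stored keystore
     * @param keyStore keystore to write
     * @throws IOException if the file cannot be opened, written or closed
     */
    private void saveKeystore(String str, char[] cArr, KeyStore keyStore) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        // try-with-resources: a failure while closing is attached as a suppressed exception
        // instead of replacing the exception thrown by store().
        // NOTE(review): FileOutputStream truncates the existing file before store() runs, so an
        // error part-way through leaves a damaged keystore; consider temp file + rename.
        try (FileOutputStream out = new FileOutputStream(str)) {
            keyStore.store(out, cArr);
        }
    }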

    /**
     * Schedules a task, run every second, that writes the new keystore password into this
     * component's configuration as soon as the service and its configuration are available.
     *
     * @param cArr the new keystore password
     */
    private void updatePasswordInConfigService(char[] cArr) {
        final String pid = this.keystoreServiceOptions.getPid();

        final Map<String, Object> newProperties = new HashMap<>();
        newProperties.putAll(this.keystoreServiceOptions.getProperties());
        newProperties.put("keystore.path", this.keystoreServiceOptions.getKeystorePath());
        newProperties.put("keystore.password", new Password(cArr));
        // Randomisation is switched off so the password is not regenerated on the next activation.
        newProperties.put("randomize.password", false);

        this.selfUpdaterFuture = this.selfUpdaterExecutor.scheduleAtFixedRate(() -> {
            try {
                final boolean notReady = this.componentContext.getServiceReference() == null
                        || this.configurationService.getComponentConfiguration(pid) == null
                        || this.configurationService.getComponentConfiguration(pid).getDefinition() == null;
                if (notReady) {
                    logger.info("No service or configuration available yet.");
                    return;
                }
                this.configurationService.updateConfiguration(pid, newProperties);
                // An exception escaping a fixed-rate task suppresses its further executions;
                // this one is thrown on purpose to stop the task after a successful update.
                throw new KuraRuntimeException(KuraErrorCode.CONFIGURATION_SNAPSHOT_TAKING, new Object[]{"Updated. The task will be terminated."});
            } catch (KuraException e) {
                logger.warn("Cannot get/update configuration for pid: {}", pid, e);
            }
        }, 1000L, 1000L, TimeUnit.MILLISECONDS);
    }

    /**
     * Tells whether the password the crypto service holds for the keystore path opens the keystore.
     *
     * @return {@code false} when the crypto service has no password for the path or the
     *         keystore cannot be loaded with it
     */
    private boolean isDefaultFromCrypto() {
        final char[] cryptoPassword = this.cryptoService.getKeyStorePassword(this.keystoreServiceOptions.getKeystorePath());
        return cryptoPassword != null
                && isKeyStoreAccessible(this.keystoreServiceOptions.getKeystorePath(), cryptoPassword);
    }

    /**
     * Probes whether the keystore at the given path can be loaded with the given password.
     *
     * @param str  keystore path
     * @param cArr candidate password
     * @return {@code true} if loading succeeds, {@code false} on any exception
     */
    private boolean isKeyStoreAccessible(String str, char[] cArr) {
        boolean accessible;
        try {
            loadKeystore(str, cArr);
            accessible = true;
        } catch (Exception ignored) {
            // Any failure (missing file, wrong password, damaged store) means "not accessible".
            accessible = false;
        }
        return accessible;
    }

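    /**
     * Loads a keystore of the JVM default type from the given path.
     *
     * @param str  keystore path
     * @param cArr password used to open the keystore
     * @return the loaded keystore
     * @throws IOException if the file cannot be read, or the keystore cannot be opened
     */
    private KeyStore loadKeystore(String str, char[] cArr) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // try-with-resources: a failure while closing is attached as a suppressed exception
        // instead of replacing the exception thrown by load().
        try (FileInputStream in = new FileInputStream(str)) {
            keyStore.load(in, cArr);
        }
        return keyStore;
    }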

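    /**
     * Re-keys the current keystore from the old options' password to the new options'
     * password and records the new password in the crypto service. Failures are logged,
     * not propagated.
     *
     * @param keystoreServiceOptions  options holding the current password
     * @param keystoreServiceOptions2 options holding the new password
     */
    private void updateKeystorePassword(KeystoreServiceOptions keystoreServiceOptions, KeystoreServiceOptions keystoreServiceOptions2) {
        try {
            changeKeyStorePassword(keystoreServiceOptions.getKeystorePassword(this.cryptoService), keystoreServiceOptions2.getKeystorePassword(this.cryptoService));
            // NOTE(review): if this second step fails, the file is already protected by the new
            // password while the crypto service still holds the old one.
            this.cryptoService.setKeyStorePassword(this.keystoreServiceOptions.getKeystorePath(), keystoreServiceOptions2.getKeystorePassword(this.cryptoService));
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException e) {
            // The cause is logged so a failed re-key can be diagnosed.
            logger.warn("Failed to change keystore password", e);
        } catch (KuraException e) {
            logger.warn("Failed to persist keystore password", e);
        } catch (GeneralSecurityException e) {
            logger.warn("Failed to load keystore", e);
        }
    }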

    /**
     * Re-keys the currently configured keystore: loads it via {@link #getKeyStore()},
     * re-protects every key entry with the new password and writes it back.
     *
     * @param cArr  current password
     * @param cArr2 new password
     */
    private void changeKeyStorePassword(char[] cArr, char[] cArr2) throws IOException, GeneralSecurityException, KuraException {
        // NOTE(review): unlike the (path, old, new) overload this method is not synchronized;
        // only the getKeyStore() call inside it is.
        final KeyStore currentKeystore = getKeyStore();
        updateKeyEntriesPasswords(currentKeystore, cArr, cArr2);
        saveKeystore(currentKeystore, cArr2);
    }

    /**
     * Re-protects every key entry of the keystore: each one is read with the old password
     * and stored again under the same alias with the new password. Other entries are untouched.
     *
     * @param keyStore keystore to modify in memory
     * @param cArr     password currently protecting the key entries
     * @param cArr2    password that will protect them afterwards
     */
    private static void updateKeyEntriesPasswords(KeyStore keyStore, char[] cArr, char[] cArr2) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException {
        for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
            final String alias = aliases.nextElement();
            if (!keyStore.isKeyEntry(alias)) {
                continue;
            }
            final KeyStore.Entry keyEntry = keyStore.getEntry(alias, new KeyStore.PasswordProtection(cArr));
            keyStore.setEntry(alias, keyEntry, new KeyStore.PasswordProtection(cArr2));
        }
    }

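    /**
     * Loads the configured keystore file with the configured password.
     *
     * @return a freshly loaded keystore of the JVM default type
     * @throws KuraException with {@code BAD_REQUEST} if the file cannot be read or opened
     */
    public synchronized KeyStore getKeyStore() throws KuraException {
        // try-with-resources: a failure while closing is attached as a suppressed exception
        // instead of replacing the exception thrown by load().
        try (FileInputStream in = new FileInputStream(this.keystoreServiceOptions.getKeystorePath())) {
            final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(in, this.keystoreServiceOptions.getKeystorePassword(this.cryptoService));
            return keyStore;
        } catch (IOException | GeneralSecurityException e) {
            logger.warn("Failed to get the KeyStore {}", this.keystoreServiceOptions.getKeystorePath());
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to get the KeyStore"});
        }
    }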

    /**
     * Returns the keystore entry stored under the given alias.
     *
     * <p>Private-key and secret-key entries are opened with the keystore password, which
     * this service also uses as the per-entry password; other entries are read unprotected.
     *
     * @param str entry alias, must not be {@code null}
     * @return the entry as returned by {@link KeyStore#getEntry}
     * @throws IllegalArgumentException if the alias is {@code null}
     * @throws KuraException            if the keystore or the entry cannot be read
     */
    public KeyStore.Entry getEntry(String str) throws KuraException {
        if (Objects.isNull(str)) {
            throw new IllegalArgumentException("Key Pair alias cannot be null!");
        }
        final KeyStore keystore = getKeyStore();
        try {
            final boolean passwordProtected = keystore.entryInstanceOf(str, KeyStore.PrivateKeyEntry.class)
                    || keystore.entryInstanceOf(str, KeyStore.SecretKeyEntry.class);
            KeyStore.ProtectionParameter protection = null;
            if (passwordProtected) {
                protection = new KeyStore.PasswordProtection(this.keystoreServiceOptions.getKeystorePassword(this.cryptoService));
            }
            return keystore.getEntry(str, protection);
        } catch (GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to get the entry " + str});
        }
    }

    /**
     * Returns every keystore entry, keyed by alias.
     *
     * <p>The result includes private-key and secret-key entries in usable form, so callers
     * hold key material. Each alias is resolved through {@link #getEntry(String)}, which
     * loads the keystore again.
     *
     * @return a new map from alias to entry
     * @throws KuraException if the keystore or an entry cannot be read
     */
    public Map<String, KeyStore.Entry> getEntries() throws KuraException {
        final Map<String, KeyStore.Entry> entriesByAlias = new HashMap<>();
        try {
            final Enumeration<String> aliases = getKeyStore().aliases();
            while (aliases.hasMoreElements()) {
                final String alias = aliases.nextElement();
                entriesByAlias.put(alias, getEntry(alias));
            }
        } catch (GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to get the entries"});
        }
        return entriesByAlias;
    }

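    /**
     * Builds a PKCS#10 certificate signing request for the key pair and returns it PEM-encoded.
     *
     * @param keyPair       key pair whose public key is certified and whose private key signs the request
     * @param x500Principal subject of the request
     * @param str           signature algorithm name passed to the content signer builder
     * @return the request as a PEM {@code CERTIFICATE REQUEST} block
     * @throws IllegalArgumentException if an argument is {@code null} or the algorithm is blank
     * @throws KuraException            {@code BAD_REQUEST} if the signer cannot be created,
     *                                  {@code ENCODE_ERROR} if PEM encoding fails
     */
    public String getCSR(KeyPair keyPair, X500Principal x500Principal, String str) throws KuraException {
        if (Objects.isNull(x500Principal) || Objects.isNull(keyPair) || Objects.isNull(str) || str.trim().isEmpty()) {
            throw new IllegalArgumentException("Input parameters cannot be null!");
        }
        try {
            final PKCS10CertificationRequest request = new JcaPKCS10CertificationRequestBuilder(x500Principal, keyPair.getPublic()).build(new JcaContentSignerBuilder(str).build(keyPair.getPrivate()));
            // try-with-resources closes the PEM writer before the string writer and keeps a
            // close failure as a suppressed exception rather than masking the original error.
            try (StringWriter buffer = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(buffer)) {
                pemWriter.writeObject(new PemObject(PEM_CERTIFICATE_REQUEST_TYPE, request.getEncoded()));
                // Flush before reading the buffer so the whole PEM block is present.
                pemWriter.flush();
                return buffer.toString();
            } catch (IOException e) {
                throw new KuraException(KuraErrorCode.ENCODE_ERROR, e, new Object[]{"Failed to get CSR"});
            }
        } catch (OperatorCreationException e2) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e2, new Object[]{"Failed to get CSR"});
        }
    }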

    /**
     * Builds a PEM-encoded certificate signing request for the private-key entry stored
     * under the given alias.
     *
     * @param str           alias of a private-key entry
     * @param x500Principal subject of the request
     * @param str2          signature algorithm name
     * @return the request as a PEM block
     * @throws IllegalArgumentException if an argument is {@code null} or a string is blank
     * @throws KuraException            {@code NOT_FOUND} if no entry exists for the alias,
     *                                  {@code BAD_REQUEST} if it is not a private-key entry
     */
    public String getCSR(String str, X500Principal x500Principal, String str2) throws KuraException {
        final boolean aliasMissing = Objects.isNull(str) || str.trim().isEmpty();
        if (Objects.isNull(x500Principal) || aliasMissing || Objects.isNull(str2) || str2.trim().isEmpty()) {
            throw new IllegalArgumentException("Input parameters cannot be null!");
        }

        final KeyStore.Entry entry = getEntry(str);
        if (entry == null) {
            throw new KuraException(KuraErrorCode.NOT_FOUND);
        }
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST);
        }

        // The public half comes from the entry's certificate, the private half from the entry itself.
        final KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) entry;
        final KeyPair keyPair = new KeyPair(privateKeyEntry.getCertificate().getPublicKey(), privateKeyEntry.getPrivateKey());
        return getCSR(keyPair, x500Principal, str2);
    }

    /**
     * Creates key managers backed by the configured keystore.
     *
     * @param str {@link KeyManagerFactory} algorithm name, must not be {@code null}
     * @return the key managers produced by the factory, as a fixed-size list
     * @throws IllegalArgumentException if the algorithm is {@code null}
     * @throws KuraException            if the keystore cannot be loaded or the factory fails
     */
    public List<KeyManager> getKeyManagers(String str) throws KuraException {
        if (Objects.isNull(str)) {
            throw new IllegalArgumentException("Algorithm cannot be null!");
        }
        final KeyStore keystore = getKeyStore();
        try {
            final KeyManagerFactory factory = KeyManagerFactory.getInstance(str);
            // The keystore password is also the password protecting the key entries.
            final char[] keyPassword = this.keystoreServiceOptions.getKeystorePassword(this.cryptoService);
            factory.init(keystore, keyPassword);
            final KeyManager[] managers = factory.getKeyManagers();
            return Arrays.asList(managers);
        } catch (GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to get the key managers for algorithm " + str});
        }
    }

    /**
     * Deletes the entry stored under the given alias, if any, and writes the keystore back.
     *
     * <p>A {@link KeystoreChangedEvent} is posted here unless the CRL manager reports that
     * it removed the entry's certificate from its own tracking.
     *
     * @param str alias to delete, must not be {@code null}
     * @throws IllegalArgumentException if the alias is {@code null}
     * @throws KuraException            if the keystore cannot be read, modified or written
     */
    public void deleteEntry(String str) throws KuraException {
        if (Objects.isNull(str)) {
            throw new IllegalArgumentException("Alias cannot be null!");
        }
        final KeyStore.Entry existingEntry = getEntry(str);
        if (existingEntry == null) {
            return;
        }
        // NOTE(review): load, modify and save are separate steps and this method is not
        // synchronized, so two concurrent modifications could overwrite each other - confirm
        // whether callers are serialised.
        final KeyStore keystore = getKeyStore();
        try {
            keystore.deleteEntry(str);
            saveKeystore(keystore);
            if (!tryRemoveFromCrlManagement(existingEntry)) {
                postChangedEvent();
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to delete entry " + str});
        }
    }

    /**
     * Writes the keystore to the configured path, protected by the configured password.
     *
     * @param keyStore keystore to write
     */
    private void saveKeystore(KeyStore keyStore) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
        final char[] configuredPassword = this.keystoreServiceOptions.getKeystorePassword(this.cryptoService);
        saveKeystore(keyStore, configuredPassword);
    }

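    /**
     * Writes the keystore to the configured path, protected by the given password.
     *
     * @param keyStore keystore to write
     * @param cArr     password used to protect the stored keystore
     * @throws IOException if the file cannot be opened, written or closed
     */
    private void saveKeystore(KeyStore keyStore, char[] cArr) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
        // try-with-resources: a failure while closing is attached as a suppressed exception
        // instead of replacing the exception thrown by store().
        // NOTE(review): FileOutputStream truncates the existing file before store() runs, so an
        // error part-way through leaves a damaged keystore; consider temp file + rename.
        try (FileOutputStream out = new FileOutputStream(this.keystoreServiceOptions.getKeystorePath())) {
            keyStore.store(out, cArr);
        }
    }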

    /**
     * Stores an entry under the given alias and writes the keystore back.
     *
     * <p>Trusted-certificate entries are stored without protection; every other entry is
     * protected with the keystore password. A {@link KeystoreChangedEvent} is posted here
     * unless the CRL manager reports that it started tracking the entry's certificate.
     *
     * @param str   alias, must not be {@code null} or blank
     * @param entry entry to store, must not be {@code null}
     * @throws IllegalArgumentException if the alias is {@code null}/blank or the entry is {@code null}
     * @throws KuraException            if the keystore cannot be read, modified or written
     */
    public void setEntry(String str, KeyStore.Entry entry) throws KuraException {
        final boolean aliasMissing = Objects.isNull(str) || str.trim().isEmpty();
        if (aliasMissing || Objects.isNull(entry)) {
            throw new IllegalArgumentException("Input cannot be null or empty!");
        }
        // NOTE(review): load, modify and save are separate steps and this method is not
        // synchronized, so two concurrent modifications could overwrite each other - confirm
        // whether callers are serialised.
        final KeyStore keystore = getKeyStore();
        try {
            KeyStore.ProtectionParameter protection = null;
            if (!(entry instanceof KeyStore.TrustedCertificateEntry)) {
                protection = new KeyStore.PasswordProtection(this.keystoreServiceOptions.getKeystorePassword(this.cryptoService));
            }
            keystore.setEntry(str, entry, protection);
            saveKeystore(keystore);
            if (!tryAddToCrlManagement(entry)) {
                postChangedEvent();
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to set the entry " + str});
        }
    }

    /**
     * Lists the aliases of all entries in the configured keystore.
     *
     * @return a new list of aliases
     * @throws KuraException if the keystore cannot be loaded or enumerated
     */
    public List<String> getAliases() throws KuraException {
        final KeyStore keystore = getKeyStore();
        try {
            final ArrayList<String> aliasList = new ArrayList<>();
            final Enumeration<String> aliases = keystore.aliases();
            while (aliases.hasMoreElements()) {
                aliasList.add(aliases.nextElement());
            }
            return aliasList;
        } catch (GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to get aliases"});
        }
    }

    /**
     * Generates a key pair with a fresh {@link SecureRandom} and stores it under the alias;
     * see the six-argument overload for the meaning of the parameters.
     *
     * @param str  alias for the new entry
     * @param str2 key pair algorithm
     * @param i    key size passed to the generator
     * @param str3 signature algorithm for the self-signed certificate
     * @param str4 X.500 name used for the certificate
     */
    public void createKeyPair(String str, String str2, int i, String str3, String str4) throws KuraException {
        final SecureRandom freshRandom = new SecureRandom();
        createKeyPair(str, str2, i, str3, str4, freshRandom);
    }

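    /**
     * Generates a key pair, wraps it in a self-signed certificate chain and stores it as a
     * private-key entry under the given alias.
     *
     * @param str          alias for the new entry, must not be {@code null}
     * @param str2         key pair algorithm, must not be {@code null} or blank
     * @param i            key size passed to {@link KeyPairGenerator#initialize(int, SecureRandom)}
     * @param str3         signature algorithm for the certificate, must not be {@code null} or blank
     * @param str4         X.500 name used for the certificate, must not be {@code null} or blank
     * @param secureRandom randomness source for key generation, must not be {@code null}
     * @throws IllegalArgumentException if a required argument is {@code null} or blank
     * @throws KuraException            {@code BAD_REQUEST} if generation or certificate creation fails
     */
    public void createKeyPair(String str, String str2, int i, String str3, String str4, SecureRandom secureRandom) throws KuraException {
        if (Objects.isNull(str2) || str2.trim().isEmpty() || Objects.isNull(secureRandom) || Objects.isNull(str) || Objects.isNull(str4) || str4.trim().isEmpty() || Objects.isNull(str3) || str3.trim().isEmpty()) {
            throw new IllegalArgumentException("Parameters cannot be null or empty!");
        }
        try {
            final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(str2);
            // NOTE(review): the key size is handed to the provider unchecked; no lower bound
            // per algorithm is enforced in this method.
            keyPairGenerator.initialize(i, secureRandom);
            final KeyPair generatedKeyPair = keyPairGenerator.generateKeyPair();
            setEntry(str, new KeyStore.PrivateKeyEntry(generatedKeyPair.getPrivate(), generateCertificateChain(generatedKeyPair, str3, str4)));
        } catch (GeneralSecurityException | OperatorCreationException e) {
            // Keep the cause so an unsupported algorithm or key size can be told apart in logs.
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to create key pair for alias " + str});
        }
    }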

    /**
     * Creates a one-element chain holding a self-signed X.509 v3 certificate for the key pair.
     *
     * <p>The same X.500 name is used as issuer and subject, the certificate is valid from
     * now for one calendar year, and it is signed with the pair's own private key.
     *
     * @param keyPair key pair to certify
     * @param str     signature algorithm name
     * @param str2    X.500 name used as both issuer and subject
     * @return an array containing the single generated certificate
     */
    public X509Certificate[] generateCertificateChain(KeyPair keyPair, String str, String str2) throws OperatorCreationException, CertificateException {
        // Registers Bouncy Castle in the JVM-wide provider list on every call.
        final BouncyCastleProvider provider = new BouncyCastleProvider();
        Security.addProvider(provider);

        final long nowMillis = System.currentTimeMillis();
        final Date notBefore = new Date(nowMillis);
        final X500Name name = new X500Name(str2);
        // NOTE(review): the serial number is the current time in milliseconds, so it is
        // predictable and two certificates created in the same millisecond share it.
        final BigInteger serialNumber = new BigInteger(Long.toString(nowMillis));

        final Calendar expiry = Calendar.getInstance();
        expiry.setTime(notBefore);
        expiry.add(Calendar.YEAR, 1);
        final Date notAfter = expiry.getTime();

        final X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(name, serialNumber, notBefore, notAfter, name, SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()));
        final X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(new JcaContentSignerBuilder(str).setProvider(provider).build(keyPair.getPrivate())));
        return new X509Certificate[]{certificate};
    }

    /**
     * Replaces the CRL manager: the current one is closed and, if CRL management is
     * enabled, a new one is created, given the configured distribution points and seeded
     * with the X.509 certificates of the keystore's trusted-certificate entries.
     *
     * @param cRLManagerOptions options providing intervals, URIs and the verification flag
     */
    private void updateCRLManager(CRLManagerOptions cRLManagerOptions) {
        shutdownCRLManager();
        // Enablement and store file are read from the field, the rest from the argument;
        // the visible callers assign the field to the same object before calling.
        if (!this.crlManagerOptions.isCrlManagementEnabled()) {
            return;
        }

        // Default store file: the keystore path with ".crl" appended.
        final File storeFile = this.crlManagerOptions.getStoreFile()
                .orElseGet(() -> new File(String.valueOf(this.keystoreServiceOptions.getKeystorePath()) + ".crl"));
        final CRLManager manager = new CRLManager(storeFile, 5000L, cRLManagerOptions.getCrlCheckIntervalMs(), cRLManagerOptions.getCrlUpdateIntervalMs(), getCRLVerifier(cRLManagerOptions));
        manager.setListener(Optional.of(this::postChangedEvent));

        for (final URI distributionPoint : cRLManagerOptions.getCrlURIs()) {
            manager.addDistributionPoint(Collections.singleton(distributionPoint));
        }

        try {
            for (final KeyStore.Entry entry : getEntries().values()) {
                if (!(entry instanceof KeyStore.TrustedCertificateEntry)) {
                    continue;
                }
                final Certificate trusted = ((KeyStore.TrustedCertificateEntry) entry).getTrustedCertificate();
                if (trusted instanceof X509Certificate) {
                    manager.addTrustedCertificate((X509Certificate) trusted);
                }
            }
        } catch (Exception e) {
            // Best effort: the manager is still installed without the certificates.
            logger.warn("failed to add current trusted certificates to CRL manager", e);
        }

        this.crlManager = Optional.of(manager);
    }

    /**
     * Builds the verifier the CRL manager uses to accept or reject a downloaded CRL.
     *
     * <p>With verification disabled every CRL is accepted without any signature check.
     * Otherwise a CRL is accepted when its signature verifies against the public key of at
     * least one trusted-certificate entry; any error while checking rejects the CRL.
     *
     * @param cRLManagerOptions options carrying the verification flag
     * @return the verifier
     */
    private CRLManager.CRLVerifier getCRLVerifier(CRLManagerOptions cRLManagerOptions) {
        if (!cRLManagerOptions.isCRLVerificationEnabled()) {
            // Accept-all verifier: CRL content is trusted as downloaded.
            return crl -> true;
        }
        return crl -> {
            try {
                for (final KeyStore.Entry entry : getEntries().values()) {
                    final boolean signedByTrustedEntry = (entry instanceof KeyStore.TrustedCertificateEntry)
                            && verifyCRL(crl, (KeyStore.TrustedCertificateEntry) entry);
                    if (signedByTrustedEntry) {
                        return true;
                    }
                }
                return false;
            } catch (Exception e) {
                logger.warn("Exception verifying CRL", e);
                return false;
            }
        };
    }

    /**
     * Extracts the X.509 certificate from a trusted-certificate entry.
     *
     * @param entry keystore entry to inspect
     * @return the certificate, or empty if the entry is not a trusted-certificate entry or
     *         its certificate is not an {@link X509Certificate}
     */
    private Optional<X509Certificate> extractCertificate(KeyStore.Entry entry) {
        if (entry instanceof KeyStore.TrustedCertificateEntry) {
            final Certificate certificate = ((KeyStore.TrustedCertificateEntry) entry).getTrustedCertificate();
            if (certificate instanceof X509Certificate) {
                return Optional.of((X509Certificate) certificate);
            }
        }
        return Optional.empty();
    }

    /**
     * Hands the entry's X.509 certificate to the CRL manager, when both exist.
     *
     * @param entry entry that was stored in the keystore
     * @return the CRL manager's result, or {@code false} if there is no manager or the
     *         entry carries no trusted X.509 certificate
     */
    private boolean tryAddToCrlManagement(KeyStore.Entry entry) {
        final Optional<X509Certificate> certificate = extractCertificate(entry);
        // Snapshot of the field so the presence check and get() see the same value.
        final Optional<CRLManager> manager = this.crlManager;
        return certificate.isPresent()
                && manager.isPresent()
                && manager.get().addTrustedCertificate(certificate.get());
    }

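    /**
     * Removes the entry's X.509 certificate from the CRL manager, when both exist.
     *
     * @param entry entry that was deleted from the keystore
     * @return the CRL manager's result, or {@code false} if there is no manager or the
     *         entry carries no trusted X.509 certificate
     */
    private boolean tryRemoveFromCrlManagement(KeyStore.Entry entry) {
        final Optional<X509Certificate> certificate = extractCertificate(entry);
        // Snapshot of the field: the presence check and get() must use the same value,
        // otherwise a manager installed or shut down in between makes get() fail or act on
        // a different instance than the one that was checked.
        final Optional<CRLManager> manager = this.crlManager;
        if (certificate.isPresent() && manager.isPresent()) {
            return manager.get().removeTrustedCertificate(certificate.get());
        }
        return false;
    }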

    /**
     * Checks whether the CRL's signature verifies with the public key of the given
     * trusted certificate.
     *
     * <p>Only the signature is checked here; the CRL issuer name, the certificate's
     * validity period and its key usage are not examined in this method.
     *
     * @param x509crl                 CRL to check
     * @param trustedCertificateEntry candidate signer
     * @return {@code true} if verification succeeds, {@code false} on any exception
     */
    private boolean verifyCRL(X509CRL x509crl, KeyStore.TrustedCertificateEntry trustedCertificateEntry) {
        boolean verified;
        try {
            x509crl.verify(trustedCertificateEntry.getTrustedCertificate().getPublicKey());
            verified = true;
        } catch (Exception ignored) {
            // A signature mismatch or an unusable key both mean "not signed by this entry".
            verified = false;
        }
        return verified;
    }

    /**
     * Closes the current CRL manager, if there is one, and clears the field.
     */
    private void shutdownCRLManager() {
        if (!this.crlManager.isPresent()) {
            return;
        }
        final CRLManager activeManager = this.crlManager.get();
        activeManager.close();
        this.crlManager = Optional.empty();
    }

    /**
     * Returns the CRLs currently held by the CRL manager.
     *
     * @return a new list copied from the manager, or an empty collection when no manager exists
     */
    public Collection<CRL> getCRLs() {
        final Optional<CRLManager> manager = this.crlManager;
        if (manager.isPresent()) {
            return new ArrayList<>(manager.get().getCrls());
        }
        return Collections.emptyList();
    }

    /**
     * Returns a {@link CertStore} exposing the managed CRLs.
     *
     * @return the CRL manager's store, or an empty {@code Collection} store when no manager exists
     * @throws KuraException with {@code CONFIGURATION_ERROR} if the store cannot be obtained
     */
    public CertStore getCRLStore() throws KuraException {
        final Optional<CRLManager> manager = this.crlManager;
        try {
            if (manager.isPresent()) {
                return manager.get().getCertStore();
            }
            return CertStore.getInstance("Collection", new CollectionCertStoreParameters());
        } catch (Exception e) {
            throw new KuraException(KuraErrorCode.CONFIGURATION_ERROR, e, new Object[0]);
        }
    }

    /**
     * Posts a {@link KeystoreChangedEvent} carrying this component's PID through the event admin.
     */
    private void postChangedEvent() {
        this.eventAdmin.postEvent(new KeystoreChangedEvent(this.ownPid));
    }
}
