package org.xipki.scep.message;

import java.security.cert.X509Certificate;
import org.xipki.scep.crypto.KeyUsage;
import org.xipki.scep.util.ScepUtil;

/* loaded from: input_file:org/xipki/scep/message/AuthorityCertStore.class */
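/**
 * Immutable holder for the certificates a SCEP peer uses to talk to an authority:
 * the CA certificate plus the certificates used for signing and for encryption.
 *
 * <p>When no RA certificates are supplied, the CA certificate fills all three roles.
 * Otherwise the signature and encryption roles are assigned to the RA certificates
 * purely by their KeyUsage bits.
 *
 * <p>Security note: this class only sorts certificates into roles. Nothing here checks
 * that an RA certificate was issued by the CA certificate, that any certificate is
 * within its validity period, or that it has not been revoked. Callers must perform
 * path validation before trusting the returned certificates.
 */
public class AuthorityCertStore {
    private final X509Certificate caCert;
    private final X509Certificate signatureCert;
    private final X509Certificate encryptionCert;

    private AuthorityCertStore(X509Certificate caCert, X509Certificate signatureCert, X509Certificate encryptionCert) {
        this.caCert = caCert;
        this.signatureCert = signatureCert;
        this.encryptionCert = encryptionCert;
    }

    /**
     * @return the certificate selected for the signature role (the CA certificate when no
     *     RA certificates were supplied)
     */
    public X509Certificate getSignatureCert() {
        return this.signatureCert;
    }

    /**
     * @return the certificate selected for the encryption role (the CA certificate when no
     *     RA certificates were supplied)
     */
    public X509Certificate getEncryptionCert() {
        return this.encryptionCert;
    }

    /** @return the CA certificate passed to {@link #getInstance} */
    public X509Certificate getCaCert() {
        return this.caCert;
    }

    /**
     * Builds a store from a CA certificate and optional RA certificates.
     *
     * <p>Role assignment when RA certificates are given:
     * <ul>
     *   <li>encryption: the single RA certificate asserting {@code keyEncipherment};</li>
     *   <li>signature: the single RA certificate asserting {@code digitalSignature} or
     *       {@code contentCommitment}.</li>
     * </ul>
     * One certificate may fill both roles. A certificate without a KeyUsage extension
     * asserts neither usage and is therefore never selected.
     *
     * @param x509Certificate the CA certificate; checked with {@code ScepUtil.requireNonNull}
     * @param x509CertificateArr the RA certificates; {@code null} or empty means the CA
     *     certificate is used for signing and encryption as well
     * @return the populated store
     * @throws IllegalArgumentException if the RA certificates contain zero or more than one
     *     candidate for the encryption role or for the signature role
     */
    public static AuthorityCertStore getInstance(X509Certificate x509Certificate, X509Certificate... x509CertificateArr) {
        ScepUtil.requireNonNull("caCert", x509Certificate);
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            // No RA in front of the CA: the CA certificate serves every role.
            return new AuthorityCertStore(x509Certificate, x509Certificate, x509Certificate);
        }

        X509Certificate encryptionCert = null;
        X509Certificate signatureCert = null;
        for (X509Certificate raCert : x509CertificateArr) {
            // Reject a null array element through the same named check used for caCert,
            // instead of failing on the getKeyUsage() dereference below.
            ScepUtil.requireNonNull("raCert", raCert);
            boolean[] keyUsage = raCert.getKeyUsage();

            if (hasKeyusage(keyUsage, KeyUsage.keyEncipherment)) {
                // A second encryption-capable certificate makes the choice ambiguous; refuse to guess.
                if (encryptionCert != null) {
                    throw new IllegalArgumentException("Could not determine RA certificate for encryption");
                }
                encryptionCert = raCert;
            }

            boolean canSign = hasKeyusage(keyUsage, KeyUsage.digitalSignature)
                    || hasKeyusage(keyUsage, KeyUsage.contentCommitment);
            if (canSign) {
                // Same ambiguity rule for the signature role.
                if (signatureCert != null) {
                    throw new IllegalArgumentException("Could not determine RA certificate for signature");
                }
                signatureCert = raCert;
            }
        }

        // Both roles must be filled; there is no fallback to the CA certificate once RA
        // certificates have been supplied.
        if (encryptionCert == null) {
            throw new IllegalArgumentException("Could not determine RA certificate for encryption");
        }
        if (signatureCert == null) {
            throw new IllegalArgumentException("Could not determine RA certificate for signature");
        }
        return new AuthorityCertStore(x509Certificate, signatureCert, encryptionCert);
    }

    /**
     * Tells whether the KeyUsage bit array asserts the given usage.
     *
     * @param usageBits value of {@link X509Certificate#getKeyUsage()}; {@code null} (no
     *     KeyUsage extension) or an array too short to hold the bit counts as "not asserted"
     * @param keyUsage the usage whose bit position is looked up via {@code getBit()}
     * @return {@code true} only if the bit is present and set
     */
    private static boolean hasKeyusage(boolean[] usageBits, KeyUsage keyUsage) {
        int bit = keyUsage.getBit();
        return usageBits != null && usageBits.length > bit && usageBits[bit];
    }
}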
