package com.ibm.etools.zos.server;

import com.ibm.security.x509.X509CertImpl;
import java.security.PublicKey;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;

/* loaded from: input_file:lib/zosserver.jar:com/ibm/etools/zos/server/ZosCertificateValidator.class */
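public class ZosCertificateValidator extends AbstractCertificateValidator implements IDaemonConstants {
    public static final String COPY_RIGHT = "  Licensed Materials - Property of IBM, 5724-T07, Copyright IBM Corp. 2005 All rights reserved.  US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.";

    /*
     * Selects the authentication mode of checkCertificate(): when true the certificate is handed to RACF
     * (CoreJNI.checkCertificate) to be mapped to a user ID; when false the user ID and host are read from a
     * custom certificate extension identified by the OID passed to checkCertificate(). No visible code writes
     * this flag (the constructor body was not recovered), and it is read from the worker thread without
     * synchronization, so it has to be treated as configuration fixed before any validation starts.
     */
    private static boolean _enableCertificateMapping = true;
    private int _keystoreType;
    private int _LDAPport;
    private String _LDAPserver;
    /** Whether validateByCRLs() consults the LDAP CRL store at all; false skips revocation checking. */
    private boolean _checkCRL;
    /** User ID established by the most recent checkCertificate() call; null when none was established. */
    private String _userId;
    /** RACF application ID used for PassTicket generation and CoreJNI.pThreadSecurity. */
    private String _applId;
    /** Reason for the most recent failure; " " when the last call set none. */
    private String _errorMsg;
    // Outcome tokens handed from the UseridValidator thread back to checkCertificate().
    private final String VALID = "VALID";
    private final String INVALID = "INVALID";
    private final String NOCERT = "NOCERT";
    /** Trust anchors (PublicKey instances) that may directly sign an accepted certificate or CRL. */
    private List _trustedKey = new ArrayList(30);

    /**
     * Runs the RACF user-ID checks on a dedicated thread and reports the outcome (VALID, INVALID or NOCERT)
     * through getMessage(). A separate thread is used presumably because CoreJNI.pThreadSecurity alters the
     * security environment of the thread it runs on -- confirm against the JNI implementation. run() always
     * reaches setMessage(), even when the JNI layer throws, so a caller blocked in getMessage() cannot hang.
     */
    public class UseridValidator implements Runnable {
        boolean done = false;
        private String msg;
        private final byte[] _certificate;
        private final ZosCertificateValidator validator;

        /**
         * @param zosCertificateValidator owner whose _userId, _errorMsg and _applId are read and written
         * @param bArr DER-encoded certificate to map through RACF; null in the extension-based mode, where
         *             the owner's _userId has already been filled in by checkCertificate()
         */
        public UseridValidator(ZosCertificateValidator zosCertificateValidator, byte[] bArr) {
            this.validator = zosCertificateValidator;
            this._certificate = bArr;
        }

        @Override // java.lang.Runnable
        public void run() {
            // Fail closed: whatever escapes below, the waiting caller gets INVALID instead of blocking forever.
            String outcome = validator.INVALID;
            try {
                if (ZosCertificateValidator._enableCertificateMapping) {
                    outcome = mapCertificateToUserId();
                } else {
                    outcome = verifyUserIdWithRacf();
                }
            } catch (Throwable th) {
                RseLogger.logError("CertificateValidator", " ", th);
                outcome = validator.INVALID;
            } finally {
                setMessage(outcome);
            }
        }

        /**
         * RACF-mapping mode: asks RACF (CoreJNI.checkCertificate) for the user ID registered for the
         * certificate, then confirms that user ID with verifyUserIdWithRacf().
         *
         * The JNI call's three failure shapes are: null (no mapping exists -> NOCERT), a string starting
         * with "ERROR" (RACF error text -> INVALID), and an empty string (-> INVALID). The null case is
         * tested first; previously it was reached only after a dereference and killed the thread.
         */
        private String mapCertificateToUserId() {
            String mapped = CoreJNI.checkCertificate(this._certificate);
            if (mapped == null) {
                return validator.NOCERT;
            }
            if (mapped.startsWith("ERROR")) {
                validator._errorMsg = mapped;
                return validator.INVALID;
            }
            if (mapped.length() == 0) {
                validator._errorMsg = "UserId mapping error by RACF";
                return validator.INVALID;
            }
            validator._userId = mapped;
            return verifyUserIdWithRacf();
        }

        /**
         * Confirms the owner's _userId with RACF by generating a PassTicket for it and calling
         * CoreJNI.pThreadSecurity; a non-zero return from the JNI call means RACF rejected the user.
         * Any exception (including a null _userId) is reported as INVALID.
         */
        private String verifyUserIdWithRacf() {
            try {
                // RACF user IDs are upper-case ASCII; a fixed locale keeps 'i' from mapping to a dotted
                // capital I under a Turkish default locale.
                String upperCase = validator._userId.toUpperCase(Locale.ENGLISH);
                String passTicket = ZosSystemService.generatePassTicket(upperCase, validator._applId);
                if (CoreJNI.pThreadSecurity(upperCase, passTicket, validator._applId) != 0) {
                    validator._errorMsg = "UserId, " + validator._userId + " validation error by RACF";
                    return validator.INVALID;
                }
                return validator.VALID;
            } catch (Throwable th) {
                RseLogger.logError("CertificateValidator", " ", th);
                return validator.INVALID;
            }
        }

        /** Publishes the outcome and releases every thread blocked in getMessage(). */
        public synchronized void setMessage(String str) {
            this.msg = str;
            this.done = true;
            notifyAll();
        }

        /**
         * Blocks until run() has published an outcome and returns it. An interrupt while waiting does not
         * abandon the wait; it is re-asserted on the calling thread once the outcome is available.
         */
        public synchronized String getMessage() {
            boolean interrupted = false;
            while (!this.done) {
                try {
                    wait();
                } catch (InterruptedException e) {
                    interrupted = true;
                }
            }
            if (interrupted) {
                Thread.currentThread().interrupt();
            }
            return this.msg;
        }
    }

    /*
     * The decompiler could not recover the constructor body (696 bytecode instructions). The shipped binary
     * presumably initializes _keystoreType, _LDAPserver/_LDAPport, _checkCRL, _applId and fills _trustedKey
     * from the configured keystore here -- confirm against the original source. The throw below is a
     * decompiler artifact, not product behaviour.
     */
    public ZosCertificateValidator() {
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.etools.zos.server.ZosCertificateValidator.<init>():void");
    }

    /** Keystore type code as configured for this validator (set in the unrecovered constructor). */
    public int getKeystoreType() {
        return this._keystoreType;
    }

    /**
     * Validates a client certificate and establishes the user ID it authenticates.
     *
     * @param str  OID of the custom extension carrying host-ID / user-ID entries; only used when certificate
     *             mapping is disabled
     * @param bArr DER-encoded X.509 certificate
     * @param z    in RACF-mapping mode, whether to run validate() (trusted key, validity period, CRL) before
     *             asking RACF for a mapping; when false nothing here checks the certificate's signature or
     *             validity and trust rests entirely on RACF's mapping. Ignored in extension mode, where
     *             validate() always runs.
     * @return 1 when the certificate is accepted and getUserIdInCertificate() is set; 0 when RACF has no
     *         mapping for the certificate (NOCERT -- callers must not treat this as authenticated; confirm
     *         how the daemon handles it); -1 on any failure, with getErrorMessage() giving the reason
     *
     * _userId and _errorMsg are reset on entry so a failed or mapping-less call can never leave the previous
     * caller's user ID visible through getUserIdInCertificate(). The instance is not safe for concurrent use:
     * both fields are plain instance state shared with the worker thread.
     */
    @Override // com.ibm.etools.zos.server.AbstractCertificateValidator
    public int checkCertificate(String str, byte[] bArr, boolean z) {
        this._errorMsg = " ";
        this._userId = null;
        if (_enableCertificateMapping) {
            return checkByRacfMapping(bArr, z);
        }
        return checkByHostExtension(str, bArr);
    }

    /** RACF-mapping mode of checkCertificate(); see there for the return codes. */
    private int checkByRacfMapping(byte[] bArr, boolean z) {
        try {
            X509CertImpl cert = new X509CertImpl(bArr);
            if (z && validate(cert) == -1) {
                logSubject(cert, true);
                return -1;
            }
            String outcome = runUserIdValidator(bArr);
            if (outcome.equals(this.INVALID)) {
                logSubject(cert, true);
                return -1;
            }
            if (outcome.equals(this.NOCERT)) {
                return 0;
            }
            logSubject(cert, false);
            return 1;
        } catch (CertificateException e) {
            RseLogger.logError("CertificateValidator", " ", e);
            return -1;
        }
    }

    /**
     * Extension mode of checkCertificate(): the certificate must pass validate(), carry the extension
     * named by str, and list at least one host ID for which the SERVAUTH resource IRR.HOST.<hostId> is
     * permitted; the user ID paired with the first permitted host is then confirmed with RACF.
     */
    private int checkByHostExtension(String str, byte[] bArr) {
        String acceptedHost = " ";
        try {
            X509CertImpl cert = new X509CertImpl(bArr);
            if (validate(cert) == -1) {
                logSubject(cert, true);
                return -1;
            }
            byte[] extensionValue = cert.getExtensionValue(str);
            if (extensionValue == null) {
                logSubject(cert, true);
                this._errorMsg = "The OID, " + str + " is not included.";
                return -1;
            }
            CertificateParser parser = new CertificateParser(extensionValue);
            for (String hostId = parser.getHostId(); hostId != null; hostId = parser.getHostId()) {
                this._userId = parser.getUserId();
                String racfRc = CoreJNI.checkRacfResource("SERVAUTH", "IRR.HOST." + hostId);
                // NOTE(review): a null return is treated as "permitted" -- confirm CoreJNI.checkRacfResource
                // never returns null on an internal failure, otherwise this is a fail-open path.
                if (racfRc == null || !racfRc.contains("ERROR")) {
                    acceptedHost = hostId;
                    break;
                }
                RseLogger.logError("CertificateValidator", "host=" + hostId + ", userid=" + this._userId + ": racfRC(RACROUTE REQUEST=AUTH)=" + racfRc, null);
                this._errorMsg = "SERVAUTH Definition Error";
                this._userId = null;
            }
            if (this._userId == null) {
                logSubject(cert, true);
                return -1;
            }
            if (runUserIdValidator(null).equals(this.INVALID)) {
                logSubject(cert, true);
                RseLogger.logError("CertificateValidator", "host=" + acceptedHost + ", userid=" + this._userId, null);
                return -1;
            }
            logSubject(cert, false);
            RseLogger.logInfo("CertificateValidator", "host=" + acceptedHost + ", userid=" + this._userId);
            return 1;
        } catch (Throwable th) {
            RseLogger.logError("CertificateValidator", " ", th);
            return -1;
        }
    }

    /** Runs a UseridValidator on its own thread and waits for its outcome token. */
    private String runUserIdValidator(byte[] certificate) {
        UseridValidator useridValidator = new UseridValidator(this, certificate);
        new Thread(useridValidator).start();
        return useridValidator.getMessage();
    }

    /** Logs "subjectDN=(...)" for the certificate at error or info level, as every outcome path does. */
    private static void logSubject(X509CertImpl cert, boolean failure) {
        String text = "subjectDN=(" + cert.getSubjectDN() + ")";
        if (failure) {
            RseLogger.logError("CertificateValidator", text, null);
        } else {
            RseLogger.logInfo("CertificateValidator", text);
        }
    }

    @Override // com.ibm.etools.zos.server.AbstractCertificateValidator
    public String getErrorMessage() {
        return this._errorMsg;
    }

    /**
     * Local validation of one certificate: it must be directly signed by one of the configured trusted keys,
     * be inside its validity period, and pass validateByCRLs(). Returns 1 when all three hold, -1 otherwise
     * with the reason in _errorMsg.
     *
     * Only a direct signature by a trusted key is checked: there is no chain building and no evaluation of
     * basic constraints or key usage, so every acceptable issuer key must itself be in _trustedKey. An empty
     * trust list rejects every certificate.
     */
    public int validate(X509CertImpl x509CertImpl) {
        try {
            if (!isSignedByTrustedKey(x509CertImpl)) {
                this._errorMsg = "Certificate validation error by keystore";
                return -1;
            }
            try {
                x509CertImpl.checkValidity();
            } catch (Exception e) {
                this._errorMsg = "Certificate expired or not yet valid";
                return -1;
            }
            if (validateByCRLs(x509CertImpl) == 1) {
                return 1;
            }
            this._errorMsg = "Certificate validation error by CRLs";
            return -1;
        } catch (Throwable th) {
            RseLogger.logError("CertificateValidator", " ", th);
            return -1;
        }
    }

    /**
     * Revocation check against the CRLs published for the certificate's issuer in the configured LDAP CRL
     * store. Returns 1 when the certificate is not revoked (or CRL checking is disabled), -1 otherwise.
     *
     * Each CRL obtained from LDAP must verify against one of the configured trusted keys and must not be past
     * its nextUpdate time; an unverifiable or stale CRL, and any failure reaching the store, is a validation
     * failure. Revocation checking is opt-in through _checkCRL, so passing silently when the store is
     * unreachable or returns a forged CRL would defeat the option the administrator turned on.
     *
     * Caveats: CRLs are selected by issuer name only, so a CRL signed by a separate (indirect) CRL issuer
     * whose key is not in _trustedKey is rejected; and an issuer with no CRL in the store at all is still
     * accepted -- decide whether that is acceptable for the deployment.
     */
    public int validateByCRLs(X509CertImpl x509CertImpl) {
        if (!this._checkCRL) {
            return 1;
        }
        try {
            CertStore certStore = CertStore.getInstance(IDaemonConstants.LDAP_TYPE, new LDAPCertStoreParameters(this._LDAPserver, this._LDAPport));
            X509CRLSelector selector = new X509CRLSelector();
            selector.addIssuerName(x509CertImpl.getIssuerX500Principal().getEncoded());
            Iterator<? extends CRL> it = certStore.getCRLs(selector).iterator();
            while (it.hasNext()) {
                X509CRL crl = (X509CRL) it.next();
                if (!isSignedByTrustedKey(crl)) {
                    RseLogger.logError("CertificateValidator", "CRL from issuer " + crl.getIssuerX500Principal() + " is not signed by a trusted key", null);
                    return -1;
                }
                // nextUpdate is optional in a CRL; when present, a CRL past it says nothing reliable about
                // current revocation status.
                if (crl.getNextUpdate() != null && crl.getNextUpdate().getTime() < System.currentTimeMillis()) {
                    RseLogger.logError("CertificateValidator", "CRL from issuer " + crl.getIssuerX500Principal() + " is past its nextUpdate time", null);
                    return -1;
                }
                if (crl.isRevoked(x509CertImpl)) {
                    return -1;
                }
            }
            return 1;
        } catch (Throwable th) {
            // Fail closed: an unreachable or misbehaving CRL store must not look like "not revoked".
            RseLogger.logError("CertificateValidator", " ", th);
            return -1;
        }
    }

    /** True when the certificate's signature verifies under at least one configured trusted key. */
    private boolean isSignedByTrustedKey(X509CertImpl cert) {
        for (int i = 0; i < this._trustedKey.size(); i++) {
            try {
                cert.verify((PublicKey) this._trustedKey.get(i));
                return true;
            } catch (Exception ignored) {
                // not signed by this key; try the next trusted key
            }
        }
        return false;
    }

    /** True when the CRL's signature verifies under at least one configured trusted key. */
    private boolean isSignedByTrustedKey(X509CRL crl) {
        for (int i = 0; i < this._trustedKey.size(); i++) {
            try {
                crl.verify((PublicKey) this._trustedKey.get(i));
                return true;
            } catch (Exception ignored) {
                // not signed by this key; try the next trusted key
            }
        }
        return false;
    }

    /** User ID established by the most recent checkCertificate() call, or null if it did not establish one. */
    @Override // com.ibm.etools.zos.server.AbstractCertificateValidator
    public String getUserIdInCertificate() {
        return this._userId;
    }
}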
