package com.ibm.etools.zos.server;

import com.ibm.etools.zos.server.ssl.SslResourceBundle;
import com.ibm.security.cmskeystore.CMSProvider;
import com.ibm.security.x509.X509CertImpl;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.MissingResourceException;

/* loaded from: input_file:lib/zosserver.jar:com/ibm/etools/zos/server/CertificateValidator.class */
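/**
 * Validates client X.509 certificates presented to the daemon.
 *
 * <p>Trust is configured through the {@code ssl} resource bundle: the public keys of every
 * certificate in the configured keystore (read first as JKS, then as an IBM CMS key database)
 * become the trusted signing keys, and when an LDAP server and port are configured the
 * certificate is additionally checked against the CRLs published there.
 *
 * <p>Result codes follow the original contract: {@code 1} accepted, {@code -1} rejected, with
 * the reason for the last rejection available from {@link #getErrorMessage()}.
 *
 * <p>Not thread-safe: the per-call results ({@code _errorMsg}, {@code _userId}) are kept in
 * instance fields.
 */
public class CertificateValidator extends AbstractCertificateValidator implements IDaemonConstants {
    public static final String COPY_RIGHT = "  Licensed Materials - Property of IBM, 5724-T07, Copyright IBM Corp. 2005 All rights reserved.  US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.";

    /** Component name passed to every RseLogger call. */
    private static final String LOG_TAG = "CertificateValidator";

    /** LDAP endpoint holding the CRLs; only meaningful while {@link #_checkCRL} is true. */
    private int _LDAPport;
    private String _LDAPserver;
    /** True only when LDAP_SERVER and a numeric LDAP_PORT were both present in the bundle. */
    private boolean _checkCRL;
    /** User id taken from the last successfully checked certificate, null otherwise. */
    private String _userId;
    /** Public keys of every certificate entry found in the configured keystore. */
    private final List<PublicKey> _trustedKey;
    /** Reason for the last rejection; a single space when nothing has been reported. */
    private String _errorMsg;

    /**
     * Reads the {@code ssl} bundle and loads the trusted CA keys.
     *
     * <p>A missing keystore password falls back to a single space, as before. Any failure to
     * read the bundle or the keystore is logged and leaves the trust list empty, which makes
     * {@link #validate(X509CertImpl)} reject every certificate.
     */
    public CertificateValidator() {
        SslResourceBundle bundle = SslResourceBundle.getBundle("ssl");
        this._trustedKey = new ArrayList<PublicKey>(30);
        try {
            String keyStorePath = bundle.getString(IDaemonConstants.SSL_DAEMON_KEYSTORE_FILE);
            String keyStorePassword = " ";
            try {
                keyStorePassword = bundle.getString(IDaemonConstants.SSL_DAEMON_KEYSTORE_PASSWORD);
            } catch (MissingResourceException ignored) {
                // No password configured: keep the historical default of a single space.
            }
            configureCrlChecking(bundle);
            loadTrustedKeys(keyStorePath, keyStorePassword.toCharArray());
        } catch (Throwable th) {
            RseLogger.logError(LOG_TAG, " ", th);
        }
    }

    /**
     * Enables CRL checking when the bundle names an LDAP server and a numeric port.
     *
     * @param bundle the {@code ssl} resource bundle
     */
    private void configureCrlChecking(SslResourceBundle bundle) {
        try {
            this._LDAPserver = bundle.getString(IDaemonConstants.LDAP_SERVER);
            this._LDAPport = Integer.parseInt(bundle.getString(IDaemonConstants.LDAP_PORT));
            this._checkCRL = true;
        } catch (RuntimeException e) {
            // MissingResourceException or NumberFormatException: no usable LDAP endpoint.
            // Say so in the log; an operator who meant to enable CRL checking would
            // otherwise never learn that it is silently off.
            this._checkCRL = false;
            RseLogger.logInfo(LOG_TAG, "LDAP server/port not configured, CRL checking disabled");
        }
    }

    /**
     * Fills {@link #_trustedKey} from the keystore at {@code keyStorePath}, trying the JKS
     * format first and the IBM CMS key database format second.
     *
     * @param keyStorePath file path of the keystore
     * @param password     keystore password
     */
    private void loadTrustedKeys(String keyStorePath, char[] password) {
        try {
            loadKeysFrom(KeyStore.getInstance("JKS"), keyStorePath, password);
        } catch (Throwable jksFailure) {
            // Not readable as JKS (a CMS key database fails here by design): retry as CMS.
            try {
                Security.addProvider(new CMSProvider());
                loadKeysFrom(KeyStore.getInstance(IDaemonConstants.SSL_KEY_STORE_CMSKS), keyStorePath, password);
            } catch (Throwable cmsFailure) {
                // Neither format loaded. The trust list stays empty, so every certificate is
                // rejected; log the reason instead of swallowing it.
                RseLogger.logError(LOG_TAG, "Unable to load trusted CA keystore " + keyStorePath, cmsFailure);
            }
        }
    }

    /**
     * Loads {@code keyStore} from {@code keyStorePath} and appends the public key of every
     * certificate entry to {@link #_trustedKey}.
     *
     * @param keyStore     an uninitialised keystore of the format to try
     * @param keyStorePath file path of the keystore
     * @param password     keystore password
     * @throws IOException              if the file cannot be read
     * @throws GeneralSecurityException if the keystore cannot be loaded or enumerated
     */
    private void loadKeysFrom(KeyStore keyStore, String keyStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        FileInputStream in = new FileInputStream(keyStorePath);
        try {
            keyStore.load(in, password);
        } finally {
            // Close the stream whether or not load() succeeded (it used to leak).
            in.close();
        }
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            Certificate cert = keyStore.getCertificate(aliases.nextElement());
            // Entries without a certificate return null; only X.509 entries carry a usable key.
            if (cert instanceof X509Certificate) {
                this._trustedKey.add(((X509Certificate) cert).getPublicKey());
            }
        }
        if (this._trustedKey.isEmpty()) {
            RseLogger.logInfo(LOG_TAG, "No CA found in " + keyStorePath);
        }
    }

    /**
     * Checks a DER-encoded certificate and extracts the host and user id from its extension.
     *
     * <p>When {@code z} is false the certificate is not validated at all: its signature,
     * validity period and revocation status are ignored and only the extension is parsed.
     * The caller is then responsible for having established trust by other means.
     *
     * @param str  OID of the extension carrying the host and user id
     * @param bArr DER-encoded X.509 certificate
     * @param z    whether to run {@link #validate(X509CertImpl)} before reading the extension
     * @return {@code 1} if accepted, {@code -1} otherwise (reason in {@link #getErrorMessage()})
     */
    @Override // com.ibm.etools.zos.server.AbstractCertificateValidator
    public int checkCertificate(String str, byte[] bArr, boolean z) {
        this._errorMsg = " ";
        // Clear the previous result so a failed check can never expose a stale user id.
        this._userId = null;
        try {
            X509CertImpl cert = new X509CertImpl(bArr);
            String subject = "subjectDN=(" + cert.getSubjectDN() + ")";
            if (z && validate(cert) == -1) {
                RseLogger.logError(LOG_TAG, subject, null);
                return -1;
            }
            byte[] extensionValue = cert.getExtensionValue(str);
            if (extensionValue == null) {
                RseLogger.logError(LOG_TAG, subject, null);
                this._errorMsg = "The OID, " + str + " is not included.";
                return -1;
            }
            CertificateParser parser = new CertificateParser(extensionValue);
            String hostId = parser.getHostId();
            this._userId = parser.getUserId();
            RseLogger.logInfo(LOG_TAG, subject);
            RseLogger.logInfo(LOG_TAG, "host=" + hostId + ", userid=" + this._userId);
            return 1;
        } catch (Throwable th) {
            RseLogger.logError(LOG_TAG, " ", th);
            return -1;
        }
    }

    /**
     * Returns the reason for the last rejection, or a single space if none was recorded.
     *
     * @return the error message
     */
    @Override // com.ibm.etools.zos.server.AbstractCertificateValidator
    public String getErrorMessage() {
        return this._errorMsg;
    }

    /**
     * Validates a certificate: it must be signed by one of the trusted keys, be within its
     * validity period, and pass {@link #validateByCRLs(X509CertImpl)}.
     *
     * <p>Note that trust is direct only: the certificate itself must verify against a key
     * from the keystore, no chain is built through intermediate CAs.
     *
     * @param cert the certificate to validate
     * @return {@code 1} if valid, {@code -1} otherwise (reason in {@link #getErrorMessage()})
     */
    public int validate(X509CertImpl cert) {
        try {
            if (!isSignedByTrustedKey(cert)) {
                this._errorMsg = "Certificate validation error by keystore";
                return -1;
            }
            try {
                cert.checkValidity();
            } catch (CertificateException expiredOrNotYetValid) {
                this._errorMsg = "Certificate expired or not yet valid";
                return -1;
            }
            // validateByCRLs records its own reason in _errorMsg on every -1 path.
            if (validateByCRLs(cert) != 1) {
                return -1;
            }
            return 1;
        } catch (Throwable th) {
            RseLogger.logError(LOG_TAG, " ", th);
            return -1;
        }
    }

    /**
     * Checks the certificate against the CRLs its issuer has published in LDAP.
     *
     * <p>Returns {@code 1} when CRL checking is disabled, when the directory publishes no CRL
     * for the issuer, or when no CRL lists the certificate. Returns {@code -1} when the
     * certificate is revoked, when a returned CRL is not signed by a trusted key (a CRL is
     * only as trustworthy as its signature), or when the lookup itself fails. The last case
     * used to return {@code 1}, which let a directory outage or a blocked connection switch
     * revocation checking off; it now fails closed and logs the cause.
     *
     * @param cert the certificate to check
     * @return {@code 1} if not known to be revoked, {@code -1} otherwise
     */
    public int validateByCRLs(X509CertImpl cert) {
        if (!this._checkCRL) {
            return 1;
        }
        try {
            CertStore certStore = CertStore.getInstance(IDaemonConstants.LDAP_TYPE,
                    new LDAPCertStoreParameters(this._LDAPserver, this._LDAPport));
            X509CRLSelector selector = new X509CRLSelector();
            selector.addIssuerName(cert.getIssuerX500Principal().getEncoded());
            for (CRL crl : certStore.getCRLs(selector)) {
                X509CRL x509Crl = (X509CRL) crl;
                if (!isSignedByTrustedKey(x509Crl)) {
                    this._errorMsg = "CRL from LDAP is not signed by a trusted CA";
                    return -1;
                }
                if (x509Crl.isRevoked(cert)) {
                    this._errorMsg = "Certificate validation error by CRLs";
                    return -1;
                }
            }
            return 1;
        } catch (Throwable th) {
            // Fail closed: an unanswerable revocation question is not a "no".
            RseLogger.logError(LOG_TAG, "CRL lookup failed, rejecting certificate", th);
            this._errorMsg = "Certificate validation error by CRLs";
            return -1;
        }
    }

    /**
     * Tells whether {@code cert} verifies against any key in {@link #_trustedKey}.
     *
     * @param cert the certificate to verify
     * @return true if some trusted key verifies the signature
     */
    private boolean isSignedByTrustedKey(X509Certificate cert) {
        for (PublicKey key : this._trustedKey) {
            try {
                cert.verify(key);
                return true;
            } catch (GeneralSecurityException notThisKey) {
                // Signature does not match this key; keep looking.
            }
        }
        return false;
    }

    /**
     * Tells whether {@code crl} verifies against any key in {@link #_trustedKey}.
     *
     * @param crl the CRL to verify
     * @return true if some trusted key verifies the signature
     */
    private boolean isSignedByTrustedKey(X509CRL crl) {
        for (PublicKey key : this._trustedKey) {
            try {
                crl.verify(key);
                return true;
            } catch (GeneralSecurityException notThisKey) {
                // Signature does not match this key; keep looking.
            }
        }
        return false;
    }

    /**
     * Returns the user id read from the last successfully checked certificate, or null.
     *
     * @return the user id
     */
    @Override // com.ibm.etools.zos.server.AbstractCertificateValidator
    public String getUserIdInCertificate() {
        return this._userId;
    }
}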
