package com.ibm.ws.security.acme.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.acme.AcmeCaException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

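/**
 * Runs an OCSP/CRL revocation check against an ACME-issued leaf certificate.
 *
 * <p>The check validates only the leaf, and only against its immediate signer:
 * the signer is placed in an in-memory {@link KeyStore} as the sole trust anchor
 * and the {@link CertPath} handed to the validator contains just the leaf. Chain
 * validity above the signer is not established here.
 *
 * <p>Revocation options are taken from {@link AcmeConfig}. {@code SOFT_FAIL} is
 * always set, so an unreachable OCSP responder or CRL does not by itself yield a
 * "revoked" verdict; such failures are surfaced as a CWPKI2058W warning while the
 * certificate is reported as not revoked. {@code NO_FALLBACK} and
 * {@code PREFER_CRLS} are added when the configuration asks for them, and a
 * configured OCSP responder URL overrides the one in the certificate.
 *
 * <p>On a hybrid IBM JDK 1.8 on macOS the IBM JCE / IBMCertPath providers are
 * requested explicitly; when that fails the default providers are used.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
public class CertificateRevocationChecker {
    private final AcmeConfig acmeConfig;
    // True when the hybrid IBM JDK 1.8 on macOS was detected in the constructor;
    // package-visible (not private) as in the original class.
    boolean overrideForIBMJDK;
    static final long serialVersionUID = -8349948851227413242L;
    private static final TraceComponent tc = Tr.register(CertificateRevocationChecker.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    // Locale.ROOT keeps the vendor/OS matching independent of the default locale;
    // the empty default avoids a NullPointerException when a property is absent.
    private static final String os_name = System.getProperty("os.name", "").toLowerCase(Locale.ROOT);
    private static final String java_vendor = System.getProperty("java.vendor", "").toLowerCase(Locale.ROOT);
    private static final String java_version = System.getProperty("java.version", "");
    private static final String java_runtime = System.getProperty("java.runtime.version", "");
    private static final String IBMJCE = "IBMJCE";
    private static final String IBM_CERT_PATH = "IBMCertPath";
    private static final String CLASS_NAME = "com.ibm.ws.security.acme.internal.CertificateRevocationChecker";

    /**
     * Creates a checker bound to the given ACME configuration and detects whether
     * the IBM providers must be requested explicitly.
     *
     * @param acmeConfig the ACME configuration supplying the revocation options
     */
    public CertificateRevocationChecker(AcmeConfig acmeConfig) {
        this.acmeConfig = acmeConfig;
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Check for hybrid JDK: " + os_name + ", " + java_vendor + ", " + java_version + ", " + java_runtime);
        }
        this.overrideForIBMJDK = isHybridIbmJdkOnMac();
        if (this.overrideForIBMJDK && TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Detected Hybrid JDK 1.8 on Mac, will set IBM Providers on getInstance for isRevoked checks");
        }
    }

    /** Detects the hybrid Java 8 build on macOS: IBM vendor, or Oracle vendor with an "SR" runtime level. */
    private static boolean isHybridIbmJdkOnMac() {
        if (!os_name.startsWith("mac") || !java_version.startsWith("1.8")) {
            return false;
        }
        return java_vendor.contains("ibm") || (java_vendor.contains("oracle") && java_runtime.contains("SR"));
    }

    /**
     * Extracts the URI-form CRL distribution points from the certificate.
     *
     * @param x509Certificate the certificate whose cRLDistributionPoints extension is read
     * @return the URIs found, or {@code null} when the extension is absent, holds no
     *         full-name URI entries, or cannot be parsed (CWPKI2061E is logged then)
     */
    private static List<String> getCrlDistributionPoints(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (extensionValue == null) {
            return null;
        }
        try {
            // parseExtensionValue unwraps the outer OCTET STRING and decodes its contents.
            CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(JcaX509ExtensionUtils.parseExtensionValue(extensionValue));
            List<String> uris = null;
            for (DistributionPoint distributionPoint : crlDistPoint.getDistributionPoints()) {
                DistributionPointName dpName = distributionPoint.getDistributionPoint();
                // Only fullName distribution points carry GeneralNames; nameRelativeToCRLIssuer is skipped.
                if (dpName == null || dpName.getType() != DistributionPointName.FULL_NAME) {
                    continue;
                }
                for (GeneralName name : GeneralNames.getInstance(dpName.getName()).getNames()) {
                    if (name.getTagNo() == GeneralName.uniformResourceIdentifier) {
                        if (uris == null) {
                            uris = new ArrayList<>();
                        }
                        uris.add(DERIA5String.getInstance(name.getName()).getString());
                    }
                }
            }
            // null (not an empty list) is the documented "nothing found" value isRevoked relies on.
            return uris;
        } catch (IOException | IllegalArgumentException e) {
            // IllegalArgumentException is what BouncyCastle throws for a structurally invalid extension.
            FFDCFilter.processException(e, CLASS_NAME, "179", (Object) null, new Object[]{x509Certificate});
            Tr.error(tc, "CWPKI2061E", new Object[]{x509Certificate.getSerialNumber().toString(16), e.getMessage()});
            return null;
        }
    }

    /**
     * Extracts the OCSP responder URI from the certificate's authorityInfoAccess extension.
     *
     * <p>Only access descriptions whose method is id-ad-ocsp are considered, so a
     * caIssuers entry listed first is no longer mistaken for the responder, and the
     * URI is decoded as an IA5String rather than by slicing raw DER bytes.
     *
     * @param x509Certificate the certificate whose authorityInfoAccess extension is read
     * @return the first OCSP URI, or {@code null} when the extension is absent, has no
     *         OCSP URI entry, or cannot be parsed (CWPKI2060E is logged then)
     */
    private static String getOcspUrl(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.authorityInfoAccess.getId());
        if (extensionValue == null) {
            return null;
        }
        try {
            AuthorityInformationAccess aia = AuthorityInformationAccess.getInstance(JcaX509ExtensionUtils.parseExtensionValue(extensionValue));
            if (aia == null) {
                return null;
            }
            for (AccessDescription accessDescription : aia.getAccessDescriptions()) {
                if (!AccessDescription.id_ad_ocsp.equals(accessDescription.getAccessMethod())) {
                    continue;
                }
                GeneralName location = accessDescription.getAccessLocation();
                if (location != null && location.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    return DERIA5String.getInstance(location.getName()).getString();
                }
            }
            return null;
        } catch (IOException | IllegalArgumentException e) {
            // IllegalArgumentException is what BouncyCastle throws for a structurally invalid extension.
            FFDCFilter.processException(e, CLASS_NAME, "258", (Object) null, new Object[]{x509Certificate});
            Tr.error(tc, "CWPKI2060E", new Object[]{x509Certificate.getSerialNumber().toString(16), e.getMessage()});
            return null;
        }
    }

    /**
     * Returns the certificate used as the trust anchor for the leaf: the last entry of the chain.
     *
     * @param list the certificate chain
     * @return the last certificate, or {@code null} when the list is {@code null} or
     *         has fewer than two entries (a lone leaf has no signer to anchor to)
     */
    public static X509Certificate getSignerCertificate(List<X509Certificate> list) {
        if (list == null || list.size() <= 1) {
            return null;
        }
        return list.get(list.size() - 1);
    }

    /**
     * Checks whether the leaf certificate of the chain has been revoked.
     *
     * @param list the certificate chain; the leaf is chosen by
     *             {@code AcmeProviderImpl.getLeafCertificate} and the last entry is
     *             used as the signer / trust anchor
     * @return {@code true} when PKIX validation of the leaf fails for any reason
     *         (every {@link CertPathValidatorException} is reported as revoked);
     *         {@code false} when the checker is disabled, no signer is present, the
     *         leaf advertises neither an OCSP responder nor a CRL, or validation passes
     *         (soft-fail exceptions are only warned about, CWPKI2058W)
     * @throws AcmeCaException when the key store, providers or validation
     *                         parameters cannot be set up
     */
    @FFDCIgnore({CertPathValidatorException.class})
    public boolean isRevoked(List<X509Certificate> list) throws AcmeCaException {
        if (!this.acmeConfig.isRevocationCheckerEnabled().booleanValue()) {
            return false;
        }
        // NOTE(review): getLeafCertificate's null behaviour is not visible here; a null leaf
        // would surface as a NullPointerException from getExtensionValue below.
        X509Certificate leafCertificate = AcmeProviderImpl.getLeafCertificate(list);
        X509Certificate signerCertificate = getSignerCertificate(list);
        if (signerCertificate == null) {
            // Nothing to anchor the PKIX validation to.
            return false;
        }
        if (getOcspUrl(leafCertificate) == null && getCrlDistributionPoints(leafCertificate) == null) {
            // No revocation source is advertised, so a check would have nothing to consult.
            return false;
        }
        try {
            KeyStore trustStore = buildSignerTrustStore(signerCertificate);
            PKIXRevocationChecker revocationChecker = buildRevocationChecker();
            CertPath leafPath = buildLeafCertPath(leafCertificate);
            PKIXParameters pkixParameters = new PKIXParameters(trustStore);
            pkixParameters.addCertPathChecker(revocationChecker);
            CertPathValidator validator = checkForCertPathValidatorProviderOverride();
            if (validator == null) {
                validator = CertPathValidator.getInstance("PKIX");
            }
            try {
                validator.validate(leafPath, pkixParameters);
                if (!revocationChecker.getSoftFailExceptions().isEmpty()) {
                    // SOFT_FAIL turned OCSP/CRL fetch problems into a pass; record them so the
                    // "not revoked" result is not mistaken for a confirmed good status.
                    Tr.warning(tc, Tr.formatMessage(tc, "CWPKI2058W", new Object[]{revocationChecker.getSoftFailExceptions()}));
                }
                return false;
            } catch (InvalidAlgorithmParameterException e) {
                FFDCFilter.processException(e, CLASS_NAME, "426", this, new Object[]{list});
                throw new AcmeCaException("Invalid algorithm parameter passed into CertPathValidator.validate(...) method.", e);
            } catch (CertPathValidatorException notValid) {
                // Any validation failure, not only BasicReason.REVOKED, is reported as revoked.
                Tr.info(tc, Tr.formatMessage(tc, "CWPKI2059I", new Object[]{leafCertificate.getSerialNumber().toString(16)}));
                return true;
            }
        } catch (IOException | InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException | CertificateException e3) {
            FFDCFilter.processException(e3, CLASS_NAME, "404", this, new Object[]{list});
            throw new AcmeCaException(Tr.formatMessage(tc, "CWPKI2057E", new Object[]{e3.getMessage()}), e3);
        }
    }

    /** Builds an in-memory key store whose only entry, "signer", is the trust anchor for the leaf. */
    private KeyStore buildSignerTrustStore(X509Certificate signerCertificate)
            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore trustStore = checkForKeyStoreProviderOverride();
        if (trustStore == null) {
            trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        }
        trustStore.load(null);
        trustStore.setCertificateEntry("signer", signerCertificate);
        return trustStore;
    }

    /** Obtains the PKIX revocation checker and applies the options and responder URL from the ACME configuration. */
    private PKIXRevocationChecker buildRevocationChecker() throws NoSuchAlgorithmException {
        CertPathBuilder builder = checkForCertPathBuilderProviderOverride();
        if (builder == null) {
            builder = CertPathBuilder.getInstance("PKIX");
        }
        PKIXRevocationChecker checker = (PKIXRevocationChecker) builder.getRevocationChecker();
        // SOFT_FAIL is unconditional: network/fetch failures are collected, not treated as revocation.
        Set<PKIXRevocationChecker.Option> options = EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL);
        if (this.acmeConfig.isDisableFallback().booleanValue()) {
            options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
        }
        if (this.acmeConfig.isPreferCrls().booleanValue()) {
            options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        }
        checker.setOptions(options);
        URI ocspResponderUrl = this.acmeConfig.getOcspResponderUrl();
        if (ocspResponderUrl != null) {
            // A configured responder takes precedence over the URI in the certificate's AIA extension.
            checker.setOcspResponder(ocspResponderUrl);
        }
        return checker;
    }

    /** Wraps the leaf certificate alone in a CertPath, via the IBM provider when the override is active. */
    private CertPath buildLeafCertPath(X509Certificate leafCertificate) throws CertificateException {
        List<X509Certificate> leafOnly = new ArrayList<>();
        leafOnly.add(leafCertificate);
        CertPath path = checkForCertPathProviderOverride(leafOnly);
        if (path == null) {
            path = CertificateFactory.getInstance("X.509").generateCertPath(leafOnly);
        }
        return path;
    }

    /** Debug-traces a failed attempt to select a specific provider; the caller then falls back to the default. */
    @Trivial
    private static void debugProviderOverrideFailed(String provider, String api, Exception e) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Attempted to set the " + provider + " as the specific provoider for " + api + ", but it failed. Will try default provider.", new Object[]{e});
        }
    }

    /** Returns a KeyStore from the IBMJCE provider when the hybrid-JDK override is active, else {@code null}. */
    @FFDCIgnore({KeyStoreException.class})
    @Trivial
    private KeyStore checkForKeyStoreProviderOverride() {
        if (!this.overrideForIBMJDK) {
            return null;
        }
        try {
            return KeyStore.getInstance(KeyStore.getDefaultType(), IBMJCE);
        } catch (KeyStoreException | NoSuchProviderException e) {
            debugProviderOverrideFailed(IBMJCE, "KeyStore.getInstance", e);
            return null;
        }
    }

    /** Returns a PKIX CertPathBuilder from the IBMCertPath provider when the override is active, else {@code null}. */
    @FFDCIgnore({NoSuchAlgorithmException.class})
    @Trivial
    private CertPathBuilder checkForCertPathBuilderProviderOverride() {
        if (!this.overrideForIBMJDK) {
            return null;
        }
        try {
            return CertPathBuilder.getInstance("PKIX", IBM_CERT_PATH);
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            debugProviderOverrideFailed(IBM_CERT_PATH, "CertPathBuilder.getInstance", e);
            return null;
        }
    }

    /** Generates the CertPath with the IBMJCE X.509 factory when the override is active, else returns {@code null}. */
    @FFDCIgnore({CertificateException.class})
    @Trivial
    private CertPath checkForCertPathProviderOverride(List<X509Certificate> list) {
        if (!this.overrideForIBMJDK) {
            return null;
        }
        try {
            return CertificateFactory.getInstance("X.509", IBMJCE).generateCertPath(list);
        } catch (NoSuchProviderException | CertificateException e) {
            debugProviderOverrideFailed(IBMJCE, "CertificateFactory.getInstance", e);
            return null;
        }
    }

    /** Returns a PKIX CertPathValidator from the IBMCertPath provider when the override is active, else {@code null}. */
    @FFDCIgnore({NoSuchAlgorithmException.class})
    @Trivial
    private CertPathValidator checkForCertPathValidatorProviderOverride() {
        if (!this.overrideForIBMJDK) {
            return null;
        }
        try {
            return CertPathValidator.getInstance("PKIX", IBM_CERT_PATH);
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            // The trace now names the provider actually requested (IBMCertPath), not IBMJCE.
            debugProviderOverrideFailed(IBM_CERT_PATH, "CertPathValidator.getInstance", e);
            return null;
        }
    }
}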
