package com.ibm.ws.ssl.config;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.icu.impl.CalendarAstronomer;
import com.ibm.security.certclient.util.PkNewCertFactory;
import com.ibm.security.certclient.util.PkNewCertificate;
import com.ibm.security.certclient.util.PkSsCertFactory;
import com.ibm.security.certclient.util.PkSsCertificate;
import com.ibm.websphere.crypto.KeyException;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityConfigObject;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.util.KeyStoreTypeHelper;
import com.ibm.ws.ssl.JSSEProviderFactory;
import com.ibm.ws.ssl.core.Constants;
import com.ibm.ws.ssl.core.TraceNLSHelper;
import com.ibm.ws.ssl.model.CertReqInfo;
import com.ibm.ws.ssl.model.KeyStoreInfo;
import com.ibm.ws.ssl.provider.AbstractJSSEProvider;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.URL;
import java.net.UnknownHostException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/ssl/config/CertificateManager.class */
public class CertificateManager {
    // Trace component for the "SSL" group; NLS messages resolve against com.ibm.ws.ssl.resources.ssl.
    private static final TraceComponent tc = Tr.register(CertificateManager.class, "SSL", "com.ibm.ws.ssl.resources.ssl");
    // Lazily created singleton, see getInstance(). Initialisation is not synchronized.
    private static CertificateManager thisClass = null;

    /** Private: callers obtain the shared instance through {@link #getInstance()}. */
    private CertificateManager() {
    }

    /**
     * Returns the shared CertificateManager, creating it on first use.
     *
     * <p>The lazy initialisation is not synchronized, so two concurrent first callers
     * may each construct an instance; no per-instance state is visible in this class,
     * so that race is harmless.
     *
     * @return the singleton instance (never null)
     */
    public static CertificateManager getInstance() {
        CertificateManager instance = thisClass;
        if (instance == null) {
            instance = new CertificateManager();
            thisClass = instance;
        }
        return instance;
    }

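    /**
     * Creates a self-signed certificate and key pair for the request and stores it under
     * the request's label in the request's key store, creating the key store on disk if
     * it does not exist yet.
     *
     * <p>Behaviour visible in this method:
     * <ul>
     * <li>The certificate is marked as a CA (basic constraints) only when the target key
     *     store name ends with {@code Constants.DEFAULT_ROOT_STORE} or
     *     {@code Constants.RSA_TOKEN_ROOT_STORE}; nothing else decides the CA flag.</li>
     * <li>{@code notBefore} is set one day in the past (presumably clock-skew tolerance;
     *     the reason is not stated in the code).</li>
     * <li>A subject alternative name is derived from the profile UUID when it can be
     *     obtained reflectively, otherwise from the subject DN (see {@code addSAN}).</li>
     * <li>The JCE provider comes from the {@code Constants.DEFAULT_JCE_PROVIDER} security
     *     property; when unset, IBMJCE is used, or IBMJCEFIPS when FIPS is enabled.</li>
     * <li>If the signature-algorithm aware factory is unavailable ({@link NoSuchMethodError})
     *     the older factory is used and the requested signature algorithm and key type
     *     are silently dropped.</li>
     * <li>The key store password is also passed to {@code setToKeyStore} as the entry
     *     password.</li>
     * </ul>
     *
     * @param certReqInfo subject DN, label, key size, validity (days), signature algorithm
     *                    and target key store of the certificate to create
     * @return the certificate read back from the key store under the request's label
     * @throws SSLException wrapping any {@link Exception} raised while creating the
     *                      certificate or loading/writing the key store (logged as
     *                      CWPKI0032E); {@link Error}s propagate unchanged
     */
    public Certificate selfSignedCertificateCreate(CertReqInfo certReqInfo) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "selfSignedCertificateCreate", new Object[]{certReqInfo});
        }
        String subjectDN = certReqInfo.getSubjectDN();
        String label = certReqInfo.getLabel();
        int size = certReqInfo.getSize();
        int validDays = certReqInfo.getValidDays();
        KeyStoreInfo ksInfo = certReqInfo.getKsInfo();
        String expandedLocation = KeyStoreManager.getInstance().expand(ksInfo.getLocation());
        String type = ksInfo.getType();
        String provider = ksInfo.getProvider();
        String password = ksInfo.getPassword();
        Boolean stashFile = ksInfo.getStashFile();
        String signatureAlgorithm = certReqInfo.getSignatureAlgorithm();
        String keyType = FIPSUtils.getKeyTypeFromSignatureAlgorithm(signatureAlgorithm);

        InputStream inputStream = null;
        OutputStream outputStream = null;
        try {
            // The CA flag is decided solely by the name of the target key store.
            String ksName = certReqInfo.getKsInfo().getName();
            boolean isCA = ksName.endsWith(Constants.DEFAULT_ROOT_STORE) || ksName.endsWith(Constants.RSA_TOKEN_ROOT_STORE);

            // Backdate notBefore by one day (presumably to tolerate clock skew between hosts).
            Date notBefore = new Date();
            notBefore.setTime(notBefore.getTime() - CalendarAstronomer.DAY_MS);

            // Subject alternative names: profile UUID when obtainable, else the subject DN.
            ArrayList subjectAltNames = new ArrayList();
            try {
                String userInstallRootPath = SecurityObjectLocator.getAdminData().getUserInstallRootPath();
                if (userInstallRootPath != null) {
                    String profileUUID = (String) Class.forName("com.ibm.ws.ssl.commands.ProfileCreation.PrepareKeysUtility").getMethod("getProfileUUID", String.class, Object.class).invoke(null, userInstallRootPath, null);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Retrieved the following profileUUID for the alternate Subject name: " + profileUUID);
                    }
                    addSAN(subjectAltNames, subjectDN, profileUUID);
                } else {
                    addSAN(subjectAltNames, subjectDN, subjectDN);
                }
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception creating profileUUID, using subjectDN instead: " + subjectDN, new Object[]{e});
                }
                addSAN(subjectAltNames, subjectDN, subjectDN);
            }

            // Provider: security property first, else IBMJCE / IBMJCEFIPS depending on FIPS mode.
            String jceProvider = Security.getProperty(Constants.DEFAULT_JCE_PROVIDER);
            if (jceProvider == null || jceProvider.trim().isEmpty()) {
                jceProvider = JSSEProviderFactory.isFipsEnabled() ? Constants.IBMJCEFIPS_NAME : "IBMJCE";
            }

            PkSsCertificate newSsCert;
            try {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Creating certificate with following parameters: keySize=" + size + " keyType=" + keyType + " signatureAlgorithm=" + signatureAlgorithm + " subjectDN=" + subjectDN + " numValidDays=" + validDays + " notBefore=" + notBefore + " useShortSubjectKId=true subjectAltNames=" + subjectAltNames + " kUsage=null extKUsage=null provider =" + jceProvider + " keyPair=null CA=" + isCA);
                }
                newSsCert = PkSsCertFactory.newSsCert(size, keyType, signatureAlgorithm, subjectDN, validDays, notBefore, true, subjectAltNames, (List) null, (List) null, jceProvider, (KeyPair) null, isCA);
            } catch (NoSuchMethodError e3) {
                // Older certclient without the signature-algorithm aware factory. The
                // requested signatureAlgorithm/keyType are NOT honoured on this path.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Certificate Signing API's are not available: " + e3.getMessage());
                }
                newSsCert = PkSsCertFactory.newSsCert(size, subjectDN, validDays, notBefore, true, true, subjectAltNames, (List) null, (List) null, jceProvider, (KeyPair) null);
            } catch (Exception e2) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "An exception caught: " + e2.getMessage());
                }
                Manager.Ffdc.log(e2, this, "com.ibm.ws.ssl.config.CertificateManager.selfSignedCertificateCreter", "250", this);
                throw e2;
            }

            try {
                Tr.audit(tc, "Self Signed Certificate: notBefore time: " + newSsCert.getCertificate().getNotBefore().toString() + " notAfter time: " + newSsCert.getCertificate().getNotAfter().toString());
            } catch (Throwable ignored) {
                // Audit output is best-effort; never let tracing fail certificate creation.
            }

            KeyStore keyStore = KeyStore.getInstance(type, provider);
            if (expandedLocation == null || expandedLocation.equals("")) {
                throw new FileNotFoundException("KeyStore file path cannot not be missing or null.");
            }
            File ksFile = new File(expandedLocation);
            if (!ksFile.exists()) {
                // New key store: start empty, it is written below.
                keyStore.load(null, password.toCharArray());
            } else if (KeyStoreTypeHelper.isCMSKeyStore(type)) {
                Class<?> cmsUtil = Class.forName("com.ibm.ws.ssl.config.CMSKeyStoreUtility");
                keyStore = (KeyStore) cmsUtil.getMethod("loadCMSKeyStore", File.class, String.class, String.class, String.class, String.class, String.class).invoke(cmsUtil.newInstance(), ksFile, expandedLocation, password, type, provider, stashFile.toString());
            } else {
                inputStream = KeyStoreManager.getInstance().getInputStream(expandedLocation, true);
                keyStore.load(inputStream, password.toCharArray());
            }

            newSsCert.setToKeyStore(label, password, keyStore);
            Certificate certificate = keyStore.getCertificate(label);

            if (KeyStoreTypeHelper.isCMSKeyStore(type)) {
                Class<?> cmsUtil = Class.forName("com.ibm.ws.ssl.config.CMSKeyStoreUtility");
                cmsUtil.getMethod("storeCMSKeyStore", KeyStore.class, String.class, String.class, String.class, String.class).invoke(cmsUtil.newInstance(), keyStore, expandedLocation, password, type, stashFile.toString());
            } else if (ksInfo.getFileBased().booleanValue()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "KeyStore is file based");
                }
                // NOTE(review): the file (which holds a private key) is created with the
                // process default permissions; rely on directory permissions / umask.
                outputStream = new FileOutputStream(expandedLocation);
                keyStore.store(outputStream, password.toCharArray());
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "KeyStore is not file based");
                }
                outputStream = new URL(expandedLocation).openConnection().getOutputStream();
                keyStore.store(outputStream, password.toCharArray());
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "selfSignedCertificateCreate");
            }
            return certificate;
        } catch (Exception e4) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error creating keystore or certificate.", new Object[]{e4});
            }
            Tr.error(tc, "ssl.self.signed.create.error.CWPKI0032E", new Object[]{e4.getMessage()});
            throw new SSLException(TraceNLSHelper.getInstance().getFormattedMessage("ssl.self.signed.create.error.CWPKI0032E", new Object[]{e4.getMessage()}, "Error creating a self-signed certificate.  The exception is " + e4.getMessage()), e4);
        } finally {
            // Close on every path (the previous code only closed on success, and never
            // closed the URL-backed output stream).
            if (inputStream != null) {
                inputStream.close();
            }
            if (outputStream != null) {
                outputStream.close();
            }
        }
    }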

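    /**
     * Creates a certificate for {@code certReqInfo} signed by the root certificate stored
     * under alias {@code str}, and stores the resulting chain under the request's label in
     * the request's key store (created on disk if absent).
     *
     * <p>Root key store selection: when {@code keyStoreInfo} is null the configured default
     * root store is used ({@code Constants.RSA_TOKEN_ROOT_STORE} if the target store's usage
     * is "RSATokenKeys", otherwise {@code Constants.DEFAULT_ROOT_STORE}); if no such store is
     * configured the request falls back to {@link #selfSignedCertificateCreate(CertReqInfo)}.
     * When the default root store exists but does not contain the alias, a self-signed root
     * CA certificate is generated first (7300 days, subject
     * "cn=${hostname},ou=Root Certificate,ou=cell,ou=node,o=IBM,c=US"); its subject DN, alias
     * and validity can be overridden by the global properties
     * {@code Constants.SSLPROP_ROOT_CERT_SUBJECTDN}, {@code ..._ALIAS} and {@code ..._DAYS}.
     * {@code Constants.SSLPROP_ROOT_CERT_KEYSIZE} is parsed but the root is created with the
     * request's key size (preserved behaviour, see inline note). An explicitly supplied
     * {@code keyStoreInfo} is never auto-populated.
     *
     * <p>If the certificate signing API is unavailable ({@link ClassNotFoundException} from
     * the 5-arg overload) a self-signed certificate is created instead.
     *
     * @param certReqInfo  subject DN, label, key size, validity and target key store
     * @param str          alias of the signing (root) certificate; must be a key entry whose
     *                     certificate carries a CA basic constraint (checked in the overload)
     * @param keyStoreInfo the root key store, or null to use the configured default
     * @return the last certificate of the chain stored under the label (the issuer side),
     *         or null if the key store returns no chain for the label
     * @throws SSLException CWPKI0043E wrapping any failure while signing or while
     *                      loading/writing the target key store
     * @throws Exception    failures from root certificate generation, a
     *                      {@link NumberFormatException} for a malformed ..._DAYS/..._KEYSIZE
     *                      property, or {@link UnknownHostException} when the local host name
     *                      cannot be resolved (except on OS/400, where "LOOPBACK" is used)
     */
    public Certificate chainedCertificateCreate(CertReqInfo certReqInfo, String str, KeyStoreInfo keyStoreInfo) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "chainedCertificateCreate", new Object[]{certReqInfo, str});
        }
        if (certReqInfo != null && tc.isDebugEnabled()) {
            Tr.entry(tc, "chainedCertificateCreate", "chainedCertInfo=" + certReqInfo.toString());
        }
        if (str != null && tc.isDebugEnabled()) {
            Tr.entry(tc, "rootCertificateAlias", "rootCertificateAlias=" + str);
        }
        if (keyStoreInfo != null && tc.isDebugEnabled()) {
            Tr.entry(tc, "rootKeyStore", "rootKeyStore=" + keyStoreInfo.toString());
        }
        String rootAlias = str;
        String label = certReqInfo.getLabel();
        int size = certReqInfo.getSize();
        KeyStoreInfo ksInfo = certReqInfo.getKsInfo();
        // NOTE(review): unlike selfSignedCertificateCreate, the location is used unexpanded here.
        String location = ksInfo.getLocation();
        String type = ksInfo.getType();
        String usage = ksInfo.getUsage();
        String provider = ksInfo.getProvider();
        String targetPassword = ksInfo.getPassword();
        Boolean stashFile = ksInfo.getStashFile();

        // Resolve the root (signing) key store, its name and its password.
        SecurityConfigObject rootKeyStoreObject = null;
        String rootKeyStoreName;
        String rootPassword;
        if (keyStoreInfo == null) {
            if (usage != null && usage.equals("RSATokenKeys")) {
                rootKeyStoreObject = KeyStoreManager.getDefaultKeyStore(Constants.RSA_TOKEN_ROOT_STORE, null);
            } else {
                rootKeyStoreObject = KeyStoreManager.getDefaultKeyStore(Constants.DEFAULT_ROOT_STORE, null);
            }
            if (rootKeyStoreObject == null) {
                // No root store configured at all: cannot chain, issue a self-signed cert.
                return selfSignedCertificateCreate(certReqInfo);
            }
            rootKeyStoreName = rootKeyStoreObject.getString("name");
            rootPassword = rootKeyStoreObject.getDecodedString("password");
        } else {
            rootKeyStoreName = keyStoreInfo.getName();
            rootPassword = keyStoreInfo.getPassword();
        }
        WSKeyStore rootKeyStore = keyStoreInfo == null ? new WSKeyStore(rootKeyStoreObject) : new WSKeyStore(keyStoreInfo);

        Object[] containsAlias = rootKeyStore.invokeKeyStoreCommand("containsAlias", new Object[]{rootAlias}, true);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "containsAlias[0] is " + ((Boolean) containsAlias[0]).booleanValue() + "rootKeyStoreObject " + rootKeyStoreObject);
        }
        if (!((Boolean) containsAlias[0]).booleanValue() && rootKeyStoreObject != null) {
            // Only the configured default root store is auto-populated; an explicitly
            // supplied root store lacking the alias fails in the 5-arg overload.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The root certificate does not exist so create it.");
            }
            int rootValidDays = 7300;
            String cellName = ManagementScopeManager.getInstance().getCellName();
            String nodeName = ManagementScopeManager.getInstance().getNodeName();
            String rootSubjectDN = "cn=${hostname},ou=Root Certificate,ou=" + cellName + ",ou=" + nodeName + ",o=IBM,c=US";
            SSLConfigManager sslConfigManager = SSLConfigManager.getInstance();
            String dnProp = sslConfigManager.getGlobalProperty(Constants.SSLPROP_ROOT_CERT_SUBJECTDN);
            String aliasProp = sslConfigManager.getGlobalProperty(Constants.SSLPROP_ROOT_CERT_ALIAS);
            String daysProp = sslConfigManager.getGlobalProperty(Constants.SSLPROP_ROOT_CERT_DAYS);
            String keySizeProp = sslConfigManager.getGlobalProperty(Constants.SSLPROP_ROOT_CERT_KEYSIZE);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "RootCertCustom Props: com.ibm.ssl.rootCertSubjectDN is set to " + dnProp + " " + Constants.SSLPROP_ROOT_CERT_ALIAS + " is set to " + aliasProp + " " + Constants.SSLPROP_ROOT_CERT_DAYS + " is set to " + daysProp + " " + Constants.SSLPROP_ROOT_CERT_KEYSIZE + " is set to " + keySizeProp);
            }
            if (dnProp != null) {
                rootSubjectDN = dnProp;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "rootSubjectDN has been updated.");
                }
            }
            if (aliasProp != null) {
                rootAlias = aliasProp;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "rootCertificateAlias has been updated.");
                }
            }
            if (daysProp != null) {
                // A non-numeric value propagates as NumberFormatException.
                rootValidDays = Integer.parseInt(daysProp);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "rootValidDays has been updated.");
                }
            }
            if (keySizeProp != null) {
                // NOTE(review): preserved behaviour - the property is only validated as an
                // int; the root certificate below is created with the request's key size.
                Integer.parseInt(keySizeProp);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "rootCertkeySize has been updated.");
                }
            }
            // ${hostname} in the root DN comes from a reverse lookup of the local address.
            String hostName;
            try {
                hostName = InetAddress.getLocalHost().getCanonicalHostName();
            } catch (UnknownHostException e) {
                if (!System.getProperty(org.eclipse.osgi.framework.internal.core.Constants.JVM_OS_NAME).equals("OS/400")) {
                    throw e;
                }
                hostName = "LOOPBACK";
            }
            String rootDN = KeyStoreManager.expandHostNameVariable(rootSubjectDN, hostName);
            KeyStoreInfo rootKsInfo = new KeyStoreInfo(rootKeyStoreName, rootKeyStoreObject.getUnexpandedString("location"), rootPassword, rootKeyStoreObject.getString("provider"), rootKeyStoreObject.getString("type"), rootKeyStoreObject.getBoolean("fileBased"), null, null, null, rootKeyStoreObject.getBoolean("readOnly"), null, null, null, null, null, null, null);
            selfSignedCertificateCreate(new CertReqInfo(rootAlias, size, rootDN, rootValidDays, rootKsInfo, rootKeyStoreObject.getUnexpandedString("location")));
            // Reopen the root store so the freshly written root entry is visible.
            rootKeyStore.clearJavaKeyStore();
            rootKeyStore = new WSKeyStore(rootKeyStoreObject);
        }

        PkNewCertificate newCert;
        try {
            newCert = chainedCertificateCreate(certReqInfo, rootAlias, rootKeyStore, rootKeyStoreName, rootPassword.toCharArray());
        } catch (ClassNotFoundException e3) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate Signing API's are not available: " + e3.getMessage());
            }
            return selfSignedCertificateCreate(certReqInfo);
        }

        InputStream inputStream = null;
        OutputStream outputStream = null;
        try {
            KeyStore keyStore = KeyStore.getInstance(type, provider);
            File ksFile = new File(location);
            if (!ksFile.exists()) {
                keyStore.load(null, targetPassword.toCharArray());
            } else if (KeyStoreTypeHelper.isCMSKeyStore(type)) {
                Class<?> cmsUtil = Class.forName("com.ibm.ws.ssl.config.CMSKeyStoreUtility");
                keyStore = (KeyStore) cmsUtil.getMethod("loadCMSKeyStore", File.class, String.class, String.class, String.class, String.class, String.class).invoke(cmsUtil.newInstance(), ksFile, location, targetPassword, type, provider, stashFile.toString());
            } else {
                inputStream = KeyStoreManager.getInstance().getInputStream(location, true);
                keyStore.load(inputStream, targetPassword.toCharArray());
            }
            newCert.setToKeyStore(label, targetPassword, keyStore);
            Certificate[] storedChain = keyStore.getCertificateChain(label);
            if (KeyStoreTypeHelper.isCMSKeyStore(type)) {
                Class<?> cmsUtil = Class.forName("com.ibm.ws.ssl.config.CMSKeyStoreUtility");
                cmsUtil.getMethod("storeCMSKeyStore", KeyStore.class, String.class, String.class, String.class, String.class).invoke(cmsUtil.newInstance(), keyStore, location, targetPassword, type, stashFile.toString());
            } else if (ksInfo.getFileBased().booleanValue()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "KeyStore is a file based");
                }
                outputStream = new FileOutputStream(location);
                keyStore.store(outputStream, targetPassword.toCharArray());
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "KeyStore is not file based");
                }
                outputStream = new URL(location).openConnection().getOutputStream();
                keyStore.store(outputStream, targetPassword.toCharArray());
            }
            X509Certificate[] newChain = newCert.getCertificateChain();
            try {
                Tr.audit(tc, "Chained Certificate\n\t Owner: " + newChain[0].getSubjectDN() + "\n\t Issuer: " + newChain[0].getIssuerDN() + "\n\t Not Before: " + newChain[0].getNotBefore().toString() + "\n\t Not After: " + newChain[0].getNotAfter().toString() + "\n\t Serial: " + newChain[0].getSerialNumber());
            } catch (Throwable ignored) {
                // Audit output is best-effort.
            }
            if (storedChain == null || storedChain.length <= 0) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "chainedCertificateCreate (null)");
                }
                return null;
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "chainedCertificateCreate (success)");
            }
            return storedChain[storedChain.length - 1];
        } catch (Exception e2) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error creating keystore or certificate.", new Object[]{e2});
            }
            Tr.error(tc, "ssl.chained.create.error.CWPKI0043E", new Object[]{e2.getMessage()});
            throw new SSLException(TraceNLSHelper.getInstance().getFormattedMessage("ssl.chained.create.error.CWPKI0043E", new Object[]{e2.getMessage()}, "Error creating a chained certificate.  The exception is " + e2.getMessage()), e2);
        } finally {
            // Also closes the URL-backed output stream, which was previously left open.
            if (inputStream != null) {
                inputStream.close();
            }
            if (outputStream != null) {
                outputStream.close();
            }
        }
    }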

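    /**
     * Signs a new certificate for {@code certReqInfo} with the private key stored under
     * alias {@code str} in {@code wSKeyStore}. Nothing is written to any key store here;
     * the caller stores the returned certificate.
     *
     * <p>Checks performed on the signer before signing: the alias must exist, must be a
     * key entry, must have a certificate chain, and its leaf certificate must carry a CA
     * basic constraint ({@code getBasicConstraints() != -1}). The signer's keyUsage
     * extension (keyCertSign) is not checked.
     *
     * <p>The new certificate is itself flagged as a CA only when the request's target
     * key store name ends with {@code Constants.DEFAULT_ROOT_STORE}. {@code notBefore} is
     * set one day in the past (presumably clock-skew tolerance). The JCE provider is the
     * {@code Constants.DEFAULT_JCE_PROVIDER} security property, defaulting to IBMJCE /
     * IBMJCEFIPS (FIPS mode) as in {@link #selfSignedCertificateCreate(CertReqInfo)}.
     *
     * @param certReqInfo subject DN, label, key size, validity and target key store
     * @param str         alias of the signing certificate in {@code wSKeyStore}
     * @param wSKeyStore  key store holding the signer
     * @param str2        name of {@code wSKeyStore}, used in error messages only
     * @param cArr        password protecting the signer's private key entry
     * @return the new certificate with its chain (signer chain appended)
     * @throws ClassNotFoundException if the certificate signing API
     *                                ({@code PkNewCertFactory}) cannot be loaded
     * @throws SSLException           CWPKI0043E wrapping any other failure, including
     *                                the signer checks above (CWPKI0655E, CWPKI0666E,
     *                                CWPKI0701E)
     */
    public PkNewCertificate chainedCertificateCreate(CertReqInfo certReqInfo, String str, WSKeyStore wSKeyStore, String str2, char[] cArr) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "chainedCertificateCreate", new Object[]{certReqInfo});
        }
        String subjectDN = certReqInfo.getSubjectDN();
        String label = certReqInfo.getLabel();
        int size = certReqInfo.getSize();
        int validDays = certReqInfo.getValidDays();
        try {
            Thread.currentThread().getContextClassLoader().loadClass("com.ibm.security.certclient.util.PkNewCertFactory");
        } catch (ClassNotFoundException e3) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate Signing API's are not available: " + e3.getMessage());
            }
            throw e3;
        }

        // Subject alternative names: profile UUID when obtainable, else the subject DN.
        ArrayList subjectAltNames = new ArrayList();
        try {
            String userInstallRootPath = SecurityObjectLocator.getAdminData().getUserInstallRootPath();
            if (userInstallRootPath != null) {
                String profileUUID = (String) Class.forName("com.ibm.ws.ssl.commands.ProfileCreation.PrepareKeysUtility").getMethod("getProfileUUID", String.class, Object.class).invoke(null, userInstallRootPath, null);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Retrieved the following profileUUID for the alternate Subject name: " + profileUUID);
                }
                addSAN(subjectAltNames, subjectDN, profileUUID);
            } else {
                addSAN(subjectAltNames, subjectDN, subjectDN);
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception creating profileUUID, using subjectDN instead: " + subjectDN, new Object[]{e});
            }
            addSAN(subjectAltNames, subjectDN, subjectDN);
        }

        try {
            Object[] containsAlias = wSKeyStore.invokeKeyStoreCommand("containsAlias", new Object[]{str});
            Object[] isKeyEntry = wSKeyStore.invokeKeyStoreCommand("isKeyEntry", new Object[]{str});
            // Message arguments name the signer alias (str), matching the message text;
            // they previously passed the new certificate's label.
            if (!((Boolean) containsAlias[0]).booleanValue()) {
                throw new Exception(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.does.not.exist.CWPKI0655E", new Object[]{str, str2}, "Certificate alias \"" + str + "\" does not exist in key store \"" + str2 + "\"."));
            }
            if (!((Boolean) isKeyEntry[0]).booleanValue()) {
                throw new Exception(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.not.personal.cert.CWPKI0666E", new Object[]{str}, "Certificate \"" + str + "\" is not a personal certificate."));
            }
            Certificate[] signerChain = (Certificate[]) wSKeyStore.invokeKeyStoreCommand("getCertificateChain", new Object[]{str})[0];
            if (signerChain == null || signerChain.length == 0) {
                // Previously a NullPointerException wrapped as CWPKI0043E with message "null".
                throw new Exception("Certificate alias \"" + str + "\" in key store \"" + str2 + "\" has no certificate chain.");
            }
            X509Certificate[] x509SignerChain = new X509Certificate[signerChain.length];
            for (int i = 0; i < signerChain.length; i++) {
                x509SignerChain[i] = (X509Certificate) signerChain[i];
            }
            // Refuse to sign with a certificate that lacks a CA basic constraint.
            // NOTE(review): keyUsage/keyCertSign on the signer is not verified.
            if (x509SignerChain[0].getBasicConstraints() == -1) {
                throw new Exception(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.not.ca.CWPKI0701E", new Object[]{str}, "Certificate specified as alias \"" + str + "\" is not a certificate authority (CA) certificate"));
            }
            PrivateKey signingKey = (PrivateKey) wSKeyStore.invokeKeyStoreCommand("getKey", new Object[]{str, cArr})[0];

            // The new certificate is a CA only when destined for the default root store.
            boolean isCA = certReqInfo.getKsInfo().getName().endsWith(Constants.DEFAULT_ROOT_STORE);
            // Backdate notBefore by one day (presumably to tolerate clock skew).
            Date notBefore = new Date();
            notBefore.setTime(notBefore.getTime() - CalendarAstronomer.DAY_MS);
            // Provider fallback aligned with selfSignedCertificateCreate so FIPS mode does
            // not silently fall through to a null provider.
            String jceProvider = Security.getProperty(Constants.DEFAULT_JCE_PROVIDER);
            if (jceProvider == null || jceProvider.trim().isEmpty()) {
                jceProvider = JSSEProviderFactory.isFipsEnabled() ? Constants.IBMJCEFIPS_NAME : "IBMJCE";
            }
            PkNewCertificate newCert = PkNewCertFactory.newCert(size, subjectDN, validDays, notBefore, true, subjectAltNames, (List) null, (List) null, jceProvider, (KeyPair) null, x509SignerChain, signingKey, isCA);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "chainedCertificateCreate");
            }
            return newCert;
        } catch (Exception e2) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error creating keystore or certificate.", new Object[]{e2});
            }
            Tr.error(tc, "ssl.chained.create.error.CWPKI0043E", new Object[]{e2.getMessage()});
            throw new SSLException(TraceNLSHelper.getInstance().getFormattedMessage("ssl.chained.create.error.CWPKI0043E", new Object[]{e2.getMessage()}, "Error creating a chained certificate.  The exception is " + e2.getMessage()), e2);
        }
    }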

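    /**
     * Reports whether the certificate signing API is on the context class loader, by
     * attempting to load {@code com.ibm.security.certclient.util.PkSsCertFactory}.
     *
     * @return true if the class loads, false on {@link ClassNotFoundException}
     */
    public boolean isKeyCertJarAvailable() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isKeyCertJarAvailable");
        }
        boolean available = true;
        try {
            Thread.currentThread().getContextClassLoader().loadClass("com.ibm.security.certclient.util.PkSsCertFactory");
        } catch (ClassNotFoundException e) {
            // Debug message is now gated on isDebugEnabled (was isEntryEnabled).
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "isKeyCertJarAvailable", "Unable to load class \"com.ibm.security.certclient.util.PkSsCertFactory\".");
            }
            available = false;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isKeyCertJarAvailable", Boolean.valueOf(available));
        }
        return available;
    }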

    /**
     * Returns the DER encoding of the root signer certificate for the given family.
     *
     * @param str "SSL" or "RSA", see {@link #getRootSigner(String)}
     * @return the encoded certificate, or null if no root signer is found or it cannot
     *         be encoded (the {@link CertificateEncodingException} is logged to FFDC)
     */
    public byte[] getEncodedRootSigner(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getEncodedRootSigner", new Object[]{str});
        }
        byte[] encoded = null;
        Certificate rootSigner = getRootSigner(str);
        if (rootSigner != null) {
            try {
                encoded = rootSigner.getEncoded();
            } catch (CertificateEncodingException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Error encoding root signer.", new Object[]{e});
                }
                Manager.Ffdc.log(e, this, "com.ibm.ws.ssl.config.CertificateManager.getEncodedRootSigner", "600", this);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, encoded != null ? "getEncodedRootSigner (success)" : "getEncodedRootSigner (null)");
        }
        return encoded;
    }

    /**
     * Returns the root signer certificate for the given key store family.
     *
     * @param str "SSL" (default key store, alias from the
     *            {@code Constants.SSLPROP_ROOT_CERT_ALIAS} security property) or "RSA"
     *            (RSA token key store, alias from "com.ibm.rsa.rootCertAlias"); any other
     *            value returns null. A missing or empty alias property defaults to "default".
     * @return the last certificate of the chain stored under that alias; if the alias
     *         yields no chain, the last certificate of the chain of the first key-entry
     *         alias enumerated by the store; null if nothing is found or on
     *         {@link KeyException}. The fallback takes whatever key entry the store lists
     *         first, so with several personal certificates the result depends on store order.
     */
    public Certificate getRootSigner(String str) {
        String defaultKeyStoreName;
        WSKeyStore keyStore;
        String property;
        Certificate[] certificateArr;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRootSigner", new Object[]{str});
        }
        if (str.equalsIgnoreCase("SSL")) {
            defaultKeyStoreName = KeyStoreManager.getDefaultKeyStoreName(Constants.DEFAULT_KEY_STORE);
            keyStore = KeyStoreManager.getInstance().getKeyStore(defaultKeyStoreName);
            property = SecurityObjectLocator.getSecurityConfig().getProperty(Constants.SSLPROP_ROOT_CERT_ALIAS);
            if (property == null || property.length() == 0) {
                property = "default";
            }
        } else {
            if (!str.equalsIgnoreCase("RSA")) {
                if (!tc.isEntryEnabled()) {
                    return null;
                }
                Tr.exit(tc, "getRootSigner: Invalid input \"type\".");
                return null;
            }
            defaultKeyStoreName = KeyStoreManager.getDefaultKeyStoreName(Constants.RSA_TOKEN_KEY_STORE);
            keyStore = KeyStoreManager.getInstance().getKeyStore(defaultKeyStoreName);
            property = SecurityObjectLocator.getSecurityConfig().getProperty("com.ibm.rsa.rootCertAlias");
            if (property == null || property.length() == 0) {
                property = "default";
            }
        }
        WSKeyStoreRemotableInterface wSKeyStoreRemotableInterface = null;
        if (keyStore != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Getting remotable instance of WSKeyStore name: " + defaultKeyStoreName);
            }
            wSKeyStoreRemotableInterface = WSKeyStoreRemotableFactory.getInstance(keyStore);
        }
        if (wSKeyStoreRemotableInterface != null) {
            try {
                // First try the configured alias (the Boolean.FALSE argument's meaning is not visible here).
                Object[] invokeKeyStoreCommand = wSKeyStoreRemotableInterface.invokeKeyStoreCommand("getCertificateChain", new Object[]{property}, Boolean.FALSE);
                if (invokeKeyStoreCommand == null || invokeKeyStoreCommand[0] == null) {
                    // Fallback: scan all aliases and use the first key entry that has a chain.
                    Object[] invokeKeyStoreCommand2 = wSKeyStoreRemotableInterface.invokeKeyStoreCommand("aliases", new Object[0], Boolean.FALSE);
                    if (invokeKeyStoreCommand2 != null && invokeKeyStoreCommand2[0] != null) {
                        // NOTE(review): casts the whole result array (not element [0]) to String[];
                        // this relies on the "aliases" command returning a String[] at runtime.
                        for (String str2 : (String[]) invokeKeyStoreCommand2) {
                            Object[] invokeKeyStoreCommand3 = wSKeyStoreRemotableInterface.invokeKeyStoreCommand("isKeyEntry", new Object[]{str2}, Boolean.FALSE);
                            if (invokeKeyStoreCommand3 != null && invokeKeyStoreCommand3[0] != null) {
                                if (((Boolean) invokeKeyStoreCommand3[0]).booleanValue()) {
                                    Object[] invokeKeyStoreCommand4 = wSKeyStoreRemotableInterface.invokeKeyStoreCommand("getCertificateChain", new Object[]{str2}, Boolean.FALSE);
                                    if (invokeKeyStoreCommand4 != null && invokeKeyStoreCommand4.length > 0 && (certificateArr = (Certificate[]) invokeKeyStoreCommand4[0]) != null) {
                                        if (tc.isEntryEnabled()) {
                                            Tr.exit(tc, "getRootSigner (success): " + ((X509Certificate) certificateArr[certificateArr.length - 1]).getSubjectDN());
                                        }
                                        // Last element is taken as the root; assumes leaf-first chain order
                                        // (a self-signed entry has a one-element chain).
                                        return certificateArr[certificateArr.length - 1];
                                    }
                                } else if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Alias \"" + str2 + "\" is not a key entry.");
                                }
                            }
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Did not find a certificate from the list of aliases in the keystore that matched isKeyEntry().");
                        }
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Did not find any certificates in the returnedData.");
                    }
                } else {
                    Certificate[] certificateArr2 = (Certificate[]) invokeKeyStoreCommand[0];
                    if (certificateArr2 != null) {
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "getRootSigner (success): " + ((X509Certificate) certificateArr2[certificateArr2.length - 1]).getSubjectDN());
                        }
                        // Last element of the configured alias' chain is the root signer.
                        return certificateArr2[certificateArr2.length - 1];
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Did not get a certificate in returnedData from specific alias: " + property);
                    }
                }
            } catch (KeyException e) {
                // Logged and swallowed: the method reports "not found" by returning null.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Error obtaining the root signer.", new Object[]{e});
                }
                Manager.Ffdc.log(e, this, "com.ibm.ws.ssl.config.CertificateManager.getRootSigner", "729", this);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Error getting the root signer from keystore " + defaultKeyStoreName + ".");
        }
        if (!tc.isEntryEnabled()) {
            return null;
        }
        Tr.exit(tc, "getRootSigner (null)");
        return null;
    }

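    /**
     * Installs {@code certificate} as a trusted signer in the default trust store of the
     * requested type, then calls {@code clearJavaKeyStoresFromKeyStoreMap()} and
     * {@code clearSSLContextCache()} so cached state built from the old store contents is dropped.
     * <p>
     * The entry alias is the certificate's subject DN. If the store already reports an alias
     * for the certificate ({@code getCertificateAlias}), nothing is written. The certificate
     * itself is not validated here: the caller decides whether the signer should be trusted
     * before calling. Failures are traced and recorded through FFDC rather than thrown.
     *
     * @param certificate X.509 certificate to add as a trusted signer (must be an {@link X509Certificate})
     * @param str         store type, {@code "SSL"} (used when null) or {@code "RSA"}; any other
     *                    value is rejected and the stores are left untouched
     */
    public void addRootSigner(Certificate certificate, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addRootSigner", new Object[]{certificate, str});
        }
        String principal = ((X509Certificate) certificate).getSubjectDN().toString();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Adding signer of type \"" + str + "\" with alias: " + principal);
        }
        String type = (str == null) ? "SSL" : str;
        String defaultKeyStoreName;
        if (type.equalsIgnoreCase("SSL")) {
            defaultKeyStoreName = KeyStoreManager.getDefaultKeyStoreName(Constants.DEFAULT_TRUST_STORE);
        } else if (type.equalsIgnoreCase("RSA")) {
            defaultKeyStoreName = KeyStoreManager.getDefaultKeyStoreName(Constants.RSA_TOKEN_TRUST_STORE);
        } else {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "addRootSigner: Invalid input \"type\".");
            }
            return;
        }
        WSKeyStore keyStore = KeyStoreManager.getInstance().getKeyStore(defaultKeyStoreName);
        WSKeyStoreRemotableInterface remotable = null;
        if (keyStore != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Getting remotable instance of WSKeyStore.");
            }
            remotable = WSKeyStoreRemotableFactory.getInstance(keyStore);
        }
        if (remotable != null) {
            // Boolean.parseBoolean interprets the property value itself. The previous
            // Boolean.getBoolean(...) looked up a JVM system property *named* by that value,
            // so a trust store flagged read-only was not actually protected from writes.
            if (Boolean.parseBoolean(keyStore.getProperty(Constants.SSLPROP_KEY_STORE_READ_ONLY))) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "addRootSigner (read-only, noop)");
                }
                return;
            }
            try {
                // "reinitializeKeyStore" presumably refreshes the store before the lookup and write below.
                remotable.invokeKeyStoreCommand("reinitializeKeyStore", null, Boolean.FALSE);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "keyStore reinitialized");
                }
                Object[] existing = remotable.invokeKeyStoreCommand("getCertificateAlias", new Object[]{certificate}, Boolean.FALSE);
                // An empty result array is treated like "no alias" instead of raising an index error.
                if (existing != null && existing.length > 0 && existing[0] != null && !"<null>".equals(existing[0])) {
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "addRootSigner (already exists)", new Object[]{existing[0]});
                    }
                    return;
                }
                remotable.invokeKeyStoreCommand("setCertificateEntry", new Object[]{principal, certificate}, Boolean.FALSE);
                remotable.store();
                KeyStoreManager.getInstance().clearJavaKeyStoresFromKeyStoreMap();
                AbstractJSSEProvider.clearSSLContextCache();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Successfully added signer to keystore: " + defaultKeyStoreName);
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "addRootSigner (success)");
                }
                return;
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Error adding the root signer.", new Object[]{e});
                }
                Manager.Ffdc.log(e, this, "com.ibm.ws.ssl.config.CertificateManager.addRootSigner", "812", this);
            }
        }
        // Reached only when no remotable store was obtained or the update above failed.
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Adding the root signer to keystore " + defaultKeyStoreName + ".");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addRootSigner");
        }
    }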

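    /**
     * Removes {@code certificate} from the default trust store of the requested type.
     * <p>
     * The entry is located through {@code getCertificateAlias}; if the store reports no
     * alias, nothing is deleted. After a successful {@code store()} the cached key stores
     * and SSL contexts are cleared, mirroring what {@link #addRootSigner} does after its
     * write, so that state built from the previous store contents is not kept around.
     * Failures are traced and recorded through FFDC rather than thrown.
     *
     * @param certificate certificate whose trust-store entry should be removed
     * @param str         store type, {@code "SSL"} (used when null) or {@code "RSA"}; any other
     *                    value is rejected and the stores are left untouched
     */
    public void deleteRootSigner(Certificate certificate, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "deleteRootSigner", new Object[]{certificate, str});
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Deleting signer of type \"" + str + "\".");
        }
        String type = (str == null) ? "SSL" : str;
        String defaultKeyStoreName;
        if (type.equalsIgnoreCase("SSL")) {
            defaultKeyStoreName = KeyStoreManager.getDefaultKeyStoreName(Constants.DEFAULT_TRUST_STORE);
        } else if (type.equalsIgnoreCase("RSA")) {
            defaultKeyStoreName = KeyStoreManager.getDefaultKeyStoreName(Constants.RSA_TOKEN_TRUST_STORE);
        } else {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "deleteRootSigner: Invalid input \"type\".");
            }
            return;
        }
        WSKeyStore keyStore = KeyStoreManager.getInstance().getKeyStore(defaultKeyStoreName);
        WSKeyStoreRemotableInterface remotable = null;
        if (keyStore != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Getting remotable instance of WSKeyStore.");
            }
            remotable = WSKeyStoreRemotableFactory.getInstance(keyStore);
        }
        if (remotable != null) {
            // Boolean.parseBoolean interprets the property value itself. The previous
            // Boolean.getBoolean(...) looked up a JVM system property *named* by that value,
            // so a trust store flagged read-only was not actually protected from writes.
            if (Boolean.parseBoolean(keyStore.getProperty(Constants.SSLPROP_KEY_STORE_READ_ONLY))) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "deleteRootSigner (read-only, noop)");
                }
                return;
            }
            try {
                // "reinitializeKeyStore" presumably refreshes the store before the lookup and delete below.
                remotable.invokeKeyStoreCommand("reinitializeKeyStore", null, Boolean.FALSE);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "keyStore reinitialized");
                }
                Object[] found = remotable.invokeKeyStoreCommand("getCertificateAlias", new Object[]{certificate}, Boolean.FALSE);
                // An empty result array is treated like "no alias" instead of raising an index error.
                if (found != null && found.length > 0 && found[0] != null && !"<null>".equals(found[0])) {
                    String alias = (String) found[0];
                    remotable.invokeKeyStoreCommand("deleteEntry", new Object[]{alias}, Boolean.FALSE);
                    remotable.store();
                    // Same cache invalidation as addRootSigner performs after its store(); without it,
                    // previously built key store objects and SSL contexts may still carry the removed entry.
                    KeyStoreManager.getInstance().clearJavaKeyStoresFromKeyStoreMap();
                    AbstractJSSEProvider.clearSSLContextCache();
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "deleteRootSigner (success)");
                    }
                    return;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Did not get any returned data.");
                }
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Error deleting the root signer.", new Object[]{e});
                }
                Manager.Ffdc.log(e, this, "com.ibm.ws.ssl.config.CertificateManager.deleteRootSigner", "896", this);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Did not delete root signer from keystore " + defaultKeyStoreName + ".");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "deleteRootSigner");
        }
    }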

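    /**
     * Creates a personal certificate chained to the configured root certificate of the
     * requested type and returns it in encoded form.
     * <p>
     * The root store is resolved via {@code KeyStoreManager.getDefaultKeyStore}, and the
     * root alias from the security-config property {@code com.ibm.ws.ssl.rootCertAlias}
     * (SSL) or {@code com.ibm.ws.rsa.rootCertAlias} (RSA), defaulting to {@code "root"}.
     * The actual chaining is delegated to {@code chainedCertificateCreate}. Any exception
     * during creation is traced, recorded through FFDC and turned into a {@code null} result.
     *
     * @param certReqInfo request describing the certificate to create
     * @param str         root type, {@code "SSL"} or {@code "RSA"}; null or any other value
     *                    yields {@code null} without touching any store
     * @return the encoded certificate information, or {@code null} on invalid type or failure
     */
    public EncodedCertificateInfo createPersonalCertificate(CertReqInfo certReqInfo, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createPersonalCertificate", new Object[]{certReqInfo, str});
        }
        String rootStoreType;
        String aliasPropertyKey;
        if ("SSL".equalsIgnoreCase(str)) {
            rootStoreType = Constants.DEFAULT_ROOT_STORE;
            aliasPropertyKey = "com.ibm.ws.ssl.rootCertAlias";
        } else if ("RSA".equalsIgnoreCase(str)) {
            rootStoreType = Constants.RSA_TOKEN_ROOT_STORE;
            aliasPropertyKey = "com.ibm.ws.rsa.rootCertAlias";
        } else {
            // The original exit trace named getRootSigner here; it now names this method.
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createPersonalCertificate: Invalid input \"type\".");
            }
            return null;
        }
        try {
            SecurityConfigObject rootStore = KeyStoreManager.getDefaultKeyStore(rootStoreType, null);
            String rootAlias = SecurityObjectLocator.getSecurityConfig().getProperty(aliasPropertyKey);
            if (rootAlias == null || rootAlias.isEmpty()) {
                rootAlias = "root";
            }
            String rootStoreName = rootStore.getString("name");
            String rootStorePassword = rootStore.getDecodedString("password");
            // A missing password surfaces as a NullPointerException and is handled by the catch below.
            return new EncodedCertificateInfo(chainedCertificateCreate(certReqInfo, rootAlias,
                    KeyStoreManager.getInstance().getKeyStore(rootStoreName), rootStoreName,
                    rootStorePassword.toCharArray()));
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception creating a personal certificate.", new Object[]{e});
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.ssl.config.CertificateManager.createPersonalCertificate", "980", this);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createPersonalCertificate");
            }
            return null;
        }
    }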

    /**
     * Placeholder overload: both parameters are ignored and the result is always
     * {@code null}. Only entry/exit tracing is performed.
     *
     * @param bArr unused
     * @param str  unused
     * @return always {@code null}
     */
    public Certificate[] createPersonalCertificate(byte[] bArr, String str) {
        boolean traceEntry = tc.isEntryEnabled();
        if (traceEntry) {
            Tr.entry(tc, "createPersonalCertificate");
        }
        if (traceEntry) {
            Tr.exit(tc, "createPersonalCertificate");
        }
        return null;
    }

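    /**
     * Derives an alias not yet present in {@code keyStore} by bumping a numeric
     * {@code _N} suffix on {@code str}.
     * <p>
     * If the alias ends in {@code _<number>}, the number is incremented; otherwise
     * {@code _1} is appended. This repeats until the candidate is absent from the store.
     * The decompiled original had an unreachable {@code break} after a {@code throw} and
     * a catch block that did not enclose the parse; this version expresses the same
     * intent with a plain try/catch and builds the new suffix by concatenation instead
     * of {@code String.replaceAll}, which had interpreted the old suffix as a regex.
     *
     * @param keyStore key store whose existing aliases must be avoided
     * @param str      alias to derive from (not modified)
     * @return a candidate alias that {@code keyStore.containsAlias} reports as absent
     * @throws KeyStoreException if the key store has not been initialized
     */
    public String incrementAlias(KeyStore keyStore, String str) throws KeyStoreException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "incrementAlias", new Object[]{str});
        }
        int appendCounter = 1;
        String current = str;
        String candidate;
        do {
            int underscore = current.lastIndexOf('_');
            try {
                if (underscore == -1) {
                    throw new NumberFormatException("alias has no '_' suffix");
                }
                // parseInt also rejects an empty suffix such as "alias_", taking the catch path.
                String suffix = current.substring(underscore + 1);
                int next = Integer.parseInt(suffix) + 1;
                candidate = current.substring(0, underscore + 1) + next;
            } catch (NumberFormatException ignored) {
                // No numeric suffix to bump: start one.
                candidate = current + "_" + appendCounter;
                appendCounter++;
            }
            current = candidate;
        } while (keyStore.containsAlias(candidate));
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "incrementAlias", new Object[]{candidate});
        }
        return candidate;
    }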

    /**
     * Developer harness: builds a throw-away PKCS12 key-store description and a
     * certificate request, then creates and prints an RSA and an SSL personal
     * certificate, each round-tripped through {@code EncodedCertificateInfo.createFromBytes}.
     * <p>
     * It hard-codes a local file path and {@code Constants.DEFAULT_KEYSTORE_PASSWORD},
     * and dereferences the created certificate without a null check, so it is only
     * meaningful in a fully configured environment. No caller is visible in this part
     * of the file.
     */
    private void runTest() {
        KeyStoreInfo storeInfo = new KeyStoreInfo("PeteKeyStore", "c:/temp/pete_key.p12", Constants.DEFAULT_KEYSTORE_PASSWORD, "IBMJCE", Constants.KEYSTORE_TYPE_PKCS12, Boolean.TRUE, "", null, null, Boolean.FALSE, Boolean.FALSE, Boolean.FALSE, null, null, Boolean.FALSE, null, "Pete's key store");
        CertReqInfo request = new CertReqInfo("mycert", 1024, "cn=pete,o=ibm,c=us", 365, storeInfo, storeInfo.getLocation());
        for (String rootType : new String[]{"RSA", "SSL"}) {
            EncodedCertificateInfo created = createPersonalCertificate(request, rootType);
            System.out.println(created);
            System.out.println(EncodedCertificateInfo.createFromBytes(created.getBytes()));
        }
    }

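    /**
     * Appends subject-alternative-name strings for a new SSL certificate to {@code list}.
     * <p>
     * When the {@code "security"} configuration is available and
     * {@code SecurityConfig.ADD_SAN_SSL_CERTIFICATE} is enabled, the CN of {@code str} is
     * added along with a fixed e-mail value ({@code user@domain}), the loopback address
     * {@code 127.0.0.1} and an {@code http://} URI built from the CN. A
     * {@code ProfileUUID:<uuid>} entry is always appended. The consumer that interprets
     * these strings is not visible here, so the values and their order are left as they were.
     *
     * @param list destination for SAN strings; modified in place
     * @param str  subject DN of the certificate being created
     * @param str2 profile UUID appended as the final entry
     * @throws Exception if {@code str} is null or contains no CN (see {@link #obtainDN})
     */
    private static void addSAN(List<? super String> list, String str, String str2) throws Exception {
        if (SecurityObjectLocator.getSecurityConfig("security") == null) {
            // Debug-level message, so guard with isDebugEnabled rather than isEntryEnabled.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Security object has not initialized yet. SAN will not be added to the SSL certificate.");
            }
        } else if (SecurityObjectLocator.getSecurityConfig("security").getPropertyBool(SecurityConfig.ADD_SAN_SSL_CERTIFICATE, false)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding SAN to SSL Certificate");
            }
            String commonName = obtainDN(str);
            list.add("user@domain");
            list.add(commonName);
            list.add("http://" + commonName);
            list.add("127.0.0.1");
            // NOTE(review): duplicates the URI entry added three lines above; kept because
            // the downstream reader of this list may depend on its position.
            list.add("http://" + commonName);
        }
        list.add("ProfileUUID:" + str2);
    }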

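    /**
     * Extracts the CN attribute value from an LDAP-style distinguished name.
     * <p>
     * The DN is parsed with {@link LdapName}. Each RDN is traced at debug level, and the
     * value of the last RDN in {@code getRdns()} order whose type is {@code CN}
     * (case-insensitive) is returned. Trace calls are now guarded with
     * {@code isDebugEnabled()}, consistent with the rest of this class.
     *
     * @param str subject DN, for example {@code cn=host,o=ibm,c=us}
     * @return the CN value
     * @throws Exception if {@code str} is null, is not a valid DN, or contains no CN
     */
    private static String obtainDN(String str) throws Exception {
        if (str == null) {
            throw new Exception("The Subject DN should never be null");
        }
        String commonName = null;
        boolean debug = tc.isDebugEnabled();
        for (Rdn rdn : new LdapName(str).getRdns()) {
            if (debug) {
                Tr.debug(tc, "The rdn values are: " + rdn.getType() + " -> " + rdn.getValue());
            }
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                commonName = rdn.getValue().toString();
                if (debug) {
                    Tr.debug(tc, "The CN value that is going to be used is: " + commonName);
                }
            }
        }
        if (commonName == null) {
            throw new Exception("A value for CN was not found.");
        }
        return commonName;
    }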
}
