package com.ibm.ws.wssecurity.util;

import com.ibm.security.pkcs7.Content;
import com.ibm.security.pkcs7.ContentInfo;
import com.ibm.security.pkcs7.SignedData;
import com.ibm.websphere.management.application.AppConstants;
import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallback;
import com.ibm.ws.wssecurity.confimpl.PrivateCommonConfig;
import com.ibm.ws.wssecurity.handler.PolicyInboundConfig;
import com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.KeyInfo;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.SignatureStructureException;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.XSignatureException;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.config.CallbackHandlerConfig;
import com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig;
import com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.Provider;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import javax.security.auth.login.LoginException;
import org.apache.axiom.om.OMElement;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/wssecurity/util/CertificateUtil.class */
public class CertificateUtil {
    // Component name string; not referenced in the part of this class visible here.
    private static final String comp = "security.wssecurity";
    // Usage selector for isUsedFor(): requires the keyEncipherment AND dataEncipherment KeyUsage bits (indexes 2 and 3).
    public static final int ENCIPHERMENT = 0;
    // Usage selector for isUsedFor(): requires the digitalSignature KeyUsage bit (index 0).
    public static final int SIGNATURE = 1;
    // Trace component; every method below emits entry/exit and debug records through it when enabled.
    private static final TraceComponent tc = Tr.register(CertificateUtil.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = CertificateUtil.class.getName();
    // Names of the KeyUsage bits in the order X509Certificate.getKeyUsage() reports them (RFC 5280 section 4.2.1.3);
    // used by keyUsageToString() to label each boolean.
    private static final String[] KEY_USAGE = {"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"};

    /* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/wssecurity/util/CertificateUtil$X509DataUtil.class */
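    public static class X509DataUtil {
        // The ds:X509Data wrapper whose certificates, issuer/serial pairs, subject names and SKIs drive the selector.
        KeyInfo.X509Data x5data;
        // Only ever holds null in this class; kept because the field is package-visible.
        CertStore docStore = null;
        // Public key taken from ds:KeyValue, or null; when present the selector is narrowed to certificates carrying it.
        Key publicKey;

        /**
         * @param x509Data the X509Data structure parsed from the KeyInfo element
         * @param key the KeyValue public key from the same KeyInfo, or null if absent
         */
        public X509DataUtil(KeyInfo.X509Data x509Data, Key key) {
            this.x5data = x509Data;
            this.publicKey = key;
        }

        /**
         * Wraps the certificates embedded in the X509Data element in a "Collection" CertStore.
         * These certificates arrive inside the message, so they are only ever offered to the
         * path builder as candidate intermediates; trust is still decided by the caller's anchors.
         *
         * @return a CertStore over the embedded certificates (possibly empty)
         */
        private CertStore createCertStore() throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
            if (CertificateUtil.tc.isEntryEnabled()) {
                Tr.entry(CertificateUtil.tc, "createCertStore()");
            }
            List<X509Certificate> embedded = new ArrayList<X509Certificate>();
            X509Certificate[] fromMessage = this.x5data.getCertificates();
            if (fromMessage != null) {
                for (X509Certificate cert : fromMessage) {
                    embedded.add(cert);
                }
            }
            CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(embedded));
            if (CertificateUtil.tc.isEntryEnabled()) {
                Tr.exit(CertificateUtil.tc, "createCertStore() returns " + store);
            }
            return store;
        }

        /**
         * Builds and validates the path (see {@link #validateAndGetCert}) and returns the target certificate's public key.
         * A null target (empty path) would fail here; PKIX builders always include the target certificate, so this is not expected.
         */
        public Key validate(PKIXBuilderParameters pKIXBuilderParameters) throws XSignatureException {
            return validateAndGetCert(pKIXBuilderParameters).getPublicKey();
        }

        /**
         * Builds a certification path from the target selected by the parameters, through any
         * certificates embedded in the message, to one of the caller's trust anchors, validates it
         * with PKIX, and returns the target (first) certificate of the path.
         *
         * <p>The caller's CertStore list is extended with the message's certificate store only for
         * the duration of the call and is restored on every exit path, so reusing the same
         * parameters across messages neither accumulates stores nor lets one message's
         * certificates linger as candidates for the next.
         *
         * @param pKIXBuilderParameters trust anchors, target constraints and policy for the build
         * @return the target certificate, or null if the built path has no certificates
         * @throws XSignatureException wrapping the build or validation failure
         */
        public X509Certificate validateAndGetCert(PKIXBuilderParameters pKIXBuilderParameters) throws XSignatureException {
            if (CertificateUtil.tc.isEntryEnabled()) {
                Tr.entry(CertificateUtil.tc, "validateAndGetCert(" + pKIXBuilderParameters + ")");
            }
            List<CertStore> callerStores = pKIXBuilderParameters.getCertStores();
            List<CertStore> searchStores = new ArrayList<CertStore>((callerStores == null ? 0 : callerStores.size()) + 1);
            if (callerStores != null) {
                searchStores.addAll(callerStores);
            }
            try {
                searchStores.add(createCertStore());
                pKIXBuilderParameters.setCertStores(searchStores);
                CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
                CertPathValidator validator = CertPathValidator.getInstance("PKIX");
                CertPath path = builder.build(pKIXBuilderParameters).getCertPath();
                validator.validate(path, pKIXBuilderParameters);
                List<? extends Certificate> chain = path.getCertificates();
                // X.509 CertPaths are ordered from the target certificate towards the trust anchor.
                X509Certificate target = chain.isEmpty() ? null : (X509Certificate) chain.get(0);
                if (CertificateUtil.tc.isEntryEnabled()) {
                    Tr.exit(CertificateUtil.tc, "validateAndGetCert(PKIXBuilderParameters params) returns " + target);
                }
                return target;
            } catch (InvalidAlgorithmParameterException e) {
                throw new XSignatureException(e);
            } catch (NoSuchAlgorithmException e) {
                throw new XSignatureException(e);
            } catch (CertPathBuilderException e) {
                throw new XSignatureException(e);
            } catch (CertPathValidatorException e) {
                throw new XSignatureException(e);
            } finally {
                // Previously only the failure paths restored the list; a successful call left the
                // message-supplied store attached to the caller's parameters.
                pKIXBuilderParameters.setCertStores(callerStores);
            }
        }

        /**
         * Builds the target-certificate constraints from the X509Data contents: the first
         * issuer/serial pair, the first subject name (or the subject of the first embedded
         * certificate), the first SubjectKeyIdentifier, the embedded certificate itself when there
         * is exactly one, and the KeyValue public key when present.
         *
         * @return the populated selector
         * @throws IOException if an issuer or subject name cannot be parsed
         */
        public X509CertSelector createSelector() throws IOException {
            if (CertificateUtil.tc.isEntryEnabled()) {
                Tr.entry(CertificateUtil.tc, "createSelector()");
            }
            X509CertSelector selector = new X509CertSelector();
            String[] issuers = this.x5data.getIssuerNames();
            if (issuers != null && issuers.length > 0) {
                // Assumes the serial-number array is paired index-by-index with the issuer names — TODO confirm in KeyInfo.X509Data.
                BigInteger[] serials = this.x5data.getSerialNumbers();
                selector.setIssuer(issuers[0]);
                selector.setSerialNumber(serials[0]);
            }
            String[] subjects = this.x5data.getSubjectNames();
            if (subjects != null && subjects.length > 0) {
                selector.setSubject(subjects[0]);
            } else {
                X509Certificate[] embedded = this.x5data.getCertificates();
                if (embedded != null && embedded.length > 0) {
                    if (CertificateUtil.tc.isDebugEnabled()) {
                        Tr.debug(CertificateUtil.tc, "CertPath Selector = " + selector.getClass().getName());
                        Tr.debug(CertificateUtil.tc, "SubjectDN = " + embedded[0].getSubjectX500Principal().getName());
                    }
                    selector.setSubject(embedded[0].getSubjectX500Principal().getEncoded());
                }
            }
            Object[] skis = this.x5data.getSKIs();
            if (skis != null && skis.length > 0) {
                selector.setSubjectKeyIdentifier((byte[]) skis[0]);
            }
            X509Certificate[] embeddedAgain = this.x5data.getCertificates();
            if (embeddedAgain != null && embeddedAgain.length == 1) {
                selector.setCertificate(embeddedAgain[0]);
            }
            if (this.publicKey != null) {
                selector.setSubjectPublicKey(this.publicKey.getEncoded());
            }
            if (CertificateUtil.tc.isEntryEnabled()) {
                Tr.exit(CertificateUtil.tc, "createSelector() returns " + selector);
            }
            return selector;
        }
    }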

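    /**
     * Reports whether the certificate's KeyUsage extension permits the requested use.
     *
     * <p>A certificate that is null, not X.509, or has no KeyUsage extension imposes no
     * restriction and yields {@code true}. {@link #ENCIPHERMENT} requires both the
     * keyEncipherment and dataEncipherment bits; {@link #SIGNATURE} requires digitalSignature.
     *
     * @param certificate the certificate to inspect, may be null
     * @param i {@link #ENCIPHERMENT} or {@link #SIGNATURE}
     * @return true if the use is permitted (or unconstrained)
     * @throws RuntimeException if {@code i} is not a known usage type
     */
    public static boolean isUsedFor(Certificate certificate, int i) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isUsedFor(" + certificate + ", " + i + ")");
        }
        if (i != ENCIPHERMENT && i != SIGNATURE) {
            // Rejected up front so a bad selector is reported even for certificates without a KeyUsage extension,
            // instead of silently answering true for them.
            throw new RuntimeException("Unknown usage type: " + i);
        }
        boolean permitted = true;
        if (certificate != null && "X.509".equals(certificate.getType())) {
            boolean[] usage = ((X509Certificate) certificate).getKeyUsage();
            // getKeyUsage() is null when the extension is absent; the permissive default then stands.
            if (usage != null) {
                if (i == ENCIPHERMENT) {
                    permitted = usage.length > 3 && usage[2] && usage[3];
                } else {
                    permitted = usage.length > 0 && usage[0];
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isUsedFor(Certificate cert, int type) returns " + permitted);
        }
        return permitted;
    }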

    /**
     * Renders the KeyUsage bits of an X.509 certificate via {@link #keyUsageToString(boolean[])}.
     *
     * @param certificate the certificate, may be null
     * @return the rendered usage, or null if the certificate is null or not of type "X.509"
     */
    public static String keyUsageToString(Certificate certificate) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "keyUsageToString(" + certificate + ")");
        }
        boolean isX509 = certificate != null && "X.509".equals(certificate.getType());
        String rendered = null;
        if (isX509) {
            // getKeyUsage() may itself be null when the extension is absent.
            boolean[] bits = ((X509Certificate) certificate).getKeyUsage();
            rendered = keyUsageToString(bits);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "keyUsageToString(Certificate cert) returns " + rendered);
        }
        return rendered;
    }

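    /**
     * Renders a KeyUsage bit array as {@code {digitalSignature=true, nonRepudiation=false, ...}},
     * labelling each position with {@link #KEY_USAGE}.
     *
     * @param zArr the bits as returned by {@code X509Certificate.getKeyUsage()}; null (extension absent) renders as {@code {}}
     * @return the rendered string
     */
    public static String keyUsageToString(boolean[] zArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "keyUsageToString(" + zArr + ")");
        }
        StringBuilder out = new StringBuilder();
        out.append('{');
        // The only caller passes getKeyUsage() straight through, which is null when the extension is absent;
        // that used to throw NullPointerException here.
        int count = zArr == null ? 0 : Math.min(KEY_USAGE.length, zArr.length);
        for (int idx = 0; idx < count; idx++) {
            if (idx > 0) {
                out.append(", ");
            }
            out.append(KEY_USAGE[idx]).append('=').append(zArr[idx]);
        }
        out.append('}');
        String rendered = out.toString();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "keyUsageToString(boolean[] usage) returns " + rendered);
        }
        return rendered;
    }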

    /**
     * Locates the KeyInfo under the given element and wraps each of its X509Data entries,
     * sharing the KeyInfo's KeyValue public key (may be null) across all of them.
     *
     * @param oMElement the element (typically a Signature) to search for a KeyInfo
     * @return one helper per X509Data entry, never empty
     * @throws XSignatureException if there is no KeyInfo or no X509Data element
     */
    public static X509DataUtil[] getX509Data(OMElement oMElement) throws XSignatureException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getX509Data(" + oMElement + ")");
        }
        try {
            KeyInfo keyInfo = getKeyInfo(oMElement);
            KeyInfo.X509Data[] entries = keyInfo.getX509Data();
            if (entries == null || entries.length == 0) {
                throw new SignatureStructureException("No X509Data elements.");
            }
            Key keyValue = keyInfo.getKeyValue();
            X509DataUtil[] helpers = new X509DataUtil[entries.length];
            int idx = 0;
            for (KeyInfo.X509Data entry : entries) {
                helpers[idx++] = new X509DataUtil(entry, keyValue);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getX509Data(Element signature) returns " + helpers);
            }
            return helpers;
        } catch (SignatureStructureException structural) {
            throw new XSignatureException(structural);
        }
    }

    /**
     * Finds the KeyInfo element under the given element and parses it.
     *
     * @param oMElement the element to search
     * @return the parsed KeyInfo
     * @throws SignatureStructureException if no KeyInfo element is present
     * @throws XSignatureException propagated from the KeyInfo constructor
     */
    private static KeyInfo getKeyInfo(OMElement oMElement) throws SignatureStructureException, XSignatureException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKeyInfo(" + oMElement + ")");
        }
        OMElement keyInfoElement = KeyInfo.searchForKeyInfo(oMElement);
        if (keyInfoElement == null) {
            throw new SignatureStructureException("No KeyInfo element.");
        }
        KeyInfo parsed = new KeyInfo(keyInfoElement);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKeyInfo(Element signature) returns " + parsed);
        }
        return parsed;
    }

    /**
     * Parses DER/PEM bytes as an X.509 certificate; see {@link #generateCertificate(byte[], String, Provider)}.
     *
     * @return the certificate, or null if {@code bArr} is null
     */
    public static X509Certificate generateX509Certificate(byte[] bArr, Provider provider) throws CertificateException, NoSuchProviderException {
        Certificate parsed = generateCertificate(bArr, "X.509", provider);
        return (X509Certificate) parsed;
    }

    /**
     * Parses certificate bytes with a CertificateFactory of the given type.
     *
     * @param bArr the encoded certificate; null yields null
     * @param str the factory type, e.g. "X.509"; null yields null
     * @param provider the provider to use, or null for the default lookup
     * @return the parsed certificate, or null when either input is null
     * @throws CertificateException if the type is unsupported or the bytes do not parse
     * @throws NoSuchProviderException declared for callers; not thrown by the provider-object overload used here
     */
    public static Certificate generateCertificate(byte[] bArr, String str, Provider provider) throws CertificateException, NoSuchProviderException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "generateX509Certificate(byte[] binary[" + bArr + "],String type[" + str + "],Provider provider[" + provider + "])");
        }
        Certificate parsed = null;
        if (bArr != null && str != null) {
            CertificateFactory factory;
            if (provider == null) {
                factory = CertificateFactory.getInstance(str);
            } else {
                factory = CertificateFactory.getInstance(str, provider);
            }
            parsed = factory.generateCertificate(new ByteArrayInputStream(bArr));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "generateX509Certificate(byte[] binary,String type,Provider provider) returns Certificate[" + parsed + "]");
        }
        return parsed;
    }

    /**
     * Encodes the certificate chain stored under {@code str} in the key store as a PkiPath.
     *
     * @param provider the CertificateFactory provider, or null for the default
     * @param list unused here; accepted for signature parity with {@link #encodePKCS7}
     * @param keyStore the key store holding the chain; null yields null
     * @param str the alias; null yields null
     * @return the PkiPath encoding, or null if the store, alias or chain is absent
     */
    public static byte[] encodePkiPath(Provider provider, List list, KeyStore keyStore, String str) throws CertificateException, KeyStoreException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "encodePkiPath(Provider provider[" + provider + "],List certStores[" + list + "],KeyStore kstore[" + keyStore + "],String alias[" + str + "])");
        }
        byte[] encoded = null;
        boolean haveKeyRef = keyStore != null && str != null;
        if (haveKeyRef) {
            CertPath path = getCertPath(keyStore, str, provider);
            if (path != null) {
                encoded = path.getEncoded("PkiPath");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "encodePkiPath(Provider provider,CertStores certStores,KeyStore kstore,String alias) returns byte[][" + encoded + "]");
        }
        return encoded;
    }

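    /**
     * Encodes the certificate chain under {@code str}, plus every CRL found in the given cert
     * stores, as a PKCS#7 SignedData ContentInfo.
     *
     * @param provider unused here; accepted for signature parity with {@link #encodePkiPath}
     * @param list a List of CertStore instances to harvest CRLs from, may be null
     * @param keyStore the key store holding the chain; null yields null
     * @param str the alias; null yields null
     * @return the DER-encoded ContentInfo, or null if the store, alias or chain is absent
     */
    public static byte[] encodePKCS7(Provider provider, List list, KeyStore keyStore, String str) throws CertStoreException, KeyStoreException, IOException, SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "encodePKCS7(Provider provider[" + provider + "],List certStores[" + list + "],KeyStore kstore[" + keyStore + "],String alias[" + str + "])");
        }
        byte[] encoded = null;
        if (keyStore != null && str != null) {
            X509CRL[] crls = extractCRLs(list);
            if (tc.isDebugEnabled()) {
                listCrlContents(crls);
            }
            Content signedData = getSignedData(keyStore, str, crls);
            // getSignedData() returns null when the alias has no certificate chain; mirror encodePkiPath()
            // and return null instead of handing a null Content to the encoder.
            if (signedData != null) {
                encoded = getBinaryEncodedContent(signedData);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "encodePKCS7(Provider provider,List certStores,KeyStore kstore,String alias) returns byte[][" + encoded + "]");
        }
        return encoded;
    }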

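    /**
     * Collects every CRL from each CertStore in the list into a single array.
     *
     * @param list a List of CertStore instances, may be null or empty
     * @return the CRLs found (possibly empty), in store order
     * @throws CertStoreException propagated from a store's CRL lookup
     * @throws ClassCastException if a list element is not a CertStore
     */
    private static X509CRL[] extractCRLs(List list) throws CertStoreException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "extractCRLs(List certStores[" + list + "])");
        }
        List<X509CRL> found = new ArrayList<X509CRL>();
        if (list != null && !list.isEmpty()) {
            // An unconstrained X509CRLSelector matches every X509CRL in the store.
            X509CRLSelector matchAll = new X509CRLSelector();
            for (Object element : list) {
                CertStore store = (CertStore) element;
                Collection<? extends CRL> crls = store.getCRLs(matchAll);
                if (crls != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, crls.size() + " CRLs found in the cert store[" + store + "].");
                    }
                    for (CRL crl : crls) {
                        // X509CRLSelector only matches X509CRL instances, so the cast holds.
                        found.add((X509CRL) crl);
                    }
                }
            }
        }
        X509CRL[] result = found.toArray(new X509CRL[found.size()]);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "extractCRLs(List certStores) returns X509CRL[] " + result);
        }
        return result;
    }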

    /**
     * Debug aid: dumps each X509CRL in the collection via {@link #listCrlContents(X509CRL)}.
     * Does nothing unless debug tracing is enabled.
     *
     * @param collection a Collection of X509CRL, may be null or empty
     */
    public static void listCrlContents(Collection collection) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "listCrlContents(Collection crlList [" + (collection == null ? AppConstants.NULL_STRING : collection.isEmpty() ? "empty" : "populated") + "])");
        }
        boolean shouldDump = tc.isDebugEnabled() && collection != null && !collection.isEmpty();
        if (shouldDump) {
            for (Object item : collection) {
                listCrlContents((X509CRL) item);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "listCrlContents(Collection)");
        }
    }

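    /**
     * Debug aid: dumps the CRL's issuer and the serial numbers of its revoked certificates.
     * Does nothing unless debug tracing is enabled; a failure while reading the CRL is
     * reported at debug level and never propagated.
     *
     * @param x509crl the CRL to dump, may be null
     */
    public static void listCrlContents(X509CRL x509crl) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "listCrlContents(X509CRL crl [" + (x509crl == null ? AppConstants.NULL_STRING : "not null") + "])");
        }
        if (tc.isDebugEnabled() && x509crl != null) {
            try {
                // getIssuerX500Principal() replaces the deprecated getIssuerDN(), matching the subject handling elsewhere in this class.
                Tr.debug(tc, "Issuer: " + x509crl.getIssuerX500Principal().getName());
                Tr.debug(tc, "Revoked certificates:");
                Set<? extends X509CRLEntry> revoked = x509crl.getRevokedCertificates();
                if (revoked == null) {
                    Tr.debug(tc, "  None");
                } else {
                    for (X509CRLEntry entry : revoked) {
                        if (entry != null) {
                            BigInteger serial = entry.getSerialNumber();
                            Tr.debug(tc, " " + serial.toString(10) + "=0x" + serial.toString(16));
                        }
                    }
                }
            } catch (Exception e) {
                // Diagnostics must not fail the caller, but the reason should be visible in the trace.
                Tr.debug(tc, "Unable to list CRL contents: " + e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "listCrlContents(X509CRL)");
        }
    }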

    /**
     * Debug aid: dumps each CRL in the array via {@link #listCrlContents(X509CRL)}.
     * Does nothing unless debug tracing is enabled.
     *
     * @param x509crlArr the CRLs to dump, may be null or empty
     */
    public static void listCrlContents(X509CRL[] x509crlArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "listCrlContents(X509CRL[] crls [" + (x509crlArr == null ? AppConstants.NULL_STRING : x509crlArr.length == 0 ? "empty" : "populated") + "])");
        }
        boolean shouldDump = tc.isDebugEnabled() && x509crlArr != null;
        if (shouldDump) {
            for (int idx = 0; idx < x509crlArr.length; idx++) {
                listCrlContents(x509crlArr[idx]);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "listCrlContents(X509CRL[])");
        }
    }

    /**
     * Debug aid: dumps subject, serial number and full text of each X509Certificate in the
     * collection. Returns immediately (without entry/exit trace) unless debug tracing is
     * enabled and the collection is non-empty.
     *
     * @param collection a Collection of X509Certificate, may be null or empty
     */
    public static void listCertContents(Collection collection) {
        boolean nothingToDo = !tc.isDebugEnabled() || collection == null || collection.isEmpty();
        if (nothingToDo) {
            return;
        }
        if (tc.isEntryEnabled()) {
            // The collection is known non-null and non-empty at this point.
            Tr.entry(tc, "listCertContents(Collection certList [" + "populated" + "])");
        }
        for (Object item : collection) {
            X509Certificate cert = (X509Certificate) item;
            BigInteger serial = cert.getSerialNumber();
            Tr.debug(tc, "Subject: " + cert.getSubjectX500Principal().getName() + " SN: " + serial.toString(10) + "=0x" + serial.toString(16));
            Tr.debug(tc, cert.toString());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "listCertContents(Collection)");
        }
    }

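    /**
     * Debug aid: dumps the CRLs and certificates of every CertStore in the parameters.
     * Returns immediately (without entry/exit trace) unless debug tracing is enabled and the
     * parameters are non-null; a failure while reading a store is reported at debug level and
     * never propagated.
     *
     * @param pKIXParameters the parameters whose cert stores are listed, may be null
     */
    public static void listCertData(PKIXParameters pKIXParameters) {
        if (!tc.isDebugEnabled() || pKIXParameters == null) {
            return;
        }
        if (tc.isEntryEnabled()) {
            // pKIXParameters is known non-null at this point.
            Tr.entry(tc, "listCertData(PKIXParameters pkixParams [" + "not null" + "])");
        }
        try {
            List<CertStore> stores = pKIXParameters.getCertStores();
            if (stores == null) {
                Tr.debug(tc, "  None");
            } else {
                // Unconstrained selectors match everything in the store.
                X509CRLSelector anyCrl = new X509CRLSelector();
                X509CertSelector anyCert = new X509CertSelector();
                int ordinal = 1;
                for (CertStore store : stores) {
                    Tr.debug(tc, "  CertStore #" + ordinal++);
                    listCrlContents(store.getCRLs(anyCrl));
                    listCertContents(store.getCertificates(anyCert));
                }
            }
        } catch (Exception e) {
            // Diagnostics must not fail the caller, but the reason should be visible in the trace.
            Tr.debug(tc, "listCertData stopped: " + e);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "listCertData");
        }
    }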

    /**
     * Builds a PKCS#7 SignedData carrying the key store's certificate chain for the alias and the given CRLs.
     *
     * @param keyStore the key store to read the chain from (must not be null)
     * @param str the alias
     * @param crlArr CRLs to embed, may be empty
     * @return the SignedData, or null if the alias has no certificate chain
     * @throws KeyStoreException if the key store is not initialized
     */
    private static Content getSignedData(KeyStore keyStore, String str, CRL[] crlArr) throws KeyStoreException, IOException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSignedData(KeyStore ks[" + keyStore + "], String alias[" + str + "], CRL[] crls[" + crlArr + "])");
        }
        Certificate[] chain = keyStore.getCertificateChain(str);
        SignedData signed = null;
        if (chain != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, chain.length + " certificates found");
            }
            signed = new SignedData(chain, crlArr);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSignedData(KeyStore ks, String alias, CRL[] crls,  returns SignedData[" + signed + "]");
        }
        return signed;
    }

    /**
     * Wraps the content in a PKCS#7 ContentInfo and returns its DER encoding.
     *
     * @param content the content to wrap
     * @return the encoded bytes
     * @throws IOException if encoding fails
     */
    private static byte[] getBinaryEncodedContent(Content content) throws IOException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getBinaryEncodedContent(Content data[" + content + "])");
        }
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        new ContentInfo(content).encode(buffer);
        byte[] encoded = buffer.toByteArray();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getBinaryEncodedContent(Content data) returns byte[] " + encoded);
        }
        return encoded;
    }

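    /**
     * Turns the key store's certificate chain for the alias into an X.509 CertPath.
     * The factory call runs under {@code AccessController.doPrivileged} so that a caller with
     * reduced permissions can still generate the path.
     *
     * @param keyStore the key store to read the chain from (must not be null)
     * @param str the alias
     * @param provider the CertificateFactory provider, or null for the default
     * @return the CertPath, or null if the alias has no certificate chain
     * @throws KeyStoreException if the key store is not initialized
     * @throws CertificateException if the factory is unavailable or path generation fails
     */
    private static CertPath getCertPath(KeyStore keyStore, String str, Provider provider) throws KeyStoreException, CertificateException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCertPath(KeyStore ks[" + keyStore + "], String alias[" + str + "], Provider provider[" + provider + "])");
        }
        CertPath path = null;
        Certificate[] chain = keyStore.getCertificateChain(str);
        if (chain == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Acquired certificate chain is null.");
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, chain.length + " certificates found");
            }
            final List<Certificate> chainList = new ArrayList<Certificate>(chain.length);
            for (Certificate cert : chain) {
                chainList.add(cert);
            }
            final CertificateFactory factory = provider == null ? CertificateFactory.getInstance("X.509") : CertificateFactory.getInstance("X.509", provider);
            try {
                path = AccessController.doPrivileged(new PrivilegedExceptionAction<CertPath>() {
                    @Override
                    public CertPath run() throws CertificateException {
                        return factory.generateCertPath(chainList);
                    }
                });
            } catch (PrivilegedActionException e) {
                // Unwrap the checked exception thrown inside run(); anything else is re-wrapped with its cause kept.
                Throwable cause = e.getCause();
                if (cause instanceof CertificateException) {
                    throw (CertificateException) cause;
                }
                throw new CertificateException(cause);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCertPath(KeyStore ks, String alias,Provider provider) returns CertPath[" + path + "]");
        }
        return path;
    }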

    /**
     * Decodes a CertPath from bytes using a CertificateFactory of the given type and encoding.
     *
     * @param bArr the encoded path; null yields null
     * @param str the factory type, e.g. "X.509"; null yields null
     * @param str2 the path encoding, e.g. "PkiPath" or "PKCS7"; null yields null
     * @param provider the provider to use, or null for the default lookup
     * @return the decoded path, or null when any input is null
     * @throws CertificateException if the type or encoding is unsupported or the bytes do not parse
     */
    public static CertPath generateCertPath(byte[] bArr, String str, String str2, Provider provider) throws CertificateException, NoSuchProviderException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "generateCertPath(byte[] binary[" + bArr + "],String factoryType[" + str + "],String encodingType[" + str2 + "],Provider provider[" + provider + "])");
        }
        CertPath decoded = null;
        boolean haveInputs = bArr != null && str != null && str2 != null;
        if (haveInputs) {
            CertificateFactory factory;
            if (provider == null) {
                factory = CertificateFactory.getInstance(str);
            } else {
                factory = CertificateFactory.getInstance(str, provider);
            }
            decoded = factory.generateCertPath(new ByteArrayInputStream(bArr), str2);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "generateCertPath(byte[] binary,String factoryType,String encoingType,Provider provider) returns CertPath[" + decoded + "]");
        }
        return decoded;
    }

    /**
     * Decodes one or more CRLs from bytes using a CertificateFactory of the given type.
     *
     * @param bArr the encoded CRL(s); null yields null
     * @param str the factory type, e.g. "X.509"; null yields null
     * @param provider the provider to use, or null for the default lookup
     * @return the decoded CRLs, or null when either input is null
     * @throws CertificateException if the factory type is unsupported
     * @throws CRLException if the bytes do not parse
     */
    public static Collection generateCRLs(byte[] bArr, String str, Provider provider) throws CertificateException, CRLException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "generateCRLs(byte[] binary[" + bArr + "],String factoryType[" + str + "],Provider provider[" + provider + "])");
        }
        Collection<? extends CRL> decoded = null;
        boolean haveInputs = bArr != null && str != null;
        if (haveInputs) {
            CertificateFactory factory;
            if (provider == null) {
                factory = CertificateFactory.getInstance(str);
            } else {
                factory = CertificateFactory.getInstance(str, provider);
            }
            decoded = factory.generateCRLs(new ByteArrayInputStream(bArr));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "generateCRLs(byte[] binary,String factoryType,Provider provider) returns Collection[" + decoded + "]");
        }
        return decoded;
    }

    /**
     * Validates a certificate against the PKIX parameters.
     *
     * <p>If the certificate is itself one of the trust anchors, only its validity period is
     * checked (via {@code checkValidity()}) and no path is built or validated — in that case the
     * result is null. Otherwise a path is built with {@link #buildCertPath} and validated with
     * {@link #validateCertPath}. Note that a null result therefore means either "anchor" or
     * "builder returned null"; callers cannot tell the two apart from the return value.
     *
     * @param x509Certificate the certificate to validate; null yields null
     * @param provider the CertPathBuilder provider, or null for the default
     * @param pKIXParameters trust anchors and policy; null yields null
     * @return the validator result, or null as described above
     * @throws CertificateExpiredException if the anchor-matching certificate has expired
     * @throws CertificateNotYetValidException if the anchor-matching certificate is not yet valid
     */
    public static PKIXCertPathValidatorResult validateX509Certificate(X509Certificate x509Certificate, Provider provider, PKIXParameters pKIXParameters) throws CertPathBuilderException, CertPathValidatorException, CertStoreException, KeyStoreException, InvalidAlgorithmParameterException, IOException, NoSuchAlgorithmException, CertificateExpiredException, CertificateNotYetValidException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateX509Certificate(X509Certificate cert[" + x509Certificate + "], Provider provider[" + provider + "],PKIXParameters params[" + pKIXParameters + "])");
        }
        PKIXCertPathValidatorResult result = null;
        if (x509Certificate != null && pKIXParameters != null) {
            boolean isAnchor = false;
            Set<TrustAnchor> anchors = pKIXParameters.getTrustAnchors();
            if (anchors != null && !anchors.isEmpty()) {
                for (TrustAnchor anchor : anchors) {
                    // Key-only anchors have no trusted certificate; equals(null) is simply false.
                    X509Certificate anchorCert = anchor.getTrustedCert();
                    if (!x509Certificate.equals(anchorCert)) {
                        continue;
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Target certificate found in trust store.  Checking certificate's validity.");
                    }
                    anchorCert.checkValidity();
                    isAnchor = true;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Target certificate found in trust store and is valid. Skipping CertPath build and validate.");
                    }
                }
            }
            if (!isAnchor) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Target certificate not found in trust store.");
                }
                CertPathBuilderResult built = buildCertPath(x509Certificate, null, pKIXParameters, provider, false);
                if (built != null) {
                    result = validateCertPath(built.getCertPath(), pKIXParameters);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateX509Certificate(X509Certificate cert, Provider provider,PKIXParameters params) returns PKIXCertPathValidatorResult[" + result + "]");
        }
        return result;
    }

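    /**
     * Runs PKIX validation over an already-built certification path.
     *
     * @param certPath the path to validate; null yields a null result
     * @param pKIXParameters trust anchors and policy for the validation; null yields a null result
     * @return the validator result, or null when either argument is null
     * @throws CertPathValidatorException if the path does not validate
     * @throws InvalidAlgorithmParameterException if the parameters are not usable by the PKIX validator
     * @throws NoSuchAlgorithmException if no PKIX validator is available
     */
    public static PKIXCertPathValidatorResult validateCertPath(CertPath certPath, PKIXParameters pKIXParameters) throws CertPathValidatorException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateCertPath(CertPath path[" + certPath + "],PKIXParameters params[" + pKIXParameters + "])");
        }
        PKIXCertPathValidatorResult result = null;
        // Both inputs are required. The earlier guard tested pKIXParameters == null, which skipped validation
        // for every real parameter set and only reached the validator with null parameters (which it rejects).
        if (certPath != null && pKIXParameters != null) {
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            result = (PKIXCertPathValidatorResult) validator.validate(certPath, pKIXParameters);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateCertPath(CertPath path,PKIXParameters params) returns PKIXCertPathValidatorResult[" + result + "]");
        }
        return result;
    }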

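    /**
     * Parses an unsigned hexadecimal serial number (upper- or lower-case digits, no prefix or sign).
     *
     * @param str the hex string; null yields null, the empty string yields zero
     * @return the serial number with every digit preserved
     * @throws ParseException at the offset of the first non-hex character
     */
    public static BigInteger convertSerialNumber(String str) throws ParseException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "convertSerialNumber(String data[" + str + "])");
        }
        BigInteger serial = null;
        if (str != null) {
            // Validate character by character first so the reported offset matches the old digit-by-digit parser.
            for (int pos = 0; pos < str.length(); pos++) {
                char c = str.charAt(pos);
                boolean isHex = ('0' <= c && c <= '9') || ('a' <= c && c <= 'f') || ('A' <= c && c <= 'F');
                if (!isHex) {
                    throw new ParseException("Illegal character: " + c, pos);
                }
            }
            // RFC 5280 allows serial numbers up to 20 octets (40 hex digits); the previous 64-bit accumulator
            // silently discarded the high-order digits of anything longer than 16.
            serial = str.length() == 0 ? BigInteger.ZERO : new BigInteger(str, 16);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "convertSerialNumber(String data) returns BigInteger[" + serial + "]");
        }
        return serial;
    }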

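    /**
     * Builds a PKIX certification path from {@code x509Certificate} up to one of the trust
     * anchors held in {@code pKIXParameters}.
     *
     * <p>The target-certificate selector of {@code pKIXParameters} is narrowed to the
     * subject of {@code x509Certificate}. Unless {@code z} (isPkcs7) is {@code true}, the
     * candidate certificates are added to the parameters as a "Collection" cert store:
     * just {@code x509Certificate} when {@code certPath} is {@code null}, otherwise every
     * certificate of {@code certPath} plus {@code x509Certificate} if the path does not
     * already contain it. When {@code z} is {@code true} the parameters are assumed to be
     * populated already and nothing is added.
     *
     * <p>Certificates taken from the inbound path are untrusted input: they serve only as
     * path-building candidates, and trust is established solely against the anchors
     * already present in {@code pKIXParameters}.
     *
     * @param x509Certificate the end-entity certificate the path must start from
     * @param certPath the certificate path received with the token, or {@code null}
     * @param pKIXParameters builder parameters carrying the trust anchors; mutated in place
     * @param provider the JCE provider to use, or {@code null} for the default
     * @param z {@code true} if the certificates are already present in {@code pKIXParameters}
     * @return the result of the path build (never {@code null}; the builder throws instead)
     * @throws CertPathBuilderException if no path to a trust anchor can be built
     * @throws InvalidAlgorithmParameterException if the parameters are rejected
     * @throws NoSuchAlgorithmException if the PKIX builder or Collection store is unavailable
     * @throws IOException if the subject of {@code x509Certificate} cannot be encoded
     */
    public static CertPathBuilderResult buildCertPath(X509Certificate x509Certificate, CertPath certPath, PKIXParameters pKIXParameters, Provider provider, boolean z) throws CertPathBuilderException, CertPathValidatorException, CertStoreException, KeyStoreException, InvalidAlgorithmParameterException, IOException, NoSuchAlgorithmException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "buildCertPath(cert, path, pkixParams, provider)");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "cert [" + (x509Certificate == null ? AppConstants.NULL_STRING : "not null") + "], path [" + (certPath == null ? AppConstants.NULL_STRING : "not null") + "], pkixParams [" + (pKIXParameters == null ? AppConstants.NULL_STRING : "not null") + "], isPkcs7 [" + z + "]");
        }
        CertPathBuilder certPathBuilder = provider == null ? CertPathBuilder.getInstance("PKIX") : CertPathBuilder.getInstance("PKIX", provider);
        // getTargetCertConstraints() is null when no selector has been set yet; start
        // from an empty selector rather than dereferencing null.
        X509CertSelector x509CertSelector = (X509CertSelector) pKIXParameters.getTargetCertConstraints();
        if (x509CertSelector == null) {
            x509CertSelector = new X509CertSelector();
        }
        x509CertSelector.setSubject(x509Certificate.getSubjectX500Principal().getEncoded());
        pKIXParameters.setTargetCertConstraints(x509CertSelector);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "CertPathProvider = " + (provider == null ? "default" : provider.getName()));
            Tr.debug(tc, "CertPath Builder = " + certPathBuilder.getClass().getName());
            Tr.debug(tc, "CertPath Selector = " + x509CertSelector.getClass().getName());
            Tr.debug(tc, "SubjectDN = " + x509Certificate.getSubjectX500Principal().getName());
        }
        HashSet<Certificate> hashSet = null;
        if (certPath == null) {
            hashSet = new HashSet<Certificate>();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding single cert to pkixParams");
            }
            hashSet.add(x509Certificate);
        } else if (!z) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding all certs in the path to pkixParams");
            }
            hashSet = new HashSet<Certificate>(certPath.getCertificates());
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificates in path:");
                listCertContents(hashSet);
            }
            if (!hashSet.contains(x509Certificate)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Adding primary cert to pkixParams");
                }
                hashSet.add(x509Certificate);
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Certs already populated in pkixParams");
        }
        if (hashSet != null) {
            CollectionCertStoreParameters storeParams = new CollectionCertStoreParameters(hashSet);
            pKIXParameters.addCertStore(provider == null ? CertStore.getInstance("Collection", storeParams) : CertStore.getInstance("Collection", storeParams, provider));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Final pkixParams before build: [" + pKIXParameters + "]");
            Tr.debug(tc, "Certificate data in final pkixParams:");
            listCertData(pKIXParameters);
        }
        // CertPathBuilder.getInstance() never returns null, so the build is unconditional.
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Building the cert path...");
        }
        CertPathBuilderResult certPathBuilderResult = certPathBuilder.build(pKIXParameters);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "CertPathBuilderResult=" + certPathBuilderResult);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "buildCertPath");
        }
        return certPathBuilderResult;
    }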

    /**
     * Derives the cache index under which a consumed certificate is stored.
     *
     * <p>The index is the concatenation of a certificate part and a configuration part.
     * For X.509 tokens ({@code z == true}) the certificate part is {@code str} itself;
     * otherwise it is the decimal {@code String.hashCode()} of {@code str}. The
     * configuration part is the decimal {@code hashCode()} of {@code tokenConsumerConfig}.
     * A part whose input is {@code null} is rendered by string concatenation as the
     * literal text {@code "null"}.
     *
     * <p>NOTE(review): the non-X.509 branch keys the cache on a 32-bit hash of the encoded
     * certificate, so two distinct certificates can map to the same index; confirm that
     * the consumer of this index verifies the cached entry rather than trusting the key.
     *
     * @param str the encoded certificate, or {@code null}
     * @param tokenConsumerConfig the consumer configuration, or {@code null}
     * @param z {@code true} for X.509 tokens
     * @return the cache index; never {@code null}
     */
    public static String buildCertIndex(String str, TokenConsumerConfig tokenConsumerConfig, boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "buildCertIndex(encoded[" + (str == null ? AppConstants.NULL_STRING : "not null") + "], config[" + (tokenConsumerConfig == null ? AppConstants.NULL_STRING : "not null") + "], isX509 [" + z + "])");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Building certificate cache index.");
        }
        String configHash = tokenConsumerConfig == null ? null : Integer.toString(tokenConsumerConfig.hashCode());
        String certHash = null;
        String index;
        if (z) {
            index = str + configHash;
        } else {
            if (str != null) {
                certHash = Integer.toString(str.hashCode());
            }
            index = certHash + configHash;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Hash code of the config object = " + configHash);
            if (certHash != null) {
                Tr.debug(tc, "Hash code of encoded cert string = " + certHash);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "buildCertIndex() returns x509CertIndex = " + index);
        }
        return index;
    }

    /**
     * Builds PKIX builder parameters for the given callback and consumer configuration
     * without forcing the trust-anchor keystore to be reloaded.
     *
     * @param x509ConsumeCallback the consume callback supplying trust-anchor settings and cert stores
     * @param tokenConsumerConfig the token consumer configuration, or {@code null}
     * @param map the policy property map consulted for the revocation setting
     * @return the populated builder parameters
     * @throws LoginException if the trust store cannot be loaded or the parameters rejected
     */
    public static PKIXBuilderParameters createPKIXBuilderParameters(X509ConsumeCallback x509ConsumeCallback, TokenConsumerConfig tokenConsumerConfig, Map map) throws LoginException {
        final boolean reloadKeystore = false;
        return createPKIXBuilderParameters(x509ConsumeCallback, tokenConsumerConfig, map, reloadKeystore);
    }

    /**
     * Builds PKIX builder parameters like {@code createPKIXBuilderParameters}, but asks
     * the keystore manager to reload the trust-anchor keystore first.
     *
     * @param x509ConsumeCallback the consume callback supplying trust-anchor settings and cert stores
     * @param tokenConsumerConfig the token consumer configuration, or {@code null}
     * @param map the policy property map consulted for the revocation setting
     * @return the populated builder parameters
     * @throws LoginException if the trust store cannot be loaded or the parameters rejected
     */
    public static PKIXBuilderParameters reCreatePKIXBuilderParameters(X509ConsumeCallback x509ConsumeCallback, TokenConsumerConfig tokenConsumerConfig, Map map) throws LoginException {
        final boolean reloadKeystore = true;
        return createPKIXBuilderParameters(x509ConsumeCallback, tokenConsumerConfig, map, reloadKeystore);
    }

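    /**
     * Resolves the trust-anchor keystore from the callback/configuration pair and builds
     * PKIX builder parameters from it.
     *
     * <p>The trust anchor location, type and password come from
     * {@code getTrustAnchor(x509ConsumeCallback, tokenConsumerConfig)}; the keystore is
     * obtained through {@link KeyStoreManager}; the callback's cert stores and the
     * {@code PIC_REVOCATION_ENABLED} property of {@code map} complete the parameters.
     *
     * @param x509ConsumeCallback the consume callback, or {@code null} (then no cert stores are added)
     * @param tokenConsumerConfig the token consumer configuration, or {@code null}
     * @param map the policy property map consulted for the revocation setting
     * @param z {@code true} to force the keystore manager to reload the trust store
     * @return the populated builder parameters
     * @throws LoginException wrapping any failure to load the trust store or build the parameters
     */
    public static PKIXBuilderParameters createPKIXBuilderParameters(X509ConsumeCallback x509ConsumeCallback, TokenConsumerConfig tokenConsumerConfig, Map map, boolean z) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createPKIXBuilderParameters(X509ConsumeCallback, TokenConsumerConfig, Map, reloadKeystore=" + z + ")");
        }
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance();
        KeyStoreConfig trustAnchor = getTrustAnchor(x509ConsumeCallback, tokenConsumerConfig);
        try {
            // KeyStoreConfig exposes the password as a String; it is only converted to the
            // char[] the keystore API expects here.
            String password = trustAnchor.getPassword();
            KeyStore trustStore = keyStoreManager.getKeyStore(trustAnchor.getPath(), trustAnchor.getType(), password == null ? null : password.toCharArray(), trustAnchor.getKsRef(), z);
            // getTrustAnchor() tolerates a null callback; do the same here instead of
            // letting an NPE surface as a LoginException with a null message.
            List certStores = x509ConsumeCallback == null ? null : x509ConsumeCallback.getCertStores();
            boolean revocationEnabled = ConfigUtil.getIsTrueProperty(map, PolicyInboundConfig.PIC_REVOCATION_ENABLED);
            PKIXBuilderParameters createPKIXBuilderParameters = createPKIXBuilderParameters(trustStore, certStores, revocationEnabled, z);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createPKIXBuilderParameters(X509ConsumeCallback, TokenConsumerConfig, Map, reloadKeystore)");
            }
            return createPKIXBuilderParameters;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".createPKIXBuilderParameters", "1050");
            LoginException loginException = new LoginException(e.getMessage());
            loginException.initCause(e);
            throw loginException;
        }
    }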

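    /**
     * Builds PKIX builder parameters whose trust anchors are the trusted certificates of
     * {@code keyStore}.
     *
     * <p>Every element of {@code list} is added as a {@link CertStore}. Revocation checking
     * is enabled only when {@code list} is non-null and {@code z} is {@code true}; with a
     * {@code null} list it is switched off regardless of {@code z}.
     *
     * <p>NOTE(review): a missing cert-store list therefore silently disables revocation
     * checking even when the policy asked for it; confirm that failing open here is
     * intended rather than rejecting the configuration.
     *
     * @param keyStore the trust store whose trusted certificates become the anchors
     * @param list the cert stores to add (elements must be {@link CertStore}), or {@code null}
     * @param z {@code true} to enable revocation checking
     * @param z2 reloadKeystore flag; accepted for interface compatibility, only traced here
     * @return the populated builder parameters
     * @throws LoginException wrapping an {@link InvalidAlgorithmParameterException}
     *         (no trusted certificates), a {@link KeyStoreException}, or any other failure
     */
    public static PKIXBuilderParameters createPKIXBuilderParameters(KeyStore keyStore, List list, boolean z, boolean z2) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createPKIXBuilderParameters(trustAnchor[" + ConfigUtil.getObjState(keyStore) + "], certStores[" + ConfigUtil.getObjState(list) + "], isRevocationEnabled=" + z + ", reloadKeystore=" + z2 + ")");
        }
        PKIXBuilderParameters pKIXBuilderParameters = null;
        try {
            pKIXBuilderParameters = new PKIXBuilderParameters(keyStore, new X509CertSelector());
            // a null date means "validate against the current time" when the path is built
            pKIXBuilderParameters.setDate(null);
            boolean revocationEnabled = false;
            if (list != null) {
                for (Object certStore : list) {
                    pKIXBuilderParameters.addCertStore((CertStore) certStore);
                }
                revocationEnabled = z;
            }
            pKIXBuilderParameters.setRevocationEnabled(revocationEnabled);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, revocationEnabled ? " RevocationEnabled." : " Revocation Not Enabled.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createPKIXBuilderParameters(trustAnchor, certStores, isRevocationEnabled, reloadKeystore) returns:" + pKIXBuilderParameters);
            }
            return pKIXBuilderParameters;
        } catch (InvalidAlgorithmParameterException e) {
            Tr.processException(e, clsName + ".createPKIXBuilderParameters", "1298");
            // The constructor is the only statement above that throws this exception, so
            // pKIXBuilderParameters is still null here; dereferencing it would replace the
            // real failure with a NullPointerException.
            String paramsText = pKIXBuilderParameters == null ? "" : pKIXBuilderParameters.toString();
            String message = ConfigUtil.getMessage("security.wssecurity.WSSecurityDefaultConsumerConfig.s03", new String[]{paramsText});
            Tr.error(tc, message);
            LoginException loginException = new LoginException(message);
            loginException.initCause(e);
            throw loginException;
        } catch (KeyStoreException e2) {
            Tr.processException(e2, clsName + ".createPKIXBuilderParameters", "1309");
            String message2 = ConfigUtil.getMessage("security.wssecurity.CommonReceiverConfig.s12", new String[]{e2.getMessage()});
            Tr.error(tc, message2);
            LoginException loginException2 = new LoginException(message2);
            loginException2.initCause(e2);
            throw loginException2;
        } catch (Exception e3) {
            Tr.processException(e3, clsName + ".createPKIXBuilderParameters", "1318");
            String message3 = ConfigUtil.getMessage("security.wssecurity.WSSecurityDefaultConsumerConfig.s01", new String[]{e3.getMessage()});
            Tr.error(tc, message3);
            LoginException loginException3 = new LoginException(message3);
            loginException3.initCause(e3);
            throw loginException3;
        }
    }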

    /**
     * Merges the trust-anchor keystore settings from the callback and the consumer
     * configuration into a single {@link KeyStoreConfig}.
     *
     * <p>Values supplied by {@code x509ConsumeCallback} take precedence: its path, type and
     * password are copied first. When the callback supplied no path, the path, type and
     * password of the configured trust anchor are used instead. The keystore reference
     * ({@code _ksRef}) always comes from the configured trust anchor when one exists.
     *
     * <p>NOTE(review): the callback's {@code char[]} password is copied into a String
     * because {@code KeyStoreConfImpl._password} is a String, so it cannot be cleared
     * afterwards; and the exit trace stringifies the whole config object — confirm that
     * {@code KeyStoreConfImpl.toString()} does not include {@code _password}.
     *
     * @param x509ConsumeCallback the consume callback, or {@code null}
     * @param tokenConsumerConfig the token consumer configuration, or {@code null}
     * @return the merged keystore settings; never {@code null}, fields may be unset
     */
    private static KeyStoreConfig getTrustAnchor(X509ConsumeCallback x509ConsumeCallback, TokenConsumerConfig tokenConsumerConfig) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getTrustAnchor");
        }
        PrivateCommonConfig.KeyStoreConfImpl anchor = new PrivateCommonConfig.KeyStoreConfImpl();
        if (x509ConsumeCallback == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "x509Callback is null");
            }
        } else {
            anchor._path = x509ConsumeCallback.getTrustAnchorPath();
            anchor._type = x509ConsumeCallback.getTrustAnchorType();
            char[] callbackPassword = x509ConsumeCallback.getTrustAnchorPassword();
            anchor._password = (callbackPassword == null) ? null : new String(callbackPassword);
        }
        CallbackHandlerConfig handlerConfig = (tokenConsumerConfig == null) ? null : tokenConsumerConfig.getCallbackHandler();
        KeyStoreConfig configured = (handlerConfig == null) ? null : handlerConfig.getTrustAnchor();
        if (tokenConsumerConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "tconfig is null");
            }
        } else if (handlerConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "tconfig.getCallbackHandler() is null");
            }
        } else if (configured == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "tconfig.getCallbackHandler().getTrustAnchor() is null");
            }
        } else {
            if (anchor._path != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "x509Callback.getTrustAnchorPath() is not null");
                }
            } else {
                // callback gave no path: fall back to the configured trust anchor as a whole
                anchor._path = configured.getPath();
                anchor._type = configured.getType();
                anchor._password = configured.getPassword();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "x509Callback.getTrustAnchorPath() is null");
                }
            }
            anchor._ksRef = configured.getKsRef();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getTrustAnchor returns: " + anchor);
        }
        return anchor;
    }

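    /**
     * Records a textual rendering of the certificate chain in {@code map} under the key
     * {@code "CertChain"} for auditing.
     *
     * <p>The text is the concatenation of: every trusted certificate of the trust anchors
     * in {@code pKIXBuilderParameters}, the first X.509 certificate returned by each of
     * its cert stores, and finally {@code x509Certificate}. Any failure while collecting
     * is reported through the trace facility and whatever was collected so far is still
     * stored, so the audit entry may be partial.
     *
     * @param x509Certificate the end-entity certificate, or {@code null} to omit it
     * @param pKIXBuilderParameters the parameters supplying anchors and stores, or {@code null}
     * @param map the audit map to write into; must not be {@code null}
     */
    public static void auditCertChain(X509Certificate x509Certificate, PKIXBuilderParameters pKIXBuilderParameters, Map<Object, Object> map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "auditCertChain");
        }
        StringBuilder chain = new StringBuilder();
        try {
            if (pKIXBuilderParameters != null) {
                Set<TrustAnchor> trustAnchors = pKIXBuilderParameters.getTrustAnchors();
                if (trustAnchors != null) {
                    for (TrustAnchor anchor : trustAnchors) {
                        X509Certificate trusted = anchor.getTrustedCert();
                        // anchors given by name/public key rather than a certificate have none
                        if (trusted != null) {
                            chain.append(trusted.toString());
                        }
                    }
                }
                List<CertStore> certStores = pKIXBuilderParameters.getCertStores();
                if (certStores != null) {
                    X509CertSelector matchAll = new X509CertSelector();
                    for (CertStore store : certStores) {
                        Collection<? extends Certificate> certificates = store.getCertificates(matchAll);
                        if (certificates != null) {
                            Iterator<? extends Certificate> certs = certificates.iterator();
                            // Only the first certificate of each store is recorded, as in the
                            // original; NOTE(review): confirm whether the whole store was intended.
                            if (certs.hasNext()) {
                                chain.append(certs.next().toString());
                            }
                        }
                    }
                }
            }
            if (x509Certificate != null) {
                chain.append(x509Certificate.toString());
            }
        } catch (Exception e) {
            // Previously e.printStackTrace(); route through the trace facility like the
            // rest of the class. TODO: replace the placeholder with this site's FFDC probe id.
            Tr.processException(e, clsName + ".auditCertChain", "PROBE_ID_PLACEHOLDER");
        }
        String str = chain.toString();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Complete Certificate chain = " + str);
        }
        map.put("CertChain", str);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "auditCertChain");
        }
    }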
}
