package com.ibm.mq.ese.pki;

import com.ibm.disthub2.impl.client.BaseConfig;
import com.ibm.mq.commonservices.internal.utils.RASProperties;
import com.ibm.mq.ese.core.AMBIException;
import com.ibm.mq.ese.core.EseUser;
import com.ibm.mq.ese.core.KeyStoreAccess;
import com.ibm.mq.ese.nls.AmsErrorMessageInserts;
import com.ibm.mq.ese.nls.AmsErrorMessages;
import com.ibm.msg.client.commonservices.trace.Trace;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:lib/com.ibm.mq.jmqi.jar:com/ibm/mq/ese/pki/X509CertificateValidatorImpl.class */
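/**
 * Validates an end-entity X.509 certificate against the trust anchors and
 * intermediate certificates held in an {@link EseUser}'s keystore.
 *
 * <p>The checks run in this order: key-usage bits, basic constraints (the
 * certificate must not be a CA certificate), PKIX path building from the
 * keystore contents, validity period of the chain's trust anchor, CRL lookup
 * through {@link CertAccess}, and finally PKIX path validation. Revocation
 * checking during validation is switched on only when CRLs were loaded, OCSP
 * is enabled via the {@code ocsp.enable} security property, or CRL
 * distribution points are enabled via the {@code com.ibm.security.enableCRLDP}
 * system property and a certificate in the chain (or its anchor) carries a
 * CRLDP extension. Otherwise the path is validated with revocation disabled.
 *
 * <p>Every failure is reported as an {@link InvalidCertificateException}
 * carrying an AMS message key plus the inserts for that message.
 *
 * <p>The class holds no mutable state of its own beyond the {@link CertAccess}
 * collaborator supplied at construction.
 */
public class X509CertificateValidatorImpl implements X509CertificateValidator {
    static final String copyright_notice = "Licensed Materials - Property of IBM 5724-H72, 5655-R36, 5724-L26, 5655-L82, 5724-Z94 (c) Copyright IBM Corp. 2011, 2012 All Rights Reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.";
    public static final String sccsid = "@(#) MQMBID sn=p750-004-140807 su=_pY8W4B4HEeS1ypf5zzZGLw pn=com.ibm.mq.ese/src/com/ibm/mq/ese/pki/X509CertificateValidatorImpl.java";
    /** OID of the X.509 CRL Distribution Points extension (id-ce-cRLDistributionPoints). */
    private static final String CRLDP_EXTENSION_OID = "2.5.29.31";
    /** Component name passed to the Trace API; a compile-time constant so it is usable in the static initializer. */
    private static final String TRACE_CLASS = "com.ibm.mq.ese.pki.X509CertificateValidatorImpl";
    /** Fully qualified class name used as the component for AMS error logging. */
    private static final String CLASS;
    /** Source of CRLs for a built chain; supplied by the caller. */
    private final CertAccess certAccess;

    /**
     * Creates a validator that obtains CRLs from the given accessor.
     *
     * @param certAccess CRL source used during validation (not checked for null here)
     */
    public X509CertificateValidatorImpl(CertAccess certAccess) {
        this.certAccess = certAccess;
    }

    /**
     * Validates the certificate with strict key-usage matching (every requested
     * bit must have its expected value).
     *
     * @see #validateX509Certificate(X509Certificate, boolean[], int[], boolean, EseUser)
     */
    @Override
    public void validateX509Certificate(X509Certificate x509Certificate, boolean[] zArr, int[] iArr, EseUser eseUser) throws InvalidCertificateException {
        validateX509Certificate(x509Certificate, zArr, iArr, true, eseUser);
    }

    /**
     * Validates an end-entity certificate against the user's keystore.
     *
     * @param x509Certificate certificate under test; must not be null
     * @param zArr expected key-usage bit values, indexed by key-usage bit position
     * @param iArr key-usage bit positions to compare; null or empty skips the key-usage check
     * @param z {@code true} for strict matching (all requested bits must match),
     *          {@code false} for lenient matching (at least one requested bit must match)
     * @param eseUser owner of the keystore supplying trust anchors, intermediates and CRLs; must not be null
     * @throws IllegalArgumentException if {@code x509Certificate} or {@code eseUser} is null
     * @throws InvalidCertificateException if any validation step fails; the
     *         message key identifies the failing step where it can be distinguished
     */
    @Override
    public void validateX509Certificate(X509Certificate x509Certificate, boolean[] zArr, int[] iArr, boolean z, EseUser eseUser) throws InvalidCertificateException {
        final String method = "validateX509Certificate(X509Certificate, boolean[], int[], boolean, EseUser)";
        if (Trace.isOn) {
            Trace.entry(this, TRACE_CLASS, method);
        }
        if (x509Certificate == null) {
            throw new IllegalArgumentException("cert is null");
        }
        if (eseUser == null) {
            throw new IllegalArgumentException("user is null");
        }
        String subjectName = x509Certificate.getSubjectDN().getName();
        if (Trace.isOn) {
            Trace.traceInfo(this, TRACE_CLASS, method, subjectName + BaseConfig.SUBTOPIC_SEPARATOR + x509Certificate.getSerialNumber().toString(), "");
        }
        KeyStoreAccess keyStore = eseUser.getKeyStore();
        checkUsageBits(x509Certificate, zArr, iArr, z);
        verifyCAConstraint(x509Certificate);
        Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
        // Holds the target certificate, keystore intermediates and, later, CRLs for the Collection CertStore.
        List<Object> storeEntries = new LinkedList<Object>();
        try {
            addTrustAnchorsAndCertificates(x509Certificate, keyStore, trustAnchors, storeEntries);
            CertPath certPath = buildCertPath(x509Certificate, trustAnchors, storeEntries);
            traceCertPath(certPath);
            TrustAnchor chainAnchor = getChainTrustAnchor(x509Certificate, trustAnchors, certPath);
            verifyValidityOfTrustAnchor(chainAnchor);
            List<? extends Certificate> pathCerts = certPath.getCertificates();
            X509Certificate[] chain = pathCerts.toArray(new X509Certificate[pathCerts.size()]);
            // A self-signed target that is itself the anchor yields an empty path; CRLs are still looked up for it.
            if (chain.length == 0 && isSelfSigned(x509Certificate)) {
                chain = new X509Certificate[]{x509Certificate};
            }
            X509CRL[] crls = this.certAccess.loadCRLs(eseUser.getKeyStore(), eseUser.getPkiSpec(), chain);
            if (crls == null) {
                // Treat "no CRLs" uniformly; the original dereferenced the array before its null check.
                crls = new X509CRL[0];
            }
            // PKIX does not revocation-check a trust anchor, so a self-signed target is checked against the CRLs here.
            if (crls.length > 0 && isSelfSigned(x509Certificate)) {
                checkRevocationOfSelfSigned(x509Certificate, crls);
            }
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            PKIXParameters params = new PKIXParameters(trustAnchors);
            // Short-circuit order matters: the property lookups run only when no CRLs were loaded.
            boolean revocationEnabled = crls.length > 0 || isOCSPEnabled() || useCRLDPExtension(certPath, chainAnchor);
            params.setRevocationEnabled(revocationEnabled);
            if (revocationEnabled) {
                storeEntries.addAll(Arrays.asList(crls));
            }
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeEntries)));
            validator.validate(certPath, params);
        } catch (CrlAccessException e) {
            throw new InvalidCertificateException(AmsErrorMessages.mjp_msg_error_failed_to_verify_cert_chain, newInserts(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, subjectName), e);
        } catch (InvalidCertificateException e) {
            // Already carries the specific message key; keep it from being re-wrapped by the broader catches below.
            throw e;
        } catch (AMBIException e) {
            throw new InvalidCertificateException(AmsErrorMessages.mjp_msg_error_failed_to_verify_cert_chain, newInserts(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, subjectName), e);
        } catch (CertPathValidatorException e) {
            throwCertPathValidatorException(x509Certificate, e);
        } catch (GeneralSecurityException e) {
            throw new InvalidCertificateException(AmsErrorMessages.mjp_msg_error_failed_to_verify_cert_chain, newInserts(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, subjectName), e);
        }
        if (Trace.isOn) {
            Trace.exit(this, TRACE_CLASS, method);
        }
    }

    /**
     * Builds a single-entry AMS message-insert map.
     *
     * <p>The map is kept raw because it is handed to {@link InvalidCertificateException}
     * and {@link AmsErrorMessages#log} exactly as the pre-existing code did.
     *
     * @param key insert identifier
     * @param value insert value
     * @return a new map holding only that insert
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private static HashMap newInserts(Object key, Object value) {
        HashMap inserts = new HashMap();
        inserts.put(key, value);
        return inserts;
    }

    /**
     * Decides whether CRL distribution points should drive revocation checking.
     *
     * <p>Requires the {@code com.ibm.security.enableCRLDP} system property to be
     * exactly {@link RASProperties#PROPERTY_TRUE} (case-sensitive, unlike the OCSP
     * check) and at least one certificate in the path or the trust anchor to carry
     * a CRLDP extension.
     *
     * @param certPath built path, anchor excluded
     * @param trustAnchor anchor the path chains to, or null if none was matched
     * @return true if CRLDP-based revocation checking should be enabled
     */
    private boolean useCRLDPExtension(CertPath certPath, TrustAnchor trustAnchor) {
        String enableCrlDp = AccessController.doPrivileged(new PrivilegedAction<String>() {
            @Override
            public String run() {
                return System.getProperty("com.ibm.security.enableCRLDP");
            }
        });
        if (enableCrlDp == null || !enableCrlDp.equals(RASProperties.PROPERTY_TRUE)) {
            return false;
        }
        for (Certificate cert : certPath.getCertificates()) {
            if (hasCrlDpExtension((X509Certificate) cert)) {
                return true;
            }
        }
        return trustAnchor != null && hasCrlDpExtension(trustAnchor.getTrustedCert());
    }

    /**
     * Reports whether the certificate carries a non-empty CRL Distribution Points extension.
     *
     * @param x509Certificate certificate to inspect
     * @return true if the DER-encoded extension value is present and non-empty
     */
    private boolean hasCrlDpExtension(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(CRLDP_EXTENSION_OID);
        return extensionValue != null && extensionValue.length > 0;
    }

    /**
     * Rejects a self-signed certificate that appears on any of the given CRLs.
     *
     * @param x509Certificate self-signed certificate under test
     * @param x509crlArr CRLs to consult
     * @throws InvalidCertificateException if any CRL lists the certificate as revoked
     */
    private void checkRevocationOfSelfSigned(X509Certificate x509Certificate, X509CRL[] x509crlArr) throws InvalidCertificateException {
        for (X509CRL crl : x509crlArr) {
            if (crl.isRevoked(x509Certificate)) {
                throw new InvalidCertificateException(AmsErrorMessages.mjp_certvalid_cert_revoked,
                        newInserts(AmsErrorMessageInserts.AMS_INSERT_SUBJECT_NAME, x509Certificate.getSubjectDN().getName()));
            }
        }
    }

    /**
     * Checks the validity period of the trust anchor's certificate.
     *
     * <p>An expired anchor is logged via {@link AmsErrorMessages#log} before the
     * exception is rethrown; a not-yet-valid anchor propagates without logging.
     * A null anchor is accepted silently.
     *
     * @param trustAnchor anchor the chain resolved to, or null
     * @throws CertificateExpiredException if the anchor certificate has expired
     * @throws CertificateNotYetValidException if the anchor certificate is not yet valid
     */
    private void verifyValidityOfTrustAnchor(TrustAnchor trustAnchor) throws CertificateExpiredException, CertificateNotYetValidException {
        if (trustAnchor == null) {
            return;
        }
        X509Certificate anchorCert = trustAnchor.getTrustedCert();
        try {
            anchorCert.checkValidity();
        } catch (CertificateExpiredException e) {
            AmsErrorMessages.log(CLASS, "verifyValidityOfTrustAnchor", AmsErrorMessages.mjp_certvalid_error_checking_cert_validity,
                    newInserts(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, anchorCert.getSubjectDN().getName()));
            throw e;
        }
    }

    /**
     * Finds the trust anchor whose subject name equals the issuer name of the
     * last certificate in the path (or of the target itself when the path is empty).
     *
     * <p>The match is on the string form of the distinguished names only.
     *
     * @param x509Certificate target certificate
     * @param trustAnchors candidate anchors
     * @param certPath built path, anchor excluded
     * @return the matching anchor, or null if none matches
     */
    private TrustAnchor getChainTrustAnchor(X509Certificate x509Certificate, Set<TrustAnchor> trustAnchors, CertPath certPath) {
        List<? extends Certificate> pathCerts = certPath.getCertificates();
        X509Certificate topOfPath = pathCerts.isEmpty()
                ? x509Certificate
                : (X509Certificate) pathCerts.get(pathCerts.size() - 1);
        String issuerName = topOfPath.getIssuerDN().getName();
        for (TrustAnchor anchor : trustAnchors) {
            if (anchor.getTrustedCert().getSubjectDN().getName().equals(issuerName)) {
                return anchor;
            }
        }
        return null;
    }

    /**
     * Rejects a certificate that asserts the CA flag in its Basic Constraints.
     *
     * <p>{@link X509Certificate#getBasicConstraints()} returns -1 for non-CA
     * certificates, so anything else means a CA certificate is being used as an
     * end-entity certificate.
     *
     * @param x509Certificate certificate under test
     * @throws InvalidCertificateException if the certificate is a CA certificate
     */
    private void verifyCAConstraint(X509Certificate x509Certificate) throws InvalidCertificateException {
        if (x509Certificate.getBasicConstraints() != -1) {
            throw new InvalidCertificateException(AmsErrorMessages.mjp_certvalid_ca_used_as_ee,
                    newInserts(AmsErrorMessageInserts.AMS_INSERT_SUBJECT_NAME, x509Certificate.getSubjectDN().getName()));
        }
    }

    /**
     * Translates a PKIX validation failure into the most specific AMS message available.
     *
     * <p>The cause is inspected for not-yet-valid, expired and signature failures;
     * anything else maps to the generic chain-verification message.
     *
     * @param x509Certificate certificate under test; null is tolerated only for the generic case
     * @param certPathValidatorException failure reported by the PKIX validator
     * @throws InvalidCertificateException always
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private void throwCertPathValidatorException(X509Certificate x509Certificate, CertPathValidatorException certPathValidatorException) throws InvalidCertificateException {
        Throwable cause = certPathValidatorException.getCause();
        String subjectName = x509Certificate == null ? "<null>" : x509Certificate.getSubjectDN().getName();
        if (cause instanceof CertificateNotYetValidException) {
            HashMap inserts = newInserts(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, subjectName);
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_DATE, x509Certificate.getNotBefore());
            throw new InvalidCertificateException(AmsErrorMessages.mjp_certvalid_error_cert_not_valid_yet, inserts, certPathValidatorException);
        }
        if (cause instanceof CertificateExpiredException) {
            HashMap inserts = newInserts(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, subjectName);
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_DATE, x509Certificate.getNotAfter());
            throw new InvalidCertificateException(AmsErrorMessages.mjp_certvalid_error_cert_expired, inserts, certPathValidatorException);
        }
        if (cause instanceof SignatureException) {
            // NOTE(review): the message key names a CRL signature failure although any signature failure in the path lands here — confirm against the message text.
            throw new InvalidCertificateException(AmsErrorMessages.mjp_msg_error_verify_crl_signature,
                    newInserts(AmsErrorMessageInserts.AMS_INSERT_ISSUER_NAME, x509Certificate.getIssuerX500Principal().getName()), certPathValidatorException);
        }
        throw new InvalidCertificateException(AmsErrorMessages.mjp_msg_error_failed_to_verify_cert_chain,
                newInserts(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, subjectName), certPathValidatorException);
    }

    /**
     * Reports whether OCSP is enabled through the {@code ocsp.enable} security
     * property (compared case-insensitively against {@link RASProperties#PROPERTY_TRUE}).
     *
     * @return true if OCSP revocation checking should be enabled
     */
    protected boolean isOCSPEnabled() {
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                String ocspEnable = Security.getProperty("ocsp.enable");
                return ocspEnable != null && ocspEnable.equalsIgnoreCase(RASProperties.PROPERTY_TRUE);
            }
        });
    }

    /**
     * Partitions the keystore contents into trust anchors and path-building material.
     *
     * <p>The target certificate always goes into {@code storeEntries}. A keystore
     * certificate equal to the target becomes an anchor only if the target is
     * self-signed. Any other certificate entry whose issuer name equals its
     * subject name becomes a trust anchor; everything else is an intermediate.
     *
     * @param x509Certificate target certificate
     * @param keyStoreAccess keystore to scan
     * @param trustAnchors receives the trust anchors
     * @param storeEntries receives the target and intermediate certificates
     * @throws AMBIException if the keystore cannot be read
     */
    private void addTrustAnchorsAndCertificates(X509Certificate x509Certificate, KeyStoreAccess keyStoreAccess, Set<TrustAnchor> trustAnchors, List<Object> storeEntries) throws AMBIException {
        storeEntries.add(x509Certificate);
        boolean targetSelfSigned = isSelfSigned(x509Certificate);
        Enumeration<?> aliases = keyStoreAccess.aliases();
        while (aliases.hasMoreElements()) {
            String alias = (String) aliases.nextElement();
            X509Certificate candidate = keyStoreAccess.getCertificate(alias);
            if (candidate == null) {
                continue;
            }
            if (candidate.equals(x509Certificate)) {
                if (targetSelfSigned) {
                    trustAnchors.add(new TrustAnchor(candidate, null));
                }
            } else if (keyStoreAccess.isCertificateEntry(alias) && isSelfSigned(candidate)) {
                trustAnchors.add(new TrustAnchor(candidate, null));
            } else {
                storeEntries.add(candidate);
            }
        }
        traceTAs(trustAnchors);
    }

    /**
     * Traces the subject name of every trust anchor when tracing is on.
     *
     * @param trustAnchors anchors to trace
     */
    private void traceTAs(Set<TrustAnchor> trustAnchors) {
        if (Trace.isOn) {
            for (TrustAnchor anchor : trustAnchors) {
                Trace.data(this, TRACE_CLASS, "traceTAs(Set)", anchor.getTrustedCert().getSubjectDN().getName(), null);
            }
        }
    }

    /**
     * Traces the subject name of every certificate in the path when tracing is on.
     *
     * @param certPath path to trace
     */
    private void traceCertPath(CertPath certPath) {
        if (Trace.isOn) {
            for (Certificate cert : certPath.getCertificates()) {
                // Previously labelled "traceTAs(Set)", which mis-attributed these entries in the trace.
                Trace.data(this, TRACE_CLASS, "traceCertPath(CertPath)", ((X509Certificate) cert).getSubjectDN().getName(), null);
            }
        }
    }

    /**
     * Reports whether the certificate's issuer name equals its subject name.
     *
     * <p>This is a name comparison only; the signature is not verified here.
     *
     * @param x509Certificate certificate to inspect
     * @return true if issuer and subject are equal
     */
    private boolean isSelfSigned(X509Certificate x509Certificate) {
        return x509Certificate.getIssuerDN().equals(x509Certificate.getSubjectDN());
    }

    /**
     * Builds a PKIX certification path from the target to one of the trust anchors.
     *
     * <p>Revocation is disabled for path building; it is applied afterwards by the
     * validator in {@link #validateX509Certificate}.
     *
     * @param x509Certificate target certificate
     * @param trustAnchors candidate anchors
     * @param storeEntries target and intermediate certificates for the Collection CertStore
     * @return the built path (anchor excluded)
     * @throws InvalidAlgorithmParameterException if the PKIX parameters are rejected
     * @throws CertPathBuilderException if no path to an anchor can be built
     * @throws NoSuchAlgorithmException if no PKIX builder is available
     */
    private CertPath buildCertPath(X509Certificate x509Certificate, Set<TrustAnchor> trustAnchors, List<Object> storeEntries) throws InvalidAlgorithmParameterException, CertPathBuilderException, NoSuchAlgorithmException {
        final String method = "buildCertPath(X509Certificate, Set, List)";
        if (Trace.isOn) {
            Trace.entry(this, TRACE_CLASS, method);
        }
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(x509Certificate);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeEntries)));
        CertPath certPath = builder.build(params).getCertPath();
        if (Trace.isOn) {
            List<? extends Certificate> pathCerts = certPath.getCertificates();
            Trace.exit(this, TRACE_CLASS, method, new Object[]{Integer.valueOf(pathCerts == null ? 0 : pathCerts.size())});
        }
        return certPath;
    }

    /**
     * Compares the certificate's KeyUsage bits with the expected values.
     *
     * <p>The check is skipped — and passes — when the certificate has no KeyUsage
     * extension or no bit positions were requested. In strict mode every requested
     * bit must equal its expected value; in lenient mode at least one must.
     *
     * @param x509Certificate certificate under test
     * @param zArr expected values, indexed by key-usage bit position
     * @param iArr key-usage bit positions to compare
     * @param z true for strict, false for lenient matching
     * @throws InvalidCertificateException if the bits do not satisfy the chosen mode
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private void checkUsageBits(X509Certificate x509Certificate, boolean[] zArr, int[] iArr, boolean z) throws InvalidCertificateException {
        final String method = "checkUsageBits(X509Certificate, boolean[], int[], boolean)";
        if (Trace.isOn) {
            Trace.entry(this, TRACE_CLASS, method);
        }
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null || iArr == null || iArr.length == 0) {
            if (Trace.isOn) {
                Trace.traceInfo(this, TRACE_CLASS, method, "usage bits not set", "");
                Trace.exit(this, TRACE_CLASS, method);
            }
            return;
        }
        if (z) {
            for (int bit : iArr) {
                if (keyUsage[bit] != zArr[bit]) {
                    HashMap inserts = newInserts(AmsErrorMessageInserts.AMS_INSERT_CERTIFICATE_SUBJECT, x509Certificate.getSubjectDN().getName());
                    inserts.put(AmsErrorMessageInserts.AMS_INSERT_USAGE_BIT_NAME, KEY_USAGE_NAMES[bit]);
                    inserts.put(AmsErrorMessageInserts.AMS_INSERT_EXPECTED_USAGE_BIT_VALUE, Boolean.valueOf(zArr[bit]));
                    inserts.put(AmsErrorMessageInserts.AMS_INSERT_USAGE_BIT_VALUE, Boolean.valueOf(keyUsage[bit]));
                    throw new InvalidCertificateException(AmsErrorMessages.mjp_certvalid_error_cert_keyusage_not_match, inserts);
                }
            }
        } else {
            for (int bit : iArr) {
                if (keyUsage[bit] == zArr[bit]) {
                    if (Trace.isOn) {
                        Trace.exit(this, TRACE_CLASS, method);
                    }
                    return;
                }
            }
            // List the requested bits by their bit position, as the comparison above does
            // (the earlier code indexed by loop counter, describing the wrong bits).
            StringBuilder expectedList = new StringBuilder();
            StringBuilder actualList = new StringBuilder();
            for (int k = 0; k < iArr.length; k++) {
                int bit = iArr[k];
                if (k != 0) {
                    expectedList.append(", ");
                    actualList.append(", ");
                }
                expectedList.append(KEY_USAGE_NAMES[bit]).append('(').append(zArr[bit] ? 1 : 0).append(')');
                actualList.append(KEY_USAGE_NAMES[bit]).append('(').append(keyUsage[bit] ? 1 : 0).append(')');
            }
            HashMap inserts = newInserts(AmsErrorMessageInserts.AMS_INSERT_SUBJECT_NAME, x509Certificate.getSubjectDN().getName());
            // Expected values come from zArr and actual values from the certificate, mirroring the strict-mode inserts.
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_KEY_VALUE_LIST, actualList.toString());
            inserts.put(AmsErrorMessageInserts.AMS_INSERT_EXPECTED_KEY_VALUE_LIST, expectedList.toString());
            throw new InvalidCertificateException(AmsErrorMessages.mjp_certvalid_error_cert_no_keyusage_bit_matches, inserts);
        }
        if (Trace.isOn) {
            Trace.exit(this, TRACE_CLASS, method);
        }
    }

    static {
        if (Trace.isOn) {
            Trace.data(TRACE_CLASS, "static", "SCCS id", (Object) sccsid);
        }
        CLASS = X509CertificateValidatorImpl.class.getName();
    }
}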
