package com.ibm.ws.ssl.commands.personalCertificates;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.cmdframework.CommandException;
import com.ibm.websphere.management.cmdframework.CommandLoadException;
import com.ibm.websphere.management.cmdframework.CommandNotFoundException;
import com.ibm.websphere.management.cmdframework.CommandValidationException;
import com.ibm.websphere.management.cmdframework.commanddata.CommandData;
import com.ibm.websphere.management.cmdframework.commandmetadata.TaskCommandMetadata;
import com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand;
import com.ibm.websphere.management.cmdframework.provider.TaskCommandResultImpl;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.management.configservice.ConfigServiceFactory;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.ssl.commands.certificateRequests.CertificateRequestHelper;
import com.ibm.ws.ssl.commands.utils.CommandConstants;
import com.ibm.ws.ssl.commands.utils.CommandHelper;
import com.ibm.ws.ssl.commands.utils.SSLCommandsHelper;
import com.ibm.ws.ssl.commands.utils.TraceNLSHelper;
import com.ibm.ws.ssl.config.KeyStoreManager;
import com.ibm.ws.ssl.config.WSKeyStoreHelper;
import com.ibm.ws.ssl.config.WSKeyStoreRemotable;
import com.ibm.ws.ssl.core.Constants;
import com.ibm.ws.ssl.model.KeyStoreInfo;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Locale;

/* loaded from: input_file:lib/com.ibm.ws.runtime.jar:com/ibm/ws/ssl/commands/personalCertificates/ReplaceCertificate.class */
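/**
 * Admin task that replaces one personal certificate in a key store with another
 * already-present personal certificate, updating alias references, propagating a
 * changed root signer into the default root store, and optionally deleting the
 * old entry (after archiving its private key and chain into the "deleted" store).
 *
 * <p>Parameters are read in {@link #validate()}; the work happens in
 * {@link #afterStepsExecuted()} via {@link #personalCertificateReplace}.
 */
public class ReplaceCertificate extends AbstractTaskCommand {
    private static final TraceComponent tc = Tr.register((Class<?>) ReplaceCertificate.class, "SSL", "com.ibm.ws.ssl.commands.keyStores");
    /** FFDC source id recorded with unexpected failures. */
    private static final String FFDC_SOURCE = "com.ibm.ws.ssl.commands.personalCertificates.ReplaceCertificate";
    /**
     * Digest used as a fingerprint when matching the old root signer in the root store.
     * NOTE(review): MD5 is not collision resistant; the match also requires an equal
     * serial number, which limits the exposure, but a stronger digest would be
     * preferable if KeyStoreManager.generateDigest supports one — confirm before changing.
     */
    private static final String ROOT_DIGEST_ALGORITHM = "MD5";

    // Command parameters, populated by validate().
    private String keyStoreName;
    private String keyStoreScope;
    private String certificateAlias;
    private String replacementCertificateAlias;
    private Boolean deleteOldCert;
    private Boolean deleteOldSigners;
    // Resolved target key store and the config session/service used for all updates.
    private KeyStoreInfo ksInfo;
    private ConfigService cs;
    private Session session;

    /**
     * Creates the command from its metadata. All state stays null until {@link #validate()}.
     *
     * @param taskCommandMetadata command metadata supplied by the command framework
     * @throws CommandNotFoundException propagated from the framework constructor
     */
    public ReplaceCertificate(TaskCommandMetadata taskCommandMetadata) throws CommandNotFoundException {
        super(taskCommandMetadata);
    }

    /**
     * Creates the command from serialized command data. All state stays null until {@link #validate()}.
     *
     * @param commandData command data supplied by the command framework
     * @throws CommandNotFoundException propagated from the framework constructor
     * @throws CommandLoadException propagated from the framework constructor
     */
    public ReplaceCertificate(CommandData commandData) throws CommandNotFoundException, CommandLoadException {
        super(commandData);
    }

    /**
     * Reads the command parameters, defaults the scope, rejects identical aliases and
     * read-only key stores, and resolves the target {@link KeyStoreInfo}.
     *
     * @throws CommandValidationException if a parameter is missing or invalid, the two
     *         aliases are equal (CWPKI0674E), the key store is read only (CWPKI0699E),
     *         or any lookup fails (message of the underlying exception)
     */
    @Override
    public void validate() throws CommandValidationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.VALIDATE);
        }
        super.validate();
        try {
            this.cs = SSLCommandsHelper.getConfigService(getName());
            this.session = getConfigSession();
            this.keyStoreName = (String) getParameter("keyStoreName");
            this.keyStoreScope = (String) getParameter(CommandConstants.KEY_STORE_SCOPE);
            this.certificateAlias = (String) getParameter("certificateAlias");
            this.replacementCertificateAlias = (String) getParameter(CommandConstants.REPLACE_CERT_ALIAS);
            this.deleteOldCert = (Boolean) getParameter(CommandConstants.DELETE_OLD_CERT);
            this.deleteOldSigners = (Boolean) getParameter(CommandConstants.DELETE_OLD_SIGNERS);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "keyStoreName=" + this.keyStoreName + " keyStoreScope= " + this.keyStoreScope + " certAlias=" + this.certificateAlias + " replacementCertificateAlias=" + this.replacementCertificateAlias + " deleteOldCert= " + this.deleteOldCert + " deleteOldSigners= " + this.deleteOldSigners);
            }
            CommandHelper commandHelper = new CommandHelper();
            if (this.keyStoreScope == null) {
                this.keyStoreScope = commandHelper.defaultScope();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Default cell scopeName: " + this.keyStoreScope);
                }
            }
            // Both aliases are required; without this guard the comparison below would
            // throw a NullPointerException that surfaces as a validation error with a "null" message.
            if (this.certificateAlias == null || this.replacementCertificateAlias == null) {
                throw new CommandValidationException("certificateAlias and " + CommandConstants.REPLACE_CERT_ALIAS + " are required parameters.");
            }
            if (this.certificateAlias.equalsIgnoreCase(this.replacementCertificateAlias)) {
                throw new CommandValidationException(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.dup.alias.values.CWPKI0674E", new Object[]{"certificateAlias", CommandConstants.REPLACE_CERT_ALIAS}, "certificateAlias and replacementCertificate alias values must be different."));
            }
            this.ksInfo = PersonalCertificateHelper.getKsInfo(this.session, this.cs, this.keyStoreName, this.keyStoreScope);
            if (this.ksInfo.getReadOnly().booleanValue()) {
                throw new CommandValidationException(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.readonly.keystore.CWPKI0699E", new Object[]{this.ksInfo.getName()}, this.ksInfo.getName() + " is marked as a read only key store.  Unable to perform write operations to the key store file."));
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.VALIDATE);
            }
        } catch (CommandValidationException e) {
            // Already carries a translated message; re-wrapping would only drop the stack trace.
            throw e;
        } catch (Exception e) {
            // Record the original failure (with its stack trace) before it is flattened to a message.
            FFDCFilter.processException(e, FFDC_SOURCE, "validate");
            throw new CommandValidationException(e.getMessage());
        }
    }

    /**
     * Runs the replacement once all steps have completed successfully and stores the
     * textual report (or the failure) in the task result.
     */
    @Override
    protected void afterStepsExecuted() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "afterStepsExecuted");
        }
        super.afterStepsExecuted();
        TaskCommandResultImpl taskCommandResult = getTaskCommandResult();
        if (taskCommandResult.isSuccessful()) {
            try {
                // An absent Boolean parameter means "do not delete" rather than a NullPointerException.
                boolean removeOldCert = Boolean.TRUE.equals(this.deleteOldCert);
                boolean removeOldSigners = Boolean.TRUE.equals(this.deleteOldSigners);
                taskCommandResult.setResult(personalCertificateReplace(this.ksInfo, this.certificateAlias, this.replacementCertificateAlias, removeOldCert, removeOldSigners, this.keyStoreScope));
            } catch (Exception e) {
                taskCommandResult.setException(new CommandException(e, e.getMessage()));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "afterStepsExecuted");
        }
    }

    /**
     * Replaces personal certificate {@code str} with personal certificate {@code str2}
     * inside {@code keyStoreInfo}.
     *
     * <p>Steps: load both entries (cert, chain, private key) and verify each is a real
     * personal certificate rather than a pending certificate request; rewrite alias
     * references and replace the certificate; if the replacement is issued by a
     * different root, locate the old root signer in the default (or RSA token) root
     * store and replace it there too; optionally archive the old key/chain into the
     * "deleted" key store and delete the old entry; finally flag the workspace and
     * SSL configuration as changed.
     *
     * @param keyStoreInfo the key store holding both aliases
     * @param str alias of the certificate being replaced
     * @param str2 alias of the replacement certificate
     * @param z whether to delete the old entry after replacement
     * @param z2 whether to delete old signers (passed through to replaceCerts)
     * @param str3 key store scope; accepted for interface compatibility but not used here
     * @return the accumulated, locale-formatted report of what was replaced/deleted
     * @throws CommandValidationException if either alias is not a personal certificate (CWPKI0666E)
     * @throws KeyStoreException if the store is read only, a certificate is missing, or a chain is empty
     * @throws Exception any failure from the key store or configuration helpers
     */
    public String personalCertificateReplace(KeyStoreInfo keyStoreInfo, String str, String str2, boolean z, boolean z2, String str3) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "personalCertificateReplace");
        }
        Locale locale = getLocale();
        if (locale == null) {
            locale = Locale.getDefault();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "locale is null, use system locale:" + locale);
            }
        }
        if (keyStoreInfo.getReadOnly().booleanValue()) {
            // validate() already rejects read-only stores with CWPKI0699E; this keeps the
            // outcome a direct caller always got (nothing loaded -> lookup failure).
            throw new KeyStoreException("Certificate not found in keyStore.");
        }
        WSKeyStoreRemotable keyStore = new WSKeyStoreRemotable(keyStoreInfo);
        // Derived from a String, so clearing this array would not scrub the secret from the heap.
        char[] password = passwordChars(keyStoreInfo);
        X509Certificate oldCert;
        Certificate[] oldChain;
        Key oldKey;
        X509Certificate newCert;
        Certificate[] newChain;
        Key newKey;
        try {
            oldCert = loadPersonalCertificate(keyStore, str);
            oldChain = loadChain(keyStore, str);
            oldKey = (Key) keyStore.invokeKeyStoreCommand("getKey", new Object[]{str, password})[0];
            newCert = loadPersonalCertificate(keyStore, str2);
            newChain = loadChain(keyStore, str2);
            newKey = (Key) keyStore.invokeKeyStoreCommand("getKey", new Object[]{str2, password})[0];
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "%c%");
            throw e;
        }
        PersonalCertificateHelper.changeAliasReferences(this.session, keyStoreInfo, str, str2);
        StringBuilder report = new StringBuilder();
        report.append(PersonalCertificateHelper.replaceCerts(this.session, keyStoreInfo, str, oldCert, str2, newCert, newChain, newKey, z2, locale));
        CommandHelper commandHelper = new CommandHelper();
        // The last element of each chain is taken to be its root.
        X509Certificate oldRoot = (X509Certificate) oldChain[oldChain.length - 1];
        X509Certificate newRoot = (X509Certificate) newChain[newChain.length - 1];
        String oldRootDigest = KeyStoreManager.getInstance().generateDigest(ROOT_DIGEST_ALGORITHM, oldRoot);
        if (!KeyStoreManager.getInstance().generateDigest(ROOT_DIGEST_ALGORITHM, newRoot).equals(oldRootDigest)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate is signed by a new root certificate, add root signer to keystores where old root signer exists");
            }
            KeyStoreInfo rootStoreInfo = resolveRootStore(keyStoreInfo, commandHelper);
            WSKeyStoreHelper rootStore = new WSKeyStoreHelper(rootStoreInfo);
            // May be null when the old root is not present in the root store; replaceCerts receives it as-is.
            String oldRootAlias = findSignerAlias(rootStore, oldRoot, oldRootDigest);
            report.append(PersonalCertificateHelper.replaceCerts(this.session, rootStoreInfo, null, oldRoot, oldRootAlias, newRoot, null, null, false, locale));
        }
        if (z) {
            archiveOldEntry(keyStoreInfo, str, oldKey, oldChain, commandHelper);
            keyStore.invokeKeyStoreCommand("deleteEntry", new Object[]{str});
            String formattedMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.monitor.personal.delete.CWPKI0647I", new Object[]{str, keyStoreInfo.getName()}, "Personal certificate alias \"" + str + "\" was DELETED from KeyStore \"" + keyStoreInfo.getName() + "\"", locale);
            report.append(System.getProperty("line.separator"));
            report.append(formattedMessage);
        }
        if (keyStoreInfo.getFileBased().booleanValue()) {
            PersonalCertificateHelper.setWorkspaceUpdated(this.session, keyStoreInfo.getLocation());
        }
        PersonalCertificateHelper.markSSLConfigChanged(keyStoreInfo, this.session);
        if (keyStoreInfo.getName().endsWith(Constants.RSA_TOKEN_KEY_STORE)) {
            // The RSA token mechanism caches key material; force it to reload.
            SecurityObjectLocator.getSecurityConfig("security").getAuthMechanism(AuthMechanismConfig.TYPE_RSATOKEN).reinitializeRSAProperties();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "personalCertificateReplace");
        }
        return report.toString();
    }

    /** Returns the store password as a char array, or null when no password is configured. */
    private static char[] passwordChars(KeyStoreInfo info) {
        String password = info.getPassword();
        return password != null ? password.toCharArray() : null;
    }

    /** Builds the CWPKI0666E validation error for an alias that is not a personal certificate. */
    private static CommandValidationException notPersonalCertificate(String alias) {
        return new CommandValidationException(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.not.personal.cert.CWPKI0666E", new Object[]{alias}, "Certificate \"" + alias + "\" is not a personal certificate."));
    }

    /**
     * Loads the certificate for {@code alias}, requiring it to be a key entry that is
     * not a pending certificate request.
     *
     * @throws CommandValidationException if the alias is not a personal certificate
     * @throws KeyStoreException if no certificate is stored under the alias
     */
    private static X509Certificate loadPersonalCertificate(WSKeyStoreRemotable keyStore, String alias) throws Exception {
        if (!((Boolean) keyStore.invokeKeyStoreCommand("isKeyEntry", new Object[]{alias})[0]).booleanValue()) {
            throw notPersonalCertificate(alias);
        }
        X509Certificate cert = (X509Certificate) keyStore.invokeKeyStoreCommand("getCertificate", new Object[]{alias})[0];
        if (cert == null) {
            throw new KeyStoreException("Certificate not found in keyStore.");
        }
        if (CertificateRequestHelper.isKeyCertReq(cert, alias) != null) {
            throw notPersonalCertificate(alias);
        }
        return cert;
    }

    /**
     * Loads the certificate chain for {@code alias}.
     *
     * @throws KeyStoreException if the chain is missing or empty, since the caller
     *         indexes its last element as the root
     */
    private static Certificate[] loadChain(WSKeyStoreRemotable keyStore, String alias) throws Exception {
        Certificate[] chain = (Certificate[]) keyStore.invokeKeyStoreCommand("getCertificateChain", new Object[]{alias})[0];
        if (chain == null || chain.length == 0) {
            throw new KeyStoreException("Certificate chain for alias \"" + alias + "\" is empty.");
        }
        return chain;
    }

    /**
     * Resolves the root store that should receive the new root signer: the RSA token
     * root store when the target store's usage is RSA, otherwise the default root store.
     */
    private KeyStoreInfo resolveRootStore(KeyStoreInfo keyStoreInfo, CommandHelper commandHelper) throws Exception {
        String usage = keyStoreInfo.getUsage();
        String rootStoreName = CommandConstants.KS_USAGE_RSA.equals(usage)
                ? commandHelper.getDefaultKeyStoreName(Constants.RSA_TOKEN_ROOT_STORE, this.session, this.cs)
                : commandHelper.getDefaultKeyStoreName(Constants.DEFAULT_ROOT_STORE, this.session, this.cs);
        String rootStoreScope = commandHelper.getScopeForNodeKeyStore(this.session, this.cs, rootStoreName);
        return PersonalCertificateHelper.getKsInfo(this.session, this.cs, rootStoreName, rootStoreScope);
    }

    /**
     * Finds the alias in {@code rootStore} whose signer has the same serial number and
     * digest as {@code oldRoot}; returns null when none matches.
     */
    private static String findSignerAlias(WSKeyStoreHelper rootStore, X509Certificate oldRoot, String oldRootDigest) throws Exception {
        for (String alias : rootStore.getCertAliases()) {
            X509Certificate signer = rootStore.getSigner(alias);
            if (signer != null
                    && signer.getSerialNumber().compareTo(oldRoot.getSerialNumber()) == 0
                    && KeyStoreManager.getInstance().generateDigest(ROOT_DIGEST_ALGORITHM, signer).equals(oldRootDigest)) {
                return alias;
            }
        }
        return null;
    }

    /** True for the RACF-backed store types that cannot receive an archived key entry. */
    private static boolean isRacfStore(KeyStoreInfo store) {
        Object type = store.getType();
        return Constants.KEYSTORE_TYPE_JCERACFKS.equals(type) || Constants.KEYSTORE_TYPE_JCECCARACFKS.equals(type);
    }

    /**
     * Copies the old private key and chain into the "deleted" key store (alias
     * {@code <storeName>_<alias>}) so the key material is retained after the entry
     * is removed. Skipped when no writable, non-RACF deleted store is configured.
     */
    private void archiveOldEntry(KeyStoreInfo keyStoreInfo, String alias, Key oldKey, Certificate[] oldChain, CommandHelper commandHelper) throws Exception {
        KeyStoreInfo deletedStore = commandHelper.getDeletedKeyStore(this.session, ConfigServiceFactory.getConfigService(), this.keyStoreName);
        if (deletedStore == null || deletedStore.getReadOnly().booleanValue() || isRacfStore(deletedStore)) {
            return;
        }
        WSKeyStoreRemotable deletedKeyStore = new WSKeyStoreRemotable(deletedStore);
        Object[] entry = new Object[]{keyStoreInfo.getName() + "_" + alias, oldKey, passwordChars(deletedStore), oldChain};
        deletedKeyStore.invokeKeyStoreCommand("setKeyEntry", entry);
        PersonalCertificateHelper.setWorkspaceUpdated(this.session, deletedStore.getLocation());
    }
}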
