package com.ibm.ws.ssl.commands.FIPS;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.cmdframework.CommandException;
import com.ibm.websphere.management.cmdframework.CommandLoadException;
import com.ibm.websphere.management.cmdframework.CommandNotFoundException;
import com.ibm.websphere.management.cmdframework.CommandValidationException;
import com.ibm.websphere.management.cmdframework.commanddata.CommandData;
import com.ibm.websphere.management.cmdframework.commandmetadata.TaskCommandMetadata;
import com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand;
import com.ibm.websphere.management.cmdframework.provider.TaskCommandResultImpl;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.management.configservice.ConfigServiceFactory;
import com.ibm.websphere.management.configservice.ConfigServiceHelper;
import com.ibm.ws.ssl.commands.WSCertExpMonitor.StartCertificateExpMonitorHelper;
import com.ibm.ws.ssl.commands.personalCertificates.PersonalCertificateHelper;
import com.ibm.ws.ssl.commands.utils.CommandConstants;
import com.ibm.ws.ssl.config.FIPSUtils;
import com.ibm.ws.ssl.config.KeyStoreManager;
import com.ibm.ws.ssl.config.ManagementScopeManager;
import com.ibm.ws.ssl.config.WSKeyStoreHelper;
import com.ibm.ws.ssl.core.Constants;
import com.ibm.ws.ssl.model.KeyStoreInfo;
import java.security.PrivateKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import javax.management.AttributeList;

/* loaded from: input_file:lib/com.ibm.ws.runtime.jar:com/ibm/ws/ssl/commands/FIPS/ConvertCertForSecurityStandard.class */
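/**
 * Admin task command that re-creates personal certificates so that they meet the
 * key size and signature algorithm required by a FIPS or Suite B security standard.
 * <p>
 * {@link #validate()} resolves the {@code fipsLevel} / {@code suiteBLevel} /
 * {@code signatureAlgorithm} / {@code keySize} parameters (exactly one of the two
 * level parameters must be given). {@link #beforeStepsExecuted()} then converts
 * every certificate that {@link FIPSCommandHelper#getCertSecurityStatus} reports
 * as convertible; if any conversion fails the whole workspace session is discarded
 * so that a half-converted keystore is not left behind for later commands.
 * <p>
 * Not thread-safe: the command keeps per-invocation state in instance fields.
 */
public class ConvertCertForSecurityStandard extends AbstractTaskCommand {
    private static final TraceComponent tc = Tr.register((Class<?>) ConvertCertForSecurityStandard.class, "SSL", "com.ibm.ws.ssl.commands");
    // Config service and workspace session; resolved in validate(), null before that.
    private ConfigService cs;
    private Session session;
    // Validated parameters. After validate() exactly one of fipsLevel / suiteBLevel is non-null.
    private String fipsLevel;
    private String suiteBLevel;
    private String signatureAlgorithm;
    private int keySize;
    FIPSCommandHelper fipsHelper;
    private StartCertificateExpMonitorHelper scemHelper;
    // Digest cache handed to StartCertificateExpMonitorHelper for "signed by WebSphere" checks.
    // Kept as a raw HashMap because the helper's parameter type is not visible here.
    private HashMap rootSignerDigestCacheMap;

    public ConvertCertForSecurityStandard(TaskCommandMetadata taskCommandMetadata) throws CommandNotFoundException {
        super(taskCommandMetadata);
        initState();
    }

    public ConvertCertForSecurityStandard(CommandData commandData) throws CommandNotFoundException, CommandLoadException {
        super(commandData);
        initState();
    }

    /** Shared constructor body: everything except the helper objects is resolved later in validate(). */
    private void initState() {
        this.cs = null;
        this.session = null;
        this.fipsLevel = null;
        this.suiteBLevel = null;
        this.signatureAlgorithm = null;
        this.keySize = 0;
        this.fipsHelper = null;
        this.scemHelper = new StartCertificateExpMonitorHelper();
        this.rootSignerDigestCacheMap = new HashMap();
    }

    /**
     * Validates the command parameters and derives the effective signature algorithm
     * and key size for the requested security standard.
     *
     * @throws CommandValidationException if both or neither of fipsLevel/suiteBLevel
     *         are given, if a level, algorithm or key size is rejected by
     *         {@link FIPSCommandHelper}, or if keySize is not an integer
     */
    public void validate() throws CommandValidationException {
        this.cs = ConfigServiceFactory.getConfigService();
        this.session = getConfigSession();
        this.fipsHelper = new FIPSCommandHelper();
        String fipsLevelParam = (String) getParameter(CommandConstants.FIPS_LEVEL);
        String suiteBLevelParam = (String) getParameter(CommandConstants.SUITE_B_LEVEL);
        String sigAlgParam = (String) getParameter(CommandConstants.SIGNATURE_ALGORITHM);
        String keySizeParam = (String) getParameter(CommandConstants.KEY_SIZE);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "fipsLevel: " + fipsLevelParam);
            Tr.debug(tc, "suiteBLevel: " + suiteBLevelParam);
            Tr.debug(tc, "signatureAlgorithm:" + sigAlgParam);
            Tr.debug(tc, "keySize:" + keySizeParam);
        }
        if (fipsLevelParam != null && !fipsLevelParam.isEmpty()) {
            try {
                this.fipsLevel = this.fipsHelper.validateFipsLevel(fipsLevelParam);
            } catch (Exception e) {
                throw new CommandValidationException(e, e.getMessage());
            }
        }
        if (suiteBLevelParam != null && !suiteBLevelParam.isEmpty()) {
            this.suiteBLevel = this.fipsHelper.validateSuiteBLevel(suiteBLevelParam);
        }
        if (this.fipsLevel != null && this.suiteBLevel != null) {
            throw new CommandValidationException("Both fipsLevel and suiteBLevel parameters can not be specified at the same time when converting certificates.");
        }
        if (this.fipsLevel == null && this.suiteBLevel == null) {
            throw new CommandValidationException("Either the fipsLevel or suiteBLevel parameters must be specified when converting certificates.");
        }
        boolean sigAlgGiven = sigAlgParam != null && sigAlgParam.length() > 0;
        if (FIPSUtils.checkFipsEnabled()) {
            // When FIPS is already on, a requested algorithm must also be acceptable under the
            // level the runtime currently enforces; the return value is not needed, only the
            // validation (an unsupported algorithm is expected to surface as an exception).
            String currentFipsLevel = FIPSUtils.checkFipsLevel();
            String currentSuiteBLevel = FIPSUtils.checkSuiteBLevel();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "currentFipsLevel=" + currentFipsLevel + " currentSuiteBLevel=" + currentSuiteBLevel);
                Tr.debug(tc, "First, checking signatureAlgorithm to see if it is supported under current FipsLevel.");
            }
            if (sigAlgGiven) {
                this.fipsHelper.validateSignatureAlgorithm(currentFipsLevel, currentSuiteBLevel, sigAlgParam);
            }
        }
        if (sigAlgGiven) {
            this.signatureAlgorithm = this.fipsHelper.validateSignatureAlgorithm(this.fipsLevel, this.suiteBLevel, sigAlgParam);
        } else {
            // No algorithm requested: take the first one the target standard supports.
            this.signatureAlgorithm = FIPSUtils.getSignatureAlgorithms(true, this.fipsLevel, this.suiteBLevel).get(0);
        }
        String keyType = FIPSUtils.getKeyTypeFromSignatureAlgorithm(this.signatureAlgorithm);
        boolean keySizeGiven = keySizeParam != null && keySizeParam.length() > 0;
        if (Constants.EC.equals(keyType)) {
            // EC key size is fixed by the curve implied by the signature algorithm; any keySize parameter is ignored.
            this.keySize = Constants.EC_signatureAlgorithmToKeySize.get(this.signatureAlgorithm).intValue();
        } else if (keySizeGiven) {
            int requestedKeySize;
            try {
                requestedKeySize = Integer.parseInt(keySizeParam);
            } catch (NumberFormatException e) {
                // Report a malformed keySize as a validation failure instead of an unchecked exception.
                throw new CommandValidationException(e, "The keySize parameter must be an integer, but was: " + keySizeParam);
            }
            this.keySize = this.fipsHelper.validateKeySize(this.fipsLevel, this.suiteBLevel, this.signatureAlgorithm, requestedKeySize);
        } else {
            this.keySize = FIPSUtils.getMinimumSupportedKeySize(this.fipsLevel, this.suiteBLevel, keyType);
        }
    }

    /**
     * Runs the conversion before any command steps execute and stores the resulting
     * certificate status as the task result. On failure the exception is recorded on
     * the result and the workspace session is discarded (best effort).
     */
    protected void beforeStepsExecuted() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "beforeStepsExecuted");
        }
        super.beforeStepsExecuted();
        TaskCommandResultImpl taskCommandResult = getTaskCommandResult();
        if (!taskCommandResult.isSuccessful()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "beforeStepsExecuted");
            }
            return;
        }
        // An empty list is the result when conversion fails; callers still get a well-formed result object.
        AttributeList status = new AttributeList();
        try {
            status = convertCertsForFips(this.fipsLevel, this.suiteBLevel, this.signatureAlgorithm, this.keySize);
        } catch (Exception e) {
            taskCommandResult.setException(new CommandException(e, e.getMessage()));
            discardWorkspace();
        }
        taskCommandResult.setResult(status);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "beforeStepsExecuted");
        }
    }

    /**
     * Throws away all pending workspace changes of this session so that a partially
     * converted keystore does not leak into subsequent commands. Failures are only
     * traced: there is nothing further the command can do about them.
     */
    private void discardWorkspace() {
        try {
            this.cs.discard(this.session);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Discarded workspace changes.  If certificate conversion is half-way done and left in the workspace, it might affect subsequent commands.");
            }
        } catch (Exception ignored) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error discarding changes in the workspace.   Please restart Wsadmin session to clear up the workspace.");
            }
        }
    }

    /**
     * Converts every personal certificate that does not yet meet the given standard.
     * Certificates in the default root store are converted first so that chained
     * certificates in other stores can be re-signed by the new root.
     *
     * @param fipsLevelToUse     target FIPS level, or null when suiteBLevelToUse is given
     * @param suiteBLevelToUse   target Suite B level, or null when fipsLevelToUse is given
     * @param sigAlg             signature algorithm for the re-created certificates
     * @param requiredKeySize    key size for the re-created certificates
     * @return an AttributeList with CERT_STATUS_CAN_CONVERT (always empty after a
     *         successful run), CERT_STATUS_CAN_NOT_CONVERT and
     *         CERT_STATUS_MEET_SECURITY_STANDARD entries
     * @throws Exception on any keystore, configuration or certificate-generation failure;
     *         the caller is expected to discard the workspace in that case
     */
    @SuppressWarnings("unchecked")
    public AttributeList convertCertsForFips(String fipsLevelToUse, String suiteBLevelToUse, String sigAlg, int requiredKeySize) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "convertCertsForFips");
        }
        AttributeList certSecurityStatus = this.fipsHelper.getCertSecurityStatus(this.session, fipsLevelToUse, suiteBLevelToUse);
        List<AttributeList> canConvert = (List<AttributeList>) ConfigServiceHelper.getAttributeValue(certSecurityStatus, Constants.CERT_STATUS_CAN_CONVERT);
        List<AttributeList> canNotConvert = (List<AttributeList>) ConfigServiceHelper.getAttributeValue(certSecurityStatus, Constants.CERT_STATUS_CAN_NOT_CONVERT);
        List<AttributeList> meetsStandard = (List<AttributeList>) ConfigServiceHelper.getAttributeValue(certSecurityStatus, Constants.CERT_STATUS_MEET_SECURITY_STANDARD);
        // Certificates already reported as compliant are run through the same path; convertCertForFips
        // skips any that really meet the requirements, and every processed entry ends up in meetsStandard.
        canConvert.addAll(meetsStandard);
        meetsStandard.clear();
        List<AttributeList> inRootStore = new ArrayList<AttributeList>();
        List<AttributeList> inOtherStores = new ArrayList<AttributeList>();
        for (AttributeList certInfo : canConvert) {
            String keyStoreName = (String) ConfigServiceHelper.getAttributeValue(certInfo, Constants.CERT_INFO_KEYSTORE_NAME);
            if (keyStoreName != null && keyStoreName.endsWith(Constants.DEFAULT_ROOT_STORE)) {
                inRootStore.add(certInfo);
            } else {
                inOtherStores.add(certInfo);
            }
        }
        String nodeScopeName = ManagementScopeManager.getInstance().getNodeScopeName();
        KeyStoreInfo rootKsInfo = PersonalCertificateHelper.getKsInfo(this.session, this.cs, KeyStoreManager.getDefaultKeyStoreName(Constants.DEFAULT_ROOT_STORE), nodeScopeName);
        this.scemHelper.populateDigestCacheMap(this.rootSignerDigestCacheMap, rootKsInfo);
        // The method parameters, not the instance fields, drive the conversion so that
        // a caller other than beforeStepsExecuted() gets what it asked for.
        for (AttributeList certInfo : inRootStore) {
            String alias = (String) ConfigServiceHelper.getAttributeValue(certInfo, Constants.CERT_INFO_ALIAS);
            convertCertForFips(alias, rootKsInfo, rootKsInfo, requiredKeySize, sigAlg);
            ConfigServiceHelper.setAttributeValue(certInfo, Constants.CERT_INFO_REASON, "");
            meetsStandard.add(certInfo);
        }
        for (AttributeList certInfo : inOtherStores) {
            String alias = (String) ConfigServiceHelper.getAttributeValue(certInfo, Constants.CERT_INFO_ALIAS);
            String keyStoreName = (String) ConfigServiceHelper.getAttributeValue(certInfo, Constants.CERT_INFO_KEYSTORE_NAME);
            String scope = (String) ConfigServiceHelper.getAttributeValue(certInfo, Constants.CERT_INFO_MANAGEMENT_SCOPE);
            KeyStoreInfo targetKsInfo = PersonalCertificateHelper.getKsInfo(this.session, this.cs, keyStoreName, scope);
            convertCertForFips(alias, rootKsInfo, targetKsInfo, requiredKeySize, sigAlg);
            ConfigServiceHelper.setAttributeValue(certInfo, Constants.CERT_INFO_REASON, "");
            meetsStandard.add(certInfo);
        }
        AttributeList result = new AttributeList();
        ConfigServiceHelper.setAttributeValue(result, Constants.CERT_STATUS_CAN_CONVERT, new ArrayList<AttributeList>());
        ConfigServiceHelper.setAttributeValue(result, Constants.CERT_STATUS_CAN_NOT_CONVERT, canNotConvert);
        ConfigServiceHelper.setAttributeValue(result, Constants.CERT_STATUS_MEET_SECURITY_STANDARD, meetsStandard);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "convertCertsForFips");
        }
        return result;
    }

    /**
     * Re-creates one personal certificate with the required key size and signature
     * algorithm, keeping it self-signed or re-signing it with its root as appropriate,
     * then replaces the old certificate and marks the affected configuration changed.
     * <p>
     * Returns early without touching the workspace when the alias has no private key,
     * when the certificate already meets the requirements, or when the root alias
     * needed to re-sign a chained certificate has no private key.
     *
     * @param alias           alias of the certificate to convert
     * @param rootKsInfo      the default root keystore (source of the signing root)
     * @param keyStoreInfo    keystore holding the certificate; may be the same as rootKsInfo
     * @param requiredKeySize key size for the new key pair
     * @param sigAlg          signature algorithm for the new certificate
     * @throws Exception on keystore, certificate-generation or configuration failures,
     *         including a {@link java.security.cert.X509Certificate#verify} failure that
     *         is not a {@link SignatureException} (for example an unknown provider)
     */
    void convertCertForFips(String alias, KeyStoreInfo rootKsInfo, KeyStoreInfo keyStoreInfo, int requiredKeySize, String sigAlg) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "== convertCertForFips alias=" + alias + " in keystore=" + keyStoreInfo.getName());
        }
        // A certificate in the default root store needs extra work after conversion:
        // certificates it signed and other roots have to be re-created against the new root.
        boolean convertingInRootStore = keyStoreInfo.getName().endsWith(Constants.DEFAULT_ROOT_STORE);
        if (convertingInRootStore && tc.isDebugEnabled()) {
            Tr.debug(tc, "convertingCertInRootKeyStore is set");
        }
        WSKeyStoreHelper rootHelper = new WSKeyStoreHelper(rootKsInfo);
        WSKeyStoreHelper targetHelper = new WSKeyStoreHelper(keyStoreInfo);
        String password = keyStoreInfo.getPassword();
        PrivateKey privateKey = (PrivateKey) targetHelper.getKey(alias, password);
        if (privateKey == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, alias + " does not appear to be a personal certificate");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "convertCertForFips alias=" + alias);
            }
            return;
        }
        String provider = Security.getProperty("DEFAULT_JCE_PROVIDER");
        if (provider == null) {
            provider = "IBMJCE";
        }
        Certificate[] oldChain = targetHelper.getCertChainFromKey(alias);
        X509Certificate oldCert = (X509Certificate) oldChain[0];
        if (certMeetsRequirements(oldCert, requiredKeySize, sigAlg)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, alias + " already meets the requirements.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "convertCertForFips alias=" + alias);
            }
            return;
        }
        if (oldCert == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "convertCertForFips alias=" + alias);
            }
            return;
        }
        // Self-signed iff the certificate verifies under its own public key. Only a bad
        // signature means "chained"; any other verify() failure propagates to the caller.
        int certType;
        try {
            oldCert.verify(oldCert.getPublicKey(), provider);
            certType = Constants.CERT_TYPE_SELF_SIGNED;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Alias:" + alias + " to be converted is self-signed");
            }
        } catch (SignatureException e) {
            certType = Constants.CERT_TYPE_CHAINED;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Alias:" + alias + " to be converted is chained");
            }
        }
        boolean signWithDefaultRoot = false;
        X509Certificate oldRootCert = null;
        X509Certificate newRootCert = null;
        if (certType == Constants.CERT_TYPE_CHAINED) {
            boolean signedByWebSphere = this.scemHelper.signedByWebSphere(oldChain, this.rootSignerDigestCacheMap);
            // Inside the root store the issuer is the next chain element; elsewhere the last element is taken as the root.
            X509Certificate issuerCert = (X509Certificate) (convertingInRootStore ? oldChain[1] : oldChain[oldChain.length - 1]);
            String rootAlias = PersonalCertificateHelper.findRootCertificateAlias(issuerCert, rootKsInfo);
            if (rootAlias == null && signedByWebSphere) {
                // Issuer not found but WebSphere-signed: fall back to the default root and remember to
                // publish the new root as a signer afterwards.
                String defaultRootAlias = PersonalCertificateHelper.getDefaultRootAlias(rootKsInfo);
                if (defaultRootAlias != null) {
                    signWithDefaultRoot = true;
                    rootAlias = defaultRootAlias;
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Root certificate alias for chained certificate:" + alias + " is " + rootAlias + " signWithDefaultRoot=" + signWithDefaultRoot);
            }
            PrivateKey rootKey = (PrivateKey) rootHelper.getKey(rootAlias, rootKsInfo.getPassword());
            if (rootKey == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No private key found for root alias \"" + rootAlias + "\"; cannot re-sign \"" + alias + "\".");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "convertCertForFips alias=" + alias);
                }
                return;
            }
            Certificate[] rootChain = rootHelper.getCertChainFromKey(rootAlias);
            targetHelper.createChainedCertificateForFips(oldCert, keyStoreInfo, alias, requiredKeySize, rootChain, rootKey);
            if (signWithDefaultRoot) {
                newRootCert = (X509Certificate) rootChain[rootChain.length - 1];
                oldRootCert = (X509Certificate) oldChain[oldChain.length - 1];
            }
        } else if (certType == Constants.CERT_TYPE_SELF_SIGNED) {
            targetHelper.createSelfSignedCertificateForFips(oldCert, keyStoreInfo, alias, requiredKeySize, sigAlg);
        }
        X509Certificate newSignerCert = (X509Certificate) targetHelper.getSignerFromKey(alias);
        if (newSignerCert == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to get the signer for the newly created certificate:" + alias + " in " + keyStoreInfo.getName());
            }
        } else {
            PrivateKey newKey = (PrivateKey) targetHelper.getKey(alias, password);
            Certificate[] newChain = targetHelper.getCertChainFromKey(alias);
            if (convertingInRootStore) {
                // A new root invalidates everything it signed: re-create dependent chained certs and other roots.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "== Calling recreateChainedWithNewRoot for alias: " + alias);
                }
                String chainedMsg = this.scemHelper.recreateChainedWithNewRoot(this.session, this.cs, oldChain, privateKey, newChain, newKey, true, null, requiredKeySize);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "== Result of recreateChainedWithNewRoot for alias. msg=" + chainedMsg);
                    Tr.debug(tc, "== Calling recreateRootsWithNewRoot for alias: " + alias);
                }
                String rootsMsg = this.scemHelper.recreateRootsWithNewRoot(this.session, this.cs, oldChain, privateKey, newChain, newKey, true, null, requiredKeySize);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "== Result of recreateRootsWithNewRoot for alias. msg=" + rootsMsg);
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "== Calling replaceCerts for alias:" + alias);
            }
            String replaceMsg = PersonalCertificateHelper.replaceCerts(this.session, keyStoreInfo, alias, oldCert, alias, newSignerCert, newChain, newKey, true, null);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "== Result of replaceCerts for alias. msg=" + replaceMsg);
            }
            if (signWithDefaultRoot) {
                PersonalCertificateHelper.addNewRootSigner(this.session, oldRootCert, newRootCert);
            }
        }
        if (convertingInRootStore) {
            PersonalCertificateHelper.setWorkspaceUpdated(this.session, rootKsInfo.getLocation());
            PersonalCertificateHelper.markSSLConfigChanged(rootKsInfo, this.session);
        }
        PersonalCertificateHelper.setWorkspaceUpdated(this.session, keyStoreInfo.getLocation());
        PersonalCertificateHelper.markSSLConfigChanged(keyStoreInfo, this.session);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "convertCertForFips alias=" + alias);
        }
    }

    /**
     * Reports whether a certificate already has the required key size and signature
     * algorithm. Any exception while inspecting the certificate (including a null
     * certificate) is traced and treated as "does not meet requirements".
     *
     * @param cert            certificate to inspect
     * @param requiredKeySize required public key size in bits
     * @param requiredSigAlg  required signature algorithm name
     * @return true only when both the key size and the algorithm match
     */
    private boolean certMeetsRequirements(X509Certificate cert, int requiredKeySize, String requiredSigAlg) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "certMeetsRequirements");
        }
        boolean meets;
        try {
            // JCA algorithm names are case-insensitive; comparing them that way avoids
            // needlessly regenerating a key pair over a spelling difference.
            meets = PersonalCertificateHelper.getKeySizeFromPublicKey(cert.getPublicKey()) == requiredKeySize
                    && cert.getSigAlgName().equalsIgnoreCase(requiredSigAlg);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception occured while checking certificate " + e.getMessage());
            }
            meets = false;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "certMeetsRequirements: " + meets);
        }
        return meets;
    }
}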
