package com.ibm.ws.ssl.commands.personalCertificates;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.cmdframework.CommandException;
import com.ibm.websphere.management.cmdframework.CommandLoadException;
import com.ibm.websphere.management.cmdframework.CommandNotFoundException;
import com.ibm.websphere.management.cmdframework.CommandValidationException;
import com.ibm.websphere.management.cmdframework.commanddata.CommandData;
import com.ibm.websphere.management.cmdframework.commandmetadata.TaskCommandMetadata;
import com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand;
import com.ibm.websphere.management.cmdframework.provider.TaskCommandResultImpl;
import com.ibm.websphere.management.configservice.ConfigDataId;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.management.configservice.ConfigServiceFactory;
import com.ibm.websphere.management.configservice.ConfigServiceHelper;
import com.ibm.ws.ssl.commands.certificateRequests.CertificateRequestHelper;
import com.ibm.ws.ssl.commands.utils.CommandConstants;
import com.ibm.ws.ssl.commands.utils.CommandHelper;
import com.ibm.ws.ssl.commands.utils.TraceNLSHelper;
import com.ibm.ws.ssl.config.WSKeyStoreHelper;
import com.ibm.ws.ssl.config.WSKeyStoreRemotable;
import com.ibm.ws.ssl.core.Constants;
import com.ibm.ws.ssl.model.CertReqInfo;
import com.ibm.ws.ssl.model.KeyStoreInfo;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Locale;
import javax.management.ObjectName;
import javax.management.timer.Timer;

/* loaded from: input_file:wasJars/cryptoimpl.jar:com/ibm/ws/ssl/commands/personalCertificates/RenewCertificate.class */
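/**
 * Admin task command that renews a personal (private-key) certificate held in a WebSphere key store.
 *
 * <p>{@link #validate()} reads the command parameters and resolves the target store, the root
 * signing store and the "deleted" store; {@link #afterStepsExecuted()} then performs the renewal
 * via {@link #personalCertificateRenew(Session, KeyStoreInfo, String, String)}. The renewed
 * certificate is built from the old one's subject DN, key size and validity span and is either
 * self-signed or signed by the WebSphere root, matching how the old certificate was signed.
 */
public class RenewCertificate extends AbstractTaskCommand {
    private static final TraceComponent tc =
            Tr.register(RenewCertificate.class, "SSL", "com.ibm.ws.ssl.commands.keyStores");

    /** How the certificate being renewed was signed; decides the renewal path. */
    private static final String SELF_SIGNED = "self-signed";
    private static final String CHAINED = "chained";

    // Command parameters, populated by validate().
    private String keyStoreName;
    private String keyStoreScope;
    private String certificateAlias;
    private Boolean deleteSigners;
    // Resolved key-store descriptors, populated by validate().
    private KeyStoreInfo ksInfo;        // store holding the certificate to renew
    private KeyStoreInfo rootKsInfo;    // store holding the WebSphere root signer
    private String rootKeyStoreName;
    private KeyStoreInfo deletedKsInfo; // handed to CommandHelper.deleteCertificate for RACF stores
    private Session session;

    /**
     * Creates the command from its metadata; all state is filled in later by {@link #validate()}.
     *
     * @param taskCommandMetadata metadata describing the command and its steps
     * @throws CommandNotFoundException propagated from {@link AbstractTaskCommand}
     */
    public RenewCertificate(TaskCommandMetadata taskCommandMetadata) throws CommandNotFoundException {
        super(taskCommandMetadata);
        // Fields deliberately stay at their default (null) values until validate() runs.
    }

    /**
     * Creates the command from serialized command data; all state is filled in later by
     * {@link #validate()}.
     *
     * @param commandData the command data to load
     * @throws CommandNotFoundException propagated from {@link AbstractTaskCommand}
     * @throws CommandLoadException propagated from {@link AbstractTaskCommand}
     */
    public RenewCertificate(CommandData commandData) throws CommandNotFoundException, CommandLoadException {
        super(commandData);
        // Fields deliberately stay at their default (null) values until validate() runs.
    }

    /**
     * Validates the command parameters and resolves every key store the renewal will touch.
     *
     * <p>Reads {@code keyStoreName}, {@code keyStoreScope} (defaulting to the cell scope),
     * {@code certificateAlias} and {@code deleteOldSigners}; rejects read-only stores; picks the
     * RSA-token root store for stores whose usage is {@code KS_USAGE_RSA} and the default root
     * store otherwise.
     *
     * @throws CommandValidationException if the target store is read-only or any lookup fails;
     *         the underlying exception is kept as the cause
     */
    @Override // com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand, com.ibm.websphere.management.cmdframework.provider.AbstractAdminCommand, com.ibm.websphere.management.cmdframework.AdminCommand
    public void validate() throws CommandValidationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validate");
        }
        super.validate();
        try {
            ConfigService configService = ConfigServiceFactory.getConfigService();
            this.session = getConfigSession();
            ObjectName cellObj = configService.resolve(this.session, "Cell=")[0];

            this.keyStoreName = (String) getParameter(CommandConstants.KEY_STORE_NAME);
            this.keyStoreScope = (String) getParameter(CommandConstants.KEY_STORE_SCOPE);
            this.certificateAlias = (String) getParameter(CommandConstants.CERT_ALIAS);
            this.deleteSigners = (Boolean) getParameter(CommandConstants.DELETE_OLD_SIGNERS);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "keyStoreName=" + this.keyStoreName + " keyStoreScope= " + this.keyStoreScope + " certAlias=" + this.certificateAlias);
            }

            CommandHelper commandHelper = new CommandHelper();
            if (this.keyStoreScope == null) {
                // No scope supplied: fall back to the cell scope.
                this.keyStoreScope = commandHelper.defaultCellScope(cellObj);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Default cell scopeName: " + this.keyStoreScope);
                }
            }

            this.ksInfo = PersonalCertificateHelper.getKsInfo(this.session, configService, this.keyStoreName, this.keyStoreScope);
            // A store flagged read-only cannot receive the renewed entry. A missing flag is treated as writable.
            if (Boolean.TRUE.equals(this.ksInfo.getReadOnly())) {
                throw new CommandValidationException(TraceNLSHelper.getInstance().getFormattedMessage(
                        "ssl.command.readonly.keystore.CWPKI0699E", new Object[]{this.ksInfo.getName()},
                        this.ksInfo.getName() + " is marked as a read only key store.  Unable to perform write operations to the key store file."));
            }

            // RSA-token stores are signed from the dedicated RSA root store; everything else from the default root store.
            String usage = this.ksInfo.getUsage();
            this.rootKeyStoreName = CommandConstants.KS_USAGE_RSA.equals(usage)
                    ? commandHelper.getDefaultKeyStoreName(Constants.RSA_TOKEN_ROOT_STORE, this.session, configService)
                    : commandHelper.getDefaultKeyStoreName(Constants.DEFAULT_ROOT_STORE, this.session, configService);
            String rootScope = commandHelper.getScopeForNodeKeyStore(this.session, configService, this.rootKeyStoreName);
            this.rootKsInfo = PersonalCertificateHelper.getKsInfo(this.session, configService, this.rootKeyStoreName, rootScope);
            this.deletedKsInfo = commandHelper.getDeletedKeyStore(this.session, configService, this.keyStoreName);
        } catch (CommandValidationException e) {
            throw e;
        } catch (Exception e) {
            // Keep the original exception as the cause so the failure can be diagnosed from the trace.
            throw new CommandValidationException(e, e.getMessage());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validate");
        }
    }

    /**
     * Runs the renewal once the command steps have completed successfully and records the
     * outcome on the task result. Failures are attached to the result as a
     * {@link CommandException} rather than thrown.
     */
    @Override // com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand
    public void afterStepsExecuted() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "afterStepsExecuted");
        }
        super.afterStepsExecuted();
        TaskCommandResultImpl result = (TaskCommandResultImpl) getTaskCommandResult();
        if (result.isSuccessful()) {
            try {
                result.setResult(personalCertificateRenew(this.session, this.ksInfo, this.certificateAlias, this.keyStoreScope));
            } catch (Exception e) {
                result.setException(new CommandException(e, e.getMessage()));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "afterStepsExecuted");
        }
    }

    /**
     * Renews the personal certificate stored under {@code str} in {@code keyStoreInfo}.
     *
     * <p>The entry must be a private-key entry that is not a pending certificate request. A
     * chained certificate is renewed only when its chain terminates in a WebSphere root held in
     * the root store; otherwise the caller gets a "CA certificate, renew manually" or
     * "root not found" error. The new certificate reuses the old subject DN, key size and
     * validity span. Afterwards alias references are updated if the alias changed, the old
     * entry is removed from RACF stores, signer copies are replaced and the SSL configuration is
     * marked changed.
     *
     * @param session config session used for workspace updates
     * @param keyStoreInfo descriptor of the store holding the certificate
     * @param str alias of the certificate to renew
     * @param str2 key-store scope; accepted for API compatibility, not used by the renewal itself
     * @return a report message starting with a line separator, followed by the CWPKI0704I text
     *         and the signer-replacement report
     * @throws Exception if the entry is not a personal certificate, the signer cannot be found,
     *         or any key-store operation fails; the original exception is propagated unwrapped
     */
    public String personalCertificateRenew(Session session, KeyStoreInfo keyStoreInfo, String str, String str2) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "personalCertificateRenew");
        }
        try {
            WSKeyStoreRemotable remoteStore = new WSKeyStoreRemotable(keyStoreInfo);
            String password = keyStoreInfo.getPassword();

            // Only private-key entries can be renewed; a missing/false answer is "not personal".
            Boolean isKeyEntry = (Boolean) remoteStore.invokeKeyStoreCommand("isKeyEntry", new Object[]{str})[0];
            if (!Boolean.TRUE.equals(isKeyEntry)) {
                throw notPersonalCertificate(str);
            }
            Certificate[] chain = (Certificate[]) remoteStore.invokeKeyStoreCommand("getCertificateChain", new Object[]{str})[0];
            PrivateKey privateKey = (PrivateKey) remoteStore.invokeKeyStoreCommand("getKey", new Object[]{str, password.toCharArray()})[0];
            // Check for a missing entry before the chain and certificate are dereferenced.
            if (chain == null || chain.length == 0 || chain[0] == null || privateKey == null) {
                throw new KeyStoreException("Certificate not found in keyStore.");
            }
            X509Certificate oldCert = (X509Certificate) chain[0];
            if (CertificateRequestHelper.isKeyCertReq(oldCert, str) != null) {
                throw notPersonalCertificate(str);
            }
            // getBasicConstraints() returns -1 when the certificate is not a CA.
            boolean isCaCert = oldCert.getBasicConstraints() != -1;

            String signingKind = classifySignature(oldCert);
            if (CHAINED.equals(signingKind)
                    && !PersonalCertificateHelper.signedByWebSphere((X509Certificate) chain[chain.length - 1], privateKey, this.rootKsInfo)) {
                throw rejectForeignSigner(session, keyStoreInfo, str, oldCert);
            }

            CertReqInfo request = buildRenewalRequest(str, oldCert);
            boolean racfStore = isRacfKeyStore(this.ksInfo.getType());
            WSKeyStoreHelper storeHelper = new WSKeyStoreHelper(this.ksInfo);

            String newAlias;
            X509Certificate newSigner;
            boolean rootReplaced = false;
            X509Certificate oldRoot = null;
            X509Certificate newRoot = null;
            if (CHAINED.equals(signingKind)) {
                if (chain.length < 2) {
                    // A chained certificate without its issuer in the chain cannot be matched to a root.
                    throw rootCertificateNotFound(oldCert);
                }
                WSKeyStoreHelper rootHelper = new WSKeyStoreHelper(this.rootKsInfo);
                String rootAlias = PersonalCertificateHelper.findRootCertificateAlias((X509Certificate) chain[1], this.rootKsInfo);
                if (rootAlias == null) {
                    // The old chain's root is gone from the root store; sign with the current default root instead
                    // (signedByWebSphere already confirmed the chain is WebSphere-signed).
                    String defaultRoot = PersonalCertificateHelper.getDefaultRootAlias(this.rootKsInfo);
                    if (defaultRoot != null) {
                        rootAlias = defaultRoot;
                        rootReplaced = true;
                    }
                }
                if (rootAlias == null) {
                    throw rootCertificateNotFound(oldCert);
                }
                Certificate[] rootChain = rootHelper.getCertChainFromKey(rootAlias);
                PrivateKey rootKey = (PrivateKey) rootHelper.getKey(rootAlias, this.rootKsInfo.getPassword());
                newAlias = storeHelper.createChainedCertificate(request, rootChain, rootKey, isCaCert, !racfStore);
                newSigner = storeHelper.getSigner(newAlias);
                if (rootReplaced) {
                    newRoot = (X509Certificate) rootChain[rootChain.length - 1];
                    oldRoot = (X509Certificate) chain[chain.length - 1];
                }
            } else {
                newAlias = storeHelper.createSelfSignedCertificate(request, isCaCert, !racfStore);
                newSigner = storeHelper.getSigner(newAlias);
            }

            // Compare by value: the helper may return an equal but distinct String for an unchanged alias.
            if (!str.equals(newAlias)) {
                PersonalCertificateHelper.changeAliasReferences(session, keyStoreInfo, str, newAlias);
            }
            if (racfStore) {
                new CommandHelper().deleteCertificate(session, keyStoreInfo, this.deletedKsInfo, str);
                new WSKeyStoreHelper(this.ksInfo).deleteCertificate(str);
            }

            Locale locale = resolveLocale();
            StringBuilder report = new StringBuilder();
            report.append(System.getProperty("line.separator"));
            report.append(TraceNLSHelper.getInstance().getFormattedMessage(
                    "ssl.command.cert.renewed.CWPKI0704I", new Object[]{str, keyStoreInfo.getName()},
                    "Personal certificate with alias \"" + str + "\" in KeyStore \"" + keyStoreInfo.getName() + "\" was RENEWED.", locale));
            // NOTE(review): an unset deleteOldSigners parameter is treated as false here — confirm against the command metadata default.
            boolean removeOldSigners = this.deleteSigners != null && this.deleteSigners.booleanValue();
            report.append(PersonalCertificateHelper.replaceCerts(session, keyStoreInfo, str, oldCert, null, newSigner, null, null, removeOldSigners, locale));
            if (rootReplaced) {
                PersonalCertificateHelper.addNewRootSigner(session, oldRoot, newRoot);
            }
            if (Boolean.TRUE.equals(keyStoreInfo.getFileBased())) {
                PersonalCertificateHelper.setWorkspaceUpdated(session, keyStoreInfo.getLocation());
            }
            PersonalCertificateHelper.markSSLConfigChanged(keyStoreInfo, session);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "personalCertificateRenew");
            }
            return report.toString();
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "personalCertificateRenew failed: " + e.getMessage());
            }
            // Propagate unwrapped so the caller's e.getMessage() is the NLS text, not "java.lang.Exception: ...".
            throw e;
        }
    }

    /**
     * Decides whether {@code cert} is self-signed by verifying it against its own public key.
     *
     * <p>Only a {@link SignatureException} is read as "signed by someone else"; any other
     * verification failure (unsupported algorithm, key mismatch) propagates, so a certificate
     * with a broken signature is never silently renewed as chained.
     *
     * @return {@link #SELF_SIGNED} or {@link #CHAINED}
     * @throws Exception verification errors other than a signature mismatch
     */
    private static String classifySignature(X509Certificate cert) throws Exception {
        try {
            cert.verify(cert.getPublicKey());
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate to be renewed is self-signed");
            }
            return SELF_SIGNED;
        } catch (SignatureException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate to be renewed is chained");
            }
            return CHAINED;
        }
    }

    /**
     * Builds the certificate request for the renewal from the old certificate: same alias,
     * subject DN, key size (rounded up to an even bit length) and validity span in days, plus
     * the profile UUID when the old certificate carries one.
     *
     * @throws KeyStoreException if the public key is neither RSA nor DSA
     */
    private CertReqInfo buildRenewalRequest(String alias, X509Certificate cert) throws KeyStoreException {
        PublicKey publicKey = cert.getPublicKey();
        int keySize;
        if (publicKey instanceof RSAPublicKey) {
            keySize = ((RSAPublicKey) publicKey).getModulus().bitLength();
        } else if (publicKey instanceof DSAPublicKey) {
            keySize = ((DSAPublicKey) publicKey).getParams().getP().bitLength();
        } else {
            throw new KeyStoreException("Unsupported public key algorithm for renewal: " + publicKey.getAlgorithm());
        }
        // An odd modulus length is rounded up so the request asks for an even key size.
        if (keySize % 2 != 0) {
            keySize++;
        }
        // NOTE(review): the renewed key is the same size as the old one; a store carrying legacy short keys keeps them.
        int validityDays = (int) ((cert.getNotAfter().getTime() - cert.getNotBefore().getTime()) / Timer.ONE_DAY);
        String subjectDn = cert.getSubjectDN().toString();
        CertReqInfo request = new CertReqInfo(alias, keySize, subjectDn, validityDays, this.ksInfo, null);
        String profileUuid = PersonalCertificateHelper.getUUIDFromCert(cert);
        if (profileUuid != null) {
            request.setProfileUUID(profileUuid);
        }
        return request;
    }

    /**
     * Builds the error for a chained certificate whose chain is not WebSphere-signed: a CA
     * certificate registered in the security configuration must be renewed manually; anything
     * else is reported as a missing root.
     */
    private Exception rejectForeignSigner(Session session, KeyStoreInfo keyStoreInfo, String alias, X509Certificate cert) throws Exception {
        ConfigService configService = ConfigServiceFactory.getConfigService();
        ObjectName certObj = null;
        try {
            certObj = PersonalCertificateHelper.getCertificateObj(session, configService, configService.resolve(session, "Cell=:Security=")[0], alias, keyStoreInfo);
        } catch (CommandValidationException e) {
            // Best effort: a lookup failure just means the certificate is not a configured CA object.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error obtaining certificate object: " + e.getMessage());
            }
        }
        if (certObj != null) {
            return new Exception(TraceNLSHelper.getInstance().getFormattedMessage(
                    "ssl.command.cert.ca.norenew.CWPKI0702E", new Object[]{alias},
                    "Certificate specified as alias " + alias + " is a certificate authority (CA) certificate and must be renewed manually."));
        }
        return rootCertificateNotFound(cert);
    }

    /** Error for an alias that is not a private-key entry (CWPKI0666E). */
    private static Exception notPersonalCertificate(String alias) {
        return new Exception(TraceNLSHelper.getInstance().getFormattedMessage(
                "ssl.command.not.personal.cert.CWPKI0666E", new Object[]{alias},
                "Certificate \"" + alias + "\" is not a personal certificate."));
    }

    /** Error for a signing root that is absent from the root store (CWPKI0705E). */
    private Exception rootCertificateNotFound(X509Certificate cert) {
        String serial = cert.getSerialNumber().toString();
        return new Exception(TraceNLSHelper.getInstance().getFormattedMessage(
                "ssl.command.root.cert.not.exist.CWPKI0705E", new Object[]{serial, this.rootKsInfo.getName()},
                "The root certificate used to sign the certificate with serial number " + serial + " could not be found in key store " + this.rootKsInfo.getName() + "."));
    }

    /** True for the two RACF key-store types, which need the old entry deleted explicitly after renewal. */
    private static boolean isRacfKeyStore(String type) {
        return Constants.KEYSTORE_TYPE_JCERACFKS.equals(type) || Constants.KEYSTORE_TYPE_JCECCARACFKS.equals(type);
    }

    /** The command locale, or the JVM default when the command has none. */
    private Locale resolveLocale() {
        Locale locale = getLocale();
        if (locale == null) {
            locale = Locale.getDefault();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "locale is null, use system locale:" + locale);
            }
        }
        return locale;
    }
}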
