package com.ibm.ws.ssl.commands.migrate;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.cmdframework.CommandException;
import com.ibm.websphere.management.cmdframework.CommandLoadException;
import com.ibm.websphere.management.cmdframework.CommandNotFoundException;
import com.ibm.websphere.management.cmdframework.CommandValidationException;
import com.ibm.websphere.management.cmdframework.commanddata.CommandData;
import com.ibm.websphere.management.cmdframework.commandmetadata.TaskCommandMetadata;
import com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand;
import com.ibm.websphere.management.cmdframework.provider.TaskCommandResultImpl;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.management.configservice.ConfigServiceFactory;
import com.ibm.websphere.management.configservice.ConfigServiceHelper;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.rsadapter.DSConfigHelper;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.ssl.commands.WSCertExpMonitor.StartCertificateExpMonitorHelper;
import com.ibm.ws.ssl.commands.certificateRequests.CertificateRequestHelper;
import com.ibm.ws.ssl.commands.personalCertificates.PersonalCertificateHelper;
import com.ibm.ws.ssl.commands.utils.CommandConstants;
import com.ibm.ws.ssl.commands.utils.CommandHelper;
import com.ibm.ws.ssl.commands.utils.TraceNLSHelper;
import com.ibm.ws.ssl.config.KeyStoreManager;
import com.ibm.ws.ssl.config.ManagementScopeManager;
import com.ibm.ws.ssl.config.WSKeyStoreHelper;
import com.ibm.ws.ssl.core.Constants;
import com.ibm.ws.ssl.model.CertReqInfo;
import com.ibm.ws.ssl.model.KeyStoreInfo;
import java.math.BigInteger;
import java.security.Key;
import java.security.PrivateKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.crypto.spec.SecretKeySpec;
import javax.management.AttributeList;
import javax.management.ObjectName;
import javax.management.QueryExp;
import org.apache.wsif.wsdl.extensions.jms.JMSConstants;

/* loaded from: input_file:com/ibm/ws/ssl/commands/migrate/ConvertSSLCertificates.class */
public class ConvertSSLCertificates extends AbstractTaskCommand {
    private static TraceComponent tc = Tr.register((Class<?>) ConvertSSLCertificates.class, "SSL", "com.ibm.ws.ssl.commands.sslCommandTask");
    // Digest cache handed to certHelper.signedByWebSphere() when a chained certificate is checked,
    // so root-signer digests are shared across all keystores scanned in one run (raw type as decompiled).
    HashMap rootSignerDigestCacheMap;
    // Work list of CertReqInfo entries gathered while scanning keystores; walked by
    // convertCertificates()/handleRootKeystore() and cleared at the end of convertCertificates().
    List certList;
    // Helper used for the signed-by-WebSphere chain check and for re-signing roots after a root replacement.
    StartCertificateExpMonitorHelper certHelper;
    // "action" command parameter as read in validate(); compared case-insensitively with "replace".
    private String inAction;
    // "signatureAlgorithm" command parameter as read in validate(); forwarded to every helper.
    private String inSignatureAlgorithm;
    // Platform line separator used between report entries.
    String linesep;
    // Report text accumulated across the run and returned by convertCertificates().
    StringBuffer report;

    /**
     * Builds the command from its task metadata.
     *
     * @param taskCommandMetadata metadata describing the task command
     * @throws CommandNotFoundException propagated from the superclass constructor
     */
    public ConvertSSLCertificates(TaskCommandMetadata taskCommandMetadata) throws CommandNotFoundException {
        super(taskCommandMetadata);
        // Parameters are filled in by validate(); nothing is selected yet.
        this.inAction = null;
        this.inSignatureAlgorithm = null;
        // Per-run scratch state shared by the helper methods.
        this.report = new StringBuffer();
        this.linesep = System.getProperty("line.separator");
        this.certList = new ArrayList();
        this.rootSignerDigestCacheMap = new HashMap();
        this.certHelper = new StartCertificateExpMonitorHelper();
    }

    /**
     * Builds the command from serialized command data.
     *
     * @param commandData command data to load the command from
     * @throws CommandNotFoundException propagated from the superclass constructor
     * @throws CommandLoadException     propagated from the superclass constructor
     */
    public ConvertSSLCertificates(CommandData commandData) throws CommandNotFoundException, CommandLoadException {
        super(commandData);
        // Parameters are filled in by validate(); nothing is selected yet.
        this.inAction = null;
        this.inSignatureAlgorithm = null;
        // Per-run scratch state shared by the helper methods.
        this.report = new StringBuffer();
        this.linesep = System.getProperty("line.separator");
        this.certList = new ArrayList();
        this.rootSignerDigestCacheMap = new HashMap();
        this.certHelper = new StartCertificateExpMonitorHelper();
    }

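    /**
     * Validates the {@code action} and {@code signatureAlgorithm} parameters and stores them in
     * {@code inAction} / {@code inSignatureAlgorithm} for the later steps.
     * <p>
     * Either parameter may be absent ({@code null} passes). A present value must be one of
     * {@link CommandConstants#ACTIONS} respectively {@link Constants#ALL_SIGNATURE_ALGORITHMS};
     * anything else fails with CWPKI0756E / CWPKI0755E.
     *
     * @throws CommandValidationException if the superclass validation fails, a parameter value is
     *         not in its allowed list, or reading a parameter fails
     */
    public void validate() throws CommandValidationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.VALIDATE);
        }
        super.validate();
        try {
            this.inAction = (String) getParameter(CommandConstants.ACTION);
            List<String> validActions = CommandConstants.ACTIONS;
            if (this.inAction != null && !isParmValid(this.inAction, validActions)) {
                throw new CommandValidationException(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.invalid.action.CWPKI0756E", new Object[]{this.inAction, validActions}, "Invalid action " + this.inAction + " is entered. Valid values for include: " + validActions));
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "action parameter is " + this.inAction);
            }
            this.inSignatureAlgorithm = (String) getParameter(CommandConstants.SIGNATURE_ALGORITHM);
            List<String> validAlgorithms = Constants.ALL_SIGNATURE_ALGORITHMS;
            if (this.inSignatureAlgorithm != null && !isParmValid(this.inSignatureAlgorithm, validAlgorithms)) {
                throw new CommandValidationException(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.invalid.sigalg.CWPKI0755E", new Object[]{this.inSignatureAlgorithm, validAlgorithms}, "Invalid signature algorithm " + this.inSignatureAlgorithm + " is entered. Valid values for include: " + validAlgorithms));
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "signature algorithm parameter is " + this.inSignatureAlgorithm);
            }
        } catch (CommandValidationException cve) {
            // Already the right type (raised above for a bad value): rethrow as-is instead of rebuilding
            // it from getMessage(), which would drop the stack trace and any cause.
            throw cve;
        } catch (Exception e) {
            // Parameter lookup failed. getMessage() may be null, so fall back to toString() for a usable
            // message, and keep the original exception as the cause where the exception type allows it.
            String message = e.getMessage() != null ? e.getMessage() : e.toString();
            CommandValidationException wrapped = new CommandValidationException(message);
            try {
                wrapped.initCause(e);
            } catch (IllegalStateException ignored) {
                // The constructor already fixed the cause; nothing more to attach.
            }
            throw wrapped;
        }
        // Exit trace outside the try so it is emitted on the success path only, after all checks.
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.VALIDATE);
        }
    }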

    /**
     * Runs the certificate conversion before any command step executes and records the outcome
     * in the task result.
     * <p>
     * Nothing is done when the superclass already marked the result unsuccessful. A failure of
     * {@link #convertCertificates()} is stored on the result as a {@link CommandException}; the
     * result is then published with {@code setCommandResult}.
     */
    protected void beforeStepsExecuted() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "beforeStepsExecuted");
        }
        super.beforeStepsExecuted();
        TaskCommandResultImpl result = getTaskCommandResult();
        if (result.isSuccessful()) {
            try {
                result.setResult(convertCertificates());
            } catch (Exception e) {
                result.setException(new CommandException(e, e.getMessage()));
            }
            setCommandResult(result);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "beforeStepsExecuted");
        }
    }

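    /**
     * Scans the configured keystores and either reports or replaces personal certificates
     * according to the {@code action} parameter.
     * <p>
     * In replace mode the root keystore is converted first by {@link #handleRootKeystore}; every
     * other keystore is then scanned into {@code certList} and each entry is regenerated by
     * {@link #genNewCertsAndReplace}. In any other mode the scan is read-only and
     * {@link #getCertificateInfoForList} only describes each entry. Keystores whose name ends with
     * the deleted-store, root-store or LTPA-keys suffix, or that contain {@code "RSAToken"}, are not
     * scanned. A failure anywhere in the scan is recorded through FFDC and otherwise swallowed, so
     * after an error the returned report can look like an ordinary "nothing to replace" result.
     *
     * @return the accumulated report, or the CWPKI0760I "no personal certificates to replace"
     *         message when nothing was appended
     * @throws Exception declared for callers; the body catches and logs its own failures
     */
    public String convertCertificates() throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "convertCertificates");
        }
        // Null-safe on purpose: an absent action must fall through to the read-only listing path
        // rather than raise an NPE (which the catch below would swallow) or be mistaken for "replace".
        boolean replaceMode = "replace".equalsIgnoreCase(this.inAction);
        try {
            PersonalCertificateHelper.clearCertReplaced();
            ConfigService configService = ConfigServiceFactory.getConfigService();
            Session configSession = getConfigSession();
            ObjectName securityObject = configService.resolve(configSession, "Cell=:Security=")[0];
            if (replaceMode) {
                String rootReport = handleRootKeystore(configSession, configService, this.inSignatureAlgorithm);
                if (!rootReport.isEmpty()) {
                    this.report.append(rootReport);
                }
            } else {
                KeyStoreInfo rootKsInfo = PersonalCertificateHelper.getKsInfo(configSession, configService, KeyStoreManager.getDefaultKeyStoreName(Constants.DEFAULT_ROOT_STORE), ManagementScopeManager.getInstance().getNodeScopeName());
                checkCertsInKeyStore(configSession, configService, rootKsInfo, this.inSignatureAlgorithm);
            }
            scanNonRootKeyStores(configSession, configService, securityObject);
            // Index loop rather than for-each: the helpers called here are defined elsewhere and may
            // touch certList. Root entries already replaced by handleRootKeystore are still in the
            // list; genNewCertsAndReplace skips them through its already-replaced check.
            for (int i = 0; i < this.certList.size(); i++) {
                CertReqInfo certReqInfo = (CertReqInfo) this.certList.get(i);
                String entryReport;
                if (replaceMode) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Replacing certificate....");
                    }
                    entryReport = genNewCertsAndReplace(configSession, configService, certReqInfo, this.inSignatureAlgorithm);
                } else {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Getting information on the " + certReqInfo.getLabel());
                    }
                    entryReport = getCertificateInfoForList(configSession, configService, certReqInfo, this.inSignatureAlgorithm);
                }
                if (entryReport != null) {
                    this.report.append(this.linesep);
                    this.report.append(entryReport);
                }
            }
            PersonalCertificateHelper.clearCertReplaced();
            this.certList.clear();
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.ssl.commands.migrate.convertSSLCertificates", "288");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception while running certificate exp", e.getMessage());
            }
        }
        if (this.report.length() < 1) {
            String noReplace = TraceNLSHelper.getInstance().getString("ssl.command.cert.signature.algorithm.no.replace.CWPKI0760I", "There are no personal certificates to replace in the configuration.");
            this.report.append(this.linesep);
            this.report.append(noReplace);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "convertCertificates");
        }
        return this.report.toString();
    }

    /**
     * Scans every keystore registered on the Security object, except those {@link #isSkippedKeyStore}
     * rejects, into {@code certList} via {@link #checkCertsInKeyStore}.
     * A keystore that cannot be resolved is logged at debug level and skipped so the others are still scanned.
     *
     * @param configSession  config session
     * @param configService  config service
     * @param securityObject the resolved {@code Cell=:Security=} object that holds the keyStores attribute
     * @throws Exception if the keyStores attribute itself cannot be read
     */
    private void scanNonRootKeyStores(Session configSession, ConfigService configService, ObjectName securityObject) throws Exception {
        List keyStores = (List) configService.getAttribute(configSession, securityObject, CommandConstants.KEY_STORES);
        for (Object entry : keyStores) {
            AttributeList keyStoreAttrs = (AttributeList) entry;
            String keyStoreName = (String) ConfigServiceHelper.getAttributeValue(keyStoreAttrs, "name");
            if (isSkippedKeyStore(keyStoreName)) {
                continue;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Looking at keystore " + keyStoreName);
            }
            try {
                ObjectName scope = (ObjectName) ConfigServiceHelper.getAttributeValue(keyStoreAttrs, CommandConstants.MANAGEMENT_SCOPE);
                String scopeName = (String) configService.getAttribute(configSession, scope, CommandConstants.SCOPE_NAME);
                KeyStoreInfo ksInfo = PersonalCertificateHelper.getKsInfo(configSession, configService, keyStoreName, scopeName);
                checkCertsInKeyStore(configSession, configService, ksInfo, this.inSignatureAlgorithm);
            } catch (Exception e) {
                // Best effort: one unreadable keystore must not stop the scan of the others.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is a problem extracting a keystore while looking at keystores ", e.getMessage());
                }
            }
        }
    }

    /**
     * Tells whether a keystore is outside the scope of this command: the deleted, root and LTPA
     * stores (matched by name suffix) and any store whose name contains {@code "RSAToken"}.
     *
     * @param keyStoreName configured keystore name
     * @return {@code true} when the keystore must not be scanned
     */
    private static boolean isSkippedKeyStore(String keyStoreName) {
        return keyStoreName.endsWith(Constants.DEFAULT_DELETED_STORE)
                || keyStoreName.endsWith(Constants.DEFAULT_ROOT_STORE)
                || keyStoreName.endsWith(Constants.LTPA_KEYS)
                || keyStoreName.contains("RSAToken");
    }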

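    /**
     * Walks the personal certificates of one keystore and hands each real certificate to
     * {@code checkCertSignatureAlgorithm} (defined elsewhere in this class; as far as this method
     * can tell it is what populates {@code certList}).
     * <p>
     * Skipped entries: aliases that {@link CertificateRequestHelper#isKeyCertReq} reports as
     * certificate requests (non-null result) and aliases with no certificate chain. Any other
     * failure is recorded through FFDC and swallowed, leaving the keystore partly scanned.
     *
     * @param session       config session (unused; kept for parity with the sibling helpers)
     * @param configService config service (unused)
     * @param keyStoreInfo  keystore to scan
     * @param str           requested signature algorithm, forwarded to the per-certificate check
     * @return always {@code null}; callers discard the result
     * @throws Exception declared for signature compatibility only; failures are caught inside
     */
    private String checkCertsInKeyStore(Session session, ConfigService configService, KeyStoreInfo keyStoreInfo, String str) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkCertsInKeyStore", new Object[]{keyStoreInfo, str});
        }
        WSKeyStoreHelper keyStoreHelper = new WSKeyStoreHelper(keyStoreInfo);
        try {
            HashMap personalCerts = keyStoreHelper.listPersonalCertificates();
            if (personalCerts != null) {
                for (Object aliasObj : personalCerts.keySet()) {
                    String alias = (String) aliasObj;
                    Certificate[] chain = (Certificate[]) personalCerts.get(alias);
                    if (chain == null || chain.length == 0) {
                        // An empty chain used to raise an index error that aborted the scan of the whole
                        // keystore; skip just this alias instead.
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Alias " + alias + " has no certificate chain, skipping");
                        }
                        continue;
                    }
                    X509Certificate leaf = (X509Certificate) chain[0];
                    // A non-null result marks the alias as a certificate request, which is not converted.
                    if (CertificateRequestHelper.isKeyCertReq(leaf, alias) == null) {
                        checkCertSignatureAlgorithm(alias, leaf, keyStoreInfo, str);
                    }
                }
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.ssl.commands.migrate.convertSSLCertificates", "336");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception while running certificate exp", e.getMessage());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkCertsInKeyStore");
        }
        return null;
    }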

    /**
     * Regenerates one personal certificate of a non-root keystore with the requested signature
     * algorithm and swaps it into the keystore (replace mode).
     * <p>
     * Steps, in order: refuse read-only keystores (CWPKI0759E); skip an alias already replaced in
     * this run; load the key and chain; classify the leaf as self-signed or chained by verifying it
     * against its own public key; a chained leaf is only re-issued when
     * {@code certHelper.signedByWebSphere} accepts its chain, in which case it is signed again by
     * the matching (or default) root of the node's root keystore; a self-signed leaf is regenerated
     * directly. On success {@link #replaceCerts} installs the new certificate and the CWPKI0758I
     * message is returned. Any exception after the already-replaced check is recorded through FFDC
     * and swallowed.
     *
     * @param session       config session
     * @param configService config service
     * @param certReqInfo   entry to replace; its size (and, when self-signed, its signature algorithm)
     *                      is updated in place before the new certificate is created
     * @param str           requested signature algorithm
     * @return the report lines for this entry, possibly empty; never {@code null}
     * @throws Exception declared for callers; failures inside the try are caught and logged
     */
    private String genNewCertsAndReplace(Session session, ConfigService configService, CertReqInfo certReqInfo, String str) throws Exception {
        String defaultRootAlias;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "genNewCertsAndReplace");
        }
        String label = certReqInfo.getLabel();
        KeyStoreInfo ksInfo = certReqInfo.getKsInfo();
        // KeyStoreInfo exposes the keystore password as a String; it is passed straight to the helper.
        String password = ksInfo.getPassword();
        String name = ksInfo.getName();
        // Result unused (decompiled leftover).
        ksInfo.getUsage();
        String scopeNameString = ksInfo.getScopeNameString();
        WSKeyStoreHelper wSKeyStoreHelper = new WSKeyStoreHelper(ksInfo);
        Certificate[] certificateArr = null;
        X509Certificate x509Certificate = null;
        // str2: "self-signed" or "chained", decided by the verify() call below.
        String str2 = "self-signed";
        // z: true when the leaf carries the basic-constraints (CA) extension.
        boolean z = false;
        // str3: alias of the newly created certificate.
        String str3 = null;
        // z2: true once the old certificate has been moved to the deleted keystore.
        boolean z2 = false;
        String property = System.getProperty("line.separator");
        StringBuffer stringBuffer = new StringBuffer();
        // JCE provider used only for the self-signed check below; IBMJCE when none is configured.
        String property2 = Security.getProperty("DEFAULT_JCE_PROVIDER");
        if (property2 == null) {
            property2 = "IBMJCE";
        }
        // Called for effect only; the returned locale is not used here.
        currentLocale();
        if (ksInfo.getReadOnly().booleanValue()) {
            String str4 = ksInfo.getName() + "(" + ksInfo.getScopeNameString() + ")";
            String formattedMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.signature.algorithm.cannot.replace.CWPKI0759E", new Object[]{label, str4}, "The personal certificate " + label + " in the " + str4 + " keystore can not be replaced.  The certificate can come from a Certificate Authority (CA) or it can be in a read only keystore.");
            // NOTE(review): passes null here, whereas the replaced-key is name|scope|label everywhere
            // else (see below and genNewRootAndReplace); confirm what the helper does with a null key.
            PersonalCertificateHelper.markCertReplaced(null);
            stringBuffer.append(property);
            stringBuffer.append(formattedMessage);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "genNewCertsAndReplace");
            }
            return stringBuffer.toString();
        }
        // Root keystore of the node scope: supplies the signing key for chained certificates.
        KeyStoreInfo ksInfo2 = PersonalCertificateHelper.getKsInfo(session, configService, KeyStoreManager.getDefaultKeyStoreName(Constants.DEFAULT_ROOT_STORE), ManagementScopeManager.getInstance().getNodeScopeName());
        WSKeyStoreHelper wSKeyStoreHelper2 = new WSKeyStoreHelper(ksInfo2);
        // Per-run "already replaced" key: keystore name, scope and alias joined by the separator constant.
        String str5 = ksInfo.getName() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + ksInfo.getScopeNameString() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + label;
        if (!PersonalCertificateHelper.isCertAlreadyReplaced(str5)) {
            try {
                Key key = wSKeyStoreHelper.getKey(label, password);
                // A SecretKeySpec entry is a symmetric key, not a personal certificate.
                if (key != null && !(key instanceof SecretKeySpec)) {
                    certificateArr = wSKeyStoreHelper.getCertChainFromKey(label);
                    x509Certificate = (X509Certificate) certificateArr[0];
                    // -1 means the certificate has no basic-constraints extension.
                    if (x509Certificate.getBasicConstraints() != -1) {
                        z = true;
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Certificate \"" + label + "\" is not a personal certificate.");
                }
                if (x509Certificate != null && key != null) {
                    // Self-signed test: only a SignatureException means "signed by another key".
                    // Other verify() failures (key mismatch, unknown provider, ...) propagate to the
                    // catch below and abort this entry.
                    try {
                        x509Certificate.verify(x509Certificate.getPublicKey(), property2);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Certificate to be renewed is self-signed");
                        }
                    } catch (SignatureException e) {
                        str2 = "chained";
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Certificate to be renewed is chained");
                        }
                    }
                    // z3: for chained certificates, whether certHelper accepts the chain as
                    // WebSphere-signed (opaque helper; presumably uses the digest cache). Stays true
                    // for self-signed certificates.
                    boolean z3 = true;
                    if (str2.equalsIgnoreCase("chained")) {
                        z3 = this.certHelper.signedByWebSphere(certificateArr, this.rootSignerDigestCacheMap);
                    }
                    if (str2.equals("self-signed") || (str2.equals("chained") && z3)) {
                        // z4: set when the chain's root was not found and the default root alias is used
                        // instead; the old and new roots are then published via addNewRootSigner.
                        boolean z4 = false;
                        // x509Certificate2: new root certificate, x509Certificate3: old root (both only when z4).
                        X509Certificate x509Certificate2 = null;
                        X509Certificate x509Certificate3 = null;
                        // RACF-backed keystores keep the old entry; every other type moves it to the
                        // deleted keystore first.
                        if (!ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCERACFKS) && !ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCECCARACFKS)) {
                            CommandHelper commandHelper = new CommandHelper();
                            commandHelper.deleteCertificate(session, ksInfo, commandHelper.getDeletedKeyStore(session, configService, name), label);
                            z2 = true;
                        }
                        if (str2.equals("chained")) {
                            // Locate the root alias from the last certificate of the existing chain.
                            String findRootCertificateAlias = PersonalCertificateHelper.findRootCertificateAlias((X509Certificate) certificateArr[certificateArr.length - 1], ksInfo2);
                            if (findRootCertificateAlias == null && z3 && (defaultRootAlias = PersonalCertificateHelper.getDefaultRootAlias(ksInfo2)) != null) {
                                z4 = true;
                                findRootCertificateAlias = defaultRootAlias;
                            }
                            Key key2 = wSKeyStoreHelper2.getKey(findRootCertificateAlias, ksInfo2.getPassword());
                            if (key2 == null) {
                                // Thrown inside the try: caught below, logged through FFDC, and the entry
                                // ends with an empty report instead of a user-visible error.
                                throw new Exception(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.not.personal.cert.CWPKI0666E", new Object[]{label}, "Certificate \"" + label + "\" is not a personal certificate."));
                            }
                            Certificate[] certChainFromKey = wSKeyStoreHelper2.getCertChainFromKey(findRootCertificateAlias);
                            certReqInfo.setSize(getNewCertSize(str, certReqInfo));
                            str3 = wSKeyStoreHelper.createChainedCertificate(certReqInfo, certChainFromKey, (PrivateKey) key2, z, z2);
                            if (z4) {
                                x509Certificate2 = (X509Certificate) certChainFromKey[certChainFromKey.length - 1];
                                x509Certificate3 = (X509Certificate) certificateArr[certificateArr.length - 1];
                            }
                        } else if (str2.equals("self-signed")) {
                            certReqInfo.setSize(getNewCertSize(str, certReqInfo));
                            certReqInfo.setSignatureAlgorithm(str);
                            str3 = wSKeyStoreHelper.createSelfSignedCertificate(certReqInfo, z, z2);
                        }
                        String str6 = name + "(" + scopeNameString + ")";
                        // NOTE(review): the "has been replaced" line is appended before replaceCerts runs;
                        // if getSignerFromKey or replaceCerts throws, the catch below still returns this text.
                        String formattedMessage2 = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.signature.algorithm.replace.CWPKI0758I", new Object[]{label, str6}, "The personal certificate " + label + " in the " + str6 + " keystore has been replaced.");
                        stringBuffer.append(property);
                        stringBuffer.append(formattedMessage2);
                        PersonalCertificateHelper.markCertReplaced(str5);
                        X509Certificate x509Certificate4 = (X509Certificate) wSKeyStoreHelper.getSignerFromKey(str3);
                        // Without a signer for the new certificate nothing is swapped, and the report
                        // line above is not corrected.
                        if (x509Certificate4 != null) {
                            replaceCerts(session, ksInfo, label, x509Certificate, str3, x509Certificate4, wSKeyStoreHelper.getCertChainFromKey(str3), (PrivateKey) wSKeyStoreHelper.getKey(str3, ksInfo.getPassword()));
                            if (z4) {
                                PersonalCertificateHelper.addNewRootSigner(session, x509Certificate3, x509Certificate2);
                            }
                            PersonalCertificateHelper.setWorkspaceUpdated(session, ksInfo.getLocation());
                            PersonalCertificateHelper.markSSLConfigChanged(ksInfo, session);
                        }
                    } else {
                        // Chained but not WebSphere-signed: reported as not replaceable.
                        String str7 = name + "(" + scopeNameString + ")";
                        String formattedMessage3 = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.signature.algorithm.cannot.replace.CWPKI0759E", new Object[]{label, str7}, "The personal certificate " + label + " in the " + str7 + " keystore can not be replaced.  The certificate can come from a Certificate Authority (CA) or it can be in a read only keystore.");
                        stringBuffer.append(property);
                        stringBuffer.append(formattedMessage3);
                    }
                }
            } catch (Exception e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.ssl.commands.migrate.convertSSLCertificates", "556");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception while running certificate exp", e2.getMessage());
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "genNewCertsAndReplace");
        }
        return stringBuffer.toString();
    }

    /**
     * Produces one report line (CWPKI0757I) describing the signature algorithm of a personal
     * certificate; used by the non-replace path of {@link #convertCertificates()}.
     * Aliases whose key is missing or is a {@link SecretKeySpec} produce no output.
     *
     * @param session       config session (not used by this method)
     * @param configService config service (not used by this method)
     * @param certReqInfo   entry to describe; its keystore info, label and signature algorithm are read
     * @param str           requested signature algorithm (not used by this method)
     * @return the line-separator-prefixed message, or the empty string when nothing was reported or
     *         a failure was logged through FFDC
     */
    private String getCertificateInfoForList(Session session, ConfigService configService, CertReqInfo certReqInfo, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCertificateInfoForList");
        }
        String alias = certReqInfo.getLabel();
        KeyStoreInfo ksInfo = certReqInfo.getKsInfo();
        String storePassword = ksInfo.getPassword();
        String storeName = ksInfo.getName();
        String storeScope = ksInfo.getScopeNameString();
        String sigAlg = certReqInfo.getSignatureAlgorithm();
        WSKeyStoreHelper keyStoreHelper = new WSKeyStoreHelper(ksInfo);
        StringBuffer out = new StringBuffer();
        String newline = System.getProperty("line.separator");
        // Called for effect only, as in the original; the returned locale is not needed here.
        currentLocale();
        try {
            Key key = keyStoreHelper.getKey(alias, storePassword);
            boolean hasPrivateKeyEntry = key != null && !(key instanceof SecretKeySpec);
            X509Certificate leaf = hasPrivateKeyEntry
                    ? (X509Certificate) keyStoreHelper.getCertChainFromKey(alias)[0]
                    : null;
            // leaf is only ever set when key is non-null, so this single check covers both.
            if (leaf != null) {
                String storeDisplayName = storeName + "(" + storeScope + ")";
                // NLS key spelled exactly as in the resource bundle ("lgorithm"); do not "correct" it.
                String message = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.signature.lgorithm.CWPKI0757I", new Object[]{alias, storeDisplayName, sigAlg}, "Personal certificate alias " + alias + " in keystore " + storeDisplayName + " has a signature algorithm of " + sigAlg);
                out.append(newline);
                out.append(message);
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.ssl.commands.migrate.convertSSLCertificates", "617");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception while running certificate exp", e.getMessage());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCertificateInfoForList");
        }
        return out.toString();
    }

    /**
     * Converts the personal certificates of the node's root keystore (replace mode).
     * <p>
     * Records the current root digests via {@code storeRootCertificateDigest}, scans the root
     * keystore into {@code certList}, then runs {@link #genNewRootAndReplace} for every collected
     * entry. {@code certList} is not cleared here; the caller continues to use it.
     *
     * @param session       config session
     * @param configService config service
     * @param str           requested signature algorithm
     * @return the concatenated report text of all root replacements; empty when none
     * @throws Exception propagated from the keystore lookup or from {@link #genNewRootAndReplace}
     */
    private String handleRootKeystore(Session session, ConfigService configService, String str) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "handleRootKeystore");
        }
        StringBuffer out = new StringBuffer();
        String rootStoreName = KeyStoreManager.getDefaultKeyStoreName(Constants.DEFAULT_ROOT_STORE);
        String nodeScope = ManagementScopeManager.getInstance().getNodeScopeName();
        KeyStoreInfo rootKsInfo = PersonalCertificateHelper.getKsInfo(session, configService, rootStoreName, nodeScope);
        storeRootCertificateDigest(rootKsInfo);
        checkCertsInKeyStore(session, configService, rootKsInfo, str);
        // size() is re-read each pass, as in the original, in case a helper grows the list.
        int idx = 0;
        while (idx < this.certList.size()) {
            CertReqInfo entry = (CertReqInfo) this.certList.get(idx);
            String entryReport = genNewRootAndReplace(session, configService, entry, str);
            if (entryReport != null) {
                out.append(entryReport);
            }
            idx++;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "handleRootKeystore");
        }
        return out.toString();
    }

    /**
     * Regenerates one personal certificate of the node's root keystore with the requested
     * signature algorithm, then re-signs what depended on the old root (replace mode).
     * <p>
     * Refuses read-only keystores (CWPKI0759E) and returns {@code null} for aliases whose key is
     * missing or symmetric. Otherwise the leaf is classified as self-signed or chained by verifying
     * it against its own public key; a chained leaf is re-issued under the root found in the same
     * keystore (or the default root alias), a self-signed one is regenerated directly. Once the new
     * certificate exists, {@link #recreateChainedWithNewRoot} and
     * {@code certHelper.recreateRootsWithNewRoot} rebuild the certificates the old root had signed,
     * {@link #replaceCerts} installs the new one, and the workspace/SSL-config change is recorded.
     * Unlike {@link #genNewCertsAndReplace}, failures are not swallowed: the trailing catch rethrows.
     *
     * @param session       config session
     * @param configService config service
     * @param certReqInfo   root-keystore entry to replace; its size (and, when self-signed, its
     *                      signature algorithm) is updated in place
     * @param str           requested signature algorithm
     * @return the report lines for this entry; {@code null} when the alias is not a personal certificate
     * @throws Exception any failure from the keystore helpers or certificate creation
     */
    private String genNewRootAndReplace(Session session, ConfigService configService, CertReqInfo certReqInfo, String str) throws Exception {
        String defaultRootAlias;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "genNewRootAndReplace");
        }
        KeyStoreInfo ksInfo = certReqInfo.getKsInfo();
        String label = certReqInfo.getLabel();
        WSKeyStoreHelper wSKeyStoreHelper = new WSKeyStoreHelper(ksInfo);
        // KeyStoreInfo exposes the keystore password as a String; it is passed straight to the helper.
        String password = ksInfo.getPassword();
        String name = ksInfo.getName();
        // Boxed Boolean; a null value would NPE at the unboxing below (not guarded).
        Boolean readOnly = ksInfo.getReadOnly();
        // Result unused (decompiled leftover).
        ksInfo.getFileBased();
        // str2: "self-signed" or "chained", decided by the verify() call below.
        String str2 = "self-signed";
        // z: true when the leaf carries the basic-constraints (CA) extension.
        boolean z = false;
        // str3: alias of the newly created certificate.
        String str3 = null;
        // z2: true once the old certificate has been moved to the deleted keystore.
        boolean z2 = false;
        // Locale handed to the recreate* helpers below.
        Locale currentLocale = currentLocale();
        StringBuffer stringBuffer = new StringBuffer();
        String str4 = ksInfo.getName() + "(" + ksInfo.getScopeNameString() + ")";
        try {
            if (readOnly.booleanValue()) {
                String formattedMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.signature.algorithm.cannot.replace.CWPKI0759E", new Object[]{label, str4}, "The personal certificate " + label + " in the " + str4 + " keystore can not be replaced.  The certificate can come from a Certificate Authority (CA) or it can be in a read only keystore.");
                stringBuffer.append(this.linesep);
                stringBuffer.append(formattedMessage);
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "genNewRootAndReplace");
                }
                return stringBuffer.toString();
            }
            Key key = wSKeyStoreHelper.getKey(label, password);
            // A missing key or a SecretKeySpec (symmetric key) is not a personal certificate.
            if (key == null || (key instanceof SecretKeySpec)) {
                // NOTE(review): this debug line is gated on isEntryEnabled(), unlike every other
                // Tr.debug in the class (decompilation or original oversight); same at the signer check below.
                if (tc.isEntryEnabled()) {
                    Tr.debug(tc, label + " does not appear to be a personal certificate");
                }
                if (!tc.isEntryEnabled()) {
                    return null;
                }
                Tr.exit(tc, "genNewRootAndReplace");
                return null;
            }
            Certificate[] certChainFromKey = wSKeyStoreHelper.getCertChainFromKey(label);
            X509Certificate x509Certificate = (X509Certificate) certChainFromKey[0];
            // -1 means the certificate has no basic-constraints extension.
            if (x509Certificate.getBasicConstraints() != -1) {
                z = true;
            }
            // x509Certificate cannot be null here (dereferenced just above); the guard is redundant.
            if (x509Certificate != null && key != null) {
                // Self-signed test with the default provider (genNewCertsAndReplace passes the
                // DEFAULT_JCE_PROVIDER explicitly). Only a SignatureException means "chained";
                // any other verify() failure propagates and is rethrown by the catch at the end.
                try {
                    x509Certificate.verify(x509Certificate.getPublicKey());
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Certificate to be renewed is self-signed");
                    }
                } catch (SignatureException e) {
                    str2 = "chained";
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Certificate to be renewed is chained");
                    }
                }
                // z3: for chained certificates, whether certHelper accepts the chain as
                // WebSphere-signed (opaque helper). Stays true for self-signed certificates.
                boolean z3 = true;
                if (str2.equalsIgnoreCase("chained")) {
                    z3 = this.certHelper.signedByWebSphere(certChainFromKey, this.rootSignerDigestCacheMap);
                }
                if (str2.equals("self-signed") || (str2.equals("chained") && z3)) {
                    // z4: set when the chain's root was not found and the default root alias is used
                    // instead; the old and new roots are then published via addNewRootSigner.
                    boolean z4 = false;
                    // x509Certificate2: old root certificate, x509Certificate3: new root (both only when z4).
                    X509Certificate x509Certificate2 = null;
                    X509Certificate x509Certificate3 = null;
                    // RACF-backed keystores keep the old entry; every other type moves it to the
                    // deleted keystore first.
                    if (!ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCERACFKS) && !ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCECCARACFKS)) {
                        CommandHelper commandHelper = new CommandHelper();
                        commandHelper.deleteCertificate(session, ksInfo, commandHelper.getDeletedKeyStore(session, configService, name), label);
                        z2 = true;
                    }
                    if (str2.equals("chained")) {
                        // Uses the second chain element to find the root alias in this same keystore
                        // (the non-root sibling uses the last element of the chain and the root store).
                        // Assumes a chained root-store entry has at least two certificates; an index
                        // error here would be rethrown by the catch at the end.
                        String findRootCertificateAlias = PersonalCertificateHelper.findRootCertificateAlias((X509Certificate) certChainFromKey[1], ksInfo);
                        if (findRootCertificateAlias == null && z3 && (defaultRootAlias = PersonalCertificateHelper.getDefaultRootAlias(ksInfo)) != null) {
                            z4 = true;
                            findRootCertificateAlias = defaultRootAlias;
                        }
                        PrivateKey privateKey = (PrivateKey) wSKeyStoreHelper.getKey(findRootCertificateAlias, password);
                        if (privateKey == null) {
                            // No private key for the root alias: reported as not replaceable (CWPKI0759E).
                            String formattedMessage2 = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.signature.algorithm.cannot.replace.CWPKI0759E", new Object[]{label, str4}, "The personal certificate " + label + " in the " + str4 + " keystore can not be replaced.  The certificate can come from a Certificate Authority (CA) or it can be in a read only keystore.");
                            stringBuffer.append(this.linesep);
                            stringBuffer.append(formattedMessage2);
                            if (tc.isEntryEnabled()) {
                                Tr.exit(tc, "genNewRootAndReplace");
                            }
                            return stringBuffer.toString();
                        }
                        Certificate[] certChainFromKey2 = wSKeyStoreHelper.getCertChainFromKey(findRootCertificateAlias);
                        certReqInfo.setSize(getNewCertSize(str, certReqInfo));
                        str3 = wSKeyStoreHelper.createChainedCertificate(certReqInfo, certChainFromKey2, privateKey, z, z2);
                        if (z4) {
                            x509Certificate3 = (X509Certificate) certChainFromKey2[certChainFromKey2.length - 1];
                            x509Certificate2 = (X509Certificate) certChainFromKey[certChainFromKey.length - 1];
                        }
                    } else if (str2.equals("self-signed")) {
                        certReqInfo.setSize(getNewCertSize(str, certReqInfo));
                        certReqInfo.setSignatureAlgorithm(str);
                        str3 = wSKeyStoreHelper.createSelfSignedCertificate(certReqInfo, z, z2);
                    }
                    // The default text has an unbalanced quote before the label; runtime string, left as-is.
                    // Appended before replaceCerts runs, but a later failure is rethrown rather than returned.
                    String formattedMessage3 = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.signature.algorithm.replace.CWPKI0758I", new Object[]{label, str4}, "The personal certificate \"" + label + " in the " + str4 + " keystore has been replaced.");
                    // Same name|scope|label key that genNewCertsAndReplace's already-replaced check
                    // consults, so root entries still in certList are not processed a second time.
                    PersonalCertificateHelper.markCertReplaced(ksInfo.getName() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + ksInfo.getScopeNameString() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + label);
                    stringBuffer.append(this.linesep);
                    stringBuffer.append(formattedMessage3);
                    X509Certificate x509Certificate4 = (X509Certificate) wSKeyStoreHelper.getSignerFromKey(str3);
                    if (x509Certificate4 != null) {
                        PrivateKey privateKey2 = (PrivateKey) wSKeyStoreHelper.getKey(str3, password);
                        Certificate[] certChainFromKey3 = wSKeyStoreHelper.getCertChainFromKey(str3);
                        // Re-issue, with the new root key, the chained certificates and the other roots
                        // that the old root had signed; each helper contributes its own report text.
                        String recreateChainedWithNewRoot = recreateChainedWithNewRoot(session, configService, certChainFromKey, (PrivateKey) key, certChainFromKey3, privateKey2, true, currentLocale, certReqInfo.getSize());
                        if (recreateChainedWithNewRoot != null) {
                            stringBuffer.append(this.linesep);
                            stringBuffer.append(recreateChainedWithNewRoot);
                        }
                        String recreateRootsWithNewRoot = this.certHelper.recreateRootsWithNewRoot(session, configService, certChainFromKey, (PrivateKey) key, certChainFromKey3, privateKey2, true, currentLocale, certReqInfo.getSize());
                        if (recreateRootsWithNewRoot != null) {
                            stringBuffer.append(this.linesep);
                            stringBuffer.append(recreateRootsWithNewRoot);
                        }
                        replaceCerts(session, ksInfo, label, x509Certificate, str3, x509Certificate4, certChainFromKey3, privateKey2);
                        if (z4) {
                            PersonalCertificateHelper.addNewRootSigner(session, x509Certificate2, x509Certificate3);
                        }
                    } else if (tc.isEntryEnabled()) {
                        // Debug gated on isEntryEnabled() again (see the note above).
                        Tr.debug(tc, "Unable to get the signer for the newly created certificate:" + str3 + " in " + ksInfo.getName());
                    }
                    // Recorded even when no signer was found for the new certificate.
                    PersonalCertificateHelper.setWorkspaceUpdated(session, ksInfo.getLocation());
                    PersonalCertificateHelper.markSSLConfigChanged(ksInfo, session);
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "genNewRootAndReplace");
            }
            return stringBuffer.toString();
        } catch (Exception e2) {
            // Catch-and-rethrow adds nothing; kept for fidelity with the original.
            throw e2;
        }
    }

    /**
     * Re-signs, with the new root, every personal certificate in the cell that was signed by the
     * old root (the first entry of {@code certificateArr}), then pushes each re-signed certificate
     * into the other keystores through {@link #replaceCerts}.
     *
     * @param session         admin session used for all config-service access
     * @param configService   config service used to enumerate the cell's keystores
     * @param certificateArr  old root chain; only {@code certificateArr[0]} is read, as the root to match
     * @param privateKey      not referenced in this body
     * @param certificateArr2 new root chain handed to {@code createChainedCertificate}
     * @param key             private key of the new root, used to sign the recreated certificates
     * @param z               not referenced in this body
     * @param locale          not referenced in this body
     * @param i               key size for the recreated certificates when positive; otherwise each
     *                        certificate keeps the size recorded for it
     * @return the accumulated CWPKI0759E / CWPKI0718I / aliasChange messages plus whatever
     *         {@link #replaceCerts} reported, one message per line
     * @throws Exception only from the cell-level lookups before the loop; failures inside a keystore
     *                   are traced at debug level and that keystore is skipped
     */
    public String recreateChainedWithNewRoot(Session session, ConfigService configService, Certificate[] certificateArr, PrivateKey privateKey, Certificate[] certificateArr2, Key key, boolean z, Locale locale, int i) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "recreateChainedWithNewRoot");
        }
        ObjectName objectName = configService.resolve(session, "Cell=:Security=")[0];
        StringBuffer stringBuffer = new StringBuffer();
        // The old root: every alias is tested against it with isCertSignedWithThisRoot below.
        X509Certificate x509Certificate = (X509Certificate) certificateArr[0];
        for (AttributeList attributeList : (List) configService.getAttribute(session, objectName, CommandConstants.KEY_STORES)) {
            String str = (String) ConfigServiceHelper.getAttributeValue(attributeList, "name");
            // The deleted, root, RSA-token-root and LTPA stores are recognised by name suffix and left alone.
            if (!str.endsWith(Constants.DEFAULT_DELETED_STORE) && !str.endsWith(Constants.DEFAULT_ROOT_STORE) && !str.endsWith(Constants.RSA_TOKEN_ROOT_STORE) && !str.endsWith(Constants.LTPA_KEYS)) {
                try {
                    KeyStoreInfo ksInfo = PersonalCertificateHelper.getKsInfo(session, configService, str, (String) configService.getAttribute(session, (ObjectName) ConfigServiceHelper.getAttributeValue(attributeList, CommandConstants.MANAGEMENT_SCOPE), CommandConstants.SCOPE_NAME));
                    WSKeyStoreHelper wSKeyStoreHelper = new WSKeyStoreHelper(ksInfo);
                    String[] certAliases = wSKeyStoreHelper.getCertAliases();
                    if (certAliases != null) {
                        for (String str2 : certAliases) {
                            // "store:scope:alias" key shared with isCertAlreadyReplaced / markCertReplaced.
                            String str3 = ksInfo.getName() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + ksInfo.getScopeNameString() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + str2;
                            // Only aliases not yet handled in this run and actually signed by the old root.
                            if (!PersonalCertificateHelper.isCertAlreadyReplaced(str3) && wSKeyStoreHelper.isCertSignedWithThisRoot(x509Certificate, str2)) {
                                if (ksInfo.getReadOnly().booleanValue()) {
                                    // Read-only store: the certificate stays signed by the old root. It is still
                                    // marked as replaced so the isCertAlreadyReplaced check above skips it later.
                                    String str4 = ksInfo.getName() + "(" + ksInfo.getScopeNameString() + ")";
                                    String formattedMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.signature.algorithm.cannot.replace.CWPKI0759E", new Object[]{str2, str4}, "The personal certificate " + str2 + " in the " + str4 + " keystore can not be replaced.  The certificate can come from a Certificate Authority (CA) or it can be in a read only keystore.");
                                    PersonalCertificateHelper.markCertReplaced(str3);
                                    stringBuffer.append(this.linesep);
                                    stringBuffer.append(formattedMessage);
                                } else {
                                    X509Certificate x509Certificate2 = (X509Certificate) wSKeyStoreHelper.getSignerFromKey(str2);
                                    CertReqInfo createCertInfoFromCert = this.certHelper.createCertInfoFromCert(str2, x509Certificate2, ksInfo);
                                    // A positive i overrides the key size taken from the existing certificate.
                                    if (i > 0) {
                                        if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "== keysize in the original cert is " + createCertInfoFromCert.getSize() + " converting to " + i);
                                        }
                                        createCertInfoFromCert.setSize(i);
                                    }
                                    // getBasicConstraints() is -1 for a non-CA certificate, so the fourth argument
                                    // tells the helper whether the recreated certificate is itself a CA.
                                    String createChainedCertificate = wSKeyStoreHelper.createChainedCertificate(createCertInfoFromCert, certificateArr2, (PrivateKey) key, x509Certificate2.getBasicConstraints() != -1, true);
                                    String str5 = ksInfo.getName() + "(" + ksInfo.getScopeNameString() + ")";
                                    String formattedMessage2 = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.renewCertWithNewRoot.CWPKI0718I", new Object[]{str2, str5}, "Personal certificate alias \"" + str2 + "\" in keystore \"" + str5 + "\"was RENEWED with a new root certificate");
                                    PersonalCertificateHelper.markCertReplaced(str3);
                                    stringBuffer.append(this.linesep);
                                    stringBuffer.append(formattedMessage2);
                                    // The helper may have stored the new certificate under a different alias;
                                    // if so, repoint references and mark the new alias as handled too.
                                    if (!str2.equals(createChainedCertificate)) {
                                        PersonalCertificateHelper.changeAliasReferences(session, createCertInfoFromCert.getKsInfo(), str2, createChainedCertificate);
                                        String formattedMessage3 = TraceNLSHelper.getInstance().getFormattedMessage("aliasChange", new Object[]{str2, createChainedCertificate}, "\tNew alias for \"" + str2 + "\" is \"" + createChainedCertificate + ".");
                                        PersonalCertificateHelper.markCertReplaced(ksInfo.getName() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + ksInfo.getScopeNameString() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + createChainedCertificate);
                                        stringBuffer.append(this.linesep);
                                        stringBuffer.append(formattedMessage3);
                                    }
                                    X509Certificate x509Certificate3 = (X509Certificate) wSKeyStoreHelper.getSignerFromKey(createChainedCertificate);
                                    Certificate[] certChainFromKey = wSKeyStoreHelper.getCertChainFromKey(createChainedCertificate);
                                    Key key2 = wSKeyStoreHelper.getKey(createChainedCertificate, ksInfo.getPassword());
                                    // replaceCerts receives null as the new alias when the alias did not change.
                                    if (str2.equals(createChainedCertificate)) {
                                        createChainedCertificate = null;
                                    }
                                    String replaceCerts = replaceCerts(session, ksInfo, str2, x509Certificate2, createChainedCertificate, x509Certificate3, certChainFromKey, key2);
                                    if (replaceCerts.length() > 0) {
                                        stringBuffer.append(replaceCerts);
                                    }
                                }
                            }
                        }
                    }
                    PersonalCertificateHelper.setWorkspaceUpdated(session, ksInfo.getLocation());
                    PersonalCertificateHelper.markSSLConfigChanged(ksInfo, session);
                } catch (Exception e) {
                    // NOTE(review): any failure while re-signing a certificate in this keystore is only
                    // traced at debug level; the certificate is left signed by the old root and nothing
                    // in the returned report says so. Callers cannot tell a partial migration from a
                    // complete one without debug trace enabled.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "There is a problem extracting a keystore ", e.getMessage());
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "recreateChainedWithNewRoot");
        }
        return stringBuffer.toString();
    }

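    /**
     * Propagates a replaced certificate into every other keystore of the cell's Security
     * configuration. For each keystore that is not the originating one, not read-only and not a
     * "deleted" store, every alias whose signer is the old certificate {@code x509Certificate} is
     * rewritten: signer-only entries receive {@code x509Certificate2}, key entries receive
     * {@code certificateArr} together with {@code key}.
     *
     * @param session          admin session used for every config-service call
     * @param keyStoreInfo     the keystore the replacement originated in; it is skipped here
     * @param str              alias of the replaced certificate, used in the CWPKI0758I message
     * @param x509Certificate  the old certificate; an alias matches when its signer has the same
     *                         serial number and the same SHA-1 digest
     * @param str2             accepted for interface compatibility only; this method does not read it
     * @param x509Certificate2 the new signer certificate written over matching signer entries
     * @param certificateArr   the new certificate chain written over matching key entries
     * @param key              private key belonging to {@code certificateArr}; key entries are left
     *                         untouched when it is {@code null}
     * @return the CWPKI0758I messages for the key entries that were replaced, one per line; empty
     *         when nothing was replaced
     * @throws Exception from the cell-level config lookups; a failure inside one keystore is traced
     *                   at debug level and the remaining keystores are still processed
     */
    private static String replaceCerts(Session session, KeyStoreInfo keyStoreInfo, String str, X509Certificate x509Certificate, String str2, X509Certificate x509Certificate2, Certificate[] certificateArr, Key key) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "replaceCerts");
        }
        // Config objects of the keystores that were modified; handed to markSSLConfigChanged.
        ArrayList<ObjectName> arrayList = new ArrayList<ObjectName>();
        String name = keyStoreInfo.getName();
        String scopeNameString = keyStoreInfo.getScopeNameString();
        String property = System.getProperty("line.separator");
        StringBuffer stringBuffer = new StringBuffer();
        ConfigService configService = ConfigServiceFactory.getConfigService();
        ObjectName objectName = configService.resolve(session, "Cell=:Security=")[0];
        // Identity of the certificate being replaced; each alias's signer is compared against both.
        BigInteger serialNumber = x509Certificate.getSerialNumber();
        // NOTE(review): SHA-1 is used here only to recognise the same certificate across keystores and
        // must stay aligned with the digest algorithm the other helpers in this package cache.
        String generateDigest = KeyStoreManager.getInstance().generateDigest("SHA-1", x509Certificate);
        for (AttributeList attributeList : (List) configService.getAttribute(session, objectName, CommandConstants.KEY_STORES)) {
            String str3 = (String) ConfigServiceHelper.getAttributeValue(attributeList, "name");
            Boolean bool = (Boolean) ConfigServiceHelper.getAttributeValue(attributeList, DSConfigHelper.READONLY);
            ObjectName objectName2 = (ObjectName) ConfigServiceHelper.getAttributeValue(attributeList, CommandConstants.MANAGEMENT_SCOPE);
            String str4 = (String) ConfigServiceHelper.getAttributeValue(attributeList, "password");
            String str5 = (String) ConfigServiceHelper.getAttributeValue(attributeList, "type");
            String str6 = (String) configService.getAttribute(session, objectName2, CommandConstants.SCOPE_NAME);
            // The originating keystore (same name and scope) and any "deleted" store are skipped.
            boolean isOriginatingStore = str3.equals(name) && str6.equals(scopeNameString);
            if (isOriginatingStore || str3.endsWith(Constants.DEFAULT_DELETED_STORE)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Skipping keystore: " + str3);
                }
                continue;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Reading keystore: " + str3);
            }
            ObjectName[] queryConfigObjects = configService.queryConfigObjects(session, (ObjectName) null, ConfigServiceHelper.createObjectName(attributeList), (QueryExp) null);
            try {
                KeyStoreInfo ksInfo = PersonalCertificateHelper.getKsInfo(session, configService, str3, str6);
                WSKeyStoreHelper wSKeyStoreHelper = new WSKeyStoreHelper(ksInfo);
                try {
                    if (!bool.booleanValue()) {
                        for (String str7 : wSKeyStoreHelper.getCertAliases()) {
                            boolean isCertEntry = wSKeyStoreHelper.isCertEntry(str7);
                            boolean isCertKeyEntry = wSKeyStoreHelper.isCertKeyEntry(str7);
                            X509Certificate signer = wSKeyStoreHelper.getSigner(str7);
                            // Fix: the original compared the old certificate's serial number with itself, so
                            // only the digest comparison was effective. The alias's signer is compared now.
                            boolean signedByOldCert = signer != null
                                    && signer.getSerialNumber().compareTo(serialNumber) == 0
                                    && KeyStoreManager.getInstance().generateDigest("SHA-1", signer).equals(generateDigest);
                            if (!signedByOldCert) {
                                continue;
                            }
                            if (isCertEntry) {
                                String signerCertOverwrite = wSKeyStoreHelper.setSignerCertOverwrite(str7, x509Certificate2);
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Signer certificate " + signerCertOverwrite + " is added to " + str3);
                                }
                                PersonalCertificateHelper.markCertReplaced(ksInfo.getName() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + ksInfo.getScopeNameString() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + str7);
                                arrayList.add(queryConfigObjects[0]);
                                PersonalCertificateHelper.setWorkspaceUpdated(session, ksInfo.getLocation());
                            }
                            if (isCertKeyEntry && key != null && certificateArr[0] != null) {
                                String str9 = ksInfo.getName() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + ksInfo.getScopeNameString() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + str7;
                                // Entries already handled in this run, and aliases with a pending certificate
                                // request, are left untouched.
                                if (!PersonalCertificateHelper.isCertAlreadyReplaced(str9) && CertificateRequestHelper.isKeyCertReq(signer, str7) == null) {
                                    // For CMS keystores the existing chain is deleted before the overwrite.
                                    if (Constants.KEYSTORE_TYPE_CMS.equals(str5)) {
                                        wSKeyStoreHelper.deleteCertChain(wSKeyStoreHelper.getCertificateChain(str7));
                                    }
                                    String personalCertOverwrite = wSKeyStoreHelper.setPersonalCertOverwrite(str7, str4, certificateArr, (PrivateKey) key);
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Personal certificate " + personalCertOverwrite + " is added to " + str3);
                                    }
                                    // Fix: the message names the keystore being written (str3), so it is paired
                                    // with that keystore's scope (str6), not the originating store's scope.
                                    String str10 = str3 + "(" + str6 + ")";
                                    String formattedMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.signature.algorithm.replace.CWPKI0758I", new Object[]{str, str10}, "The personal certificate " + str + " in the " + str10 + " keystore has been replaced.");
                                    stringBuffer.append(property);
                                    stringBuffer.append(formattedMessage);
                                    PersonalCertificateHelper.markCertReplaced(str9);
                                    arrayList.add(queryConfigObjects[0]);
                                    PersonalCertificateHelper.setWorkspaceUpdated(session, ksInfo.getLocation());
                                }
                            }
                        }
                        if (!arrayList.isEmpty()) {
                            PersonalCertificateHelper.markSSLConfigChanged(arrayList, session, configService, objectName);
                        }
                    }
                } catch (Exception e) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception occurred replacing signers.", new Object[]{e});
                    }
                    throw e;
                }
            } catch (Exception e2) {
                // Best effort per keystore: the failure (including one rethrown just above) is traced
                // and the loop moves on to the next keystore.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is a problem extracting a keystore", e2.getMessage());
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "replaceCerts");
        }
        return stringBuffer.toString();
    }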

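    /**
     * Queues a certificate for re-signing when its signature algorithm is not {@code str2}.
     * A certificate that does not match is turned into a {@code CertReqInfo} and appended to
     * {@code this.certList}; one that already matches is only traced.
     *
     * @param str             alias of the certificate in the keystore
     * @param x509Certificate the certificate whose signature algorithm is checked
     * @param keyStoreInfo    the keystore that holds the alias
     * @param str2            the required signature algorithm name, compared exactly against
     *                        {@code getSigAlgName()}
     * @return always {@code null}; the return type is kept for the existing callers
     */
    private StringBuffer checkCertSignatureAlgorithm(String str, X509Certificate x509Certificate, KeyStoreInfo keyStoreInfo, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkCertSignatureAlgorithm", new Object[]{str, x509Certificate, keyStoreInfo, str2});
        }
        String name = keyStoreInfo.getName();
        // The original built an unused "name(scope)" string here; it has been removed.
        if (x509Certificate.getSigAlgName().equals(str2)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Alias " + str + " in key store " + name + " is already signed with " + str2 + ".");
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Alias " + str + " in key store " + name + " does not have a " + str2 + ".");
            }
            this.certList.add(this.certHelper.createCertInfoFromCert(str, x509Certificate, keyStoreInfo));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkCertSignatureAlgorithm");
        }
        return null;
    }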

    /**
     * Refreshes {@code this.rootSignerDigestCacheMap} with the root-signer digests of the given
     * keystore. A failure is reported to FFDC and traced; the previous map is kept in that case.
     *
     * @param keyStoreInfo the keystore whose root signers are digested
     */
    private void storeRootCertificateDigest(KeyStoreInfo keyStoreInfo) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "storeRootCertificateDigest");
        }
        try {
            Object refreshedMap = this.certHelper.populateDigestCacheMap(this.rootSignerDigestCacheMap, keyStoreInfo);
            this.rootSignerDigestCacheMap = refreshedMap;
        } catch (Exception problem) {
            // Recorded with the source location the original author chose; the cache is left untouched.
            FFDCFilter.processException(problem, "com.ibm.ws.ssl.commands.migrate.convertSSLCertificates", "1227");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to build the list root certificate digests: ", problem.getMessage());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "storeRootCertificateDigest");
        }
    }

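    /**
     * Reports whether {@code str} is one of the allowed values, ignoring case.
     *
     * @param str  the candidate value; {@code null} never matches
     * @param list the allowed values; {@code null} is treated as an empty list
     * @return {@code true} when a case-insensitive match exists
     */
    static boolean isParmValid(String str, List<String> list) {
        if (str == null || list == null) {
            return false;
        }
        // Return on the first hit; the original kept scanning after a match.
        for (String allowed : list) {
            if (str.equalsIgnoreCase(allowed)) {
                return true;
            }
        }
        return false;
    }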

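    /**
     * Derives the key size for a certificate that is re-issued with signature algorithm
     * {@code str}, starting from the size recorded in {@code certReqInfo}. Moving to an EC
     * algorithm takes the size from the EC table; moving from EC back to RSA uses the default
     * RSA key size.
     *
     * @param str         the target signature algorithm
     * @param certReqInfo describes the existing certificate (its current size and algorithm)
     * @return the key size to request for the new certificate
     * @throws IllegalArgumentException when either algorithm is missing from the key-type table
     *                                  (the original surfaced this as a NullPointerException)
     */
    private int getNewCertSize(String str, CertReqInfo certReqInfo) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getNewCertSize");
        }
        int size = certReqInfo.getSize();
        Object targetKeyType = Constants.signatureAlgorithmToKeyType.get(str);
        Object currentKeyType = Constants.signatureAlgorithmToKeyType.get(certReqInfo.getSignatureAlgorithm());
        if (targetKeyType == null) {
            throw new IllegalArgumentException("Unknown signature algorithm: " + str);
        }
        if (currentKeyType == null) {
            throw new IllegalArgumentException("Unknown signature algorithm: " + certReqInfo.getSignatureAlgorithm());
        }
        if (targetKeyType.equals(Constants.EC)) {
            size = Constants.EC_signatureAlgorithmToKeySize.get(str).intValue();
        }
        // EC -> RSA: the EC size recorded on the request is not usable for an RSA key.
        if (currentKeyType.equals(Constants.EC) && targetKeyType.equals("RSA")) {
            size = Integer.parseInt(Constants.KEY_SIZE);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getNewCertSize " + size);
        }
        return size;
    }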

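    /**
     * Returns the locale used for messages: the command's own locale, or the JVM default
     * when none is set.
     *
     * @return never {@code null}
     */
    Locale currentLocale() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "currentLocale");
        }
        Locale locale = getLocale();
        if (locale == null) {
            locale = Locale.getDefault();
            // Guarded by isDebugEnabled like every other Tr.debug in this class; the original
            // keyed this debug line off isEntryEnabled.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "locale is null, use system locale:" + locale);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "currentLocale", locale);
        }
        return locale;
    }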
}
