package com.ibm.ws.ssl.commands.WSCertExpMonitor;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.cmdframework.CommandException;
import com.ibm.websphere.management.cmdframework.CommandLoadException;
import com.ibm.websphere.management.cmdframework.CommandNotFoundException;
import com.ibm.websphere.management.cmdframework.commanddata.CommandData;
import com.ibm.websphere.management.cmdframework.commandmetadata.TaskCommandMetadata;
import com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand;
import com.ibm.websphere.management.cmdframework.provider.TaskCommandResultImpl;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.management.configservice.ConfigServiceFactory;
import com.ibm.websphere.management.configservice.ConfigServiceHelper;
import com.ibm.websphere.models.config.ipc.ssl.WSCertificateExpirationMonitor;
import com.ibm.ws.crypto.config.WSNotifier;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.management.configservice.MOFUtil;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.ssl.commands.ProfileCreation.PrepareKeysUtility;
import com.ibm.ws.ssl.commands.certificateRequests.CertificateRequestHelper;
import com.ibm.ws.ssl.commands.keyStores.KeyStoreHelper;
import com.ibm.ws.ssl.commands.personalCertificates.PersonalCertificateHelper;
import com.ibm.ws.ssl.commands.utils.CommandConstants;
import com.ibm.ws.ssl.commands.utils.CommandHelper;
import com.ibm.ws.ssl.commands.utils.TraceNLSHelper;
import com.ibm.ws.ssl.config.KeyStoreManager;
import com.ibm.ws.ssl.config.ManagementScopeManager;
import com.ibm.ws.ssl.config.WSKeyStoreHelper;
import com.ibm.ws.ssl.core.Constants;
import com.ibm.ws.ssl.model.CertReqInfo;
import com.ibm.ws.ssl.model.KeyStoreInfo;
import com.ibm.ws.util.PlatformHelperFactory;
import java.math.BigInteger;
import java.net.InetAddress;
import java.security.Key;
import java.security.PrivateKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.text.DateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import javax.management.AttributeList;
import javax.management.ObjectName;
import org.apache.wsif.wsdl.extensions.jms.JMSConstants;

/* loaded from: input_file:com/ibm/ws/ssl/commands/WSCertExpMonitor/StartCertificateExpMonitor.class */
public class StartCertificateExpMonitor extends AbstractTaskCommand {
    // Trace component registered under the "SSL" group; used for all entry/exit/debug tracing in this class.
    private static TraceComponent tc = Tr.register((Class<?>) StartCertificateExpMonitor.class, "SSL", "com.ibm.ws.ssl.commands.sslCommandTask");
    // Per-run working state. These are instance fields with package visibility and no synchronization
    // visible in this class, so an instance should not be shared between concurrent runs.
    // expiredCerts / personalCerts hold CertReqInfo entries (see the casts in startExpMonitor).
    List expiredCerts;
    List personalCerts;
    List signerCerts;
    // Digest caches; startExpMonitor clears rootSignerDigestCacheMap at the end of a run.
    HashMap rootSignerDigestCacheMap;
    HashMap rsaRootSignerDigestCacheMap;
    // Text buffers filled during a run; createCertExpMonitorReport appends several of them to the report.
    StringBuffer notificationCerts;
    StringBuffer notificationSignerCerts;
    StringBuffer replaceCerts;
    StringBuffer expInfoBuffer;
    StringBuffer deletedKeystoreBuffer;
    StringBuffer rootKeystoreBuffer;
    StringBuffer noUpdateBuffer;
    StringBuffer scanBuffer;
    // Taken from the "ExpMonitorSaveConfig" command parameter; when true the configuration is saved after the scan.
    private Boolean saveConfig;
    WSCertificateExpirationMonitor monitor;
    StartCertificateExpMonitorHelper certMonitorHelper;
    // JCE provider name used for certificate signature checks; resolved in startExpMonitor.
    private String provider;
    String linesep;
    // Last generated report text.
    String report;
    // English message fragments; several are passed as the default text to TraceNLSHelper lookups.
    String preNotificationMsg1;
    String preNotificationMsg2;
    String preNotificationMsg3;
    String preNotificationWarning;
    String preNotificationWarning2;
    String notifyNotice1;
    String notifyNotice2;
    String notifyNotice3;
    String replaceNotice;
    String thresholdNotice;
    // Formatted messages built in startExpMonitor from the fragments above.
    String PreNotificationMsg;
    String NotifyNotice;
    // Pre-notification window in days, read through getNotifyProperty in startExpMonitor.
    long notificationDays;
    // Result of replaceWritableSAFCerts, stored in startExpMonitor.
    boolean replaceWritableSaf;

    /**
     * Builds the command from task metadata and puts every per-run field into its initial state.
     *
     * @param taskCommandMetadata metadata handed to the superclass constructor
     * @throws CommandNotFoundException propagated from the superclass constructor
     */
    public StartCertificateExpMonitor(TaskCommandMetadata taskCommandMetadata) throws CommandNotFoundException {
        super(taskCommandMetadata);

        // Scalar state and collaborators.
        saveConfig = Boolean.FALSE;
        monitor = null;
        provider = null;
        report = null;
        PreNotificationMsg = null;
        NotifyNotice = null;
        notificationDays = 0L;
        replaceWritableSaf = false;
        linesep = System.getProperty("line.separator");
        certMonitorHelper = new StartCertificateExpMonitorHelper();

        // Certificate lists and digest caches used while scanning.
        expiredCerts = new ArrayList();
        personalCerts = new ArrayList();
        signerCerts = new ArrayList();
        rootSignerDigestCacheMap = new HashMap();
        rsaRootSignerDigestCacheMap = new HashMap();

        // Text buffers filled during a run.
        notificationCerts = new StringBuffer();
        notificationSignerCerts = new StringBuffer();
        replaceCerts = new StringBuffer();
        expInfoBuffer = new StringBuffer();
        deletedKeystoreBuffer = new StringBuffer();
        rootKeystoreBuffer = new StringBuffer();
        noUpdateBuffer = new StringBuffer();
        scanBuffer = new StringBuffer();

        // English message fragments.
        preNotificationMsg1 = "The expiration monitor has recently run and discovered that the certificates listed below will be replaced within the next ";
        preNotificationMsg2 = " days based upon the configured policy to automatically replace expiring self-signed certificates ";
        preNotificationMsg3 = " days prior to expiration.  This notification is warning you that problems may arise when this automatic replace occurs.";
        preNotificationWarning = "In some cases, automatic updates to the self-signed certificates can cause outages for WebServer plug-ins operating on unmanaged nodes.  In such a situation, the plugin will be unable to contact the application servers over HTTPS because it will be using signers for certificates that have been replaced by the automatic replacement process.";
        preNotificationWarning2 = "To prevent what may be and serious outage you should act before the scheduled replacement date and replace the expiring certificates and update the plugin kdb to use the new signers.";
        notifyNotice1 = "*** CERTIFICATES WITHIN THE ";
        notifyNotice2 = " DAY PRE-NOTIFICATION THRESHOLD (MAY BE REPLACED WITHIN ";
        notifyNotice3 = " DAYS)  ***";
        replaceNotice = "*** CERTIFICATES THAT ARE BEYOND THE EXPIRATION THRESHOLD AND HAVE BEEN REPLACED ***";
        thresholdNotice = "*** CERTIFICATES THAT ARE BEYOND THE EXPIRATION THRESHOLD ***";
    }

    /**
     * Builds the command from serialized command data and puts every per-run field into its initial state.
     *
     * @param commandData command data handed to the superclass constructor
     * @throws CommandNotFoundException propagated from the superclass constructor
     * @throws CommandLoadException propagated from the superclass constructor
     */
    public StartCertificateExpMonitor(CommandData commandData) throws CommandNotFoundException, CommandLoadException {
        super(commandData);

        // Scalar state and collaborators.
        saveConfig = Boolean.FALSE;
        monitor = null;
        provider = null;
        report = null;
        PreNotificationMsg = null;
        NotifyNotice = null;
        notificationDays = 0L;
        replaceWritableSaf = false;
        linesep = System.getProperty("line.separator");
        certMonitorHelper = new StartCertificateExpMonitorHelper();

        // Certificate lists and digest caches used while scanning.
        expiredCerts = new ArrayList();
        personalCerts = new ArrayList();
        signerCerts = new ArrayList();
        rootSignerDigestCacheMap = new HashMap();
        rsaRootSignerDigestCacheMap = new HashMap();

        // Text buffers filled during a run.
        notificationCerts = new StringBuffer();
        notificationSignerCerts = new StringBuffer();
        replaceCerts = new StringBuffer();
        expInfoBuffer = new StringBuffer();
        deletedKeystoreBuffer = new StringBuffer();
        rootKeystoreBuffer = new StringBuffer();
        noUpdateBuffer = new StringBuffer();
        scanBuffer = new StringBuffer();

        // English message fragments.
        preNotificationMsg1 = "The expiration monitor has recently run and discovered that the certificates listed below will be replaced within the next ";
        preNotificationMsg2 = " days based upon the configured policy to automatically replace expiring self-signed certificates ";
        preNotificationMsg3 = " days prior to expiration.  This notification is warning you that problems may arise when this automatic replace occurs.";
        preNotificationWarning = "In some cases, automatic updates to the self-signed certificates can cause outages for WebServer plug-ins operating on unmanaged nodes.  In such a situation, the plugin will be unable to contact the application servers over HTTPS because it will be using signers for certificates that have been replaced by the automatic replacement process.";
        preNotificationWarning2 = "To prevent what may be and serious outage you should act before the scheduled replacement date and replace the expiring certificates and update the plugin kdb to use the new signers.";
        notifyNotice1 = "*** CERTIFICATES WITHIN THE ";
        notifyNotice2 = " DAY PRE-NOTIFICATION THRESHOLD (MAY BE REPLACED WITHIN ";
        notifyNotice3 = " DAYS)  ***";
        replaceNotice = "*** CERTIFICATES THAT ARE BEYOND THE EXPIRATION THRESHOLD AND HAVE BEEN REPLACED ***";
        thresholdNotice = "*** CERTIFICATES THAT ARE BEYOND THE EXPIRATION THRESHOLD ***";
    }

    /**
     * Command-framework hook: after the superclass hook has run, starts the expiration monitor
     * unless the task result is already marked unsuccessful.
     *
     * <p>The report returned by {@link #startExpMonitor()} becomes the command result. Any exception
     * is wrapped in a {@code CommandException} and stored on the result instead of being thrown.
     */
    protected void beforeStepsExecuted() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "beforeStepsExecuted");
        }
        super.beforeStepsExecuted();
        TaskCommandResultImpl result = getTaskCommandResult();
        if (result.isSuccessful()) {
            try {
                this.saveConfig = (Boolean) getParameter("ExpMonitorSaveConfig");
                String monitorReport = startExpMonitor();
                result.setResult(monitorReport);
            } catch (Exception failure) {
                CommandException wrapped = new CommandException(failure, failure.getMessage());
                result.setException(wrapped);
            }
            // The result is only written back when the scan was attempted.
            setCommandResult(result);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "beforeStepsExecuted");
        }
    }

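    /**
     * Runs one certificate expiration scan over the configured keystores and returns the report text.
     *
     * <p>The method reads the expiration monitor settings from the security configuration, processes the
     * deleted and root keystores, checks every other keystore (LTPA key sets excluded), optionally
     * replaces the certificates collected in {@code expiredCerts} and {@code personalCerts} when
     * auto-replace is on, builds the report, optionally saves the configuration, and hands the report
     * to the notifier when {@code certMonitorHelper.sendNotification} says so.
     *
     * @return the generated report text
     * @throws Exception if the expiration monitor configuration object cannot be read, or if a later
     *         step outside the per-keystore try block fails
     */
    public String startExpMonitor() throws Exception {
        // Initialised to null so the locals are definitely assigned after the try block below:
        // a failed lookup is swallowed there and detected through the attributeList null check.
        ConfigService configService = null;
        Session configSession = null;
        ObjectName objectName = null;
        AttributeList attributeList = null;
        ObjectName createObjectName = null;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "startExpMonitor");
        }
        // JCE provider used for the self-signed checks; defaults to IBMJCE when the security property is unset.
        this.provider = Security.getProperty("DEFAULT_JCE_PROVIDER");
        if (this.provider == null) {
            this.provider = "IBMJCE";
        }
        try {
            PersonalCertificateHelper.clearCertReplaced();
            configService = ConfigServiceFactory.getConfigService();
            configSession = getConfigSession();
            objectName = configService.resolve(configSession, "Cell=:Security=")[0];
            attributeList = (AttributeList) configService.getAttribute(configSession, objectName, CommandConstants.WS_CERT_EXP_MONITOR);
            createObjectName = ConfigServiceHelper.createObjectName(attributeList);
        } catch (Exception e) {
            // The cause is only recorded through FFDC and debug trace; the caller sees the generic
            // exception thrown below, not this one.
            // NOTE(review): if only createObjectName() fails, attributeList is non-null and the run
            // continues with createObjectName == null until MOFUtil.convertToEObject - confirm that is intended.
            FFDCFilter.processException(e, "com.ibm.ws.ssl.commands.WSCertExpMonitor.startCertificateExpMonitor", "321");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception while running certificate exp", e.getMessage());
            }
        }
        if (attributeList == null) {
            throw new Exception("certifcate expiration monitor object does not exist.");
        }
        // NOTE(review): these three values are unboxed further down without a null check; a missing
        // attribute would surface as a NullPointerException - confirm the config schema guarantees them.
        Boolean bool = (Boolean) ConfigServiceHelper.getAttributeValue(attributeList, CommandConstants.DELETE_OLD);
        Integer num = (Integer) ConfigServiceHelper.getAttributeValue(attributeList, CommandConstants.DAYS_BEFORE_NOTIFICATION);
        Boolean bool2 = (Boolean) ConfigServiceHelper.getAttributeValue(attributeList, CommandConstants.AUTO_REPLACE);
        this.notificationDays = getNotifyProperty(configService, configSession, objectName);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "deleteOld=" + bool + " daysBeforeNotify=" + num + " autoReplace=" + bool2);
        }
        String formattedMessage = TraceNLSHelper.getInstance().getFormattedMessage("scanExpiration", new Object[]{num}, "Checking for expired certificate and certificates in the " + num + " days threshold period.");
        this.scanBuffer.append(this.linesep);
        this.scanBuffer.append(formattedMessage);
        this.scanBuffer.append(this.linesep);
        String str = this.preNotificationMsg1 + this.notificationDays + this.preNotificationMsg2 + num + this.preNotificationMsg3;
        this.NotifyNotice = TraceNLSHelper.getInstance().getFormattedMessage("notifyNotice", new Object[]{Long.valueOf(this.notificationDays), Long.valueOf(this.notificationDays)}, this.notifyNotice1 + this.notificationDays + this.notifyNotice2 + this.notificationDays + this.notifyNotice3);
        this.PreNotificationMsg = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.preNotificationMsg.CWPKI0714I", new Object[]{Long.valueOf(this.notificationDays), num}, str);
        this.replaceWritableSaf = replaceWritableSAFCerts(configService, configSession, objectName);
        clearDeletedKeystore(configSession, configService);
        String handleRootKeystore = handleRootKeystore(configSession, configService, num.intValue(), bool2.booleanValue(), bool.booleanValue());
        if (handleRootKeystore.length() > 0) {
            this.rootKeystoreBuffer.append(handleRootKeystore);
        }
        List list = (List) configService.getAttribute(configSession, objectName, CommandConstants.KEY_STORES);
        for (int i = 0; i < list.size(); i++) {
            AttributeList attributeList2 = (AttributeList) list.get(i);
            String str2 = (String) ConfigServiceHelper.getAttributeValue(attributeList2, "name");
            // The deleted and root stores were handled above; LTPA key sets are not scanned here.
            if (!str2.endsWith(Constants.DEFAULT_DELETED_STORE) && !str2.endsWith(Constants.DEFAULT_ROOT_STORE) && !str2.endsWith(Constants.LTPA_KEYS)) {
                try {
                    String checkCertsInKeyStore = checkCertsInKeyStore(configSession, configService, PersonalCertificateHelper.getKsInfo(configSession, configService, str2, (String) configService.getAttribute(configSession, (ObjectName) ConfigServiceHelper.getAttributeValue(attributeList2, CommandConstants.MANAGEMENT_SCOPE), CommandConstants.SCOPE_NAME)), num.intValue());
                    if (checkCertsInKeyStore != null) {
                        this.expInfoBuffer.append(checkCertsInKeyStore);
                    }
                } catch (Exception e2) {
                    // NOTE(review): a keystore that cannot be loaded is skipped with a debug trace only,
                    // so its certificates never appear in the report and nothing tells the operator the
                    // store was not checked. Consider recording the skipped keystore name in the report.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "There is a problem extracting a keystore", e2.getMessage());
                    }
                }
            }
        }
        if (bool2.booleanValue()) {
            if (this.personalCerts.size() > 0 || this.expiredCerts.size() > 0) {
                for (int i2 = 0; i2 < this.expiredCerts.size(); i2++) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Replacing expired certificate....");
                    }
                    String genNewCertsAndReplace = genNewCertsAndReplace(configSession, configService, (CertReqInfo) this.expiredCerts.get(i2), bool.booleanValue());
                    if (genNewCertsAndReplace != null) {
                        this.replaceCerts.append(genNewCertsAndReplace);
                    }
                }
                for (int i3 = 0; i3 < this.personalCerts.size(); i3++) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Replacing personal certificate....");
                    }
                    String genNewCertsAndReplace2 = genNewCertsAndReplace(configSession, configService, (CertReqInfo) this.personalCerts.get(i3), bool.booleanValue());
                    if (genNewCertsAndReplace2 != null) {
                        this.replaceCerts.append(genNewCertsAndReplace2);
                    }
                }
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "autoReplace is off");
        }
        genExpiredSignerList();
        this.report = createCertExpMonitorReport();
        // Keystore and configuration changes are only persisted when the caller asked for it.
        if (this.saveConfig != null && this.saveConfig.booleanValue()) {
            configService.save(configSession, true);
        }
        PersonalCertificateHelper.clearCertReplaced();
        this.expiredCerts.clear();
        this.personalCerts.clear();
        this.signerCerts.clear();
        // NOTE(review): rsaRootSignerDigestCacheMap and the StringBuffer fields are not reset in this
        // method; confirm whether they are cleared elsewhere before an instance is reused.
        this.rootSignerDigestCacheMap.clear();
        this.monitor = MOFUtil.convertToEObject(configSession, createObjectName);
        WSNotifier wSNotifier = new WSNotifier(this.monitor.getWsNotification());
        // The report text is handed to the notifier unchanged.
        if (this.certMonitorHelper.sendNotification(this.report)) {
            wSNotifier.notify(this.report);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "startExpMonitor");
        }
        return this.report;
    }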

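    /**
     * Checks the personal and signer certificates of one keystore against the expiration thresholds
     * and returns the text that {@code checkSignerValidity} accumulated for them.
     *
     * <p>Personal certificates for which {@code CertificateRequestHelper.isKeyCertReq} returns a
     * non-null value are skipped. Each remaining one is classified as "self-signed" when its signature
     * verifies with its own public key, and as "chained" when that verification throws
     * {@code SignatureException}.
     *
     * @param session config session used for keystore lookups
     * @param configService config service used for keystore lookups
     * @param keyStoreInfo keystore to scan
     * @param i threshold in days (the caller passes the configured days-before-notification value)
     * @return report text for this keystore; may be empty
     * @throws Exception if the keystore helper cannot be created or the root keystore lookup fails;
     *         failures while listing or checking certificates are caught and not rethrown
     */
    private String checkCertsInKeyStore(Session session, ConfigService configService, KeyStoreInfo keyStoreInfo, int i) throws Exception {
        String str;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkCertsInKeyStore");
        }
        WSKeyStoreHelper wSKeyStoreHelper = new WSKeyStoreHelper(keyStoreInfo);
        // Results are unused in this listing; the calls are kept because their side effects are not visible here.
        keyStoreInfo.getName();
        keyStoreInfo.getReadOnly();
        keyStoreInfo.getFileBased();
        // Long arithmetic on purpose: "86400000 * i" evaluated as int overflows once i exceeds 24 days,
        // which would silently shrink the expiration window passed to checkSignerValidity.
        final long millisPerDay = 86400000L;
        long thresholdMillis = millisPerDay * i;
        long notifyMillis = millisPerDay * this.notificationDays;
        StringBuffer stringBuffer = new StringBuffer();
        // NOTE(review): z is only ever set by a chained certificate and is never reset, so the value
        // from one certificate carries over to later personal certificates and to every signer
        // certificate of this keystore - confirm against checkSignerValidity that this is intended.
        boolean z = true;
        // Result unused in this listing; kept because the lookup may throw or have side effects.
        PersonalCertificateHelper.getKsInfo(session, configService, KeyStoreManager.getDefaultKeyStoreName(Constants.DEFAULT_ROOT_STORE), ManagementScopeManager.getInstance().getNodeScopeName());
        try {
            HashMap listPersonalCertificates = wSKeyStoreHelper.listPersonalCertificates();
            if (listPersonalCertificates != null && listPersonalCertificates.size() > 0) {
                for (String str2 : listPersonalCertificates.keySet()) {
                    Certificate[] certificateArr = (Certificate[]) listPersonalCertificates.get(str2);
                    if (CertificateRequestHelper.isKeyCertReq((X509Certificate) certificateArr[0], str2) == null) {
                        try {
                            // Self-signed test: the leaf must verify under its own public key.
                            // NOTE(review): only SignatureException means "chained". Any other exception
                            // from verify() (for example InvalidKeyException when issuer and subject use
                            // different key algorithms) reaches the outer catch and ends the scan of this
                            // keystore, including all of its signer certificates.
                            certificateArr[0].verify(certificateArr[0].getPublicKey(), this.provider);
                            str = "self-signed";
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Certificate to be renewed is self-signed");
                            }
                        } catch (SignatureException e) {
                            str = "chained";
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Certificate to be renewed is chained");
                            }
                            z = signedByWebSphere(certificateArr);
                        }
                        stringBuffer = checkSignerValidity(str2, certificateArr, stringBuffer, true, keyStoreInfo, str, z, thresholdMillis, notifyMillis);
                    }
                }
            }
            HashMap listSignerCertificates = wSKeyStoreHelper.listSignerCertificates();
            if (listSignerCertificates != null && listSignerCertificates.size() > 0) {
                for (String str3 : listSignerCertificates.keySet()) {
                    stringBuffer = checkSignerValidity(str3, new Certificate[]{(X509Certificate) listSignerCertificates.get(str3)}, stringBuffer, false, keyStoreInfo, null, z, thresholdMillis, notifyMillis);
                }
            }
        } catch (Exception e2) {
            // Failures are recorded through FFDC and debug trace only; the caller receives whatever
            // text was accumulated before the failure and cannot tell the scan was incomplete.
            FFDCFilter.processException(e2, "com.ibm.ws.ssl.commands.WSCertExpMonitor.startCertificateExpMonitor", "593");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception while running certificate exp", e2.getMessage());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkCertsInKeyStore");
        }
        return stringBuffer.toString();
    }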

    /**
     * Regenerates one personal certificate in its keystore and updates references to it.
     *
     * <p>The certificate is replaced only when it has a private key, has not already been replaced in
     * this run, and is either self-signed or chained with {@code signedByWebSphere} returning true.
     * Chained certificates are re-issued with a key from the root keystore (the RSA token root store
     * when the keystore usage is {@code KS_USAGE_RSA}).
     *
     * <p>Every exception raised inside the replacement logic is caught, reported through FFDC and
     * debug trace, and not rethrown, so a failed replacement yields a shorter (possibly empty) return
     * value rather than an error.
     *
     * @param session config session
     * @param configService config service
     * @param certReqInfo label and keystore of the certificate to replace
     * @param z whether the old certificate is deleted (the caller passes the configured delete-old value)
     * @return report lines describing what was replaced; may be empty
     * @throws Exception if the root keystore lookup or keystore helper creation fails
     */
    private String genNewCertsAndReplace(Session session, ConfigService configService, CertReqInfo certReqInfo, boolean z) throws Exception {
        String defaultRootAlias;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "genNewCertsAndReplace");
        }
        String label = certReqInfo.getLabel();
        KeyStoreInfo ksInfo = certReqInfo.getKsInfo();
        // The keystore password is held as a String here; it is not written to trace in this method.
        String password = ksInfo.getPassword();
        String name = ksInfo.getName();
        String usage = ksInfo.getUsage();
        String scopeNameString = ksInfo.getScopeNameString();
        WSKeyStoreHelper wSKeyStoreHelper = new WSKeyStoreHelper(ksInfo);
        Certificate[] certificateArr = null;
        X509Certificate x509Certificate = null;
        String str = "self-signed";
        // z2: the certificate carries a CA basic constraint; z3: the old entry was already deleted.
        boolean z2 = false;
        String str2 = null;
        boolean z3 = false;
        String str3 = Constants.DEFAULT_ROOT_STORE;
        String property = System.getProperty("line.separator");
        StringBuffer stringBuffer = new StringBuffer();
        Locale currentLocale = currentLocale();
        if (usage != null && usage.equals(CommandConstants.KS_USAGE_RSA)) {
            str3 = Constants.RSA_TOKEN_ROOT_STORE;
        }
        KeyStoreInfo ksInfo2 = PersonalCertificateHelper.getKsInfo(session, configService, KeyStoreManager.getDefaultKeyStoreName(str3), ManagementScopeManager.getInstance().getNodeScopeName());
        WSKeyStoreHelper wSKeyStoreHelper2 = new WSKeyStoreHelper(ksInfo2);
        // Key (keystore name, scope, label) used to make sure a certificate is replaced at most once per run.
        String str4 = ksInfo.getName() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + ksInfo.getScopeNameString() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + label;
        if (!PersonalCertificateHelper.isCertAlreadyReplaced(str4)) {
            try {
                PrivateKey privateKey = (PrivateKey) wSKeyStoreHelper.getKey(label, password);
                if (privateKey != null) {
                    certificateArr = wSKeyStoreHelper.getCertChainFromKey(label);
                    x509Certificate = (X509Certificate) certificateArr[0];
                    // getBasicConstraints() returns -1 for a non-CA certificate.
                    if (x509Certificate.getBasicConstraints() != -1) {
                        z2 = true;
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Certificate \"" + label + "\" is not a personal certificate.");
                }
                if (x509Certificate != null && privateKey != null) {
                    try {
                        // Self-signed test: the certificate must verify under its own public key.
                        // NOTE(review): only SignatureException selects "chained"; any other exception
                        // from verify() (for example InvalidKeyException) falls to the outer catch and
                        // the certificate is left unreplaced with nothing added to the report.
                        x509Certificate.verify(x509Certificate.getPublicKey(), this.provider);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Certificate to be renewed is self-signed");
                        }
                    } catch (SignatureException e) {
                        str = "chained";
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Certificate to be renewed is chained");
                        }
                    }
                    boolean z4 = true;
                    if (str.equalsIgnoreCase("chained")) {
                        z4 = signedByWebSphere(certificateArr);
                    }
                    // Chained certificates for which signedByWebSphere returns false are never re-issued here.
                    if (str.equals("self-signed") || (str.equals("chained") && z4)) {
                        boolean z5 = false;
                        X509Certificate x509Certificate2 = null;
                        X509Certificate x509Certificate3 = null;
                        // For non-RACF keystores the old entry is removed BEFORE the replacement exists.
                        // NOTE(review): if creation below throws, the outer catch swallows it; confirm that
                        // deleteCertificate keeps a recoverable copy in the deleted keystore it is given.
                        if (z && !ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCERACFKS) && !ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCECCARACFKS)) {
                            CommandHelper commandHelper = new CommandHelper();
                            commandHelper.deleteCertificate(session, ksInfo, commandHelper.getDeletedKeyStore(session, configService, name), label);
                            z3 = true;
                        }
                        if (str.equals("chained")) {
                            String findRootCertificateAlias = PersonalCertificateHelper.findRootCertificateAlias((X509Certificate) certificateArr[certificateArr.length - 1], ksInfo2);
                            // Fall back to the default root alias when the chain's own root is not in the root keystore;
                            // z5 records that the certificate ends up under a different root than before.
                            if (findRootCertificateAlias == null && z4 && (defaultRootAlias = PersonalCertificateHelper.getDefaultRootAlias(ksInfo2)) != null) {
                                z5 = true;
                                findRootCertificateAlias = defaultRootAlias;
                            }
                            // NOTE(review): findRootCertificateAlias can still be null here when no default root alias exists.
                            Key key = wSKeyStoreHelper2.getKey(findRootCertificateAlias, ksInfo2.getPassword());
                            if (key == null) {
                                // The message names the personal certificate label although the missing key is the root's.
                                throw new Exception(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.not.personal.cert.CWPKI0666E", new Object[]{label}, "Certificate \"" + label + "\" is not a personal certificate."));
                            }
                            Certificate[] certChainFromKey = wSKeyStoreHelper2.getCertChainFromKey(findRootCertificateAlias);
                            str2 = wSKeyStoreHelper.createChainedCertificate(certReqInfo, certChainFromKey, (PrivateKey) key, z2, z3);
                            if (z5) {
                                // New root (x509Certificate2) and previous root (x509Certificate3), used by addNewRootSigner below.
                                x509Certificate2 = (X509Certificate) certChainFromKey[certChainFromKey.length - 1];
                                x509Certificate3 = (X509Certificate) certificateArr[certificateArr.length - 1];
                            }
                        } else if (str.equals("self-signed")) {
                            str2 = wSKeyStoreHelper.createSelfSignedCertificate(certReqInfo, z2, z3);
                        }
                        String str5 = name + "(" + scopeNameString + ")";
                        String formattedMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.monitor.personal.replace.CWPKI0645I", new Object[]{label, str5}, "Personal certificate alias \"" + label + "\" in KeyStore \"" + str5 + "\" was REPLACED", currentLocale);
                        PersonalCertificateHelper.markCertReplaced(str4);
                        stringBuffer.append(property);
                        stringBuffer.append(formattedMessage);
                        // str2 is the alias returned by the create call; when it differs from the old label,
                        // references are re-pointed and the new alias is marked as replaced too.
                        if (!label.equals(str2)) {
                            PersonalCertificateHelper.changeAliasReferences(session, certReqInfo.getKsInfo(), label, str2);
                            String formattedMessage2 = TraceNLSHelper.getInstance().getFormattedMessage("rootCert", new Object[]{label, str2}, "\tNew alias for \"" + label + "\" is \"" + str2 + ".", currentLocale);
                            PersonalCertificateHelper.markCertReplaced(ksInfo.getName() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + ksInfo.getScopeNameString() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + str2);
                            stringBuffer.append(property);
                            stringBuffer.append(formattedMessage2);
                        }
                        if (name.endsWith(Constants.RSA_TOKEN_KEY_STORE)) {
                            try {
                                SecurityObjectLocator.getSecurityConfig("security").getAuthMechanism(AuthMechanismConfig.TYPE_RSATOKEN).reinitializeRSAProperties();
                            } catch (Exception e2) {
                                // A failed reinitialisation does not stop the replacement; it is only reported via FFDC/debug trace.
                                FFDCFilter.processException(e2, "com.ibm.ws.ssl.commands.WSCertExpMonitor.startCertificateExpMonitor", "841");
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Exception while reinitializing the RSA propagation properties: ", e2.getMessage());
                                }
                            }
                        }
                        X509Certificate x509Certificate4 = (X509Certificate) wSKeyStoreHelper.getSignerFromKey(str2);
                        if (x509Certificate4 != null) {
                            PrivateKey privateKey2 = (PrivateKey) wSKeyStoreHelper.getKey(str2, ksInfo.getPassword());
                            Certificate[] certChainFromKey2 = wSKeyStoreHelper.getCertChainFromKey(str2);
                            // A null new-alias argument is passed to replaceCerts when the alias did not change.
                            if (label.equals(str2)) {
                                str2 = null;
                            }
                            String replaceCerts = PersonalCertificateHelper.replaceCerts(session, ksInfo, label, x509Certificate, str2, x509Certificate4, certChainFromKey2, privateKey2, z, currentLocale);
                            if (z5) {
                                PersonalCertificateHelper.addNewRootSigner(session, x509Certificate3, x509Certificate2);
                            }
                            // RACF keystore types: the old entry is deleted only after the replacement has been made.
                            if (z && (ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCERACFKS) || ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCECCARACFKS))) {
                                CommandHelper commandHelper2 = new CommandHelper();
                                commandHelper2.deleteCertificate(session, ksInfo, commandHelper2.getDeletedKeyStore(session, configService, name), label);
                                wSKeyStoreHelper.deleteCertificate(label);
                            }
                            PersonalCertificateHelper.setWorkspaceUpdated(session, ksInfo.getLocation());
                            PersonalCertificateHelper.markSSLConfigChanged(ksInfo, session);
                            if (replaceCerts != null) {
                                stringBuffer.append(replaceCerts);
                            }
                        }
                    }
                }
            } catch (Exception e3) {
                // Any failure above ends up here: FFDC plus debug trace, no rethrow. The report gains no
                // line for this certificate, so a failed replacement is not visible to the report reader.
                FFDCFilter.processException(e3, "com.ibm.ws.ssl.commands.WSCertExpMonitor.startCertificateExpMonitor", "808");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception while running certificate exp", e3.getMessage());
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "genNewCertsAndReplace");
        }
        return stringBuffer.toString();
    }

    /**
     * Assembles the text of the certificate expiration monitor report from the
     * buffers filled during the scan.
     *
     * <p>The report starts with a title and, when they can be resolved, the host
     * name, profile UUID and process type. Each non-empty result buffer follows
     * under its own heading. If no section has content (the scan buffer is not
     * counted), a "nothing to report" message is appended instead.
     *
     * <p>The header identifies the host and profile, so the report should only go
     * to recipients entitled to see that information.
     *
     * @return the complete report text
     */
    private String createCertExpMonitorReport() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createCertExpMonitorReport");
        }
        final StringBuilder report = new StringBuilder();
        final String eol = System.getProperty("line.separator");
        boolean hasContent = false;

        // Headings are resolved up front, in the same order as before.
        final String title = TraceNLSHelper.getInstance().getString("certMonitorTitle", "**** Subject:  Expiration Monitor ****");
        final String preNotifyWarning = TraceNLSHelper.getInstance().getString("ssl.command.preNotificationWarning.CWPKI0715I", this.preNotificationWarning + " " + this.preNotificationWarning2);
        final String thresholdHeading = TraceNLSHelper.getInstance().getString("thresholdNotice", "*** CERTIFICATES THAT ARE EXIPIRED OR IN THE EXPIRATION THRESHOLD ***");
        final String rootReplaceHeading = TraceNLSHelper.getInstance().getString("rootReplaceNotice", "*** ROOT CERTIFICATES THAT ARE REPLACED AND CERTIFICATES REPLACED DUE TO THE ROOT CERTIFICATE BEING REPLACED ***");
        final String replaceHeading = TraceNLSHelper.getInstance().getString("replaceNotice", "*** CERTIFICATES THAT ARE EXPIRED OR BEYOND THE EXPIRATION THRESHOLD AND HAVE BEEN REPLACED ***");
        final String noUpdateHeading = TraceNLSHelper.getInstance().getString("noUpdateNotice", "*** CERTIFICATES THAT ARE EXPIRED OR BEYOND THE EXPIRATION THRESHOLD THAT CAN NOT BE REPLACED BY THE SERVER ***");

        report.append(eol).append(title).append(eol).append(eol);

        try {
            // All three values are resolved before anything is appended, so a
            // failure leaves the header without a partial host section.
            final String hostName = InetAddress.getLocalHost().getCanonicalHostName();
            final String profileUuid = PrepareKeysUtility.getProfileUUID(SecurityObjectLocator.getAdminData().getUserInstallRootPath(), (Session) null);
            final String processType = ManagementScopeManager.getInstance().getProcessType();
            report.append("Hostname: " + hostName).append(eol);
            report.append("Profile UUID: " + profileUuid).append(eol);
            report.append("Process type: " + processType).append(eol);
        } catch (Exception hostInfoFailure) {
            // Best effort: the report is still produced without the host section.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception while getting host information: ", hostInfoFailure.getMessage());
            }
        }

        final boolean hasNotifications = this.notificationCerts.length() > 0;
        if (hasNotifications) {
            report.append(this.NotifyNotice).append(eol);
            report.append(this.PreNotificationMsg).append(eol).append(eol);
            report.append(preNotifyWarning).append(eol).append(eol);
            report.append(this.notificationCerts).append(eol);
            hasContent = true;
        }
        // Signer notifications are only printed together with the notification section.
        if (hasNotifications && this.notificationSignerCerts.length() > 0) {
            report.append(this.notificationSignerCerts).append(eol);
        }

        // The scan buffer is always included and does not count as report content.
        report.append(this.scanBuffer);

        if (this.expInfoBuffer.length() > 0) {
            report.append(eol).append(thresholdHeading).append(eol);
            report.append(this.expInfoBuffer).append(eol);
            hasContent = true;
        }
        if (this.rootKeystoreBuffer.length() > 0) {
            report.append(eol).append(rootReplaceHeading).append(eol);
            report.append(this.rootKeystoreBuffer).append(eol);
            hasContent = true;
        }
        if (this.replaceCerts.length() > 0) {
            report.append(eol).append(replaceHeading).append(eol);
            report.append(this.replaceCerts).append(eol);
            hasContent = true;
        }
        if (this.noUpdateBuffer.length() > 0) {
            report.append(eol).append(noUpdateHeading).append(eol);
            report.append(this.noUpdateBuffer).append(eol);
            hasContent = true;
        }

        if (!hasContent) {
            final String nothingToReport = TraceNLSHelper.getInstance().getString("ssl.command.monitor.no.cert.status.CWPKI0735I", "There is no certificate expiration information to report on at this time.");
            report.append(eol).append(nothingToReport).append(eol);
        }

        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createCertExpMonitorReport");
        }
        return report.toString();
    }

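    /**
     * Reads the expiration monitor notification period from the custom property
     * {@code com.ibm.ws.security.expirationMonitorNotificationPeriod}.
     *
     * <p>A missing, unreadable or non-numeric value falls back to the default of
     * 90. The fallback is traced at debug level, so a mistyped setting no longer
     * reverts to the default without any trace of the cause.
     *
     * @param configService config service used to read the property
     * @param session       configuration session
     * @param objectName    configuration object that carries the custom property
     * @return the configured period, or 90 when none can be read
     */
    private long getNotifyProperty(ConfigService configService, Session session, ObjectName objectName) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getNotifyProperty");
        }
        long notifyPeriod = 90L;
        try {
            String configured = (String) PersonalCertificateHelper.getCustomProperty(configService, session, objectName, "com.ibm.ws.security.expirationMonitorNotificationPeriod");
            if (configured != null) {
                // Same decimal parsing as new Long(String), without the boxed temporary.
                notifyPeriod = Long.parseLong(configured);
            }
        } catch (Exception e) {
            // Deliberate best effort: keep the default, but leave evidence of the cause.
            notifyPeriod = 90L;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to read com.ibm.ws.security.expirationMonitorNotificationPeriod, using default of 90: ", e.getMessage());
            }
        }
        // The exit trace is now written on every path, including a configured value.
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getNotifyProperty", Long.valueOf(notifyPeriod));
        }
        return notifyPeriod;
    }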

    /**
     * Reports whether the custom property {@code com.ibm.ssl.replaceWritableSAFCerts}
     * is set to "true" (case-insensitive). The property is only read on z/OS;
     * on every other platform the result is {@code false}.
     *
     * @param configService config service used to read the property
     * @param session       configuration session
     * @param objectName    configuration object that carries the custom property
     * @return {@code true} only on z/OS with the property set to "true"
     */
    private boolean replaceWritableSAFCerts(ConfigService configService, Session session, ObjectName objectName) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "replaceWritableSAFCerts");
        }
        boolean enabled = false;
        if (PlatformHelperFactory.getPlatformHelper().isZOS()) {
            final String flag = (String) PersonalCertificateHelper.getCustomProperty(configService, session, objectName, "com.ibm.ssl.replaceWritableSAFCerts");
            enabled = flag != null && flag.equalsIgnoreCase("true");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "replaceWritableSAFCerts", Boolean.valueOf(enabled));
        }
        return enabled;
    }

    /**
     * Empties the default "deleted" key store, leaving only the two placeholder
     * signer entries.
     *
     * <p>Nothing happens unless the store is writable and file based. The
     * placeholder signers are added when missing, every other alias is deleted,
     * and the workspace is marked as updated if anything changed. Failures are
     * recorded through FFDC and debug trace and are not propagated.
     *
     * @param session       configuration session
     * @param configService config service used to locate the deleted key store
     * @throws Exception declared by the signature; the body catches every exception itself
     */
    private void clearDeletedKeystore(Session session, ConfigService configService) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "clearDeletedKeystore");
        }
        try {
            final KeyStoreInfo deletedStore = new CommandHelper().getDefaultKeyStore(session, configService, Constants.DEFAULT_DELETED_STORE);
            final boolean writableFileStore = !deletedStore.getReadOnly().booleanValue() && deletedStore.getFileBased().booleanValue();
            if (writableFileStore) {
                final WSKeyStoreHelper storeHelper = new WSKeyStoreHelper(deletedStore);
                boolean modified = false;

                // Placeholder alias paired with the ARM file name it is loaded from.
                final String[][] placeholders = {
                    {"dummyclientsigner", "client"},
                    {"dummyserversigner", "server"},
                };
                for (String[] placeholder : placeholders) {
                    if (!storeHelper.containsAlias(placeholder[0])) {
                        storeHelper.setSignerCert(placeholder[0], KeyStoreHelper.getCertFromArmFile(placeholder[1]));
                        modified = true;
                    }
                }

                // Everything except the two placeholders is purged.
                for (String alias : storeHelper.getCertAliases()) {
                    if (alias.equalsIgnoreCase("dummyServerSigner") || alias.equalsIgnoreCase("dummyClientSigner")) {
                        continue;
                    }
                    storeHelper.deleteCertificate(alias);
                    modified = true;
                }

                if (modified) {
                    PersonalCertificateHelper.setWorkspaceUpdated(session, deletedStore.getLocation());
                }
            }
        } catch (Exception cleanupFailure) {
            FFDCFilter.processException(cleanupFailure, "com.ibm.ws.ssl.commands.WSCertExpMonitor.startCertificateExpMonitor", "997");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Problem cleaning out the deleted keystore ", cleanupFailure.getMessage());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "clearDeletedKeystore");
        }
    }

    /**
     * Scans the default root key store and the RSA token root key store at node
     * scope and, when replacement is enabled, regenerates the certificates the
     * scan queued.
     *
     * <p>The root digests are cached first. Non-empty findings from each store
     * are appended to {@code expInfoBuffer}. With {@code z} set, every entry of
     * {@code expiredCerts} and then of {@code personalCerts} is passed to
     * {@link #genNewRootAndReplace}, and each list is cleared after its pass.
     *
     * @param session       configuration session
     * @param configService config service
     * @param i             forwarded unchanged to {@code checkCertsInKeyStore}
     * @param z             when {@code true}, the queued certificates are regenerated
     * @param z2            forwarded unchanged to {@code genNewRootAndReplace}
     * @return the concatenated replacement messages, possibly empty
     * @throws Exception if a key store lookup, the scan or a replacement fails
     */
    private String handleRootKeystore(Session session, ConfigService configService, int i, boolean z, boolean z2) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "handleRootKeystore");
        }
        final String nodeScope = ManagementScopeManager.getInstance().getNodeScopeName();
        final KeyStoreInfo defaultRootStore = PersonalCertificateHelper.getKsInfo(session, configService, KeyStoreManager.getDefaultKeyStoreName(Constants.DEFAULT_ROOT_STORE), nodeScope);
        final KeyStoreInfo rsaRootStore = PersonalCertificateHelper.getKsInfo(session, configService, KeyStoreManager.getDefaultKeyStoreName(Constants.RSA_TOKEN_ROOT_STORE), nodeScope);
        final StringBuffer replacementReport = new StringBuffer();

        storeRootCertificateDigest(defaultRootStore, rsaRootStore);

        // Default root store first, then the RSA token root store.
        final KeyStoreInfo[] rootStores = {defaultRootStore, rsaRootStore};
        for (KeyStoreInfo rootStore : rootStores) {
            final String findings = checkCertsInKeyStore(session, configService, rootStore, i);
            if (findings.length() > 0) {
                this.expInfoBuffer.append(findings);
            }
        }

        if (z) {
            // Index loops re-read size() on every pass, as the original did.
            if (this.expiredCerts.size() > 0) {
                for (int idx = 0; idx < this.expiredCerts.size(); idx++) {
                    final String message = genNewRootAndReplace(session, configService, (CertReqInfo) this.expiredCerts.get(idx), z2);
                    if (message != null) {
                        replacementReport.append(message);
                    }
                }
                this.expiredCerts.clear();
            }
            if (this.personalCerts.size() > 0) {
                for (int idx = 0; idx < this.personalCerts.size(); idx++) {
                    final String message = genNewRootAndReplace(session, configService, (CertReqInfo) this.personalCerts.get(idx), z2);
                    if (message != null) {
                        replacementReport.append(message);
                    }
                }
                this.personalCerts.clear();
            }
        }

        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "handleRootKeystore");
        }
        return replacementReport.toString();
    }

    /**
     * Regenerates the root certificate named by {@code certReqInfo} in its key
     * store and then re-issues or replaces the certificates that depended on the
     * old one.
     *
     * <p>The certificate is classified as self-signed or chained by verifying it
     * against its own public key. A replacement is created only for self-signed
     * certificates and for chained certificates that {@code signedByWebSphere}
     * accepts. The statement order matters: for key stores that are not RACF
     * based the old entry is removed before the new certificate is created, and
     * for RACF based key stores it is removed afterwards.
     *
     * @param session       configuration session
     * @param configService config service
     * @param certReqInfo   supplies the alias ({@code getLabel}) and the key store ({@code getKsInfo})
     * @param z             when {@code true} the old certificate is deleted; it is also
     *                      forwarded to the recreate and replace helpers
     * @return the report text for this certificate (possibly empty), or
     *         {@code null} when the key store holds no private key under the alias
     * @throws Exception any failure from the key store or the helpers, rethrown unchanged
     */
    private String genNewRootAndReplace(Session session, ConfigService configService, CertReqInfo certReqInfo, boolean z) throws Exception {
        String defaultRootAlias;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "genNewRootAndReplace");
        }
        KeyStoreInfo ksInfo = certReqInfo.getKsInfo();
        String label = certReqInfo.getLabel();
        WSKeyStoreHelper wSKeyStoreHelper = new WSKeyStoreHelper(ksInfo);
        // Key store password: only ever handed to getKey(); it must stay out of trace and report text.
        String password = ksInfo.getPassword();
        String name = ksInfo.getName();
        // Certificate type; switched to "chained" when the self-verification below fails.
        String str = "self-signed";
        // z2: the certificate is a CA certificate (basic constraints present).
        boolean z2 = false;
        // str2: alias of the newly created certificate; stays null if none is created.
        String str2 = null;
        StringBuffer stringBuffer = new StringBuffer();
        // z3: the old entry was already deleted before the new certificate is created.
        boolean z3 = false;
        try {
            Locale currentLocale = currentLocale();
            PrivateKey privateKey = (PrivateKey) wSKeyStoreHelper.getKey(label, password);
            if (privateKey == null) {
                // Without a private key the alias is not a personal certificate; nothing to regenerate.
                // NOTE(review): this debug message is gated on isEntryEnabled(), not isDebugEnabled().
                if (!tc.isEntryEnabled()) {
                    return null;
                }
                Tr.debug(tc, label + " does not appear to be a personal certificate");
                return null;
            }
            Certificate[] certChainFromKey = wSKeyStoreHelper.getCertChainFromKey(label);
            // NOTE(review): assumes a non-null, non-empty chain; element 0 is dereferenced
            // on the next line, before the null check that follows it.
            X509Certificate x509Certificate = (X509Certificate) certChainFromKey[0];
            // getBasicConstraints() returns -1 for a certificate that is not a CA.
            if (x509Certificate.getBasicConstraints() != -1) {
                z2 = true;
            }
            if (x509Certificate != null && privateKey != null) {
                try {
                    // Verifies with the certificate's own public key: success means self-signed.
                    x509Certificate.verify(x509Certificate.getPublicKey(), this.provider);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Certificate to be renewed is self-signed");
                    }
                } catch (SignatureException e) {
                    // Only a signature mismatch reclassifies the certificate; any other
                    // verification exception propagates to the caller.
                    str = "chained";
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Certificate to be renewed is chained");
                    }
                }
                // z4: the chain is accepted by signedByWebSphere(); a chained certificate
                // whose chain has a single element is never accepted.
                boolean z4 = true;
                if (str.equalsIgnoreCase("chained")) {
                    z4 = certChainFromKey.length == 1 ? false : signedByWebSphere(certChainFromKey);
                }
                if (str.equals("self-signed") || (str.equals("chained") && z4)) {
                    // z5: the signing root was not found and the default root alias is used instead.
                    boolean z5 = false;
                    X509Certificate x509Certificate2 = null;
                    X509Certificate x509Certificate3 = null;
                    // Key stores that are not RACF based: the old entry is removed first.
                    // NOTE(review): if creation fails afterwards the key store has no entry under
                    // this alias; presumably it can be recovered from the deleted key store - confirm.
                    if (z && !ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCERACFKS) && !ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCECCARACFKS)) {
                        CommandHelper commandHelper = new CommandHelper();
                        commandHelper.deleteCertificate(session, ksInfo, commandHelper.getDeletedKeyStore(session, configService, name), label);
                        z3 = true;
                    }
                    if (str.equals("chained")) {
                        String findRootCertificateAlias = PersonalCertificateHelper.findRootCertificateAlias((X509Certificate) certChainFromKey[1], ksInfo);
                        if (findRootCertificateAlias == null && z4 && (defaultRootAlias = PersonalCertificateHelper.getDefaultRootAlias(ksInfo)) != null) {
                            z5 = true;
                            findRootCertificateAlias = defaultRootAlias;
                        }
                        // NOTE(review): findRootCertificateAlias can still be null here when
                        // neither lookup returned an alias.
                        PrivateKey privateKey2 = (PrivateKey) wSKeyStoreHelper.getKey(findRootCertificateAlias, password);
                        if (privateKey2 != null) {
                            Certificate[] certChainFromKey2 = wSKeyStoreHelper.getCertChainFromKey(findRootCertificateAlias);
                            str2 = wSKeyStoreHelper.createChainedCertificate(certReqInfo, certChainFromKey2, privateKey2, z2, z3);
                            if (z5) {
                                // Last element of each chain: new root (x509Certificate3) and old root (x509Certificate2).
                                x509Certificate3 = (X509Certificate) certChainFromKey2[certChainFromKey2.length - 1];
                                x509Certificate2 = (X509Certificate) certChainFromKey[certChainFromKey.length - 1];
                            }
                        } else if (tc.isDebugEnabled()) {
                            // NOTE(review): no certificate was created, so str2 is still null, yet the code
                            // below reports a replacement and calls getSignerFromKey(str2).
                            Tr.debug(tc, "Certificate \"" + label + "\" is not a personal certificate.");
                        }
                    } else if (str.equals("self-signed")) {
                        str2 = wSKeyStoreHelper.createSelfSignedCertificate(certReqInfo, z2, z3);
                    }
                    // RACF based key stores: the old entry is removed only after the new certificate exists.
                    if (z && (ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCERACFKS) || ksInfo.getType().equals(Constants.KEYSTORE_TYPE_JCECCARACFKS))) {
                        CommandHelper commandHelper2 = new CommandHelper();
                        commandHelper2.deleteCertificate(session, ksInfo, commandHelper2.getDeletedKeyStore(session, configService, name), label);
                        wSKeyStoreHelper.deleteCertificate(label);
                    }
                    String str3 = ksInfo.getName() + "(" + ksInfo.getScopeNameString() + ")";
                    // NOTE(review): the message arguments name the old alias (label) while the fallback text names str2.
                    String formattedMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.rootCertReplaced.CWPKI0717I", new Object[]{label, str3}, "Root certificate alias \"" + str2 + "\" in KeyStore \"" + str3 + "\" was REPLACED");
                    PersonalCertificateHelper.markCertReplaced(ksInfo.getName() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + ksInfo.getScopeNameString() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + label);
                    stringBuffer.append(this.linesep);
                    stringBuffer.append(formattedMessage);
                    // The new certificate may be stored under a different alias; report and mark that alias too.
                    if (!label.equals(str2)) {
                        String formattedMessage2 = TraceNLSHelper.getInstance().getFormattedMessage("aliasChange", new Object[]{label, str2}, "\tNew alias for \"" + label + "\" is \"" + str2 + ".");
                        PersonalCertificateHelper.markCertReplaced(ksInfo.getName() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + ksInfo.getScopeNameString() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + str2);
                        stringBuffer.append(this.linesep);
                        stringBuffer.append(formattedMessage2);
                    }
                    X509Certificate x509Certificate4 = (X509Certificate) wSKeyStoreHelper.getSignerFromKey(str2);
                    if (x509Certificate4 != null) {
                        // Old chain and key go in with the new chain and key, so that dependent
                        // certificates are re-issued and the remaining references replaced.
                        PrivateKey privateKey3 = (PrivateKey) wSKeyStoreHelper.getKey(str2, password);
                        Certificate[] certChainFromKey3 = wSKeyStoreHelper.getCertChainFromKey(str2);
                        String recreateChainedWithNewRoot = this.certMonitorHelper.recreateChainedWithNewRoot(session, configService, certChainFromKey, privateKey, certChainFromKey3, privateKey3, z, currentLocale);
                        if (recreateChainedWithNewRoot.length() > 0) {
                            stringBuffer.append(recreateChainedWithNewRoot);
                        }
                        String recreateRootsWithNewRoot = this.certMonitorHelper.recreateRootsWithNewRoot(session, configService, certChainFromKey, privateKey, certChainFromKey3, privateKey3, z, currentLocale);
                        if (recreateRootsWithNewRoot.length() > 0) {
                            stringBuffer.append(recreateRootsWithNewRoot);
                        }
                        String replaceCerts = PersonalCertificateHelper.replaceCerts(session, ksInfo, label, x509Certificate, str2, x509Certificate4, certChainFromKey3, privateKey3, z, currentLocale);
                        if (replaceCerts.length() > 0) {
                            stringBuffer.append(replaceCerts);
                        }
                        if (z5) {
                            PersonalCertificateHelper.addNewRootSigner(session, x509Certificate2, x509Certificate3);
                        }
                    } else if (tc.isEntryEnabled()) {
                        Tr.debug(tc, "Unable to get the signer for the newly created certificate:" + str2 + " in " + ksInfo.getName());
                    }
                    PersonalCertificateHelper.setWorkspaceUpdated(session, ksInfo.getLocation());
                    PersonalCertificateHelper.markSSLConfigChanged(ksInfo, session);
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "genNewRootAndReplace");
            }
            return stringBuffer.toString();
        } catch (Exception e2) {
            // Catch-and-rethrow with no added handling; the exit trace is skipped on this path.
            throw e2;
        }
    }

    /**
     * Adds one line to {@code noUpdateBuffer} for every queued signer certificate
     * that has not already been marked as replaced and can still be read from its
     * key store. Each line gives the alias, the key store and the expiry date.
     *
     * <p>Failures are recorded through FFDC and debug trace and are not
     * propagated. An exception stops the processing of the remaining entries.
     */
    private void genExpiredSignerList() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "genExpiredSignerList");
        }
        final Locale locale = currentLocale();
        try {
            for (int idx = 0; idx < this.signerCerts.size(); idx++) {
                final CertReqInfo queued = (CertReqInfo) this.signerCerts.get(idx);
                final String alias = queued.getLabel();
                final KeyStoreInfo store = queued.getKsInfo();
                // Key under which replaced certificates are tracked: store name, scope, alias.
                final String replacedKey = store.getName() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + store.getScopeNameString() + JMSConstants.JMS_URL_QUERY_SEPERATOR2 + alias;
                if (PersonalCertificateHelper.isCertAlreadyReplaced(replacedKey)) {
                    continue;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "entry=" + replacedKey);
                }
                final X509Certificate signerCert = new WSKeyStoreHelper(store).getSigner(alias);
                if (signerCert == null) {
                    continue;
                }
                final String expiresOn = DateFormat.getDateInstance(DateFormat.MEDIUM, locale).format(signerCert.getNotAfter());
                final String storeLabel = store.getName() + "(" + store.getScopeNameString() + ")";
                final String line = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.monitor.signer.expires.CWPKI0642I", new Object[]{alias, storeLabel, expiresOn}, "Signer certificate alias \"" + alias + "\" in KeyStore \"" + storeLabel + "\" expires on " + expiresOn, locale);
                this.noUpdateBuffer.append(this.linesep);
                this.noUpdateBuffer.append(line);
            }
        } catch (Exception listFailure) {
            FFDCFilter.processException(listFailure, "com.ibm.ws.ssl.commands.WSCertExpMonitor.startCertificateExpMonitor", "1624");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception while building signer that can not be replaced: ", listFailure.getMessage());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "genExpiredSignerList");
        }
    }

    /**
     * Classifies one certificate against the expiration threshold, appends the
     * matching message to the report and queues the certificate for replacement
     * or notification where it is eligible.
     *
     * <p>The first element of {@code certificateArr} is the certificate that is
     * evaluated. It falls into one of three states: already expired, inside the
     * threshold ({@code notAfter - now <= j}), or inside the pre-notification
     * window (the {@code j2} milliseconds before the threshold date). When it is
     * not expired and the chain has more than one element, the rest of the chain
     * is checked by {@code checkValidityOfCertChain}.
     *
     * @param str            certificate alias
     * @param certificateArr certificate chain; element 0 is evaluated
     * @param stringBuffer   report buffer that receives the messages
     * @param z              {@code true} selects the personal-certificate messages
     *                       and queues, {@code false} the signer-certificate ones
     * @param keyStoreInfo   key store that holds the alias
     * @param str2           certificate type, compared with "self-signed" and "chained"
     * @param z2             printed as {@code issuedByWebSphere}; a chained certificate
     *                       is only eligible for replacement when it is set
     * @param j              expiration threshold, in milliseconds before {@code notAfter}
     * @param j2             pre-notification window, in milliseconds before the threshold date
     * @return the report buffer (the instance returned by {@code checkValidityOfCertChain}
     *         when the chain is checked)
     */
    private StringBuffer checkSignerValidity(String str, Certificate[] certificateArr, StringBuffer stringBuffer, boolean z, KeyStoreInfo keyStoreInfo, String str2, boolean z2, long j, long j2) {
        String formattedMessage;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkSignerValidity");
        }
        Locale currentLocale = currentLocale();
        String property = System.getProperty("line.separator");
        X509Certificate x509Certificate = null;
        if (certificateArr != null) {
            x509Certificate = (X509Certificate) certificateArr[0];
        }
        // NOTE(review): a null certificateArr leaves x509Certificate null and the next line throws
        // NullPointerException; an empty array fails at index 0 above. How callers handle that
        // is not visible here.
        Date notAfter = x509Certificate.getNotAfter();
        // Result discarded; has no effect on the outcome.
        x509Certificate.getNotBefore();
        long time = notAfter.getTime();
        // j3: threshold date (replacement allowed from here on); j4: start of the pre-notification window.
        long j3 = time - j;
        long j4 = j3 - j2;
        String name = keyStoreInfo.getName();
        Boolean readOnly = keyStoreInfo.getReadOnly();
        Boolean fileBased = keyStoreInfo.getFileBased();
        String str3 = name + "(" + keyStoreInfo.getScopeNameString() + ")";
        // Style 2 is DateFormat.MEDIUM.
        String format = DateFormat.getDateInstance(2, currentLocale).format(new Date(j3));
        // Result discarded; has no effect on the outcome.
        DateFormat.getDateInstance(2, currentLocale).format(new Date(j4));
        String format2 = DateFormat.getDateInstance(2, currentLocale).format(notAfter);
        if (isCertExpired(x509Certificate)) {
            if (z) {
                formattedMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.monitor.personal.expired.CWPKI0680I", new Object[]{str, str3, format2}, "Personal certificate alias \"" + str + "\" in KeyStore \"" + str3 + "\" expired on " + format2, currentLocale);
                // Eligible for replacement: self-signed or WebSphere-issued chained, in a writable key
                // store that is file based or, with replaceWritableSaf set, not file based.
                if ((str2.equals("self-signed") || (str2.equals("chained") && z2)) && !readOnly.booleanValue() && (fileBased.booleanValue() || (!fileBased.booleanValue() && this.replaceWritableSaf))) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Alias " + str + " in key store " + name + " was added to the expired certs list.");
                    }
                    this.expiredCerts.add(this.certMonitorHelper.createCertInfoFromCert(str, x509Certificate, keyStoreInfo));
                } else {
                    this.noUpdateBuffer.append(property);
                    this.noUpdateBuffer.append(formattedMessage);
                }
            } else {
                if (!readOnly.booleanValue() && fileBased.booleanValue()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Alias " + str + " in key store " + name + " was added to the signer certs list.");
                    }
                    this.signerCerts.add(this.certMonitorHelper.createCertInfoFromCert(str, x509Certificate, keyStoreInfo));
                }
                formattedMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.monitor.signer.expired.CWPKI0679I", new Object[]{str, str3, format2}, "Signer certificate alias \"" + str + "\" in KeyStore \"" + str3 + "\" expired on " + format2, currentLocale);
            }
            stringBuffer.append(property);
            stringBuffer.append(formattedMessage);
        } else {
            long currentTimeMillis = System.currentTimeMillis();
            String format3 = DateFormat.getDateInstance(2, currentLocale).format(notAfter);
            if (time - currentTimeMillis <= j) {
                // NOTE(review): this debug call is not guarded by tc.isDebugEnabled(), unlike the others.
                Tr.debug(tc, "Certificate is within the threshold");
                if (z) {
                    String formattedMessage2 = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.monitor.personal.expires.CWPKI0643I", new Object[]{str, str3, format3}, "Personal certificate alias \"" + str + "\" in KeyStore \"" + str3 + "\" expires on " + format3, currentLocale);
                    // NOTE(review): unlike the expired branch above, readOnly is only tested together with
                    // fileBased here, so a read-only key store that is not file based still qualifies
                    // when replaceWritableSaf is set - confirm this is intended.
                    if ((str2.equals("self-signed") || (str2.equals("chained") && z2)) && ((!readOnly.booleanValue() && fileBased.booleanValue()) || (!fileBased.booleanValue() && this.replaceWritableSaf))) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Alias " + str + " in key store " + name + " was added to the personel certs list.");
                        }
                        this.personalCerts.add(this.certMonitorHelper.createCertInfoFromCert(str, x509Certificate, keyStoreInfo));
                    } else {
                        // The reason the certificate cannot be replaced is appended to the message itself.
                        formattedMessage2 = formattedMessage2 + (" certificateType = " + str2 + " issuedByWebSphere=" + z2 + "readOnly=" + readOnly + " fileBased=" + fileBased + "replaceWritableSaf=" + this.replaceWritableSaf);
                        this.noUpdateBuffer.append(property);
                        this.noUpdateBuffer.append(formattedMessage2);
                    }
                    stringBuffer.append(property);
                    stringBuffer.append(formattedMessage2);
                } else {
                    if (!readOnly.booleanValue() && fileBased.booleanValue()) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Alias " + str + " in key store " + name + " was added to the signerCerts list.");
                        }
                        this.signerCerts.add(this.certMonitorHelper.createCertInfoFromCert(str, x509Certificate, keyStoreInfo));
                    }
                    String formattedMessage3 = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.monitor.signer.expires.CWPKI0642I", new Object[]{str, str3, format3}, "Signer certificate alias \"" + str + "\" in KeyStore \"" + str3 + "\" expires on " + format3, currentLocale);
                    stringBuffer.append(property);
                    stringBuffer.append(formattedMessage3);
                }
            } else if (j4 <= currentTimeMillis && currentTimeMillis < j3) {
                // Pre-notification window: not yet replaceable, reported ahead of the threshold date.
                if (z) {
                    if (!readOnly.booleanValue() && fileBased.booleanValue() && (str2.equals("self-signed") || (str2.equals("chained") && z2))) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Alias " + str + " in key store " + str3 + " was added to the notification list.");
                        }
                        this.notificationCerts.append(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.preNotifyPersonalCert.CWPKI0719I", new Object[]{str, str3, format3, format}, "Personal certificate \"" + str + "\" in the \"" + str3 + "\" key store is due to expire on " + format2 + " and can be replaced after the threshold date " + format + ".", currentLocale));
                        this.notificationCerts.append(property);
                    }
                } else if (!readOnly.booleanValue() && fileBased.booleanValue()) {
                    // NOTE(review): the trace names the notificationSignerCerts list, but the message is
                    // appended to notificationCerts - confirm which buffer is intended.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Alias " + str + " in key store " + str3 + " was added to the notificationSignerCerts list.");
                    }
                    this.notificationCerts.append(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.preNotifySignerCert.CWPKI0720I", new Object[]{str, str3, format3, format}, "Signer certificate \"" + str + "\" in the \"" + str3 + "\" key store is due to expire on " + format2 + " and can be replaced after the threshold date " + format + ".", currentLocale));
                    this.notificationCerts.append(property);
                }
            }
            // The issuing chain is only examined for certificates that are not themselves expired.
            if (certificateArr.length > 1) {
                stringBuffer = checkValidityOfCertChain(str, str3, certificateArr, stringBuffer, currentTimeMillis, j);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkSignerValidity");
        }
        return stringBuffer;
    }

    /**
     * Tells whether the certificate's validity period has ended.
     *
     * <p>A certificate that is not yet valid is reported as not expired.
     *
     * @param x509Certificate certificate to check
     * @return {@code true} only when {@code checkValidity()} reports expiry
     */
    private boolean isCertExpired(X509Certificate x509Certificate) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCertExpired");
        }
        boolean expired;
        try {
            x509Certificate.checkValidity();
            expired = false;
        } catch (CertificateExpiredException pastNotAfter) {
            expired = true;
        } catch (CertificateNotYetValidException ignored) {
            // Not yet valid is intentionally not treated as expired.
            expired = false;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCertExpired " + expired);
        }
        return expired;
    }

    /**
     * Checks every certificate after the first in a chain and appends a message
     * for each one that is expired or that expires within the threshold.
     *
     * @param str            alias of the certificate the chain belongs to
     * @param str2           display name of the key store
     * @param certificateArr certificate chain; element 0 is skipped
     * @param stringBuffer   report buffer that receives the messages
     * @param j              reference time in milliseconds
     * @param j2             threshold in milliseconds; a certificate whose
     *                       {@code notAfter - j} is at most this value is reported
     * @return the same report buffer
     */
    private StringBuffer checkValidityOfCertChain(String str, String str2, Certificate[] certificateArr, StringBuffer stringBuffer, long j, long j2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checValidityOfCertChain");
        }
        int position = 1;
        while (position < certificateArr.length) {
            final X509Certificate issuer = (X509Certificate) certificateArr[position];
            position++;
            final BigInteger serial = issuer.getSerialNumber();

            if (isCertExpired(issuer)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Alias " + str + " in key store " + str2 + " is signed by a certificate that is expired.");
                }
                final String expiredMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.certChain.expired.CWPKI0741I", new Object[]{str, str2, serial}, "The " + str + " certificate in the " + str2 + "  keystore is signed with a certificate that is expired.  The certificate with the serial number " + serial + " in the certificate chain is expired.");
                stringBuffer.append(this.linesep);
                stringBuffer.append(expiredMessage);
                continue;
            }

            final Date expiry = issuer.getNotAfter();
            final long expiryMillis = expiry.getTime();
            final Locale locale = currentLocale();
            if (expiryMillis - j > j2) {
                // Still outside the threshold: nothing to report for this link.
                continue;
            }
            final String expiresOn = DateFormat.getDateInstance(DateFormat.MEDIUM, locale).format(expiry);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Alias " + str + " in key store " + str2 + " is signed by a certificate that is about to expire.");
            }
            final String expiringMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.certChain.will.expire.CWPKI0742I", new Object[]{str, str2, serial, expiresOn}, "The " + str + " certificate in the " + str2 + " keystore is signed with a certificate that will expire soon.   The certificate with the serial number " + serial + " in the certificate chain will expire on " + expiresOn + ".", locale);
            stringBuffer.append(this.linesep);
            stringBuffer.append(expiringMessage);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checValidityOfCertChain");
        }
        return stringBuffer;
    }

    /**
     * Refreshes the two root signer digest caches from the given key stores.
     *
     * <p>The caches are filled in order. If the second call fails, the first
     * cache keeps its refreshed value. Failures are recorded through FFDC and
     * debug trace and are not propagated.
     *
     * @param keyStoreInfo  key store used to fill {@code rootSignerDigestCacheMap}
     * @param keyStoreInfo2 key store used to fill {@code rsaRootSignerDigestCacheMap}
     */
    private void storeRootCertificateDigest(KeyStoreInfo keyStoreInfo, KeyStoreInfo keyStoreInfo2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "storeRootCertificateDigest");
        }

        try {
            // Default root store digests first, then the RSA token root store digests.
            this.rootSignerDigestCacheMap =
                    this.certMonitorHelper.populateDigestCacheMap(this.rootSignerDigestCacheMap, keyStoreInfo);
            this.rsaRootSignerDigestCacheMap =
                    this.certMonitorHelper.populateDigestCacheMap(this.rsaRootSignerDigestCacheMap, keyStoreInfo2);
        } catch (Exception digestFailure) {
            FFDCFilter.processException(digestFailure, "com.ibm.ws.ssl.commands.WSCertExpMonitor.storeRootCertificateDigest", "1624");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to build the list root certificate digests: ", digestFailure.getMessage());
            }
        }

        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "storeRootCertificateDigest");
        }
    }

    /**
     * Checks the chain against the cached root signer digests: first the default
     * root cache and, only if that does not match, the RSA token root cache.
     *
     * @param certificateArr certificate chain to check
     * @return {@code true} if the helper matches the chain against either cache
     */
    private boolean signedByWebSphere(Certificate[] certificateArr) {
        final StartCertificateExpMonitorHelper digestMatcher = new StartCertificateExpMonitorHelper();
        // Short-circuit keeps the original order: the RSA cache is consulted only on a miss.
        return digestMatcher.signedByWebSphere(certificateArr, this.rootSignerDigestCacheMap)
                || digestMatcher.signedByWebSphere(certificateArr, this.rsaRootSignerDigestCacheMap);
    }

    /**
     * Returns the locale to use for report messages: the value of
     * {@code getLocale()}, or the JVM default locale when that is {@code null}.
     *
     * @return a non-null locale
     */
    Locale currentLocale() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "currentLocale");
        }
        final Locale configured = getLocale();
        final Locale effective = (configured != null) ? configured : Locale.getDefault();
        if (configured == null && tc.isEntryEnabled()) {
            Tr.debug(tc, "locale is null, use system locale:" + effective);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "currentLocale", effective);
        }
        return effective;
    }
}
