package com.ibm.ws.ssl.commands.migrate;

import com.ibm.ISecurityUtilityImpl.SecConstants;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.cmdframework.CommandException;
import com.ibm.websphere.management.cmdframework.CommandLoadException;
import com.ibm.websphere.management.cmdframework.CommandNotFoundException;
import com.ibm.websphere.management.cmdframework.CommandValidationException;
import com.ibm.websphere.management.cmdframework.commanddata.CommandData;
import com.ibm.websphere.management.cmdframework.commandmetadata.TaskCommandMetadata;
import com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand;
import com.ibm.websphere.management.cmdframework.provider.TaskCommandResultImpl;
import com.ibm.websphere.management.configservice.ConfigDataId;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.management.configservice.ConfigServiceFactory;
import com.ibm.websphere.management.configservice.ConfigServiceHelper;
import com.ibm.ws.naming.util.C;
import com.ibm.ws.rsadapter.DSConfigHelper;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.ssl.commands.certificateRequests.CertificateRequestHelper;
import com.ibm.ws.ssl.commands.personalCertificates.PersonalCertificateHelper;
import com.ibm.ws.ssl.commands.utils.CommandConstants;
import com.ibm.ws.ssl.commands.utils.CommandHelper;
import com.ibm.ws.ssl.commands.utils.TraceNLSHelper;
import com.ibm.ws.ssl.config.KeyStoreManager;
import com.ibm.ws.ssl.config.ManagementScopeManager;
import com.ibm.ws.ssl.config.WSKeyStoreHelper;
import com.ibm.ws.ssl.core.Constants;
import com.ibm.ws.ssl.model.CertReqInfo;
import com.ibm.ws.ssl.model.KeyStoreInfo;
import java.security.InvalidKeyException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.management.ObjectName;

/* loaded from: input_file:com/ibm/ws/ssl/commands/migrate/ConvertSelfSignedCertificatesToChained.class */
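/**
 * Admin task that re-issues the self-signed personal certificates found in
 * the configured keystores as certificates chained to the cell/node root CA
 * (the root keystore resolved from {@code Constants.DEFAULT_ROOT_STORE}).
 *
 * Which keystores are touched is controlled by {@code certificateReplacementOption}:
 * ALL_CERTIFICATES (every writable, non-protected keystore), DEFAULT_CERTIFICATES
 * (CellDefaultKeyStore / NodeDefaultKeyStore only) or KEYSTORE_CERTIFICATES
 * (the single keystore named by {@code keyStoreName} / {@code keyStoreScope}).
 *
 * Security notes for maintainers:
 * - The root CA private key is loaded into memory for the duration of
 *   {@link #afterStepsExecuted()} and handed to the keystore helper; it is
 *   never written to the trace, and the root keystore password is taken from
 *   configuration ({@code KeyStoreInfo.getPassword()}), not from a parameter.
 * - The root store, the deleted-cert store, the RSA token root store and the
 *   LTPA key store are never rewritten (see {@link #isProtectedKeyStore}).
 * - A certificate is classified as self-signed only if it verifies under its
 *   own public key; certificates with a pending certificate request are left alone.
 */
public class ConvertSelfSignedCertificatesToChained extends AbstractTaskCommand {
    private static TraceComponent tc = Tr.register(ConvertSelfSignedCertificatesToChained.class, "SSL", "com.ibm.ws.ssl.commands.migrate");

    private static final String OPTION_ALL = "ALL_CERTIFICATES";
    private static final String OPTION_DEFAULTS = "DEFAULT_CERTIFICATES";
    private static final String OPTION_KEYSTORE = "KEYSTORE_CERTIFICATES";
    private static final long MILLIS_PER_DAY = 86400000L;

    // Raw parameter values; blank strings are normalized to null in validate().
    private String certificateReplacementOption = null;
    private String keyStoreName = null;
    private String keyStoreScope = null;
    private String rootCertificateAlias = null;
    boolean convertAll = false;
    boolean convertDefaults = false;
    String linesep = System.getProperty("line.separator");

    public ConvertSelfSignedCertificatesToChained(TaskCommandMetadata taskCommandMetadata) throws CommandNotFoundException {
        super(taskCommandMetadata);
    }

    public ConvertSelfSignedCertificatesToChained(CommandData commandData) throws CommandNotFoundException, CommandLoadException {
        super(commandData);
    }

    /**
     * Reads and validates the task parameters.
     *
     * Defect fixed here: a missing {@code certificateReplacementOption} used to
     * slip past the validity check (guarded by a null test) and then NPE on the
     * option comparison, surfacing as a CommandValidationException with a null
     * message. It is now reported with the same CWPKI0728E message as an
     * unknown option.
     *
     * @throws CommandValidationException when the option is missing/unknown, or
     *         when KEYSTORE_CERTIFICATES is selected without a keyStoreName.
     */
    @Override // com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand, com.ibm.websphere.management.cmdframework.provider.AbstractAdminCommand, com.ibm.websphere.management.cmdframework.AdminCommand
    public void validate() throws CommandValidationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.VALIDATE);
        }
        super.validate();
        try {
            this.certificateReplacementOption = (String) getParameter("certificateReplacementOption");
            this.keyStoreName = (String) getParameter("keyStoreName");
            this.keyStoreScope = (String) getParameter(CommandConstants.KEY_STORE_SCOPE);
            this.rootCertificateAlias = (String) getParameter(CommandConstants.ROOT_CERT_ALIAS);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "certificateReplacementOption=" + this.certificateReplacementOption + " keyStoreName=" + this.keyStoreName + " keyStoreScope=" + this.keyStoreScope);
            }
            // Treat empty strings as "not supplied".
            this.keyStoreName = blankToNull(this.keyStoreName);
            this.keyStoreScope = blankToNull(this.keyStoreScope);
            this.rootCertificateAlias = blankToNull(this.rootCertificateAlias);

            if (this.certificateReplacementOption == null || !validCertReplacementType(this.certificateReplacementOption)) {
                throw new CommandValidationException(TraceNLSHelper.getInstance().getString("ssl.command.convert.options.CWPKI0728E", "Certificate replacement option is not valid specify, ALL_CERTIFICATES, DEFAULT_CERTIFICATES, or KEYSTORE_CERTIFICATES"));
            }
            if (OPTION_ALL.equalsIgnoreCase(this.certificateReplacementOption)) {
                this.convertAll = true;
            } else if (OPTION_DEFAULTS.equalsIgnoreCase(this.certificateReplacementOption)) {
                this.convertDefaults = true;
            } else if (OPTION_KEYSTORE.equalsIgnoreCase(this.certificateReplacementOption)) {
                if (this.keyStoreName == null) {
                    throw new CommandValidationException(TraceNLSHelper.getInstance().getString("ssl.command.no.keystore.CWPKI0731E", "The keyStoreName parameter needs to be provided with a keystore name when the KEYSTORE_CERTIFICATES option is specified."));
                }
                if (this.keyStoreScope == null) {
                    // No scope given: the named keystore is looked up at the default (cell) scope.
                    this.keyStoreScope = new CommandHelper().defaultScope();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Default cell scopeName: " + this.keyStoreScope);
                    }
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.VALIDATE);
            }
        } catch (CommandValidationException e) {
            // Already the right type and message; do not re-wrap it.
            throw e;
        } catch (Exception e) {
            throw new CommandValidationException(e.getMessage());
        }
    }

    /**
     * Performs the conversion once the task steps have run successfully.
     *
     * Loads the root CA key pair from the node-scoped root keystore (using
     * {@code rootCertificateAlias}, or the helper's default root alias when
     * none was given) and then either walks all eligible keystores
     * ({@link #replaceCertsInKeystores}) or converts the single keystore named
     * by the parameters ({@link #replaceSelfSignedCerts}).
     *
     * Defect fixed here: the root-store lookup was wrapped in a try/catch that
     * recorded the failure on the result but then fell through and used the
     * half-initialized helper/key-store objects. All work now happens inside
     * one try block and any failure (including the CWPKI0655E / CWPKI0730E
     * validation errors) is recorded on the task result as a CommandException.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand
    public void afterStepsExecuted() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "afterStepsExecuted");
        }
        super.afterStepsExecuted();
        TaskCommandResultImpl result = (TaskCommandResultImpl) getTaskCommandResult();
        if (!result.isSuccessful()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "afterStepsExecuted");
            }
            return;
        }
        String report = null;
        try {
            ConfigService configService = ConfigServiceFactory.getConfigService();
            Session configSession = getConfigSession();
            KeyStoreInfo rootKsInfo = PersonalCertificateHelper.getKsInfo(configSession, configService,
                    KeyStoreManager.getDefaultKeyStoreName(Constants.DEFAULT_ROOT_STORE),
                    ManagementScopeManager.getInstance().getNodeScopeName());
            WSKeyStoreHelper rootStore = new WSKeyStoreHelper(rootKsInfo);
            if (this.rootCertificateAlias == null) {
                this.rootCertificateAlias = PersonalCertificateHelper.getDefaultRootAlias(rootKsInfo);
            }
            if (!rootStore.containsAlias(this.rootCertificateAlias)) {
                throw new CommandValidationException(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.cert.does.not.exist.CWPKI0655E", new Object[]{this.rootCertificateAlias, rootKsInfo.getName()}, "Certificate alias " + this.rootCertificateAlias + " does not exist in key store " + rootKsInfo.getName() + SecConstants.STRING_HOSTNAME_DELIMITER));
            }
            // The signing key stays in memory only for the lifetime of this call; never trace it.
            PrivateKey rootKey = (PrivateKey) rootStore.getKey(this.rootCertificateAlias, rootKsInfo.getPassword());
            Certificate[] rootChain = rootStore.getCertChainFromKey(this.rootCertificateAlias);

            if (this.keyStoreName == null) {
                report = replaceCertsInKeystores(configSession, configService, rootChain, rootKey);
            } else {
                // Refuse to rewrite the stores that hold the root CA, LTPA keys, etc.
                if (isProtectedKeyStore(this.keyStoreName)) {
                    throw new CommandValidationException(TraceNLSHelper.getInstance().getString("ssl.command.no.convert.CWPKI0730E", "Not allowed to replace self-signed certificates in specified keystore."));
                }
                KeyStoreInfo targetKsInfo = PersonalCertificateHelper.getKsInfo(configSession, configService, this.keyStoreName, this.keyStoreScope);
                // A read-only keystore is silently skipped (result stays null), as before.
                if (!targetKsInfo.getReadOnly().booleanValue()) {
                    report = replaceSelfSignedCerts(configSession, configService, targetKsInfo, rootChain, rootKey);
                }
            }
            result.setResult(report);
        } catch (Exception e) {
            result.setException(new CommandException(e, e.getMessage()));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "afterStepsExecuted");
        }
    }

    /**
     * Converts self-signed certificates in every keystore under the cell's
     * Security object that is writable, not protected, within the requested
     * scope (when one was given) and selected by the ALL/DEFAULT option.
     *
     * @return the concatenated per-keystore reports, one per line (possibly empty)
     * @throws Exception any config-service or keystore failure, after tracing it
     */
    private String replaceCertsInKeystores(Session session, ConfigService configService, Certificate[] certificateArr, PrivateKey privateKey) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "replaceCertsInKeystores");
        }
        StringBuffer report = new StringBuffer();
        CommandHelper commandHelper = new CommandHelper();
        try {
            ObjectName securityObject = configService.resolve(session, "Cell=:Security=")[0];
            ObjectName keyStorePattern = ConfigServiceHelper.createObjectName((ConfigDataId) null, "KeyStore");
            ObjectName[] keyStores = configService.queryConfigObjects(session, securityObject, keyStorePattern, null);
            for (int i = 0; i < keyStores.length; i++) {
                ObjectName keyStore = keyStores[i];
                String name = (String) configService.getAttribute(session, keyStore, "name");
                if (!isEligibleForConversion(session, configService, commandHelper, keyStore, name)) {
                    continue;
                }
                ObjectName scope = (ObjectName) configService.getAttribute(session, keyStore, CommandConstants.MANAGEMENT_SCOPE);
                String scopeName = (String) configService.getAttribute(session, scope, CommandConstants.SCOPE_NAME);
                KeyStoreInfo ksInfo = PersonalCertificateHelper.getKsInfo(session, configService, name, scopeName);
                String converted = replaceSelfSignedCerts(session, configService, ksInfo, certificateArr, privateKey);
                if (!converted.isEmpty()) {
                    report.append(converted);
                    report.append(this.linesep);
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "replaceCertsInKeystores");
            }
            return report.toString();
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception while replacing self-signed certifictates", e.getMessage());
            }
            throw e;
        }
    }

    /**
     * Applies the keystore-selection rules of {@link #replaceCertsInKeystores}
     * to one KeyStore config object, in the same order as the original
     * combined condition (read-only, protected name, scope, option).
     */
    private boolean isEligibleForConversion(Session session, ConfigService configService, CommandHelper commandHelper, ObjectName keyStore, String name) throws Exception {
        Boolean readOnly = (Boolean) configService.getAttribute(session, keyStore, DSConfigHelper.READONLY);
        if (readOnly.booleanValue()) {
            return false;
        }
        if (isProtectedKeyStore(name)) {
            return false;
        }
        if (this.keyStoreScope != null
                && !commandHelper.withInScope(configService, session, configService.getAttributes(session, keyStore, null, false), this.keyStoreScope)) {
            return false;
        }
        if (this.convertAll) {
            return true;
        }
        return this.convertDefaults && (name.equals("CellDefaultKeyStore") || name.equals("NodeDefaultKeyStore"));
    }

    /**
     * Keystores whose contents must never be rewritten by this task: the
     * deleted-certificate store, the root CA store, the RSA token root store
     * and the LTPA key store. Matching is by suffix because the configured
     * names carry a cell/node prefix.
     */
    private static boolean isProtectedKeyStore(String name) {
        return name.endsWith(Constants.DEFAULT_DELETED_STORE)
                || name.endsWith(Constants.DEFAULT_ROOT_STORE)
                || name.endsWith(Constants.RSA_TOKEN_ROOT_STORE)
                || name.endsWith(Constants.LTPA_KEYS);
    }

    /**
     * Replaces each self-signed personal certificate in {@code keyStoreInfo}
     * with a new certificate of the same subject, key size and validity
     * period, signed by {@code privateKey} and chained to {@code certificateArr}.
     *
     * Defects fixed here:
     * - The "CA certificate" flag handed to createChainedCertificate was a
     *   single variable declared outside the loop and never reset, so once one
     *   CA-constrained certificate had been converted every later certificate
     *   in the same keystore was re-issued with the flag set as well. It is now
     *   computed per certificate.
     * - Only SignatureException was treated as "not self-signed". verify() also
     *   reports a key/signature-algorithm mismatch (e.g. an EC subject key under
     *   an RSA CA signature) as InvalidKeyException, which used to abort the
     *   whole conversion; such certificates are now skipped like any other
     *   CA-issued certificate.
     *
     * @return a CWPKI0729I line per converted alias, empty when nothing was converted
     * @throws Exception any keystore or config-service failure, after tracing it
     */
    private String replaceSelfSignedCerts(Session session, ConfigService configService, KeyStoreInfo keyStoreInfo, Certificate[] certificateArr, PrivateKey privateKey) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "replaceSelfSignedCerts");
        }
        StringBuffer report = new StringBuffer();
        // Provider used for the self-signature check; falls back to IBMJCE.
        String provider = Security.getProperty("DEFAULT_JCE_PROVIDER");
        if (provider == null) {
            provider = "IBMJCE";
        }
        Locale locale = getLocale();
        if (locale == null) {
            locale = Locale.getDefault();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "locale is null, use system locale:" + locale);
            }
        }
        try {
            WSKeyStoreHelper store = new WSKeyStoreHelper(keyStoreInfo);
            String[] aliases = store.getCertAliases();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Converting self-signed certificates in \"" + keyStoreInfo.getName() + ":" + keyStoreInfo.getScopeNameString() + "\" to chained certificates.");
            }
            if (aliases != null) {
                for (int i = 0; i < aliases.length; i++) {
                    String alias = aliases[i];
                    if (!store.isCertKeyEntry(alias)) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Certificate \"" + alias + "\" is not a personal certificate.");
                        }
                        continue;
                    }
                    X509Certificate cert = (X509Certificate) store.getCertChainFromKey(alias)[0];
                    // Skip entries with an outstanding certificate request.
                    if (cert == null || CertificateRequestHelper.isKeyCertReq(cert, alias) != null) {
                        continue;
                    }
                    if (!isSelfSigned(cert, provider, alias)) {
                        continue;
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Certificate to be renewed is self-signed");
                    }
                    CertReqInfo certInfo = createCertInfoFromCert(alias, cert, keyStoreInfo);
                    // Presumably tells the helper to issue a CA certificate; only when the
                    // original carried basic constraints. Evaluated per certificate.
                    boolean caCert = cert.getBasicConstraints() != -1;
                    store.createChainedCertificate(certInfo, certificateArr, privateKey, caCert, true);
                    report.append(TraceNLSHelper.getInstance().getFormattedMessage("ssl.command.convert.cert.CWPKI0729I", new Object[]{alias, keyStoreInfo.getName() + C.L_PARENTHESIS + keyStoreInfo.getScopeNameString() + C.R_PARENTHESIS}, "Self-signed certificate " + alias + " in " + keyStoreInfo.getName() + ":" + keyStoreInfo.getScopeNameString() + " has been converted to a chained certificate."));
                    report.append(this.linesep);
                    // Last element of the root chain is presumably the root CA certificate itself.
                    X509Certificate rootCert = (X509Certificate) certificateArr[certificateArr.length - 1];
                    PersonalCertificateHelper.replaceCerts(session, keyStoreInfo, alias, cert, null, rootCert, null, null, true, locale);
                }
            }
            PersonalCertificateHelper.setWorkspaceUpdated(session, keyStoreInfo.getLocation());
            PersonalCertificateHelper.markSSLConfigChanged(keyStoreInfo, session);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "replaceSelfSignedCerts");
            }
            return report.toString();
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception while replacing self-signed certifictates", e.getMessage());
            }
            throw e;
        }
    }

    /**
     * A certificate is self-signed when its signature verifies under its own
     * public key. A CA-issued certificate fails that check with
     * SignatureException, or with InvalidKeyException when the subject key's
     * algorithm cannot verify the signature algorithm at all. Any other
     * failure (unknown provider/algorithm, malformed encoding) propagates.
     */
    private static boolean isSelfSigned(X509Certificate cert, String provider, String alias) throws Exception {
        try {
            cert.verify(cert.getPublicKey(), provider);
            return true;
        } catch (SignatureException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate \"" + alias + "\" is not a self-signed certificate.");
            }
            return false;
        } catch (InvalidKeyException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate \"" + alias + "\" is not a self-signed certificate.");
            }
            return false;
        }
    }

    /**
     * Builds the request info for the replacement certificate from the
     * certificate being replaced: same alias, key size, subject DN and
     * validity length in whole days; the profile UUID is carried over when
     * the old certificate has one.
     */
    private CertReqInfo createCertInfoFromCert(String alias, X509Certificate cert, KeyStoreInfo keyStoreInfo) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createCertInfoFromCert");
        }
        int keySize = PersonalCertificateHelper.getKeySizeFromPublicKey(cert.getPublicKey());
        long validityMillis = cert.getNotAfter().getTime() - cert.getNotBefore().getTime();
        int validityDays = (int) (validityMillis / MILLIS_PER_DAY);
        String subjectDn = cert.getSubjectDN().toString();
        String profileUuid = PersonalCertificateHelper.getUUIDFromCert(cert);
        CertReqInfo certReqInfo = new CertReqInfo(alias, keySize, subjectDn, validityDays, keyStoreInfo, null);
        if (profileUuid != null) {
            certReqInfo.setProfileUUID(profileUuid);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createCertInfoFromCert");
        }
        return certReqInfo;
    }

    /** Returns true for the three accepted (case-insensitive) option values. */
    private boolean validCertReplacementType(String str) {
        return OPTION_ALL.equalsIgnoreCase(str)
                || OPTION_DEFAULTS.equalsIgnoreCase(str)
                || OPTION_KEYSTORE.equalsIgnoreCase(str);
    }

    /** Maps an empty string to null; other values are returned unchanged. */
    private static String blankToNull(String value) {
        if (value != null && value.equals("")) {
            return null;
        }
        return value;
    }
}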
