package utils;

import com.rsa.certj.CertJ;
import com.rsa.certj.DatabaseService;
import com.rsa.certj.Provider;
import com.rsa.certj.cert.Certificate;
import com.rsa.certj.cert.CertificateException;
import com.rsa.certj.cert.X509Certificate;
import com.rsa.certj.cert.X509V3Extensions;
import com.rsa.certj.cert.extensions.BasicConstraints;
import com.rsa.certj.cert.extensions.X509V3Extension;
import com.rsa.certj.pkcs12.PKCS12;
import com.rsa.certj.pkcs12.PKCS12Exception;
import com.rsa.certj.provider.db.MemoryDB;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Date;
import java.util.Enumeration;
import javax.security.cert.CertificateEncodingException;
import org.apache.tools.ant.taskdefs.optional.SchemaValidate;
import org.apache.tools.ant.taskdefs.optional.sos.SOSCmd;
import weblogic.security.SecurityLogger;
import weblogic.security.utils.SSLCertUtility;
import weblogic.security.utils.SSLContextWrapper;

/* loaded from: input_file:utils/ValidateCertChain.class */
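/**
 * Command-line and server-side sanity check of an X.509 certificate chain.
 *
 * <p>The chain is read from a PEM file, a JKS keystore, a PKCS12 keystore (JDK
 * provider) or a PKCS12 file (CertJ), converted to CertJ {@link X509Certificate}
 * objects and then passed to {@link #validateCertChain(X509Certificate[])}, which
 * checks validity dates, issuer/subject DN linkage between neighbouring
 * certificates and the BasicConstraints extension of each CA certificate.
 *
 * <p>Those are the only checks performed. Signatures are not verified, no trust
 * anchor is consulted, and revocation, key usage and name constraints are not
 * examined, so "Certificate chain appears valid" is a structural result and not
 * an authentication of the chain.
 *
 * <p>Messages go to {@code System.out} only after {@link #setOutputEnabled(boolean)}
 * ({@link #main} enables them); stack traces additionally require the
 * {@code debug} system property. Instances are not thread-safe: the flags read
 * by {@link #logForServer()} are set while a chain is being validated.
 */
public class ValidateCertChain {
    // Prefix of the message printed when an input file cannot be opened. The
    // decompiled listing resolved this literal to an Ant constant
    // (SchemaValidate.SchemaLocation.ERROR_NO_FILE); the text is the same.
    private static final String FILE_NOT_FOUND_PREFIX = "File not found: ";
    // Message carried by the KeyStoreException when KeyStore.getInstance finds no
    // provider for the requested store type.
    private static final String PKCS12_UNSUPPORTED_MESSAGE = "PKCS12 not found";
    private static final String FAILURE_PREFIX = "Failure processing: ";
    private static final String CONVERSION_FAILURE = "Problem converting certificate chain";
    private static final String NO_CRITICAL_CA_CONSTRAINT =
            "CA cert not marked with critical BasicConstraint indicating it is a CA";

    // Messages are printed only when explicitly enabled (see setOutputEnabled).
    private boolean outputEnabled = false;
    // Stack traces are printed only when the "debug" system property is true.
    private boolean debugEnabled = Boolean.getBoolean("debug");
    // Set when a CA certificate fails the BasicConstraints checks; read by logForServer.
    private boolean constraintsIssues = false;
    // Set when the last certificate is not self-issued (issuer DN != subject DN).
    private boolean chainIncomplete = false;

    /**
     * Enables or disables printing of progress and failure messages to {@code System.out}.
     *
     * @param z {@code true} to print messages
     */
    public void setOutputEnabled(boolean z) {
        this.outputEnabled = z;
    }

    /**
     * Command-line entry point; exits with status 0 if the chain passed the checks, 1 otherwise.
     *
     * @param strArr command-line arguments, see {@link #usage()}
     */
    public static void main(String[] strArr) {
        ValidateCertChain checker = new ValidateCertChain();
        checker.setOutputEnabled(true);
        System.exit(checker.processCommandLine(strArr) ? 0 : 1);
    }

    /**
     * Parses the command line, runs the matching check and prints the verdict.
     *
     * @param strArr command-line arguments; the accepted forms are listed by {@link #usage()}
     * @return {@code true} if the chain passed the structural checks
     */
    public boolean processCommandLine(String[] strArr) {
        if (strArr == null || strArr.length == 0) {
            usage();
            return false;
        }
        String option = strArr[0];
        int argCount = strArr.length;
        boolean valid = false;
        try {
            if ((option.equalsIgnoreCase("-file") || option.equalsIgnoreCase("-pem")) && argCount == 2) {
                valid = processPemFile(strArr[1]);
            } else if (option.equalsIgnoreCase("-jks") && (argCount == 3 || argCount == 4)) {
                // The optional fourth argument is the store password.
                valid = processJksKeyStore(strArr[1], strArr[2], argCount == 4 ? strArr[3] : null);
            } else if (option.equalsIgnoreCase("-pkcs12store") && argCount == 2) {
                valid = processPkcs12(strArr[1]);
            } else if (option.equalsIgnoreCase("-pkcs12file") && argCount == 3) {
                valid = processPkcs12UsingCertJ(strArr[1], strArr[2]);
            } else {
                usage();
                return false;
            }
        } catch (Exception e) {
            // Any unexpected failure is reported as an invalid chain below.
            printOut(e);
        }
        printOut(valid ? "Certificate chain appears valid" : "Certificate chain is invalid");
        return valid;
    }

    /**
     * Reads a PEM-encoded chain from {@code str} and validates it.
     *
     * @param str path of the PEM file
     * @return {@code true} if the chain passed the structural checks
     */
    public boolean processPemFile(String str) {
        FileInputStream in = null;
        try {
            in = new FileInputStream(str);
            return validateCertChain(convertChain(
                    SSLCertUtility.inputCertificateChain(SSLContextWrapper.getInstance(), in)));
        } catch (FileNotFoundException e) {
            printOut(FILE_NOT_FOUND_PREFIX + str);
        } catch (IOException e) {
            reportFailure(str, e);
        } catch (KeyManagementException e) {
            reportFailure(str, e);
        } finally {
            closeQuietly(in);
        }
        return false;
    }

    /**
     * Loads a JKS keystore and validates the certificate chain stored under {@code str}.
     *
     * @param str alias of the entry whose chain is checked
     * @param str2 path of the keystore file
     * @param str3 store password, or {@code null} to load without integrity checking
     * @return {@code true} if the chain passed the structural checks
     */
    public boolean processJksKeyStore(String str, String str2, String str3) {
        FileInputStream in = null;
        try {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            in = new FileInputStream(str2);
            keyStore.load(in, str3 == null ? null : str3.toCharArray());
            java.security.cert.Certificate[] chain = keyStore.getCertificateChain(str);
            if (chain == null) {
                // Unknown alias, or an entry without a chain (e.g. a trusted-cert entry).
                printOut("No certificate chain found for alias: " + str);
                return false;
            }
            return validateCertChain(convertChain(chain));
        } catch (FileNotFoundException e) {
            printOut(FILE_NOT_FOUND_PREFIX + str2);
        } catch (Exception e) {
            // Covers the keystore/security exceptions as well as runtime failures from CertJ.
            reportFailure(str2, e);
        } finally {
            closeQuietly(in);
        }
        return false;
    }

    /**
     * Loads a PKCS12 keystore through the JDK provider (without a password) and validates
     * the chain of its first key entry.
     *
     * @param str path of the PKCS12 file
     * @return {@code true} if the chain passed the structural checks
     */
    public boolean processPkcs12(String str) {
        FileInputStream in = null;
        try {
            // Provider lookup comes first so that a missing provider is reported
            // before a missing file, as before.
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            in = new FileInputStream(str);
            keyStore.load(in, null);
            String alias = selectAlias(keyStore);
            if (alias == null) {
                printOut("No alias for certs/key found");
                return false;
            }
            return validateCertChain(convertChain(keyStore.getCertificateChain(alias)));
        } catch (FileNotFoundException e) {
            printOut(FILE_NOT_FOUND_PREFIX + str);
        } catch (KeyStoreException e) {
            // getMessage() may be null; compare constant-first to avoid an NPE.
            if (PKCS12_UNSUPPORTED_MESSAGE.equalsIgnoreCase(e.getMessage())) {
                printOut("PKCS12 keystore not supported, try using -pkcs12file");
            } else {
                reportFailure(str, e);
            }
        } catch (Exception e) {
            reportFailure(str, e);
        } finally {
            closeQuietly(in);
        }
        return false;
    }

    /**
     * Picks the alias whose chain is validated: the first key entry. If the store has
     * aliases but none is a key entry, the last alias enumerated is returned (original
     * behaviour, kept for compatibility); {@code null} only when the store is empty.
     *
     * @throws KeyStoreException if the store has not been loaded
     */
    private static String selectAlias(KeyStore keyStore) throws KeyStoreException {
        String alias = null;
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            alias = aliases.nextElement();
            if (keyStore.isKeyEntry(alias)) {
                break;
            }
        }
        return alias;
    }

    /**
     * Opens a PKCS12 file with CertJ and validates the certificates it contains.
     *
     * @param str path of the PKCS12 file
     * @param str2 password of the PKCS12 file; on the command line this is passed as a
     *     plain argument and is therefore visible to other users of the machine
     * @return {@code true} if the chain passed the structural checks
     */
    public boolean processPkcs12UsingCertJ(String str, String str2) {
        try {
            CertJ certJ = new CertJ(new Provider[]{new MemoryDB("In-Memory Provider")});
            DatabaseService db = (DatabaseService) certJ.bindServices(1);
            PKCS12 pkcs12 = new PKCS12(certJ, db, str2.toCharArray(), str);
            return validateCertChain(convertChain(pkcs12.getCertificates()));
        } catch (Exception e) {
            // PKCS12Exception and any other failure are reported identically.
            reportFailure(str, e);
        }
        return false;
    }

    /**
     * Narrows a CertJ {@link Certificate} array to {@link X509Certificate}.
     *
     * @return the certificates as an X.509 array, or {@code null} for a null/empty input
     *     or when an element is not an X.509 certificate
     */
    private X509Certificate[] convertChain(Certificate[] certificateArr) {
        if (certificateArr == null || certificateArr.length == 0) {
            return null;
        }
        X509Certificate[] chain = new X509Certificate[certificateArr.length];
        try {
            for (int i = 0; i < certificateArr.length; i++) {
                chain[i] = (X509Certificate) certificateArr[i];
            }
        } catch (ClassCastException e) {
            reportConversionFailure(e);
            return null;
        }
        return chain;
    }

    /**
     * Re-encodes {@code javax.security.cert} certificates as CertJ {@link X509Certificate}s
     * via their DER encoding.
     *
     * @return the converted chain, or {@code null} for a null/empty input or on an
     *     encoding/decoding failure
     */
    private X509Certificate[] convertChain(javax.security.cert.X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return null;
        }
        X509Certificate[] chain = new X509Certificate[x509CertificateArr.length];
        try {
            for (int i = 0; i < x509CertificateArr.length; i++) {
                chain[i] = new X509Certificate(x509CertificateArr[i].getEncoded(), 0, 0);
            }
        } catch (CertificateException e) {
            reportConversionFailure(e);
            return null;
        } catch (CertificateEncodingException e) {
            reportConversionFailure(e);
            return null;
        }
        return chain;
    }

    /**
     * Re-encodes {@code java.security.cert} certificates as CertJ {@link X509Certificate}s
     * via their DER encoding.
     *
     * @return the converted chain, or {@code null} for a null/empty input or on an
     *     encoding/decoding failure
     */
    private X509Certificate[] convertChain(java.security.cert.Certificate[] certificateArr) {
        if (certificateArr == null || certificateArr.length == 0) {
            return null;
        }
        X509Certificate[] chain = new X509Certificate[certificateArr.length];
        try {
            for (int i = 0; i < certificateArr.length; i++) {
                chain[i] = new X509Certificate(certificateArr[i].getEncoded(), 0, 0);
            }
        } catch (CertificateException e) {
            reportConversionFailure(e);
            return null;
        } catch (java.security.cert.CertificateEncodingException e) {
            reportConversionFailure(e);
            return null;
        }
        return chain;
    }

    /**
     * Server-side check of a chain: runs the structural validation silently (output is
     * disabled) and reports BasicConstraints problems through {@link SecurityLogger}.
     *
     * @param x509CertificateArr the server's chain, end entity first
     */
    public static void validateServerCertChain(javax.security.cert.X509Certificate[] x509CertificateArr) {
        ValidateCertChain checker = new ValidateCertChain();
        checker.validateCertChain(checker.convertChain(x509CertificateArr));
        checker.logForServer();
    }

    /**
     * Server-side check of a chain: runs the structural validation silently (output is
     * disabled) and reports BasicConstraints problems through {@link SecurityLogger}.
     *
     * @param certificateArr the server's chain, end entity first
     */
    public static void validateServerCertChain(java.security.cert.Certificate[] certificateArr) {
        ValidateCertChain checker = new ValidateCertChain();
        checker.validateCertChain(checker.convertChain(certificateArr));
        checker.logForServer();
    }

    /**
     * Logs the outcome of the last validation to the server security log. A constraints
     * problem takes precedence; an incomplete chain is logged only when the constraints
     * of the missing part could not be checked.
     */
    public void logForServer() {
        if (this.constraintsIssues) {
            SecurityLogger.logCertificateChainConstraints();
        } else if (this.chainIncomplete) {
            SecurityLogger.logCertificateChainIncompleteConstraintsNotChecked();
        }
    }

    /**
     * Runs the structural checks over a chain ordered end entity first, each certificate
     * followed by its issuer.
     *
     * <p>For every certificate the validity period is checked against the current time.
     * For every certificate but the last, its issuer DN must equal the next certificate's
     * subject DN and the next certificate must carry CA BasicConstraints
     * ({@link #verifyIssuedBy}). The last certificate is expected to be self-issued; if it
     * is not, the chain is flagged incomplete but the result is unaffected
     * ({@link #verifySelfSignedCert}). Signatures are never verified.
     *
     * @param x509CertificateArr the chain, end entity first
     * @return {@code false} if any check failed or the chain is null/empty
     */
    public boolean validateCertChain(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            printOut("No certificates found");
            return false;
        }
        boolean valid = true;
        int last = x509CertificateArr.length - 1;
        Date now = new Date();
        for (int i = 0; i <= last; i++) {
            X509Certificate cert = x509CertificateArr[i];
            printOut("Cert[" + i + "]: " + cert.getSubjectName());
            if (!cert.checkValidityDate(now)) {
                valid = false;
                printOut("     Validity date check failed");
            }
            if (i == 0 && !verifyEndEntity(cert)) {
                // Informational only; does not affect the result.
                printOut("First cert in chain is not an end entity\nthis doesn't conform to TLS V1.0 and may be rejected");
            }
            if (i < last) {
                if (!verifyIssuedBy(cert, x509CertificateArr[i + 1], i)) {
                    valid = false;
                }
            } else if (!verifySelfSignedCert(cert, i)) {
                valid = false;
            }
        }
        return valid;
    }

    /**
     * Checks that {@code x509Certificate2} looks like the issuer of {@code x509Certificate}:
     * the issuer DN must equal the issuer certificate's subject DN and the issuer must carry
     * CA BasicConstraints. This is a name comparison only; the signature is not verified.
     *
     * @param x509Certificate the issued certificate
     * @param x509Certificate2 its presumed issuer
     * @param i index of {@code x509Certificate} in the chain; also the number of CA
     *     certificates below the issuer, used for the pathLenConstraint check
     * @return {@code false} if either check fails
     */
    private boolean verifyIssuedBy(X509Certificate x509Certificate, X509Certificate x509Certificate2, int i) {
        boolean linked = true;
        if (!x509Certificate.getIssuerName().equals(x509Certificate2.getSubjectName())) {
            printOut("Issuer DN from certificate, doesn't match subjectDN from the issuer certificate");
            printOut("     Expected DN: " + x509Certificate.getIssuerName());
            printOut("       Actual DN: " + x509Certificate2.getSubjectName());
            linked = false;
        }
        if (!verifyCAExtensions(x509Certificate2, i)) {
            linked = false;
        }
        return linked;
    }

    /**
     * Checks the last certificate of the chain. "Self-signed" is judged by issuer DN equal
     * to subject DN only; the signature is not verified. A certificate that is not
     * self-issued marks the chain incomplete without failing it.
     *
     * @param x509Certificate the last certificate of the chain
     * @param i its index; {@code 0} means a single-certificate chain
     * @return {@code false} only for a single self-issued certificate whose BasicConstraints
     *     checks fail
     */
    public boolean verifySelfSignedCert(X509Certificate x509Certificate, int i) {
        boolean selfIssued = x509Certificate.getIssuerName().equals(x509Certificate.getSubjectName());
        if (!selfIssued) {
            this.chainIncomplete = true;
            printOut("Certificate chain is incomplete, can't confirm the entire chain is valid");
            if (i == 0) {
                return true;
            }
        }
        // At index > 0 the last certificate was already examined as an issuer by
        // verifyIssuedBy; only a single-certificate chain reaches the extension check here.
        if (i == 0) {
            return verifyCAExtensions(x509Certificate, i);
        }
        return true;
    }

    /**
     * Checks the BasicConstraints extension of a CA certificate: it must be present,
     * critical, assert {@code cA}, and its pathLenConstraint (when set, i.e. not -1) must
     * allow {@code i} CA certificates below it. Version 1 and 2 certificates cannot carry
     * extensions and are accepted as-is.
     *
     * @param x509Certificate the CA certificate
     * @param i number of CA certificates below this one, or -1 to skip the path length check
     * @return {@code false} if a constraint is missing or violated; also sets
     *     {@code constraintsIssues} for {@link #logForServer()}
     */
    public boolean verifyCAExtensions(X509Certificate x509Certificate, int i) {
        int version = x509Certificate.getVersion();
        if (version == 0 || version == 1) {
            // CertJ reports the version zero-based; v1/v2 certificates have no extensions.
            printOut("CA is version " + (version + 1) + ", BasicConstraints extension will not be present which is valid for that version");
            return true;
        }
        boolean ok = true;
        boolean found = false;
        X509V3Extensions extensions = x509Certificate.getExtensions();
        if (extensions != null) {
            int count = extensions.getExtensionCount();
            for (int index = 0; index < count; index++) {
                try {
                    X509V3Extension extension = extensions.getExtensionByIndex(index);
                    if (!(extension instanceof BasicConstraints)) {
                        continue;
                    }
                    found = true;
                    BasicConstraints basicConstraints = (BasicConstraints) extension;
                    if (!basicConstraints.getCA() || !basicConstraints.getCriticality()) {
                        this.constraintsIssues = true;
                        printOut(NO_CRITICAL_CA_CONSTRAINT);
                        ok = false;
                    }
                    if (i != -1) {
                        int pathLen = basicConstraints.getPathLen();
                        if (pathLen != -1 && i > pathLen) {
                            this.constraintsIssues = true;
                            printOut("PathLength constraint exceeded, constraint = " + pathLen + ", current = " + i);
                            ok = false;
                        }
                    }
                } catch (CertificateException e) {
                    // An unreadable extension is reported but does not fail the check by itself;
                    // a missing BasicConstraints extension is caught below.
                    printOut("Failed getting extensions");
                    printOut(e);
                }
            }
        }
        if (!found) {
            this.constraintsIssues = true;
            printOut(NO_CRITICAL_CA_CONSTRAINT);
            ok = false;
        }
        return ok;
    }

    /**
     * Placeholder for an end-entity check of the first certificate; currently accepts
     * every certificate, so the "not an end entity" message is never printed.
     *
     * @param x509Certificate the first certificate of the chain
     * @return always {@code true}
     */
    public boolean verifyEndEntity(X509Certificate x509Certificate) {
        return true;
    }

    /** Prints the accepted command-line forms. */
    public void usage() {
        printOut("\nUsage:\n\t java utils.ValidateCertChain -file pemcertificatefilename\n\t java utils.ValidateCertChain -pem pemcertificatefilename\n\t java utils.ValidateCertChain -pkcs12store pkcs12storefilename\n\t java utils.ValidateCertChain -pkcs12file pkcs12filename password\n\t java utils.ValidateCertChain -jks alias storefilename [storePass]");
    }

    /** Reports a failure to process the input at {@code path}. */
    private void reportFailure(String path, Exception e) {
        printOut(FAILURE_PREFIX + path);
        printOut(e);
    }

    /** Reports a failure to convert a chain to CertJ certificates. */
    private void reportConversionFailure(Exception e) {
        printOut(CONVERSION_FAILURE);
        printOut(e);
    }

    /** Closes {@code in} if it was opened; a close failure is only visible in debug mode. */
    private void closeQuietly(FileInputStream in) {
        if (in == null) {
            return;
        }
        try {
            in.close();
        } catch (IOException e) {
            printOut(e);
        }
    }

    /** Prints a message if output is enabled. */
    private void printOut(String str) {
        if (this.outputEnabled) {
            System.out.println(str);
        }
    }

    /** Prints a stack trace if output and debug mode are both enabled. */
    private void printOut(Exception exc) {
        if (this.outputEnabled && this.debugEnabled) {
            exc.printStackTrace();
        }
    }
}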
