package com.certicom.tls.interfaceimpl;

import com.bea.security.saml2.util.SAML2Constants;
import com.bea.sslplus.WeblogicHandler;
import com.bea.sslplus.extensions.CertificatePoliciesImpl;
import com.certicom.locale.Resources;
import com.certicom.net.ssl.TrustManager;
import com.certicom.net.ssl.impl.TrustManagerImpl;
import com.certicom.security.asn1.OID;
import com.certicom.security.cert.internal.x509.SSLPlusSupport;
import com.certicom.security.cert.internal.x509.X509V3CertImpl;
import com.certicom.tls.ciphersuite.CipherSuiteSupport;
import com.certicom.tls.ciphersuite.CryptoNames;
import com.certicom.tls.provider.Cipher;
import com.certicom.tls.provider.KeyFactory;
import com.certicom.tls.provider.KeyPairGenerator;
import com.certicom.tls.provider.MessageDigest;
import com.certicom.tls.provider.Signature;
import com.certicom.tls.provider.spec.RSAParameters;
import java.io.InputStream;
import java.io.Serializable;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import javax.net.ssl.SSLSocket;
import javax.resource.spi.work.WorkException;
import weblogic.security.CertificatePolicy;
import weblogic.security.CertificatePolicyQualifier;
import weblogic.security.utils.SSLHostnameVerifier;
import weblogic.security.utils.SSLSetup;
import weblogic.security.utils.SSLTruster;

/* loaded from: input_file:com/certicom/tls/interfaceimpl/CertificateSupport.class */
public final class CertificateSupport implements Serializable {
    // NOTE(review): the enclosing class is declared Serializable and none of the fields below is
    // transient, so serializing an instance would presumably write out the cached key pairs and the
    // private-key vectors. Confirm instances are never serialized to storage or peers that must not
    // see key material.

    // Cached ephemeral RSA key pairs: moduli of at most 512 bits and of 513..1024 bits respectively
    // (see addRSAExportKey / getRSAExportKey).
    private KeyPair rsaEphemeral512;
    private KeyPair rsaEphemeral1024;
    // Not used by the methods reviewed here; presumably a lock object - TODO confirm.
    private static Boolean certInitSync = new Boolean(true);
    // Static root certificates that disableDefaultTrustedCertificates removes from the trust list when set.
    private static X509V3CertImpl mtEcdsaRootCert = null;
    private static X509V3CertImpl mtRsaRootCert = null;
    // Trust anchors, stored as X509V3CertImpl instances by addTrustedCertificate.
    private Vector trustedCertificates = new Vector();
    // Receives the accumulated validation status through certificateCallback.
    private TrustManager trustManager = new TrustManagerImpl();
    // Default opaque reference passed to the trust manager when the caller supplies none.
    private Object certificateCallbackRef = null;
    // Identity chains (X509Certificate[]) grouped by key type. Each *PrivateKeys vector is kept
    // index-aligned with the matching *AuthChains vector: element i of one belongs to element i of the other.
    private Vector rsaAuthChains = new Vector();
    private Vector dsaAuthChains = new Vector();
    private Vector ecdsaAuthChains = new Vector();
    private Vector hybridAuthChains = new Vector();
    private Vector rsaPrivateKeys = new Vector();
    private Vector dsaPrivateKeys = new Vector();
    private Vector ecdsaPrivateKeys = new Vector();
    private Vector hybridPrivateKeys = new Vector();
    // Optional WebLogic hooks; null means "not configured".
    private SSLTruster wlsTruster = null;
    private SSLHostnameVerifier wlsVerifier = null;
    // A negative limit disables the refresh counting done in getRSAExportKey.
    private int exportKeyRefreshCountLimit = -1;
    private int exportKeyRefreshCounter = 0;

    /**
     * Installs the WebLogic trust hook that validateCertificateChain consults through
     * {@code validationCallback}.
     *
     * @param sSLTruster the truster to use, or {@code null} to leave the hook unset
     */
    public void setWLSTruster(SSLTruster sSLTruster) {
        wlsTruster = sSLTruster;
    }

    /**
     * Returns the currently installed WebLogic trust hook.
     *
     * @return the truster, or {@code null} when none has been set
     */
    public SSLTruster getWLSTruster() {
        return wlsTruster;
    }

    /**
     * Installs the hostname verifier used by isServerHostnameValid.
     *
     * <p>Leaving this unset (or passing {@code null}) means isServerHostnameValid accepts every
     * peer without any hostname comparison.
     *
     * @param sSLHostnameVerifier the verifier to use, or {@code null} for none
     */
    public void setWLSVerifier(SSLHostnameVerifier sSLHostnameVerifier) {
        wlsVerifier = sSLHostnameVerifier;
    }

    /**
     * Returns the currently installed hostname verifier.
     *
     * @return the verifier, or {@code null} when none has been set
     */
    public SSLHostnameVerifier getWLSVerifier() {
        return wlsVerifier;
    }

    /**
     * Sets how many getRSAExportKey calls may be served before the cached ephemeral RSA key pairs
     * are discarded.
     *
     * <p>A negative value switches the counting off, in which case cached pairs are kept
     * indefinitely. This setter is synchronized, but getRSAExportKey reads the limit without
     * holding the same monitor.
     *
     * @param i the new limit; negative disables refreshing
     */
    public synchronized void setExportKeyRefreshCountLimit(int i) {
        exportKeyRefreshCountLimit = i;
    }

    /**
     * Replaces the trust manager that receives the final certificate-chain validation status.
     *
     * <p>No null check is made here; validateCertificateChain dereferences this field, so a
     * {@code null} argument would surface later as a NullPointerException during validation.
     *
     * @param trustManager the trust manager to use from now on
     */
    public void setTrustManager(TrustManager trustManager) {
        // The parameter shadows the field, so the explicit qualifier is required.
        this.trustManager = trustManager;
    }

    /**
     * Sets the default opaque reference handed to the trust manager's certificate callback when
     * the caller of a validation does not supply its own.
     *
     * @param obj the reference to pass through; may be {@code null}
     */
    public void setCertificateCallbackRef(Object obj) {
        certificateCallbackRef = obj;
    }

    /**
     * Caches a caller-supplied ephemeral RSA key pair, choosing the slot by modulus size.
     *
     * <p>Pairs with a modulus of at most 512 bits go into the 512-bit slot, pairs of 513..1024
     * bits into the 1024-bit slot. Both sizes are far below currently accepted RSA key strengths;
     * this method only supports the legacy export-grade key exchange.
     *
     * @param keyPair the pair to cache; its public key is cast to {@link RSAPublicKey}
     * @throws InvalidKeyException if the modulus is longer than 1024 bits
     * @throws NoSuchAlgorithmException declared for callers; not thrown by the code in this method
     */
    public void addRSAExportKey(KeyPair keyPair) throws NoSuchAlgorithmException, InvalidKeyException {
        RSAPublicKey rsaPublic = (RSAPublicKey) keyPair.getPublic();
        int modulusBits = rsaPublic.getModulus().bitLength();
        if (modulusBits > 1024) {
            throw new InvalidKeyException(Resources.getMessage("83"));
        }
        if (modulusBits <= 512) {
            this.rsaEphemeral512 = keyPair;
        } else {
            this.rsaEphemeral1024 = keyPair;
        }
    }

    /**
     * Returns the cached ephemeral RSA key pair for the requested size class, generating it on
     * first use.
     *
     * <p>Requests above 512 bits are served from the 1024-bit slot, all others from the 512-bit
     * slot. Both sizes are far below currently accepted RSA key strengths.
     *
     * <p>NOTE(review): the refresh counter is incremented here and never reset in this method, so
     * once it reaches the limit every later call discards both cached pairs and regenerates the
     * requested one - confirm that is intended. The method is not synchronized although the limit
     * setter is.
     *
     * @param i requested key size in bits
     * @return the key pair, or {@code null} if generation failed and nothing was cached
     * @throws IllegalArgumentException if {@code i} is greater than 1024
     */
    public KeyPair getRSAExportKey(int i) {
        if (i > 1024) {
            throw new IllegalArgumentException(Resources.getMessage("43"));
        }
        final boolean wantLargeKey = i > 512;

        // A negative limit means "never refresh".
        if (this.exportKeyRefreshCountLimit >= 0) {
            this.exportKeyRefreshCounter += 1;
            boolean limitReached = this.exportKeyRefreshCounter >= this.exportKeyRefreshCountLimit;
            if (limitReached) {
                this.rsaEphemeral1024 = null;
                this.rsaEphemeral512 = null;
            }
        }

        try {
            if (wantLargeKey && this.rsaEphemeral1024 == null) {
                this.rsaEphemeral1024 = generateRSAExportKey(1024, TLSSystem.getRandomNumberGenerator());
            }
            if (!wantLargeKey && this.rsaEphemeral512 == null) {
                this.rsaEphemeral512 = generateRSAExportKey(512, TLSSystem.getRandomNumberGenerator());
            }
        } catch (NoSuchAlgorithmException e) {
            // Generation failure is only logged; the caller then receives whatever the slot holds.
            if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_WARN)) {
                WeblogicHandler.debug(WeblogicHandler.DEBUG_WARN, "Failed to generate RSA export key", e);
            }
        }

        if (wantLargeKey) {
            return this.rsaEphemeral1024;
        }
        return this.rsaEphemeral512;
    }

    /**
     * Generates a fresh RSA key pair of the given modulus size with public exponent 65537.
     *
     * @param i modulus size in bits
     * @param secureRandom randomness source handed to the generator
     * @return the newly generated key pair
     * @throws NoSuchAlgorithmException if the provider has no "RSA" key pair generator
     */
    public KeyPair generateRSAExportKey(int i, SecureRandom secureRandom) throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(new RSAParameters(i, 65537), secureRandom);
        return generator.genKeyPair();
    }

    /**
     * Registers an identity chain whose private key is supplied in encoded form.
     *
     * <p>The key is decoded with the key factory for the leaf certificate's public-key algorithm.
     * Any decoding failure is only reported through {@code WeblogicHandler.debugEaten}; the chain
     * is then still registered, with a {@code null} private key. Callers that need to know
     * whether the key was usable must check getPrivateKey afterwards.
     *
     * @param x509CertificateArr the chain, leaf certificate first
     * @param bArr the encoded private key
     */
    public void addAuthChain(X509Certificate[] x509CertificateArr, byte[] bArr) {
        PrivateKey decodedKey;
        try {
            String keyAlgorithm = x509CertificateArr[0].getPublicKey().getAlgorithm();
            decodedKey = KeyFactory.getInstance(keyAlgorithm).createPrivateKey(bArr, null);
        } catch (Exception e) {
            WeblogicHandler.debugEaten(e);
            decodedKey = null;
        }
        addAuthChain(x509CertificateArr, decodedKey);
    }

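    /**
     * Registers an identity certificate chain together with its private key.
     *
     * <p>Every element that is not already an {@code X509V3CertImpl} is re-parsed from its
     * encoding and written back into the caller's array, so the argument is modified in place.
     * The chain is then filed by the leaf certificate's public-key algorithm:
     * <ul>
     *   <li>names containing {@code CryptoNames.EC}: the hybrid store when the leaf is signed
     *       with SHA1/MD5/MD2-with-RSA, otherwise the ECDSA store;</li>
     *   <li>{@code "RSA"}: the RSA store;</li>
     *   <li>{@code SAML2Constants.DSA_KEY_TYPE}: the DSA store;</li>
     *   <li>anything else: silently ignored, nothing is stored.</li>
     * </ul>
     *
     * <p>The private key is stored as given, including {@code null}, and is not checked against
     * the leaf certificate's public key here.
     *
     * @param x509CertificateArr the chain, leaf certificate first; must not be empty
     * @param privateKey the private key belonging to the leaf certificate
     * @throws RuntimeException if a certificate cannot be converted; the underlying
     *     {@link CertificateException} is attached as the cause
     */
    public void addAuthChain(X509Certificate[] x509CertificateArr, PrivateKey privateKey) {
        for (int i = 0; i < x509CertificateArr.length; i++) {
            if (x509CertificateArr[i] instanceof X509V3CertImpl) {
                continue;
            }
            try {
                x509CertificateArr[i] = new X509V3CertImpl(x509CertificateArr[i].getEncoded());
            } catch (CertificateException e) {
                if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_ERROR)) {
                    WeblogicHandler.debug(WeblogicHandler.DEBUG_ERROR, "Cannot convert identity certificate", e);
                }
                // Keep the parsing failure as the cause so it is not lost when debug logging is off.
                throw new RuntimeException("Cannot convert identity certificate", e);
            }
        }

        X509Certificate leaf = x509CertificateArr[0];
        String algorithm = leaf.getPublicKey().getAlgorithm();

        if (algorithm.indexOf(CryptoNames.EC) >= 0) {
            // An EC key certified with an RSA signature is tracked separately from pure ECDSA.
            String sigAlgName = leaf.getSigAlgName();
            boolean rsaSigned = sigAlgName.equals(CryptoNames.SHA1withRSA)
                    || sigAlgName.equals(CryptoNames.MD5withRSA)
                    || sigAlgName.equals(CryptoNames.MD2withRSA);
            if (rsaSigned) {
                this.hybridAuthChains.addElement(x509CertificateArr);
                this.hybridPrivateKeys.addElement(privateKey);
            } else {
                this.ecdsaAuthChains.addElement(x509CertificateArr);
                this.ecdsaPrivateKeys.addElement(privateKey);
            }
            return;
        }

        if (algorithm.equals("RSA")) {
            this.rsaAuthChains.addElement(x509CertificateArr);
            this.rsaPrivateKeys.addElement(privateKey);
        } else if (algorithm.equals(SAML2Constants.DSA_KEY_TYPE)) {
            this.dsaAuthChains.addElement(x509CertificateArr);
            this.dsaPrivateKeys.addElement(privateKey);
        }
        // Any other algorithm name falls through without being stored.
    }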

    /**
     * Removes the first identity chain whose leaf certificate equals the given certificate,
     * together with the private key stored at the same index.
     *
     * <p>The stores are searched in the order RSA, DSA, ECDSA, hybrid; at most one chain is
     * removed. Nothing happens when no leaf matches.
     *
     * @param x509Certificate the leaf certificate identifying the chain to remove
     */
    public void removeAuthChain(X509Certificate x509Certificate) {
        // Parallel arrays: keyStores[n] is index-aligned with chainStores[n].
        Vector[] chainStores = {this.rsaAuthChains, this.dsaAuthChains, this.ecdsaAuthChains, this.hybridAuthChains};
        Vector[] keyStores = {this.rsaPrivateKeys, this.dsaPrivateKeys, this.ecdsaPrivateKeys, this.hybridPrivateKeys};

        for (int store = 0; store < chainStores.length; store++) {
            Vector chains = chainStores[store];
            for (int pos = 0; pos < chains.size(); pos++) {
                X509Certificate[] chain = (X509Certificate[]) chains.elementAt(pos);
                if (chain[0].equals(x509Certificate)) {
                    chains.removeElementAt(pos);
                    keyStores[store].removeElementAt(pos);
                    return;
                }
            }
        }
    }

    /**
     * Adds a certificate to the list of trust anchors.
     *
     * <p>Certificates that are not already {@code X509V3CertImpl} instances are re-parsed from
     * their encoding first. The only check made here is that a public key can be obtained; the
     * validity period, signature and CA status of the certificate are not examined, so the caller
     * is responsible for deciding that the certificate deserves to be trusted.
     *
     * @param x509Certificate the certificate to trust
     * @throws CertificateException if the certificate cannot be re-parsed or yields no public key
     */
    public void addTrustedCertificate(X509Certificate x509Certificate) throws CertificateException {
        X509Certificate anchor;
        if (x509Certificate instanceof X509V3CertImpl) {
            anchor = x509Certificate;
        } else {
            anchor = new X509V3CertImpl(x509Certificate.getEncoded());
        }
        if (anchor.getPublicKey() == null) {
            throw new CertificateException("Could not get public key for: " + anchor.getSubjectDN().toString());
        }
        this.trustedCertificates.addElement(anchor);
    }

    /**
     * Removes a certificate from the list of trust anchors.
     *
     * <p>Matching is done by {@code Vector.removeElement}, i.e. the first entry that
     * {@code equals} the argument is removed; a certificate that is not present is ignored.
     *
     * @param x509Certificate the trust anchor to remove
     */
    public void removeTrustedCertificate(X509Certificate x509Certificate) {
        trustedCertificates.removeElement(x509Certificate);
    }

    /**
     * Does nothing: this implementation installs no built-in trust anchors.
     */
    public void installDefaultTrustedCertificates() {
        // Intentionally empty.
    }

    /**
     * Removes the static ECDSA and RSA root certificates from this instance's trust anchors,
     * for whichever of the two is currently set.
     */
    public void disableDefaultTrustedCertificates() {
        X509V3CertImpl ecdsaRoot = mtEcdsaRootCert;
        if (ecdsaRoot != null) {
            removeTrustedCertificate(ecdsaRoot);
        }
        X509V3CertImpl rsaRoot = mtRsaRootCert;
        if (rsaRoot != null) {
            removeTrustedCertificate(rsaRoot);
        }
    }

    /**
     * Reports whether the given certificate is one of the configured trust anchors.
     *
     * <p>This is a plain membership test based on {@code equals}; no chain building or signature
     * verification takes place.
     *
     * @param x509Certificate the certificate to look up
     * @return {@code true} if an equal certificate is in the trust anchor list
     */
    public boolean isTrustedCertificate(X509Certificate x509Certificate) {
        boolean present = trustedCertificates.contains(x509Certificate);
        return present;
    }

    /**
     * Returns the identity chain at the given index for a key type.
     *
     * <p>{@code CryptoNames.ECDSA} is treated as {@code CryptoNames.EC}. The key type is matched
     * in this order: EC, "RSA", any name containing {@code SAML2Constants.DSA_KEY_TYPE}, then
     * {@code CryptoNames.HYBRID}.
     *
     * @param str the key type name; must not be {@code null}
     * @param i zero-based index into the store for that key type
     * @return the stored chain (the internal array, not a copy), or {@code null} when the key
     *     type is unknown or the index is out of range
     */
    public X509Certificate[] getAuthChain(String str, int i) {
        String keyType = str.equals(CryptoNames.ECDSA) ? CryptoNames.EC : str;
        try {
            Vector chains;
            if (keyType.equals(CryptoNames.EC)) {
                chains = this.ecdsaAuthChains;
            } else if (keyType.equals("RSA")) {
                chains = this.rsaAuthChains;
            } else if (keyType.indexOf(SAML2Constants.DSA_KEY_TYPE) >= 0) {
                chains = this.dsaAuthChains;
            } else if (keyType.equals(CryptoNames.HYBRID)) {
                chains = this.hybridAuthChains;
            } else {
                return null;
            }
            boolean inRange = i >= 0 && i < chains.size();
            if (!inRange) {
                return null;
            }
            return (X509Certificate[]) chains.elementAt(i);
        } catch (ArrayIndexOutOfBoundsException e) {
            // The store can shrink between the size check and the read; treat that as "not found".
            WeblogicHandler.debugEaten(e);
            return null;
        }
    }

    /**
     * Looks up the private key registered for the chain whose leaf certificate equals the given
     * certificate.
     *
     * <p>The stores are searched in the order RSA, DSA, ECDSA, hybrid and the first match wins.
     * The stored value is returned as is, so the result can be {@code null} either because no
     * chain matched or because the chain was registered without a usable key.
     *
     * @param x509Certificate the leaf certificate identifying the chain
     * @return the private key stored alongside the matching chain, or {@code null}
     */
    public PrivateKey getPrivateKey(X509Certificate x509Certificate) {
        // Parallel arrays: keyStores[n] is index-aligned with chainStores[n].
        Vector[] chainStores = {this.rsaAuthChains, this.dsaAuthChains, this.ecdsaAuthChains, this.hybridAuthChains};
        Vector[] keyStores = {this.rsaPrivateKeys, this.dsaPrivateKeys, this.ecdsaPrivateKeys, this.hybridPrivateKeys};

        for (int store = 0; store < chainStores.length; store++) {
            Vector chains = chainStores[store];
            for (int pos = 0; pos < chains.size(); pos++) {
                X509Certificate[] chain = (X509Certificate[]) chains.elementAt(pos);
                if (chain[0].equals(x509Certificate)) {
                    return (PrivateKey) keyStores[store].elementAt(pos);
                }
            }
        }
        return null;
    }

    /**
     * Loads an identity (certificate chain plus private key) from a stream and registers it.
     *
     * <p>The vector returned by {@code SSLPlusSupport.getLocalIdentity} is read as: certificates
     * first, private key as the last element. The key is accepted only if CheckIfKeyMatch
     * confirms it belongs to the first certificate's public key.
     *
     * <p>NOTE(review): a vector with fewer than two elements is not handled here and would fail
     * with a runtime exception rather than a KeyManagementException - confirm getLocalIdentity
     * never returns one.
     *
     * @param inputStream source of the identity data
     * @param cArr password passed through to {@code SSLPlusSupport.getLocalIdentity}
     * @throws KeyManagementException if the private key does not match the leaf certificate
     */
    public final void loadLocalIdentity(InputStream inputStream, char[] cArr) throws KeyManagementException {
        Vector identity = SSLPlusSupport.getLocalIdentity(inputStream, cArr);

        // Everything except the trailing private key is part of the chain.
        int chainLength = identity.size() - 1;
        X509Certificate[] chain = new X509Certificate[chainLength];
        int pos = 0;
        while (pos < chain.length) {
            chain[pos] = (X509Certificate) identity.elementAt(pos);
            pos++;
        }

        X509V3CertImpl leaf = (X509V3CertImpl) identity.elementAt(0);
        PublicKey leafPublicKey = leaf.getPublicKey();
        PrivateKey identityKey = (PrivateKey) identity.lastElement();

        boolean keysMatch = CheckIfKeyMatch(leafPublicKey, identityKey);
        if (!keysMatch) {
            throw new KeyManagementException(Resources.getMessage(WorkException.TX_RECREATE_FAILED));
        }
        addAuthChain(chain, identityKey);
    }

    /**
     * Checks that a private key belongs to a public key by running a round trip on a fixed test
     * message: RSA private-key operation followed by the public-key operation, or a DSA / ECDSA
     * sign-then-verify.
     *
     * @param publicKey the public key, typically taken from the leaf certificate
     * @param privateKey the private key to test against it
     * @return {@code true} if the round trip succeeds; {@code false} if the algorithms differ, the
     *     required algorithm is unavailable, or the round trip does not reproduce the message
     * @throws KeyManagementException if any exception is raised while checking, including the
     *     "unsupported algorithm" case below
     */
    public final boolean CheckIfKeyMatch(PublicKey publicKey, PrivateKey privateKey) throws KeyManagementException {
        // Fixed, non-secret test message (ASCII only, so the platform default charset is harmless).
        byte[] bytes = "Hello World".getBytes();
        byte[] bytes2 = ("CT" + System.currentTimeMillis()).getBytes();
        // NOTE(review): the seed is derived from the current time and is therefore predictable.
        // Whether a constructor seed supplements or replaces the generator's own seeding depends
        // on the SecureRandom implementation in use. This generator is only handed to cipher.init
        // for the raw RSA round trip below - confirm the cipher does not draw key-relevant
        // randomness from it; the signature paths use TLSSystem.getRandomNumberGenerator() instead.
        SecureRandom secureRandom = new SecureRandom(bytes2);
        try {
            String algorithm = publicKey.getAlgorithm();
            String algorithm2 = privateKey.getAlgorithm();
            if (algorithm.indexOf("RSA") >= 0) {
                if (!algorithm2.equalsIgnoreCase("RSA")) {
                    return false;
                }
                try {
                    Cipher cipher = Cipher.getInstance(CryptoNames.RSA_RAW);
                    // Pad the test message to the modulus length in bytes by hand, since the cipher is raw RSA.
                    byte[] addPKCS1Padding = addPKCS1Padding((((RSAPrivateKey) privateKey).getModulus().bitLength() + 7) / 8, bytes);
                    // Modes 1 and 2 are presumably this provider's encrypt/decrypt constants - TODO confirm.
                    cipher.init(1, privateKey, secureRandom);
                    byte[] doFinal = cipher.doFinal(addPKCS1Padding, 0, addPKCS1Padding.length);
                    cipher.init(2, publicKey, secureRandom);
                    byte[] removePKCS1Padding = removePKCS1Padding(cipher.doFinal(doFinal, 0, doFinal.length));
                    // The comparison is not constant-time; the compared value is the fixed public test message.
                    if (bytes.length != removePKCS1Padding.length) {
                        return false;
                    }
                    for (int i = 0; i < bytes.length; i++) {
                        if (bytes[i] != removePKCS1Padding[i]) {
                            return false;
                        }
                    }
                    return true;
                } catch (NoSuchAlgorithmException e) {
                    // A missing raw RSA cipher is reported as "keys do not match", not as an error.
                    return false;
                }
            }
            if (algorithm.indexOf(SAML2Constants.DSA_KEY_TYPE) < 0) {
                if (algorithm.indexOf(CryptoNames.EC) < 0) {
                    // This exception is raised inside the outer try, so the catch (Exception) at the
                    // bottom intercepts it and callers see the generic message instead of "153".
                    throw new KeyManagementException(Resources.getMessage("153"));
                }
                if (!algorithm2.startsWith(CryptoNames.EC) || !CipherSuiteSupport.isCryptoAlgAvail(CryptoNames.ECDSA)) {
                    return false;
                }
                // EC path: hash the time-stamped prefix plus the test message, then sign and verify the digest.
                MessageDigest messageDigest = MessageDigest.getInstance("SHA");
                messageDigest.update(bytes2);
                messageDigest.update(bytes);
                byte[] digest = messageDigest.digest();
                Signature signature = Signature.getInstance(CryptoNames.ECDSA);
                signature.initSign(privateKey, TLSSystem.getRandomNumberGenerator());
                signature.update(digest);
                byte[] sign = signature.sign();
                Signature signature2 = Signature.getInstance(CryptoNames.ECDSA);
                signature2.initVerify(publicKey);
                signature2.update(digest);
                return signature2.verify(sign);
            }
            if (algorithm2.indexOf(SAML2Constants.DSA_KEY_TYPE) < 0) {
                return false;
            }
            // DSA path: both keys must share the same domain parameters (g, p, q) before signing.
            // A key that is not a DSAPublicKey/DSAPrivateKey fails the cast and ends up in the catch below.
            BigInteger g = ((DSAPublicKey) publicKey).getParams().getG();
            BigInteger p = ((DSAPublicKey) publicKey).getParams().getP();
            BigInteger q = ((DSAPublicKey) publicKey).getParams().getQ();
            BigInteger g2 = ((DSAPrivateKey) privateKey).getParams().getG();
            BigInteger p2 = ((DSAPrivateKey) privateKey).getParams().getP();
            BigInteger q2 = ((DSAPrivateKey) privateKey).getParams().getQ();
            if (!g.equals(g2) || !p.equals(p2) || !q.equals(q2) || !CipherSuiteSupport.isCryptoAlgAvail(CryptoNames.DSA)) {
                return false;
            }
            Signature signature3 = Signature.getInstance(CryptoNames.DSA);
            signature3.initSign(privateKey, TLSSystem.getRandomNumberGenerator());
            signature3.update(bytes);
            byte[] sign2 = signature3.sign();
            Signature signature4 = Signature.getInstance(CryptoNames.DSA);
            signature4.initVerify(publicKey);
            signature4.update(bytes);
            return signature4.verify(sign2);
        } catch (Exception e2) {
            // NOTE(review): the stack trace goes straight to stderr instead of through
            // WeblogicHandler, and the original exception is not attached as the cause of the
            // KeyManagementException thrown below.
            e2.printStackTrace();
            throw new KeyManagementException(Resources.getMessage(WorkException.TX_RECREATE_FAILED));
        }
    }

    /**
     * Builds a PKCS#1 block-type-1 padded block: {@code 00 01 FF..FF 00 data}.
     *
     * <p>The payload must be shorter than {@code i - 3} bytes, which guarantees at least one
     * {@code FF} padding byte. That is a looser bound than the eight padding bytes PKCS#1 v1.5
     * requires, so this helper is suited to the internal key-match round trip rather than to
     * producing interoperable signatures.
     *
     * @param i total length of the padded block in bytes
     * @param bArr the payload to embed at the end of the block
     * @return the padded block, or an empty array if the payload does not fit
     */
    public byte[] addPKCS1Padding(int i, byte[] bArr) {
        if (bArr.length >= i - 3) {
            return new byte[0];
        }
        byte[] block = new byte[i];
        block[0] = 0;
        block[1] = 1;
        // Index of the zero byte that separates the FF padding from the payload.
        int separator = i - bArr.length - 1;
        for (int pos = 2; pos < separator; pos++) {
            block[pos] = (byte) 0xFF;
        }
        block[separator] = 0;
        System.arraycopy(bArr, 0, block, separator + 1, bArr.length);
        return block;
    }

    /**
     * Strips PKCS#1 padding from a block and returns the payload.
     *
     * <p>The block must be at least four bytes long, start with {@code 00}, carry block type 1 or
     * 2 in the second byte and contain a zero separator somewhere after it. The padding bytes
     * themselves are not inspected (block type 1 is not checked for {@code FF} bytes, and no
     * minimum padding length is enforced), so this is a lenient parser for the internal key-match
     * round trip, not a validating one.
     *
     * @param bArr the padded block
     * @return the bytes after the separator, or an empty array if the block is malformed
     */
    public byte[] removePKCS1Padding(byte[] bArr) {
        byte[] malformed = new byte[0];
        if (bArr.length < 4 || bArr[0] != 0) {
            return malformed;
        }
        byte blockType = bArr[1];
        if (blockType != 1 && blockType != 2) {
            return malformed;
        }
        // Scan for the zero byte that ends the padding.
        int separator = 2;
        for (; separator < bArr.length; separator++) {
            if (bArr[separator] == 0) {
                break;
            }
        }
        if (separator == bArr.length) {
            return malformed;
        }
        int payloadStart = separator + 1;
        byte[] payload = new byte[bArr.length - payloadStart];
        System.arraycopy(bArr, payloadStart, payload, 0, payload.length);
        return payload;
    }

    /**
     * Loads trust anchors from a stream and adds each one through addTrustedCertificate.
     *
     * <p>Certificates that fail to load are skipped and only reported through
     * {@code WeblogicHandler.debugEaten}. As long as at least one certificate was added the call
     * succeeds, so a partially loaded trust store is not signalled to the caller.
     *
     * @param inputStream source of the certificates
     * @throws KeyManagementException if no certificate at all could be added; the message is that
     *     of the last failure, or "No certs loaded" when there was none
     */
    public final void loadTrustedCertificates(InputStream inputStream) throws KeyManagementException {
        String failureMessage = "No certs loaded";
        int loaded = 0;
        for (X509Certificate candidate : SSLPlusSupport.getTrustedCertificates(inputStream)) {
            try {
                addTrustedCertificate(candidate);
                loaded += 1;
            } catch (CertificateException e) {
                WeblogicHandler.debugEaten(e);
                failureMessage = e.getMessage();
            }
        }
        if (loaded != 0) {
            return;
        }
        throw new KeyManagementException(failureMessage);
    }

    /**
     * Returns the current trust anchors as a newly allocated array.
     *
     * <p>The array is a copy, so changing it does not alter the trust list; the certificate
     * objects in it are the stored instances.
     *
     * @return the trust anchors in insertion order; empty if none are configured
     */
    public X509Certificate[] getTrustedCertificates() {
        int anchorCount = this.trustedCertificates.size();
        X509Certificate[] snapshot = new X509Certificate[anchorCount];
        this.trustedCertificates.copyInto(snapshot);
        return snapshot;
    }

    /**
     * Validates a certificate chain presented by a client.
     *
     * <p>Delegates to validateCertificateChain with the client flag set.
     *
     * @param x509CertificateArr holder whose element 0 is the peer chain; validation may replace it
     * @param str cipher suite name
     * @param protocolVersion negotiated protocol version
     * @param obj callback reference for the trust manager, or {@code null} to use the default
     * @param sSLSocket the connection being validated
     * @return the outcome of the chain validation
     */
    public boolean isClientTrusted(X509Certificate[][] x509CertificateArr, String str, ProtocolVersion protocolVersion, Object obj, SSLSocket sSLSocket) {
        final boolean peerIsClient = true;
        return validateCertificateChain(peerIsClient, x509CertificateArr, str, protocolVersion, obj, sSLSocket);
    }

    /**
     * Validates a certificate chain presented by a server.
     *
     * <p>Delegates to validateCertificateChain with the client flag cleared. Hostname checking is
     * not part of this call; see isServerHostnameValid.
     *
     * @param x509CertificateArr holder whose element 0 is the peer chain; validation may replace it
     * @param str cipher suite name
     * @param protocolVersion negotiated protocol version
     * @param obj callback reference for the trust manager, or {@code null} to use the default
     * @param sSLSocket the connection being validated
     * @return the outcome of the chain validation
     */
    public boolean isServerTrusted(X509Certificate[][] x509CertificateArr, String str, ProtocolVersion protocolVersion, Object obj, SSLSocket sSLSocket) {
        final boolean peerIsClient = false;
        return validateCertificateChain(peerIsClient, x509CertificateArr, str, protocolVersion, obj, sSLSocket);
    }

    /**
     * Asks the configured hostname verifier whether the peer of the socket is acceptable.
     *
     * <p>This check fails open: when no verifier has been installed with setWLSVerifier, every
     * peer is reported as valid and no hostname comparison happens at all.
     *
     * <p>NOTE(review): the name handed to the verifier comes from
     * {@code sSLSocket.getInetAddress().getHostName()}, which can be the result of a reverse
     * lookup when the address was not created from a host name - confirm the verifier is not
     * comparing the certificate against a DNS-derived name instead of the name the caller
     * intended to reach.
     *
     * @param sSLSocket the connected socket
     * @return the verifier's verdict, or {@code true} when no verifier is configured
     */
    public boolean isServerHostnameValid(SSLSocket sSLSocket) {
        if (this.wlsVerifier == null) {
            return true;
        }
        String peerHostName = sSLSocket.getInetAddress().getHostName();
        return this.wlsVerifier.hostnameValidationCallback(peerHostName, sSLSocket);
    }

    private boolean validateCertificateChain(boolean z, X509Certificate[][] x509CertificateArr, String str, ProtocolVersion protocolVersion, Object obj, SSLSocket sSLSocket) {
        X509Certificate[] x509CertificateArr2;
        boolean[] keyUsage;
        X509Certificate[] x509CertificateArr3 = x509CertificateArr[0];
        int i = 0;
        if (x509CertificateArr3 == null || x509CertificateArr3.length == 0) {
            x509CertificateArr2 = x509CertificateArr3;
        } else {
            try {
                x509CertificateArr2 = completeCertChain(x509CertificateArr3);
            } catch (CertificateException e) {
                if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_WARN)) {
                    WeblogicHandler.debug(WeblogicHandler.DEBUG_WARN, "Cannot complete the certificate chain: " + e.getMessage(), (Exception) null);
                }
                TrustManager trustManager = this.trustManager;
                i = 0 | 16;
                x509CertificateArr2 = x509CertificateArr3;
            }
        }
        x509CertificateArr[0] = x509CertificateArr2;
        if (x509CertificateArr2 == null) {
            if (i == 0) {
                TrustManager trustManager2 = this.trustManager;
                i |= 1;
            }
            if (this.wlsTruster != null) {
                i = this.wlsTruster.validationCallback(x509CertificateArr2, i, sSLSocket, getTrustedCertificates());
                if (i != 0) {
                    SSLTruster sSLTruster = this.wlsTruster;
                    if ((i & 64) != 0) {
                        if (!WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_WARN)) {
                            return false;
                        }
                        WeblogicHandler.debug(WeblogicHandler.DEBUG_WARN, "Trust failure (" + i + "): " + WeblogicHandler.getErrorName(i), (Exception) null);
                        return false;
                    }
                }
                if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_INFO)) {
                    WeblogicHandler.debug(WeblogicHandler.DEBUG_INFO, "Trust status (" + i + "): " + WeblogicHandler.getErrorName(i), (Exception) null);
                }
            }
            return this.trustManager.certificateCallback(x509CertificateArr2, i, obj != null ? obj : this.certificateCallbackRef);
        }
        for (int i2 = 0; i2 < x509CertificateArr2.length; i2++) {
            X509Certificate x509Certificate = x509CertificateArr2[i2];
            if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_INFO)) {
                WeblogicHandler.debug(WeblogicHandler.DEBUG_INFO, "Validating certificate " + i2 + " in the chain: " + x509Certificate, (Exception) null);
            }
            Principal issuerDN = x509Certificate.getIssuerDN();
            if (i2 + 1 != x509CertificateArr2.length) {
                Principal subjectDN = x509CertificateArr2[i2 + 1].getSubjectDN();
                if (!subjectDN.equals(issuerDN)) {
                    TrustManager trustManager3 = this.trustManager;
                    i |= 1;
                    if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_WARN)) {
                        WeblogicHandler.debug(WeblogicHandler.DEBUG_WARN, "Certificate chain is invalid because the issuer DN does not match the next certificate subject: " + subjectDN, (Exception) null);
                    }
                }
            }
            TrustManager trustManager4 = this.trustManager;
            if ((i & 8) == 0) {
                TrustManager trustManager5 = this.trustManager;
                if ((i & 16) == 0 && i2 + 1 != x509CertificateArr2.length) {
                    try {
                        PublicKey publicKey = x509CertificateArr2[i2 + 1].getPublicKey();
                        if (publicKey instanceof RSAPublicKey) {
                            BigInteger publicExponent = ((RSAPublicKey) publicKey).getPublicExponent();
                            if (!WeblogicHandler.isValidRSAPublicExponent(publicExponent)) {
                                TrustManager trustManager6 = this.trustManager;
                                i |= 8;
                                if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_WARN)) {
                                    WeblogicHandler.debug(WeblogicHandler.DEBUG_WARN, "Signature verification failed because RSA key public exponent [" + publicExponent + "] is too small", (Exception) null);
                                }
                            }
                        }
                        x509Certificate.verify(publicKey);
                    } catch (Exception e2) {
                        WeblogicHandler.debugEaten(e2);
                        TrustManager trustManager7 = this.trustManager;
                        i |= 8;
                        if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_WARN)) {
                            WeblogicHandler.debug(WeblogicHandler.DEBUG_WARN, "Signature verification failed", (Exception) null);
                        }
                    }
                }
            }
            TrustManager trustManager8 = this.trustManager;
            if ((i & 2) == 0) {
                try {
                    x509Certificate.checkValidity();
                } catch (Exception e3) {
                    WeblogicHandler.debugEaten(e3);
                    TrustManager trustManager9 = this.trustManager;
                    i |= 2;
                    if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_WARN)) {
                        WeblogicHandler.debug(WeblogicHandler.DEBUG_WARN, "Certificate is invalid: " + e3.getMessage(), (Exception) null);
                    }
                }
            }
            boolean z2 = false;
            Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
            if (criticalExtensionOIDs != null) {
                Iterator<String> it = criticalExtensionOIDs.iterator();
                while (it.hasNext()) {
                    String obj2 = it.next().toString();
                    if (obj2.equals("2.5.29.19")) {
                        int basicConstraints = x509Certificate.getBasicConstraints();
                        if (basicConstraints != -1 && basicConstraints != Integer.MAX_VALUE && basicConstraints + 1 < i2) {
                            SSLSetup.logCertificateChainPathLenExceededConstraintsFailure(sSLSocket);
                            if (!WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_INFO)) {
                                return false;
                            }
                            WeblogicHandler.debug(WeblogicHandler.DEBUG_INFO, "Failed x509 basic constraints check", (Exception) null);
                            return false;
                        }
                        if (basicConstraints == -1 && i2 > 0) {
                            SSLSetup.logCertificateChainNotACaConstraintsFailure(sSLSocket);
                            if (!WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_INFO)) {
                                return false;
                            }
                            WeblogicHandler.debug(WeblogicHandler.DEBUG_INFO, "Failed x509 basic constraints check - is not CA", (Exception) null);
                            return false;
                        }
                        z2 = true;
                    } else if (obj2.equals("2.5.29.15")) {
                        boolean[] keyUsage2 = x509Certificate.getKeyUsage();
                        if (keyUsage2 == null) {
                            continue;
                        } else if (i2 == 0) {
                            try {
                                int keyAgreementAlgorithm = CipherSuiteSupport.getCipherSuite(str).getKeyAgreementAlgorithm();
                                if (!z) {
                                    if (!keyUsage2[4] && keyAgreementAlgorithm == 5) {
                                        SSLSetup.logCertificateChainAlgKeyUsageFailure(sSLSocket);
                                        return false;
                                    }
                                    if (!keyUsage2[4] && keyAgreementAlgorithm == 12) {
                                        SSLSetup.logCertificateChainAlgKeyUsageFailure(sSLSocket);
                                        return false;
                                    }
                                    if (!keyUsage2[2] && keyAgreementAlgorithm == 6 && protocolVersion.equals(ProtocolVersions.TLS10)) {
                                        SSLSetup.logCertificateChainAlgKeyUsageFailure(sSLSocket);
                                        return false;
                                    }
                                    if (keyAgreementAlgorithm == 7) {
                                        int bitLength = ((RSAPublicKey) x509Certificate.getPublicKey()).getModulus().bitLength();
                                        if (bitLength <= 512 && !keyUsage2[2]) {
                                            SSLSetup.logCertificateChainAlgKeyUsageFailure(sSLSocket);
                                            return false;
                                        }
                                        if (bitLength > 512 && !keyUsage2[0]) {
                                            SSLSetup.logCertificateChainAlgKeyUsageFailure(sSLSocket);
                                            return false;
                                        }
                                    } else if (keyAgreementAlgorithm == 8) {
                                        int bitLength2 = ((RSAPublicKey) x509Certificate.getPublicKey()).getModulus().bitLength();
                                        if (bitLength2 <= 1024 && !keyUsage2[2]) {
                                            SSLSetup.logCertificateChainAlgKeyUsageFailure(sSLSocket);
                                            return false;
                                        }
                                        if (bitLength2 > 1024 && !keyUsage2[0]) {
                                            SSLSetup.logCertificateChainAlgKeyUsageFailure(sSLSocket);
                                            return false;
                                        }
                                    } else if (!keyUsage2[0] && (keyAgreementAlgorithm == 2 || keyAgreementAlgorithm == 3 || keyAgreementAlgorithm == 4)) {
                                        SSLSetup.logCertificateChainAlgKeyUsageFailure(sSLSocket);
                                        return false;
                                    }
                                } else if (protocolVersion.equals(ProtocolVersions.TLS10) && !keyUsage2[0] && keyAgreementAlgorithm != 5 && keyAgreementAlgorithm != 12) {
                                    SSLSetup.logCertificateChainAlgKeyUsageFailure(sSLSocket);
                                    return false;
                                }
                            } catch (NoSuchAlgorithmException e4) {
                                SSLSetup.logCertificateChainCheckKeyUsageFailure(sSLSocket);
                                WeblogicHandler.debugEaten(e4);
                                return false;
                            }
                        } else if (!keyUsage2[5]) {
                            SSLSetup.logCertificateChainCertSignKeyUsageFailure(sSLSocket);
                            return false;
                        }
                    } else if (obj2.equals("2.5.29.37") && i2 == 0) {
                        try {
                            List extendedKeyUsage = x509Certificate instanceof X509V3CertImpl ? ((X509V3CertImpl) x509Certificate).getExtendedKeyUsage() : null;
                            if (extendedKeyUsage != null) {
                                boolean z3 = false;
                                Iterator it2 = extendedKeyUsage.iterator();
                                while (!z3 && it2.hasNext()) {
                                    String str2 = (String) it2.next();
                                    if ((z && str2.equals(OID.ID_KP_CLIENT_AUTH)) || (!z && str2.equals(OID.ID_KP_SERVER_AUTH))) {
                                        z3 = true;
                                    }
                                }
                                if (z3 && (keyUsage = x509Certificate.getKeyUsage()) != null) {
                                    z3 = keyUsage[0] || keyUsage[4] || (!z && keyUsage[2]);
                                }
                                if (!z3) {
                                    if (!WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_WARN)) {
                                        return false;
                                    }
                                    WeblogicHandler.debug(WeblogicHandler.DEBUG_WARN, "ExtendedKeyUsage failed the validation check", (Exception) null);
                                    return false;
                                }
                            } else {
                                continue;
                            }
                        } catch (CertificateParsingException e5) {
                            if (!WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_WARN)) {
                                return false;
                            }
                            WeblogicHandler.debug(WeblogicHandler.DEBUG_WARN, "Caught exception while retrieving extended key usage", e5);
                            return false;
                        }
                    } else if (obj2.equals("2.5.29.17")) {
                        continue;
                    } else {
                        if (!obj2.equals("2.5.29.32")) {
                            SSLSetup.logCertificateChainUnrecognizedExtensionFailure(sSLSocket, obj2);
                            return false;
                        }
                        boolean processCertificatePolicies = processCertificatePolicies(x509Certificate, sSLSocket);
                        if (!processCertificatePolicies) {
                            return processCertificatePolicies;
                        }
                    }
                }
            }
            if (!TLSSystem.getX509BasicConstraintBug()) {
                if (i2 > 0 && TLSSystem.getX509NoV1CAs() && x509Certificate.getVersion() == 0) {
                    SSLSetup.logCertificateChainNoV1CAFailure(sSLSocket);
                    if (!WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_INFO)) {
                        return false;
                    }
                    WeblogicHandler.debug(WeblogicHandler.DEBUG_INFO, "Failed x509 No V1 CAs check", (Exception) null);
                    return false;
                }
                if (i2 > 0 && x509Certificate.getVersion() == 2 && !z2 && (TLSSystem.getX509StrictConstraints() || !isPathLengthValid(x509Certificate, i2))) {
                    if (TLSSystem.getX509StrictConstraints()) {
                        SSLSetup.logCertificateChainConstraintsStrictNonCriticalFailure(sSLSocket);
                    } else if (x509Certificate.getExtensionValue("2.5.29.19") == null) {
                        SSLSetup.logCertificateChainMissingConstraintsFailure(sSLSocket);
                    } else if (x509Certificate.getBasicConstraints() < 0) {
                        SSLSetup.logCertificateChainNotACaConstraintsFailure(sSLSocket);
                    } else {
                        SSLSetup.logCertificateChainPathLenExceededConstraintsFailure(sSLSocket);
                    }
                    if (!WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_INFO)) {
                        return false;
                    }
                    WeblogicHandler.debug(WeblogicHandler.DEBUG_INFO, "Failed x509 strict constraints check", (Exception) null);
                    return false;
                }
            }
        }
        if (this.wlsTruster != null) {
            i = this.wlsTruster.validationCallback(x509CertificateArr2, i, sSLSocket, getTrustedCertificates());
            if (i != 0) {
                SSLTruster sSLTruster2 = this.wlsTruster;
                if ((i & 64) != 0) {
                    if (!WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_WARN)) {
                        return false;
                    }
                    WeblogicHandler.debug(WeblogicHandler.DEBUG_WARN, "Trust failure (" + i + "): " + WeblogicHandler.getErrorName(i), (Exception) null);
                    return false;
                }
            }
            if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_INFO)) {
                WeblogicHandler.debug(WeblogicHandler.DEBUG_INFO, "Trust status (" + i + "): " + WeblogicHandler.getErrorName(i), (Exception) null);
            }
        }
        return this.trustManager.certificateCallback(x509CertificateArr2, i, obj != null ? obj : this.certificateCallbackRef);
    }

    /**
     * Checks the basic-constraints value of a certificate against its depth in the chain.
     *
     * <p>{@link X509Certificate#getBasicConstraints()} yields {@code -1} for a certificate that is
     * not a CA, {@code Integer.MAX_VALUE} for a CA without a path-length limit, and the limit
     * itself otherwise. A CA with a limit fails when {@code limit + 1 < i}; a non-CA certificate
     * fails whenever {@code i > 0}. Each failure is reported at DEBUG_INFO when that level is
     * enabled.
     *
     * @param x509Certificate certificate whose basic constraints are read
     * @param i depth to test against; presumably the certificate's index in the chain, with 0
     *          being the end entity (confirm against the caller)
     * @return {@code true} when neither failure condition applies
     */
    private boolean isPathLengthValid(X509Certificate x509Certificate, int i) {
        final int pathLen = x509Certificate.getBasicConstraints();
        final boolean markedAsCa = pathLen != -1;

        // Integer.MAX_VALUE is ruled out before the addition, so pathLen + 1 cannot wrap around.
        if (markedAsCa && pathLen != Integer.MAX_VALUE && pathLen + 1 < i) {
            if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_INFO)) {
                WeblogicHandler.debug(WeblogicHandler.DEBUG_INFO, "Failed x509 basic constraints check, pathLen exceeded", (Exception) null);
            }
            return false;
        }

        // A CA within its limit passes; so does any certificate tested at depth 0 or below.
        if (markedAsCa || i <= 0) {
            return true;
        }

        // Remaining case: a certificate without the CA flag sits above depth 0.
        if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_INFO)) {
            WeblogicHandler.debug(WeblogicHandler.DEBUG_INFO, "Failed x509 basic constraints check - is not CA", (Exception) null);
        }
        return false;
    }

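    /**
     * Checks the key-usage bits of the first certificate in the chain.
     *
     * <p>The check only applies when the KeyUsage extension (OID 2.5.29.15) is listed among the
     * certificate's critical extensions, the key-usage bits can be read, and
     * {@code protocolVersion} equals {@code ProtocolVersions.TLS10}. In every other case the
     * method returns {@code true}.
     *
     * <p>Bit indices follow {@link X509Certificate#getKeyUsage()}: 0 is digitalSignature and
     * 4 is keyAgreement.
     *
     * @param z selects the required bit: {@code true} requires keyAgreement (bit 4),
     *          {@code false} requires digitalSignature (bit 0)
     * @param x509CertificateArr certificate chain; only element 0 is examined, so the array must
     *          not be empty
     * @param protocolVersion negotiated protocol version
     * @return {@code false} only when the required key-usage bit is missing under the conditions
     *         above
     */
    public boolean validateECDSA_fixed_ECDH(boolean z, X509Certificate[] x509CertificateArr, ProtocolVersion protocolVersion) {
        X509Certificate leaf = x509CertificateArr[0];
        Set<String> criticalExtensionOIDs = leaf.getCriticalExtensionOIDs();
        if (criticalExtensionOIDs == null) {
            return true;
        }
        for (String oid : criticalExtensionOIDs) {
            if (!"2.5.29.15".equals(oid)) {
                continue;
            }
            // NOTE(review): a KeyUsage extension that is present but not marked critical never
            // reaches this point, so its bits are not enforced here - confirm that is intended.
            boolean[] keyUsage = leaf.getKeyUsage();
            if (keyUsage == null) {
                // NOTE(review): critical KeyUsage whose bits cannot be read is accepted.
                return true;
            }
            // NOTE(review): versions other than TLS10 skip the bit check entirely - confirm
            // whether another code path covers them.
            if (!protocolVersion.equals(ProtocolVersions.TLS10)) {
                return true;
            }
            return z ? keyUsage[4] : keyUsage[0];
        }
        return true;
    }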

    /**
     * Anchors a certificate chain to the trust store.
     *
     * <p>If the first certificate equals a trust-store entry with the same subject DN, the chain is
     * returned unchanged. Otherwise the chain is walked from index 0; at the first position whose
     * issuer DN matches a trust-store entry that is accepted as issuer, a new array is returned
     * holding the chain up to and including that position followed by the trust-store
     * certificate. Certificates after that position are dropped.
     *
     * @param x509CertificateArr chain to complete; element 0 is read unconditionally, so the array
     *          must not be empty
     * @return the original array, or a new array ending in a trust-store certificate
     * @throws CertificateException if no position in the chain yields a trust-store issuer
     */
    private X509Certificate[] completeCertChain(X509Certificate[] x509CertificateArr) throws CertificateException {
        X509Certificate first = x509CertificateArr[0];
        X509Certificate[] sameSubject = findInTrusted(first.getSubjectDN());
        if (sameSubject != null) {
            // Results are packed at the front of the array; the first null ends the matches.
            for (int k = 0; k < sameSubject.length && sameSubject[k] != null; k++) {
                if (sameSubject[k].equals(first)) {
                    return x509CertificateArr;
                }
            }
        }

        for (int pos = 0; pos < x509CertificateArr.length; pos++) {
            X509Certificate[] issuers = findInTrusted(x509CertificateArr[pos].getIssuerDN());
            if (issuers == null) {
                continue;
            }

            X509Certificate anchor = null;
            boolean severalCandidates = issuers.length > 1 && issuers[1] != null;
            if (severalCandidates) {
                // Pick the first candidate whose public key verifies the signature.
                for (int k = 0; anchor == null && k < issuers.length && issuers[k] != null; k++) {
                    try {
                        x509CertificateArr[pos].verify(issuers[k].getPublicKey());
                        anchor = issuers[k];
                    } catch (Exception ignored) {
                        // Verification failure just means "try the next candidate".
                        // NOTE(review): nothing is logged here, so a failed match leaves no trace.
                    }
                }
            } else {
                // NOTE(review): a single DN match is taken without a signature check in this
                // method - confirm that the validation run on the returned chain verifies it.
                anchor = issuers[0];
            }

            if (anchor == null) {
                continue;
            }
            X509Certificate[] completed = new X509Certificate[pos + 2];
            System.arraycopy(x509CertificateArr, 0, completed, 0, pos + 1);
            completed[pos + 1] = anchor;
            return completed;
        }
        throw new CertificateException("No trusted cert found");
    }

    /**
     * Returns a new array holding the given chain followed by one more certificate.
     *
     * @param x509CertificateArr existing chain; not modified
     * @param x509Certificate certificate placed in the last slot of the result
     * @return a new array one element longer than {@code x509CertificateArr}
     */
    private X509Certificate[] appendToCertChain(X509Certificate[] x509CertificateArr, X509Certificate x509Certificate) {
        final int originalLength = x509CertificateArr.length;
        X509Certificate[] extended = new X509Certificate[originalLength + 1];
        System.arraycopy(x509CertificateArr, 0, extended, 0, originalLength);
        extended[originalLength] = x509Certificate;
        return extended;
    }

    /**
     * Replaces, in place, every certificate after index 0 that fails {@code checkValidity()}.
     *
     * <p>Index 0 is never examined. A certificate that is expired or not yet valid is logged via
     * {@code WeblogicHandler.debugEaten} and overwritten with the result of
     * {@link #replaceWithTrusted(X509Certificate)}.
     *
     * @param x509CertificateArr chain to patch; the array passed in is modified
     * @return the same array instance
     */
    private X509Certificate[] replaceCaExpiredCerts(X509Certificate[] x509CertificateArr) {
        for (int idx = 1; idx < x509CertificateArr.length; idx++) {
            X509Certificate current = x509CertificateArr[idx];
            boolean withinValidity;
            try {
                current.checkValidity();
                withinValidity = true;
            } catch (CertificateExpiredException expired) {
                WeblogicHandler.debugEaten(expired);
                withinValidity = false;
            } catch (CertificateNotYetValidException premature) {
                WeblogicHandler.debugEaten(premature);
                withinValidity = false;
            }
            if (!withinValidity) {
                // NOTE(review): nothing here re-checks that the substitute is itself within its
                // validity period or carries the same public key - confirm the chain validation
                // that follows covers both.
                x509CertificateArr[idx] = replaceWithTrusted(current);
            }
        }
        return x509CertificateArr;
    }

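    /**
     * Looks up a trust-store certificate with the same subject DN as the given certificate.
     *
     * <p>The match is by subject DN only; this method does not compare public keys or check the
     * validity period of the certificate it returns.
     *
     * @param x509Certificate certificate to find a substitute for
     * @return the first entry returned by {@code findInTrusted} for the subject DN, or the
     *         certificate passed in when there is no match
     */
    private X509Certificate replaceWithTrusted(X509Certificate x509Certificate) {
        // The scratch array the original allocated here was never read, so it is gone.
        X509Certificate[] sameSubject = findInTrusted(x509Certificate.getSubjectDN());
        return sameSubject != null ? sameSubject[0] : x509Certificate;
    }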

    /**
     * Finds trust-store certificates whose subject DN equals the given principal.
     *
     * <p>Calls {@code findInTrusted_Validity} with the validity flag set and, if that returns
     * {@code null}, again with the flag cleared.
     *
     * @param principal subject DN to look for
     * @return the array produced by {@code findInTrusted_Validity}, or {@code null} when neither
     *         call finds a match
     */
    private X509Certificate[] findInTrusted(Principal principal) {
        X509Certificate[] matches = findInTrusted_Validity(principal, true);
        return matches != null ? matches : findInTrusted_Validity(principal, false);
    }

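    /**
     * Collects the trust-store certificates whose subject DN equals the given principal.
     *
     * <p>When {@code z} is {@code true}, a matching certificate that is expired or not yet valid
     * is logged via {@code WeblogicHandler.debugEaten} and left out of the result.
     *
     * @param principal subject DN to look for
     * @param z whether to skip matches that fail {@code checkValidity()}
     * @return an array as long as the trust store, with the matches packed at the front and
     *         {@code null} in the remaining slots, or {@code null} when nothing matched
     */
    private X509Certificate[] findInTrusted_Validity(Principal principal, boolean z) {
        X509Certificate[] matches = new X509Certificate[this.trustedCertificates.size()];
        int count = 0;
        Enumeration elements = this.trustedCertificates.elements();
        while (elements.hasMoreElements()) {
            X509Certificate candidate = (X509Certificate) elements.nextElement();
            if (!principal.equals(candidate.getSubjectDN())) {
                continue;
            }
            if (z) {
                // Skip on failure. Previously the exception was logged and the certificate was
                // added anyway, so the flag had no effect and findInTrusted's second lookup
                // could never return anything the first had not.
                try {
                    candidate.checkValidity();
                } catch (CertificateExpiredException e) {
                    WeblogicHandler.debugEaten(e);
                    continue;
                } catch (CertificateNotYetValidException e) {
                    WeblogicHandler.debugEaten(e);
                    continue;
                }
            }
            matches[count] = candidate;
            count++;
        }
        return count != 0 ? matches : null;
    }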

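    /**
     * Evaluates the certificate-policies extension of a certificate.
     *
     * <p>Returns {@code false} when the certificate yields no policies. Returns {@code true} as
     * soon as a policy with the anyPolicy OID is reached. Otherwise the result is {@code true}
     * only if every policy id passes {@code WeblogicHandler.isPolicyAllowed} and every policy
     * qualifier id equals {@code OID.ID_QT_CPS} ignoring case. Each rejected id is logged through
     * {@code SSLSetup}, and the loop keeps going so that all rejections are reported.
     *
     * @param x509Certificate certificate whose policies are read
     * @param sSLSocket socket handed to the {@code SSLSetup} log calls
     * @return whether the policies were accepted
     * @throws RuntimeException if the extension cannot be parsed; the parsing exception is
     *         attached as the cause
     */
    public static boolean processCertificatePolicies(X509Certificate x509Certificate, SSLSocket sSLSocket) {
        boolean allAccepted = true;
        try {
            CertificatePolicy[] policies = CertificatePoliciesImpl.getPolicies(x509Certificate);
            if (policies == null || policies.length == 0) {
                return false;
            }
            for (CertificatePolicy certificatePolicy : policies) {
                String id = certificatePolicy.getID();
                // NOTE(review): anyPolicy returns true even when an earlier policy in the same
                // certificate was rejected and logged - confirm this bypass of the allowed list
                // is intended.
                if (OID.ID_CE_CERTIFICATE_POLICIES_ANYPOLICY.equals(id)) {
                    return true;
                }
                if (!WeblogicHandler.isPolicyAllowed(id)) {
                    SSLSetup.logCertificatePolicyIdDoesntExistIntheList(sSLSocket, id);
                    allAccepted = false;
                }
                for (CertificatePolicyQualifier certificatePolicyQualifier : certificatePolicy.getPolicyQualifiers()) {
                    if (!OID.ID_QT_CPS.equalsIgnoreCase(certificatePolicyQualifier.getID())) {
                        SSLSetup.logPolicyQualifierIdNotCPS(sSLSocket, certificatePolicyQualifier.getID());
                        allAccepted = false;
                    }
                }
            }
            return allAccepted;
        } catch (CertificateParsingException e) {
            if (WeblogicHandler.isDebugEnabled(WeblogicHandler.DEBUG_ERROR)) {
                WeblogicHandler.debug(WeblogicHandler.DEBUG_ERROR, "Cannot Get Extension out of the Certificate ", e);
            }
            // Keep the parsing exception as the cause so the failure can be traced even when
            // debug logging is off.
            throw new RuntimeException("Cannot get the Extension from certificate", e);
        }
    }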
}
