package com.certicom.tls.interfaceimpl;

import com.certicom.locale.Resources;
import com.certicom.net.ssl.TrustManager;
import com.certicom.net.ssl.impl.TrustManagerImpl;
import com.certicom.security.asn1.OID;
import com.certicom.security.cert.internal.x509.PrincipalImpl;
import com.certicom.security.cert.internal.x509.SSLPlusSupport;
import com.certicom.security.cert.internal.x509.X509V3CertImpl;
import com.certicom.tls.ciphersuite.CipherSuiteSupport;
import com.certicom.tls.ciphersuite.CryptoNames;
import com.certicom.tls.provider.Cipher;
import com.certicom.tls.provider.KeyFactory;
import com.certicom.tls.provider.KeyPairGenerator;
import com.certicom.tls.provider.MessageDigest;
import com.certicom.tls.provider.Signature;
import com.certicom.tls.provider.spec.RSAParameters;
import java.io.InputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Set;
import java.util.Vector;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.impl.SSLSocketImpl;
import weblogic.security.utils.SSLCertUtility;
import weblogic.security.utils.SSLHostnameVerifier;
import weblogic.security.utils.SSLSetup;
import weblogic.security.utils.SSLTruster;

/* loaded from: input_file:weblogic.jar:com/certicom/tls/interfaceimpl/CertificateSupport.class */
public final class CertificateSupport implements Serializable {
    // NOTE(review): the enclosing class is declared Serializable and none of the fields below is
    // transient, so default serialization would walk the private-key vectors and the ephemeral
    // key pairs. Confirm that no instance is ever written to a stream that leaves the process.

    // Cached ephemeral RSA pairs. addRSAExportKey() files a pair by modulus size:
    // at most 512 bits goes to rsaEphemeral512, 513 to 1024 bits goes to rsaEphemeral1024.
    private KeyPair rsaEphemeral512;
    private KeyPair rsaEphemeral1024;
    // Monitor object used by installDefaultTrustedCertificates() while it builds the static roots.
    private static Boolean certInitSync = new Boolean(true);
    // Built-in root certificates, parsed once from DER bytes embedded in installDefaultTrustedCertificates().
    private static X509V3CertImpl mtEcdsaRootCert = null;
    private static X509V3CertImpl mtRsaRootCert = null;
    // Trust anchors consulted by isTrustedCertificate().
    private Vector trustedCertificates = new Vector();
    // Receives the final certificateCallback(); replaceable through setTrustManager().
    private TrustManager trustManager = new TrustManagerImpl();
    // Fallback reference handed to the trust manager callback when the caller passes none.
    private Object certificateCallbackRef = null;
    // Local identity chains, one vector per key family. Each *AuthChains vector is index-aligned
    // with the matching *PrivateKeys vector: entry i of one belongs to entry i of the other.
    private Vector rsaAuthChains = new Vector();
    private Vector dsaAuthChains = new Vector();
    private Vector ecdsaAuthChains = new Vector();
    private Vector hybridAuthChains = new Vector();
    private Vector rsaPrivateKeys = new Vector();
    private Vector dsaPrivateKeys = new Vector();
    private Vector ecdsaPrivateKeys = new Vector();
    private Vector hybridPrivateKeys = new Vector();
    // Stored by setExportKeyRefreshCountLimit().
    private TLSSystem system = null;
    // Export-key refresh bookkeeping; a negative limit disables the refresh (see incrementExportKeyRefreshCount()).
    private int exportKeyRefreshCountLimit = -1;
    private int exportKeyRefreshCounter = 0;
    // Optional WebLogic hooks: chain validation callback and hostname verification callback.
    private SSLTruster theWLSTruster = null;
    private SSLHostnameVerifier theWLSVerifier = null;

    /**
     * Installs the WebLogic trust callback consulted during certificate chain validation.
     *
     * @param sSLTruster callback to use, or {@code null} to run validation without it
     */
    public void setWLSTruster(SSLTruster sSLTruster) {
        theWLSTruster = sSLTruster;
    }

    /**
     * Returns the WebLogic trust callback currently installed.
     *
     * @return the callback, or {@code null} when none has been set
     */
    public SSLTruster getWLSTruster() {
        final SSLTruster current = theWLSTruster;
        return current;
    }

    /**
     * Installs the hostname verifier used by the socket-aware {@code isServerTrusted} overload.
     *
     * <p>Passing {@code null} switches the hostname check off: that overload only calls the
     * verifier when this field is non-null.
     *
     * @param sSLHostnameVerifier verifier to use, or {@code null} for no hostname check
     */
    public void setWLSVerifier(SSLHostnameVerifier sSLHostnameVerifier) {
        theWLSVerifier = sSLHostnameVerifier;
    }

    /**
     * Returns the hostname verifier currently installed.
     *
     * @return the verifier, or {@code null} when hostname verification is not configured
     */
    public SSLHostnameVerifier getWLSVerifier() {
        final SSLHostnameVerifier current = theWLSVerifier;
        return current;
    }

    /**
     * Sets how many export-key uses are allowed before the 512-bit pair is regenerated.
     *
     * <p>{@code incrementExportKeyRefreshCount()} treats a negative limit as "never refresh";
     * with a limit of zero its threshold test is satisfied on every call.
     *
     * @param i         new limit
     * @param tLSSystem TLS system reference stored alongside the limit
     */
    public synchronized void setExportKeyRefreshCountLimit(int i, TLSSystem tLSSystem) {
        this.system = tLSSystem;
        this.exportKeyRefreshCountLimit = i;
        // Clamp a counter that has already run past a newly lowered, positive limit.
        boolean counterOvershoots = i > 0 && this.exportKeyRefreshCounter > i;
        if (counterOvershoots) {
            this.exportKeyRefreshCounter = i;
        }
    }

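    /**
     * Counts one use of the export key and regenerates the 512-bit RSA pair once the
     * configured limit is reached. Does nothing while the limit is negative.
     *
     * <p>A failed regeneration leaves the previous key pair in place. The failure is now
     * reported through the SSL debug log instead of being dropped silently, so a key that
     * has stopped rotating can be noticed.
     *
     * <p>NOTE(review): the counter is not reset after a refresh, so once it reaches the limit
     * every later call generates a new key. Confirm this is the intended rotation policy.
     */
    public synchronized void incrementExportKeyRefreshCount() {
        if (this.exportKeyRefreshCountLimit < 0) {
            return;
        }
        this.exportKeyRefreshCounter++;
        if (this.exportKeyRefreshCounter < this.exportKeyRefreshCountLimit) {
            return;
        }
        try {
            addRSAExportKey(generateRSAExportKey(512, TLSSystem.getRandomNumberGenerator()));
        } catch (InvalidKeyException e) {
            if (SSLSetup.getDebugEaten()) {
                SSLSetup.debug(3, e, "Export RSA key refresh failed; previous key pair is still in use");
            }
        } catch (NoSuchAlgorithmException e2) {
            if (SSLSetup.getDebugEaten()) {
                SSLSetup.debug(3, e2, "Export RSA key refresh failed; previous key pair is still in use");
            }
        }
    }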

    /**
     * Replaces the trust manager that receives the final certificate callback.
     *
     * <p>No null check is made here; chain validation dereferences this field, so a
     * {@code null} argument would surface later as a {@code NullPointerException}.
     *
     * @param trustManager trust manager to use from now on
     */
    public void setTrustManager(TrustManager trustManager) {
        final TrustManager replacement = trustManager;
        this.trustManager = replacement;
    }

    /**
     * Stores the default reference object handed to the trust manager callback when a
     * validation call supplies none of its own.
     *
     * @param obj reference to pass along, may be {@code null}
     */
    public void setCertificateCallbackRef(Object obj) {
        certificateCallbackRef = obj;
    }

    /**
     * Caches an ephemeral RSA key pair for export cipher suites, filed by modulus size.
     *
     * <p>Only moduli of at most 1024 bits are accepted; both cached sizes are below current
     * key-size recommendations and exist for export-grade suites only.
     *
     * @param keyPair pair whose public half must be an {@link RSAPublicKey}
     * @throws InvalidKeyException      if the modulus is longer than 1024 bits
     * @throws NoSuchAlgorithmException declared for callers; not thrown by this body
     */
    public void addRSAExportKey(KeyPair keyPair) throws NoSuchAlgorithmException, InvalidKeyException {
        RSAPublicKey rsaPublic = (RSAPublicKey) keyPair.getPublic();
        int modulusBits = rsaPublic.getModulus().bitLength();
        if (modulusBits > 1024) {
            throw new InvalidKeyException(Resources.getMessage("83"));
        }
        if (modulusBits <= 512) {
            this.rsaEphemeral512 = keyPair;
            return;
        }
        this.rsaEphemeral1024 = keyPair;
    }

    /**
     * Returns the cached ephemeral RSA pair for the requested size and counts the use.
     *
     * <p>The use counter is advanced first, so a refresh triggered by this call is already
     * visible in the returned 512-bit pair.
     *
     * @param i requested modulus size in bits; values above 512 select the 1024-bit slot
     * @return the cached pair, or {@code null} if none was stored for that slot
     * @throws IllegalArgumentException if more than 1024 bits are requested
     */
    public KeyPair getRSAExportKey(int i) {
        if (i > 1024) {
            throw new IllegalArgumentException(Resources.getMessage("43"));
        }
        incrementExportKeyRefreshCount();
        if (i > 512) {
            return this.rsaEphemeral1024;
        }
        return this.rsaEphemeral512;
    }

    /**
     * Generates a fresh RSA key pair with public exponent 65537.
     *
     * @param i            modulus size in bits
     * @param secureRandom randomness source handed to the generator
     * @return the generated key pair
     * @throws NoSuchAlgorithmException if the provider has no RSA key pair generator
     */
    public KeyPair generateRSAExportKey(int i, SecureRandom secureRandom) throws NoSuchAlgorithmException {
        final RSAParameters keySpec = new RSAParameters(i, 65537);
        final KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(keySpec, secureRandom);
        KeyPair generated = generator.genKeyPair();
        return generated;
    }

    /**
     * Registers a local identity chain whose private key is supplied in encoded form.
     *
     * <p>The key is decoded with the key factory named by the leaf certificate's public-key
     * algorithm. Any decoding failure is logged (when eaten-exception debugging is on) and
     * the chain is then registered with a {@code null} private key.
     *
     * <p>NOTE(review): registering a chain without a usable key defers the failure to the
     * first handshake that selects it. Confirm callers rely on this best-effort behaviour.
     *
     * @param x509CertificateArr chain with the leaf certificate at index 0
     * @param bArr               encoded private key bytes
     */
    public void addAuthChain(X509Certificate[] x509CertificateArr, byte[] bArr) {
        PrivateKey decodedKey;
        try {
            String keyAlgorithm = x509CertificateArr[0].getPublicKey().getAlgorithm();
            decodedKey = KeyFactory.getInstance(keyAlgorithm).createPrivateKey(bArr, null);
        } catch (Exception e) {
            decodedKey = null;
            if (SSLSetup.getDebugEaten()) {
                SSLSetup.debug(3, e, "........... Eating Exception ..........");
            }
        }
        addAuthChain(x509CertificateArr, decodedKey);
    }

    /**
     * Registers a local identity chain and its private key under the matching key family.
     *
     * <p>The family comes from the leaf certificate: an EC public key goes to the hybrid store
     * when the certificate itself is RSA-signed (SHA1, MD5 or MD2 with RSA) and to the ECDSA
     * store otherwise; "RSA" and "DSA" keys go to their own stores. Any other algorithm is
     * ignored without an error. The key is not checked against the certificate here.
     *
     * @param x509CertificateArr chain with the leaf certificate at index 0
     * @param privateKey         private key for the leaf; stored as given, may be {@code null}
     */
    public void addAuthChain(X509Certificate[] x509CertificateArr, PrivateKey privateKey) {
        final X509Certificate leaf = x509CertificateArr[0];
        final String keyAlgorithm = leaf.getPublicKey().getAlgorithm();

        if (keyAlgorithm.indexOf(CryptoNames.EC) >= 0) {
            final String signedWith = leaf.getSigAlgName();
            boolean rsaSigned = signedWith.equals("SHA1withRSA")
                    || signedWith.equals("MD5withRSA")
                    || signedWith.equals("MD2withRSA");
            if (rsaSigned) {
                this.hybridAuthChains.addElement(x509CertificateArr);
                this.hybridPrivateKeys.addElement(privateKey);
            } else {
                this.ecdsaAuthChains.addElement(x509CertificateArr);
                this.ecdsaPrivateKeys.addElement(privateKey);
            }
            return;
        }

        if (keyAlgorithm.equals("RSA")) {
            this.rsaAuthChains.addElement(x509CertificateArr);
            this.rsaPrivateKeys.addElement(privateKey);
        } else if (keyAlgorithm.equals("DSA")) {
            this.dsaAuthChains.addElement(x509CertificateArr);
            this.dsaPrivateKeys.addElement(privateKey);
        }
    }

    /**
     * Removes the first registered identity whose leaf certificate equals the given one,
     * together with the private key stored at the same index.
     *
     * <p>Stores are searched in the order RSA, DSA, ECDSA, hybrid; at most one entry is removed.
     *
     * @param x509Certificate leaf certificate of the identity to drop
     */
    public void removeAuthChain(X509Certificate x509Certificate) {
        // Chain store k and key store k are index-aligned, so both are trimmed at the same position.
        Vector[] chainStores = {this.rsaAuthChains, this.dsaAuthChains, this.ecdsaAuthChains, this.hybridAuthChains};
        Vector[] keyStores = {this.rsaPrivateKeys, this.dsaPrivateKeys, this.ecdsaPrivateKeys, this.hybridPrivateKeys};
        for (int store = 0; store < chainStores.length; store++) {
            Vector chains = chainStores[store];
            for (int pos = 0; pos < chains.size(); pos++) {
                X509Certificate[] chain = (X509Certificate[]) chains.elementAt(pos);
                if (chain[0].equals(x509Certificate)) {
                    chains.removeElementAt(pos);
                    keyStores[store].removeElementAt(pos);
                    return;
                }
            }
        }
    }

    /**
     * Adds a certificate to the set of trust anchors.
     *
     * <p>The only check made here is that the certificate exposes a public key. Validity
     * period, CA status and signature are not examined, so callers decide what is fit to trust.
     *
     * @param x509Certificate certificate to trust
     * @throws CertificateException if the certificate has no public key
     */
    public void addTrustedCertificate(X509Certificate x509Certificate) throws CertificateException {
        final PublicKey subjectKey = x509Certificate.getPublicKey();
        if (subjectKey != null) {
            this.trustedCertificates.addElement(x509Certificate);
            return;
        }
        throw new CertificateException();
    }

    /**
     * Removes a certificate from the set of trust anchors; a certificate that is not
     * present is ignored.
     *
     * @param x509Certificate certificate to stop trusting
     */
    public void removeTrustedCertificate(X509Certificate x509Certificate) {
        final Vector anchors = this.trustedCertificates;
        anchors.removeElement(x509Certificate);
    }

    /**
     * Parses the two root certificates embedded below (once per JVM) and adds both to this
     * instance's trust anchors.
     *
     * <p>Reviewer's reading of the embedded DER, to be confirmed with a certificate parser:
     * both are self-issued v3 CA certificates valid from 2000-09-22 to 2020-09-22. The first
     * is "Certicom A", signed with ecdsa-with-SHA1; the second is "Certicom B", signed with
     * sha1WithRSAEncryption over a 1024-bit modulus with public exponent 3. Deployments that
     * do not need these vendor roots can drop them with disableDefaultTrustedCertificates().
     *
     * <p>NOTE(review): the null checks sit outside the synchronized blocks and the static
     * fields are not volatile, so two threads may both parse the bytes, and a reader is not
     * guaranteed to see a fully published object.
     *
     * <p>NOTE(review): if parsing fails, the static field stays null and the
     * addTrustedCertificate(...) call below dereferences it; the resulting
     * NullPointerException is not covered by the CertificateException handler.
     */
    public void installDefaultTrustedCertificates() {
        try {
            if (mtEcdsaRootCert == null) {
                synchronized (certInitSync) {
                    // DER encoding of the embedded "Certicom A" root (subject name read from the bytes).
                    mtEcdsaRootCert = new X509V3CertImpl(new byte[]{48, -127, -11, 48, -127, -78, -96, 3, 2, 1, 2, 2, 1, 1, 48, 11, 6, 7, 42, -122, 72, -50, 61, 4, 1, 5, 0, 48, 21, 49, 19, 48, 17, 6, 3, 85, 4, 3, 19, 10, 67, 101, 114, 116, 105, 99, 111, 109, 32, 65, 48, 30, 23, 13, 48, 48, 48, 57, 50, 50, 48, 52, 48, 48, 48, 48, 90, 23, 13, 50, 48, 48, 57, 50, 50, 48, 52, 48, 48, 48, 48, 90, 48, 21, 49, 19, 48, 17, 6, 3, 85, 4, 3, 19, 10, 67, 101, 114, 116, 105, 99, 111, 109, 32, 65, 48, 43, 48, 16, 6, 7, 42, -122, 72, -50, 61, 2, 1, 6, 5, 43, -127, 4, 0, 1, 3, 23, 0, 2, 2, -54, -40, 57, 117, -82, -5, -112, 64, 46, -37, -51, 35, -100, -111, -125, 24, 123, -116, -80, 117, -93, 32, 48, 30, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 1, 6, 48, 15, 6, 3, 85, 29, 19, 1, 1, -1, 4, 5, 48, 3, 1, 1, -1, 48, 11, 6, 7, 42, -122, 72, -50, 61, 4, 1, 5, 0, 3, 49, 0, 48, 46, 2, 21, 1, -70, -44, -124, 25, 61, -63, -60, -100, 115, -127, 96, 9, 29, -76, -14, -31, -100, 55, 125, 11, 2, 21, 1, -7, -4, -74, 49, 18, 20, -89, 109, Byte.MAX_VALUE, 93, 75, 40, -47, 99, 70, -107, -97, 72, 55, 9});
                }
            }
            if (mtRsaRootCert == null) {
                synchronized (certInitSync) {
                    // DER encoding of the embedded "Certicom B" root (subject name read from the bytes).
                    mtRsaRootCert = new X509V3CertImpl(new byte[]{48, -126, 1, -66, 48, -126, 1, 39, -96, 3, 2, 1, 2, 2, 1, 1, 48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 5, 5, 0, 48, 21, 49, 19, 48, 17, 6, 3, 85, 4, 3, 19, 10, 67, 101, 114, 116, 105, 99, 111, 109, 32, 66, 48, 30, 23, 13, 48, 48, 48, 57, 50, 50, 48, 52, 48, 48, 48, 48, 90, 23, 13, 50, 48, 48, 57, 50, 50, 48, 52, 48, 48, 48, 48, 90, 48, 21, 49, 19, 48, 17, 6, 3, 85, 4, 3, 19, 10, 67, 101, 114, 116, 105, 99, 111, 109, 32, 66, 48, -127, -99, 48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 1, 5, 0, 3, -127, -117, 0, 48, -127, -121, 2, -127, -127, 0, -93, 16, -56, 21, -16, 75, -71, 113, 112, 84, 87, 17, -80, -21, -40, 108, -86, 72, 97, -52, -64, 93, 6, 29, 123, 12, 121, 94, -114, 38, -124, -115, 100, -75, -39, -9, -120, -82, 82, -101, -123, -94, 21, -84, 121, -96, 125, -28, -71, 50, 21, -37, -119, -98, -87, 110, 64, 43, 13, -59, 74, -65, 1, 77, 105, 85, -81, 115, -111, -23, -46, -22, -40, 119, 77, 123, -63, -96, -45, -56, -119, -14, -1, 121, -109, 118, -9, 22, 43, 107, 118, -104, -96, -16, -71, 43, 48, -113, 70, 24, -13, 80, -18, 6, 120, 91, 111, 115, 118, -35, -15, 93, 52, -26, 102, 45, 96, -109, 103, -17, -31, 66, -81, 95, -110, -40, 109, 15, 2, 1, 3, -93, 32, 48, 30, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 1, 6, 48, 15, 6, 3, 85, 29, 19, 1, 1, -1, 4, 5, 48, 3, 1, 1, -1, 48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 5, 5, 0, 3, -127, -127, 0, 84, -45, 16, 19, -4, -112, -92, 70, 117, -124, 72, 89, 79, 93, -56, 106, -41, -62, 36, 36, 52, -110, -121, -26, -109, 10, -73, 60, -72, -22, -104, -53, 46, -125, 37, 15, 76, 114, -91, 8, -121, -95, 58, 20, -28, 22, 20, 35, 48, -17, -88, -23, -18, 73, -87, 59, -54, -53, -42, 50, 4, -52, 106, -74, -84, 113, -113, 126, 102, -19, -5, 55, 56, 35, 23, -30, 75, 61, 80, -3, 70, 61, -42, -2, -60, 54, 89, 14, 83, 79, -34, 105, -68, 32, -113, -16, 75, 94, -44, -107, 101, -50, -112, 125, 88, -106, -48, 88, -126, 29, -32, -114, -20, -53, -38, -100, -38, 76, 99, -8, -85, 
17, 51, -9, -24, -118, -21, 95});
                }
            }
        } catch (CertificateParsingException e) {
            // A parse failure is only logged; the affected static field keeps its previous value.
            if (SSLSetup.getDebugEaten()) {
                SSLSetup.debug(3, e, "........... Eating Exception ..........");
            }
        }
        try {
            // Both roots become trust anchors for this instance.
            addTrustedCertificate(mtEcdsaRootCert);
            addTrustedCertificate(mtRsaRootCert);
        } catch (CertificateException e2) {
            // If the first add is rejected, the second is never attempted.
            if (SSLSetup.getDebugEaten()) {
                SSLSetup.debug(3, e2, "........... Eating Exception ..........");
            }
        }
    }

    /**
     * Removes the two built-in root certificates from this instance's trust anchors.
     *
     * <p>Roots that were never parsed (their static field is still {@code null}) are skipped.
     * The cached static certificates are left in place for other instances.
     */
    public void disableDefaultTrustedCertificates() {
        X509V3CertImpl[] builtInRoots = {mtEcdsaRootCert, mtRsaRootCert};
        for (int k = 0; k < builtInRoots.length; k++) {
            X509V3CertImpl root = builtInRoots[k];
            if (root != null) {
                removeTrustedCertificate(root);
            }
        }
    }

    /**
     * Tells whether the certificate is one of the configured trust anchors.
     *
     * <p>Membership is decided by the certificate's {@code equals} method against the stored
     * anchors; nothing about the certificate is validated here.
     *
     * @param x509Certificate certificate to look up
     * @return {@code true} if an equal certificate is in the trust anchor list
     */
    public boolean isTrustedCertificate(X509Certificate x509Certificate) {
        int position = this.trustedCertificates.indexOf(x509Certificate);
        return position >= 0;
    }

    /**
     * Returns the i-th registered identity chain for a key family.
     *
     * <p>The ECDSA name is mapped to the EC name first, so it is not caught by the
     * substring test that selects the DSA store.
     *
     * @param str key family name (EC/ECDSA, "RSA", any name containing "DSA", or hybrid)
     * @param i   position within that family's store
     * @return the chain, or {@code null} for an unknown family or an out-of-range index
     */
    public X509Certificate[] getAuthChain(String str, int i) {
        final String family = str.equals(CryptoNames.ECDSA) ? CryptoNames.EC : str;

        final Vector store;
        if (family.equals(CryptoNames.EC)) {
            store = this.ecdsaAuthChains;
        } else if (family.equals("RSA")) {
            store = this.rsaAuthChains;
        } else if (family.indexOf("DSA") >= 0) {
            store = this.dsaAuthChains;
        } else if (family.equals(CryptoNames.HYBRID)) {
            store = this.hybridAuthChains;
        } else {
            return null;
        }

        try {
            return (X509Certificate[]) store.elementAt(i);
        } catch (ArrayIndexOutOfBoundsException e) {
            // An index past the end of the store means "no such identity", not an error.
            if (SSLSetup.getDebugEaten()) {
                SSLSetup.debug(3, e, "........... Eating Exception ..........");
            }
            return null;
        }
    }

    /**
     * Looks up the private key registered for a leaf certificate.
     *
     * <p>Stores are searched in the order RSA, DSA, ECDSA, hybrid and the first identity
     * whose leaf equals the argument wins.
     *
     * @param x509Certificate leaf certificate of the wanted identity
     * @return the stored key (which may itself be {@code null}), or {@code null} if no
     *         identity matches
     */
    public PrivateKey getPrivateKey(X509Certificate x509Certificate) {
        // Chain store k and key store k are index-aligned.
        Vector[] chainStores = {this.rsaAuthChains, this.dsaAuthChains, this.ecdsaAuthChains, this.hybridAuthChains};
        Vector[] keyStores = {this.rsaPrivateKeys, this.dsaPrivateKeys, this.ecdsaPrivateKeys, this.hybridPrivateKeys};
        for (int store = 0; store < chainStores.length; store++) {
            Vector chains = chainStores[store];
            for (int pos = 0; pos < chains.size(); pos++) {
                X509Certificate leaf = ((X509Certificate[]) chains.elementAt(pos))[0];
                if (leaf.equals(x509Certificate)) {
                    return (PrivateKey) keyStores[store].elementAt(pos);
                }
            }
        }
        return null;
    }

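    /**
     * Loads a local identity (certificate chain followed by its private key) from a stream
     * and registers it after confirming that the key belongs to the leaf certificate.
     *
     * <p>The parsed list is expected to hold the chain with the leaf first and the private
     * key as its last element. A list too short to contain both is rejected with a
     * {@link KeyManagementException} instead of failing with an array-size or cast error.
     *
     * @param inputStream source of the encoded identity
     * @param cArr        password passed through to the identity parser
     * @throws KeyManagementException if the identity is incomplete or the private key does
     *                                not match the leaf certificate's public key
     */
    public final void loadLocalIdentity(InputStream inputStream, char[] cArr) throws KeyManagementException {
        Vector localIdentity = SSLPlusSupport.getLocalIdentity(inputStream, cArr);
        if (localIdentity == null || localIdentity.size() < 2) {
            SSLSetup.debug(3, "Local identity is incomplete, expected at least one certificate followed by a private key");
            throw new KeyManagementException("Local identity must contain at least one certificate followed by its private key");
        }
        // Everything except the last element is the certificate chain.
        X509Certificate[] x509CertificateArr = new X509Certificate[localIdentity.size() - 1];
        for (int i = 0; i < x509CertificateArr.length; i++) {
            x509CertificateArr[i] = (X509Certificate) localIdentity.elementAt(i);
        }
        PublicKey publicKey = x509CertificateArr[0].getPublicKey();
        PrivateKey privateKey = (PrivateKey) localIdentity.lastElement();
        // Refuse to register an identity whose key cannot answer for its certificate.
        if (!CheckIfKeyMatch(publicKey, privateKey)) {
            SSLSetup.debug(3, "Public and private keys don't match, check certificate and private key");
            throw new KeyManagementException(Resources.getMessage("3"));
        }
        addAuthChain(x509CertificateArr, privateKey);
    }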

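    /**
     * Checks that a private key belongs to a public key by running a round trip with both.
     *
     * <ul>
     *   <li>RSA: a PKCS#1 type-1 padded probe is transformed with the private key and recovered
     *       with the public key.</li>
     *   <li>DSA: the domain parameters must be equal and a signature made with the private key
     *       must verify under the public key.</li>
     *   <li>EC: a signature made with the private key must verify under the public key.</li>
     * </ul>
     *
     * <p>Changes from the previous version: the RSA round trip takes its randomness from
     * {@code TLSSystem.getRandomNumberGenerator()}, as the signature branches already do,
     * instead of a {@code SecureRandom} seeded from the wall clock; the "unsupported
     * algorithm" exception is no longer replaced by the generic key-check failure; the
     * original exception is kept as the cause; and the EC failure goes to the SSL debug log
     * rather than standard output.
     *
     * @param publicKey  public key, normally taken from the leaf certificate
     * @param privateKey private key claimed to match it
     * @return {@code true} if the keys form a pair, {@code false} if they do not or if a
     *         required algorithm is unavailable
     * @throws KeyManagementException if the public key algorithm is not RSA, DSA or EC, or
     *                                if the check itself fails with an exception
     */
    public final boolean CheckIfKeyMatch(PublicKey publicKey, PrivateKey privateKey) throws KeyManagementException {
        // Fixed probe message; it carries no secret, it only has to survive the round trip.
        byte[] probe = "Hello World".getBytes();
        // Time-based value mixed into the EC digest only; it is not used as key or seed material.
        byte[] timeTag = new StringBuffer().append("CT").append(System.currentTimeMillis()).toString().getBytes();
        try {
            String publicAlg = publicKey.getAlgorithm();
            String privateAlg = privateKey.getAlgorithm();

            if (publicAlg.indexOf("RSA") >= 0) {
                if (!privateAlg.equalsIgnoreCase("RSA")) {
                    return false;
                }
                try {
                    // Availability probe: a provider without the PKCS#1 transform fails the check.
                    Cipher.getInstance(CryptoNames.RSA_PKCS1);
                    SecureRandom rng = TLSSystem.getRandomNumberGenerator();
                    int modulusBytes = (((RSAPrivateKey) privateKey).getModulus().bitLength() + 7) / 8;
                    byte[] padded = addPKCS1Padding(modulusBytes, probe);
                    Cipher privateOp = Cipher.getInstance(CryptoNames.RSA_RAW);
                    privateOp.init(1, privateKey, rng);
                    byte[] transformed = privateOp.doFinal(padded, 0, padded.length);
                    Cipher publicOp = Cipher.getInstance(CryptoNames.RSA_RAW);
                    publicOp.init(2, publicKey, rng);
                    byte[] recovered = removePKCS1Padding(publicOp.doFinal(transformed, 0, transformed.length));
                    return java.util.Arrays.equals(probe, recovered);
                } catch (NoSuchAlgorithmException e) {
                    return false;
                }
            }

            // DSA is tested before EC on purpose: a name such as "ECDSA" contains "DSA".
            if (publicAlg.indexOf("DSA") >= 0) {
                if (privateAlg.indexOf("DSA") < 0) {
                    return false;
                }
                BigInteger g = ((DSAPublicKey) publicKey).getParams().getG();
                BigInteger p = ((DSAPublicKey) publicKey).getParams().getP();
                BigInteger q = ((DSAPublicKey) publicKey).getParams().getQ();
                BigInteger g2 = ((DSAPrivateKey) privateKey).getParams().getG();
                BigInteger p2 = ((DSAPrivateKey) privateKey).getParams().getP();
                BigInteger q2 = ((DSAPrivateKey) privateKey).getParams().getQ();
                if (!g.equals(g2) || !p.equals(p2) || !q.equals(q2) || !CipherSuiteSupport.isCryptoAlgAvail("SHA1withDSA")) {
                    return false;
                }
                MessageDigest dsaDigest = MessageDigest.getInstance("SHA");
                dsaDigest.update(probe);
                byte[] dsaHash = dsaDigest.digest();
                Signature dsaSigner = Signature.getInstance(CryptoNames.RawDSA);
                dsaSigner.initSign(privateKey, TLSSystem.getRandomNumberGenerator());
                dsaSigner.update(dsaHash);
                byte[] dsaSignature = dsaSigner.sign();
                Signature dsaVerifier = Signature.getInstance(CryptoNames.RawDSA);
                dsaVerifier.initVerify(publicKey);
                dsaVerifier.update(dsaHash);
                return dsaVerifier.verify(dsaSignature);
            }

            if (publicAlg.indexOf(CryptoNames.EC) < 0) {
                throw new KeyManagementException(Resources.getMessage("153"));
            }
            if (!privateAlg.startsWith(CryptoNames.EC) || !CipherSuiteSupport.isCryptoAlgAvail(CryptoNames.ECDSA)) {
                return false;
            }
            MessageDigest ecDigest = MessageDigest.getInstance("SHA");
            ecDigest.update(timeTag);
            ecDigest.update(probe);
            byte[] ecHash = ecDigest.digest();
            Signature ecSigner = Signature.getInstance(CryptoNames.ECDSA);
            ecSigner.initSign(privateKey, TLSSystem.getRandomNumberGenerator());
            ecSigner.update(ecHash);
            byte[] ecSignature = ecSigner.sign();
            Signature ecVerifier = Signature.getInstance(CryptoNames.ECDSA);
            ecVerifier.initVerify(publicKey);
            ecVerifier.update(ecHash);
            if (ecVerifier.verify(ecSignature)) {
                return true;
            }
            SSLSetup.debug(3, "ECDSA key check failed: signature did not verify under the public key");
            return false;
        } catch (KeyManagementException e) {
            // Keep the specific "unsupported algorithm" failure instead of masking it below.
            throw e;
        } catch (Exception e2) {
            SSLSetup.debug(3, e2, "Exception during key check");
            throw new KeyManagementException(Resources.getMessage("3"), e2);
        }
    }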

    /**
     * Builds a PKCS#1 v1.5 type-1 block: {@code 00 01 FF..FF 00 || data}.
     *
     * <p>At least one {@code FF} byte is always present, but the eight-byte minimum that
     * PKCS#1 asks for is not enforced. The block is used by the key-match self test.
     *
     * @param i    total block length in bytes (the modulus length)
     * @param bArr payload to embed
     * @return the padded block of length {@code i}, or an empty array if the payload does
     *         not leave room for the header, one padding byte and the separator
     */
    public byte[] addPKCS1Padding(int i, byte[] bArr) {
        if (bArr.length >= i - 3) {
            return new byte[0];
        }
        byte[] block = new byte[i];
        // Index of the 00 separator that sits directly in front of the payload.
        int separatorIndex = i - bArr.length - 1;
        block[0] = 0;
        block[1] = 1;
        for (int pos = 2; pos < separatorIndex; pos++) {
            block[pos] = -1;
        }
        block[separatorIndex] = 0;
        System.arraycopy(bArr, 0, block, separatorIndex + 1, bArr.length);
        return block;
    }

    /**
     * Strips PKCS#1 v1.5 padding (block type 1 or 2) and returns the payload.
     *
     * <p>Only the leading {@code 00}, the block type and the presence of a {@code 00}
     * separator are checked. The padding bytes themselves and their minimum count are not
     * verified, so this is a lenient parser for the key-match self test rather than a
     * strict validator.
     *
     * @param bArr padded block
     * @return the bytes after the first {@code 00} separator, or an empty array if the block
     *         is shorter than four bytes, has a bad header or has no separator
     */
    public byte[] removePKCS1Padding(byte[] bArr) {
        final byte[] rejected = new byte[0];
        if (bArr.length < 4 || bArr[0] != 0) {
            return rejected;
        }
        final byte blockType = bArr[1];
        if (blockType != 1 && blockType != 2) {
            return rejected;
        }
        // Find the first 00 byte after the two header bytes.
        int separator = -1;
        for (int pos = 2; pos < bArr.length; pos++) {
            if (bArr[pos] == 0) {
                separator = pos;
                break;
            }
        }
        if (separator < 0) {
            return rejected;
        }
        final int payloadStart = separator + 1;
        byte[] payload = new byte[bArr.length - payloadStart];
        System.arraycopy(bArr, payloadStart, payload, 0, payload.length);
        return payload;
    }

    /**
     * Reads certificates from a stream and adds each one to the trust anchors.
     *
     * <p>A certificate rejected by {@code addTrustedCertificate} is skipped, and logged only
     * when eaten-exception debugging is enabled; loading continues with the next one. The
     * caller is therefore not told when part of the input was not trusted.
     *
     * @param inputStream source of the encoded certificates
     * @throws KeyManagementException declared for callers; presumably raised by the parser
     *                                when the stream cannot be read (confirm)
     */
    public final void loadTrustedCertificates(InputStream inputStream) throws KeyManagementException {
        for (X509Certificate candidate : SSLPlusSupport.getTrustedCertificates(inputStream)) {
            try {
                addTrustedCertificate(candidate);
            } catch (CertificateException rejected) {
                final boolean logEaten = SSLSetup.getDebugEaten();
                if (logEaten) {
                    SSLSetup.debug(3, rejected, "........... Eating Exception ..........");
                }
            }
        }
    }

    /**
     * Returns a copy of the current trust anchors.
     *
     * <p>The array is new on every call, so changes to it do not affect the trust store.
     *
     * @return the trusted certificates in insertion order
     */
    public X509Certificate[] getTrustedCertificates() {
        final int anchorCount = this.trustedCertificates.size();
        final X509Certificate[] snapshot = new X509Certificate[anchorCount];
        this.trustedCertificates.copyInto(snapshot);
        return snapshot;
    }

    /**
     * Validates a client certificate chain when no socket is available.
     *
     * @param x509CertificateArr chain presented by the client, leaf first
     * @param str                negotiated cipher suite name
     * @param protocolVersion    negotiated protocol version
     * @param obj                callback reference, or {@code null} to use the stored default
     * @return the result of the chain validation
     */
    public boolean isClientTrusted(X509Certificate[] x509CertificateArr, String str, ProtocolVersion protocolVersion, Object obj) {
        final SSLSocket noSocket = null;
        final boolean chainAccepted = validateCertificateChain(true, x509CertificateArr, str, protocolVersion, obj, noSocket);
        return chainAccepted;
    }

    /**
     * Validates a client certificate chain for the given connection.
     *
     * @param x509CertificateArr chain presented by the client, leaf first
     * @param str                negotiated cipher suite name
     * @param protocolVersion    negotiated protocol version
     * @param obj                callback reference, or {@code null} to use the stored default
     * @param sSLSocket          connection the chain arrived on
     * @return the result of the chain validation
     */
    public boolean isClientTrusted(X509Certificate[] x509CertificateArr, String str, ProtocolVersion protocolVersion, Object obj, SSLSocket sSLSocket) {
        final boolean chainAccepted = validateCertificateChain(true, x509CertificateArr, str, protocolVersion, obj, sSLSocket);
        return chainAccepted;
    }

    /**
     * Validates a server certificate chain when no socket is available.
     *
     * <p>This overload never calls the hostname verifier; only the overload that receives
     * the socket does. Callers that need the server name checked must use that one.
     *
     * @param x509CertificateArr chain presented by the server, leaf first
     * @param str                negotiated cipher suite name
     * @param protocolVersion    negotiated protocol version
     * @param obj                callback reference, or {@code null} to use the stored default
     * @return the result of the chain validation
     */
    public boolean isServerTrusted(X509Certificate[] x509CertificateArr, String str, ProtocolVersion protocolVersion, Object obj) {
        final SSLSocket noSocket = null;
        final boolean chainAccepted = validateCertificateChain(false, x509CertificateArr, str, protocolVersion, obj, noSocket);
        return chainAccepted;
    }

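    /**
     * Validates a server certificate chain for the given connection, running the configured
     * hostname verifier first.
     *
     * <p>When a verifier is installed it receives the leaf certificate ({@code null} for an
     * empty chain), the socket, and the host name reported by the socket's peer address. If
     * the verifier is installed but there is no socket or no peer address to take a host
     * name from, the check now fails closed instead of raising a
     * {@code NullPointerException}.
     *
     * <p>NOTE(review): {@code InetAddress.getHostName()} falls back to a reverse lookup when
     * the address was not created from a name. Confirm that the name reaching the verifier
     * is the one the application asked to connect to, not one derived from DNS.
     *
     * @param x509CertificateArr chain presented by the server, leaf first
     * @param str                negotiated cipher suite name
     * @param protocolVersion    negotiated protocol version
     * @param obj                callback reference, or {@code null} to use the stored default
     * @param sSLSocket          connection the chain arrived on
     * @return {@code false} if hostname verification rejects the peer, otherwise the result
     *         of the chain validation
     */
    public boolean isServerTrusted(X509Certificate[] x509CertificateArr, String str, ProtocolVersion protocolVersion, Object obj, SSLSocket sSLSocket) {
        // Read the field once so the null check and the call use the same verifier.
        final SSLHostnameVerifier verifier = this.theWLSVerifier;
        if (verifier != null) {
            if (sSLSocket == null || sSLSocket.getInetAddress() == null) {
                SSLSetup.debug(2, "Hostname verification failed: no connected socket to take the peer host name from");
                return false;
            }
            X509Certificate x509Certificate = null;
            if (x509CertificateArr != null && x509CertificateArr.length != 0) {
                x509Certificate = x509CertificateArr[0];
            }
            if (!verifier.hostnameValidationCallback(SSLCertUtility.toJavaX509(x509Certificate), sSLSocket, sSLSocket.getInetAddress().getHostName())) {
                return false;
            }
        }
        return validateCertificateChain(false, x509CertificateArr, str, protocolVersion, obj, sSLSocket);
    }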

    private boolean validateCertificateChain(boolean z, X509Certificate[] x509CertificateArr, String str, ProtocolVersion protocolVersion, Object obj, SSLSocket sSLSocket) {
        TrustManager trustManager = this.trustManager;
        int i = 16;
        X509Certificate[] completeCertChain = completeCertChain(x509CertificateArr);
        if (completeCertChain == null) {
            TrustManager trustManager2 = this.trustManager;
            int i2 = 16 | 4;
            if (this.theWLSTruster != null) {
                i2 = this.theWLSTruster.validationCallback(SSLCertUtility.toJavaX509(completeCertChain), i2, sSLSocket);
                if (i2 != 0 && (i2 & 64) != 0) {
                    SSLSetup.debug(2, new StringBuffer().append("Trust failure (").append(i2).append("): ").append(SSLSetup.transformTrustBits(i2)).toString());
                    return false;
                }
                SSLSetup.debug(3, new StringBuffer().append("Trust status (").append(i2).append("): ").append(SSLSetup.transformTrustBits(i2)).toString());
            }
            return this.trustManager.certificateCallback(SSLCertUtility.toJavaX509(completeCertChain), i2, obj != null ? obj : this.certificateCallbackRef);
        }
        for (int i3 = 0; i3 < completeCertChain.length; i3++) {
            X509Certificate x509Certificate = completeCertChain[i3];
            TrustManager trustManager3 = this.trustManager;
            if ((i & 16) != 0 && isTrustedCertificate(x509Certificate)) {
                i &= 239;
            }
            if (!(i3 + 1 != completeCertChain.length ? convertToCerticom(completeCertChain[i3 + 1].getSubjectDN()) : convertToCerticom(x509Certificate.getSubjectDN())).equals(convertToCerticom(x509Certificate.getIssuerDN()))) {
                if (i3 + 1 == completeCertChain.length) {
                    TrustManager trustManager4 = this.trustManager;
                    i |= 4;
                } else {
                    TrustManager trustManager5 = this.trustManager;
                    i |= 1;
                }
            }
            TrustManager trustManager6 = this.trustManager;
            if ((i & 16) != 0) {
                TrustManager trustManager7 = this.trustManager;
                if ((i & 8) == 0 && i3 + 1 != completeCertChain.length) {
                    try {
                        x509Certificate.verify(completeCertChain[i3 + 1].getPublicKey());
                    } catch (Exception e) {
                        if (SSLSetup.getDebugEaten()) {
                            SSLSetup.debug(3, e, "........... Eating Exception ..........");
                        }
                        TrustManager trustManager8 = this.trustManager;
                        i |= 8;
                    }
                }
            }
            TrustManager trustManager9 = this.trustManager;
            if ((i & 2) == 0) {
                try {
                    x509Certificate.checkValidity();
                } catch (Exception e2) {
                    if (SSLSetup.getDebugEaten()) {
                        SSLSetup.debug(3, e2, "........... Eating Exception ..........");
                    }
                    TrustManager trustManager10 = this.trustManager;
                    i |= 2;
                }
            }
            boolean z2 = false;
            Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
            if (criticalExtensionOIDs != null) {
                Iterator<String> it = criticalExtensionOIDs.iterator();
                while (it.hasNext()) {
                    String obj2 = it.next().toString();
                    if (obj2.equals(OID.ID_CE_BASIC_CONSTRAINTS)) {
                        int basicConstraints = x509Certificate.getBasicConstraints();
                        if (basicConstraints != -1 && basicConstraints != Integer.MAX_VALUE && basicConstraints + 1 < i3) {
                            SSLSetup.logCertificateChainPathLenExceededConstraintsFailure((SSLSocketImpl) sSLSocket);
                            return false;
                        }
                        z2 = true;
                    } else {
                        if (!obj2.equals(OID.ID_CE_KEY_USAGE)) {
                            return false;
                        }
                        boolean[] keyUsage = x509Certificate.getKeyUsage();
                        if (keyUsage == null) {
                            continue;
                        } else if (i3 == 0) {
                            try {
                                int keyAgreementAlgorithm = CipherSuiteSupport.getCipherSuite(str).getKeyAgreementAlgorithm();
                                if (!z) {
                                    if (!keyUsage[4] && keyAgreementAlgorithm == 5) {
                                        return false;
                                    }
                                    if (!keyUsage[4] && keyAgreementAlgorithm == 12) {
                                        return false;
                                    }
                                    if (!keyUsage[2] && keyAgreementAlgorithm == 6 && protocolVersion.equals(ProtocolVersions.TLS10)) {
                                        return false;
                                    }
                                    if (keyAgreementAlgorithm == 7) {
                                        int bitLength = ((RSAPublicKey) x509Certificate.getPublicKey()).getModulus().bitLength();
                                        if (bitLength <= 512 && !keyUsage[2]) {
                                            return false;
                                        }
                                        if (bitLength > 512 && !keyUsage[0]) {
                                            return false;
                                        }
                                    } else if (keyAgreementAlgorithm == 8) {
                                        int bitLength2 = ((RSAPublicKey) x509Certificate.getPublicKey()).getModulus().bitLength();
                                        if (bitLength2 <= 1024 && !keyUsage[2]) {
                                            return false;
                                        }
                                        if (bitLength2 > 1024 && !keyUsage[0]) {
                                            return false;
                                        }
                                    } else if (!keyUsage[0] && (keyAgreementAlgorithm == 2 || keyAgreementAlgorithm == 3 || keyAgreementAlgorithm == 4)) {
                                        return false;
                                    }
                                } else if (protocolVersion.equals(ProtocolVersions.TLS10) && !keyUsage[0] && keyAgreementAlgorithm != 5 && keyAgreementAlgorithm != 12) {
                                    return false;
                                }
                            } catch (NoSuchAlgorithmException e3) {
                                if (!SSLSetup.getDebugEaten()) {
                                    return false;
                                }
                                SSLSetup.debug(3, e3, "........... Eating Exception ..........");
                                return false;
                            }
                        } else if (!keyUsage[5]) {
                            return false;
                        }
                    }
                }
            }
            if (!TLSSystem.getX509BasicConstraintBug() && i3 > 0) {
                X509V3CertImpl ConvertToX509V3CertImpl = ConvertToX509V3CertImpl(x509Certificate);
                if (ConvertToX509V3CertImpl == null) {
                    SSLSetup.logCertificateChainConstraintsConversionFailure((SSLSocketImpl) sSLSocket);
                    return false;
                }
                if (ConvertToX509V3CertImpl.getVersion() == 2 && (!ConvertToX509V3CertImpl.getIsCA() || (TLSSystem.getX509StrictConstraints() && !z2))) {
                    if (!ConvertToX509V3CertImpl.getBasicConstraintsPresent()) {
                        SSLSetup.logCertificateChainMissingConstraintsFailure((SSLSocketImpl) sSLSocket);
                        return false;
                    }
                    if (!ConvertToX509V3CertImpl.getIsCA()) {
                        SSLSetup.logCertificateChainNotACaConstraintsFailure((SSLSocketImpl) sSLSocket);
                        return false;
                    }
                    if (!TLSSystem.getX509StrictConstraints() || z2) {
                        return false;
                    }
                    SSLSetup.logCertificateChainConstraintsStrictNonCriticalFailure((SSLSocketImpl) sSLSocket);
                    return false;
                }
            }
        }
        if (this.theWLSTruster != null) {
            i = this.theWLSTruster.validationCallback(SSLCertUtility.toJavaX509(completeCertChain), i, sSLSocket);
            if (i != 0 && (i & 64) != 0) {
                SSLSetup.debug(2, new StringBuffer().append("Trust failure (").append(i).append("): ").append(SSLSetup.transformTrustBits(i)).toString());
                return false;
            }
            SSLSetup.debug(3, new StringBuffer().append("Trust status (").append(i).append("): ").append(SSLSetup.transformTrustBits(i)).toString());
        }
        return this.trustManager.certificateCallback(SSLCertUtility.toJavaX509(completeCertChain), i, obj != null ? obj : this.certificateCallbackRef);
    }

    /**
     * Checks the key-usage bits of the first certificate in the chain for an ECDSA /
     * fixed-ECDH key exchange.
     *
     * <p>The bits are only examined when all of the following hold: the certificate lists
     * key usage among its <em>critical</em> extensions, it reports a key-usage bit array, and
     * {@code protocolVersion} equals {@code ProtocolVersions.TLS10}. In every other case the
     * method returns {@code true}. When the check applies, bit 4 (keyAgreement) must be set
     * if {@code z} is {@code true}, and bit 0 (digitalSignature) must be set otherwise.
     *
     * <p>NOTE(review): a key-usage extension that is present but not marked critical is never
     * looked at here, and nothing is enforced for protocol versions other than TLS10. Confirm
     * that both are intended; if not, a certificate whose key usage forbids this use is accepted.
     *
     * @param z selects the required bit; presumably distinguishes fixed ECDH from ECDSA -
     *     verify against callers
     * @param x509CertificateArr certificate chain; only element 0 is read, and the array is
     *     not checked for {@code null} or emptiness
     * @param protocolVersion negotiated protocol version
     * @return {@code false} only when the required key-usage bit is missing under the
     *     conditions above
     */
    public boolean validateECDSA_fixed_ECDH(boolean z, X509Certificate[] x509CertificateArr, ProtocolVersion protocolVersion) {
        X509Certificate leaf = x509CertificateArr[0];
        Set<String> criticalOids = leaf.getCriticalExtensionOIDs();
        if (criticalOids == null) {
            return true;
        }
        boolean keyUsageIsCritical = false;
        for (String oid : criticalOids) {
            if (oid.equals(OID.ID_CE_KEY_USAGE)) {
                keyUsageIsCritical = true;
                break;
            }
        }
        if (!keyUsageIsCritical) {
            return true;
        }
        boolean[] usageBits = leaf.getKeyUsage();
        if (usageBits == null) {
            return true;
        }
        if (!protocolVersion.equals(ProtocolVersions.TLS10)) {
            return true;
        }
        // Bit 4 is read first in both cases, as in the original evaluation order.
        boolean keyAgreementAllowed = usageBits[4];
        if (z) {
            return keyAgreementAllowed;
        }
        return usageBits[0];
    }

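    /**
     * Extends a certificate chain with issuers taken from the trusted certificate store.
     *
     * <p>Steps, in order:
     * <ol>
     *   <li>Certificates after the first that are outside their validity period are swapped
     *       for trusted certificates with the same subject (see {@code replaceCaExpiredCerts}).
     *   <li>While the last certificate is not self-issued (subject differs from issuer) and
     *       the trusted store holds a valid certificate for that issuer name, that certificate
     *       is appended.
     *   <li>If the supplied chain had more than one certificate and now ends in a self-issued
     *       certificate that is not itself in the trusted store, the last element is replaced
     *       by the first trusted certificate carrying the same subject name.
     * </ol>
     *
     * <p>All matching in this method is by distinguished name and certificate equality; no
     * signature is verified here, so callers must not treat the returned chain as validated.
     * The input array may be modified in place.
     *
     * @param x509CertificateArr chain as supplied, leaf first; may be {@code null} or empty
     * @return the completed chain, or the argument itself when it is {@code null} or empty
     */
    public X509Certificate[] completeCertChain(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return x509CertificateArr;
        }
        X509Certificate[] chain = replaceCaExpiredCerts(x509CertificateArr);
        final int suppliedLength = chain.length;
        Principal subject = convertToCerticom(chain[chain.length - 1].getSubjectDN());
        Principal issuer = convertToCerticom(chain[chain.length - 1].getIssuerDN());

        // The listing had "while (true)" with no exit, which never terminates and leaves the
        // code below unreachable; the loop condition is the exit test.
        X509Certificate[] issuerMatches;
        while (!subject.equals(issuer) && (issuerMatches = findInTrusted(issuer)) != null) {
            // Every appended certificate comes from the trusted store, so appending more of
            // them than the store holds means the issuer names form a cycle. Stop instead of
            // growing the chain without bound.
            if (chain.length - suppliedLength >= this.trustedCertificates.size()) {
                SSLSetup.debug(2, "Certificate chain completion stopped: issuer names in the trusted store form a loop");
                break;
            }
            chain = appendToCertChain(chain, issuerMatches[0]);
            X509Certificate appended = chain[chain.length - 1];
            subject = convertToCerticom(appended.getSubjectDN());
            issuer = convertToCerticom(appended.getIssuerDN());
        }

        if (x509CertificateArr.length > 1 && subject.equals(issuer)) {
            X509Certificate[] anchors = findInTrusted(issuer);
            if (anchors != null) {
                X509Certificate tail = chain[chain.length - 1];
                // The result of findInTrusted is packed at the front and null-padded.
                for (int i = 0; i < anchors.length && anchors[i] != null; i++) {
                    if (anchors[i].equals(tail)) {
                        return chain;
                    }
                }
                // The self-issued tail is not a trusted certificate: use the trusted one with
                // the same name so later checks run against the local trust anchor.
                X509Certificate replacement = anchors[0];
                if (replacement != null
                        && !replacement.equals(tail)
                        && issuer.equals(convertToCerticom(replacement.getSubjectDN()))) {
                    chain[chain.length - 1] = replacement;
                }
            }
        }
        return chain;
    }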

    /**
     * Returns a new array holding every element of the given chain followed by one more
     * certificate. The input array is left untouched.
     *
     * @param x509CertificateArr existing chain; must not be {@code null}
     * @param x509Certificate certificate to place in the last slot
     * @return a fresh array one element longer than the input
     */
    private X509Certificate[] appendToCertChain(X509Certificate[] x509CertificateArr, X509Certificate x509Certificate) {
        int oldLength = x509CertificateArr.length;
        X509Certificate[] extended = new X509Certificate[oldLength + 1];
        System.arraycopy(x509CertificateArr, 0, extended, 0, oldLength);
        extended[oldLength] = x509Certificate;
        return extended;
    }

    /**
     * Replaces chain certificates that are outside their validity period with trusted
     * certificates of the same subject, where one exists.
     *
     * <p>Element 0 is never examined; the scan starts at index 1. The array is modified in
     * place and the same array is returned.
     *
     * <p>NOTE(review): the substitute is chosen by subject name only (see
     * {@code replaceWithTrusted}); nothing here compares the public key of the replaced
     * certificate with that of the substitute. Signature checks are presumably done by
     * later validation - confirm.
     *
     * @param x509CertificateArr chain to scan; must not be {@code null}
     * @return the same array instance
     */
    private X509Certificate[] replaceCaExpiredCerts(X509Certificate[] x509CertificateArr) {
        for (int idx = 1; idx < x509CertificateArr.length; idx++) {
            try {
                x509CertificateArr[idx].checkValidity();
                // Still within its validity period: keep the supplied certificate.
                continue;
            } catch (CertificateExpiredException expired) {
                if (SSLSetup.getDebugEaten()) {
                    SSLSetup.debug(3, expired, "........... Eating Exception ..........");
                }
            } catch (CertificateNotYetValidException notYetValid) {
                if (SSLSetup.getDebugEaten()) {
                    SSLSetup.debug(3, notYetValid, "........... Eating Exception ..........");
                }
            }
            x509CertificateArr[idx] = replaceWithTrusted(x509CertificateArr[idx]);
        }
        return x509CertificateArr;
    }

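    /**
     * Looks up a currently valid trusted certificate with the same subject name as the given
     * certificate.
     *
     * <p>The lookup is by subject distinguished name only; the keys of the two certificates
     * are not compared here.
     *
     * @param x509Certificate certificate to find a substitute for; must not be {@code null}
     * @return the first match from the trusted store, or the argument itself when the store
     *     has no valid certificate with that subject
     */
    private X509Certificate replaceWithTrusted(X509Certificate x509Certificate) {
        // The listing also allocated an array sized to the trusted store that was never
        // read; it has been dropped.
        X509Certificate[] trustedMatches = findInTrusted(x509Certificate.getSubjectDN());
        return trustedMatches != null ? trustedMatches[0] : x509Certificate;
    }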

    /**
     * Collects the trusted certificates whose subject name equals the given principal and
     * which are inside their validity period at the time of the call.
     *
     * <p>The returned array is as long as the whole trusted store: matches are packed at the
     * front and the remaining slots are {@code null}, so callers must stop at the first
     * {@code null}. Matching is by distinguished name only. Expired and not-yet-valid
     * certificates are skipped; the exception is logged only when debug logging of swallowed
     * exceptions is enabled.
     *
     * @param principal subject name to look for
     * @return the null-padded match array, or {@code null} when nothing matched
     */
    private X509Certificate[] findInTrusted(Principal principal) {
        X509Certificate[] matches = new X509Certificate[this.trustedCertificates.size()];
        Enumeration trusted = this.trustedCertificates.elements();
        Principal wanted = convertToCerticom(principal);
        int matchCount = 0;
        for (; trusted.hasMoreElements(); ) {
            X509Certificate candidate = (X509Certificate) trusted.nextElement();
            if (!wanted.equals(convertToCerticom(candidate.getSubjectDN()))) {
                continue;
            }
            try {
                candidate.checkValidity();
                matches[matchCount++] = candidate;
            } catch (CertificateExpiredException expired) {
                if (SSLSetup.getDebugEaten()) {
                    SSLSetup.debug(3, expired, "........... Eating Exception ..........");
                }
            } catch (CertificateNotYetValidException notYetValid) {
                if (SSLSetup.getDebugEaten()) {
                    SSLSetup.debug(3, notYetValid, "........... Eating Exception ..........");
                }
            }
        }
        return matchCount == 0 ? null : matches;
    }

    /**
     * Converts a principal to the Certicom {@code PrincipalImpl} representation so that names
     * coming from different providers can be compared with {@code equals}.
     *
     * <p>A {@code PrincipalImpl} is returned as is. Any other principal is converted by
     * calling its public no-argument {@code getEncoded} method through reflection and
     * passing the resulting bytes to {@code PrincipalImpl}. If the method is missing, not
     * accessible, or throws, the failure is logged at debug level 3 and the original
     * principal is returned unconverted.
     *
     * <p>NOTE(review): on a failed conversion the caller compares a {@code PrincipalImpl}
     * with a foreign principal type. Whether that comparison can ever succeed depends on
     * {@code PrincipalImpl.equals}, which is not visible here - confirm it cannot report a
     * match.
     *
     * @param principal principal to convert; may be {@code null}
     * @return the converted principal, the argument itself when conversion is not needed or
     *     fails, or {@code null} for a {@code null} argument
     */
    public static Principal convertToCerticom(Principal principal) {
        if (principal == null) {
            return null;
        }
        if (principal instanceof PrincipalImpl) {
            return principal;
        }
        SSLSetup.debug(3, "Converting principal: " + principal);
        Principal converted = principal;
        try {
            Method encoder = principal.getClass().getMethod("getEncoded");
            if (encoder == null) {
                // Kept from the original; getMethod reports absence by throwing.
                SSLSetup.debug(3, "Couldn't convert principal, SKIPPING: " + principal);
            } else {
                converted = new PrincipalImpl((byte[]) encoder.invoke(principal));
            }
        } catch (IllegalAccessException accessFailure) {
            SSLSetup.debug(3, accessFailure, "Couldn't convert principal, SKIPPING: " + principal);
        } catch (NoSuchMethodException missingMethod) {
            SSLSetup.debug(3, missingMethod, "Couldn't convert principal, SKIPPING: " + principal);
        } catch (InvocationTargetException invocationFailure) {
            SSLSetup.debug(3, invocationFailure, "Couldn't convert principal, SKIPPING: " + principal);
        }
        return converted;
    }

    /**
     * Returns the certificate as an {@code X509V3CertImpl}.
     *
     * <p>An instance of that class is returned directly. Any other certificate is re-parsed
     * from its encoded form. If encoding or parsing fails, the problem is logged at debug
     * level 2 and {@code null} is returned, so callers must treat {@code null} as a failure.
     *
     * @param x509Certificate certificate to convert; may be {@code null}
     * @return the converted certificate, or {@code null} for a {@code null} argument or a
     *     failed conversion
     */
    private X509V3CertImpl ConvertToX509V3CertImpl(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return null;
        }
        if (x509Certificate instanceof X509V3CertImpl) {
            return (X509V3CertImpl) x509Certificate;
        }
        try {
            return new X509V3CertImpl(x509Certificate.getEncoded());
        } catch (CertificateEncodingException encodingFailure) {
            SSLSetup.debug(2, encodingFailure, "Problem Certificate: " + x509Certificate);
        } catch (CertificateParsingException parsingFailure) {
            SSLSetup.debug(2, parsingFailure, "Problem Certificate: " + x509Certificate);
        }
        return null;
    }
}
