package weblogic.security.SSL;

import com.rsa.certj.cert.CertificateException;
import com.rsa.certj.cert.X509Certificate;
import com.rsa.certj.cert.X509V3Extensions;
import com.rsa.certj.cert.extensions.BasicConstraints;
import com.rsa.certj.cert.extensions.X509V3Extension;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Date;
import java.util.Enumeration;
import java.util.Vector;
import weblogic.apache.xerces.impl.xs.SchemaSymbols;
import weblogic.security.KeyManagementException;
import weblogic.security.MessageDigestUtils;
import weblogic.security.RSAPrivateKey;
import weblogic.security.RSAPublicKey;
import weblogic.security.Utils;
import weblogic.security.X509;

/* loaded from: input_file:weblogic.jar:weblogic/security/SSL/SSLCertificate.class */
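/**
 * TLS/SSL {@code Certificate} handshake message: an ordered list of {@link X509}
 * objects with the wire encoding used by {@link #output} / {@link #input}, plus
 * helper checks on a Cert-J certificate chain.
 *
 * <p>Review notes for readers of this decompiled listing:
 * <ul>
 *   <li>{@link #verify()} was not recovered by the decompiler, so this listing cannot be
 *       used to judge what the real method checks (signatures, trust anchors, ...).</li>
 *   <li>The chain helpers visible here compare distinguished names, validity dates and
 *       BasicConstraints only. No signature verification is visible in them.</li>
 *   <li>All three fields are public and mutable, including {@link #privateKey}, so any
 *       code holding a reference can read or replace them.</li>
 * </ul>
 */
public final class SSLCertificate extends HandshakeMessage {
    // Raw Vector of X509 objects; index 0 is treated as the leaf and the last index as the root.
    public Vector certificateList;
    // Connection state; null when the no-arg constructor is used.
    public SSLState state;
    // Never assigned in this class; only exposed through getPrivateKey().
    public RSAPrivateKey privateKey;

    /** Creates an empty message with no connection state ({@code state} stays null). */
    public SSLCertificate() {
        this(null);
    }

    /**
     * Creates an empty message bound to a connection state.
     *
     * @param sSLState connection state used for alerts and parameters; may be null
     */
    public SSLCertificate(SSLState sSLState) {
        this.state = sSLState;
        this.certificateList = new Vector();
    }

    /**
     * Writes the message body: two 24-bit lengths ({@code length() - 3} and
     * {@code length() - 6}), then each certificate prefixed by its own 24-bit length.
     *
     * @param outputStream destination stream
     * @throws IOException if writing fails
     */
    @Override // weblogic.security.Streamable
    public void output(OutputStream outputStream) throws IOException {
        int total = length();
        Utils.output24bit(total - 3, outputStream);
        Utils.output24bit(total - 6, outputStream);
        Enumeration certs = this.certificateList.elements();
        while (certs.hasMoreElements()) {
            X509 cert = (X509) certs.nextElement();
            Utils.output24bit(cert.length(), outputStream);
            cert.output(outputStream);
        }
    }

    /**
     * Reads a certificate list from the peer, appends each parsed certificate to
     * {@link #certificateList} (the list is not cleared first), then calls {@link #verify()}.
     *
     * <p>NOTE(review): the first 24-bit length and every per-certificate length are read
     * and discarded; only the second length sizes the buffer, and each {@code X509}
     * decides for itself how many bytes it consumes. The declared lengths are therefore
     * never cross-checked against what was parsed. The buffer size comes straight from
     * the peer (up to the 24-bit maximum) before any certificate has been validated.
     *
     * @param inputStream stream positioned at the message body
     * @throws IOException if reading fails or a certificate cannot be parsed; in the
     *     latter case the original parse exception is attached as the cause
     */
    @Override // weblogic.security.Streamable
    public void input(InputStream inputStream) throws IOException {
        Utils.input24bit(inputStream); // first declared length, unused
        byte[] listBytes = new byte[Utils.input24bit(inputStream)];
        Utils.inputByteArray(listBytes, inputStream);
        ByteArrayInputStream listStream = new ByteArrayInputStream(listBytes);
        while (listStream.available() > 0) {
            Utils.input24bit(listStream); // per-certificate declared length, unused
            try {
                this.certificateList.addElement(new X509(listStream));
            } catch (KeyManagementException e) {
                IOException failure = new IOException(e.toString());
                // Keep the parse failure reachable for diagnostics instead of only its text.
                failure.initCause(e);
                // state is null after the no-arg constructor; without this guard a
                // NullPointerException would replace the parse error.
                if (this.state != null && this.state.socket != null) {
                    // presumably (level 2 = fatal, description 42 = bad_certificate) in the
                    // TLS alert numbering; confirm against sendAlert's parameter order
                    this.state.socket.sendAlert(2, 42);
                    this.state.socket.abort(failure);
                }
                throw failure;
            }
        }
        verify();
    }

    /**
     * NOT RECOVERED: the decompiler failed on this method (860 bytecode instructions,
     * NullPointerException in its region pass) and emitted the stub below in its place.
     * The stub is not the shipped behaviour. Review the original bytecode before drawing
     * any conclusion about what certificate verification this class performs.
     *
     * @throws java.io.IOException declared by the original method
     */
    public void verify() throws java.io.IOException {
        throw new UnsupportedOperationException("Method not decompiled: weblogic.security.SSL.SSLCertificate.verify():void");
    }

    /**
     * Checks a chain ordered leaf-first: validity date of every certificate, issuer/subject
     * name chaining plus CA BasicConstraints for every link, and
     * {@link #verifySelfSignedCert} for the last certificate.
     *
     * <p>NOTE(review): nothing in this method or its helpers verifies a signature, and an
     * incomplete chain (last certificate not self-signed) is only logged. Treat a
     * {@code true} result as "structurally plausible", not as "trusted"; whether signatures
     * and trust anchors are checked elsewhere cannot be told from this listing.
     *
     * @param x509CertificateArr chain with the end-entity certificate at index 0
     * @return false if the chain is null/empty or any check failed; all checks are run
     *     (and logged) even after the first failure
     */
    public boolean validateCertChain(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            SSLState.println("No certificates found");
            return false;
        }
        boolean chainOk = true;
        final int lastIndex = x509CertificateArr.length - 1;
        Date now = new Date();
        for (int i = 0; i <= lastIndex; i++) {
            X509Certificate cert = x509CertificateArr[i];
            SSLState.println("Cert[" + i + "]: " + cert.getSubjectName());
            if (!cert.checkValidityDate(now)) {
                chainOk = false;
                SSLState.println("Validity date check failed");
            }
            // Advisory only: a failed end-entity check is logged but does not fail the chain.
            if (i == 0 && !verifyEndEntity(cert)) {
                SSLState.println("First cert in chain is not an end entity\nthis doesn't conform to TLS V1.0 and may be rejected");
            }
            if (i < lastIndex) {
                if (!verifyIssuedBy(cert, x509CertificateArr[i + 1], i)) {
                    chainOk = false;
                }
            } else if (!verifySelfSignedCert(cert, i)) {
                chainOk = false;
            }
        }
        return chainOk;
    }

    /**
     * Checks that {@code x509Certificate2} is a plausible issuer of {@code x509Certificate}:
     * the issuer name must equal the issuer certificate's subject name, and the issuer must
     * pass {@link #verifyCAExtensions}. Name comparison only; no signature check is made here.
     *
     * @param x509Certificate the issued certificate
     * @param x509Certificate2 the candidate issuer certificate
     * @param i chain index of the issued certificate, passed on as the path depth
     * @return true only if both checks pass
     */
    private boolean verifyIssuedBy(X509Certificate x509Certificate, X509Certificate x509Certificate2, int i) {
        boolean ok = true;
        if (!x509Certificate.getIssuerName().equals(x509Certificate2.getSubjectName())) {
            SSLState.println("Issuer DN from certificate, doesn't match subjectDN from the issuer certificate");
            SSLState.println("     Expected DN: " + x509Certificate.getIssuerName());
            SSLState.println("       Actual DN: " + x509Certificate2.getSubjectName());
            ok = false;
        }
        if (!verifyCAExtensions(x509Certificate2, i)) {
            ok = false;
        }
        return ok;
    }

    /**
     * Handles the last certificate of a chain.
     *
     * <p>As written, the only case that can return false is a single-certificate chain
     * ({@code i == 0}) whose certificate is self-signed but fails {@link #verifyCAExtensions}.
     * A last certificate that is not self-signed is logged as an incomplete chain and
     * accepted; for {@code i > 0} no further check is made here (the CA extensions of that
     * certificate are checked by {@code verifyIssuedBy} for the link below it).
     *
     * @param x509Certificate last certificate in the chain
     * @param i its index in the chain
     * @return false only in the case described above
     */
    public boolean verifySelfSignedCert(X509Certificate x509Certificate, int i) {
        boolean selfSigned = x509Certificate.getIssuerName().equals(x509Certificate.getSubjectName());
        if (!selfSigned) {
            SSLState.println("Certificate chain is incomplete, can't confirm the entire chain is valid");
            if (i == 0) {
                return true;
            }
        }
        if (i == 0 && !verifyCAExtensions(x509Certificate, i)) {
            return false;
        }
        return true;
    }

    /**
     * Checks that a certificate carries a BasicConstraints extension marking it as a CA.
     *
     * <p>Fails when the extension is absent, when {@code getCA()} is false, when strict
     * enforcement is configured and the extension is not critical, or when {@code i}
     * exceeds a path length constraint.
     *
     * <p>NOTE(review): a {@code CertificateException} is logged and the loop continues. If
     * it is raised after BasicConstraints was recognised, the remaining checks for that
     * extension are skipped without failing the result; confirm which accessors can throw.
     *
     * @param x509Certificate certificate expected to be a CA
     * @param i path depth compared against the path length constraint; -1 disables it
     * @return true if every applicable check passed
     */
    public boolean verifyCAExtensions(X509Certificate x509Certificate, int i) {
        boolean ok = true;
        boolean foundBasicConstraints = false;
        // Result unused; the call is kept because it is present in the decompiled original.
        x509Certificate.getVersion();
        X509V3Extensions extensions = x509Certificate.getExtensions();
        if (extensions != null) {
            for (int idx = 0; idx < extensions.getExtensionCount(); idx++) {
                try {
                    X509V3Extension extension = extensions.getExtensionByIndex(idx);
                    if (!(extension instanceof BasicConstraints)) {
                        continue;
                    }
                    foundBasicConstraints = true;
                    BasicConstraints basicConstraints = (BasicConstraints) extension;
                    if (!basicConstraints.getCA()) {
                        SSLState.println("CA cert not marked with BasicConstraint indicating it is a CA");
                        ok = false;
                    }
                    // Criticality is enforced only when the configured value matches the
                    // constant below (presumably the literal "strict", substituted by the
                    // decompiler with an unrelated XML-schema constant - confirm).
                    boolean strict = false;
                    if (this.state.params != null) {
                        String enforce = this.state.params.getEnforceCertificateConstraints();
                        strict = enforce != null && enforce.equalsIgnoreCase(SchemaSymbols.ATTVAL_STRICT);
                    }
                    if (strict && !basicConstraints.getCriticality()) {
                        SSLState.println("CA cert not marked with critical BasicConstraint indicating it is a CA");
                        ok = false;
                    }
                    if (i != -1) {
                        int pathLen = basicConstraints.getPathLen();
                        if (pathLen != -1 && i > pathLen) {
                            SSLState.println("PathLength constraint exceeded, constraint = " + pathLen + ", current = " + i);
                            ok = false;
                        }
                    }
                } catch (CertificateException e) {
                    SSLState.println("Failed getting extensions");
                    SSLState.println(e);
                }
            }
        }
        if (!foundBasicConstraints) {
            // Same text as the strict-mode message above, so the log alone does not
            // distinguish "extension missing" from "extension not critical".
            SSLState.println("CA cert not marked with critical BasicConstraint indicating it is a CA");
            ok = false;
        }
        return ok;
    }

    /**
     * Stub: always returns true, so no end-entity check is performed by this class.
     *
     * @param x509Certificate ignored
     * @return always true
     */
    public boolean verifyEndEntity(X509Certificate x509Certificate) {
        return true;
    }

    /**
     * Returns 6 plus, for each certificate, 3 bytes of length prefix and its encoded length.
     *
     * @return the size used by {@link #output} to compute its two length fields
     */
    @Override // weblogic.security.Streamable
    public int length() {
        int total = 6;
        Enumeration certs = this.certificateList.elements();
        while (certs.hasMoreElements()) {
            total += 3 + ((X509) certs.nextElement()).length();
        }
        return total;
    }

    /**
     * Returns the certificate count followed by one indented line per certificate.
     *
     * @return a multi-line description of the certificate list
     */
    @Override
    public String toString() {
        StringBuilder text = new StringBuilder();
        text.append(this.certificateList.size()).append(" certificate(s):\n");
        Enumeration certs = this.certificateList.elements();
        while (certs.hasMoreElements()) {
            text.append("  ").append((X509) certs.nextElement()).append("\n");
        }
        return text.toString();
    }

    /**
     * Returns the key of the first certificate, cast to {@code RSAPublicKey}.
     *
     * @return the leaf certificate's key
     * @throws ArrayIndexOutOfBoundsException if the list is empty
     * @throws ClassCastException if the key is not an {@code RSAPublicKey}
     */
    public RSAPublicKey getPublicKey() {
        return (RSAPublicKey) leafCert().getKey();
    }

    /**
     * Returns the {@link #privateKey} field as-is.
     *
     * @return the private key, or null if none was assigned
     */
    public RSAPrivateKey getPrivateKey() {
        return this.privateKey;
    }

    /**
     * Returns the last certificate in the list. Position is the only criterion; nothing
     * here checks that it is actually a root.
     *
     * @return the last certificate
     * @throws ArrayIndexOutOfBoundsException if the list is empty
     */
    public X509 rootCA() {
        return (X509) this.certificateList.elementAt(this.certificateList.size() - 1);
    }

    /**
     * Returns the first certificate in the list.
     *
     * @return the first certificate
     * @throws ArrayIndexOutOfBoundsException if the list is empty
     */
    public X509 leafCert() {
        return (X509) this.certificateList.elementAt(0);
    }

    /**
     * Returns a fresh array holding the certificates in list order.
     *
     * @return a new array; empty if the list is empty
     */
    public X509[] getCertificates() {
        X509[] certs = new X509[this.certificateList.size()];
        this.certificateList.copyInto(certs);
        return certs;
    }

    /**
     * Tells whether the fingerprint of the last certificate matches one of the given
     * trusted fingerprints.
     *
     * <p>Fails closed: a null fingerprint set or an empty certificate list yields false
     * instead of an unchecked exception escaping from a trust decision.
     *
     * @param bArr trusted fingerprints; may be null or empty
     * @return true only if a fingerprint matches
     */
    public boolean rootCAvalid(byte[][] bArr) {
        if (bArr == null || this.certificateList.isEmpty()) {
            return false;
        }
        for (byte[] trusted : bArr) {
            if (MessageDigestUtils.isEqual(rootCA().getFingerprint(), trusted)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the last certificate against the fingerprints configured in
     * {@code state.params.rootCAfingerprints}.
     *
     * <p>Returns false when no state or parameters are attached. {@code verifyCAExtensions}
     * already allows for {@code state.params} being null, and {@code state} is null after
     * the no-arg constructor.
     *
     * @return true only if a configured fingerprint matches
     */
    public boolean rootCAvalid() {
        if (this.state == null || this.state.params == null) {
            return false;
        }
        return rootCAvalid(this.state.params.rootCAfingerprints);
    }
}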
