package org.jivesoftware.util;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.StringWriter;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.CertException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.openssl.MiscPEMGenerator;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import org.bouncycastle.pkcs.PKCSException;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemWriter;
import org.jivesoftware.openfire.keystore.CertificateStore;
import org.jivesoftware.openfire.keystore.CertificateUtils;
import org.jivesoftware.util.cert.CNCertificateIdentityMapping;
import org.jivesoftware.util.cert.CertificateIdentityMapping;
import org.jivesoftware.util.cert.SANCertificateIdentityMapping;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/util/CertificateManager.class */
public class CertificateManager {
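    /** Class-wide SLF4J logger. */
    private static final Logger Log = LoggerFactory.getLogger(CertificateManager.class);

    /** Matches an {@code =} and the text up to the next comma; applied to distinguished-name strings. */
    private static final Pattern valuesPattern = Pattern.compile("(?i)(=)([^,]*)");

    /** Listeners told about created and signed certificates; copy-on-write so it can be iterated while it changes. */
    private static final List<CertificateEventListener> listeners = new CopyOnWriteArrayList<>();

    /** Ordered mappings from a server certificate to identities; filled once by the static initializer. */
    private static final List<CertificateIdentityMapping> serverCertMapping = new ArrayList<>();

    /** Ordered mappings from a client certificate to identities; filled once by the static initializer. */
    private static final List<CertificateIdentityMapping> clientCertMapping = new ArrayList<>();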

    /**
     * Returns the end-entity certificate of a chain, but only if a PKIX path from it to a trust
     * anchor can be built and validated.
     *
     * <p>The first array element is treated as the end-entity certificate and must be inside its
     * validity period. A lone certificate whose subject equals its issuer is accepted only when
     * that exact certificate is stored in {@code keyStore2}. In every other case a path is built
     * with {@code keyStore2} supplying the trust anchors; the certificate entries of both stores
     * and the supplied chain are offered as path candidates.
     *
     * <p>Security note: revocation checking is switched off for both path building and path
     * validation, so a revoked certificate is not rejected here. Every failure is reported as
     * {@code null} after a warning that carries only the exception message.
     *
     * @param certificateArr certificate chain to evaluate, end-entity certificate first
     * @param keyStore store whose certificate entries are offered as extra path candidates
     * @param keyStore2 store that supplies the trust anchors (its certificate entries are offered too)
     * @return the validated end-entity certificate, or {@code null} when the array is empty or
     *         validation fails for any reason
     */
    public static X509Certificate getEndEntityCertificate(Certificate[] certificateArr, KeyStore keyStore, KeyStore keyStore2) {
        if (certificateArr.length == 0) {
            return null;
        }
        final X509Certificate endEntity = (X509Certificate) certificateArr[0];

        // Step 1: the end-entity certificate itself must be currently valid.
        try {
            endEntity.checkValidity();
        } catch (CertificateException invalid) {
            Log.warn("EE Certificate not valid: " + invalid.getMessage());
            return null;
        }

        // Step 2: a single self-issued certificate is trusted only if it is pinned in the trust store.
        final boolean loneSelfIssued = certificateArr.length == 1
                && endEntity.getSubjectX500Principal().equals(endEntity.getIssuerX500Principal());
        if (loneSelfIssued) {
            try {
                return keyStore2.getCertificateAlias(endEntity) != null ? endEntity : null;
            } catch (KeyStoreException storeFailure) {
                Log.warn("Keystore error while looking for self-signed cert; assuming untrusted.");
                return null;
            }
        }

        // Step 3: build and validate a PKIX path ending in a trust anchor from keyStore2.
        try {
            final List<Certificate> candidates = new ArrayList<>();
            for (KeyStore store : new KeyStore[] {keyStore, keyStore2}) {
                final Enumeration<String> aliases = store.aliases();
                while (aliases.hasMoreElements()) {
                    final String alias = aliases.nextElement();
                    if (store.isCertificateEntry(alias)) {
                        candidates.add((X509Certificate) store.getCertificate(alias));
                    }
                }
            }
            for (Certificate supplied : certificateArr) {
                candidates.add(supplied);
            }

            final X509CertSelector target = new X509CertSelector();
            target.setCertificate(endEntity);

            final PKIXBuilderParameters params = new PKIXBuilderParameters(keyStore2, target);
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates)));
            params.setDate(new Date());
            // Revocation (CRL/OCSP) is deliberately not consulted; see the security note above.
            params.setRevocationEnabled(false);

            final CertPathBuilder builder = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
            final CertPath path = builder.build(params).getCertPath();
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return (X509Certificate) path.getCertificates().get(0);
        } catch (CertPathBuilderException noPath) {
            Log.warn("Path builder: " + noPath.getMessage());
            return null;
        } catch (CertPathValidatorException rejected) {
            Log.warn("Path validator: " + rejected.getMessage());
            return null;
        } catch (Exception other) {
            Log.warn("Unkown exception while validating certificate chain: " + other.getMessage());
            return null;
        }
    }

    /**
     * Derives the identities a client certificate stands for.
     *
     * <p>The configured client mappings are consulted in order and the result of the first one
     * that yields at least one identity is returned. This method only reads the certificate; it
     * performs no validation of it, so the result is only meaningful for a certificate that has
     * already been validated elsewhere.
     *
     * @param x509Certificate certificate to extract identities from
     * @return a new list with the identities of the first productive mapping, or an empty list
     */
    public static List<String> getClientIdentities(X509Certificate x509Certificate) {
        final List<String> identities = new ArrayList<>();
        for (CertificateIdentityMapping mapping : clientCertMapping) {
            final List<String> mapped = mapping.mapIdentity(x509Certificate);
            Log.debug("CertificateManager: " + mapping.name() + " returned " + mapped.toString());
            if (!mapped.isEmpty()) {
                // First mapping with a result wins; later mappings are not consulted.
                identities.addAll(mapped);
                break;
            }
        }
        return identities;
    }

    /**
     * Derives the identities a server certificate stands for.
     *
     * <p>The configured server mappings are consulted in order and the result of the first one
     * that yields at least one identity is returned. This method only reads the certificate; it
     * performs no validation of it, so the result is only meaningful for a certificate that has
     * already been validated elsewhere.
     *
     * @param x509Certificate certificate to extract identities from
     * @return a new list with the identities of the first productive mapping, or an empty list
     */
    public static List<String> getServerIdentities(X509Certificate x509Certificate) {
        final List<String> identities = new ArrayList<>();
        for (CertificateIdentityMapping mapping : serverCertMapping) {
            final List<String> mapped = mapping.mapIdentity(x509Certificate);
            Log.debug("CertificateManager: " + mapping.name() + " returned " + mapped.toString());
            if (!mapped.isEmpty()) {
                // First mapping with a result wins; later mappings are not consulted.
                identities.addAll(mapped);
                break;
            }
        }
        return identities;
    }

    /**
     * Tells whether the store holds a certificate with an RSA public key for the given domain.
     *
     * @param certificateStore store to search
     * @param str domain to look for, or {@code "*"} to accept any certificate with an RSA key
     * @return {@code true} if a matching certificate exists
     * @throws KeyStoreException if the underlying key store cannot be read
     */
    public static boolean isRSACertificate(CertificateStore certificateStore, String str) throws KeyStoreException {
        final String keyAlgorithm = "RSA";
        return isCertificate(certificateStore, str, keyAlgorithm);
    }

    /**
     * Tells whether the store holds a certificate with a DSA public key for the given domain.
     *
     * @param certificateStore store to search
     * @param str domain to look for, or {@code "*"} to accept any certificate with a DSA key
     * @return {@code true} if a matching certificate exists
     * @throws KeyStoreException if the underlying key store cannot be read
     */
    public static boolean isDSACertificate(CertificateStore certificateStore, String str) throws KeyStoreException {
        final String keyAlgorithm = "DSA";
        return isCertificate(certificateStore, str, keyAlgorithm);
    }

    /**
     * Tells whether the certificate's public key reports the algorithm name {@code "DSA"}.
     * The comparison is case-sensitive.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} if the public key algorithm is exactly {@code "DSA"}
     * @throws KeyStoreException declared for interface compatibility; nothing in the body raises it
     */
    public static boolean isDSACertificate(X509Certificate x509Certificate) throws KeyStoreException {
        final String keyAlgorithm = x509Certificate.getPublicKey().getAlgorithm();
        return keyAlgorithm.equals("DSA");
    }

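    /**
     * Searches a certificate store for an X.509 certificate whose public key uses the given
     * algorithm and that covers the given domain.
     *
     * <p>Aliases that yield no certificate, or a certificate that is not X.509, are skipped
     * instead of failing the whole search.
     *
     * @param certificateStore store to search
     * @param str domain to look for; {@code "*"} matches any certificate with the right key algorithm
     * @param str2 public-key algorithm name, compared case-insensitively
     * @return {@code true} as soon as one matching certificate is found
     * @throws KeyStoreException if the underlying key store cannot be read
     */
    private static boolean isCertificate(CertificateStore certificateStore, String str, String str2) throws KeyStoreException {
        final KeyStore store = certificateStore.getStore();
        final Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            final Certificate entry = store.getCertificate(aliases.nextElement());
            if (!(entry instanceof X509Certificate)) {
                // Covers both a missing certificate (null) and a non-X.509 certificate.
                continue;
            }
            final X509Certificate candidate = (X509Certificate) entry;
            if (!candidate.getPublicKey().getAlgorithm().equalsIgnoreCase(str2)) {
                continue;
            }
            if ("*".equals(str)) {
                return true;
            }
            for (String identity : getServerIdentities(candidate)) {
                // NOTE(review): this is a plain suffix test, not a label-aware domain match, so an
                // identity that merely ends in the same characters as the domain also counts
                // (constructed example: "notexample.test" for domain "example.test").
                // Confirm that callers use the result only as a presence hint.
                if (identity.endsWith(str)) {
                    return true;
                }
            }
        }
        return false;
    }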

    /**
     * Tells whether the certificate's signature verifies under the certificate's own public key.
     *
     * <p>Only the signature is checked; the result says nothing about validity period or trust.
     *
     * @param x509Certificate certificate to test
     * @return {@code true} if verification succeeds, {@code false} if it raises any
     *         {@link GeneralSecurityException}
     * @throws KeyStoreException declared for interface compatibility; nothing in the body raises it
     */
    public static boolean isSelfSignedCertificate(X509Certificate x509Certificate) throws KeyStoreException {
        boolean verifiesWithOwnKey = true;
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
        } catch (GeneralSecurityException mismatch) {
            verifiesWithOwnKey = false;
        }
        return verifiesWithOwnKey;
    }

    /**
     * Tells whether the certificate is self-signed and its issuer DN string contains at least two
     * matches of {@code valuesPattern} (an {@code =} followed by text up to the next comma).
     *
     * @param x509Certificate certificate to test
     * @return {@code true} only if both conditions hold
     * @throws KeyStoreException propagated from the self-signed check
     */
    public static boolean isSigningRequestPending(X509Certificate x509Certificate) throws KeyStoreException {
        if (!isSelfSignedCertificate(x509Certificate)) {
            return false;
        }
        final Matcher pairs = valuesPattern.matcher(x509Certificate.getIssuerDN().toString());
        int seen = 0;
        // Stop after the second match; only "at least two" matters.
        while (seen < 2 && pairs.find()) {
            seen++;
        }
        return seen == 2;
    }

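    /**
     * Builds a PKCS#10 certificate signing request for the certificate's subject and public key,
     * signed with the given private key, and returns it PEM-encoded.
     *
     * <p>The signature algorithm name is {@code "SHA256WITH"} followed by the public key's
     * algorithm name.
     * NOTE(review): confirm that this concatenation yields a name the signer builder accepts for
     * every key type in use (for example keys whose algorithm is reported as {@code "EC"}).
     *
     * @param x509Certificate certificate that supplies subject and public key
     * @param privateKey key used to sign the request; expected to match the public key
     * @return the PEM text of the signing request
     * @throws OperatorCreationException if the content signer cannot be created
     * @throws IOException if PEM encoding fails
     */
    public static String createSigningRequest(X509Certificate x509Certificate, PrivateKey privateKey) throws OperatorCreationException, IOException {
        final PublicKey publicKey = x509Certificate.getPublicKey();
        final String signatureAlgorithm = "SHA256WITH" + publicKey.getAlgorithm();
        final PKCS10CertificationRequest request =
                new JcaPKCS10CertificationRequestBuilder(x509Certificate.getSubjectX500Principal(), publicKey)
                        .build(new JcaContentSignerBuilder(signatureAlgorithm).build(privateKey));

        final StringWriter pem = new StringWriter();
        // try-with-resources closes (and flushes) the writer even when encoding fails.
        try (PemWriter pemWriter = new PemWriter(pem)) {
            pemWriter.writeObject(new MiscPEMGenerator(request));
        }
        return pem.toString();
    }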

    /**
     * Installs a CA reply for an existing key entry: the certificate chain from the reply replaces
     * the chain stored under the alias while the private key is kept.
     *
     * <p>NOTE(review): the chain helpers are called with {@code null} for the existing
     * certificate, so the comparison between the reply's public key and the stored one is not
     * performed here. Nothing in this method confirms that the installed chain belongs to the
     * private key it is stored with.
     *
     * @param keyStore store that holds the key entry and receives the new chain
     * @param keyStore2 store consulted in addition when the chain is established
     * @param cArr password of the key entry
     * @param str alias of the key entry
     * @param inputStream certificate data of the reply
     * @return {@code true} if the chain was installed; {@code false} if the alias has no
     *         certificate or no acceptable chain could be established
     * @throws Exception if the reply holds no certificates or chain processing fails
     */
    public static boolean installReply(KeyStore keyStore, KeyStore keyStore2, char[] cArr, String str, InputStream inputStream) throws Exception {
        final X509Certificate existing = (X509Certificate) keyStore.getCertificate(str);
        if (existing == null) {
            Log.warn("Certificate not found for alias: " + str);
            return false;
        }
        final PrivateKey storedKey = (PrivateKey) keyStore.getKey(str, cArr);

        final Collection<X509Certificate> reply = parseCertificates(inputStream);
        if (reply.isEmpty()) {
            throw new Exception("Reply has no certificates");
        }

        final List<X509Certificate> chain;
        if (reply.size() == 1) {
            chain = establishCertChain(keyStore, keyStore2, null, reply.iterator().next());
        } else {
            chain = validateReply(keyStore, keyStore2, str, null, reply);
        }
        if (chain == null) {
            return false;
        }

        final Certificate[] chainArray = chain.toArray(new X509Certificate[chain.size()]);
        keyStore.setKeyEntry(str, storedKey, cArr, chainArray);

        // A failing listener must not undo or block the installation.
        for (CertificateEventListener listener : listeners) {
            try {
                listener.certificateSigned(keyStore, str, chain);
            } catch (Exception listenerFailure) {
                Log.error(listenerFailure.getMessage(), (Throwable) listenerFailure);
            }
        }
        return true;
    }

    /**
     * Installs a new key entry from a PEM private key and accompanying certificate data.
     *
     * <p>NOTE(review): nothing in this method checks that the parsed private key corresponds to
     * the public key of the first certificate. The "existing certificate" handed to the chain
     * helpers is always {@code null} at that point, so their public-key comparison is skipped.
     *
     * @param keyStore store that receives the new key entry
     * @param keyStore2 store consulted in addition when the chain is established
     * @param str password used to protect the new key entry
     * @param str2 alias for the new entry; must not already have a certificate
     * @param inputStream PEM data of the private key
     * @param str3 pass phrase for the private key, may be {@code null}
     * @param inputStream2 certificate data
     * @return {@code true} if the entry was stored; {@code false} if the alias is taken or no
     *         acceptable chain could be established
     * @throws Exception if no certificates are found or key/chain processing fails
     */
    public static boolean installCert(KeyStore keyStore, KeyStore keyStore2, String str, String str2, InputStream inputStream, String str3, InputStream inputStream2) throws Exception {
        final X509Certificate existing = (X509Certificate) keyStore.getCertificate(str2);
        if (existing != null) {
            Log.warn("Certificate already exists for alias: " + str2);
            return false;
        }

        final PrivateKey newKey = parsePrivateKey(inputStream, str3);
        final Collection<X509Certificate> supplied = parseCertificates(inputStream2);
        if (supplied.isEmpty()) {
            throw new Exception("No certificates were found");
        }

        // 'existing' is null from here on; it is passed through unchanged.
        final List<X509Certificate> chain;
        if (supplied.size() == 1) {
            chain = establishCertChain(keyStore, keyStore2, existing, supplied.iterator().next());
        } else {
            chain = validateReply(keyStore, keyStore2, str2, existing, supplied);
        }
        if (chain == null) {
            return false;
        }

        final Certificate[] chainArray = chain.toArray(new X509Certificate[chain.size()]);
        keyStore.setKeyEntry(str2, newKey, str.toCharArray(), chainArray);

        // A failing listener must not undo or block the installation.
        for (CertificateEventListener listener : listeners) {
            try {
                listener.certificateCreated(keyStore, str2, chain.get(0));
                if (chain.size() > 1) {
                    listener.certificateSigned(keyStore, str2, chain);
                }
            } catch (Exception listenerFailure) {
                Log.error(listenerFailure.getMessage(), (Throwable) listenerFailure);
            }
        }
        return true;
    }

    /**
     * Parses a private key from PEM text by delegating to the stream-based overload.
     *
     * @param str PEM text; must contain something other than whitespace
     * @param str2 pass phrase for an encrypted key, may be {@code null}
     * @return the parsed private key
     * @throws IllegalArgumentException if {@code str} is {@code null} or blank
     * @throws IOException if the key cannot be read or decrypted
     */
    public static PrivateKey parsePrivateKey(String str, String str2) throws IOException {
        final boolean missing = str == null || str.trim().isEmpty();
        if (missing) {
            throw new IllegalArgumentException("Argument 'pemRepresentation' cannot be null or an empty String.");
        }
        final byte[] pemBytes = str.getBytes(StandardCharsets.UTF_8);
        return parsePrivateKey(new ByteArrayInputStream(pemBytes), str2);
    }

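    /**
     * Reads the first PEM object from the stream and converts it to a private key.
     *
     * <p>Four kinds of PEM object are handled: an encrypted key pair, an encrypted PKCS#8 private
     * key, an unencrypted PKCS#8 private key and an unencrypted key pair. Anything else, including
     * input without any PEM object, is rejected with an {@link IOException}.
     *
     * <p>This body is a reconstruction: the decompiler could not recover the original
     * try-with-resources structure and emitted untyped placeholder variables that do not compile.
     * The reader and the parser are closed on every path.
     *
     * @param inputStream PEM data; read as UTF-8 and closed by this method
     * @param str pass phrase for encrypted input; {@code null} is treated as the empty string
     * @return the private key contained in the PEM data
     * @throws IOException if the data cannot be parsed, cannot be decrypted, or holds no
     *         supported private key object
     */
    public static PrivateKey parsePrivateKey(InputStream inputStream, String str) throws IOException {
        final String passPhrase = str == null ? "" : str;
        // PEM is ASCII; naming the charset keeps parsing independent of the platform default.
        try (InputStreamReader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8);
             PEMParser pemParser = new PEMParser(reader)) {
            final Object parsed = pemParser.readObject();
            final JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");

            if (parsed instanceof PEMEncryptedKeyPair) {
                final PEMKeyPair decrypted = ((PEMEncryptedKeyPair) parsed)
                        .decryptKeyPair(new JcePEMDecryptorProviderBuilder().build(passPhrase.toCharArray()));
                final KeyPair keyPair = converter.getKeyPair(decrypted);
                return keyPair.getPrivate();
            }
            if (parsed instanceof PKCS8EncryptedPrivateKeyInfo) {
                try {
                    final PrivateKeyInfo decrypted = ((PKCS8EncryptedPrivateKeyInfo) parsed)
                            .decryptPrivateKeyInfo(new JceOpenSSLPKCS8DecryptorProviderBuilder().build(passPhrase.toCharArray()));
                    return converter.getPrivateKey(decrypted);
                } catch (PKCSException | OperatorCreationException e) {
                    throw new IOException("Unable to decrypt private key.", e);
                }
            }
            if (parsed instanceof PrivateKeyInfo) {
                return converter.getPrivateKey((PrivateKeyInfo) parsed);
            }
            if (parsed instanceof PEMKeyPair) {
                return converter.getKeyPair((PEMKeyPair) parsed).getPrivate();
            }
            // Previously an unexpected or missing object surfaced as a ClassCastException or a
            // NullPointerException from the converter; report it as the declared exception type.
            throw new IOException("Input does not contain a supported PEM-encoded private key.");
        }
    }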

    /**
     * Parses certificates from text after removing runs of spaces at the start and at the end of
     * every line, then delegates to the stream-based overload.
     *
     * @param str certificate text, typically PEM
     * @return the certificates found in the text
     * @throws IOException declared by the stream-based overload
     * @throws CertificateException if the data cannot be parsed as certificates
     */
    public static Collection<X509Certificate> parseCertificates(String str) throws IOException, CertificateException {
        final String withoutTrailingSpaces = str.replaceAll("(?m) +$", "");
        final String withoutEdgeSpaces = withoutTrailingSpaces.replaceAll("(?m)^ +", "");
        final byte[] encoded = withoutEdgeSpaces.getBytes(StandardCharsets.UTF_8);
        return parseCertificates(new ByteArrayInputStream(encoded));
    }

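    /**
     * Parses every certificate found in the stream with an X.509 certificate factory.
     *
     * <p>The factory of the {@code "BC"} provider is preferred; if that provider is not
     * registered, the default provider's factory is used instead.
     *
     * <p>Parsing establishes structure only. The returned certificates are not validated or
     * trusted by virtue of having been parsed.
     *
     * @param inputStream certificate data
     * @return the parsed certificates; elements are X.509 certificates because the factory type
     *         is X.509
     * @throws IOException declared for interface compatibility
     * @throws CertificateException if no X.509 factory is available or the data cannot be parsed
     */
    @SuppressWarnings("unchecked") // an X.509 factory produces X509Certificate instances
    public static Collection<X509Certificate> parseCertificates(InputStream inputStream) throws IOException, CertificateException {
        CertificateFactory factory;
        try {
            factory = CertificateFactory.getInstance("X509", "BC");
        } catch (NoSuchProviderException providerMissing) {
            factory = CertificateFactory.getInstance("X509");
        }
        // The factory API is typed as Collection<? extends Certificate>; without this cast the
        // method does not compile.
        return (Collection<X509Certificate>) factory.generateCertificates(inputStream);
    }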

    /**
     * Registers a listener for certificate events.
     *
     * @param certificateEventListener listener to add
     * @throws NullPointerException if the listener is {@code null}
     */
    public static void addListener(CertificateEventListener certificateEventListener) {
        if (certificateEventListener != null) {
            listeners.add(certificateEventListener);
            return;
        }
        throw new NullPointerException();
    }

    /**
     * Unregisters a listener; a listener that was never registered is ignored.
     *
     * @param certificateEventListener listener to remove
     */
    public static void removeListener(CertificateEventListener certificateEventListener) {
        listeners.remove(certificateEventListener);
    }

    /**
     * Builds a certificate chain for a single reply certificate from the certificates found in
     * the two key stores.
     *
     * <p>When an existing certificate is supplied, the reply must carry the same public key and
     * must not be the identical certificate. When {@code null} is supplied, both checks are
     * skipped.
     *
     * <p>Security note: issuers are looked up by subject name and accepted on signature
     * verification; nothing in this method checks validity periods, CA constraints or revocation.
     * Entries from {@code keyStore2} replace entries from {@code keyStore} that share a subject name.
     *
     * @param keyStore first source of issuer certificates
     * @param keyStore2 second source of issuer certificates
     * @param x509Certificate certificate currently stored for the key, or {@code null}
     * @param x509Certificate2 certificate from the reply
     * @return the chain, starting with the reply certificate
     * @throws Exception if a check fails or no chain can be built
     */
    private static List<X509Certificate> establishCertChain(KeyStore keyStore, KeyStore keyStore2, X509Certificate x509Certificate, X509Certificate x509Certificate2) throws Exception {
        if (x509Certificate != null) {
            final boolean sameKey = x509Certificate.getPublicKey().equals(x509Certificate2.getPublicKey());
            if (!sameKey) {
                throw new Exception("Public keys in reply and keystore don't match");
            }
            if (x509Certificate2.equals(x509Certificate)) {
                throw new Exception("Certificate reply and certificate in keystore are identical");
            }
        }

        final Map<String, List<X509Certificate>> issuersByName = new Hashtable<>();
        for (KeyStore store : new KeyStore[] {keyStore, keyStore2}) {
            if (store.size() > 0) {
                issuersByName.putAll(getCertsByIssuer(store));
            }
        }

        final java.util.LinkedList<X509Certificate> chain = new java.util.LinkedList<>();
        if (!buildChain(x509Certificate2, chain, issuersByName)) {
            throw new Exception("Failed to establish chain from reply");
        }
        return chain;
    }

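    /**
     * Recursively builds a chain from a certificate up to a certificate whose subject equals its
     * issuer, prepending each link so that the finished list starts with the original certificate.
     *
     * <p>Issuer candidates are looked up by issuer name. The first candidate whose public key
     * verifies the certificate's signature and from which a chain can be completed is used. A
     * candidate that fails is skipped rather than aborting the search, so two certificates that
     * share a subject name (for example after a CA key change) do not block each other, and only
     * one issuer per level ends up in the chain.
     *
     * <p>Security note: a certificate whose subject equals its issuer ends the search without any
     * further check, and links are accepted on signature verification alone. Validity periods, CA
     * constraints and revocation are not examined, and there is no guard against issuer cycles
     * among the supplied certificates.
     *
     * @param x509Certificate certificate to find an issuer for
     * @param linkedList chain under construction; only modified along a successful path
     * @param map issuer candidates keyed by subject name
     * @return {@code true} if a chain was completed
     */
    private static boolean buildChain(X509Certificate x509Certificate, java.util.LinkedList<X509Certificate> linkedList, Map<String, List<X509Certificate>> map) {
        final Principal subject = x509Certificate.getSubjectDN();
        final Principal issuer = x509Certificate.getIssuerDN();
        if (subject.equals(issuer)) {
            linkedList.addFirst(x509Certificate);
            return true;
        }

        final List<X509Certificate> candidates = map.get(issuer.getName());
        if (candidates == null || candidates.isEmpty()) {
            return false;
        }

        for (X509Certificate candidate : candidates) {
            try {
                x509Certificate.verify(candidate.getPublicKey());
            } catch (Exception notSignedByCandidate) {
                // Same name, different key: try the next candidate.
                continue;
            }
            if (buildChain(candidate, linkedList, map)) {
                linkedList.addFirst(x509Certificate);
                return true;
            }
        }
        return false;
    }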

    /**
     * Indexes the certificates of a key store by subject name.
     *
     * <p>NOTE(review): the lookup below uses the {@code Principal} object as key while the map is
     * filled with {@code subjectDN.getName()} strings. The lookup therefore presumably never finds
     * an earlier list, and a later certificate with the same subject name replaces the earlier one
     * instead of being added next to it. Before aligning the two keys, confirm that every consumer
     * of this map copes with lists that hold more than one certificate.
     *
     * @param keyStore store whose entries are indexed
     * @return map from subject name to the certificates recorded for that name
     * @throws Exception if the key store cannot be read or an entry is not an X.509 certificate
     */
    private static Map<String, List<X509Certificate>> getCertsByIssuer(KeyStore keyStore) throws Exception {
        HashMap hashMap = new HashMap();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            X509Certificate x509Certificate = (X509Certificate) keyStore.getCertificate(aliases.nextElement());
            // Aliases without a certificate are skipped.
            if (x509Certificate != null) {
                Principal subjectDN = x509Certificate.getSubjectDN();
                // Key mismatch: Principal here, String in the put() below (see NOTE above).
                List list = (List) hashMap.get(subjectDN);
                if (list == null) {
                    list = new ArrayList();
                    list.add(x509Certificate);
                } else if (!list.contains(x509Certificate)) {
                    list.add(x509Certificate);
                }
                hashMap.put(subjectDN.getName(), list);
            }
        }
        return hashMap;
    }

    /**
     * Orders a collection of certificates by delegating to {@link CertificateUtils#order}.
     *
     * @param collection certificates to order
     * @return the ordered certificates as produced by {@code CertificateUtils.order}
     * @throws CertificateException if the delegate rejects the collection
     * @deprecated call {@link CertificateUtils#order} directly
     */
    @Deprecated
    public static List<X509Certificate> order(Collection<X509Certificate> collection) throws CertificateException {
        final List<X509Certificate> ordered = CertificateUtils.order(collection);
        return ordered;
    }

    /**
     * Orders and checks a multi-certificate reply and returns it as a chain.
     *
     * <p>Steps, in order: (1) if an existing certificate is given, move the reply certificate
     * with the same public key to the front; (2) reorder the remaining certificates so that each
     * one is followed by a certificate whose subject equals its issuer; (3) verify each
     * certificate's signature with the public key of its successor; (4) accept the last
     * certificate if it is present in either store, or if its signature verifies under the public
     * key of some certificate in {@code keyStore2}.
     *
     * <p>Security note: acceptance rests on name matching and signature verification only. This
     * method does not check validity periods, CA constraints or revocation. When
     * {@code x509Certificate} is {@code null}, step (1) is skipped and the reply is not tied to
     * any stored public key.
     *
     * @param keyStore store checked for the last certificate of the chain
     * @param keyStore2 store checked for the last certificate and searched for its signer
     * @param str alias, used only in an error message
     * @param x509Certificate certificate currently stored for the key, or {@code null}
     * @param collection certificates of the reply; expected to be non-empty
     * @return the ordered chain, or {@code null} if the last certificate is neither stored nor
     *         signed by a certificate in {@code keyStore2}
     * @throws Exception if the reply lacks the expected public key, is incomplete, or a signature
     *         does not verify
     */
    private static List<X509Certificate> validateReply(KeyStore keyStore, KeyStore keyStore2, String str, X509Certificate x509Certificate, Collection<X509Certificate> collection) throws Exception {
        ArrayList arrayList = new ArrayList(collection);
        if (x509Certificate != null) {
            // Step 1: find the reply certificate that carries the stored public key ...
            PublicKey publicKey = x509Certificate.getPublicKey();
            int i = 0;
            while (i < arrayList.size() && !publicKey.equals(((X509Certificate) arrayList.get(i)).getPublicKey())) {
                i++;
            }
            if (i == arrayList.size()) {
                throw new Exception("Certificate reply does not contain public key for <alias>: " + str);
            }
            // ... and swap it to position 0.
            X509Certificate x509Certificate2 = (X509Certificate) arrayList.get(0);
            arrayList.set(0, arrayList.get(i));
            arrayList.set(i, x509Certificate2);
        }
        // Step 2: selection-style reordering by issuer name, starting from the first certificate.
        Principal issuerDN = ((X509Certificate) arrayList.get(0)).getIssuerDN();
        // The bound stops one short of the end, so the last position is never searched for explicitly.
        for (int i2 = 1; i2 < arrayList.size() - 1; i2++) {
            int i3 = i2;
            while (true) {
                if (i3 >= arrayList.size()) {
                    break;
                }
                if (((X509Certificate) arrayList.get(i3)).getSubjectDN().equals(issuerDN)) {
                    X509Certificate x509Certificate3 = (X509Certificate) arrayList.get(i2);
                    arrayList.set(i2, arrayList.get(i3));
                    arrayList.set(i3, x509Certificate3);
                    issuerDN = ((X509Certificate) arrayList.get(i2)).getIssuerDN();
                    break;
                }
                i3++;
            }
            // Reaching the end without a match means no certificate names the expected issuer.
            if (i3 == arrayList.size()) {
                throw new Exception("Incomplete certificate chain in reply");
            }
        }
        // Step 3: every certificate must be signed by the key of the one that follows it.
        for (int i4 = 0; i4 < arrayList.size() - 1; i4++) {
            try {
                ((X509Certificate) arrayList.get(i4)).verify(((X509Certificate) arrayList.get(i4 + 1)).getPublicKey());
            } catch (Exception e) {
                throw new Exception("Certificate chain in reply does not verify: " + e.getMessage());
            }
        }
        // Step 4: decide whether the top of the chain is acceptable.
        X509Certificate x509Certificate4 = (X509Certificate) arrayList.get(arrayList.size() - 1);
        boolean z = keyStore.getCertificateAlias(x509Certificate4) != null;
        boolean z2 = keyStore2.getCertificateAlias(x509Certificate4) != null;
        if (!z && !z2) {
            // Not stored anywhere: look for any certificate in keyStore2 whose key verifies it.
            boolean z3 = false;
            X509Certificate x509Certificate5 = null;
            Enumeration<String> aliases = keyStore2.aliases();
            while (aliases.hasMoreElements()) {
                x509Certificate5 = (X509Certificate) keyStore2.getCertificate(aliases.nextElement());
                if (x509Certificate5 != null) {
                    try {
                        x509Certificate4.verify(x509Certificate5.getPublicKey());
                        z3 = true;
                        break;
                    } catch (Exception e2) {
                        // Verification failure only means this entry is not the signer; keep looking.
                    }
                }
            }
            if (!z3) {
                return null;
            }
            // Append the signer unless the top certificate is already self-issued.
            if (!x509Certificate4.getSubjectDN().equals(x509Certificate4.getIssuerDN())) {
                arrayList.add(x509Certificate5);
            }
        }
        return arrayList;
    }

    /**
     * Creates a certificate whose issuer and subject names each consist of a single common name,
     * by delegating to the builder-based overload.
     *
     * @param keyPair key pair handed to the builder-based overload
     * @param i validity in days
     * @param str common name of the issuer
     * @param str2 common name of the subject
     * @param str3 value passed on as the fifth argument of the builder-based overload
     * @param str4 value passed on as the sixth argument of the builder-based overload
     * @return the certificate produced by the builder-based overload
     * @throws GeneralSecurityException propagated from the builder-based overload
     * @throws IOException propagated from the builder-based overload
     */
    public static synchronized X509Certificate createX509V3Certificate(KeyPair keyPair, int i, String str, String str2, String str3, String str4) throws GeneralSecurityException, IOException {
        final X500NameBuilder issuerName = new X500NameBuilder();
        issuerName.addRDN(BCStyle.CN, str);

        final X500NameBuilder subjectName = new X500NameBuilder();
        subjectName.addRDN(BCStyle.CN, str2);

        return createX509V3Certificate(keyPair, i, issuerName, subjectName, str3, str4);
    }

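    /**
     * Creates an X.509 v3 certificate for the key pair's public key, signed with the key pair's
     * private key.
     *
     * <p>The certificate carries a subject-alternative-name extension holding an otherName entry
     * (XMPP address OID) with the given domain, plus subject-key-identifier and
     * authority-key-identifier extensions that are both derived from the same public key. The
     * subject-alternative-name extension is marked critical only when the subject name is empty.
     * Because signing key and authority key identifier both come from {@code keyPair}, the result
     * is self-signed whatever issuer name is supplied.
     *
     * @param keyPair key pair: the public key is certified, the private key signs
     * @param i validity in days, counted from now
     * @param x500NameBuilder issuer name
     * @param x500NameBuilder2 subject name
     * @param str domain placed in the subject-alternative-name extension
     * @param str2 signature algorithm name
     * @return the new certificate
     * @throws GeneralSecurityException if signing fails or the finished certificate does not pass
     *         its own validity and signature checks
     * @throws IOException if an extension cannot be encoded
     */
    public static synchronized X509Certificate createX509V3Certificate(KeyPair keyPair, int i, X500NameBuilder x500NameBuilder, X500NameBuilder x500NameBuilder2, String str, String str2) throws GeneralSecurityException, IOException {
        final PublicKey publicKey = keyPair.getPublic();
        final PrivateKey privateKey = keyPair.getPrivate();

        // Serial number from a self-seeded SecureRandom. Seeding the generator with nothing but
        // the current time would make serial numbers guessable from the issue time.
        final byte[] serialBytes = new byte[8];
        new SecureRandom().nextBytes(serialBytes);
        final BigInteger serial = new BigInteger(serialBytes).abs();

        final X500Name issuer = x500NameBuilder.build();
        final X500Name subject = x500NameBuilder2.build();

        final Date notBefore = new Date();
        // Long arithmetic: with int arithmetic the product overflows from 25 days upwards and
        // yields an end date that lies before the start date.
        final Date notAfter = new Date(notBefore.getTime() + i * 86400000L);

        final JcaX509v3CertificateBuilder certBuilder =
                new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, publicKey);

        final ASN1Encodable[] otherName = {
            new ASN1ObjectIdentifier(SANCertificateIdentityMapping.OTHERNAME_XMPP_OID),
            new DERUTF8String(str)
        };
        final GeneralNames subjectAltNames =
                new GeneralNames(new GeneralName[]{new GeneralName(0, new DERSequence(otherName))});
        certBuilder.addExtension(Extension.subjectAlternativeName, subject.getRDNs().length == 0, subjectAltNames);

        final JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(publicKey));
        certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(publicKey));

        try {
            final X509CertificateHolder holder = certBuilder.build(new JcaContentSignerBuilder(str2).build(privateKey));
            // Sanity checks on the freshly built certificate before it is handed out.
            if (!holder.isValidOn(new Date())) {
                throw new GeneralSecurityException("Certificate validity not valid");
            }
            if (!holder.isSignatureValid(new JcaContentVerifierProviderBuilder().build(publicKey))) {
                throw new GeneralSecurityException("Certificate signature not valid");
            }
            return new JcaX509CertificateConverter().getCertificate(holder);
        } catch (OperatorCreationException | CertException e) {
            throw new GeneralSecurityException((Throwable) e);
        }
    }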

    // Populates the server and client identity mappings from configuration, falling back to
    // built-in defaults when a property is absent or yields no usable class.
    //
    // Security note: the class names come straight from the two configuration properties and are
    // instantiated reflectively, so whoever can set those properties decides which code maps
    // certificates to identities.
    static {
        loadIdentityMappings("provider.serverCertIdentityMap.classList", "server", serverCertMapping);
        if (serverCertMapping.isEmpty()) {
            Log.debug("CertificateManager: No server CertificateIdentityMapping's found. Loading default mappings");
            serverCertMapping.add(new SANCertificateIdentityMapping());
            serverCertMapping.add(new CNCertificateIdentityMapping());
        }

        loadIdentityMappings("provider.clientCertIdentityMap.classList", "client", clientCertMapping);
        if (clientCertMapping.isEmpty()) {
            Log.debug("CertificateManager: No client CertificateIdentityMapping's found. Loading default mappings");
            clientCertMapping.add(new CNCertificateIdentityMapping());
        }
    }

    /**
     * Instantiates every class named in a configuration property and appends the instances to
     * the target list. A class that cannot be loaded or instantiated is logged and skipped.
     *
     * @param propertyName configuration property holding class names separated by spaces,
     *        commas, tabs or line breaks
     * @param role word used in the debug message ("server" or "client")
     * @param target list that receives the instantiated mappings
     */
    private static void loadIdentityMappings(String propertyName, String role, List<CertificateIdentityMapping> target) {
        final String classList = JiveGlobals.getProperty(propertyName);
        if (classList == null) {
            return;
        }
        final StringTokenizer classNames = new StringTokenizer(classList, " ,\t\n\r\f");
        while (classNames.hasMoreTokens()) {
            final String className = classNames.nextToken();
            try {
                final CertificateIdentityMapping mapping = (CertificateIdentityMapping) ClassUtils.forName(className).newInstance();
                Log.debug("CertificateManager: Loaded " + role + " identity mapping " + className);
                target.add(mapping);
            } catch (Exception loadFailure) {
                Log.error("CertificateManager: Error loading CertificateIdentityMapping: " + className + "\n" + loadFailure);
            }
        }
    }
}
