package com.ibm.ws.security.acme.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.websphere.ssl.SSLConfig;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.acme.AcmeCaException;
import com.ibm.ws.security.acme.AcmeCertificate;
import com.ibm.ws.security.acme.AcmeProvider;
import com.ibm.ws.security.acme.internal.AcmeClient;
import com.ibm.ws.security.acme.internal.exceptions.CertificateRenewRequestBlockedException;
import com.ibm.ws.security.acme.internal.util.AcmeConstants;
import com.ibm.ws.ssl.JSSEProviderFactory;
import com.ibm.ws.ssl.KeyStoreService;
import com.ibm.wsspi.kernel.service.location.WsLocationAdmin;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.atomic.AtomicReference;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(immediate = true, configurationPolicy = ConfigurationPolicy.IGNORE, property = {"service.vendor=IBM"})
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/acme/internal/AcmeProviderImpl.class */
public class AcmeProviderImpl implements AcmeProvider {
    // Trace component registered for this class; every Tr.* call in the class goes through it.
    private static final TraceComponent tc = Tr.register(AcmeProviderImpl.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    // Holder for the KeyStoreService bound/unbound by setKeyStoreService / unsetKeyStoreService.
    private static final AtomicReference<KeyStoreService> keyStoreServiceRef = new AtomicReference<>();
    // Holder for the listener bound by setAcmeApplicationStateListener.
    private static final AtomicReference<AcmeApplicationStateListener> applicationStateListenerRef = new AtomicReference<>();
    // NOTE(review): acmeClient and acmeConfig are static, non-volatile, and reassigned by the
    // set/update/unsetAcmeConfigService callbacks without taking rwRenewCertLock. Code that reads them
    // on another thread may see null or a client/config pair from different configurations; confirm
    // the threading model the component relies on.
    private static AcmeClient acmeClient;
    private static AcmeConfig acmeConfig;

    // Injected location service; passed through to AcmeHistory calls.
    @Reference
    private WsLocationAdmin wslocation;
    static final long serialVersionUID = 7473883614061662134L;
    private final AtomicServiceReference<ScheduledExecutorService> scheduledExecutorServiceRef = new AtomicServiceReference<>("scheduledExecutorService");
    // Created in setAcmeConfigService / updateAcmeConfigService; null until then.
    private AcmeCertCheckerTask acmeCertChecker = null;
    // Only the write lock is used in this class (acquireWriteLock / releaseWriteLock).
    private final ReadWriteLock rwRenewCertLock = new ReentrantReadWriteLock();
    // System.currentTimeMillis() of the last installed certificate; -1 means none recorded.
    private long lastCertificateRenewalTimestamp = -1;
    private AcmeHistory acmeHistory = new AcmeHistory();

    /**
     * Activates the scheduled-executor service reference with the component context.
     *
     * @param componentContext the context handed to this component on activation
     */
    public void activate(ComponentContext componentContext) {
        scheduledExecutorServiceRef.activate(componentContext);
    }

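    /**
     * Asks the ACME client to renew the account key pair.
     *
     * @throws AcmeCaException if the client is not initialized or the renewal fails
     */
    @Override // com.ibm.ws.security.acme.AcmeProvider
    public void renewAccountKeyPair() throws AcmeCaException {
        // Go through getAcmeClient() so an unconfigured provider reports AcmeCaException,
        // as revoke() and fetchCertificate() do, instead of failing with a NullPointerException.
        getAcmeClient().renewAccountKeyPair();
    }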

    /**
     * Requests and installs a new certificate in the default keystore, without first checking
     * whether the current one still qualifies.
     *
     * @throws AcmeCaException if the certificate cannot be fetched or installed
     */
    @Override // com.ibm.ws.security.acme.AcmeProvider
    public void renewCertificate() throws AcmeCaException {
        final boolean forceRenewal = true;
        checkAndInstallCertificate(forceRenewal, null, null, null);
    }

    /**
     * Revokes the certificate currently stored under the default alias of the default keystore.
     *
     * @param str the revocation reason, passed unchanged to {@link #revoke(List, String)}
     * @throws AcmeCaException if the revocation request fails
     */
    @Override // com.ibm.ws.security.acme.AcmeProvider
    public void revokeCertificate(String str) throws AcmeCaException {
        final List<X509Certificate> currentChain = getConfiguredDefaultCertificateChain();
        revoke(currentChain, str);
    }

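    /**
     * Checks the current certificate and, when a new one is required (or forced), fetches it
     * from the ACME CA, installs it, revokes the superseded certificate and restarts the
     * certificate checker. The whole sequence runs under the renew write lock.
     *
     * @param z        {@code true} to fetch a new certificate without evaluating the current one
     * @param keyStore keystore to update; {@code null} means the default keystore is updated
     *                 through the bound KeyStoreService
     * @param file     file the keystore is written back to; only used when {@code keyStore} is non-null
     * @param str      password used for the key entry and for storing the keystore; only used
     *                 (and dereferenced) when {@code keyStore} is non-null
     * @throws AcmeCaException if the existing chain cannot be read, or the new certificate cannot
     *                         be fetched or installed
     */
    @FFDCIgnore({AcmeCaException.class})
    private void checkAndInstallCertificate(boolean z, KeyStore keyStore, File file, @Sensitive String str) throws AcmeCaException {
        List<X509Certificate> previousChain;
        acquireWriteLock();
        try {
            applicationStateListenerRef.get().waitUntilResourcesAvailable(acmeConfig);
            if (keyStore == null) {
                previousChain = getConfiguredDefaultCertificateChain();
            } else {
                try {
                    previousChain = convertToX509CertChain(keyStore.getCertificateChain(AcmeConstants.DEFAULT_ALIAS));
                } catch (KeyStoreException e) {
                    // The password argument is replaced by a placeholder so it never reaches FFDC.
                    FFDCFilter.processException(e, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "183", this, new Object[]{Boolean.valueOf(z), keyStore, file, "<sensitive java.lang.String>"});
                    throw new AcmeCaException(Tr.formatMessage(tc, "CWPKI2029E", new Object[]{file, AcmeConstants.DEFAULT_ALIAS, e.getMessage()}), e);
                }
            }
            AcmeCertificate newCertificate = checkAndRetrieveCertificate(previousChain, z);
            if (newCertificate != null) {
                Certificate[] newChain = convertChainToArray(newCertificate.getCertificateChain());
                try {
                    if (keyStore == null) {
                        keyStoreServiceRef.get().setKeyEntryToKeyStore(AcmeConstants.DEFAULT_KEY_STORE, AcmeConstants.DEFAULT_ALIAS, newCertificate.getKeyPair().getPrivate(), newChain);
                    } else {
                        keyStore.setKeyEntry(AcmeConstants.DEFAULT_ALIAS, newCertificate.getKeyPair().getPrivate(), str.toCharArray(), newChain);
                        // try-with-resources closes the stream on every path and keeps the store()
                        // failure as the primary exception if close() fails as well.
                        try (FileOutputStream fileOutputStream = new FileOutputStream(file)) {
                            keyStore.store(fileOutputStream, str.toCharArray());
                        }
                    }
                    if (!acmeConfig.isDisableMinRenewWindow()) {
                        this.lastCertificateRenewalTimestamp = System.currentTimeMillis();
                    }
                    if (previousChain != null) {
                        try {
                            revoke(previousChain, "SUPERSEDED");
                        } catch (AcmeCaException e2) {
                            // Best effort: the new certificate is already installed.
                            // NOTE(review): a failed revocation of the superseded certificate is only
                            // visible with debug trace enabled; consider surfacing it to operators.
                            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                                Tr.debug(tc, "Failed to revoke the certificate.", new Object[]{previousChain, e2});
                            }
                        }
                    }
                    Tr.audit(tc, "CWPKI2007I", new Object[]{newCertificate.getCertificate().getSerialNumber().toString(16), acmeConfig.getDirectoryURI(), newCertificate.getCertificate().getNotAfter().toInstant().toString()});
                } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e3) {
                    FFDCFilter.processException(e3, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "218", this, new Object[]{Boolean.valueOf(z), keyStore, file, "<sensitive java.lang.String>"});
                    throw new AcmeCaException(Tr.formatMessage(tc, "CWPKI2030E", new Object[]{AcmeConstants.DEFAULT_ALIAS, AcmeConstants.DEFAULT_KEY_STORE, e3.getMessage()}), e3);
                }
            } else if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Previous certificate requested from ACME CA server is still valid.", new Object[0]);
            }
            this.acmeCertChecker.startCertificateChecker(getScheduledExecutorService());
        } finally {
            // One release for the one acquire above, on success and on every failure path.
            releaseWriteLock();
        }
    }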

    /**
     * Delegates the HTTP-01 authorization lookup to the ACME client.
     *
     * @param str the value passed unchanged to the client
     * @return whatever the client returns for that value
     * @throws AcmeCaException if the client is not initialized or the lookup fails
     */
    @Override // com.ibm.ws.security.acme.AcmeProvider
    public String getHttp01Authorization(String str) throws AcmeCaException {
        final AcmeClient client = getAcmeClient();
        return client.getHttp01Authorization(str);
    }

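    /**
     * Revokes the leaf certificate of the given chain. The directory URI recorded for the
     * certificate's serial number in the ACME history is used when present; otherwise the
     * currently configured directory URI is used. Does nothing when the chain has no leaf.
     *
     * @param list the certificate chain whose first element is revoked; may be null or empty
     * @param str  the revocation reason, passed unchanged to the ACME client
     * @throws AcmeCaException if the client is not initialized or the revocation fails
     */
    public void revoke(List<X509Certificate> list, String str) throws AcmeCaException {
        acquireWriteLock();
        try {
            X509Certificate leafCertificate = getLeafCertificate(list);
            if (leafCertificate == null) {
                return;
            }
            String directoryURI = this.acmeHistory.getDirectoryURI(leafCertificate.getSerialNumber().toString(16));
            if (directoryURI == null) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "The certificate was not found in the AcmeHistory file. Use the configured directory URI to revoke.", new Object[0]);
                }
                directoryURI = acmeConfig.getDirectoryURI();
            }
            getAcmeClient().revoke(leafCertificate, str, directoryURI);
        } finally {
            // The lock is released here only. Releasing it in the try body as well unlocked twice
            // on the success path: that throws IllegalMonitorStateException for a direct caller and
            // silently drops the hold of a caller that already owns the write lock.
            releaseWriteLock();
        }
    }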

    /**
     * Returns the ACME client, failing explicitly when none has been created yet.
     *
     * @return the current client, never null
     * @throws AcmeCaException if no client has been initialized
     */
    @Trivial
    private AcmeClient getAcmeClient() throws AcmeCaException {
        if (acmeClient != null) {
            return acmeClient;
        }
        throw new AcmeCaException("Internal error. ACME client was not initialized.");
    }

    /**
     * Returns the current ACME configuration.
     *
     * @return the configuration, or null when none is set
     */
    @Trivial
    public static AcmeConfig getAcmeConfig() {
        return AcmeProviderImpl.acmeConfig;
    }

    /**
     * Binds the keystore service used to read and update the default keystore.
     *
     * @param keyStoreService the service to bind
     */
    @Reference(name = AcmeConstants.KEY_KEYSTORE_SERVICE, service = KeyStoreService.class, cardinality = ReferenceCardinality.MANDATORY)
    protected void setKeyStoreService(KeyStoreService keyStoreService) {
        AcmeProviderImpl.keyStoreServiceRef.set(keyStoreService);
    }

    /**
     * Unbinds the keystore service, but only if it is the one currently bound.
     *
     * @param keyStoreService the service being removed
     */
    protected void unsetKeyStoreService(KeyStoreService keyStoreService) {
        // compareAndSet leaves a newer binding in place when an older service is unbound late.
        AcmeProviderImpl.keyStoreServiceRef.compareAndSet(keyStoreService, null);
    }

    /**
     * Decides whether a new certificate has to be requested for the given chain.
     *
     * @param list the current certificate chain; may be null or empty
     * @return true when there is no chain, when the leaf is inside the renew window and
     *         auto-renew is enabled, when domains or subject RDNs no longer match the
     *         configuration, or when the certificate is revoked
     * @throws AcmeCaException if one of the checks fails
     */
    private boolean isCertificateRequired(List<X509Certificate> list) throws AcmeCaException {
        boolean renewBecauseExpired = false;
        // isExpired() returns false for a null or empty chain, so list.get(0) is safe here.
        if (isExpired(list)) {
            final X509Certificate leaf = list.get(0);
            final boolean autoRenew = acmeConfig.isAutoRenewOnExpiration();
            final String serial = leaf.getSerialNumber().toString(16);
            final String notAfter = leaf.getNotAfter().toInstant().toString();
            if (autoRenew) {
                renewBecauseExpired = true;
                Tr.info(tc, "CWPKI2052I", new Object[]{serial, notAfter, acmeConfig.getDirectoryURI()});
            } else {
                // Expired but auto-renew is off: warn only; the remaining checks still run.
                Tr.warning(tc, "CWPKI2053W", new Object[]{serial, notAfter});
            }
        }
        if (list == null || list.isEmpty() || renewBecauseExpired) {
            return true;
        }
        return hasWrongDomains(list) || hasWrongSubjectRDNs(list) || isRevoked(list);
    }

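    /**
     * Fetches a new certificate from the ACME CA when one is required or when forced.
     *
     * @param list the current certificate chain; may be null or empty
     * @param z    true to fetch without evaluating the current chain
     * @return the new certificate, or null when the current chain is still acceptable
     * @throws AcmeCaException if the evaluation or the fetch fails
     */
    private AcmeCertificate checkAndRetrieveCertificate(List<X509Certificate> list, boolean z) throws AcmeCaException {
        acquireWriteLock();
        try {
            if (!z && !isCertificateRequired(list)) {
                return null;
            }
            return fetchCertificate();
        } finally {
            // The fetch is inside the guarded region: a failing CA request must not leave this
            // thread holding an extra write-lock hold, which would block renewals on other threads.
            releaseWriteLock();
        }
    }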

    /**
     * Copies a certificate array into a list, requiring every element to be an X.509 certificate.
     *
     * @param certificateArr the chain to convert; null yields an empty list
     * @return a new mutable list with the certificates in their original order
     * @throws AcmeCaException if an element is not an {@link X509Certificate}
     */
    private List<X509Certificate> convertToX509CertChain(Certificate[] certificateArr) throws AcmeCaException {
        final List<X509Certificate> chain = new ArrayList<>();
        if (certificateArr == null) {
            return chain;
        }
        for (Certificate candidate : certificateArr) {
            if (candidate instanceof X509Certificate) {
                chain.add((X509Certificate) candidate);
            } else {
                throw new AcmeCaException(Tr.formatMessage(tc, "CWPKI2044E", new Object[]{candidate.getType()}));
            }
        }
        return chain;
    }

    /**
     * Checks whether the leaf certificate no longer matches the configured domains.
     *
     * <p>The subject must carry a CN equal (ignoring case) to one of the configured domains,
     * and the dNSName subject alternative names must contain every configured domain.
     *
     * @param list the certificate chain; a null or empty chain is reported as not wrong
     * @return true when the CN or the subject alternative names do not match the configuration
     * @throws AcmeCaException if the subject DN or the subject alternative names cannot be parsed
     */
    private boolean hasWrongDomains(List<X509Certificate> list) throws AcmeCaException {
        final X509Certificate leaf = getLeafCertificate(list);
        if (leaf == null) {
            return false;
        }

        boolean commonNameMatches = false;
        try {
            for (Rdn rdn : new LdapName(leaf.getSubjectX500Principal().getName()).getRdns()) {
                if (!"cn".equalsIgnoreCase(rdn.getType())) {
                    continue;
                }
                for (String domain : acmeConfig.getDomains()) {
                    if (domain.equalsIgnoreCase((String) rdn.getValue())) {
                        commonNameMatches = true;
                        break;
                    }
                }
            }
        } catch (InvalidNameException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "501", this, new Object[]{list});
            throw new AcmeCaException(Tr.formatMessage(tc, "CWPKI2031E", new Object[]{leaf.getSubjectX500Principal().getName(), leaf.getSerialNumber().toString(16), e2.getMessage()}), e2);
        }
        if (!commonNameMatches) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "hasWrongDomains(List<X509Certificate>)", new Object[]{"The certificate subject's common name does not match any of the domains."});
            }
            return true;
        }

        try {
            final Collection<List<?>> altNames = leaf.getSubjectAlternativeNames();
            final HashSet<String> dnsNames = new HashSet<>();
            if (altNames != null) {
                for (List<?> entry : altNames) {
                    // Each entry is (type, value); type 2 is the only one collected here.
                    if (entry.size() >= 2 && ((Integer) entry.get(0)).intValue() == 2) {
                        final Object value = entry.get(1);
                        if (value instanceof String) {
                            dnsNames.add((String) value);
                        }
                    }
                }
            }
            // NOTE(review): this comparison is case-sensitive while the CN comparison above ignores
            // case; confirm the configured domains and the issued names are normalized the same way,
            // otherwise a case difference alone reports the certificate as wrong.
            if (dnsNames.containsAll(acmeConfig.getDomains())) {
                return false;
            }
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "hasWrongDomains(List<X509Certificate>)", new Object[]{"The certificate subject alternative names do not contain all of the configured domains."});
            }
            return true;
        } catch (CertificateParsingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "546", this, new Object[]{list});
            throw new AcmeCaException(Tr.formatMessage(tc, "CWPKI2032E", new Object[]{leaf.getSerialNumber().toString(16), e.getMessage()}), e);
        }
    }

    /**
     * Checks whether the leaf certificate's subject RDNs differ from the configured subject DN.
     *
     * <p>A subject with a single RDN is compared with the first configured RDN only; otherwise
     * both lists must have the same size and be equal position by position.
     *
     * @param list the certificate chain; a null or empty chain is reported as not wrong
     * @return true when the subject RDNs do not match the configuration
     * @throws AcmeCaException if the certificate's subject DN cannot be parsed
     */
    private boolean hasWrongSubjectRDNs(List<X509Certificate> list) throws AcmeCaException {
        final X509Certificate leaf = getLeafCertificate(list);
        if (leaf == null) {
            return false;
        }
        final List<Rdn> configured = acmeConfig.getSubjectDN();
        final List<Rdn> actual;
        try {
            actual = new LdapName(leaf.getSubjectX500Principal().getName()).getRdns();
        } catch (InvalidNameException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "583", this, new Object[]{list});
            throw new AcmeCaException(Tr.formatMessage(tc, "CWPKI2031E", new Object[]{leaf.getSubjectX500Principal().getName(), leaf.getSerialNumber().toString(16), e.getMessage()}), e);
        }

        final int actualCount = actual.size();
        boolean matches;
        if (actualCount == 1) {
            matches = actual.get(0).equals(configured.get(0));
        } else if (actualCount != configured.size()) {
            matches = false;
        } else {
            matches = true;
            for (int i = 0; i < actualCount; i++) {
                if (!actual.get(i).equals(configured.get(i))) {
                    matches = false;
                    break;
                }
            }
        }
        if (matches) {
            return false;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "hasWrongSubjectRDNs(List<X509Certificate>)", new Object[]{"The certificate subject's RDNs do not match the configuration."});
        }
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reports whether the leaf certificate has reached its renew date.
     *
     * <p>Despite the name, the comparison is against {@code notAfter} minus the configured
     * renew-before-expiration interval, so a certificate that is still valid but inside the
     * renew window is reported as expired.
     *
     * @param list the certificate chain; a null or empty chain is reported as not expired
     * @return true when the current time is at or after the calculated renew date
     */
    public boolean isExpired(List<X509Certificate> list) {
        final X509Certificate leaf = getLeafCertificate(list);
        if (leaf == null) {
            return false;
        }
        final Date notAfter = leaf.getNotAfter();
        final Date now = Calendar.getInstance().getTime();
        final Date renewAt = new Date(notAfter.getTime() - acmeConfig.getRenewBeforeExpirationMs().longValue());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "isExpired: notAfter: " + notAfter + ", calculated renew Date: " + renewAt + ", compared to now: " + now, new Object[0]);
        }
        return !now.before(renewAt);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Asks a revocation checker built from the current configuration whether the chain is revoked.
     *
     * @param list the certificate chain to check
     * @return the checker's verdict
     * @throws AcmeCaException if the revocation check fails
     */
    public boolean isRevoked(List<X509Certificate> list) throws AcmeCaException {
        final CertificateRevocationChecker checker = new CertificateRevocationChecker(acmeConfig);
        return checker.isRevoked(list);
    }

    /**
     * Fetches a certificate through the ACME client, passing {@code false} for the client's flag.
     *
     * @return the certificate returned by the client
     * @throws AcmeCaException if the client is not initialized or the fetch fails
     */
    private AcmeCertificate fetchCertificate() throws AcmeCaException {
        final AcmeClient client = getAcmeClient();
        return client.fetchCertificate(false);
    }

    /**
     * Copies a certificate chain into a newly allocated array, keeping the order.
     *
     * @param list the chain to copy; must not be null
     * @return an {@code X509Certificate[]} holding the chain's elements
     */
    @Trivial
    private static Certificate[] convertChainToArray(List<X509Certificate> list) {
        return list.toArray(new X509Certificate[list.size()]);
    }

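    /**
     * Returns the ACME account known to the client.
     *
     * @return the account reported by the client
     * @throws AcmeCaException if the client is not initialized or the lookup fails
     */
    @Override // com.ibm.ws.security.acme.AcmeProvider
    public AcmeClient.AcmeAccount getAccount() throws AcmeCaException {
        // Go through getAcmeClient() so an unconfigured provider reports AcmeCaException
        // instead of failing with a NullPointerException.
        return getAcmeClient().getAccount();
    }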

    /**
     * Returns the first certificate of a chain, which this class treats as the leaf.
     *
     * @param list the certificate chain; may be null or empty
     * @return the first element, or null when the chain is null or empty
     */
    public static X509Certificate getLeafCertificate(List<X509Certificate> list) {
        final boolean hasLeaf = list != null && !list.isEmpty();
        return hasLeaf ? list.get(0) : null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reads the certificate chain stored under the default alias of the default keystore.
     *
     * <p>NOTE(review): keystore and certificate errors are swallowed and reported as null, which
     * callers in this class treat the same as "no certificate installed"; confirm that a keystore
     * read failure is meant to lead to a new certificate request.
     *
     * @return the chain as X.509 certificates, or null when the keystore lookup fails
     * @throws AcmeCaException if the stored chain contains a non-X.509 certificate
     */
    @FFDCIgnore({CertificateException.class})
    public List<X509Certificate> getConfiguredDefaultCertificateChain() throws AcmeCaException {
        try {
            final KeyStoreService keyStoreService = keyStoreServiceRef.get();
            final Certificate[] storedChain = keyStoreService.getCertificateChainFromKeyStore(AcmeConstants.DEFAULT_KEY_STORE, AcmeConstants.DEFAULT_ALIAS);
            return convertToX509CertChain(storedChain);
        } catch (KeyStoreException | CertificateException e) {
            return null;
        }
    }

    /**
     * Fetches a certificate from the ACME CA and writes it to a new keystore file.
     *
     * @param str  path of the keystore file to create
     * @param str2 keystore password; also used for the key entry
     * @param str3 first argument for the keystore factory (presumably the keystore type; confirm)
     * @param str4 second argument for the keystore factory (presumably the provider; confirm)
     * @return the keystore file that was written
     * @throws CertificateException if the certificate cannot be fetched or the keystore cannot
     *                              be created; an AcmeCaException is wrapped as its cause
     */
    @Override // com.ibm.ws.security.acme.AcmeProvider
    public File createDefaultSSLCertificate(String str, @Sensitive String str2, String str3, String str4) throws CertificateException {
        try {
            applicationStateListenerRef.get().waitUntilResourcesAvailable(acmeConfig);
            try {
                AcmeCertificate fetchCertificate = fetchCertificate();
                File createKeyStore = createKeyStore(str, fetchCertificate, str2, str3, str4);
                if (!acmeConfig.isDisableMinRenewWindow()) {
                    this.lastCertificateRenewalTimestamp = System.currentTimeMillis();
                }
                this.acmeHistory.updateAcmeFile(fetchCertificate, null, acmeConfig.getDirectoryURI(), acmeClient.getAccount().getLocation().toString(), this.wslocation);
                Tr.audit(tc, "CWPKI2007I", new Object[]{fetchCertificate.getCertificate().getSerialNumber().toString(16), acmeConfig.getDirectoryURI(), fetchCertificate.getCertificate().getNotAfter().toInstant().toString()});
                this.acmeCertChecker.startCertificateChecker(getScheduledExecutorService());
                return createKeyStore;
            } catch (AcmeCaException e) {
                // The password is replaced by a placeholder before the arguments reach FFDC.
                FFDCFilter.processException(e, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "819", this, new Object[]{str, "<sensitive java.lang.String>", str3, str4});
                // Still write a keystore file, without any key entry, before reporting the failure.
                // This also runs when the failure came after the keystore with the certificate was
                // written, in which case that file is overwritten by the empty one.
                createKeyStore(str, null, str2, str3, str4);
                throw new CertificateException(e.getMessage(), e);
            } catch (Exception e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "823", this, new Object[]{str, "<sensitive java.lang.String>", str3, str4});
                throw e2;
            }
        } catch (AcmeCaException e3) {
            // Reached when waiting for the application state listener fails.
            FFDCFilter.processException(e3, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "775", this, new Object[]{str, "<sensitive java.lang.String>", str3, str4});
            throw new CertificateException(e3.getMessage(), e3);
        }
    }

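    /**
     * Creates a new keystore, optionally adds the certificate's private key and chain under the
     * default alias, and writes the keystore to the given path.
     *
     * <p>NOTE(review): the file holds the private key and is created with the process's default
     * file permissions; confirm the target directory or umask restricts who can read it.
     *
     * @param str             path of the keystore file; missing parent directories are created
     * @param acmeCertificate certificate to store, or null to write a keystore without a key entry
     * @param str2            keystore password; also used for the key entry
     * @param str3            first argument for the keystore factory
     * @param str4            second argument for the keystore factory
     * @return the file that was written
     * @throws CertificateException if the keystore cannot be created, populated or written
     */
    private File createKeyStore(String str, AcmeCertificate acmeCertificate, @Sensitive String str2, String str3, String str4) throws CertificateException {
        try {
            KeyStore keyStoreInstance = JSSEProviderFactory.getInstance().getKeyStoreInstance(str3, str4);
            // A null stream initializes an empty keystore.
            keyStoreInstance.load(null, str2.toCharArray());
            if (acmeCertificate != null) {
                keyStoreInstance.setKeyEntry(AcmeConstants.DEFAULT_ALIAS, acmeCertificate.getKeyPair().getPrivate(), str2.toCharArray(), convertChainToArray(acmeCertificate.getCertificateChain()));
            }
            File file = new File(str);
            try {
                if (file.getParentFile() != null && !file.getParentFile().exists()) {
                    file.getParentFile().mkdirs();
                }
                // try-with-resources closes the stream on every path and keeps the store()
                // failure as the primary exception if close() fails as well.
                try (FileOutputStream fileOutputStream = new FileOutputStream(file)) {
                    keyStoreInstance.store(fileOutputStream, str2.toCharArray());
                }
                return file;
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException e) {
                // The password is replaced by a placeholder before the arguments reach FFDC.
                FFDCFilter.processException(e, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "882", this, new Object[]{str, acmeCertificate, "<sensitive java.lang.String>", str3, str4});
                throw new CertificateException(Tr.formatMessage(tc, "CWPKI2035E", new Object[]{file.getName(), e.getMessage()}), e);
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "863", this, new Object[]{str, acmeCertificate, "<sensitive java.lang.String>", str3, str4});
            throw new CertificateException(Tr.formatMessage(tc, "CWPKI2034E", new Object[]{e2.getMessage()}), e2);
        }
    }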

    /**
     * Checks the certificate in the given keystore and replaces it when required; a changed
     * directory URI forces a replacement and is then recorded in the ACME history.
     *
     * @param keyStore keystore to check and update; null means the default keystore is used
     * @param file     file the keystore is written back to
     * @param str      keystore password; also used for the key entry
     * @throws CertificateException if the check or the update fails; an AcmeCaException is
     *                              wrapped as its cause
     */
    @Override // com.ibm.ws.security.acme.AcmeProvider
    public void updateDefaultSSLCertificate(KeyStore keyStore, File file, @Sensitive String str) throws CertificateException {
        List<X509Certificate> convertToX509CertChain;
        try {
            boolean directoryURIChanged = this.acmeHistory.directoryURIChanged(acmeConfig.getDirectoryURI(), this.wslocation, acmeConfig.isDisableRenewOnNewHistory());
            // A changed directory URI is passed as the "force" flag, so a new certificate is fetched.
            checkAndInstallCertificate(directoryURIChanged, keyStore, file, str);
            if (directoryURIChanged) {
                // Re-read the chain so the history records the certificate that was just installed.
                if (keyStore == null) {
                    convertToX509CertChain = getConfiguredDefaultCertificateChain();
                } else {
                    try {
                        convertToX509CertChain = convertToX509CertChain(keyStore.getCertificateChain(AcmeConstants.DEFAULT_ALIAS));
                    } catch (KeyStoreException e) {
                        // The password is replaced by a placeholder before the arguments reach FFDC.
                        FFDCFilter.processException(e, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "909", this, new Object[]{keyStore, file, "<sensitive java.lang.String>"});
                        throw new AcmeCaException(Tr.formatMessage(tc, "CWPKI2029E", new Object[]{file, AcmeConstants.DEFAULT_ALIAS, e.getMessage()}), e);
                    }
                }
                this.acmeHistory.updateAcmeFile(getLeafCertificate(convertToX509CertChain), acmeConfig.getDirectoryURI(), acmeClient.getAccount().getLocation().toString(), this.wslocation);
            }
        } catch (AcmeCaException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "917", this, new Object[]{keyStore, file, "<sensitive java.lang.String>"});
            throw new CertificateException(e2.getMessage(), e2);
        } catch (Exception e3) {
            FFDCFilter.processException(e3, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "919", this, new Object[]{keyStore, file, "<sensitive java.lang.String>"});
            throw e3;
        }
    }

    /**
     * Returns the SSL configuration held by the current ACME configuration.
     *
     * @return the SSL configuration reported by the ACME configuration
     */
    public static SSLConfig getSSLConfig() {
        // Dereferences the static configuration directly; there is no null check here.
        return AcmeProviderImpl.acmeConfig.getSSLConfig();
    }

    /**
     * Binds the ACME configuration: builds the configuration and the client from the service
     * properties, updates the account and creates the certificate checker task.
     *
     * @param acmeConfigService the configuration service being bound
     * @param map               the service properties used to build the configuration
     */
    @Reference(cardinality = ReferenceCardinality.MANDATORY, updated = "updateAcmeConfigService")
    public void setAcmeConfigService(AcmeConfigService acmeConfigService, Map<String, Object> map) {
        try {
            // Statement order matters: each static is published as soon as it is built, so a
            // failure part-way leaves the new config in place with whatever client was set before.
            acmeConfig = new AcmeConfig(map);
            acmeClient = new AcmeClient(acmeConfig);
            acmeClient.updateAccount();
            this.acmeCertChecker = new AcmeCertCheckerTask(this);
        } catch (AcmeCaException e) {
            // The failure is recorded and logged, not rethrown, so the bind itself still succeeds.
            FFDCFilter.processException(e, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "963", this, new Object[]{acmeConfigService, map});
            Tr.error(tc, e.getMessage(), new Object[0]);
        }
    }

    /**
     * Unbinds the ACME configuration: stops the certificate checker, if one exists, and clears
     * the static configuration and client.
     *
     * @param acmeConfigService the configuration service being removed
     */
    protected void unsetAcmeConfigService(AcmeConfigService acmeConfigService) {
        final AcmeCertCheckerTask checker = this.acmeCertChecker;
        if (checker != null) {
            checker.stop();
        }
        acmeConfig = null;
        acmeClient = null;
    }

    /**
     * Applies a changed ACME configuration: rebuilds the configuration and the client, installs a
     * new certificate when required (always when the directory URI changed), records the change
     * in the ACME history and updates the account.
     *
     * @param acmeConfigService the configuration service that changed
     * @param map               the new service properties
     */
    protected void updateAcmeConfigService(AcmeConfigService acmeConfigService, Map<String, Object> map) {
        try {
            if (this.acmeCertChecker == null) {
                this.acmeCertChecker = new AcmeCertCheckerTask(this);
            }
            // Statement order matters: the statics are replaced before the certificate check, so
            // the check and any fetch run against the new configuration and client.
            acmeConfig = new AcmeConfig(map);
            acmeClient = new AcmeClient(acmeConfig);
            boolean directoryURIChanged = this.acmeHistory.directoryURIChanged(acmeConfig.getDirectoryURI(), this.wslocation, acmeConfig.isDisableRenewOnNewHistory());
            // A changed directory URI is passed as the "force" flag; the default keystore is updated.
            checkAndInstallCertificate(directoryURIChanged, null, null, null);
            if (directoryURIChanged) {
                this.acmeHistory.updateAcmeFile(getLeafCertificate(getConfiguredDefaultCertificateChain()), acmeConfig.getDirectoryURI(), acmeClient.getAccount().getLocation().toString(), this.wslocation);
            }
            acmeClient.updateAccount();
        } catch (AcmeCaException e) {
            // The failure is recorded and logged, not rethrown; the statics assigned above stay set.
            FFDCFilter.processException(e, "com.ibm.ws.security.acme.internal.AcmeProviderImpl", "1018", this, new Object[]{acmeConfigService, map});
            Tr.error(tc, e.getMessage(), new Object[0]);
        }
    }

    /**
     * Binds the application state listener that certificate operations wait on.
     *
     * @param acmeApplicationStateListener the listener to bind
     */
    @Reference(cardinality = ReferenceCardinality.MANDATORY)
    public void setAcmeApplicationStateListener(AcmeApplicationStateListener acmeApplicationStateListener) {
        AcmeProviderImpl.applicationStateListenerRef.set(acmeApplicationStateListener);
    }

    /**
     * Binds the scheduled executor service reference.
     *
     * @param serviceReference the reference to bind
     */
    @Reference(name = "scheduledExecutorService", service = ScheduledExecutorService.class, target = "(deferrable=false)")
    protected void setScheduledExecutorService(ServiceReference<ScheduledExecutorService> serviceReference) {
        scheduledExecutorServiceRef.setReference(serviceReference);
    }

    /**
     * Unbinds the scheduled executor service reference, stopping the certificate checker first
     * when one exists.
     *
     * @param serviceReference the reference being removed
     */
    protected void unsetScheduledExecutorService(ServiceReference<ScheduledExecutorService> serviceReference) {
        final AcmeCertCheckerTask checker = this.acmeCertChecker;
        if (checker != null) {
            checker.stop();
        }
        scheduledExecutorServiceRef.unsetReference(serviceReference);
    }

    /**
     * Returns the scheduled executor service resolved from the bound service reference.
     *
     * @return the service obtained from the reference
     */
    public ScheduledExecutorService getScheduledExecutorService() {
        final ScheduledExecutorService executor = (ScheduledExecutorService) scheduledExecutorServiceRef.getService();
        return executor;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Acquires the renew write lock. Every call must be paired with exactly one
     * {@link #releaseWriteLock()}.
     */
    @Trivial
    public void acquireWriteLock() {
        rwRenewCertLock.writeLock().lock();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Releases one hold of the renew write lock taken by {@link #acquireWriteLock()}.
     */
    @Trivial
    public void releaseWriteLock() {
        rwRenewCertLock.writeLock().unlock();
    }

    /**
     * Enforces the minimum interval between certificate renewals.
     *
     * <p>Renewal is allowed when the minimum renew window is disabled, when no renewal has been
     * recorded yet, or when at least the configured minimum time has passed since the last one.
     *
     * @throws CertificateRenewRequestBlockedException if the last renewal is too recent; it is
     *         constructed with the remaining wait time in milliseconds
     */
    @Override // com.ibm.ws.security.acme.AcmeProvider
    public void checkCertificateRenewAllowed() throws CertificateRenewRequestBlockedException {
        final long elapsedMs = System.currentTimeMillis() - this.lastCertificateRenewalTimestamp;
        final boolean renewAllowed = acmeConfig.isDisableMinRenewWindow()
                || this.lastCertificateRenewalTimestamp == -1
                || elapsedMs >= acmeConfig.getRenewCertMin();
        if (!renewAllowed) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Too soon to renew, last certificate renewal was " + this.lastCertificateRenewalTimestamp, new Object[0]);
            }
            throw new CertificateRenewRequestBlockedException("Too soon to renew, last certificate renewal was " + this.lastCertificateRenewalTimestamp, acmeConfig.getRenewCertMin() - elapsedMs);
        }
    }
}
