package com.aoindustries.aoserv.daemon.ssl;

import com.aoindustries.aoserv.client.distribution.OperatingSystemVersion;
import com.aoindustries.aoserv.client.linux.PosixPath;
import com.aoindustries.aoserv.client.linux.Server;
import com.aoindustries.aoserv.client.monitoring.AlertLevel;
import com.aoindustries.aoserv.client.pki.Certificate;
import com.aoindustries.aoserv.client.pki.CertificateName;
import com.aoindustries.aoserv.client.pki.CertificateOtherUse;
import com.aoindustries.aoserv.daemon.AOServDaemon;
import com.aoindustries.collections.AoCollections;
import com.aoindustries.concurrent.KeyedConcurrencyReducer;
import com.aoindustries.io.unix.Stat;
import com.aoindustries.io.unix.UnixFile;
import com.aoindustries.lang.Strings;
import com.aoindustries.util.Tuple2;
import com.aoindustries.util.concurrent.ExecutionExceptions;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InterruptedIOException;
import java.io.StringReader;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.SQLException;
import java.text.DateFormat;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:com/aoindustries/aoserv/daemon/ssl/SslCertificateManager.class */
public final class SslCertificateManager {
    // Digest algorithm used by getCommandHash to fingerprint openssl output.
    private static final String ALGORITHM = "SHA-256";
    // Maximum age of a cached CertbotStatus, in milliseconds (3,300,000 ms = 55 minutes).
    private static final long CERTBOT_CACHE_DURATION = 3300000;
    // Days-until-expiry thresholds for certbot-managed certificates: a remaining-day count at or
    // below a threshold raises the named alert level. The decompiled checkSslCertificate shows
    // most of these as inlined literals (0, 7, 10) rather than by name.
    private static final int CERTBOT_CRITICAL_DAYS = 0;
    private static final int CERTBOT_HIGH_DAYS = 7;
    private static final int CERTBOT_MEDIUM_DAYS = 10;
    private static final int CERTBOT_LOW_DAYS = 12;
    // The same thresholds for certificates that are not managed by certbot.
    private static final int OTHER_CRITICAL_DAYS = 0;
    private static final int OTHER_HIGH_DAYS = 7;
    private static final int OTHER_MEDIUM_DAYS = 14;
    private static final int OTHER_LOW_DAYS = 30;
    // Lock file whose existence getCertbotStatus polls before invoking certbot; the path is
    // assigned in the static initializer.
    private static final UnixFile CERTBOT_LOCK;
    // Delay between polls of CERTBOT_LOCK, in milliseconds (6 seconds).
    private static final long CERTBOT_LOCKED_SLEEP = 6000;
    // Number of polls before giving up; appears as the literal 10 in the decompiled getCertbotStatus.
    private static final int CERTBOT_LOCKED_ATTEMPTS = 10;
    // Digest cache: key is (file, command type), value is (file modify time, hex digest).
    // All access in getCommandHash is synchronized on the map itself.
    private static final Map<Tuple2<UnixFile, String>, Tuple2<Long, String>> getHashedCache;
    // Not referenced by any decompiled method on this page; presumably the CertificateFactory type
    // used by getX509Status, whose body was not recovered - confirm against the bytecode.
    private static final String FACTORY_TYPE = "X.509";
    // Not referenced by any decompiled method on this page; presumably consulted by getX509Status.
    private static final Map<UnixFile, X509Status> x509Cache;
    // Certbot results keyed by certificate name; getCertbotStatus synchronizes on the map itself.
    private static final Map<String, CertbotStatus> certbotCache;
    // Keyed by (certificate, allowCached); checkSslCertificate submits its work through
    // executeSerialized on this reducer.
    private static final KeyedConcurrencyReducer<Tuple2<Certificate, Boolean>, List<Certificate.Check>> checkSslCertificateConcurrencyLimiter;
    // Compiler-generated flag backing the assert statements; set in the static initializer.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/aoindustries/aoserv/daemon/ssl/SslCertificateManager$CertbotStatus.class */
    /**
     * Snapshot of one certbot lineage as observed by {@code getCertbotStatus}.
     *
     * <p>Alongside the values parsed from certbot's output (domains, status word, days left), the
     * snapshot records the canonical target and modify time of each PEM file plus the modify time of
     * the renewal configuration. {@code getCertbotStatus} compares those against the current
     * filesystem state to decide whether a cached snapshot may be reused.</p>
     *
     * <p>All fields are final. The {@code domains} set is stored and returned as given, without a
     * defensive copy or unmodifiable wrapper.</p>
     */
    public static class CertbotStatus {
        /** Wall-clock time, in milliseconds, at which this snapshot was taken. */
        private final long cacheTime;
        private final UnixFile certCanonicalFile;
        private final long certModifyTime;
        private final UnixFile chainCanonicalFile;
        private final long chainModifyTime;
        private final UnixFile fullchainCanonicalFile;
        private final long fullchainModifyTime;
        private final UnixFile privkeyCanonicalFile;
        private final long privkeyModifyTime;
        private final long renewalModifyTime;
        /** Domains reported by certbot, in the order they were listed. */
        private final Set<String> domains;
        /** Status word taken from certbot's expiry line; the caller starts from {@code "UNKNOWN"}. */
        private final String status;
        /** Days left as reported by certbot, or {@code -1} when none was parsed. */
        private final int days;

        private CertbotStatus(
            long cacheTime,
            UnixFile certCanonicalFile,
            long certModifyTime,
            UnixFile chainCanonicalFile,
            long chainModifyTime,
            UnixFile fullchainCanonicalFile,
            long fullchainModifyTime,
            UnixFile privkeyCanonicalFile,
            long privkeyModifyTime,
            long renewalModifyTime,
            Set<String> domains,
            String status,
            int days
        ) {
            this.cacheTime = cacheTime;
            this.certCanonicalFile = certCanonicalFile;
            this.certModifyTime = certModifyTime;
            this.chainCanonicalFile = chainCanonicalFile;
            this.chainModifyTime = chainModifyTime;
            this.fullchainCanonicalFile = fullchainCanonicalFile;
            this.fullchainModifyTime = fullchainModifyTime;
            this.privkeyCanonicalFile = privkeyCanonicalFile;
            this.privkeyModifyTime = privkeyModifyTime;
            this.renewalModifyTime = renewalModifyTime;
            this.domains = domains;
            this.status = status;
            this.days = days;
        }

        /** Returns the domains certbot listed (private in the bytecode; widened by the decompiler). */
        public Set<String> getDomains() {
            return domains;
        }

        /** Returns the status word (private in the bytecode; widened by the decompiler). */
        public String getStatus() {
            return status;
        }

        /** Returns the days left, or {@code -1} (private in the bytecode; widened by the decompiler). */
        public int getDays() {
            return days;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/aoindustries/aoserv/daemon/ssl/SslCertificateManager$X509Status.class */
    /**
     * Validity window and subject names read from one X.509 certificate file, together with the
     * file modify time recorded when the values were read.
     *
     * <p>The getters hand back the stored {@link Date} and {@link Set} instances directly; no
     * defensive copies are made.</p>
     */
    public static class X509Status {
        /** Modify time of the certificate file when it was parsed. */
        private final long certModifyTime;
        private final Date notBefore;
        private final Date notAfter;
        private final String commonName;
        private final Set<String> altNames;

        private X509Status(long certModifyTime, Date notBefore, Date notAfter, String commonName, Set<String> altNames) {
            this.certModifyTime = certModifyTime;
            this.notBefore = notBefore;
            this.notAfter = notAfter;
            this.commonName = commonName;
            this.altNames = altNames;
        }

        /** Returns the start of the validity window; the caller treats {@code null} as "not available". */
        public Date getNotBefore() {
            return notBefore;
        }

        /** Returns the end of the validity window; the caller treats {@code null} as "not available". */
        public Date getNotAfter() {
            return notAfter;
        }

        /** Returns the subject common name as stored. */
        public String getCommonName() {
            return commonName;
        }

        /** Returns the subject alternative names as stored. */
        public Set<String> getAltNames() {
            return altNames;
        }
    }

    /**
     * Wraps a data-model path in a {@link UnixFile}.
     *
     * @param posixPath the path to wrap, or {@code null}
     * @return a {@link UnixFile} for the path's string form, or {@code null} when the path is {@code null}
     */
    private static UnixFile getUnixFile(PosixPath posixPath) {
        return posixPath == null ? null : new UnixFile(posixPath.toString());
    }

    /**
     * Runs an external command and returns the SHA-256 of its captured output as a hex string,
     * memoized per (file, command type).
     *
     * <p>A cached digest is returned only when {@code z} is true and the stored modify time equals
     * {@code j}. Freshness is therefore judged on modify time alone: a file whose content changes
     * while its modify time is preserved keeps returning the old digest until a caller passes
     * {@code z == false}. The result is written back to the cache in every case.</p>
     *
     * <p>The command is handed to {@code AOServDaemon.execAndCaptureBytes} as an argument array.
     * The monitor on {@code getHashedCache} is held while the command runs, so digest computations
     * do not overlap.</p>
     *
     * @param unixFile the file the digest describes; part of the cache key
     * @param str      the command type label (for example {@code "x509"}); part of the cache key
     * @param j        the file's current modify time, compared against the cached entry
     * @param z        whether a cached digest may be returned
     * @param strArr   the command and its arguments
     * @return the hex-encoded SHA-256 of the command output
     * @throws IOException if running the command fails
     */
    private static String getCommandHash(UnixFile unixFile, String str, long j, boolean z, String... strArr) throws IOException {
        final Tuple2<UnixFile, String> cacheKey = new Tuple2<>(unixFile, str);
        synchronized (getHashedCache) {
            if (z) {
                Tuple2<Long, String> cached = getHashedCache.get(cacheKey);
                if (cached != null && cached.getElement1().longValue() == j) {
                    return cached.getElement2();
                }
            }
            // Acquire the digest before launching the command, matching the original evaluation order.
            MessageDigest sha256;
            try {
                sha256 = MessageDigest.getInstance(ALGORITHM);
            } catch (NoSuchAlgorithmException e) {
                throw new AssertionError("SHA-256 is expected to exist", e);
            }
            byte[] commandOutput = AOServDaemon.execAndCaptureBytes(strArr);
            String hex = Strings.convertToHex(sha256.digest(commandOutput));
            getHashedCache.put(cacheKey, new Tuple2<>(Long.valueOf(j), hex));
            return hex;
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Removed duplicated region for block: B:58:0x034d A[Catch: all -> 0x0494, TryCatch #8 {, blocks: (B:4:0x0006, B:6:0x0013, B:9:0x002a, B:12:0x0038, B:16:0x003a, B:17:0x0067, B:19:0x006f, B:21:0x00c1, B:23:0x00ee, B:25:0x00f9, B:26:0x0107, B:29:0x0152, B:30:0x0188, B:31:0x0191, B:33:0x019b, B:37:0x01b3, B:38:0x01d7, B:40:0x01db, B:42:0x01e5, B:43:0x0204, B:44:0x0205, B:46:0x0210, B:47:0x0239, B:48:0x023a, B:50:0x024b, B:52:0x02ef, B:54:0x02fc, B:55:0x0337, B:56:0x0343, B:58:0x034d, B:62:0x0366, B:65:0x037b, B:66:0x0396, B:68:0x0397, B:71:0x03c9, B:72:0x0469, B:73:0x0492, B:75:0x03d1, B:76:0x03e6, B:78:0x03f0, B:80:0x0412, B:85:0x042b, B:86:0x0446, B:88:0x044a, B:89:0x0465, B:93:0x03a3, B:94:0x03c3, B:98:0x030c, B:99:0x0336, B:102:0x025c, B:103:0x0285, B:106:0x015e, B:107:0x0187, B:111:0x010f, B:113:0x0122, B:116:0x0119, B:118:0x0128, B:119:0x0151, B:122:0x00cd, B:123:0x00ed, B:125:0x0289, B:127:0x0296, B:128:0x02a4, B:133:0x02ac, B:135:0x02bf, B:138:0x02b6, B:140:0x02c5, B:141:0x02ee, B:144:0x0046, B:145:0x0066), top: B:3:0x0006, inners: #0, #1, #2, #3, #4, #5, #9, #10 }] */
    /* JADX WARN: Removed duplicated region for block: B:65:0x037b A[Catch: all -> 0x0494, TryCatch #8 {, blocks: (B:4:0x0006, B:6:0x0013, B:9:0x002a, B:12:0x0038, B:16:0x003a, B:17:0x0067, B:19:0x006f, B:21:0x00c1, B:23:0x00ee, B:25:0x00f9, B:26:0x0107, B:29:0x0152, B:30:0x0188, B:31:0x0191, B:33:0x019b, B:37:0x01b3, B:38:0x01d7, B:40:0x01db, B:42:0x01e5, B:43:0x0204, B:44:0x0205, B:46:0x0210, B:47:0x0239, B:48:0x023a, B:50:0x024b, B:52:0x02ef, B:54:0x02fc, B:55:0x0337, B:56:0x0343, B:58:0x034d, B:62:0x0366, B:65:0x037b, B:66:0x0396, B:68:0x0397, B:71:0x03c9, B:72:0x0469, B:73:0x0492, B:75:0x03d1, B:76:0x03e6, B:78:0x03f0, B:80:0x0412, B:85:0x042b, B:86:0x0446, B:88:0x044a, B:89:0x0465, B:93:0x03a3, B:94:0x03c3, B:98:0x030c, B:99:0x0336, B:102:0x025c, B:103:0x0285, B:106:0x015e, B:107:0x0187, B:111:0x010f, B:113:0x0122, B:116:0x0119, B:118:0x0128, B:119:0x0151, B:122:0x00cd, B:123:0x00ed, B:125:0x0289, B:127:0x0296, B:128:0x02a4, B:133:0x02ac, B:135:0x02bf, B:138:0x02b6, B:140:0x02c5, B:141:0x02ee, B:144:0x0046, B:145:0x0066), top: B:3:0x0006, inners: #0, #1, #2, #3, #4, #5, #9, #10 }] */
    /* JADX WARN: Removed duplicated region for block: B:67:0x0397 A[EXC_TOP_SPLITTER, SYNTHETIC] */
    /* JADX WARN: Removed duplicated region for block: B:95:0x0376 A[EDGE_INSN: B:95:0x0376->B:63:0x0376 BREAK  A[LOOP:1: B:56:0x0343->B:60:0x0373], SYNTHETIC] */
    /* JADX WARN: Type inference failed for: r0v66, types: [java.util.Set] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Decompiler stub: the original body (1179 bytecode instructions per the dump note below) was
     * not reconstructed, and the unconditional throw is a placeholder, not the shipped behavior.
     *
     * <p>What the rest of the class shows about this method: checkSslCertificate calls it with the
     * canonical certificate file, the canonical key file, and the allow-cached flag, and reads
     * not-before, not-after, common name, and alternative names from the result. How the
     * certificate is parsed, whether x509Cache and FACTORY_TYPE are used, and whether the returned
     * common name can be null cannot be determined from this page - consult the instruction dump.</p>
     */
    private static com.aoindustries.aoserv.daemon.ssl.SslCertificateManager.X509Status getX509Status(com.aoindustries.io.unix.UnixFile r10, com.aoindustries.io.unix.UnixFile r11, boolean r12) throws java.io.IOException {
        /*
            Method dump skipped, instructions count: 1179
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.aoindustries.aoserv.daemon.ssl.SslCertificateManager.getX509Status(com.aoindustries.io.unix.UnixFile, com.aoindustries.io.unix.UnixFile, boolean):com.aoindustries.aoserv.daemon.ssl.SslCertificateManager$X509Status");
    }

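    /**
     * Returns certbot's view of one certificate lineage, reusing a cached snapshot when it is
     * still fresh.
     *
     * <p>A cached snapshot is reused only when {@code z} is true, it is less than
     * {@code CERTBOT_CACHE_DURATION} old (in either clock direction), and the canonical targets and
     * modify times of {@code cert.pem}, {@code chain.pem}, {@code fullchain.pem},
     * {@code privkey.pem} and the renewal configuration all match what was recorded. Otherwise
     * {@code certbot certificates --cert-name NAME} is run and its output parsed.</p>
     *
     * <p>The name is spliced into paths under {@code /etc/letsencrypt}, so it is validated first:
     * a name that is empty, is {@code .} or {@code ..}, or contains a path separator or NUL is
     * rejected, keeping every derived path inside the intended directories.</p>
     *
     * <p>The monitor on {@code certbotCache} is held for the whole call, including the lock-file
     * wait (up to nine sleeps of {@code CERTBOT_LOCKED_SLEEP}) and the certbot run. The lock-file
     * check is advisory: certbot may start between the last check and the command launch.</p>
     *
     * @param str the certbot certificate name
     * @param z   whether a cached snapshot may be returned
     * @return the current or cached snapshot
     * @throws IOException if the name is invalid, certbot stays locked, the wait is interrupted,
     *                     running certbot fails, or its output is inconsistent
     */
    private static CertbotStatus getCertbotStatus(String str, boolean z) throws IOException {
        // Defense in depth: the name becomes a directory and file name component below.
        if (
            str == null
            || str.isEmpty()
            || str.equals(".")
            || str.equals("..")
            || str.indexOf('/') != -1
            || str.indexOf('\0') != -1
        ) {
            throw new IOException("Invalid certbot name: " + str);
        }
        synchronized (certbotCache) {
            long currentTimeMillis = System.currentTimeMillis();
            String liveDir = "/etc/letsencrypt/live/" + str;
            // getCanonicalFile resolves symlinks, so a change of link target is detected as well
            // as a change of modify time.
            UnixFile certFile = new UnixFile(new File(liveDir + "/cert.pem").getCanonicalFile());
            long certModifyTime = certFile.getStat().getModifyTime();
            UnixFile chainFile = new UnixFile(new File(liveDir + "/chain.pem").getCanonicalFile());
            long chainModifyTime = chainFile.getStat().getModifyTime();
            UnixFile fullchainFile = new UnixFile(new File(liveDir + "/fullchain.pem").getCanonicalFile());
            long fullchainModifyTime = fullchainFile.getStat().getModifyTime();
            UnixFile privkeyFile = new UnixFile(new File(liveDir + "/privkey.pem").getCanonicalFile());
            long privkeyModifyTime = privkeyFile.getStat().getModifyTime();
            long renewalModifyTime = new UnixFile("/etc/letsencrypt/renewal/" + str + ".conf").getStat().getModifyTime();

            CertbotStatus cached = z ? certbotCache.get(str) : null;
            if (
                cached != null
                // Age is bounded in both directions so a clock that moved backwards also expires the entry.
                && currentTimeMillis - cached.cacheTime < CERTBOT_CACHE_DURATION
                && cached.cacheTime - currentTimeMillis < CERTBOT_CACHE_DURATION
                && certFile.equals(cached.certCanonicalFile)
                && certModifyTime == cached.certModifyTime
                && chainFile.equals(cached.chainCanonicalFile)
                && chainModifyTime == cached.chainModifyTime
                && fullchainFile.equals(cached.fullchainCanonicalFile)
                && fullchainModifyTime == cached.fullchainModifyTime
                && privkeyFile.equals(cached.privkeyCanonicalFile)
                && privkeyModifyTime == cached.privkeyModifyTime
                && renewalModifyTime == cached.renewalModifyTime
            ) {
                return cached;
            }

            // Wait for any running certbot to release its lock file. The literal 10 is the
            // compiler-inlined value of CERTBOT_LOCKED_ATTEMPTS.
            int attempts = 0;
            while (CERTBOT_LOCK.getStat().exists()) {
                attempts++;
                if (attempts >= 10) {
                    throw new IOException("certbot locked by " + CERTBOT_LOCK);
                }
                try {
                    Thread.sleep(CERTBOT_LOCKED_SLEEP);
                } catch (InterruptedException e) {
                    // Restore the interrupt flag so callers further up can still observe it.
                    Thread.currentThread().interrupt();
                    InterruptedIOException interruptedIOException = new InterruptedIOException("Interrupted waiting on " + CERTBOT_LOCK);
                    interruptedIOException.initCause(e);
                    throw interruptedIOException;
                }
            }

            Set<String> domains = Collections.emptySet();
            String status = "UNKNOWN";
            int days = -1;
            // The name is passed as its own argv element after --cert-name.
            try (BufferedReader in = new BufferedReader(new StringReader(AOServDaemon.execAndCapture("certbot", "certificates", "--cert-name", str)))) {
                String line;
                while ((line = in.readLine()) != null) {
                    // Refuse output that describes a different lineage than the one requested.
                    if (line.startsWith("  Certificate Name: ") && !str.equals(line.substring("  Certificate Name: ".length()))) {
                        throw new IOException("Unexpected certificate name: " + line);
                    }
                    if (line.startsWith("    Domains: ")) {
                        if (!domains.isEmpty()) {
                            throw new IOException("Domains already set: " + line);
                        }
                        String[] split = StringUtils.split(line.substring("    Domains: ".length()), ' ');
                        if (split.length == 0) {
                            throw new IOException("No domains: " + line);
                        }
                        domains = AoCollections.newLinkedHashSet(split.length);
                        for (String domain : split) {
                            if (!domains.add(domain)) {
                                throw new IOException("Duplicate domain from certbot: " + line);
                            }
                        }
                    }
                    if (line.startsWith("    Expiry Date: ")) {
                        // The status is the parenthesized part, either "WORD" or "WORD: N day(s)".
                        int open = line.indexOf('(');
                        int close = open == -1 ? -1 : line.indexOf(')', open + 1);
                        if (close != -1) {
                            String inner = line.substring(open + 1, close).trim();
                            int colon = inner.indexOf(':');
                            if (colon == -1) {
                                status = inner;
                                days = -1;
                            } else {
                                try {
                                    String daysText = inner.substring(colon + 1).trim();
                                    if (daysText.endsWith(" days")) {
                                        daysText = daysText.substring(0, daysText.length() - " days".length()).trim();
                                    } else if (daysText.endsWith(" day")) {
                                        daysText = daysText.substring(0, daysText.length() - " day".length()).trim();
                                    }
                                    days = Integer.parseInt(daysText);
                                    if (days < -1) {
                                        days = -1;
                                    }
                                    status = inner.substring(0, colon).trim();
                                } catch (NumberFormatException e) {
                                    // Not a day count: keep the whole parenthesized text as the status.
                                    status = inner;
                                    days = -1;
                                }
                            }
                        }
                    }
                }
            }

            CertbotStatus result = new CertbotStatus(
                currentTimeMillis,
                certFile, certModifyTime,
                chainFile, chainModifyTime,
                fullchainFile, fullchainModifyTime,
                privkeyFile, privkeyModifyTime,
                renewalModifyTime,
                domains, status, days
            );
            certbotCache.put(str, result);
            return result;
        }
    }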

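    /**
     * Runs the health checks for one certificate and returns one {@code Certificate.Check} per
     * finding, in the order the checks are performed.
     *
     * <p>The checks cover: presence of the key, CSR, certificate and chain files (and of their
     * canonical targets when they are symlinks); agreement between the public key material of the
     * key, CSR and certificate; the X.509 validity window, subject CN and subject alternative
     * names; certbot's own status for certbot-managed certificates; and whether any service
     * references the certificate.</p>
     *
     * <p>Only output derived from public material is hashed and reported: the public key
     * ({@code -pubout} / {@code -pubkey}) on the newer operating system versions, the modulus
     * ({@code -modulus}) on the older ones. The older form relies on {@code openssl rsa}; how it
     * behaves for non-RSA keys is not handled here.</p>
     *
     * @param certificate the certificate to check
     * @param z           whether cached digests, X.509 data and certbot status may be used
     * @return the list of check results
     * @throws IOException  on I/O failure, on interruption (as {@code InterruptedIOException}), or
     *                      when reported names contain duplicates
     * @throws SQLException when the configured alternative names contain duplicates, or on data access failure
     */
    public static List<Certificate.Check> checkSslCertificate(Certificate certificate, boolean z) throws IOException, SQLException {
        boolean z2;
        try {
            Server thisServer = AOServDaemon.getThisServer();
            OperatingSystemVersion operatingSystemVersion = thisServer.getHost().getOperatingSystemVersion();
            // Selects the openssl command style by operating system version primary key. What each
            // pkey denotes is defined outside this file; the case order is a decompiler artifact.
            switch (operatingSystemVersion.getPkey()) {
                case 63:
                case 64:
                case 67:
                    // Modulus-based comparison (openssl rsa/req/x509 -modulus).
                    z2 = false;
                    break;
                case 65:
                case 66:
                case 68:
                default:
                    throw new AssertionError("Unsupported OperatingSystemVersion: " + operatingSystemVersion);
                case 69:
                case 70:
                    // Public-key-based comparison (openssl pkey -pubout, req/x509 -pubkey).
                    z2 = true;
                    break;
            }
            boolean z3 = z2;
            // Work is submitted through the reducer keyed by (certificate, allowCached).
            return (List) checkSslCertificateConcurrencyLimiter.executeSerialized(new Tuple2(certificate, Boolean.valueOf(z)), () -> {
                boolean z4;
                boolean z5;
                UnixFile unixFile;
                Stat stat;
                boolean z6;
                UnixFile unixFile2;
                Stat stat2;
                boolean z7;
                UnixFile unixFile3;
                Stat stat3;
                boolean z8;
                Stat stat4;
                boolean z9;
                boolean equals;
                boolean equals2;
                long currentTimeMillis = System.currentTimeMillis();
                String certbotName = certificate.getCertbotName();
                String name = certificate.getCommonName().getName();
                // Expected alternative names, kept both as configured and lower-cased so that a
                // case-only difference can be graded lower than a real mismatch.
                List altNames = certificate.getAltNames();
                LinkedHashSet newLinkedHashSet = AoCollections.newLinkedHashSet(altNames.size());
                LinkedHashSet newLinkedHashSet2 = AoCollections.newLinkedHashSet(altNames.size());
                Iterator it = altNames.iterator();
                while (it.hasNext()) {
                    String name2 = ((CertificateName) it.next()).getName();
                    if (!newLinkedHashSet.add(name2)) {
                        throw new SQLException("Duplicate alt name: " + name2);
                    }
                    String lowerCase = name2.toLowerCase(Locale.ROOT);
                    if (!newLinkedHashSet2.add(lowerCase)) {
                        throw new SQLException("Duplicate lower alt name: " + lowerCase);
                    }
                }
                ArrayList arrayList = new ArrayList();
                // Key and certificate paths are dereferenced unconditionally; CSR and chain are optional.
                UnixFile unixFile4 = getUnixFile(certificate.getKeyFile());
                UnixFile unixFile5 = getUnixFile(certificate.getCsrFile());
                UnixFile unixFile6 = getUnixFile(certificate.getCertFile());
                UnixFile unixFile7 = getUnixFile(certificate.getChainFile());
                Stat stat5 = unixFile4.getStat();
                Stat stat6 = unixFile5 == null ? null : unixFile5.getStat();
                Stat stat7 = unixFile6.getStat();
                Stat stat8 = unixFile7 == null ? null : unixFile7.getStat();
                // --- File presence: a missing key, cert or chain is CRITICAL, a missing CSR is MEDIUM.
                boolean exists = stat5.exists();
                arrayList.add(new Certificate.Check("Key exists?", Boolean.toString(exists), exists ? AlertLevel.NONE : AlertLevel.CRITICAL, unixFile4.toString()));
                if (stat6 == null) {
                    z4 = false;
                } else {
                    if (!$assertionsDisabled && unixFile5 == null) {
                        throw new AssertionError();
                    }
                    z4 = stat6.exists();
                    arrayList.add(new Certificate.Check("CSR exists?", Boolean.toString(z4), z4 ? AlertLevel.NONE : AlertLevel.MEDIUM, unixFile5.toString()));
                }
                boolean exists2 = stat7.exists();
                arrayList.add(new Certificate.Check("Cert exists?", Boolean.toString(exists2), exists2 ? AlertLevel.NONE : AlertLevel.CRITICAL, unixFile6.toString()));
                if (stat8 == null) {
                    z5 = false;
                } else {
                    if (!$assertionsDisabled && unixFile7 == null) {
                        throw new AssertionError();
                    }
                    z5 = stat8.exists();
                    arrayList.add(new Certificate.Check("Chain exists?", Boolean.toString(z5), z5 ? AlertLevel.NONE : AlertLevel.CRITICAL, unixFile7.toString()));
                }
                // --- Symlinks: resolve to the canonical target and check that it exists too.
                // The later digest and X.509 checks operate on the canonical files.
                if (exists && stat5.isSymLink()) {
                    unixFile = new UnixFile(unixFile4.getFile().getCanonicalPath());
                    stat = unixFile.getStat();
                    z6 = stat.exists();
                    arrayList.add(new Certificate.Check("Canonical key exists?", Boolean.toString(z6), z6 ? AlertLevel.NONE : AlertLevel.CRITICAL, unixFile.toString()));
                } else {
                    unixFile = unixFile4;
                    stat = stat5;
                    z6 = exists;
                }
                if (z4 && stat6.isSymLink()) {
                    unixFile2 = new UnixFile(unixFile5.getFile().getCanonicalPath());
                    stat2 = unixFile2.getStat();
                    z7 = stat2.exists();
                    arrayList.add(new Certificate.Check("Canonical CSR exists?", Boolean.toString(z7), z7 ? AlertLevel.NONE : AlertLevel.MEDIUM, unixFile2.toString()));
                } else {
                    unixFile2 = unixFile5;
                    stat2 = stat6;
                    z7 = z4;
                }
                if (exists2 && stat7.isSymLink()) {
                    unixFile3 = new UnixFile(unixFile6.getFile().getCanonicalPath());
                    stat3 = unixFile3.getStat();
                    z8 = stat3.exists();
                    arrayList.add(new Certificate.Check("Canonical cert exists?", Boolean.toString(z8), z8 ? AlertLevel.NONE : AlertLevel.CRITICAL, unixFile3.toString()));
                } else {
                    unixFile3 = unixFile6;
                    stat3 = stat7;
                    z8 = exists2;
                }
                if (z5 && stat8.isSymLink()) {
                    UnixFile unixFile8 = new UnixFile(unixFile7.getFile().getCanonicalPath());
                    stat4 = unixFile8.getStat();
                    z9 = stat4.exists();
                    arrayList.add(new Certificate.Check("Canonical chain exists?", Boolean.toString(z9), z9 ? AlertLevel.NONE : AlertLevel.CRITICAL, unixFile8.toString()));
                } else {
                    stat4 = stat8;
                    z9 = z5;
                }
                long modifyTime = z6 ? stat.getModifyTime() : 0L;
                long modifyTime2 = z7 ? stat2.getModifyTime() : 0L;
                long modifyTime3 = z8 ? stat3.getModifyTime() : 0L;
                long modifyTime4 = z9 ? stat4.getModifyTime() : 0L;
                // --- Key agreement: each digest covers the public key (or modulus) that openssl
                // extracts from the file, so equal digests mean the files belong to the same key pair.
                // Commands are argument arrays; file paths follow "-in" as separate elements.
                String commandHash = z6 ? getCommandHash(unixFile, z3 ? "pkey" : "rsa", modifyTime, z, z3 ? new String[]{"openssl", "pkey", "-outform", "PEM", "-in", unixFile.getPath(), "-pubout"} : new String[]{"openssl", "rsa", "-in", unixFile.getPath(), "-noout", "-modulus"}) : null;
                String commandHash2 = z7 ? getCommandHash(unixFile2, "req", modifyTime2, z, z3 ? new String[]{"openssl", "req", "-outform", "PEM", "-in", unixFile2.getPath(), "-pubkey", "-noout"} : new String[]{"openssl", "req", "-in", unixFile2.getPath(), "-noout", "-modulus"}) : null;
                String commandHash3 = z8 ? getCommandHash(unixFile3, "x509", modifyTime3, z, z3 ? new String[]{"openssl", "x509", "-outform", "PEM", "-in", unixFile3.getPath(), "-pubkey", "-noout"} : new String[]{"openssl", "x509", "-in", unixFile3.getPath(), "-noout", "-modulus"}) : null;
                if (commandHash != null) {
                    arrayList.add(new Certificate.Check("Key SHA-256", commandHash, AlertLevel.NONE, (String) null));
                }
                if (commandHash2 != null) {
                    // When the key digest is unavailable no comparison is possible and no mismatch is reported.
                    if (commandHash == null || commandHash.equals(commandHash2)) {
                        arrayList.add(new Certificate.Check("CSR SHA-256", commandHash2, AlertLevel.NONE, (String) null));
                    } else {
                        arrayList.add(new Certificate.Check("CSR SHA-256", commandHash2, AlertLevel.MEDIUM, "CSR does not match Key"));
                    }
                }
                if (commandHash3 != null) {
                    if (commandHash == null || commandHash.equals(commandHash3)) {
                        arrayList.add(new Certificate.Check("Cert SHA-256", commandHash3, AlertLevel.NONE, (String) null));
                    } else {
                        arrayList.add(new Certificate.Check("Cert SHA-256", commandHash3, AlertLevel.CRITICAL, "Cert does not match Key"));
                    }
                }
                // --- X.509 contents of the (canonical) certificate file.
                if (z8) {
                    DateFormat dateTimeInstance = DateFormat.getDateTimeInstance(DateFormat.MEDIUM, DateFormat.LONG);
                    dateTimeInstance.setTimeZone(thisServer.getTimeZone().getTimeZone());
                    X509Status x509Status = getX509Status(unixFile3, unixFile, z);
                    Date notBefore = x509Status.getNotBefore();
                    if (notBefore != null) {
                        // A certificate that is not yet valid is as unusable as an expired one.
                        arrayList.add(new Certificate.Check("X.509 Not Before", dateTimeInstance.format(notBefore), currentTimeMillis < notBefore.getTime() ? AlertLevel.CRITICAL : AlertLevel.NONE, (String) null));
                    }
                    Date notAfter = x509Status.getNotAfter();
                    if (notAfter != null) {
                        // Whole days remaining (86,400,000 ms per day). Integer division truncates
                        // toward zero, so anything within one day either side of notAfter yields 0.
                        long time = (notAfter.getTime() - currentTimeMillis) / 86400000;
                        String format = dateTimeInstance.format(notAfter);
                        // Thresholds are the inlined CERTBOT_*_DAYS / OTHER_*_DAYS constants.
                        AlertLevel alertLevel = time <= (certbotName != null ? 0 : 0) ? AlertLevel.CRITICAL : time <= (certbotName != null ? 7 : 7) ? AlertLevel.HIGH : time <= (certbotName != null ? 10 : OTHER_MEDIUM_DAYS) ? AlertLevel.MEDIUM : time <= ((long) (certbotName != null ? CERTBOT_LOW_DAYS : OTHER_LOW_DAYS)) ? AlertLevel.LOW : AlertLevel.NONE;
                        // Say "expired" only once notAfter has actually passed; a CRITICAL level can
                        // also mean "less than a day left".
                        arrayList.add(new Certificate.Check("X.509 Not After", format, alertLevel, alertLevel == AlertLevel.NONE ? null : (currentTimeMillis > notAfter.getTime() ? "Certificate expired " : "Certificate expires ") + format));
                    }
                    // Exact match is NONE, a case-only difference is LOW, anything else is HIGH.
                    // NOTE(review): commonName is dereferenced without a null check; whether
                    // getX509Status can return a null CN (for example a SAN-only certificate) is
                    // not visible on this page - confirm.
                    String commonName = x509Status.getCommonName();
                    boolean equals3 = commonName.equals(name);
                    arrayList.add(new Certificate.Check("X.509 Subject CN", commonName, equals3 ? AlertLevel.NONE : commonName.equalsIgnoreCase(name) ? AlertLevel.LOW : AlertLevel.HIGH, equals3 ? null : "Expected: " + name));
                    Set altNames2 = x509Status.getAltNames();
                    boolean equals4 = newLinkedHashSet.equals(altNames2);
                    if (equals4) {
                        equals2 = true;
                    } else {
                        LinkedHashSet newLinkedHashSet3 = AoCollections.newLinkedHashSet(altNames2.size());
                        Iterator it2 = altNames2.iterator();
                        while (it2.hasNext()) {
                            String lowerCase2 = ((String) it2.next()).toLowerCase(Locale.ROOT);
                            if (!newLinkedHashSet3.add(lowerCase2)) {
                                throw new IOException("Duplicate lower alt name: " + lowerCase2);
                            }
                        }
                        equals2 = newLinkedHashSet2.equals(newLinkedHashSet3);
                    }
                    arrayList.add(new Certificate.Check("X.509 Subject Alternative Name", StringUtils.join(altNames2, ' '), equals4 ? AlertLevel.NONE : equals2 ? AlertLevel.LOW : AlertLevel.HIGH, equals4 ? null : "Expected: " + StringUtils.join(newLinkedHashSet, ' ')));
                }
                // --- Certbot's own view, for certbot-managed certificates only.
                if (certbotName != null) {
                    CertbotStatus certbotStatus = getCertbotStatus(certbotName, z);
                    String status = certbotStatus.getStatus();
                    // Any status other than the exact word VALID is CRITICAL.
                    arrayList.add(new Certificate.Check("Certbot status", status, "VALID".equals(status) ? AlertLevel.NONE : AlertLevel.CRITICAL, (String) null));
                    int days = certbotStatus.getDays();
                    // -1 means no day count was parsed from certbot's output; it is shown as EXPIRED.
                    arrayList.add(new Certificate.Check("Certbot days left", days == -1 ? "EXPIRED" : Integer.toString(days), (days == -1 || days <= 0) ? AlertLevel.CRITICAL : days <= 7 ? AlertLevel.HIGH : days <= 10 ? AlertLevel.MEDIUM : days <= CERTBOT_LOW_DAYS ? AlertLevel.LOW : AlertLevel.NONE, (String) null));
                    Set domains = certbotStatus.getDomains();
                    if (domains.isEmpty()) {
                        arrayList.add(new Certificate.Check("Certbot Subject Alternative Name", "(empty)", AlertLevel.HIGH, "No domains from certbot"));
                    } else {
                        // The first domain certbot lists is compared against the expected CN.
                        String str = (String) domains.iterator().next();
                        boolean equals5 = str.equals(name);
                        arrayList.add(new Certificate.Check("Certbot Subject CN", str, equals5 ? AlertLevel.NONE : str.equalsIgnoreCase(name) ? AlertLevel.LOW : AlertLevel.HIGH, equals5 ? null : "Expected: " + name));
                        boolean equals6 = newLinkedHashSet.equals(domains);
                        if (equals6) {
                            equals = true;
                        } else {
                            LinkedHashSet newLinkedHashSet4 = AoCollections.newLinkedHashSet(domains.size());
                            Iterator it3 = domains.iterator();
                            while (it3.hasNext()) {
                                String lowerCase3 = ((String) it3.next()).toLowerCase(Locale.ROOT);
                                if (!newLinkedHashSet4.add(lowerCase3)) {
                                    throw new IOException("Duplicate lower domain: " + lowerCase3);
                                }
                            }
                            equals = newLinkedHashSet2.equals(newLinkedHashSet4);
                        }
                        arrayList.add(new Certificate.Check("Certbot Subject Alternative Name", StringUtils.join(domains, ' '), equals6 ? AlertLevel.NONE : equals ? AlertLevel.LOW : AlertLevel.HIGH, equals6 ? null : "Expected: " + StringUtils.join(newLinkedHashSet, ' ')));
                    }
                }
                // --- Usage: count every reference to the certificate; an unused one is LOW.
                List cyrusImapdBinds = certificate.getCyrusImapdBinds();
                List cyrusImapdServers = certificate.getCyrusImapdServers();
                List httpdSiteBinds = certificate.getHttpdSiteBinds();
                List sendmailServersByServerCertificate = certificate.getSendmailServersByServerCertificate();
                List sendmailServersByClientCertificate = certificate.getSendmailServersByClientCertificate();
                List<CertificateOtherUse> otherUses = certificate.getOtherUses();
                int i = 0;
                StringBuilder sb = new StringBuilder();
                if (!cyrusImapdBinds.isEmpty()) {
                    int size = cyrusImapdBinds.size();
                    i += size;
                    sb.append(size).append(size == 1 ? " CyrusImapdBind" : " CyrusImapdBinds");
                }
                if (!cyrusImapdServers.isEmpty()) {
                    if (sb.length() > 0) {
                        sb.append(", ");
                    }
                    int size2 = cyrusImapdServers.size();
                    i += size2;
                    // Plural label fixed: both branches previously produced the singular form.
                    sb.append(size2).append(size2 == 1 ? " CyrusImapdServer" : " CyrusImapdServers");
                }
                if (!httpdSiteBinds.isEmpty()) {
                    if (sb.length() > 0) {
                        sb.append(", ");
                    }
                    int size3 = httpdSiteBinds.size();
                    i += size3;
                    // Plural label fixed: both branches previously produced the singular form.
                    sb.append(size3).append(size3 == 1 ? " VirtualHost" : " VirtualHosts");
                }
                if (!sendmailServersByServerCertificate.isEmpty()) {
                    if (sb.length() > 0) {
                        sb.append(", ");
                    }
                    int size4 = sendmailServersByServerCertificate.size();
                    i += size4;
                    sb.append(size4).append(size4 == 1 ? " SendmailServer(Host)" : " SendmailServers(Host)");
                }
                if (!sendmailServersByClientCertificate.isEmpty()) {
                    if (sb.length() > 0) {
                        sb.append(", ");
                    }
                    int size5 = sendmailServersByClientCertificate.size();
                    i += size5;
                    sb.append(size5).append(size5 == 1 ? " SendmailServer(Client)" : " SendmailServers(Client)");
                }
                for (CertificateOtherUse certificateOtherUse : otherUses) {
                    if (sb.length() > 0) {
                        sb.append(", ");
                    }
                    i += certificateOtherUse.getCount();
                    sb.append(certificateOtherUse.toString());
                }
                arrayList.add(new Certificate.Check("Certificate used?", Integer.toString(i), i == 0 ? AlertLevel.LOW : AlertLevel.NONE, sb.length() == 0 ? "Certificate appears to be unused" : sb.toString()));
                return arrayList;
            });
        } catch (InterruptedException e) {
            // Restore the interrupt flag before translating to the I/O exception type.
            Thread.currentThread().interrupt();
            InterruptedIOException interruptedIOException = new InterruptedIOException();
            interruptedIOException.initCause(e);
            throw interruptedIOException;
        } catch (ExecutionException e2) {
            // Rethrow the task's own IOException or SQLException under its original type;
            // anything else is wrapped as an IOException.
            ExecutionExceptions.wrapAndThrow(e2, IOException.class, (v1, v2) -> {
                return new IOException(v1, v2);
            });
            ExecutionExceptions.wrapAndThrow(e2, SQLException.class, (v1, v2) -> {
                return new SQLException(v1, v2);
            });
            throw new IOException(e2);
        }
    }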

    /** Not instantiable: the class is final and every member shown here is static. */
    private SslCertificateManager() {
    }

    // Static state, as reconstructed by the decompiler from the class initializer.
    static {
        // Compiler-generated backing flag for the assert statements in this class.
        $assertionsDisabled = !SslCertificateManager.class.desiredAssertionStatus();
        // Lock file polled by getCertbotStatus before it runs certbot.
        CERTBOT_LOCK = new UnixFile("/var/lib/letsencrypt/.certbot.lock");
        // Plain HashMaps: getCommandHash and getCertbotStatus synchronize on their map before
        // touching it. How x509Cache is guarded is not visible on this page.
        getHashedCache = new HashMap();
        x509Cache = new HashMap();
        certbotCache = new HashMap();
        checkSslCertificateConcurrencyLimiter = new KeyedConcurrencyReducer<>();
    }
}
