package com.ibm.ws.ssl.core;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ssl.Constants;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLConfig;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ssl.ConsoleWrapper;
import com.ibm.ws.ssl.config.KeyStoreManager;
import com.ibm.ws.ssl.config.SSLConfigManager;
import com.ibm.ws.ssl.config.ThreadManager;
import com.ibm.ws.ssl.config.WSKeyStore;
import com.ibm.ws.ssl.internal.TraceConstants;
import com.ibm.ws.ssl.provider.AbstractJSSEProvider;
import com.ibm.wsspi.ssl.TrustManagerExtendedInfo;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.PrintStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/ibm/ws/ssl/core/WSX509TrustManager.class */
public final class WSX509TrustManager extends X509ExtendedTrustManager {
    // Trace/message component registered for this class under the "SSL" group.
    private static final TraceComponent tc = Tr.register(WSX509TrustManager.class, "SSL", TraceConstants.MESSAGE_BUNDLE);
    // Console line width used by printMessage(String) when wrapping text (halved for multi-byte text).
    private static final int MAX_MSG_LEN = 79;
    // Prefix printed before continuation lines of a wrapped console message.
    private static final String INDENT = "           ";
    // Private copy of the delegate trust managers; each check is forwarded to every element in order.
    private final TrustManager[] tm;
    // Configuration alias used to look the trust store up through KeyStoreManager.
    private final String tsCfgAlias;
    // Trust store file name; used in messages and when SSL caches are reset.
    private final String tsFile;
    // Connection info map; reassigned inside the two-argument check methods.
    // NOTE(review): extendedInfo and peerHost are mutable per-instance state written during a
    // certificate check — confirm that one instance is never used by concurrent handshakes.
    private Map<String, Object> extendedInfo;
    // Remote host taken from the connection info ("com.ibm.ssl.remoteHost"), or "unknown".
    private String peerHost;
    // SSL configuration handed to the public constructor; null for the protected constructor.
    private final SSLConfig config;
    // Result of the most recent isDoubleByteSystem(String) call.
    boolean isDoubleByteSystem = false;
    // Set from the constructor argument or from SSLConfigManager.isServerProcess().
    boolean isServer;
    // Set from the "autoAcceptSignerCertificate" system property by the public constructor.
    // NOTE(review): the code that consumes this flag is not visible here; if it bypasses the
    // signer prompt, treat the property as a trust-on-first-use switch and audit where it is set.
    boolean autoAccept;
    // Console used to read the answer to the signer prompt.
    private final ConsoleWrapper stdin;
    // Stream the signer prompt is written to.
    private final PrintStream stdout;

    /**
     * Builds a trust manager that prompts on caller-supplied console streams and has no
     * SSL configuration, trust store alias or trust store file attached.
     *
     * @param trustManagerArr delegates that perform the actual validation; copied, must not be null
     * @param consoleWrapper  console used to read the answer to the signer prompt
     * @param printStream     stream the signer prompt is written to
     * @param z               whether this instance runs in a server process
     */
    protected WSX509TrustManager(TrustManager[] trustManagerArr, ConsoleWrapper consoleWrapper, PrintStream printStream, boolean z) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "WSX509TrustManager", new Object[0]);
        }

        // Defensive copy: later changes to the caller's array cannot swap the delegates.
        this.tm = trustManagerArr.clone();

        // No configuration-backed trust store for this variant.
        this.config = null;
        this.tsCfgAlias = null;
        this.tsFile = null;

        this.stdin = consoleWrapper;
        this.stdout = printStream;
        this.isServer = z;
        // Auto-accept is never enabled through this constructor.
        this.autoAccept = false;

        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "WSX509TrustManager");
        }
    }

    /**
     * Builds a trust manager bound to an SSL configuration and its trust store.
     *
     * <p>The prompt streams are the process console and {@code System.out}. The auto-accept
     * flag is read from the {@code autoAcceptSignerCertificate} system property, so any code
     * able to set JVM system properties controls it.
     *
     * @param trustManagerArr delegates that perform the actual validation; copied, must not be null
     * @param map             connection info; when non-null it is pushed to every delegate that
     *                        implements {@link TrustManagerExtendedInfo}
     * @param sSLConfig       SSL configuration this trust manager belongs to
     * @param str             configuration alias of the trust store
     * @param str2            trust store file name
     */
    public WSX509TrustManager(TrustManager[] trustManagerArr, Map<String, Object> map, SSLConfig sSLConfig, String str, String str2) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "WSX509TrustManager", new Object[]{map, str2});
        }

        // Defensive copy of the delegate array.
        this.tm = trustManagerArr.clone();
        this.tsCfgAlias = str;
        this.tsFile = str2;
        this.config = sSLConfig;
        this.extendedInfo = map;
        this.isServer = SSLConfigManager.getInstance().isServerProcess();
        this.stdin = new ConsoleWrapper(System.console(), System.err);
        this.stdout = System.out;
        this.autoAccept = getAutoAccept();

        if (this.extendedInfo != null) {
            this.peerHost = (String) this.extendedInfo.get("com.ibm.ssl.remoteHost");
            for (TrustManager delegate : trustManagerArr) {
                if (!(delegate instanceof TrustManagerExtendedInfo)) {
                    continue;
                }
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Adding extended info to TrustManager " + delegate.getClass().getName(), new Object[0]);
                }
                TrustManagerExtendedInfo infoAware = (TrustManagerExtendedInfo) delegate;
                infoAware.setExtendedInfo(this.extendedInfo);
                infoAware.setSSLConfig(sSLConfig);
            }
        }

        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "WSX509TrustManager");
        }
    }

    /**
     * Reads the {@code autoAcceptSignerCertificate} JVM system property.
     *
     * @return {@code true} only when the property is set to "true" (case-insensitive);
     *         {@code false} when it is absent or has any other value
     */
    private boolean getAutoAccept() {
        // parseBoolean(null) is false, which matches the "property not set" case.
        // NOTE(review): the consumer of this flag is outside the visible code; if it skips the
        // signer prompt, monitor and restrict who can set this property.
        return Boolean.parseBoolean(System.getProperty("autoAcceptSignerCertificate"));
    }

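    /**
     * Validates a client certificate chain by delegating to every configured
     * {@link X509TrustManager}; the first delegate that rejects the chain aborts the check.
     *
     * <p>The peer host is refreshed from the inbound connection info and defaults to
     * "unknown". A rejection is recorded through FFDC and the handshake error message
     * before it is rethrown.
     *
     * @param x509CertificateArr peer certificate chain
     * @param str                authentication type passed through to the delegates
     * @throws CertificateException if any delegate rejects the chain; a non-certificate failure
     *                              is wrapped with the original exception kept as the cause
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "checkClientTrusted", new Object[0]);
        }
        this.extendedInfo = JSSEHelper.getInstance().getInboundConnectionInfo();
        if (this.extendedInfo != null) {
            this.peerHost = (String) this.extendedInfo.get("com.ibm.ssl.remoteHost");
        }
        if (this.peerHost == null || this.peerHost.equals("")) {
            this.peerHost = "unknown";
        }
        try {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                for (int i = 0; i < x509CertificateArr.length; i++) {
                    Tr.debug(tc, "chain[" + i + "]: " + x509CertificateArr[i].getSubjectDN(), new Object[0]);
                }
            }
            for (int i2 = 0; i2 < this.tm.length; i2++) {
                if (this.tm[i2] != null && (this.tm[i2] instanceof X509TrustManager)) {
                    try {
                        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                            Tr.debug(tc, "Delegating to X509TrustManager: " + this.tm[i2].getClass().getName(), new Object[0]);
                        }
                        ((X509TrustManager) this.tm[i2]).checkClientTrusted(x509CertificateArr, str);
                    } catch (Exception e) {
                        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                            Tr.debug(tc, "Certificate Exception occurred: " + e.getMessage(), new Object[0]);
                        }
                        // Provider-internal exceptions are unwrapped to their cause. Keep the
                        // original when there is no usable cause, so the rejection still surfaces
                        // as a CertificateException instead of a NullPointerException or
                        // ClassCastException raised from this handler.
                        Exception exc = e;
                        if (e.getClass().getName().startsWith("com.ibm.jsse2")) {
                            Throwable cause = e.getCause();
                            if (cause instanceof Exception) {
                                exc = (Exception) cause;
                            }
                        }
                        FFDCFilter.processException(exc, getClass().getName(), "checkClientTrusted", this, new Object[]{x509CertificateArr, str});
                        printClientHandshakeError(this.config, this.tsFile, e, x509CertificateArr, null, 0);
                        if (exc instanceof CertificateException) {
                            throw ((CertificateException) exc);
                        }
                        // Preserve the cause so the failing validation step stays diagnosable.
                        throw new CertificateException(exc.getMessage(), exc);
                    }
                }
            }
            if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                Tr.exit(tc, "checkClientTrusted");
            }
        } catch (Throwable th) {
            // Every failure, including the rejection rethrown above, passes through here and
            // leaves the method as an exception: the check never completes normally on error.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception in checkClientTrusted.", new Object[]{th});
            }
            FFDCFilter.processException(th, getClass().getName(), "checkClientTrusted", this, new Object[]{x509CertificateArr, str});
            if (th instanceof RuntimeException) {
                throw ((RuntimeException) th);
            }
            if (!(th instanceof CertificateException)) {
                throw new CertificateException(th);
            }
            throw ((CertificateException) th);
        }
    }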

    /**
     * Validates a server certificate chain by delegating to every configured
     * {@link X509TrustManager}.
     *
     * <p>This overload receives no socket or engine; the peer host is taken from the
     * thread's outbound connection info and, in the visible code, is only used for tracing.
     * When a delegate rejects the chain, the rejection is rethrown unless the first
     * certificate is inside its validity window and the cause is a
     * {@link CertPathValidatorException}; in that case {@code processCertPathException}
     * (defined outside the visible code) is invoked.
     *
     * @param x509CertificateArr peer certificate chain
     * @param str                authentication type passed through to the delegates
     * @throws CertificateException if a delegate rejects the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "checkServerTrusted", new Object[0]);
        }
        Map<String, Object> outboundConnectionInfoInternal = ThreadManager.getInstance().getOutboundConnectionInfoInternal();
        if (outboundConnectionInfoInternal != null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "original peerHost: " + this.peerHost, new Object[0]);
                Tr.debug(tc, "currentConnectionInfo: " + outboundConnectionInfoInternal, new Object[0]);
            }
            this.peerHost = (String) outboundConnectionInfoInternal.get("com.ibm.ssl.remoteHost");
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "current peerHost: " + this.peerHost, new Object[0]);
            }
        } else {
            // This branch only traces the previously stored connection info.
            Map<String, Object> map = this.extendedInfo;
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "currentConnectionInfo from extendedInfo: " + map, new Object[0]);
            }
        }
        // The JSSEHelper view of the outbound connection info overrides the value set above.
        this.extendedInfo = JSSEHelper.getInstance().getOutboundConnectionInfo();
        if (this.extendedInfo != null) {
            this.peerHost = (String) this.extendedInfo.get("com.ibm.ssl.remoteHost");
        }
        if (this.peerHost == null || 0 == this.peerHost.length()) {
            this.peerHost = "unknown";
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Target host: " + this.peerHost, new Object[0]);
            for (int i = 0; i < x509CertificateArr.length; i++) {
                Tr.debug(tc, "Certificate information:", new Object[0]);
                Tr.debug(tc, "  Subject DN: " + x509CertificateArr[i].getSubjectDN(), new Object[0]);
                Tr.debug(tc, "  Issuer DN: " + x509CertificateArr[i].getIssuerDN(), new Object[0]);
                Tr.debug(tc, "  Serial number: " + x509CertificateArr[i].getSerialNumber(), new Object[0]);
            }
        }
        for (int i2 = 0; i2 < this.tm.length; i2++) {
            if (this.tm[i2] != null && (this.tm[i2] instanceof X509TrustManager)) {
                try {
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Delegating to X509TrustManager: " + this.tm[i2].getClass().getName(), new Object[0]);
                    }
                    ((X509TrustManager) this.tm[i2]).checkServerTrusted(x509CertificateArr, str);
                } catch (CertificateException e) {
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Certificate Exception occurred: " + e.getMessage(), new Object[0]);
                    }
                    boolean z = false;
                    // A first certificate that is not yet valid or already expired is always
                    // rejected; it never reaches the cert-path handling below.
                    if (!checkIfExpiredBeforeOrAfter(x509CertificateArr)) {
                        throw e;
                    }
                    if (e.getCause() != null && (e.getCause() instanceof CertPathValidatorException)) {
                        z = true;
                    }
                    // Anything other than a cert-path validation failure is reported and rethrown.
                    if (!z) {
                        Tr.error(tc, "ssl.client.handshake.error.CWPKI0825E", new Object[]{e});
                        throw e;
                    }
                    try {
                        processCertPathException(x509CertificateArr, str, e, null, 0);
                    } catch (Exception e2) {
                        // Only the message is carried over; the original cause is dropped.
                        throw new CertificateException(e2.getMessage());
                    }
                    // NOTE(review): decompiler artifact — e2 is out of scope on the next line, so
                    // the listing does not compile as shown and the behavior after a normal
                    // return from processCertPathException cannot be read from it. The Socket
                    // overload continues the loop at this point; confirm against the original class.
                    throw new CertificateException(e2.getMessage());
                }
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Server is trusted by all X509TrustManagers.", new Object[0]);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "checkServerTrusted");
        }
    }

    /**
     * Shows the signer-exchange prompt for every certificate in the chain and asks whether
     * the signer should be added to the trust store.
     *
     * <p>Any exception raised while printing or reading is traced and treated as a refusal,
     * so a broken console cannot result in acceptance.
     *
     * @param x509CertificateArr certificate chain presented by the peer
     * @return {@code true} only when the answer read from the console is a "yes"
     */
    protected boolean userAcceptedPrompt(X509Certificate[] x509CertificateArr) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "userAcceptedPrompt", new Object[0]);
        }
        boolean accepted = false;
        try {
            this.stdout.println("");
            this.stdout.println(TraceNLSHelper.getInstance().getString("ssl.trustmanager.signer.prompt.CWPKI0100I", "*** SSL SIGNER EXCHANGE PROMPT ***"));
            this.stdout.println(TraceNLSHelper.getInstance().getFormattedMessage("ssl.trustmanager.signer.prompt.CWPKI0101I", new Object[]{this.tsFile}, "SSL signer from target host is not found in trust store " + this.tsFile + ".\n\nHere's the signer information (verify the digest value matches what is displayed at the server):"));
            for (X509Certificate cert : x509CertificateArr) {
                this.stdout.println("");
                // The operator's decision rests on comparing this fingerprint out of band.
                // NOTE(review): SHA-1 is a weak basis for that comparison; consider also
                // showing a SHA-256 fingerprint if generateDigest supports it.
                String fingerprint = KeyStoreManager.getInstance().generateDigest("SHA-1", cert);
                this.stdout.println(TraceNLSHelper.getInstance().getString("ssl.trustmanager.signer.prompt.CWPKI0102I", "  Subject DN:    ") + cert.getSubjectDN());
                this.stdout.println(TraceNLSHelper.getInstance().getString("ssl.trustmanager.signer.prompt.CWPKI0103I", "  Issuer DN:     ") + cert.getIssuerDN());
                this.stdout.println(TraceNLSHelper.getInstance().getString("ssl.trustmanager.signer.prompt.CWPKI0104I", "  Serial number: ") + cert.getSerialNumber());
                this.stdout.println(TraceNLSHelper.getInstance().getString("ssl.trustmanager.signer.prompt.CWPKI0109I", "  Expires: ") + cert.getNotAfter());
                this.stdout.println(TraceNLSHelper.getInstance().getString("ssl.trustmanager.signer.prompt.CWPKI0105I", "  SHA-1 digest:  ") + fingerprint);
                this.stdout.println("");
            }
            String answer = this.stdin.readText(TraceNLSHelper.getInstance().getString("ssl.trustmanager.signer.prompt.CWPKI0107I", "Add signer to the trust store now? (y/n) "));
            if (answer != null) {
                answer = answer.trim().toLowerCase();
            }
            boolean saidYes = isYes(answer);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, saidYes
                        ? "User accepted the certificate, certificate added to the truststore."
                        : "User did not accept the certificate so do not store it to the truststore.", new Object[0]);
            }
            // Set only after tracing so that a failure above still counts as a refusal.
            accepted = saidYes;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Received the following while prompting user.", new Object[]{e});
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "userAcceptedPrompt", Boolean.valueOf(accepted));
        }
        return accepted;
    }

    /**
     * Tells whether a prompt answer is the localized short or full form of "yes".
     *
     * @param str answer typed by the user; may be null
     * @return {@code true} when {@code str} equals either form, ignoring case
     */
    boolean isYes(String str) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "isYes", new Object[]{str});
        }
        String shortYes = TraceNLSHelper.getInstance().getString("ssl.trustmanager.signer.prompt.answer.yes", "y");
        String fullYes = TraceNLSHelper.getInstance().getString("ssl.trustmanager.signer.prompt.answer.full.yes", "yes");
        // An empty localized form is ignored so that an empty answer can never count as "yes".
        boolean matchesShort = shortYes != null && !shortYes.isEmpty() && shortYes.equalsIgnoreCase(str);
        boolean matchesFull = fullYes != null && !fullYes.isEmpty() && fullYes.equalsIgnoreCase(str);
        boolean z = matchesShort || matchesFull;
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "isYes", Boolean.valueOf(z));
        }
        return z;
    }

    /**
     * Writes signer entries for the given chain into the configured trust store, unless the
     * store is marked read-only, in which case only a message is issued.
     *
     * @param x509CertificateArr certificate chain presented by the peer
     * @throws Exception if the trust store alias is not configured or the keystore update fails
     */
    void setCertificateToTruststore(X509Certificate[] x509CertificateArr) throws Exception {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "setCertificateToTruststore", new Object[0]);
        }
        try {
            WSKeyStore trustStore = KeyStoreManager.getInstance().getKeyStore(this.tsCfgAlias);
            if (trustStore == null) {
                throw new Exception("Keystore " + this.tsCfgAlias + " does not exist in the configuration.");
            }
            boolean readOnly = trustStore.getReadOnly().booleanValue();
            if (!readOnly) {
                for (int idx = 0; idx < x509CertificateArr.length; idx++) {
                    String alias = x509CertificateArr[idx].getSubjectDN().getName().trim();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Adding alias \"" + alias + "\" to truststore \"" + this.tsFile + "\".", new Object[0]);
                    }
                    // NOTE(review): the alias comes from chain element idx, but the certificate
                    // stored (and fingerprinted) is always the last element of the chain —
                    // confirm this is intended. Whether an existing alias is overwritten depends
                    // on WSKeyStore.setCertificateEntry, which is not visible here.
                    X509Certificate stored = x509CertificateArr[x509CertificateArr.length - 1];
                    trustStore.setCertificateEntry(alias, stored);
                    String fingerprint = KeyStoreManager.getInstance().generateDigest("SHA-1", stored);
                    issueMessage("ssl.signer.add.to.local.truststore.CWPKI0308I", new Object[]{alias, this.tsFile, fingerprint}, "CWPKI0308I: Adding signer alias \"" + alias + "\" to local keystore \"" + this.tsFile + "\" with the following SHA digest: " + fingerprint);
                    // Cached SSL contexts are dropped unless the store's trigger is "disabled".
                    if (!trustStore.getTrigger().equalsIgnoreCase("disabled")) {
                        clearSSLCachesAndResetDefault();
                    }
                }
            } else {
                issueMessage("ssl.keystore.readonly.CWPKI0810I", new Object[]{this.tsCfgAlias}, "The " + this.tsCfgAlias + " keystore is read only and the certificate will not be written to the keystore file.  Trust will be accepted only for this connection.");
            }
            if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                Tr.exit(tc, "setCertificateToTruststore");
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception while trying to write certificate to the truststore. Exception is " + e.getMessage(), new Object[0]);
            }
            throw e;
        }
    }

    /**
     * Derives an alias that is not yet present in the keystore by appending or bumping a
     * numeric {@code _N} suffix.
     *
     * @param keyStore keystore checked for alias collisions
     * @param str      starting alias
     * @return the first candidate alias the keystore does not contain
     * @throws KeyStoreException if the keystore cannot be queried
     */
    private String incrementAlias(KeyStore keyStore, String str) throws KeyStoreException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "incrementAlias: " + str, new Object[0]);
        }
        int counter = 0;
        String prefix;
        int underscoreAt = str.lastIndexOf('_');
        if (underscoreAt == -1) {
            // No suffix yet: start a new one.
            prefix = str + '_';
        } else if (underscoreAt == str.length() - 1) {
            // Alias already ends with '_': append the number directly.
            prefix = str;
        } else {
            int suffixStart = underscoreAt + 1;
            try {
                counter = Integer.parseInt(str.substring(suffixStart));
                prefix = str.substring(0, suffixStart);
            } catch (NumberFormatException e) {
                // Text after the last '_' is not a number: treat the whole alias as the base.
                prefix = str + '_';
            }
        }
        counter++;
        String candidate = prefix + Integer.toString(counter);
        while (keyStore.containsAlias(candidate)) {
            counter++;
            candidate = prefix + Integer.toString(counter);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "incrementAlias: " + candidate);
        }
        return candidate;
    }

    /**
     * Drops cached SSL contexts and keystores after the trust store file was modified and
     * writes audit message CWPKI0811I naming the file.
     *
     * <p>Failures are traced at debug level only; they are not propagated.
     */
    private void clearSSLCachesAndResetDefault() {
        File trustStoreFile = new File(this.tsFile);
        HashSet modifiedFiles = new HashSet();
        modifiedFiles.add(trustStoreFile);
        try {
            AbstractJSSEProvider.clearSSLContextCache();
            KeyStoreManager.getInstance().clearJavaKeyStoresFromKeyStoreMap();
            SSLConfigManager.getInstance().resetDefaultSSLContextIfNeeded(modifiedFiles);
            // The audit record is the durable trace that the trust store changed at runtime.
            Tr.audit(tc, "ssl.keystore.modified.CWPKI0811I", modifiedFiles.toArray());
        } catch (Exception e) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception while trying to reload keystore file, exception is: " + e.getMessage(), new Object[0]);
            }
        }
    }

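    /**
     * Checks whether the first certificate of the chain is inside its validity period.
     *
     * <p>Despite the name, {@code true} means "currently valid". Only element 0 is
     * inspected; the remaining chain elements are not checked here.
     *
     * @param x509CertificateArr certificate chain; may be null or empty
     * @return {@code true} when the first certificate is neither not-yet-valid nor expired;
     *         {@code false} otherwise, including for a null or empty chain or a null first element
     */
    protected boolean checkIfExpiredBeforeOrAfter(X509Certificate[] x509CertificateArr) {
        // An empty chain is treated like a missing one instead of failing on index 0.
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            return false;
        }
        X509Certificate first = x509CertificateArr[0];
        long now = System.currentTimeMillis();
        long notBefore = first.getNotBefore().getTime();
        long notAfter = first.getNotAfter().getTime();
        if (notBefore > now) {
            Tr.error(tc, "ssl.certificate.before.date.invalid.CWPKI0311E", new Object[]{first.getSubjectDN(), new Date(notBefore)});
            return false;
        }
        if (notAfter < now) {
            Tr.error(tc, "ssl.certificate.end.date.invalid.CWPKI0312E", new Object[]{first.getSubjectDN(), new Date(notAfter)});
            return false;
        }
        return true;
    }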

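    /**
     * Logs a client handshake failure, naming the rejected subject, the trust store and the
     * SSL configuration alias.
     *
     * @param sSLConfig          SSL configuration used to resolve the alias property; may be null
     * @param str                trust store file name
     * @param exc                exception that caused the rejection
     * @param x509CertificateArr rejected certificate chain; may be null or empty
     * @param str2               peer host, or null when unknown
     * @param i                  peer port; values {@code <= 0} mean unknown
     */
    private void printClientHandshakeError(SSLConfig sSLConfig, String str, Exception exc, X509Certificate[] x509CertificateArr, String str2, int i) {
        String message = exc.getMessage();
        // Guard the chain so that error reporting cannot itself throw and mask the rejection
        // being reported.
        boolean hasFirstCert = x509CertificateArr != null && x509CertificateArr.length > 0 && x509CertificateArr[0] != null;
        String principal = hasFirstCert ? x509CertificateArr[0].getSubjectDN().toString() : "unknown";
        String property = getProperty(Constants.SSLPROP_ALIAS, sSLConfig, SSLConfigManager.getInstance().isServerProcess());
        if (str2 == null || i <= 0) {
            Tr.error(tc, "ssl.client.handshake.error.CWPKI0022E", new Object[]{principal, str, property, message});
        } else {
            // Host and port are known: use the message variant that includes the endpoint.
            Tr.error(tc, "ssl.client.handshake.error.CWPKI0823E", new Object[]{principal, str2 + ":" + i, str, property, message});
        }
    }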

    /**
     * Collects the accepted issuers of every delegate {@link X509TrustManager}, without
     * duplicates and in first-seen order.
     *
     * @return the combined issuer certificates; an empty array when no delegate reports any
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "getAcceptedIssuers", new Object[0]);
        }
        ArrayList<X509Certificate> issuers = new ArrayList<X509Certificate>();
        for (TrustManager delegate : this.tm) {
            // instanceof is false for null entries, so they are skipped as well.
            if (!(delegate instanceof X509TrustManager)) {
                continue;
            }
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Delegating to X509TrustManager: " + delegate.getClass().getName(), new Object[0]);
            }
            X509Certificate[] fromDelegate = ((X509TrustManager) delegate).getAcceptedIssuers();
            if (fromDelegate == null) {
                continue;
            }
            for (X509Certificate issuer : fromDelegate) {
                if (!issuers.contains(issuer)) {
                    issuers.add(issuer);
                }
            }
        }
        X509Certificate[] x509CertificateArr = issuers.toArray(new X509Certificate[issuers.size()]);
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "getAcceptedIssuers", x509CertificateArr);
        }
        return x509CertificateArr;
    }

    /**
     * Formats a message and prints it to the console.
     *
     * @param str    message key
     * @param objArr message inserts
     * @param str2   default text passed to the formatter along with the key
     */
    protected void issueMessage(String str, Object[] objArr, String str2) {
        String formatted = TraceNLSHelper.getInstance().getFormattedMessage(str, objArr, str2);
        printMessage(formatted);
    }

    /**
     * Prints a message wrapped to the console width; the width is halved when the text is
     * detected as multi-byte.
     *
     * @param str message text
     */
    protected void printMessage(String str) {
        int width = isDoubleByteSystem(str) ? MAX_MSG_LEN / 2 : MAX_MSG_LEN;
        printMessage(str, width, false);
    }

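    /**
     * Estimates whether a message is made of multi-byte characters by comparing its
     * {@code writeUTF} encoded size with its character count.
     *
     * <p>The result is also stored in the {@code isDoubleByteSystem} field. When encoding
     * fails, {@code false} is returned and the field is left unchanged.
     *
     * @param str message text
     * @return {@code true} when the encoded size exceeds the character count by more than 10%
     */
    private boolean isDoubleByteSystem(String str) {
        // The decompiled listing referenced an undeclared register (r0) for this buffer; it is
        // named here so the size can actually be read back.
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(buffer)) {
            // writeUTF prepends a two-byte length to the encoded characters.
            out.writeUTF(str);
            out.flush();
        } catch (IOException e) {
            return false;
        }
        this.isDoubleByteSystem = buffer.toByteArray().length > str.length() + (str.length() * 0.1d);
        return this.isDoubleByteSystem;
    }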

    /**
     * Prints a message to {@code System.out}, breaking it at spaces so that each line fits the
     * given width; continuation lines are prefixed with {@code INDENT}.
     *
     * @param str text still to be printed
     * @param i   full line width
     * @param z   whether this call prints a continuation line
     */
    private void printMessage(String str, int i, boolean z) {
        int available = i;
        if (z) {
            System.out.print(INDENT);
            available = i - INDENT.length();
        }
        if (str.length() > available) {
            // Prefer the last space that still fits; otherwise break at the first space.
            int breakAt = str.lastIndexOf(' ', available);
            if (breakAt == -1) {
                breakAt = str.indexOf(' ');
            }
            if (breakAt != -1) {
                printMessage(str.substring(0, breakAt), i, false);
                printMessage(str.substring(breakAt + 1), i, true);
                return;
            }
        }
        // Either the text fits or it has no space to break at.
        System.out.println(str);
    }

    /**
     * Resolves a property from JVM system properties, the global SSL properties and the
     * given configuration.
     *
     * <p>System and global properties are consulted first unless a configuration is
     * supplied and the process is a server; the configuration is the fallback whenever it
     * is present.
     *
     * @param str        property name
     * @param properties SSL configuration to fall back to; may be null
     * @param z          whether the process is a server process
     * @return the resolved value, or null when no source defines it
     */
    private String getProperty(String str, Properties properties, boolean z) {
        String value = null;
        if (properties == null || !z) {
            value = System.getProperty(str);
            if (value == null) {
                value = SSLConfigManager.getInstance().getGlobalProperty(str);
            }
        }
        if (value == null && properties != null) {
            value = properties.getProperty(str);
        }
        return value;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v17, types: [java.lang.Exception] */
    /* JADX WARN: Type inference failed for: r9v0, types: [com.ibm.ws.ssl.core.WSX509TrustManager, java.lang.Object] */
    /**
     * Validates a client certificate chain for a socket-based connection by delegating to
     * every configured trust manager; the first rejection is logged and rethrown.
     *
     * @param x509CertificateArr peer certificate chain
     * @param str                authentication type passed through to the delegates
     * @param socket             socket of the connection, passed through to the delegates
     * @throws CertificateException if a delegate rejects the chain
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        Tr.entry(tc, "checkClientTrusted", new Object[]{x509CertificateArr, str, socket});
        for (int i = 0; i < this.tm.length; i++) {
            try {
                // NOTE(review): the guard tests for X509TrustManager but the call below casts to
                // X509ExtendedTrustManager. A delegate implementing only the base interface would
                // raise ClassCastException, which this catch does not handle; the handshake
                // would then fail with a runtime exception rather than a CertificateException.
                if (this.tm[i] != null && (this.tm[i] instanceof X509TrustManager)) {
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Delegating to X509TrustManager: " + this.tm[i].getClass().getName(), new Object[0]);
                    }
                    ((X509ExtendedTrustManager) this.tm[i]).checkClientTrusted(x509CertificateArr, str, socket);
                }
            } catch (CertificateException e) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Certificate Exception occurred: " + e.getMessage(), new Object[0]);
                }
                // NOTE(review): decompiler artifact — the variable is typed CertificateException
                // but is assigned an Exception below, so this listing does not compile as shown.
                // The two-argument overload suggests the intent: unwrap provider-internal
                // exceptions to their cause. A null cause is not checked before use.
                CertificateException certificateException = e;
                if (certificateException.getClass().toString().startsWith("class com.ibm.jsse2")) {
                    certificateException = (Exception) certificateException.getCause();
                }
                // The FFDC record carries the chain and auth type, not the socket.
                FFDCFilter.processException(certificateException, getClass().getName(), "checkClientTrusted", (Object) this, new Object[]{x509CertificateArr, str});
                printClientHandshakeError(this.config, this.tsFile, e, x509CertificateArr, null, 0);
                if (!(certificateException instanceof CertificateException)) {
                    // Only the message is carried over; the original cause is dropped.
                    throw new CertificateException(certificateException.getMessage());
                }
                throw certificateException;
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "checkClientTrusted");
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v17, types: [java.lang.Exception] */
    /* JADX WARN: Type inference failed for: r9v0, types: [com.ibm.ws.ssl.core.WSX509TrustManager, java.lang.Object] */
    /**
     * Validates a client certificate chain for an engine-based connection by delegating to
     * every configured trust manager; the first rejection is logged and rethrown.
     *
     * @param x509CertificateArr peer certificate chain
     * @param str                authentication type passed through to the delegates
     * @param sSLEngine          engine of the connection, passed through to the delegates
     * @throws CertificateException if a delegate rejects the chain
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        Tr.entry(tc, "checkClientTrusted", new Object[]{x509CertificateArr, str, sSLEngine});
        for (int i = 0; i < this.tm.length; i++) {
            try {
                // NOTE(review): the guard tests for X509TrustManager but the call below casts to
                // X509ExtendedTrustManager. A delegate implementing only the base interface would
                // raise ClassCastException, which this catch does not handle; the handshake
                // would then fail with a runtime exception rather than a CertificateException.
                if (this.tm[i] != null && (this.tm[i] instanceof X509TrustManager)) {
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Delegating to X509TrustManager: " + this.tm[i].getClass().getName(), new Object[0]);
                    }
                    ((X509ExtendedTrustManager) this.tm[i]).checkClientTrusted(x509CertificateArr, str, sSLEngine);
                }
            } catch (CertificateException e) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Certificate Exception occurred: " + e.getMessage(), new Object[0]);
                }
                // NOTE(review): decompiler artifact — the variable is typed CertificateException
                // but is assigned an Exception below, so this listing does not compile as shown.
                // The two-argument overload suggests the intent: unwrap provider-internal
                // exceptions to their cause. A null cause is not checked before use.
                CertificateException certificateException = e;
                if (certificateException.getClass().toString().startsWith("class com.ibm.jsse2")) {
                    certificateException = (Exception) certificateException.getCause();
                }
                // The FFDC record carries the chain and auth type, not the engine.
                FFDCFilter.processException(certificateException, getClass().getName(), "checkClientTrusted", (Object) this, new Object[]{x509CertificateArr, str});
                printClientHandshakeError(this.config, this.tsFile, e, x509CertificateArr, null, 0);
                if (!(certificateException instanceof CertificateException)) {
                    // Only the message is carried over; the original cause is dropped.
                    throw new CertificateException(certificateException.getMessage());
                }
                throw certificateException;
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "checkClientTrusted");
        }
    }

    /**
     * Validates a server certificate chain for a socket-based connection by delegating to
     * every configured trust manager.
     *
     * <p>This wrapper does not compare host names itself; the socket is handed to the
     * delegates. When a delegate rejects the chain, the rejection is rethrown unless the
     * first certificate is inside its validity window and {@code isCertPathError} classifies
     * the failure as a cert-path error; in that case {@code processCertPathException}
     * (defined outside the visible code) decides, and a normal return from it lets the loop
     * continue as if the delegate had accepted the chain.
     *
     * @param x509CertificateArr peer certificate chain
     * @param str                authentication type passed through to the delegates
     * @param socket             socket of the connection; peer host and port are read from
     *                           its handshake session when it is an {@link SSLSocket}
     * @throws CertificateException if a delegate rejects the chain and the rejection is not
     *                              resolved by {@code processCertPathException}
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "checkServerTrusted", new Object[]{x509CertificateArr, str, socket});
        }
        String str2 = null;
        int i = 0;
        if (socket instanceof SSLSocket) {
            // NOTE(review): the handshake session is used without a null check — confirm this
            // method is only reached while a handshake is in progress.
            SSLSession handshakeSession = ((SSLSocket) socket).getHandshakeSession();
            str2 = handshakeSession.getPeerHost();
            i = handshakeSession.getPeerPort();
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Target host: " + str2, new Object[0]);
            for (int i2 = 0; i2 < x509CertificateArr.length; i2++) {
                Tr.debug(tc, "Certificate information:", new Object[0]);
                Tr.debug(tc, "  Subject DN: " + x509CertificateArr[i2].getSubjectDN(), new Object[0]);
                Tr.debug(tc, "  Issuer DN: " + x509CertificateArr[i2].getIssuerDN(), new Object[0]);
                Tr.debug(tc, "  Serial number: " + x509CertificateArr[i2].getSerialNumber(), new Object[0]);
            }
        }
        for (int i3 = 0; i3 < this.tm.length; i3++) {
            try {
                // NOTE(review): the guard tests for X509TrustManager but the call below casts to
                // X509ExtendedTrustManager; a delegate implementing only the base interface would
                // raise ClassCastException, which the catch below does not handle.
                if (this.tm[i3] != null && (this.tm[i3] instanceof X509TrustManager)) {
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Delegating to X509TrustManager: " + this.tm[i3].getClass().getName(), new Object[0]);
                    }
                    ((X509ExtendedTrustManager) this.tm[i3]).checkServerTrusted(x509CertificateArr, str, socket);
                }
            } catch (CertificateException e) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Certificate Exception occurred: " + e.getMessage(), new Object[0]);
                }
                // A first certificate that is not yet valid or already expired is always
                // rejected; it never reaches the cert-path handling below.
                if (!checkIfExpiredBeforeOrAfter(x509CertificateArr)) {
                    throw e;
                }
                try {
                    if (!isCertPathError(e)) {
                        Tr.error(tc, "ssl.client.handshake.error.CWPKI0824E", new Object[]{str2, "\"" + e.getMessage().trim() + "\""});
                        throw e;
                    }
                    // Returning normally from this call is the only path on which a chain
                    // rejected by a delegate is still accepted.
                    processCertPathException(x509CertificateArr, str, e, str2, i);
                } catch (Exception e2) {
                    // This also catches the rethrown e above; the new exception carries only
                    // the message, so the original cause and stack trace are dropped.
                    throw new CertificateException(e2.getMessage());
                }
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Server is trusted by all X509ExtendedTrustManager.", new Object[0]);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "checkServerTrusted");
        }
    }

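    /**
     * Validates the server certificate chain for an {@link SSLEngine}-based handshake by
     * delegating to each configured trust manager in turn.
     *
     * <p>When a delegate rejects the chain, the failure is rethrown unless
     * {@code checkIfExpiredBeforeOrAfter} returns {@code true} and {@code isCertPathError}
     * classifies it as a certification-path failure. In that case
     * {@code processCertPathException} decides the outcome; on a client it can add the presented
     * chain to the trust store (auto-accept or user prompt) and let validation continue.
     *
     * @param x509CertificateArr certificate chain presented by the peer
     * @param str authentication type, passed through to the delegates unchanged
     * @param sSLEngine engine of the connection; when non-null the peer host and port are read
     *     from its handshake session for trace and error reporting
     * @throws CertificateException if a delegate rejects the chain and the rejection is not
     *     resolved by {@code processCertPathException}
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "checkServerTrusted", new Object[]{x509CertificateArr, str, sSLEngine});
        }
        // Peer host and port are only used for trace output and error reporting below.
        String peerHostName = null;
        int peerPort = 0;
        if (sSLEngine != null) {
            SSLSession handshakeSession = sSLEngine.getHandshakeSession();
            // getHandshakeSession() may return null when no handshake session exists yet;
            // report an unknown peer instead of failing with a NullPointerException.
            if (handshakeSession != null) {
                peerHostName = handshakeSession.getPeerHost();
                peerPort = handshakeSession.getPeerPort();
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Target host: " + peerHostName, new Object[0]);
            for (X509Certificate certificate : x509CertificateArr) {
                Tr.debug(tc, "Certificate information:", new Object[0]);
                Tr.debug(tc, "  Subject DN: " + certificate.getSubjectDN(), new Object[0]);
                Tr.debug(tc, "  Issuer DN: " + certificate.getIssuerDN(), new Object[0]);
                Tr.debug(tc, "  Serial number: " + certificate.getSerialNumber(), new Object[0]);
            }
        }
        // NOTE(review): if this.tm holds no X509TrustManager at all, this loop performs no check
        // and the method returns normally. Verify that construction guarantees at least one.
        for (TrustManager delegate : this.tm) {
            try {
                if (delegate instanceof X509TrustManager) {
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Delegating to X509TrustManager: " + delegate.getClass().getName(), new Object[0]);
                    }
                    // NOTE(review): the guard tests X509TrustManager but the cast needs
                    // X509ExtendedTrustManager, so a plain X509TrustManager raises
                    // ClassCastException here (the handshake still fails). Falling back to the
                    // two-argument check would lose the engine-aware validation, so the guard
                    // and the cast should be aligned deliberately rather than patched locally.
                    ((X509ExtendedTrustManager) delegate).checkServerTrusted(x509CertificateArr, str, sSLEngine);
                }
            } catch (CertificateException e) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Certificate Exception occurred: " + e.getMessage(), new Object[0]);
                }
                if (!checkIfExpiredBeforeOrAfter(x509CertificateArr)) {
                    throw e;
                }
                try {
                    if (!isCertPathError(e)) {
                        // A CertificateException may carry no message; log an empty detail
                        // rather than replacing the real failure with a NullPointerException.
                        String detail = e.getMessage() == null ? "" : e.getMessage().trim();
                        Tr.error(tc, "ssl.client.handshake.error.CWPKI0824E", new Object[]{peerHostName, detail});
                        throw e;
                    }
                    processCertPathException(x509CertificateArr, str, e, peerHostName, peerPort);
                } catch (Exception e2) {
                    // Keep the original failure as the cause so the rejection reason is not lost.
                    throw new CertificateException(e2.getMessage(), e2);
                }
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Server is trusted by all X509ExtendedTrustManager.", new Object[0]);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "checkServerTrusted");
        }
    }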

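    /**
     * Reports whether a trust failure is a certification-path failure.
     *
     * <p>The result is {@code true} when the direct cause is a
     * {@link CertPathValidatorException}, or when the exception message contains
     * {@code CertPathBuilderException} (which also matches {@code SunCertPathBuilderException}).
     * An exception without a message is treated as not being a path error.
     *
     * @param certificateException failure raised by a delegate trust manager
     * @return {@code true} if the failure is classified as a certification-path error
     */
    private boolean isCertPathError(CertificateException certificateException) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "isCertPathError", new Object[]{certificateException});
        }
        // instanceof is false for null, so no separate null check on the cause is needed.
        if (certificateException.getCause() instanceof CertPathValidatorException) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                Tr.exit(tc, "isCertPathError cause is CertPathValidatorException true");
            }
            return true;
        }
        // NOTE(review): this branch classifies by message text, which depends on the wording the
        // JSSE provider uses. The callers in this class hand a true result to
        // processCertPathException, so confirm the match cannot be reached by unrelated failures.
        String message = certificateException.getMessage();
        // getMessage() may be null; "CertPathBuilderException" is a substring of
        // "SunCertPathBuilderException", so one test covers both names.
        if (message != null && message.contains("CertPathBuilderException")) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                Tr.exit(tc, "isCertPathError, SunCertPathBuildException or CertPathBuilderException true");
            }
            return true;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "isCertPathError false");
        }
        return false;
    }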

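    /**
     * Decides what happens after a delegate trust manager reports a certification-path failure.
     *
     * <ul>
     *   <li>Server side ({@code isServer}): the failure is recorded through FFDC, printed as a
     *       handshake error and rethrown; nothing is added to the trust store.</li>
     *   <li>Client side with {@code autoAccept}: the presented chain is added to the trust store
     *       without asking, and the method returns normally.</li>
     *   <li>Client side otherwise: the user is prompted; on acceptance the chain is added to the
     *       trust store, on refusal the handshake error is printed and the failure rethrown.</li>
     * </ul>
     *
     * @param x509CertificateArr certificate chain presented by the peer
     * @param str authentication type, recorded with the FFDC entry
     * @param exc the failure raised by the delegate trust manager
     * @param str2 peer host name used in the handshake error output; may be {@code null}
     * @param i peer port used in the handshake error output
     * @throws Exception the original failure (or its cause on the server side) when the chain is
     *     not accepted
     */
    private void processCertPathException(X509Certificate[] x509CertificateArr, String str, Exception exc, String str2, int i) throws Exception {
        if (this.isServer) {
            Exception reported = exc;
            // Unwrap the provider's wrapper only when it carries an Exception cause. Without this
            // guard a missing cause would make "throw" fail with a NullPointerException, and an
            // Error cause would fail the cast, both hiding the real handshake failure.
            if (exc.getClass().toString().startsWith("class com.ibm.jsse2") && exc.getCause() instanceof Exception) {
                reported = (Exception) exc.getCause();
            }
            FFDCFilter.processException(reported, getClass().getName(), "checkServerTrusted", this, new Object[]{x509CertificateArr, str});
            printClientHandshakeError(this.config, this.tsFile, reported, x509CertificateArr, str2, i);
            throw reported;
        }
        if (this.autoAccept) {
            // NOTE(review): this path trusts whatever chain the peer presented after a path
            // validation failure, with no operator confirmation. Confirm where autoAccept is set
            // and that it is not enabled for production connections.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "autoacceptsigner - adding certificate to the truststore.", new Object[0]);
            }
            setCertificateToTruststore(x509CertificateArr);
            return;
        }
        if (!userAcceptedPrompt(x509CertificateArr)) {
            printClientHandshakeError(this.config, this.tsFile, exc, x509CertificateArr, str2, i);
            throw exc;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "prompt user - adding certificate to the truststore.", new Object[0]);
        }
        setCertificateToTruststore(x509CertificateArr);
    }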
}
