package com.ibm.ctg.server;

import com.ibm.ccl.util.Scrambler;
import com.ibm.ctg.client.GatewayRequest;
import com.ibm.ctg.client.JSSEUtils;
import com.ibm.ctg.client.SSLContextFactory;
import com.ibm.ctg.client.T;
import com.ibm.ctg.security.JSSEServerSecurity;
import com.ibm.ctg.server.ProtocolHandler;
import com.ibm.ctg.server.logging.Log;
import com.ibm.ctg.util.OSInfo;
import com.ibm.ctg.util.OSVersion;
import java.io.IOException;
import java.net.Socket;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import java.util.StringTokenizer;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.security.cert.X509Certificate;

/* JADX WARN: Classes with same name are omitted:
  input_file:install/taderc25.zip:cicseci602/connectorModule/ctgserver.jar:com/ibm/ctg/server/SslHandler.class
  input_file:install/taderc99.zip:cicseci602/connectorModule/ctgserver.jar:com/ibm/ctg/server/SslHandler.class
  input_file:install/taderc99V60.zip:cicseci5101/connectorModule/ctgserver.jar:com/ibm/ctg/server/SslHandler.class
 */
/* loaded from: input_file:install/taderc99command.zip:cicseci602/connectorModule/ctgserver.jar:com/ibm/ctg/server/SslHandler.class */
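/**
 * Protocol handler for the gateway's {@code ssl:} protocol.
 *
 * <p>One instance acts as the listener: {@link #initialize} parses the handler's
 * parameter string, opens a JSSE server socket and applies the cipher-suite and
 * client-authentication settings. Further instances are created per accepted
 * connection by {@link #createHandler(Socket)}.
 *
 * <p>Security-relevant defaults visible in this class: client authentication is off
 * unless {@code clientauth=} is set to true/on/yes, and the enabled cipher suites are
 * left at whatever the JSSE provider enables unless {@code ciphersuites=} is given.
 */
class SslHandler extends SocketHandler {
    public static final String CLASS_VERSION = "@(#) java/com/ibm/ctg/server/SslHandler.java, client_java, c602, c602-20060418 1.52 04/10/13 16:10:35";
    private static final String COPYRIGHT_NOTICE = "(c) Copyright IBM Corporation 2000,2004.";

    // Recognised option prefixes of the ';'-separated parameter string (matched case-insensitively).
    private static final String strKeyRing = "keyring=";
    private static final String strKeyRingPW = "keyringpw=";
    private static final String strKeyRingPWScrambled = "keyringpwscrambled=";
    private static final String strClientAuthentication = "clientauth=";
    private static final String strCipherSuites = "ciphersuites=";
    private static final String strUseEsmKeyring = "esmkeyring";
    private static final String strUseHWCrypt = "hwcrypt";
    private static final String str128bitOnly = "128bitonly";

    // Preset selected by "ciphersuites=128bitonly". All three suites use RC4, which
    // RFC 7465 prohibits for TLS; treat the preset as legacy and prefer an explicit
    // ciphersuites= list. Selecting it logs warning 6496
    // (NOTE(review): presumably a deprecation notice - confirm against the message catalogue).
    private static final String[] ciphersFor128Bit = {"SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "SSL_DHE_DSS_WITH_RC4_128_SHA"};

    // Port used until the superclass configuration overrides portNumber.
    private static final int DEFAULT_SSL_PORT = 8050;
    // Listen backlog passed to createServerSocket(port, backlog).
    private static final int LISTEN_BACKLOG = 8192;

    private String strKeyRingClass = "";
    // Key ring password; may hold the scrambled form until initialize() descrambles it.
    private String strKeyRingClassPW = "";
    private boolean bKeyRingPWScrambled = false;
    private String strClientAuthenticationValue = "false";
    // null means "do not restrict": the provider's default enabled suites are used.
    private String[] cipherSuites = null;
    private boolean useEsmKeyring = false;
    private boolean useHwCrypt = false;
    // Client connection of a per-connection handler; not set on the listening instance.
    private SSLSocket socToClient;

    /** Creates the listening handler with the default port. */
    SslHandler() {
        T.ln(this, "SslHandler Default CTOR");
        this.portNumber = DEFAULT_SSL_PORT;
    }

    /**
     * Creates the handler for one accepted connection.
     *
     * @param sSLSocket the accepted client socket, kept so that the peer's certificate
     *                  chain can be read in {@link #afterDecode}
     * @param protocolHandlerParameters parameters handed on to the superclass
     * @throws IOException if the superclass constructor fails
     */
    SslHandler(SSLSocket sSLSocket, ProtocolHandler.ProtocolHandlerParameters protocolHandlerParameters) throws IOException {
        super(sSLSocket, protocolHandlerParameters);
        T.in(this, "SslHandler CTOR");
        this.portNumber = DEFAULT_SSL_PORT;
        this.socToClient = sSLSocket;
        T.out(this, "SslHandler CTOR");
    }

    /**
     * Parses the handler parameters and opens the SSL server socket.
     *
     * <p>Options this class understands are consumed here; every other token is passed
     * on unchanged to the superclass. The {@code esmkeyring} and {@code hwcrypt} options
     * only take effect when the operating system is z/OS and are dropped otherwise.
     *
     * @param managedResources passed through to the superclass
     * @param str ';'-separated parameter string, may be {@code null}
     * @param str2 used as the prefix of trace lines and passed to the superclass
     * @return whatever the superclass {@code initialize} returned
     * @throws IllegalArgumentException if {@code esmkeyring} is active without a
     *         {@code keyring=} value, or if none of the requested cipher suites is
     *         supported by the server socket
     * @throws Exception on any failure of the superclass or of socket creation
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // com.ibm.ctg.server.SocketHandler, com.ibm.ctg.server.ProtocolHandler
    public String initialize(ManagedResources managedResources, String str, String str2) throws Exception {
        // traceView is only ever written to trace; the password is masked in it.
        StringBuilder traceView = new StringBuilder();
        StringBuilder passThrough = new StringBuilder();
        if (str != null) {
            StringTokenizer tokens = new StringTokenizer(str, ";");
            while (tokens.hasMoreTokens()) {
                String token = tokens.nextToken();
                // Locale.ROOT: with the default locale, e.g. Turkish, "KEYRING=" would
                // lower-case to a dotless i and the option would silently fall through
                // to the pass-through list.
                String lower = token.toLowerCase(Locale.ROOT);
                if (lower.startsWith(strKeyRing)) {
                    this.strKeyRingClass = token.substring(strKeyRing.length());
                    traceView.append(token).append(";");
                    T.ln(this, str2 + ": {0} = {1}", token, this.strKeyRingClass);
                } else if (lower.startsWith(strKeyRingPW)) {
                    this.strKeyRingClassPW = token.substring(strKeyRingPW.length());
                    // Never echo the password: neither the token nor the value is traced.
                    traceView.append("keyringpw=******;");
                } else if (lower.startsWith(strKeyRingPWScrambled)) {
                    String flag = token.substring(strKeyRingPWScrambled.length());
                    traceView.append(token).append(";");
                    if (isEnabled(flag)) {
                        this.bKeyRingPWScrambled = true;
                    }
                    T.ln(this, str2 + ": {0} = {1}", token, flag);
                } else if (lower.startsWith(strClientAuthentication)) {
                    this.strClientAuthenticationValue = token.substring(strClientAuthentication.length());
                    traceView.append(token).append(";");
                    T.ln(this, str2 + ": {0} = {1}", token, this.strClientAuthenticationValue);
                } else if (lower.startsWith(strCipherSuites)) {
                    String suites = token.substring(strCipherSuites.length());
                    if (suites.equalsIgnoreCase(str128bitOnly)) {
                        Log.printWarningLn("6496", 0, null);
                        this.cipherSuites = ciphersFor128Bit;
                    } else {
                        this.cipherSuites = makeCipherSuiteArray(suites);
                    }
                } else if (lower.startsWith(strUseEsmKeyring)) {
                    if (OSVersion.OPERATING_SYSTEM.equals(OSInfo.ZOS)) {
                        this.useEsmKeyring = true;
                    }
                } else if (lower.startsWith(strUseHWCrypt)) {
                    if (OSVersion.OPERATING_SYSTEM.equals(OSInfo.ZOS)) {
                        this.useHwCrypt = true;
                    }
                } else {
                    passThrough.append(token).append(';');
                }
            }
        }
        // Validate the esmkeyring combination once every token has been read, so the
        // result does not depend on whether "esmkeyring" is written before or after
        // "keyring=" / "keyringpw=" in the parameter string.
        if (this.useEsmKeyring) {
            if (!this.strKeyRingClassPW.equals("")) {
                // A password was supplied although the ESM key ring path does not use it.
                Log.printWarningLn("6498", 0, null);
            }
            if (this.strKeyRingClass.equals("")) {
                throw new IllegalArgumentException("keyring=''");
            }
        }
        traceView.append(passThrough);
        T.in(this, "initialize", managedResources, traceView.toString());
        String result = super.initialize(managedResources, passThrough.toString(), str2);
        if (this.bKeyRingPWScrambled) {
            T.ln(this, "Unscrambling keyring password");
            try {
                this.strKeyRingClassPW = Scrambler.descramble(this.strKeyRingClassPW);
            } catch (IllegalArgumentException e) {
                // Best effort kept from the original: a value that cannot be descrambled
                // is replaced by the empty password and start-up continues.
                // NOTE(review): the exception message goes to trace - confirm that
                // Scrambler never includes the scrambled input in it.
                T.ln(this, e.getMessage());
                this.strKeyRingClassPW = "";
            }
        }
        String jsseInfo = JSSEUtils.getJSSEInfo();
        if (jsseInfo != null) {
            Log.printInfoLn("8405", 0, new Object[]{jsseInfo});
        } else {
            Log.printInfoLn("8404", 0, null);
        }
        // The ESM key ring variant is opened without a password.
        SSLServerSocket serverSocket = (SSLServerSocket) (this.useEsmKeyring
                ? SSLContextFactory.getSSLContext(this.strKeyRingClass, this.useHwCrypt)
                : SSLContextFactory.getSSLContext(this.strKeyRingClass, this.strKeyRingClassPW, this.useHwCrypt))
                .getServerSocketFactory().createServerSocket(this.portNumber, LISTEN_BACKLOG);
        if (this.cipherSuites != null) {
            restrictCipherSuites(serverSocket);
        }
        Log.printInfoLn("8401", 0, null);
        T.ln(this, "Enabled CipherSuites:");
        String[] enabledCipherSuites = serverSocket.getEnabledCipherSuites();
        for (int i = 0; i < enabledCipherSuites.length; i++) {
            Log.printInfoLn("\t" + enabledCipherSuites[i], i);
            T.ln(this, "Algorithm: {0}", enabledCipherSuites[i]);
        }
        if (isEnabled(this.strClientAuthenticationValue)) {
            // Handshakes without a valid client certificate are rejected.
            serverSocket.setNeedClientAuth(true);
            T.ln(this, "Client Authentication enabled for ssl: protocol");
        } else {
            // Default: only the server is authenticated; clients present no certificate.
            serverSocket.setNeedClientAuth(false);
            T.ln(this, "Server-only Authentication enabled for ssl: protocol");
        }
        serverSocket.setSoTimeout(this.iSoTimeout);
        super.setServerSocket(new JSSEServerSocket(serverSocket));
        // No toString() on the result: a null return from the superclass must not
        // turn into a NullPointerException inside a trace call.
        T.out(this, "initialize", result);
        return result;
    }

    /**
     * Enables exactly those configured cipher suites that the server socket supports.
     *
     * <p>The configured order is preserved (the original went through a {@code HashSet},
     * which handed the provider the suites in arbitrary order). Each configured suite
     * that is not supported is reported in the log.
     *
     * @throws IllegalArgumentException if no configured suite is supported
     */
    private void restrictCipherSuites(SSLServerSocket serverSocket) {
        Set<String> supported = new HashSet<String>(Arrays.asList(serverSocket.getSupportedCipherSuites()));
        Set<String> requested = new LinkedHashSet<String>(Arrays.asList(this.cipherSuites));
        Set<String> usable = new LinkedHashSet<String>(requested);
        usable.retainAll(supported);
        if (usable.isEmpty()) {
            // Fail closed: never fall back to the provider defaults when the
            // administrator asked for a restriction that cannot be honoured.
            throw new IllegalArgumentException(ServerMessages.getMessage("6495"));
        }
        Set<String> rejected = new LinkedHashSet<String>(requested);
        rejected.removeAll(usable);
        for (String name : rejected) {
            if (name.equals(str128bitOnly)) {
                // The preset keyword was mixed into an explicit list.
                Log.printErrorLn("6489", 0, null);
            } else {
                Log.printWarningLn("6497", 0, new Object[]{name});
            }
        }
        serverSocket.setEnabledCipherSuites(usable.toArray(new String[0]));
    }

    /** Returns true for the spellings the parameter string accepts as "enabled". */
    private static boolean isEnabled(String value) {
        return value.equalsIgnoreCase("true") || value.equalsIgnoreCase("on") || value.equalsIgnoreCase("yes");
    }

    /**
     * Splits a comma-separated cipher-suite list into an array.
     *
     * <p>Names are taken as written; surrounding whitespace is not trimmed, so
     * {@code "A, B"} yields {@code " B"}, which will not match a supported suite.
     */
    private String[] makeCipherSuiteArray(String str) {
        StringTokenizer tokens = new StringTokenizer(str, ",");
        String[] names = new String[tokens.countTokens()];
        for (int i = 0; i < names.length; i++) {
            names[i] = tokens.nextToken();
        }
        return names;
    }

    /**
     * Creates the per-connection handler for an accepted socket.
     *
     * @param socket the accepted socket; cast to {@link SSLSocket} without a check
     * @throws IOException if the handler cannot be constructed
     */
    @Override // com.ibm.ctg.server.SocketHandler
    ProtocolHandler createHandler(Socket socket) throws IOException {
        SslHandler sslHandler = new SslHandler((SSLSocket) socket, this.parAms);
        sslHandler.setHandlerName(this.handlerName);
        return sslHandler;
    }

    /**
     * Runs the connection's server security exit on a decoded request.
     *
     * <p>A {@link JSSEServerSecurity} exit additionally receives the client's certificate
     * chain. When the chain cannot be obtained the exit is still called, with
     * {@code null} as the chain: the exit must treat {@code null} as an unauthenticated
     * client and must not read it as "certificate accepted".
     *
     * @param gatewayRequest the decoded request
     * @throws IOException if the security exit throws; the original exception is kept as the cause
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // com.ibm.ctg.server.ProtocolHandler
    public void afterDecode(GatewayRequest gatewayRequest) throws IOException {
        T.in(this, "afterDecode", gatewayRequest);
        if (this.serSecurity != null) {
            T.ln(this, "Calling this connection's ServerSecurity handler");
            try {
                if (this.serSecurity instanceof JSSEServerSecurity) {
                    X509Certificate[] peerChain = null;
                    try {
                        peerChain = this.socToClient.getSession().getPeerCertificateChain();
                    } catch (IOException e) {
                        // Deliberately not fatal: the exit decides what a missing chain means.
                        T.ln(this, "No certificate chain found for JSSE Socket");
                    }
                    T.ln(this, "invoking JSSEServerSecurity extended AfterDecode with certificate chain");
                    ((JSSEServerSecurity) this.serSecurity).afterDecode(gatewayRequest, peerChain);
                } else {
                    T.ln(this, "invoking JSSEServerSecurity standard AfterDecode");
                    this.serSecurity.afterDecode(gatewayRequest);
                }
            } catch (Exception e2) {
                T.ex(this, e2);
                // Keep the security exit's exception as the cause so that a rejection
                // can be diagnosed from the stack trace, not just from the message.
                IOException wrapped = new IOException(e2.getMessage());
                wrapped.initCause(e2);
                throw wrapped;
            }
        }
        T.out(this, "afterDecode");
    }
}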
