package com.ibm.ws.ssl.core;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ejs.util.am.AlarmListener;
import com.ibm.ejs.util.am.AlarmManager;
import com.ibm.ws.ssl.config.SSLConfig;
import com.ibm.ws.ssl.config.SSLConfigManager;
import com.ibm.wsspi.ssl.TrustManagerExtendedInfo;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Map;
import java.util.Properties;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com.ibm.ws.admin.client_6.1.0.jar:com/ibm/ws/ssl/core/WSX509TrustManager.class */
public final class WSX509TrustManager implements X509TrustManager {
    // Delegate trust managers; checkClientTrusted and getAcceptedIssuers only consult
    // the entries that implement X509TrustManager.
    private TrustManager[] tm;
    // Trust store handed to the constructor; not read by any method visible in this listing.
    private KeyStore ts;
    // Constructor argument "str"; presumably the trust store location (TODO confirm against caller).
    private String tsFile;
    // Constructor argument "str2"; presumably the trust store password (TODO confirm).
    // NOTE(review): if so, the secret lives in an immutable String for the lifetime of this
    // object and cannot be wiped; the constructor's entry trace deliberately omits it.
    private String tsPass;
    // Connection details (remote host/port keys are read from it) passed on to delegates
    // that implement TrustManagerExtendedInfo.
    private Map extendedInfo;
    // Remote host taken from extendedInfo in the constructor.
    private String peerHost;
    // SSL configuration this trust manager was built for.
    private SSLConfig config;
    // When true, delegate index 0 is skipped if more than one delegate is configured.
    // Set from a global SSL property in the constructor.
    boolean skipDefaultTMIfCustomTMDefined;
    // Console line width used when wrapping messages.
    public static final int MAX_MSG_LEN = 79;
    // Prefix printed before continuation lines of a wrapped message.
    public static final String INDENT = "           ";
    // Trace component registered in the static initializer.
    private static final TraceComponent tc;
    // Single process-wide switch that can suspend certificate checks for every instance.
    private static final TimerAlarm timer;
    // Compiler-generated cache for the class literal (pre-Java-5 idiom).
    static Class class$com$ibm$ws$ssl$core$WSX509TrustManager;
    // Never assigned in the code visible here.
    private String tsPw = null;
    // Not referenced by the methods visible here; presumably used by checkServerTrusted,
    // whose body was not decompiled.
    private ArrayList signersAdded = new ArrayList();
    // Console messages already printed, used to suppress repeats.
    // NOTE(review): plain ArrayList with no synchronization; confirm whether one instance
    // can serve concurrent handshakes.
    private ArrayList messagesPrinted = new ArrayList();
    // Result of the most recent isDoubleByteSystem(String) call.
    boolean isDoubleByteSystem = false;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com.ibm.ws.admin.client_6.1.0.jar:com/ibm/ws/ssl/core/WSX509TrustManager$TimerAlarm.class */
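    /**
     * Process-wide switch that suspends certificate authentication until an alarm fires.
     *
     * <p>While the switch is off, {@code WSX509TrustManager.checkClientTrusted} returns
     * without consulting any delegate, so every client chain is accepted. The window
     * therefore has to be short and has to close even when scheduling the alarm fails.
     */
    public static class TimerAlarm implements AlarmListener {
        // volatile: the one static instance is shared by every WSX509TrustManager, and the
        // flag is reset from the alarm callback (presumably on an AlarmManager thread), so a
        // re-enable must become visible to threads performing handshakes.
        private volatile boolean certificateAuthenticationEnabled = true;

        /**
         * Alarm callback: turns certificate authentication back on.
         *
         * @param obj alarm context; only traced
         */
        @Override // com.ibm.ejs.util.am.AlarmListener
        public void alarm(Object obj) {
            if (WSX509TrustManager.tc.isEntryEnabled()) {
                Tr.entry(WSX509TrustManager.tc, "alarm", obj);
            }
            this.certificateAuthenticationEnabled = true;
            if (WSX509TrustManager.tc.isEntryEnabled()) {
                Tr.exit(WSX509TrustManager.tc, "alarm");
            }
        }

        /**
         * Suspends certificate authentication and schedules the alarm that restores it.
         *
         * @param l delay handed to {@code AlarmManager.createDeferrable}; units are whatever
         *          that API expects (not visible here)
         * @throws NullPointerException if {@code l} is null; the switch is left untouched
         */
        protected void temporarilyDisableCertificateAuthentication(Long l) {
            if (WSX509TrustManager.tc.isEntryEnabled()) {
                Tr.entry(WSX509TrustManager.tc, "temporarilyDisableCertificateAuthentication");
            }
            // Unbox before touching the flag so a null argument fails while checks are
            // still enabled instead of leaving them off with no alarm pending.
            long delay = l.longValue();
            boolean scheduled = false;
            // Clear the flag before scheduling so an alarm that fires immediately cannot be
            // overwritten by this assignment.
            this.certificateAuthenticationEnabled = false;
            try {
                AlarmManager.createDeferrable(delay, this);
                scheduled = true;
            } finally {
                if (!scheduled) {
                    // Fail closed: without a pending alarm nothing would re-enable checks.
                    this.certificateAuthenticationEnabled = true;
                }
            }
            if (WSX509TrustManager.tc.isEntryEnabled()) {
                Tr.exit(WSX509TrustManager.tc, "temporarilyDisableCertificateAuthentication");
            }
        }

        /**
         * Reports whether certificate authentication is currently suspended.
         *
         * @return true while the switch is off
         */
        protected boolean isCertificateAuthenticationDisabled() {
            if (WSX509TrustManager.tc.isEntryEnabled()) {
                Tr.entry(WSX509TrustManager.tc, "isCertificateAuthenticationDisabled");
            }
            // Read once so the traced value and the returned value cannot disagree.
            boolean disabled = !this.certificateAuthenticationEnabled;
            if (WSX509TrustManager.tc.isEntryEnabled()) {
                Tr.exit(WSX509TrustManager.tc, new StringBuffer().append("isCertificateAuthenticationDisabled -> ").append(disabled).toString());
            }
            return disabled;
        }
    }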

    /**
     * Builds a trust manager that fans out to the supplied delegates.
     *
     * <p>The entry trace records {@code map} and {@code str} only; {@code str2} is never
     * traced here. When {@code map} is non-null, each delegate implementing
     * {@code TrustManagerExtendedInfo} receives the map and the SSL configuration.
     *
     * @param trustManagerArr delegates; must be non-null when {@code map} is non-null
     * @param map             connection details, may be null
     * @param sSLConfig       SSL configuration this instance belongs to
     * @param keyStore        trust store
     * @param str             stored as {@code tsFile}
     * @param str2            stored as {@code tsPass}
     */
    public WSX509TrustManager(TrustManager[] trustManagerArr, Map map, SSLConfig sSLConfig, KeyStore keyStore, String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "WSX509TrustManager", new Object[]{map, str});
        }
        this.tm = trustManagerArr;
        this.ts = keyStore;
        this.tsFile = str;
        this.tsPass = str2;
        this.config = sSLConfig;
        this.extendedInfo = map;
        this.peerHost = null;

        // Global switch: skip the first (default) delegate when a custom one is configured.
        String skipSetting = SSLConfigManager.getInstance().getGlobalProperty(Constants.SSLPROP_SKIP_DEFAULT_TM_WHEN_CUSTOM_TM_DEFINED);
        this.skipDefaultTMIfCustomTMDefined = skipSetting != null && skipSetting.equalsIgnoreCase("true");

        if (map != null) {
            this.peerHost = (String) map.get(Constants.CONNECTION_INFO_REMOTE_HOST);
            for (int index = 0; index < trustManagerArr.length; index++) {
                TrustManager candidate = trustManagerArr[index];
                // instanceof is false for null, so empty slots are skipped as well.
                if (!(candidate instanceof TrustManagerExtendedInfo)) {
                    continue;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append("Adding extended info to TrustManager ").append(candidate.getClass().getName()).toString());
                }
                TrustManagerExtendedInfo extended = (TrustManagerExtendedInfo) candidate;
                extended.setExtendedInfo(map);
                extended.setSSLConfig(sSLConfig);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "WSX509TrustManager");
        }
    }

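    /**
     * Validates a client certificate chain by delegating to every configured
     * {@link X509TrustManager}; any delegate may reject the chain by throwing.
     *
     * <p>While the process-wide timer has certificate authentication suspended, this
     * method returns without consulting any delegate, so the chain is accepted unchecked.
     * NOTE(review): only a debug trace records that bypass; an audit-level record would
     * make the window visible to monitoring.
     *
     * <p>Outside that window the method fails closed: if no delegate actually examined
     * the chain (none configured, none implements X509TrustManager, or the only one was
     * skipped as the default), a {@link CertificateException} is thrown instead of
     * returning as though the chain were trusted.
     *
     * @param x509CertificateArr peer certificate chain
     * @param str                authentication type, passed through to the delegates
     * @throws CertificateException if a delegate rejects the chain or no delegate checked it
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkClientTrusted");
        }
        // Tracing must not change the outcome, so tolerate a null chain or element here
        // and leave the rejection to the delegates.
        if (tc.isDebugEnabled() && x509CertificateArr != null) {
            for (int i = 0; i < x509CertificateArr.length; i++) {
                Object subject = x509CertificateArr[i] != null ? x509CertificateArr[i].getSubjectDN() : null;
                Tr.debug(tc, new StringBuffer().append("chain[").append(i).append("]: ").append(subject).toString());
            }
        }
        if (isCertificateAuthenticationDisabled()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate authentication is temporarily disabled due to configuration change.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkClientTrusted");
            }
            return;
        }
        TrustManager[] delegates = this.tm;
        int delegateCount = delegates == null ? 0 : delegates.length;
        boolean chainChecked = false;
        for (int i2 = 0; i2 < delegateCount; i2++) {
            if (!(delegates[i2] instanceof X509TrustManager)) {
                continue;
            }
            // Index 0 is the default trust manager; it is skipped only when the global
            // option is set and at least one other slot exists.
            boolean skipDefault = this.skipDefaultTMIfCustomTMDefined && i2 == 0 && delegateCount > 1;
            if (skipDefault) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append("Skipping default trust manager name: ").append(delegates[i2].getClass().getName()).toString());
                }
                continue;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, new StringBuffer().append("Delegating to X509TrustManager: ").append(delegates[i2].getClass().getName()).toString());
            }
            ((X509TrustManager) delegates[i2]).checkClientTrusted(x509CertificateArr, str);
            chainChecked = true;
        }
        if (!chainChecked) {
            // Returning normally here would accept a chain nobody validated.
            throw new CertificateException("No X509TrustManager was available to validate the client certificate chain");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkClientTrusted");
        }
    }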

    /* JADX WARN: Removed duplicated region for block: B:190:0x0861 A[SYNTHETIC] */
    /* JADX WARN: Removed duplicated region for block: B:193:0x0863 A[SYNTHETIC] */
    // NOTE(review): the decompiler could not reconstruct this method (2188 bytecode
    // instructions were skipped). The body below is a decompiler placeholder, not the
    // shipped logic, so the server-side trust decision of this class cannot be reviewed
    // from this listing. As written, every call throws UnsupportedOperationException.
    @Override // javax.net.ssl.X509TrustManager
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public void checkServerTrusted(java.security.cert.X509Certificate[] r9, java.lang.String r10) throws java.security.cert.CertificateException {
        /*
            Method dump skipped, instructions count: 2188
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String):void");
    }

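    /**
     * Checks the validity period of the first certificate in the chain against the
     * current system clock.
     *
     * <p>Despite the name, {@code true} means the certificate is inside its validity
     * window. Only element 0 is examined; the remaining certificates of the chain are
     * not checked here. A null or empty chain, or a null first element, yields
     * {@code false} without logging.
     *
     * @param x509CertificateArr certificate chain, may be null or empty
     * @return true if now lies within [notBefore, notAfter] of the first certificate
     */
    private boolean checkIfExpiredBeforeOrAfter(X509Certificate[] x509CertificateArr) {
        // The length check prevents an ArrayIndexOutOfBoundsException on an empty chain.
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            return false;
        }
        X509Certificate first = x509CertificateArr[0];
        long now = System.currentTimeMillis();
        long notBefore = first.getNotBefore().getTime();
        long notAfter = first.getNotAfter().getTime();
        if (notBefore > now) {
            // Not yet valid.
            Tr.error(tc, "ssl.certificate.before.date.invalid.CWPKI0311E", new Object[]{first.getSubjectDN(), new Date(notBefore)});
            return false;
        }
        if (notAfter < now) {
            // Expired.
            Tr.error(tc, "ssl.certificate.end.date.invalid.CWPKI0312E", new Object[]{first.getSubjectDN(), new Date(notAfter)});
            return false;
        }
        return true;
    }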

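    /**
     * Prints a handshake-failure explanation to standard output, once per distinct
     * message, followed on non-server processes by a hint about adding the signer.
     *
     * <p>This runs on an error path, so it tolerates a null or empty chain, a null
     * exception, and missing host/port entries rather than masking the handshake failure
     * with a secondary exception.
     *
     * <p>NOTE(review): the subject DN and the exception text originate from the peer or
     * the handshake and are written to the console unmodified; consider neutralising
     * control characters if this output feeds a log pipeline. messagesPrinted is an
     * unsynchronized ArrayList; confirm whether concurrent handshakes can reach this method.
     *
     * @param sSLConfig          configuration used to resolve the alias and config URL
     * @param map                connection details (remote host and port), may be null
     * @param str                trust store name shown in the message
     * @param exc                handshake exception whose message is appended
     * @param x509CertificateArr chain presented by the peer
     * @param str2               unused in this method
     */
    private void printClientHandshakeError(SSLConfig sSLConfig, Map map, String str, Exception exc, X509Certificate[] x509CertificateArr, String str2) {
        String message = exc != null ? exc.getMessage() : null;
        String obj = "unknown";
        if (x509CertificateArr != null && x509CertificateArr.length > 0 && x509CertificateArr[0] != null) {
            obj = x509CertificateArr[0].getSubjectDN().toString();
        }
        String property = getProperty(Constants.SSLPROP_ALIAS, sSLConfig, SSLConfigManager.getInstance().isServerProcess());
        String property2 = getProperty(Constants.SSLPROP_CONFIGURL_LOADED_FROM, sSLConfig, SSLConfigManager.getInstance().isServerProcess());
        String str3 = "unknown";
        String str4 = "0";
        if (map != null) {
            // Keep the placeholders when the map lacks an entry instead of printing "null".
            String remoteHost = (String) map.get(Constants.CONNECTION_INFO_REMOTE_HOST);
            if (remoteHost != null) {
                str3 = remoteHost;
            }
            String remotePort = (String) map.get(Constants.CONNECTION_INFO_REMOTE_PORT);
            if (remotePort != null) {
                str4 = remotePort;
            }
        }
        String stringBuffer = new StringBuffer().append(str3).append(":").append(str4).toString();
        String formattedMessage = TraceNLSHelper.getInstance().getFormattedMessage("ssl.client.handshake.error.CWPKI0022E", new Object[]{obj, stringBuffer, str, property, property2, message}, new StringBuffer().append("CWPKI0022E: SSL handshake failure occurred.  A signer with SubjectDN ").append(obj).append(" was sent from target host/port ").append(stringBuffer).append(".  The signer may need to be added to local trust store ").append(str).append(" located in SSL configuration alias ").append(property).append(" loaded from configURL ").append(property2).append(".  The extended error message from the SSL handshake is: ").append(message).toString());
        if (!this.messagesPrinted.contains(formattedMessage)) {
            System.out.println("");
            System.out.println(formattedMessage);
            System.out.println("");
            // Bound the de-duplication list so it cannot grow without limit.
            if (this.messagesPrinted.size() > 20) {
                this.messagesPrinted.clear();
            }
            this.messagesPrinted.add(formattedMessage);
        }
        if (SSLConfigManager.getInstance().isServerProcess()) {
            return;
        }
        String string = TraceNLSHelper.getInstance().getString("ssl.handshake.failure.info.CWPKI0040I", "CWPKI0040I: An SSL handshake failure occurred from a client.  The server's SSL signer needs to be added to the client trust store.  A retrieveSigners utility is provided for this function.  Check with your administrator to have this utility run to setup the secure enviroment before running the client.   Additional, the com.ibm.ssl.enableSignerExchangePrompt can be enabled in ssl.client.props for DefaultSSLSettings in order to allow acceptance of the signer during the connection attempt.");
        if (this.messagesPrinted.contains(string)) {
            return;
        }
        System.out.println("");
        System.out.println(string);
        System.out.println("");
        if (this.messagesPrinted.size() > 20) {
            this.messagesPrinted.clear();
        }
        this.messagesPrinted.add(string);
    }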

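    /**
     * Collects the accepted issuers of every delegate {@link X509TrustManager},
     * without duplicates and in delegate order.
     *
     * <p>The {@code X509TrustManager} contract requires a non-null array, so an empty
     * array is returned when no delegate contributes an issuer. The exit trace is
     * emitted on every path.
     *
     * @return accepted issuer certificates, possibly empty, never null
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAcceptedIssuers");
        }
        ArrayList issuers = new ArrayList();
        for (int i = 0; i < this.tm.length; i++) {
            // instanceof is false for null slots, so they are skipped.
            if (!(this.tm[i] instanceof X509TrustManager)) {
                continue;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, new StringBuffer().append("Delegating to X509TrustManager: ").append(this.tm[i].getClass().getName()).toString());
            }
            X509Certificate[] acceptedIssuers = ((X509TrustManager) this.tm[i]).getAcceptedIssuers();
            if (acceptedIssuers == null) {
                continue;
            }
            for (int i2 = 0; i2 < acceptedIssuers.length; i2++) {
                if (!issuers.contains(acceptedIssuers[i2])) {
                    issuers.add(acceptedIssuers[i2]);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAcceptedIssuers");
        }
        return (X509Certificate[]) issuers.toArray(new X509Certificate[issuers.size()]);
    }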

    /**
     * Formats a message through {@code TraceNLSHelper} and prints it with console wrapping.
     *
     * @param str    message key
     * @param objArr substitution arguments
     * @param str2   default text handed to the formatter
     */
    protected void issueMessage(String str, Object[] objArr, String str2) {
        String rendered = TraceNLSHelper.getInstance().getFormattedMessage(str, objArr, str2);
        printMessage(rendered);
    }

    /**
     * Prints a message wrapped to the console width; the width is halved when the text
     * is classified as double-byte by {@code isDoubleByteSystem(String)}.
     *
     * @param str message to print
     */
    protected void printMessage(String str) {
        int width = isDoubleByteSystem(str) ? MAX_MSG_LEN / 2 : MAX_MSG_LEN;
        printMessage(str, width, false);
    }

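    /**
     * Heuristically decides whether a string is mostly multi-byte text by comparing its
     * {@code DataOutputStream.writeUTF} size with its character count.
     *
     * <p>The decompiled listing referred to an undeclared local ({@code r0}) for the byte
     * buffer; the buffer is kept in a named variable here so the method compiles.
     * The result is also stored in the {@code isDoubleByteSystem} field; on an
     * {@link IOException} the method returns false and leaves the field unchanged.
     *
     * <p>NOTE(review): writeUTF prepends a two-byte length, so strings shorter than 20
     * characters always exceed the 10% threshold; such strings fit on one console line
     * either way.
     *
     * @param str text to classify
     * @return true if the encoded size exceeds the character count by more than 10%
     */
    private boolean isDoubleByteSystem(String str) {
        ByteArrayOutputStream encoded = new ByteArrayOutputStream();
        DataOutputStream dataOutputStream = new DataOutputStream(encoded);
        try {
            dataOutputStream.writeUTF(str);
            dataOutputStream.flush();
        } catch (IOException e) {
            // writeUTF rejects strings whose encoding exceeds 65535 bytes; treat as single-byte.
            return false;
        } finally {
            try {
                dataOutputStream.close();
            } catch (IOException ignored) {
                // Closing an in-memory stream; nothing to recover.
            }
        }
        this.isDoubleByteSystem = encoded.size() > str.length() + (str.length() * 0.1d);
        return this.isDoubleByteSystem;
    }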

    /**
     * Prints text to standard output, breaking at spaces so that lines stay within the
     * given width; every line after the first is prefixed with the indent and has
     * correspondingly less room.
     *
     * @param str text to print
     * @param i   maximum line width
     * @param z   true if the first line printed by this call is a continuation line
     */
    private void printMessage(String str, int i, boolean z) {
        final String pad = "           ";
        String remaining = str;
        boolean continuation = z;
        while (true) {
            int room = i;
            if (continuation) {
                System.out.print(pad);
                room -= pad.length();
            }
            if (remaining.length() <= room) {
                System.out.println(remaining);
                return;
            }
            // Prefer the last space that still fits; otherwise break at the first space at all.
            int cut = remaining.lastIndexOf(32, room);
            if (cut == -1) {
                cut = remaining.indexOf(32);
            }
            if (cut == -1) {
                // No space anywhere: print the over-long text as is.
                System.out.println(remaining);
                return;
            }
            System.out.println(remaining.substring(0, cut));
            remaining = remaining.substring(cut + 1);
            continuation = true;
        }
    }

    /**
     * Resolves an SSL property from up to three sources.
     *
     * <p>Unless a Properties object is supplied together with {@code z == true}, the JVM
     * system property is consulted first, then the global property from
     * {@code SSLConfigManager}. The supplied Properties object, if any, is used only when
     * those produced nothing. In that case a JVM system property therefore overrides the
     * per-configuration value.
     *
     * @param str        property name
     * @param properties per-configuration properties, may be null
     * @param z          when true and {@code properties} is non-null, only
     *                   {@code properties} is consulted
     * @return the resolved value, or null if no source defines it
     */
    private String getProperty(String str, Properties properties, boolean z) {
        String resolved = null;
        boolean consultProcessWide = properties == null || !z;
        if (consultProcessWide) {
            resolved = System.getProperty(str);
            if (resolved == null) {
                resolved = SSLConfigManager.getInstance().getGlobalProperty(str);
            }
        }
        if (resolved == null && properties != null) {
            resolved = properties.getProperty(str);
        }
        return resolved;
    }

    /**
     * Asks the shared timer whether certificate authentication is currently suspended.
     *
     * @return true while the process-wide switch is off
     */
    private boolean isCertificateAuthenticationDisabled() {
        boolean suspended = timer.isCertificateAuthenticationDisabled();
        return suspended;
    }

    /* JADX INFO: Access modifiers changed from: protected */
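    /**
     * Suspends certificate authentication for every WSX509TrustManager in the process
     * until the shared timer's alarm fires.
     *
     * <p>During that window {@code checkClientTrusted} accepts any client chain, so
     * callers should be limited to trusted configuration code and the delay kept short.
     * NOTE(review): the decompiler widened this method from protected to public; the
     * shipped class is less exposed than this listing suggests. No upper bound is
     * applied to the delay.
     *
     * @param l delay before authentication is re-enabled
     * @throws NullPointerException if {@code l} is null
     */
    public static void temporarilyDisableCertificateAuthentication(Long l) {
        // Reject null before the switch is touched: unboxing it after the flag has been
        // cleared would leave authentication off with no alarm scheduled to restore it.
        if (l == null) {
            throw new NullPointerException("l");
        }
        timer.temporarilyDisableCertificateAuthentication(l);
    }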

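    /**
     * Compiler-generated helper behind pre-Java-5 class literals: loads a class by name
     * and converts a lookup failure into {@link NoClassDefFoundError}.
     *
     * <p>The decompiled form threw the {@code Throwable} returned by {@code initCause},
     * which does not compile in a method without a throws clause; the error is built
     * first and thrown with its own type.
     *
     * @param str fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found; the cause is the
     *                              original ClassNotFoundException
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            NoClassDefFoundError error = new NoClassDefFoundError();
            error.initCause(e);
            throw error;
        }
    }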

    // Registers the trace component under the "SSL" group with the
    // "com.ibm.ws.ssl.resources.ssl" bundle and creates the single shared timer.
    static {
        Class self = class$com$ibm$ws$ssl$core$WSX509TrustManager;
        if (self == null) {
            // Populate the compiler-generated class-literal cache on first use.
            self = class$("com.ibm.ws.ssl.core.WSX509TrustManager");
            class$com$ibm$ws$ssl$core$WSX509TrustManager = self;
        }
        tc = Tr.register(self, "SSL", "com.ibm.ws.ssl.resources.ssl");
        timer = new TimerAlarm();
    }
}
