package weblogic.security.utils;

import com.bea.utils.misc.ProcessBase;
import com.bea.utils.misc.ProcessException;
import com.bea.utils.misc.ProcessManager;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.SocketException;
import java.security.AccessController;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.ArrayList;
import java.util.Properties;
import javax.net.ssl.impl.SSLSocketImpl;
import javax.security.cert.CertificateException;
import javax.security.cert.X509Certificate;
import weblogic.apache.xerces.impl.xs.SchemaSymbols;
import weblogic.kernel.Kernel;
import weblogic.logging.LogOutputStream;
import weblogic.logging.Loggable;
import weblogic.management.Admin;
import weblogic.management.configuration.SSLMBean;
import weblogic.management.configuration.ServerMBean;
import weblogic.marathon.actions.ExportAction;
import weblogic.protocol.Protocol;
import weblogic.security.SSL.SSLClientInfo;
import weblogic.security.SecurityLogger;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.NotYetInitializedException;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SSLManager;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.servlet.internal.dd.UserDataConstraint;
import weblogic.utils.io.Chunk;
import weblogic.version;

/* loaded from: input_file:weblogic.jar:weblogic/security/utils/SSLSetup.class */
public final class SSLSetup {
    // I/O model selectors; setIOModel(int) accepts exactly these two values.
    public static final int STANDARD_IO = 0;
    public static final int MUXING_IO = 1;
    // License levels cached by getLicenseLevel(); LICENSE_NOT_CHECKED is the initial "not evaluated yet" state.
    public static final int LICENSE_NOT_CHECKED = -1;
    public static final int LICENSE_NONE = 0;
    public static final int LICENSE_DOMESTIC = 1;
    public static final int LICENSE_EXPORT = 2;
    // Debug verbosity levels; setDebugLevel(int) accepts 0..3 and debug(...) drops messages above the current level.
    public static final int DEBUG_FATAL = 0;
    public static final int DEBUG_ERROR = 1;
    public static final int DEBUG_WARN = 2;
    public static final int DEBUG_INFO = 3;
    // Protocol indices; 0..2 are used as indexes into protocolNames when a plaintext client is logged.
    public static final int UNKNOWN_PROTOCOL = -1;
    public static final int HTTP_PROTOCOL = 0;
    public static final int T3_PROTOCOL = 1;
    public static final int GIOP_PROTOCOL = 2;
    public static final int MAX_PROTOCOL_INDEX = 2;
    // System property naming a trusted-CA keystore file (getTrustedCAs reads the same property name).
    private static final String TRUST_KS_FILE_PROPERTY = "weblogic.security.SSL.trustedCAKeyStore";
    private static AuthenticatedSubject kernelID = null;
    // Lazily created by debug(int, Throwable, String).
    private static LogOutputStream debugLog = null;
    private static final String[] protocolNames = {"HTTP", Protocol.PROTOCOL_T3_NAME, "GIOP"};
    // Set by getIOModel(); once true, setIOModel(int) refuses further changes.
    private static boolean ioModelAccessed = false;
    private static int ioModel = 0;
    private static int licenseLevel = -1;
    private static int debugLevel = 0;
    private static boolean debugEaten = false;
    private static boolean usingJCE = false;
    private static boolean usingJsafeJCE = false;
    private static boolean checkedJCE = false;
    private static boolean protocolVersionChecked = false;
    // Initial value 3 is the same value getProtocolVersion() assigns for the "ALL" setting.
    private static int protocolVersion = 3;
    // NOTE(review): the four CONSTRAINTS_* fields are public, static and NOT final, so any code that can
    // reach this class can reassign them; getEnforceConstraints() reads them when it maps the system
    // property. Making them final would pin the enforcement levels - confirm no caller writes to them.
    public static int CONSTRAINTS_OFF = 0;
    public static int CONSTRAINTS_STRONG = 1;
    public static int CONSTRAINTS_STRICT = 2;
    public static int CONSTRAINTS_DEFAULT = CONSTRAINTS_STRONG;
    private static int enforceConstraints = CONSTRAINTS_DEFAULT;
    private static boolean enforceConstraintsChecked = false;
    // Populated by initRejectionLogging(); while null, logSSLRejections() answers true outside applets.
    private static SSLMBean sslMBean = null;
    // Default context wrapper; getLicenseLevel() replaces it when the "SSL/RSA" license check succeeds.
    private static String wrapperClassName = "com.certicom.net.ssl.CerticomContextWrapper";
    // Cache filled by getTrustedCAs(...).
    private static X509Certificate[] trustedCAList = null;
    private static JCEUtility jceUtility = null;
    // Fragment-size override; setJCEUtility() may enable it and clamps a configured size to 512..16384.
    private static boolean overrideSSLFragmentSizeEnabled = false;
    private static int overrideSSLFragmentSize = 16384;
    private static boolean useJCEInKeyFactoryForRSA = false;
    // Set to true by getTrustedCAs(...) when it runs outside the server.
    private static boolean isSSLFatClient = false;
    /**
     * Determines which SSL license is available, caches the answer in {@code licenseLevel}
     * and selects the context wrapper class.
     *
     * <p>A previously determined level (anything above -1) is returned immediately. Otherwise the
     * debug settings and the JCE utility are initialised, the license is checked through
     * {@code ProcessManager}, and on a server the "SSL/RSA" component decides whether
     * {@code wrapperClassName} is switched to the RSA wrapper.
     *
     * @return 1 when the domestic check succeeded, 2 when only the export check succeeded
     * @throws RuntimeException when no license level above 0 could be established; the message is
     *         the message of the last failed check and may be {@code null} (for example when the
     *         applet check returns a string that matches neither branch)
     */
    public static synchronized int getLicenseLevel() {
        if (licenseLevel > -1) {
            return licenseLevel;
        }
        setDebugLevel();
        setDebugEaten();
        if (jceUtility == null) {
            setJCEUtility();
        }
        Properties properties = new Properties();
        properties.put("product", version.getPLInfo()[0]);
        properties.put(ProcessBase.PROP_RELEASE, version.getPLInfo()[1]);
        if (Kernel.isServer()) {
            properties.put(ProcessBase.PROP_IP, "");
        }
        // Holds the message of the most recent failed check; used only if no license is found.
        String str = null;
        if (Kernel.isApplet()) {
            try {
                String netCheckStrength = ProcessManager.netCheckStrength();
                if (netCheckStrength.equals("domestic")) {
                    licenseLevel = 1;
                } else if (netCheckStrength.equals(ExportAction.EXPORT)) {
                    licenseLevel = 2;
                }
            } catch (Exception e) {
                str = e.getMessage();
            }
        } else {
            // Try the domestic component first and fall back to the export component.
            properties.put("component", "SSL/Domestic");
            try {
                ProcessManager.memCheck(properties);
                licenseLevel = 1;
            } catch (ProcessException e2) {
                properties.put("component", "SSL/Export");
                try {
                    ProcessManager.memCheck(properties);
                    licenseLevel = 2;
                } catch (ProcessException e3) {
                    str = e3.getMessage();
                }
            }
        }
        if (debugLevel >= 3) {
            switch (licenseLevel) {
                case 1:
                    debug(3, "SSL/Domestic license found");
                    break;
                case 2:
                    debug(3, "SSL/Export license found");
                    break;
                default:
                    debug(3, "No SSL license found");
                    break;
            }
        }
        // licenseLevel is still -1 here when every check failed, so the next call retries the checks.
        if (licenseLevel <= 0) {
            throw new RuntimeException(str);
        }
        if (Kernel.isServer()) {
            properties.put("component", "SSL/RSA");
            try {
                ProcessManager.memCheck(properties);
                debug(3, "RSA SSL license found");
                wrapperClassName = "com.rsa.ssl.WeblogicContextWrapper";
            } catch (ProcessException e4) {
                // Any ProcessException from the RSA check is reported as "Certicom" and the default wrapper is kept.
                debug(3, "Certicom SSL license found");
            }
        } else {
            debug(3, "Not in server, Certicom SSL license found");
        }
        return licenseLevel;
    }

    /**
     * Server-side bootstrap: refreshes both debug switches from system properties and then
     * requests the muxing I/O model (value 1).
     *
     * <p>The request goes through {@link #setIOModel(int)}, so it is ignored if the I/O model
     * has already been read.
     */
    public static synchronized void initForServer() {
        // Debug flags first, so the message below is subject to the freshly read level.
        setDebugLevel();
        setDebugEaten();

        final int muxing = 1;
        setIOModel(muxing);
        debug(3, "Enabled muxing IO for SSL in server");
    }

    /**
     * Returns the class name of the SSL context wrapper to instantiate.
     *
     * <p>If the license has not been evaluated yet (level -1), {@link #getLicenseLevel()} runs
     * first, because that method may replace the default wrapper name. Its
     * {@code RuntimeException} for a missing license propagates to the caller.
     *
     * @return the currently selected wrapper class name
     */
    public static synchronized String getWrapperClass() {
        if (licenseLevel != -1) {
            return wrapperClassName;
        }
        // Side effect wanted here: the license check may switch wrapperClassName.
        getLicenseLevel();
        return wrapperClassName;
    }

    /**
     * Returns the configured I/O model and freezes it.
     *
     * <p>Reading the model marks it as accessed; from then on {@link #setIOModel(int)} rejects
     * every change.
     *
     * @return the current I/O model value
     */
    public static synchronized int getIOModel() {
        // Latch first: any later setIOModel call must see the model as already consumed.
        ioModelAccessed = true;
        final int current = ioModel;
        return current;
    }

    /**
     * Reports the "debugEaten" switch as last computed by {@link #setDebugEaten()}.
     *
     * @return the cached flag; {@code false} until a property enabled it
     */
    public static synchronized boolean getDebugEaten() {
        final boolean eaten = debugEaten;
        return eaten;
    }

    /**
     * Raises the debug level to 3 when any of the three verbose system properties is {@code true}.
     *
     * <p>The level is never lowered here. A {@code SecurityException} while reading the properties
     * is ignored and leaves the level unchanged.
     */
    public static void setDebugLevel() {
        try {
            // Short-circuit order matters only for which property is read first; any one suffices.
            final boolean verbose = Boolean.getBoolean("ssl.debug")
                    || Boolean.getBoolean("weblogic.security.SSL.verbose")
                    || Boolean.getBoolean("weblogic.security.ssl.verbose");
            if (verbose) {
                setDebugLevel(3);
            }
        } catch (SecurityException ignored) {
            // Not allowed to read system properties: keep the current level.
        }
    }

    /**
     * Recomputes the "debugEaten" switch from three system properties.
     *
     * <p>Unlike {@link #setDebugLevel()}, this both sets and clears the flag. If reading the
     * properties raises a {@code SecurityException} the previous value is kept.
     */
    public static void setDebugEaten() {
        final boolean eaten;
        try {
            eaten = Boolean.getBoolean("ssl.debugEaten")
                    || Boolean.getBoolean("weblogic.security.SSL.debugEaten")
                    || Boolean.getBoolean("weblogic.security.ssl.debugEaten");
        } catch (SecurityException ignored) {
            // Property access denied: leave the flag as it was.
            return;
        }
        debugEaten = eaten;
    }

    /**
     * Logs a debug message without a stack trace.
     *
     * @param i   severity of the message; it is dropped when above the current debug level
     * @param str text to log
     */
    public static void debug(int i, String str) {
        // Cheap unsynchronised pre-check; the three-argument overload checks again under the lock.
        if (i > debugLevel) {
            return;
        }
        debug(i, (Throwable) null, str);
    }

    /**
     * Logs a debug message and, on request, the caller's stack trace.
     *
     * @param i   severity of the message; it is dropped when above the current debug level
     * @param z   {@code true} to attach a synthetic {@code Throwable("Stack trace")}
     * @param str text to log
     */
    public static void debug(int i, boolean z, String str) {
        if (i > debugLevel) {
            return;
        }
        // The Throwable is only created once the message is known to pass the level filter.
        Throwable trace;
        if (z) {
            trace = new Throwable("Stack trace");
        } else {
            trace = null;
        }
        debug(i, trace, str);
    }

    /**
     * Writes a debug message to the "TLS" log stream, creating the stream on first use.
     *
     * <p>Messages are dropped when the level is negative or above the current debug level, or
     * when the text is {@code null}. Logging is best effort: anything thrown while creating or
     * writing to the stream is discarded so that diagnostics never break the SSL code path.
     *
     * @param i   severity of the message
     * @param th  optional throwable to log with the message, may be {@code null}
     * @param str text to log
     */
    public static synchronized void debug(int i, Throwable th, String str) {
        final boolean wanted = i >= 0 && i <= debugLevel && str != null;
        if (!wanted) {
            return;
        }
        try {
            if (debugLog == null) {
                debugLog = new LogOutputStream("TLS");
            }
            if (th != null) {
                debugLog.debug(str, th);
            } else {
                debugLog.debug(str);
            }
        } catch (Throwable ignored) {
            // Deliberately swallowed: a logging failure must not surface to SSL callers.
        }
    }

    /**
     * Caches the local server's SSL MBean so that {@link #logSSLRejections()} can consult its
     * rejection-logging setting.
     *
     * <p>Until this has run, {@code sslMBean} is {@code null} and rejection logging defaults to on
     * (outside applets). The call chain is not null-guarded here.
     */
    public static void initRejectionLogging() {
        sslMBean = Admin.getInstance().getLocalServer().getSSL();
    }

    /**
     * Tells whether rejected SSL connections should be written to the server log.
     *
     * <p>Never in an applet. Otherwise the answer comes from the SSL MBean; if the MBean has not
     * been cached yet, logging is on by default, so early rejections are not silently lost.
     *
     * @return {@code true} when rejections should be logged
     */
    public static boolean logSSLRejections() {
        if (Kernel.isApplet()) {
            return false;
        }
        // No MBean yet means "log"; the MBean is only queried once it exists.
        return sslMBean == null || sslMBean.isSSLRejectionLoggingEnabled();
    }

    /**
     * Renders a trust-failure bit mask as text for diagnostics.
     *
     * <p>A mask of 0 yields {@code UserDataConstraint.NONE}. Otherwise the result starts with a
     * single space and gets one space-prefixed label appended per set bit, in ascending bit order.
     * Bits above 32 are ignored.
     *
     * <p>NOTE(review): bits 1 and 2 both produce " CERT_CHAIN_INVALID", so the two conditions cannot
     * be told apart in a log line. This may be a label that was lost for bit 1 - confirm against
     * the component that produces the mask before relying on the text during triage.
     *
     * @param i bit mask of validation failures
     * @return the textual form of the mask
     */
    public static String transformTrustBits(int i) {
        if (i == 0) {
            return UserDataConstraint.NONE;
        }
        final int[] masks = {1, 2, 4, 8, 16, 32};
        final String[] labels = {
            " CERT_CHAIN_INVALID",
            " CERT_CHAIN_INVALID",
            " CERT_CHAIN_INCOMPLETE",
            " SIGNATURE_INVALID",
            " CERT_CHAIN_UNTRUSTED",
            " VALIDATION_FAILED"
        };
        String description = " ";
        for (int k = 0; k < masks.length; k++) {
            if ((i & masks[k]) != 0) {
                description = description.concat(labels[k]);
            }
        }
        return description;
    }

    /**
     * Sets the debug verbosity.
     *
     * @param i new level; values outside 0..3 are silently ignored and the level stays as it was
     */
    public static synchronized void setDebugLevel(int i) {
        final boolean inRange = i >= 0 && i <= 3;
        if (inRange) {
            debugLevel = i;
        }
    }

    /**
     * Returns the current debug verbosity.
     *
     * @return the level last accepted by {@link #setDebugLevel(int)}, initially 0
     */
    public static synchronized int getDebugLevel() {
        final int level = debugLevel;
        return level;
    }

    /**
     * Reports whether JCE is used for some part of SSL.
     *
     * <p>The JCE utility is initialised on first use; that initialisation computes the flag.
     *
     * @return the cached {@code usingJCE} flag
     */
    public static synchronized boolean getUsingJCE() {
        final boolean needsInit = jceUtility == null;
        if (needsInit) {
            setJCEUtility();
        }
        return usingJCE;
    }

    /**
     * Obtains the {@code JCEUtility} singleton and derives the JCE-related flags from it:
     * whether a JCE provider may be used for RSA, whether JCE is used for SSL at all, and whether
     * the SSL fragment size must be limited.
     *
     * <p>Everything after the RSA decision runs inside a catch-all: any exception there is dropped
     * without a log entry and leaves the flags at whatever was assigned so far.
     * {@code checkedJCE} is set to {@code true} in every case.
     */
    private static synchronized void setJCEUtility() {
        String providerToUse;
        jceUtility = JCEUtility.getInstance();
        // JCE is allowed for RSA only when a provider is named and its name does not start with SUNRSASIGNPROVIDER.
        if (jceUtility.getCryptoToUse("RSA") != 0 && (providerToUse = jceUtility.getProviderToUse("RSA")) != null && !providerToUse.startsWith(JCEUtility.SUNRSASIGNPROVIDER)) {
            debug(3, new StringBuffer().append("Allowing JCE for RSA key agreement using provider ").append(providerToUse).toString());
            useJCEInKeyFactoryForRSA = true;
        }
        try {
            usingJCE = jceUtility.isJCEUsedForSomeSSL();
            usingJsafeJCE = jceUtility.isJsafeJCEUsedForSomeSSL();
            debug(3, new StringBuffer().append("usingJCE = ").append(usingJCE).toString());
            debug(3, new StringBuffer().append("usingJsafeJCE = ").append(usingJsafeJCE).toString());
            if (usingJCE) {
                // NOTE(review): the provider names are dereferenced without a null check; if no provider is
                // returned for either DES transformation the resulting exception lands in the silent
                // catch below and the fragment-size handling is skipped - confirm this is intended.
                if (jceUtility.getProviderToUse("DES/CBC/NoPadding").startsWith(JCEUtility.NCIPHERJCEPROVIDER) || jceUtility.getProviderToUse("DESede/CBC/NoPadding").startsWith(JCEUtility.NCIPHERJCEPROVIDER)) {
                    overrideSSLFragmentSizeEnabled = true;
                    overrideSSLFragmentSize = Chunk.DEFAULT_CHUNK_SIZE;
                    debug(3, new StringBuffer().append("Detected nCipherKM for DES support, limiting SSL fragment size to: ").append(overrideSSLFragmentSize).toString());
                }
                // -1 means "no explicit override configured".
                int i = -1;
                try {
                    i = new Integer(System.getProperty("weblogic.security.SSL.overrideFragmentSize")).intValue();
                } catch (SecurityException e) {
                    // property not readable: no override
                } catch (Exception e2) {
                    // property absent or not a number: no override
                }
                if (i != -1) {
                    // Clamp the configured size to 512..16384 before applying it.
                    if (i < 512) {
                        i = 512;
                    }
                    if (i > 16384) {
                        i = 16384;
                    }
                    overrideSSLFragmentSizeEnabled = true;
                    overrideSSLFragmentSize = i;
                    debug(3, new StringBuffer().append("Limiting SSL fragment size to: ").append(overrideSSLFragmentSize).toString());
                }
            }
        } catch (Exception e3) {
            // Swallowed without logging; a failure here is invisible to operators.
        }
        checkedJCE = true;
    }

    /**
     * Reports whether an SSL fragment-size limit is active.
     *
     * @return {@code true} once JCE initialisation enabled the override
     */
    public static synchronized boolean getOverrideSSLFragmentSizeEnabled() {
        final boolean enabled = overrideSSLFragmentSizeEnabled;
        return enabled;
    }

    /**
     * Returns the SSL fragment-size limit.
     *
     * @return the stored size (16384 initially); meaningful only while
     *         {@link #getOverrideSSLFragmentSizeEnabled()} is {@code true}
     */
    public static synchronized int getOverrideSSLFragmentSize() {
        final int size = overrideSSLFragmentSize;
        return size;
    }

    /**
     * Always answers {@code false}.
     *
     * <p>NOTE(review): the {@code usingJsafeJCE} field computed during JCE initialisation is not
     * consulted here, so callers never see it - confirm the constant result is intentional.
     *
     * @return {@code false}
     */
    public static synchronized boolean getUsingJsafeJCE() {
        final boolean jsafeInUse = false;
        return jsafeInUse;
    }

    /**
     * Reports whether a JCE provider may be used for RSA in the key factory.
     *
     * <p>This getter does not trigger JCE initialisation, so it returns {@code false} until that
     * initialisation has run.
     *
     * @return the cached flag
     */
    public static synchronized boolean getUseJCEInKeyFactoryForRSA() {
        final boolean allowed = useJCEInKeyFactoryForRSA;
        return allowed;
    }

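    /**
     * Writes non-secret facts about a private key to the debug log (level 3).
     *
     * <p>Only the algorithm, the encoding format and the implementing class are logged. The key's
     * {@code toString()} is deliberately not used: its output is provider-defined and some
     * implementations print private components, which would place key material in log files.
     *
     * @param privateKey key to describe; {@code null} is reported as such
     */
    public static synchronized void debugPrivateKey(PrivateKey privateKey) {
        debug(3, "Private key dump");
        if (privateKey == null) {
            debug(3, "   Key info: null");
            return;
        }
        // Metadata only - never the key object itself, see the method comment.
        debug(3, "   Key info: algorithm=" + privateKey.getAlgorithm()
                + ", format=" + privateKey.getFormat()
                + ", class=" + privateKey.getClass().getName());
        if (privateKey instanceof RSAPrivateCrtKey) {
            debug(3, "   is a java.security.interfaces.RSAPrivateCrtKey");
        } else if (privateKey instanceof RSAPrivateKey) {
            debug(3, "   is a java.security.interfaces.RSAPrivateKey");
        }
    }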

    /**
     * Selects the SSL I/O model.
     *
     * <p>The request is refused, with a level-2 debug message and no exception, when the value is
     * neither 0 nor 1 or when the model has already been read through {@link #getIOModel()}.
     *
     * @param i requested model, 0 or 1
     */
    public static synchronized void setIOModel(int i) {
        final boolean valid = i == 0 || i == 1;
        if (!valid) {
            debug(2, "Attempt to change SSL IO model to invalid setting");
            return;
        }
        if (ioModelAccessed) {
            debug(2, "Attempt to change SSL IO model after access");
            return;
        }
        ioModel = i;
    }

    /**
     * Creates the default trust decision object.
     *
     * @return a new {@code SSLTrustValidator} on every call; instances are not shared
     */
    public static synchronized SSLTruster getDefaultTruster() {
        final SSLTruster truster = new SSLTrustValidator();
        return truster;
    }

    /**
     * Returns the protocol-version selector, reading the system property named by
     * {@code Admin.ADMIN_SSLVERSION_PROP} on the first call only.
     *
     * <p>Mapping (case-insensitive): "SSL3" gives 1, "TLS1" gives 0, "ALL" gives 3. An absent,
     * unreadable or unrecognised property leaves the initial value 3 in place, without any log
     * entry.
     *
     * <p>NOTE(review): the default equals the "ALL" value, which by its name presumably still permits
     * SSL 3.0. SSL 3.0 is deprecated (RFC 7568); confirm what the engine negotiates for each
     * value and pin the TLS setting in deployments.
     *
     * @return the cached selector
     */
    public static synchronized int getProtocolVersion() {
        if (protocolVersionChecked) {
            return protocolVersion;
        }
        // Mark as checked up front so a failing property read is not retried.
        protocolVersionChecked = true;

        String requested = null;
        try {
            requested = System.getProperty(Admin.ADMIN_SSLVERSION_PROP);
        } catch (SecurityException ignored) {
            // Property not readable: keep the built-in default.
        }
        if (requested != null) {
            if (requested.equalsIgnoreCase("SSL3")) {
                protocolVersion = 1;
            } else if (requested.equalsIgnoreCase("TLS1")) {
                protocolVersion = 0;
            } else if (requested.equalsIgnoreCase("ALL")) {
                protocolVersion = 3;
            }
        }
        return protocolVersion;
    }

    /**
     * Returns the constraint-enforcement level, reading the system property named by
     * {@code Admin.ADMIN_SSLENFORCECONSTRAINT_PROP} on the first call only.
     *
     * <p>Mapping (case-insensitive): "off" or "false" selects {@code CONSTRAINTS_OFF}; "strong" or
     * "true" selects {@code CONSTRAINTS_STRONG}; the value of {@code SchemaSymbols.ATTVAL_STRICT}
     * selects {@code CONSTRAINTS_STRICT}. An absent, unreadable or unrecognised value keeps the
     * default.
     *
     * <p>NOTE(review): a single JVM system property can switch enforcement off, and a mistyped value
     * falls back to the default without any log entry. This presumably governs the certificate
     * basic-constraints checks - confirm, and treat an "off" setting as a finding when auditing
     * a deployment.
     *
     * @return the cached enforcement level
     */
    public static synchronized int getEnforceConstraints() {
        if (enforceConstraintsChecked) {
            return enforceConstraints;
        }
        // Mark as checked up front so a failing property read is not retried.
        enforceConstraintsChecked = true;

        String requested = null;
        try {
            requested = System.getProperty(Admin.ADMIN_SSLENFORCECONSTRAINT_PROP);
        } catch (SecurityException ignored) {
            // Property not readable: keep the default level.
        }
        if (requested == null) {
            return enforceConstraints;
        }
        final boolean off = requested.equalsIgnoreCase("off") || requested.equalsIgnoreCase("false");
        if (off) {
            enforceConstraints = CONSTRAINTS_OFF;
        } else if (requested.equalsIgnoreCase("strong") || requested.equalsIgnoreCase("true")) {
            enforceConstraints = CONSTRAINTS_STRONG;
        } else if (requested.equalsIgnoreCase(SchemaSymbols.ATTVAL_STRICT)) {
            enforceConstraints = CONSTRAINTS_STRICT;
        }
        return enforceConstraints;
    }

    /**
     * Creates an SSL context wrapper without any per-client settings.
     *
     * @return a context wrapper with the trusted CA list loaded where available
     * @throws SocketException if the wrapper class cannot be loaded or instantiated
     */
    public static SSLContextWrapper getSSLContext() throws SocketException {
        final SSLClientInfo noClientInfo = null;
        return getSSLContext(noClientInfo);
    }

    /**
     * Creates an SSL context wrapper, loads the trusted CA certificates into it and applies the
     * optional client settings.
     *
     * <p>Trusted CAs are skipped in applets. A failure while adding them is only written to the
     * debug log (level 2) and the context is still returned, so a context without trust anchors
     * can reach the caller; with the debug level at its default this leaves no trace.
     *
     * @param sSLClientInfo client identity and trust settings, or {@code null} for none
     * @return the configured context wrapper
     * @throws SocketException if the wrapper class cannot be found, accessed or instantiated
     *         (only the original message is carried over, not the cause), or if applying the
     *         client settings fails
     */
    public static SSLContextWrapper getSSLContext(SSLClientInfo sSLClientInfo) throws SocketException {
        try {
            final SSLContextWrapper context = SSLContextWrapper.getInstance();
            if (!Kernel.isApplet()) {
                final X509Certificate[] roots = getTrustedCAs(context);
                if (roots != null) {
                    try {
                        context.addTrustedCA(roots);
                    } catch (Exception addFailure) {
                        // Best effort: the context is handed out even without the CA list.
                        debug(2, addFailure, "Failure loading trusted CA list");
                    }
                }
            }
            if (sSLClientInfo != null) {
                applySSLClientInfo(context, sSLClientInfo);
            }
            return context;
        } catch (ClassNotFoundException notFound) {
            throw new SocketException(SecurityLogger.getClassNotFound(notFound.getMessage()));
        } catch (IllegalAccessException noAccess) {
            throw new SocketException(SecurityLogger.getIllegalAccessOnContextWrapper(noAccess.getMessage()));
        } catch (InstantiationException notInstantiable) {
            throw new SocketException(SecurityLogger.getInstantiationExcOnContextWrapper(notInstantiable.getMessage()));
        }
    }

    /**
     * Transfers the settings of an {@code SSLClientInfo} onto a context wrapper: client identity
     * (old stream-based and new object-based form), trust manager hooks, legacy root CA
     * fingerprints and hostname verification hooks.
     *
     * <p>The context's trust manager is always replaced by a fresh {@code SSLTrustValidator},
     * whether or not the client info carries any trust settings.
     *
     * @param sSLContextWrapper context to configure
     * @param sSLClientInfo     source of the settings; must not be {@code null}
     * @throws SocketException if the old-style private key or certificate chain cannot be read
     */
    public static void applySSLClientInfo(SSLContextWrapper sSLContextWrapper, SSLClientInfo sSLClientInfo) throws SocketException {
        InputStream[] sSLClientCertificate = sSLClientInfo.getSSLClientCertificate();
        // Old style: stream 0 holds the private key, streams 1..n hold the certificate chain.
        if (sSLClientCertificate != null && sSLClientCertificate.length >= 2) {
            debug(3, "clientInfo has old style certificate and key");
            try {
                // NOTE(review): the key password arrives as a String and is copied into a char[] that this
                // method never clears, so the secret stays in memory until collected.
                String sSLClientKeyPassword = sSLClientInfo.getSSLClientKeyPassword();
                PrivateKey inputPrivateKey = sSLContextWrapper.inputPrivateKey(sSLClientCertificate[0], sSLClientKeyPassword == null ? null : sSLClientKeyPassword.toCharArray());
                X509Certificate[] x509CertificateArr = new X509Certificate[sSLClientCertificate.length - 1];
                for (int i = 1; i < sSLClientCertificate.length; i++) {
                    x509CertificateArr[i - 1] = X509Certificate.getInstance(sSLClientCertificate[i]);
                }
                sSLContextWrapper.addIdentity(x509CertificateArr, inputPrivateKey);
                debug(3, "client identity added");
            } catch (KeyManagementException e) {
                // The original exception is only visible in the debug log; the SocketException carries no cause.
                debug(3, e, "Problem accessing private key");
                throw new SocketException(SecurityLogger.getProblemAccessingPrivateKey());
            } catch (CertificateException e2) {
                debug(3, e2, "Problem with certificate chain");
                throw new SocketException(SecurityLogger.getProblemWithCertificateChain(e2.getMessage()));
            }
        }
        // New style: certificate chain and key are supplied as objects and added in addition to any old-style identity.
        X509Certificate[] clientLocalIdentityCert = sSLClientInfo.getClientLocalIdentityCert();
        PrivateKey clientLocalIdentityKey = sSLClientInfo.getClientLocalIdentityKey();
        if (clientLocalIdentityCert != null && clientLocalIdentityKey != null) {
            debug(3, "clientInfo has new style certificate and key");
            sSLContextWrapper.addIdentity(clientLocalIdentityCert, clientLocalIdentityKey);
        }
        SSLTrustValidator sSLTrustValidator = new SSLTrustValidator();
        // NOTE(review): caller-supplied trust managers are plugged into the validator here; how their verdict
        // combines with the built-in chain checks is decided inside SSLTrustValidator - confirm there.
        if (sSLClientInfo.getTrustManager() != null) {
            debug(3, "clientInfo has programmatic TrustManager");
            sSLTrustValidator.setUserTrustManager(sSLClientInfo.getTrustManager());
        }
        if (sSLClientInfo.getTrustManagerJSSE() != null) {
            debug(3, "clientInfo has programmatic TrustManagerJSSE");
            sSLTrustValidator.setUserTrustManagerJSSE(sSLClientInfo.getTrustManagerJSSE());
        }
        byte[][] rootCAfingerprints = sSLClientInfo.getRootCAfingerprints();
        if (rootCAfingerprints != null) {
            debug(3, "Adding legacy rootCA fingerprints");
            sSLTrustValidator.setRootCAFingerPrints(rootCAfingerprints);
        }
        sSLContextWrapper.setTrustManager(sSLTrustValidator);
        SSLHostnameVerifier hostnameVerifier = sSLContextWrapper.getHostnameVerifier();
        // Hostname settings are applied only when the context uses SSLWLSHostnameVerifier; with any other
        // verifier (or none) the expected name and programmatic verifiers from clientInfo are dropped silently.
        if (hostnameVerifier != null && (hostnameVerifier instanceof SSLWLSHostnameVerifier)) {
            SSLWLSHostnameVerifier sSLWLSHostnameVerifier = (SSLWLSHostnameVerifier) hostnameVerifier;
            if (sSLClientInfo.getExpectedName() != null) {
                debug(3, "Adding legacy expected name");
                sSLWLSHostnameVerifier.setExpectedName(sSLClientInfo.getExpectedName());
            }
            if (sSLClientInfo.getHostnameVerifier() != null) {
                debug(3, "clientInfo has programmatic HostnameVerifier");
                sSLWLSHostnameVerifier.setProgrammaticVerifier(sSLClientInfo.getHostnameVerifier());
            }
            if (sSLClientInfo.getHostnameVerifierJSSE() != null) {
                debug(3, "clientInfo has programmatic HostnameVerifierJSSE");
                sSLWLSHostnameVerifier.setProgrammaticVerifierJSSE(sSLClientInfo.getHostnameVerifierJSSE());
            }
        }
        debug(3, "clientInfo settings applied");
    }

    /**
     * Returns the SSL session cache time-to-live from the system property
     * {@code weblogic.security.SSL.sessionCache.ttl}.
     *
     * <p>The default is 90000 when the property is absent or not a valid integer. The value is
     * not range-checked here, so zero or negative settings are passed through to the caller.
     *
     * @return the configured value, 90000 by default, or 0 if reading the property throws
     */
    public static int getSSLSessionTTL() {
        try {
            return Integer.getInteger("weblogic.security.SSL.sessionCache.ttl", 90000).intValue();
        } catch (Exception ignored) {
            // e.g. property access denied by a security manager
            return 0;
        }
    }

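    /**
     * Returns the trusted CA certificates, loading and caching them on first use.
     *
     * <p>On a server the list comes from the {@code SSLManager}, invoked with the kernel identity.
     * If the security service is not initialised yet, the list is read from the keystore named by
     * {@code weblogic.security.SSL.trustedCAKeyStore} (or the pre-MBean keystore configuration);
     * that fallback result is not cached. Outside a server the keystores are read directly
     * from disk.
     *
     * <p>Review notes for operators:
     * <ul>
     *   <li>Keystores are loaded with a {@code null} password, so {@code KeyStore.load} performs no
     *       integrity check; the trust store file must be protected by file-system permissions.</li>
     *   <li>Every load failure is reported through the debug log only (level 2). With debugging
     *       off, a missing or unreadable trust store yields {@code null} without any trace.</li>
     * </ul>
     *
     * @param sSLContextWrapper context passed through to the {@code SSLManager} on the server path
     * @return the trusted CA certificates, or {@code null} when none could be loaded
     */
    private static X509Certificate[] getTrustedCAs(SSLContextWrapper sSLContextWrapper) {
        X509Certificate[] x509CertificateArr = trustedCAList;
        if (x509CertificateArr == null) {
            if (Kernel.isServer()) {
                debug(3, "SSLSetup: loading trusted CA certificates");
                try {
                    // Captured by the action below; the decompiled listing referenced an undeclared name here.
                    final SSLManager sslMgr = (SSLManager) SecurityServiceManager.getSecurityService(getKernelID(), SecurityServiceManager.defaultRealmName, SecurityService.ServiceType.SSLMANAGER);
                    final SSLContextWrapper sslContext = sSLContextWrapper;
                    x509CertificateArr = (X509Certificate[]) SecurityServiceManager.runAs(getKernelID(), getKernelID(), new PrivilegedAction() {
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            return sslMgr.getTrustedCAs(sslContext);
                        }
                    });
                    trustedCAList = x509CertificateArr;
                } catch (NotYetInitializedException e) {
                    debug(2, e, "SSLSetup: SSLManager not yet initialized");
                    String property = System.getProperty("weblogic.security.SSL.trustedCAKeyStore");
                    // Not stored in trustedCAList, so a later call asks the SSLManager again.
                    x509CertificateArr = SSLManager.getTrustedCAs(property != null ? new KeyStoreInfo[]{new KeyStoreInfo(property, "jks", null)} : new KeyStoreConfigurationHelper(PreMBeanKeyStoreConfiguration.getInstance()).getTrustKeyStores());
                } catch (Exception e2) {
                    debug(2, e2, "Failure loading trusted CA list");
                }
            } else {
                isSSLFatClient = true;
                String property2 = System.getProperty("weblogic.security.SSL.trustedCAKeyStore");
                KeyStoreInfo[] trustKeyStores = property2 != null ? new KeyStoreInfo[]{new KeyStoreInfo(property2, "jks", null)} : new KeyStoreConfigurationHelper(ClientKeyStoreConfiguration.getInstance()).getTrustKeyStores();
                ArrayList arrayList = new ArrayList();
                for (int i = 0; trustKeyStores != null && i < trustKeyStores.length; i++) {
                    debug(3, new StringBuffer().append("Trusted CA keystore: ").append(trustKeyStores[i].getFileName()).toString());
                    FileInputStream fileInputStream = null;
                    try {
                        KeyStore keyStore = KeyStore.getInstance(trustKeyStores[i].getType());
                        fileInputStream = new FileInputStream(trustKeyStores[i].getFileName());
                        // null password: the keystore's integrity is not verified on load.
                        keyStore.load(fileInputStream, null);
                        arrayList.addAll(SSLCertUtility.getXCertificates(keyStore));
                    } catch (Exception e3) {
                        debug(2, e3, new StringBuffer().append("Failure loading trusted CA list from: ").append(trustKeyStores[i].getFileName()).toString());
                    } finally {
                        // Close on every path; previously a failed load left the file handle open.
                        if (fileInputStream != null) {
                            try {
                                fileInputStream.close();
                            } catch (Exception closeFailure) {
                                debug(2, closeFailure, new StringBuffer().append("Failure loading trusted CA list from: ").append(trustKeyStores[i].getFileName()).toString());
                            }
                        }
                    }
                    x509CertificateArr = (X509Certificate[]) arrayList.toArray(new X509Certificate[arrayList.size()]);
                }
                trustedCAList = x509CertificateArr;
            }
        }
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return null;
        }
        return x509CertificateArr;
    }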

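    /**
     * Guesses, from the first three bytes received on an SSL port, whether the peer is speaking
     * a known protocol in plaintext.
     *
     * <p>Recognised prefixes: "GIO" (GIOP), "GET" and "PUT" (HTTP), each in either letter case,
     * and the lower-case "t3" (T3). Other HTTP methods are not recognised. Each match is
     * reported at debug level 2.
     *
     * <p>The second GIOP byte is now accepted in lower case as well; the earlier test compared
     * against upper-case 'I' twice, so "gio" was missed although 'g' and 'o' were accepted.
     *
     * <p>NOTE(review): a GIOP match returns 0, the same value as HTTP, while this class defines
     * GIOP_PROTOCOL as 2 and uses the value as an index into the protocol names when the
     * rejection is logged. A plaintext GIOP client would therefore be logged as HTTP. The value
     * is left unchanged here because the callers are not visible - confirm and correct.
     *
     * @param i           first byte
     * @param i2          second byte
     * @param i3          third byte
     * @param inputStream not used by this method
     * @return 0 for HTTP (and currently GIOP), 1 for T3, -1 when nothing matches
     */
    public static int matchPlainText(int i, int i2, int i3, InputStream inputStream) {
        if (i == 'G' || i == 'g') {
            if ((i2 == 'I' || i2 == 'i') && (i3 == 'O' || i3 == 'o')) {
                debug(2, "Appears to be using plaintext GIOP protocol");
                return 0;
            }
            if (i2 != 'E' && i2 != 'e') {
                return -1;
            }
            if (i3 != 'T' && i3 != 't') {
                return -1;
            }
            debug(2, "Appears to be using plaintext HTTP protocol");
            return 0;
        }
        if ((i == 'P' || i == 'p') && (i2 == 'U' || i2 == 'u') && (i3 == 'T' || i3 == 't')) {
            debug(2, "Appears to be using plaintext HTTP protocol");
            return 0;
        }
        // T3 is matched in lower case only.
        if (i != 't' || i2 != '3') {
            return -1;
        }
        debug(2, "Appears to be using plaintext T3 protocol");
        if (i3 == 'u') {
            debug(2, "It is also an incompatable version of the T3 protocol");
        }
        return 1;
    }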

    /**
     * Records that a peer connected to the SSL port using a plaintext protocol.
     *
     * <p>For a protocol index outside 0..2 only a debug message is written. Otherwise the
     * protocol name is looked up, a debug message is written and, if rejection logging is on,
     * the event is logged and stored on the socket as failure details. The socket is not
     * null-checked before the failure details are set.
     *
     * @param sSLSocketImpl socket of the rejected connection
     * @param i             protocol index as used for the protocol name table
     */
    public static void logPlaintextProtocolClientError(SSLSocketImpl sSLSocketImpl, int i) {
        final String peer = getPeerName(sSLSocketImpl);
        final boolean knownProtocol = i >= 0 && i <= 2;
        if (!knownProtocol) {
            debug(2, "Connection to SSL port from " + peer + " was made using plaintext protocol, no details");
            return;
        }
        final String protocol = protocolNames[i];
        debug(2, "Connection to SSL port was made from " + peer + " using plaintext protocol: " + protocol);
        if (!logSSLRejections()) {
            return;
        }
        Loggable rejection = SecurityLogger.logPlaintextProtocolClientErrorLoggable(protocol, peer);
        rejection.log();
        sSLSocketImpl.setFailureDetails(rejection.getMessage());
    }

    /**
     * Records that a peer sent something that is neither a known SSL version nor recognisable
     * plaintext.
     *
     * <p>A debug message is always attempted; the server log entry and the socket's failure
     * details are written only when rejection logging is on.
     *
     * @param sSLSocketImpl socket of the rejected connection
     */
    public static void logProtocolVersionError(SSLSocketImpl sSLSocketImpl) {
        final String peer = getPeerName(sSLSocketImpl);
        debug(2, "Connection to SSL port from " + peer + " appears to be either unknown SSL version or maybe is plaintext");
        if (!logSSLRejections()) {
            return;
        }
        Loggable rejection = SecurityLogger.logProtocolVersionErrorLoggable(peer);
        rejection.log();
        sSLSocketImpl.setFailureDetails(rejection.getMessage());
    }

    /**
     * Records the rejection of a chain whose V3 CA certificate carries basic constraints that
     * are not marked critical (rejected under strict enforcement).
     *
     * <p>A debug message is always attempted; the server log entry and the socket's failure
     * details are written only when rejection logging is on.
     *
     * @param sSLSocketImpl socket of the rejected connection
     */
    public static void logCertificateChainConstraintsStrictNonCriticalFailure(SSLSocketImpl sSLSocketImpl) {
        final String peer = getPeerName(sSLSocketImpl);
        debug(2, "The certificate chain received from " + peer
                + " contained a V3 CA certificate which had basic constraints which were not marked critical, "
                + "this is being rejected due to the strict enforcement of basic constraints.");
        if (!logSSLRejections()) {
            return;
        }
        Loggable rejection = SecurityLogger.logCertificateChainConstraintsStrictNonCriticalFailureLoggable(peer);
        rejection.log();
        sSLSocketImpl.setFailureDetails(rejection.getMessage());
    }

    /**
     * Records the rejection of a chain whose V3 CA certificate lacks the basic constraints
     * extension.
     *
     * <p>A debug message is always attempted; the server log entry and the socket's failure
     * details are written only when rejection logging is on.
     *
     * @param sSLSocketImpl socket of the rejected connection
     */
    public static void logCertificateChainMissingConstraintsFailure(SSLSocketImpl sSLSocketImpl) {
        final String peer = getPeerName(sSLSocketImpl);
        debug(2, "The certificate chain received from " + peer
                + " contained a V3 CA certificate which was missing the basic constraints extension");
        if (!logSSLRejections()) {
            return;
        }
        Loggable rejection = SecurityLogger.logCertificateChainMissingConstraintsFailureLoggable(peer);
        rejection.log();
        sSLSocketImpl.setFailureDetails(rejection.getMessage());
    }

    /**
     * Records the rejection of a chain in which a certificate used as a CA does not declare
     * itself to be one.
     *
     * <p>A debug message is always attempted; the server log entry and the socket's failure
     * details are written only when rejection logging is on.
     *
     * @param sSLSocketImpl socket of the rejected connection
     */
    public static void logCertificateChainNotACaConstraintsFailure(SSLSocketImpl sSLSocketImpl) {
        final String peer = getPeerName(sSLSocketImpl);
        debug(2, "The certificate chain received from " + peer
                + " contained a V3 CA certificate which didn't indicate it really is a CA");
        if (!logSSLRejections()) {
            return;
        }
        Loggable rejection = SecurityLogger.logCertificateChainNotACaConstraintsFailureLoggable(peer);
        rejection.log();
        sSLSocketImpl.setFailureDetails(rejection.getMessage());
    }

    /**
     * Records the rejection of a chain that is longer than the path length allowed by a CA
     * certificate's basic constraints.
     *
     * <p>A debug message is always attempted; the server log entry and the socket's failure
     * details are written only when rejection logging is on.
     *
     * @param sSLSocketImpl socket of the rejected connection
     */
    public static void logCertificateChainPathLenExceededConstraintsFailure(SSLSocketImpl sSLSocketImpl) {
        final String peer = getPeerName(sSLSocketImpl);
        debug(2, "The certificate chain received from " + peer
                + " contained a V3 CA certificate which indicated a certificate chain path length in the basic constraints that was exceeded");
        if (!logSSLRejections()) {
            return;
        }
        Loggable rejection = SecurityLogger.logCertificateChainPathLenExceededConstraintsFailureLoggable(peer);
        rejection.log();
        sSLSocketImpl.setFailureDetails(rejection.getMessage());
    }

    /**
     * Records the rejection of a chain whose CA certificate could not be converted for the
     * basic constraints check.
     *
     * <p>A debug message is always attempted; the server log entry and the socket's failure
     * details are written only when rejection logging is on.
     *
     * @param sSLSocketImpl socket of the rejected connection
     */
    public static void logCertificateChainConstraintsConversionFailure(SSLSocketImpl sSLSocketImpl) {
        final String peer = getPeerName(sSLSocketImpl);
        debug(2, "The certificate chain received from " + peer
                + " contained a V3 CA certificate which couldn't be converted to be checked for basic constraints.");
        if (!logSSLRejections()) {
            return;
        }
        Loggable rejection = SecurityLogger.logCertificateChainConstraintsConversionFailureLoggable(peer);
        rejection.log();
        sSLSocketImpl.setFailureDetails(rejection.getMessage());
    }

    /**
     * Builds a printable name for the remote end of a socket, for use in log messages.
     *
     * <p>The normal form is "hostname - address". If the host name lookup is denied by a
     * security manager only the address is used, and if that is {@code null} the address
     * object's own string form is used.
     *
     * <p>NOTE(review): {@code InetAddress.getHostName()} may perform a reverse DNS lookup. The
     * resulting name is supplied by whoever controls the reverse zone of the peer address, so it
     * is untrusted text inside a security log, and the lookup can block the calling thread.
     * When reading these log entries, rely on the numeric address.
     *
     * @param sSLSocketImpl socket to describe, may be {@code null}
     * @return the peer description, or "unknown" when there is no socket or no address
     */
    public static String getPeerName(SSLSocketImpl sSLSocketImpl) {
        if (sSLSocketImpl == null) {
            return "unknown";
        }
        final InetAddress peerAddress = sSLSocketImpl.getInetAddress();
        if (peerAddress == null) {
            return "unknown";
        }
        String label;
        try {
            label = peerAddress.getHostName() + " - " + peerAddress.getHostAddress();
        } catch (SecurityException denied) {
            // Name resolution not permitted: fall back to the numeric address.
            label = peerAddress.getHostAddress();
        }
        return label != null ? label : peerAddress.toString();
    }

    /**
     * Logs an SSL/TLS alert received from the peer and stores the message on the socket.
     *
     * <p>Nothing happens when {@code logSSLRejections()} is false, or when the alert code is
     * 0 or 90 (close_notify and user_canceled in the TLS alert numbering). Codes with a
     * dedicated {@code SecurityLogger} message use it; every other code is logged through the
     * generic message with the number rendered as decimal text.
     *
     * <p>The code comes from the peer, so the resulting record is a diagnostic hint about why
     * the peer gave up, not a verified fact about local state.
     *
     * @param sSLSocketImpl socket the alert arrived on; dereferenced without a null check
     *     once a message has been chosen
     * @param i the alert description code sent by the peer
     */
    public static void logAlertReceivedFromPeer(SSLSocketImpl sSLSocketImpl, int i) {
        if (!logSSLRejections()) {
            return;
        }
        if (i == 0 || i == 90) {
            return;
        }
        final String peer = getPeerName(sSLSocketImpl);
        final Loggable alertRecord;
        switch (i) {
            case 10:
                alertRecord = SecurityLogger.logUnexpectedMessageAlertReceivedFromPeerLoggable(peer);
                break;
            case 20:
                alertRecord = SecurityLogger.logBadRecordMacAlertReceivedFromPeerLoggable(peer);
                break;
            case 21:
                alertRecord = SecurityLogger.logDecryptionFailedAlertReceivedFromPeerLoggable(peer);
                break;
            case 22:
                alertRecord = SecurityLogger.logRecordOverFlowAlertReceivedFromPeerLoggable(peer);
                break;
            case 30:
                alertRecord = SecurityLogger.logDecompressionFailureAlertReceivedFromPeerLoggable(peer);
                break;
            case 40:
                alertRecord = SecurityLogger.logHandshakeFailureAlertReceivedFromPeerLoggable(peer);
                break;
            case 41:
                alertRecord = SecurityLogger.logNoCertificateAlertReceivedFromPeerLoggable(peer);
                break;
            case 42:
                alertRecord = SecurityLogger.logBadCertificateAlertReceivedFromPeerLoggable(peer);
                break;
            case 43:
                alertRecord = SecurityLogger.logUnsupportedCertificateAlertReceivedFromPeerLoggable(peer);
                break;
            case 44:
                alertRecord = SecurityLogger.logCertificateRevokedAlertReceivedFromPeerLoggable(peer);
                break;
            case 45:
                alertRecord = SecurityLogger.logCertificateExpiredAlertReceivedFromPeerLoggable(peer);
                break;
            case 46:
                alertRecord = SecurityLogger.logCertificateUnknownAlertReceivedFromPeerLoggable(peer);
                break;
            case 47:
                alertRecord = SecurityLogger.logIllegalParameterAlertReceivedFromPeerLoggable(peer);
                break;
            case 48:
                alertRecord = SecurityLogger.logUnknownCAAlertReceivedFromPeerLoggable(peer);
                break;
            case 49:
                alertRecord = SecurityLogger.logAccessDeniedAlertReceivedFromPeerLoggable(peer);
                break;
            case 50:
                alertRecord = SecurityLogger.logDecodeErrorAlertReceivedFromPeerLoggable(peer);
                break;
            case 51:
                alertRecord = SecurityLogger.logDecryptErrorAlertReceivedFromPeerLoggable(peer);
                break;
            case 60:
                alertRecord = SecurityLogger.logExportRestrictionAlertReceivedFromPeerLoggable(peer);
                break;
            case 70:
                alertRecord = SecurityLogger.logProtocolVersionAlertReceivedFromPeerLoggable(peer);
                break;
            case 71:
                alertRecord = SecurityLogger.logInsufficientSecurityAlertReceivedFromPeerLoggable(peer);
                break;
            case 80:
                alertRecord = SecurityLogger.logInternalErrorAlertReceivedFromPeerLoggable(peer);
                break;
            case 100:
                alertRecord = SecurityLogger.logNoRenegotiationAlertReceivedFromPeerLoggable(peer);
                break;
            default:
                // Any code without a dedicated message is reported by number only.
                alertRecord = SecurityLogger.logAlertReceivedFromPeerLoggable(peer, Integer.toString(i));
                break;
        }
        alertRecord.log();
        sSLSocketImpl.setFailureDetails(alertRecord.getMessage());
    }

    /**
     * Translates the server's keystore configuration into trust-keystore boot properties.
     *
     * <p>The keystore mode from {@code serverMBean.getKeyStores()} selects which properties
     * are set. The demo-trust and Java-standard-trust modes both add the Java standard trust
     * passphrase. The custom-trust mode adds file name, type and passphrase. The
     * command-line-trust mode adds nothing. Null values are skipped by {@code add}.
     *
     * <p>The result can hold keystore passphrases as plain {@code String} values, exactly as
     * the MBean getters return them, so do not log, print or persist this object. Demo
     * keystores ship with the product and are meant for development use.
     *
     * @param serverMBean server configuration to read
     * @return a new {@link Properties}, possibly empty
     * @throws RuntimeException if the keystore mode is not one of the four recognised values
     *     (including null)
     */
    public static Properties getSSLTrustProperties(ServerMBean serverMBean) {
        final Properties trustProps = new Properties();
        final String keyStoreMode = serverMBean.getKeyStores();

        if (KeyStoreConstants.DEMO_IDENTITY_AND_DEMO_TRUST.equals(keyStoreMode)) {
            add(trustProps, KeyStoreConstants.TRUST_KEYSTORE_BOOT_PROP, KeyStoreConstants.DEMO_TRUST);
            add(trustProps, KeyStoreConstants.JAVA_STANDARD_TRUST_KEYSTORE_PASSPHRASE_BOOT_PROP, serverMBean.getJavaStandardTrustKeyStorePassPhrase());
            return trustProps;
        }
        if (KeyStoreConstants.CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST.equals(keyStoreMode)) {
            add(trustProps, KeyStoreConstants.TRUST_KEYSTORE_BOOT_PROP, KeyStoreConstants.JAVA_STANDARD_TRUST);
            add(trustProps, KeyStoreConstants.JAVA_STANDARD_TRUST_KEYSTORE_PASSPHRASE_BOOT_PROP, serverMBean.getJavaStandardTrustKeyStorePassPhrase());
            return trustProps;
        }
        if (KeyStoreConstants.CUSTOM_IDENTITY_AND_CUSTOM_TRUST.equals(keyStoreMode)) {
            add(trustProps, KeyStoreConstants.TRUST_KEYSTORE_BOOT_PROP, KeyStoreConstants.CUSTOM_TRUST);
            add(trustProps, KeyStoreConstants.CUSTOM_TRUST_KEYSTORE_FILENAME_BOOT_PROP, serverMBean.getCustomTrustKeyStoreFileName());
            add(trustProps, KeyStoreConstants.CUSTOM_TRUST_KEYSTORE_TYPE_BOOT_PROP, serverMBean.getCustomTrustKeyStoreType());
            add(trustProps, KeyStoreConstants.CUSTOM_TRUST_KEYSTORE_PASSPHRASE_BOOT_PROP, serverMBean.getCustomTrustKeyStorePassPhrase());
            return trustProps;
        }
        if (KeyStoreConstants.CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.equals(keyStoreMode)) {
            // Trust settings come from elsewhere in this mode; nothing is added here.
            return trustProps;
        }
        // Fail closed on an unrecognised mode rather than returning a partial configuration.
        throw new RuntimeException(SecurityLogger.getAssertionIllegalKeystoresValue(keyStoreMode));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the current value of the {@code isSSLFatClient} flag.
     *
     * <p>The decompiler widened this accessor to public; the original was package-private.
     *
     * @return the {@code isSSLFatClient} field value
     */
    public static boolean isFatClient() {
        return isSSLFatClient;
    }

    /**
     * Sets a property only when a value is present.
     *
     * @param properties target to update
     * @param str property name
     * @param str2 property value; a null value leaves {@code properties} unchanged
     */
    private static void add(Properties properties, String str, String str2) {
        if (str2 == null) {
            // Skip unset configuration values instead of storing null.
            return;
        }
        properties.setProperty(str, str2);
    }

    /**
     * Returns the cached kernel identity, fetching it on first use.
     *
     * <p>The subject is obtained through {@code AccessController.doPrivileged} and stored in
     * the static {@code kernelID} field. The lazy initialisation is not synchronised.
     * NOTE(review): the kernel identity is presumably a highly privileged subject, so it
     * should stay behind this private accessor and not be handed to callers outside the
     * class. Confirm against how {@code kernelID} is used elsewhere.
     *
     * @return the kernel identity subject
     */
    private static AuthenticatedSubject getKernelID() {
        if (kernelID != null) {
            return kernelID;
        }
        kernelID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
        return kernelID;
    }
}
