package weblogic.t3.srvr;

import java.io.EOFException;
import java.io.File;
import java.io.IOException;
import java.io.InterruptedIOException;
import java.math.BigInteger;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketException;
import java.security.AccessController;
import java.security.KeyManagementException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import javax.management.InstanceNotFoundException;
import javax.management.MalformedObjectNameException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.security.cert.CertificateExpiredException;
import javax.security.cert.CertificateNotYetValidException;
import javax.security.cert.X509Certificate;
import weblogic.kernel.ExecuteRequest;
import weblogic.kernel.ExecuteThread;
import weblogic.kernel.Kernel;
import weblogic.logging.Loggable;
import weblogic.management.Admin;
import weblogic.management.WebLogicObjectName;
import weblogic.management.configuration.SSLMBean;
import weblogic.management.configuration.ServerDebugMBean;
import weblogic.management.configuration.ServerMBean;
import weblogic.protocol.configuration.NetworkChannel;
import weblogic.security.Entity;
import weblogic.security.SSL.SSLCertificate;
import weblogic.security.SecurityLogger;
import weblogic.security.X509;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.InvalidParameterException;
import weblogic.security.service.NotYetInitializedException;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SSLManager;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.utils.SSLCertUtility;
import weblogic.security.utils.SSLCipherUtility;
import weblogic.security.utils.SSLContextManager;
import weblogic.security.utils.SSLContextWrapper;
import weblogic.security.utils.SSLIOContextTable;
import weblogic.security.utils.SSLSetup;
import weblogic.security.utils.SSLTrustValidator;
import weblogic.server.Server;
import weblogic.socket.MuxableSocket;
import weblogic.socket.MuxableSocketDiscriminator;
import weblogic.socket.SSLFilter;
import weblogic.socket.SocketLogger;
import weblogic.socket.SocketMuxer;
import weblogic.utils.AssertionError;

/* loaded from: input_file:weblogic.jar:weblogic/t3/srvr/SSLListenThread.class */
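/**
 * Listen thread for the server's SSL listen port (and, when constructed with an
 * explicit port, the administration port).
 *
 * <p>On first construction in the VM it builds the process-wide
 * {@link SSLContextWrapper} from the realm's {@link SSLManager}: it loads the
 * server identity (private key and certificate chain) and the trusted CAs,
 * validates them ({@link #checkIdentity}, {@link #checkTrust}), applies the
 * configured protocol version and export-key refresh policy, and installs an
 * {@link SSLTrustValidator} as the trust manager. The context is published via
 * {@link SSLContextManager#setDefaultSSLContext} and cached in a static field, so
 * every SSL listen thread in the VM shares one identity and one trust store.
 *
 * <p>Accepted sockets are handed to an execute thread, which completes the SSL
 * handshake (with the login timeout applied) before the socket is registered
 * with the muxer; see {@link #registerSocket}.
 */
public final class SSLListenThread extends ListenThread {
    /** Milliseconds per day; used to express certificate lifetime in days. */
    private static final int ONE_DAY = 86400000;
    /** Certificates expiring within this many days trigger a warning at startup. */
    private static final int WARNING_PERIOD = 30;
    private static final String SSL_LISTEN_THREAD_NAME = "SSLListenThread";
    private static final String ADMIN_LISTEN_THREAD_NAME = "AdminListenThread";
    /** Issuer CN fragment that identifies the shipped demonstration CA. */
    private static final String DEMO_CA_CN = "CN=CACERT";
    /**
     * The one expired trusted root whose expiry is deliberately not logged by
     * {@link #checkTrust}. It is still loaded into the trust store like any other CA.
     */
    private static final String LEGACY_VERISIGN_CLASS4_ISSUER =
            "OU=Class 4 Public Primary Certification Authority, O=\"VeriSign, Inc.\", C=US";
    private static final BigInteger LEGACY_VERISIGN_CLASS4_SERIAL = BigInteger.valueOf(11374952449L);
    /** Cipher suites that provide neither encryption nor authentication; never enabled. */
    private static final String SSL_NULL_SUITE = "SSL_NULL_WITH_NULL_NULL";
    private static final String TLS_NULL_SUITE = "TLS_NULL_WITH_NULL_NULL";

    /** Kernel identity used to look up the SSLManager security service; resolved lazily. */
    private static AuthenticatedSubject kernelID = null;
    /** Server certificate chain in the legacy {@link SSLCertificate} form; set once. */
    private static SSLCertificate serverCert = null;
    private static boolean debugIsSet = false;
    /** Shared SSL context for all SSL listen threads in this VM; set once by {@link #initSSLContext}. */
    private static SSLContextWrapper sslContext = null;

    /**
     * Path of the configured server certificate file for the named server, relative
     * to the local server's root directory.
     *
     * @param str name of the server whose configuration is consulted
     * @throws AssertionError if not called on the admin server or the MBean is missing
     */
    public static String getServerCertificateFilePath(String str) {
        return getFilePath(getServerMBean(str).getSSL().getServerCertificateFileName());
    }

    /**
     * Path of the configured server certificate chain file for the named server,
     * relative to the local server's root directory.
     *
     * @param str name of the server whose configuration is consulted
     * @throws AssertionError if not called on the admin server or the MBean is missing
     */
    public static String getServerCertificateChainFilePath(String str) {
        return getFilePath(getServerMBean(str).getSSL().getServerCertificateChainFileName());
    }

    /**
     * Joins a configured file name onto the local server's root directory. The file
     * name comes from the domain configuration and is not normalised here.
     */
    private static String getFilePath(String str) {
        return Admin.getInstance().getLocalServer().getRootDirectory() + File.separator + str;
    }

    /**
     * Looks up the ServerMBean for the named server in the admin MBean home.
     *
     * @throws AssertionError if this is not the admin server, or the MBean cannot be
     *         named or found (both lookup failures are treated as invariant violations)
     */
    private static ServerMBean getServerMBean(String str) {
        Admin.getInstance();
        if (!Admin.isAdminServer()) {
            throw new AssertionError("getServerMBean must be called from the admin server");
        }
        try {
            WebLogicObjectName objectName =
                    new WebLogicObjectName(str, "Server", Admin.getInstance().getDomainName());
            return (ServerMBean) Admin.getInstance().getAdminMBeanHome().getMBean(objectName);
        } catch (InstanceNotFoundException e) {
            throw new AssertionError("Couldn't find server mbean for " + str + " " + e);
        } catch (MalformedObjectNameException e2) {
            throw new AssertionError("Couldn't create server object name for " + str + " " + e2);
        }
    }

    /**
     * The server's certificate chain in legacy form, or {@code null} until the first
     * SSL listen thread has initialised the shared context.
     */
    public static SSLCertificate getServerCert() {
        return serverCert;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the SSL listen thread on the channel's SSL listen port.
     *
     * @throws IOException if the SSL license is missing or the identity/trust
     *         configuration is inconsistent (see {@link #initSSLContext})
     */
    public SSLListenThread(NetworkChannel networkChannel, ThreadGroup threadGroup) throws IOException {
        this(networkChannel, threadGroup, 0);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates an SSL listen thread. A port of {@code 0} means "use the channel's SSL
     * listen port" and names the thread {@value #SSL_LISTEN_THREAD_NAME}; any other
     * value is used as-is and names it {@value #ADMIN_LISTEN_THREAD_NAME}.
     *
     * @throws IOException if the SSL license is missing or the identity/trust
     *         configuration is inconsistent (see {@link #initSSLContext})
     */
    public SSLListenThread(NetworkChannel networkChannel, ThreadGroup threadGroup, int i) throws IOException {
        super(networkChannel, threadGroup, i == 0 ? SSL_LISTEN_THREAD_NAME : ADMIN_LISTEN_THREAD_NAME);
        this.port = i == 0 ? networkChannel.getSSLListenPort() : i;
        if (!debugIsSet) {
            setDebugFromProperties();
        }
        // Fail fast: no license means no SSL listener at all.
        checkSSLLicense();
        if (sslContext == null) {
            initSSLContext();
        }
    }

    /**
     * Builds and publishes the shared SSL context exactly once per VM.
     *
     * <p>Order matters: identity and trust are validated before anything is added to
     * the context, the trust validator is configured to require peer certificates only
     * when client certificates are enforced, and {@link #sslContext} is assigned last
     * so a half-built context is never observed by other threads.
     *
     * @throws IOException (wrapping the cause) if the identity or trust configuration
     *         is rejected; {@link SocketException} if the context wrapper class
     *         cannot be loaded or instantiated
     */
    private static synchronized void initSSLContext() throws IOException {
        if (sslContext != null) {
            return;
        }
        try {
            SSLContextWrapper contextWrapper = SSLContextWrapper.getInstance();
            try {
                SSLSetup.initRejectionLogging();
                SSLManager sslManager = getSSLManager();
                PrivateKey serverPrivateKey = sslManager.getServerPrivateKey(contextWrapper);
                X509Certificate[] serverChain = sslManager.getServerCertificate(contextWrapper);
                checkIdentity(contextWrapper, serverChain, serverPrivateKey);
                X509Certificate[] trustedCAs = sslManager.getTrustedCAs(contextWrapper);
                checkTrust(trustedCAs);
                contextWrapper.addIdentity(serverChain, serverPrivateKey);
                if (trustedCAs != null) {
                    // Every configured CA is trusted, including any that checkTrust
                    // reported as expired or not yet valid (those are only logged).
                    contextWrapper.addTrustedCA(trustedCAs);
                }
                contextWrapper.setProtocolVersion(SSLSetup.getProtocolVersion());
                SSLTrustValidator trustValidator = new SSLTrustValidator();
                trustValidator.setPeerCertsRequired(Server.getConfig().getSSL().isClientCertificateEnforced());
                // Application code must not be able to relax the validator's verdict.
                trustValidator.setAllowOverride(false);
                contextWrapper.setTrustManager(trustValidator);
                int exportKeyLifespan = Server.getConfig().getSSL().getExportKeyLifespan();
                contextWrapper.setExportRefreshCount(exportKeyLifespan);
                T3SrvrLogger.logExportableKeyMaxLifespan(exportKeyLifespan);
                SSLContextManager.getInstance().setDefaultSSLContext(contextWrapper);
                if (serverCert == null) {
                    serverCert = makeOldCertChain(serverChain);
                    T3SrvrLogger.logCertificateContents(serverCert.toString());
                }
                sslContext = contextWrapper;
            } catch (Exception e) {
                T3SrvrLogger.logInconsistentSecurityConfig(e);
                SSLSetup.debug(1, e, "SSLListenThread: inconsistent configuration");
                IOException failure = new IOException("Inconsistent security configuration, " + e.getMessage());
                // Keep the original failure in the chain for diagnostics.
                failure.initCause(e);
                throw failure;
            }
        } catch (ClassNotFoundException e2) {
            SocketException failure = new SocketException("Class not Found");
            failure.initCause(e2);
            throw failure;
        } catch (IllegalAccessException e3) {
            SocketException failure = new SocketException("Illegal access on context wrapper class");
            failure.initCause(e3);
            throw failure;
        } catch (InstantiationException e4) {
            SocketException failure = new SocketException("Instantiation exception on context wraper class");
            failure.initCause(e4);
            throw failure;
        }
    }

    /**
     * Converts the identity chain (leaf first) into the legacy {@link SSLCertificate}
     * form, linking each certificate to its issuer; a self-signed final certificate is
     * linked to itself.
     */
    private static SSLCertificate makeOldCertChain(X509Certificate[] x509CertificateArr) throws Exception {
        X509[] chain = SSLCertUtility.toX509(x509CertificateArr);
        SSLCertificate legacyChain = new SSLCertificate(null);
        int last = chain.length - 1;
        for (int i = 0; i < chain.length; i++) {
            X509 cert = chain[i];
            if (i < last) {
                cert.setIssuerCertificate(chain[i + 1]);
            } else if (cert.getIssuer().equals((Entity) cert.getSubject())) {
                cert.setIssuerCertificate(cert);
            }
            legacyChain.certificateList.addElement(cert);
        }
        return legacyChain;
    }

    /**
     * Heuristically recognises a certificate issued by the shipped demonstration CA:
     * the issuer DN contains {@value #DEMO_CA_CN} as a whole token (at the end of the
     * DN or followed by a non-letter). This is a name match only; it proves nothing
     * about the issuing key.
     */
    private static boolean isDemoCertificate(X509Certificate x509Certificate) {
        String issuer = x509Certificate.getIssuerDN().getName();
        int start = issuer.lastIndexOf(DEMO_CA_CN);
        if (start < 0) {
            return false;
        }
        int end = start + DEMO_CA_CN.length();
        return end >= issuer.length() || !Character.isLetter(issuer.charAt(end));
    }

    /** First certificate in the array that {@link #isDemoCertificate} matches, or {@code null}. */
    private static X509Certificate findDemoCert(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null) {
            return null;
        }
        for (X509Certificate cert : x509CertificateArr) {
            if (isDemoCertificate(cert)) {
                return cert;
            }
        }
        return null;
    }

    /**
     * Validates the server identity before it is installed.
     *
     * <p>Checks performed:
     * <ul>
     *   <li>every certificate in the chain is within its validity period and its
     *       signature verifies against the next certificate's public key; the final
     *       certificate is verified against itself only if it is self-signed, so a
     *       chain ending in an unverified intermediate is not rejected here;</li>
     *   <li>in production mode, use of a demo-CA certificate is logged;</li>
     *   <li>for RSA keys only, key strength and configured cipher strength are
     *       reconciled against the SSL license level (non-RSA keys skip this);</li>
     *   <li>the private key matches the leaf certificate's public key, when the key
     *       material allows that check.</li>
     * </ul>
     *
     * @param sSLContextWrapper context used for the key-match check
     * @param x509CertificateArr identity chain, leaf first
     * @param privateKey the server private key
     * @throws Exception describing the first failed check
     */
    private static void checkIdentity(SSLContextWrapper sSLContextWrapper, X509Certificate[] x509CertificateArr, PrivateKey privateKey) throws Exception {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new Exception(new Loggable(T3SrvrLogger.logNoCertificatesSpecified(), null).getMessageText());
        }
        int last = x509CertificateArr.length - 1;
        X509Certificate current = null;
        for (int i = 0; i < x509CertificateArr.length; i++) {
            try {
                current = x509CertificateArr[i];
                current.checkValidity();
                if (i < last) {
                    current.verify(x509CertificateArr[i + 1].getPublicKey());
                } else if (current.getIssuerDN().equals(current.getSubjectDN())) {
                    current.verify(current.getPublicKey());
                }
                warnIfExpiresSoon(current);
            } catch (SignatureException e) {
                SecurityLogger.logIdentityCertificateNotValid(current.toString());
                throw new Exception("Invalid certificate signature: " + current);
            } catch (CertificateExpiredException e2) {
                SecurityLogger.logIdentityCertificateExpired(current.toString());
                throw new Exception("Certificate expired: " + current);
            } catch (CertificateNotYetValidException e3) {
                SecurityLogger.logIdentityCertificateNotYetValid(current.toString());
                throw new Exception("Certificate not yet valid: " + current);
            } catch (Exception e4) {
                SecurityLogger.logUnableToVerifyIdentityCertificate(current.toString());
                throw new Exception("Unable to verify certificate signature: " + current + "\n" + e4.getMessage());
            }
        }
        if (Admin.getInstance().getDomain().isProductionModeEnabled()) {
            X509Certificate demoCert = findDemoCert(x509CertificateArr);
            if (demoCert != null) {
                SecurityLogger.logDemoIdentityCertificateUsed(demoCert.toString());
            }
        }

        // True when every explicitly configured suite is exportable (weak) strength.
        boolean allCiphersExportable = true;
        SSLCipherUtility cipherUtility = SSLCipherUtility.getInstance();
        String[] ciphersuites = Server.getConfig().getSSL().getCiphersuites();
        for (int i = 0; i < ciphersuites.length && allCiphersExportable; i++) {
            if (!cipherUtility.getCipherIsExportable(ciphersuites[i])) {
                allCiphersExportable = false;
            }
        }
        PublicKey leafKey = x509CertificateArr[0].getPublicKey();
        if (leafKey instanceof RSAPublicKey) {
            // "Strong" here is the export-control boundary of the era (roughly 1024-bit
            // RSA); it is not a statement about present-day key-size adequacy.
            boolean strongKey = ((RSAPublicKey) leafKey).getModulus().bitLength() >= 1000;
            boolean domesticLicense = SSLSetup.getLicenseLevel() == 1;
            if (ciphersuites.length == 0) {
                // No explicit suites: the defaults follow the license level.
                allCiphersExportable = !domesticLicense;
            }
            if (!domesticLicense && (strongKey || !allCiphersExportable)) {
                if (strongKey) {
                    T3SrvrLogger.logStrongCertsWeakLicense();
                } else {
                    T3SrvrLogger.logStrongCiphersWeakLicense();
                }
                // Bug fix: the noun must follow the cause (key size vs. cipher suite).
                // The original selected it with the license flag, which is always
                // false on this path, so it always blamed the cipher suite.
                throw new Exception("Attempting to use a full strength (domestic) "
                        + (strongKey ? "certificates" : "cipher suite")
                        + " without a full strength (domestic) license.");
            }
            if (strongKey) {
                T3SrvrLogger.logExportableKeyMaxLifespan(Server.getConfig().getSSL().getExportKeyLifespan());
                if (allCiphersExportable) {
                    T3SrvrLogger.logStrongCertsStrongLicenseWeakCiphers();
                } else {
                    T3SrvrLogger.logUsingFullStrengthSSL();
                }
            } else {
                if (domesticLicense) {
                    T3SrvrLogger.logStrongLicenseWeakCerts();
                }
                T3SrvrLogger.logUsingLowStrengthSSL();
            }
        }

        boolean keysMatch = false;
        boolean keyCheckPerformed = false;
        try {
            keysMatch = sSLContextWrapper.doKeysMatch(x509CertificateArr[0].getPublicKey(), privateKey);
            keyCheckPerformed = true;
        } catch (KeyManagementException e5) {
            // e.g. a hardware-backed key whose material cannot be read: the mismatch
            // check is skipped, not failed, and that is logged.
            SSLSetup.debug(3, "Key match check failed with exception, may not have access to private key data to perform this check");
            SecurityLogger.logCantCheckKeyMatch();
        }
        if (keyCheckPerformed && !keysMatch) {
            throw new Exception(new Loggable(SecurityLogger.logCertificateAndPrivateKeyMismatched(), null).getMessageText());
        }
    }

    /**
     * Validates the configured trusted CAs. Having no trusted CAs is fatal only when
     * client certificates are enforced; otherwise it is logged. Expired or
     * not-yet-valid CAs are logged but still accepted (the caller loads them all),
     * with one legacy VeriSign root exempted from the expiry log message.
     *
     * @throws Exception if client certificates are enforced and no trusted CA is configured
     */
    private static void checkTrust(X509Certificate[] x509CertificateArr) throws Exception {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            if (Server.getConfig().getSSL().isClientCertificateEnforced()) {
                throw new Exception(new Loggable(SecurityLogger.logClientCertEnforcedNoTrustedCA(), null).getMessageText());
            }
            SecurityLogger.logNoTrustedCAsLoaded();
            return;
        }
        for (X509Certificate ca : x509CertificateArr) {
            try {
                ca.checkValidity();
                warnIfExpiresSoon(ca);
            } catch (CertificateExpiredException e) {
                if (!isLegacyVeriSignClass4Root(ca)) {
                    SecurityLogger.logTrustCertificateExpired(ca.toString());
                }
            } catch (CertificateNotYetValidException e2) {
                SecurityLogger.logTrustCertificateNotYetValid(ca.toString());
            }
        }
        if (Admin.getInstance().getDomain().isProductionModeEnabled()) {
            X509Certificate demoCert = findDemoCert(x509CertificateArr);
            if (demoCert != null) {
                SecurityLogger.logDemoTrustCertificateUsed(demoCert.toString());
            }
        }
    }

    /** Matches the single expired root whose expiry is deliberately not logged. */
    private static boolean isLegacyVeriSignClass4Root(X509Certificate ca) {
        return ca.getIssuerDN().getName().equals(LEGACY_VERISIGN_CLASS4_ISSUER)
                && ca.getSerialNumber().equals(LEGACY_VERISIGN_CLASS4_SERIAL);
    }

    /**
     * Logs a warning when the certificate expires within {@link #WARNING_PERIOD} days
     * (integer days remaining; already-expired certificates yield a negative count).
     */
    private static void warnIfExpiresSoon(X509Certificate x509Certificate) {
        long daysLeft = (x509Certificate.getNotAfter().getTime() - System.currentTimeMillis()) / ONE_DAY;
        if (daysLeft <= WARNING_PERIOD) {
            T3SrvrLogger.logCertificateExpiresSoon(daysLeft, x509Certificate.toString());
        }
    }

    /**
     * Creates the SSL server socket on the given port, bound to the listen address
     * when one is configured, with the configured cipher suites (null suites removed,
     * names normalised to the {@code TLS_} prefix) and client authentication demanded
     * when either client-certificate enforcement or two-way SSL is enabled.
     *
     * @param i port to bind
     * @throws IOException if the socket cannot be created or bound
     */
    @Override // weblogic.t3.srvr.ListenThread
    ServerSocket newServerSocket(int i) throws IOException {
        SSLServerSocketFactory socketFactory = sslContext.getSSLServerSocketFactory();
        int acceptBacklog = Server.getConfig().getAcceptBacklog();
        ServerSocket serverSocket;
        if (getListenAddress() == null) {
            serverSocket = socketFactory.createServerSocket(i, acceptBacklog);
        } else {
            serverSocket = socketFactory.createServerSocket(i, acceptBacklog, getListenAddress());
        }
        SSLMBean ssl = Server.getConfig().getSSL();
        SSLCipherUtility cipherUtility = SSLCipherUtility.getInstance();
        String[] suites = removeLegacySuites(ssl.getCiphersuites());
        SSLServerSocket sslServerSocket = (SSLServerSocket) serverSocket;
        if (suites != null && suites.length > 0) {
            sslServerSocket.setEnabledCipherSuites(cipherUtility.changeCipherPrefix(suites, "TLS_"));
        }
        // Otherwise the factory's default suites stay enabled.
        if (SSLSetup.getDebugLevel() >= 3) {
            SSLSetup.debug(3, "Cipher suites enabled:");
            for (String suite : sslServerSocket.getEnabledCipherSuites()) {
                SSLSetup.debug(3, "   " + suite);
            }
        }
        // NOTE(review): both flags map to needClientAuth=true here; how a two-way
        // but non-enforced configuration is honoured depends on the trust validator's
        // setPeerCertsRequired(isClientCertificateEnforced) in initSSLContext -- confirm.
        sslServerSocket.setNeedClientAuth(ssl.isClientCertificateEnforced() || ssl.isTwoWaySSLEnabled());
        getWhenBound().done();
        return serverSocket;
    }

    /**
     * Drops {@code null} entries and the two "NULL_WITH_NULL_NULL" suites from the
     * configured list. No other suite is filtered: any other weak or NULL-encryption
     * suite present in the configuration is passed through as configured.
     *
     * @return a new array, or {@code null} when the input is {@code null}
     */
    private String[] removeLegacySuites(String[] strArr) {
        if (strArr == null) {
            return null;
        }
        ArrayList<String> kept = new ArrayList<String>(strArr.length);
        for (String suite : strArr) {
            if (suite == null) {
                continue;
            }
            if (SSL_NULL_SUITE.equals(suite) || TLS_NULL_SUITE.equals(suite)) {
                SSLSetup.debug(3, "Ignoring cipher " + suite);
            } else {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    /**
     * Hands an accepted socket to an execute thread that applies the login timeout,
     * forces the SSL handshake to completion, and only then wraps the socket in an
     * {@link SSLFilter} and registers it with the muxer. Admin-only channels are
     * dispatched on the system queue. SSL is not supported on the NIO muxer.
     */
    @Override // weblogic.t3.srvr.ListenThread
    public void registerSocket(NetworkChannel networkChannel, Socket socket) {
        if (SocketMuxer.getMuxer().isNioMuxer()) {
            // NOTE(review): the accepted socket is not closed here; unless the caller
            // closes it, it is dropped without a shutdown -- confirm in ListenThread.
            SocketLogger.logNioNotSupportSSL();
            return;
        }
        final SSLSocket sslSock = (SSLSocket) socket;
        final NetworkChannel channel = networkChannel;
        final long timeoutMillis = this.loginTimeout;
        ExecuteRequest handshakeRequest = new ExecuteRequest() {
            @Override // weblogic.kernel.ExecuteRequest
            public void execute(ExecuteThread executeThread) {
                try {
                    // Bound the handshake so a client that never completes it
                    // cannot hold this execute thread indefinitely.
                    sslSock.setSoTimeout(SSLListenThread.this.loginTimeout);
                    MuxableSocket discriminator = new MuxableSocketDiscriminator(sslSock, channel);
                    // Complete the handshake (and the trust validator's peer checks)
                    // before the socket is exposed to the protocol layer.
                    SSLListenThread.sslContext.forceHandshakeOnAcceptedSocket(sslSock);
                    // NOTE(review): only IOExceptions reach rejectCatastrophe below; if
                    // findContext can return null, the NPE would escape execute() and the
                    // socket would not be rejected -- confirm.
                    SSLFilter filter = (SSLFilter) SSLIOContextTable.findContext(sslSock).getFilter();
                    filter.setDelegate(discriminator);
                    filter.activateNoRegister();
                    discriminator.setReRegisterMX(filter);
                    SocketMuxer.getMuxer().register(filter);
                    SocketMuxer.getMuxer().read(filter);
                } catch (EOFException e) {
                    SSLListenThread.this.rejectCatastrophe(sslSock,
                            "Client closed socket '" + SSLListenThread.this.socketInfo(sslSock) + "' before completing connection.", e);
                } catch (InterruptedIOException e2) {
                    SSLListenThread.this.rejectCatastrophe(sslSock,
                            "Login timed out after: '" + timeoutMillis + "' ms on socket: '" + SSLListenThread.this.socketInfo(sslSock) + "'", e2);
                } catch (IOException e3) {
                    SSLListenThread.this.rejectCatastrophe(sslSock,
                            "Unable to read from socket: '" + SSLListenThread.this.socketInfo(sslSock) + "'", e3);
                }
            }
        };
        if (networkChannel.isAdminOnly()) {
            Kernel.execute(handshakeRequest, "weblogic.kernel.System");
        } else {
            Kernel.execute(handshakeRequest);
        }
    }

    /**
     * Enables SSL debug output (level 3) when the local server's debug MBean or any of
     * the {@code ssl.debug}, {@code weblogic.security.SSL.verbose} or
     * {@code weblogic.security.ssl.verbose} system properties asks for it. Runs once.
     */
    private static void setDebugFromProperties() {
        boolean debugEnabled = false;
        ServerMBean localServer = Admin.getInstance().getLocalServer();
        if (localServer != null) {
            ServerDebugMBean serverDebug = localServer.getServerDebug();
            if (serverDebug != null) {
                debugEnabled = serverDebug.getDebugSSL();
            }
        }
        if (!debugEnabled) {
            try {
                debugEnabled = Boolean.getBoolean("ssl.debug")
                        || Boolean.getBoolean("weblogic.security.SSL.verbose")
                        || Boolean.getBoolean("weblogic.security.ssl.verbose");
            } catch (SecurityException ignored) {
                // No permission to read system properties: leave debugging off.
            }
        }
        if (debugEnabled) {
            SSLSetup.setDebugLevel(3);
        }
        debugIsSet = true;
    }

    /**
     * Logs the SSL license level (1 = domestic, 2 = export) and refuses to continue
     * without one.
     *
     * @throws RuntimeException if no SSL license is found (after logging it)
     */
    private static void checkSSLLicense() {
        try {
            int licenseLevel = SSLSetup.getLicenseLevel();
            if (licenseLevel == 1) {
                T3SrvrLogger.logSSLDomesticLicense();
            } else if (licenseLevel == 2) {
                T3SrvrLogger.logSSLExportLicense();
            } else {
                throw new RuntimeException("No SSL license found");
            }
        } catch (RuntimeException e) {
            T3SrvrLogger.logSSLLicenseKeyNotFound(e);
            throw e;
        }
    }

    /**
     * Obtains the default realm's SSLManager under the kernel identity, polling until
     * the security service has finished initialising. An interrupt received while
     * waiting does not abort the wait; it is recorded and the thread's interrupt status
     * is restored once the service is available.
     */
    private static SSLManager getSSLManager() throws InvalidParameterException, NotYetInitializedException {
        SSLSetup.debug(3, "SSLListenThread.getSSLManager()");
        boolean interrupted = false;
        while (!SecurityServiceManager.isSecurityServiceInitialized()) {
            try {
                Thread.sleep(100L);
            } catch (InterruptedException e) {
                interrupted = true;
            }
        }
        if (interrupted) {
            // Do not swallow the interrupt: let the caller observe it.
            Thread.currentThread().interrupt();
        }
        return (SSLManager) SecurityServiceManager.getSecurityService(getKernelID(), SecurityServiceManager.defaultRealmName, SecurityService.ServiceType.SSLMANAGER);
    }

    /**
     * The kernel identity, resolved once in a privileged block and cached for the
     * lifetime of the class. Synchronised so concurrent first callers resolve it once.
     */
    private static synchronized AuthenticatedSubject getKernelID() {
        if (kernelID == null) {
            kernelID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
        }
        return kernelID;
    }
}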
