package weblogic.security.utils;

import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import weblogic.management.configuration.SSLMBean;
import weblogic.management.provider.ManagementService;
import weblogic.security.SecurityLogger;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.pk.CertPathValidatorParameters;
import weblogic.security.service.ContextElement;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.shared.LoggerWrapper;

/* loaded from: input_file:weblogic/security/utils/CertPathTrustManagerUtils.class */
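/**
 * Glue between the SSL trust manager's certificate callback and the realm's
 * {@code "WLSCertPathValidator"} CertPathValidator.
 *
 * <p>{@link #certificateCallback} receives the peer chain, the result of the
 * built-in SSL validation ({@code validateErr}, where {@code 0} is treated as
 * "no error") and one of the {@code CERT_PATH_VAL_*} styles, and returns the
 * final trust verdict. Whether the realm's cert path validators are consulted at
 * all depends on the style, on {@link #start()} having been called, and on the
 * server's {@link SSLMBean} inbound/outbound validation setting.
 *
 * <p>Thread-safety: all state is static. {@code running} is written under the
 * class lock by {@link #start()}, {@link #stop()} and {@link #halt()} but read
 * without it in {@link #doCertPathValidation}, hence {@code volatile}.
 */
public final class CertPathTrustManagerUtils {
    /** Consult the validators only when the SSLMBean's inbound/outbound style asks for it. */
    public static final int CERT_PATH_VAL_IF_CONFIGURED = 0;
    /** Always consult the cert path validators (once {@link #start()} has run). */
    public static final int CERT_PATH_VAL_ALWAYS = 1;
    /** Never consult the cert path validators; the built-in SSL result decides. */
    public static final int CERT_PATH_VAL_NEVER = 2;

    /** Kernel identity used for the privileged management-bean lookups below. */
    private static final AuthenticatedSubject kernelId =
            (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    // Set by start(), cleared by stop()/halt(). While false the validators are skipped and
    // the callback falls back to the built-in SSL verdict.
    private static volatile boolean running = false;
    private static final LoggerWrapper log = LoggerWrapper.getInstance("SecurityCertPath");
    /** Context element name that tells the validators whether client certificates are enforced. */
    private static final String CLIENT_CERTS_ENFORCED = "weblogic.security.ClientCertificatesEnforced";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic/security/utils/CertPathTrustManagerUtils$CertPathTrustManagerRuntimeException.class */
    /**
     * Wraps an unexpected failure while preparing a cert path for validation,
     * so it propagates as unchecked out of the trust-manager callback.
     */
    public static final class CertPathTrustManagerRuntimeException extends RuntimeException {
        /**
         * @param th the underlying failure; kept as the cause
         */
        public CertPathTrustManagerRuntimeException(Throwable th) {
            super(th);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic/security/utils/CertPathTrustManagerUtils$SSLPrevalidationContextParams.class */
    /**
     * {@link ContextHandler} handed to the cert path validators, carrying the
     * connection facts they may need: whether the built-in SSL layer already
     * validated the chain, the remote port and address, and whether client
     * certificates are enforced.
     */
    public static class SSLPrevalidationContextParams implements ContextHandler {
        private final ContextElement[] ctxElements = new ContextElement[4];

        /**
         * @param remotePort    remote port of the SSL socket
         * @param remoteAddress remote address of the SSL socket, as a string
         * @param validateErr   built-in SSL validation result; {@code 0} is published as
         *                      "chain pre-validated by SSL"
         * @param clientCertsEnforced whether the server enforces client certificates
         */
        public SSLPrevalidationContextParams(int remotePort, String remoteAddress, int validateErr, boolean clientCertsEnforced) {
            this.ctxElements[0] = new ContextElement("com.bea.contextelement.security.ChainPrevailidatedBySSL", Boolean.valueOf(validateErr == 0));
            this.ctxElements[1] = new ContextElement("com.bea.contextelement.channel.RemotePort", Integer.valueOf(remotePort));
            this.ctxElements[2] = new ContextElement("com.bea.contextelement.channel.RemoteAddress", remoteAddress);
            this.ctxElements[3] = new ContextElement(CertPathTrustManagerUtils.CLIENT_CERTS_ENFORCED, Boolean.valueOf(clientCertsEnforced));
        }

        /** @return the number of context elements carried (always 4) */
        @Override // weblogic.security.service.ContextHandler
        public int size() {
            return this.ctxElements.length;
        }

        /** @return the names of all carried context elements, in declaration order */
        @Override // weblogic.security.service.ContextHandler
        public String[] getNames() {
            String[] names = new String[this.ctxElements.length];
            for (int k = 0; k < this.ctxElements.length; k++) {
                names[k] = this.ctxElements[k].getName();
            }
            return names;
        }

        /**
         * @param name context element name
         * @return the element's value, or {@code null} when no element has that name
         */
        @Override // weblogic.security.service.ContextHandler
        public Object getValue(String name) {
            ContextElement element = find(name);
            return element == null ? null : element.getValue();
        }

        /**
         * @param names requested element names; {@code null} yields an empty array
         * @return the matching elements, in request order, skipping unknown names
         */
        @Override // weblogic.security.service.ContextHandler
        public ContextElement[] getValues(String[] names) {
            List<ContextElement> found = new ArrayList<ContextElement>(this.ctxElements.length);
            if (names != null) {
                for (String name : names) {
                    ContextElement element = find(name);
                    if (element != null) {
                        found.add(element);
                    }
                }
            }
            return found.toArray(new ContextElement[found.size()]);
        }

        /** Returns the first element whose name equals {@code name}, or {@code null}. */
        private ContextElement find(String name) {
            for (ContextElement element : this.ctxElements) {
                if (element.getName().equals(name)) {
                    return element;
                }
            }
            return null;
        }
    }

    /** Marks cert path validation as available; until then the validators are skipped. */
    public static synchronized void start() {
        running = true;
    }

    /** Marks cert path validation as unavailable again. */
    public static synchronized void stop() {
        running = false;
    }

    /** Same effect as {@link #stop()}. */
    public static synchronized void halt() {
        running = false;
    }

    private static boolean isDebug() {
        return log.isDebugEnabled();
    }

    /**
     * Emits a debug line through the logger and echoes it to stdout.
     * Every caller guards with {@link #isDebug()}, so the echo only happens in debug runs.
     */
    private static void debug(String method, String message) {
        String line = "CertPathTrustManagerUtils." + method + ": " + message;
        if (log.isDebugEnabled()) {
            log.debug(line);
        }
        System.out.println(line);
    }

    /**
     * Trust-manager callback: decides whether the peer's chain is trusted.
     *
     * @param certPathValStyle one of {@link #CERT_PATH_VAL_IF_CONFIGURED},
     *                         {@link #CERT_PATH_VAL_ALWAYS}, {@link #CERT_PATH_VAL_NEVER}
     * @param chain            peer certificate chain; may be {@code null} or empty
     * @param validateErr      built-in SSL validation result, {@code 0} meaning no error
     * @return {@code true} if the chain is trusted
     */
    public static boolean certificateCallback(int certPathValStyle, X509Certificate[] chain, int validateErr) {
        if (isDebug()) {
            debug("certificateCallback", "certPathValStype = " + certPathValStyle);
            debug("certificateCallback", "validateErr = " + validateErr);
            for (int k = 0; chain != null && k < chain.length; k++) {
                debug("certificateCallback", "chain[" + k + "] = " + chain[k]);
            }
        }
        // Operator switch: when set, a chain the built-in SSL layer already rejected is
        // never handed to the validators and is rejected here.
        boolean dontValidateIfSSLErrors = Boolean.getBoolean("weblogic.security.dontValidateIfSSLErrors");
        if (dontValidateIfSSLErrors && validateErr != 0) {
            if (isDebug()) {
                debug("certificateCallback", "returning false because of built-in SSL validation errors");
            }
            return false;
        }
        // No chain and no built-in error: the SSL layer did not require a peer certificate.
        if (validateErr == 0 && (chain == null || chain.length < 1)) {
            if (isDebug()) {
                debug("certificateCallback", "returning true because there is no chain and the chain is not required");
            }
            return true;
        }
        if (!doCertPathValidation(certPathValStyle)) {
            // Validators not consulted: the built-in SSL verdict is the final one.
            boolean builtinResult = validateErr == 0;
            if (isDebug()) {
                debug("certificateCallback", "returning " + builtinResult + " because the CertPathValidators should not be called");
            }
            return builtinResult;
        }
        // The enforcement flag is only consulted when the override property is unset.
        boolean enforceClientCerts = !dontValidateIfSSLErrors
                && ManagementService.getRuntimeAccess(kernelId).getServer().getSSL().isClientCertificateEnforced();
        boolean validated = performCertPathValidation(chain, validateErr, enforceClientCerts);
        if (isDebug()) {
            debug("certificateCallback", "returning results of CertPathValidators = " + validated);
        }
        return validated;
    }

    /**
     * Decides whether the cert path validators should be consulted.
     *
     * @param certPathValStyle one of the {@code CERT_PATH_VAL_*} constants
     * @return {@code false} while {@link #start()} has not been called; otherwise per the
     *         style, deferring to the SSLMBean's inbound/outbound setting for
     *         {@link #CERT_PATH_VAL_IF_CONFIGURED}
     */
    private static boolean doCertPathValidation(int certPathValStyle) {
        if (isDebug()) {
            debug("doCertPathValidation", "");
        }
        if (!running) {
            if (isDebug()) {
                debug("doCertPathValidation", "returning false because cert path validation is not yet available in this server");
            }
            return false;
        }
        if (certPathValStyle == CERT_PATH_VAL_ALWAYS) {
            if (isDebug()) {
                debug("doCertPathValidation", "returning true because configured to always call the cert path validators");
            }
            return true;
        }
        if (certPathValStyle == CERT_PATH_VAL_NEVER) {
            if (isDebug()) {
                debug("doCertPathValidation", "returning false because configured to never call the cert path validators");
            }
            return false;
        }
        if (isDebug()) {
            debug("doCertPathValidation", "configured to defer to the admin");
        }
        // Client mode on the current socket means this is an outbound connection.
        boolean outbound = TrustManagerEnvironment.getSSLSocket().getUseClientMode();
        if (isDebug()) {
            debug("doCertPathValidation", "outbound = " + outbound);
        }
        SSLMBean ssl = ManagementService.getRuntimeAccess(kernelId).getServer().getSSL();
        String style = outbound ? ssl.getOutboundCertificateValidation() : ssl.getInboundCertificateValidation();
        if (isDebug()) {
            debug("doCertPathValidation", "style = " + style);
        }
        boolean callValidators = SSLMBean.BUILTIN_SSL_VALIDATION_AND_CERT_PATH_VALIDATORS.equals(style);
        if (isDebug()) {
            debug("doCertPathValidation", "returning " + callValidators);
        }
        return callValidators;
    }

    /**
     * Runs the chain through the {@code "WLSCertPathValidator"} with the realm,
     * trusted CAs and connection context as parameters.
     *
     * @param chain               peer chain; {@code null} is validated as an empty path
     * @param validateErr         built-in SSL validation result, passed on to the validators
     * @param enforceClientCerts  whether the server enforces client certificates
     * @return {@code true} if the validators accepted the chain; {@code false} on a
     *         {@link CertPathValidatorException} (logged) or an
     *         {@link IllegalArgumentException} from the validator
     * @throws CertPathTrustManagerRuntimeException if the cert path cannot be built or the
     *         validator cannot be obtained or parameterised
     */
    private static boolean performCertPathValidation(X509Certificate[] chain, int validateErr, boolean enforceClientCerts) {
        if (isDebug()) {
            debug("performCertPathValidation", "");
        }
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        if (chain != null) {
            certs.addAll(Arrays.asList(chain));
        }
        CertPath certPath;
        try {
            certPath = CertificateFactory.getInstance("X509").generateCertPath(certs);
        } catch (CertificateException e) {
            // Not a verdict on the chain but an environment failure; surface it.
            if (isDebug()) {
                debug("performCertPathValidation", "unexpected exception: " + e);
            }
            throw new CertPathTrustManagerRuntimeException(e);
        }
        SSLSocket socket = TrustManagerEnvironment.getSSLSocket();
        try {
            CertPathValidatorParameters params = new CertPathValidatorParameters(
                    SecurityServiceManager.getDefaultRealmName(),
                    TrustManagerEnvironment.getTrustedCAs(),
                    new SSLPrevalidationContextParams(socket.getPort(), socket.getInetAddress().toString(), validateErr, enforceClientCerts));
            CertPathValidator.getInstance("WLSCertPathValidator").validate(certPath, params);
            if (isDebug()) {
                debug("performCertPathValidation", "the chain was validated by the cert path validators");
            }
            return true;
        } catch (IllegalArgumentException e) {
            if (isDebug()) {
                debug("performCertPathValidation", "the chain was not validated by the cert path validators:" + e);
            }
            return false;
        } catch (CertPathValidatorException e) {
            SecurityLogger.logSSLCertPathNotValidated(certPath.toString(), e);
            if (isDebug()) {
                debug("performCertPathValidation", "the chain was not validated by the cert path validators:" + e);
            }
            return false;
        } catch (GeneralSecurityException e) {
            // NoSuchAlgorithmException / InvalidAlgorithmParameterException: the validator
            // itself is unavailable or misconfigured, which is not a trust decision.
            if (isDebug()) {
                debug("performCertPathValidation", "unexpected exception: " + e);
            }
            throw new CertPathTrustManagerRuntimeException(e);
        }
    }
}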
