package com.ibm.ws.ssl.core;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.crypto.KeyException;
import com.ibm.websphere.management.AdminContext;
import com.ibm.websphere.management.dynamicproxy.InvocationHandler;
import com.ibm.websphere.management.dynamicproxy.StateObject;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.config.AuditConfig;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityConfigObject;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.ssl.config.KeyStoreManager;
import com.ibm.ws.ssl.config.ThreadManager;
import com.ibm.ws.ssl.config.WSKeyStore;
import com.ibm.ws.ssl.model.KeyStoreInfo;
import com.ibm.ws.ssl.provider.AbstractJSSEProvider;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.management.ObjectName;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/* loaded from: input_file:wasJars/cryptoimpl.jar:com/ibm/ws/ssl/core/SSLAdmin.class */
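/**
 * Management-side entry point for keystore and signer administration.
 *
 * <p>The class is driven through the {@code com.ibm.websphere.management.dynamicproxy}
 * {@link InvocationHandler} contract; {@link #preInvoke} and {@link #postInvoke} only trace, and
 * all work happens in the public operations below. Every operation traces entry/exit through
 * {@code tc} and records failures with {@link FFDCFilter} before rethrowing.
 *
 * <p>Two operations deserve particular care from callers: {@link #retrieveSignerFromPort} returns
 * a certificate chain that nothing in this class has validated against a trust store, and
 * {@link #temporarilyDisableCertificateAuthentication}, judging by its name and the trust-manager
 * call it delegates to, relaxes certificate checks for a period.
 */
public final class SSLAdmin implements InvocationHandler {
    private static final TraceComponent tc = Tr.register(SSLAdmin.class, "SSL", "com.ibm.ws.ssl.resources.ssl");

    /** Command handled locally when no keystore is registered under the requested name: creates a file-based keystore. */
    private static final String CREATE_REMOTE_KEYSTORE = "createRemoteKeyStore";
    /** Command always handled locally: registers a temporary keystore entry and, unless read-only, writes the keyring. */
    private static final String CREATE_REMOTE_KEYRING = "createRemoteKeyring";
    /** Marker in {@code parms[0]} selecting the audit keystore from the audit configuration instead of the SSL configuration. */
    private static final String AUDIT_KEYSTORE_MARKER = "audit_keystore";
    /** Parameter count both create commands require; the indexes below are only meaningful at this length. */
    private static final int CREATE_PARM_COUNT = 9;
    /** Index of the keystore password in the {@code createRemoteKeyStore} parameter layout (it is passed to {@code KeyStore.store}). */
    private static final int KEYSTORE_PASSWORD_PARM = 4;
    /** Index of the keyring password in the {@code createRemoteKeyring} parameter layout (it is passed to {@code KeyStore.load/store}). */
    private static final int KEYRING_PASSWORD_PARM = 6;
    /** Replacement for password parameters in entry trace. */
    private static final String MASKED_PARM = "********";

    /**
     * Creates the handler and runs {@link #initialize()}.
     *
     * @throws Exception if initialization fails
     */
    public SSLAdmin() throws Exception {
        initialize();
    }

    /**
     * Initialization hook invoked from the constructor; currently a no-op.
     *
     * @throws Exception declared so that future setup work can fail construction
     */
    public void initialize() throws Exception {
    }

    /**
     * Dynamic-proxy hook run before the named operation; trace only, no state is touched.
     *
     * @param operation name of the operation about to run
     * @param params    operation arguments (unused)
     * @param signature operation parameter types (unused)
     * @param state     per-invocation state object shared with {@link #postInvoke} (unused)
     * @param level     unused here; its meaning is defined by the {@code InvocationHandler} contract
     * @throws Exception never thrown by this implementation
     */
    @Override // com.ibm.websphere.management.dynamicproxy.InvocationHandler
    public void preInvoke(String operation, Object[] params, String[] signature, StateObject state, int level) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "preInvoke() -> " + operation);
            Tr.exit(tc, "preInvoke");
        }
    }

    /**
     * Dynamic-proxy hook run after the named operation; trace only, the outcome is not inspected.
     *
     * @param operation name of the operation that ran
     * @param params    operation arguments (unused)
     * @param signature operation parameter types (unused)
     * @param state     per-invocation state object shared with {@link #preInvoke} (unused)
     * @param level     unused here; its meaning is defined by the {@code InvocationHandler} contract
     * @param failure   exception raised by the operation, if any (unused)
     * @param flag      unused here; its meaning is defined by the {@code InvocationHandler} contract
     * @throws Exception never thrown by this implementation
     */
    @Override // com.ibm.websphere.management.dynamicproxy.InvocationHandler
    public void postInvoke(String operation, Object[] params, String[] signature, StateObject state, int level, Throwable failure, boolean flag) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "postInvoke -> " + operation);
            Tr.exit(tc, "postInvoke()");
        }
    }

    /**
     * Returns signer (trusted certificate) entries from a keystore known to this server.
     *
     * <p>Three shapes of result are produced:
     * <ul>
     *   <li>{@code remoteTrustStoreName == null}: a single entry {@code "remoteAliases"} mapped to
     *       {@code KeyStoreManager.getInstance().getKeyStoreAliases()} (the list of keystore names).</li>
     *   <li>{@code alias == null}: every certificate entry of the keystore, keyed by alias.</li>
     *   <li>otherwise: the one entry {@code alias -> Certificate}.</li>
     * </ul>
     *
     * @param remoteTrustStoreName keystore name as configured on this server, or {@code null} to list keystores
     * @param alias                certificate alias within that keystore, or {@code null} for all certificate entries
     * @return a mutable map as described above; never {@code null}
     * @throws SSLException if the keystore or the alias cannot be found (CWPKI0304E / CWPKI0305E)
     * @throws Exception    any other failure, after it has been recorded with FFDC
     */
    public HashMap retrieveSigners(String remoteTrustStoreName, String alias) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "retrieveSigners", new Object[]{remoteTrustStoreName, alias});
        }
        HashMap<String, Object> result = new HashMap<String, Object>();
        try {
            if (remoteTrustStoreName == null) {
                result.put("remoteAliases", KeyStoreManager.getInstance().getKeyStoreAliases());
            } else {
                WSKeyStore wsKeyStore = resolveKeyStore(remoteTrustStoreName, AdminContext.peek());
                if (wsKeyStore == null) {
                    throw new SSLException(TraceNLSHelper.getInstance().getFormattedMessage("ssl.signer.remote.truststore.not.found.CWPKI0304E", new Object[]{remoteTrustStoreName}, "The <remoteTrustStoreName> specified as \"" + remoteTrustStoreName + "\" was not found on the server."));
                }
                KeyStore javaKeyStore = wsKeyStore.getKeyStore(false, false);
                if (javaKeyStore != null) {
                    if (alias == null) {
                        collectCertificateEntries(javaKeyStore, result);
                    } else {
                        Certificate certificate = javaKeyStore.getCertificate(alias);
                        if (certificate == null) {
                            throw new SSLException(TraceNLSHelper.getInstance().getFormattedMessage("ssl.signer.alias.not.found.CWPKI0305E", new Object[]{alias}, "The <aliasFromRemoteStore> specified as \"" + alias + "\" was not found in keystore \"" + remoteTrustStoreName + "\" on the server."));
                        }
                        result.put(alias, certificate);
                    }
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "retrieveSigners");
            }
            return result;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception caught during retrieveSigners, " + e);
            }
            FFDCFilter.processException(e, "com.ibm.ws.ssl.core.SSLAdmin.retrieveSigners", "153", this);
            throw e;
        }
    }

    /**
     * Copies every certificate (signer) entry of {@code keyStore} into {@code target}, keyed by alias.
     * Key entries and aliases whose certificate is {@code null} are skipped.
     *
     * @throws KeyStoreException if the keystore has not been loaded
     */
    private static void collectCertificateEntries(KeyStore keyStore, Map<String, Object> target) throws KeyStoreException {
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String entryAlias = aliases.nextElement();
            if (!keyStore.isCertificateEntry(entryAlias)) {
                continue;
            }
            Certificate certificate = keyStore.getCertificate(entryAlias);
            if (certificate != null) {
                target.put(entryAlias, certificate);
            }
        }
    }

    /**
     * Looks up a configured keystore by name, honoring the admin context.
     *
     * <p>With an admin context, a keystore configured under the bare name wins; otherwise the
     * context-qualified name {@code name-context} is tried. Without a context only the bare name is used.
     *
     * @param keyStoreName configured keystore name
     * @param adminContext value of {@code AdminContext.peek()}, may be {@code null}
     * @return the keystore, or {@code null} if none is registered
     * @throws Exception propagated from the configuration lookup
     */
    private static WSKeyStore resolveKeyStore(String keyStoreName, String adminContext) throws Exception {
        if (adminContext == null) {
            return KeyStoreManager.getInstance().getKeyStore(keyStoreName);
        }
        SecurityConfigObject configured = KeyStoreManager.getKeyStore(keyStoreName, null);
        if (configured != null) {
            return new WSKeyStore(configured);
        }
        return KeyStoreManager.getInstance().getKeyStore(keyStoreName + "-" + adminContext);
    }

    /**
     * Runs a keystore command against a keystore on this node, or creates the keystore when the
     * command is one of the two create commands.
     *
     * <p>Resolution order: if {@code parms[0]} is {@code "audit_keystore"} the keystore comes from the
     * audit configuration and the marker is dropped from {@code parms}; otherwise it is looked up by
     * name (see {@link #resolveKeyStore}). A resolved keystore receives the command via
     * {@code WSKeyStore.invokeKeyStoreCommand}, except {@code createRemoteKeyring}, which is always
     * handled here. {@code createRemoteKeyStore} is handled here only when no keystore was resolved.
     *
     * <p>Entry trace masks the password slot of the two create commands. Other commands are traced
     * unmasked because their parameter layouts are not known here; enable entry trace with that in mind.
     *
     * @param keyStoreName configured keystore name, or the name of the keystore to create
     * @param command      keystore command name
     * @param parms        command parameters; layout depends on {@code command}
     * @return the command's result, or {@code null} for the create commands
     * @throws KeyException if the parameters are invalid, the keystore cannot be found, or the command fails
     */
    public Object[] invokeRemoteKeyStoreCommand(String keyStoreName, String command, Object[] parms) throws KeyException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invokeRemoteKeyStoreCommand", new Object[]{keyStoreName, command, printParms(maskPasswords(command, parms))});
        }
        try {
            String adminContext = AdminContext.peek();
            WSKeyStore wsKeyStore = null;
            if (parms != null && parms.length > 0 && AUDIT_KEYSTORE_MARKER.equals(parms[0])) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "This is an audit keystore so get the audit configuration infomation");
                }
                AuditConfig auditConfig = SecurityObjectLocator.getAuditConfig();
                if (auditConfig != null) {
                    wsKeyStore = new WSKeyStore(auditConfig.getAuditKeystore(keyStoreName).getSCO());
                    // Drop the marker so the remaining parms line up with the command's layout.
                    parms = parms.length == 1 ? null : Arrays.copyOfRange(parms, 1, parms.length);
                }
            } else {
                wsKeyStore = resolveKeyStore(keyStoreName, adminContext);
            }
            // Keyring creation never goes through an existing keystore object.
            if (CREATE_REMOTE_KEYRING.equals(command)) {
                wsKeyStore = null;
            }
            if (wsKeyStore != null) {
                return wsKeyStore.invokeKeyStoreCommand(command, parms);
            }
            if (CREATE_REMOTE_KEYSTORE.equals(command)) {
                createRemoteKeyStore(command, parms);
                return null;
            }
            if (CREATE_REMOTE_KEYRING.equals(command)) {
                createRemoteKeyring(command, parms, adminContext);
                return null;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Cannot find \"" + keyStoreName + "\" on the local node.");
            }
            throw new KeyException("Cannot find \"" + keyStoreName + "\" in the local node configuration.");
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception executing KeyStore method on keystore " + keyStoreName + ".", new Object[]{e});
            }
            FFDCFilter.processException(e, "com.ibm.ws.ssl.core.SSLAdmin.invokeKeyStoreCommand", "391", this);
            if (e instanceof KeyException) {
                throw (KeyException) e;
            }
            throw new KeyException(e.getMessage(), e);
        }
    }

    /**
     * Returns {@code parms} with the password slot replaced by {@link #MASKED_PARM} for the two
     * create commands, so that entry trace does not record keystore passwords. For any other
     * command, or an unexpected parameter count, the array is returned as is.
     */
    private static Object[] maskPasswords(String command, Object[] parms) {
        int passwordIndex;
        if (CREATE_REMOTE_KEYSTORE.equals(command)) {
            passwordIndex = KEYSTORE_PASSWORD_PARM;
        } else if (CREATE_REMOTE_KEYRING.equals(command)) {
            passwordIndex = KEYRING_PASSWORD_PARM;
        } else {
            return parms;
        }
        if (parms == null || parms.length != CREATE_PARM_COUNT) {
            return parms;
        }
        Object[] masked = parms.clone();
        masked[passwordIndex] = MASKED_PARM;
        return masked;
    }

    /**
     * Rejects a create command whose parameter array is missing or not {@link #CREATE_PARM_COUNT} long.
     *
     * @throws KeyException on invalid parameters
     */
    private static void requireCreateParms(String command, Object[] parms) throws KeyException {
        if (parms == null || parms.length != CREATE_PARM_COUNT) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Invalid parameters for the KeyStore method.");
            }
            throw new KeyException("Invalid parameters for the KeyStore method: " + command);
        }
    }

    /**
     * Handles {@code createRemoteKeyStore}: obtains a keystore from {@code KeyStoreManager}, adds up to
     * two signer certificates, and writes it to the file at {@code parms[3]} protected by the password
     * at {@code parms[4]}.
     *
     * <p>Layout: {@code [0..2]} strings passed straight to {@code KeyStoreManager.getKeyStore} (their
     * meaning is not visible here), {@code [3]} file path, {@code [4]} password, {@code [5]} alias for
     * certificate {@code [6]}, {@code [7]} alias for certificate {@code [8]}; either certificate may be
     * {@code null} and is then skipped.
     *
     * <p>Returns quietly when the manager yields no keystore, which is the original contract of the operation.
     *
     * @throws KeyException on an invalid parameter array
     * @throws Exception    on keystore or I/O failure
     */
    private static void createRemoteKeyStore(String command, Object[] parms) throws Exception {
        requireCreateParms(command, parms);
        String filePath = (String) parms[3];
        String password = (String) parms[KEYSTORE_PASSWORD_PARM];
        String firstAlias = (String) parms[5];
        X509Certificate firstSigner = (X509Certificate) parms[6];
        String secondAlias = (String) parms[7];
        X509Certificate secondSigner = (X509Certificate) parms[8];
        KeyStore keyStore = KeyStoreManager.getInstance().getKeyStore((String) parms[0], (String) parms[1], (String) parms[2], filePath, password, null, true, null);
        if (keyStore == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "KeyStoreManager returned no keystore for \"" + parms[0] + "\"; nothing written.");
            }
            return;
        }
        // Add the signers before opening the file so a failure here leaves no truncated file behind.
        if (firstSigner != null) {
            keyStore.setCertificateEntry(firstAlias, firstSigner);
        }
        if (secondSigner != null) {
            keyStore.setCertificateEntry(secondAlias, secondSigner);
        }
        FileOutputStream out = new FileOutputStream(filePath);
        try {
            keyStore.store(out, password.toCharArray());
        } finally {
            out.close();
        }
    }

    /**
     * Handles {@code createRemoteKeyring}: registers a temporary keystore entry with
     * {@code KeyStoreManager} and, unless the keystore is read-only, creates the keyring at the URL in
     * {@code parms[3]} and populates it with the default signers.
     *
     * <p>Layout: {@code [0]} name, {@code [1]} {@link ObjectName}, {@code [2]} string forwarded to
     * {@code KeyStoreInfo} (meaning not visible here), {@code [3]} location URL, {@code [4]} keystore
     * type, {@code [5]} provider, {@code [6]} password, {@code [7]} read-only flag, {@code [8]} map of
     * alias to {@link X509Certificate} default signers ({@code null} means none).
     *
     * <p>The keyring is written once, after the signers have been added, so the stream holds a single
     * complete keystore image.
     *
     * @throws KeyException on an invalid parameter array
     * @throws Exception    on keystore or I/O failure
     */
    private static void createRemoteKeyring(String command, Object[] parms, String adminContext) throws Exception {
        requireCreateParms(command, parms);
        String name = (String) parms[0];
        ObjectName objectName = (ObjectName) parms[1];
        String infoArg = (String) parms[2];
        String location = (String) parms[3];
        String type = (String) parms[4];
        String provider = (String) parms[5];
        String password = (String) parms[KEYRING_PASSWORD_PARM];
        boolean readOnly = ((Boolean) parms[7]).booleanValue();
        HashMap<?, ?> defaultSigners = (HashMap<?, ?>) parms[8];
        String registeredName = adminContext != null ? name + "-" + adminContext : name;
        KeyStoreManager.getInstance().addKeyStoreIfNotDuplicate(registeredName, new WSKeyStore(new KeyStoreInfo(name, location, password, provider, type, false, null, infoArg, objectName, Boolean.valueOf(readOnly), false, false, null, null, false, null, "Temporary keystore until a save is performed")));
        if (readOnly) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Keystore is read-only, skipping keyring creation.");
            }
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Keystore is writable, creating keyring.");
        }
        KeyStore keyStore = KeyStore.getInstance(type, provider);
        keyStore.load(null, password.toCharArray());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Keystore created, adding default signers.");
        }
        if (defaultSigners != null) {
            for (Map.Entry<?, ?> signer : defaultSigners.entrySet()) {
                keyStore.setCertificateEntry((String) signer.getKey(), (X509Certificate) signer.getValue());
            }
        }
        OutputStream out = new URL(location).openConnection().getOutputStream();
        try {
            keyStore.store(out, password.toCharArray());
        } finally {
            out.close();
        }
    }

    /**
     * Delegates to {@code WSX509TrustManager.temporarilyDisableCertificateAuthentication}.
     *
     * <p>Security sensitive: by its name this relaxes certificate authentication in the trust manager
     * for a limited time, so callers should keep the window as short as possible. The unit of
     * {@code duration} is not visible here and should be confirmed against {@code WSX509TrustManager}.
     *
     * @param duration length of the override, as interpreted by the trust manager
     */
    public void temporarilyDisableCertificateAuthentication(Long duration) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "temporarilyDisableCertificateAuthentication", new Object[]{duration});
        }
        WSX509TrustManager.temporarilyDisableCertificateAuthentication(duration);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "temporarilyDisableCertificateAuthentication");
        }
    }

    /**
     * Returns the first certificate of the RSA token propagation chain after checking every
     * certificate in the chain for time validity.
     *
     * <p>A missing or empty chain is not handled here and surfaces as a runtime exception from the
     * loop or the final index.
     *
     * @return the leaf (first) certificate of the configured RSA token chain
     * @throws CertificateExpiredException     if any certificate in the chain has expired
     * @throws CertificateNotYetValidException if any certificate in the chain is not yet valid
     */
    public X509Certificate getAdminRSAPropagationCertificate() throws CertificateExpiredException, CertificateNotYetValidException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAdminRSAPropagationCertificate");
        }
        Certificate[] chain = (Certificate[]) SecurityObjectLocator.getSecurityConfig("security").getAuthMechanism(AuthMechanismConfig.TYPE_RSATOKEN).getObject(AuthMechanismConfig.RSA_TOKEN_CERTIFICATE);
        for (Certificate certificate : chain) {
            try {
                ((X509Certificate) certificate).checkValidity();
            } catch (CertificateExpiredException expired) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception checking the validity of the RSA token ", new Object[]{expired});
                }
                FFDCFilter.processException(expired, "com.ibm.ws.ssl.core.SSLAdmin.getAdminRSAPropagationCertificate", "442", this);
                throw expired;
            } catch (CertificateNotYetValidException notYetValid) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception checking the validity of the RSA token ", new Object[]{notYetValid});
                }
                FFDCFilter.processException(notYetValid, "com.ibm.ws.ssl.core.SSLAdmin.getAdminRSAPropagationCertificate", "447", this);
                throw notYetValid;
            }
        }
        return (X509Certificate) chain[0];
    }

    /**
     * Connects to {@code host:port} with the SSL configuration {@code sslAlias} and returns the
     * certificate chain the peer presented.
     *
     * <p>The trust manager is told (via {@code ThreadManager.setSetSignerOnThread}) to record the
     * peer's chain on this thread, and the chain is returned whether or not the handshake succeeds:
     * a handshake failure is swallowed here. Consequently the returned chain has not been validated
     * against any trust store by this method; whoever adds it as a signer must verify it through an
     * independent channel (for example its fingerprint) first. The thread-local signer state is reset
     * and the socket closed on every exit path.
     *
     * @param host     peer host name or address
     * @param port     peer port
     * @param sslAlias SSL configuration alias used to build the socket factory
     * @return the peer's chain, or {@code null} if none could be captured
     * @throws Exception if the SSL context cannot be built or the socket cannot be closed
     */
    public Certificate[] retrieveSignerFromPort(String host, Integer port, String sslAlias) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "retrieveSignerFromPort", new Object[]{host, port, sslAlias});
        }
        SSLSocketFactory socketFactory = JSSEHelper.getInstance().getSSLContext(sslAlias, null, null).getSocketFactory();
        ThreadManager threadManager = ThreadManager.getInstance();
        SSLSocket socket = null;
        Certificate[] signerChain = null;
        try {
            // Ask the trust manager to record the peer's chain on this thread.
            threadManager.setSetSignerOnThread(true);
            threadManager.setSignerChain(null);
            socket = (SSLSocket) socketFactory.createSocket(host, port.intValue());
            socket.startHandshake();
        } catch (Exception handshakeFailure) {
            // The handshake may fail (typically because the peer's signer is not trusted yet); the
            // chain captured on the thread, if any, is still what this operation is meant to return.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Handshake with " + host + ":" + port + " did not complete; returning any captured signer chain.", new Object[]{handshakeFailure});
            }
        } finally {
            signerChain = threadManager.getSignerChain();
            threadManager.setSignerChain(null);
            threadManager.setSetSignerOnThread(false);
            if (signerChain == null && socket != null) {
                try {
                    signerChain = socket.getSession().getPeerCertificates();
                } catch (Exception ignored) {
                    // No usable session (the handshake never finished); nothing more to collect.
                }
            }
            if (socket != null) {
                socket.close();
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "retrieveSignerFromPort", signerChain);
        }
        return signerChain;
    }

    /**
     * Formats command parameters for trace as {@code "parm 0: a, parm 1: b"}.
     *
     * @param parms parameters to format; {@code null} or empty yields {@code "null or empty parms"}
     * @return the formatted list without a trailing separator
     */
    private static String printParms(Object[] parms) {
        if (parms == null || parms.length == 0) {
            return "null or empty parms";
        }
        StringBuilder text = new StringBuilder();
        for (int i = 0; i < parms.length; i++) {
            if (i > 0) {
                text.append(", ");
            }
            text.append("parm ").append(i).append(": ").append(parms[i]);
        }
        return text.toString();
    }

    /**
     * Drops the cached {@link KeyStore} objects held by {@code KeyStoreManager} and the cached SSL
     * contexts of {@code AbstractJSSEProvider}, forcing both to be rebuilt on next use.
     */
    public void clearSSLContextCache() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "clearSSLContextCache");
        }
        KeyStoreManager.getInstance().clearJavaKeyStoresFromKeyStoreMap();
        AbstractJSSEProvider.clearSSLContextCache();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "clearSSLContextCache");
        }
    }
}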
