package com.ibm.msg.client.jakarta.wmq.compat.network;

import com.ibm.mq.MQException;
import com.ibm.mq.ese.core.SecurityProvider;
import com.ibm.mq.jmqi.JmqiUtils;
import com.ibm.msg.client.commonservices.cssystem.CSSystem;
import com.ibm.msg.client.commonservices.trace.Trace;
import java.io.IOException;
import java.net.Socket;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/* loaded from: input_file:com/ibm/msg/client/jakarta/wmq/compat/network/SSLHelper.class */
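/**
 * Upgrades an already-connected plain {@link Socket} to an {@link SSLSocket} and
 * performs the checks this compatibility layer applies to the peer: a single enabled
 * cipher suite, an optional subject-DN pattern match, and an optional CRL check.
 *
 * <p>An instance is registered as a {@link HandshakeCompletedListener} on one socket
 * and hands the peer's leaf certificate to the thread that called
 * {@code startHandshake()} through {@link #getServerCert()}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>No endpoint-identification (hostname) setting is applied in this class; beyond
 *       whatever trust manager the chosen socket factory carries, the only identity
 *       check made here is the optional peer-name (subject DN) pattern.</li>
 *   <li>The enabled protocol is pinned to one of the {@code JmqiUtils} constants traced
 *       as "TLSv1" or "SSLv3" in {@code configureSSLSocket}.</li>
 *   <li>The FIPS branch changes JVM-wide state (a system property and the security
 *       provider order).</li>
 * </ul>
 */
public class SSLHelper implements HandshakeCompletedListener {
    private static final String CLSNAME = "SSLHelper";
    // NOTE(review): the only assignment visible in this listing is the `null` in the
    // static initializer, so the FIPS branches below look unreachable from here.
    // Confirm against the original source whether a setter was lost.
    private static Boolean inFipsMode;
    static final String sccsid = "@(#) MQMBID sn=p930-020-240613 su=_e_IHCSl7Ee-nc-kqTO-cfg pn=com.ibm.msg.client.jakarta.wmq.compat/src/com.ibm.msg.client.jakarta.wmq/compat/network/SSLHelper.java";
    // Guarded by this instance's monitor: set once by the handshake listener.
    private boolean certSet = false;
    private X509Certificate serverCert = null;

    /**
     * Picks the socket factory used to wrap the plain socket.
     *
     * <p>In FIPS mode the caller-supplied factory is ignored and an IBM JSSE factory is
     * loaded reflectively; otherwise {@code obj} is used if it is an
     * {@link SSLSocketFactory}, and the JVM default factory is used when it is null.
     *
     * @param obj a caller-supplied {@link SSLSocketFactory}, or null for the JVM default
     * @return the factory to create the SSL socket with
     * @throws MQException reason 2393 when no FIPS-capable JSSE can be loaded, or reason
     *     2046 when {@code obj} is non-null but not an {@link SSLSocketFactory}
     */
    private static SSLSocketFactory chooseSocketFactory(Object obj) throws MQException {
        SSLSocketFactory sSLSocketFactory;
        Class<?> dynamicLoadClass;
        if (Trace.isOn) {
            Trace.entry("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "chooseSocketFactory(Object)", new Object[]{obj});
        }
        if (inFipsMode != null && inFipsMode.booleanValue()) {
            if (Trace.isOn) {
                Trace.traceData(CLSNAME, "FIPS mode has been selected", (Object) null);
            }
            // JVM-wide side effect: affects every JSSE user in this process, not just this socket.
            System.setProperty("com.ibm.jsse2.JSSEFIPS", "true");
            try {
                CSSystem.dynamicLoadClass("com.ibm.jsse2.IBMJSSEProvider2", SSLHelper.class);
                // NOTE(review): getPackage() and getImplementationVersion() can both return
                // null, and parseInt can reject the suffix; each of those surfaces as a
                // RuntimeException that is rethrown unchanged by the catch below.
                String implementationVersion = Package.getPackage("com.ibm.jsse2").getImplementationVersion();
                int indexOf = implementationVersion.indexOf("_");
                String str = null;
                if (indexOf != -1) {
                    str = implementationVersion.substring(indexOf + 1);
                }
                int i = 0;
                if (str != null && !str.equals("")) {
                    i = Integer.parseInt(str);
                }
                if (Trace.isOn) {
                    Trace.traceData(CLSNAME, "JSSE VERSION: " + i, (Object) null);
                }
                // The suffix after '_' is compared as a number against 20041026.
                if (i >= 20041026) {
                    if (Trace.isOn) {
                        Trace.traceData(CLSNAME, "SR1a or greater available", (Object) null);
                    }
                    if (Security.getProvider(SecurityProvider.Provider.IBMJCEPlusFIPS) != null) {
                        dynamicLoadClass = CSSystem.dynamicLoadClass("com.ibm.crypto.plus.provider.IBMJCEPlusFIPS", SSLHelper.class);
                        if (Trace.isOn) {
                            Trace.traceData(CLSNAME, "JSSE2 using IBMJCEPlusFIPS for FIPS", (Object) null);
                        }
                    } else {
                        dynamicLoadClass = CSSystem.dynamicLoadClass("com.ibm.crypto.fips.provider.IBMJCEFIPS", SSLHelper.class);
                        if (Trace.isOn) {
                            Trace.traceData(CLSNAME, "JSSE2 using IBMJCEFIPS for FIPS", (Object) null);
                        }
                    }
                    // JVM-wide side effect: the FIPS provider becomes the highest-priority
                    // provider for all code in the process.
                    Security.insertProviderAt((Provider) dynamicLoadClass.newInstance(), 1);
                    sSLSocketFactory = (SSLSocketFactory) CSSystem.dynamicLoadClass("com.ibm.jsse2.SSLSocketFactoryImpl", SSLHelper.class).newInstance();
                    if (Trace.isOn) {
                        Trace.traceData(CLSNAME, "Using JSSE2 for FIPS", (Object) null);
                    }
                } else {
                    if (Trace.isOn) {
                        Trace.traceData(CLSNAME, "1.4.2 or lower available", (Object) null);
                    }
                    try {
                        sSLSocketFactory = (SSLSocketFactory) CSSystem.dynamicLoadClass("com.ibm.fips.jsse.JSSESocketFactory", SSLHelper.class).newInstance();
                        if (Trace.isOn) {
                            Trace.traceData(CLSNAME, "Using old JSSE for FIPS", (Object) null);
                        }
                    } catch (Exception e) {
                        if (Trace.isOn) {
                            Trace.catchBlock("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "chooseSocketFactory(Object)", e, 1);
                        }
                        if (Trace.isOn) {
                            Trace.traceData(CLSNAME, "JVM does not contain a FIPS compliant JSSE", (Object) null);
                        }
                        MQException mQException = new MQException(2, 2393, CLSNAME);
                        if (Trace.isOn) {
                            Trace.throwing("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "chooseSocketFactory(Object)", mQException, 1);
                        }
                        throw mQException;
                    }
                }
            } catch (RuntimeException e2) {
                throw e2;
            } catch (Exception e3) {
                // Any checked failure above (including the MQException thrown just above)
                // lands here and triggers one more attempt with the old JSSE factory
                // before giving up; FIPS mode never falls back to a non-FIPS factory.
                if (Trace.isOn) {
                    Trace.catchBlock("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "chooseSocketFactory(Object)", e3, 2);
                }
                if (Trace.isOn) {
                    Trace.traceData(CLSNAME, "1.4.2 or lower available", (Object) null);
                }
                try {
                    sSLSocketFactory = (SSLSocketFactory) CSSystem.dynamicLoadClass("com.ibm.fips.jsse.JSSESocketFactory", SSLHelper.class).newInstance();
                    if (Trace.isOn) {
                        Trace.traceData(CLSNAME, "Using old JSSE for FIPS", (Object) null);
                    }
                } catch (Exception e4) {
                    if (Trace.isOn) {
                        Trace.catchBlock("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "chooseSocketFactory(Object)", e4, 3);
                    }
                    if (Trace.isOn) {
                        Trace.traceData(CLSNAME, "JVM does not contain a FIPS compliant JSSE", (Object) null);
                    }
                    MQException mQException2 = new MQException(2, 2393, CLSNAME);
                    if (Trace.isOn) {
                        Trace.throwing("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "chooseSocketFactory(Object)", mQException2, 2);
                    }
                    throw mQException2;
                }
            }
        } else if (obj == null) {
            if (Trace.isOn) {
                Trace.traceData(CLSNAME, "using default SSLSocketFactory", (Object) null);
            }
            sSLSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        } else {
            if (!(obj instanceof SSLSocketFactory)) {
                MQException mQException3 = new MQException(2, 2046, Thread.currentThread(), MQException.MQJE066, "sslSocketFactory");
                if (Trace.isOn) {
                    Trace.throwing("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "chooseSocketFactory(Object)", mQException3, 3);
                }
                throw mQException3;
            }
            if (Trace.isOn) {
                Trace.traceData(CLSNAME, "using supplied SSLSocketFactory", (Object) null);
            }
            sSLSocketFactory = (SSLSocketFactory) obj;
        }
        if (Trace.isOn) {
            Trace.exit("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "chooseSocketFactory(Object)", sSLSocketFactory);
        }
        return sSLSocketFactory;
    }

    /**
     * Restricts the socket to one cipher suite and one protocol, runs the handshake and
     * validates the peer certificate.
     *
     * @param sSLSocket the socket to configure and handshake on
     * @param str the single cipher suite to enable
     * @param str2 expected peer-name (subject DN) pattern; null or empty skips the check
     * @param collection passed to {@code SSLCRLHelper.check}; null skips the CRL check
     * @param z true when FIPS mode is active, which forces the TLS protocol constant
     * @return the subject DN of the peer's leaf certificate
     * @throws MQException reason 2400 for a rejected cipher suite or protocol, 2397 for a
     *     handshake or I/O failure or a missing peer certificate, 2398 for a peer-name
     *     mismatch, 2059 if closing the socket after a mismatch fails
     */
    private static String configureSSLSocket(SSLSocket sSLSocket, String str, String str2, Collection collection, boolean z) throws MQException {
        if (Trace.isOn) {
            Trace.entry("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", new Object[]{sSLSocket, str, str2, collection, Boolean.valueOf(z)});
        }
        try {
            // Throws IllegalArgumentException for a null or unsupported suite, so `str`
            // is a suite the socket supports from here on.
            sSLSocket.setEnabledCipherSuites(new String[]{str});
            String[] strArr = new String[1];
            // NOTE(review): exactly one legacy protocol is enabled. Both values traced
            // below (TLSv1, SSLv3) are deprecated (RFC 8996, RFC 7568) and are disabled by
            // default in current JDKs, where this call or the handshake will then fail.
            // Left unchanged because the JmqiUtils constants are not visible here.
            if (z || str.startsWith("TLS")) {
                strArr[0] = JmqiUtils.protocol_TLS10;
                if (Trace.isOn) {
                    Trace.traceData(CLSNAME, "Setting protocol to TLSv1", (Object) null);
                }
            } else {
                strArr[0] = JmqiUtils.protocol_SSLV3;
                if (Trace.isOn) {
                    Trace.traceData(CLSNAME, "Setting protocol to SSLv3", (Object) null);
                }
            }
            if (Trace.isOn) {
                Trace.traceData(CLSNAME, "Supported Protocols are " + String.join(", ", sSLSocket.getSupportedProtocols()), (Object) null);
            }
            sSLSocket.setEnabledProtocols(strArr);
            SSLHelper sSLHelper = new SSLHelper();
            sSLSocket.addHandshakeCompletedListener(sSLHelper);
            if (Trace.isOn) {
                Trace.traceData(CLSNAME, "calling startHandshake", (Object) null);
            }
            try {
                sSLSocket.startHandshake();
                // Blocks until this socket's listener has published its result.
                X509Certificate peerCertificate = sSLHelper.getServerCert();
                if (peerCertificate == null) {
                    // Fail closed with an MQException rather than a NullPointerException when
                    // the peer presented no usable X.509 certificate. Reuses the reason code
                    // and message id of the SSLException handler below.
                    MQException noPeerCert = new MQException(2, 2397, "static method in SSL code", MQException.MQJE056);
                    if (Trace.isOn) {
                        Trace.throwing("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", noPeerCert, 6);
                    }
                    throw noPeerCert;
                }
                String name = peerCertificate.getSubjectX500Principal().getName();
                if (str2 != null && !str2.equals("")) {
                    if (Trace.isOn) {
                        Trace.traceData(CLSNAME, "checking peername", (Object) null);
                    }
                    // presumably the boolean marks the first PeerName as a pattern and the
                    // second as a literal DN; confirm against PeerName
                    PeerName peerName = new PeerName(str2, true);
                    PeerName peerName2 = new PeerName(name, false);
                    if (!peerName.isMatchingPeerName(peerName2)) {
                        if (Trace.isOn) {
                            Trace.traceData(CLSNAME, "peerName " + peerName.getDN() + " doesn't match " + peerName2.getDN(), (Object) null);
                        }
                        try {
                            sSLSocket.close();
                            MQException mQException = new MQException(2, 2398, "static method in SSL code", MQException.MQJE067, peerName.getDN(), peerName2.getDN());
                            if (Trace.isOn) {
                                Trace.throwing("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", mQException, 5);
                            }
                            throw mQException;
                        } catch (IOException e) {
                            if (Trace.isOn) {
                                Trace.catchBlock("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", e, 4);
                            }
                            MQException mQException2 = new MQException(2, 2059, "static method in SSL code", MQException.MQJE013);
                            mQException2.initCause(e);
                            if (Trace.isOn) {
                                Trace.throwing("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", mQException2, 4);
                            }
                            throw mQException2;
                        }
                    }
                    if (Trace.isOn) {
                        Trace.traceData(CLSNAME, "peerName matches", (Object) null);
                    }
                }
                if (collection != null) {
                    // Check the certificate captured for THIS handshake. A class-wide static
                    // array could be overwritten by another connection's handshake between
                    // startHandshake() and this call, so the CRL check would run against
                    // the wrong certificate. The cast keeps the Certificate overload.
                    SSLCRLHelper.check((Certificate) peerCertificate, collection);
                }
                if (Trace.isOn) {
                    Trace.exit("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", (Object) name);
                }
                return name;
            } catch (SSLException e2) {
                if (Trace.isOn) {
                    Trace.catchBlock("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", e2, 2);
                }
                MQException mQException3 = new MQException(2, 2397, "static method in SSL code", MQException.MQJE056);
                mQException3.initCause(e2);
                if (Trace.isOn) {
                    Trace.throwing("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", mQException3, 2);
                }
                throw mQException3;
            } catch (IOException e3) {
                if (Trace.isOn) {
                    Trace.catchBlock("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", e3, 3);
                }
                MQException mQException4 = new MQException(2, 2397, "static method in SSL code", MQException.MQJE030);
                mQException4.initCause(e3);
                if (Trace.isOn) {
                    Trace.throwing("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", mQException4, 3);
                }
                throw mQException4;
            }
        } catch (IllegalArgumentException e4) {
            if (Trace.isOn) {
                Trace.catchBlock("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", e4, 1);
            }
            MQException mQException5 = new MQException(2, 2400, "static method in SSL code", MQException.MQJE011);
            // Keep the JSSE message (which names the rejected suite or protocol) for diagnosis.
            mQException5.initCause(e4);
            if (Trace.isOn) {
                Trace.throwing("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "configureSSLSocket(SSLSocket,String,String,Collection,boolean)", mQException5, 1);
            }
            throw mQException5;
        }
    }

    /**
     * Layers an SSL socket over an existing connected socket, handshakes and validates
     * the peer.
     *
     * <p>The SSL socket is created with {@code autoClose=false}, so closing it does not
     * close {@code socket}. When validation fails the caller still owns the underlying
     * socket.
     *
     * @param str host name passed to the socket factory
     * @param i port passed to the socket factory
     * @param str2 the single cipher suite to enable
     * @param str3 expected peer-name pattern, or null/empty for no peer-name check
     * @param collection CRL source passed to {@code SSLCRLHelper.check}, or null for none
     * @param obj optional {@link SSLSocketFactory}; null selects the JVM default
     * @param socket the connected plain socket to wrap
     * @param z value for {@link SSLSocket#setNeedClientAuth(boolean)}
     * @param z2 true to handshake in server mode; client mode is set to {@code !z2}
     * @return the handshaken SSL socket
     * @throws MQException if factory selection, socket creation, the handshake or any
     *     peer check fails
     */
    public static SSLSocket createSSLSocket(String str, int i, String str2, String str3, Collection collection, Object obj, Socket socket, boolean z, boolean z2) throws MQException {
        if (Trace.isOn) {
            Trace.entry("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "createSSLSocket(String,int,String,String,Collection,Object,Socket,boolean,boolean)", new Object[]{str, Integer.valueOf(i), str2, str3, collection, obj, socket, Boolean.valueOf(z), Boolean.valueOf(z2)});
        }
        SSLSocketFactory chooseSocketFactory = chooseSocketFactory(obj);
        if (Trace.isOn) {
            Trace.traceData(CLSNAME, "creating SSL socket from non-SSL one", (Object) null);
        }
        try {
            SSLSocket sSLSocket = (SSLSocket) chooseSocketFactory.createSocket(socket, str, i, false);
            sSLSocket.setNeedClientAuth(z);
            sSLSocket.setUseClientMode(!z2);
            boolean z3 = inFipsMode != null && inFipsMode.booleanValue();
            configureSSLSocket(sSLSocket, str2, str3, collection, z3);
            if (Trace.isOn) {
                Trace.exit("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "createSSLSocket(String,int,String,String,Collection,Object,Socket,boolean,boolean)", sSLSocket);
            }
            return sSLSocket;
        } catch (IOException e) {
            if (Trace.isOn) {
                Trace.catchBlock("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "createSSLSocket(String,int,String,String,Collection,Object,Socket,boolean,boolean)", e);
            }
            MQException mQException = new MQException(2, 2397, "static method in SSL code", MQException.MQJE030);
            mQException.initCause(e);
            if (Trace.isOn) {
                Trace.throwing("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "createSSLSocket(String,int,String,String,Collection,Object,Socket,boolean,boolean)", mQException);
            }
            throw mQException;
        }
    }

    /**
     * Waits until the handshake listener has published its result and returns it.
     *
     * <p>An interrupt does not abort the wait; the interrupt status is restored once the
     * result is available so the caller can still observe it.
     *
     * @return the peer's leaf X.509 certificate, or null if none was obtained
     */
    private synchronized X509Certificate getServerCert() {
        boolean interrupted = false;
        while (!this.certSet) {
            try {
                wait(5000L);
            } catch (InterruptedException e) {
                // Re-interrupting here would make the next wait() throw immediately and
                // spin, so remember the interrupt and restore it after the loop.
                interrupted = true;
                if (Trace.isOn) {
                    Trace.catchBlock(this, "com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "getServerCert()", e);
                }
            }
        }
        if (interrupted) {
            Thread.currentThread().interrupt();
        }
        if (Trace.isOn) {
            Trace.data(this, "com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "getServerCert()", "getter", this.serverCert);
        }
        return this.serverCert;
    }

    /**
     * Captures the peer's leaf certificate when the handshake completes and wakes the
     * thread blocked in {@link #getServerCert()}.
     *
     * <p>A result is always published, including null when the peer certificates cannot
     * be read, so the waiting thread cannot block forever.
     *
     * @param handshakeCompletedEvent the JSSE completion event for this socket
     */
    @Override // javax.net.ssl.HandshakeCompletedListener
    public void handshakeCompleted(HandshakeCompletedEvent handshakeCompletedEvent) {
        if (Trace.isOn) {
            Trace.entry(this, "com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "handshakeCompleted(HandshakeCompletedEvent)", new Object[]{handshakeCompletedEvent});
        }
        boolean published = false;
        try {
            // Kept local: the chain belongs to this handshake only and must not be shared
            // with other connections through class-level state.
            Certificate[] peerCerts = handshakeCompletedEvent.getPeerCertificates();
            if (peerCerts == null || peerCerts.length <= 0 || !(peerCerts[0] instanceof X509Certificate)) {
                if (Trace.isOn) {
                    Trace.traceData(this, "no peer certificates", (Object) null);
                }
                setServerCert(null);
                published = true;
            } else {
                X509Certificate x509Certificate = (X509Certificate) peerCerts[0];
                setServerCert(x509Certificate);
                published = true;
                if (Trace.isOn) {
                    Trace.traceData(CLSNAME, "Remote peer name = " + x509Certificate.getSubjectX500Principal(), (Object) null);
                    Trace.traceData(CLSNAME, "Remote issuer    = " + x509Certificate.getIssuerX500Principal(), (Object) null);
                }
            }
        } catch (Exception e) {
            if (Trace.isOn) {
                Trace.catchBlock(this, "com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "handshakeCompleted(HandshakeCompletedEvent)", e);
            }
        }
        if (!published) {
            // getPeerCertificates() failed (for example the peer was not verified).
            // Publish "no certificate" so the waiter is released and can fail closed.
            setServerCert(null);
        }
        if (Trace.isOn) {
            Trace.exit(this, "com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "handshakeCompleted(HandshakeCompletedEvent)");
        }
    }

    /**
     * Publishes the handshake result and wakes any thread waiting in
     * {@link #getServerCert()}.
     *
     * @param x509Certificate the peer's leaf certificate, or null if none was obtained
     */
    private synchronized void setServerCert(X509Certificate x509Certificate) {
        if (Trace.isOn) {
            Trace.data(this, "com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "setServerCert(X509Certificate)", "setter", x509Certificate);
        }
        this.serverCert = x509Certificate;
        this.certSet = true;
        notifyAll();
    }

    static {
        if (Trace.isOn) {
            Trace.data("com.ibm.msg.client.jakarta.wmq.compat.network.SSLHelper", "static", "SCCS id", (Object) sccsid);
        }
        inFipsMode = null;
    }
}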
