package com.tibco.tibjms;

import com.tibco.security.AXSecurityException;
import com.tibco.security.Cert;
import com.tibco.security.Identity;
import com.tibco.security.TrustedCerts;
import com.tibco.security.ocsp.OCSPProvider;
import com.tibco.security.ssl.CertificateVerifier;
import com.tibco.security.ssl.ExtendedCertificateVerifier;
import com.tibco.security.ssl.HostNameVerifier;
import com.tibco.security.ssl.NullCertificateVerifier;
import com.tibco.security.ssl.SSLClient;
import com.tibco.security.ssl.SSLConstants;
import com.tibco.security.ssl.SSLFactory;
import com.tibco.tibjms.TibjmsxLink;
import com.tibco.tibjms.naming.TibjmsNamingConstants;
import java.io.BufferedInputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.PrintStream;
import java.net.Socket;
import java.util.Map;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/tibco/tibjms/TibjmsxLinkSSL.class */
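/**
 * TCP link that wraps the superclass socket in an SSL socket obtained from an {@link SSLClient}.
 *
 * <p>{@link #connect(TibjmsxURL)} builds the SSL client (trust store, server verifier, cipher
 * suites, optional client identity), performs the SSL handshake on top of the plain socket, and
 * then swaps the link's socket and streams for the SSL ones. The plain socket and streams are
 * kept so that {@link #cancelSSL()} can switch the link back to them.
 *
 * <p>Security-relevant configuration read in {@link #_initSSL()}:
 * <ul>
 *   <li>{@code disable_verify_host} installs a {@link NullCertificateVerifier}; the trace message
 *       emitted for it states that any server will be trusted.</li>
 *   <li>{@code disable_verify_hostname} keeps certificate verification but makes {@link HV}
 *       accept every host name.</li>
 * </ul>
 */
public class TibjmsxLinkSSL extends TibjmsxLinkTcp {
    // Verifier handed to the SSL client; either a CV or a NullCertificateVerifier.
    CertificateVerifier _serverVerifier;
    // Trust store backing the CV verifier; disposed in disconnect().
    TrustedCerts _trustedCerts;
    // Created lazily by _initSSL(); reset to null by disconnect() and on initialization failure.
    SSLClient _sslClient;
    // Optional application-supplied host name verifier (from TibjmsSSL.getHostNameVerifier()).
    TibjmsSSLHostNameVerifier _verifier;
    // When false, HV.verify() accepts every certificate without comparing names.
    boolean _verifyHostName;
    // Plain (pre-SSL) socket and streams, saved by connect() before they are replaced.
    Socket _originalSocket;
    DataInputStream _originalInput;
    DataOutputStream _originalOutput;
    // SSL socket and streams, saved by cancelSSL() when the link falls back to the plain socket.
    Socket _sslSocket;
    DataInputStream _sslInput;
    DataOutputStream _sslOutput;
    // Copied from the SSL parameters' auth_only flag; not read anywhere in this class.
    boolean _auth_only;
    // When set, traceAfterSent() calls cancelSSL(). Only reset (never set to true) in this class.
    boolean _request_cancel_ssl;
    // True once cancelSSL() has switched the link back to the plain socket.
    boolean _cancelled;
    // Per-link trace stream; _getTracer() falls back to the default parameters' tracer when null.
    PrintStream _ssl_tracer;

    /**
     * Certificate verifier that checks the server chain against the trusted certificates and
     * delegates host name checking to {@link HV}. No OCSP provider is configured.
     */
    public class CV extends ExtendedCertificateVerifier {
        CV(TrustedCerts trustedCerts, String str) throws AXSecurityException, JMSSecurityException {
            super(trustedCerts, (OCSPProvider) null);
            setHostNameVerifier(new HV(), null, str);
        }

        /**
         * Writes one trace line per received server certificate, or a single line when the
         * server sent none. Does nothing when no tracer is configured.
         *
         * @param certArr certificates received from the server, may be {@code null}
         */
        public void trace(Cert[] certArr) {
            PrintStream tracer = TibjmsxLinkSSL.this._getTracer();
            if (tracer == null) {
                return;
            }
            if (certArr == null) {
                TibjmsSSL._sslTrace(tracer, "server did not send any certificates", null);
                return;
            }
            for (Cert received : certArr) {
                TibjmsSSL._sslTrace(tracer, "received server certificate [" + TibjmsSSL.getCertDescription(received) + "]", null);
            }
        }

        /**
         * Replaces the expected host name by installing a fresh {@link HV}.
         *
         * @param str host name the server certificate is expected to carry
         */
        public void setExpectedHostName(String str) {
            setHostNameVerifier(new HV(), null, str);
        }
    }

    /**
     * Host name verifier used by {@link CV}.
     *
     * <p>Without a custom {@link TibjmsSSLHostNameVerifier} the check is an exact, case-sensitive
     * comparison against the certificate's common name only; subjectAltName entries are not
     * consulted and wildcards are not interpreted.
     * NOTE(review): current practice (RFC 6125 / RFC 9525) matches subjectAltName dNSName
     * entries; deployments that need that should supply a custom verifier.
     */
    class HV implements HostNameVerifier {
        HV() {
        }

        /**
         * Verifies that the first certificate in {@code certArr} names the expected host.
         *
         * <p>Order of checks: verification disabled (accept), custom verifier if one is set,
         * otherwise the expected name {@code str}, otherwise the host of the link URL.
         *
         * @param certArr server certificate chain; element 0 is the certificate that is checked
         * @param cert not used by this implementation
         * @param str expected host name, or {@code null} to compare against the connected host
         * @throws AXSecurityException if the name does not match, the custom verifier rejects
         *     it, or no certificate is available to check
         */
        public void verify(Cert[] certArr, Cert cert, String str) throws AXSecurityException {
            PrintStream tracer = TibjmsxLinkSSL.this._getTracer();
            if (!TibjmsxLinkSSL.this._verifyHostName) {
                if (tracer != null) {
                    TibjmsSSL._sslTrace(tracer, "Host Name Verification is disabled, accepting without verification", null);
                }
                return;
            }

            Cert leaf = (certArr != null && certArr.length != 0) ? certArr[0] : null;
            String certCn = (leaf != null) ? TibjmsSSL.getCertCN(leaf) : null;
            if (tracer != null) {
                TibjmsSSL._sslTrace(tracer, "VerifyHostName: expected CN: [" + str + "], certificate CN: [" + certCn + "]", null);
            }

            if (leaf == null) {
                // Fail closed: previously a missing certificate skipped every check below and
                // the method returned normally, i.e. the host name was treated as verified.
                // HV is only installed by CV, which is only created when server verification
                // with trusted certificates is enabled, so a certificate is always expected.
                String noCert = "Server did not send a certificate, host name can not be verified";
                if (tracer != null) {
                    TibjmsSSL._sslTrace(tracer, noCert, null);
                }
                throw new AXSecurityException(noCert);
            }

            if (TibjmsxLinkSSL.this._verifier != null) {
                // A custom verifier, when present, is the sole authority; the built-in
                // comparison below is not run in addition.
                try {
                    TibjmsxLinkSSL.this._verifier.verifyHostName(TibjmsxLinkSSL.this._linkURL.host, str, certCn, leaf.getCertificate());
                    return;
                } catch (JMSSecurityException e) {
                    if (tracer != null) {
                        TibjmsSSL._sslTrace(tracer, "host name verification by custom verifier has failed  with exception message: " + e.getMessage(), null);
                    }
                    throw new AXSecurityException(e.getMessage());
                }
            }

            if (str != null) {
                if (certCn == null || str.compareTo(certCn) != 0) {
                    String mismatch = "Common name in the certificate [" + certCn + "] does not match expected host name [" + str + "]";
                    if (tracer != null) {
                        TibjmsSSL._sslTrace(tracer, mismatch, null);
                    }
                    throw new AXSecurityException(mismatch);
                }
                return;
            }

            if (certCn == null || TibjmsxLinkSSL.this._linkURL.host.compareTo(certCn) != 0) {
                String mismatch = "Common name in the certificate [" + certCn + "] does not match connected host name [" + TibjmsxLinkSSL.this._linkURL.host + "]";
                if (tracer != null) {
                    TibjmsSSL._sslTrace(tracer, mismatch, null);
                }
                throw new AXSecurityException(mismatch);
            }
        }
    }

    /**
     * Returns the trace stream for this link.
     *
     * @return the per-link tracer, or the default parameters' tracer when none is set;
     *     may be {@code null}
     */
    PrintStream _getTracer() {
        if (this._ssl_tracer != null) {
            return this._ssl_tracer;
        }
        return TibjmsSSL.getDefaultParameters().tracer;
    }

    /**
     * Creates an unconnected SSL link. Host name verification starts out enabled.
     *
     * @param linkEventHandler handler passed through to the TCP link
     * @throws JMSException if the superclass constructor fails
     */
    public TibjmsxLinkSSL(TibjmsxLink.LinkEventHandler linkEventHandler) throws JMSException {
        super(linkEventHandler);
        this._serverVerifier = null;
        this._trustedCerts = null;
        this._sslClient = null;
        this._verifier = null;
        this._verifyHostName = true;
        this._originalSocket = null;
        this._originalInput = null;
        this._originalOutput = null;
        this._sslSocket = null;
        this._sslInput = null;
        this._sslOutput = null;
        this._auth_only = false;
        this._request_cancel_ssl = false;
        this._cancelled = false;
        this._ssl_tracer = null;
    }

    /**
     * Builds the {@link SSLClient} for this link if it does not exist yet.
     *
     * <p>Parameters come from the link properties when they contain SSL settings, otherwise from
     * the process-wide defaults. The password copy made for per-link parameters and the client
     * identity are released on every exit path, including failures.
     *
     * @throws JMSException (a {@link JMSSecurityException}) if no trusted certificates are
     *     configured while server verification is enabled, or if the security library fails
     */
    void _initSSL() throws JMSException {
        if (this._sslClient != null) {
            return;
        }
        TibjmsSSLParams params = null;
        Identity identity = null;
        boolean perLinkParams = false;
        try {
            try {
                Map map = this._properties;
                if (map != null && !TibjmsSSL._hasSSLParams(map)) {
                    map = null;
                }
                if (map != null) {
                    perLinkParams = true;
                    params = new TibjmsSSLParams();
                    TibjmsSSL.initFromEnvironment(map, params);
                    boolean noPassword = params.password == null || params.password.length == 0 || params.password[0] == 0;
                    if (noPassword && params.identity_data != null) {
                        // Identity data without its own password: borrow the default SSL
                        // password, else the connection password.
                        TibjmsSSLParams defaults = TibjmsSSL.getDefaultParameters();
                        if (defaults.password != null && defaults.password.length > 0 && defaults.password[0] != 0) {
                            // Copy rather than share, so erasing below leaves the defaults intact.
                            params.password = new char[defaults.password.length];
                            System.arraycopy(defaults.password, 0, params.password, 0, defaults.password.length);
                        } else if (this._password != null) {
                            params.password = this._password.toCharArray();
                        }
                    }
                } else {
                    params = TibjmsSSL.getDefaultParameters();
                }

                this._ssl_tracer = params.tracer;
                this._auth_only = params.auth_only;
                boolean debugTrace = params.debug_trace || TibjmsSSL.getDefaultParameters().debug_trace;
                TibjmsSSL._enableVendorTrace(debugTrace);
                TibjmsSSL.initialize(params, params.vendor);

                // NOTE(review): this stream is only assigned in the disable_verify_host branch,
                // so with verification enabled the SSL client always receives a null trace
                // stream even when debug tracing is on. Kept as in the original; confirm intent.
                PrintStream vendorTracer = null;
                if (this._serverVerifier == null) {
                    if (params.disable_verify_host) {
                        // All server certificate checks are off for this link: the peer is not
                        // authenticated, so the connection has no protection against an
                        // impersonating endpoint. The warning is only visible with a tracer.
                        vendorTracer = _getTracer();
                        if (vendorTracer != null) {
                            TibjmsSSL._sslTrace(vendorTracer, "WARNING: server verification is disabled, will trust any server.", null);
                        }
                        this._serverVerifier = new NullCertificateVerifier();
                    } else {
                        this._trustedCerts = TibjmsSSL._createTrustedCerts(params);
                        if (this._trustedCerts == null) {
                            this._ssl_failed = true;
                            throw new JMSSecurityException("Can not initialize SSL client: no trusted certificates are set");
                        }
                        this._verifier = TibjmsSSL.getHostNameVerifier();
                        this._verifyHostName = !params.disable_verify_hostname;
                        String expectedHost = params.expected_hostname;
                        if (expectedHost == null) {
                            expectedHost = this._linkURL.host;
                        }
                        this._serverVerifier = new CV(this._trustedCerts, expectedHost);
                    }
                }

                SSLFactory factory = SSLFactory.getInstance();
                int[] cipherSuites = TibjmsSSL._getCipherSuites(params);
                identity = TibjmsSSL.createIdentity(params);
                this._sslClient = factory.createSSLClient(identity, this._serverVerifier, cipherSuites, debugTrace ? vendorTracer : null);
            } finally {
                // Previously this cleanup ran on the success path only, so a failure left the
                // password copy and the client identity alive. Only per-link parameters are
                // erased; the shared defaults must stay usable for later connections.
                if (perLinkParams && params != null && params.password != null) {
                    TibjmsSSL._erasePass(params.password);
                }
                if (identity != null) {
                    try {
                        identity.dispose();
                    } catch (Exception ignored) {
                        // Best effort: a failed dispose must not mask the real outcome.
                    }
                }
            }
        } catch (AXSecurityException e) {
            this._ssl_failed = true;
            this._sslClient = null;
            JMSSecurityException failure = new JMSSecurityException("Failed to initialize SSL client: " + e.getMessage());
            failure.setLinkedException(e);
            throw failure;
        }
    }

    /**
     * Connects to {@code tibjmsxURL}: opens the plain socket, runs the SSL handshake over it and
     * switches the link's socket and streams to the SSL ones before the link-level handshake.
     *
     * @param tibjmsxURL server to connect to
     * @throws JMSException if SSL initialization fails, or (as a {@link JMSSecurityException}
     *     linking the cause) if the SSL connection cannot be established
     */
    @Override
    void connect(TibjmsxURL tibjmsxURL) throws JMSException {
        this._linkURL = tibjmsxURL;
        this._ssl_failed = false;
        this._request_cancel_ssl = false;
        _initSSL();
        _createSocket();
        try {
            Socket secured = this._sslClient.createSocket(this._socket);
            this._sslClient.doHandshake(secured, false);
            // Keep the plain socket and streams so cancelSSL() can restore them later.
            this._originalSocket = this._socket;
            this._originalInput = this._input;
            this._originalOutput = this._output;
            this._socket = secured;
            this._socket.setTcpNoDelay(true);
            this._socket.setSoLinger(false, 0);
            this._input = new DataInputStream(new BufferedInputStream(this._socket.getInputStream(), 32768));
            this._output = new DataOutputStream(this._socket.getOutputStream());
            this._state = 1;
            _doHandshake(true);
        } catch (Exception e) {
            disconnect();
            this._ssl_failed = true;
            String detail = (e.getMessage() != null) ? ": " + e.getMessage() : "";
            JMSSecurityException failure = new JMSSecurityException("Failed to connect via SSL to [" + this._linkURL.url + "]" + detail);
            failure.setLinkedException(e);
            throw failure;
        }
    }

    /**
     * Closes the link's socket. After {@link #cancelSSL()} the SSL socket is put back as the
     * current socket first, so that it is the one the superclass closes.
     */
    @Override
    void closeSocket() {
        if (this._sslSocket != null) {
            this._socket = this._sslSocket;
        }
        super.closeSocket();
    }

    /**
     * Switches the link from the SSL socket back to the plain socket saved by
     * {@link #connect(TibjmsxURL)}. The SSL socket and streams are remembered for
     * {@link #closeSocket()}.
     *
     * <p>From this point the link reads and writes through the pre-SSL streams, so traffic on
     * it is no longer protected by SSL.
     */
    void cancelSSL() {
        this._sslSocket = this._socket;
        this._sslInput = this._input;
        this._sslOutput = this._output;
        this._socket = this._originalSocket;
        this._input = this._originalInput;
        this._output = this._originalOutput;
        this._cancelled = true;
        this._request_cancel_ssl = false;
    }

    /**
     * Traces the negotiated cipher suite and, if an SSL cancel was requested, falls back to the
     * plain socket via {@link #cancelSSL()} and traces that as well.
     */
    @Override
    void traceAfterSent() {
        PrintStream tracer = _getTracer();
        if (tracer != null) {
            try {
                TibjmsSSL._sslTrace(tracer, "selected cipher: " + SSLConstants.getSuiteName(this._sslClient.getSSLInfo(this._socket).getCipherSuite()), null);
            } catch (Exception ignored) {
                // Tracing is best effort; a failure to read the SSL info must not affect the link.
            }
        }
        if (this._request_cancel_ssl) {
            cancelSSL();
            if (tracer != null) {
                String user = (this._userName != null) ? this._userName : "???";
                TibjmsSSL._sslTrace(tracer, "SSL reset to TCP for connID=" + this._linkId + ", user='" + user + TibjmsNamingConstants.SYNTAX_QUOTE, null);
            }
        }
    }

    /**
     * Disconnects the link and releases the trust store and the SSL client, so the next
     * {@link #connect(TibjmsxURL)} builds a fresh client.
     */
    @Override
    void disconnect() {
        super.disconnect();
        if (this._trustedCerts != null) {
            this._trustedCerts.dispose();
        }
        this._trustedCerts = null;
        this._sslClient = null;
    }
}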
