package com.ibm.ctg.server;

import com.ibm.ctg.client.GatewayRequest;
import com.ibm.ctg.client.SSLContextFactory;
import com.ibm.ctg.client.SafeIP;
import com.ibm.ctg.client.T;
import com.ibm.ctg.security.JSSEServerSecurity;
import com.ibm.ctg.security.SecureString;
import com.ibm.ctg.server.ProtocolHandler;
import com.ibm.ctg.server.logging.Log;
import com.ibm.ctg.util.OSInfo;
import com.ibm.ctg.util.OSVersion;
import com.ibm.icu.text.DateFormat;
import com.ibm.j2ca.peoplesoft.PeopleSoftAdapterConstants;
import java.io.IOException;
import java.io.InterruptedIOException;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.StringTokenizer;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import psft.pt8.cache.CacheConstants;

/* JADX INFO: Access modifiers changed from: package-private */
/* JADX WARN: Classes with same name are omitted:
  input_file:install/CICS32kSample.zip:cicseci9101/build/classes/ctgserver.jar:com/ibm/ctg/server/SslHandler.class
  input_file:install/CICS32kSample.zip:cicseci9101/connectorModule/ctgserver.jar:com/ibm/ctg/server/SslHandler.class
  input_file:install/taderc25.zip:cicseci9101/build/classes/ctgserver.jar:com/ibm/ctg/server/SslHandler.class
  input_file:install/taderc25.zip:cicseci9101/connectorModule/ctgserver.jar:com/ibm/ctg/server/SslHandler.class
  input_file:install/taderc99.zip:cicseci9101/build/classes/ctgserver.jar:com/ibm/ctg/server/SslHandler.class
  input_file:install/taderc99.zip:cicseci9101/connectorModule/ctgserver.jar:com/ibm/ctg/server/SslHandler.class
  input_file:install/taderc99command.zip:cicseci9101/build/classes/ctgserver.jar:com/ibm/ctg/server/SslHandler.class
 */
/* loaded from: input_file:install/taderc99command.zip:cicseci9101/connectorModule/ctgserver.jar:com/ibm/ctg/server/SslHandler.class */
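/**
 * Protocol handler for the SSL/TLS listener.
 *
 * <p>One instance is created through the default constructor and acts as the listener
 * (see {@link #run()}); each accepted connection gets its own instance through
 * {@link #createHandler(Socket)}. Handler parameters understood here are
 * {@code clientauth=} and {@code ciphersuites=}; every other parameter is passed up to
 * {@code ExtendedSocketHandler.initialize}.
 */
public class SslHandler extends ExtendedSocketHandler {
    public static final String CLASS_VERSION = "@(#) java/com/ibm/ctg/server/SslHandler.java, cd_gw_protocolhandlers, c910-bsf c910-20150128-1005";
    static final String copyright_notice = "Licensed Materials - Property of IBM 5724-I81,5725-B65,5655-Y20 (c) Copyright IBM Corp. 1996, 2014 All Rights Reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.";
    /** Handler-parameter prefix selecting the client-authentication mode. */
    private static final String strClientAuthentication = "clientauth=";
    /** Handler-parameter prefix carrying the comma-separated cipher-suite list. */
    private static final String strCipherSuites = "ciphersuites=";
    /** {@code clientauth=} value that additionally enables SAF userid mapping (z/OS only). */
    private static final String ESMUSERID = "esmuserid";
    // Raw clientauth= value as configured; interpreted in initialize().
    private String strClientAuthenticationValue;
    // Cipher suites requested by configuration, or null when none were configured.
    private String[] cipherSuites;
    // Accepted client socket; null on the listener instance built by the default constructor.
    private SSLSocket socToClient;
    // True when the listener was configured to require a client certificate.
    private boolean clientAuth;
    // True when the client certificate is to be attached to each decoded request.
    private boolean esmUserid;
    // Leaf certificate presented by the client; only captured when esmUserid is set.
    private X509Certificate clientCert;

    /**
     * Creates the listener instance. The port defaults to 8050 and client authentication is off
     * until {@link #initialize} reads the handler parameters.
     */
    SslHandler() {
        this.strClientAuthenticationValue = "false";
        this.cipherSuites = null;
        T.ln(this, "SslHandler Default CTOR");
        this.portNumber = 8050;
    }

    /**
     * Creates the per-connection instance for an accepted socket.
     *
     * @param sSLSocket the accepted, already handshaken client socket
     * @param protocolHandlerParameters parameters inherited from the listener
     * @param z whether SAF userid mapping is enabled; when true the client's leaf certificate is
     *          captured from the session for later use by {@link #specificAfterDecode}
     * @throws IOException from the superclass constructor or, when {@code z} is true, when the
     *         peer did not authenticate (the session cannot provide peer certificates)
     */
    SslHandler(SSLSocket sSLSocket, ProtocolHandler.ProtocolHandlerParameters protocolHandlerParameters, boolean z) throws IOException {
        super(sSLSocket, protocolHandlerParameters);
        Certificate[] peerCertificates;
        this.strClientAuthenticationValue = "false";
        this.cipherSuites = null;
        T.in(this, "SslHandler CTOR");
        this.portNumber = 8050;
        this.socToClient = sSLSocket;
        this.esmUserid = z;
        // Only the first (leaf) certificate of the chain is retained, and only when it is X.509.
        if (z && (peerCertificates = this.socToClient.getSession().getPeerCertificates()) != null && peerCertificates.length > 0 && (peerCertificates[0] instanceof X509Certificate)) {
            this.clientCert = (X509Certificate) peerCertificates[0];
        }
        T.out(this, "SslHandler CTOR");
    }

    /**
     * Parses the SSL-specific handler parameters, creates the listening SSL server socket and
     * hands it to the superclass.
     *
     * <p>{@code clientauth=} accepts true/on/yes/y, false/off/no/n, or {@code esmuserid}
     * (z/OS only). {@code ciphersuites=} is a comma-separated list that is intersected with the
     * suites the JSSE provider supports; unsupported entries are logged as message 6497.
     *
     * @param managedResources resources shared by all handlers
     * @param str the raw handler parameter string ({@code ;}-separated), may be null
     * @param str2 the handler name used in trace output
     * @return the value returned by the superclass {@code initialize}
     * @throws IllegalArgumentException when no configured cipher suite is supported (message 6495)
     *         or the {@code clientauth=} value is not recognised
     * @throws Exception propagated from the superclass or the SSL context factory
     */
    @Override // com.ibm.ctg.server.ExtendedSocketHandler, com.ibm.ctg.server.SocketHandler, com.ibm.ctg.server.ProtocolHandler
    String initialize(ManagedResources managedResources, String str, String str2) throws Exception {
        T.in(this, "initialize", managedResources, str, str2);
        StringBuilder stringBuffer = new StringBuilder();
        if (str != null) {
            StringTokenizer stringTokenizer = new StringTokenizer(str, ";");
            while (stringTokenizer.hasMoreTokens()) {
                String nextToken = stringTokenizer.nextToken();
                if (nextToken.toLowerCase().startsWith(strClientAuthentication)) {
                    this.strClientAuthenticationValue = nextToken.substring(strClientAuthentication.length());
                    T.ln(this, str2 + ": {0} = {1}", nextToken, this.strClientAuthenticationValue);
                } else if (nextToken.toLowerCase().startsWith(strCipherSuites)) {
                    this.cipherSuites = makeCipherSuiteArray(nextToken.substring(strCipherSuites.length()));
                } else {
                    // Everything else is forwarded unchanged to the superclass.
                    stringBuffer.append(nextToken);
                    stringBuffer.append(';');
                }
            }
        }
        String initialize = super.initialize(managedResources, stringBuffer.toString(), str2);
        // SP 800-131A mode: "strict" tightens the JVM-wide algorithm constraints (these Security
        // properties affect every TLS and certpath user in this process, not just this listener).
        String property = System.getProperty("com.ibm.jsse2.sp800-131", "off");
        if ("strict".equals(property)) {
            Security.setProperty("jdk.tls.disabledAlgorithms", "RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, MD5");
            Security.setProperty("jdk.certpath.disabledAlgorithms", "RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, SHA1, MD5");
        } else if (!"transition".equals(property)) {
            // NOTE(review): outside strict/transition the context protocol is set to "SSL_TLS";
            // whether that permits legacy SSL versions depends on SSLContextFactory -- confirm.
            SSLContextFactory.setProtocol("SSL_TLS");
        }
        SecureString keyRingPassword = GatewaySSL.getKeyRingPassword();
        if (keyRingPassword == null) {
            keyRingPassword = new SecureString("");
        }
        // An ESM (SAF) key ring needs no password; a file key ring does. Backlog is 8192.
        SSLServerSocket sSLServerSocket = (SSLServerSocket) (GatewaySSL.useEsmKeyRing() ? SSLContextFactory.getSSLContext(GatewaySSL.getKeyRing(), GatewaySSL.useHardwareCrypto()) : SSLContextFactory.getSSLContext(GatewaySSL.getKeyRing(), keyRingPassword, GatewaySSL.useHardwareCrypto())).getServerSocketFactory().createServerSocket(this.portNumber, 8192, this.bindAddress);
        if (this.cipherSuites != null) {
            HashSet<String> hashSet = new HashSet<String>();
            String[] filterCipherSuites = GatewaySSL.filterCipherSuites(sSLServerSocket.getSupportedCipherSuites(), this.cipherSuites, hashSet);
            if (filterCipherSuites.length == 0) {
                throw new IllegalArgumentException(ServerMessages.getMessage("6495"));
            }
            // hashSet is filled by filterCipherSuites with the entries it rejected.
            for (String rejected : hashSet) {
                Log.printWarningLn("6497", 0, new Object[]{rejected});
            }
            sSLServerSocket.setEnabledCipherSuites(filterCipherSuites);
            Log.printInfoLn("8401", 0, (Object[]) null);
            String[] enabledCipherSuites = sSLServerSocket.getEnabledCipherSuites();
            for (int i = 0; i < enabledCipherSuites.length; i++) {
                Log.printInfoLn(CacheConstants.TAB + enabledCipherSuites[i], i);
            }
        }
        List<String> asList = Arrays.asList("true", "on", "yes", DateFormat.YEAR);
        List<String> asList2 = Arrays.asList("false", "off", "no", "n");
        String lowerCase = this.strClientAuthenticationValue.toLowerCase(Locale.ENGLISH);
        if (ESMUSERID.equals(lowerCase) && OSVersion.OPERATING_SYSTEM.equals(OSInfo.ZOS)) {
            // esmuserid implies mandatory client authentication; off z/OS the value is rejected below.
            this.clientAuth = true;
            this.esmUserid = true;
            sSLServerSocket.setNeedClientAuth(true);
            T.ln(this, "Client authentication and SAF userid mapping enabled for {0}: protocol", this.handlerName);
        } else if (asList.contains(lowerCase)) {
            this.clientAuth = true;
            sSLServerSocket.setNeedClientAuth(true);
            T.ln(this, "Client authentication enabled for {0}: protocol", this.handlerName);
        } else {
            if (!asList2.contains(lowerCase)) {
                throw new IllegalArgumentException(strClientAuthentication + this.strClientAuthenticationValue);
            }
            sSLServerSocket.setNeedClientAuth(false);
            T.ln(this, "Server-only Authentication enabled for {0}: protocol", this.handlerName);
        }
        super.setServerSocket(new JSSEServerSocket(sSLServerSocket));
        T.out(this, "initialize", initialize.toString());
        return initialize;
    }

    /**
     * Splits a comma-separated cipher-suite list into an array.
     *
     * @param str the list as configured (no whitespace trimming is performed)
     * @return one entry per comma-separated token; empty when {@code str} has no tokens
     */
    private String[] makeCipherSuiteArray(String str) {
        StringTokenizer stringTokenizer = new StringTokenizer(str, ",");
        String[] strArr = new String[stringTokenizer.countTokens()];
        for (int i = 0; i < strArr.length; i++) {
            strArr[i] = stringTokenizer.nextToken();
        }
        return strArr;
    }

    /**
     * Creates the per-connection handler for an accepted socket, propagating this listener's
     * parameters, handler name and esmUserid setting.
     *
     * @param socket the accepted socket; must be an {@link SSLSocket}
     * @return the new handler
     * @throws IOException from the {@link SslHandler} connection constructor
     */
    @Override // com.ibm.ctg.server.SocketHandler
    ProtocolHandler createHandler(Socket socket) throws IOException {
        SslHandler sslHandler = new SslHandler((SSLSocket) socket, this.parAms, this.esmUserid);
        sslHandler.setHandlerName(this.handlerName);
        return sslHandler;
    }

    /**
     * Runs the connection's server-security exit after a request has been decoded and, when
     * esmUserid is enabled, attaches the client certificate to the request.
     *
     * <p>A {@link JSSEServerSecurity} exit receives the peer certificate chain (null if the
     * session cannot provide one); any other exit gets the plain {@code afterDecode} call.
     *
     * @param gatewayRequest the decoded request
     * @throws IOException wrapping any exception thrown by the security exit; the original
     *         exception is kept as the cause
     */
    @Override // com.ibm.ctg.server.ProtocolHandler
    void specificAfterDecode(GatewayRequest gatewayRequest) throws IOException {
        T.in(this, "specificAfterDecode", gatewayRequest);
        if (this.serSecurity != null) {
            T.ln(this, "Calling this connection's ServerSecurity handler");
            try {
                if (this.serSecurity instanceof JSSEServerSecurity) {
                    // Deprecated javax.security.cert type, kept because JSSEServerSecurity.afterDecode expects it.
                    javax.security.cert.X509Certificate[] x509CertificateArr = null;
                    try {
                        x509CertificateArr = this.socToClient.getSession().getPeerCertificateChain();
                    } catch (IOException e) {
                        // Best effort: the exit is still invoked, with a null chain.
                        T.ln(this, "No certificate chain found for JSSE Socket");
                    }
                    T.ln(this, "invoking JSSEServerSecurity extended AfterDecode with certificate chain");
                    ((JSSEServerSecurity) this.serSecurity).afterDecode(gatewayRequest, x509CertificateArr);
                } else {
                    T.ln(this, "invoking JSSEServerSecurity standard AfterDecode");
                    this.serSecurity.afterDecode(gatewayRequest);
                }
            } catch (Exception e2) {
                T.ex(this, e2);
                // Preserve the cause so the failing exit's stack trace is not lost.
                throw new IOException(e2.getMessage(), e2);
            }
        }
        if (this.esmUserid) {
            gatewayRequest.setCertificate(this.clientCert);
        }
        T.out(this, "specificAfterDecode");
    }

    /**
     * Returns the superclass description, extended with the negotiated protocol when this is a
     * connection instance. The listener instance has no client socket and reports only the
     * superclass description.
     */
    @Override // com.ibm.ctg.server.SocketHandler, com.ibm.ctg.server.ProtocolHandler
    public String toString() {
        if (this.socToClient == null) {
            return super.toString();
        }
        return super.toString() + " using protocol " + this.socToClient.getSession().getProtocol();
    }

    /**
     * Listener loop: accepts connections, completes the TLS handshake under a timeout, and hands
     * each connection to a {@code ConnectionManager}.
     *
     * <p>The handshake timeout is {@code lConnectTimeout}, or 2000 ms when that is 0. Handshake
     * failures close the socket and are reported through {@link #reportFailedConnection}. A
     * {@link ProtocolHandlerAbortException} from accept ends the loop; on z/OS, other accept
     * errors are counted and the handler is flagged for restart once {@code ACCEPT_ERROR_LIMIT}
     * consecutive failures occur. The loop also ends once {@code bProtocolOpen} is cleared.
     */
    @Override // com.ibm.ctg.server.SocketHandler, java.lang.Runnable
    public void run() {
        T.in(this, PeopleSoftAdapterConstants.RUN);
        this.bProtocolOpen = true;
        // Consecutive accept() failures (z/OS only).
        int i = 0;
        while (true) {
            try {
                try {
                    Socket accept = this.socListenOn.accept();
                    if (OSVersion.OPERATING_SYSTEM.equals(OSInfo.ZOS) && accept.getReceiveBufferSize() < 65536) {
                        accept.setReceiveBufferSize(65536);
                        T.ln(this, "Receive buffer size set to 64k");
                    }
                    if (i > 0) {
                        T.ln(this, "Reset accept error count, was {0}", Integer.valueOf(i));
                        i = 0;
                    }
                    String iPInformation = SafeIP.getIPInformation(accept);
                    long acceptedAt = System.currentTimeMillis();
                    try {
                        // Bound the handshake so an unresponsive peer cannot hold the accept loop.
                        if (this.lConnectTimeout == 0) {
                            accept.setSoTimeout(2000);
                        } else {
                            accept.setSoTimeout((int) this.lConnectTimeout);
                        }
                        ((SSLSocket) accept).startHandshake();
                        SSLSession session = ((SSLSocket) accept).getSession();
                        if (session == null) {
                            T.ln(this, reportFailedConnection(iPInformation, null));
                            accept.close();
                        } else {
                            T.ln(this, "Client {0} connected using cipher suite {1} and protocol {2}", iPInformation, session.getCipherSuite(), session.getProtocol());
                            try {
                                ProtocolHandler createHandler = createHandler(accept);
                                // Remaining budget for obtaining a connection manager, after handshake time.
                                long j = 0;
                                if (this.lConnectTimeout > 0) {
                                    j = this.lConnectTimeout - (System.currentTimeMillis() - acceptedAt);
                                }
                                ConnectionManager allocateConnectionManager = this.mgrResources.allocateConnectionManager(j);
                                if (allocateConnectionManager == null) {
                                    Log.printErrorLn("6562", 1, new Object[]{this.handlerName + ":@" + SafeIP.getIPInformation(accept)});
                                    try {
                                        accept.close();
                                    } catch (IOException e) {
                                        T.ex(this, e);
                                    }
                                } else {
                                    if (T.getLinesOn()) {
                                        T.ln(this, "Accepted connection to {0}", SafeIP.getIPInformation(accept));
                                    }
                                    allocateConnectionManager.kick(createHandler, this.mgrResources);
                                }
                            } catch (IOException e2) {
                                T.ex(this, e2);
                                if (T.bTrace) {
                                    T.ln(this, TraceMessages.getMessage(55, this.handlerName + ":@" + SafeIP.getIPInformation(accept), e2));
                                }
                                try {
                                    accept.close();
                                } catch (Exception e3) {
                                    T.ex(this, e3);
                                }
                            }
                        }
                    } catch (IOException e4) {
                        // Handshake or timeout failure on the accepted socket.
                        T.ex(this, e4);
                        T.ln(this, reportFailedConnection(iPInformation, e4));
                        accept.close();
                    }
                } catch (InterruptedIOException e5) {
                    // Listener SO_TIMEOUT: only exit if the handler has been closed meanwhile.
                    synchronized (this) {
                        if (!this.bProtocolOpen) {
                            T.ln(this, "SO_TIMEOUT popped and handler has been closed");
                            break;
                        }
                    }
                } catch (IOException e6) {
                    T.ex(this, e6);
                    if (!this.bProtocolOpen) {
                        T.ln(this, "Closing the protocol handler as the Gateway is stopping");
                        break;
                    }
                    if (!(e6 instanceof ProtocolHandlerAbortException)) {
                        if (OSVersion.OPERATING_SYSTEM.equals(OSInfo.ZOS)) {
                            i++;
                            if (i >= ACCEPT_ERROR_LIMIT) {
                                Log.printErrorLn("6564", 1, new Object[]{this.handlerName});
                                this.bNeedsRestart = true;
                                break;
                            }
                        }
                    } else {
                        T.ln(this, "Protocol listener failed with fatal error. The Protocol handler will be closed.");
                        Log.printErrorLn("6563", 2, new Object[]{this.handlerName + ":", e6});
                        break;
                    }
                }
            } catch (Exception e7) {
                // Unexpected failure: logged, and the listener keeps accepting.
                T.ex(this, e7);
                Log.printErrorLn("6563", 3, new Object[]{this.handlerName + ":", e7});
            }
        }
        synchronized (this) {
            this.bProtocolOpen = false;
        }
        T.out(this, PeopleSoftAdapterConstants.RUN);
    }

    /**
     * Builds (and traces) the "failed to connect" message for a client.
     *
     * <p>When the failure is a {@link SocketTimeoutException} and connection logging is enabled,
     * message 6566 is additionally written with the client address and the configured timeout.
     *
     * @param str client address information
     * @param iOException the failure, or null for a handshake that produced no session
     * @return the message text
     */
    private String reportFailedConnection(String str, IOException iOException) {
        String str2 = "possible handshake failure";
        if (iOException != null) {
            str2 = iOException.getMessage();
            if ((iOException instanceof SocketTimeoutException) && ConnectionManager.isConnectionLoggingEnabled()) {
                Log.printErrorLn("6566", 0, new Object[]{str, Long.valueOf(this.lConnectTimeout)});
            }
        }
        String str3 = "Client " + str + " failed to connect, " + str2;
        T.ln(this, str3);
        return str3;
    }

    /**
     * Logs the start-up message for this listener. With client authentication enabled the
     * SSL-specific messages 6570/6474 (and 6571 when SAF userid mapping is on) are used;
     * otherwise the superclass message is logged.
     *
     * @param i the log level passed through to {@code Log}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // com.ibm.ctg.server.ProtocolHandler
    public void logHandlerStartSuccess(int i) {
        T.in(this, "logHandlerStartSuccess", Integer.valueOf(i));
        if (this.clientAuth) {
            String num = Integer.toString(getPortNumber());
            if (getBindAddress() == null) {
                Log.printInfoLn("6570", i, new Object[]{this.handlerName, num});
            } else {
                Log.printInfoLn("6474", i, new Object[]{this.handlerName, num, getBindAddress()});
            }
            if (this.esmUserid) {
                Log.printInfoLn("6571", i, new Object[]{this.handlerName});
            }
        } else {
            super.logHandlerStartSuccess(i);
        }
        T.out(this, "logHandlerStartSuccess");
    }
}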
