package weblogic.security.service;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import weblogic.management.configuration.NetworkAccessPointMBean;
import weblogic.management.configuration.SSLMBean;
import weblogic.security.SecurityLogger;

/* loaded from: input_file:weblogic/security/service/SSLConfigChecker.class */
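/**
 * Audits SSL/TLS configuration for settings that weaken transport security and logs every finding.
 *
 * <p>Three sources are inspected: the server's {@link SSLMBean}, each supplied
 * {@link NetworkAccessPointMBean}, and a fixed set of JVM system properties. Each insecure setting
 * produces one {@link SecurityLogger} message. The system properties are read once, when the
 * instance is constructed, so later changes to them are not seen by an existing checker.
 */
public class SSLConfigChecker {
    /*
     * Flags a cipher suite name that contains one of the listed tokens after at least one
     * non-whitespace character. `_MD5` has no trailing underscore, so it also matches at the end of
     * a name.
     * NOTE(review): `_DES_` needs an underscore on both sides, so names containing `_3DES_` are not
     * matched by this pattern; confirm whether 3DES suites are meant to be reported.
     */
    private static final String WEAK_CIPHER_REGEX = "^\\S+(_ANON_|_EXPORT_|_NULL_|_MD5|_DES_|_RC2_|_RC4_|_PSK_)\\S*$";
    private static final Pattern WEAK_CIPHER_PATTERN = Pattern.compile(WEAK_CIPHER_REGEX, Pattern.CASE_INSENSITIVE);

    // Names of the JVM system properties audited by checkSystemPropertiesAndLog().
    private static final String IGNORE_HOSTNAME_VERIFICATION_PROP_1 = "weblogic.security.SSL.ignoreHostnameVerification";
    private static final String IGNORE_HOSTNAME_VERIFICATION_PROP_2 = "weblogic.security.SSL.ignoreHostnameVerify";
    private static final String PROTOCOL_VERSION_PROP = "weblogic.security.SSL.protocolVersion";
    private static final String MIN_PROTOCOL_VERSION_PROP = "weblogic.security.SSL.minimumProtocolVersion";
    private static final String ENFORCE_CONSTRAINTS_PROP = "weblogic.security.SSL.enforceConstraints";
    private static final String DISABLE_NULL_CIPHER_PROP = "weblogic.security.disableNullCipher";
    private static final String ALLOW_NULL_CIPHER_PROP = "weblogic.ssl.AllowUnencryptedNullCipher";
    private static final String ALLOW_ANONYMOUS_CIPHER_PROP = "weblogic.security.SSL.AllowAnonymousCipher";

    /** Protocol name that is reported when configured as the protocol or minimum protocol. */
    private static final String SSL_V3 = "SSLv3";

    private final SSLMBean sslmBean;
    private final NetworkAccessPointMBean[] networkAccessPointMBeans;

    // Snapshot of the audited system properties, taken at construction time.
    private final boolean ignoreHostNameVerification1 = Boolean.getBoolean(IGNORE_HOSTNAME_VERIFICATION_PROP_1);
    private final boolean ignoreHostNameVerification2 = Boolean.getBoolean(IGNORE_HOSTNAME_VERIFICATION_PROP_2);
    private final String sslVersion = System.getProperty(PROTOCOL_VERSION_PROP);
    private final String minSSLVersion = System.getProperty(MIN_PROTOCOL_VERSION_PROP);
    private final String enforceConstraint = System.getProperty(ENFORCE_CONSTRAINTS_PROP);
    private final boolean disableNullCipherSetToFalse = "false".equalsIgnoreCase(System.getProperty(DISABLE_NULL_CIPHER_PROP));
    private final boolean allowNullCipherSetToTrue = "true".equalsIgnoreCase(System.getProperty(ALLOW_NULL_CIPHER_PROP));
    private final boolean allowAnonymousCipher = Boolean.getBoolean(ALLOW_ANONYMOUS_CIPHER_PROP);

    /**
     * Creates a checker for the given configuration beans.
     *
     * @param sSLMBean the SSL configuration bean to audit; may be {@code null}, in which case the
     *     bean checks are skipped
     * @param networkAccessPointMBeanArr the network channels to audit; may be {@code null} or
     *     empty. The array is stored as passed, not copied.
     */
    public SSLConfigChecker(SSLMBean sSLMBean, NetworkAccessPointMBean[] networkAccessPointMBeanArr) {
        this.sslmBean = sSLMBean;
        this.networkAccessPointMBeans = networkAccessPointMBeanArr;
    }

    /**
     * Runs every check and logs each insecure setting that is found.
     *
     * @return {@code true} when no check reported a finding, {@code false} otherwise
     */
    public boolean checkAndLog() {
        boolean secure = checkSSLMBeanPropertiesAndLog();
        // Evaluate the system-property check unconditionally: combining the two calls with a
        // short-circuiting && would skip it, and its log messages, whenever the SSLMBean check
        // had already failed.
        secure = checkSystemPropertiesAndLog() && secure;
        if (this.networkAccessPointMBeans != null) {
            for (NetworkAccessPointMBean channel : this.networkAccessPointMBeans) {
                // The check is the left operand so that every channel is audited and logged.
                secure = checkNetworkAccessPointMBeanPropertiesAndLog(channel) && secure;
            }
        }
        return secure;
    }

    /**
     * Checks the system-property snapshot taken at construction and logs each insecure value.
     *
     * <p>For the two protocol properties only the value {@code SSLv3} (case-insensitive) is
     * reported; other values are not examined here.
     *
     * @return {@code true} when none of the audited properties has an insecure value
     */
    private boolean checkSystemPropertiesAndLog() {
        boolean secure = true;
        if (this.ignoreHostNameVerification1) {
            SecurityLogger.logHostNameVerificationDisabledBySysProp("-D" + IGNORE_HOSTNAME_VERIFICATION_PROP_1 + "=true");
            secure = false;
        }
        if (this.ignoreHostNameVerification2) {
            SecurityLogger.logHostNameVerificationDisabledBySysProp("-D" + IGNORE_HOSTNAME_VERIFICATION_PROP_2 + "=true");
            secure = false;
        }
        if (SSL_V3.equalsIgnoreCase(this.sslVersion)) {
            SecurityLogger.logSSLv3EnabledBySysProp("-D" + PROTOCOL_VERSION_PROP + "=" + this.sslVersion);
            secure = false;
        }
        if (SSL_V3.equalsIgnoreCase(this.minSSLVersion)) {
            SecurityLogger.logSSLv3MinProtocolEnabledBySysProp("-D" + MIN_PROTOCOL_VERSION_PROP + "=" + this.minSSLVersion);
            secure = false;
        }
        if ("off".equalsIgnoreCase(this.enforceConstraint) || "false".equalsIgnoreCase(this.enforceConstraint)) {
            // NOTE(review): this branch fires when constraint enforcement is switched off, yet the
            // logger method name says "Enabled"; the message text lives in SecurityLogger and is
            // not visible here, so confirm it describes the disabled state.
            SecurityLogger.logBasicConstraintsValidationEnabledBySysProp("-D" + ENFORCE_CONSTRAINTS_PROP);
            secure = false;
        }
        if (this.allowAnonymousCipher) {
            SecurityLogger.logAllowAnonymousCiphersBySysProp("-D" + ALLOW_ANONYMOUS_CIPHER_PROP + "=" + this.allowAnonymousCipher);
            secure = false;
        }
        if (this.disableNullCipherSetToFalse) {
            SecurityLogger.logNullCipherAllowedBySysProp("-D" + DISABLE_NULL_CIPHER_PROP + "=false");
            secure = false;
        }
        if (this.allowNullCipherSetToTrue) {
            SecurityLogger.logNullCipherAllowedBySysProp("-D" + ALLOW_NULL_CIPHER_PROP + "=true");
            secure = false;
        }
        return secure;
    }

    /**
     * Checks the {@link SSLMBean} and logs each insecure setting. A {@code null} or disabled bean
     * is not inspected and counts as having no findings.
     *
     * @return {@code true} when the bean is skipped or no insecure setting is found
     */
    private boolean checkSSLMBeanPropertiesAndLog() {
        if (this.sslmBean == null || !this.sslmBean.isEnabled()) {
            return true;
        }
        boolean secure = true;
        if (this.sslmBean.isAllowUnencryptedNullCipher()) {
            SecurityLogger.logNullCipherAllowedBySSLMBean(this.sslmBean.getName());
            secure = false;
        }
        secure = checkCiphersuites(this.sslmBean.getName(), true, this.sslmBean.getCiphersuites()) && secure;
        if (this.sslmBean.isHostnameVerificationIgnored()) {
            SecurityLogger.logHostNameVerificationDisabledBySSLMBean(this.sslmBean.getName());
            secure = false;
        }
        if (SSL_V3.equalsIgnoreCase(this.sslmBean.getMinimumTLSProtocolVersion())) {
            SecurityLogger.logSSLv3MinProtocolEnabledBySSLMBean(this.sslmBean.getName());
            secure = false;
        }
        if (this.sslmBean.isClientInitSecureRenegotiationAccepted()) {
            SecurityLogger.logTLSClientInitSecureRenegotiationBySSLMBean(this.sslmBean.getName());
            secure = false;
        }
        return secure;
    }

    /**
     * Checks one network channel and logs each insecure setting. A {@code null} or disabled
     * channel is not inspected and counts as having no findings.
     *
     * @param networkAccessPointMBean the channel to audit; may be {@code null}
     * @return {@code true} when the channel is skipped or no insecure setting is found
     */
    private boolean checkNetworkAccessPointMBeanPropertiesAndLog(NetworkAccessPointMBean networkAccessPointMBean) {
        if (networkAccessPointMBean == null || !networkAccessPointMBean.isEnabled()) {
            return true;
        }
        boolean secure = true;
        if (networkAccessPointMBean.isAllowUnencryptedNullCipher()) {
            SecurityLogger.logNullCipherAllowedByNetworkAccessPointMBean(networkAccessPointMBean.getName());
            secure = false;
        }
        secure = checkCiphersuites(networkAccessPointMBean.getName(), false, networkAccessPointMBean.getCiphersuites()) && secure;
        if (networkAccessPointMBean.isHostnameVerificationIgnored()) {
            SecurityLogger.logHostNameVerificationDisabledByNetworkAccessPointMBean(networkAccessPointMBean.getName());
            secure = false;
        }
        if (SSL_V3.equalsIgnoreCase(networkAccessPointMBean.getMinimumTLSProtocolVersion())) {
            SecurityLogger.logSSLv3MinProtocolEnabledByNetworkAccessPointMBean(networkAccessPointMBean.getName());
            secure = false;
        }
        if (networkAccessPointMBean.isClientInitSecureRenegotiationAccepted()) {
            SecurityLogger.logTLSClientInitSecureRenegotiationByNetworkAccessPointMBean(networkAccessPointMBean.getName());
            secure = false;
        }
        return secure;
    }

    /**
     * Reports the configured cipher suites whose names match {@link #WEAK_CIPHER_PATTERN}.
     *
     * <p>All matching names are collected and written in a single log message. A {@code null} or
     * empty array is treated as having no findings, so suites that apply by default when none are
     * configured are not examined here.
     *
     * @param ownerName name of the bean the suites belong to, used in the log message
     * @param fromSslMBean {@code true} to log as an SSLMBean finding, {@code false} to log as a
     *     NetworkAccessPointMBean finding
     * @param suites the configured cipher suite names; may be {@code null}
     * @return {@code true} when no configured suite matches the weak-cipher pattern
     */
    private boolean checkCiphersuites(String ownerName, boolean fromSslMBean, String[] suites) {
        if (suites == null || suites.length == 0) {
            return true;
        }
        List<String> weakSuites = new ArrayList<>();
        for (String suite : suites) {
            // A null entry cannot name a cipher suite; skip it rather than fail the whole audit
            // with a NullPointerException from matcher(null).
            if (suite != null && WEAK_CIPHER_PATTERN.matcher(suite).matches()) {
                weakSuites.add(suite);
            }
        }
        if (weakSuites.isEmpty()) {
            return true;
        }
        if (fromSslMBean) {
            SecurityLogger.logWeakCipherSuitesBySSLMBean(ownerName, joinStrings(weakSuites));
        } else {
            SecurityLogger.logWeakCipherSuitesByNetworkAccessPointMBean(ownerName, joinStrings(weakSuites));
        }
        return false;
    }

    /**
     * Formats a list of names for a log message.
     *
     * @param list the names to format; may be {@code null}
     * @return the names in {@link Arrays#toString(Object[])} form, for example {@code [a, b]}, or
     *     an empty string when the list is {@code null} or empty
     */
    private static String joinStrings(List<String> list) {
        if (list == null || list.isEmpty()) {
            return "";
        }
        return Arrays.toString(list.toArray());
    }
}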
