package weblogic.security.utils;

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import weblogic.kernel.Kernel;
import weblogic.logging.Loggable;
import weblogic.management.configuration.KernelMBean;
import weblogic.management.configuration.SSLMBean;
import weblogic.management.configuration.TLSMBean;
import weblogic.protocol.ServerChannel;
import weblogic.security.SSL.HostnameVerifier;
import weblogic.security.SecurityLogger;
import weblogic.utils.NestedRuntimeException;

/* loaded from: input_file:weblogic/security/utils/SSLWLSHostnameVerifier.class */
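/**
 * WebLogic's {@link SSLHostnameVerifier}: selects a {@link HostnameVerifier} (the built-in
 * {@link DefaultHostnameVerifier}, a class named by configuration or by the
 * {@code weblogic.security.SSL.hostnameVerifier} system property, or the "null" verifier when
 * verification is configured as ignored) and applies it from
 * {@link #hostnameValidationCallback(String, SSLSocket)}.
 *
 * <p>Verifier instances are cached per class name in {@link #verifierCache}. The selection
 * rules are in {@link #getDefaultVerifier(String, boolean, boolean)} and
 * {@link #isHostnameVerificationIgnored(SSLMBean, boolean, boolean)}.
 *
 * <p>Instance state (proxy mapping, expected name, active verifier) lives in plain mutable
 * fields with no synchronization; callers are expected to configure an instance before
 * sharing it.
 */
public class SSLWLSHostnameVerifier implements SSLHostnameVerifier {
    /** System property that disables hostname verification process-wide. */
    private static final String IGNORE_VERIFICATION_PROP = "weblogic.security.SSL.ignoreHostnameVerification";
    /** Alternate spelling of {@link #IGNORE_VERIFICATION_PROP}; either one disables verification. */
    private static final String IGNORE_VERIFICATION2_PROP = "weblogic.security.SSL.ignoreHostnameVerify";
    /** System property naming a {@link HostnameVerifier} implementation; overrides MBean/channel settings. */
    private static final String VERIFIER_CLASS_PROP = "weblogic.security.SSL.hostnameVerifier";
    /** System property that lets {@link DefaultHostnameVerifier} resolve the URL host via DNS for the loopback check. */
    private static final String REVERSE_DNS_ALLOWED_PROP = "weblogic.ReverseDNSAllowed";
    /**
     * Class used when verification is ignored. The nested class itself is not part of this
     * listing; presumably it accepts every host — confirm before relying on that.
     */
    private static final String NULL_HOSTNAME_VERIFIER = "weblogic.security.utils.SSLWLSHostnameVerifier$NullHostnameVerifier";
    /** Cache key used for the default verifier (a {@code null} class name). */
    private static final String DEFAULT_HOSTNAME_VERIFIER_FLAG = "";
    /** Read once at class load; consulted only when no kernel configuration is available. */
    private static final boolean ACCEPT_KSS_DEMOCERTS_ENABLED = Boolean.getBoolean("weblogic.ssl.AcceptKSSDemoCertsEnabled");
    /** Verifier instances keyed by class name, or by {@link #DEFAULT_HOSTNAME_VERIFIER_FLAG} for the default. */
    private static final ConcurrentHashMap<String, HostnameVerifier> verifierCache = new ConcurrentHashMap<>(16);
    // Host the caller actually wants to reach when the socket is opened to a proxy; see setProxyMapping.
    private String urlHostName;
    // Host the socket is physically connected to when proxying; see setProxyMapping.
    private String proxyHostName;
    // Verifier chosen from configuration at construction time; restored by setHostnameVerifier(null).
    private final HostnameVerifier defaultVerifier;
    // Verifier currently applied by hostnameValidationCallback.
    private HostnameVerifier verifier;
    // Optional CommonName the peer certificate must carry in addition to passing verification.
    private String expectedName;
    /** SSLSession value key under which the URL host is stored when proxying. */
    public static final String URL_HOST_KEY = "wls_hostname_verifier_url_host";

    /**
     * Built-in verifier: matches the URL host against the certificate's DNS subject
     * alternative names and/or CommonName, with relaxations for localhost and for
     * WebLogic demo certificates.
     */
    /* loaded from: input_file:weblogic/security/utils/SSLWLSHostnameVerifier$DefaultHostnameVerifier.class */
    public static class DefaultHostnameVerifier implements HostnameVerifier {
        private static final String LOCALHOST_HOSTNAME = "localhost";
        private static final String LOCALHOST_IPADDRESS = "127.0.0.1";
        // When true, the URL host is resolved with InetAddress.getByName during the localhost check.
        private boolean allowReverseDNS;
        private static final String OPSS_DOMAIN_CA_COMMON_NAME = "cn=domainca";
        private static final String OPSS_DOMAIN_CA_ORG = "o=oracle";
        /**
         * Defaults to {@code true}: when the certificate carries DNS SANs that do not match, the
         * CommonName is still consulted. Set the property to {@code false} for SAN-only matching.
         */
        private static final boolean VERIFY_CN_AFTER_SAN = Boolean.parseBoolean(System.getProperty("weblogic.security.SSL.verifyCNAfterSAN", "true"));
        /** Defaults to {@code true}: enables the demo-certificate relaxations in {@link #doVerify}. */
        private static final boolean DEMO_CERT_CHECK_ENABLED = Boolean.parseBoolean(System.getProperty("weblogic.security.SSL.demoCertCheckEnabled", "true"));

        /**
         * Reads {@code weblogic.ReverseDNSAllowed} (system property first, unless running as an
         * applet; then the kernel configuration) to decide whether DNS lookups are permitted.
         */
        public DefaultHostnameVerifier() {
            boolean reverseDns = false;
            if (!Kernel.isApplet() && System.getProperty(SSLWLSHostnameVerifier.REVERSE_DNS_ALLOWED_PROP) != null) {
                reverseDns = Boolean.getBoolean(SSLWLSHostnameVerifier.REVERSE_DNS_ALLOWED_PROP);
            } else if (Kernel.getConfig() != null) {
                reverseDns = Kernel.getConfig().isReverseDNSAllowed();
            }
            this.allowReverseDNS = reverseDns;
            if (SSLSetup.isDebugEnabled(3)) {
                SSLSetup.info("HostnameVerifier: allowReverseDNS=" + this.allowReverseDNS);
            }
        }

        /**
         * Verifies {@code str} against the peer certificate of {@code sSLSession}.
         *
         * <p>If the certificate carries DNS subject alternative names they are checked first; the
         * CommonName is consulted only when there are no DNS SANs, or when
         * {@link #verifyCNAfterSAN()} is true and the SANs did not match.
         *
         * @param str the host name from the URL; {@code null} or empty fails verification
         * @param sSLSession the session whose peer certificate is checked; {@code null} fails
         * @return {@code true} when the host matches the certificate
         */
        @Override // weblogic.security.SSL.HostnameVerifier
        public boolean verify(String str, SSLSession sSLSession) {
            if (str == null || str.isEmpty() || sSLSession == null) {
                return false;
            }
            // Argument meaning of the two booleans is not visible here — assumed to select
            // DNS-type SANs only; confirm against SSLCertUtility.
            Collection<?> dnsSubjAltNames = SSLCertUtility.getDNSSubjAltNames(sSLSession, false, true);
            String commonName = SSLCertUtility.getCommonName(sSLSession);
            if (dnsSubjAltNames == null || dnsSubjAltNames.isEmpty()) {
                return doVerify(str, sSLSession, commonName);
            }
            // Evaluated before the SAN check to keep the original call order (the method is overridable).
            boolean fallBackToCommonName = verifyCNAfterSAN();
            if (doDNSSubjAltNamesVerify(str, dnsSubjAltNames)) {
                return true;
            }
            return fallBackToCommonName && doVerify(str, sSLSession, commonName);
        }

        /**
         * Whether the CommonName is consulted after DNS SANs fail to match.
         * Public in this build (the decompiler reports it was originally protected) so subclasses
         * can override it.
         *
         * @return the value of {@code weblogic.security.SSL.verifyCNAfterSAN}, default {@code true}
         */
        /* JADX INFO: Access modifiers changed from: protected */
        public boolean verifyCNAfterSAN() {
            return VERIFY_CN_AFTER_SAN;
        }

        /**
         * CommonName-based check.
         *
         * <p>Accepts when the names are equal ignoring case; for demo certificates (see
         * {@link #isDemoCert}) also when one name is a dotted prefix of the other, or when the
         * CommonName starts with {@code DemoCertFor_} and KSS demo certificates are enabled.
         * Finally, when the CommonName equals the local host name, accepts the URL host if it is
         * the local address, loopback (resolved via DNS when reverse DNS is allowed), or
         * {@code localhost}/{@code 127.0.0.1}.
         *
         * @param urlHostName host from the URL, non-null
         * @param session session whose peer certificate is inspected
         * @param certHostName CommonName of the peer certificate, may be null or empty
         * @return {@code true} on a match
         */
        private boolean doVerify(String urlHostName, SSLSession session, String certHostName) {
            if (SSLSetup.isDebugEnabled(3)) {
                SSLSetup.info("doVerify: urlhostname=" + urlHostName + " certhostname=" + certHostName);
            }
            if (certHostName == null || certHostName.isEmpty()) {
                return false;
            }
            if (urlHostName.equalsIgnoreCase(certHostName)) {
                return true;
            }
            if (DEMO_CERT_CHECK_ENABLED && isDemoCert(SSLCertUtility.getPeerLeafCert(session))) {
                String urlLower = urlHostName.toLowerCase(Locale.ENGLISH);
                String certLower = certHostName.toLowerCase(Locale.ENGLISH);
                if (SSLSetup.isDebugEnabled(3)) {
                    SSLSetup.info("isDemocert true: check urlhostname=" + urlLower + " and certhostname=" + certLower);
                }
                // Demo relaxation: a short host name vs. its fully qualified form (either direction).
                if (urlLower.startsWith(certLower + ".") || certLower.startsWith(urlLower + ".")) {
                    return true;
                }
                KernelMBean config = Kernel.getConfig();
                boolean kssDemoCertsAccepted = config != null
                        ? config.getSSL().isAcceptKSSDemoCertsEnabled()
                        : SSLWLSHostnameVerifier.ACCEPT_KSS_DEMOCERTS_ENABLED;
                if (kssDemoCertsAccepted && certHostName.startsWith("DemoCertFor_")) {
                    return true;
                }
            }
            try {
                InetAddress localHost = InetAddress.getLocalHost();
                if (!localHost.getHostName().equalsIgnoreCase(certHostName)) {
                    return false;
                }
                if (localHost.getHostAddress().equalsIgnoreCase(urlHostName)) {
                    return true;
                }
                if (this.allowReverseDNS) {
                    // Network lookup of the URL host; only reached when reverse DNS is allowed.
                    return InetAddress.getByName(urlHostName).isLoopbackAddress();
                }
                return LOCALHOST_HOSTNAME.equalsIgnoreCase(urlHostName) || LOCALHOST_IPADDRESS.equalsIgnoreCase(urlHostName);
            } catch (UnknownHostException e) {
                SSLSetup.info("HostnameVerifier: unknown host");
                return false;
            }
        }

        /**
         * Exact (case-insensitive) comparison of the URL host against each DNS SAN.
         * No wildcard matching is performed.
         *
         * @param urlHostName host from the URL
         * @param dnsNames DNS subject alternative names; elements are cast to {@link String}
         * @return {@code true} if any entry equals the host ignoring case
         */
        private boolean doDNSSubjAltNamesVerify(String urlHostName, Collection<?> dnsNames) {
            if (dnsNames == null || dnsNames.isEmpty()) {
                return false;
            }
            for (Object entry : dnsNames) {
                String dnsName = (String) entry;
                if (SSLSetup.isDebugEnabled(3)) {
                    SSLSetup.info("doDNSSubjAltNamesVerify: compare dnsName=" + dnsName + " to urlhostname=" + urlHostName);
                }
                if (dnsName.equalsIgnoreCase(urlHostName)) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Recognizes WebLogic demo certificates: issued by one of the CertGen test CAs or the
         * OPSS domain CA, with a subject in the CertGen "FOR TESTING ONLY" form or a
         * {@code CN=DemoCertFor_} prefix. Only such certificates get the relaxed matching in
         * {@link #doVerify}.
         *
         * @param x509Certificate peer leaf certificate, may be null
         * @return {@code true} for a demo certificate
         */
        private static boolean isDemoCert(X509Certificate x509Certificate) {
            boolean debug = SSLSetup.isDebugEnabled(3);
            if (x509Certificate == null) {
                if (debug) {
                    SSLSetup.info("Hostname Verification detected null certificate.");
                }
                return false;
            }
            String issuer = x509Certificate.getIssuerX500Principal().getName("RFC2253");
            String subject = x509Certificate.getSubjectX500Principal().getName("RFC2253");
            boolean issuedByTestCa = issuer.equals("CN=CertGenCA,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US")
                    || issuer.equals("CN=CertGenCAB,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US")
                    || isIssuerOPSSDomainCA(issuer);
            boolean subjectIsDemo = subject.endsWith(",OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US")
                    || subject.startsWith("C=US,ST=MyState,L=MyTown,O=MyOrganization,OU=FOR TESTING ONLY,")
                    || subject.startsWith("CN=DemoCertFor_");
            boolean demo = issuedByTestCa && subjectIsDemo;
            if (debug) {
                SSLSetup.info(demo
                        ? "Hostname Verification detected a Demo certificate."
                        : "Hostname Verification did not detect a Demo certificate.");
            }
            return demo;
        }

        /**
         * Whether an RFC 2253 issuer name starts with {@code cn=domainca} and ends with
         * {@code o=oracle}, compared case-insensitively.
         *
         * @param issuerName issuer DN, may be null
         * @return {@code true} for the OPSS domain CA pattern
         */
        private static boolean isIssuerOPSSDomainCA(String issuerName) {
            if (issuerName == null) {
                return false;
            }
            // Explicit locale: a locale-sensitive toLowerCase (e.g. Turkish) would not fold the 'I'
            // in "DomainCA" to the ASCII 'i' the constant expects.
            String lower = issuerName.toLowerCase(Locale.ENGLISH);
            return lower.startsWith(OPSS_DOMAIN_CA_COMMON_NAME) && lower.endsWith(OPSS_DOMAIN_CA_ORG);
        }
    }

    /** Creates a verifier configured from the kernel's SSL MBean only (no channel). */
    public SSLWLSHostnameVerifier() {
        this((ServerChannel) null);
    }

    /**
     * Creates a verifier configured from {@code serverChannel} (its hostname verifier class and
     * ignore flag), falling back to the kernel's SSL MBean and system properties.
     *
     * @param serverChannel channel configuration, may be null
     * @throws IllegalStateException if no verifier could be created
     */
    public SSLWLSHostnameVerifier(ServerChannel serverChannel) {
        this.urlHostName = null;
        this.proxyHostName = null;
        this.expectedName = null;
        this.defaultVerifier = getDefaultVerifier(serverChannel);
        this.verifier = this.defaultVerifier;
    }

    /**
     * Creates a verifier configured from {@code tLSMBean}, falling back to the kernel's SSL
     * MBean and system properties.
     *
     * @param tLSMBean TLS configuration, may be null
     * @throws IllegalStateException if no verifier could be created
     */
    public SSLWLSHostnameVerifier(TLSMBean tLSMBean) {
        this.urlHostName = null;
        this.proxyHostName = null;
        this.expectedName = null;
        this.defaultVerifier = getDefaultVerifier(tLSMBean);
        this.verifier = this.defaultVerifier;
    }

    /**
     * Runs the active verifier against the socket's session and, if an expected name is set,
     * additionally requires the peer certificate's CommonName to equal it.
     *
     * <p>When a proxy mapping is configured and the socket is connected to the proxy, the
     * mapped URL host is verified instead of {@code str} and is recorded in the session under
     * {@link #URL_HOST_KEY}. Rejections are logged when {@code SSLSetup.logSSLRejections()} is
     * on, and any exception from the verifier is reported and treated as a rejection.
     *
     * @param str host name the caller connected to
     * @param sSLSocket the established socket
     * @return {@code true} only when verification (and the expected-name check, if any) passed
     */
    @Override // weblogic.security.utils.SSLHostnameVerifier
    public boolean hostnameValidationCallback(String str, SSLSocket sSLSocket) {
        SSLSession session = sSLSocket.getSession();
        boolean proxying = isProxying(str, sSLSocket);
        String hostToVerify = str;
        if (proxying) {
            hostToVerify = this.urlHostName;
            if (session != null) {
                session.putValue(URL_HOST_KEY, this.urlHostName);
            }
        }
        try {
            boolean debug = SSLSetup.isDebugEnabled(3);
            if (debug) {
                SSLSetup.info("Performing hostname validation checks: " + hostToVerify);
                if (proxying) {
                    SSLSetup.info("Proxying through " + this.proxyHostName);
                }
            }
            if (!this.verifier.verify(hostToVerify, session)) {
                if (SSLSetup.logSSLRejections()) {
                    recordRejection(session, SecurityLogger.logHostnameVerificationErrorLoggable(
                            getPeerName(proxying, sSLSocket), SSLCertUtility.getCommonName(session), hostToVerify));
                }
                if (debug) {
                    SSLSetup.info("Hostname Verification failed for certificate with CommonName '" + SSLCertUtility.getCommonName(session) + "' against hostname: " + hostToVerify);
                }
                return false;
            }
            if (this.expectedName == null) {
                return true;
            }
            if (SSLCertUtility.getPeerLeafCert(sSLSocket) == null) {
                if (SSLSetup.logSSLRejections()) {
                    recordRejection(session, SecurityLogger.logHostnameVerificationNoCertificateErrorLoggable(
                            getPeerName(proxying, sSLSocket)));
                }
                if (debug) {
                    SSLSetup.info("No identity certificate, cannot verify expected name: " + this.expectedName);
                }
                return false;
            }
            String commonName = SSLCertUtility.getCommonName(session);
            if (this.expectedName.equals(commonName)) {
                return true;
            }
            if (SSLSetup.logSSLRejections()) {
                recordRejection(session, SecurityLogger.logHostnameVerificationErrorLoggable(
                        getPeerName(proxying, sSLSocket), commonName, this.expectedName));
            }
            if (debug) {
                SSLSetup.info("Hostname Verification failed since certificate CommonName '" + commonName + "' does not match expected name: " + this.expectedName);
            }
            return false;
        } catch (Exception e) {
            // Fail closed: any error during verification is a rejection.
            if (SSLSetup.logSSLRejections()) {
                recordRejection(session, SecurityLogger.logHostnameVerificationExceptionErrorLoggable(
                        getPeerName(proxying, sSLSocket)));
            }
            SSLSetup.debug(1, e, "Hostname Verification error");
            return false;
        }
    }

    /** Logs a rejection and attaches its message to the session as failure details. */
    private static void recordRejection(SSLSession session, Loggable loggable) {
        loggable.log();
        SSLSetup.setFailureDetails(session, loggable.getMessage());
    }

    /**
     * Whether this connection goes through the configured proxy: {@code str} or the socket's
     * remote address/host name equals the proxy host name.
     *
     * @param str host name the caller connected to
     * @param sSLSocket the socket, whose remote address may be null
     * @return {@code false} unless a proxy mapping is set and matches
     */
    private boolean isProxying(String str, SSLSocket sSLSocket) {
        if (this.proxyHostName == null || this.urlHostName == null) {
            return false;
        }
        if (this.proxyHostName.equals(str)) {
            return true;
        }
        InetAddress remote = sSLSocket.getInetAddress();
        if (remote == null) {
            return false;
        }
        // getHostName() may trigger a reverse lookup on the remote address.
        return this.proxyHostName.equals(remote.getHostAddress()) || this.proxyHostName.equals(remote.getHostName());
    }

    /**
     * Peer name for log messages; when proxying, appends the mapped URL host.
     *
     * @param proxying whether the connection goes through the proxy
     * @param sSLSocket the socket
     * @return a display name for the peer
     */
    private String getPeerName(boolean proxying, SSLSocket sSLSocket) {
        String peerName = SSLSetup.getPeerName(sSLSocket);
        return proxying ? peerName + " --> " + this.urlHostName : peerName;
    }

    /**
     * Requires the peer certificate's CommonName to equal {@code str} exactly (case-sensitive),
     * in addition to normal verification. Only the CommonName is compared, not SANs.
     *
     * @param str expected CommonName, or null to disable the check
     * @deprecated retained for compatibility
     */
    @Deprecated
    public void setExpectedName(String str) {
        this.expectedName = str;
    }

    /**
     * Replaces the active verifier; {@code null} restores the configured default.
     *
     * @param hostnameVerifier verifier to use, or null
     */
    public void setHostnameVerifier(HostnameVerifier hostnameVerifier) {
        this.verifier = hostnameVerifier != null ? hostnameVerifier : this.defaultVerifier;
    }

    private static HostnameVerifier getDefaultVerifier(ServerChannel serverChannel) {
        return getDefaultVerifier(serverChannel != null ? serverChannel.getHostnameVerifier() : null, serverChannel == null, serverChannel != null ? serverChannel.isHostnameVerificationIgnored() : false);
    }

    private static HostnameVerifier getDefaultVerifier(TLSMBean tLSMBean) {
        return getDefaultVerifier(tLSMBean != null ? tLSMBean.getHostnameVerifier() : null, tLSMBean == null, tLSMBean != null ? tLSMBean.isHostnameVerificationIgnored() : false);
    }

    /**
     * Resolves and caches the verifier for the given configuration.
     *
     * @param configuredClassName verifier class from the channel/TLS config, may be null
     * @param noChannelConfig true when no channel/TLS config object was supplied
     * @param channelIgnoresVerification the channel/TLS config's ignore flag (false if none)
     * @return the verifier, never null
     * @throws IllegalStateException if {@link #createHostnameVerifier} returns null
     */
    private static HostnameVerifier getDefaultVerifier(String configuredClassName, boolean noChannelConfig, boolean channelIgnoresVerification) {
        KernelMBean config = Kernel.getConfig();
        SSLMBean sslMBean = config != null ? config.getSSL() : null;
        String className = isHostnameVerificationIgnored(sslMBean, noChannelConfig, channelIgnoresVerification)
                ? NULL_HOSTNAME_VERIFIER
                : getHostnameVerifierClassName(sslMBean, configuredClassName);
        // ConcurrentHashMap rejects null keys, so the default verifier is cached under a sentinel.
        String cacheKey = className == null ? DEFAULT_HOSTNAME_VERIFIER_FLAG : className;
        HostnameVerifier hostnameVerifier = verifierCache.get(cacheKey);
        if (hostnameVerifier == null) {
            hostnameVerifier = createHostnameVerifier(className);
            if (hostnameVerifier == null) {
                throw new IllegalStateException("Unable to create HostnameVerifier.");
            }
            // Not cached on a server whose SSL configuration is not yet available, so a later
            // call re-evaluates the configuration.
            if (sslMBean != null || !Kernel.isServer()) {
                verifierCache.put(cacheKey, hostnameVerifier);
            }
        }
        return hostnameVerifier;
    }

    /**
     * Instantiates the verifier: {@link DefaultHostnameVerifier} for a null class name,
     * otherwise the named class via its no-argument constructor.
     *
     * @param className fully qualified class name, or null for the default
     * @return the new verifier
     * @throws NestedRuntimeException if the class cannot be loaded/instantiated or does not
     *         implement {@link HostnameVerifier}
     */
    private static HostnameVerifier createHostnameVerifier(String className) {
        if (className == null) {
            if (SSLSetup.isDebugEnabled(3)) {
                SSLSetup.info("HostnameVerifier: using default hostnameverifier");
            }
            HostnameVerifier defaultInstance = new DefaultHostnameVerifier();
            SecurityLogger.logUsingDefaultHVLoggable().log();
            return defaultInstance;
        }
        try {
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance();
            // constructor failures arrive wrapped in InvocationTargetException and are caught below.
            Object instance = Class.forName(className).getDeclaredConstructor().newInstance();
            if (!(instance instanceof HostnameVerifier)) {
                Loggable invalid = SecurityLogger.logHostnameVerifierInvalidErrorLoggable(className);
                invalid.log();
                throw new NestedRuntimeException(invalid.getMessage());
            }
            HostnameVerifier configured = (HostnameVerifier) instance;
            if (SSLSetup.isDebugEnabled(3)) {
                SSLSetup.info("HostnameVerifier: using configured hostnameverifier: " + configured.getClass().getName());
            }
            SecurityLogger.logUsingConfiguredHVLoggable(configured.getClass().getName()).log();
            return configured;
        } catch (Exception e) {
            Loggable initError = SecurityLogger.logHostnameVerifierInitErrorLoggable(className);
            initError.log();
            throw new NestedRuntimeException(initError.getMessage(), e);
        }
    }

    private static boolean isHostnameVerificationIgnored(SSLMBean sSLMBean, ServerChannel serverChannel) {
        return isHostnameVerificationIgnored(sSLMBean, serverChannel == null, serverChannel != null ? serverChannel.isHostnameVerificationIgnored() : false);
    }

    private static boolean isHostnameVerificationIgnored(SSLMBean sSLMBean, TLSMBean tLSMBean) {
        return isHostnameVerificationIgnored(sSLMBean, tLSMBean == null, tLSMBean != null ? tLSMBean.isHostnameVerificationIgnored() : false);
    }

    /**
     * Whether hostname verification is switched off: by the channel/TLS config's flag, by the
     * SSL MBean when no channel config was supplied, or by either ignore system property.
     *
     * <p>The decompiled control flow this replaces assigned {@code false} after the MBean check
     * and {@code true} after the property checks unconditionally, so it returned {@code true}
     * for every input — i.e. verification was always ignored. The branches below restore the
     * evident intent.
     *
     * @param sSLMBean server SSL configuration, may be null or unreadable
     * @param noChannelConfig true when no channel/TLS config object was supplied
     * @param channelIgnoresVerification the channel/TLS config's ignore flag
     * @return {@code true} when verification should be skipped
     */
    private static boolean isHostnameVerificationIgnored(SSLMBean sSLMBean, boolean noChannelConfig, boolean channelIgnoresVerification) {
        boolean verificationIgnored;
        if (noChannelConfig) {
            verificationIgnored = false;
            if (sSLMBean != null) {
                try {
                    verificationIgnored = sSLMBean.isHostnameVerificationIgnored();
                } catch (SecurityException ignored) {
                    // MBean not readable from this context: keep verification enabled.
                }
            }
        } else {
            verificationIgnored = channelIgnoresVerification;
        }
        if (!verificationIgnored) {
            verificationIgnored = Boolean.getBoolean(IGNORE_VERIFICATION_PROP) || Boolean.getBoolean(IGNORE_VERIFICATION2_PROP);
        }
        return verificationIgnored;
    }

    /**
     * Configures proxying: connections made to {@code str} are verified against
     * {@code str2} instead.
     *
     * @param str host name of the proxy the socket connects to
     * @param str2 host name of the real target whose certificate is expected
     */
    public void setProxyMapping(String str, String str2) {
        this.urlHostName = str2;
        this.proxyHostName = str;
    }

    private static String getHostnameVerifierClassName(SSLMBean sSLMBean, ServerChannel serverChannel) {
        return getHostnameVerifierClassName(sSLMBean, serverChannel != null ? serverChannel.getHostnameVerifier() : null);
    }

    private static String getHostnameVerifierClassName(SSLMBean sSLMBean, TLSMBean tLSMBean) {
        return getHostnameVerifierClassName(sSLMBean, tLSMBean != null ? tLSMBean.getHostnameVerifier() : null);
    }

    /**
     * Verifier class name by precedence: the {@code weblogic.security.SSL.hostnameVerifier}
     * system property, then the channel/TLS config value, then the SSL MBean.
     *
     * @param sSLMBean server SSL configuration, may be null
     * @param configuredClassName class name from the channel/TLS config, may be null
     * @return the class name, or null when none is configured (default verifier)
     */
    private static String getHostnameVerifierClassName(SSLMBean sSLMBean, String configuredClassName) {
        String className = null;
        try {
            className = System.getProperty(VERIFIER_CLASS_PROP);
        } catch (SecurityException ignored) {
            // Property not readable under the installed SecurityManager; fall through to configuration.
        }
        if (className != null) {
            return className;
        }
        if (configuredClassName != null) {
            return configuredClassName;
        }
        return sSLMBean != null ? sSLMBean.getHostnameVerifier() : null;
    }
}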
