package securecomputing.ssl;

import iaik.security.ssl.ChainVerifier;
import iaik.security.ssl.SSLTransport;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Properties;
import java.util.StringTokenizer;
import java.util.Vector;
import securecomputing.pki.SccX509Cert;
import securecomputing.ui.SimpleUIHandler;
import securecomputing.util.IPAddressRange;
import securecomputing.util.IPAddressRangeFactory;
import securecomputing.util.SccDebug;

/* loaded from: input_file:119465-07/SUNWamsci/reloc/SUNWam/lib/swec.jar:securecomputing/ssl/AddressBasedCertVerifier.class */
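/**
 * SSL chain verifier that pins remote peers by certificate fingerprint rather than by
 * validating a PKI chain.
 *
 * <p>A peer is identified by an upper-cased host name or dotted IP address, optionally
 * suffixed with {@code ':' + subjectDN} (see {@link #hostToPeerId}). The fingerprint of the
 * leaf certificate the peer presents is recorded in a {@link Properties} file
 * ({@code m_strPolicyFile}). A later connection is accepted when the presented fingerprint
 * equals the stored one, or when {@link #haveMatchInGroup} finds the same fingerprint
 * stored for another peer in a configured IP range.
 *
 * <p>Trust model: this is trust-on-first-use. {@link #verifyChain} checks only the leaf's
 * validity window and fingerprint; no signature path to a trust anchor is built and
 * elements beyond index 0 of the chain are never examined. The policy file is therefore
 * the trust root of this verifier: its integrity and file permissions, and the correctness
 * of the peer-name-to-address mapping, decide what is trusted.
 *
 * <p>The {@code KEY_*} and {@code ACC_*} keyword values are compile-time constants the
 * decompiler could not recover (see the static initializer). The keyword names the policy
 * file is expected to contain are documented in {@link #storageFileHeader}.
 *
 * <p>Not thread-safe: {@code m_strPeerId} and {@code m_policy} are mutated during
 * verification without synchronization.
 */
public class AddressBasedCertVerifier extends ChainVerifier {
    private static final String CLASS_NAME;
    private static final String STR_LINE_SEP;
    protected static final String FILE_SEP;
    /** Default policy directory: {@code <user.dir>/certificates/}. */
    protected static final String DIR_DEFAULT;
    /** Prefix that distinguishes policy keywords from peer entries in the file. */
    protected static final String STR_KEYWORD_PREFIX;
    protected static final String KEY_ALWAYS;
    protected static final String KEY_PROMPT;
    protected static final String KEY_DEFAULT;
    protected static final String KEY_CERT_GROUP;
    protected static final String KEY_DOT_NOTATION;
    protected static final String ACC_ALWAYS;
    protected static final String ACC_NEVER;
    protected static final String ACC_PROMPT;

    /** Text written as the comment header of the policy file, one entry per line. */
    private static final String[] STORAGE_HEADER_LINES = {
        "# This file stores certificate fingerprints of the various components",
        "# that this component, at some point, has connected to.  The format of",
        "# the entries is 'clientNameOrIP=CertificateFingerprint'",
        "#",
        "# There are several keywords that you can specify that will affect",
        "# certificate checking behavior.  They are listed below.",
        "#",
        "# $AcceptNewCertsAlways=HOST_LIST",
        "#   where HOST_LIST is a comma-separated list of hosts from which",
        "#   new (updated) certificates will always be automatically accepted.",
        "#",
        "# $AcceptNewCertsPrompt=HOST_LIST",
        "#   where HOST_LIST is a comma-separated list of hosts from which",
        "#   new (updated) certificates will not be accepted unless interactively",
        "#   confirmed by the user.",
        "#",
        "# $AcceptNewCertsDefaultPolicy=ACCEPT_OPTION",
        "#   where ACCEPT_OPTION is one of 'always', 'never', or 'prompt'.",
        "#   If 'always', then new certificates will always be automatically",
        "#   accepted.  If 'prompt', then the user will be interactively prompted",
        "#   whether to accept the certificate.  If 'never', then new (updated)",
        "#   certificates will never be accepted.",
        "#",
        "# Note that for all of these, brand new certificates (i.e. those never",
        "# seen before) will always be stored automatically, as long as the",
        "# server is configured to allow more new certificates (see below).",
        "#",
        "# $CertificateGroup1=IP_RANGE_PATTERN",
        "#   where IP_RANGE_PATTERN is a specification of a range of IP",
        "#   addresses whose certificates are to be used interchangeably.",
        "#   For example, if there are two client IP addresses that match",
        "#   a specified range, and Client 2 presents a certificate that is",
        "#   already stored as belonging to Client 1, the certificate will",
        "#   still be accepted, even though it won't match the certificate",
        "#   already stored for Client 2.  You can specify multiple",
        "#   certificate groups by using $CertificateGroup1, $CertificateGroup2,",
        "#   $CertificateGroup3, etc.",
        "#",
        "#   IP_RANGE_PATTERN is a string of the form 'a.b.c.d' (i.e. class C",
        "#   network addresses).  Any one of the fields can be either:",
        "#     o A number",
        "#     o Two numbers separated by a hyphen which specify a range,",
        "#     o An asterisk ('*')",
        "#",
        "#   For example, all of the following are valid range specifications:",
        "#",
        "#     o 192.168.24.218 ",
        "#     o 192.168.24.210-218 ",
        "#     o 192.168.*.* ",
        "#",
        "#   In addition, multiple ranges may be combined into one object",
        "#   representing the given range collection, by specifying them in a",
        "#   comma-separated list.  For example:",
        "#",
        "#   192.168.24.218,192.168.24.118,192.168.24.200-205,192.168.25.*.",
        "#",
        "# This last keyword is useful in environments where IP addresses of",
        "# clients may change from connection to connection.  This could happen",
        "# if, for example, DHCP or another dynamic IP address assignment scheme",
        "# was used for client machines."
    };

    /** Upper-cased identity of the peer being verified; derived on first verifyChain if null. */
    protected String m_strPeerId;
    /** Peer-id -> fingerprint entries plus '$' keywords, as loaded from / stored to the policy file. */
    protected Properties m_policy;
    /** Directory holding the policy file, always terminated with FILE_SEP. */
    protected String m_strPath;
    /** Full path of the policy file. */
    protected String m_strPolicyFile;
    /** Optional interactive handler used for 'prompt' decisions; may be null. */
    protected SimpleUIHandler m_handlerUI;
    /** Upper-cased hosts whose changed certificates are accepted without asking. */
    protected Hashtable m_htAcceptAlways;
    /** Upper-cased hosts whose changed certificates require interactive confirmation. */
    protected Hashtable m_htAcceptPrompt;
    /** Default acceptance policy for changed certificates; one of ACC_ALWAYS/ACC_NEVER/ACC_PROMPT. */
    protected String m_strDefPolicy;
    /** IPAddressRange objects whose members may share certificates. */
    protected Vector m_rgCertGroups;
    protected Hashtable m_htCertGroups;
    /** When true, peer host names are resolved to dotted IP addresses before use as keys. */
    protected boolean m_bUseDotNotation;
    /** Synthetic field emitted by the compiler for the class literal; kept for binary compatibility. */
    static Class class$securecomputing$ssl$AddressBasedCertVerifier;

    /**
     * Emits a debug message tagged with this class name.
     *
     * @param str message text
     * @param i   debug level passed through to {@link SccDebug#debugMsg}; this class uses
     *            1 for failures, 2 for notable events and 3 for trace output
     */
    protected static void pl(String str, int i) {
        SccDebug.debugMsg(CLASS_NAME, i, (Object) str);
    }

    /**
     * Builds the comment header written above the entries of the policy file.
     *
     * <p>The text documents the keywords this verifier understands; it is the only place in
     * this listing where the keyword names survive, since the constants themselves were
     * inlined at compile time.
     *
     * @return the header lines joined with the platform line separator, without a trailing one
     */
    protected String storageFileHeader() {
        StringBuffer header = new StringBuffer();
        for (int i = 0; i < STORAGE_HEADER_LINES.length; i++) {
            if (i > 0) {
                header.append(STR_LINE_SEP);
            }
            header.append(STORAGE_HEADER_LINES[i]);
        }
        return header.toString();
    }

    /**
     * Splits a comma- or space-separated host list into a lookup table.
     *
     * <p>Entries are upper-cased so they compare equal to {@code m_strPeerId}, which is also
     * upper-cased. They are not resolved to IP addresses even when dot notation is enabled.
     *
     * @param str the raw list, or null
     * @return a Hashtable whose keys are the upper-cased entries (values are Boolean.TRUE);
     *         empty when {@code str} is null
     */
    private Hashtable parseList(String str) {
        Hashtable hashtable = new Hashtable();
        if (null != str) {
            StringTokenizer tokens = new StringTokenizer(str, ", ");
            while (tokens.hasMoreTokens()) {
                hashtable.put(tokens.nextToken().toUpperCase(), Boolean.TRUE);
            }
        }
        return hashtable;
    }

    /**
     * Reads the numbered {@code KEY_CERT_GROUP} entries from a policy.
     *
     * <p>Groups are read as {@code KEY_CERT_GROUP + 1}, {@code KEY_CERT_GROUP + 2}, ... and
     * reading stops at the first missing number, so numbering must be contiguous. Entries
     * for which {@link IPAddressRangeFactory#getInstance} returns null are skipped.
     *
     * @param policy loaded policy properties
     * @return the parsed IPAddressRange objects, possibly empty
     */
    private static Vector loadCertGroups(Properties policy) {
        Vector groups = new Vector();
        for (int i = 1; ; i++) {
            String spec = policy.getProperty(KEY_CERT_GROUP + i);
            if (null == spec) {
                break;
            }
            IPAddressRange range = IPAddressRangeFactory.getInstance(spec);
            if (null != range) {
                groups.addElement(range);
            }
        }
        return groups;
    }

    /**
     * Creates a verifier backed by the policy file {@code strDir + strPolicyFileName}.
     *
     * <p>If the file cannot be read or parsed, the verifier starts with an empty policy, the
     * default acceptance policy {@code ACC_NEVER}, empty accept lists and no certificate
     * groups; the file is created on the first successful {@link #storePolicy}.
     *
     * @param strPeerId         identity of the peer to verify, or null to derive it from the
     *                          transport on the first call to {@link #verifyChain}
     * @param strPolicyFileName file name of the policy file within {@code strDir}
     * @param strDir            directory of the policy file, or null for {@link #DIR_DEFAULT}
     * @param handlerUI         interactive handler for 'prompt' decisions, or null
     */
    public AddressBasedCertVerifier(String strPeerId, String strPolicyFileName, String strDir, SimpleUIHandler handlerUI) {
        this.m_handlerUI = handlerUI;
        this.m_strPath = (null == strDir) ? DIR_DEFAULT : strDir;
        if (!this.m_strPath.endsWith(FILE_SEP)) {
            this.m_strPath = this.m_strPath + FILE_SEP;
        }
        this.m_strPolicyFile = this.m_strPath + strPolicyFileName;
        this.m_policy = new Properties();
        FileInputStream in = null;
        try {
            in = new FileInputStream(this.m_strPolicyFile);
            this.m_policy.load(in);
            this.m_htAcceptAlways = parseList(this.m_policy.getProperty(KEY_ALWAYS));
            this.m_htAcceptPrompt = parseList(this.m_policy.getProperty(KEY_PROMPT));
            this.m_strDefPolicy = this.m_policy.getProperty(KEY_DEFAULT);
            String dotNotation = this.m_policy.getProperty(KEY_DOT_NOTATION);
            this.m_bUseDotNotation = dotNotation != null && dotNotation.equalsIgnoreCase("yes");
            this.m_rgCertGroups = loadCertGroups(this.m_policy);
        } catch (Exception e) {
            // A missing file is the normal first-run case; anything else is treated the same way.
            pl("Creating new server certificate fingerprint file.", 2);
        } finally {
            if (null != in) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // the policy was already loaded (or not); nothing more to do
                }
            }
        }
        // Fail closed: with no readable policy, changed certificates are never accepted.
        if (null == this.m_strDefPolicy) {
            this.m_strDefPolicy = ACC_NEVER;
        }
        if (null == this.m_htAcceptPrompt) {
            this.m_htAcceptPrompt = new Hashtable();
        }
        if (null == this.m_htAcceptAlways) {
            this.m_htAcceptAlways = new Hashtable();
        }
        // Without this default, haveMatchInGroup would dereference null on a fresh policy
        // once a fingerprint has been added during this session.
        if (null == this.m_rgCertGroups) {
            this.m_rgCertGroups = new Vector();
        }
        if (null != strPeerId) {
            this.m_strPeerId = strPeerId.toUpperCase();
            if (this.m_bUseDotNotation) {
                this.m_strPeerId = convertToDotNotation(this.m_strPeerId);
            }
        }
    }

    /**
     * Writes the current policy (including newly pinned fingerprints) to the policy file.
     *
     * <p>The file is the trust root of this verifier; it is created with the process's
     * default permissions, so the directory should not be writable by untrusted users.
     *
     * @return true if the file was written, false if directory creation or the write failed
     */
    protected boolean storePolicy() {
        FileOutputStream out = null;
        try {
            // Only the last path element is created; parent directories must already exist.
            new File(this.m_strPath).mkdir();
            out = new FileOutputStream(this.m_strPolicyFile);
            this.m_policy.store(out, storageFileHeader());
            return true;
        } catch (Exception e) {
            pl("Unable to store policy/certificate info: " + e, 1);
            return false;
        } finally {
            if (null != out) {
                try {
                    out.close();
                } catch (IOException ignored) {
                    // store() already flushed; a failed close changes nothing we can report
                }
            }
        }
    }

    /**
     * Asks the interactive handler a yes/no question.
     *
     * @param question text shown to the user
     * @return the user's answer, or false when no handler is configured (fail closed)
     */
    private boolean askUser(String question) {
        if (null == this.m_handlerUI) {
            return false;
        }
        return this.m_handlerUI.askQuestion(question);
    }

    /**
     * Decides whether a certificate that does not match the stored one may be pinned.
     *
     * <p>Decision order: brand-new peers and peers on the always-accept list are stored
     * unconditionally; peers on the prompt list ask the user; otherwise the default policy
     * applies ('always' stores, 'prompt' asks, anything else refuses).
     *
     * <p>NOTE(review): the accept lists are looked up by the full {@code m_strPeerId}. When
     * that id was derived by {@link #hostToPeerId} it carries a {@code ':subjectDN'} suffix,
     * so bare host entries in the lists would not match; {@link #hostFromPeerId} would be
     * needed for that. Confirm the intended behaviour before changing it.
     *
     * @param sccX509Cert the presented leaf certificate
     * @param isNewPeer   true when no fingerprint is stored for this peer yet
     * @return true if the certificate should be stored and accepted
     */
    protected boolean shouldStoreCert(SccX509Cert sccX509Cert, boolean isNewPeer) {
        if (isNewPeer || null != this.m_htAcceptAlways.get(this.m_strPeerId)) {
            return true;
        }
        String question = "The component with which you are establishing a connection sent a new certificate.\nThe certificate was issued to:\n"
                + sccX509Cert.getSubjectDN() + ".\nIts fingerprint is " + sccX509Cert.getFingerprint(true) + ".\nDo you wish to accept it?";
        if (null != this.m_htAcceptPrompt.get(this.m_strPeerId)) {
            return askUser(question);
        }
        if (this.m_strDefPolicy.equalsIgnoreCase(ACC_ALWAYS)) {
            return true;
        }
        if (this.m_strDefPolicy.equalsIgnoreCase(ACC_PROMPT)) {
            // Same null-handler behaviour as the prompt list above instead of an NPE.
            return askUser(question);
        }
        return false;
    }

    /**
     * Verifies the peer's certificate chain by fingerprint pinning.
     *
     * <p>Only {@code x509CertificateArr[0]} is used: its validity window is checked and its
     * fingerprint compared with the entry stored for {@code m_strPeerId}. On a mismatch for a
     * known peer, {@link #haveMatchInGroup} is consulted; otherwise {@link #shouldStoreCert}
     * decides whether the new fingerprint is pinned and persisted. No certificate-path
     * validation to a trust anchor takes place here.
     *
     * <p>Any exception (invalid certificate, non-IAIK certificate object, missing peer name)
     * is logged and results in rejection.
     *
     * @param x509CertificateArr chain presented by the peer, leaf first
     * @param sSLTransport       transport providing the remote peer name
     * @return true if the chain is accepted
     */
    @Override // iaik.security.ssl.ChainVerifier
    public boolean verifyChain(X509Certificate[] x509CertificateArr, SSLTransport sSLTransport) {
        try {
            if (null == x509CertificateArr || 0 == x509CertificateArr.length) {
                pl("Verifying cert chain... No certificate received", 1);
                return false;
            }
            if (null == this.m_strPeerId) {
                this.m_strPeerId = hostToPeerId(sSLTransport.getRemotePeerName(), x509CertificateArr[0].getSubjectDN().toString());
            }
            pl("Verifying cert chain... Cert originated from " + this.m_strPeerId, 3);
            if (null == this.m_policy) {
                return false;
            }
            iaik.x509.X509Certificate leaf = (iaik.x509.X509Certificate) x509CertificateArr[0];
            leaf.checkValidity();
            SccX509Cert sccX509Cert = new SccX509Cert(leaf);
            String fingerprint = sccX509Cert.getFingerprint(true);
            String stored = this.m_policy.getProperty(this.m_strPeerId);
            // Group matching is only a fallback for a known peer whose certificate changed.
            if (null != stored && (fingerprint.equals(stored) || haveMatchInGroup(fingerprint))) {
                return true;
            }
            if (!shouldStoreCert(sccX509Cert, null == stored)) {
                pl("Unable to find match for certificate received from " + this.m_strPeerId + ". Not allowed to store new certificate.", 1);
                return false;
            }
            addPeerFingerprint(this.m_strPeerId, fingerprint);
            // A fingerprint that cannot be persisted is not trusted, even for this session.
            if (storePolicy()) {
                return true;
            }
            pl("Unable to find match for certificate received from " + this.m_strPeerId + ". Unable to store new certificate.", 1);
            return false;
        } catch (Exception e) {
            pl("Invalid certificate received from " + this.m_strPeerId + ": " + e, 1);
            return false;
        }
    }

    /**
     * Records (or replaces) the pinned fingerprint for a peer in the in-memory policy.
     *
     * @param peerId      peer key
     * @param fingerprint fingerprint to pin
     */
    private void addPeerFingerprint(String peerId, String fingerprint) {
        this.m_policy.put(peerId, fingerprint);
    }

    /**
     * Builds a peer id of the form {@code HOST:subjectDN}.
     *
     * @param host      remote peer name; upper-cased and, when dot notation is enabled,
     *                  resolved to an IP address
     * @param subjectDN subject DN of the presented certificate, appended unchanged
     * @return the composite peer id
     */
    protected String hostToPeerId(String host, String subjectDN) {
        String upperCase = host.toUpperCase();
        if (this.m_bUseDotNotation) {
            upperCase = convertToDotNotation(upperCase);
        }
        return upperCase + ':' + subjectDN;
    }

    /**
     * Extracts the host part of a peer id built by {@link #hostToPeerId}.
     *
     * @param peerId a peer id, with or without a {@code ':'} suffix
     * @return everything before the first {@code ':'}, or the input unchanged when there is
     *         none or it is at position 0
     */
    protected String hostFromPeerId(String peerId) {
        int colon = peerId.indexOf(':');
        if (colon > 0) {
            return peerId.substring(0, colon);
        }
        return peerId;
    }

    /**
     * Looks for {@code fingerprint} among peers that share a certificate group with the
     * current peer.
     *
     * <p>For every configured group containing the current peer's host, every non-keyword
     * policy entry whose host is also in that group is compared with the fingerprint. This
     * deliberately weakens per-peer pinning to the granularity of the IP range, as described
     * in {@link #storageFileHeader}; groups should be kept as narrow as possible.
     *
     * <p>Whether {@code IPAddressRange.isAddressInRange} accepts host names as well as dotted
     * addresses cannot be determined here; with dot notation disabled, entries may be names.
     *
     * @param fingerprint fingerprint of the presented certificate
     * @return true if the same fingerprint is stored for another peer in a shared group
     */
    private boolean haveMatchInGroup(String fingerprint) {
        pl("Trying to find an existing match for fingerprint " + fingerprint, 3);
        String host = hostFromPeerId(this.m_strPeerId);
        Enumeration groups = this.m_rgCertGroups.elements();
        while (groups.hasMoreElements()) {
            IPAddressRange range = (IPAddressRange) groups.nextElement();
            pl("Trying " + host + " against group " + range.description(), 3);
            if (!range.isAddressInRange(host)) {
                continue;
            }
            pl("Found a match...  Trying existing peers", 3);
            Enumeration keys = this.m_policy.keys();
            while (keys.hasMoreElements()) {
                String peer = (String) keys.nextElement();
                if (peer.startsWith(STR_KEYWORD_PREFIX)) {
                    continue; // keyword entry, not a peer
                }
                pl("Trying peer " + peer, 3);
                if (!range.isAddressInRange(hostFromPeerId(peer))) {
                    continue;
                }
                pl("Checking certificate...", 3);
                if (fingerprint.equals(this.m_policy.getProperty(peer))) {
                    pl("Certificate matched!", 3);
                    return true;
                }
            }
        }
        pl("Unable to find a match", 3);
        return false;
    }

    /**
     * Resolves a host name to its dotted IP address.
     *
     * <p>{@code "localhost"} and {@code "127.0.0.1"} are mapped to
     * {@link InetAddress#getLocalHost}, i.e. the machine's primary address rather than the
     * loopback address. Because the result becomes the peer's identity key, the pinning
     * decision then depends on name resolution of {@code host}.
     *
     * @param host host name or address
     * @return the resolved address, or {@code host} unchanged when resolution fails
     */
    protected String convertToDotNotation(String host) {
        try {
            InetAddress address = (host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1"))
                    ? InetAddress.getLocalHost()
                    : InetAddress.getByName(host);
            return address.getHostAddress();
        } catch (UnknownHostException e) {
            pl("convertToDotNotation - Address not valid or invalid host name: " + host, 1);
            return host;
        }
    }

    /**
     * Synthetic helper emitted by pre-1.5 compilers for class literals; kept for binary
     * compatibility with the original bytecode.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }

    static {
        Class cls;
        if (class$securecomputing$ssl$AddressBasedCertVerifier == null) {
            cls = class$("securecomputing.ssl.AddressBasedCertVerifier");
            class$securecomputing$ssl$AddressBasedCertVerifier = cls;
        } else {
            cls = class$securecomputing$ssl$AddressBasedCertVerifier;
        }
        CLASS_NAME = cls.getName();
        STR_LINE_SEP = System.getProperty("line.separator");
        FILE_SEP = System.getProperty("file.separator");
        DIR_DEFAULT = System.getProperty("user.dir") + FILE_SEP + "certificates" + FILE_SEP;
        // Decompiler artifacts: these were compile-time String constants that the compiler
        // inlined at every use site, so their values are not recoverable from this listing
        // and the self-assignments below do not compile. Restore them from the original
        // source or the class file's constant pool (the keyword names are described in
        // STORAGE_HEADER_LINES) before building.
        STR_KEYWORD_PREFIX = STR_KEYWORD_PREFIX;
        KEY_ALWAYS = KEY_ALWAYS;
        KEY_PROMPT = KEY_PROMPT;
        KEY_DEFAULT = KEY_DEFAULT;
        KEY_CERT_GROUP = KEY_CERT_GROUP;
        KEY_DOT_NOTATION = KEY_DOT_NOTATION;
        ACC_ALWAYS = ACC_ALWAYS;
        ACC_NEVER = ACC_NEVER;
        ACC_PROMPT = ACC_PROMPT;
    }
}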
