package com.sun.deploy.security;

import com.sun.deploy.config.Config;
import com.sun.deploy.resources.ResourceManager;
import com.sun.deploy.services.Service;
import com.sun.deploy.services.ServiceManager;
import com.sun.deploy.ui.AppInfo;
import com.sun.deploy.util.Trace;
import java.io.IOException;
import java.security.CodeSource;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;

/* loaded from: input_file:com/sun/deploy/security/TrustDecider.class */
/**
 * Decides whether code loaded from a {@link CodeSource} is granted "all permissions",
 * based on the certificate chains the code was signed with and the trust stores held here.
 *
 * <p>Decompiled source: local names are compiler-generated. The decision order in
 * {@link #isAllPermissionGranted(CodeSource, AppInfo, boolean)} is: previously denied /
 * already trusted certificates (stores), then chain validation, then a user prompt via
 * {@link TrustDeciderDialog}. Whatever the user answers is persisted in the session,
 * permanent or denied store for the chain's first certificate.
 *
 * <p>Thread-safety: most entry points are {@code static synchronized} on the class;
 * the dialog itself is additionally serialised on {@link #_lock}.
 */
public class TrustDecider {
    // subject Principal -> Collection of X509Certificate; rebuilt by getCertMap() from the
    // root store's key stores and consulted by getTrustedCertificate()/getTrustedIssuerCertificate().
    private static Map trustedPrincipals;
    // Stores (re)created by reset(); the browser-backed ones stay null unless
    // Config.SEC_USE_BROWSER_KEYSTORE_KEY is enabled.
    private static RootCertStore rootStore = null;
    private static CertStore permanentStore = null;
    private static CertStore sessionStore = null;
    private static CertStore deniedStore = null;
    private static CertStore browserRootStore = null;
    private static CertStore browserTrustedStore = null;
    // browserRootStore is loaded lazily, once, inside isAllPermissionGranted().
    private static boolean isBrowserRootStoreLoaded = false;
    // Guards the TrustDeciderDialog.showDialog() call.
    private static Object _lock = new Object();

    /**
     * Re-creates every certificate store. Browser stores are obtained from the
     * {@link ServiceManager} service only when {@code Config.SEC_USE_BROWSER_KEYSTORE_KEY}
     * is set; when it is not set the previous browser store references are left untouched
     * (NOTE(review): they are not cleared to {@code null} here).
     * Invoked from the static initializer.
     */
    public static synchronized void reset() {
        rootStore = RootCertStore.getInstance();
        permanentStore = new DeploySigningCertStore();
        sessionStore = new SessionCertStore();
        deniedStore = new DeniedCertStore();
        if (Config.getBooleanProperty(Config.SEC_USE_BROWSER_KEYSTORE_KEY)) {
            Service service = ServiceManager.getService();
            browserRootStore = service.getBrowserSigningRootCertStore();
            browserTrustedStore = service.getBrowserTrustedCertStore();
            isBrowserRootStoreLoaded = false;
        }
    }

    /**
     * Convenience overload: decides with a fresh {@link AppInfo} and the flag set to {@code false}.
     *
     * @see #isAllPermissionGranted(CodeSource, AppInfo, boolean)
     */
    public static boolean isAllPermissionGranted(CodeSource codeSource) throws CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException, CertificateParsingException, CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException {
        return isAllPermissionGranted(codeSource, new AppInfo(), false);
    }

    /**
     * Convenience overload: decides with the given {@link AppInfo} and the flag set to {@code false}.
     *
     * @see #isAllPermissionGranted(CodeSource, AppInfo, boolean)
     */
    public static boolean isAllPermissionGranted(CodeSource codeSource, AppInfo appInfo) throws CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException, CertificateParsingException, CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException {
        return isAllPermissionGranted(codeSource, appInfo, false);
    }

    /**
     * Decides whether the signer(s) of {@code codeSource} are trusted for all permissions.
     *
     * <p>Algorithm, as implemented below:
     * <ol>
     *   <li>Unsigned code ({@code getCertificates() == null}) is rejected.</li>
     *   <li>All stores are loaded. The certificate array is split into chains by checking
     *       consecutive {@code CertUtils.isIssuerOf} pairs. For each chain's first certificate a
     *       "denied" flag is recorded; a chain that is not denied and whose first certificate is in
     *       the permanent, session or browser-trusted store grants immediately.</li>
     *   <li>The trusted-principal map is rebuilt from the root store and the array is
     *       {@link #canonicalize canonicalized}. Each chain is then walked: validity is checked
     *       (first expired / not-yet-valid exception remembered, not thrown), code-signing usage is
     *       checked for certificates that are followed by their issuer and are not in the root
     *       stores, and each certificate's signature is verified with the next certificate's
     *       public key (failure throws {@link CertificateException}).</li>
     *   <li>For chains that are not denied: prompting must be allowed by
     *       {@code SEC_ASKGRANT_SHOW_KEY}; a chain whose top certificate is not verified by the
     *       root store (or browser root store) is allowed only if {@code SEC_ASKGRANT_NOTCA_KEY}
     *       is set. An expired chain may still be accepted if the code signer carries a timestamp
     *       that falls inside the top certificate's validity window and the TSA path passes
     *       {@link #checkTSAPath}. The user is then asked via {@link TrustDeciderDialog}; answer
     *       0 = grant for the session, 2 = grant permanently, anything else = deny. The answer is
     *       persisted for the chain's first certificate.</li>
     * </ol>
     *
     * @param codeSource the code source whose certificates / code signers are examined
     * @param appInfo    application information forwarded to the dialog
     * @param z          forwarded unchanged as the last argument of
     *                   {@code TrustDeciderDialog.showDialog}; meaning not visible here — see that class
     * @return {@code true} if any chain is (or becomes) trusted, {@code false} if the code is
     *         unsigned or every chain was denied
     * @throws CertificateException if a chain signature fails to verify, or the configuration
     *         forbids granting (see {@code SEC_ASKGRANT_SHOW_KEY} / {@code SEC_ASKGRANT_NOTCA_KEY})
     * @throws KeyStoreException from the root store key stores
     * @throws IOException, NoSuchAlgorithmException, CertificateEncodingException,
     *         CertificateExpiredException, CertificateNotYetValidException,
     *         CertificateParsingException declared by the store operations
     */
    public static synchronized boolean isAllPermissionGranted(CodeSource codeSource, AppInfo appInfo, boolean z) throws CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException, CertificateParsingException, CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException {
        int showDialog;
        Certificate[] certificates = codeSource.getCertificates();
        if (certificates == null) {
            return false;
        }
        // i  = start index of the current chain, i2 = start index of the next chain,
        // i3 = chain counter (index into linkedList).
        int i = 0;
        int i2 = 0;
        int i3 = 0;
        // One Boolean per chain: true when the chain's first certificate is in the denied store.
        LinkedList linkedList = new LinkedList();
        rootStore.load();
        permanentStore.load();
        sessionStore.load();
        deniedStore.load();
        if (browserRootStore != null && !isBrowserRootStoreLoaded) {
            browserRootStore.load();
            isBrowserRootStoreLoaded = true;
        }
        if (browserTrustedStore != null) {
            browserTrustedStore.load();
        }
        // Phase 1: split into chains and consult the stores.
        while (i2 < certificates.length) {
            int i4 = i;
            // Extend the chain while the next certificate is the issuer of the current one.
            while (i4 + 1 < certificates.length && (certificates[i4] instanceof X509Certificate) && (certificates[i4 + 1] instanceof X509Certificate) && CertUtils.isIssuerOf((X509Certificate) certificates[i4], (X509Certificate) certificates[i4 + 1])) {
                i4++;
            }
            i2 = i4 + 1;
            if (deniedStore.contains(certificates[i])) {
                // Denied chains are skipped later (no dialog), but do not stop the scan.
                linkedList.add(i3, new Boolean(true));
            } else {
                linkedList.add(i3, new Boolean(false));
                // Already trusted: no chain validation is performed for this early grant.
                if (permanentStore.contains(certificates[i]) || sessionStore.contains(certificates[i])) {
                    return true;
                }
                if (browserTrustedStore != null && browserTrustedStore.contains(certificates[i])) {
                    return true;
                }
            }
            i = i2;
            i3++;
        }
        // z2 = chain top not anchored in a root store, z3 = validity problem in the chain,
        // z4 = user granted; i5 = start index of the current chain, i6 = one past its end.
        boolean z2 = false;
        boolean z3 = false;
        boolean z4 = false;
        int i5 = 0;
        int i6 = 0;
        // Side effect: rebuilds trustedPrincipals (no map is returned despite the name).
        getCertMap(rootStore.getKeyStore(0), rootStore.getKeyStore(1));
        Date date = new Date();
        // May substitute trusted copies of certificates and append missing trusted issuers.
        Certificate[] canonicalize = canonicalize(certificates, date);
        // i7 = chain counter over the canonicalized array, used to index linkedList and
        // codeSource.getCodeSigners(). NOTE(review): linkedList was built over the original
        // array; this assumes canonicalize() preserves the number of chains — confirm.
        int i7 = 0;
        while (i6 < canonicalize.length) {
            CertificateExpiredException certificateExpiredException = null;
            CertificateNotYetValidException certificateNotYetValidException = null;
            int i8 = i5;
            // Phase 2: walk one chain, i8 is the index of the certificate being checked.
            while (i8 < canonicalize.length) {
                X509Certificate x509Certificate = null;
                if (canonicalize[i8] instanceof X509Certificate) {
                    x509Certificate = (X509Certificate) canonicalize[i8];
                }
                // Next certificate in the array, or the current one again at the end of the array
                // (so a self-signed last certificate is verified against its own key).
                X509Certificate x509Certificate2 = (i8 + 1 >= canonicalize.length || !(canonicalize[i8 + 1] instanceof X509Certificate)) ? x509Certificate : (X509Certificate) canonicalize[i8 + 1];
                try {
                    // x509Certificate cannot be null here in practice: canonicalize() already
                    // cast every element to X509Certificate.
                    // Validity problems are remembered (first of each kind) and decided on below.
                    x509Certificate.checkValidity();
                } catch (CertificateExpiredException e) {
                    if (certificateExpiredException == null) {
                        certificateExpiredException = e;
                    }
                } catch (CertificateNotYetValidException e2) {
                    if (certificateNotYetValidException == null) {
                        certificateNotYetValidException = e2;
                    }
                }
                // Code-signing usage is checked only for certificates that are followed by their
                // issuer and are not themselves root certificates; the chain's topmost
                // certificate and the array's last element are therefore not checked here.
                // The second argument is the certificate's position within its chain.
                if (!rootStore.contains(x509Certificate) && i8 + 1 != canonicalize.length && CertUtils.isIssuerOf(x509Certificate, x509Certificate2) && (browserRootStore == null || !browserRootStore.contains(x509Certificate))) {
                    CertUtils.checkUsageForCodeSigning(x509Certificate, i8 - i5);
                }
                // End of chain: the next certificate is not our issuer.
                if (!CertUtils.isIssuerOf(x509Certificate, x509Certificate2)) {
                    break;
                }
                try {
                    // Each certificate must be signed by the next one; any failure is fatal.
                    x509Certificate.verify(x509Certificate2.getPublicKey());
                    i8++;
                } catch (GeneralSecurityException e3) {
                    Trace.msgSecurityPrintln("trustdecider.check.signature");
                    throw new CertificateException(ResourceManager.getMessage("trustdecider.check.signature"));
                }
            }
            // i6 = index one past the last certificate of this chain.
            i6 = i8 < canonicalize.length ? i8 + 1 : i8;
            // Skip chains whose first certificate was found in the denied store.
            if (!((Boolean) linkedList.get(i7)).booleanValue()) {
                if (!Config.getBooleanProperty(Config.SEC_ASKGRANT_SHOW_KEY)) {
                    throw new CertificateException(ResourceManager.getMessage("trustdecider.user.cannot.grant.any"));
                }
                // The chain's top certificate (i6 - 1) must be anchored in a root store unless
                // the configuration allows prompting for non-CA chains.
                if (!(rootStore.verify(canonicalize[i6 - 1]) || (browserRootStore != null && browserRootStore.verify(canonicalize[i6 - 1])))) {
                    if (!Config.getBooleanProperty(Config.SEC_ASKGRANT_NOTCA_KEY)) {
                        throw new CertificateException(ResourceManager.getMessage("trustdecider.user.cannot.grant.notinca"));
                    }
                    z2 = true;
                }
                if (certificateExpiredException != null || certificateNotYetValidException != null) {
                    z3 = true;
                }
                // date2 = signing timestamp to show in the dialog, null when absent or rejected.
                Date date2 = null;
                try {
                    Timestamp timestamp = codeSource.getCodeSigners()[i7].getTimestamp();
                    if (timestamp != null) {
                        Trace.msgSecurityPrintln("trustdecider.check.timestamping.yes");
                        date2 = timestamp.getTimestamp();
                        CertPath signerCertPath = timestamp.getSignerCertPath();
                        if (z3) {
                            // An expired chain is acceptable if it was signed while valid and the
                            // timestamping authority's own path checks out.
                            // NOTE(review): the window used is that of the chain's topmost
                            // certificate (i6 - 1), not the signer's leaf (i5) — confirm intended.
                            Trace.msgSecurityPrintln("trustdecider.check.timestamping.need");
                            Date notAfter = ((X509Certificate) canonicalize[i6 - 1]).getNotAfter();
                            Date notBefore = ((X509Certificate) canonicalize[i6 - 1]).getNotBefore();
                            if (date2.before(notAfter) && date2.after(notBefore)) {
                                Trace.msgSecurityPrintln("trustdecider.check.timestamping.valid");
                                if (checkTSAPath(signerCertPath, date)) {
                                    z3 = false;
                                } else {
                                    date2 = null;
                                }
                            } else {
                                Trace.msgSecurityPrintln("trustdecider.check.timestamping.invalid");
                            }
                        } else {
                            Trace.msgSecurityPrintln("trustdecider.check.timestamping.noneed");
                        }
                    } else {
                        Trace.msgSecurityPrintln("trustdecider.check.timestamping.no");
                    }
                } catch (NoSuchMethodError e4) {
                    // Presumably a runtime whose CodeSource lacks getCodeSigners(); treated as "no timestamp".
                    Trace.msgSecurityPrintln("trustdecider.check.timestamping.notfound");
                }
                synchronized (_lock) {
                    showDialog = TrustDeciderDialog.showDialog(canonicalize, codeSource.getLocation(), i5, i6, z2, z3, date2, appInfo, false, z);
                }
                // The user's answer is persisted for the chain's first certificate.
                if (showDialog == 0) {
                    Trace.msgSecurityPrintln("trustdecider.user.grant.session");
                    sessionStore.add(canonicalize[i5]);
                    sessionStore.save();
                    z4 = true;
                } else if (showDialog == 2) {
                    Trace.msgSecurityPrintln("trustdecider.user.grant.forever");
                    permanentStore.add(canonicalize[i5]);
                    permanentStore.save();
                    z4 = true;
                } else {
                    Trace.msgSecurityPrintln("trustdecider.user.deny");
                    deniedStore.add(canonicalize[i5]);
                    deniedStore.save();
                }
                if (z4) {
                    return true;
                }
            }
            i5 = i6;
            i7++;
        }
        return false;
    }

    /**
     * Validates the certificate path of a timestamping authority (TSA).
     *
     * <p>The path is canonicalized, its top certificate must be verifiable by the root store
     * or the browser root store, and every lower certificate must pass the code-signing usage
     * check and be signed by the certificate above it.
     *
     * @param certPath the TSA signer path taken from the code signer's {@link Timestamp}
     * @param date     the time at which substituted trusted certificates must be valid
     * @return {@code true} only if every check passes; {@code false} on any failure or exception
     *         (fail closed — the exception is not propagated or logged here)
     */
    private static boolean checkTSAPath(CertPath certPath, Date date) {
        Trace.msgSecurityPrintln("trustdecider.check.timestamping.tsapath");
        try {
            Object[] array = certPath.getCertificates().toArray();
            int length = array.length;
            Certificate[] certificateArr = new Certificate[length];
            for (int i = 0; i < length; i++) {
                certificateArr[i] = (Certificate) array[i];
            }
            Certificate[] canonicalize = canonicalize(certificateArr, date);
            int length2 = canonicalize.length;
            // Top of the path; an empty path throws here and is reported as false below.
            Certificate certificate = canonicalize[length2 - 1];
            if (!rootStore.verify(certificate) && (browserRootStore == null || !browserRootStore.verify(certificate))) {
                Trace.msgSecurityPrintln("trustdecider.check.timestamping.notinca");
                return false;
            }
            Trace.msgSecurityPrintln("trustdecider.check.timestamping.inca");
            for (int i2 = 0; i2 < length2 - 1; i2++) {
                X509Certificate x509Certificate = (X509Certificate) canonicalize[i2];
                X509Certificate x509Certificate2 = (X509Certificate) canonicalize[i2 + 1];
                try {
                    // Third argument differs from the call in isAllPermissionGranted(); its meaning
                    // is defined in CertUtils.
                    CertUtils.checkUsageForCodeSigning(x509Certificate, i2, true);
                    x509Certificate.verify(x509Certificate2.getPublicKey());
                } catch (GeneralSecurityException e) {
                    Trace.msgSecurityPrintln("trustdecider.check.signature");
                    return false;
                }
            }
            return true;
        } catch (Exception e2) {
            // Any other problem (e.g. the cast or an empty path) counts as an invalid TSA path.
            return false;
        }
    }

    /**
     * Rebuilds {@link #trustedPrincipals} from the X.509 certificate entries of the two key
     * stores (either may be {@code null}). Despite the name nothing is returned; the previous
     * map is discarded.
     *
     * @throws KeyStoreException from the key store queries
     */
    private static synchronized void getCertMap(KeyStore keyStore, KeyStore keyStore2) throws KeyStoreException {
        trustedPrincipals = new HashMap();
        if (keyStore != null) {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String nextElement = aliases.nextElement();
                if (keyStore.isCertificateEntry(nextElement)) {
                    Certificate certificate = keyStore.getCertificate(nextElement);
                    if (certificate instanceof X509Certificate) {
                        addTrustedCert((X509Certificate) certificate);
                    }
                }
            }
        }
        if (keyStore2 != null) {
            Enumeration<String> aliases2 = keyStore2.aliases();
            while (aliases2.hasMoreElements()) {
                String nextElement2 = aliases2.nextElement();
                if (keyStore2.isCertificateEntry(nextElement2)) {
                    Certificate certificate2 = keyStore2.getCertificate(nextElement2);
                    if (certificate2 instanceof X509Certificate) {
                        addTrustedCert((X509Certificate) certificate2);
                    }
                }
            }
        }
    }

    /**
     * Adds a certificate to {@link #trustedPrincipals} under its subject principal, creating
     * the per-subject list on first use. Duplicates are not filtered.
     */
    private static synchronized void addTrustedCert(X509Certificate x509Certificate) {
        Principal subjectPrincipal = X509Util.getSubjectPrincipal(x509Certificate);
        Collection collection = (Collection) trustedPrincipals.get(subjectPrincipal);
        if (collection == null) {
            collection = new ArrayList();
            trustedPrincipals.put(subjectPrincipal, collection);
        }
        collection.add(x509Certificate);
    }

    /**
     * Rewrites a certificate array against the trusted-principal map: each certificate is
     * replaced by a matching trusted certificate when {@link #getTrustedCertificate} finds one,
     * and when a certificate's issuer is neither itself nor the following certificate's subject,
     * a valid trusted issuer (if known) is appended right after it.
     *
     * <p>Every element is cast to {@link X509Certificate}; a non-X.509 element throws
     * {@link ClassCastException}.
     *
     * @param certificateArr the certificates in chain order
     * @param date           the time at which substituted certificates must be valid
     * @return the original array when nothing changed (or it is empty), otherwise a new array
     * @throws CertificateException declared but not thrown by the visible code
     */
    private static Certificate[] canonicalize(Certificate[] certificateArr, Date date) throws CertificateException {
        X509Certificate trustedIssuerCertificate;
        ArrayList arrayList = new ArrayList(certificateArr.length);
        // z = something was substituted or inserted.
        boolean z = false;
        if (certificateArr.length == 0) {
            return certificateArr;
        }
        for (int i = 0; i < certificateArr.length; i++) {
            X509Certificate x509Certificate = (X509Certificate) certificateArr[i];
            X509Certificate trustedCertificate = getTrustedCertificate(x509Certificate, date);
            if (trustedCertificate != null) {
                Trace.msgSecurityPrintln("trustdecider.check.canonicalize.updatecert");
                x509Certificate = trustedCertificate;
                z = true;
            }
            arrayList.add(x509Certificate);
            // Principals are taken from the original certificate, not the substituted one.
            Principal subjectPrincipal = X509Util.getSubjectPrincipal(certificateArr[i]);
            Principal issuerPrincipal = X509Util.getIssuerPrincipal(certificateArr[i]);
            Principal subjectPrincipal2 = i < certificateArr.length - 1 ? X509Util.getSubjectPrincipal(certificateArr[i + 1]) : null;
            // Not self-issued and the next certificate is not the issuer: try to fill the gap
            // from the trusted map (assignment happens inside the condition).
            if (!issuerPrincipal.equals(subjectPrincipal) && !issuerPrincipal.equals(subjectPrincipal2) && (trustedIssuerCertificate = getTrustedIssuerCertificate((X509Certificate) certificateArr[i], date)) != null) {
                Trace.msgSecurityPrintln("trustdecider.check.canonicalize.missing");
                z = true;
                arrayList.add(trustedIssuerCertificate);
            }
        }
        return z ? (Certificate[]) arrayList.toArray(new Certificate[arrayList.size()]) : certificateArr;
    }

    /**
     * Looks up a trusted certificate that can stand in for {@code x509Certificate}: same
     * subject (map key), same issuer principal and same public key, not {@code equals} to the
     * given one, and valid at {@code date}.
     *
     * @return the first such certificate, or {@code null} if none
     */
    private static synchronized X509Certificate getTrustedCertificate(X509Certificate x509Certificate, Date date) {
        List<X509Certificate> list = (List) trustedPrincipals.get(X509Util.getSubjectPrincipal(x509Certificate));
        if (list == null) {
            return null;
        }
        Principal issuerPrincipal = X509Util.getIssuerPrincipal(x509Certificate);
        PublicKey publicKey = x509Certificate.getPublicKey();
        for (X509Certificate x509Certificate2 : list) {
            if (!x509Certificate2.equals(x509Certificate) && X509Util.getIssuerPrincipal(x509Certificate2).equals(issuerPrincipal) && x509Certificate2.getPublicKey().equals(publicKey)) {
                try {
                    x509Certificate2.checkValidity(date);
                    Trace.msgSecurityPrintln("trustdecider.check.gettrustedcert.find");
                    return x509Certificate2;
                } catch (Exception e) {
                    // Not valid at 'date': keep looking.
                }
            }
        }
        return null;
    }

    /**
     * Looks up a trusted certificate whose subject is the issuer of {@code x509Certificate}
     * and which is valid at {@code date}. Only the subject principal is matched — no key or
     * signature check is done here; callers verify the chain afterwards.
     *
     * @return the first such certificate, or {@code null} if none
     */
    private static synchronized X509Certificate getTrustedIssuerCertificate(X509Certificate x509Certificate, Date date) {
        List<X509Certificate> list = (List) trustedPrincipals.get(X509Util.getIssuerPrincipal(x509Certificate));
        if (list == null) {
            return null;
        }
        for (X509Certificate x509Certificate2 : list) {
            try {
                x509Certificate2.checkValidity(date);
                Trace.msgSecurityPrintln("trustdecider.check.gettrustedissuercert.find");
                return x509Certificate2;
            } catch (Exception e) {
                // Not valid at 'date': keep looking.
            }
        }
        return null;
    }

    /**
     * Returns whether {@code certificate} was signed with the key in {@code certificate2}.
     * Every failure, including a {@code null} argument, is reported as {@code false}.
     * Not called from within this class.
     */
    public static synchronized boolean isSigner(Certificate certificate, Certificate certificate2) {
        try {
            certificate.verify(certificate2.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    // Stores are initialised on class load.
    static {
        reset();
    }
}
