package com.sun.deploy.security;

import com.sun.deploy.resources.ResourceManager;
import com.sun.deploy.security.ruleset.DeploymentRuleSet;
import com.sun.deploy.trace.Trace;
import com.sun.deploy.ui.AppInfo;
import com.sun.deploy.util.PerfLogger;
import java.io.IOException;
import java.security.CodeSource;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.List;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:jre/lib/deploy.jar:com/sun/deploy/security/CertValidator.class */
/**
 * Static helpers that decide whether the certificate chain(s) attached to a
 * {@link CodeSource} are trusted, consulting several {@code CertStore}s and a
 * {@link DeploymentRuleSet}, and falling back to a user-facing security dialog.
 *
 * <p>No revocation (CRL/OCSP) check is visible in this class; whether callers
 * perform one cannot be determined from this file.
 */
public final class CertValidator {
    /** Package-private constructor; every other member of this class is static. */
    CertValidator() {
    }

    /**
     * Walks the signer chains in {@code certificateArr} one after another and returns
     * {@code true} as soon as one of them is accepted, either because its first
     * certificate is already in a store or because the user grants it in the dialog.
     *
     * <p>For each chain the method: records expiry / not-yet-valid conditions, checks the
     * code-signing usage of certificates, verifies each signature against the next
     * certificate's public key, checks whether the last certificate is verified by
     * {@code certStore} or {@code certStore2}, optionally lets a signature timestamp
     * restore validity, and finally consults the remaining stores and the rule set.
     *
     * @param codeSource        source whose location and code signers (timestamps) are read
     * @param appInfo           passed to {@code TrustDecider.getLocString} and to the dialog
     * @param certificateArr    concatenated signer chains; every element is cast to
     *                          {@link X509Certificate} by {@code canonicalize}
     * @param i                 not referenced in this method body
     * @param certStore         dereferenced without a null check; used to build the trusted
     *                          map and to verify the last certificate of a chain
     *                          (presumably a root CA store, confirm against the caller)
     * @param certStore2        optional second store used the same way; may be {@code null}
     * @param certStore3        optional store; containing the chain's first certificate
     *                          accepts the chain; may be {@code null}
     * @param certStore4        store that receives the certificate when the dialog returns 0
     *                          (traced as a session grant)
     * @param certStore5        store consulted only while the chain's last certificate was
     *                          verified by a CA store (presumably previously granted
     *                          certificates, confirm)
     * @param certStore6        store that receives the certificate when the user denies
     * @param deploymentRuleSet supplies {@code isAskGrantShowSet}, {@code isAskGrantSelfSignedSet}
     *                          and {@code isRuleRun}
     * @return {@code true} if a chain is accepted; {@code false} if every chain was walked
     *         without acceptance
     * @throws CertificateException if a signature does not verify, or if the rule set forbids
     *                              asking the user (in general, or for a chain whose last
     *                              certificate is not verified by a CA store)
     * @throws KeyStoreException    declared; {@code getCertMap} declares it
     */
    public static boolean validate(CodeSource codeSource, AppInfo appInfo, Certificate[] certificateArr, int i, CertStore certStore, CertStore certStore2, CertStore certStore3, CertStore certStore4, CertStore certStore5, CertStore certStore6, DeploymentRuleSet deploymentRuleSet) throws CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException, CertificateParsingException, CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException {
        String locString = TrustDecider.getLocString(codeSource.getLocation(), appInfo);
        PerfLogger.setTime("Security: Start CertValdator class");
        // The map allocated here is discarded; the statement does not affect the result.
        new HashMap();
        // z  : set once a chain's last certificate is not verified by certStore/certStore2.
        // z2 : "time valid" flag; cleared on expiry / not-yet-valid, restored only by a timestamp.
        // i2 : -1 = expired, 1 = not yet valid, 0 = no time problem (passed to the dialog).
        // z3 : set when the user grants in the dialog.
        // i3 : index of the first certificate of the current chain.
        // i4 : index one past the last certificate of the current chain.
        // NOTE(review): z, z2 and i2 are declared outside the loop and never reset per chain,
        // so a condition found on an earlier chain still applies to later ones. Confirm intended.
        boolean z = false;
        boolean z2 = true;
        int i2 = 0;
        boolean z3 = false;
        int i3 = 0;
        int i4 = 0;
        HashMap certMap = getCertMap(certStore, certStore2);
        Date date = new Date();
        Certificate[] canonicalize = canonicalize(certificateArr, date, certMap);
        // i5 indexes codeSource.getCodeSigners(); it advances once per chain.
        int i5 = 0;
        while (i4 < canonicalize.length) {
            // Only the first expiry / not-yet-valid exception of the chain is kept.
            CertificateExpiredException certificateExpiredException = null;
            CertificateNotYetValidException certificateNotYetValidException = null;
            int i6 = i3;
            while (i6 < canonicalize.length) {
                X509Certificate x509Certificate = null;
                // canonicalize() already cast every element to X509Certificate, so a
                // non-X509 entry would have failed there before reaching this test.
                if (canonicalize[i6] instanceof X509Certificate) {
                    x509Certificate = (X509Certificate) canonicalize[i6];
                }
                // Candidate issuer: the next array element, or the certificate itself when
                // this is the last element (which makes the verify below a self-signature check).
                X509Certificate x509Certificate2 = (i6 + 1 >= canonicalize.length || !(canonicalize[i6 + 1] instanceof X509Certificate)) ? x509Certificate : (X509Certificate) canonicalize[i6 + 1];
                try {
                    // Validity against the current time; failures are recorded, not thrown.
                    x509Certificate.checkValidity();
                } catch (CertificateExpiredException e) {
                    if (certificateExpiredException == null) {
                        certificateExpiredException = e;
                    }
                } catch (CertificateNotYetValidException e2) {
                    if (certificateNotYetValidException == null) {
                        certificateNotYetValidException = e2;
                    }
                }
                // The code-signing usage check is skipped for certificates found in either
                // CA store, for the last array element, and for the certificate that ends a
                // chain. The second argument is the position within the chain.
                if (!certStore.contains(x509Certificate) && i6 + 1 != canonicalize.length && CertUtils.isIssuerOf(x509Certificate, x509Certificate2) && (certStore2 == null || !certStore2.contains(x509Certificate))) {
                    CertUtils.checkUsageForCodeSigning(x509Certificate, i6 - i3);
                }
                // The chain ends where the next certificate is not the issuer of this one.
                if (!CertUtils.isIssuerOf(x509Certificate, x509Certificate2)) {
                    break;
                }
                try {
                    x509Certificate.verify(x509Certificate2.getPublicKey());
                    i6++;
                } catch (GeneralSecurityException e3) {
                    // A bad signature aborts the whole validation, not just this chain.
                    Trace.msgSecurityPrintln("trustdecider.check.signature");
                    throw new CertificateException(ResourceManager.getMessage("trustdecider.check.signature"));
                }
            }
            // After a break i6 points at the chain's last certificate; otherwise it already
            // equals the array length. Either way i4 - 1 is the chain's last certificate.
            i4 = i6 < canonicalize.length ? i6 + 1 : i6;
            if (!deploymentRuleSet.isAskGrantShowSet()) {
                throw new CertificateException(ResourceManager.getMessage("trustdecider.user.cannot.grant.any"));
            }
            // The chain's last certificate must be verified by certStore or certStore2;
            // otherwise the rule set decides whether the user may still be asked.
            if (!(certStore.verify(canonicalize[i4 - 1]) || (certStore2 != null && certStore2.verify(canonicalize[i4 - 1])))) {
                if (!deploymentRuleSet.isAskGrantSelfSignedSet()) {
                    throw new CertificateException(ResourceManager.getMessage("trustdecider.user.cannot.grant.notinca"));
                }
                z = true;
            }
            if (certificateExpiredException != null) {
                z2 = false;
                i2 = -1;
            }
            // If both conditions were recorded, not-yet-valid overwrites the expired code.
            if (certificateNotYetValidException != null) {
                z2 = false;
                i2 = 1;
            }
            Date date2 = null;
            try {
                // NOTE(review): CodeSource.getCodeSigners() may return null, and i5 is not
                // bounds-checked; only NoSuchMethodError is caught here, so either case
                // propagates as a runtime exception.
                Timestamp timestamp = codeSource.getCodeSigners()[i5].getTimestamp();
                if (timestamp != null) {
                    Trace.msgSecurityPrintln("trustdecider.check.timestamping.yes");
                    date2 = timestamp.getTimestamp();
                    CertPath signerCertPath = timestamp.getSignerCertPath();
                    if (z2) {
                        Trace.msgSecurityPrintln("trustdecider.check.timestamping.noneed");
                    } else {
                        Trace.msgSecurityPrintln("trustdecider.check.timestamping.need");
                        // NOTE(review): the timestamp is compared with the validity window of
                        // canonicalize[i4 - 1], the chain's LAST certificate, not with the
                        // certificate that raised the expiry / not-yet-valid exception.
                        // Confirm this is the intended window.
                        Date notAfter = ((X509Certificate) canonicalize[i4 - 1]).getNotAfter();
                        Date notBefore = ((X509Certificate) canonicalize[i4 - 1]).getNotBefore();
                        if (date2.before(notAfter) && date2.after(notBefore)) {
                            Trace.msgSecurityPrintln("trustdecider.check.timestamping.valid");
                            // Validity is restored only if the TSA chain itself checks out;
                            // otherwise the timestamp date is dropped.
                            if (checkTSAPath(signerCertPath, date, certStore2, certStore, certMap)) {
                                z2 = true;
                                i2 = 0;
                            } else {
                                date2 = null;
                            }
                        } else {
                            Trace.msgSecurityPrintln("trustdecider.check.timestamping.invalid");
                        }
                    }
                } else {
                    Trace.msgSecurityPrintln("trustdecider.check.timestamping.no");
                }
            } catch (NoSuchMethodError e4) {
                Trace.msgSecurityPrintln("trustdecider.check.timestamping.notfound");
            }
            // z4 suppresses both the store-based acceptance and the dialog for this chain.
            // It is set when certStore6 holds the chain's first certificate and either the
            // three-argument lookup matches or the chain is not time valid.
            boolean z4 = false;
            if (certStore6.contains(canonicalize[i3])) {
                if (certStore6.contains(canonicalize[i3], locString, true)) {
                    z4 = true;
                } else {
                    z4 = !z2;
                }
            }
            if (!z4) {
                // certStore5 is honoured only while no chain ended outside the CA stores (!z).
                if (!z && certStore5.contains(canonicalize[i3]) && (z2 || !certStore5.contains(canonicalize[i3], locString, true))) {
                    return true;
                }
                if (certStore4.contains(canonicalize[i3]) && (z2 || !certStore4.contains(canonicalize[i3], locString, true))) {
                    return true;
                }
                // NOTE(review): isRuleRun() accepts the chain without consulting any store
                // or the user, regardless of z and z2.
                if ((certStore3 != null && certStore3.contains(canonicalize[i3])) || deploymentRuleSet.isRuleRun()) {
                    return true;
                }
                // Dialog result: 0 = grant (traced as session), 2 = grant (traced as forever),
                // any other value = deny.
                int showSecurityDialog = X509Util.showSecurityDialog(canonicalize, codeSource.getLocation(), i3, i4, z, i2, date2, appInfo, false);
                if (showSecurityDialog == 0) {
                    Trace.msgSecurityPrintln("trustdecider.user.grant.session");
                    certStore4.add(canonicalize[i3], locString, z2);
                    certStore4.save();
                    z3 = true;
                } else if (showSecurityDialog == 2) {
                    Trace.msgSecurityPrintln("trustdecider.user.grant.forever");
                    CertStore userCertStore = DeploySigningCertStore.getUserCertStore();
                    userCertStore.load(true);
                    // The user store is saved only when add() reports a change.
                    if (userCertStore.add(canonicalize[i3], locString, z2)) {
                        userCertStore.save();
                    }
                    z3 = true;
                } else {
                    // The denial is persisted, keyed by the chain's first certificate and location.
                    Trace.msgSecurityPrintln("trustdecider.user.deny");
                    certStore6.add(canonicalize[i3], locString, z2);
                    certStore6.save();
                }
                // The end marker is logged only on the dialog path, not on the early returns.
                PerfLogger.setTime("Security: End CertValdator class");
                if (z3) {
                    return true;
                }
            }
            // Move on to the next chain and the next code signer.
            i3 = i4;
            i5++;
        }
        return false;
    }

    /**
     * Checks the certificate path of a timestamping authority (TSA).
     *
     * <p>The path is canonicalized against {@code hashMap}, its last certificate must be
     * verified by {@code certStore2} or (when non-null) {@code certStore}, and every
     * certificate except the last must pass {@code CertUtils.checkUsageForCodeSigning}
     * and be signed by its successor. Any exception yields {@code false}, so failures
     * never make a timestamp count.
     *
     * <p>NOTE(review): no {@code checkValidity} call is made on the TSA certificates here;
     * {@code date} is only forwarded to {@code canonicalize}. No revocation check is
     * visible either. Confirm whether validity of the TSA chain is enforced elsewhere.
     *
     * @param certPath   TSA signer certificate path
     * @param date       reference date forwarded to {@code canonicalize}
     * @param certStore  optional store; may be {@code null}
     * @param certStore2 store dereferenced without a null check
     * @param hashMap    trusted-certificate map as built by {@code getCertMap}
     * @return {@code true} only if every check succeeds
     */
    private static boolean checkTSAPath(CertPath certPath, Date date, CertStore certStore, CertStore certStore2, HashMap hashMap) {
        Trace.msgSecurityPrintln("trustdecider.check.timestamping.tsapath");
        try {
            // Copy the path into a Certificate[] so that canonicalize() can be reused.
            Object[] array = certPath.getCertificates().toArray();
            int length = array.length;
            Certificate[] certificateArr = new Certificate[length];
            for (int i = 0; i < length; i++) {
                certificateArr[i] = (Certificate) array[i];
            }
            Certificate[] canonicalize = canonicalize(certificateArr, date, hashMap);
            int length2 = canonicalize.length;
            // An empty path makes this index -1; the resulting exception is caught below
            // and reported as false.
            Certificate certificate = canonicalize[length2 - 1];
            if (!certStore2.verify(certificate) && (certStore == null || !certStore.verify(certificate))) {
                Trace.msgSecurityPrintln("trustdecider.check.timestamping.notinca");
                return false;
            }
            Trace.msgSecurityPrintln("trustdecider.check.timestamping.inca");
            for (int i2 = 0; i2 < length2 - 1; i2++) {
                X509Certificate x509Certificate = (X509Certificate) canonicalize[i2];
                X509Certificate x509Certificate2 = (X509Certificate) canonicalize[i2 + 1];
                try {
                    CertUtils.checkUsageForCodeSigning(x509Certificate, i2, true);
                    x509Certificate.verify(x509Certificate2.getPublicKey());
                } catch (GeneralSecurityException e) {
                    Trace.msgSecurityPrintln("trustdecider.check.signature");
                    return false;
                }
            }
            return true;
        } catch (Exception e2) {
            // Deliberately broad: any failure (cast, index, null, store error) is treated
            // as "timestamp not usable". Nothing is logged for this case.
            return false;
        }
    }

    /**
     * Builds a lookup map from subject principal to the collection of X.509 certificates
     * with that subject, drawn from both stores. Non-X.509 entries are skipped and a
     * {@code null} store contributes nothing.
     *
     * @param certStore  first store, may be {@code null}
     * @param certStore2 second store, may be {@code null}
     * @return a new map; empty when both stores are {@code null}
     * @throws KeyStoreException declared for the {@code getCertificates()} calls
     */
    private static synchronized HashMap getCertMap(CertStore certStore, CertStore certStore2) throws KeyStoreException {
        HashMap hashMap = new HashMap();
        if (certStore != null) {
            for (Certificate certificate : certStore.getCertificates()) {
                if (certificate instanceof X509Certificate) {
                    hashMap = addTrustedCert((X509Certificate) certificate, hashMap);
                }
            }
        }
        if (certStore2 != null) {
            for (Certificate certificate2 : certStore2.getCertificates()) {
                if (certificate2 instanceof X509Certificate) {
                    hashMap = addTrustedCert((X509Certificate) certificate2, hashMap);
                }
            }
        }
        return hashMap;
    }

    /**
     * Appends {@code x509Certificate} to the collection stored under its subject principal,
     * creating that collection on first use.
     *
     * @param x509Certificate certificate to register
     * @param hashMap         map to update in place
     * @return the same {@code hashMap} instance
     */
    private static HashMap addTrustedCert(X509Certificate x509Certificate, HashMap hashMap) {
        Principal subjectPrincipal = X509Util.getSubjectPrincipal(x509Certificate);
        Collection collection = (Collection) hashMap.get(subjectPrincipal);
        if (collection == null) {
            collection = new ArrayList();
            hashMap.put(subjectPrincipal, collection);
        }
        collection.add(x509Certificate);
        return hashMap;
    }

    /**
     * Rewrites a certificate array using the trusted map: a certificate is replaced when
     * {@code getTrustedCertificate} finds a trusted counterpart, and a trusted issuer is
     * inserted after a certificate whose issuer is neither itself nor the next element.
     *
     * <p>Issuer insertion is decided from names only; the callers visible in this file
     * verify signatures afterwards.
     *
     * @param certificateArr certificates to canonicalize; every element is cast to
     *                       {@link X509Certificate}, so other types raise
     *                       {@code ClassCastException}
     * @param date           date at which substituted or inserted certificates must be valid
     * @param hashMap        trusted-certificate map as built by {@code getCertMap}
     * @return a new array if anything was replaced or inserted, otherwise the original array
     * @throws CertificateException declared; no statement in this body throws it directly
     */
    private static Certificate[] canonicalize(Certificate[] certificateArr, Date date, HashMap hashMap) throws CertificateException {
        X509Certificate trustedIssuerCertificate;
        ArrayList arrayList = new ArrayList(certificateArr.length);
        // z records whether the output differs from the input.
        boolean z = false;
        if (certificateArr.length == 0) {
            return certificateArr;
        }
        for (int i = 0; i < certificateArr.length; i++) {
            X509Certificate x509Certificate = (X509Certificate) certificateArr[i];
            X509Certificate trustedCertificate = getTrustedCertificate(x509Certificate, date, hashMap);
            if (trustedCertificate != null) {
                Trace.msgSecurityPrintln("trustdecider.check.canonicalize.updatecert");
                x509Certificate = trustedCertificate;
                z = true;
            }
            arrayList.add(x509Certificate);
            // The principals below are read from the ORIGINAL certificate, not the substitute.
            Principal subjectPrincipal = X509Util.getSubjectPrincipal(certificateArr[i]);
            Principal issuerPrincipal = X509Util.getIssuerPrincipal(certificateArr[i]);
            Principal subjectPrincipal2 = i < certificateArr.length - 1 ? X509Util.getSubjectPrincipal(certificateArr[i + 1]) : null;
            // Not self-issued and not followed by its issuer: try to supply the missing
            // issuer from the trusted map.
            if (!issuerPrincipal.equals(subjectPrincipal) && !issuerPrincipal.equals(subjectPrincipal2) && (trustedIssuerCertificate = getTrustedIssuerCertificate((X509Certificate) certificateArr[i], date, hashMap)) != null) {
                Trace.msgSecurityPrintln("trustdecider.check.canonicalize.missing");
                z = true;
                arrayList.add(trustedIssuerCertificate);
            }
        }
        return z ? (Certificate[]) arrayList.toArray(new Certificate[arrayList.size()]) : certificateArr;
    }

    /**
     * Looks for a trusted certificate that can stand in for {@code x509Certificate}: same
     * subject, same issuer and same public key, but not equal to it, and valid at
     * {@code date}.
     *
     * @param x509Certificate certificate to find a counterpart for
     * @param date            date at which the counterpart must be valid
     * @param hashMap         trusted-certificate map keyed by subject principal
     * @return the first matching trusted certificate, or {@code null} if none qualifies
     */
    private static X509Certificate getTrustedCertificate(X509Certificate x509Certificate, Date date, HashMap hashMap) {
        List<X509Certificate> list = (List) hashMap.get(X509Util.getSubjectPrincipal(x509Certificate));
        if (list == null) {
            return null;
        }
        Principal issuerPrincipal = X509Util.getIssuerPrincipal(x509Certificate);
        PublicKey publicKey = x509Certificate.getPublicKey();
        for (X509Certificate x509Certificate2 : list) {
            if (!x509Certificate2.equals(x509Certificate) && X509Util.getIssuerPrincipal(x509Certificate2).equals(issuerPrincipal) && x509Certificate2.getPublicKey().equals(publicKey)) {
                try {
                    x509Certificate2.checkValidity(date);
                    Trace.msgSecurityPrintln("trustdecider.check.gettrustedcert.find");
                    return x509Certificate2;
                } catch (Exception e) {
                    // Candidate not valid at the given date: skip it and try the next one.
                }
            }
        }
        return null;
    }

    /**
     * Looks up a trusted certificate whose subject equals the issuer of
     * {@code x509Certificate} and that is valid at {@code date}.
     *
     * <p>NOTE(review): the match is by issuer name only and the first valid candidate wins;
     * no signature check is done here. If several trusted certificates share that subject,
     * the one returned may not hold the key that signed {@code x509Certificate}.
     *
     * @param x509Certificate certificate whose issuer is wanted
     * @param date            date at which the issuer certificate must be valid
     * @param hashMap         trusted-certificate map keyed by subject principal
     * @return the first valid candidate, or {@code null} if none qualifies
     */
    private static X509Certificate getTrustedIssuerCertificate(X509Certificate x509Certificate, Date date, HashMap hashMap) {
        List<X509Certificate> list = (List) hashMap.get(X509Util.getIssuerPrincipal(x509Certificate));
        if (list == null) {
            return null;
        }
        for (X509Certificate x509Certificate2 : list) {
            try {
                x509Certificate2.checkValidity(date);
                Trace.msgSecurityPrintln("trustdecider.check.gettrustedissuercert.find");
                return x509Certificate2;
            } catch (Exception e) {
                // Candidate not valid at the given date: skip it and try the next one.
            }
        }
        return null;
    }

    /**
     * Reports whether {@code certificate} verifies against the public key of
     * {@code certificate2}.
     *
     * <p>Every exception, including one caused by a {@code null} argument, is reported as
     * {@code false}. Only the signature is checked: no validity period, key usage or trust
     * anchoring is checked here.
     *
     * @param certificate  certificate whose signature is checked
     * @param certificate2 candidate signer
     * @return {@code true} if verification succeeds, {@code false} otherwise
     */
    public static boolean isSigner(Certificate certificate, Certificate certificate2) {
        try {
            certificate.verify(certificate2.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }
}
