package com.sun.deploy.security;

import com.sun.deploy.config.Config;
import com.sun.deploy.config.SecuritySettings;
import com.sun.deploy.security.RevocationChecker;
import com.sun.deploy.trace.Trace;
import java.io.IOException;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertificateException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:jre/lib/deploy.jar:com/sun/deploy/security/RevocationCheckHelper.class */
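/**
 * Reads the deployment configuration for TLS certificate revocation checking (CRL and OCSP)
 * and runs the check for a certificate chain through {@link RevocationChecker}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Both CRL and OCSP checking are off when the configured revocation check type equals
 *       {@code Config.NO_CERTIFICATES_CHECK}, regardless of the individual CRL/OCSP switches.</li>
 *   <li>With the best-effort setting on, a {@code RevocationChecker.StatusUnknownException} is
 *       tolerated (soft-fail): the chain is accepted and only the returned flag records it.</li>
 *   <li>A configured CRL that cannot be fetched or parsed leaves {@code crl509} as {@code null};
 *       construction does not fail.</li>
 *   <li>A chain whose check completed without an unknown status is recorded in a session store
 *       and is not re-checked while that entry exists.</li>
 * </ul>
 *
 * <p>The decompiler reports that this class and its non-private members were package-private
 * in the original and were widened to {@code public} in this listing.
 */
public class RevocationCheckHelper {
    private final boolean crlCheck;
    private final boolean ocspCheck;
    private final String ocspSigner;
    private final String ocspURL;
    // True only when both an OCSP signer and an OCSP URL are configured and non-empty.
    private final boolean ocspValidConfig;
    // CRL fetched once at construction time; null when CRL checking is off or the fetch failed.
    private final X509CRL crl509;
    // When true, an "unknown" revocation status does not reject the chain.
    private final boolean bestEffort;
    private final String timeout;
    private final String clockSkew;
    private volatile boolean sessionStoreLoaded;
    private final Object sessionStoreLock = new Object();
    private final CertStore sessionStore = new SessionCertStore("RevocationCheckHelper");
    private final String revType = Config.getStringProperty(Config.SEC_TLS_REVOCATION_CHECK_TYPE_KEY);

    /**
     * Snapshots the revocation settings from {@link Config} and {@link SecuritySettings}.
     *
     * <p>When CRL checking is enabled this also fetches the configured CRL, so construction
     * may perform network I/O.
     */
    public RevocationCheckHelper() {
        // Field initializers run before this body, so revType is already set here.
        boolean revocationEnabled = !this.revType.equals(Config.NO_CERTIFICATES_CHECK);
        this.timeout = Config.getStringProperty(Config.SEC_TLS_USE_VALIDATION_TIMEOUT_KEY);
        this.clockSkew = Config.getStringProperty(Config.SEC_TLS_USE_VALIDATION_CLOCK_SKEW_KEY);
        this.crlCheck = revocationEnabled && Config.getBooleanProperty(Config.SEC_TLS_USE_VALIDATION_CRL_KEY);
        this.crl509 = this.crlCheck ? retrieveCRL(Config.getStringProperty(Config.SEC_TLS_USE_VALIDATION_CRL_URL_KEY)) : null;
        this.ocspCheck = revocationEnabled && Config.getBooleanProperty(Config.SEC_TLS_USE_VALIDATION_OCSP_KEY);
        this.ocspSigner = this.ocspCheck ? Config.getStringProperty(Config.SEC_TLS_USE_VALIDATION_OCSP_SIGNER_KEY) : null;
        this.ocspURL = this.ocspCheck ? Config.getStringProperty(Config.SEC_TLS_USE_VALIDATION_OCSP_URL_KEY) : null;
        this.ocspValidConfig = this.ocspSigner != null && this.ocspSigner.length() > 0 && this.ocspURL != null && this.ocspURL.length() > 0;
        this.bestEffort = SecuritySettings.getManagedBooleanValue(Config.SEC_TLS_REVOCATION_BEST_EFFORT_KEY);
    }

    /**
     * Downloads and parses an X.509 CRL from the given URL inside a privileged action.
     *
     * <p>The body of the privileged action was rebuilt from the decompiler's fallback register
     * listing; the decompiled stub only threw {@code UnsupportedOperationException}.
     *
     * <p>Failure handling is fail-open: a checked exception raised while connecting, reading or
     * parsing is passed to {@code Trace.ignored} and the method returns {@code null}.
     *
     * @param str the CRL location; {@code null} or empty means no CRL is fetched
     * @return the parsed CRL, or {@code null} when no URL was given or the fetch failed
     */
    public static X509CRL retrieveCRL(final String str) {
        // One-element array so the anonymous class can hand the result back.
        final X509CRL[] holder = new X509CRL[1];
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    if (str == null || str.length() <= 0) {
                        return null;
                    }
                    java.security.cert.CertificateFactory factory = java.security.cert.CertificateFactory.getInstance("X509");
                    // NOTE(review): any scheme java.net.URL accepts is opened here with the
                    // caller's full privileges; consider restricting the allowed schemes.
                    java.net.URLConnection connection = new java.net.URL(str).openConnection();
                    connection.setDoInput(true);
                    connection.setUseCaches(false);
                    // NOTE(review): no connect/read timeout is set, so a stalled server can
                    // block the caller indefinitely.
                    java.io.DataInputStream in = null;
                    try {
                        in = new java.io.DataInputStream(connection.getInputStream());
                        // generateCRL only parses; the CRL signature is not verified here —
                        // presumably RevocationChecker does that; confirm.
                        holder[0] = (X509CRL) factory.generateCRL(in);
                    } finally {
                        if (in != null) {
                            in.close();
                        }
                    }
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // NOTE(review): a failed CRL download is silently tolerated; surfacing it in the
            // security trace would make the fail-open state visible to operators.
            Trace.ignored(e);
        }
        return holder[0];
    }

    /**
     * Runs the configured revocation checks for a certificate chain.
     *
     * <p>A {@code false} result does not distinguish "checked and good" from "not checked":
     * it is also returned when checking is disabled, skipped for the Java version, or answered
     * from the session store.
     *
     * @param x509CertificateArr the chain to check; element 0 is used as the session-store key
     * @param x509Certificate certificate handed to {@link RevocationChecker} unchanged
     * @param str second key component for the session store (presumably a host name — confirm)
     * @param list certificates used as PKIX trust anchors
     * @param lazyRootStore store queried for the OCSP responder certificate
     * @param zArr per-certificate flag forwarded to {@code RevocationChecker.check}
     * @return {@code true} when at least one certificate's status was unknown and tolerated
     *     under the best-effort setting; {@code false} otherwise
     * @throws CertificateException when a certificate is rejected, or wrapping any I/O, key
     *     store or algorithm failure raised during the check
     */
    public boolean checkRevocationStatus(X509Certificate[] x509CertificateArr, X509Certificate x509Certificate, String str, List list, LazyRootStore lazyRootStore, boolean[] zArr) throws CertificateException {
        // Every infrastructure failure is logged and converted to CertificateException, so
        // callers see a single rejection path (fail-closed for these errors).
        try {
            return doRevocationCheck(x509CertificateArr, x509Certificate, str, list, lazyRootStore, zArr);
        } catch (IOException e) {
            Trace.printException(e);
            throw new CertificateException(e);
        } catch (InvalidAlgorithmParameterException e) {
            Trace.printException(e);
            throw new CertificateException(e);
        } catch (KeyStoreException e) {
            Trace.printException(e);
            throw new CertificateException(e);
        } catch (NoSuchAlgorithmException e) {
            Trace.printException(e);
            throw new CertificateException(e);
        }
    }

    /**
     * Applies the enable/version/cache short-circuits, builds the PKIX parameters from the
     * trust anchors and delegates to the per-certificate check.
     */
    private boolean doRevocationCheck(X509Certificate[] x509CertificateArr, X509Certificate x509Certificate, String str, List list, LazyRootStore lazyRootStore, boolean[] zArr) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        if (!this.ocspCheck && !this.crlCheck) {
            Trace.msgSecurityPrintln("Revocation check disabled");
            return false;
        }
        if (!Config.isJavaVersionAtLeast17()) {
            Trace.msgSecurityPrintln("Revocation check skipped: Java version < 1.7");
            return false;
        }
        // Reject an empty chain explicitly instead of failing on the [0] access below.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("Empty certificate chain");
        }
        // NOTE(review): as decompiled, the lock is held across the whole check, including any
        // network I/O done by RevocationChecker; the original scope may have been narrower.
        synchronized (this.sessionStoreLock) {
            if (!this.sessionStoreLoaded) {
                this.sessionStore.load();
                this.sessionStoreLoaded = true;
            }
            // A chain already recorded as checked is not re-validated.
            if (this.sessionStore.contains(x509CertificateArr[0], str, false)) {
                return false;
            }
            HashSet<TrustAnchor> anchors = new HashSet<TrustAnchor>(list.size());
            for (Iterator it = list.iterator(); it.hasNext();) {
                anchors.add(new TrustAnchor((X509Certificate) it.next(), null));
            }
            // PKIXParameters rejects an empty anchor set with InvalidAlgorithmParameterException,
            // which the caller turns into a CertificateException.
            PKIXParameters params = new PKIXParameters(anchors);
            params.setDate(new Date());
            boolean statusUnknown = doRevocationCheck(x509CertificateArr, x509Certificate, params, zArr, lazyRootStore);
            if (!statusUnknown) {
                // Only chains with a definite result are cached; sessionStoreLock is already
                // held here, so no further synchronization is needed.
                this.sessionStore.add(x509CertificateArr[0], str, false);
            }
            return statusUnknown;
        }
    }

    /**
     * Checks every certificate of the chain with a single {@link RevocationChecker}.
     *
     * @return {@code true} when at least one status was unknown and the best-effort setting
     *     allowed the chain to pass anyway
     * @throws CertificateException when a check fails and is not a tolerated unknown status
     */
    private boolean doRevocationCheck(X509Certificate[] x509CertificateArr, X509Certificate x509Certificate, PKIXParameters pKIXParameters, boolean[] zArr, LazyRootStore lazyRootStore) throws CertificateException {
        // The flags array is indexed in step with the chain; reject a mismatch up front.
        if (zArr == null || zArr.length < x509CertificateArr.length) {
            throw new CertificateException("Flag array does not cover the certificate chain");
        }
        boolean statusUnknown = false;
        X509Certificate ocspResponderCert = null;
        if (this.ocspCheck && this.ocspValidConfig) {
            try {
                // The boolean result is discarded; presumably this call primes the store so
                // getOCSPCert() can return the signer's certificate — confirm.
                lazyRootStore.containSubject(this.ocspSigner);
                ocspResponderCert = lazyRootStore.getOCSPCert();
            } catch (Exception e) {
                // Lookup failure leaves the responder certificate null; the check continues.
                Trace.ignored(e);
            }
        }
        boolean serverCertOnly = this.revType.equals(Config.SERVER_CERTIFICATE_ONLY);
        RevocationChecker revocationChecker = new RevocationChecker(x509Certificate, pKIXParameters, this.ocspCheck, this.crlCheck, this.ocspURL, ocspResponderCert, serverCertOnly, this.crl509, null, this.timeout, this.clockSkew);
        // Walk the chain from its last element down to index 0.
        for (int i = x509CertificateArr.length - 1; i >= 0; i--) {
            try {
                revocationChecker.check(x509CertificateArr[i], zArr[i]);
            } catch (CertificateException e) {
                boolean tolerated = (e instanceof RevocationChecker.StatusUnknownException) && this.bestEffort;
                if (!tolerated) {
                    throw e;
                }
                // Soft-fail: remember that the status could not be determined and continue.
                statusUnknown = true;
                Trace.msgSecurityPrintln("Revocation Status Unknown");
                Trace.ignored(e);
            }
        }
        return statusUnknown;
    }
}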
