package com.sun.javaws.security;

import com.ibm.security.util.DerInputStream;
import com.ibm.security.util.DerValue;
import com.ibm.security.x509.NetscapeCertTypeExtension;
import com.sun.javaws.debug.Debug;
import com.sun.javaws.debug.Globals;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.Vector;

/* loaded from: input_file:efixes/PK01142_nd_linux_i386/components/prereq.jdk/update.jar:/java/jre/javaws/javaws.jar:com/sun/javaws/security/SunSecurityUtil.class */
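/**
 * Static helpers that walk a code-signing certificate chain and apply the
 * extension checks visible below: basic constraints, key usage, extended key
 * usage and the Netscape cert-type extension, followed by issuer/subject
 * linkage and signature verification against the next certificate.
 *
 * <p>Nothing in this class checks certificate validity dates or revocation
 * status. NOTE(review): confirm that callers enforce both before relying on a
 * normal return from {@link #checkTrustedChain(Certificate[])}.
 */
public class SunSecurityUtil {
    private static final String OID_BASIC_CONSTRAINTS = "2.5.29.19";
    private static final String OID_KEY_USAGE = "2.5.29.15";
    private static final String OID_EXTENDED_KEY_USAGE = "2.5.29.37";
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";
    private static final String OID_EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    private static final String OID_EKU_ANY_USAGE = "2.5.29.37.0";
    private static final String NSCT_OBJECT_SIGNING_CA = "object_signing_ca";
    private static final String NSCT_OBJECT_SIGNING = "object_signing";
    private static final String NSCT_SSL_CA = "ssl_ca";
    private static final String NSCT_S_MIME_CA = "s_mime_ca";

    // Positions in the boolean[] returned by X509Certificate.getKeyUsage().
    private static final int KU_DIGITAL_SIGNATURE = 0;
    private static final int KU_KEY_CERT_SIGN = 5;

    /**
     * Returns the leading certificate marker; this implementation returns an
     * empty string.
     */
    public static String getBeginCert() {
        return "";
    }

    /**
     * Returns the trailing certificate marker; this implementation returns an
     * empty string.
     */
    public static String getEndCert() {
        return "";
    }

    /**
     * Validates a certificate chain, element 0 being treated as the signing
     * (leaf) certificate and every later element as a CA certificate.
     *
     * <p>The walk stops at the first element that
     * {@code KeyStoreManager.isCertificateTrusted} accepts; that element and
     * everything after it are not examined. Each element before it must pass
     * {@code checkExtensions}, must name the next element's subject as its
     * issuer, and must verify under the next element's public key. The last
     * element is compared with itself, so it has to be self-issued and
     * self-signed.
     *
     * <p>NOTE(review): the method also returns normally when the array is
     * empty, and when no element is trusted but the chain ends in a
     * self-signed certificate. A normal return therefore does not by itself
     * show that the chain is anchored in the trust store; confirm that callers
     * make that decision separately.
     *
     * @param certificateArr the chain, leaf first; every element examined must
     *     be an {@link X509Certificate}; a null array is not handled here
     * @throws CertificateException if an extension check, the issuer/subject
     *     linkage or a signature verification fails; any other exception
     *     raised during those steps is replaced by a CertificateException
     *     carrying a fixed message
     */
    public static void checkTrustedChain(Certificate[] certificateArr) throws CertificateException {
        int i = 0;
        while (i < certificateArr.length && !KeyStoreManager.isCertificateTrusted(certificateArr[i])) {
            try {
                X509Certificate current = (X509Certificate) certificateArr[i];
                checkExtensions(current, i);
                // The final element has no successor, so it is checked against itself.
                int issuerIndex = i < certificateArr.length - 1 ? i + 1 : i;
                X509Certificate issuer = (X509Certificate) certificateArr[issuerIndex];
                if (!issuer.getSubjectDN().equals(current.getIssuerDN())) {
                    throw new CertificateException("Incomplete certificate chain");
                }
                try {
                    current.verify(issuer.getPublicKey());
                    i++;
                } catch (Exception e) {
                    // Reached only for failures of verify()/getPublicKey(); the trace
                    // text below nevertheless says "extensions".
                    if (Globals.TraceSecurity) {
                        Debug.println(new StringBuffer().append("exception checking extensions: ").append(e).toString());
                    }
                    if (!(e instanceof CertificateException)) {
                        throw new CertificateException("Invalid certificate chain");
                    }
                    throw ((CertificateException) e);
                }
            } catch (Exception e2) {
                // Also receives what the inner handler rethrows, so a signature
                // failure is traced twice when tracing is enabled.
                if (Globals.TraceSecurity) {
                    Debug.println(new StringBuffer().append("failed extension check: ").append(certificateArr[i]).toString());
                    Debug.println(new StringBuffer().append("exception was: ").append(e2).toString());
                }
                if (!(e2 instanceof CertificateException)) {
                    throw new CertificateException("failed extensions check");
                }
                throw ((CertificateException) e2);
            }
        }
        if (Globals.TraceSecurity) {
            Debug.println("certificate chain validated");
        }
    }

    /**
     * Runs the per-certificate extension checks and rejects the certificate if
     * any critical extension is left that none of the checks accounted for.
     *
     * @param x509Certificate the certificate to examine
     * @param i position in the chain; 0 selects the leaf rules, anything else
     *     the CA rules
     * @throws CertificateException if a check fails or an unhandled critical
     *     extension remains
     * @throws IOException if an extension value cannot be decoded
     */
    private static void checkExtensions(X509Certificate x509Certificate, int i) throws CertificateException, IOException {
        Set reported = x509Certificate.getCriticalExtensionOIDs();
        // Work on a private copy: the helpers remove OIDs as they handle them, and
        // the set handed back by the certificate may be unmodifiable or may be
        // state the provider reuses on a later call.
        Set pendingCritical = reported == null ? new LinkedHashSet() : new LinkedHashSet(reported);
        checkBasicConstraints(x509Certificate, pendingCritical, i);
        if (i == 0) {
            checkLeafKeyUsage(x509Certificate, pendingCritical);
        } else {
            checkSignerKeyUsage(x509Certificate, pendingCritical);
        }
        if (!pendingCritical.isEmpty()) {
            throw new CertificateException(new StringBuffer().append("Certificate contains unknown critical extensions: ").append(pendingCritical).toString());
        }
    }

    /**
     * Checks that a non-leaf certificate is entitled to act as a CA.
     *
     * <p>The basic-constraints and Netscape cert-type OIDs are removed from
     * {@code set} in every case. The leaf ({@code i == 0}) gets no further
     * check here. A CA certificate without basic constraints is accepted only
     * if its Netscape cert type has the object-signing-CA bit; with basic
     * constraints present, it must be marked as a CA and its path length must
     * cover the {@code i - 1} CA certificates below it.
     *
     * @param x509Certificate the certificate to examine
     * @param set critical extension OIDs not yet accounted for; modified
     * @param i position in the chain
     * @throws CertificateException if the certificate may not act as a CA here
     * @throws IOException if the Netscape cert-type value cannot be decoded
     */
    private static void checkBasicConstraints(X509Certificate x509Certificate, Set set, int i) throws CertificateException, IOException {
        set.remove(OID_BASIC_CONSTRAINTS);
        set.remove(OID_NETSCAPE_CERT_TYPE);
        if (i == 0) {
            return;
        }
        boolean hasNetscapeCertType = x509Certificate.getExtensionValue(OID_NETSCAPE_CERT_TYPE) != null;
        if (x509Certificate.getExtensionValue(OID_BASIC_CONSTRAINTS) == null) {
            if (!hasNetscapeCertType) {
                throw new CertificateException("CA certificate does not include basic constraints extension or netscape cert type extension");
            }
            if (!getNetscapeCertTypeBit(x509Certificate, NSCT_OBJECT_SIGNING_CA)) {
                throw new CertificateException("Invalid Netscape CertType extension");
            }
            return;
        }
        // A cert type limited to SSL or S/MIME CA use, without the
        // object-signing CA bit, rules the certificate out for this purpose.
        if (hasNetscapeCertType
                && (getNetscapeCertTypeBit(x509Certificate, NSCT_SSL_CA) || getNetscapeCertTypeBit(x509Certificate, NSCT_S_MIME_CA))
                && !getNetscapeCertTypeBit(x509Certificate, NSCT_OBJECT_SIGNING_CA)) {
            throw new CertificateException("Invalid Netscape CertType extension");
        }
        int pathLength = x509Certificate.getBasicConstraints();
        if (pathLength < 0) {
            throw new CertificateException("End user tried to act as a CA");
        }
        if (i - 1 > pathLength) {
            throw new CertificateException("Violated path length constraints");
        }
    }

    /**
     * Checks that the leaf certificate may be used for code signing.
     *
     * <p>A missing key-usage extension is accepted; a present one must have
     * digitalSignature set. Extended key usage is enforced only when that
     * extension is marked critical (its OID is still in {@code set}); a
     * non-critical extended key usage is not evaluated. A Netscape cert type,
     * if present, must have the object-signing bit.
     *
     * @param x509Certificate the leaf certificate
     * @param set critical extension OIDs not yet accounted for; modified
     * @throws CertificateException if a usage restriction forbids signing
     * @throws IOException if an extension value cannot be decoded
     */
    private static void checkLeafKeyUsage(X509Certificate x509Certificate, Set set) throws CertificateException, IOException {
        set.remove(OID_KEY_USAGE);
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage != null) {
            if (keyUsage.length == 0) {
                throw new CertificateException("Invalid key usage extension.");
            }
            if (!keyUsage[KU_DIGITAL_SIGNATURE]) {
                throw new CertificateException("Wrong key usage. Expected digitalSignature.");
            }
        }
        List extendedKeyUsage = getExtendedKeyUsage(x509Certificate);
        // The criticality test has to run before the OID is removed below.
        if (extendedKeyUsage != null
                && set.contains(OID_EXTENDED_KEY_USAGE)
                && !extendedKeyUsage.contains(OID_EKU_ANY_USAGE)
                && !extendedKeyUsage.contains(OID_EKU_CODE_SIGNING)) {
            throw new CertificateException("Extended key usage does not permit use");
        }
        set.remove(OID_EXTENDED_KEY_USAGE);
        if (x509Certificate.getExtensionValue(OID_NETSCAPE_CERT_TYPE) != null && !getNetscapeCertTypeBit(x509Certificate, NSCT_OBJECT_SIGNING)) {
            throw new CertificateException("Invalid Netscape CertType extension");
        }
    }

    /**
     * Checks that a CA certificate may sign other certificates.
     *
     * <p>A missing key-usage extension is accepted; a present one must have
     * keyCertSign set. A critical extended key usage must list
     * anyExtendedKeyUsage; a non-critical one is not evaluated.
     *
     * @param x509Certificate the CA certificate
     * @param set critical extension OIDs not yet accounted for; modified
     * @throws CertificateException if a usage restriction forbids signing
     * @throws IOException if the extended key usage cannot be decoded
     */
    private static void checkSignerKeyUsage(X509Certificate x509Certificate, Set set) throws CertificateException, IOException {
        set.remove(OID_KEY_USAGE);
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage != null && (keyUsage.length <= KU_KEY_CERT_SIGN || !keyUsage[KU_KEY_CERT_SIGN])) {
            throw new CertificateException("Wrong key usage: expect keyCertSign");
        }
        List extendedKeyUsage = getExtendedKeyUsage(x509Certificate);
        // The criticality test has to run before the OID is removed below.
        if (extendedKeyUsage != null && set.contains(OID_EXTENDED_KEY_USAGE) && !extendedKeyUsage.contains(OID_EKU_ANY_USAGE)) {
            throw new CertificateException("Extended key usage in CA certificates must include anyExtendedKeyUsage");
        }
        set.remove(OID_EXTENDED_KEY_USAGE);
    }

    /**
     * Decodes the extended-key-usage extension into a list of OID strings.
     *
     * @param x509Certificate the certificate to read
     * @return the OIDs as strings in encoded order, or {@code null} when the
     *     certificate has no extended-key-usage extension
     * @throws CertificateException declared for callers; not thrown directly here
     * @throws IOException if the extension value cannot be decoded
     */
    private static List getExtendedKeyUsage(X509Certificate x509Certificate) throws CertificateException, IOException {
        byte[] extensionValue = x509Certificate.getExtensionValue(OID_EXTENDED_KEY_USAGE);
        if (extensionValue == null) {
            return null;
        }
        // getExtensionValue() hands back the value wrapped in an OCTET STRING.
        DerValue usages = new DerValue(new DerInputStream(extensionValue).getOctetString());
        List oids = new ArrayList();
        while (usages.getData().available() != 0) {
            oids.add(usages.getData().getDerValue().getOID().toString());
        }
        return oids;
    }

    /**
     * Reads one named bit of the Netscape cert-type extension.
     *
     * @param x509Certificate the certificate to read
     * @param str the bit name understood by {@code NetscapeCertTypeExtension}
     * @return the bit's value, or {@code false} when the extension is absent
     * @throws CertificateException declared for callers; not thrown directly here
     * @throws IOException if the extension value cannot be decoded
     */
    private static boolean getNetscapeCertTypeBit(X509Certificate x509Certificate, String str) throws CertificateException, IOException {
        byte[] extensionValue = x509Certificate.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
        if (extensionValue == null) {
            return false;
        }
        byte[] certTypeBits = new DerValue(new DerInputStream(extensionValue).getOctetString()).getUnalignedBitString().toByteArray();
        NetscapeCertTypeExtension certType = new NetscapeCertTypeExtension(certTypeBits);
        return ((Boolean) certType.get(str)).booleanValue();
    }
}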
