package sun.plugin.security;

import java.io.IOException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import sun.plugin.resources.ResourceHandler;
import sun.plugin.usability.Trace;
import sun.security.action.GetPropertyAction;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.x509.NetscapeCertTypeExtension;

/* loaded from: input_file:efixes/PK27564_Linux_i386/components/prereq.jdk/update.jar:/java/jre/lib/javaplugin.jar:sun/plugin/security/TrustDecider.class */
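/**
 * Decides whether signed code identified by a {@link CodeSource} is granted all permissions.
 *
 * <p>The decision walks each certificate chain attached to the code source, checks extensions
 * and signatures, then consults the root, permanent and session certificate stores and, where
 * needed, the user through {@code TrustDeciderDialog} or the browser through native calls.
 *
 * <p>This listing was recovered by a decompiler. Local variables the decompiler left undeclared
 * have been given explicit declarations and fail-closed initial values; see the notes inside
 * {@link #isAllPermissionGranted(CodeSource)}.
 */
public class TrustDecider {
    private static CertificateStore rootStore = new RootCACertificateStore();
    private static CertificateStore permanentStore = new PluginCertificateStore();
    private static CertificateStore sessionStore = new SessionCertificateStore();
    private static final String OID_BASIC_CONSTRAINTS = "2.5.29.19";
    private static final String OID_KEY_USAGE = "2.5.29.15";
    private static final String OID_EXTENDED_KEY_USAGE = "2.5.29.37";
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";
    private static final String OID_EKU_ANY_USAGE = "2.5.29.37.0";
    private static final String OID_EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    private static final String NSCT_OBJECT_SIGNING_CA = "object_signing_ca";
    private static final String NSCT_OBJECT_SIGNING = "object_signing";
    private static final String NSCT_SSL_CA = "ssl_ca";
    private static final String NSCT_S_MIME_CA = "s_mime_ca";

    // Dialog results as isAllPermissionGranted interprets them: 0 grants for the session,
    // 2 grants permanently, every other value is treated as a denial.
    private static final int DIALOG_GRANT_SESSION = 0;
    // NOTE(review): 1 is used here only as "neither 0 nor 2"; presumably it matches the
    // dialog's own deny code - confirm against TrustDeciderDialog.
    private static final int DIALOG_DENY = 1;
    private static final int DIALOG_GRANT_ALWAYS = 2;

    /**
     * Privileged action that shows the trust dialog for a code source's certificates and
     * returns the user's choice boxed as an {@link Integer}.
     */
    public static class PrivilegedBlockAction implements PrivilegedAction {
        Certificate[] certs;
        boolean rootCANotValid;
        boolean timeNotValid;

        /**
         * @param codeSource code source whose certificates are shown in the dialog
         * @param z          whether the root CA could not be validated
         * @param z2         whether a certificate in the chain is expired or not yet valid
         */
        PrivilegedBlockAction(CodeSource codeSource, boolean z, boolean z2) {
            this.certs = codeSource.getCertificates();
            this.rootCANotValid = z;
            this.timeNotValid = z2;
        }

        /** Shows the modal trust dialog and returns its result code. */
        @Override // java.security.PrivilegedAction
        public Object run() {
            return Integer.valueOf(new TrustDeciderDialog(this.certs, this.rootCANotValid, this.timeNotValid).DoModal());
        }
    }

    /** Replaces the three certificate stores with fresh instances. */
    public static void reset() {
        rootStore = new RootCACertificateStore();
        permanentStore = new PluginCertificateStore();
        sessionStore = new SessionCertificateStore();
    }

    /**
     * Decides whether the given code source is trusted with all permissions.
     *
     * <p>Unsigned code is denied unless the browser is Mozilla, in which case the native side
     * decides. For signed code each chain is checked link by link (validity period, extensions,
     * issuer name, signature). Outside Mozilla the first chain alone determines the result:
     * a leaf already present in the permanent or session store is trusted, otherwise the user
     * is asked. Under Mozilla each chain is handed to the native side until one is accepted.
     *
     * @param codeSource the code source to evaluate
     * @return {@code true} if all permissions are granted, {@code false} otherwise
     * @throws CertificateException if the chain cannot be encoded for root verification
     * @throws IOException if a certificate extension cannot be decoded
     */
    public static boolean isAllPermissionGranted(CodeSource codeSource) throws CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException, CertificateParsingException, CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException {
        Certificate[] certificates = codeSource.getCertificates();
        String url = codeSource.getLocation().toString();
        if (certificates == null) {
            if (isBrowserMozilla()) {
                return isAllPermissionGranted(codeSource, url, null, null, 0, null, 0, "");
            }
            return false;
        }
        rootStore.load();
        permanentStore.load();
        sessionStore.load();

        int chainStart = 0;
        int chainEnd = 0;
        while (chainEnd < certificates.length) {
            CertificateExpiredException expired = null;
            CertificateNotYetValidException notYetValid = null;
            int index = chainStart;
            while (index < certificates.length) {
                // Fail closed on a non-X.509 entry; the decompiled code dereferenced null here.
                if (!(certificates[index] instanceof X509Certificate)) {
                    return false;
                }
                X509Certificate cert = (X509Certificate) certificates[index];
                // The last (or last X.509) entry is compared against itself, so a self-signed
                // certificate ends the chain by running off the end of the array.
                X509Certificate issuer = (index + 1 < certificates.length && certificates[index + 1] instanceof X509Certificate)
                        ? (X509Certificate) certificates[index + 1]
                        : cert;
                // An invalid validity period does not reject the chain; it is only remembered
                // and later reported to the user through the dialog.
                try {
                    cert.checkValidity();
                } catch (CertificateExpiredException e) {
                    if (expired == null) {
                        expired = e;
                    }
                } catch (CertificateNotYetValidException e2) {
                    if (notYetValid == null) {
                        notYetValid = e2;
                    }
                }
                // Certificates found in the root store skip the extension checks.
                if (!rootStore.contains(cert)) {
                    // NOTE(review): the helpers remove OIDs from this set, so it must be
                    // mutable when non-null - confirm for the certificate provider in use.
                    Set<String> criticalOids = cert.getCriticalExtensionOIDs();
                    if (criticalOids == null) {
                        criticalOids = Collections.<String>emptySet();
                    }
                    if (!checkBasicConstraints(cert, criticalOids, index - chainStart)) {
                        return false;
                    }
                    if (index == chainStart) {
                        if (!checkLeafKeyUsage(cert, criticalOids)) {
                            return false;
                        }
                    } else if (!checkSignerKeyUsage(cert, criticalOids)) {
                        return false;
                    }
                    // Any critical extension the helpers did not recognise rejects the chain.
                    if (!criticalOids.isEmpty()) {
                        return false;
                    }
                }
                if (!isIssuerOf(cert, issuer)) {
                    break;
                }
                try {
                    cert.verify(issuer.getPublicKey());
                    index++;
                } catch (GeneralSecurityException e3) {
                    return false;
                }
            }
            chainEnd = index < certificates.length ? index + 1 : index;

            if (!isBrowserMozilla()) {
                boolean rootCaNotValid = false;
                if (!rootStore.verify(certificates[chainEnd - 1])) {
                    Trace.securityPrintln("JRE CA Root Verify failed, use IE Win32 APIs", 2);
                    byte[][] encodedChain = makeChain(certificates, chainStart, chainEnd);
                    if (encodedChain == null) {
                        throw new CertificateException("Unable to verify the certificate with root CA");
                    }
                    int[] lengths = encodedLengths(encodedChain);
                    // NOTE(review): signature and subject come from certificates[0], not from
                    // the leaf of the current chain; the two coincide here because this branch
                    // returns during the first chain.
                    X509Certificate first = (X509Certificate) certificates[0];
                    byte[] signature = first.getSignature();
                    String name = first.getSubjectDN().getName();
                    // Declared explicitly: the decompiler left this local undeclared. If the
                    // property lookup fails the platform is treated as non-Windows, which
                    // leaves the root unverified.
                    boolean isWindows = false;
                    try {
                        isWindows = ((String) AccessController.doPrivileged(new GetPropertyAction("os.name"))).indexOf("Windows") != -1;
                    } catch (Exception e4) {
                        Trace.printException(e4);
                    }
                    boolean verifiedByIe = isWindows && isRootVerifiedByIE(codeSource, url, encodedChain, lengths, encodedChain.length, signature, signature.length, name);
                    if (!verifiedByIe) {
                        rootCaNotValid = true;
                    }
                }
                // NOTE(review): a leaf already in the permanent or session store is trusted
                // here without a dialog, even when the root is unverified or a certificate's
                // validity period has lapsed.
                if (permanentStore.contains(certificates[chainStart]) || sessionStore.contains(certificates[chainStart])) {
                    return true;
                }
                boolean timeNotValid = expired != null || notYetValid != null;
                int choice = showSecurityDialog(codeSource, rootCaNotValid, timeNotValid);
                // Starts as false so a denial can never inherit the result of the IE root
                // check; the decompiled listing reused one undeclared local for both values.
                boolean granted = false;
                if (choice == DIALOG_GRANT_SESSION) {
                    Trace.securityPrintln(ResourceHandler.getMessage("trustdecider.user.grant.session"), 2);
                    sessionStore.add(certificates[chainStart]);
                    sessionStore.save();
                    granted = true;
                } else if (choice == DIALOG_GRANT_ALWAYS) {
                    Trace.securityPrintln(ResourceHandler.getMessage("trustdecider.user.grant.forever"), 2);
                    permanentStore.add(certificates[chainStart]);
                    permanentStore.save();
                    granted = true;
                } else {
                    Trace.securityPrintln(ResourceHandler.getMessage("trustdecider.user.deny"), 2);
                }
                return granted;
            }

            // Mozilla: hand the DER-encoded chain to the native side, one chain at a time.
            byte[][] encodedChain = makeChain(certificates, chainStart, chainEnd);
            if (encodedChain != null) {
                int[] lengths = encodedLengths(encodedChain);
                X509Certificate first = (X509Certificate) certificates[0];
                byte[] signature = first.getSignature();
                if (isAllPermissionGranted(codeSource, url, encodedChain, lengths, encodedChain.length, signature, signature.length, first.getSubjectDN().getName())) {
                    return true;
                }
            }
            chainStart = chainEnd;
        }
        return false;
    }

    /** Returns the length of each encoded certificate in {@code encodedChain}. */
    private static int[] encodedLengths(byte[][] encodedChain) {
        int[] lengths = new int[encodedChain.length];
        for (int k = 0; k < encodedChain.length; k++) {
            lengths[k] = encodedChain[k].length;
        }
        return lengths;
    }

    /**
     * Checks that a certificate at position {@code i} above the leaf may act as a CA for code
     * signing, and marks the basic-constraints and Netscape cert-type extensions as handled.
     *
     * @param x509Certificate certificate to check
     * @param set             critical extension OIDs still unhandled; modified in place
     * @param i               distance from the leaf (0 for the leaf, which always passes)
     * @return {@code true} if the certificate is acceptable at this position
     */
    private static boolean checkBasicConstraints(X509Certificate x509Certificate, Set<String> set, int i) throws CertificateException, IOException {
        set.remove(OID_BASIC_CONSTRAINTS);
        set.remove(OID_NETSCAPE_CERT_TYPE);
        if (i == 0) {
            return true;
        }
        boolean hasBasicConstraints = x509Certificate.getExtensionValue(OID_BASIC_CONSTRAINTS) != null;
        boolean hasNetscapeType = x509Certificate.getExtensionValue(OID_NETSCAPE_CERT_TYPE) != null;
        if (!hasBasicConstraints) {
            // Without basic constraints only the Netscape object-signing-CA bit qualifies.
            return hasNetscapeType && getNetscapeCertTypeBit(x509Certificate, NSCT_OBJECT_SIGNING_CA);
        }
        if (hasNetscapeType) {
            boolean anyCaBit = getNetscapeCertTypeBit(x509Certificate, NSCT_SSL_CA)
                    || getNetscapeCertTypeBit(x509Certificate, NSCT_S_MIME_CA)
                    || getNetscapeCertTypeBit(x509Certificate, NSCT_OBJECT_SIGNING_CA);
            // If any Netscape CA bit is set, the object-signing-CA bit must be among them.
            if (anyCaBit && !getNetscapeCertTypeBit(x509Certificate, NSCT_OBJECT_SIGNING_CA)) {
                return false;
            }
        }
        // A negative value is rejected; otherwise the value bounds the number of
        // certificates between this one and the leaf.
        int basicConstraints = x509Certificate.getBasicConstraints();
        return basicConstraints >= 0 && i - 1 <= basicConstraints;
    }

    /**
     * Checks that the leaf certificate is usable for code signing.
     *
     * @param x509Certificate leaf certificate
     * @param set             critical extension OIDs still unhandled; modified in place
     * @return {@code true} if key usage, extended key usage and Netscape type all permit it
     */
    private static boolean checkLeafKeyUsage(X509Certificate x509Certificate, Set<String> set) throws CertificateException, IOException {
        set.remove(OID_KEY_USAGE);
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        // Bit 0 is digitalSignature; an absent key-usage extension is accepted.
        if (keyUsage != null && (keyUsage.length == 0 || !keyUsage[0])) {
            return false;
        }
        List<String> extendedKeyUsage = getExtendedKeyUsage(x509Certificate);
        // NOTE(review): extended key usage is enforced only when the extension is critical;
        // a non-critical EKU that omits code signing is not rejected here.
        if (extendedKeyUsage != null && set.contains(OID_EXTENDED_KEY_USAGE)) {
            set.remove(OID_EXTENDED_KEY_USAGE);
            if (!extendedKeyUsage.contains(OID_EKU_ANY_USAGE) && !extendedKeyUsage.contains(OID_EKU_CODE_SIGNING)) {
                return false;
            }
        }
        return x509Certificate.getExtensionValue(OID_NETSCAPE_CERT_TYPE) == null || getNetscapeCertTypeBit(x509Certificate, NSCT_OBJECT_SIGNING);
    }

    /**
     * Checks that a non-leaf certificate is allowed to sign other certificates.
     *
     * @param x509Certificate signer certificate
     * @param set             critical extension OIDs still unhandled; modified in place
     * @return {@code true} if key usage and extended key usage permit certificate signing
     */
    private static boolean checkSignerKeyUsage(X509Certificate x509Certificate, Set<String> set) throws CertificateException, IOException {
        set.remove(OID_KEY_USAGE);
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        // Bit 5 is keyCertSign; an absent key-usage extension is accepted.
        if (keyUsage != null && (keyUsage.length < 6 || !keyUsage[5])) {
            return false;
        }
        List<String> extendedKeyUsage = getExtendedKeyUsage(x509Certificate);
        // As for the leaf, EKU is only enforced when it is marked critical.
        if (extendedKeyUsage == null || !set.contains(OID_EXTENDED_KEY_USAGE)) {
            return true;
        }
        set.remove(OID_EXTENDED_KEY_USAGE);
        return extendedKeyUsage.contains(OID_EKU_ANY_USAGE);
    }

    /**
     * Reads one named bit from the certificate's Netscape cert-type extension.
     *
     * @return the bit's value, or {@code false} when the extension is absent
     */
    private static boolean getNetscapeCertTypeBit(X509Certificate x509Certificate, String str) throws CertificateException, IOException {
        byte[] extensionValue = x509Certificate.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
        if (extensionValue == null) {
            return false;
        }
        // The extension value is an OCTET STRING wrapping a DER BIT STRING.
        byte[] bits = new DerValue(new DerInputStream(extensionValue).getOctetString()).getUnalignedBitString().toByteArray();
        return ((Boolean) new NetscapeCertTypeExtension(bits).get(str)).booleanValue();
    }

    /**
     * Decodes the extended-key-usage extension into a list of OID strings.
     *
     * @return the OIDs in encoding order, or {@code null} when the extension is absent
     */
    private static List<String> getExtendedKeyUsage(X509Certificate x509Certificate) throws CertificateException, IOException {
        byte[] extensionValue = x509Certificate.getExtensionValue(OID_EXTENDED_KEY_USAGE);
        if (extensionValue == null) {
            return null;
        }
        DerValue derValue = new DerValue(new DerInputStream(extensionValue).getOctetString());
        List<String> oids = new ArrayList<String>();
        while (derValue.data.available() != 0) {
            oids.add(derValue.data.getDerValue().getOID().toString());
        }
        return oids;
    }

    private static native boolean isBrowserMozilla();

    private static native boolean isAllPermissionGranted(CodeSource codeSource, String str, byte[][] bArr, int[] iArr, int i, byte[] bArr2, int i2, String str2);

    private static native boolean isRootVerifiedByIE(CodeSource codeSource, String str, byte[][] bArr, int[] iArr, int i, byte[] bArr2, int i2, String str2);

    /**
     * Encodes the certificates in {@code [i, i2)} for the native verification calls.
     *
     * @return one encoded certificate per entry, or {@code null} when the range is empty
     * @throws CertificateEncodingException if a certificate cannot be encoded
     */
    private static byte[][] makeChain(Certificate[] certificateArr, int i, int i2) throws CertificateEncodingException {
        if (i == i2) {
            return null;
        }
        byte[][] encoded = new byte[i2 - i][];
        for (int k = i; k < i2; k++) {
            encoded[k - i] = certificateArr[k].getEncoded();
        }
        return encoded;
    }

    /**
     * Compares names only: the issuer DN of the first certificate against the subject DN of
     * the second. The caller checks the signature separately.
     */
    private static boolean isIssuerOf(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        return x509Certificate.getIssuerDN().equals(x509Certificate2.getSubjectDN());
    }

    /**
     * Shows the trust dialog inside a privileged block and returns the user's choice.
     *
     * @param codeSource code source being evaluated
     * @param z          whether the root CA could not be validated
     * @param z2         whether a certificate is expired or not yet valid
     * @return the dialog result, or a denial code if the privileged action yields no result
     */
    static int showSecurityDialog(CodeSource codeSource, boolean z, boolean z2) {
        Integer num = (Integer) AccessController.doPrivileged(new PrivilegedBlockAction(codeSource, z, z2));
        // A missing result is treated as a denial. The listing defaulted to 2, which
        // isAllPermissionGranted reads as "grant permanently".
        if (num == null) {
            return DIALOG_DENY;
        }
        return num.intValue();
    }
}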
