package sun.plugin.security;

import com.ibm.security.util.DerInputStream;
import com.ibm.security.util.DerValue;
import com.ibm.security.x509.NetscapeCertTypeExtension;
import java.io.IOException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import sun.plugin.resources.ResourceHandler;
import sun.plugin.usability.PluginSysAction;
import sun.plugin.usability.PluginSysUtil;
import sun.plugin.usability.Trace;

/* loaded from: input_file:efixes/PQ88973_aix/components/prereq.jdk/update.jar:/java/jre/lib/javaplugin.jar:sun/plugin/security/TrustDecider.class */
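/**
 * Decides whether the signer chain(s) attached to a {@link CodeSource} are
 * trusted enough to grant the signed code all permissions.
 *
 * <p>Four certificate stores take part in the decision: the root CA store,
 * the permanent (accepted "forever") store, the session store and the denied
 * store. A chain whose leaf is already in the permanent or session store is
 * trusted without further checks; a chain whose leaf is in the denied store is
 * never shown to the user again. Every other chain is validated (issuer
 * linkage, signature, validity period, basic constraints, key usage,
 * extended key usage and Netscape cert-type bits) and the user is then asked
 * through {@code TrustDeciderDialog}.
 *
 * <p>The dialog answer is an {@code int}: {@link #DIALOG_GRANT_SESSION},
 * {@link #DIALOG_GRANT_ALWAYS} or anything else (normally
 * {@link #DIALOG_DENY}) for deny. Any failure to show the dialog is treated
 * as deny, never as a grant.
 *
 * <p>Thread-safety: the static stores and {@link #trustedX500Principals} are
 * shared mutable state. Only {@link #getCertMap} is synchronized and readers
 * of the map are not, so concurrent use is not assumed to be safe.
 */
public class TrustDecider {
    private static CertificateStore rootStore = new RootCACertificateStore();
    private static CertificateStore permanentStore = new PluginCertificateStore();
    private static CertificateStore sessionStore = new SessionCertificateStore();
    private static CertificateStore deniedStore = new DeniedCertificateStore();
    // Subject X500Principal -> Collection of trusted X509Certificates with that
    // subject; rebuilt from the root store by getCertMap() on every decision.
    private static Map trustedX500Principals;
    private static final String OID_BASIC_CONSTRAINTS = "2.5.29.19";
    private static final String OID_KEY_USAGE = "2.5.29.15";
    private static final String OID_EXTENDED_KEY_USAGE = "2.5.29.37";
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";
    private static final String OID_EKU_ANY_USAGE = "2.5.29.37.0";
    private static final String OID_EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    private static final String NSCT_OBJECT_SIGNING_CA = "object_signing_ca";
    private static final String NSCT_OBJECT_SIGNING = "object_signing";
    private static final String NSCT_SSL_CA = "ssl_ca";
    private static final String NSCT_S_MIME_CA = "s_mime_ca";
    // Dialog answer codes as interpreted by isAllPermissionGranted().
    /** Trust the chain for the current session only. */
    private static final int DIALOG_GRANT_SESSION = 0;
    /** Do not trust the chain; also the fail-safe default when no answer is available. */
    private static final int DIALOG_DENY = 1;
    /** Trust the chain permanently. */
    private static final int DIALOG_GRANT_ALWAYS = 2;
    static Class class$sun$plugin$security$TrustDecider;

    /**
     * Privileged action that shows the trust dialog for the chain
     * {@code certs[start .. end-1]} and returns the user's answer as an
     * {@link Integer}.
     */
    public static class PrivilegedBlockAction implements PrivilegedAction {
        Certificate[] certs;
        int start;
        int end;
        boolean rootCANotValid;
        boolean timeNotValid;
        static final boolean $assertionsDisabled;

        /**
         * @param certificateArr the (canonicalized) certificate array
         * @param i index of the first certificate of the chain (the leaf)
         * @param i2 index one past the last certificate of the chain
         * @param z true when the chain does not end in a known root CA
         * @param z2 true when a certificate in the chain is expired or not yet valid
         */
        PrivilegedBlockAction(Certificate[] certificateArr, int i, int i2, boolean z, boolean z2) {
            this.certs = certificateArr;
            this.start = i;
            this.end = i2;
            this.rootCANotValid = z;
            this.timeNotValid = z2;
        }

        /**
         * Shows the dialog on the plugin system thread and returns its answer.
         *
         * @return the dialog answer boxed as an {@link Integer}; {@link #DIALOG_DENY}
         *         when the dialog could not be shown
         */
        @Override
        public Object run() {
            // Fail closed: if the dialog cannot be shown for any reason the
            // answer is "deny". A default of 0 here would be read by
            // isAllPermissionGranted() as "grant for this session".
            int answer = TrustDecider.DIALOG_DENY;
            try {
                answer = ((Integer) PluginSysUtil.execute(new PluginSysAction() {
                    @Override
                    public Object execute() throws Exception {
                        return Integer.valueOf(new TrustDeciderDialog(certs, start, end, rootCANotValid, timeNotValid).DoModal());
                    }
                })).intValue();
            } catch (Exception e) {
                // Surfaced when assertions are enabled; otherwise the deny
                // default above stands.
                if (!$assertionsDisabled) {
                    throw new AssertionError(e);
                }
            }
            return Integer.valueOf(answer);
        }

        static {
            Class cls;
            if (TrustDecider.class$sun$plugin$security$TrustDecider == null) {
                cls = TrustDecider.class$("sun.plugin.security.TrustDecider");
                TrustDecider.class$sun$plugin$security$TrustDecider = cls;
            } else {
                cls = TrustDecider.class$sun$plugin$security$TrustDecider;
            }
            $assertionsDisabled = !cls.desiredAssertionStatus();
        }
    }

    /** Replaces all four certificate stores with fresh, not yet loaded instances. */
    public static void reset() {
        rootStore = new RootCACertificateStore();
        permanentStore = new PluginCertificateStore();
        sessionStore = new SessionCertificateStore();
        deniedStore = new DeniedCertificateStore();
    }

    /**
     * Decides whether the code from {@code codeSource} is granted all permissions.
     *
     * <p>Pass 1 splits the certificate array into issuer-linked chains and
     * consults the stores for each chain's leaf: a leaf in the permanent or
     * session store grants immediately, a leaf in the denied store is
     * remembered so the user is not asked again. Pass 2 canonicalizes the
     * array against the root store, validates every remaining chain and asks
     * the user; the first chain the user accepts grants.
     *
     * @param codeSource the code source whose signers are examined
     * @return true when the code is granted all permissions
     * @throws CertificateException when a chain fails one of the validation
     *         checks (basic constraints, key usage, unknown critical extensions,
     *         signature)
     * @throws KeyStoreException  propagated from the root key store
     * @throws NoSuchAlgorithmException propagated from the stores
     * @throws IOException propagated from store loading and extension parsing
     */
    public static boolean isAllPermissionGranted(CodeSource codeSource) throws CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException, CertificateParsingException, CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException {
        Certificate[] certificates = codeSource.getCertificates();
        if (certificates == null) {
            return false;
        }
        rootStore.load();
        permanentStore.load();
        sessionStore.load();
        deniedStore.load();

        // Pass 1: one flag per chain recording whether its leaf was denied before.
        List<Boolean> deniedFlags = new ArrayList<Boolean>();
        int chainStart = 0;
        int chainEnd = 0;
        while (chainEnd < certificates.length) {
            // Extend the chain while each element is issued by the next one.
            int last = chainStart;
            while (last + 1 < certificates.length
                    && (certificates[last] instanceof X509Certificate)
                    && (certificates[last + 1] instanceof X509Certificate)
                    && isIssuerOf((X509Certificate) certificates[last], (X509Certificate) certificates[last + 1])) {
                last++;
            }
            chainEnd = last + 1;
            Certificate leaf = certificates[chainStart];
            if (deniedStore.contains(leaf)) {
                deniedFlags.add(Boolean.TRUE);
            } else {
                deniedFlags.add(Boolean.FALSE);
                if (permanentStore.contains(leaf) || sessionStore.contains(leaf)) {
                    return true;
                }
            }
            chainStart = chainEnd;
        }

        // Pass 2: validate each chain and ask the user.
        // Both warning flags are deliberately not reset between chains, so a
        // problem found in an earlier chain keeps being reported for later ones.
        boolean rootCANotValid = false;
        boolean timeNotValid = false;
        // Side effect: rebuilds trustedX500Principals from the root store so
        // canonicalize() can substitute and append trusted certificates.
        getCertMap(rootStore.getKeyStore());
        Certificate[] chain = canonicalize(certificates, new Date());
        int start = 0;
        int end = 0;
        int chainIndex = 0;
        while (end < chain.length) {
            CertificateExpiredException expired = null;
            CertificateNotYetValidException notYetValid = null;
            int pos = start;
            while (pos < chain.length) {
                X509Certificate cert = null;
                if (chain[pos] instanceof X509Certificate) {
                    cert = (X509Certificate) chain[pos];
                }
                // The issuer candidate is the next element; the last element
                // (or one followed by a non-X.509 entry) is compared with itself.
                X509Certificate issuer = (pos + 1 >= chain.length || !(chain[pos + 1] instanceof X509Certificate)) ? cert : (X509Certificate) chain[pos + 1];
                // Only the first validity problem of the chain is kept; it is
                // reported to the user through the dialog rather than thrown.
                try {
                    cert.checkValidity();
                } catch (CertificateExpiredException e) {
                    if (expired == null) {
                        expired = e;
                    }
                } catch (CertificateNotYetValidException e) {
                    if (notYetValid == null) {
                        notYetValid = e;
                    }
                }
                // Extension checks apply to every certificate that has an
                // issuer in the chain and is not itself a trusted root.
                if (!rootStore.contains(cert) && pos + 1 != chain.length && isIssuerOf(cert, issuer)) {
                    Set criticalOids = cert.getCriticalExtensionOIDs();
                    if (criticalOids == null) {
                        // The helpers' remove() calls are no-ops on the empty set.
                        criticalOids = Collections.EMPTY_SET;
                    }
                    if (!checkBasicConstraints(cert, criticalOids, pos - start)) {
                        Trace.securityPrintln("trustdecider.check.basicconstraints");
                        throw new CertificateException(ResourceHandler.getMessage("trustdecider.check.basicconstraints"));
                    }
                    if (pos == start) {
                        if (!checkLeafKeyUsage(cert, criticalOids)) {
                            Trace.securityPrintln("trustdecider.check.leafkeyusage");
                            throw new CertificateException(ResourceHandler.getMessage("trustdecider.check.leafkeyusage"));
                        }
                    } else if (!checkSignerKeyUsage(cert, criticalOids)) {
                        Trace.securityPrintln("trustdecider.check.signerkeyusage");
                        throw new CertificateException(ResourceHandler.getMessage("trustdecider.check.signerkeyusage"));
                    }
                    // Every critical extension must have been consumed by a check above.
                    if (!criticalOids.isEmpty()) {
                        Trace.securityPrintln("trustdecider.check.extensions");
                        throw new CertificateException(ResourceHandler.getMessage("trustdecider.check.extensions"));
                    }
                }
                if (!isIssuerOf(cert, issuer)) {
                    break;
                }
                try {
                    cert.verify(issuer.getPublicKey());
                    pos++;
                } catch (GeneralSecurityException e) {
                    Trace.securityPrintln("trustdecider.check.signature");
                    throw new CertificateException(ResourceHandler.getMessage("trustdecider.check.signature"));
                }
            }
            end = pos < chain.length ? pos + 1 : pos;
            // NOTE(review): chains are indexed by position in pass 1 over the
            // original array but here over the canonicalized one; confirm
            // the two splits always agree in count.
            if (!deniedFlags.get(chainIndex).booleanValue()) {
                if (!rootStore.verify(chain[end - 1])) {
                    rootCANotValid = true;
                }
                if (expired != null || notYetValid != null) {
                    timeNotValid = true;
                }
                int answer = showSecurityDialog(chain, start, end, rootCANotValid, timeNotValid);
                if (answer == DIALOG_GRANT_SESSION) {
                    Trace.msgSecurityPrintln("trustdecider.user.grant.session");
                    sessionStore.add(chain[start]);
                    sessionStore.save();
                    return true;
                }
                if (answer == DIALOG_GRANT_ALWAYS) {
                    Trace.msgSecurityPrintln("trustdecider.user.grant.forever");
                    permanentStore.add(chain[start]);
                    permanentStore.save();
                    return true;
                }
                Trace.msgSecurityPrintln("trustdecider.user.deny");
                deniedStore.add(chain[start]);
                deniedStore.save();
            }
            start = end;
            chainIndex++;
        }
        return false;
    }

    /**
     * Checks that a certificate at {@code depth} above the leaf is allowed to
     * act as a CA for that depth.
     *
     * <p>Consumes the basic-constraints and Netscape cert-type OIDs from
     * {@code criticalOids}. A certificate without basic constraints is accepted
     * only if its Netscape cert-type marks it an object-signing CA; one with
     * basic constraints must be a CA whose path length covers {@code depth - 1}
     * and must not carry a cert-type that names other CA roles without the
     * object-signing-CA bit.
     *
     * @param cert the certificate under test
     * @param criticalOids critical extension OIDs not yet accounted for (mutated)
     * @param depth number of certificates below {@code cert} in the chain; 0 for the leaf
     * @return true when the certificate passes
     * @throws CertificateException from the Netscape cert-type parser
     * @throws IOException from the Netscape cert-type parser
     */
    private static boolean checkBasicConstraints(X509Certificate cert, Set criticalOids, int depth) throws CertificateException, IOException {
        criticalOids.remove(OID_BASIC_CONSTRAINTS);
        criticalOids.remove(OID_NETSCAPE_CERT_TYPE);
        if (depth == 0) {
            // The leaf is not expected to be a CA.
            return true;
        }
        if (cert.getExtensionValue(OID_BASIC_CONSTRAINTS) == null) {
            if (cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE) == null) {
                Trace.securityPrintln("trustdecider.check.basicconstraints.extensionvalue");
                return false;
            }
            if (getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA)) {
                return true;
            }
            Trace.securityPrintln("trustdecider.check.basicconstraints.certtypebit");
            return false;
        }
        // A cert-type that claims an SSL or S/MIME CA role but not the
        // object-signing CA role disqualifies the certificate.
        if (cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE) != null
                && !getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA)
                && (getNetscapeCertTypeBit(cert, NSCT_SSL_CA) || getNetscapeCertTypeBit(cert, NSCT_S_MIME_CA))) {
            Trace.securityPrintln("trustdecider.check.basicconstraints.bitvalue");
            return false;
        }
        int pathLen = cert.getBasicConstraints();
        if (pathLen < 0) {
            // -1 means "not a CA".
            Trace.securityPrintln("trustdecider.check.basicconstraints.enduser");
            return false;
        }
        if (depth - 1 <= pathLen) {
            return true;
        }
        Trace.securityPrintln("trustdecider.check.basicconstraints.pathlength");
        return false;
    }

    /**
     * Checks the key-usage related extensions of the leaf (signing) certificate.
     *
     * <p>Consumes the key-usage OID, and the extended-key-usage OID when that
     * extension is present and critical. Requires the digitalSignature bit when
     * key usage is present, anyExtendedKeyUsage or codeSigning when a critical
     * extended key usage is present, and the Netscape object_signing bit when a
     * cert-type extension is present.
     *
     * @param cert the leaf certificate
     * @param criticalOids critical extension OIDs not yet accounted for (mutated)
     * @return true when the certificate passes
     * @throws CertificateException from the extended-key-usage or cert-type parsers
     * @throws IOException from the cert-type parser
     */
    private static boolean checkLeafKeyUsage(X509Certificate cert, Set criticalOids) throws CertificateException, IOException {
        criticalOids.remove(OID_KEY_USAGE);
        boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage != null) {
            if (keyUsage.length == 0) {
                Trace.securityPrintln("trustdecider.check.leafkeyusage.length");
                return false;
            }
            // Bit 0 is digitalSignature.
            if (!keyUsage[0]) {
                Trace.securityPrintln("trustdecider.check.leafkeyusage.digitalsignature");
                return false;
            }
        }
        List extendedKeyUsage = cert.getExtendedKeyUsage();
        if (extendedKeyUsage != null && criticalOids.contains(OID_EXTENDED_KEY_USAGE)) {
            criticalOids.remove(OID_EXTENDED_KEY_USAGE);
            if (!extendedKeyUsage.contains(OID_EKU_ANY_USAGE) && !extendedKeyUsage.contains(OID_EKU_CODE_SIGNING)) {
                Trace.securityPrintln("trustdecider.check.leafkeyusage.extkeyusageinfo");
                return false;
            }
        }
        if (cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE) == null || getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING)) {
            return true;
        }
        Trace.securityPrintln("trustdecider.check.leafkeyusage.certtypebit");
        return false;
    }

    /**
     * Checks the key-usage related extensions of an intermediate (issuing)
     * certificate.
     *
     * <p>Consumes the key-usage OID, and the extended-key-usage OID when that
     * extension is present and critical. Requires the keyCertSign bit when key
     * usage is present and anyExtendedKeyUsage when a critical extended key
     * usage is present.
     *
     * @param cert the issuing certificate
     * @param criticalOids critical extension OIDs not yet accounted for (mutated)
     * @return true when the certificate passes
     * @throws CertificateException from the extended-key-usage parser
     * @throws IOException declared for symmetry with the other checks
     */
    private static boolean checkSignerKeyUsage(X509Certificate cert, Set criticalOids) throws CertificateException, IOException {
        criticalOids.remove(OID_KEY_USAGE);
        boolean[] keyUsage = cert.getKeyUsage();
        // Bit 5 is keyCertSign.
        if (keyUsage != null && (keyUsage.length < 6 || !keyUsage[5])) {
            Trace.securityPrintln("trustdecider.check.signerkeyusage.lengthandbit");
            return false;
        }
        List extendedKeyUsage = cert.getExtendedKeyUsage();
        if (extendedKeyUsage == null || !criticalOids.contains(OID_EXTENDED_KEY_USAGE)) {
            return true;
        }
        criticalOids.remove(OID_EXTENDED_KEY_USAGE);
        if (extendedKeyUsage.contains(OID_EKU_ANY_USAGE)) {
            return true;
        }
        Trace.securityPrintln("trustdecider.check.signerkeyusage.keyusage");
        return false;
    }

    /**
     * Reads one named bit of the Netscape cert-type extension.
     *
     * @param cert the certificate carrying the extension
     * @param bitName the bit name understood by {@link NetscapeCertTypeExtension#get}
     * @return the bit value, or false when the extension is absent
     * @throws CertificateException when the extension value cannot be parsed
     * @throws IOException when the DER encoding cannot be read
     */
    private static boolean getNetscapeCertTypeBit(X509Certificate cert, String bitName) throws CertificateException, IOException {
        byte[] extensionValue = cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
        if (extensionValue == null) {
            return false;
        }
        // The extension value is an OCTET STRING wrapping a BIT STRING.
        byte[] bits = new DerValue(new DerInputStream(extensionValue).getOctetString()).getUnalignedBitString().toByteArray();
        return ((Boolean) new NetscapeCertTypeExtension(bits).get(bitName)).booleanValue();
    }

    /**
     * Returns true when {@code issuer} is named as the issuer of {@code subject}.
     * Compares X500Principals, like {@link #canonicalize}, rather than the
     * denigrated {@code getIssuerDN()}/{@code getSubjectDN()} principals.
     */
    private static boolean isIssuerOf(X509Certificate subject, X509Certificate issuer) {
        return subject.getIssuerX500Principal().equals(issuer.getSubjectX500Principal());
    }

    /**
     * Rebuilds {@link #trustedX500Principals} from the certificate entries of
     * {@code keyStore}; an absent key store yields an empty map.
     *
     * @param keyStore the root key store, may be null
     * @throws KeyStoreException propagated from the key store
     */
    private static synchronized void getCertMap(KeyStore keyStore) throws KeyStoreException {
        trustedX500Principals = new HashMap();
        if (keyStore == null) {
            return;
        }
        Enumeration aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = (String) aliases.nextElement();
            if (keyStore.isCertificateEntry(alias)) {
                Certificate certificate = keyStore.getCertificate(alias);
                if (certificate instanceof X509Certificate) {
                    addTrustedCert((X509Certificate) certificate);
                }
            }
        }
    }

    /** Files {@code cert} under its subject in {@link #trustedX500Principals}. */
    private static void addTrustedCert(X509Certificate cert) {
        X500Principal subject = cert.getSubjectX500Principal();
        Collection sameSubject = (Collection) trustedX500Principals.get(subject);
        if (sameSubject == null) {
            sameSubject = new ArrayList();
            trustedX500Principals.put(subject, sameSubject);
        }
        sameSubject.add(cert);
    }

    /**
     * Rewrites the certificate array against the trusted map: a certificate
     * with a trusted, currently valid twin (same subject, issuer and key) is
     * replaced by the twin, and a certificate whose issuer is neither itself
     * nor the next array element gets a trusted issuer certificate appended.
     *
     * @param certificateArr the signer certificates; every element must be an X509Certificate
     * @param date the instant at which the trusted certificates must be valid
     * @return a new array when anything changed, otherwise {@code certificateArr} itself
     * @throws CertificateException declared for the callers' benefit
     */
    private static Certificate[] canonicalize(Certificate[] certificateArr, Date date) throws CertificateException {
        if (certificateArr.length == 0) {
            return certificateArr;
        }
        ArrayList result = new ArrayList(certificateArr.length);
        boolean changed = false;
        for (int i = 0; i < certificateArr.length; i++) {
            X509Certificate current = (X509Certificate) certificateArr[i];
            X509Certificate replacement = getTrustedCertificate(current, date);
            if (replacement != null) {
                Trace.msgSecurityPrintln("trustdecider.check.canonicalize.updatecert");
                current = replacement;
                changed = true;
            }
            result.add(current);
            X509Certificate original = (X509Certificate) certificateArr[i];
            X500Principal subject = original.getSubjectX500Principal();
            X500Principal issuer = original.getIssuerX500Principal();
            X500Principal nextSubject = i < certificateArr.length - 1 ? ((X509Certificate) certificateArr[i + 1]).getSubjectX500Principal() : null;
            if (!issuer.equals(subject) && !issuer.equals(nextSubject)) {
                X509Certificate trustedIssuer = getTrustedIssuerCertificate(original, date);
                if (trustedIssuer != null) {
                    Trace.msgSecurityPrintln("trustdecider.check.canonicalize.missing");
                    changed = true;
                    result.add(trustedIssuer);
                }
            }
        }
        return changed ? (Certificate[]) result.toArray(new Certificate[result.size()]) : certificateArr;
    }

    /**
     * Finds a trusted certificate that is a different object from
     * {@code cert} but has the same subject, issuer and public key and is
     * valid at {@code date}.
     *
     * @return the trusted twin, or null when there is none
     */
    private static X509Certificate getTrustedCertificate(X509Certificate cert, Date date) {
        List<X509Certificate> candidates = (List) trustedX500Principals.get(cert.getSubjectX500Principal());
        if (candidates == null) {
            return null;
        }
        X500Principal issuer = cert.getIssuerX500Principal();
        PublicKey publicKey = cert.getPublicKey();
        for (X509Certificate candidate : candidates) {
            if (!candidate.equals(cert) && candidate.getIssuerX500Principal().equals(issuer) && candidate.getPublicKey().equals(publicKey)) {
                try {
                    candidate.checkValidity(date);
                    Trace.msgSecurityPrintln("trustdecider.check.gettrustedcert.find");
                    return candidate;
                } catch (CertificateException ignored) {
                    // Not valid at this date: keep looking for another twin.
                }
            }
        }
        return null;
    }

    /**
     * Finds a trusted certificate whose subject is the issuer of {@code cert}
     * and that is valid at {@code date}.
     *
     * @return the trusted issuer certificate, or null when there is none
     */
    private static X509Certificate getTrustedIssuerCertificate(X509Certificate cert, Date date) {
        List<X509Certificate> candidates = (List) trustedX500Principals.get(cert.getIssuerX500Principal());
        if (candidates == null) {
            return null;
        }
        for (X509Certificate candidate : candidates) {
            try {
                candidate.checkValidity(date);
                Trace.msgSecurityPrintln("trustdecider.check.gettrustedissuercert.find");
                return candidate;
            } catch (CertificateException ignored) {
                // Not valid at this date: keep looking for another issuer.
            }
        }
        return null;
    }

    /**
     * Shows the trust dialog for {@code certificateArr[i .. i2-1]} under
     * {@link AccessController#doPrivileged}.
     *
     * @return the dialog answer ({@link #DIALOG_GRANT_SESSION},
     *         {@link #DIALOG_GRANT_ALWAYS} or a deny value);
     *         {@link #DIALOG_DENY} when no answer was produced
     */
    static int showSecurityDialog(Certificate[] certificateArr, int i, int i2, boolean z, boolean z2) {
        Integer answer = (Integer) AccessController.doPrivileged(new PrivilegedBlockAction(certificateArr, i, i2, z, z2));
        // Fail closed when the action produced no answer.
        return answer == null ? DIALOG_DENY : answer.intValue();
    }

    /** Compiler-generated class-literal helper kept for the nested class's static initializer. */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }
}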
