package com.sun.deploy.security;

import com.sun.applet2.preloader.CancelException;
import com.sun.applet2.preloader.Preloader;
import com.sun.applet2.preloader.event.UserDeclinedEvent;
import com.sun.deploy.appcontext.AppContext;
import com.sun.deploy.cache.Cache;
import com.sun.deploy.config.Config;
import com.sun.deploy.config.Platform;
import com.sun.deploy.model.LocalApplicationProperties;
import com.sun.deploy.model.Resource;
import com.sun.deploy.model.ResourceProvider;
import com.sun.deploy.net.JARSigningException;
import com.sun.deploy.resources.ResourceManager;
import com.sun.deploy.security.LazyRootStore;
import com.sun.deploy.security.RevocationChecker;
import com.sun.deploy.security.ValidationState;
import com.sun.deploy.security.ruleset.BlockRule;
import com.sun.deploy.security.ruleset.DeploymentRuleSet;
import com.sun.deploy.services.Service;
import com.sun.deploy.services.ServiceManager;
import com.sun.deploy.trace.Trace;
import com.sun.deploy.trace.TraceLevel;
import com.sun.deploy.ui.AppInfo;
import com.sun.deploy.uitoolkit.Applet2Adapter;
import com.sun.deploy.uitoolkit.ToolkitStore;
import com.sun.deploy.util.DeployLock;
import com.sun.deploy.util.JarUtil;
import com.sun.deploy.util.PerfLogger;
import com.sun.deploy.util.SecurityBaseline;
import com.sun.deploy.util.URLUtil;
import java.io.IOException;
import java.net.URL;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Timestamp;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.jar.JarFile;
import sun.security.validator.PKIXValidator;
import sun.security.validator.Validator;
import sun.security.validator.ValidatorException;

/* loaded from: input_file:jre/Home/jre/lib/deploy.jar:com/sun/deploy/security/TrustDecider.class */
public class TrustDecider {
    // Trust-option codes. The literal values match the branches taken on the security
    // dialog's answer in askUser() and recordSandboxAnswer(): 0 = grant for this session,
    // 2 = grant always, anything else = deny.
    public static final int TrustOption_GrantThisSession = 0;
    public static final int TrustOption_Deny = 1;
    public static final int TrustOption_GrantAlways = 2;
    // Not referenced in the visible part of this class; meaning not established here.
    static final String ROOT_CA_NOT_VALID = "self-signed";
    // Lock taken by grabDeployLock() / released by releaseDeployLock(); it guards the
    // static certificate stores below. Its initialisation is outside this listing.
    private static DeployLock deployLock;
    // Values written to ValidationState.trustDecision. Note that trustDecision may also
    // carry a certificate expiration timestamp (see the permanent-store path in
    // getValidationState()), so it is not limited to these three values.
    public static final long PERMISSION_DENIED = 0;
    public static final long PERMISSION_GRANTED_FOR_SESSION = 1;
    public static final long PERMISSION_UNKNOWN = 2;
    // Subject-DN suffixes; presumably the contents of PRE_TRUSTED_NAMESPACES, whose
    // static initialiser is outside this listing (TODO confirm).
    private static final String SUN_NAMESPACE = "OU=Java Signed Extensions,OU=Corporate Object Signing,O=Sun Microsystems Inc";
    private static final String ORACLE_NAMESPACE = "OU=Java Signed Extensions,OU=Corporate Object Signing,O=Oracle Corporation";
    private static final String[] PRE_TRUSTED_NAMESPACES;
    // Iterated by checkTrustedExtension(), which suffix-matches a subject DN against it.
    private static final List preTrustList;
    // Cleared by reset() and after a "grant always" answer in askUser().
    private static boolean storesLoaded;
    // Set by resetDenyStore() after it swaps in a new DeniedCertStore.
    private static boolean reloadDeniedStore;
    private static final String MAIN_JAR_FOUND = "true";
    // Certificate stores. All of them are (re)assigned in reset(); the browser stores are
    // only assigned when Config.SEC_USE_BROWSER_KEYSTORE_KEY is enabled and stay null otherwise.
    private static CertStore rootStore = null;
    private static CertStore permanentStore = null;
    private static CertStore sandboxStore = null;
    private static CertStore sessionStore = null;
    private static CertStore sessionRevocationStore = null;
    private static CertStore sessionSandboxStore = null;
    private static CertStore sessionDRSStore = null;
    private static CertStore deniedStore = null;
    private static CertStore browserRootStore = null;
    private static CertStore browserTrustedStore = null;
    private static CertStore browserUntrustedStore = null;
    // Built in reset() from browserRootStore and rootStore; a construction failure there is
    // only traced, so this reference can remain null or stale.
    private static LazyRootStore lazyRootStore = null;
    // Revocation settings, read from Config in reset() and consumed by checkRevocationStatus().
    private static X509CRL crl509 = null;
    private static boolean ocspValidConfig = false;
    private static String ocspSigner = null;
    private static String ocspURL = null;
    private static String revType = null;
    private static boolean crlCheck = false;
    private static boolean ocspCheck = false;
    private static String timeout = null;
    private static String clockSkew = null;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Acquires the class-wide deploy lock that guards the static certificate stores.
     *
     * <p>Every successful call should be paired with {@link #releaseDeployLock()},
     * normally from a {@code finally} block.
     *
     * @throws InterruptedException declared by {@code DeployLock.lock()} and passed through
     */
    public static void grabDeployLock() throws InterruptedException {
        final DeployLock lock = deployLock;
        lock.lock();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Releases the class-wide deploy lock, tolerating the case where it is not held.
     *
     * <p>Callers in this class invoke this from {@code finally} blocks that also run when
     * {@link #grabDeployLock()} was interrupted before the lock was obtained, so an
     * {@link IllegalMonitorStateException} from the unlock is deliberately discarded.
     */
    public static void releaseDeployLock() {
        final DeployLock lock = deployLock;
        try {
            lock.unlock();
        } catch (IllegalMonitorStateException notHeld) {
            // Intentionally ignored: presumably raised when the current thread does not
            // own the lock, which is an expected situation for the finally-block callers.
        }
    }

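    /**
     * Replaces the in-memory denied-certificate store with a new {@code DeniedCertStore}
     * and flags it for reload.
     *
     * <p>The swap happens under the deploy lock. This method is public and static, so any
     * code able to call it can discard the deny decisions held by the current store
     * object; whether the new store re-reads persisted denials is not visible here.
     *
     * @throws RuntimeException wrapping the {@link InterruptedException} if the thread is
     *         interrupted while waiting for the deploy lock
     */
    public static void resetDenyStore() {
        Trace.msgSecurityPrintln("trustdecider.check.reset.denystore");
        try {
            grabDeployLock();
            deniedStore = new DeniedCertStore();
            reloadDeniedStore = true;
        } catch (InterruptedException e) {
            // Keep the interrupt visible to the caller instead of losing it in the wrapper.
            Thread.currentThread().interrupt();
            throw new RuntimeException(e);
        } finally {
            // Safe even when the lock was never obtained: releaseDeployLock() tolerates that.
            releaseDeployLock();
        }
    }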

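    /**
     * Rebuilds every certificate store and re-reads the revocation-checking configuration.
     *
     * <p>Runs under the deploy lock. Browser key stores are only consulted when
     * {@code Config.SEC_USE_BROWSER_KEYSTORE_KEY} is enabled. When the revocation type is
     * {@code Config.NO_CERTIFICATES_CHECK}, both CRL and OCSP checking are switched off
     * and the remaining revocation settings are left untouched.
     *
     * @throws RuntimeException wrapping the {@link InterruptedException} if the thread is
     *         interrupted while waiting for the deploy lock
     */
    public static void reset() {
        PerfLogger.setTime("Security: Start Reset call in TrustDecider class");
        try {
            grabDeployLock();
            storesLoaded = false;
            // Recomputed below; clearing it here stops an OCSP signer/URL pair from an
            // earlier configuration from still being treated as valid after a reset.
            ocspValidConfig = false;
            rootStore = RootCertStore.getCertStore();
            permanentStore = DeploySigningCertStore.getCertStore();
            sandboxStore = DeploySigningCertStore.getSandboxCertStore();
            sessionStore = new SessionCertStore("TrustDecider");
            sessionRevocationStore = new SessionCertStore("Revocation");
            sessionSandboxStore = new SessionCertStore("SandboxSecurity");
            sessionDRSStore = new SessionCertStore("DeploymentRuleSet");
            deniedStore = new DeniedCertStore();
            if (Config.getBooleanProperty(Config.SEC_USE_BROWSER_KEYSTORE_KEY)) {
                Service service = ServiceManager.getService();
                browserRootStore = service.getBrowserSigningRootCertStore();
                browserTrustedStore = service.getBrowserTrustedCertStore();
                browserUntrustedStore = service.getBrowserUntrustedCertStore();
            }
            try {
                lazyRootStore = new LazyRootStore(browserRootStore, rootStore);
            } catch (Exception rootStoreFailure) {
                // NOTE(review): the failure is only traced, so lazyRootStore keeps its
                // previous value (possibly null) while getValidationState() dereferences
                // it unconditionally. Confirm this cannot leave a stale root set in use.
                Trace.ignored(rootStoreFailure);
            }
            revType = Config.getStringProperty(Config.SEC_REVOCATION_CHECK_TYPE_KEY);
            if (revType.equals(Config.NO_CERTIFICATES_CHECK)) {
                crlCheck = false;
                ocspCheck = false;
                return;
            }
            timeout = Config.getStringProperty(Config.SEC_USE_VALIDATION_TIMEOUT_KEY);
            clockSkew = Config.getStringProperty(Config.SEC_USE_VALIDATION_CLOCK_SKEW_KEY);
            crlCheck = Config.getBooleanProperty(Config.SEC_USE_VALIDATION_CRL_KEY);
            if (crlCheck) {
                crl509 = RevocationCheckHelper.retrieveCRL(Config.getStringProperty(Config.SEC_USE_VALIDATION_CRL_URL_KEY));
            }
            ocspCheck = Config.getBooleanProperty(Config.SEC_USE_VALIDATION_OCSP_KEY);
            if (ocspCheck) {
                ocspSigner = Config.getStringProperty(Config.SEC_USE_VALIDATION_OCSP_SIGNER_KEY);
                ocspURL = Config.getStringProperty(Config.SEC_USE_VALIDATION_OCSP_URL_KEY);
                // A custom responder is only usable when both signer and URL are non-empty.
                ocspValidConfig = ocspSigner != null && ocspSigner.length() > 0
                        && ocspURL != null && ocspURL.length() > 0;
            }
        } catch (InterruptedException interrupted) {
            // Keep the interrupt visible to the caller instead of losing it in the wrapper.
            Thread.currentThread().interrupt();
            throw new RuntimeException(interrupted);
        } finally {
            releaseDeployLock();
            PerfLogger.setTime("Security: End Reset call in TrustDecider class");
        }
    }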

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells a preloader that the user declined to run the application.
     *
     * @param preloader preloader to notify; when {@code null}, the one registered in the
     *        toolkit's app context under {@code Applet2Adapter.PRELOADER_KEY} is used
     * @param str payload handed to the {@code UserDeclinedEvent} (callers in this class
     *        pass the code source location, or {@code null})
     */
    public static void notifyOnUserDeclined(Preloader preloader, String str) {
        Preloader target = preloader;
        if (target == null) {
            target = (Preloader) ToolkitStore.get().getAppContext().get(Applet2Adapter.PRELOADER_KEY);
        }
        if (target == null) {
            // Nobody to notify.
            return;
        }
        try {
            target.handleEvent(new UserDeclinedEvent(str));
        } catch (CancelException ignored) {
            // The notification is best effort; a cancelling preloader changes nothing here.
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Splits a flat certificate array into its individual signer chains.
     *
     * <p>Consecutive entries stay in the same chain for as long as both are
     * {@link X509Certificate}s and {@code CertUtils.isIssuerOf(cert[i], cert[i + 1])}
     * holds; the first pair that fails the test starts a new chain.
     *
     * @param certificateArr certificates in the order reported for the code source
     * @return a list of lists, one inner list of certificates per chain, in input order
     */
    public static List breakDownMultiSignerChains(Certificate[] certificateArr) {
        final int total = certificateArr.length;
        List<List<Certificate>> chains = new ArrayList<List<Certificate>>();
        int start = 0;
        while (start < total) {
            // Advance 'last' to the final certificate that still links to its successor.
            int last = start;
            while (last + 1 < total) {
                Certificate current = certificateArr[last];
                Certificate next = certificateArr[last + 1];
                if (!(current instanceof X509Certificate) || !(next instanceof X509Certificate)) {
                    break;
                }
                if (!CertUtils.isIssuerOf((X509Certificate) current, (X509Certificate) next)) {
                    break;
                }
                last++;
            }
            int end = last + 1;
            chains.add(new ArrayList<Certificate>(Arrays.asList(certificateArr).subList(start, end)));
            start = end;
        }
        return chains;
    }

    /**
     * Reports whether the PKIX validator path can be used.
     *
     * <p>Requires {@code Config.isJavaVersionAtLeast16()} (presumably Java 1.6) and the
     * class {@code sun.security.validator.Validator} to be loadable through the system
     * class loader. When this returns {@code false}, getJarValidationState() falls back
     * to the legacy {@code CertValidator} path.
     *
     * @return {@code true} if the validator class is available
     */
    private static boolean haveValidatorSupport() {
        if (Config.isJavaVersionAtLeast16()) {
            try {
                // forName either returns a class or throws, so reaching the next line means success.
                Class.forName("sun.security.validator.Validator", true, ClassLoader.getSystemClassLoader());
                return true;
            } catch (ClassNotFoundException missing) {
                Trace.msgSecurityPrintln("trustdecider.check.validate.notfound");
            }
        }
        return false;
    }

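    /**
     * Runs a full chain validation ahead of time and traces the resulting trust decision.
     *
     * <p>Calls validateChain() with no preloader and the warm-up flag set, which makes
     * getValidationState() skip the "all JAR entries signed" check. The result is only
     * traced, never returned.
     *
     * @param x509CertificateArr signer chain, end-entity certificate first
     * @param codeSource code source the chain belongs to
     * @param i forwarded unchanged to validateChain()
     * @param appInfo application description used for store lookups and dialogs
     * @param deploymentRuleSet rule set in force; dereferenced without a null check by
     *        validateChain()
     */
    public static synchronized void validateChainForWarmup(X509Certificate[] x509CertificateArr, CodeSource codeSource, int i, AppInfo appInfo, DeploymentRuleSet deploymentRuleSet) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, CRLException, InvalidAlgorithmParameterException {
        try {
            grabDeployLock();
            ensureBasicStoresLoaded();
            long result = validateChain(x509CertificateArr, codeSource, i, appInfo, deploymentRuleSet, null, true);
            Trace.println("Warmup validation completed (res=" + result + ")", TraceLevel.SECURITY);
        } catch (InterruptedException e) {
            // Warm-up is best effort, so no exception is raised, but the interrupt
            // must stay visible to the caller rather than being silently consumed.
            Thread.currentThread().interrupt();
        } finally {
            releaseDeployLock();
        }
    }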

    /**
     * Validates a signer chain for all-permissions use and turns the result into a trust
     * decision, blocking or prompting the user where the deployment rule set requires it.
     *
     * @param x509CertificateArr signer chain; element 0 is the certificate recorded in the stores
     * @param codeSource code source being validated
     * @param i forwarded unchanged to getValidationState()
     * @param appInfo application description used for store keys and dialogs
     * @param deploymentRuleSet rule set in force; dereferenced on the first line, so it
     *        must not be null here (willBlock(), by contrast, accepts null)
     * @param preloader preloader to notify if the user declines; may be null
     * @param z warm-up flag, forwarded to getValidationState() where it suppresses the
     *        "all JAR entries signed" check
     * @return the trust decision: 0 (denied), 1 (granted for the session), 2 (unknown) or
     *         a certificate expiration timestamp for a permanent grant
     */
    private static long validateChain(X509Certificate[] x509CertificateArr, CodeSource codeSource, int i, AppInfo appInfo, DeploymentRuleSet deploymentRuleSet, Preloader preloader, boolean z) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, CRLException, InvalidAlgorithmParameterException {
        boolean isRevocationCheckBestEffort = deploymentRuleSet.isRevocationCheckBestEffort();
        boolean isRuleRun = deploymentRuleSet.isRuleRun();
        ValidationState validationState = getValidationState(x509CertificateArr, codeSource, i, ValidationState.TYPE.ALL_PERMISSIONS, isRevocationCheckBestEffort, isRuleRun, appInfo, deploymentRuleSet, z);
        LocalApplicationProperties localApplicationProperties = Cache.getLocalApplicationProperties(appInfo.getLapURL());
        if (localApplicationProperties != null) {
            localApplicationProperties.storeMainPublisherAndTitle(validationState.getPublisher(), appInfo.getDisplayTitle());
        }
        // A matching "run" rule overrides whatever getValidationState() decided and is
        // remembered for the session in the rule-set store.
        if (isRuleRun) {
            validationState.trustDecision = 1L;
            sessionDRSStore.add(x509CertificateArr[0], getLocString(codeSource.getLocation(), appInfo), validationState.timeValid);
        }
        // 'str' is the resource key of the block reason; null means "not blocked".
        String str = null;
        SecurityException securityException = null;
        if (validationState.trustDecision == 2) {
            // Undecided: check the policy reasons that forbid even asking the user.
            if (!validationState.rootCAValid) {
                if (!deploymentRuleSet.isAskGrantSelfSignedSet()) {
                    str = "deployment.grant.notinca.never.text";
                } else if (SecurityBaseline.isExpired() && deploymentRuleSet.isSSVModeNever()) {
                    str = "deployment.ssv2.mode.never.selfsigned";
                }
            }
            if (str == null && !validationState.timeValid && deploymentRuleSet.isExpiredBlocked()) {
                str = "deployment.block.expired.text";
            }
            if (str == null && !deploymentRuleSet.isAskGrantShowSet()) {
                str = "deployment.grant.signed.never.text";
            }
        }
        // The main JAR manifest is checked for every decision except an outright deny.
        if (str == null && validationState.trustDecision != 0) {
            try {
                checkMainJarManifest(deploymentRuleSet, codeSource.getLocation(), appInfo, true);
            } catch (SecurityException e) {
                str = "deployment.blocked.permissions";
                securityException = e;
            }
        }
        if (str != null) {
            // Blocked: persist the certificate in the denied store, then show the dialog.
            deniedStore.add(x509CertificateArr[0], getLocString(codeSource.getLocation(), appInfo), validationState.timeValid);
            deniedStore.save();
            // NOTE(review): nothing here returns or throws after the dialog. Unless
            // BlockedDialog.show() itself throws (not visible in this listing), a blocked
            // chain with trustDecision == 2 continues into the prompt below. Confirm.
            BlockedDialog.show(appInfo, null, str, securityException, codeSource, deploymentRuleSet);
        }
        if (validationState.trustDecision == 2) {
            // Reuse an earlier answer recorded by DecisionTime (presumably within a time
            // window, TODO confirm); otherwise ask the user now.
            if (DecisionTime.withinTime(codeSource.getLocation(), appInfo, x509CertificateArr[0], LocalApplicationProperties.ALSIGNED_KEY)) {
                validationState.trustDecision = 1L;
            } else {
                validationState.trustDecision = askUser(x509CertificateArr, codeSource, validationState, appInfo, deploymentRuleSet, preloader);
                // Only a session grant is time-stamped, and not on a native-sandbox platform.
                if (validationState.trustDecision == 1 && !Platform.get().isNativeSandbox()) {
                    DecisionTime.setTime(codeSource.getLocation(), appInfo, x509CertificateArr[0], LocalApplicationProperties.ALSIGNED_KEY);
                }
            }
        }
        return validationState.trustDecision;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the {@link ValidationState} for a signer chain: validity period, timestamp,
     * trust anchor, PKIX path validation, blacklist and revocation checks, and finally a
     * lookup of the end-entity certificate in the denied, permanent, sandbox and browser
     * stores.
     *
     * <p>Uses the static stores directly and does not take the deploy lock itself.
     *
     * @param x509CertificateArr signer chain; element 0 is the certificate looked up in the
     *        stores, the last element is used to select trust anchors
     * @param codeSource code source being validated
     * @param i forwarded to getTimeStampInfo(); its meaning is not visible here
     * @param type permission type the decision is for
     * @param z revocation "best effort" flag (validateChain() passes
     *        {@code isRevocationCheckBestEffort()}); when set, an unknown revocation
     *        status is tolerated instead of failing
     * @param z2 rule-run flag (validateChain() passes {@code isRuleRun()}); enables the
     *        sessionDRSStore shortcut
     * @param appInfo application description used to build the store location key
     * @param deploymentRuleSet rule set in force
     * @param z3 warm-up flag; when set, the "all JAR entries signed" check is skipped
     * @return the populated validation state; {@code trustDecision} is 0, 1, 2 or an
     *         expiration timestamp
     * @throws CertificateException on any validation failure other than a missing trust
     *         anchor, on a blacklisted or browser-untrusted certificate, on unsigned JAR
     *         entries, or on a revocation failure
     */
    public static ValidationState getValidationState(X509Certificate[] x509CertificateArr, CodeSource codeSource, int i, ValidationState.TYPE type, boolean z, boolean z2, AppInfo appInfo, DeploymentRuleSet deploymentRuleSet, boolean z3) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, CRLException, InvalidAlgorithmParameterException {
        PerfLogger.setTime("Security: begin getValidationState()");
        // Snapshot the static revocation switches for this run.
        boolean z4 = crlCheck;
        boolean z5 = ocspCheck;
        String locString = getLocString(codeSource.getLocation(), appInfo);
        // zArr[n] ends up true when certificate n failed checkValidity() (expired or not
        // yet valid): it is set before the call and only cleared if the call returns.
        boolean[] zArr = new boolean[x509CertificateArr.length];
        ValidationState validationState = new ValidationState(type);
        for (int i2 = 0; i2 < x509CertificateArr.length; i2++) {
            // Track the earliest notAfter in the chain.
            long time = x509CertificateArr[i2].getNotAfter().getTime();
            if (time < validationState.expirationDate) {
                validationState.expirationDate = time;
            }
            try {
                zArr[i2] = true;
                x509CertificateArr[i2].checkValidity();
                zArr[i2] = false;
            } catch (CertificateExpiredException e) {
                // Only the first expiry in the chain is recorded.
                if (validationState.certExpiredException == null) {
                    validationState.certExpiredException = e;
                    validationState.certValidity = -1;
                    validationState.certValidityNoTS = -1;
                    validationState.timeValid = false;
                }
            } catch (CertificateNotYetValidException e2) {
                if (validationState.certNotYetValidException == null) {
                    validationState.certNotYetValidException = e2;
                    validationState.certValidity = 1;
                    validationState.certValidityNoTS = 1;
                    validationState.timeValid = false;
                }
            }
        }
        validationState.timeStampInfo = getTimeStampInfo(codeSource, i, x509CertificateArr, lazyRootStore);
        // Any non-null timestamp info restores time validity (certValidityNoTS keeps the
        // untimestamped verdict). How strictly getTimeStampInfo() validates the timestamp
        // is not visible here; this override is only as strong as that check.
        if (!validationState.timeValid && validationState.timeStampInfo != null) {
            validationState.timeValid = true;
            validationState.certValidity = 0;
        }
        int length = x509CertificateArr.length;
        X509Certificate x509Certificate = x509CertificateArr[length - 1];
        LazyRootStore.TrustedRootResult trustAnchors = lazyRootStore.getTrustAnchors(x509Certificate);
        List<X509Certificate> matchedCAList = trustAnchors == null ? null : trustAnchors.getMatchedCAList();
        if (matchedCAList == null) {
            // No known root: mark the chain as untrusted and use its own last certificate
            // as the anchor. The PKIX run below then only checks the chain's internal
            // consistency; rootCAValid == false is what carries the "untrusted" verdict.
            validationState.rootCAValid = false;
            setSelfSignedUsage();
            matchedCAList = new ArrayList();
            matchedCAList.add(x509Certificate);
        }
        PerfLogger.setTime("Security: End replace CA check and start timestamp check");
        PKIXBuilderParameters pKIXBuilderParameters = null;
        // Validated path returned by the validator; stays null if validation is abandoned below.
        X509Certificate[] x509CertificateArr2 = null;
        try {
            PerfLogger.setTime("Security: Start getting validator class");
            Validator validator = Validator.getInstance("PKIX", "plugin code signing", matchedCAList);
            PKIXValidator pKIXValidator = (PKIXValidator) validator;
            pKIXBuilderParameters = pKIXValidator.getParameters();
            pKIXBuilderParameters.addCertPathChecker(new DeployCertPathChecker(pKIXValidator));
            pKIXBuilderParameters.setDate(new Date());
            PerfLogger.setTime("Security: End getting validator class and start validator class");
            // Each certificate is wrapped before validation; what X509CertificateWrapper
            // changes is not visible in this listing.
            X509Certificate[] x509CertificateArr3 = new X509Certificate[length];
            for (int i3 = 0; i3 < length; i3++) {
                x509CertificateArr3[i3] = new X509CertificateWrapper(x509CertificateArr[i3]);
            }
            x509CertificateArr2 = validator.validate(x509CertificateArr3);
            PerfLogger.setTime("Security: End call validator class");
        } catch (CertificateException e3) {
            // Only "no trust anchor" is downgraded to an untrusted-root result; every
            // other validation failure is rethrown to the caller.
            if (!(e3 instanceof ValidatorException)) {
                throw e3;
            }
            ValidatorException validatorException = (ValidatorException) e3;
            if (!ValidatorException.T_NO_TRUST_ANCHOR.equals(validatorException.getErrorType())) {
                throw validatorException;
            }
            validationState.rootCAValid = false;
            setSelfSignedUsage();
        }
        PerfLogger.setTime("Security: End certificate validation and start blacklist and revocation check");
        // The publisher name is only taken from chains that reach a trusted root.
        if (validationState.rootCAValid) {
            validationState.setPublisher(CertUtils.extractSubjectAliasName(x509CertificateArr[0]));
        }
        if (validationState.type != ValidationState.TYPE.SPECIAL && !z3) {
            ensureAllJarEntriesSigned(codeSource.getLocation(), deploymentRuleSet);
        }
        // Session shortcut: a certificate already accepted in this session returns here,
        // before the blacklist, browser-untrusted, revocation and denied-store checks
        // below. Those checks are therefore not repeated for the rest of the session.
        if (sessionStore.contains(x509CertificateArr[0], locString, validationState.timeValid) || ((validationState.type == ValidationState.TYPE.SANDBOX_PERMISSIONS && sessionSandboxStore.contains(x509CertificateArr[0], locString, validationState.timeValid)) || (z2 && sessionDRSStore.contains(x509CertificateArr[0], locString, validationState.timeValid)))) {
            validationState.trustDecision = 1L;
            return validationState;
        }
        // Blacklist and browser-untrusted checks cover the supplied chain plus, for
        // trusted chains, the matched root certificates.
        ArrayList<X509Certificate> arrayList = new ArrayList(Arrays.asList(x509CertificateArr));
        if (matchedCAList != null && validationState.rootCAValid) {
            arrayList.addAll(matchedCAList);
        }
        for (X509Certificate x509Certificate2 : arrayList) {
            BlacklistedCerts.check(x509Certificate2);
            if (browserUntrustedStore != null && browserUntrustedStore.contains(x509Certificate2)) {
                String message = ResourceManager.getMessage("security.dialog.unverified.signed.publisher");
                Trace.println(message, TraceLevel.SECURITY);
                throw new CertificateException(message);
            }
        }
        // Revocation result cache for the session. The boolean stored with the entry is
        // revStatusUnknown: false = checked (or skipped) without an unknown status,
        // true = status was unknown.
        if (!sessionRevocationStore.contains(x509CertificateArr[0], locString, false)) {
            if (sessionRevocationStore.contains(x509CertificateArr[0], locString, true)) {
                validationState.revStatusUnknown = true;
            } else if (!willBlock(validationState, deploymentRuleSet)) {
                // NOTE(review): x509CertificateArr2 is still null when the validator hit
                // T_NO_TRUST_ANCHOR above, and checkRevocationStatus() reads its length
                // once a revocation check is enabled. Confirm willBlock() always
                // short-circuits that case.
                checkRevocationStatus(z5, z4, x509CertificateArr2, pKIXBuilderParameters, validationState, z, zArr);
                sessionRevocationStore.add(x509CertificateArr[0], locString, validationState.revStatusUnknown);
                sessionRevocationStore.save();
            }
        }
        // Store lookups, in precedence order: denied, untrusted root, permanent, sandbox, browser.
        if (deniedStore.contains(x509CertificateArr[0], locString, validationState.timeValid)) {
            validationState.trustDecision = 0L;
            return validationState;
        }
        if (!validationState.rootCAValid) {
            validationState.trustDecision = 2L;
            return validationState;
        }
        if (permanentStore.contains(x509CertificateArr[0], locString, validationState.timeValid)) {
            // A permanent grant is reported as the chain's earliest expiration timestamp
            // and promoted into the session store.
            validationState.trustDecision = validationState.expirationDate;
            sessionStore.add(x509CertificateArr[0], locString, validationState.timeValid);
            sessionStore.save();
            return validationState;
        }
        if (validationState.type == ValidationState.TYPE.SANDBOX_PERMISSIONS && sandboxStore.contains(x509CertificateArr[0], locString, validationState.timeValid)) {
            validationState.trustDecision = validationState.expirationDate;
            sessionSandboxStore.add(x509CertificateArr[0], locString, validationState.timeValid);
            sessionSandboxStore.save();
            return validationState;
        }
        // Last resort: the browser's trusted store, when browser key stores are enabled.
        if (browserTrustedStore == null || !browserTrustedStore.contains(x509CertificateArr[0])) {
            validationState.trustDecision = 2L;
            return validationState;
        }
        validationState.trustDecision = 1L;
        return validationState;
    }

    /**
     * Verifies that the JAR behind {@code url} is fully signed, failing closed otherwise.
     *
     * <p>The method returns normally only when the JAR is blob-signed or every entry is
     * signed. A missing resource, a missing {@code JarFile}, an I/O error or any unsigned
     * entry ends in a {@link CertificateException}.
     *
     * @param url location of the JAR
     * @param deploymentRuleSet rule set in force, may be null; when it asks for it, the
     *        META-INF directory is excluded from the per-entry check
     * @throws CertificateException wrapping a {@code JARSigningException} (code 3 when
     *         unsigned entries were found, code 2 otherwise) or the underlying
     *         {@link IOException}
     */
    private static void ensureAllJarEntriesSigned(URL url, DeploymentRuleSet deploymentRuleSet) throws CertificateException {
        String contextValue = (String) ToolkitStore.get().getAppContext().get(Config.APPCONTEXT_KEY_PREFIX + ((Object) url));
        Resource found = null;
        try {
            found = ResourceProvider.get().getCachedResource(url, contextValue);
            if (found == null) {
                found = ResourceProvider.get().getResource(url, contextValue);
            }
        } catch (IOException lookupFailure) {
            // A failed lookup is treated like a missing resource and rejected below.
            Trace.ignored(lookupFailure);
        }
        int failureCode = 2;
        JarFile jar = (found == null) ? null : found.getJarFile();
        if (found == null) {
            Trace.println("Unable to retrieve resource from: " + ((Object) url) + ", " + contextValue, TraceLevel.SECURITY);
        } else if (jar == null) {
            Trace.println("getJarFile() returned null from resource: " + ((Object) found), TraceLevel.SECURITY);
        } else {
            try {
                if (JarUtil.isBlobSigned(jar)) {
                    return;
                }
                boolean skipMetaInf = deploymentRuleSet != null && deploymentRuleSet.skipMetaInfDirectory();
                if (JarUtil.allJarEntriesSigned(jar, skipMetaInf)) {
                    return;
                }
                failureCode = 3;
            } catch (IOException readFailure) {
                throw new CertificateException(readFailure.getMessage(), readFailure);
            }
        }
        // Every path that reaches this point is a rejection.
        JARSigningException signingFailure = new JARSigningException(url, contextValue, failureCode);
        Trace.ignored(signingFailure);
        throw new CertificateException(signingFailure.getRealMessage(), signingFailure);
    }

    /**
     * Convenience overload that validates the code source with the
     * {@code ValidationState.TYPE.SPECIAL} permission type.
     *
     * @param codeSource code source whose certificates are validated
     * @param appInfo application description
     * @param deploymentRuleSet rule set in force
     * @return the validation state; a denied state when validation is not possible
     */
    public static ValidationState getJarValidationState(CodeSource codeSource, AppInfo appInfo, DeploymentRuleSet deploymentRuleSet) {
        final ValidationState.TYPE special = ValidationState.TYPE.SPECIAL;
        return getJarValidationState(codeSource, appInfo, special, deploymentRuleSet);
    }

    /**
     * Validates the certificates attached to a code source and never throws: every
     * failure is traced and reported as a denied state ({@code trustDecision == 0}).
     *
     * <p>Only the first signer chain produced by breakDownMultiSignerChains() is
     * validated; further chains are not examined. Without validator support the legacy
     * {@code CertValidator} path is used, and its success is reported as a fresh state
     * with {@code rootCAValid} set.
     *
     * @param codeSource code source whose certificates are validated
     * @param appInfo application description
     * @param type permission type the state is created for
     * @param deploymentRuleSet rule set in force
     * @return the validation state, or a denied state if the source is unsigned or
     *         validation failed
     */
    public static ValidationState getJarValidationState(CodeSource codeSource, AppInfo appInfo, ValidationState.TYPE type, DeploymentRuleSet deploymentRuleSet) {
        Certificate[] signerCerts = codeSource.getCertificates();
        if (signerCerts != null) {
            try {
                ensureBasicStoresLoaded();
                List chains = breakDownMultiSignerChains(signerCerts);
                if (!haveValidatorSupport()) {
                    Trace.msgSecurityPrintln("trustdecider.check.validate.legacy.algorithm");
                    rootStore.load();
                    if (browserRootStore != null) {
                        browserRootStore.load();
                    }
                    boolean legacyOk = CertValidator.validate(codeSource, appInfo, signerCerts, chains.size(), rootStore, browserRootStore, browserTrustedStore, sessionStore, permanentStore, deniedStore, deploymentRuleSet);
                    if (legacyOk) {
                        ValidationState accepted = new ValidationState(type);
                        accepted.rootCAValid = true;
                        return accepted;
                    }
                } else if (chains.isEmpty()) {
                    Trace.println("Canot validate certificate - unsigned", TraceLevel.SECURITY);
                } else {
                    List firstChain = (List) chains.get(0);
                    try {
                        return getValidationState((X509Certificate[]) firstChain.toArray(new X509Certificate[firstChain.size()]), codeSource, 0, type, true, false, appInfo, deploymentRuleSet, false);
                    } catch (Exception validationFailure) {
                        // Fail closed: fall through to the denied state below.
                        Trace.ignored(validationFailure);
                    }
                }
            } catch (Exception unexpected) {
                // Fail closed: fall through to the denied state below.
                Trace.ignored(unexpected);
            }
        }
        ValidationState denied = new ValidationState(type);
        denied.trustDecision = 0L;
        return denied;
    }

    /**
     * Predicts from the validation state and rule set whether the application will be
     * blocked; getValidationState() uses the answer to decide whether a revocation check
     * is worth running.
     *
     * <p>A null rule set always yields {@code true} for a time-invalid or untrusted-root
     * chain and for the sandbox and all-permissions types.
     *
     * <p>NOTE(review): for {@code ALL_PERMISSIONS} this returns {@code true} when
     * {@code isAskGrantSelfSignedSet()} / {@code isAskGrantShowSet()} is set, whereas
     * validateChain() blocks when the same getters are <em>not</em> set. This listing is
     * decompiler output, so confirm the polarity against the bytecode before relying on it.
     *
     * @param validationState state produced for the chain
     * @param deploymentRuleSet rule set in force, may be null
     * @return {@code true} if the chain is expected to be blocked
     */
    public static boolean willBlock(ValidationState validationState, DeploymentRuleSet deploymentRuleSet) {
        final boolean noRules = deploymentRuleSet == null;
        final boolean anchored = validationState.rootCAValid;
        if (!validationState.timeValid && (noRules || deploymentRuleSet.isExpiredBlocked())) {
            return true;
        }
        if (!anchored) {
            if (noRules) {
                return true;
            }
            if (deploymentRuleSet.isSSVModeNever() && SecurityBaseline.isExpired()) {
                return true;
            }
        }
        switch (validationState.type) {
            case SANDBOX_PERMISSIONS:
                if (noRules) {
                    return true;
                }
                return anchored ? !deploymentRuleSet.isCaSignedNever() : !deploymentRuleSet.isSelfSignedNever();
            case ALL_PERMISSIONS:
                if (noRules) {
                    return true;
                }
                return anchored ? deploymentRuleSet.isAskGrantShowSet() : deploymentRuleSet.isAskGrantSelfSignedSet();
            case SPECIAL:
                return !anchored;
            default:
                return false;
        }
    }

    /**
     * Runs OCSP and/or CRL revocation checks over a validated chain.
     *
     * <p>The check is skipped, with a normal return, when both mechanisms are disabled,
     * when {@code Config.isJavaVersionAtLeast17()} is false, or when the chain holds
     * fewer than two certificates. The caller in getValidationState() caches the outcome
     * in the session revocation store either way, so a skipped check is cached exactly
     * like a passed one.
     *
     * @param z whether OCSP checking is enabled
     * @param z2 whether CRL checking is enabled
     * @param x509CertificateArr validated chain; the last element is handed to the
     *        {@code RevocationChecker} constructor and the others are checked from the
     *        second-to-last down to index 0
     * @param pKIXParameters parameters of the validator that produced the chain
     * @param validationState receives {@code revStatusUnknown}; supplies the timestamp info
     * @param z3 best-effort flag: when set, a {@code StatusUnknownException} is recorded
     *        instead of thrown
     * @param zArr per-certificate flags built by getValidationState() from the original
     *        chain; presumably index-aligned with {@code x509CertificateArr} (TODO confirm,
     *        the validated chain is a different array)
     * @throws CertificateException if a certificate is revoked, or if its status is
     *         unknown and best effort is off
     */
    private static void checkRevocationStatus(boolean z, boolean z2, X509Certificate[] x509CertificateArr, PKIXParameters pKIXParameters, ValidationState validationState, boolean z3, boolean[] zArr) throws CertificateException {
        Trace.msgSecurityPrintln(z ? "trustdecider.check.validation.ocsp.on" : "trustdecider.check.validation.ocsp.off");
        Trace.msgSecurityPrintln(z2 ? "trustdecider.check.validation.crl.on" : "trustdecider.check.validation.crl.off");
        if (!(z || z2)) {
            Trace.msgSecurityPrintln("Revocation check disabled");
            return;
        }
        if (!Config.isJavaVersionAtLeast17()) {
            Trace.msgSecurityPrintln("Revocation check skipped: Java version < 1.7");
            return;
        }
        final int count = x509CertificateArr.length;
        if (count < 2) {
            // A single-certificate chain is left unchecked without a trace message.
            return;
        }
        X509Certificate responderCert = null;
        if (z && ocspValidConfig) {
            try {
                lazyRootStore.containSubject(ocspSigner);
                responderCert = lazyRootStore.getOCSPCert();
            } catch (Exception lookupFailure) {
                // The configured OCSP signer could not be resolved; the checker is then
                // created with a null responder certificate.
                Trace.ignored(lookupFailure);
            }
        }
        boolean publisherOnly = revType.equals(Config.PUBLISHER_ONLY);
        RevocationChecker checker = new RevocationChecker(x509CertificateArr[count - 1], pKIXParameters, z, z2, ocspURL, responderCert, publisherOnly, crl509, validationState.timeStampInfo, timeout, clockSkew);
        for (int idx = count - 2; idx >= 0; idx--) {
            try {
                checker.check(x509CertificateArr[idx], zArr[idx]);
            } catch (CertificateException failure) {
                boolean tolerated = z3 && (failure instanceof RevocationChecker.StatusUnknownException);
                if (!tolerated) {
                    throw failure;
                }
                Trace.msgSecurityPrintln("Revocation Status Unknown");
                Trace.ignored(failure);
                validationState.revStatusUnknown = true;
            }
        }
        if (!validationState.revStatusUnknown) {
            Trace.msgSecurityPrintln("trustdecider.check.revocation.succeed");
        }
    }

    /**
     * Reports whether a certificate's subject falls under one of the pre-trusted
     * namespaces in {@code preTrustList}.
     *
     * <p>The test is a plain string suffix match on the RFC 2253 form of the subject DN
     * returned by {@code getSubjectX500Principal().getName()}. It looks only at the
     * subject name and says nothing about who issued the certificate, so the result is
     * meaningful only for a chain that has already been validated to a trusted root
     * (callers are outside this listing).
     *
     * @param x509Certificate certificate whose subject is inspected
     * @return {@code true} if the subject DN ends with a pre-trusted namespace
     */
    static boolean checkTrustedExtension(X509Certificate x509Certificate) {
        Trace.msgSecurityPrintln("trustdecider.check.trustextension.jurisdiction");
        final String subjectDn = x509Certificate.getSubjectX500Principal().getName();
        for (Object namespace : preTrustList) {
            if (subjectDn.endsWith((String) namespace)) {
                Trace.msgSecurityPrintln("trustdecider.check.trustextension.jurisdiction.found");
                return true;
            }
        }
        return false;
    }

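    /**
     * Shows the security dialog for a chain and records the user's answer.
     *
     * <p>The deploy lock is released while the dialog is open and taken again afterwards,
     * so other threads may change the static stores in between. This method does not
     * release the lock again; the callers' {@code finally} blocks do. Answer 0 grants for
     * the session (session store), answer 2 grants permanently (user certificate store,
     * and {@code storesLoaded} is cleared to force a reload), any other answer denies
     * (denied store) and notifies the preloader.
     *
     * @param x509CertificateArr signer chain; element 0 is the certificate recorded
     * @param codeSource code source being validated
     * @param validationState state shown to the user; its {@code trustDecision} is updated
     * @param appInfo application description (a copy is passed to the dialog)
     * @param deploymentRuleSet rule set in force (unused here)
     * @param preloader preloader to notify on a deny; may be null
     * @return the new trust decision: 0, 1, or the expiration timestamp for a permanent grant
     * @throws RuntimeException if the thread is interrupted while re-acquiring the deploy
     *         lock; the {@link InterruptedException} is attached as the cause
     */
    private static long askUser(X509Certificate[] x509CertificateArr, CodeSource codeSource, ValidationState validationState, AppInfo appInfo, DeploymentRuleSet deploymentRuleSet, Preloader preloader) throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException {
        String locString = getLocString(codeSource.getLocation(), appInfo);
        // The dialog blocks on the user, so the lock is dropped for its duration.
        releaseDeployLock();
        int answer = X509Util.showSecurityDialog(x509CertificateArr, codeSource.getLocation(), 0, x509CertificateArr.length, !validationState.rootCAValid, validationState.certValidity, validationState.timeStampInfo, new AppInfo(appInfo), validationState.revStatusUnknown);
        try {
            grabDeployLock();
            PerfLogger.setTime("Security: Start take action on security dialog box");
            if (answer == 0) {
                // Grant for this session only.
                Trace.msgSecurityPrintln("trustdecider.user.grant.session");
                sessionStore.add(x509CertificateArr[0], locString, validationState.timeValid);
                sessionStore.save();
                validationState.trustDecision = 1L;
            } else if (answer == 2) {
                // Grant always: persist in the user's certificate store.
                Trace.msgSecurityPrintln("trustdecider.user.grant.forever");
                CertStore userCertStore = DeploySigningCertStore.getUserCertStore();
                userCertStore.load(true);
                if (userCertStore.add(x509CertificateArr[0], locString, validationState.timeValid)) {
                    userCertStore.save();
                }
                storesLoaded = false;
                validationState.trustDecision = validationState.expirationDate;
            } else {
                // Anything else is a deny, which is persisted as well.
                Trace.msgSecurityPrintln("trustdecider.user.deny");
                deniedStore.add(x509CertificateArr[0], locString, validationState.timeValid);
                deniedStore.save();
                notifyOnUserDeclined(preloader, codeSource.getLocation() != null ? codeSource.getLocation().toString() : null);
                validationState.trustDecision = 0L;
            }
            PerfLogger.setTime("Security: End take action on security dialog box");
            return validationState.trustDecision;
        } catch (InterruptedException e) {
            // No answer is recorded without the lock. Restore the interrupt flag and keep
            // the cause so the failure can be diagnosed.
            Thread.currentThread().interrupt();
            throw new RuntimeException("Intermediate error trying to perform security validation", e);
        }
    }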

    /* JADX INFO: Access modifiers changed from: protected */
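    /**
     * Records the user's answer to the prompt for a signed sandbox application.
     *
     * <p>{@code i == 0} stores the leaf certificate in the session sandbox store and sets
     * the trust decision to {@code 1L}; {@code i == 2} stores it in the permanent sandbox
     * store and sets the decision to {@code validationState.expirationDate}; any other
     * value is a refusal, which is written to the denied store and reported to the
     * preloader.
     *
     * <p>Exceptions raised while recording the answer are traced and swallowed. A refusal
     * is still reported to the caller in that case: whether the user declined is decided
     * from {@code i} before any store is touched, so a failure to persist the denial
     * cannot turn a refusal into a normal return.
     *
     * <p>NOTE(review): when a grant branch fails, the method returns normally and
     * {@code validationState.trustDecision} keeps its previous value; callers should read
     * the decision from {@code validationState} rather than infer a grant from the
     * absence of an exception.
     *
     * @param certificateArr signer chain; element 0 is the certificate that is stored
     * @param codeSource code source whose location is part of the store key
     * @param validationState receives the trust decision
     * @param preloader notified when the user declines
     * @param i answer code from the dialog (0 = session, 2 = permanent, other = declined)
     * @param appInfo application description used to build the location string
     * @throws UserDeclinedException if the answer was a refusal
     */
    public static void recordSandboxAnswer(Certificate[] certificateArr, CodeSource codeSource, ValidationState validationState, Preloader preloader, int i, AppInfo appInfo) {
        // Decide up front, so the refusal survives any exception swallowed below.
        boolean declined = i != 0 && i != 2;
        try {
            if (declined) {
                validationState.trustDecision = 0L;
            }
            String locString = getLocString(codeSource.getLocation(), appInfo);
            if (i == 0) {
                sessionSandboxStore.add(certificateArr[0], locString, validationState.timeValid);
                sessionSandboxStore.save();
                validationState.trustDecision = 1L;
            } else if (i == 2) {
                sandboxStore.load(true);
                // save() is only called when add() reports that the store changed.
                if (sandboxStore.add(certificateArr[0], locString, validationState.timeValid)) {
                    sandboxStore.save();
                }
                validationState.trustDecision = validationState.expirationDate;
            } else {
                deniedStore.add(certificateArr[0], locString, validationState.timeValid);
                deniedStore.save();
                String url = codeSource.getLocation() != null ? codeSource.getLocation().toString() : null;
                notifyOnUserDeclined(preloader, url);
            }
        } catch (Exception e) {
            Trace.ignored(e);
        }
        if (declined) {
            throw new UserDeclinedException("user declined to run signed sandbox app");
        }
    }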

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Loads the certificate stores used by the trust decision, once per load cycle.
     *
     * <p>The denied store is loaded first, either on the first load or when
     * {@code reloadDeniedStore} asks for a refresh. The remaining stores are loaded only
     * while {@code storesLoaded} is {@code false}; the browser stores are optional and
     * skipped when they are {@code null}.
     *
     * <p>NOTE(review): {@code storesLoaded} is set before the loads run, so an exception
     * from a later {@code load()} leaves the flag set and the remaining stores unloaded
     * on the next call. Confirm whether that ordering is a deliberate re-entrancy guard.
     */
    public static void ensureBasicStoresLoaded() throws InterruptedException, IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
        if (!storesLoaded || reloadDeniedStore) {
            deniedStore.load();
            reloadDeniedStore = false;
        }
        if (!storesLoaded) {
            storesLoaded = true;

            // Permanent (JRE) stores.
            PerfLogger.setTime("Security: Start loading JRE permanent certStore");
            permanentStore.load();
            sandboxStore.load();
            PerfLogger.setTime("Security: End loading JRE permanent certStore");

            // Per-session stores.
            sessionStore.load();
            sessionRevocationStore.load();
            sessionSandboxStore.load();
            sessionDRSStore.load();

            // Browser-provided stores, when the platform supplies them.
            PerfLogger.setTime("Security: start loading browser Trust certStore");
            if (null != browserTrustedStore) {
                browserTrustedStore.load();
            }
            PerfLogger.setTime("Security: End loading browser Trust certStore");

            PerfLogger.setTime("Security: start loading browser Untrust certStore");
            if (null != browserUntrustedStore) {
                browserUntrustedStore.load();
            }
            PerfLogger.setTime("Security: End loading browser Untrust certStore");
        }
    }

    /*  JADX ERROR: NullPointerException in pass: RegionMakerVisitor
        java.lang.NullPointerException: Cannot invoke "java.util.List.isEmpty()" because "s" is null
        	at jadx.core.utils.BlockUtils.getNextBlock(BlockUtils.java:411)
        	at jadx.core.dex.visitors.regions.RegionMaker.traverse(RegionMaker.java:172)
        	at jadx.core.dex.visitors.regions.RegionMaker.makeRegion(RegionMaker.java:91)
        	at jadx.core.dex.visitors.regions.RegionMaker.processIf(RegionMaker.java:735)
        	at jadx.core.dex.visitors.regions.RegionMaker.traverse(RegionMaker.java:152)
        	at jadx.core.dex.visitors.regions.RegionMaker.makeRegion(RegionMaker.java:91)
        	at jadx.core.dex.visitors.regions.RegionMaker.processIf(RegionMaker.java:740)
        	at jadx.core.dex.visitors.regions.RegionMaker.traverse(RegionMaker.java:152)
        	at jadx.core.dex.visitors.regions.RegionMaker.makeRegion(RegionMaker.java:91)
        	at jadx.core.dex.visitors.regions.RegionMakerVisitor.visit(RegionMakerVisitor.java:52)
        */
    /**
     * Public entry point of the all-permissions trust decision.
     *
     * <p>The decompiler could not rebuild this method, so the Java body below only throws
     * {@link UnsupportedOperationException}; as listed, every call fails and no trust
     * decision is made. The register-level dump kept in the comment shows the original
     * control flow (r5 = code source, r6 = app info, r7 = rule set, r8 = preloader):
     * <ol>
     *   <li>{@code Config.getHooks().trackUsage(r6, r7)} is called and a flag (r9) is
     *       set to 1.</li>
     *   <li>If {@code TrustRecorder.isGranted(location, 1)} is true, the flag is cleared
     *       and 1 is returned without calling {@code isAllPermissionGrantedInt}.</li>
     *   <li>Otherwise {@code isAllPermissionGrantedInt(r5, r6, r7, r8)} is called and the
     *       flag is cleared. A result of 0 leads to {@code confirmAppDenied(r7)}; any
     *       other result leads to {@code TrustRecorder.grant(location, 1)}. The result is
     *       returned.</li>
     *   <li>The subroutine at L59 runs on every exit, including the exception path at
     *       L51, and calls {@code confirmAppBlocked(r7)} while the flag is still set,
     *       that is, when an exception escaped before the flag was cleared.</li>
     * </ol>
     *
     * <p>NOTE(review): a grant already recorded in TrustRecorder short-circuits the
     * certificate checks for that location. TrustRecorder is not visible here; confirm
     * the scope and lifetime of its grants before relying on this path.
     */
    public static long isAllPermissionGranted(java.security.CodeSource r5, com.sun.deploy.ui.AppInfo r6, com.sun.deploy.security.ruleset.DeploymentRuleSet r7, com.sun.applet2.preloader.Preloader r8) throws java.security.cert.CertificateException, java.security.KeyStoreException, java.security.NoSuchAlgorithmException, java.io.IOException, java.security.cert.CRLException, java.security.InvalidAlgorithmParameterException {
        /*
            com.sun.deploy.util.DeploymentHooks r0 = com.sun.deploy.config.Config.getHooks()
            r1 = r6
            r2 = r7
            r0.trackUsage(r1, r2)
            r0 = 1
            r9 = r0
            r0 = r5
            java.net.URL r0 = r0.getLocation()     // Catch: java.lang.Throwable -> L51
            r1 = 1
            boolean r0 = com.sun.deploy.security.TrustRecorder.isGranted(r0, r1)     // Catch: java.lang.Throwable -> L51
            if (r0 == 0) goto L22
            r0 = 0
            r9 = r0
            r0 = 1
            r10 = r0
            r0 = jsr -> L59
        L1f:
            r1 = r10
            return r1
        L22:
            r0 = r5
            r1 = r6
            r2 = r7
            r3 = r8
            long r0 = isAllPermissionGrantedInt(r0, r1, r2, r3)     // Catch: java.lang.Throwable -> L51
            r10 = r0
            r0 = 0
            r9 = r0
            r0 = r10
            r1 = 0
            int r0 = (r0 > r1 ? 1 : (r0 == r1 ? 0 : -1))
            if (r0 != 0) goto L3f
            com.sun.deploy.util.DeploymentHooks r0 = com.sun.deploy.config.Config.getHooks()     // Catch: java.lang.Throwable -> L51
            r1 = r7
            r0.confirmAppDenied(r1)     // Catch: java.lang.Throwable -> L51
            goto L47
        L3f:
            r0 = r5
            java.net.URL r0 = r0.getLocation()     // Catch: java.lang.Throwable -> L51
            r1 = 1
            com.sun.deploy.security.TrustRecorder.grant(r0, r1)     // Catch: java.lang.Throwable -> L51
        L47:
            r0 = r10
            r12 = r0
            r0 = jsr -> L59
        L4e:
            r1 = r12
            return r1
        L51:
            r14 = move-exception
            r0 = jsr -> L59
        L56:
            r1 = r14
            throw r1
        L59:
            r15 = r0
            r0 = r9
            if (r0 == 0) goto L67
            com.sun.deploy.util.DeploymentHooks r0 = com.sun.deploy.config.Config.getHooks()
            r1 = r7
            r0.confirmAppBlocked(r1)
        L67:
            ret r15
        */
        // Decompiler stub: the recovered logic exists only in the comment above.
        throw new UnsupportedOperationException("Method not decompiled: com.sun.deploy.security.TrustDecider.isAllPermissionGranted(java.security.CodeSource, com.sun.deploy.ui.AppInfo, com.sun.deploy.security.ruleset.DeploymentRuleSet, com.sun.applet2.preloader.Preloader):long");
    }

    /**
     * Decides whether the code source may run with all permissions.
     *
     * <p>Order of checks as written: a blocking deployment rule shows the blocked dialog;
     * unsigned code (no certificates) returns {@code 0L}; the manifest is verified; the
     * certificate stores are loaded; the certificates are split into one chain per
     * signer; each chain is then validated until one yields a non-zero decision. When
     * validator support is missing, the legacy {@code CertValidator} path is used
     * instead and a success returns {@code 1L}.
     *
     * <p>The deploy lock is taken at the start of the checks and released in the
     * {@code finally} block on every exit.
     *
     * @param codeSource code source under evaluation
     * @param appInfo application description passed to dialogs and validators
     * @param deploymentRuleSet rule that matched this application
     * @param preloader notified when no chain was accepted
     * @return {@code 0L} when nothing granted trust, otherwise the non-zero value from
     *         {@code validateChain} or {@code 1L} from the legacy validator
     * @throws RuntimeException wrapping an {@link InterruptedException} raised inside the
     *         locked section
     */
    private static synchronized long isAllPermissionGrantedInt(CodeSource codeSource, AppInfo appInfo, DeploymentRuleSet deploymentRuleSet, Preloader preloader) throws CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException, CRLException, InvalidAlgorithmParameterException {
        if (deploymentRuleSet.isRuleBlock()) {
            String str = "deployment.blocked.by.rule";
            if ((deploymentRuleSet instanceof BlockRule) && ((BlockRule) deploymentRuleSet).isFromExceptionList()) {
                str = "deployment.blocked.by.exception.list";
            }
            // NOTE(review): nothing here returns or throws after the dialog, so the block
            // only holds if BlockedDialog.show() does not return normally; confirm.
            BlockedDialog.show(appInfo, deploymentRuleSet.getMessage(), str, deploymentRuleSet.getException(), codeSource, deploymentRuleSet);
        }
        try {
            try {
                // NOTE(review): the finally below also runs when grabDeployLock() itself
                // is interrupted; confirm releaseDeployLock() tolerates a lock that was
                // never acquired.
                grabDeployLock();
                Certificate[] certificates = codeSource.getCertificates();
                if (certificates == null) {
                    // Unsigned code is never granted all permissions here.
                    return 0L;
                }
                try {
                    DeployManifestChecker.verify(deploymentRuleSet, codeSource.getLocation(), true, appInfo);
                } catch (SecurityException e) {
                    Trace.ignored(e);
                    // NOTE(review): as above, validation continues below if this dialog
                    // call returns after a failed manifest check; confirm it aborts.
                    BlockedDialog.show(appInfo, null, null, e, codeSource, deploymentRuleSet);
                }
                ensureBasicStoresLoaded();
                // One list entry per signer chain.
                List breakDownMultiSignerChains = breakDownMultiSignerChains(certificates);
                PerfLogger.setTime("Security: End break certificate chain");
                if (haveValidatorSupport()) {
                    Trace.msgSecurityPrintln("trustdecider.check.validate.certpath.algorithm");
                    long j = 0;
                    Iterator it = breakDownMultiSignerChains.iterator();
                    // i is the index of the current chain; it advances for skipped chains too.
                    int i = 0;
                    while (it.hasNext()) {
                        List list = (List) it.next();
                        X509Certificate[] x509CertificateArr = (X509Certificate[]) list.toArray(new X509Certificate[list.size()]);
                        // A chain can be skipped only while another chain follows; the
                        // last chain is always validated.
                        if (it.hasNext() && deploymentRuleSet.skipThisCertArray(x509CertificateArr)) {
                            Trace.println("Skipping cert chain - using DRS run rule for differand cert hash", TraceLevel.RULESET);
                        } else {
                            j = validateChain(x509CertificateArr, codeSource, i, appInfo, deploymentRuleSet, preloader, false);
                            if (j != 0) {
                                // First chain with a non-zero decision wins.
                                if (deploymentRuleSet.isRuleRun()) {
                                    SandboxSecurity.checkRunRuleMessage(deploymentRuleSet, codeSource.getLocation(), appInfo, x509CertificateArr[0]);
                                }
                                return j;
                            }
                        }
                        i++;
                    }
                    // Reached only when no chain returned a non-zero decision.
                    if (j == 0) {
                        notifyOnUserDeclined(preloader, codeSource.getLocation() != null ? codeSource.getLocation().toString() : null);
                    }
                } else {
                    // Legacy path: the root stores are loaded here, on demand.
                    Trace.msgSecurityPrintln("trustdecider.check.validate.legacy.algorithm");
                    rootStore.load();
                    if (browserRootStore != null) {
                        browserRootStore.load();
                    }
                    if (CertValidator.validate(codeSource, appInfo, certificates, breakDownMultiSignerChains.size(), rootStore, browserRootStore, browserTrustedStore, sessionStore, permanentStore, deniedStore, deploymentRuleSet)) {
                        if (deploymentRuleSet.isRuleRun()) {
                            SandboxSecurity.checkRunRuleMessage(deploymentRuleSet, codeSource.getLocation(), appInfo, certificates[0] instanceof X509Certificate ? (X509Certificate) certificates[0] : null);
                        }
                        return 1L;
                    }
                }
                return 0L;
            } finally {
                releaseDeployLock();
            }
        } catch (InterruptedException e2) {
            throw new RuntimeException(e2);
        }
    }

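    /**
     * Checks that the timestamping authority's certification path chains to a trusted
     * root.
     *
     * <p>The trust anchors are looked up for the last certificate of the path, and the
     * whole path is validated with a PKIX validator of variant {@code "tsa server"}
     * restricted to those anchors. Every failure yields {@code false}: an empty path, no
     * matching anchors, or any of the caught exceptions. Only the exception message is
     * written to the security trace.
     *
     * @param certPath certification path of the timestamp signer
     * @param lazyRootStore2 root store used to find trust anchors
     * @return {@code true} only when validation completed without an exception
     */
    private static boolean checkTSAPath(CertPath certPath, LazyRootStore lazyRootStore2) {
        Trace.msgSecurityPrintln("trustdecider.check.timestamping.tsapath");
        List<? extends Certificate> certificates = certPath.getCertificates();
        if (certificates.isEmpty()) {
            // An empty path has no last certificate to anchor; without this guard the
            // lookup below would index element -1. Treat it as untrusted.
            return false;
        }
        X509Certificate[] x509CertificateArr = (X509Certificate[]) certificates.toArray(new X509Certificate[certificates.size()]);
        try {
            LazyRootStore.TrustedRootResult trustAnchors = lazyRootStore2.getTrustAnchors(x509CertificateArr[x509CertificateArr.length - 1]);
            List<X509Certificate> matchedCAList = trustAnchors == null ? null : trustAnchors.getMatchedCAList();
            if (matchedCAList == null) {
                // No root matches the top of the path.
                return false;
            }
            // validate() signals rejection by throwing; a normal return means accepted.
            Validator.getInstance("PKIX", "tsa server", matchedCAList).validate(x509CertificateArr);
            return true;
        } catch (IOException e) {
            Trace.msgSecurityPrintln(e.getMessage());
            return false;
        } catch (KeyStoreException e2) {
            Trace.msgSecurityPrintln(e2.getMessage());
            return false;
        } catch (NoSuchAlgorithmException e3) {
            Trace.msgSecurityPrintln(e3.getMessage());
            return false;
        } catch (CertificateException e4) {
            Trace.msgSecurityPrintln(e4.getMessage());
            return false;
        }
    }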

    /**
     * Returns the signing time asserted by the timestamp of signer {@code i}, or
     * {@code null} when that timestamp cannot be used.
     *
     * <p>A timestamp is used only if all of the following hold: the code source has a
     * signer at index {@code i}; that signer carries a timestamp; the timestamp lies
     * strictly after {@code notBefore} and strictly before {@code notAfter} of the
     * signing certificate (element 0 of the chain); and {@code checkTSAPath} accepts the
     * timestamp signer's certification path.
     *
     * @param codeSource code source whose signers are inspected
     * @param i index of the signer to look at
     * @param x509CertificateArr signer chain; only element 0 is read
     * @param lazyRootStore2 root store passed on to the TSA path check
     * @return the timestamp date, or {@code null}
     */
    private static Date getTimeStampInfo(CodeSource codeSource, int i, X509Certificate[] x509CertificateArr, LazyRootStore lazyRootStore2) {
        try {
            Trace.msgSecurityPrintln("trustdecider.check.timestamping.need");
            CodeSigner[] signers = codeSource.getCodeSigners();
            if (signers == null || i + 1 > signers.length) {
                return null;
            }

            Timestamp signedStamp = signers[i].getTimestamp();
            if (signedStamp == null) {
                Trace.msgSecurityPrintln("trustdecider.check.timestamping.no");
                return null;
            }
            Trace.msgSecurityPrintln("trustdecider.check.timestamping.yes");

            Date stampedAt = signedStamp.getTimestamp();
            CertPath tsaPath = signedStamp.getSignerCertPath();
            X509Certificate signingCert = x509CertificateArr[0];
            Date validUntil = signingCert.getNotAfter();
            Date validFrom = signingCert.getNotBefore();

            // Both bounds are exclusive.
            boolean insideValidity = stampedAt.before(validUntil) && stampedAt.after(validFrom);
            if (!insideValidity) {
                Trace.msgSecurityPrintln("trustdecider.check.timestamping.invalid");
                return null;
            }
            Trace.msgSecurityPrintln("trustdecider.check.timestamping.valid");

            // The timestamp counts only when its signer chains to a trusted root.
            if (!checkTSAPath(tsaPath, lazyRootStore2)) {
                Trace.msgSecurityPrintln("trustdecider.check.timestamping.notinca");
                return null;
            }
            Trace.msgSecurityPrintln("trustdecider.check.timestamping.inca");
            return stampedAt;
        } catch (NoSuchMethodError e) {
            // The timestamp API is missing at run time; treat the jar as not timestamped.
            Trace.msgSecurityPrintln("trustdecider.check.timestamping.notfound");
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the location string under which a trust decision is stored.
     *
     * <p>The string starts with the location of {@code url} and, when {@code appInfo} is
     * given, is extended with {@code ##jnlp:}, {@code ##docbase:} and {@code ##from:}
     * segments for the values that are present. When the JNLP source is unknown, the
     * {@code ##jnlp:} segment carries an alias derived from the application arguments
     * hash instead of a URL.
     *
     * <p>NOTE(review): the segments are concatenated without escaping; whether
     * {@code URLUtil.urlToLocation} can return text containing {@code ##} is not visible
     * here and matters for the uniqueness of the key.
     *
     * @param url code location, may yield no text
     * @param appInfo application description, may be {@code null}
     * @return the assembled key, possibly empty
     */
    public static String getLocString(URL url, AppInfo appInfo) {
        StringBuilder key = new StringBuilder();

        String codeLocation = URLUtil.urlToLocation(url);
        if (codeLocation != null) {
            key.append(codeLocation);
        }
        if (appInfo == null) {
            return key.toString();
        }

        String jnlpPart;
        if (appInfo.isJNLPSourceUnknown()) {
            jnlpPart = CertUtils.hashToAlias(appInfo.getAppArgsHashString());
        } else {
            URL mainJnlp = appInfo.getMainJNLP();
            if (mainJnlp != null) {
                jnlpPart = URLUtil.urlToLocation(mainJnlp);
            } else {
                jnlpPart = null;
            }
        }
        if (jnlpPart != null) {
            key.append("##jnlp:").append(jnlpPart);
        }

        if (appInfo.getDocumentBase() != null) {
            key.append("##docbase:").append(URLUtil.urlToLocation(appInfo.getDocumentBase()));
        }
        if (appInfo.getFrom() != null) {
            key.append("##from:").append(URLUtil.urlToLocation(appInfo.getFrom()));
        }
        return key.toString();
    }

    /**
     * Flags the current application context by storing the string {@code "true"} under
     * {@code ROOT_CA_NOT_VALID}.
     */
    private static void setSelfSignedUsage() {
        AppContext context = ToolkitStore.get().getAppContext();
        context.put(ROOT_CA_NOT_VALID, "true");
    }

    /* JADX INFO: Access modifiers changed from: protected */
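    /**
     * Verifies the permissions manifest of the main jar when the rule set requires one.
     *
     * <p>The application context holds the main class name under
     * {@code Config.APPCONTEXT_MAIN_CLASS_KEY} until the main jar has been verified, and
     * the string {@code "true"} afterwards. The cached copy of {@code url} is opened and
     * searched for the main class: a jar without it is traced as a non-main jar and left
     * alone; the jar containing it is passed to
     * {@code DeployManifestChecker.verifyMainJar} and the context entry is then set to
     * {@code "true"}.
     *
     * <p>NOTE(review): an {@link IOException} while opening the cached jar skips the
     * manifest check for this jar. That best-effort behaviour is kept, but the exception
     * is now traced instead of being dropped silently; confirm that skipping is
     * acceptable when the permissions manifest is required.
     *
     * @param deploymentRuleSet rule set that decides whether the check applies
     * @param url location of the jar to inspect
     * @param appInfo application description passed to the manifest checker
     * @param z passed through to {@code DeployManifestChecker.verifyMainJar}
     */
    public static void checkMainJarManifest(DeploymentRuleSet deploymentRuleSet, URL url, AppInfo appInfo, boolean z) {
        if (!deploymentRuleSet.isPermissionsManifestRequired()) {
            return;
        }
        AppContext appContext = ToolkitStore.get().getAppContext();
        String str = (String) appContext.get(Config.APPCONTEXT_MAIN_CLASS_KEY);
        String str2 = (String) appContext.get(Config.APPCONTEXT_KEY_PREFIX + url);
        if (str == null || str.equals("true")) {
            // No main class recorded, or the main jar was already verified.
            return;
        }
        try {
            JarFile jarFile = new JarFile(ResourceProvider.get().getCachedResourceFilePath(url, str2), false);
            try {
                if (str.endsWith(".class")) {
                    str = str.substring(0, str.length() - ".class".length());
                }
                if (jarFile.getJarEntry(str.replace('.', '/') + ".class") == null) {
                    Trace.println("Verified non-main jar: " + url, TraceLevel.SECURITY);
                    return;
                }
                Trace.println("Verifying permission attribute in main jar: " + url, TraceLevel.SECURITY);
                DeployManifestChecker.verifyMainJar(deploymentRuleSet, url, z, appInfo);
                appContext.put(Config.APPCONTEXT_MAIN_CLASS_KEY, "true");
            } finally {
                // Close the jar on every path. A close failure is traced on its own so it
                // cannot replace an exception thrown by the verification above.
                try {
                    jarFile.close();
                } catch (IOException closeFailure) {
                    Trace.ignored(closeFailure);
                }
            }
        } catch (IOException e) {
            Trace.ignored(e);
        }
    }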

    // Class initialisation. The statements are kept in the order the decompiler
    // recovered them.
    static {
        deployLock = null;
        // Overwrites the null assigned on the previous line.
        deployLock = new DeployLock();
        // reset() is defined outside this view.
        reset();
        PRE_TRUSTED_NAMESPACES = new String[]{SUN_NAMESPACE, ORACLE_NAMESPACE};
        // Arrays.asList returns a fixed-size view backed by the array, so a later write
        // to PRE_TRUSTED_NAMESPACES would show through in preTrustList.
        preTrustList = Arrays.asList(PRE_TRUSTED_NAMESPACES);
        // Both flags start cleared, so the first ensureBasicStoresLoaded() call loads
        // every store.
        storesLoaded = false;
        reloadDeniedStore = false;
    }
}
