package com.sun.deploy.security;

import com.sun.deploy.config.Config;
import com.sun.deploy.resources.ResourceManager;
import com.sun.deploy.trace.Trace;
import com.sun.deploy.trace.TraceLevel;
import java.io.File;
import java.io.IOException;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Random;
import java.util.Set;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.x509.AccessDescription;
import sun.security.x509.AuthorityInfoAccessExtension;
import sun.security.x509.CRLDistributionPointsExtension;
import sun.security.x509.NetscapeCertTypeExtension;
import sun.security.x509.X509CertImpl;

/* loaded from: input_file:com/sun/deploy/security/CertUtils.class */
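/**
 * Certificate helpers used by the deploy trust decider: code-signing usage
 * checks on a chain, TLS client-auth usage checks, display names for DNs,
 * revocation-pointer (CRL DP / AIA-OCSP) presence checks, keystore alias
 * bookkeeping, hostname wildcard matching and certificate fingerprints.
 *
 * <p>All methods are static and stateless. Nothing here verifies a signature,
 * builds a path or contacts a CRL/OCSP responder; those steps live elsewhere.
 * The usage checks throw {@link CertificateException} with a localized
 * message whose resource key is also written to the security trace.
 */
public class CertUtils {
    // X.509 extension OIDs (RFC 5280) plus the legacy Netscape cert-type extension.
    private static final String OID_BASIC_CONSTRAINTS = "2.5.29.19";
    private static final String OID_KEY_USAGE = "2.5.29.15";
    private static final String OID_EXTENDED_KEY_USAGE = "2.5.29.37";
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";
    // Extended key usage purposes.
    private static final String OID_EKU_ANY_USAGE = "2.5.29.37.0";
    private static final String OID_EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    private static final String OID_EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    private static final String OID_EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    private static final String OID_EKU_TIME_STAMPING = "1.3.6.1.5.5.7.3.8";
    // Revocation pointers: CRL distribution points and authority information access.
    private static final String OID_CRL = "2.5.29.31";
    private static final String OID_AIA = "1.3.6.1.5.5.7.1.1";
    // Bit names understood by sun.security.x509.NetscapeCertTypeExtension.get(String).
    private static final String NSCT_OBJECT_SIGNING_CA = "object_signing_ca";
    private static final String NSCT_OBJECT_SIGNING = "object_signing";
    private static final String NSCT_SSL_CA = "ssl_ca";
    private static final String NSCT_S_MIME_CA = "s_mime_ca";
    private static final String NSCT_S_MIME = "s_mime";
    private static final String NSCT_SSL_CLIENT = "ssl_client";
    private static final String NSCT_SSL_SERVER = "ssl_server";
    // Indices into the boolean[] returned by X509Certificate.getKeyUsage() (RFC 5280 4.2.1.3).
    private static final int KU_SIGNATURE = 0;     // digitalSignature
    private static final int KU_KEY_CERT_SIGN = 5; // keyCertSign
    // Alias markers used by add()/contains(): TSFLAG tags an entry stored with the boolean
    // flag set (presumably "timestamped" -- confirm against callers); LOCFLAG prefixes the
    // location string the entry is scoped to.
    static final String TSFLAG = "$tsflag";
    static final String LOCFLAG = "$loc=";
    // Legacy class-literal cache (javac -target 1.4 idiom); retained for binary compatibility,
    // the reflection path below uses plain class literals instead.
    static Class class$java$lang$String;
    static Class class$sun$security$x509$NetscapeCertTypeExtension;
    private static final char[] HEX_DIGITS = {
        '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'
    };

    /**
     * Creates an empty in-memory JKS keystore.
     *
     * @return the keystore, or {@code null} if {@code KeyStore.getInstance("JKS")}
     *         fails; if only {@code load} fails the (uninitialised) instance is
     *         still returned, as before -- callers should treat both as failure
     */
    public static KeyStore createEmptyKeyStore() {
        KeyStore keyStore = null;
        try {
            keyStore = KeyStore.getInstance("JKS");
            keyStore.load(null, null);
        } catch (Exception e) {
            Trace.ignoredException(e);
        }
        return keyStore;
    }

    /**
     * Code-signing usage check for a non-timestamping certificate; see
     * {@link #checkUsageForCodeSigning(X509Certificate, int, boolean)}.
     */
    public static void checkUsageForCodeSigning(X509Certificate x509Certificate, int i) throws CertificateException, IOException {
        checkUsageForCodeSigning(x509Certificate, i, false);
    }

    /**
     * Verifies that a certificate at position {@code i} of a chain is acceptable
     * for code signing: basic constraints / Netscape cert type, key usage and
     * extended key usage, and no unrecognised critical extension.
     *
     * @param x509Certificate the certificate to check
     * @param i               0 for the end-entity (signer) certificate, otherwise
     *                        the certificate's distance from the leaf
     * @param z               {@code true} when the leaf is a time-stamping
     *                        authority certificate (EKU timeStamping accepted
     *                        instead of codeSigning)
     * @throws CertificateException if any check fails; the message is localized
     *                              and the resource key is traced
     * @throws IOException          if the Netscape cert-type extension cannot be parsed
     */
    public static void checkUsageForCodeSigning(X509Certificate x509Certificate, int i, boolean z) throws CertificateException, IOException {
        Set<String> critical = x509Certificate.getCriticalExtensionOIDs();
        // Work on a private copy: each helper removes the critical OIDs it understands,
        // and whatever is left must be rejected (RFC 5280 4.2). The set returned by a
        // non-JDK certificate implementation may be unmodifiable.
        Set<String> unhandled = critical == null ? new HashSet<String>() : new HashSet<String>(critical);
        if (!checkBasicConstraintsForCodeSigning(x509Certificate, unhandled, i)) {
            throw rejected("trustdecider.check.basicconstraints");
        }
        if (i == 0) {
            if (!checkLeafKeyUsageForCodeSigning(x509Certificate, unhandled, z)) {
                throw rejected("trustdecider.check.leafkeyusage");
            }
        } else if (!checkSignerKeyUsage(x509Certificate, unhandled)) {
            throw rejected("trustdecider.check.signerkeyusage");
        }
        if (!unhandled.isEmpty()) {
            // An unknown critical extension must fail the certificate, not be ignored.
            throw rejected("trustdecider.check.extensions");
        }
    }

    /** Traces the resource key and builds the localized exception the caller throws. */
    private static CertificateException rejected(String messageKey) {
        Trace.msgSecurityPrintln(messageKey);
        return new CertificateException(ResourceManager.getMessage(messageKey));
    }

    /**
     * CA checks for a chain element at distance {@code depth} from the leaf.
     * The leaf itself (depth 0) is always accepted here. A CA certificate must
     * carry either basicConstraints with cA=true and a pathLen that covers
     * {@code depth - 1} subordinates, or (when basicConstraints is absent) the
     * Netscape object_signing_ca bit. Removes the two OIDs it understands from
     * {@code unhandled}.
     */
    private static boolean checkBasicConstraintsForCodeSigning(X509Certificate cert, Set<String> unhandled, int depth) throws CertificateException, IOException {
        unhandled.remove(OID_BASIC_CONSTRAINTS);
        unhandled.remove(OID_NETSCAPE_CERT_TYPE);
        if (depth == 0) {
            return true;
        }
        boolean hasNetscapeType = cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE) != null;
        if (cert.getExtensionValue(OID_BASIC_CONSTRAINTS) == null) {
            // No basicConstraints: fall back to the legacy Netscape CA bit, if present.
            if (!hasNetscapeType) {
                Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.extensionvalue");
                return false;
            }
            if (!getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA)) {
                Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.certtypebit");
                return false;
            }
            return true;
        }
        // Both extensions present: a Netscape type that names other CA roles but not
        // object_signing_ca explicitly excludes this CA from code signing.
        if (hasNetscapeType
                && !getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA)
                && (getNetscapeCertTypeBit(cert, NSCT_SSL_CA) || getNetscapeCertTypeBit(cert, NSCT_S_MIME_CA))) {
            Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.bitvalue");
            return false;
        }
        // getBasicConstraints(): -1 when cA is false, else the pathLen (MAX_VALUE if unbounded).
        int pathLen = cert.getBasicConstraints();
        if (pathLen < 0) {
            Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.enduser");
            return false;
        }
        if (depth - 1 > pathLen) {
            Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.pathlength");
            return false;
        }
        return true;
    }

    /**
     * End-entity checks: if keyUsage is present it must assert digitalSignature;
     * if extendedKeyUsage is present it must contain anyExtendedKeyUsage or
     * codeSigning (timeStamping when {@code timestamping}); if the Netscape
     * cert-type extension is present its object_signing bit must be set.
     * Absent extensions are permissive. Removes the consumed OIDs from {@code unhandled}.
     */
    private static boolean checkLeafKeyUsageForCodeSigning(X509Certificate cert, Set<String> unhandled, boolean timestamping) throws CertificateException, IOException {
        unhandled.remove(OID_KEY_USAGE);
        boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage != null) {
            if (keyUsage.length == 0) {
                Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.length");
                return false;
            }
            if (!keyUsage[KU_SIGNATURE]) {
                Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.digitalsignature");
                return false;
            }
        }
        List extendedKeyUsage = X509Util.getExtendedKeyUsage(cert);
        if (extendedKeyUsage != null && hasExtension(cert, unhandled, OID_EXTENDED_KEY_USAGE)) {
            unhandled.remove(OID_EXTENDED_KEY_USAGE);
            String required = timestamping ? OID_EKU_TIME_STAMPING : OID_EKU_CODE_SIGNING;
            if (!extendedKeyUsage.contains(OID_EKU_ANY_USAGE) && !extendedKeyUsage.contains(required)) {
                Trace.msgSecurityPrintln(timestamping
                        ? "trustdecider.check.leafkeyusage.tsaextkeyusageinfo"
                        : "trustdecider.check.leafkeyusage.extkeyusageinfo");
                return false;
            }
        }
        if (cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE) != null && !getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING)) {
            Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.certtypebit");
            return false;
        }
        return true;
    }

    /**
     * CA (issuer) checks: if keyUsage is present it must assert keyCertSign; if
     * extendedKeyUsage is present it must contain anyExtendedKeyUsage or
     * codeSigning. Absent extensions are permissive. Removes the consumed OIDs
     * from {@code unhandled}.
     */
    private static boolean checkSignerKeyUsage(X509Certificate cert, Set<String> unhandled) throws CertificateException, IOException {
        unhandled.remove(OID_KEY_USAGE);
        boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage != null && (keyUsage.length <= KU_KEY_CERT_SIGN || !keyUsage[KU_KEY_CERT_SIGN])) {
            Trace.msgSecurityPrintln("trustdecider.check.signerkeyusage.lengthandbit");
            return false;
        }
        List extendedKeyUsage = X509Util.getExtendedKeyUsage(cert);
        if (extendedKeyUsage == null || !hasExtension(cert, unhandled, OID_EXTENDED_KEY_USAGE)) {
            return true;
        }
        unhandled.remove(OID_EXTENDED_KEY_USAGE);
        if (extendedKeyUsage.contains(OID_EKU_ANY_USAGE) || extendedKeyUsage.contains(OID_EKU_CODE_SIGNING)) {
            return true;
        }
        Trace.msgSecurityPrintln("trustdecider.check.signerkeyusage.keyusage");
        return false;
    }

    /**
     * True when {@code oid} is in the tracked critical set or in the
     * certificate's non-critical set. Null-safe: some implementations return
     * {@code null} instead of an empty set from getNonCriticalExtensionOIDs().
     */
    private static boolean hasExtension(X509Certificate cert, Set<String> critical, String oid) {
        if (critical.contains(oid)) {
            return true;
        }
        Set<String> nonCritical = cert.getNonCriticalExtensionOIDs();
        return nonCritical != null && nonCritical.contains(oid);
    }

    /**
     * Reads one bit of the Netscape cert-type extension.
     *
     * @param x509Certificate certificate to inspect
     * @param str             bit name, one of the {@code NSCT_*} constants
     * @return the bit value, or {@code false} when the extension is absent
     * @throws IOException          if the extension value is not a DER OCTET STRING
     *                              wrapping a BIT STRING
     * @throws CertificateException propagated from the extension parser
     */
    public static boolean getNetscapeCertTypeBit(X509Certificate x509Certificate, String str) throws CertificateException, IOException {
        byte[] wrapped = x509Certificate.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
        if (wrapped == null) {
            return false;
        }
        // getExtensionValue() returns the DER OCTET STRING; unwrap it, then read the BIT STRING.
        byte[] bits = new DerValue(new DerInputStream(wrapped).getOctetString()).getUnalignedBitString().toByteArray();
        NetscapeCertTypeExtension extension = new NetscapeCertTypeExtension(bits);
        // NetscapeCertTypeExtension.get(String) is only directly callable on 1.8+; older
        // runtimes go through a privileged reflective call.
        Boolean value = Config.isJavaVersionAtLeast18()
                ? (Boolean) extension.get(str)
                : callPre18NetscapeCertTypeExtensionGet(extension, str);
        return value.booleanValue();
    }

    /**
     * True when keyUsage is absent (permissive) or asserts bit {@code i}.
     * A keyUsage array too short to contain bit {@code i} counts as not asserted.
     */
    private static boolean checkKeyUsage(X509Certificate x509Certificate, int i) {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            return true;
        }
        return keyUsage.length > i && keyUsage[i];
    }

    /** True when extendedKeyUsage is absent (permissive) or lists {@code str} or anyExtendedKeyUsage. */
    private static boolean checkEKU(X509Certificate x509Certificate, String str) throws CertificateException {
        List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
        return extendedKeyUsage == null
                || extendedKeyUsage.contains(str)
                || extendedKeyUsage.contains(OID_EKU_ANY_USAGE);
    }

    /**
     * Checks that a certificate may be offered for TLS client authentication:
     * digitalSignature (if keyUsage present) and clientAuth (if EKU present).
     *
     * @return {@code true} when usable; the failing check is traced otherwise
     */
    public static boolean checkTLSClient(X509Certificate x509Certificate) throws CertificateException {
        if (!checkKeyUsage(x509Certificate, KU_SIGNATURE)) {
            Trace.msgSecurityPrintln("clientauth.checkTLSClient.checkKeyUsage");
            return false;
        }
        if (!checkEKU(x509Certificate, OID_EKU_CLIENT_AUTH)) {
            Trace.msgSecurityPrintln("clientauth.checkTLSClient.checkEKU");
            return false;
        }
        return true;
    }

    /**
     * True when the issuer name of {@code x509Certificate} equals the subject
     * name of {@code x509Certificate2}.
     *
     * <p>This is a name comparison only: no signature is verified, so a match
     * does not prove that the second certificate issued the first. It uses the
     * deprecated {@code getIssuerDN()/getSubjectDN()} {@code Principal.equals},
     * which is kept as-is so existing matching behaviour is unchanged.
     */
    public static boolean isIssuerOf(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        return x509Certificate.getIssuerDN().equals(x509Certificate2.getSubjectDN());
    }

    /**
     * Returns the value following marker {@code str2} (e.g. {@code "CN="}) in a
     * DN string: a quoted value up to the closing quote, otherwise up to the
     * next comma or end of string.
     *
     * <p>This is a naive substring scan meant for display names only -- the
     * marker is matched anywhere in the string, including inside another
     * attribute's quoted value, and escapes are not honoured. Do not use it for
     * policy decisions.
     *
     * @return the extracted text, or {@code null} when the marker is absent or
     *         nothing follows it
     */
    private static String extractFromQuote(String str, String str2) {
        if (str == null) {
            return null;
        }
        int start = str.indexOf(str2);
        if (start < 0) {
            return null;
        }
        start += str2.length();
        // Marker at the very end (empty attribute): previously threw
        // StringIndexOutOfBoundsException, now treated as "no value".
        if (start >= str.length()) {
            return null;
        }
        int end;
        if (str.charAt(start) == '"') {
            start++;
            end = str.indexOf('"', start);
        } else {
            end = str.indexOf(',', start);
        }
        return end < 0 ? str.substring(start) : str.substring(start, end);
    }

    /**
     * Human-readable name for the certificate subject: its CN, else a formatted
     * O/OU pair, else the localized "unknown subject" text. Never throws.
     */
    public static String extractSubjectAliasName(X509Certificate x509Certificate) {
        String unknown = ResourceManager.getMessage("config.unknownSubject");
        try {
            return displayNameFromDN(x509Certificate.getSubjectDN().getName(), unknown);
        } catch (Exception e) {
            Trace.ignoredException(e);
            return unknown;
        }
    }

    /**
     * Human-readable name for the certificate issuer: its CN, else a formatted
     * O/OU pair, else the localized "unknown issuer" text. Never throws.
     */
    public static String extractIssuerAliasName(X509Certificate x509Certificate) {
        String unknown = ResourceManager.getMessage("config.unknownIssuer");
        try {
            return displayNameFromDN(x509Certificate.getIssuerDN().getName(), unknown);
        } catch (Exception e) {
            Trace.ignoredException(e);
            return unknown;
        }
    }

    /**
     * Shared body of the two alias-name extractors: CN wins; otherwise O and OU
     * are rendered through the "config.certShowOOU" pattern with missing parts
     * blanked; if neither exists {@code fallback} is returned.
     */
    private static String displayNameFromDN(String dn, String fallback) {
        String commonName = extractFromQuote(dn, "CN=");
        if (commonName != null) {
            return commonName;
        }
        String org = extractFromQuote(dn, "O=");
        String orgUnit = extractFromQuote(dn, "OU=");
        if (org == null && orgUnit == null) {
            return fallback;
        }
        Object[] args = { org == null ? "" : org, orgUnit == null ? "" : orgUnit };
        return new MessageFormat(ResourceManager.getMessage("config.certShowOOU")).format(args);
    }

    /**
     * Last-modified time of {@code str}, read under doPrivileged so the caller's
     * (possibly sandboxed) protection domain does not need file permission.
     *
     * @return the timestamp in milliseconds, or 0 when the file does not exist
     *         or cannot be read ({@link File#lastModified} semantics); a
     *         {@link SecurityException} from the privileged action propagates
     */
    public static long getFileLastModified(final String str) {
        Long modified = AccessController.doPrivileged(new PrivilegedAction<Long>() {
            @Override
            public Long run() {
                return Long.valueOf(new File(str).lastModified());
            }
        });
        return modified.longValue();
    }

    /**
     * Reports whether the certificate carries a CRL distribution points
     * extension, logging the subject and the parsed extension to the security
     * trace. Nothing is fetched or validated here.
     *
     * @throws IOException if the extension value cannot be parsed
     */
    static boolean getCertCRLExtension(X509Certificate x509Certificate) throws IOException {
        byte[] value = x509Certificate.getExtensionValue(OID_CRL);
        if (value == null) {
            Trace.msgSecurityPrintln("trustdecider.check.validation.crl.notfound");
            return false;
        }
        if (value[0] == 4) {
            // Tag 0x04: strip the OCTET STRING wrapper getExtensionValue() adds.
            value = new DerValue(value).getOctetString();
        }
        Trace.msgSecurityPrintln(extractSubjectAliasName(x509Certificate));
        Trace.msgSecurityPrintln(new CRLDistributionPointsExtension(Boolean.FALSE, value).toString());
        return true;
    }

    /**
     * Reports whether the certificate's authority-information-access extension
     * lists an OCSP access method. Only presence is checked; no responder is
     * contacted. The extension is logged to the security trace when found.
     *
     * @throws IOException if the extension value cannot be parsed
     */
    static boolean hasAIAExtensionWithOCSPAccessMethod(X509Certificate x509Certificate) throws IOException {
        AuthorityInfoAccessExtension aia;
        if (x509Certificate instanceof X509CertImpl) {
            // Fast path: the JDK implementation exposes the parsed extension directly
            // (null when absent, without the "notfound" trace below).
            aia = ((X509CertImpl) x509Certificate).getAuthorityInfoAccessExtension();
        } else {
            byte[] value = x509Certificate.getExtensionValue(OID_AIA);
            if (value == null) {
                Trace.msgSecurityPrintln("trustdecider.check.validation.ocsp.notfound");
                return false;
            }
            if (value[0] == 4) {
                value = new DerValue(value).getOctetString();
            }
            Trace.msgSecurityPrintln(extractSubjectAliasName(x509Certificate));
            aia = new AuthorityInfoAccessExtension(Boolean.FALSE, value);
        }
        if (aia == null) {
            return false;
        }
        Trace.msgSecurityPrintln(aia.toString());
        for (Iterator it = aia.getAccessDescriptions().iterator(); it.hasNext();) {
            AccessDescription description = (AccessDescription) it.next();
            if (AccessDescription.Ad_OCSP_Id.equals(description.getAccessMethod())) {
                return true;
            }
        }
        return false;
    }

    /**
     * True when {@code str} matches any entry of {@code arrayList} under
     * {@link #checkWildcardDomain}. A {@code null} list matches nothing.
     */
    public static boolean checkWildcardDomainList(String str, ArrayList arrayList) {
        if (arrayList == null) {
            return false;
        }
        for (Object pattern : arrayList) {
            if (checkWildcardDomain(str, (String) pattern)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Case-insensitive host/pattern match. Exact (trimmed) equality matches;
     * otherwise the pattern must contain {@code "*."}, the text before the
     * {@code *} must hold no dot, and the host must start with that prefix, end
     * with the text after the {@code *}, and be at least as long as the pattern
     * (so the {@code *} stands for at least one character).
     *
     * <p>NOTE(review): the suffix match is {@code endsWith}, so {@code *} may
     * span several labels ({@code *.example.com} also matches
     * {@code a.b.example.com}) and a short pattern such as {@code *.com}
     * matches every host under that suffix. RFC 6125 wildcard matching is
     * single-label; whether callers rely on the broader form cannot be
     * determined here, so behaviour is unchanged.
     */
    private static boolean checkWildcardDomain(String str, String str2) {
        if (str == null || str.length() == 0 || str2 == null || str2.length() == 0) {
            return false;
        }
        String pattern = str2.trim();
        String host = str.trim();
        if (pattern.equalsIgnoreCase(host)) {
            return true;
        }
        int star = pattern.indexOf("*.");
        if (star == -1) {
            return false;
        }
        String prefix = pattern.substring(0, star);
        String suffix = pattern.substring(star + 1);
        // The length test guarantees prefix and suffix cannot overlap inside the host.
        return !prefix.contains(".")
                && host.startsWith(prefix)
                && host.endsWith(suffix)
                && host.length() >= pattern.length();
    }

    /**
     * Names a server certificate can be matched against: the dNSName entries
     * (GeneralName type 2) of subjectAltName when present, otherwise a single
     * element holding the display subject name from
     * {@link #extractSubjectAliasName} (a naive CN parse, not a validated
     * hostname). {@code NoSuchMethodError} is swallowed, presumably for
     * runtimes lacking {@code getSubjectAlternativeNames} -- confirm.
     */
    public static ArrayList getServername(X509Certificate x509Certificate) {
        ArrayList<String> names = new ArrayList<String>();
        try {
            Collection<List<?>> altNames = x509Certificate.getSubjectAlternativeNames();
            if (altNames != null) {
                for (List<?> entry : altNames) {
                    if (((Integer) entry.get(0)).intValue() == 2) {
                        names.add((String) entry.get(1));
                    }
                }
                if (!names.isEmpty()) {
                    return names;
                }
            }
        } catch (NoSuchMethodError e) {
            Trace.ignored(e);
        } catch (CertificateException e) {
            Trace.ignored(e);
        }
        names.add(extractSubjectAliasName(x509Certificate));
        return names;
    }

    /**
     * Pre-1.8 path for {@code NetscapeCertTypeExtension.get(String)}: invoked
     * reflectively inside doPrivileged so a security manager does not block the
     * sun.* access. Any failure is traced and reported as {@code FALSE}.
     */
    private static Boolean callPre18NetscapeCertTypeExtensionGet(final NetscapeCertTypeExtension netscapeCertTypeExtension, final String str) {
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                try {
                    Object result = NetscapeCertTypeExtension.class
                            .getDeclaredMethod("get", new Class<?>[] { String.class })
                            .invoke(netscapeCertTypeExtension, str);
                    if (result instanceof Boolean) {
                        return (Boolean) result;
                    }
                } catch (Exception e) {
                    Trace.ignored(e);
                }
                return Boolean.FALSE;
            }
        });
    }

    /**
     * Records {@code certificate} in {@code keyStore} as a trusted-certificate
     * entry whose alias is {@code str} plus the TSFLAG/LOCFLAG markers and a
     * uniqueness suffix.
     *
     * <p>If an entry for the same certificate already matches location
     * {@code str2}: it is left alone (and {@code true} returned) unless
     * {@code z} is set and the existing alias lacks TSFLAG, in which case the
     * old entry is deleted and a flagged one written.
     *
     * @return {@code true} when the certificate is present afterwards,
     *         {@code false} if the keystore raised {@link KeyStoreException}
     */
    public static boolean add(KeyStore keyStore, String str, Certificate certificate, String str2, boolean z) {
        try {
            for (String alias : getExistingAliases(keyStore, certificate)) {
                if (!matchingAlias(alias, str2)) {
                    continue;
                }
                if (!z || alias.indexOf(TSFLAG) > -1) {
                    return true;
                }
                // Upgrade: drop the unflagged entry and re-add it with TSFLAG below.
                keyStore.deleteEntry(alias);
            }
            String alias;
            do {
                // NOTE(review): alias layout is kept byte-for-byte with earlier versions --
                // absent markers are rendered as the literal text "null" (StringBuffer.append
                // of a null String) and the suffix is Random's identity toString
                // ("java.util.Random@..."). Only the TSFLAG/LOCFLAG markers are ever
                // parsed back; the loop guards against a suffix collision.
                alias = new StringBuffer()
                        .append(str)
                        .append(z ? TSFLAG : null)
                        .append(str2 != null ? LOCFLAG : null)
                        .append(str2)
                        .append(new Random())
                        .toString();
            } while (keyStore.getCertificate(alias) != null);
            keyStore.setCertificateEntry(alias, certificate);
            return true;
        } catch (KeyStoreException e) {
            Trace.ignored(e);
            return false;
        }
    }

    /**
     * True when {@code keyStore} holds {@code certificate} under an alias that
     * matches location {@code str} and, when {@code z} is set, carries TSFLAG.
     */
    public static boolean contains(KeyStore keyStore, Certificate certificate, String str, boolean z) {
        for (String alias : getExistingAliases(keyStore, certificate)) {
            if (matchingAlias(alias, str) && (!z || alias.indexOf(TSFLAG) >= 0)) {
                return true;
            }
        }
        return false;
    }

    /**
     * All aliases whose certificate equals {@code certificate} (encoding
     * comparison via {@link Certificate#equals}). Keystore errors are traced
     * and yield whatever was collected so far; never {@code null}.
     */
    private static String[] getExistingAliases(KeyStore keyStore, Certificate certificate) {
        List<String> matches = new ArrayList<String>();
        try {
            for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
                String alias = aliases.nextElement();
                if (certificate.equals(keyStore.getCertificate(alias))) {
                    matches.add(alias);
                }
            }
        } catch (KeyStoreException e) {
            Trace.ignored(e);
        }
        return matches.toArray(new String[matches.size()]);
    }

    /**
     * An alias without a LOCFLAG marker matches every location; one with a
     * marker matches when {@code LOCFLAG + str2} occurs in it.
     *
     * <p>NOTE(review): this is a substring test and the alias has no terminator
     * after the location, so a stored location that merely starts with
     * {@code str2} (e.g. "http://a.com/x" or "http://a.computer.evil" for
     * "http://a.com") also matches. Tightening this requires a terminator in
     * the alias format, which must stay compatible with already-written
     * entries; flagged rather than changed here.
     */
    private static boolean matchingAlias(String str, String str2) {
        return str.indexOf(LOCFLAG) < 0 || str.indexOf(LOCFLAG + str2) >= 0;
    }

    /** Appends the two upper-case hex digits of {@code b}. */
    private static void byte2hex(byte b, StringBuffer stringBuffer) {
        stringBuffer.append(HEX_DIGITS[(b & 0xF0) >> 4]);
        stringBuffer.append(HEX_DIGITS[b & 0x0F]);
    }

    /**
     * Upper-case hex digest of {@code bArr} under algorithm {@code str}
     * (e.g. "SHA-256"); {@code ""} when the algorithm is unavailable.
     */
    private static String getSecureHash(String str, byte[] bArr) {
        try {
            byte[] digest = MessageDigest.getInstance(str).digest(bArr);
            StringBuffer hex = new StringBuffer(digest.length * 2);
            for (byte b : digest) {
                byte2hex(b, hex);
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            Trace.ignored(e);
            return "";
        }
    }

    /**
     * Hex fingerprint of the certificate's DER encoding under algorithm
     * {@code str}, also written to the security trace; {@code ""} if the
     * certificate cannot be encoded.
     */
    public static String getCertificateFingerPrint(String str, X509Certificate x509Certificate) {
        try {
            String fingerprint = getSecureHash(str, x509Certificate.getEncoded());
            Trace.println(str + "Certificate finger print: " + fingerprint, TraceLevel.SECURITY);
            return fingerprint;
        } catch (CertificateEncodingException e) {
            Trace.ignored(e);
            return "";
        }
    }

    /**
     * Fingerprint of the first certificate of a chain (the signer), defaulting
     * to SHA-256 when {@code str} is {@code null}.
     *
     * @return the fingerprint, or {@code Config.VERSION_UPDATE_DEF} when the
     *         chain is empty or its first element is not an X509Certificate
     *         (a sentinel reused from Config -- confirm its meaning at callers)
     */
    public static String getMainCertHash(Certificate[] certificateArr, String str) {
        if (certificateArr == null || certificateArr.length == 0 || !(certificateArr[0] instanceof X509Certificate)) {
            return Config.VERSION_UPDATE_DEF;
        }
        String algorithm = str == null ? "SHA-256" : str;
        return getCertificateFingerPrint(algorithm, (X509Certificate) certificateArr[0]);
    }

    /**
     * Upper-case hex SHA-256 of {@code str}.
     *
     * <p>NOTE(review): encodes with the platform default charset, so the value
     * for non-ASCII input differs between platforms; kept as-is in case hashes
     * are persisted or compared across versions -- confirm before switching to
     * an explicit UTF-8 encoding.
     */
    public static String getSecureHashForString(String str) {
        return getSecureHash("SHA-256", str.getBytes());
    }

    /** Legacy class-literal loader (javac -target 1.4 idiom); kept for compatibility. */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }
}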
