package com.sun.deploy.security;

import com.sun.deploy.cache.SignedAsBlobJarFile;
import com.sun.deploy.model.DownloadDelegate;
import com.sun.deploy.net.JARSigningException;
import com.sun.deploy.resources.ResourceManager;
import com.sun.deploy.trace.Trace;
import com.sun.deploy.trace.TraceLevel;
import com.sun.deploy.uitoolkit.ToolkitStore;
import com.sun.deploy.util.BlackList;
import com.sun.deploy.util.DeployJavaUtilJarAccess;
import com.sun.deploy.util.JarUtil;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessController;
import java.security.AlgorithmParameters;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.CryptoPrimitive;
import java.security.PrivilegedAction;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.zip.ZipException;
import sun.security.pkcs.PKCS7;
import sun.security.pkcs.SignerInfo;
import sun.security.timestamp.TimestampToken;
import sun.security.util.DisabledAlgorithmConstraints;
import sun.security.util.KeyUtil;
import sun.security.util.SignatureFileVerifier;
import sun.security.x509.AlgorithmId;

/* loaded from: input_file:com/sun/deploy/security/JarVerifier.class */
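/**
 * Base class for the deployment JAR verifiers that {@link #create} tries in turn
 * ({@code JarAsBLOBVerifier}, {@code EnhancedJarVerifier}, {@code SimpleJarVerifier}).
 *
 * <p>It holds the bookkeeping the concrete verifiers share: the de-duplicated lists of signer
 * certificates and {@link CodeSigner}s, the per-entry arrays of indices into those lists, and
 * the {@link CodeSource} caches keyed by those index arrays.
 *
 * <p>No synchronization is visible in this class; the maps and lists are plain
 * {@link HashMap}/{@link ArrayList} instances and several getters return them without copying.
 */
public abstract class JarVerifier {
    /** App-context key under which {@link #setWeakAlgorithmMessage} stores its message. */
    private static final String WEAK_ALGORITHM_CTX_KEY = "jarverifier.weak.ctx_key";

    /** Security property naming the algorithms that are disabled for JAR signatures. */
    public static final String PROPERTY_JAR_DISABLED_ALGS = "jdk.jar.disabledAlgorithms";

    // The JAR being verified, as a local file.
    protected File jarFile;
    // Directory that top-level entries are copied into by authenticateJarEntry; may be null.
    protected File nativePath;
    // Location used for the CodeSource objects and for error reporting.
    protected URL jarLocation;
    protected String jarVersion;
    protected Manifest manifest;
    protected int[] singleSignerIndicesCert;
    protected int[] singleSignerIndicesCS;
    // Last weak-algorithm description produced by isJarWeaklySigned().
    private String signingInfoMessage;
    // When true, hasOnlySignedEntries() reports false regardless of the verification result.
    // Nothing in this class sets it.
    private static boolean TEST_INJECT_HAS_UNSIGNED = false;
    protected boolean hasSingleCodeSource = false;
    protected boolean hasOnlySignedEntries = false;
    protected boolean hasOnlyUnsignedEntries = true;
    protected boolean hasMissingSignedEntries = false;
    // Entry name -> indices into signerCerts.
    protected Map<String, int[]> signerMapCert = new HashMap<>();
    protected CodeSourceCache codeSourceCertCache = new CodeSourceCache();
    protected List<Certificate> signerCerts = new ArrayList<>();
    // Entry name -> indices into signersCS.
    protected Map<String, int[]> signerMap = new HashMap<>();
    protected CodeSourceCache codeSourceCache = new CodeSourceCache();
    protected List<CodeSigner> signersCS = new ArrayList<>();

    /**
     * Maps an array of signer indices to the {@link CodeSource} built for that signer set.
     * Keys are compared by array content, not by identity.
     */
    public static class CodeSourceCache {
        private final Map<IndicesKey, CodeSource> map = new HashMap<>();

        /**
         * Content-based hash key around an {@code int[]}. The decompiler notes that this
         * class was private in the original class file.
         */
        public static class IndicesKey {
            private final int[] indices;

            /**
             * @param iArr the signer indices; may be {@code null}. The array is copied, because
             *     callers keep using the same array (it is also stored in the signer maps that
             *     the enclosing verifier hands out) and a later write to it would otherwise
             *     change this key's hash while it sits in the map.
             */
            public IndicesKey(int[] iArr) {
                this.indices = iArr != null ? iArr.clone() : null;
            }

            /** Returns a copy of the wrapped indices, or {@code null} if none were given. */
            public int[] getIndices() {
                return this.indices != null ? this.indices.clone() : null;
            }

            @Override
            public int hashCode() {
                return 31 + Arrays.hashCode(this.indices);
            }

            @Override
            public boolean equals(Object obj) {
                if (this == obj) {
                    return true;
                }
                if (obj == null || getClass() != obj.getClass()) {
                    return false;
                }
                return Arrays.equals(this.indices, ((IndicesKey) obj).indices);
            }
        }

        /** Stores {@code codeSource} for the signer set {@code iArr}, replacing any equal key. */
        public void put(int[] iArr, CodeSource codeSource) {
            this.map.put(wrapKey(iArr), codeSource);
        }

        /** Returns the code source stored for {@code iArr}, or {@code null} if there is none. */
        public CodeSource get(int[] iArr) {
            return this.map.get(wrapKey(iArr));
        }

        /** Returns a read-only view of every cached code source. */
        public Collection<CodeSource> getCodeSources() {
            return Collections.unmodifiableCollection(this.map.values());
        }

        /**
         * Returns a copy of the index array of the first cached entry whose code source equals
         * {@code codeSource}, or {@code null} when no entry matches.
         */
        public int[] findMatchingIndices(CodeSource codeSource) {
            for (Map.Entry<IndicesKey, CodeSource> entry : this.map.entrySet()) {
                CodeSource cached = entry.getValue();
                if (cached != null && cached.equals(codeSource)) {
                    return entry.getKey().getIndices();
                }
            }
            return null;
        }

        private static IndicesKey wrapKey(int[] iArr) {
            return new IndicesKey(iArr);
        }
    }

    /**
     * Records what is to be verified; no I/O happens here. The decompiler notes that this
     * constructor was protected in the original class file.
     *
     * @param url location of the JAR, used for code sources and error reporting
     * @param str version string of the JAR
     * @param file the JAR as a local file
     * @param file2 directory to copy top-level entries into, or {@code null} to copy nothing
     */
    public JarVerifier(URL url, String str, File file, File file2) {
        this.jarFile = file;
        this.nativePath = file2;
        this.jarLocation = url;
        this.jarVersion = str;
    }

    public URL getJarLocation() {
        return this.jarLocation;
    }

    public String getJarVersion() {
        return this.jarVersion;
    }

    /**
     * Verifies the JAR and fills in the signer bookkeeping of this object.
     *
     * @param downloadDelegate progress listener; {@link #getValidatedJarFile} passes its own
     *     argument through unchecked, so implementations may receive {@code null}
     * @throws IOException if the JAR cannot be read
     * @throws JARSigningException if the signature check fails
     */
    public abstract void validate(DownloadDelegate downloadDelegate) throws IOException, JARSigningException;

    public Manifest getManifest() {
        return this.manifest;
    }

    /** Returns the live entry-name to certificate-index map, not a copy. */
    public Map<String, int[]> getSignerMapCert() {
        return this.signerMapCert;
    }

    public CodeSourceCache getCodeSourceCertCache() {
        return this.codeSourceCertCache;
    }

    /** Returns the live entry-name to code-signer-index map, not a copy. */
    public Map<String, int[]> getSignerMap() {
        return this.signerMap;
    }

    public CodeSourceCache getCodeSourceCache() {
        return this.codeSourceCache;
    }

    /** Returns the live list of distinct signer certificates, not a copy. */
    public List<Certificate> getSignerCerts() {
        return this.signerCerts;
    }

    /** Returns the live list of distinct code signers, not a copy. */
    public List<CodeSigner> getSignersCS() {
        return this.signersCS;
    }

    /** Returns a copy of the single-signer certificate indices, or {@code null} if unset. */
    public int[] getSingleSignerIndicesCert() {
        return this.singleSignerIndicesCert != null ? this.singleSignerIndicesCert.clone() : null;
    }

    /** Returns a copy of the single-signer code-signer indices, or {@code null} if unset. */
    public int[] getSingleSignerIndicesCS() {
        return this.singleSignerIndicesCS != null ? this.singleSignerIndicesCS.clone() : null;
    }

    /**
     * Reports whether every entry was signed. The test-injection flag forces {@code false},
     * i.e. it can only make the answer more conservative.
     */
    public boolean hasOnlySignedEntries() {
        if (TEST_INJECT_HAS_UNSIGNED) {
            return false;
        }
        return this.hasOnlySignedEntries;
    }

    public boolean hasSingleCodeSource() {
        return this.hasSingleCodeSource;
    }

    public boolean hasMissingSignedEntries() {
        return this.hasMissingSignedEntries;
    }

    /**
     * Picks a verifier implementation by asking each factory in turn and taking the first
     * non-null answer: {@code JarAsBLOBVerifier}, then {@code EnhancedJarVerifier}, then
     * {@code SimpleJarVerifier}.
     *
     * @return the chosen verifier, or {@code null} if every factory declined
     */
    public static JarVerifier create(URL url, String str, File file, File file2) {
        JarVerifier verifier = JarAsBLOBVerifier.create(url, str, file, file2);
        if (verifier == null) {
            verifier = EnhancedJarVerifier.create(url, str, file, file2);
        }
        if (verifier == null) {
            verifier = SimpleJarVerifier.create(url, str, file, file2);
        }
        return verifier;
    }

    /**
     * Drains {@code inputStream} to end of stream and optionally copies it into
     * {@code file/str}. Both streams are closed before returning, on success and on failure.
     * The decompiler notes that this method was package-private in the original class file.
     *
     * <p>The decompiled listing closed both streams in a {@code finally} that ran before the
     * copy loop, so every read hit an already-closed stream; the loop now runs inside the
     * {@code try}.
     *
     * <p>A copy is written only when the canonical form of {@code file/str} sits directly in
     * {@code file}. An entry name that resolves anywhere else (for example through {@code ..}
     * or a symbolic link) is drained but not written.
     *
     * @param inputStream the entry content; consumed fully and closed
     * @param z whether a copy should be saved
     * @param str file name to save under, relative to {@code file}
     * @param file target directory; {@code null} disables saving
     * @throws IOException if reading, path resolution or writing fails
     */
    public static void readAndMaybeSaveStreamTo(InputStream inputStream, boolean z, String str, File file) throws IOException {
        BufferedOutputStream sink = null;
        byte[] buffer = new byte[16384];
        try {
            if (z && file != null) {
                File target = new File(file, str).getCanonicalFile();
                // NOTE(review): `file` is compared as given, so a target directory that is not
                // already in canonical form never matches and nothing is saved - confirm that
                // callers pass a canonical directory.
                if (file.equals(target.getParentFile())) {
                    target.getParentFile().mkdirs();
                    sink = new BufferedOutputStream(new FileOutputStream(target));
                }
            }
            int read;
            while ((read = inputStream.read(buffer, 0, buffer.length)) != -1) {
                if (sink != null) {
                    sink.write(buffer, 0, read);
                }
            }
        } finally {
            if (sink != null) {
                sink.close();
            }
            if (inputStream != null) {
                inputStream.close();
            }
        }
    }

    /**
     * Records which certificates signed the entry {@code str}.
     *
     * <p>With a single code source the shared index array is reused. Otherwise every
     * certificate of the entry is looked up in (or appended to) {@link #signerCerts}, the
     * resulting index array is stored under the entry name, and a {@link CodeSource} for that
     * certificate set is cached. Entries without certificates are left out of the map.
     *
     * <p>The decompiled listing also looked the index array up in a map created afresh on
     * every call; that lookup could never hit and has been dropped. Equal signer sets still
     * share one cache slot because the cache compares keys by content.
     *
     * @param jarFile the open JAR; used only when {@code jarEntry} is {@code null}
     * @param jarEntry the entry, or {@code null} to resolve the signers by name
     * @param str the entry name used as map key
     * @throws MalformedURLException declared by the original signature
     */
    public void processCertificates(JarFile jarFile, JarEntry jarEntry, String str) throws MalformedURLException {
        if (this.hasSingleCodeSource) {
            this.signerMapCert.put(str, this.singleSignerIndicesCert);
            return;
        }
        Certificate[] certificates;
        if (jarEntry != null) {
            certificates = jarEntry.getCertificates();
        } else {
            CodeSource codeSource = DeployJavaUtilJarAccess.instance().getCodeSource(jarFile, this.jarLocation, str);
            certificates = codeSource != null ? codeSource.getCertificates() : null;
        }
        if (certificates == null || certificates.length == 0) {
            return;
        }
        int[] indices = new int[certificates.length];
        for (int i = 0; i < certificates.length; i++) {
            int position = this.signerCerts.indexOf(certificates[i]);
            if (position == -1) {
                position = this.signerCerts.size();
                this.signerCerts.add(certificates[i]);
            }
            indices[i] = position;
        }
        this.codeSourceCertCache.put(indices, new CodeSource(this.jarLocation, certificates));
        this.signerMapCert.put(str, indices);
    }

    /**
     * Records which {@link CodeSigner}s signed the entry {@code str}; the code-signer
     * counterpart of {@link #processCertificates}, filling {@link #signersCS},
     * {@link #signerMap} and {@link #codeSourceCache}.
     *
     * <p>As there, a lookup in a per-call map that could never hit has been dropped.
     *
     * @param jarFile the open JAR; used only when {@code jarEntry} is {@code null}
     * @param jarEntry the entry, or {@code null} to resolve the signers by name
     * @param str the entry name used as map key
     * @throws MalformedURLException declared by the original signature
     */
    public void processSigners(JarFile jarFile, JarEntry jarEntry, String str) throws MalformedURLException {
        if (this.hasSingleCodeSource) {
            this.signerMap.put(str, this.singleSignerIndicesCS);
            return;
        }
        CodeSigner[] codeSigners;
        if (jarEntry != null) {
            codeSigners = jarEntry.getCodeSigners();
        } else {
            CodeSource codeSource = DeployJavaUtilJarAccess.instance().getCodeSource(jarFile, this.jarLocation, str);
            codeSigners = codeSource != null ? codeSource.getCodeSigners() : null;
        }
        if (codeSigners == null || codeSigners.length == 0) {
            return;
        }
        int[] indices = new int[codeSigners.length];
        for (int i = 0; i < codeSigners.length; i++) {
            int position = this.signersCS.indexOf(codeSigners[i]);
            if (position == -1) {
                position = this.signersCS.size();
                this.signersCS.add(codeSigners[i]);
            }
            indices[i] = position;
        }
        this.codeSourceCache.put(indices, new CodeSource(this.jarLocation, codeSigners));
        this.signerMap.put(str, indices);
    }

    /**
     * Reads {@code jarEntry} to end of stream. A {@link SecurityException} raised while
     * reading is reported as a {@link JARSigningException} with code 2.
     *
     * <p>The content is copied into {@link #nativePath} only when that directory is set and
     * the entry name contains neither {@code /} nor {@code \}; the copy helper additionally
     * checks the canonical target path.
     *
     * @param jarFile the open JAR the entry belongs to
     * @param jarEntry the entry to read; {@code null} is ignored
     * @throws IOException if reading or saving fails
     * @throws JARSigningException if reading raises a {@link SecurityException}
     */
    public void authenticateJarEntry(JarFile jarFile, JarEntry jarEntry) throws IOException, JARSigningException {
        if (jarEntry == null) {
            return;
        }
        String name = jarEntry.getName();
        boolean isTopLevelName = name.indexOf("/") == -1 && name.indexOf("\\") == -1;
        boolean save = this.nativePath != null && isTopLevelName;
        try {
            readAndMaybeSaveStreamTo(jarFile.getInputStream(jarEntry), save, name, this.nativePath);
        } catch (SecurityException e) {
            throw new JARSigningException(this.jarLocation, this.jarVersion, 2, e);
        }
    }

    /**
     * Opens {@code file}, validates it, checks it against the blacklist, and returns the open
     * JAR only if both steps pass.
     *
     * <p>The decompiled listing closed the JAR in its {@code finally} block unconditionally
     * (the success flag had been folded into constants), so the caller always received a
     * closed {@link JarFile}. The flag is restored: the JAR stays open only on the successful
     * return and is closed on every other path.
     *
     * @param file the JAR on disk
     * @param url location reported to the delegate and in thrown exceptions
     * @param url2 location handed to the verifier
     * @param str version string of the JAR
     * @param downloadDelegate progress listener; may be {@code null}
     * @return the validated, still open JAR, or {@code null} if the blacklist check flags it
     * @throws IOException if the JAR cannot be read; a {@link JARSigningException} with code 2
     *     is thrown when validation raises a {@link SecurityException} or {@link ZipException}
     */
    public static JarFile getValidatedJarFile(File file, URL url, URL url2, String str, DownloadDelegate downloadDelegate) throws IOException {
        // nativePath is null here, so validation copies nothing to disk.
        JarVerifier verifier = create(url2, str, file, null);
        JarFile jar = JarUtil.createJarFile(file, true);
        if (downloadDelegate != null) {
            downloadDelegate.validating(url, 0, jar.size());
        }
        boolean validated = false;
        try {
            verifier.validate(downloadDelegate);
            if (verifier instanceof JarAsBLOBVerifier) {
                // NOTE(review): the JarFile opened above is replaced without being closed -
                // confirm whether it should be released here.
                jar = new SignedAsBlobJarFile(file, (JarAsBLOBVerifier) verifier);
            }
            if (BlackList.getInstance().checkJarFile(jar)) {
                return null;
            }
            validated = true;
            return jar;
        } catch (SecurityException e) {
            throw new JARSigningException(url, str, 2, e);
        } catch (ZipException e) {
            throw new JARSigningException(url, str, 2, e);
        } finally {
            if (!validated) {
                jar.close();
            }
        }
    }

    /**
     * Emits a security-level trace line and stores a message in the app context when no code
     * signers were recorded and {@link #isJarWeaklySigned()} finds a disabled algorithm or key.
     *
     * <p>Best effort: any {@link Throwable} is traced and swallowed, so this method never
     * fails verification. The decompiler notes that it was protected in the original class
     * file.
     */
    public void warnIfUnsigned() {
        try {
            if (!this.signersCS.isEmpty() || !isJarWeaklySigned()) {
                return;
            }
            String disabledAlgorithms = AccessController.doPrivileged(new PrivilegedAction<String>() {
                @Override
                public String run() {
                    return Security.getProperty(JarVerifier.PROPERTY_JAR_DISABLED_ALGS);
                }
            });
            Trace.println(ResourceManager.getString("deployment.console.weak.text", this.signingInfoMessage, "jdk.jar.disabledAlgorithms=" + disabledAlgorithms, this.jarFile.getAbsolutePath()), TraceLevel.SECURITY);
            setWeakAlgorithmMessage(this.signingInfoMessage);
        } catch (Throwable th) {
            Trace.ignored(th);
        }
    }

    private static void setWeakAlgorithmMessage(String str) {
        ToolkitStore.get().getAppContext().put(WEAK_ALGORITHM_CTX_KEY, str);
    }

    /** Returns the message last stored by {@link #warnIfUnsigned()}, or {@code null}. */
    public static String getWeakAlgorithmMessage() {
        return (String) ToolkitStore.get().getAppContext().get(WEAK_ALGORITHM_CTX_KEY);
    }

    /**
     * Checks the JAR's signature files against the {@code jdk.jar.disabledAlgorithms}
     * constraints and, on the first violation, stores a description in
     * {@link #signingInfoMessage}.
     *
     * <p>For each signature whose {@code .SF} file names a manifest digest and which has a
     * signature block, these are checked in order: the manifest digest algorithm, the
     * signature algorithm, the signer's public key and, when a timestamp token is present,
     * the timestamp's hash algorithm, signature algorithm and public key.
     *
     * <p>Limits a reader should know: only the first {@code SignerInfo} of a block (and of a
     * timestamp token) is examined, and a block that cannot be parsed or inspected is traced
     * and skipped, so {@code false} means "nothing weak was found", not "the signature is
     * sound". Within this class the result is used only for the warning in
     * {@link #warnIfUnsigned()}.
     *
     * <p>The timestamp messages in the decompiled listing were built from the signer's
     * algorithm and key instead of the timestamp's; they now name the value that failed.
     *
     * @return {@code true} if a disabled algorithm or key was found
     */
    boolean isJarWeaklySigned() {
        DisabledAlgorithmConstraints constraints = new DisabledAlgorithmConstraints(PROPERTY_JAR_DISABLED_ALGS);
        Set<CryptoPrimitive> digestPrimitive = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
        Set<CryptoPrimitive> signaturePrimitive = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
        // Both maps are keyed by the signature file's base name (e.g. "SIGNER" for SIGNER.SF).
        Map<String, String> manifestDigestAlgs = new HashMap<>();
        Map<String, PKCS7> signatureBlocks = new HashMap<>();
        final String digestSuffix = "-Digest-Manifest";

        // Pass 1: collect the manifest digest algorithm and the signature block per signer.
        JarFile jar = null;
        try {
            jar = JarUtil.createJarFile(this.jarFile, true);
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                try {
                    // Entry streams are not closed one by one; closing the JarFile below
                    // releases them.
                    InputStream in = jar.getInputStream(entry);
                    String name = entry.getName();
                    if (!SignatureFileVerifier.isSigningRelated(name) || !SignatureFileVerifier.isBlockOrSF(name)) {
                        continue;
                    }
                    String baseName = name.substring(name.lastIndexOf('/') + 1, name.lastIndexOf('.'));
                    if (name.endsWith(".SF")) {
                        // The first "<alg>-Digest-Manifest" main attribute gives the digest.
                        for (Object key : new Manifest(in).getMainAttributes().keySet()) {
                            String attribute = key.toString();
                            if (attribute.endsWith(digestSuffix)) {
                                manifestDigestAlgs.put(baseName, attribute.substring(0, attribute.length() - digestSuffix.length()));
                                break;
                            }
                        }
                    } else {
                        signatureBlocks.put(baseName, new PKCS7(in));
                    }
                } catch (IOException e) {
                    // An unreadable entry is skipped; the scan continues with the next one.
                    Trace.ignored(e);
                }
            }
        } catch (IOException e) {
            // Pass 2 still runs on whatever was collected before the failure.
            Trace.ignored(e);
        } finally {
            if (jar != null) {
                try {
                    jar.close();
                } catch (IOException e) {
                    Trace.ignored(e);
                }
            }
        }

        // Pass 2: report the first constraint violation.
        for (Map.Entry<String, String> signature : manifestDigestAlgs.entrySet()) {
            PKCS7 block = signatureBlocks.get(signature.getKey());
            if (block == null) {
                continue;
            }
            try {
                SignerInfo signer = block.getSignerInfos()[0];
                X509Certificate signerCert = signer.getCertificate(block);
                String digestAlg = signature.getValue();
                String signatureAlg = AlgorithmId.makeSigAlg(signer.getDigestAlgorithmId().getName(), signer.getDigestEncryptionAlgorithmId().getName());
                PublicKey signerKey = signerCert.getPublicKey();

                String weakness;
                if (!constraints.permits(digestPrimitive, digestAlg, (AlgorithmParameters) null)) {
                    weakness = ResourceManager.getString("launch.error.unsignedResource.weak.digest", digestAlg, this.jarLocation);
                } else if (!constraints.permits(signaturePrimitive, signatureAlg, (AlgorithmParameters) null)) {
                    weakness = ResourceManager.getString("launch.error.unsignedResource.weak.signature", signatureAlg, this.jarLocation);
                } else if (!constraints.permits(signaturePrimitive, signerKey)) {
                    weakness = ResourceManager.getString("launch.error.unsignedResource.weak.key", signatureAlg, Integer.valueOf(KeyUtil.getKeySize(signerKey)), this.jarLocation);
                } else {
                    PKCS7 tsToken = signer.getTsToken();
                    if (tsToken == null) {
                        continue;
                    }
                    SignerInfo tsSigner = tsToken.getSignerInfos()[0];
                    X509Certificate tsCert = tsSigner.getCertificate(tsToken);
                    TimestampToken timestamp = new TimestampToken(tsToken.getContentInfo().getData());
                    PublicKey tsKey = tsCert.getPublicKey();
                    String tsDigestAlg = timestamp.getHashAlgorithm().getName();
                    String tsSignatureAlg = AlgorithmId.makeSigAlg(tsSigner.getDigestAlgorithmId().getName(), tsSigner.getDigestEncryptionAlgorithmId().getName());
                    if (!constraints.permits(digestPrimitive, tsDigestAlg, (AlgorithmParameters) null)) {
                        weakness = ResourceManager.getString("launch.error.unsignedResource.weak.ts.digest", tsDigestAlg, this.jarLocation);
                    } else if (!constraints.permits(signaturePrimitive, tsSignatureAlg, (AlgorithmParameters) null)) {
                        weakness = ResourceManager.getString("launch.error.unsignedResource.weak.ts.signature", tsSignatureAlg, this.jarLocation);
                    } else if (!constraints.permits(signaturePrimitive, tsKey)) {
                        weakness = ResourceManager.getString("launch.error.unsignedResource.weak.ts.key", tsSignatureAlg, Integer.valueOf(KeyUtil.getKeySize(tsKey)), this.jarLocation);
                    } else {
                        continue;
                    }
                }
                this.signingInfoMessage = weakness;
                return true;
            } catch (Throwable th) {
                // A block that cannot be inspected is skipped, not treated as weak.
                Trace.ignored(th);
            }
        }
        return false;
    }
}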
