package com.sun.deploy.security;

import com.sun.deploy.config.Config;
import com.sun.deploy.resources.ResourceManager;
import com.sun.deploy.security.LazyRootStore;
import com.sun.deploy.services.Service;
import com.sun.deploy.services.ServiceManager;
import com.sun.deploy.trace.Trace;
import com.sun.deploy.trace.TraceLevel;
import com.sun.deploy.ui.AppInfo;
import com.sun.deploy.util.SecurityBaseline;
import java.net.URL;
import java.security.KeyStoreException;
import java.security.cert.CertSelector;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:com/sun/deploy/security/X509TrustManagerDelegate.class */
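/**
 * Decides whether an X.509 certificate chain presented over HTTPS is trusted.
 *
 * <p>The decision combines several certificate stores (root, permanent, session, denied and,
 * when enabled by configuration, the browser's root and untrusted stores), a PKIX path check
 * performed through a {@link BasicTrustManagerDelegate}, a separate revocation check and, when
 * a problem is found or configuration asks for it, a user dialog.
 *
 * <p>Security-relevant properties a reader should keep in mind:
 * <ul>
 *   <li>A leaf certificate already present in the session or permanent store is accepted
 *       immediately; chain, validity-period, revocation and host-name checks are not repeated
 *       for it in this class.</li>
 *   <li>When no known root matches, the last certificate of the chain is used as its own trust
 *       anchor, so the PKIX check only proves the chain is internally consistent; the final
 *       verdict is then left to the dialog (or refused on the update thread).</li>
 *   <li>When {@code Trace.isAutomationEnabled()} is true, every chain that reaches that point
 *       is accepted for the session regardless of the problems found.</li>
 * </ul>
 *
 * <p>{@link #checkTrusted} and {@link #getAcceptedIssuers} are {@code synchronized} on the
 * instance; {@link #reset()} only sets a {@code volatile} static flag.
 */
class X509TrustManagerDelegate {
    // Verdict codes as this class interprets them. The value returned by
    // TrustDeciderDialog.showDialog is compared against the same numbers.
    // NOTE(review): confirm these against TrustDeciderDialog's own constants.
    private static final int DECISION_UNSET = -1;
    private static final int DECISION_ACCEPT_SESSION = 0;
    private static final int DECISION_DENY = 1;
    private static final int DECISION_ACCEPT_PERMANENT = 2;

    private CertStore sslRootStore;
    private CertStore permanentStore;
    private CertStore sessionStore;
    private CertStore deniedStore;
    private CertStore browserSSLRootStore;
    private CertStore browserUntrustedStore;
    private RevocationCheckHelper revocationCheckHelper;
    // Config.SEC_HTTPS_DIALOG_WARN_KEY: show the dialog even when no problem was found.
    private boolean alwaysShow;
    // Config.SEC_JSSE_HOST_WARN_KEY: treat a host-name mismatch as a problem.
    private boolean mismatchShow;
    private static final String[] SUPPORTED_ALGS = {"HTTPS"};
    // Static, so shared by every instance; see the note in reloadCertStores().
    private static volatile boolean resetRequested = true;
    private Collection<X509Certificate> acceptedIssuers = new LinkedList<X509Certificate>();
    private boolean browserSSLRootStoreLoaded = false;
    private boolean browserUntrustedStoreLoaded = false;
    private volatile boolean isInitialized = false;

    /* loaded from: input_file:com/sun/deploy/security/X509TrustManagerDelegate$BasicTrustManagerDelegate.class */
    /** Callback that runs the actual PKIX check of a chain against a given trust manager. */
    interface BasicTrustManagerDelegate {
        /**
         * @param x509TrustManager trust manager built from the anchors selected for this chain
         * @param x509CertificateArr the chain to validate
         * @throws CertificateException if the chain is not trusted by {@code x509TrustManager}
         */
        void checkTrusted(X509TrustManager x509TrustManager, X509Certificate[] x509CertificateArr) throws CertificateException;
    }

    /**
     * Requests that the certificate stores and configuration flags be re-created on the next
     * trust check.
     *
     * <p>The decompiler reports that this method was package-private in the compiled class and
     * that it widened the modifier to {@code public}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static void reset() {
        resetRequested = true;
    }

    /** Re-creates every store handle and re-reads the configuration flags. */
    private void initCertStores() {
        this.sslRootStore = SSLRootCertStore.getCertStore();
        this.permanentStore = DeploySSLCertStore.getCertStore();
        this.sessionStore = new SessionCertStore("x509");
        this.deniedStore = new DeniedCertStore();
        this.alwaysShow = Config.getBooleanProperty(Config.SEC_HTTPS_DIALOG_WARN_KEY);
        this.mismatchShow = Config.getBooleanProperty(Config.SEC_JSSE_HOST_WARN_KEY);
        if (Config.getBooleanProperty(Config.SEC_USE_BROWSER_KEYSTORE_KEY)) {
            Service service = ServiceManager.getService();
            this.browserSSLRootStore = service.getBrowserSSLRootCertStore();
            this.browserUntrustedStore = service.getBrowserSSLUntrustedCertStore();
        } else {
            this.browserSSLRootStore = null;
            this.browserUntrustedStore = null;
        }
        // Browser stores are loaded at most once per initialisation; see reloadCertStores().
        this.browserSSLRootStoreLoaded = false;
        this.browserUntrustedStoreLoaded = false;
        this.revocationCheckHelper = new RevocationCheckHelper();
    }

    /**
     * Builds a SunJSSE PKIX trust manager whose only trust anchors are the given certificates.
     *
     * <p>Revocation checking is switched off in the PKIX parameters; in this class revocation
     * is handled separately through {@code RevocationCheckHelper} in {@link #checkTrusted}.
     *
     * @param list certificates to use as trust anchors; {@code null} entries are skipped
     * @return the first trust manager produced by the factory
     * @throws Exception if the factory or the PKIX parameters cannot be created
     */
    private X509TrustManager createTrustManager(List<X509Certificate> list) throws Exception {
        TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
        HashSet<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate anchorCert : list) {
            if (anchorCert != null) {
                anchors.add(new TrustAnchor(anchorCert, null));
            }
        }
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, (CertSelector) null);
        params.setRevocationEnabled(false);
        factory.init(new CertPathTrustManagerParameters(params));
        return (X509TrustManager) factory.getTrustManagers()[0];
    }

    /**
     * (Re)initialises the stores when requested, reloads them and rebuilds the accepted-issuer
     * list.
     *
     * @throws Exception if a store fails to load
     */
    private void reloadCertStores() throws Exception {
        // NOTE(review): resetRequested is static while isInitialized is per instance, so with
        // more than one delegate only the first one to get here observes a reset() - confirm
        // that a single instance is the intended usage.
        if (resetRequested || !this.isInitialized) {
            initCertStores();
            resetRequested = false;
            this.isInitialized = true;
        }
        this.acceptedIssuers.clear();
        if (this.sslRootStore != null) {
            this.sslRootStore.load();
            this.acceptedIssuers.addAll(this.sslRootStore.getCertificates());
        }
        if (this.permanentStore != null) {
            this.permanentStore.load();
        }
        if (this.sessionStore != null) {
            this.sessionStore.load();
        }
        if (this.deniedStore != null) {
            this.deniedStore.load();
        }
        // NOTE(review): the issuer list is cleared on every call, but the browser roots are
        // added only on the call that first loads the browser store, so later calls return
        // the list without them - confirm whether that is intended.
        if (this.browserSSLRootStore != null && !this.browserSSLRootStoreLoaded) {
            this.browserSSLRootStore.load();
            this.browserSSLRootStoreLoaded = true;
            this.acceptedIssuers.addAll(this.browserSSLRootStore.getCertificates());
        }
        if (this.browserUntrustedStore != null && !this.browserUntrustedStoreLoaded) {
            this.browserUntrustedStore.load();
            this.browserUntrustedStoreLoaded = true;
        }
    }

    /**
     * Checks a peer certificate chain and returns normally only when it is accepted.
     *
     * <p>The whole evaluation runs inside one {@code try} block: a {@link CertificateException}
     * is propagated unchanged, and any other failure is logged and leaves the verdict as it
     * was. While no verdict has been reached the verdict is "unset", which the final test
     * treats as a rejection, so an unexpected error cannot result in the chain being accepted.
     *
     * @param x509CertificateArr chain presented by the peer; index 0 is taken as the leaf
     * @param str not read by this method (presumably the JSSE auth type - confirm at callers)
     * @param str2 peer host name, or {@code null}; with {@code null} the host-name comparison
     *     is skipped and no URL is passed to the dialog
     * @param i peer port, {@code -1} when there is none
     * @param str3 algorithm name; only {@code null} or "HTTPS" (any case) is accepted
     * @param basicTrustManagerDelegate callback that runs the PKIX check
     * @param z selects the wording of the final rejection message (server or client)
     * @throws CertificateException if the algorithm is unsupported, a certificate is denied,
     *     blacklisted or listed as untrusted, the PKIX check fails, or the final verdict is
     *     not an acceptance
     */
    public final synchronized void checkTrusted(X509Certificate[] x509CertificateArr, String str, String str2, int i, String str3, BasicTrustManagerDelegate basicTrustManagerDelegate, boolean z) throws CertificateException {
        if (str3 != null && !isSupportedAlgorithm(str3)) {
            throw new CertificateException("Not supported algorithm:" + str3);
        }
        final String host = str2;
        final int port = i;
        int decision = DECISION_UNSET;
        try {
            reloadCertStores();
            X509Certificate[] chain = ensureChainOrdering(x509CertificateArr);
            X509Certificate leaf = chain[0];
            X509Certificate top = chain[chain.length - 1];

            // Hard refusals first: previously denied leaf, blacklisted or untrusted certs.
            if (this.deniedStore.contains(leaf)) {
                throw new CertificateException("Certificate has been denied");
            }
            untrustedCertsCheck(this.browserUntrustedStore, chain);

            // A leaf accepted earlier (this session or permanently) short-circuits every
            // remaining check, including validity period, revocation and host name.
            if (this.sessionStore.contains(leaf) || this.permanentStore.contains(leaf)) {
                return;
            }

            LazyRootStore lazyRootStore = new LazyRootStore(this.browserSSLRootStore, this.sslRootStore);
            LazyRootStore.TrustedRootResult trustAnchors = lazyRootStore.getTrustAnchors(top);
            List<X509Certificate> matchedCAList = trustAnchors == null ? null : trustAnchors.getMatchedCAList();
            boolean rootNotTrusted = false;
            if (matchedCAList == null) {
                // No known root: anchor the chain on its own last certificate so that the PKIX
                // check still validates the chain's structure. The flag is reported as a
                // problem below, so this never leads to silent acceptance outside automation.
                rootNotTrusted = true;
                matchedCAList = new LinkedList<X509Certificate>();
                matchedCAList.add(top);
            }

            X509Certificate[] wrappedChain = new X509Certificate[chain.length];
            for (int k = 0; k < chain.length; k++) {
                wrappedChain[k] = new X509CertificateWrapper(chain[k], host);
            }
            basicTrustManagerDelegate.checkTrusted(createTrustManager(matchedCAList), wrappedChain);

            // Validity period of every certificate: 0 = all valid, -1 = one has expired,
            // 1 = one is not yet valid. validityFailed marks the certificates that failed.
            int timeValidity = 0;
            boolean[] validityFailed = new boolean[chain.length];
            for (int k = 0; k < chain.length; k++) {
                try {
                    chain[k].checkValidity();
                } catch (CertificateExpiredException expired) {
                    validityFailed[k] = true;
                    timeValidity = -1;
                } catch (CertificateNotYetValidException notYetValid) {
                    validityFailed[k] = true;
                    timeValidity = 1;
                }
            }

            String location = port == -1 ? "https://" + host : "https://" + host + ":" + port;

            // When the trust-anchor lookup reports the chain's last certificate as already
            // trusted, that certificate is left out of the revocation check.
            X509Certificate[] revocationChain;
            if (trustAnchors == null || !trustAnchors.isAlreadyTrusted()) {
                revocationChain = chain;
            } else {
                revocationChain = new X509Certificate[chain.length - 1];
                System.arraycopy(chain, 0, revocationChain, 0, chain.length - 1);
            }
            // Revocation is not checked at all for a chain without a known root.
            // NOTE(review): a true result is handled here as a problem to report - confirm
            // the exact meaning in RevocationCheckHelper.
            boolean revocationProblem = false;
            if (!rootNotTrusted && revocationChain.length > 0) {
                revocationProblem = this.revocationCheckHelper.checkRevocationStatus(revocationChain, matchedCAList.get(0), location, matchedCAList, lazyRootStore, validityFailed);
            }

            if (Trace.isAutomationEnabled()) {
                // Automation mode accepts the chain whatever was found above.
                Trace.msgSecurityPrintln("x509trustmgr.automation.ignoreservercert");
                decision = DECISION_ACCEPT_SESSION;
            } else {
                // The host-name comparison counts only when enabled in configuration and a
                // host name is known; it is evaluated last, as in the original expression.
                boolean problemFound = revocationProblem
                        || rootNotTrusted
                        || timeValidity != 0
                        || (this.mismatchShow && host != null && !CertUtils.checkWildcardDomainList(host, CertUtils.getServername(leaf)));
                boolean showDialog = this.alwaysShow || problemFound;
                if (problemFound && SecurityBaseline.isUpdateThread()) {
                    // On the update thread no dialog is shown; a problem means refusal.
                    Trace.msgSecurityPrintln("x509trustmgr.check.invalidcert");
                    decision = DECISION_DENY;
                } else if (showDialog) {
                    Trace.msgSecurityPrintln("x509trustmgr.check.invalidcert");
                    URL url = null;
                    if (host != null) {
                        try {
                            url = new URL("https", host, port, "");
                        } catch (Exception ignored) {
                            // The URL is passed to the dialog only; it stays null when it
                            // cannot be built.
                        }
                    }
                    decision = TrustDeciderDialog.showDialog(chain, url, 0, chain.length, rootNotTrusted, timeValidity, null, new AppInfo(), true, host, revocationProblem);
                } else {
                    decision = DECISION_ACCEPT_SESSION;
                }
            }

            // Remember the verdict, keyed on the leaf certificate only.
            if (decision == DECISION_ACCEPT_SESSION) {
                this.sessionStore.add(leaf);
                this.sessionStore.save();
            } else if (decision == DECISION_ACCEPT_PERMANENT) {
                CertStore userCertStore = DeploySSLCertStore.getUserCertStore();
                userCertStore.load(true);
                if (userCertStore.add(leaf)) {
                    userCertStore.save();
                }
            } else {
                this.deniedStore.add(leaf);
                this.deniedStore.save();
            }
        } catch (CertificateException e) {
            throw e;
        } catch (Throwable th) {
            // Logged only; the verdict test below decides the outcome.
            th.printStackTrace();
        }
        if (decision != DECISION_ACCEPT_SESSION && decision != DECISION_ACCEPT_PERMANENT) {
            throw new CertificateException(z ? "Java couldn't trust Server " : "Java couldn't trust Client");
        }
    }

    /**
     * Returns the certificates currently held in the accepted-issuer list.
     *
     * <p>A failure to reload the stores is traced and the list is returned in whatever state
     * the reload left it.
     *
     * @return a new array with the accepted issuers; never {@code null}
     */
    public synchronized X509Certificate[] getAcceptedIssuers() {
        try {
            reloadCertStores();
        } catch (Exception e) {
            Trace.printException(e);
        }
        return this.acceptedIssuers.toArray(new X509Certificate[this.acceptedIssuers.size()]);
    }

    /** Returns whether {@code str} equals one of {@link #SUPPORTED_ALGS}, ignoring case. */
    private boolean isSupportedAlgorithm(String str) {
        for (String supported : SUPPORTED_ALGS) {
            if (str.equalsIgnoreCase(supported)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Rejects a chain that contains a blacklisted certificate or one listed in the given
     * untrusted store.
     *
     * <p>A {@link KeyStoreException} raised by the store lookup is treated as "untrusted" and
     * attached as the cause, so a broken store cannot make an untrusted certificate pass.
     *
     * @param certStore untrusted-certificate store, or {@code null} to skip the store lookup
     * @param chain certificates to check
     * @throws CertificateException if a certificate is listed as untrusted or the lookup
     *     failed (presumably also from {@code BlacklistedCerts.check} - confirm there)
     */
    private void untrustedCertsCheck(CertStore certStore, X509Certificate[] chain) throws CertificateException {
        boolean untrusted = false;
        KeyStoreException lookupFailure = null;
        for (int k = 0; k < chain.length; k++) {
            BlacklistedCerts.check(chain[k]);
            if (certStore == null) {
                continue;
            }
            try {
                if (certStore.contains(chain[k])) {
                    untrusted = true;
                    break;
                }
            } catch (KeyStoreException e) {
                // Keep scanning so the blacklist check still runs on the remaining certs.
                untrusted = true;
                lookupFailure = e;
            }
        }
        if (untrusted) {
            String message = ResourceManager.getString("untrusted.certificate");
            Trace.println(message, TraceLevel.SECURITY);
            throw new CertificateException(message, lookupFailure);
        }
    }

    /**
     * Returns whether the certificate's subject name equals its issuer name.
     *
     * <p>This compares names only; no signature is verified here.
     */
    private static boolean isSelfIssued(X509Certificate cert) {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    /**
     * Re-orders a chain so that each certificate is followed by the one whose subject name
     * equals its issuer name, starting from the leaf at index 0.
     *
     * <p>Ordering stops at the first self-issued certificate or when no certificate with the
     * wanted subject remains; certificates that do not fit are dropped. Matching is by name
     * only; signatures are verified later by the PKIX check.
     *
     * <p>The search ends at the first match of each pass. Without that, a self-issued
     * certificate would keep matching its own name and be appended without end.
     *
     * @param chain chain as received; must hold at least the leaf
     * @return a new array holding the ordered chain
     * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
     */
    private static X509Certificate[] ensureChainOrdering(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Certificate chain is null or empty");
        }
        X509Certificate leaf = chain[0];
        if (isSelfIssued(leaf)) {
            return new X509Certificate[]{leaf};
        }
        X509Certificate[] remaining = new X509Certificate[chain.length - 1];
        System.arraycopy(chain, 1, remaining, 0, chain.length - 1);
        List<X509Certificate> ordered = new ArrayList<X509Certificate>();
        ordered.add(leaf);
        X500Principal wantedSubject = leaf.getIssuerX500Principal();
        // remaining[0 .. firstUnused) has already been placed into the ordered chain.
        int firstUnused = 0;
        boolean found;
        do {
            found = false;
            for (int j = firstUnused; j < remaining.length; j++) {
                X509Certificate candidate = remaining[j];
                if (!wantedSubject.equals(candidate.getSubjectX500Principal())) {
                    continue;
                }
                ordered.add(candidate);
                if (isSelfIssued(candidate)) {
                    // Top of the chain reached: leave nothing to search in the next pass.
                    firstUnused = remaining.length;
                } else {
                    wantedSubject = candidate.getIssuerX500Principal();
                    // Move the used certificate into the "already placed" prefix.
                    remaining[j] = remaining[firstUnused];
                    remaining[firstUnused] = candidate;
                    firstUnused++;
                }
                found = true;
                break;
            }
        } while (found);
        return ordered.toArray(new X509Certificate[ordered.size()]);
    }
}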
