package sun.plugin.security;

import java.io.IOException;
import java.security.CodeSource;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import sun.plugin.usability.Trace;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.x509.NetscapeCertTypeExtension;

/* loaded from: input_file:117667-01/patchzip-d52diu.zip:nsjre.zip:bin/base/jre/lib/jaws.jar:sun/plugin/security/TrustDecider.class */
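/**
 * Decides whether the signers of a {@link CodeSource} are trusted enough for the code to be
 * granted all permissions.
 *
 * <p>The decision combines four certificate stores (root CAs, permanently accepted, accepted for
 * this session, denied) with a per-chain X.509 check and, when no stored decision applies, a
 * modal dialog that asks the user.
 *
 * <p>NOTE(review): the store fields are static, reassigned by {@link #reset()} and read by
 * {@link #isAllPermissionGranted(CodeSource)} without any synchronization in this class; confirm
 * that callers serialize access.
 */
public class TrustDecider {
    private static CertificateStore rootStore = new RootCACertificateStore();
    private static CertificateStore permanentStore = new PluginCertificateStore();
    private static CertificateStore sessionStore = new SessionCertificateStore();
    private static CertificateStore deniedStore = new DeniedCertificateStore();

    // X.509 extension OIDs this class knows how to process.
    private static final String OID_BASIC_CONSTRAINTS = "2.5.29.19";
    private static final String OID_KEY_USAGE = "2.5.29.15";
    private static final String OID_EXTENDED_KEY_USAGE = "2.5.29.37";
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";

    // Extended key usage purposes accepted for code signing.
    private static final String OID_EKU_ANY_USAGE = "2.5.29.37.0";
    private static final String OID_EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";

    // Attribute names passed to NetscapeCertTypeExtension.get(String).
    private static final String NSCT_OBJECT_SIGNING_CA = "object_signing_ca";
    private static final String NSCT_OBJECT_SIGNING = "object_signing";
    private static final String NSCT_SSL_CA = "ssl_ca";
    private static final String NSCT_S_MIME_CA = "s_mime_ca";

    // Values of showSecurityDialog() that grant trust; every other value is treated as a denial.
    private static final int DIALOG_GRANT_SESSION = 0;
    private static final int DIALOG_GRANT_FOREVER = 2;

    /** Replaces all four certificate stores with freshly constructed instances. */
    public static void reset() {
        rootStore = new RootCACertificateStore();
        permanentStore = new PluginCertificateStore();
        sessionStore = new SessionCertificateStore();
        deniedStore = new DeniedCertificateStore();
    }

    /**
     * Returns whether the code identified by {@code codeSource} should receive all permissions.
     *
     * <p>The signer certificate array is treated as a concatenation of chains, each ordered from
     * the signing (leaf) certificate towards its issuers. The method works in two passes:
     * <ol>
     *   <li>Split the array into chains by issuer/subject name and look the leaf of each chain up
     *       in the stores. A leaf found in the permanent or session store grants trust
     *       immediately; a leaf found in the denied store marks its chain as "do not ask".</li>
     *   <li>Validate every chain (extensions and signatures) and, for each chain that was not
     *       denied, ask the user. Any structural failure returns {@code false} for the whole
     *       code source.</li>
     * </ol>
     *
     * <p>Security notes for maintainers:
     * <ul>
     *   <li>The pass-1 shortcut is keyed on the leaf certificate alone; no validity-period,
     *       extension or signature check runs before it returns {@code true}.</li>
     *   <li>An expired or not-yet-valid certificate, and a chain that the root store does not
     *       verify, do not reject the code. They are only passed to the dialog as flags, so the
     *       final decision is the user's.</li>
     * </ul>
     *
     * @param codeSource the code source whose signer certificates are evaluated
     * @return {@code true} if a stored or freshly given user decision trusts one of the signers,
     *     {@code false} if the code is unsigned, a chain fails validation, or every chain is denied
     * @throws CertificateException if a certificate cannot be parsed or encoded
     * @throws KeyStoreException declared for the certificate store operations
     * @throws NoSuchAlgorithmException declared for the certificate store operations
     * @throws IOException if an extension value cannot be decoded or a store operation fails
     */
    public static boolean isAllPermissionGranted(CodeSource codeSource) throws CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException, CertificateParsingException, CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException {
        Certificate[] certs = codeSource.getCertificates();
        // The previous version also evaluated codeSource.getLocation().toString() here and threw
        // the result away; that call only added a NullPointerException for a null location.
        if (certs == null) {
            return false;
        }

        rootStore.load();
        permanentStore.load();
        sessionStore.load();
        deniedStore.load();

        // Pass 1: find chain boundaries and consult the stored decisions for each leaf.
        // leafDenied holds one entry per chain, in chain order.
        List<Boolean> leafDenied = new LinkedList<Boolean>();
        int firstOfChain = 0;
        while (firstOfChain < certs.length) {
            int lastOfChain = firstOfChain;
            while (lastOfChain + 1 < certs.length
                    && certs[lastOfChain] instanceof X509Certificate
                    && certs[lastOfChain + 1] instanceof X509Certificate
                    && isIssuerOf((X509Certificate) certs[lastOfChain], (X509Certificate) certs[lastOfChain + 1])) {
                lastOfChain++;
            }
            Certificate leaf = certs[firstOfChain];
            if (deniedStore.contains(leaf)) {
                leafDenied.add(Boolean.TRUE);
            } else {
                leafDenied.add(Boolean.FALSE);
                if (permanentStore.contains(leaf) || sessionStore.contains(leaf)) {
                    return true;
                }
            }
            firstOfChain = lastOfChain + 1;
        }

        // Pass 2: validate each chain and prompt for the ones that were not denied.
        // NOTE(review): both flags are declared outside the chain loop and never cleared, so a
        // warning raised for one chain is also shown for every later chain. That errs on the side
        // of over-warning; confirm whether it is intended.
        boolean rootCANotValid = false;
        boolean timeNotValid = false;
        int chainStart = 0;
        int chainEnd = 0;
        int chainIndex = 0;
        while (chainEnd < certs.length) {
            boolean outsideValidityPeriod = false;
            int pos = chainStart;
            while (pos < certs.length) {
                if (!(certs[pos] instanceof X509Certificate)) {
                    // Fail closed: only X.509 certificates can be validated here. The previous
                    // version dereferenced a null reference at this point.
                    return false;
                }
                X509Certificate cert = (X509Certificate) certs[pos];
                // Candidate issuer: the next certificate, or the certificate itself when there is
                // no next X.509 certificate (which only matches a self-issued certificate).
                X509Certificate issuer = cert;
                if (pos + 1 < certs.length && certs[pos + 1] instanceof X509Certificate) {
                    issuer = (X509Certificate) certs[pos + 1];
                }

                try {
                    cert.checkValidity();
                } catch (CertificateExpiredException e) {
                    outsideValidityPeriod = true;
                } catch (CertificateNotYetValidException e) {
                    outsideValidityPeriod = true;
                }

                if (!rootStore.contains(cert)) {
                    // Work on a private copy: the X509Extension contract does not promise that
                    // the returned set is mutable or detached from the certificate, and the
                    // helpers below remove every OID they have handled.
                    Set<String> reported = cert.getCriticalExtensionOIDs();
                    Set<String> unhandledCritical = new HashSet<String>(
                            reported == null ? Collections.<String>emptySet() : reported);

                    if (!checkBasicConstraints(cert, unhandledCritical, pos - chainStart)) {
                        return false;
                    }
                    boolean usageOk = (pos == chainStart)
                            ? checkLeafKeyUsage(cert, unhandledCritical)
                            : checkSignerKeyUsage(cert, unhandledCritical);
                    if (!usageOk) {
                        return false;
                    }
                    // A critical extension that nothing above recognised must cause rejection.
                    if (!unhandledCritical.isEmpty()) {
                        return false;
                    }
                }

                if (!isIssuerOf(cert, issuer)) {
                    break;
                }
                try {
                    cert.verify(issuer.getPublicKey());
                    pos++;
                } catch (GeneralSecurityException e) {
                    return false;
                }
            }
            chainEnd = pos < certs.length ? pos + 1 : pos;

            if (!leafDenied.get(chainIndex).booleanValue()) {
                // NOTE(review): presumably checks the last certificate of the chain against the
                // stored root CAs - confirm against CertificateStore.verify.
                if (!rootStore.verify(certs[chainEnd - 1])) {
                    rootCANotValid = true;
                }
                if (outsideValidityPeriod) {
                    timeNotValid = true;
                }
                int choice = showSecurityDialog(codeSource, chainStart, chainEnd, rootCANotValid, timeNotValid);
                if (choice == DIALOG_GRANT_SESSION) {
                    Trace.msgSecurityPrintln("trustdecider.user.grant.session");
                    sessionStore.add(certs[chainStart]);
                    sessionStore.save();
                    return true;
                } else if (choice == DIALOG_GRANT_FOREVER) {
                    Trace.msgSecurityPrintln("trustdecider.user.grant.forever");
                    permanentStore.add(certs[chainStart]);
                    permanentStore.save();
                    return true;
                } else {
                    Trace.msgSecurityPrintln("trustdecider.user.deny");
                    deniedStore.add(certs[chainStart]);
                    deniedStore.save();
                }
            }
            chainStart = chainEnd;
            chainIndex++;
        }
        return false;
    }

    /**
     * Checks that a certificate is allowed to act as a CA at its position in the chain.
     *
     * <p>Marks the basic constraints and Netscape cert type extensions as handled. The leaf
     * ({@code depth == 0}) always passes. An issuing certificate passes when either
     * <ul>
     *   <li>it has no basic constraints extension but carries a Netscape cert type with the
     *       object-signing-CA bit, or</li>
     *   <li>it has basic constraints marking it as a CA whose path length allows
     *       {@code depth - 1} certificates below it, and - if a Netscape cert type with any CA
     *       bit is present - the object-signing-CA bit is among them.</li>
     * </ul>
     *
     * @param cert the certificate to check
     * @param unhandledCritical critical extension OIDs not yet processed; modified in place
     * @param depth position of {@code cert} in its chain, 0 for the leaf
     * @return {@code true} if the certificate may occupy this position
     */
    private static boolean checkBasicConstraints(X509Certificate cert, Set<String> unhandledCritical, int depth) throws CertificateException, IOException {
        unhandledCritical.remove(OID_BASIC_CONSTRAINTS);
        unhandledCritical.remove(OID_NETSCAPE_CERT_TYPE);
        if (depth == 0) {
            return true;
        }

        boolean hasNetscapeCertType = cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE) != null;
        if (cert.getExtensionValue(OID_BASIC_CONSTRAINTS) == null) {
            return hasNetscapeCertType && getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA);
        }

        if (hasNetscapeCertType) {
            boolean anyCaBit = getNetscapeCertTypeBit(cert, NSCT_SSL_CA)
                    || getNetscapeCertTypeBit(cert, NSCT_S_MIME_CA)
                    || getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA);
            if (anyCaBit && !getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA)) {
                return false;
            }
        }

        // getBasicConstraints() is -1 for a non-CA certificate, otherwise the path length
        // (Integer.MAX_VALUE when the certificate sets no limit).
        int pathLength = cert.getBasicConstraints();
        return pathLength >= 0 && depth - 1 <= pathLength;
    }

    /**
     * Checks that the signing (leaf) certificate may be used to sign code.
     *
     * <p>Requires the digitalSignature key usage bit when a key usage extension is present, a
     * code-signing or any-usage purpose when a critical extended key usage extension is present,
     * and the object-signing bit when a Netscape cert type extension is present.
     *
     * <p>NOTE(review): a non-critical extended key usage extension is not evaluated, so a leaf
     * whose non-critical EKU lists only other purposes still passes. Consider enforcing the EKU
     * whenever it is present.
     *
     * @param cert the leaf certificate
     * @param unhandledCritical critical extension OIDs not yet processed; modified in place
     * @return {@code true} if the certificate is acceptable as a code signer
     */
    private static boolean checkLeafKeyUsage(X509Certificate cert, Set<String> unhandledCritical) throws CertificateException, IOException {
        unhandledCritical.remove(OID_KEY_USAGE);
        boolean[] keyUsage = cert.getKeyUsage();
        // Bit 0 of the key usage array is digitalSignature.
        if (keyUsage != null && (keyUsage.length == 0 || !keyUsage[0])) {
            return false;
        }

        List<String> purposes = cert.getExtendedKeyUsage();
        if (purposes != null && unhandledCritical.contains(OID_EXTENDED_KEY_USAGE)) {
            unhandledCritical.remove(OID_EXTENDED_KEY_USAGE);
            boolean allowsCodeSigning = purposes.contains(OID_EKU_ANY_USAGE)
                    || purposes.contains(OID_EKU_CODE_SIGNING);
            if (!allowsCodeSigning) {
                return false;
            }
        }

        return cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE) == null
                || getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING);
    }

    /**
     * Checks that an issuing (non-leaf) certificate may be used to sign other certificates.
     *
     * <p>Requires the keyCertSign key usage bit when a key usage extension is present. A critical
     * extended key usage extension is accepted only if it lists the any-usage purpose; a
     * non-critical one is not evaluated.
     *
     * @param cert the issuing certificate
     * @param unhandledCritical critical extension OIDs not yet processed; modified in place
     * @return {@code true} if the certificate is acceptable as a certificate signer
     */
    private static boolean checkSignerKeyUsage(X509Certificate cert, Set<String> unhandledCritical) throws CertificateException, IOException {
        unhandledCritical.remove(OID_KEY_USAGE);
        boolean[] keyUsage = cert.getKeyUsage();
        // Bit 5 of the key usage array is keyCertSign.
        if (keyUsage != null && (keyUsage.length < 6 || !keyUsage[5])) {
            return false;
        }

        List<String> purposes = cert.getExtendedKeyUsage();
        if (purposes == null || !unhandledCritical.contains(OID_EXTENDED_KEY_USAGE)) {
            return true;
        }
        unhandledCritical.remove(OID_EXTENDED_KEY_USAGE);
        return purposes.contains(OID_EKU_ANY_USAGE);
    }

    /**
     * Reads one named bit from the certificate's Netscape cert type extension.
     *
     * @param cert the certificate to inspect
     * @param bitName attribute name understood by {@link NetscapeCertTypeExtension#get(String)}
     * @return the value of the bit, or {@code false} if the extension is absent
     */
    private static boolean getNetscapeCertTypeBit(X509Certificate cert, String bitName) throws CertificateException, IOException {
        byte[] encoded = cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
        if (encoded == null) {
            return false;
        }
        // The extension value is an OCTET STRING wrapping the BIT STRING with the type flags.
        byte[] wrapped = new DerInputStream(encoded).getOctetString();
        byte[] typeBits = new DerValue(wrapped).getUnalignedBitString().toByteArray();
        NetscapeCertTypeExtension certType = new NetscapeCertTypeExtension(typeBits);
        return ((Boolean) certType.get(bitName)).booleanValue();
    }

    /**
     * Returns whether {@code subject}'s issuer name equals {@code issuer}'s subject name.
     *
     * <p>This is a name comparison only; the signature is verified separately by the caller.
     */
    private static boolean isIssuerOf(X509Certificate subject, X509Certificate issuer) {
        return subject.getIssuerDN().equals(issuer.getSubjectDN());
    }

    /**
     * Shows the modal trust dialog for one certificate chain and returns the user's choice.
     *
     * @param codeSource the code source whose certificates are displayed
     * @param chainStart index of the chain's first (leaf) certificate
     * @param chainEnd index one past the chain's last certificate
     * @param rootCANotValid whether the dialog should warn that the root store did not verify
     *     the chain
     * @param timeNotValid whether the dialog should warn about a certificate outside its
     *     validity period
     * @return the dialog result; the caller treats 0 as "grant for this session", 2 as "grant
     *     always" and any other value as a denial
     */
    static int showSecurityDialog(CodeSource codeSource, int chainStart, int chainEnd, boolean rootCANotValid, boolean timeNotValid) {
        TrustDeciderDialog dialog = new TrustDeciderDialog(codeSource.getCertificates(), chainStart, chainEnd, rootCANotValid, timeNotValid);
        return dialog.DoModal();
    }
}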
