package com.sun.deploy.security;

import com.sun.deploy.panel.AndOrRadioPropertyGroup;
import com.sun.deploy.trace.Trace;
import java.io.IOException;
import java.lang.reflect.Method;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.PublicKey;
import java.security.cert.CRLException;
import java.security.cert.CRLReason;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import sun.security.provider.certpath.CertPathHelper;
import sun.security.provider.certpath.DistributionPointFetcher;
import sun.security.provider.certpath.OCSP;
import sun.security.x509.X509CRLEntryImpl;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/sun/deploy/security/RevocationChecker.class */
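public class RevocationChecker {
    /** Trust anchor for the chain; wrapped in a {@link TrustAnchor} for OCSP/CRL path checks. */
    private final X509Certificate anchor;
    /** Validation date taken from the caller's {@link PKIXParameters}. */
    private final Date date;
    /** Signature provider taken from the caller's {@link PKIXParameters}; may be null. */
    private final String sigProvider;
    private final boolean checkOCSP;
    private final boolean checkCRLs;
    /** True when both OCSP and CRLs are enabled, i.e. an OCSP failure may fail over to CRLs. */
    private final boolean checkBoth;
    /** Explicitly configured responder, or null to use the AIA responder of each certificate. */
    private final URI ocspResponderURI;
    /** Explicitly configured responder certificate, or null to expect the issuer to sign responses. */
    private final X509Certificate ocspResponderCert;
    /** When true, only the end-entity ("publisher") certificate is checked; CA certificates are skipped. */
    private final boolean onlyPublisher;
    /** Caller-supplied CRL that replaces distribution-point fetching when non-null. */
    private final X509CRL configCrl;
    private final Date timestamp;
    /** Allowed clock skew for CRL validity, passed to CertPathHelper.setDateAndTime (presumably ms — confirm). */
    private long maxClockSkew;
    /** Certificate most recently checked; acts as the issuer of the next certificate passed to {@link #check}. */
    private X509Certificate issuerCert;
    /** Whether {@link #issuerCert} carries the cRLSign key-usage bit (true for the anchor until updated). */
    private boolean certCanSignCRL = true;

    /** Default clock skew applied when no (or an unparseable) value is configured. */
    private static final long DEFAULT_MAX_CLOCK_SKEW = 900000L;
    /** Reason-mask a CRL set must cover before a "not revoked" answer is accepted. */
    private static final boolean[] ALL_REASONS = {true, true, true, true, true, true, true, true, true};
    /** Reflective signature of CertPathHelper.setDateAndTime(X509CRLSelector, Date, long). */
    private static final Class<?>[] PARAMS = {X509CRLSelector.class, Date.class, Long.TYPE};
    /** Reflective signature of the older instance method DistributionPointFetcher.getCRLs(...). */
    private static final Class<?>[] TYPES = {X509CRLSelector.class, Boolean.TYPE, PublicKey.class, String.class, List.class, boolean[].class, Set.class, Date.class};

    /**
     * Thrown when revocation status could not be determined (no responder, network failure,
     * incomplete CRL reason coverage, unknown OCSP status). Distinct from
     * {@link CertificateRevokedException}, which is never downgraded by this checker.
     */
    public static class StatusUnknownException extends CertificateException {
        static final long serialVersionUID = -1133298886602198899L;

        StatusUnknownException() {
        }

        StatusUnknownException(String str) {
            super(str);
        }

        StatusUnknownException(Throwable th) {
            super(th);
        }
    }

    /**
     * Creates a checker for a chain rooted at {@code anchorCert}.
     *
     * <p>Side effects: the JDK's OCSP/CRL system properties ({@code com.sun.security.ocsp.timeout},
     * {@code com.sun.security.ocsp.clockSkew}, {@code com.sun.security.crl.timeout},
     * {@code com.sun.security.enableCRLDP}, {@code sun.security.certpath.ldap.disable.app.resource.files})
     * are set process-wide under {@code doPrivileged}, depending on which checks are enabled.
     *
     * @param anchorCert        trust anchor; also the initial issuer for the first {@link #check} call
     * @param params            supplies the validation date and signature provider
     * @param ocspEnabled       enable OCSP checking
     * @param crlEnabled        enable CRL checking (also used as the fallback when both are enabled)
     * @param ocspResponderUri  explicit responder URI, or null; an unparseable value is logged and ignored
     * @param ocspResponderCert explicit responder certificate, or null
     * @param onlyPublisher     skip revocation checks for certificates with basic constraints (CA certs)
     * @param configCrl         CRL to use instead of fetching from distribution points, or null
     * @param timestamp         stored for callers; not read by this class
     * @param timeout           value for the OCSP/CRL timeout system properties, or null
     * @param clockSkew         value for the clock-skew property and {@code maxClockSkew}; must parse as a long
     * @throws IllegalArgumentException if neither OCSP nor CRL checking is enabled
     */
    public RevocationChecker(X509Certificate anchorCert, PKIXParameters params, final boolean ocspEnabled, final boolean crlEnabled, String ocspResponderUri, X509Certificate ocspResponderCert, boolean onlyPublisher, X509CRL configCrl, Date timestamp, final String timeout, final String clockSkew) {
        if (!ocspEnabled && !crlEnabled) {
            throw new IllegalArgumentException("at least one of OCSP or CRL checking must be enabled");
        }
        this.date = params.getDate();
        this.sigProvider = params.getSigProvider();
        this.anchor = anchorCert;
        this.issuerCert = anchorCert;
        this.checkOCSP = ocspEnabled;
        this.checkCRLs = crlEnabled;
        this.checkBoth = ocspEnabled && crlEnabled;

        URI parsedResponder = null;
        if (ocspResponderUri != null) {
            try {
                parsedResponder = new URI(ocspResponderUri);
            } catch (URISyntaxException e) {
                // Log the offending string (the field would still be null here).
                Trace.securityPrintln("Can't parse OCSP responder URI: " + ocspResponderUri);
                Trace.ignored(e);
            }
        }
        this.ocspResponderURI = parsedResponder;
        this.ocspResponderCert = ocspResponderCert;
        this.onlyPublisher = onlyPublisher;
        this.configCrl = configCrl;
        this.timestamp = timestamp;

        long skew = DEFAULT_MAX_CLOCK_SKEW;
        if (clockSkew != null) {
            try {
                skew = Long.parseLong(clockSkew);
            } catch (NumberFormatException e2) {
                // Best effort: keep the default skew when the configured value is not a number.
                Trace.ignored(e2);
            }
        }
        this.maxClockSkew = skew;

        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                if (ocspEnabled) {
                    if (timeout != null) {
                        System.setProperty("com.sun.security.ocsp.timeout", timeout);
                    }
                    if (clockSkew != null) {
                        System.setProperty("com.sun.security.ocsp.clockSkew", clockSkew);
                    }
                }
                if (crlEnabled) {
                    System.setProperty("com.sun.security.enableCRLDP", AndOrRadioPropertyGroup.TRUE);
                    if (timeout != null) {
                        System.setProperty("com.sun.security.crl.timeout", timeout);
                    }
                    System.setProperty("sun.security.certpath.ldap.disable.app.resource.files", AndOrRadioPropertyGroup.TRUE);
                }
                return null;
            }
        });
    }

    /**
     * Checks one certificate of the chain, which must be presented in anchor-to-leaf order:
     * the previously checked certificate (initially the anchor) is used as its issuer.
     *
     * <p>OCSP is tried first when enabled; if both mechanisms are enabled and OCSP fails with
     * anything other than {@link CertificateRevokedException}, the CRL check is attempted and a
     * CRL failure is attached as a suppressed exception to the OCSP failure. A revoked result
     * from either mechanism is always propagated. Whatever the outcome, the checker state is
     * advanced so the next call treats {@code cert} as the issuer.
     *
     * @param cert             certificate to check
     * @param crlStatusUnknown name inferred from use: when true, a CRL check that finds no
     *                         revocation still ends in {@link StatusUnknownException} — confirm
     *                         the intended meaning with callers
     * @throws CertificateRevokedException if the certificate is revoked
     * @throws StatusUnknownException      if status could not be determined
     * @throws CertificateException        on other validation failures
     */
    public void check(X509Certificate cert, boolean crlStatusUnknown) throws CertificateException {
        try {
            if (this.onlyPublisher && cert.getBasicConstraints() != -1) {
                Trace.securityPrintln("Skipping revocation check, not publisher cert");
                return;
            }
            try {
                if (this.checkOCSP) {
                    checkOCSP(cert);
                } else if (this.checkCRLs) {
                    checkCRLs(cert, crlStatusUnknown);
                }
            } catch (CertificateException e) {
                // Never downgrade a definitive "revoked" answer by falling over to CRLs.
                if (!this.checkBoth || e instanceof CertificateRevokedException) {
                    throw e;
                }
                Trace.securityPrintln("Failing over to CRLs: " + e.getMessage());
                try {
                    checkCRLs(cert, crlStatusUnknown);
                } catch (CertificateException e2) {
                    if (e2 instanceof CertificateRevokedException) {
                        throw e2;
                    }
                    e.addSuppressed(e2);
                    throw e;
                }
            }
        } finally {
            // Advance the issuer regardless of outcome, matching the original unconditional update.
            updateState(cert);
        }
    }

    /** Makes {@code cert} the issuer for the next check and records its cRLSign capability. */
    private void updateState(X509Certificate cert) {
        this.issuerCert = cert;
        this.certCanSignCRL = certCanSignCRL(cert);
    }

    /**
     * Returns the cRLSign bit (index 6) of the key-usage extension, or false when the
     * extension is absent.
     */
    private static boolean certCanSignCRL(X509Certificate cert) {
        boolean[] keyUsage = cert.getKeyUsage();
        return keyUsage != null && keyUsage[6];
    }

    /**
     * Queries the OCSP responder for {@code cert}.
     *
     * <p>Responder selection: the configured URI, else the certificate's AIA responder.
     * Responder certificate: the configured one, else the current issuer. I/O failures and
     * responder statuses UNAUTHORIZED / TRY_LATER / INTERNAL_ERROR become
     * {@link StatusUnknownException}; other validator failures become {@link CertificateException}.
     *
     * @throws CertificateRevokedException when the responder reports REVOKED; the authority in the
     *                                     exception is the subject of the responder/issuer certificate
     * @throws StatusUnknownException      when no responder is available or status is UNKNOWN
     */
    private void checkOCSP(X509Certificate cert) throws CertificateException {
        URI responderURI = this.ocspResponderURI != null ? this.ocspResponderURI : OCSP.getResponderURI(cert);
        if (responderURI == null) {
            throw new StatusUnknownException("Certificate does not specify OCSP responder");
        }
        X509Certificate responderCert = this.ocspResponderCert != null ? this.ocspResponderCert : this.issuerCert;
        try {
            OCSP.RevocationStatus status = doPrivilegedOCSPCheck(cert, responderURI, responderCert);
            Trace.securityPrintln("OCSP Response: " + status.getCertStatus());
            if (status.getCertStatus() == OCSP.RevocationStatus.CertStatus.REVOKED) {
                throw new CertificateRevokedException(status.getRevocationTime(), status.getRevocationReason(), responderCert.getSubjectX500Principal(), status.getSingleExtensions());
            }
            if (status.getCertStatus() == OCSP.RevocationStatus.CertStatus.UNKNOWN) {
                throw new StatusUnknownException();
            }
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw new StatusUnknownException(cause);
            }
            if (!(cause instanceof CertPathValidatorException)) {
                throw new CertificateException(cause);
            }
            String message = cause.getMessage();
            if (message != null && message.startsWith("OCSP response error: ")) {
                String responderStatus = message.substring("OCSP response error: ".length());
                Trace.securityPrintln(responderStatus);
                // Transient / responder-side conditions are "unknown", not hard failures.
                if (responderStatus.equals("UNAUTHORIZED") || responderStatus.equals("TRY_LATER") || responderStatus.equals("INTERNAL_ERROR")) {
                    throw new StatusUnknownException(cause);
                }
            }
            Throwable nested = cause.getCause();
            if (nested instanceof IOException) {
                throw new StatusUnknownException(nested);
            }
            throw new CertificateException(cause);
        }
    }

    /**
     * Runs {@code OCSP.check} under {@code doPrivileged}. The newer eight-argument overload is
     * tried first; on {@link NoSuchMethodError} (older JDK) the five-argument overload is used.
     *
     * @throws PrivilegedActionException wrapping the {@link CertPathValidatorException} or
     *                                   {@link IOException} raised by {@code OCSP.check}
     */
    private OCSP.RevocationStatus doPrivilegedOCSPCheck(final X509Certificate cert, final URI uri, final X509Certificate responderCert) throws PrivilegedActionException {
        return AccessController.doPrivileged(new PrivilegedExceptionAction<OCSP.RevocationStatus>() {
            @Override
            public OCSP.RevocationStatus run() throws CertPathValidatorException, IOException {
                try {
                    return OCSP.check(cert, uri, new TrustAnchor(RevocationChecker.this.anchor, null), RevocationChecker.this.issuerCert, responderCert, RevocationChecker.this.date, Collections.<Object>emptyList(), "plugin code signing");
                } catch (NoSuchMethodError e) {
                    return OCSP.check(cert, RevocationChecker.this.issuerCert, uri, responderCert, RevocationChecker.this.date);
                }
            }
        });
    }

    /**
     * Checks {@code cert} against CRLs.
     *
     * <p>When a configured CRL is present it is used as-is and the reason mask is marked fully
     * covered. NOTE(review): no signature or issuer verification of the configured CRL happens in
     * this class, unlike the fetched path where DistributionPointFetcher verifies CRLs — confirm
     * it is verified where it is loaded. Otherwise CRLs are fetched from distribution points
     * (privileged; reflective fallback on {@link IllegalAccessError}). An empty result or a reason
     * mask that does not cover all nine reasons yields {@link StatusUnknownException}, as does a
     * fetch failure whose cause chain contains an {@link IOException}.
     *
     * @param crlStatusUnknown when true, a clean CRL result still throws {@link StatusUnknownException}
     */
    private void checkCRLs(X509Certificate cert, boolean crlStatusUnknown) throws CertificateException {
        X509CRLSelector selector = new X509CRLSelector();
        selector.setCertificateChecking(cert);
        try {
            CertPathHelper.setDateAndTime(selector, this.date, this.maxClockSkew);
        } catch (IllegalAccessError e) {
            // Package-private in some JDKs: fall back to reflection.
            setDateAndTime(selector, this.date, this.maxClockSkew);
        }
        boolean[] reasonsMask = new boolean[9];
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(this.anchor, null));

        Collection<X509CRL> crls;
        if (this.configCrl != null) {
            crls = new HashSet<>();
            crls.add(this.configCrl);
            Arrays.fill(reasonsMask, true);
        } else {
            try {
                crls = getCRLsPrivileged(selector, reasonsMask, anchors);
            } catch (IllegalAccessError e2) {
                crls = getCRLs(selector, this.certCanSignCRL, this.issuerCert.getPublicKey(), this.sigProvider, Collections.emptyList(), reasonsMask, anchors, this.date);
            } catch (PrivilegedActionException e3) {
                Throwable cause = e3.getCause();
                if (!(cause instanceof CertStoreException)) {
                    throw new CertificateException(cause);
                }
                // A CertStoreException rooted in I/O means "could not fetch", not "invalid".
                for (Throwable t = cause.getCause(); t != null; t = t.getCause()) {
                    if (t instanceof IOException) {
                        throw new StatusUnknownException(cause);
                    }
                }
                throw new CertificateException(cause);
            }
        }

        if (crls.isEmpty() || !Arrays.equals(reasonsMask, ALL_REASONS)) {
            throw new StatusUnknownException();
        }
        checkApprovedCRLs(cert, crls);
        if (crlStatusUnknown) {
            throw new StatusUnknownException();
        }
    }

    /**
     * Fetches CRLs via {@code DistributionPointFetcher.getCRLs} under {@code doPrivileged}.
     * The fetcher fills {@code reasonsMask} with the reasons the returned CRLs cover.
     */
    private Collection<X509CRL> getCRLsPrivileged(final X509CRLSelector selector, final boolean[] reasonsMask, final Set<TrustAnchor> anchors) throws PrivilegedActionException {
        return AccessController.doPrivileged(new PrivilegedExceptionAction<Collection<X509CRL>>() {
            @Override
            public Collection<X509CRL> run() throws CertStoreException {
                return DistributionPointFetcher.getCRLs(selector, RevocationChecker.this.certCanSignCRL, RevocationChecker.this.issuerCert.getPublicKey(), RevocationChecker.this.sigProvider, Collections.<Object>emptyList(), reasonsMask, anchors, RevocationChecker.this.date);
            }
        });
    }

    /**
     * Reflective fallback for {@code CertPathHelper.setDateAndTime}. If reflection fails, the
     * selector's public {@link X509CRLSelector#setDateAndTime(Date)} is used, which applies no
     * clock skew.
     */
    private static void setDateAndTime(final X509CRLSelector selector, final Date date, final long skew) {
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws Exception {
                    Method method = Class.forName("sun.security.provider.certpath.CertPathHelper").getDeclaredMethod("setDateAndTime", RevocationChecker.PARAMS);
                    method.setAccessible(true);
                    method.invoke(null, selector, date, Long.valueOf(skew));
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            Trace.ignored(e);
            selector.setDateAndTime(date);
        }
    }

    /**
     * Reflective fallback for older JDKs where {@code DistributionPointFetcher.getCRLs} is an
     * instance method obtained through {@code getInstance()}.
     *
     * @throws StatusUnknownException if the reflective call fails for any reason (logged)
     */
    private static Collection<X509CRL> getCRLs(final X509CRLSelector selector, final boolean signFlag, final PublicKey prevKey, final String provider, final List<?> certStores, final boolean[] reasonsMask, final Set<TrustAnchor> anchors, final Date validity) throws StatusUnknownException {
        try {
            Object result = AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws Exception {
                    Class<?> cls = Class.forName("sun.security.provider.certpath.DistributionPointFetcher");
                    Method getInstance = cls.getDeclaredMethod("getInstance", (Class<?>[]) null);
                    getInstance.setAccessible(true);
                    Object fetcher = getInstance.invoke(null, new Object[0]);
                    Method getCRLs = cls.getDeclaredMethod("getCRLs", RevocationChecker.TYPES);
                    getCRLs.setAccessible(true);
                    return getCRLs.invoke(fetcher, selector, Boolean.valueOf(signFlag), prevKey, provider, certStores, reasonsMask, anchors, validity);
                }
            });
            // The reflective target is the JDK method whose declared return is Collection<X509CRL>.
            @SuppressWarnings("unchecked")
            Collection<X509CRL> crls = (Collection<X509CRL>) result;
            return crls;
        } catch (PrivilegedActionException e) {
            Trace.ignored(e);
            throw new StatusUnknownException();
        }
    }

    /**
     * Looks {@code cert} up in each CRL and throws if an entry is found.
     *
     * <p>Critical entry extensions other than reasonCode (2.5.29.21) and certificateIssuer
     * (2.5.29.29) are rejected as unresolved. A missing reason is reported as UNSPECIFIED.
     *
     * @throws CertificateRevokedException if any CRL lists the certificate
     * @throws CertificateException        on unresolved critical extensions or a {@link CRLException}
     */
    private void checkApprovedCRLs(X509Certificate cert, Collection<X509CRL> crls) throws CertificateException {
        for (X509CRL crl : crls) {
            X509CRLEntry entry = crl.getRevokedCertificate(cert);
            if (entry == null) {
                continue;
            }
            try {
                X509CRLEntryImpl impl = X509CRLEntryImpl.toImpl(entry);
                Set<String> critical = impl.getCriticalExtensionOIDs();
                if (critical != null && !critical.isEmpty()) {
                    // Work on a copy so the entry's own extension set is not mutated.
                    Set<String> unresolved = new HashSet<>(critical);
                    unresolved.remove("2.5.29.21");
                    unresolved.remove("2.5.29.29");
                    if (!unresolved.isEmpty()) {
                        throw new CertificateException("unresolved critical extensions in CRLEntry");
                    }
                }
                CRLReason reason = impl.getRevocationReason();
                if (reason == null) {
                    reason = CRLReason.UNSPECIFIED;
                }
                throw new CertificateRevokedException(impl.getRevocationDate(), reason, crl.getIssuerX500Principal(), impl.getExtensions());
            } catch (CRLException e) {
                throw new CertificateException(e);
            }
        }
    }
}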
