package com.sun.deploy.security;

import com.sun.deploy.config.Config;
import com.sun.deploy.panel.AndOrRadioPropertyGroup;
import com.sun.deploy.trace.Trace;
import java.io.IOException;
import java.lang.reflect.Method;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.PublicKey;
import java.security.cert.CRLException;
import java.security.cert.CRLReason;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import sun.security.provider.certpath.CertPathHelper;
import sun.security.provider.certpath.DistributionPointFetcher;
import sun.security.provider.certpath.OCSP;
import sun.security.x509.X509CRLEntryImpl;

/* loaded from: input_file:com/sun/deploy/security/RevocationChecker.class */
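/**
 * Checks the revocation status of the certificates of a chain, one certificate
 * per call, walking from the trust anchor towards the end-entity certificate.
 *
 * <p>Each call to {@link #check(X509Certificate)} validates the given certificate
 * against the certificate passed to the previous call (the anchor for the first
 * call), which is treated as its issuer. Status is obtained through OCSP, through
 * CRLs, or through OCSP with CRL fail-over, as selected in the constructor.
 * A revoked certificate raises {@link CertificateRevokedException}; a status that
 * could not be determined raises {@link StatusUnknownException} — whether that is
 * fatal is decided by the caller, not here.
 *
 * <p>When a signing {@code timestamp} is supplied, a revocation dated after that
 * timestamp is not treated as a revocation (the signature predates it).
 *
 * <p>Not thread-safe: {@link #check(X509Certificate)} mutates the issuer state
 * consumed by the next call.
 */
class RevocationChecker {

    /** Default CRL clock-skew tolerance in milliseconds (15 minutes). */
    private static final long DEFAULT_MAX_CLOCK_SKEW_MS = 900000L;

    /** Prefix the JDK OCSP client puts in front of the responder's status word. */
    private static final String OCSP_RESPONSE_ERROR_PREFIX = "OCSP response error: ";

    /** id-ce-cRLReasons (reasonCode) CRL entry extension. */
    private static final String REASON_CODE_OID = "2.5.29.21";

    /** id-ce-certificateIssuer CRL entry extension. */
    private static final String CERTIFICATE_ISSUER_OID = "2.5.29.29";

    /** Index of the cRLSign bit in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_CRL_SIGN = 6;

    /** Reasons mask covering every CRL distribution-point reason flag. */
    private static final boolean[] ALL_REASONS = {true, true, true, true, true, true, true, true, true};

    /** Parameter types of {@code CertPathHelper.setDateAndTime(X509CRLSelector, Date, long)} for the reflective fallback. */
    private static final Class<?>[] PARAMS = {X509CRLSelector.class, Date.class, long.class};

    /** Parameter types of {@code DistributionPointFetcher.getCRLs(...)} for the reflective fallback. */
    private static final Class<?>[] TYPES = {
        X509CRLSelector.class, boolean.class, PublicKey.class, String.class,
        List.class, boolean[].class, Set.class, Date.class
    };

    private final X509Certificate anchor;
    /** Validation time from the PKIX parameters; passed through to the OCSP client and CRL selector. */
    private final Date date;
    private final String sigProvider;
    private final boolean checkOCSP;
    private final boolean checkCRLs;
    /** True when OCSP failures (other than a revocation) fall over to CRLs. */
    private final boolean checkBoth;
    /** Explicitly configured responder, or null to use the one named in the certificate. */
    private final URI ocspResponderURI;
    /** Explicitly configured responder certificate, or null to accept responses signed by the issuer. */
    private final X509Certificate ocspResponderCert;
    /** When true only non-CA (publisher) certificates are revocation-checked. */
    private final boolean onlyPublisher;
    /** Administrator-supplied CRL that is consulted in addition to fetched ones, or null. */
    private final X509CRL configCrl;
    /** Trusted signing time, or null when the signature carries no timestamp. */
    private final Date timestamp;
    private final long maxClockSkew;
    /** Issuer of the certificate that will be passed to the next {@link #check} call. */
    private X509Certificate issuerCert;
    /** Whether {@link #issuerCert} may sign CRLs; the anchor is assumed to be able to. */
    private boolean certCanSignCRL = true;

    /**
     * Signals that the revocation status could not be determined (no responder,
     * network failure, responder asked to retry, incomplete CRL coverage, ...).
     */
    /* loaded from: input_file:com/sun/deploy/security/RevocationChecker$StatusUnknownException.class */
    public static class StatusUnknownException extends CertificateException {
        static final long serialVersionUID = -1133298886602198899L;

        StatusUnknownException() {
        }

        StatusUnknownException(String message) {
            super(message);
        }

        StatusUnknownException(Throwable cause) {
            super(cause);
        }
    }

    /**
     * Creates a checker for one certificate chain.
     *
     * <p>As a side effect the OCSP/CRL timeout, clock-skew and CRLDP system
     * properties consumed by the JDK certpath provider are set process-wide
     * from the deploy configuration, for whichever mechanisms are enabled.
     *
     * @param anchor the trust anchor certificate; issuer of the first certificate checked
     * @param params supplies the validation date and signature provider
     * @param checkOCSP whether to query OCSP
     * @param checkCRLs whether to consult CRLs (also used as fail-over when {@code checkOCSP} is set)
     * @param responderURI configured OCSP responder URI, or null to use the certificate's AIA
     * @param ocspResponderCert configured responder certificate, or null to use the issuer
     * @param onlyPublisher when true, CA certificates in the chain are not checked
     * @param configCrl additional CRL from configuration, or null
     * @param timestamp trusted signing time, or null
     * @throws IllegalArgumentException if neither OCSP nor CRL checking is enabled
     */
    public RevocationChecker(X509Certificate anchor, PKIXParameters params, boolean checkOCSP, boolean checkCRLs,
            String responderURI, X509Certificate ocspResponderCert, boolean onlyPublisher,
            X509CRL configCrl, Date timestamp) {
        if (!checkOCSP && !checkCRLs) {
            throw new IllegalArgumentException("at least one of OCSP or CRL checking must be enabled");
        }
        this.date = params.getDate();
        this.sigProvider = params.getSigProvider();
        this.anchor = anchor;
        this.issuerCert = anchor;
        this.checkOCSP = checkOCSP;
        this.checkCRLs = checkCRLs;
        this.checkBoth = checkOCSP && checkCRLs;
        this.ocspResponderURI = parseResponderURI(responderURI);
        this.ocspResponderCert = ocspResponderCert;
        this.onlyPublisher = onlyPublisher;
        this.configCrl = configCrl;
        this.timestamp = timestamp;

        String clockSkew = Config.getStringProperty(Config.SEC_USE_VALIDATION_CLOCK_SKEW_KEY);
        this.maxClockSkew = parseClockSkew(clockSkew);
        String timeout = Config.getStringProperty(Config.SEC_USE_VALIDATION_TIMEOUT_KEY);
        // The raw skew string is forwarded even if it did not parse; the JDK applies its own validation.
        applySystemProperties(checkOCSP, checkCRLs, timeout, clockSkew);
    }

    /**
     * Parses the configured responder URI.
     *
     * @return the URI, or null when none is configured or the value is not a valid URI
     *         (logged and ignored, so responder discovery from the certificate is used instead)
     */
    private static URI parseResponderURI(String value) {
        if (value == null) {
            return null;
        }
        try {
            return new URI(value);
        } catch (URISyntaxException e) {
            // Log the offending string itself rather than the (still unset) field.
            Trace.securityPrintln("Can't parse OCSP responder URI: " + value);
            Trace.ignored(e);
            return null;
        }
    }

    /** Parses the configured clock skew in milliseconds, keeping the default on a missing or malformed value. */
    private static long parseClockSkew(String value) {
        if (value == null) {
            return DEFAULT_MAX_CLOCK_SKEW_MS;
        }
        try {
            return Long.parseLong(value);
        } catch (NumberFormatException e) {
            Trace.ignored(e);
            return DEFAULT_MAX_CLOCK_SKEW_MS;
        }
    }

    /** Publishes the deploy timeout/skew settings to the JDK certpath provider through system properties. */
    private static void applySystemProperties(final boolean ocsp, final boolean crls,
            final String timeout, final String clockSkew) {
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                if (ocsp) {
                    if (timeout != null) {
                        System.setProperty("com.sun.security.ocsp.timeout", timeout);
                    }
                    if (clockSkew != null) {
                        System.setProperty("com.sun.security.ocsp.clockSkew", clockSkew);
                    }
                }
                if (crls) {
                    // Lets the fetcher follow CRL distribution points found in certificates.
                    System.setProperty("com.sun.security.enableCRLDP", AndOrRadioPropertyGroup.TRUE);
                    if (timeout != null) {
                        System.setProperty("com.sun.security.crls.timeout", timeout);
                    }
                }
                return null;
            }
        });
    }

    /**
     * Checks the revocation status of {@code cert}, whose issuer is the certificate
     * passed to the previous call (or the anchor).
     *
     * <p>With OCSP enabled, an OCSP failure that is not a revocation falls over to
     * CRLs when both mechanisms are enabled; if the CRL check then fails without a
     * revocation either, the OCSP exception is thrown with the CRL failure attached
     * as a suppressed exception. Whatever the outcome, {@code cert} becomes the
     * issuer for the next call.
     *
     * @param cert the certificate to check
     * @throws CertificateRevokedException if the certificate is revoked (before the
     *         signing timestamp, when one is configured)
     * @throws StatusUnknownException if the status could not be determined
     * @throws CertificateException on any other validation failure
     */
    public void check(X509Certificate cert) throws CertificateException {
        try {
            // getBasicConstraints() == -1 means "not a CA": only such certificates are checked in publisher-only mode.
            if (this.onlyPublisher && cert.getBasicConstraints() != -1) {
                Trace.securityPrintln("Skipping revocation check, not publisher cert");
                return;
            }
            if (this.checkOCSP) {
                checkOCSP(cert);
            } else if (this.checkCRLs) {
                checkCRLs(cert);
            }
        } catch (CertificateException ocspFailure) {
            if (!this.checkBoth || ocspFailure instanceof CertificateRevokedException) {
                throw ocspFailure;
            }
            Trace.securityPrintln("Failing over to CRLs: " + ocspFailure.getMessage());
            try {
                checkCRLs(cert);
            } catch (CertificateException crlFailure) {
                if (crlFailure instanceof CertificateRevokedException) {
                    throw crlFailure;
                }
                ocspFailure.addSuppressed(crlFailure);
                throw ocspFailure;
            }
        } finally {
            updateState(cert);
        }
    }

    /** Makes the just-checked certificate the issuer for the next call and records whether it may sign CRLs. */
    private void updateState(X509Certificate cert) {
        this.issuerCert = cert;
        this.certCanSignCRL = certCanSignCRL(cert);
    }

    /** Whether the certificate's key-usage extension grants cRLSign; false when the extension is absent. */
    private static boolean certCanSignCRL(X509Certificate cert) {
        boolean[] keyUsage = cert.getKeyUsage();
        return keyUsage != null && keyUsage.length > KEY_USAGE_CRL_SIGN && keyUsage[KEY_USAGE_CRL_SIGN];
    }

    /** A revocation is in effect unless it postdates the trusted signing timestamp. */
    private boolean isRevocationInEffect(Date revocationDate) {
        return this.timestamp == null || revocationDate.before(this.timestamp);
    }

    /**
     * Queries the OCSP responder for {@code cert}.
     *
     * @throws StatusUnknownException if no responder is known, the network request fails,
     *         the responder reports UNKNOWN, or the responder answers with a transient error
     * @throws CertificateRevokedException if the responder reports REVOKED
     * @throws CertificateException on any other responder or validation error
     */
    private void checkOCSP(X509Certificate cert) throws CertificateException {
        URI responderURI = this.ocspResponderURI != null ? this.ocspResponderURI : OCSP.getResponderURI(cert);
        if (responderURI == null) {
            throw new StatusUnknownException("Certificate does not specify OCSP responder");
        }
        // Without a configured responder certificate, responses must be signed by the issuer.
        X509Certificate responderCert = this.ocspResponderCert != null ? this.ocspResponderCert : this.issuerCert;
        OCSP.RevocationStatus status;
        try {
            status = OCSP.check(cert, this.issuerCert, responderURI, responderCert, this.date);
        } catch (IOException e) {
            throw new StatusUnknownException(e);
        } catch (CertPathValidatorException e) {
            throw translateResponderError(e);
        }
        OCSP.RevocationStatus.CertStatus certStatus = status.getCertStatus();
        Trace.securityPrintln("OCSP Response: " + certStatus);
        if (certStatus == OCSP.RevocationStatus.CertStatus.REVOKED) {
            Date revokedAt = status.getRevocationTime();
            if (isRevocationInEffect(revokedAt)) {
                throw new CertificateRevokedException(revokedAt, status.getRevocationReason(),
                        responderCert.getSubjectX500Principal(), status.getSingleExtensions());
            }
        } else if (certStatus == OCSP.RevocationStatus.CertStatus.UNKNOWN) {
            throw new StatusUnknownException();
        }
    }

    /**
     * Maps a failed OCSP exchange to the exception to throw: responder-side
     * conditions that may clear up later (UNAUTHORIZED, TRY_LATER, INTERNAL_ERROR)
     * become {@link StatusUnknownException}; everything else is a hard failure.
     */
    private static CertificateException translateResponderError(CertPathValidatorException e) {
        String message = e.getMessage();
        if (message != null && message.startsWith(OCSP_RESPONSE_ERROR_PREFIX)) {
            String responderStatus = message.substring(OCSP_RESPONSE_ERROR_PREFIX.length());
            Trace.securityPrintln(responderStatus);
            if ("UNAUTHORIZED".equals(responderStatus) || "TRY_LATER".equals(responderStatus)
                    || "INTERNAL_ERROR".equals(responderStatus)) {
                return new StatusUnknownException(e);
            }
        }
        return new CertificateException(e);
    }

    /**
     * Fetches the CRLs covering {@code cert} from its distribution points, adds the
     * configured CRL if any, and checks the certificate against them.
     *
     * @throws StatusUnknownException if no CRL was obtained, the fetched CRLs do not
     *         cover every reason flag, or fetching failed with a network error
     * @throws CertificateRevokedException if a CRL lists the certificate
     * @throws CertificateException on any other CRL processing failure
     */
    private void checkCRLs(X509Certificate cert) throws CertificateException {
        X509CRLSelector selector = new X509CRLSelector();
        selector.setCertificateChecking(cert);
        try {
            CertPathHelper.setDateAndTime(selector, this.date, this.maxClockSkew);
        } catch (IllegalAccessError e) {
            // Linkage to the package-private JDK helper failed on this runtime; use reflection instead.
            setDateAndTime(selector, this.date, this.maxClockSkew);
        }
        boolean[] reasonsMask = new boolean[ALL_REASONS.length];
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(this.anchor, null));
        List<CertStore> noStores = Collections.emptyList();
        PublicKey issuerKey = this.issuerCert.getPublicKey();
        Collection<X509CRL> fetched;
        try {
            fetched = DistributionPointFetcher.getCRLs(selector, this.certCanSignCRL, issuerKey,
                    this.sigProvider, noStores, reasonsMask, anchors, this.date);
        } catch (IllegalAccessError e) {
            fetched = getCRLs(selector, this.certCanSignCRL, issuerKey,
                    this.sigProvider, noStores, reasonsMask, anchors, this.date);
        } catch (CertStoreException e) {
            // A network failure anywhere in the cause chain means "undetermined", not "invalid".
            if (hasIOExceptionCause(e)) {
                throw new StatusUnknownException(e);
            }
            throw new CertificateException(e);
        }
        // Copy before adding: the fetcher's collection is not guaranteed to be modifiable.
        List<X509CRL> crls = fetched == null ? new ArrayList<X509CRL>() : new ArrayList<X509CRL>(fetched);
        if (this.configCrl != null) {
            crls.add(this.configCrl);
        }
        // Only the fetcher fills in the reasons mask, so a configured CRL on its own never satisfies this check.
        if (crls.isEmpty() || !Arrays.equals(reasonsMask, ALL_REASONS)) {
            throw new StatusUnknownException();
        }
        checkApprovedCRLs(cert, crls);
    }

    /** Whether any link of the cause chain below {@code t} is an {@link IOException}. */
    private static boolean hasIOExceptionCause(Throwable t) {
        for (Throwable cause = t.getCause(); cause != null; cause = cause.getCause()) {
            if (cause instanceof IOException) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reflective fallback for {@code CertPathHelper.setDateAndTime(selector, date, skew)}.
     * If reflection fails too, the public {@link X509CRLSelector#setDateAndTime(Date)},
     * which takes no skew argument, is used.
     */
    private static void setDateAndTime(final X509CRLSelector selector, final Date date, final long skew) {
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    Method setDateAndTime = Class.forName("sun.security.provider.certpath.CertPathHelper")
                            .getDeclaredMethod("setDateAndTime", PARAMS);
                    setDateAndTime.setAccessible(true);
                    setDateAndTime.invoke(null, selector, date, Long.valueOf(skew));
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            Trace.ignored(e);
            selector.setDateAndTime(date);
        }
    }

    /**
     * Reflective fallback for {@code DistributionPointFetcher.getCRLs(...)}, invoked on
     * the fetcher's {@code getInstance()} singleton.
     *
     * @throws StatusUnknownException if the reflective call fails for any reason
     */
    private static Collection<X509CRL> getCRLs(final X509CRLSelector selector, final boolean signFlag,
            final PublicKey prevKey, final String provider, final List<CertStore> certStores,
            final boolean[] reasonsMask, final Set<TrustAnchor> trustAnchors, final Date validity)
            throws StatusUnknownException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Collection<X509CRL>>() {
                @Override
                @SuppressWarnings("unchecked") // the JDK helper is declared to return Collection<X509CRL>
                public Collection<X509CRL> run() throws Exception {
                    Class<?> fetcher = Class.forName("sun.security.provider.certpath.DistributionPointFetcher");
                    Method getInstance = fetcher.getDeclaredMethod("getInstance");
                    getInstance.setAccessible(true);
                    Object instance = getInstance.invoke(null);
                    Method getCRLs = fetcher.getDeclaredMethod("getCRLs", TYPES);
                    getCRLs.setAccessible(true);
                    return (Collection<X509CRL>) getCRLs.invoke(instance, selector, Boolean.valueOf(signFlag),
                            prevKey, provider, certStores, reasonsMask, trustAnchors, validity);
                }
            });
        } catch (PrivilegedActionException e) {
            Trace.ignored(e);
            // Keep the underlying failure attached for diagnosis.
            throw new StatusUnknownException(e);
        }
    }

    /**
     * Looks {@code cert} up in each CRL and throws if an entry lists it.
     *
     * @throws CertificateRevokedException if an entry exists and the revocation is in effect
     * @throws CertificateException if an entry carries a critical extension other than
     *         reasonCode or certificateIssuer, or the entry cannot be parsed
     */
    private void checkApprovedCRLs(X509Certificate cert, Collection<X509CRL> crls) throws CertificateException {
        for (X509CRL crl : crls) {
            X509CRLEntry entry = crl.getRevokedCertificate(cert);
            if (entry == null) {
                continue;
            }
            try {
                X509CRLEntryImpl impl = X509CRLEntryImpl.toImpl(entry);
                rejectUnknownCriticalExtensions(impl);
                CRLReason reason = impl.getRevocationReason();
                if (reason == null) {
                    reason = CRLReason.UNSPECIFIED;
                }
                Date revokedAt = impl.getRevocationDate();
                if (isRevocationInEffect(revokedAt)) {
                    throw new CertificateRevokedException(revokedAt, reason,
                            crl.getIssuerX500Principal(), impl.getExtensions());
                }
            } catch (CRLException e) {
                throw new CertificateException(e);
            }
        }
    }

    /** Fails if the entry has any critical extension this checker does not understand. */
    private static void rejectUnknownCriticalExtensions(X509CRLEntryImpl entry) throws CertificateException {
        Set<String> critical = entry.getCriticalExtensionOIDs();
        if (critical == null) {
            return;
        }
        // Read-only scan: the set returned by the entry is not ours to modify.
        for (String oid : critical) {
            if (!REASON_CODE_OID.equals(oid) && !CERTIFICATE_ISSUER_OID.equals(oid)) {
                throw new CertificateException("unresolved critical extensions in CRLEntry");
            }
        }
    }
}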
